Alex Clark
Hi All,
I'm trying in vain to clean up an XP Home (w/ SP3) machine for someone and
I'm having some curious problems.
I'm fairly sure it's infected with malware. If I try to run the installer
for MBAM, I get the "Please select language" option, and then as soon as I
get to the next screen it instantly vanishes. AVG installer behaves in a
similar manner, briefly flashes up on screen and then vanishes. I've
checked Task Manager and can confirm that the process exists for a split
second before vanishing. Oddly enough, exactly the same thing happens even
with the SysInternals Process Explorer tool.
Other apps run fine though, and that can be anything from regedit to
Computer Management to a command prompt. To me, this sounds like classic
malware behaviour, as something is killing any processes that it believes
may pose a threat to it. This occurs even if I've started in safe mode
with a command prompt, and even if I rename the AVG or mbam installers to
something else. I just cannot get around it.
So with that in mind, I took the hard drive out and hooked it up to my
machine where I then ran a full scan using MBAM. This found about 4
infected files, all of which seemed to be in the \System Restore folders
which made me think they couldn't be doing much harm from there. That was
all it found, though naturally it couldn't scan the registry. I reinstalled
the disc, booted the machine and... exactly the same as before - cannot
install any antivirus apps.
Then I downloaded the latest Avira rescue CD, burned & booted off that and
did a full scan. Avira scanned the registry and went through every file.
Number of infections? Zero. Did not find a single thing wrong.
So I've got antivirus apps telling me the disc is clean, but it doesn't take
a genius to figure out it's still infected. I tried looking through the
non-PnP devices in Device Manager as I'd read of a few rootkits installing as
TD***.sys, but nothing matched that particular pattern.
Could it be that a virus left behind some kind of software policy
restriction to prevent these apps from running, and the machine is truly
clean? Or do you guys think it's infected with something that MBAM and
Avira just can't find?
Any ideas?
Thanks in advance,
Alex
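As an added defensive check that is not part of Alex's post: the script below lists the policy mechanisms that can stop a named executable from starting (Software Restriction Policy rules, Image File Execution Options "Debugger" redirections and the Explorer DisallowRun list), so the "policy left behind" hypothesis can be confirmed or ruled out. It assumes PowerShell is available (XP lacks it by default) or that the suspect disk's SOFTWARE hive has been loaded on the technician's machine as shown in the comments.

```powershell
# Added example (not from the original post). Enumerates the policy mechanisms
# that can stop a named executable from starting: Software Restriction Policy
# (SRP) rules, Image File Execution Options (IFEO) "Debugger" redirections and
# the Explorer DisallowRun list. Assumes PowerShell is available; on XP it must
# be installed separately, or run this on the technician's machine against the
# suspect disk's hive loaded with:  reg load HKLM\Offline X:\WINDOWS\system32\config\software
param(
    [string]$SoftwareRoot = 'HKLM:\SOFTWARE',   # use 'HKLM:\Offline' for a loaded hive
    [string]$UserRoot     = 'HKCU:\Software'    # or a loaded NTUSER.DAT hive
)

function Get-IfeoDebuggerEntries {
    $ifeo = Join-Path $SoftwareRoot 'Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        # A Debugger value launches the named program instead of the real image
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

function Get-SrpRules {
    $base = Join-Path $SoftwareRoot 'Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) { return }
    # Subkeys are named by security level: 0 = Disallowed, 262144 = Unrestricted
    Get-ChildItem -Path $base | ForEach-Object {
        $level = $_.PSChildName
        foreach ($kind in 'Paths', 'Hashes') {
            Get-ChildItem -Path (Join-Path $_.PSPath $kind) -ErrorAction SilentlyContinue | ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath
                $rule = if ($kind -eq 'Paths') { $p.ItemData } else { $p.FriendlyName }
                [pscustomobject]@{ Level = $level; Kind = $kind; Rule = $rule }
            }
        }
    }
}

function Get-DisallowRunEntries {
    $key = Join-Path $UserRoot 'Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { [pscustomobject]@{ Index = $_.Name; Program = $_.Value } }
    }
}

"== IFEO Debugger entries =="; Get-IfeoDebuggerEntries | Format-Table -AutoSize
"== SRP rules (DefaultLevel first) =="
(Get-ItemProperty -Path (Join-Path $SoftwareRoot 'Policies\Microsoft\Windows\Safer\CodeIdentifiers') -ErrorAction SilentlyContinue).DefaultLevel
Get-SrpRules | Format-Table -AutoSize
"== Explorer DisallowRun =="; Get-DisallowRunEntries | Format-Table -AutoSize
```

IFEO entries and SRP path rules key on the file name, so an installer that still dies after being renamed points instead to an SRP hash rule or to something actively terminating processes, which a registry listing alone cannot show.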