Mal...where?

Alex Clark

Hi All,

I'm trying in vain to clean up an XP Home (w/ SP3) machine for someone and
I'm having some curious problems.

I'm fairly sure it's infected with malware. If I try to run the installer
for MBAM, I get the "Please select language" option, and then as soon as I
get to the next screen it instantly vanishes. AVG installer behaves in a
similar manner, briefly flashes up on screen and then vanishes. I've
checked Task Manager and can confirm that the process exists for a split
second before vanishing. Oddly enough, exactly the same thing happens even
with SysInternals Process Explorer tool.

Other apps run fine though, and that can be anything from regedit to
Computer Management to a command prompt. To me, this sounds like classic
malware behaviour, as something is killing any processes that it believes
may pose a threat to it. This occurs even if I've started in safe mode
with a command prompt, and even if I rename the AVG or mbam installers to
something else. I just cannot get around it.

So with that in mind, I took the hard drive out and hooked it up to my
machine where I then ran a full scan using MBAM. This found about 4
infected files, all of which seemed to be in the \System Restore folders
which made me think they couldn't be doing much harm from there. That was
all it found, though naturally it couldn't scan the registry. I reinstalled
the disc, booted the machine and... exactly the same as before - cannot
install any antivirus apps.

Then I downloaded the latest Avira rescue CD, burned & booted off that and
did a full scan. Avira scanned the registry and went through every file.
Number of infections? Zero. Did not find a single thing wrong.

So I've got antivirus apps telling me the disc is clean, but it doesn't take
a genius to figure out it's still infected. I tried looking through the non-PnP
devices in Device Manager as I'd read of a few rootkits installing as
TD***.sys, but nothing matched that particular pattern.

Could it be that a virus left behind some kind of software policy
restriction to prevent these apps from running, and the machine is truly
clean? Or do you guys think it's infected with something that MBAM and
Avira just can't find?

Any ideas?

Thanks in advance,
Alex
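The first post asks whether a leftover software restriction policy could be what stops the installers. The following script is an added example written for this thread; it is not code from any poster. It lists every Software Restriction Policy (SRP) path and hash rule under the machine and user policy keys, and assumes PowerShell 2.0 (which was released for XP SP3) running on the affected machine.

```powershell
# Added example, not from the thread. Lists the Software Restriction Policy (SRP)
# rules on an XP box so a leftover "Disallowed" path or hash rule that blocks
# installers can be spotted. Assumes PowerShell 2.0 (available for XP SP3).
$srpRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)
# SRP stores rules under a subkey named for the security level they enforce.
$levelNames = @{ '0' = 'Disallowed'; '4096' = 'Basic User'; '262144' = 'Unrestricted' }

foreach ($root in $srpRoots) {
    if (-not (Test-Path $root)) {
        Write-Host "$root : no SRP key (no policy set here)"
        continue
    }
    # DefaultLevel 0 means everything not explicitly listed as Unrestricted is blocked.
    $default = (Get-ItemProperty -Path $root).DefaultLevel
    Write-Host "$root  DefaultLevel=$default"

    foreach ($level in Get-ChildItem -Path $root) {
        $name = $levelNames[$level.PSChildName]
        if (-not $name) { $name = $level.PSChildName }
        foreach ($kind in 'Paths', 'Hashes') {
            $kindKey = $level.PSPath + '\' + $kind
            if (-not (Test-Path $kindKey)) { continue }
            foreach ($rule in Get-ChildItem -Path $kindKey) {
                $v = Get-ItemProperty -Path $rule.PSPath
                # Path rules carry the path in ItemData; hash rules carry a binary
                # hash there, so the human-readable FriendlyName is shown instead.
                if ($kind -eq 'Paths') { $target = $v.ItemData } else { $target = $v.FriendlyName }
                Write-Host ("  [{0}] {1} rule: {2}  ({3})" -f $name, $kind, $target, $v.Description)
            }
        }
    }
}
```

Run it from an elevated prompt on the suspect machine. One caveat matters for the symptom in this thread: SRP refuses to start a blocked program at all and shows a policy error, it does not let the process start and then kill it a moment later. So if this script shows no Disallowed rules, or none at all, the behaviour points back at something resident on the machine rather than at a leftover policy.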
 
PA Bear [MS MVP]

Assuming no anti-virus application was installed when the machine got
infected and/or when you started working on the machine, back up the personal
data, then do a format & clean install of Windows. Please note that a
Repair Install (AKA in-place upgrade) will NOT fix this!

After the clean install, you'll have the equivalent of a "new computer" so
take care of everything on the following page before otherwise connecting
the machine to the internet or a network and before using a USB key that
isn't brand-new or hasn't been freshly formatted:

5 steps to help protect your new computer before you go online
http://www.microsoft.com/protect/computer/advanced/xppc.mspx

Also see:

Steps To Help Prevent Spyware
http://www.microsoft.com/protect/computer/spyware/prevent.mspx
 
Alex Clark

I'm planning on a complete reinstall anyway; it's clearly been too badly
infected to recover, but I'm just wondering if anyone knew of anything that
caused these symptoms? It sounds like a rootkit to me but (surprise
surprise) I can't run RootKit Revealer or GMER as the dang thing won't let
me.

Is there any way, in XP, to get some kind of process autopsy? What I mean
is, I would like to know the exact details of why a specific process ended,
what sent the kill signal to it, and what its exit code was.

Thanks,
Alex
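On the "process autopsy" question above: Windows has no kill signal as such; another program ends a process by calling TerminateProcess, and the operating system records the exit but not who requested it. What can be captured is every exit with its exit status, parent PID and time. The script below is an added example for this thread, not code from any poster, and assumes PowerShell 2.0 running as Administrator so that the ETW-backed WMI event class Win32_ProcessStopTrace is available.

```powershell
# Added example, not from the thread. Logs every process exit with its exit
# status so a short-lived installer can be matched to the moment it died.
# Assumes PowerShell 2.0 or later, running as Administrator (the
# Win32_ProcessStopTrace event class is fed by kernel event tracing).
$logPath = Join-Path $env:USERPROFILE 'procstop.log'   # constructed log location

Register-WmiEvent -Query 'SELECT * FROM Win32_ProcessStopTrace' `
                  -SourceIdentifier 'ProcStop' -Action {
    $e = $Event.SourceEventArgs.NewEvent
    $line = '{0:HH:mm:ss.fff}  {1,-28} PID={2,-6} PPID={3,-6} ExitStatus={4}' -f `
            (Get-Date), $e.ProcessName, $e.ProcessID, $e.ParentProcessID, $e.ExitStatus
    Add-Content -Path $Event.MessageData -Value $line
} -MessageData $logPath | Out-Null

Write-Host "Logging process exits to $logPath. Start the installer now; press Enter to stop."
[void](Read-Host)
Unregister-Event -SourceIdentifier 'ProcStop'
Get-Content -Path $logPath
```

Read the log alongside what you did: an installer that exits on its own typically reports status 0 and shows up seconds after it finished, whereas the entries this thread describes appear within a fraction of a second of launch. The event does not name the process that called TerminateProcess; pinning that down needs a kernel-level tool, and, as the original post notes, whatever is on this machine kills Process Explorer, so expect powershell.exe itself to be a candidate for the same treatment.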
 
smlunatick

I'm planning on a complete reinstall anyway; it's clearly been too badly
infected to recover, but I'm just wondering if anyone knew of anything that
caused these symptoms?  It sounds like a rootkit to me but (surprise
surprise) I can't run RootKit Revealer or GMER as the dang thing won't let
me.

Is there any way, in XP, to get some kind of process autopsy?  What I mean
is, I would like to know the exact details of why a specific process ended,
what sent the kill signal to it, and what its exit code was.

Thanks,
Alex

Not sure, but you might want to check for possible infestations in Safe
Mode. However, most applications will not install in Safe Mode.
 
sgopus

Nice that you say it works, but what does it remove? I wouldn't trust
something as generic as this myself.
 
Daave

Not sure, but you might want to check for possible infestations in Safe
Mode. However, most applications will not install in Safe Mode.

Not in OP's case. I've seen this before. What worked for me was changing
the name of the installation file.
 
Alex Clark

Indeed. I've tried installing MBAM, AVG et al in Safe Mode but the same
symptoms persist.

Whatever's got a hold of it, it's a nasty piece of work - and a scan of the
disc via another machine (and via Avira rescue boot CD) doesn't show any
infection at all. Crazy...
 
The Real Truth [MS MVP]

Use my Remove-it software, it will remove that malware from your system.
Choose yes for all options when prompted. Download it here
http://www.ms-mvp.org/

--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
 
Leythos

Choose yes for all options when prompted.

And you will be blocked from reputable anti-malware sites.

Not a single ethical person will support Butt's pilfering of code that
others worked to create.
 
Tim Meddick

Hi Bear,
Being a curious sort I visited the page. Question: where can I
get hold of the original software that I've been told this guy has
plagiarized? Some of it looks good but I am TERRIFIED of having anything to
do with his reverse-engineered versions.
 
Alex Clark

Yeah, every time he posts here under a new alias I add it to my OE killfile.
I've lurked here on and off for a couple of weeks - easily long enough to
know he's a troll selling spyware.
 
The Real Truth [MS MVP]

That's a very good question, he will probably pretend he did not see the
question and not answer when the real reason is he does not know. I will
answer it for him. There is a fake, stolen knock-off of my Remove-it software
here: http://www.internetinspiration.co.uk/roguefix.htm
It was stolen more than a few years back. I have since, as you will see when you compare them,
made numerous changes and upgrades to Remove-it that can no longer get
pirated by anyone. If you would like a list just let me know.


--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
 
Leythos

it was stolen more
than a few years back. I have since, as you will see when you compare them,
made numerous changes and upgrades to Remove-it that can no longer get
pirated by anyone. If you would like a list just let me know.

And yet each time he updates his application the changes show up in
yours LATER, not to mention that the numerous fake entries that were put
into HIS still show up in yours today.
 
Leythos

*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.

And each time you post you're stalking David and myself as well as
others, showing how unethical you are.
 