I've got someone's badly infected HP Media Center PC here that is showing
me all kinds of new symptoms. First of all, in normal mode, it only boots
as far as the welcome screen, then reboots. It will boot OK in Safe Mode.
Internet access is OK so I downloaded MBAM and it installed OK and updated,
something popped up and went away, the program never started. The icon on
the desktop didn't show the normal MBAM logo. mbam.exe was present in the
program folder but corrupt. I tried renaming the installation file and
reinstalling. Also tried copying a good mbam.exe from my own machine under
a different name. No dice. I ran hitmanpro and it found all kinds of
infected files (mbam.exe was one of them) and a rootkit.
I should interject another strange behavior. Every time I boot into Safe
Mode, it asks to choose the network type and I always choose Home, but not
until my "new device", the mouse, has been found which takes almost a
minute. This is every time. I uncheck almost everything in msconfig,
reboot, and when it reboots and does all the above mentioned stuff again, I
go into msconfig and everything is checked again. I created a new user
"Joe" and was able to log off and log in to "Joe", but I couldn't do
anything in that account than I could in the original. Hitman fixed enough
that I could install and run MBAM which found a trojan downloader. When I
rebooted back to Safe Mode, "Joe" was gone, and it went through all the
above rigamarole again and msconfig was filled up with checkmarks again.
I've copied all his documents and pictures off and there's a restore
partition which I fully intend to use.
But if there's still a rootkit in there, will a restore get rid of it? It
will format the windows partition and reinstall, but will formatting be
enough to get rid of it?
Another thing I did was run ComboFix which claimed it needed administrative
privileges to use the selected options but it ran anyway and ran into a
rootkit and required a reboot. On reboot it never resumed but went through
all the above-named stuff again. When it finally settled down, I ran
ComboFix again (it still wanted administrative privileges) but ran all the
way through, so it must have gotten rid of the rootkit it found the first
time when it rebooted. So I ran it one more time and it found nothing. But
everything remains the same. No changes in msconfig will stick. A newly
created user won't stick and it still reboots at the welcome screen in
normal mode.
Sorry I got carried away like that again, but I tried to cover everything I
can remember.
--
--- A dyslexic man walks into a bra ---