"Li'l Abner" <blvstk@dogpatch.com> wrote in message
news:Xns9F6D78C2CD54Cbutter@wefb973cbe498...
> "Li'l Abner" <blvstk@dogpatch.com> wrote in
> news:Xns9F6D2880F7C64butter@wefb973cbe498:
>
>> I've got someone's badly infected HP Media Center PC here that is
>> showing me all kinds of new symptoms. First of all, in normal mode, it
>> only boots as far as the welcome screen, then reboots. It will boot OK
>> in Safe Mode. Internet access is OK so I downloaded MBAM and it
>> installed OK and updated, something popped up and went away, the
>> program never started. The icon on the desktop didn't show the normal
>> MBAM logo. mbam.exe was present in the program folder but corrupt. I
>> tried renaming the installation file and reinstalling. Also tried
>> copying a good mbam.exe from my own machine under a different name. No
>> dice. I ran hitmanpro and it found all kinds of infected files
>> (mbam.exe was one of them) and a rootkit. I should interject another
>> strange behavior. Every time I boot into Safe Mode, it asks to choose
>> the network type and I always choose Home, but not until my "new
>> device", the mouse, has been found which takes almost a minute. This
>> is every time. I uncheck almost everything in msconfig, reboot, and
>> when it reboots and does all the above mentioned stuff again, I go
>> into msconfig and everything is checked again. I created a new user
>> "Joe" and was able to log off and log in to "Joe", but I couldn't do
>> anything more in that account than I could in the original. Hitman fixed
>> enough that I could install and run MBAM which found a trojan
>> downloader. When I rebooted back to Safe Mode, "Joe" was gone, and it
>> went through all the above rigamarole again and msconfig was filled up
>> with checkmarks again. I've copied all his documents and pictures off
>> and there's a restore partition which I fully intend to use.
>>
>> But if there's still a rootkit in there, will a restore get rid of it?
>> It will format the windows partition and reinstall, but will
>> formatting be enough to get rid of it?
>>
>> Another thing I did was run ComboFix which claimed it needed
>> administrative privileges to use the selected options but it ran
>> anyway and ran into a rootkit and required a reboot. On reboot it
>> never resumed but went through all the above-named stuff again. When
>> it finally settled down, I ran ComboFix again (it still wanted
>> administrative privileges) but ran all the way through, so it must
>> have gotten rid of the rootkit it found the first time when it
>> rebooted. So I ran it one more time and it found nothing. But
>> everything remains the same. No changes in msconfig will stick. A newly
>> created user won't stick and it still reboots at the welcome screen in
>> normal mode.
>>
>> Sorry I got carried away like that again, but I tried to cover
>> everything I can remember.

>
> I did the back to factory restore. Will spend the rest of the day
> installing the two service packs and all the subsequent updates.
> So far, so good.


That's probably the best course of action anyway, as far as having
confidence in the results.

Whenever "Safe Mode" isn't minimal enough to prevent malware from
running, you might consider Vista's recovery options (similar to the XP
"Recovery Console" - only better) on the installation disc.

If no disc was supplied, the tools may be installed on the hard drive and
you may have a 'recovery partition' instead of an installation disc.

Many vendors now offer Linux-based recovery toolkits on a 'live CD' for
a good clean boot and scan for malware.