I'm seeing is antivirus-aware. It intercepts the install of Malwarebytes and every other type of antivirus/antimalware that I've tried. It also will not allow IE, Firefox or Opera to load any antivirus web page or security sweep site.
I have created a BartPE disk in the hopes that I can quell this infection, but thus far, it has been resilient against removal.
I should also mention that safe boot does not work, and System Restore states that it is disabled by GPO, though I suspect this is unavailable in XP Home; I need confirmation of this.
I was finally able to get something to install and begin removal of trojans from this unit. Most were unidentified; however, there were two that were: Vundo and bat/delsys. I was able to install the T-R trojan remover. It identified the following files as being hijacked and redirected to ones held in the following location:
win.exe, uninst.exe, rundll.exe, iexplore.exe, as well as a few others. The run32dll.exe in the c:\windows\system32 folder was also compromised. In addition, the install of any other tool resulted in corruption of either the install file in the temp directory, or the exe was reported as being a missing image file and would show the error C:\windows\system32\zabunego.exe.
After running T-R and two restarts later, the unit was uncrippled enough to install and run Malwarebytes, which found further infections, 18 to be exact. It also stated that the restore point as well as other items in the OS had been turned off, including Automatic Updates. It offered to re-enable these items.
Once Malwarebytes had completed, it also wanted a restart. I attempted to install Avira at that time; however, the install is still being compromised, leading me to believe that something is still going on. I tried to look in Add/Remove Programs to see what may have happened; however, any of the applications needing run32dll.exe are not working because it too was infected and neutralized by the T-R software. I am attempting to restore that file to see what further damage may have been done. As a side note, Stinger would not run and was being infected as it was copied to the hard drive.
Just thought someone may want to know.
Edited by macinslaw, 09 July 2009 - 06:34 AM.
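The following is an added example, not part of the original post and not code from any of the tools it names. It is a read-only PowerShell audit of the settings the post reports as disabled or hijacked: System Restore "disabled by GPO", Automatic Updates turned off, Safe Mode not booting, executables being redirected, and the presence of the file the error messages pointed at. The policy registry paths are the standard ones; the Safe Mode and Image File Execution Options (IFEO) checks are assumptions about common causes, since the post does not name the mechanism behind either symptom.

```powershell
# Added example, not from the original post. Read-only audit of the settings the
# post reports as disabled or hijacked. Run from an elevated prompt; written in
# PowerShell 2.0 syntax so it also runs on an XP-era host.

# Policy values that switch features off (1 = disabled). These are the standard
# Group Policy registry locations; malware sets them directly, which is why the
# UI reports "disabled by GPO" on a machine that has never seen a domain policy.
$policyChecks = @(
    @{ Name = 'System Restore turned off by policy';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Value = 'DisableSR' },
    @{ Name = 'System Restore configuration blocked by policy';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Value = 'DisableConfig' },
    @{ Name = 'Automatic Updates turned off by policy';
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Value = 'NoAutoUpdate' }
)

foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($item -and $item.($c.Value) -eq 1) {
        Write-Output ("FLAG  {0}  ({1}\{2} = 1)" -f $c.Name, $c.Path, $c.Value)
    } else {
        Write-Output ("ok    {0}" -f $c.Name)
    }
}

# Safe Mode needs the SafeBoot control set; if it has been deleted, F8 Safe Mode
# fails to boot. Assumed cause for the post's "safe boot does not work".
foreach ($mode in 'Minimal', 'Network') {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (Test-Path $p) { Write-Output "ok    SafeBoot\$mode present" }
    else              { Write-Output "FLAG  SafeBoot\$mode missing" }
}

# Executables silently redirected: an IFEO "Debugger" value makes Windows launch
# that program instead of the named one. Assumed mechanism for the hijacked
# win.exe / iexplore.exe / rundll.exe the post describes. Legitimate entries
# exist (debuggers you installed yourself), so review every hit by hand.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Write-Output ("FLAG  IFEO {0} -> {1}" -f $_.PSChildName, $dbg) }
}

# The file the post's "missing image file" errors pointed at. Its presence is a
# strong sign the infection is still active after the removal passes.
$suspect = Join-Path $env:SystemRoot 'system32\zabunego.exe'
if (Test-Path $suspect) { Write-Output "FLAG  $suspect exists" }
else                    { Write-Output "ok    $suspect absent" }
```

Every line flagged here is something to clear before trying another installer: a registry-set "policy" can be deleted with `Remove-ItemProperty`, a missing SafeBoot key is most easily restored by exporting it from a clean machine of the same Windows version, and an IFEO `Debugger` value that points at an unexpected binary should be removed along with that binary.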