I picked up a machine (XP pro, SP3) from a customer on 9/1 that had an infection that would allow you to start an anti-malware tool (I tried Autoruns first, then Malwarebytes, and Spybot S&D, along with a few other items) but the program would be killed while scanning. After it was killed, the infection would then block access to the EXE, preventing you from deleting it or overwriting it. Renaming the programs before running them did not help.
SAV had been on the machine, which is what gave the customer her first warning. However, by the time I got there it had been disabled, though parts of it were still showing in the task manager.
Extensive searching only found two people with similar problems and only a few hints on what to try to do. http://www.bleepingcomputer.com/forums/t/254129/cant-run-antimalware-mwaw-hjt-ddsscr-etc/
My usual procedure is to slave the hard drive in another machine and perform a virus-scan.
When I did this, SAV Corporate 8.1 found some items...
Malwarebytes found "Backdoor.Sdbot"
However, when I put the hard drive back, this did not resolve the fundamental issue of not being able to run the malware tools.
The trick that finally worked for me (based on something I read somewhere...I must have spent 3 hours scouring posts from other people!) was to kill "explorer" via the task manager and then launch applications from there.
I was then able to run Sysinternals "autoruns". I re-installed and ran "Malwarebytes" and after a 10 hour scan, it found and removed a number of items, including the following...
I re-installed SAV but it would not start properly. I then uninstalled it fully and re-installed from scratch. It is now running properly.
I followed up with a scan by Spybot S&D and it found and removed the following...
(Those may have just been residue items)
I am now running another Malwarebytes scan, but the machine seems to be behaving properly.
Every day I learn something new!
Hopefully this will help someone else.