The computers have all been running various versions of Windows Vista (one Basic, two Premium). None would boot into normal mode; they continually rebooted. In safe mode, Explorer wouldn't run. No desktop wallpaper. Running ComboFix (renamed or not) would give the loading bar and nothing else. HijackThis would get about 80% through a scan and shut down. MBAM won't install, and SAS can't install in safe mode. Unsure of what it was, I even ran a scanner for Virut, which rebooted the system.
From the command prompt there were a massive number of hidden .dll and .exe files in the System32 folder that shouldn't have been there, as well as a ton of .exe files in the Users/username/AppData/temp folder.
I made an image of the drive and started toying around. I managed to remove most of the .dll and .exe files in System32, but one of them (which had a random filename) wouldn't delete. I renamed it and rebooted, and deleted the now-renamed file. As soon as it was deleted, the computer rebooted automatically, but it was indeed gone. I then noticed this line in the registry:
Shell REG_SZ Explorer.exe rundll32.exe tftp.msc beforegllav
After removing everything after Explorer.exe, I was able to reboot (into safe mode still) and have Explorer open, but I still couldn't run any other spyware-related software except for "rmvirut", which scans clean. Another quirk -- after HijackThis automatically closes, the permissions are changed so that I cannot run it or delete it (there's no "as administrator" button, only "Try Again").
HJT's StartupList feature shows the following:
Enumerating ShellServiceObjectDelayLoad items:
None of these files are present in the System32 folder, however. There's nothing else of particular interest in the StartupList file.
I yanked the drive from the system and hooked it up as a slave in another system, and ran MBAM on the drive. It came up with zero infections. There don't appear to be any hidden files that weren't visible from the actual system (due to a rootkit, etc.).
Has anyone had any luck with this or does anyone have any further suggestions beyond a reformat/reinstall or a parallel installation?
UPDATE: The XP Protector 2008 folder in Users\username had a single .exe; this was deleted. I had cleared out all temp folders and temporary internet file folders prior to all this.
UPDATE: Avira was suggested; this won't install. Installing to a flash drive and trying to run didn't help, either. Closes about halfway through install, and "Error executing program" when running off flash drive.
UPDATE: Booting to a Vista disc and dropping to a command prompt, there are several "ytas*" files. I deleted the five that were there, and rebooted into Safe mode. Still can't load ComboFix / HJT / etc.
UPDATE: CCleaner is about the only thing that will install. I installed it and ran a scan, and deleted any of the crap that came up. Ran a registry scan and it found lots of problems, but nothing of real significance whatsoever. Spybot and Malwarebytes both give the error "Internal error: failed to expand shell folder constant "userappdata"" and drop the installation. I did a Google search for this error, which didn't return much, but one Microsoft rep did post about removing the Recent key in User Shell Folders (which did nothing for me), and another just said to scan with SREng, which did scan successfully. I'll attach the log from that as soon as I get home.
Edited by Zeromus-X, 16 September 2009 - 05:07 PM.
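Following the post above, here is an added audit script (example code, not from the original post or from any of the tools it names) that checks the three things the poster examined by hand: the Winlogon Shell and Userinit values, the ShellServiceObjectDelayLoad entries resolved through their CLSIDs to the DLLs they load and checked for presence on disk, and hidden or recently written .exe/.dll files in System32. It assumes the suspect disk is attached to a clean machine, that its SOFTWARE hive has been loaded under HKLM\Suspect with reg load, and that its Windows directory is mounted at X:\Windows; the Suspect hive name, the X: drive letter and the RecentDays window are assumptions to adjust. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added audit script (example code, not from the original post or any tool it names).
  Assumptions:
    - the suspect disk's SOFTWARE hive was loaded offline with
          reg load HKLM\Suspect X:\Windows\System32\config\SOFTWARE
      (run  reg unload HKLM\Suspect  when finished)
    - the suspect Windows directory is mounted at X:\Windows
  For a live system, pass -SoftwareRoot 'HKLM:\SOFTWARE' -SystemDir "$env:SystemRoot\System32".
#>
param(
    [string]$SoftwareRoot = 'HKLM:\Suspect',
    [string]$SystemDir    = 'X:\Windows\System32',
    [int]$RecentDays      = 7
)
$suspectWindows = Split-Path -Path $SystemDir -Parent   # e.g. X:\Windows

function Resolve-OfflinePath([string]$p) {
    # Registry paths use %SystemRoot%; map that onto the mounted suspect drive.
    if (-not $p) { return $p }
    $p = $p.Trim('"')
    return ($p -replace '^%SystemRoot%', $suspectWindows)
}

# --- 1. Winlogon: Shell is the value that was hijacked in the post; Userinit is the usual companion --
$winlogon = Join-Path $SoftwareRoot 'Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($wl.Shell -and $wl.Shell.Trim() -ine 'explorer.exe') {
    Write-Output "SUSPECT Winlogon\Shell = '$($wl.Shell)'  (expected 'explorer.exe')"
} else {
    Write-Output "Winlogon\Shell OK: '$($wl.Shell)'"
}
# A clean Userinit is userinit.exe under system32 followed by a trailing comma and nothing else.
if ($wl.Userinit -and ($wl.Userinit -inotmatch '^(%SystemRoot%|[A-Za-z]:\\Windows)\\system32\\userinit\.exe,?$')) {
    Write-Output "SUSPECT Winlogon\Userinit = '$($wl.Userinit)'"
} else {
    Write-Output "Winlogon\Userinit OK: '$($wl.Userinit)'"
}

# --- 2. ShellServiceObjectDelayLoad: value -> CLSID -> InprocServer32 DLL, flag files missing on disk --
$ssodl     = Join-Path $SoftwareRoot 'Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$clsidRoot = Join-Path $SoftwareRoot 'Classes\CLSID'   # same data as HKCR\CLSID on a live system
$metaProps = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')
$entries = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
if ($entries) {
    foreach ($prop in $entries.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }   # provider metadata, not registry values
        $clsid  = [string]$prop.Value
        $server = Get-ItemProperty -Path (Join-Path $clsidRoot "$clsid\InprocServer32") -ErrorAction SilentlyContinue
        if (-not $server) {
            Write-Output "SSODL '$($prop.Name)' -> $clsid : no InprocServer32 key"
            continue
        }
        $dll    = Resolve-OfflinePath $server.'(default)'
        $status = if (Test-Path -LiteralPath $dll) { 'present' } else { 'MISSING on disk' }
        Write-Output "SSODL '$($prop.Name)' -> $clsid -> $dll [$status]"
    }
} else {
    Write-Output "No ShellServiceObjectDelayLoad key found under $SoftwareRoot"
}

# --- 3. Hidden or recently written .exe/.dll files in System32 ----------------------------------------
# A user-mode rootkit can hide these from a live session; listing the mounted drive sidesteps that.
$cutoff = (Get-Date).AddDays(-$RecentDays)
Get-ChildItem -LiteralPath $SystemDir -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        $_.Extension -match '^\.(exe|dll)$' -and
        ( (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -or $_.LastWriteTime -gt $cutoff )
    } |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime, Attributes |
    Format-Table -AutoSize
```

The SSODL check is the one that matters most for the symptoms in the post: a shell service object whose DLL no longer exists on disk is exactly what HijackThis was listing, and entries pointing at a random filename in System32 or at a file that is now gone are the ones to delete (after exporting the key). Everything this script reports is evidence to read, not an automatic verdict; Vista ships a small number of legitimate SSODL entries, so compare the resolved DLL names against a known-good Vista install before removing anything.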