I am helping someone get their computer back into an operational state. It is a Windows XP SP3 machine.
I contemplated starting this topic in the Virus, Trojan, Spyware, and Malware Removal Logs, but being new I thought it might be better for me to start here - especially because it's hard to pinpoint what is going on with the machine I am working on.
In a nutshell, Windows XP can NOT start up normally. At some point in the startup routine the computer throws error messages that look exactly like this: "userinit.exe - Application Error: The application failed to initialize properly (0xc0000022). Click OK to terminate the application." After you click "OK", and if the stars have aligned correctly, you may actually get to see some desktop icons and even the Taskbar and Start Button. However most of the time all you get is the Wallpaper and nothing further. Regardless, once this message appears, any further exe you try to execute will have the same fate. Essentially all you can do is reboot.
So I reboot and start in Safe Mode. Oddly enough, the computer spins like a top. Checking the System Event Log will reveal some interesting behind-the-scenes activity - almost an entire log full of entries from when Windows was started normally, even though there was no obvious activity. The events are all similar to this:
Event Type: Warning
Event Source: AMP
Event Category: Amp message
Event Id: 1
Time: 9:53:50 PM
Description: Infection detected in C:\Windows\System32\WGATRAY.EXE
The only difference in all the logs is the Description - I have seen pretty much any .dll, .sys, .drv, and .exe file in any directory. They are all valid paths with valid filenames.
I have tried to Google this ("Amp message" "Infection detected") and come up with no hits. Feels like Malware to me, but it's nothing I can find any information on. No other searching has proven especially effective.
System Restore is enabled and the user thinks that they started having problems around February 26th. I have restored back to before February 21st and still get the same behavior from the machine.
The computer also has Norton Go Back and I did try once or twice to restore to previous dates but with no change to system behavior.
I did run an updated MBAM scan in Safe Mode as well as SpyBot S&D. The only real hit I got was an Adware for Coupons.com, but I believe that has been happily on the computer for quite some time. I did remove it anyway for kicks and it did not help.
One of my web searches related to the original problem of not being able to execute any exe files led me down a path of trying to allocate Read permissions on all dll and ocx files for the BuiltIn\Users account. That resulted in a very bad BSOD situation. Fortunately either System Restore or Norton Go Back got me out of that one...
That is about the time that I decided it was time to utilize this community as it has been very helpful to me in the past!
I did not generate any logs for this topic yet because I can only run in Safe Mode. However I am more than happy to do so if it will help.
Any thoughts or ideas would be greatly appreciated!
Thanks so much. ...Marc Animal
Edited by Marc Animal, 22 March 2010 - 11:05 PM.
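To make an event log like the one quoted in this post easier to triage, here is an added Python helper (not code from the original post) that parses a plain-text export in the same "Field: value" layout shown above, pulls out the file paths named by the "Infection detected in" entries from the AMP source, and tallies them by extension and by directory; the three sample events are constructed for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample export in the layout quoted in the post: one "Field: value"
# line per field, events separated by a blank line. Paths are fabricated samples.
SAMPLE_LOG = r"""
Event Type: Warning
Event Source: AMP
Event Category: Amp message
Event Id: 1
Time: 9:53:50 PM
Description: Infection detected in C:\Windows\System32\WGATRAY.EXE

Event Type: Warning
Event Source: AMP
Event Category: Amp message
Event Id: 1
Time: 9:53:51 PM
Description: Infection detected in C:\Windows\System32\drivers\ntfs.sys

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event Id: 7036
Time: 9:53:52 PM
Description: The Workstation service entered the running state.
"""

# Captures the drive-letter path that follows the suspicious message text.
DETECT_RE = re.compile(r"Infection detected in (?P<path>[A-Za-z]:\\[^\r\n]+)", re.I)

def parse_events(text):
    """Split the text export into one {field: value} dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def flagged_paths(events, source="AMP"):
    """Return the file paths named by the given source's 'Infection detected' events."""
    paths = []
    for ev in events:
        if ev.get("Event Source", "").upper() != source.upper():
            continue  # ignore unrelated sources such as the Service Control Manager
        m = DETECT_RE.search(ev.get("Description", ""))
        if m:
            paths.append(m.group("path"))
    return paths

def summarize(paths):
    """Count flagged files by extension and by parent directory (case-folded)."""
    by_ext = Counter(PureWindowsPath(p).suffix.lower() for p in paths)
    by_dir = Counter(str(PureWindowsPath(p).parent).lower() for p in paths)
    return {"total": len(paths), "by_ext": dict(by_ext), "by_dir": dict(by_dir)}
```

Run it over a full export saved from Event Viewer to see at a glance how many distinct system files the AMP source is naming and where they live.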