Posted 02 July 2011 - 01:20 PM
I was able to get Malwarebytes to run in safe mode, and it appears to have removed XP Antivirus 2012, as I can work with it. If I try to run rkill or GMER I get a "program too big to fit in memory" on the cmd prompt and it closes. If I use the .com or .scr, I get "this application is not a valid win32 application". If I try to run HijackIt.msi, or any .msi, I get an XP software restriction error. Basically I cannot run anything. I tried to run the ESET online scanner and it became re-infected rather quickly, even while ESET was running. Finally I tried running the Avira rescue CD to no avail. Apparently they have changed all file associations and permissions etc. I looked at the local security policy and I don't see any software restrictions.
Right now I have it in a DMZ hanging off my ASA so it won't affect anything else, but I can't hook it up to the internet; it will just get infected again. One process I saw come up was yki.exe and then the XP 2012 stuff would pop up. Looks like there might be an Apache server configured as well.
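The symptoms the poster describes (every .exe, .com and .scr refusing to launch with a spurious error) are what an executable file-association hijack looks like from the outside. The script below is an added triage check, not something from the original thread or from any of the tools mentioned in it; it reads the registry values that decide how Windows launches those file types and compares them with the stock defaults, and lists any Software Restriction Policy rules and Image File Execution Options "Debugger" entries that could also block or redirect programs. The default command strings it compares against are the documented XP/7 defaults and are an assumption about this particular machine; run it from a safe-mode or offline-booted PowerShell prompt, or read the same keys with regedit if PowerShell itself will not start.

```powershell
# Added triage script: report executable file-association, SRP and IFEO
# settings that differ from stock defaults. Read-only; it changes nothing.

# Stock (assumed) launch commands for the file types the poster could not run.
$expectedCommands = @{
    'exefile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'scrfile' = '"%1" /S'
}

function Get-LaunchCommand {
    param([string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if (-not (Test-Path $key)) { return $null }
    # The unnamed "(Default)" value holds the command line Windows runs.
    return (Get-ItemProperty -Path $key).'(default)'
}

Write-Host "== Executable file associations =="
foreach ($progId in $expectedCommands.Keys) {
    $actual = Get-LaunchCommand -ProgId $progId
    if ($null -eq $actual) {
        Write-Host "[MISSING] $progId has no shell\open\command key"
    } elseif ($actual -ne $expectedCommands[$progId]) {
        # Anything other than the stock string means .exe launches are
        # being routed through another program; that is the hijack.
        Write-Host "[CHANGED] $progId -> $actual   (expected: $($expectedCommands[$progId]))"
    } else {
        Write-Host "[OK]      $progId -> $actual"
    }
}

# Software Restriction Policies live here even when the Local Security
# Policy MMC shows nothing; "Paths" rules are under CodeIdentifiers\<level>.
Write-Host "`n== Software Restriction Policy rules =="
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $srp) {
    # 0 = Disallowed, 262144 = Unrestricted; DefaultLevel 0 blocks everything
    # that is not explicitly allowed.
    $default = (Get-ItemProperty -Path $srp).DefaultLevel
    Write-Host "DefaultLevel = $default (0 means Disallowed by default)"
    Get-ChildItem -Path $srp -Recurse |
        Where-Object { $_.PSChildName -match '^\{.*\}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.ItemData) { Write-Host "rule: $($p.ItemData)  [$($_.PSPath)]" }
        }
} else {
    Write-Host "No SRP CodeIdentifiers key present"
}

# IFEO "Debugger" entries silently run another program in place of the
# named executable; legitimate systems rarely have any for security tools.
Write-Host "`n== Image File Execution Options with a Debugger value =="
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Write-Host "$($_.PSChildName) -> Debugger = $dbg" }
}
```

A `[CHANGED]` exefile line explains both error messages in the post: the fake error text comes from whatever program the hijacked command points at, not from Windows, so repairing the association (or booting from known-good media) has to come before any scanner is expected to run.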