Heh - maybe I can give you some more...
I hope you aren't assuming that because a single scanner found
nothing, malware is excluded?
Also, how did you run the tool; from the infected OS?
That's never reliable, but in this case, we do have specific reasons
to anticipate self-defense by the malware you are trying to find. If
what we theorise is happening, we already know we're after a malware
that hides running tasks, and is launching these on startup (and is
thus active from startup onwards).
So what I would do is formally scan one of these PCs using my Bart
project CDR, which runs a sequence of scanners from its own boot.
Multiple scanners improve the chances of detection, and by not
booting or running any infected code, the malware can't hide.
A slide show of the process is here...
http://cquirke.spaces.live.com/photos/cns!C7DAB1E724AB8C23!197/
...though you might skip the RAM and HD testing steps.
In your case, you don't have "my Bart project", so it's not as easy.
You can download Bart PE Builder, and you can add scanners such as:
- Trend SysClean
- Kaspersky CLI scanner
- Sophos CLI scanner
- McAfee Stinger (FWIW)
- Avast Cleaner (FWIW)
The MSRT won't run from a Bart CDR, but it will run from a WinPE 2.0
boot disk, if you have such a thing. Building WinPE isn't as easy as
Bart, plus WAIK is a far larger download, but it's a good mOS.
A quick way to get a bunch of scanners into Bart would be to find and
download David Lipman's Multi-AV tool. This is designed to be
installed on a sick PC and run from Safe Mode, but it can be adapted
for formal use as follows...
- find an uninfected PC
- download and install Bart PE Builder
- find and copy an XP SP2 or Server 2003 \i386 to the PC
- set Bart PE Builder to point to that
- build a test Bart CDR and verify that it works
- download and install Multi-AV
- run Multi-AV and update all four scanners
- create an arbitrary directory, e.g. C:\INCLUDE
- set Bart PE Builder's Custom directory to C:\INCLUDE
- copy C:\AV-CLS (the Multi-AV subtree) to C:\INCLUDE
- build a new Bart CDR
Now to use this on the sick PC...
- boot the sick PC from your new Bart CDR
- note that X: = Bart CDR drive letter
- note that B: = RAMDisk, and Temp is in RAM disk
- copy X:\AV-CLS subtree to C:\AV-CLS
- run Multi-AV from StartMenu.bat
You may find StartMenu.bat is a pain, if it insists on trying to
update the scanners before use, etc. If so, try running the scanners
directly, as follows...
Sophos - via SOFclean.bat
Kaspersky - via KAVclean.bat
McAfee ScanPM - via DOSclean.bat
Trend SysClean doesn't have a matching batch file, so CD into
C:\AV-CLS\Trend and run SysClean.com directly.
I don't think your Q's answered as yet, so I HTH...
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
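As an added illustration of the "run the scanners directly" fallback above (this is example code, not from the original post, from Bart PE or from Multi-AV), a batch file to run from the Bart PE command prompt that checks it is really booted from the CDR, copies the subtree, runs each scanner in turn and logs each one's exit code. It assumes, as in the post, that X: is the Bart CDR and C: is the sick PC's system drive, and it assumes (not stated in the post) that SOFclean.bat, KAVclean.bat and DOSclean.bat sit directly in the AV-CLS directory.

```batch
@echo off
REM Added example, not part of the original post or of Multi-AV.
REM Assumes X: = Bart CDR, C: = sick PC's system drive (as in the post),
REM and that the *clean.bat files live in AV-CLS itself (assumption).
setlocal
set SRC=X:\AV-CLS
set DST=C:\AV-CLS
set LOG=C:\AV-CLS\offline-scan.log

REM Only proceed when the scanner subtree is on the Bart CD: if X:\AV-CLS
REM is missing we are probably not booted from the CDR, and scanning from
REM the infected OS is exactly what the post warns against.
if not exist "%SRC%\" (
  echo Bart CDR not found at %SRC% - are you booted from the CD?
  exit /b 1
)

REM Copy the subtree to the hard disk (the post's step): /E includes
REM subdirectories, /I treats DST as a directory, /Y overwrites silently.
xcopy "%SRC%" "%DST%" /E /I /Y >nul || (echo copy failed & exit /b 1)

cd /d "%DST%"
echo Offline scan started %DATE% %TIME% > "%LOG%"

REM Run each scanner directly (skipping StartMenu.bat and its updates),
REM recording the exit code so a scanner that never ran is not mistaken
REM for a clean result.
call :run Sophos    SOFclean.bat
call :run Kaspersky KAVclean.bat
call :run McAfee    DOSclean.bat
cd /d "%DST%\Trend"
call :run Trend     SysClean.com
cd /d "%DST%"
echo Offline scan finished %DATE% %TIME% >> "%LOG%"
type "%LOG%"
exit /b 0

:run
REM %1 = label for the log, %2 = scanner to launch from the current directory
echo [%TIME%] %1: starting %2 >> "%LOG%"
if not exist "%2" (echo [%TIME%] %1: %2 not found, skipped >> "%LOG%" & goto :eof)
call "%2"
echo [%TIME%] %1: exit code %ERRORLEVEL% >> "%LOG%"
goto :eof
```

The log lands on C: rather than the B: RAM disk so it survives the reboot back into the (hopefully cleaned) OS.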