Tried to clean viruses/malware, lost desktop (very long, sorry!)

Hi, I'm pretty new to the site and still going through many of the threads. I found one post from '04 I believe with a person who had almost the same problem, but it only had a couple responses and seemed to revolve around reinstalling Windows. So just in case there's a ray of hope, I'll give you the whole run down.

Ok, this is gonna be long :zzz If you don't want to read about my whole journey and just see what mess I got myself into, CTRL+F "whatiwouldn'tgiveforagiantmagnetrightnow"

I volunteered to try and fix/clean up my boyfriend's sister's computer while she's out of town for the week. She had been having some problems with it so I thought it might make a fun project. Before she left, I sat down with her and the PC to get a better idea of what was going on. Turns out, she bought this computer through an infomercial (that's right) a few years ago and has never installed any type of antivirus or spyware/malware software (yep, you heard me). There were several error messages in Windows (XP Home with IE Service Pack 6-1), and pop-ups galore upon connection to the internet.

After the basics (emptying Internet Temp files, deleting cookies, looking through programs to figure out what I was sure I could remove) I started out trying to install AVG Free, but without much luck. Getting online was difficult because there were so many pop-ups and site redirections, but I finally managed to download the installation file. I had saved a new installation file on my flash drive just in case, but it couldn't be opened (don't remember what the error message was, but I tried it out on my laptop and it worked fine). It took me several attempts to install AVG because something in the computer kept shutting it down mid-install. I finally completed the installation, but every time it tried to scan any files in WINDOWS/System32 the application would shut down.

I decided to boot up in Safe Mode and try again, but low and behold there was no option for such upon F8 after reboot (I had several boot options that made no sense to me, but were combos of letters and maybe numbers. I didn't write any down, but an example of how they looked might be "EG-06-A5-3C-ZK-J5". SO, I booted back up in Normal mode.

I did manage to install and run TuneUp Utilities 2007 and run pretty much every option that application had for whatever that was worth. It found 814 problems in the registry the first go around, and 231 probs in "programs-missing files" 414 files for cleaning in "disk cleaner" (138.08MB freed). I also set Internet Explorer privacy from "lowest" to "high" and set the temp interenet files space used from 5757MB to 100MB on all user profiles. The second time I ran TuneUp I found/fixed 9 probs in the registry and 2 probs in programs-missing files.

Next I tried Spybot S&D, finding 28 threats and 604 infections. Seemed like a good idea at the time but now it's actually yelling at me about registry changes every 5 seconds. Not sure if that's more nasty stuff or if something else I'm running to fix stuff is doing that. Hmmm.

This is when I stumbled across your awesome guide for Malware removal and kept that open in hopes of finding something else that might work. I went through msconfig to boot in safe mode. It had previously been set to "Selective Startup" (but of COURSE it was). Restarted in Safe Mode, went to run AVG again and it was GONE. :*** I'm now certain that this computer has grown an evil mind of its own and is consciously fighting me to ensure its survival.

Decided to try Trend Micro HouseCall 6.5 (online virus scan recommend in some forum somewhere). First, I changed folder settings in my C:\ drive to show hidden files and files with known extentions, disabled System Restore (which had never been used)...then ran the scan. It found over 100 objects but every time I would try to actually remove/quarantine them it would stop mid-clean. I did have the opportunity to see the names of what was bugging the PC (oh how I WISH I had written them all down...but I was tired, what can I say?), and I noticed many trojans and rootkits (had never actually encoutered these before, was morbidly excited). :rolleyes I did jot down "C:\WINDOWS\System32\winivstr.exe" because it would always scan to that file then stop. Will Google that and see what I can figure out. I also wrote down to uninstall IDirectPlay4 because it was listed as a vulnerability that might not work if some adware was removed.

Decided an online trojan scan might clean things up well enough to try a full virus scan again, so I ran Windows Security Trojan Scan. It found 222 objects, so the obvious move was to quarentine them all...right?

whatiwouldn'tgiveforagiantmagnetrightnow :cry

After several minutes of attempting to clean off this junk (and it seemed to be working)...all of a sudden I got this message that looked like some sort of a Windows system error message. I didn't write down everything on the box because there was a timer counting down and I freaked. The gist of it was that there was an error and my system would be shut down when the time was up. It had something to do with "WINDOWS\System32\lass.exe" and it also said "Status Code 259" (time for another Google search). Sure enough, my computer (er, her computer) rebooted (still came back in Safe Mode of course), BUT (dun duh DUUUNNNN)...:tas

The screen was all black!!! No icons, no text, no Taskbar or Start menu...

I tried hitting the keys to open the Start menu but no reponse. I found that I could still open the Task Manager with Ctrl+Alt+Del, so just for S's and G's I rebooted in normal mode. Everything up to the log-in screen seemed perfectly normal. I tried logging into both admin user accounts, and interestingly the wallpaper was still there! At that point I scratched my head, laughed hysterically and challenged the PC to a rematch later this week. :boxing

I'm going to be a little more prepared and organized this time (I really should have been the first time around). I'll review the Malware guide again, but I’m not sure how to get the comp up and running on its own to do that. My next approach is going to be a little different unless someone here advises against it. I think the PC is about due for an MRI. :neener hehe I wish. Seriously though, I plan to throw the hard drive into another fully operating/protected PC box as a slave drive and scan it without actually booting up or opening anything on the drive. This should work…right? I'm a little concerned, though, about regaining some level of functionality. My theory is that this PC has been so infected for so long that is has literally mutated. To remove all of the viruses would involve running the registry through a virtual shredder. :guns

:tired

If anyone has stayed awake through this crazy-long email and made it to this point, thankd you for your patience. If you have any comments, tips, suggestions, thoughts, warnings,... ANYTHING I would greatly appreciate it. I'd really like to return a beautifully working machine to my boyfriend's sister and come out looking like a hero (read: please don't make me format her hard drive!!). If there's anything I'm missing that I should try, keep track of, etc. that's not mentioned in the guide (or that's mentioned but everyone forgets), feel free to point it out. I always welcome constructive criticism on my journey to becoming a true geek. :celebrate

Just out of curiosity, can anyone tell me if I can reinstall Windows (maybe a repair install) without losing all of the documents and programs? I had never reinstalled without a format before, but recently I did a repair install on my boyfriend's computer and he didn't lose anything (I guess I thought it always formatted before reinstalling no matter what). Not sure why it worked that way, but I wouldn't mind reinstalling if I wasn't worried losing everything on the PC (which may be inevitible).

 

Part of my problem is that I can't boot correctly at all right now (in ANY mode). I can log in, but there are no icons, no toolbars, no nothing...just a desktop background and the task manager. Any idea how (or IF) I can get back whatever I lost? If I tried sticking the hard drive in another pc and going through all the steps with it as a slave drive so I'm not actually booting up on that Windows, would I run any risk of infecting the other PC? I wouldn't open any applications on the dirty hard drive of course. At this point, I can't do anything with this computer since I can't access my flash drive to get to the files. Hmm...maybe I'll see if I can open the command prompt through the task manager first. I'll post again once I manage to get to a point that I can go through the guide and post some logs. Thanks! :cool