Windows XP Cannot follow Cleaning Procedure

Hi,

I have printed everything, gone through all the hoops downloading Spybot, Superantispyware, Malwarebytes, combofix.exe and mgtools.exe. I successfully ran Superantispyware, but Spybot does nothing when I click on it, and same with Malwarebytes so I am stopping before I get more jacked up. I am attaching the log from SAS.

Here is my issue. I am fixing a friends laptop. Too much pron surfing. I removed 12 viruses (used Sysclean from trendmicro), they were mostly trojans from the system which was crippled by Joke_blue screen. Anyhow all that is gone (I am pretty sure). What was harder and I don't believe is gone is Anti Virus Pro 2008 or similar. I deleted all registry, start up, ran hijack this, trendmicro sysclean (from dos not online version) scanned registry again. Now windows loads normally without the gag screensaver and everything looks good until you try to use the browser. It starts but Once you try to google or yahoo something, it sends you to other places. Cannot access Microsoft update, Adaware, Trend Micro or even your forum here. Nothing will go beyond initial search and when you try typing an address in directly a second window pops up and goes to asiuoqgusdbaksd.com which redirects you to some other site. And now certain executables simply wont run. Firefox wont even start either.

 

OK I was able to run MGtools.exe. Here is the log produced.

 

Hi. Thanks for your quick reply. Here is an update...

I deleted VAV folder from Program Files.

I ran the MGtools HJT program and successfully removed all lines quoted except one:

04 - HKLM\..\Run: [a43868e7] Rundll32.exe "c:\windows\system32\uagweceu.dll",b

It was simply not in the HJT display to select for removal.

Next

Please note that due to my inablity to access many internet sites on the affected Laptop I must copy the data from the MG email and not directly from the quote area in the post on this site. I fear that characters may be getting placed in the email that don't belong in the data you wish me to copy.

For example I attempted a to run the Registry Merge as instructed. I copied everything from between quote to end quote in the post. After several tries and error messages. I removed "*" from start and end of the copied data, and then the merge was successful. (The asterisks aren't visible on this site but are in the email.)


THen I attempted to run The Avenger program exactly as instructed. I have not been able to get it to execute.


"Error: Invalid Script. A valid script must begin with a command directive. Aborting Execution!"

Since I had to remove unneeded characters from the Registry merge script I also tried leaving out files to delete and folders to delete text from this script but it still did not take. Below is exactly was is between the quote and end quote lines of the email. I don't see any other difference. Please correct accordingly or advise where the error is.

I stopped further instructions until I can complete this step or you instruct otherwise...


Files to delete:C:\WINDOWS\tovafrnm.exeC:\WINDOWS\Sys1.tmp"C:\WINDOWS\sys6e1.exe C:\WINDOWS\sys6e2.exe C:\WINDOWS\sys6e3.exe C:\WINDOWS\pntqkflv.dllC:\WINDOWS\SYSTEM32\gEwUoMda.dllC:\WINDOWS\system32\uagweceu.dllC:\WINDOWS\gxvpsafm.dllC:\WINDOWS\system32\khfEVPfD.dllC:\WINDOWS\system32\dfjhghno.dllC:\WINDOWS\system32\bnkotaxp.ini C:\WINDOWS\system32\dfpvefhk.ini C:\WINDOWS\system32\dfpvef~1.ini C:\WINDOWS\system32\fncooguo.iniC:\WINDOWS\system32\onhghjfd.iniC:\WINDOWS\system32\uecewgau.iniC:\WINDOWS\system32\xqxjccgf.ini C:\WINDOWS\system32\drivers\vmdesched.sys Folders to delete:C:\Documents and Settings\Administrator\Application Data\RHCN5L~1

 

I cannot login to the forum on the affected computer because I cannot go to many URLs due to the redirect by the malware program. I can however access my hotmail account and I copy the text from the email that I get from your post there. However it appears something isn't right because although I copy directly as listed I still get the error I mentioned. I will try to manually delete the files as you have suggested and repost the result.

 

OK. I attempted to manually delete the files as suggested. Here is the result. Note, that on the ones that showed in use or access denied, I also tried a 2nd attempt at delete but in safe mode. Same result.

Files to delete:
C:\WINDOWS\tovafrnm.exe successfully deleted
C:\WINDOWS\Sys1.tmp" successfully deleted
C:\WINDOWS\sys6e1.exe successfully deleted
C:\WINDOWS\sys6e2.exe successfully deleted
C:\WINDOWS\sys6e3.exe successfully deleted
C:\WINDOWS\pntqkflv.dll successfully deleted
C:\WINDOWS\SYSTEM32\gEwUoMda.dll <---- In use by another process
C:\WINDOWS\system32\uagweceu.dll successfully deleted
C:\WINDOWS\gxvpsafm.dll successfully deleted
C:\WINDOWS\system32\khfEVPfD.dll <------ I got "access denied" error
C:\WINDOWS\system32\dfjhghno.dll successfully deleted
C:\WINDOWS\system32\bnkotaxp.ini NOT FOUND
C:\WINDOWS\system32\dfpvefhk.ini NOT FOUND
C:\WINDOWS\system32\dfpvef~1.ini NOT FOUND
C:\WINDOWS\system32\fncooguo.ini NOT FOUND
C:\WINDOWS\system32\onhghjfd.ini NOT FOUND
C:\WINDOWS\system32\uecewgau.ini NOT FOUND
C:\WINDOWS\system32\xqxjccgf.ini NOT FOUND
C:\WINDOWS\system32\drivers\clbdriver.sys NOT FOUND

Folders to delete:
C:\Documents and Settings\Administrator\Application Data\RHCN5L~1 successfully deleted

 

HI,

I wanted to thank you for trying to help out. Unfortunately my friend needed his laptop back, so since there aren't many files to move and installed programs he cares about, he has decided to have me wipe it clean and start fresh.

If I had more time I would see this through. I hate giving up. But, now that I know you guys are here I will be back for sure.

Thanks again!

Art