Chronic malware removal help?

Discussion in 'Malware Help (A Specialist Will Reply)' started by A_Tiny_Pony, Mar 28, 2010.

  1. A_Tiny_Pony

    A_Tiny_Pony Private E-2

    Hi. So, I hope I'm doing this right, apologies if not. I've gone through the general purpose cleanout a couple of times with no luck, and would like help cleaning this system. I will attach the necessary logs upon request.

    Basically, this is my girlfriend's laptop, and while she can rule out suspicious crack and hack websites and disreputable porn vendors, it's nevertheless gradually been getting more and more decrepit as far as the internet goes. She has had CA Antivirus for a couple of years, but last year it started failing to get into contact with the update server. Their helpline wasn't all that helpful, and no amount of their troubleshooting seemed to be able to fix it. Suffice to say the problem spontaneously fixed itself about a week before the re-subscription fee was due. Understandably unimpressed, she managed to extricate herself with difficulty from that program, but the upshot is that she's had almost a year happily surfing with practically no antivirus protection. She'd been getting some redirects, so I installed and ran a couple of your recommended programs with no result.

    NOW she's running ESET NOD32 as antivirus but was already experiencing browser redirects and 'surprise tabs' fairly constantly in both Explorer and Firefox, and neither this nor any of the usual tools are picking up any problems. The only result of the new antivirus was that the computer started doing a "this system has to shut down in 60, 59 etc seconds" about halfway through scans. After some googling we found out how to run "shutdown -a" or "-w" or something similar in command.com to let the scan finish, but it didn't actually find anything, and after a few weeks of being killed mid-shutdown with command.com, the shutdown timer stopped appearing. ESET NOD is now blocking suspicious IPs constantly the moment she leaves the safe harbour of Gmail, the redirects, reloads and interruptions are reaching plague proportions, and "Bad Image" errors have begun popping up madly on several running processes, including gnotify.dll and sensapi.dll (seeming to do with Google's mail monitor) and dwintl.dll (attributed to dwwin.exe, which Google tells me is something to do with Windows' diagnostic service failing to run properly). I've got some screenshots to show a couple of examples of both the blocked IPs and the bad image popups.

    Out of other ideas, I ran your XP cleanup routine, with no results. The only interesting hiccup was that while running ComboFix, I got a message saying
    "combofix has detected the following realtime scanner(s) to be active:

    antivirus: CA Anti-Virus"

    BUT, CA was uninstalled months ago. Sorta one of the causes of this whole mess. So, I opened some browser windows, restarted and redisabled the current antivirus before twigging to the fact that the program was long dead, then closed the lot before continuing. Couldn't find CA anywhere, couldn't be bothered searching every running process to find out if it was actually there. Hoping that brief recess didn't affect ComboFix's running, but the CA thing is something to think about. Are you guys able to help me? If so, what do you need me to attach? Is there anything I've missed? I'm perfectly happy to run the procedure again if so. I'll be checking back regularly and resisting the urge to double-post. Having never done this before, I have no idea how quickly you guys move through the huge number of requests for help you must get.
    Cheers,
    D
     
    Last edited: Mar 28, 2010
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the requested logs for us to review:
    SAS
    MBAM
    RootRepeal
    ComboFix
    C:\MGlogs.zip
     
  3. A_Tiny_Pony

    A_Tiny_Pony Private E-2

    Hokay, so, sorry guys. I've attached the three logs I brought with me but I don't actually have the laptop with me (I knew this was going to be a problem), and overlooked the MGlogs one when I was collecting the logs.
    Anyway, I don't have that one, and I can't find the RootRepeal log. My dearest is bringing the lappy over tonight, so I'll dig up the other two in a few hours. If I can't find the RootRepeal one, am I just able to go through the read-and-run-me-first and run it again, or do I need to do that and the XP procedure step by step again?
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Once you have the computer back in your possession again, please put ComboFix directly on the desktop, not where you are running it from:
    Running from: c:\fixinthings\ComboFix.exe

    It appears as though you have two AV programs:
    AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
    AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

    If so, uninstall one.

    I will wait for the MGlogs.zip for further instructions.
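    The two "AV:" lines above are the kind of thing Windows Security Center reports from its antivirus registrations (an assumption about where such lines originate). The following PowerShell is an added example, not code from the thread or from MajorGeeks, that lists those registrations and flags any whose recorded program path no longer exists, which is how an entry left behind by an uninstalled product shows up. It assumes PowerShell is installed and that the per-namespace property names used below exist on the AntiVirusProduct class.

    ```powershell
    # Added example: enumerate antivirus products registered with Windows Security Center
    # and flag registrations whose recorded path is gone (a stale entry, not a live scanner).
    # Assumptions: root\SecurityCenter is the XP SP2/SP3 namespace, root\SecurityCenter2 the
    # Vista-and-later one; property names below are assumed for each namespace's class.
    foreach ($ns in @('root\SecurityCenter', 'root\SecurityCenter2')) {
        try {
            $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction Stop
        } catch {
            $products = $null   # namespace absent on this Windows version
        }
        if (-not $products) { continue }

        foreach ($p in $products) {
            # Read a property only if this namespace's class actually defines it.
            $get = { param($name) if ($p.PSObject.Properties[$name]) { $p.$name } else { $null } }

            $onAccess = & $get 'onAccessScanningEnabled'   # XP namespace: bool
            $upToDate = & $get 'productUptoDate'           # XP namespace: bool
            $state    = & $get 'productState'              # SecurityCenter2: bit field

            # Whatever path the registration points at; if it no longer exists the
            # product was removed without unregistering itself.
            $path = & $get 'pathToSignedProductExe'        # SecurityCenter2
            if (-not $path) { $path = & $get 'pathToEnableOnAccessUI' }   # XP namespace (assumed)
            $path = if ($path) { $path.Trim('"') } else { $null }
            $stale = if ($path) { -not (Test-Path -LiteralPath $path) } else { 'unknown (no path recorded)' }

            # New-Object rather than [pscustomobject] so this runs on PowerShell 2.0 (XP era).
            New-Object PSObject -Property @{
                Namespace      = $ns
                DisplayName    = $p.displayName
                InstanceGuid   = $p.instanceGuid   # the {GUID} values shown in the log lines
                OnAccess       = $onAccess
                UpToDate       = $upToDate
                ProductState   = $state
                RegisteredPath = $path
                PathMissing    = $stale
            }
        }
    }
    ```

    A row with PathMissing set to True for a product that is no longer in Add/Remove Programs is the leftover registration to investigate; a product that is genuinely installed will show an existing path.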
     
  5. A_Tiny_Pony

    A_Tiny_Pony Private E-2

    Yeah, so that's the interesting thing, I uninstalled it via Add/Remove Programs in maybe December. It hasn't been installed for some time. Any tips on how to ferret it out and kill it dead?
    In other news, my girlfriend's off for the Easter weekend, so no laptop for a bit. Prolly safest just to run the whole routine again, post the lot up soon.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I will be here when you are ready. And yes, it would be a good idea to run all the scans again.
     
  7. A_Tiny_Pony

    A_Tiny_Pony Private E-2

    So, ran scans again. First set of attachments. Only interesting things of note are that ComboFix still reckons CA Antivirus is installed, and that after the SAS scan, NOD (the actual antivirus software) started picking up a threat.
     

  8. A_Tiny_Pony

    A_Tiny_Pony Private E-2

    I'm sure saying 'bump' here is in bad taste. Attached the MGtools logs.
    Edit: let me know what you need from me next.
     

    Last edited: Apr 6, 2010
  9. A_Tiny_Pony

    A_Tiny_Pony Private E-2

    So, here's a new wrinkle. Laptop started up fine this morning, so I tried to start it in safe mode to see if NOD could get the little bugger, which it's finding in the operating memory. It did the thing that it's been doing with safe mode, which is get to mup.sys and then restart, so I turned it off.

    Now, it gets to the loading Windows screen and then flashes up a bluescreen for half a second, which after much restarting I figured out says something like

    STOP:C000218 {Registry File Failure}
    The registry is corrupt cannot load the hive (file:)
    \systemroot\system32\config\SECURITY
    or its log or alternate
    is corrupt, absent or not writeable

    Just letting you know what's happening.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, your logs are clean. Your biggest problem is lack of RAM:
    Total Physical Memory 512.00 MB
    Available Physical Memory 57.46 MB

    Your other issue sounds like a software problem and would best be discussed in that forum. I would suggest your first step of action would be to go to start / run / and type:
    sfc /scannow to see if you have any corrupt or missing files. Run it twice.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  11. A_Tiny_Pony

    A_Tiny_Pony Private E-2

    Thanks heaps for that, it made a hard decision a bit easier. Knowing it was clean, my girlfriend elected just to retrieve the useful stuff and format. Of course, after the enema it's running much better. Sorry for the late reply, only just got word that the lappy was working A-OK again. Spose I'll see if it'll fit more RAM, or a bigger one or something, just to grease the wheels.
    What you guys do is amazing, and I'm big-upping you to my friends and browsing the merch in celebration.
    Consider this a job well done!
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. If you want to check to see what your system can handle as far as RAM is concerned, you can go to crucial.com and have it scan your system.
     