Completed "RUN FIRST" tasks - can you help me confirm/complete clean?

Discussion in 'Malware Help (A Specialist Will Reply)' started by apparentlytechsupport, Aug 4, 2008.

  1. apparentlytechsupport

    apparentlytechsupport Private E-2

    Hello,

    Thank you for running such a helpful site. A family friend came to me with a completely hosed computer (XP Home SP2). I haven't ever dealt with such a severely infected/infested computer, so it's taken a while to get here.

    The system has two users (both members of admin group, one is pwd protected). Originally had the full Norton suite (utilities + av), current version as of early 2008, had update subscription valid thru 2009 - presumably set to auto-update (as were m$oft/windows updates).

    When I got it, windows auto-updates were disabled, the norton was nowhere to be found (though ghost remained, peculiarly), the "task manager has been disabled by admin..." quirk was present, desktop had been changed to fake virus/infection alert. It seemed that any sort of action (right clk, using taskbar, opening ie) launched instead a fake infection warning. Even just sitting still would periodically launch these varied warning msgs (prompting to click here to download something that could fix it). These msgs even appeared in safe-mode.

    Eventually, I was able to start > run > E: to access a cd I'd burned some apps to. I ran lavasoft ad-aware, which found over 100 infections (not counting tracking cookies, but including duplicate id's). I purchased ESET NOD32 and Webroot SpySweeper. ESET didn't seem to find much, but it did pull some stuff out (especially w/ the "run after reboot" option). Spy sweeper found a good deal, and between it and the free Comodo firewall, numerous attempts to contact external ip's were intercepted (as were attempts to set start-up processes or modify registry keys).

    However, I wasn't sure how to approach the fact that there were two users, so I would run something in one user acct, reboot, then repeat in the other. Eventually the system came back to life, but every time I'd get SpySweeper and NOD32 and Ad-Aware to run clean, infections would return after a reboot (I knew this from the intercepted IP connection attempts and id's during subsequent scans). SuperAntiSpyware finally got my system to the point where multiple reboots would find only an infestation of Vundo (6 instances in 2 locations). This was only temporary however, as when I connected the network cable (I'd done all of this disconnected, by installing from burned cd's) to run the MajorGeeks "RUN THIS" sequence, stuff just came out of the woodwork.

    So, I come to you, hat (and logs) in hand, humbly requesting your expertise in cleaning this system up. I only want the data (pics, vids, etc) off of the system - I'll dump this to an ext hdd I purchased for the owner - and then I'll fdisk/format the system and start over. But I just want to make sure the files I pull off are free of these vermin.

    Thank you in advance for your help.
     


  2. apparentlytechsupport

    apparentlytechsupport Private E-2

    Adding MG logs archive.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The scans removed most of it .....let's get the rest.

    First, do you know what this is:
    C:\WINDOWS\TW9t ---> if not, remove it.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\%username%\Local Settings\Temp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
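    The temp-folder step above, done in one pass across both user accounts rather than by hand in each one. This is an added example, not part of TimW's instructions; it assumes Windows PowerShell is installed on the XP box (the thread itself uses Explorer) and uses the two folder paths from the post, skipping anything modified today exactly as the post says Windows would.

    ```powershell
    # Added example (not from the thread): report, then delete, temp files older than today
    # in C:\WINDOWS\Temp and in every profile's Local Settings\Temp on an XP-style layout.
    # Assumption: Windows PowerShell is available; run it from an account in the admin group.
    param(
        [switch]$Delete   # without -Delete the script only lists what it would remove
    )

    $today = (Get-Date).Date
    $tempDirs = @('C:\WINDOWS\Temp')
    # One Temp folder per profile, so the cleanup covers both user accounts at once.
    $tempDirs += Get-ChildItem 'C:\Documents and Settings' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Join-Path $_.FullName 'Local Settings\Temp' }

    foreach ($dir in $tempDirs) {
        if (-not (Test-Path $dir)) { continue }
        # Files from the current day are left alone, matching the instruction in the post.
        $stale = Get-ChildItem $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $today }
        foreach ($f in $stale) {
            if ($Delete) {
                Remove-Item $f.FullName -Force -ErrorAction SilentlyContinue
                # A file that survives deletion is usually locked by a running process;
                # that is worth noting when you are still hunting for active malware.
                if (Test-Path $f.FullName) { Write-Warning "still present (in use?): $($f.FullName)" }
            } else {
                Write-Output "would delete: $($f.FullName)"
            }
        }
        Write-Output ("{0}: {1} file(s) older than today" -f $dir, @($stale).Count)
    }
    ```

    Run it once without `-Delete` to review the list, then again with `-Delete`; any file reported as still present after deletion is one to mention in the next set of logs.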
  4. apparentlytechsupport

    apparentlytechsupport Private E-2

    Thank you for the quick response!

    I completed the steps you requested - please find the logs attached.

    Regarding TW9t: I don't know what that is, so I deleted it.
    Regarding the C:\Program Files\temp01 "folder" that the avenger log referenced: I viewed Program Files in windows explorer, and temp01 was indeed a file (mousing over the icon, it stated it was 0 Bytes). I right-click > deleted it. (and just emptied the recycle bin as I typed this).

    Thank you again for your priceless help. Please let me know if the coast is clear.
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look good...let's do some clean up:

    Run this: Disable/Remove Windows Messenger, to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now tell me if you are having any other malware issues.
     
  6. apparentlytechsupport

    apparentlytechsupport Private E-2

    Thank you again for your help. I have completed the tasks you asked of me (the reg merge completed successfully).

    I wasn't sure if I was supposed to repeat all of the previous "RUN FIRST" steps in all user accounts (there are two, and I had been working primarily in only one of them - though I had run the CCleaner thing in both, as well as "Administrator" in safe mode), so I logged in to the other acct, ran them, and found a few things.

    I've added the output of a Malwarebytes run, as well as the "fixes" output of a Spybot S&D run, and the "checks" output of a subsequent run showing that the three WildTangent id's that were not cleaned in the initial "fixes" attempt remain even after SS&D was run at startup. Note: I ran SS&D on the other, original account as well, and those three WildTangent id's are still there, and also impervious to SS&D clean attempts at start-up.

    Please let me know what addt'l steps I should take from here, or even if these developments should concern me.

    Thank you again. You are a life-saver.
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Always a good idea to run the malware scans on all user accounts. So other than the items in the system restore folder, you just need to delete:
    C:\WINDOWS\wt

    If you can't manually remove it:
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Tell me what other issues may remain for you.
     
  8. apparentlytechsupport

    apparentlytechsupport Private E-2

    Thanks for the continued assistance and the heads-up about multiple accounts. Avenger was successful in removing the WildTangent remnants, and I've now run the full "RUN FIRST" suite on the second acct, and nothing was identified in any of the scans. Seems like we're clean enough now to confidently copy off the data and wipe the disk. Thank you again for your help. There is a huge weight off my shoulders, as I was doing this as a favor but it was beyond my grasp. You and this site are life savers.

    One related question: does any of the malware out there make a habit of infecting (somehow) the re/install data that OEM pc manufacturers "hide" on unmounted (?) partitions of the HDD? This is a dell computer, and I'm referring to the 3-5 GB of HDD space that contains the necessary data to wipe clean the system to factory default config. I'm planning on running the recommended op procedure for this "reset" task as provided by dell, but I wonder if I should be concerned that the buggies that had infested this machine for what was apparently a few months might have embedded themselves in the OEM recovery data...

    Thank you again.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I have not encountered any infections occurring on the recovery partitions .....though I would like to know why you want to reset to factory when the system is now clean.

    Here are your final instructions:

    If you are not having any other malware problems, it is time to do our final steps:
     
  10. apparentlytechsupport

    apparentlytechsupport Private E-2

    Well, this system belongs to a family member who is not the most technologically savvy user, and over time the system has been bogged down with nuisance applications, partial uninstallations, code rot, etc., so I told them that once I got their pictures/videos off I would wipe the system. (This way I'm not responsible for why the "clean" system still runs like crap.) I am just unfamiliar with the "state of the art" in malware and its ilk, and I suspected that the data I wanted to preserve was vulnerable to infection so I wanted to clean the system before retaining the data. Thank you tremendously for helping me do this safely and confidently.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.....:)
     
