Help! Worst I've seen

Ok working on my fiance's sisters computer, this time its the other sister. She had some serious issues going on with multiple variants of vundo a couple rootkits, browser hijacker and some droppers. Its really quit messy. I couldnt hardly boot up the machine, but I have it cleaned up as much as i can now. It took forever to be able even load up the microsoft update page. let alone get the computer to update spybot s and d. So with that I have already done considerable work and I can post some of the earlier logs if needed. But here are the most current logs.
-Currently I keep getting an adaware watch warning that it is blocking "crt5.tmp (3680) from loading" it is triggering as a win32 downloaderinjector.

-None of the spyware programs seem to adequately clear the memory of these problems I been having with each reboot the keep reloading. But at least I could finally update adaware, windows xp, spybot s and d, mabm, and superantispyware. previously they would be blocked or hijacked if in a browser.

-most current logs follow

 

-other current logs

 

This was one of the original logs to see what was all on there before I could update windows, java, or any of the malware removal programs because it was blocked but should give you some idea of what was on here originally if that helps. THIS IS NOT THE MOST CURRENT LOG, see below


Let me know if you need anything else

and

Thanks for your help.

 

First off thank you for your help I will try to answer the questions the best that I can

“Do you know why she was running this PC with no protection?”

I don’t know why they didn’t have an up to date virus protection on the computer. It did have an old out of date version of Norton from 03’ that I have removed in preparation of installing CA on it for them. That is if I don’t need to do a full format and reinstall.

“Do you have Windows XP Home Edition SP3 on CD”

I currently only have a Home edition sp2 slipstream I created. but I have upgraded my xp home with sp3 and so I will need to make a new slipstream sp3 disc anyhow if I ever plan on restoring it, without wiping all my info, so. Yes that is doable.

“Uninstall the below old versions of software….. Kazaa”

I have tried to manually uninstall those files I think the uninstall file is corrupt I will search for a means to manually uninstall them. I cannot find this anywhere on the c:\ and I have deleted a few registry items still left over from it, but if you know of any other way to remove it or if it still shows on the coming scans please let me know.

“Run C:\MGtools\analyse.exe by double clicking on it”
“fix…. Exit hjt”

done, no problems

“open note pad and copy…. Kill all <cmd>” “run combofix using this script”

done no problem

“run cc cleaner”

done, no problem

“install new copy of MG tools, and run”

Done, Rootkit activity detected, 2 reboots later I got error at very end, don’t know if it was related but I suspect it was. Error said application failed to initialize properly 0xc0000007b. After I closed that window and the log finished.

My Ethernet was connected to the network, and while I was typing this out on the other computer to post spyware protect 2009 popped up. So I know I am not clean. Adaware live scan also noticed some kind of attack called banker fox.a to port 62657 of the machine. I have turned windows firewall on but usually these things have some kind of ways to bypass or turn these off.

Let me know what the logs uncover, and if you have any more ideas. I am thinking I may need to backup their text, pictures, pdf files and the like and then just do a complete HD reformat and reinstall at this point. Unless you think there is anyway we may salvage it. If I do go this route what should I avoid saving, that may risk reinfestation if I move it over. Could anything follow the pictures, mp3s and pdf files over?

Thanks for you help.
Logs posted.

 

Ok i found the attack detected was actually that spyware protect malware program. it was doing it even when not connected to the router. I have installed ca firewall and virus, and it did detect virtu.17408 infecting 4 key files that it couldnt clean till a reboot.

-it was infecting winnt\system32\rundll32.exe (x2 one was in capital letters and on in lower case letters)

-an it was infecting system32\svchoste.exe (x2 one in capital letters and one in lower case letters)

I think it cleaned these and corrupted the files and made them unstable. upon reboot windows boots but when selecting a user it logs on and then quickly logs that user off to the user select screen again. even in safe mode. so looks like i will be slipstreaming that sp3 disc after all. to see if i can get back in to the desktop gui :cry

please still let me know what the logs show, as if i get xp backusable i need to determine if backing up the pics, docs. and reformatting the hard disk will be the best method or if it is cleanable.

thanks for all the help

 

Ok, thank you for your honesty. I will do what I can to back up the necessary items and scan them with a virus checker. I will discuss what has to be backed up and delete everything not essential. I am sure she would want to save financial information, and the like.

I was aware that the vundo variants did try to spread on the network from shared drives. Do you think my computer would have been at risk if it was connected to a network via router at the same time as that computer too? I know i made sure I had a different work group name from the infected computer, and think i had my software firewall up most of the time, it was connected.

I had a feeling that it was going to come to this, just by running the first scan and seeing what all had been infected. My original thought was reformat start from scratch but I was hoping to keep all of her information for her. I did end up making the sp3 slipstream disc an unattended version so at least it will come in use, once i delete all those partitions.:cool so at least i know i didnt waste all my time.