Masters!!! your loyal follower needs your help again!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by griggi63, May 24, 2008.

  1. griggi63

    griggi63 Private First Class

    Good afternoon, Honorable Gentlemen. I need your help again. I am trying to repair a friend's computer that was apparently hit by some sort of virus/malware through an email attachment. She states that it came from a friendly source and trusted it, and then "blamo": flashing blue screen... scads of porn popups. She panicked and just pulled the plug. Her husband tried to fire it back up and got error after error, no connectivity... etc., etc.
    Well, my first step as you instruct is to go to Add/Remove Programs... only there seems to be no way to get there now. A lot of control items have disappeared. Rather than fly blind, I figured I would stop at this point and ask your advice before I went any further... also I did notice multiple spyware programs, and it seems to have Norton (yuk) antivirus installed, although I'm not sure which version. Will patiently await further instructions, and thank you in advance for any and all help!!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you boot into safe mode?

    Can you download the tools to a diff. computer and transfer to the infected one with a thumb drive?

    ComboFix does not require an install, so I would try that first.

    I assume you have not been able to do a system restore?
     
  3. griggi63

    griggi63 Private First Class

    Yes, I can boot into safe mode, and I do have a thumb drive to put the downloads on... I am on my PC; I do not have the other PC on the net at the moment. I did try ComboFix, but I'm not sure if it worked or not: a little rectangular bar opened and filled with green squares, but there was no confirmation of anything, so I do not know the result. Did a system restore to 30 days prior; it seemed to slow down the errors, but they are still there. The system resources in the Task Manager show 100% usage and fluctuate up and down, but not very far down, and if you go into running processes there are items whose usage rates go up and down, and it seems like processes flash on and off. I have never seen anything like this before... so I am very unsure what to do first.

    Also, I am in Administrator under safe mode, but access is denied to installing and running CCleaner and Add/Remove Programs... something about a rundll error.

    PS... it doesn't seem to like safe mode... the screen keeps going black and removing all icons and toolbars, then I have to reboot.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download and run the MGTools.exe... it should be on the root drive (C:\MGTools ...), but if you can get it to run from the desktop, do so for now and attach the C:\MGlogs.zip
     
  5. griggi63

    griggi63 Private First Class

    I do not know where to download MGTools from....

    Scratch that... I found it. You have changed some things around since the last time I was here; please excuse my error... if possible I will add it to this through edit.
     
  6. griggi63

    griggi63 Private First Class

    OK, in safe mode... from the desktop I get this:

    16 bit MS-DOS Subsystem (blue bar)
    C:\windows\system32\cmd.exe
    C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.
    You can choose "Close" or "Ignore"... choosing Ignore does nothing, it keeps popping up... choosing Close will not close it; it says "The process cannot access the file because it is being used by another process."
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is explained in the Using Mgtools link. Please follow the instructions given in the link.
     
  8. griggi63

    griggi63 Private First Class

    CHASLANG!!! Nice to hear from you again... OK, I think I was a little impatient. It ran its course and this is what I have obtained.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please refer to the fix that Chas referred you to if you have errors running MGlogs, pertaining to the warning you got... your log was empty. Also, when you run the C:\MGtools\GetLogs.bat file after doing the fix, make sure you accept the HJT license....
     
  10. griggi63

    griggi63 Private First Class

    I had run the fix right after I reread the MGTools instructions and reran it, but I had already posted the first file and didn't want to jump my own thread (and also was not sure that the info was not in the original file). My apologies. Here is the new file....
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you letting it run until it is completely finished?

    It is missing the four logs that I need... newfiles.txt, runkeys.txt, hijackthis.log, and procdll.txt.

    What about the Malwarebytes log... will that also not run? What about SUPERAntiSpyware?

    Did you download ComboFix and try to run it?
     
    Last edited by a moderator: May 24, 2008
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The fix for the 16 bit MS-DOS Subsystem error has to be saved into the system32 folder, which is the default. Is that where you saved it when you ran one of the two below:
     
  13. griggi63

    griggi63 Private First Class

    I only ran the xphomefix, and I believe we did just put it in the wrong place. Right now we have started over from basically step 1 of the README to see where we went wrong; some things that weren't working before are now able to run. I apologize; I somehow got lost in the instructions for the xpfix. We have just basically started from the beginning, and I am writing down step by step what we have done, with results of what can run and not run. Sorry about all the confusion; I have never seen a system as bad as this, and with the PC just shutting down or locking up during some of the procedures it is making it very difficult to keep track... hence the handwritten log I am making now that I will post along with the logs that I am able to get.
     
  14. griggi63

    griggi63 Private First Class

    OK, to this point this is what we have done after the mishmash.

    1. Ran CCleaner
    2. At this point there is no Add/Remove or Control Panel
    3. Did not do Sun Java as the system is not on the net
    4. MSConfig was done
    5. Norton was previously uninstalled
    6. Since only being able to run in safe mode, could not run SUPERAntiSpyware.
    7. Spybot: updated manually and ran.
    8. Malwarebytes ran... log will be included. After reboot the system managed to stay in normal mode; Control Panel is back; checked Add/Remove for unknowns, none present. At this reboot, AVSystemCare was attempting to install; went into Task Manager and stopped it. Also at this time Spybot refired on its own, so we let it run its course and it found a few more items and fixed them. Since normal startup was obtained, took a step backwards and ran SUPERAntiSpyware... log will be included.
    9. ComboFix ran... but would not allow the special instruction ("%userprofile%\desktop\cf.exe" /killall) to start the process; had renamed the icon as instructed and just double clicked the desktop icon and it fired... whether this will still give the results needed I don't know, but will attach the log that it provided.

    At this point we are running MGTools... since I can only post 3 items, I figured I'd give you this info while we run MGTools...
     

    Attached Files:

  15. griggi63

    griggi63 Private First Class

    OK, MGTools ran... no errors this time... the only discrepancy was that the window did not close itself... log attached.

    At this time we have not put it online, as we are waiting for instructions for anything else that needs to be done... am looking for a way to remove the AVSystemCare, and that will be the only thing done until we hear from you.
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, it is quite a mess... you (they) are running without anti-virus software and without either SP2 or SP3.

    Please use add/remove programs to uninstall:
    Java 2 Runtime Environment, SE v1.4.2_03
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click; use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.
    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now download and install:
    Java Runtime 6
    An anti-virus program

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  17. griggi63

    griggi63 Private First Class

    A couple of items you wanted me to fix in analyse were not there, but I checked the rest that you mentioned. I copied the fixME and put it on the desktop, but when I double click it, it will ask if I'm sure I want to add it; I click yes and it gives me an error of cannot import... error accessing registry.... I did not want to go any further... should I have done this in safe mode?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What was the full message? Did it say "You can only import binary registry files from within the registry editor"?

    If so, you need to create the registry patch properly. No blank lines should be above the REGEDIT4 line and make sure you included the REGEDIT4 line.
     
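The header rule chaslang gives above can be checked mechanically before the patch is merged. What follows is an added example for this thread: my own Python checker, not a MajorGeeks tool and not TimW's fixME.reg (the patch contents are not quoted in the thread). It applies that rule, then adds a few sanity checks of its own on key and value lines, and `fix_header` (a name I chose) strips whatever precedes the header. The sample patch inside it is constructed; the key and value names are made up. It only catches format problems, which is the failure chaslang is asking about; as the next posts show, the message griggi63 actually got was a different one.

```python
"""Pre-flight check for a hand-made .reg patch (fixME.reg style).

Added example for this thread, not a MajorGeeks tool and not the patch
TimW posted (its contents are not in the thread). It mechanically applies
the rule chaslang gives: the header line (REGEDIT4, or
"Windows Registry Editor Version 5.00") must be the first line, with
nothing, not even a blank line, above it. The key/value checks after that
are extra sanity checks of the .reg syntax. SAMPLE_PATCH is constructed;
its key and value names are made up.
"""
import re
from typing import List

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")

# [HIVE\path] opens a key; [-HIVE\path] deletes it.
KEY_RE = re.compile(r'^\[(-?)([^\\\]]+)(\\[^\]]*)?\]$')
# "name"=data or @=data; data is -, "string", dword:xxxxxxxx or hex(...):...
VALUE_RE = re.compile(
    r'^(@|"(?:[^"\\]|\\.)+")='
    r'(-|"(?:[^"\\]|\\.)*"|dword:[0-9a-fA-F]{1,8}|hex(?:\([0-9a-fA-F]+\))?:.*)$'
)


def decode_reg(data: bytes) -> str:
    """Regedit exports v5 files as UTF-16LE with a BOM; REGEDIT4 patches are ANSI text."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def check_reg(text: str) -> List[str]:
    """Return the problems found; an empty list means the format is acceptable."""
    problems: List[str] = []
    lines = text.replace("\r\n", "\n").split("\n")
    header_at = next((i for i, ln in enumerate(lines) if ln.strip() in HEADERS), -1)
    if header_at < 0:
        problems.append("missing header line (expected REGEDIT4 or "
                        '"Windows Registry Editor Version 5.00")')
    elif header_at > 0:
        # The case chaslang describes: regedit refuses the file when
        # anything, even a blank line, sits above the header.
        problems.append("%d line(s) above the %s header; nothing may precede it"
                        % (header_at, lines[header_at].strip()))
    body = lines[header_at + 1:]

    # hex: data may continue on following lines, each ending in a backslash.
    joined, buf = [], ""
    for ln in body:
        s = ln.strip()
        if s.endswith("\\"):
            buf += s[:-1]
            continue
        joined.append(buf + s)
        buf = ""
    if buf:
        problems.append("unterminated continuation line at end of file")

    in_key = False
    for s in joined:
        if not s or s.startswith(";"):
            continue
        m = KEY_RE.match(s)
        if m:
            if m.group(2) not in HIVES:
                problems.append("key %s: use the full hive name, e.g. HKEY_LOCAL_MACHINE" % s)
            in_key = True
        elif not in_key:
            problems.append("value outside any [key] section: %s" % s)
        elif not VALUE_RE.match(s):
            problems.append("malformed value line: %s" % s)
    return problems


def fix_header(text: str) -> str:
    """Drop anything above the header, or prepend REGEDIT4 when there is none."""
    lines = text.replace("\r\n", "\n").split("\n")
    for i, ln in enumerate(lines):
        if ln.strip() in HEADERS:
            lines = [ln.strip()] + lines[i + 1:]
            break
    else:
        lines = ["REGEDIT4", ""] + lines
    return "\r\n".join(lines)


# Constructed sample: deletes one value and sets another under a made-up key.
SAMPLE_PATCH = (
    "REGEDIT4\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\ExampleApp]\r\n"
    '"Sample"=dword:00000000\r\n'
    '"Gone"=-\r\n'
)
BROKEN_PATCH = "\r\n" + SAMPLE_PATCH   # one blank line above the header

if __name__ == "__main__":
    for name, patch in (("sample", SAMPLE_PATCH), ("broken", BROKEN_PATCH)):
        print(name, check_reg(patch) or "OK")
    print("after fix_header:", check_reg(fix_header(BROKEN_PATCH)) or "OK")
```

To use it on a real file, read the bytes, pass them through `decode_reg`, and run `check_reg` before merging; if the only complaint is the header, `fix_header` produces a version saved with CRLF line endings as Notepad would.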
  19. griggi63

    griggi63 Private First Class

    It says...

    Cannot import C:\DOCUME-1\Don\Desktop\fixMe.reg: Error accessing the registry.

    And I also noticed that some old Windows updates were trying to install, including SP2, but it would fail saying another process was using it (I can't remember which process name). So at this point I'm kind of dead in the water.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Skip the registry patch for now and continue.
     
  21. griggi63

    griggi63 Private First Class

    OK, went ahead and skipped the fixME.
    Ran Avenger... log included.
    Ran ATF.
    Ran the Java Runtime 6.

    At this point a reboot, don't remember why (this was last night)... and the automatic updates came up to install XP SP2... figured I would try to let it do its job, and it ran this time.

    Installed AVG 8 and let it do a full system scan and removed whatever it found.

    MGtools\GetLogs.bat... MGlogs.zip included.

    Still as of this time I have not yet put the PC online. Have been doing all downloading through a flash drive and transferring info back and forth.

    fixME.reg is not yet functional.
     

    Attached Files:

  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet! .....looking very good.

    Right click the desktop fixMe.reg and delete it.

    Now let's try again with non-critical patching:
    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Did that work?

    Your logs are clean!

    Tell me how things are running.
     
  23. griggi63

    griggi63 Private First Class

    OK, what a difference. Seems to be running very well. Any further instructions or logs you need? I am sending this from the actual PC now. I just put it online and let the Windows updates do their thing (56 in all, including IE7). I have AVG 8 running, and turned the Windows Firewall back on (did not want to change this yet till I talked with the owner).
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet....good to know.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    2.
    * Click START then RUN
    * Now type "%userprofile%\Desktop\cf" /u in the runbox and click OK.
    * Note the space between the cf and the /u; it must be there.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    5. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    6. After doing the above, you should work thru the below link:
    How to Protect yourself from malware!
     
  25. griggi63

    griggi63 Private First Class

    OK, my friend... all is done, except the ComboFix was already gone... I'm thinking from a previous step/mishap, not sure, but it's nowhere to be found. I am instructing the owner on what to do next and providing links to the MG forums to keep their PC safe, and letting them decide which other options they want to take.

    Can't thank you enough, and as always you guys are truly a godsend to those of us who know how to jack up a PC.

    Thank you Master Tim, Chas, Attitude and all who fight.

    God Bless
     
  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    On behalf of us all..you are welcome...safe surfing. :)
     
