Trojan stops me from following Read & Run

Discussion in 'Malware Help (A Specialist Will Reply)' started by Steve83, Dec 27, 2008.

  1. Steve83

    Steve83 Private E-2

    I just typed a LONG post, and got logged out by the time I submitted it, so it was lost. :crybaby

    There's a lot to explain (and I'm sure I'll forget some retyping it now) but the short version is: I can't follow several of the steps required by the EXCELLENT tutorial thread. :cry All of this is about a friend's Dell Dim4550 (WinXPH IE6) which is set up beside the one I'm using now. I started trying to fix it BEFORE I read the tutorial here, so some things were done out-of-order. But I did read the whole tutorial, including the links, & some of the links in the links. I also read all the similar threads from the title search on the New Thread page, but none discussed the INability to follow the Read & Run steps.

    My friend let a friend try to dl some stupid video a few days ago (not porn, but I don't remember exactly what it was; maybe something about a band being in trouble), and he immediately started getting popups for spyware removers. He was running AVGfree, but IDK if he ever updated it. I tried to coach him over the phone for a few hours including installing SpyBot from CDR, but it failed. So he brought it to me, and I've been messing with it for ~4 days now. I uninstalled a bunch of apps he didn't need, or didn't recognize, or that I knew were problems (including AVG, p2pnetworking, some game & ad programs, and something like "Apple Mobile Device"), deleted an unused dialup connection (which really slowed down the popups since it's also NOT connected to my router/switch), found that MSMessenger was already disabled even though it appeared in the System Tray after every boot & eventually deleted its folder under Program Files, ran NAV09 from its original CD but didn't let it dl updates so the definitions are a few months old (that also removed the wallpaper image & lost the desktop icons/Start bar until I manually ran explorer.exe thru TaskMan), and it cleared ~12 items but couldn't remove 4 instances of AdWare (I think that was the name).

    I made him dl 105 removal tools from Symantec onto CDR, but they take a LONG time to run, so I'm only ~1/2way thru, and none of them have hit. Some don't seem to run; some lock up at the end requiring a boot; some run so fast I'm not sure they're working; but most scan every file on the HDD. I emptied the Recycle Bin (& deleted NPROTECT\ from an old installation many years ago), and I wanted to delete all the C:\WINDOWS\$Uninstall... folders to speed them up, but Folder Options is gone. It's not in Control Panel, the Tools menu of Windows Explorer, and even the direct link in Help fails - I get a window telling me the administrator has disabled that function. So I can't show hidden/system files. I was only able to see/remember 1 folder name from the progress bar of the removal tools, and I deleted that folder. Some of the tools require Safe Mode, but when I boot that way, no desktop icons appear, no Start bar, & TaskMan won't run (CtrlAltDel) so there's nothing I can do.

    Each time I boot (Normal mode only), I run TaskMan & end ~1/2 the processes before running the removal tools. Things like ~tmpb12.exe, alg.exe, jusched.exe, anything beginning with "hp..." (since no HP hardware is connected), & anything that seems to suggest messaging. Some come back instantly (wscntfy.exe, but I've learned this is WinSecurityCtr); some take a while to return (HPZipm12.exe, wCcR5P80.exe, & AppleMobileDevice until I uninstalled it); some appear sporadically for a few seconds (dfrgntfs.exe), but that might be related to the removal tools.

    Today, just before finding this BBS, I discovered that I can't open Add/Remove Programs any more. When I try, another instance of rundll32.exe appears briefly, but no window. I haven't booted since discovering that, so maybe it's temporary.

    We managed to copy all his JPGs onto his 8GB thumbdrive, but we forgot to get his MP3s (can either of them carry an infection?). He has a few games installed for which he can't find all the install disks, which is the only reason we're trying to salvage this system.

    Is this just too much to fight? Should I format the HDD, clear the BIOS, & start over? Should I finish running the Symantec Removal Tools? Should I keep ending processes after each boot? Should I fill the case with battery acid & mail it to Dell? rolleyes
     
    Last edited: Dec 27, 2008
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First make sure that when you log in to MG's you check the "Remember Me" box.

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.

    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide

    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  3. Steve83

    Steve83 Private E-2

    Thanks for the reply, but as I stated in my (epic) 1st post, I can't follow those steps OR do anything in Safe Mode. Safe Mode gets me a black screen (with "Safe Mode" in the corners) with no icons & no start bar. This trojan has his system by the wedding veg!

    Since that post, I've continued to run the Symantec tools (from CDR) and I'm almost through all 105. The only hit was from the Vundo tool, which reported terminating 1 process & suspending 1, but it terminated NO threads, deleted NO files, & fixed NO registry entries. I ran it again with precisely the same result, & moved on.

    After another removal tool locked up, I booted, & Add/Remove works again. But there's nothing in it on the list here. I also used the (long) list of $NtUninstallKB######$\ on my XP system to find some of the hidden ones on his & delete them.

    There's a bunch of trash in the Startup tab of MSCONFIG including a few entries running from \LOCALSETTINGS\Temp\ which correspond to a few of the processes that I couldn't end, so I'm guessing those are part of the problem.
    dcsm (DriveCleaner Free, which isn't installed in Add/Rem)
    IMJPMIG (the command line switches are "/Spoil /RemAdvDef /Migration32")
    IMEKRMIG (possibly legitimate MS foreign language support which he doesn't need or use)
    BCMSMMSG (? is that what added MSMessenger even though the native service was disabled?)
    NvCpl (?)
    nwiz (the command line switch is "/install")
    NvMcTray (?)
    dumprep 0 -u (?)
    REGSHAVE ("/AUTORUN")
    P2P Networking ("/AUTORUN", I uninstalled that from Add/Rem)
    hphmon05 (possibly related to his HP printer, but it runs from \WINDOWS\System32\)
    hpztsb09 (same as above)
    ckhbksum (?)
    urod (? running from \Docs&Settings\...\AppData\)
    msmsgs ("/background" running from ProgFiles\Messenger\ which I thought I deleted)
    aim (which isn't in Add/Rem)
    ~tmpb (running from \Docs&Settings\...\LocalSettings\Temp\)
    yyy8289 (running from \Docs&Settings\...\LocalSettings\Temp\)
    csrssc (running from \Docs&Settings\...\LocalSettings\Temp\)
    DESKTOP (twice, referencing DESKTOP.INI which recently began opening in Notepad after each boot)

    In the Services tab, there are a few Unknown Mfr. entries:
    DSBrokerService - Stopped
    InstallDriver Table Manager - Stopped
    Java Quick Starter - Stopped
    Windows Media Player Network Sharing Service - Stopped

    While typing this, I've gone thru 3 more removal tools, so when they're done, I'll go back to the Read&Run Guide & follow as much of it as I can. When I get some reports, I'll post back here.
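    The MSCONFIG Startup list above is the kind of data a malware helper triages by hand: entries launched from a user's Temp or Application Data folders, names that look random, and names that imitate core Windows processes (csrssc vs. csrss) are the ones that get flagged first. The script below is an added example, not code from the post or from MajorGeeks; its sample entries are constructed from the names mentioned above, and the heuristics are the general ones an analyst applies, not the Read & Run guide's own checks.

```python
import re

# Constructed sample in the shape of the MSCONFIG Startup tab listed above;
# the paths are illustrative, not a dump from a real machine.
STARTUP_ENTRIES = [
    ("NvCpl", r"C:\WINDOWS\system32\NvCpl.dll"),
    ("hphmon05", r"C:\WINDOWS\System32\hphmon05.exe"),
    ("msmsgs", r"C:\Program Files\Messenger\msmsgs.exe"),
    ("~tmpb", r"C:\Documents and Settings\Bob\Local Settings\Temp\~tmpb12.exe"),
    ("yyy8289", r"C:\Documents and Settings\Bob\Local Settings\Temp\yyy8289.exe"),
    ("csrssc", r"C:\Documents and Settings\Bob\Local Settings\Temp\csrssc.exe"),
    ("urod", r"C:\Documents and Settings\Bob\Application Data\urod.exe"),
]

# Directories an ordinary installed program has no reason to autostart from.
USER_WRITABLE_DIRS = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")
# Core Windows process names that malware likes to imitate (csrssc ~ csrss).
SYSTEM_NAMES = ("csrss", "svchost", "lsass", "winlogon", "smss", "services")


def assess_entry(name, path):
    """Return the reasons this autorun entry deserves a closer look (empty = nothing odd)."""
    reasons = []
    lower = path.lower()
    # File name without directory and extension, e.g. "yyy8289".
    stem = lower.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if any(d in lower for d in USER_WRITABLE_DIRS):
        reasons.append("starts from a user-writable temp/profile directory")
    if stem.startswith("~"):
        reasons.append("temp-file style name")
    if re.fullmatch(r"[a-z]{1,4}\d{3,}", stem):
        reasons.append("random-looking name")
    if any(stem != s and stem.startswith(s) for s in SYSTEM_NAMES):
        reasons.append("name imitates a core Windows process")
    return reasons


def triage(entries):
    """Map entry name -> reasons, keeping only entries with at least one reason."""
    return {name: r for name, path in entries if (r := assess_entry(name, path))}


if __name__ == "__main__":
    for name, reasons in triage(STARTUP_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample above the vendor entries in System32 and Program Files pass clean, while the four Temp/AppData entries are each reported with at least one reason.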
     
  4. Steve83

    Steve83 Private E-2

    This thread can probably be locked now.

    I got fed up & just reinstalled the OS. Sorry to have wasted your time & mine, but thanks for the GREAT articles on how to reduce the risk in the future. I'll be following the Protection thread on every system in my house (5), and I'm putting the link on my friend's computer so he can read/follow it, too.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry to hear that......wish you could have run the scans and given us the logs. We probably could have avoided a re-install.
     
  6. Steve83

    Steve83 Private E-2

    Yeah, I'd have been interested to know what it was, too, but it just wasn't worth the time. He found his install disks for everything he still wanted on the system, and I was getting tired of fighting it.

    This is also a bridge that has been crossed, but if you have a minute...

    I formatted the HDD & installed WXPP from its CD. But each time it booted, I got a choice of either the new XPP OS, or the old XPH (which obviously doesn't exist). Now, I've already fixed it by editing the boot.ini file, but I don't unnerstan how a NEW boot.ini file on a freshly-formatted HDD ended up with an entry referencing a wiped OS... Seems like when the drive was formatted, that all would have been lost, and the new boot.ini would only show the new (& ONLY) OS on the HDD. Does the mobo store that info somehow so it survives wiping the HDD? If so, WHY??? If the drive is wiped, it seems like that would be a good time to LOSE any references to what WAS on it.

    BTW
    The hardest part of the process was figuring out which driver to install for the onboard NIC so I could DL more drivers! Especially since there was ALSO no driver for the USB hubs OR the 8G flash drives I was using to transfer files.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    My guess would be that you did a quick format instead of a full format. :(
     
  8. Steve83

    Steve83 Private E-2

    No, I clicked full, and it took ~1hr to format before files began to be copied onto the HDD. Anyway, it's fixed & I gave it back to him, with a link to the Protect page here at the TOP of his favorites list. ;)

    The page I found (on another site) with instructions to remove the reference to the old OS described editing BOOT.INI in a command-prompt window, and that worked for me. But when I was tweaking some stuff later, I found that it can be edited more easily from System Properties>Advanced tab>Startup and Recovery Settings>System Startup Edit.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.......safe surfing. :)
     