Trojan Woes

-Machine Xp sp3 build 2600 080814-1236
P4 1gig ram

-Introduction:major
I have been fixing friends infected computers and damaged parts for many years now, however my auntie who downloaded and ran a Trojan from a file she downloaded in lime wire (i told her not to use it!:cry) informed her she needed to download X.file to view what she just downloaded.
I have tried all my tricks to fix it but nothing worked.
Things i normally try (and up until this point have worked);

1. Avg (already installed, gave it a go but it would not start, it is uninstalled now.)
2. Crap Cleaner
3. RunViewer (Used up free trial)
4. HijackThis
5. Nod32 (picked up some things after the first, 2 hour scan, nothing on the next)
6. A .exe file association repair registry entry file (worth a shot)
7. Recovery Console (was going to reset windows policies, i still have not reset them yet)

-Symptoms Before:major

1. Her user profile seems to have been restricted, "folder options" was removed Processing Time egg kept appearing
2. .exe files in the root of C:\
3. Constant web redirecting to anti spyware programs (irony) ->webclicks
4. Huge slow down in speed
5. Some .exe programs fail to execute
6. System Restore wont initiate.

-Symptoms After :major

1. i tried to repair, (i made a new user with administrator rights to gain more control and view hidden files.)
2. Browser Hijacking still
3. Some .exe programs fail to execute
4. System restore still wont initiate.

-Following the guide from this point on:major

1. Mbam does not start.
2. Spy bot does not start.
3. SuperantiSpyware does not start.
4. combofix does not start.
5. Mgtools ran and made a log file.

By not run i mean i double click on the exe, the time egg shows up for about 1 second then disappears.

Made an sp3 cd (from from another pc, i might try from hers tommorow) and the Recovery Console still will not run. As soon as i click it it fails to get past the blinking dashing line.

Latest javascript will not install returning the error "The system administrator has set policies to prevent this installation"-another reason for my self to try and reset policies (still need to try and do it)

Any Help would be greatly appreciated (i want to cure this machine, i see formatting as been defeated, also my auntie requested if possible to back it up and with it being infected by an unknown trojan and my pc the only way to back her data up (single hard drive) i would be worried for my files also)

I will be back in about 16 hours to reply (sorry if that is to far away, in between those 16 hours are a nights sleep:zzz and a 9 hours shift of work-doh)
(attached is the only log file i could generate)
Thanks in advance-Eppiox

 

Thank you for helping and.
Update:
TDSServ.sys is not there.
HJT successful
Reg file successful

C:\WINDOWS\TEMP\UAC998b.tmp (all temp was cleared out)
C:\a.exe (is actually a renamed mBam install, renamed it from mb to see if it worked, also trojan was using this file name, thought it was worth a shot)
C:\VirusTrojanBusting --> unless this is something you created. (it was, has other apps, dll monitors, process tree monitors (all useless in this case)
C:\WINDOWS\system32\ghu02 (deleted
C:\WINDOWS\system32\a.dll (deleted

The java applet installed
No other programs ran that already did not

Mbam gives an error
vbAcceleration SGrid II Controll
Error "0"
then another error
Mbam error
Error 440, automation error
i see a lot of "missing .mui" in logs when ever i try to run these programs.
I can now see the folder options menu in the original user account though

 

The original Trojan was deleted by my auntie along with lime wire, nod32 killed off about 60+ items and i had already run HJT and a few other apps to see what i could disable.

I think the result might lie with windows policies :/ but i do not know how to reset them without the recovery console.

 

Hello TimW I finally fixed the machine.
I tried to run the windows file but it returned "Administrator has disabled this option in policies "(cant remember exact wording) however i was in administrator in safe mode.

I snooped around and found an AVG anti root kit. Found 13 items removed them and then the system seemed to be back to normal with hijacking still happening however.

Ran the windows file, then the command you made and it seems fine.

I had no idea what a root kit was until this morning.
After reading if you are infected on the Kernel level via root kits you are never 100% sure of a clean system.

As she does a lot of internet banking related things on her system i suggested a format and stronger virus prevention programs (just to be 100% sure and not 90%)

Thanks for all your help! Perhaps a root kit scan should be the first step when someone says they cant get a few virus scanner programs to run if it not to great a risk.