After a 1.5-day-long struggle with this one (potentially the toughest one I've had in years), I finally got it all cleaned, and said to myself "self, someone's gotta put this info up on the web for anyone else who gets this." So in the vein of thank-yous to BC and the community for so much great info over the years, I thought I'd make sure anyone else who has to deal with it can make some use of the following information:
There are several variations of the Copyright Violation scam infection. There is actually some great information about it out there already, however, this version/strain of it was particularly nasty. In most cases you can follow S!Ri's guides to input a known registration key to bypass the lockout screen and at least get into explorer to launch the task manager and get a few cleaning programs installed. I've had great success with these steps in the past, so I am specifically describing a situation where following any/all of THOSE steps do NOT WORK.
I wish I had kept screenshots of the various steps, but alas I was not expecting this to be nearly as aggravating as it turned out to be, so I'll do my best to verbally describe as many portions of the process as I can.
- Windows XP SP3, not updated since about November last year - my fault, but I've been on big projects and the road a lot and didn't realize this system's Windows updates had broken.
- Java 6 Update 12 <- you will see later this was a large culprit
- Partially uninstalled Avast Pro Managed Anti-virus
- A broken install of Sophos Anti-virus
- The user's account was a domain account and the system was bound to our corporate domain (making certain aspects of cleaning rather difficult)
- System Restore was ON
First off let me explain what DIDN'T work:
Doing ANYTHING in the user's domain account was impossible. First off, inputting S!Ri's key to bypass the scam pop-up did not work; even trying several keys proved futile, so this newer variation must have been updated to ignore any web-posted keys. Very irritating. The Task Manager had been locked out with a group policy hack, all Windows key shortcuts were disabled, and even the command prompt had been hijacked to prevent any .exe's from running, and any NEW .com processes were halted and deleted within seconds of running. -yeah NASTY.
Logging into the local administrator account allowed download of the latest ComboFix.exe and Malwarebytes Anti-Malware, but neither program worked, as you will see. First I ran ComboFix, which requested a reboot, but on reboot the process was not re-initiated. Later you will see this was due to a Java bot that held a fixed state of the registry and cleared out the RunOnce entries.
Running MBAM resulted in the program terminating and the .exe being deleted from the install directory within seconds of opening the program. This was fun because after about 3 attempts, the bot actually LEARNED my attempt to run this program and then deleted it upon uninstall and reinstall before I could even rename the program from "mbam.exe" to "mbam.com", resulting in a fresh install with NO mbam.exe...
Even safe mode did not allow any further progress. Somehow this nasty was able to function even in command-prompt-only safe mode....
I don't know for sure if there would have been a faster way of dealing with this than what I did, but the steps listed below are what got me forward movement towards cleaning it.
Start by removing the drive from the machine entirely. I used a SATA-to-USB adapter and plugged the drive into another machine altogether. I ran both ComboFix.exe and MBAM from that machine on the drive. Some 60-ish items were found and deleted. I put the drive back in the original machine after cleaning and was able to get some progress from there.
At this point the Copyright scam pop-up was still present, but now the Task Manager was no longer disabled. However, I was still unable to run .exe's or .com's. So I dropped back into safe mode with local admin and was now able to turn off System Restore, and then ran ComboFix again. This DID find more items for deletion. I'm guessing DLLs that were re-loaded into the kernel once it was rebooted back in the machine. Following the signs of progress I also tried to run MBAM; no dice.
I then went old-school and tried "roguescanfix", an old favorite of mine from a few years ago for rootkit removal. It did find some things and clear them. I also installed and ran HijackThis and cleared out everything that looked questionable (admittedly I did not save the log at this point.... sorry guys! - but I do have a later log attached).
A reboot got me into the domain account, and with no Copyright pop-up lock! (I neither confirm nor deny that my arms may have been thrown up in excitement.... and there may have been some dancing involved...) However there was an error on some gibberish DLL, so I knew there were still some lingering registry entries to contend with.
I fired up HijackThis and ran it again. Much fewer entries than the first attempt, but there were still some gibberish DLLs listed. I clicked, I cleaned (still no log at this point) and I rebooted. Here I made a stupid assumption that HijackThis did its job, so I then tried to run MBAM again, figuring some junk would be loaded in the user profile.... Then MBAM disappeared and "mbam.exe" was gone again..... (at this point I neither confirm nor deny the use of several four-letter words that are more common in our warehouses than our offices...).
Fired up HijackThis again (YES, the log that is attached) and noticed several of the entries I tried to delete one reboot ago were right back where they started....
SOOOO I tried it again..., this time I rescanned immediately after removal. Yup, you guessed it, right back. No matter what I tried, these stubborn entries would not be removed. In each case, some vanished and some came back, but if I waited long enough, they all eventually returned. I also tried using local admin to regedit the entries manually once I found them - again they reappeared before my eyes each time I deleted them.
I spent a good part of the afternoon googling all the listed DLL files for some kind of hint on how to get rid of them. NOTHING. Luckily though, through a fluke search for the original Copyright scam problem I saw a poster berating someone for having a very old version of Java, which gave me a clue. I then uninstalled Java completely and finally admitted to myself I had to delete these files externally.
The major culprit here was the entry "AppInit: gawubuwo.dll". I slowly began to figure out that this file was the ring-leader, and ultimately the only actual physical file. So after many various attempts to find and delete this file with no success, I pulled out my old standby - Knoppix Live. As we all know there is no better brute-force method for deletion than if you can mount an NTFS drive in any Unix/Linux environment. I assume here BartPE might have worked well also, but I've had mixed results with it over the years, so I just go straight for a Unix/Linux distro.
Once booted up, I mounted the drive with write permissions, browsed to [device root]\windows\system32\gawubuwo.dll and deleted that sucker.
After reboot, there was still an error pop-up for the gibberish DLL, so I loaded up HijackThis and gave the entries another shot. Sure enough they cleared out this time.
At this point the system was more or less clean. I used regedit to verify that any entries with either "ladegize.dll" or "gawubuwo.dll" were cleared out and did one more reboot.
CLEAN AS A WHISTLE! (I definitely confirm that there was much rejoicing at this point.) As a follow-up I also reinstalled the latest Java (necessary for one of our corporate applications), fully updated Windows, and reinstalled Sophos AV. Life was good.
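As an added example, not part of the original post, here is a small POSIX shell script for the Knoppix step described above, done a little more carefully than a plain delete. The HijackThis "AppInit:" line refers to the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, which makes every process that loads user32.dll also load the listed DLL; that is why the registry entries kept reappearing while the DLL was resident, and why removing the file from outside the running system finally let the entries stay deleted. The script mounts the NTFS volume read-write with ntfs-3g (assumed to be on the live CD), finds the named DLL under Windows\system32 regardless of path case, records its SHA-256 in a manifest and moves it to a quarantine directory instead of deleting it, so the sample is kept for analysis and can be restored if the file turns out to be legitimate. The function names are my own, the file name gawubuwo.dll is taken from the post, and the demo builds a constructed fake Windows tree in a temporary directory rather than touching a real volume.

```shell
#!/bin/sh
# Offline quarantine of a DLL named in AppInit_DLLs, run from a live Linux
# environment against a mounted Windows volume. Added example, not code from
# the original post. Assumes ntfs-3g for the mount step; everything else is
# POSIX sh plus coreutils (find, sha256sum, mv).

# mount_ntfs_rw DEVICE MOUNTPOINT
# Mount the Windows volume read-write (e.g. /dev/sda1 /mnt/win). ntfs-3g is
# assumed to be installed; nothing below depends on a real mount.
mount_ntfs_rw() {
    mkdir -p "$2"
    ntfs-3g "$1" "$2"
}

# find_dll ROOT NAME
# Print the path of NAME under ROOT/Windows/system32. The match is
# case-insensitive because the directory shows up as WINDOWS, Windows or
# windows depending on the install. Returns 1 when the file is absent.
find_dll() {
    root=$1
    name=$2
    found=$(find "$root" -maxdepth 3 -type f -ipath "*/windows/system32/$name" 2>/dev/null | head -n 1)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# quarantine_dll ROOT NAME QDIR
# Hash the file into QDIR/manifest.sha256 (for later analysis or a restore
# check), then move it out of system32 into QDIR. Returns 1 if not found.
quarantine_dll() {
    root=$1
    name=$2
    qdir=$3
    path=$(find_dll "$root" "$name") || return 1
    mkdir -p "$qdir"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$path" >> "$qdir/manifest.sha256"
    fi
    mv "$path" "$qdir/"
    printf 'quarantined %s -> %s\n' "$path" "$qdir"
}

# demo
# Build a constructed fake Windows tree (not a real volume) in a temp dir,
# quarantine the sample name from the post, and verify the move. Returns 0
# on success so the result can be checked by a caller.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/WINDOWS/system32"
    printf 'constructed sample, not a real DLL\n' > "$tmp/WINDOWS/system32/gawubuwo.dll"
    quarantine_dll "$tmp" gawubuwo.dll "$tmp/quarantine"
    if [ ! -e "$tmp/WINDOWS/system32/gawubuwo.dll" ] && [ -f "$tmp/quarantine/gawubuwo.dll" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: sh quarantine_appinit.sh ROOT NAME QDIR
#   e.g. after mount_ntfs_rw /dev/sda1 /mnt/win:
#        sh quarantine_appinit.sh /mnt/win gawubuwo.dll /root/quarantine
# With no arguments it runs the constructed demo instead.
if [ "$#" -eq 3 ]; then
    quarantine_dll "$1" "$2" "$3"
else
    demo
fi
```

Quarantining rather than deleting costs nothing and keeps the evidence: the manifest hash can be submitted to the AV vendor, and if a name in the AppInit list turns out to belong to a legitimate product the file goes back with a single mv. The registry side still has to be cleaned from within Windows afterwards, exactly as the post describes with HijackThis and regedit; the script only removes the file the entries point at.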