Unpatched Windows XP for 4 years, no root password: 250+ infected files

Discussion in 'malware problems & news' started by wearetheborg, Jul 31, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    \rant

    So I had set up a computer for my parents 4 years back; after that they never patched it. The root account has no password. Today I ran MBAM on it.
    250+ infected files
    Registry Keys Infected: 4
    Registry Values Infected: 1
    Folders Infected: 13

    1 trojan
    2 worms
    2 backdoors
    250+ rogue software files (all related to smartbridge)

    :doubt: o_O

    I installed MBAM using a USB key. Now, the USB key has autorun.inf file. Is this malware?
    autorun.inf:
    Code:
    [autorun]
    UsEaUtOpLaY=1
    SHeLl\opEN=Open
    OPen=storage\sys.exe
    SHElL\opeN\coMmand=storage\sys.exe
    There is also now a new Storage\sys.exe file in the USB key
    The new Storage directory has a desktop.ini file:
    Code:
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}^@
    EDIT: Uploaded the exe file to virustotal. Here is the report(preanalysed):
    ~ Virus Total Results Removed per Policy ~
     
    Last edited by a moderator: Jul 31, 2010
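The autorun.inf and desktop.ini above are a textbook removable-drive worm: `open=` and `shell\open\command=` both point at the dropped `storage\sys.exe`, the mixed-case keys are there to slip past naive scanners (Windows reads INI names case-insensitively anyway), and the `.ShellClassInfo` CLSID {645FF040-5081-101B-9F08-00AA002F954E} is the Recycle Bin, so Explorer shows the `Storage` folder as a Recycle Bin instead of listing its contents. The script below is an added example, not part of the original post: it parses an autorun.inf the way Windows does, flags the dangerous keys, checks whether the referenced payload exists and carries a PE `MZ` header, and flags desktop.ini disguises. `SAMPLE_AUTORUN` and `SAMPLE_DESKTOP_INI` are constructed copies of the posted files; the function names, heuristics and the extra Control Panel / My Computer CLSIDs are this example's own.

```python
"""Flag USB-worm style autorun.inf and desktop.ini files on a mounted drive.
Added example, not from the original post; SAMPLE_* mirror the files posted
in the thread, the heuristics and names are this example's own."""
import os
import tempfile

# autorun.inf as posted.  Mixed-case keys are a classic trick against naive
# signature scanners; Windows reads INI section and key names case-insensitively.
SAMPLE_AUTORUN = """[autorun]
UsEaUtOpLaY=1
SHeLl\\opEN=Open
OPen=storage\\sys.exe
SHElL\\opeN\\coMmand=storage\\sys.exe
"""
# desktop.ini as posted (the trailing ^@ in the post is a NUL byte).
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\r\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\x00"

# Shell-folder CLSIDs abused to make a payload directory render as a system
# object, so Explorer opens that object instead of listing the folder's files.
CLSID_DISGUISES = {
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
    "{21EC2020-3AEA-1069-A2DD-08002B30309D}": "Control Panel",
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "My Computer",
}

def parse_ini(text):
    """Minimal INI parser: section and key names lower-cased, NULs dropped."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            data[section][key.strip().lower()] = value.strip()
    return data

def analyze_autorun(text):
    """Return (reason, target-or-None) findings for an autorun.inf body."""
    findings = []
    for key, value in parse_ini(text).get("autorun", {}).items():
        if key in ("open", "shellexecute"):
            findings.append(("runs program on insert", value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            # shell\<verb>\command runs when the verb is chosen in Explorer
            # (double-click = "open"), so the payload runs even with AutoPlay off.
            findings.append(("hijacks Explorer verb '%s'" % key.split("\\")[1], value))
        elif key == "useautoplay" and value == "1":
            findings.append(("forces AutoPlay", None))
    return findings

def analyze_desktop_ini(text):
    """Return a description if the folder is disguised as a shell object, else None."""
    clsid = parse_ini(text).get(".shellclassinfo", {}).get("clsid", "").upper()
    if clsid in CLSID_DISGUISES:
        return "folder disguised as %s" % CLSID_DISGUISES[clsid]
    return None

def scan_drive(root):
    """Scan a drive root; each autorun target is also checked for a PE 'MZ' header."""
    report = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, errors="replace") as f:
            findings = analyze_autorun(f.read())
        for reason, target in findings:
            entry = {"file": "autorun.inf", "reason": reason, "target": target, "target_is_pe": False}
            payload = os.path.join(root, *target.split("\\")) if target else None
            if payload and os.path.isfile(payload):
                with open(payload, "rb") as f:
                    entry["target_is_pe"] = f.read(2) == b"MZ"
            report.append(entry)
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.lower() == "desktop.ini"):
            with open(os.path.join(dirpath, name), errors="replace") as f:
                verdict = analyze_desktop_ini(f.read())
            if verdict:
                report.append({"file": os.path.relpath(os.path.join(dirpath, name), root),
                               "reason": verdict, "target": None, "target_is_pe": False})
    return report

def demo():
    """Lay out the posted USB key in a temp dir (constructed) and scan it."""
    root = tempfile.mkdtemp(prefix="usbkey_")
    storage = os.path.join(root, "storage")  # lower-case so it also resolves on Linux
    os.mkdir(storage)
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write(SAMPLE_AUTORUN)
    with open(os.path.join(storage, "desktop.ini"), "w") as f:
        f.write(SAMPLE_DESKTOP_INI)
    with open(os.path.join(storage, "sys.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)  # stand-in for the dropper: a bare DOS header only
    return scan_drive(root)
```

Run `scan_drive("E:\\")` (or the mount point on a Linux box, which is the safer place to inspect a suspect stick) and treat any `hijacks Explorer verb` hit as a confirmed infection: that key fires on a plain double-click of the drive icon, so disabling AutoPlay alone does not protect the next machine the stick is plugged into. A genuine autorun.inf on a data stick is rare; CD-style ones normally carry only `icon=` and `label=`, which this scanner leaves alone.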
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    In a heavily infected situation such as this, and on top of that, a 4 year old PC that's not been maintained, wiping would be my first thought.

    Start fresh - build from there.
     
  3. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Yes, that is the sane course of action. I'm giving him another computer, so I'm thinking of just letting this infected computer be, especially as we have low speed internet (512kbps).
    But I know my dad will do the same thing to the new computer. I just know it. I'm gonna install Sandboxie on the new computer, and use LUA+SRP. I'm not sure he will bother to use Sandboxie. So I gotta try to lock the new computer down before he uses it.
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    What about Defensewall or Geswall for them?
     
  5. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Is GesWall better than Sandboxie?
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I know he's your dad, but if he hasn't learnt from this, then :( Hope he hasn't been doing online banking, and/or ANY financial transactions :eek:
     
  7. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    No, fortunately not. At least not on windows. The computer is dual boot with linux; but linux too has not been patched for 4 years. Firefox is 4 years old on it. Even there, he does not have online finance accounts.

    And he goes about bashing windows saying it is so insecure, it gets viruses etc :rolleyes:

    The cake on top --- he teaches at an IT institute :p (some engineering courses though, not core IT)
     
    Last edited: Aug 1, 2010
  8. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    that makes me very :(
     
  9. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Yeah me too. At least he only teaches some engineering courses, not core IT.
     
  10. wat0114

    wat0114 Guest

    At least wipe the drive.

    That should do it and don't give them the administrator password. If he needs help he contacts you because you are the administrator. Also enable automatic updates so none are missed.
     
    Last edited by a moderator: Aug 1, 2010
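Posts 3 and 10 between them describe the lockdown a practitioner would apply to the replacement machine before handing it over: a limited user account whose owner does not hold the Administrator password, Software Restriction Policy in default-deny mode, AutoRun disabled so the next USB key cannot repeat the story above, and Automatic Updates forced on. The script below is an added example, not from the thread, that emits a `.reg` file implementing the last three of those for Windows XP; the limited account itself is created separately (`net user` plus `net localgroup Users`). The registry paths, the `DefaultLevel`/`PolicyScope`/`TransparentEnabled` semantics and the `262144` (Unrestricted) rule level follow XP-era Microsoft documentation of SRP and the AutoRun/WSUS policies; the function names and the `Allowed:` descriptions are this example's own, and the result should be checked in `secpol.msc` after import.

```python
"""Generate a .reg file that locks a fresh XP install down the way the thread
suggests: AutoRun off for every drive type, Automatic Updates forced on, and a
default-deny Software Restriction Policy (the SRP half of LUA+SRP) that allows
only %SystemRoot% and %ProgramFiles%.  Added example, not from the post; the
key layout follows XP-era documentation, so verify it in secpol.msc after import."""
import time
import uuid

EXPLORER_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
AU_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
SAFER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
LEVEL_DISALLOWED = 0
LEVEL_UNRESTRICTED = 262144  # 0x40000; the rules of each level live under a subkey of that name
# File types SRP treats as executable (the list XP creates for a new policy).
EXECUTABLE_TYPES = ("ADE ADP BAS BAT CHM CMD COM CPL CRT EXE HLP HTA INF INS ISP LNK "
                    "MDB MDE MSC MSI MSP MST OCX PCD PIF REG SCR SHS URL VB WSC").split()

def dword(n):
    return "dword:%08x" % n

def hexbytes(tag, data):
    """hex(<tag>): form used by .reg files for binary-backed value types."""
    return "hex(%s):" % tag + ",".join("%02x" % b for b in data)

def expand_sz(s):  # REG_EXPAND_SZ = UTF-16LE text with a terminating NUL
    return hexbytes(2, s.encode("utf-16-le") + b"\x00\x00")

def multi_sz(items):  # REG_MULTI_SZ = NUL-separated UTF-16LE strings, double NUL at the end
    return hexbytes(7, "".join(i + "\x00" for i in items).encode("utf-16-le") + b"\x00\x00")

def filetime_now():  # SRP's LastModified is a FILETIME: 100 ns ticks since 1601-01-01
    ticks = int((time.time() + 11644473600) * 10_000_000)
    return hexbytes("b", ticks.to_bytes(8, "little"))

def srp_path_rule(path, level, description):
    """One SRP path rule; the key name is a fresh GUID, as the GUI would create."""
    key = "%s\\%d\\Paths\\{%s}" % (SAFER, level, str(uuid.uuid4()).upper())
    return ["[%s]" % key,
            '"Description"="%s"' % description.replace("\\", "\\\\"),
            '"SaferFlags"=%s' % dword(0),
            '"ItemData"=%s' % expand_sz(path),
            '"LastModified"=%s' % filetime_now(), ""]

def build_lockdown_reg(allow_paths=("%SystemRoot%", "%ProgramFiles%")):
    lines = ["Windows Registry Editor Version 5.00", ""]
    # 1. AutoRun off for all drive types (bit mask 0xFF); HonorAutorunSetting
    #    makes XP (with KB967715 installed) actually respect it for autorun.inf.
    lines += ["[%s]" % EXPLORER_POLICY, '"NoDriveTypeAutoRun"=%s' % dword(0xFF),
              '"HonorAutorunSetting"=%s' % dword(1), ""]
    # 2. Automatic Updates on: option 4 = download and install on a schedule,
    #    day 0 = every day, at 03:00.
    lines += ["[%s]" % AU_POLICY, '"NoAutoUpdate"=%s' % dword(0), '"AUOptions"=%s' % dword(4),
              '"ScheduledInstallDay"=%s' % dword(0), '"ScheduledInstallTime"=%s' % dword(3), ""]
    # 3. SRP: default level Disallowed; PolicyScope 1 = all users except local
    #    Administrators (the admin password stays with you); TransparentEnabled 1 =
    #    enforce on all executable types except DLLs.
    lines += ["[%s]" % SAFER, '"DefaultLevel"=%s' % dword(LEVEL_DISALLOWED),
              '"PolicyScope"=%s' % dword(1), '"TransparentEnabled"=%s' % dword(1),
              '"ExecutableTypes"=%s' % multi_sz(EXECUTABLE_TYPES), ""]
    for path in allow_paths:
        lines += srp_path_rule(path, LEVEL_UNRESTRICTED, "Allowed: " + path)
    return "\r\n".join(lines) + "\r\n"

def write_reg(path, text):
    """regedit expects version 5.00 files as UTF-16LE with a BOM."""
    with open(path, "wb") as f:
        f.write(b"\xff\xfe" + text.encode("utf-16-le"))
```

Import the file as Administrator, log the limited user off and on again, and confirm with `secpol.msc` (Software Restriction Policies) that the default level reads Disallowed with the two Unrestricted path rules. With `PolicyScope` 1 the restriction does not apply to Administrators, which is the point of keeping that password to yourself: the limited user can run what is under `%SystemRoot%` and `%ProgramFiles%` and nothing dropped into a profile, temp directory or USB key, while you can still install things. Leave `TransparentEnabled` at 1 unless you are prepared to write rules for every DLL a legitimate program loads.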