Help me be a hero to my new girlfriend

Welcome to Majorgeeks!

You need to disable Spybot's Teatimer as the READ ME requests. It could get in the way of fixing your problems. In addition you don't want it running anyway since it can be a resource hog and you already have Ewido, SpywareDoctor, and Windows Defender running as blockers. If Ewido and Spyware Doctor are free trials, uninstall them.

Looks like you have signs of a Qoologic infection. Download FindQool by LonnyRJones

• Extract the files and place the FindQool folder into root folder of your hard disk. This is usually C:\
• Open the folder and run Qlocate.bat
• attach the contents of the txt.log which will open when the scan is finished.

FindQool is not a removal procedure. It is a scan that helps us to locate hidden files and registry keys so we can work up a fix for the Qoologic infection.

 

Actually it is pretty simple. You must be reading right past it.

To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
Now quit Spybot!

Was Spyware Doctor a free or paid version. If paid, you may want to keep it. If not, then yes we need to get rid of it as it is still showing. We'll get to the rest of this discussion later. Let's fix the malware now.


Download - Pocket KillBox

Extract it to its own folder somewhere that you will be able to locate it later to run it.

Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you
have saved it double click it and allow it to merge with the registry.

Run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click OK.

Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "
Unregister DLL" (If available) Click the RED X and it will ask you to
confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file.
Once you get to the last one click YES and it will reboot. Note some of the files listed below may not
exist but we need to check for them anyway.

C:\Program Files\Windows NT\hotepy.dll
C:\WINDOWS\keyboard171.dat
C:\WINDOWS\system32\epburd.exe
C:\WINDOWS\system32\fuyccin.exe
C:\WINDOWS\system32\w251a2ca.dll

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

Please run HijackThis and click please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,fuyccin.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {9B0E2556-2CFC-4848-B5DC-24DDA963D3C7} - C:\Program Files\Windows NT\hotepy.dll (file missing)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - HKLM\..\Run: [w251a2ca.dll] RUNDLL32.EXE w251a2ca.dll,I2 000be02c0251a2ca
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ehfmrb] C:\WINDOWS\system32\epburd.exe reg_run
O4 - HKCU\..\Run: [aemns] C:\WINDOWS\system32\epburd.exe reg_run
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} -

Now exit HJT
Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
C:\Program Files\Windows NT\hotepy.dll
C:\WINDOWS\keyboard171.dat
C:\WINDOWS\system32\epburd.exe
C:\WINDOWS\system32\fuyccin.exe
C:\WINDOWS\system32\w251a2ca.dll

Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second
time.

Now attach a new HJT log and a new log from FindQool

Also tell me how things are working!

 

That was due to temporary hidden instructions being created while waiting for your other log. I was getting a head start and then finished it off when your log was posted. It is all posted now.

 

Just continue thru all steps! Some of the lines were not seen by HJT because the registry patch I had you run did remove them. The HJT procedure is a redundant backup just incase the patch does not work or incase the malware respawns.

 

For Spyware Doctor jsut have HJT fix the below line:

O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q

And delete the associated folder in C:\Program Files ifit exists.

Your log is clean but I do question what the below is. Do you know?
O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe

 

What is disk drive D? (hard disk, CD Rom, etc)
And also what is the E drive that you are running hijackthis.exe from?

We are not done yet. We will get to the last advice and what to keep running later.

 

Then have HJT fix the below since it cannot normally run anyway:

O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe


What do you mean E is tiny and why did you put HijackThis there?


If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

The SP2 firewall (as mentioned) is not adequate.

AVG and ZoneAlarm. While ZoneAlarm is one of the best firewalls and also is pretty easy to setup for novices, some people do find it a bit resource hungry. Note that each piece of protection (AV, AS, and firewall) does impact PC performance but it is a necssary price to pay for security. Sort of like car insurance! Your PC is the car and the roads you are driving on are the internet!