Sending out an SOS.

Okay, move.reg is done.

I did not delete winspool.exe; I knew that was an important file.

Anything else?

 

The lines are (Finally!) gone from the HJT log.

The only other problem is disabling my Window's Firewall, as I have said in an earlier post. I fixed my desktop problem by looking at someone else's problem (So that's another problem fixed), and I think I'm finally ready to do a final (Major) scan after that.

I'm still confused as to how explorer.exe is able to request a send to contact admin2cash.biz. Would another program be doing this?

 

It was explorer.exe.

The Windows firewall is hard to disable, since Group Policy cannot be installed on XP Home SP2. I'm trying to work through the command line, and I'm making fair headway.

Just a question: Is it okay to reboot my computer?

 

Now I am thouroughly pissed.

HJT log posted.

EDIT: I still can't figure out how to manually disable Windows Firewall; Its still up, and it refuses to budge.

 

My older brother used Yahoo, my Younger brother used Gamefaqs, no games were played (besides the one in your arcade, which my little brother played), and nothing was downloaded besides what you asked.

 

We all use one account. System restore is diabled, and Norton (is as of now) uninstalled due to how outdated it was. Instead, we now have Avast, but it does nothing at all against this conflict.

 

Alright, I've done it. Er, for now.

Well, after several hours of fiddling and working on my own for the time being (and constantly re-following advice), I think I've finally worked around things, if only temporary.

None of the trusted zones show up on HJT, but I can't re-enable the protection on Spyware Blaster or re-immunize on Spybot, or risk getting all the zones back. Thankfully, that is clear, and I KNOW I won't be seeing any pop-ups from the net for now.

I have discovered something very peculiar with certain groups of programs that are spyware. There is a group of programs running around (I think it has recently been causing many problems), and the head program is dddd.exe (Which was orginally called video.exe). With this program, several other programs usually fall behind to back it up:

htt.exe
eree.exe
op.exe
sfee.exe
dfe.exe

There are more, but I did not record them. These programs seem to actually cooperate with the isvrs folder. At least, on my computer. See, if you delete one or the other, they will bring each other back. If you try to delete them both, there is a fall-back program they have (or something of the sort) which will bring back BOTH of them at the same time. I have recieved the desktop.exe and the iffsearch.exe programs back many times due to how I deleted it. However, I was able to by-pass some of it by only deleting a portion of the folder (Which chas told me to do).

There is some connection between the two... and I need to figure out what it is.

For now, this temp fix I created will do just fine, although I haven't tested any games or AIM yet. It still manages the basic programs just fine now; At least I can now get to work on my english essay due tomorrow. XD

I can't thank you enough chas, for actually dealing with me! Even though I still have problems (Including disabling the Windows Firewall without the Group Policy program [Friggin' requirements!]), I believe I'm fixed... at the moment. However, this thread will continue, as I will be coming back VERY frequently and checking on how the dddd.exe program can be removed without troubles. My patience was worn just a little too thin for me at the moment, and I really need to find something else to do besides toil over this every day.

Once again, I can't thank you enough, chaslang.

(A little confused? I am still, too. Also, here is a most recent HJT log.)

 

The dddd.exe program (And its affiliates) are located in C:\Documents and Settings\Owner folder. They did infect the l2fix folder, and I was forced to delete that.

The isvrs folder is still there, but desktop.exe and iffsearch.exe are removed. edmond.exe is still present, with its respective dll files.

As for the risk part, whenever I do immunize or enable protection and restart, the registry gets re-edited and I have all the programs stuck back on, along with the trusted sites. However, when left alone, none of the sites are placed back in, and the registry is left alone.

Reboot is very normal. Nothing is being affected at start-up from what I can see.

...Go Eagles.

 

No, no, no! I'm not saying that I can't delete them! I'm saying that IF I delete them, they come back and re-edit my registry, just like the isvrs folder does.

I'm nervous about getting rid of Spyware Blaster AND Spybot at the same time... I would be very vulnerable, wouldn't I?

I don't think that they would be infected, but something IS editing the protection to both of them.

 

Sorry for the double post, but the temp protection that I originally thought worked was just destroyed. I'm very confused as to how these programs are working together to keep me from having an actual clean computer.

Egh... back to the drawing board. I'm going ahead and doing what you said.

 

Actually, I just did a variation of it last night. However, it went more like this:

1. I began by cleaning out my computer again like last time, and rebooted in safe mode to finish it off, and disconnected the cable to the internet.

Note: I happen to have a very wierd HSRemove problem where 8 files is constantly removed, even right after the scan is finished. I believe you've seen this problem before on one of these threads; I really need a link to it.

2. Reboot in safe mode: Everything was normal. That was more or less expected.

3. Reboot in normal mode: Everything was still normal. The cable was still disconnected.

4. Second Reboot in normal mode: This time, I plugged in the cable, but did not turn on the Internet. The boot was normal.

5. Third Reboot in normal mode: Finally, I turned on the Internet (Cable modem box), and lo and behold, I'm attacked at start up. Avast was disabled for a short while, every program came back, and I was struck once more.

Evidently, something seems to check to see if these programs are still on my computer, and only when I'm connected to the internet at start-up. To keep myself safe for the moment, I disconnect the cable before I turn on the computer now. I've tested this out twice already, and the ad-ware only struck me when I was connected to the internet at startup.

...You know what? I would love to be a guinea pig. I'll try that removal software out right now.

 

HJT log posted (I just want you to look at what is in it.)

I ran the removal tool, but I stayed physically disconnected to see what would happen. So far, it doesn't look like anything happened. I'm about to reboot completely normally.

...Wish me luck.

 

Thanks for the info. At least now I don't have to worry about that.

That, I have done, too. In fact, that's what I do now.

Yes, they came from the removal tool, but they do absolutely nothing. In fact, when I checked out what file it was, it was merely the same removal tool they offered me; It was just renamed.

Upon rebooting with the internet at startup, it (Sadly) did nothing to stop all the programs from being re-installed back on.

 

Well, before I go and get re-infected to do what you say (Since right now its, clean... just gotta reboot!), I do have a small question. I recently have been seeing a new system process labeled wmiprvse.exe running. Is this supposed to be here? What exactly is that process?

 

Alright, I just did what you said (In safe mode... got hit VERY hard when I rebooted, and it froze the computer... >_>), and rebooted while connected to the Internet. Did not use HJT. The reboot came out... Normal.

This is rather abnormal, and I don't think this is to last. I did try to look at some processes that were running, and I think I have the regboot.log from Regmon the last time I booted (When I got hit very hard). If you want to look at it, I can upload it; I think its a little big, though.

I'm gonna go check to see if the programs were re-installed (Or basically filled back up again). I did find a certain program labeled build2.exe in my C:\Documents and Settings\Owner\Local Settings\Temp\B197691134 folder. This seems to work in conjunction with all the problems I've been having as well.

EDIT: Just checked the files I edited with notepad; Seems as though they are all still 0 bytes. Should I try rebooting again to see if they will re-create themselves? Or should I try cleaning out my registry again?

 

Blargh, can't edit after five minutes, so I'll just get the edit through a double post.

EDIT AGAIN: Scratch that. The Commands.ini file was written back in. This is located in C:\Documents and Settings\Owner folder. How to counter this?

 

The commands.ini file has very confusing characters; Japanese/chinese, along with a sad face in it. Very wierd. Its probably what languages that are installed in my computer are what's showing... But that's what it shows.

Should I attach it to show you?

 

Files I have edited using Notepad:
C:\Windows\isrvs\delprot.sys
C:\Windows\isrvs\desktop.exe
C:\Windows\isrvs\edmond.exe
C:\Windows\isrvs\ffisearch.exe
C:\Windows\isrvs\isearch.xpi
C:\Windows\isrvs\mfiltis.dll
C:\Windows\isrvs\msdhbk.dll
C:\Windows\isrvs\sysupd.dll
C:\Windows\delprot.ini
C:\Documents and Settings\Owner\dfe.exe
C:\Documents and Settings\Owner\eree.exe
C:\Documents and Settings\Owner\htt.exe
C:\Documents and Settings\Owner\commands.ini
C:\Documents and Settings\Owner\Local Settings\Temp\~DF6D68.tmp
C:\Documents and Settings\Owner\Local Settings\Temp\2c96_appcompat.txt
C:\Documents and Settings\Owner\Local Settings\Temp\52ec_appcompat.txt
C:\Documents and Settings\Owner\Local Settings\Temp\8885_appcompat.txt
C:\Documents and Settings\Owner\Local Settings\Temp\fc66_appcompat.txt
C:\Documents and Settings\Owner\Local Settings\Temp\jusched.log
C:\Documents and Settings\Owner\Local Settings\Temp\B197691134\build2.exe
C:\Documents and Settings\Owner\Local Settings\Temp\B197691134\ping2.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\50a3_appcompat.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\b061_appcompat.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\b71d_appcompat.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\d33d_appcompat.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\kb.log

I think Build2.exe is bad because of two real reasons:

1. It loads up as one of the starting processes, and constantly opens iexplore behind my back and starts sucking up my CPU usage and Commit charge. It also is opened up by a different program on start-up, and not begin on startup. Its effectively hidden.

2. When editing these files with notepad, all the exe files had a very familiar heading to them all. This also had the same header.

As for deleting, I already tried it. It, as well as the isrvs folder and the programs in the Documents and Settings\Owner folder were re-installed. However, dddd.exe is missing for some odd reason.

Here is my most recent HJT log; Its infested again.

 

Okay, I went in and used HJT; .finefind is still being persistant, again.

Commands.ini changes back to what it had, and all of the appcompat.txt files keep getting info off my computer.

I hate to say it, but perhaps there is an ADS on my computer that is working as spyware? It sounds stupid, I know... but could it?

I'm going to sleep, I'll be back on at around 4 or 5 in the morn. Then at 3 in the afternoon after school.

 

ADS log posted.

I would look this stuff myself, but I'm just plainly lost about ADS. They are just too confusing for me to try to understand. Can you look at these?

 

Here are the infected files:

C:\WINDOWS\winra32.exe: infected with Backdoor.Small.DC
C:\WINDOWS\ServicePackFiles\i386\explorer.exe: infected with Win32.Bube.B
C:\WINDOWS\explorer.exe: infected with Win32.Bube.B

None of these files can be replaced, since I cannot find a new replacement, and they cannot be fixed. I used BitDefender to find this.

Is there any site I can find which helps me learn how to replace the explorer and important system files? I've checked Microsoft, but with no luck.

 

I'll try your suggestion of killing the explorer when BitDefender scans. I don't have a bootable CD-ROM of SP2, though I wish I did.

 

The scan failed, and could not remove it, despite unloading it from memory. I am going to have to search for some bootable WinXP with SP2 now.

I got SP2 through Windows Update. I'm rather surpised I have such a different virus on my computer.

 

On another minor note, all the software came back. It still refuses to be removed from my computer, even though I cleaned out the commands.ini file using notepad.

 

Services and Runner log loaded.

I have a couple of notes to say:

I re-connected my cable after reading download Silent Runners, and that was after I rebooted into normal mode. Should I go back and reboot the computer with the cable in and Internet on as to re-create my previous situations?

Also, I'll post up HJT log next.

 

HJT log posted.

I cannot remove the boln.dll registry entry (The file itself is gone!). It came back after the reboot.

 

Remember, I rebooted with the cable dis-connected. I plugged it back in after reboot.

The registry entry for the boln.dll file came back, not the file itself.