Can't find a solution to clean computer

cubby1223

Lifer
May 24, 2004
13,518
42
86
This one's got me stumped. Some things found on the computer were hadjajr.ini, printer.exe, new_drv.sys, and ntdll.dll (this file gets copied to every profile's desktop each restart).

The first 3 are removed, along with IM & IMS directories under Program Files and a dozen or so .exe files in windows\system32. Temp directories & internet history all wiped clean. HijackThis log is clean.

Windows update is broken, and nothing can be downloaded from download.microsoft.com. I need a new tool to try and find what's putting ntdll.dll on the desktops, then go from there. Google isn't helping any.

Thanks
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Paging Dr. Medea... ;)

1) what version of Windows, and what Service Pack?

2) what security software (if any) is installed on the computer at this point?

3) detailed symptoms = ? Balloons, certain pop-ups, ???


Here are some things to try, anyway:


If you're ok with uninstalling the current antivirus (if any), then you might try the 30-day trial version of Kaspersky Antivirus 7. If you do so, you want to open its Settings panel, max out all the detection sliders on all the modules, hit the Customize button and make sure the Heuristic Analyzer is maxed as well for each module, and enable the Riskware detection in Threats & Exclusions. Also enable the Extended Rootkit Scan option. Then run a Rootkit Scan and a Scan My Computer.

Once that step is done, you might want to go ahead and do these other steps (copying and pasting from some stuff I use elsewhere):

1. REMOVE ROOTKITS

Scan for rootkits using Panda AntiRootkit and McAfee Rootkit Detective, which are both free:
http://www.majorgeeks.com/Panda_Anti-Rootkit_d5457.html
http://vil.nai.com/vil/stinger/rkstinger.aspx


2. REMOVE VIRUSES, WORMS, AND TROJANS

Make sure your antivirus is current-generation software, not old stuff from several years ago. Update your antivirus software's virus definitions/DATs, then run a full antivirus scan. Besides your own antivirus software, also get a "second opinion" from some additional online antivirus scanners, such as these, for increased coverage (no single company detects all malware):
http://support.f-secure.com/enu/home/ols.shtml
http://www.pandasoftware.com/products/activescan.htm
http://housecall.trendmicro.com


3. REMOVE SPYWARE AND ADWARE

Scan for spyware using SUPERAntiSpyware's free version:
http://www.superantispyware.com

Scan for spyware using Spybot Search & Destroy, which is also free:
http://www.safer-networking.org


4. ADVANCED TECHNIQUES

You can also remove stubborn stuff manually using HijackThis, if the antivirus and antispyware scanners don't detect it. Start Windows in Safe Mode to use HijackThis (HJT) most effectively. If you get an error when you run HJT, rename it to something random and run it again (some malware will block it by name):

http://www.spywareinfo.com/~merijn/programs.php
http://hijackthis.de/en (online HJT logfile analyzer)

To start Windows in Safe Mode so you can run HijackThis properly, begin tapping the F8 key (preceded by the F-Lock key, if your keyboard has one) when you know the first Windows startup screen is about to show, the one with the scrolling bar. If you want access to the online log analyzer, you can start in Safe Mode With Networking instead.


For stubborn leftovers, SmitFraudFix may help too. Use as directed. http://siri.urz.free.fr/Fix/SmitfraudFix_En.php It's not unusual for this download to be detected by antivirus software because some of the files it contains could be used for malicious purposes. In this case, however, it's OK.


~ SECURITY TIPS ~

Update your Windows and Office software with security patches:
http://update.microsoft.com

Use Secunia's new checkup tool to see if your computer needs updates for third-party software like QuickTime, Adobe Reader, WinAmp, IM, torrent clients, etc. The bad guys use these weaknesses to infect computers, so get them fixed:
https://psi.secunia.com

How to start using defense-in-depth at home:
http://www.mechbgon.com/build/security2.html
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Looks like your computer has some nasty infections.

You have a SmitFraud infection - printer.exe and hadjajr.ini are signs of SmitFraud. SmitFraudFix would nuke the infection.

However, the one that is particularly nasty is new_drv.sys - it's an Infostealer. This file has rootkit characteristics which means your computer has been compromised. It steals passwords on your computer, drops other malware on your system, etc. which means that you probably have other hidden malware.
Be sure to change your passwords at sensitive websites from a computer you know to be clean as soon as possible.

You can either try to clean your system or format and reinstall. If you want to try and clean it, PM me with your HJT log.
 

cubby1223

Lifer
May 24, 2004
13,518
42
86
Depending on the timing of running HijackThis, I eventually was able to see what was causing the remaining problem: a file called scardsvr.dll loaded as a BHO, but hiding itself from HijackThis by adjusting the registry read permissions. After I deleted that file, ntdll.dll was never copied to the desktop again. A repair install fixed internet connectivity, and re-registering a list of DLL files fixed Windows Update. I'll recommend that the owner move to Kaspersky.

I've gotten to the point where, to clean up computers, I just hook the drive to a different computer where I have full control over it, but that missed the scardsvr.dll file. There was a directory off the root folder marked system & hidden, but no files inside, and another hidden system file in the root folder whose name I forget, which I also deleted. There was also a folder that looked like temporary storage for Windows updates but would not delete even when the drive was connected to another computer; I'd bet something bad was in there. I had to boot to a CD which ignores NTFS permissions & such to remove that directory.
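The two things cubby1223 ended up hunting by hand (a BHO whose CLSID key had its read permissions stripped so HijackThis could not show it, and the ntdll.dll copies dropped on every profile's desktop) can both be checked directly. The script below is an added example and is not code from the thread or from any of the tools mentioned in it. It assumes an elevated PowerShell 4 or later and default Windows paths; the function names, parameters and status strings are my own. For a suspect disk attached to a clean machine (the way cubby1223 works), load its SOFTWARE hive first with `reg load HKLM\Suspect D:\Windows\System32\config\SOFTWARE` and pass `-SoftwareHive 'HKLM:\Suspect'` and `-Drive 'D:'`.

```powershell
# Added example, not from the thread.
# Get-BhoReport: list every registered Browser Helper Object straight from the
# registry and flag CLSID keys that exist but cannot be read (the hiding trick
# described in the post). Find-DesktopDrops: find copies of a file (ntdll.dll by
# default) on user desktops and compare them to the real one in System32.

function Get-BhoReport {
    param([string]$SoftwareHive = 'HKLM:\SOFTWARE')

    $bhoRoot    = Join-Path $SoftwareHive 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $clsidRoots = @((Join-Path $SoftwareHive 'Classes\CLSID'), 'HKCU:\SOFTWARE\Classes\CLSID')

    # -Name only enumerates subkey names (KEY_ENUMERATE_SUB_KEYS on the parent),
    # so a child whose own ACL has been stripped of Read still shows up here.
    $registered = @{}
    foreach ($root in $clsidRoots) {
        $registered[$root] = @(Get-ChildItem -Path $root -Name -ErrorAction SilentlyContinue)
    }

    foreach ($clsid in @(Get-ChildItem -Path $bhoRoot -Name -ErrorAction SilentlyContinue)) {
        $row = [pscustomobject]@{ CLSID = $clsid; Dll = $null; Status = 'CLSID not registered' }

        foreach ($root in $clsidRoots) {
            if ($registered[$root] -notcontains $clsid) { continue }
            $clsidKey = Join-Path $root $clsid
            try {
                # Reading values needs KEY_QUERY_VALUE; a Deny ACE or a removed
                # Read permission makes this throw. That is what hid the BHO.
                $server  = Get-ItemProperty -Path (Join-Path $clsidKey 'InprocServer32') -ErrorAction Stop
                $row.Dll = $server.'(default)'
                $deny    = (Get-Acl -Path $clsidKey -ErrorAction Stop).Access |
                           Where-Object { $_.AccessControlType -eq 'Deny' }
                $row.Status = if ($deny) { 'readable, but key carries a Deny ACE' } else { 'ok' }
            }
            catch {
                $row.Status = "registered but UNREADABLE: $($_.Exception.Message)"
            }
            break
        }
        $row
    }
}

function Find-DesktopDrops {
    param([string]$Name = 'ntdll.dll', [string]$Drive = $env:SystemDrive)

    # The legitimate copy lives in System32; its hash tells a verbatim copy (a
    # marker, like the symptom in the thread) from a differing, trojanised file.
    $legit     = Join-Path $Drive "Windows\System32\$Name"
    $legitHash = if (Test-Path $legit) { (Get-FileHash -Path $legit -Algorithm SHA256).Hash }

    # Vista-and-later and XP profile layouts; both checked so either disk works.
    $profileRoots = @("$Drive\Users", "$Drive\Documents and Settings") | Where-Object { Test-Path $_ }
    foreach ($root in $profileRoots) {
        foreach ($profile in Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue) {
            $drop = Join-Path $profile.FullName "Desktop\$Name"
            if (-not (Test-Path $drop)) { continue }
            $file = Get-Item -Path $drop -Force
            [pscustomobject]@{
                Path           = $drop
                SizeBytes      = $file.Length
                LastWrite      = $file.LastWriteTime
                SameAsSystem32 = ([bool]$legitHash -and ((Get-FileHash -Path $drop -Algorithm SHA256).Hash -eq $legitHash))
            }
        }
    }
}

Get-BhoReport     | Format-Table -AutoSize
Find-DesktopDrops | Format-Table -AutoSize
```

A BHO reported as "registered but UNREADABLE" is exactly the case the post describes: the CLSID is wired into the BHO list, Internet Explorer can still load it, but tools that walk the CLSID key get access denied. Take ownership of the key (regedit or `subinacl`) or, as the post did, delete the DLL from a boot that ignores NTFS permissions, then remove the BHO entry. The desktop report gives the drop's timestamp, which is a useful pivot for finding the process that wrote it in other timeline evidence.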