Help!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by trek2200, Dec 6, 2005.

  1. trek2200

    trek2200 Private E-2

    I truly hope I have followed all the pre-posting instructions as they were many and took quite a while. I really appreciate the help. I have attached the hijack log but the page said my system spec report was too large to attach. I can attach it and the logs from my pre-posting scan if needed. Thanks in advance
     


  2. trek2200

    trek2200 Private E-2

    Here is a little of the specs report. Let me know if you need more. Thanks again.


    Computer:
    Operating System Microsoft Windows XP Home Edition
    OS Service Pack Service Pack 2
    Internet Explorer 6.0.2900.2180
    Computer Name MICHAEL (Michael-Office)
    User Name Owner
    Logon Domain MICHAEL

    Motherboard:
    CPU Type Intel Celeron 4E, 2666 MHz (5 x 533)
    Motherboard Name Unknown
    Motherboard Chipset Intel Brookdale-G i845G
    System Memory 502 MB (PC3200 DDR SDRAM)
    BIOS Type AMI (08/18/04)
    Communication Port Communications Port (COM1)
    Communication Port ECP Printer Port (LPT1)
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow the directions in step 7 of the READ & RUN ME. As a result, you did not install HJT properly and you do not have the proper version of HijackThis. The version you have is very old.

    Make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    Also please tell us what problems you are experiencing.
     
  4. trek2200

    trek2200 Private E-2

    I had downloaded the newest version of HJT last night. I then turned around and ran an old version I had downloaded several months ago. Sorry about that. Anyway, I ran another scan and have attached the log. The problem I am having is pop-ups over, and over, and over and over. I actually closed 47 of them from the 8 hours I was at work today. Thanks in advance and again I am sorry about the screw-up on the last log.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to srvss safe (or if not found look for srvss) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    srvss safe

    If that does not work try entering the short name: srvss

    Now exit HJT but do not reboot. We will reboot after fixing a few items below by running HJT again.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\srvsc.exe <--- should already be gone due to above steps
    C:\windows\system32\dh9012.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
    O4 - HKLM\..\Run: [0cw80lwc.dll] RUNDLL32.EXE 0cw80lwc.dll,b 360746000
    O4 - HKLM\..\Run: [dh9012] c:\windows\system32\dh9012.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\i0600ajmedoa0.dll <--- this will come back! Probably renamed. We will get it later.
    O23 - Service: srvss safe (srvss) - Unknown owner - C:\WINDOWS\srvsc.exe <--- should already be gone due to above steps

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\srvsc.exe
    C:\windows\system32\dh9012.exe
    C:\WINDOWS\system32\i0600ajmedoa0.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  6. trek2200

    trek2200 Private E-2

    IE seems to be working properly but new Firefox windows are still opening as tabs in one browser, not actually popping up. I have attached a new HJT log. There was one HJT process you mentioned might have a different name. It was not there and there was no C:\WINDOWS\system32\i0600ajmedoa0.dll file to delete. Don't know if that made a difference. Other than that, instructions were followed to the letter. Thanks again
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because it renamed itself as I said it would. See your new log. It is now:

    O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\o4ro0e93eh.dll

    Here is what I want you to do. It seems to me like you may be using an old version of SpySweeper. Uninstall it! Then reboot and then follow the instructions in the below thread for using this new version of SpySweeper (make sure you do the update) and post the log as requested.

    Running Spy Sweeper

    Afterwards also attach a new HJT log.
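
The rename described in the post above becomes visible when two HijackThis logs are compared entry by entry: the old O20 line disappears and a new Winlogon Notify DLL takes its place. The Python below is an added example, not part of the thread and not a MajorGeeks or HijackThis tool; the two sample logs are constructed from lines quoted in the posts above, and the function names are illustrative.

```python
import re

# Constructed sample logs, built only from HijackThis lines quoted in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [dh9012] c:\windows\system32\dh9012.exe
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\i0600ajmedoa0.dll
O23 - Service: srvss safe (srvss) - Unknown owner - C:\WINDOWS\srvsc.exe
"""
LOG_AFTER = r"""
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\o4ro0e93eh.dll
"""

# A result line is "<section code> - <body>", e.g. "O20 - Winlogon Notify: ..."
ENTRY = re.compile(r"^(O\d+|[RFN]\d+) - (.*)$")
NOTIFY = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

def parse_hjt(text):
    """Return a set of (section, body) tuples for every result line in text."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def notify_dlls(entries):
    """Map lower-cased DLL path -> notify key name for O20 Winlogon Notify lines."""
    out = {}
    for section, body in entries:
        m = NOTIFY.match(body) if section == "O20" else None
        if m:
            out[m.group("path").lower()] = m.group("name")
    return out

def compare_logs(before_text, after_text):
    """Report what the fix removed, what survived, and any new notify DLLs."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    old, new = notify_dlls(before), notify_dlls(after)
    return {
        "removed": sorted(before - after),
        "still_present": sorted(before & after),
        # A notify DLL absent from the earlier log: renamed or re-registered.
        "new_notify": sorted((n, p) for p, n in new.items() if p not in old),
    }

if __name__ == "__main__":
    for key, items in compare_logs(LOG_BEFORE, LOG_AFTER).items():
        print(key, items)
```

A non-empty `new_notify` after a fix pass means the cleanup is not finished, even when every originally selected line is gone.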
     
  8. trek2200

    trek2200 Private E-2

    I seem to be running fine now. I have attached the HJT log and Spysweeper log. Thank you again!!!
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Your log is now clean. If you are not having any other malware problems, it is now recommended that you follow the steps in the below link:

    How to Protect yourself from malware!
     
