Need help with problem computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by Disciple23, Mar 15, 2005.

  1. Disciple23

    Disciple23 Private E-2

    Here’s the sitch…

    Not a novice – been working as a NetAdmin for 15 years. I have NEVER encountered a computer as jacked up as this one. I have always been able to correct any Spyware problems with Spybot & AdAware. (I guess I have been lucky)

    This PC has been connected to Broadband and unprotected for months – nice, huh.

    I installed Trend Micro Internet Security 2005 and set the firewall to max security. I Ran the Antivirus and Spyware scans. No help.

    I decided that I (being the all-knowing genius that I am) could just run some of the other utilities that you listed and get the computer fixed up. I ran around in circles chasing my tail all weekend (thoroughly secure in the knowledge that I was all-knowing). Every time I thought it was clean, most of the issues came back with a vengeance. (So much for all-knowing)

    UNCLE!

    I began fresh following the steps suggested by you, the masters, and performed them EXACTLY as recommended. I still can’t seem to get this system clean. Any help would be much appreciated, I’m really glad that you guys are here.

    System is an Athlon Thunderbird 950mhz with 640 megs of RAM – running Windows XP Pro SP2

    I have a HJT log if needed.

    The saga continues…
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    It is very important that you did everything in the TUTORIAL. If you still have a problem then do the following:

    Please try to turn OFF any applications that are not needed It makes it much easier to look at the HJT log.
    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT

    Good Luck :)
     
  3. Disciple23

    Disciple23 Private E-2

    Here is the HJT log. I hope I did it right.

    I ran it several times removing stuff with the tutorial.

    This log was created in safe mode - hope that doesn't matter

    The 2 issues that seem to be trying to kill me are:

    desktop.exe
    dollsp.dll

    I have run lspfix numerous times and removed it but it is currently not listed in the results

    I also ran Find-it and have that log if you need it.

    Thanks for all your help.
     


  4. TheOldThug

    TheOldThug First Sergeant

    Sorry, it does matter. Resubmit the log in normal mode. In safe mode the problems may not show up.

    Be careful fixing in HJT on your own. Also your HJT is way out of date.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Not sure if you caught this or not but I'll go ahead and post it for you.

    Disciple23,

    Please Update to Hijack This 1.99.1 and attach a new log using the new version from normal boot mode.
     
  6. TheOldThug

    TheOldThug First Sergeant

    LOL. We all saw at the same time. I missed originally and then while looking at log saw it, edited, and lo and behold both of you saw it.
     
  7. PhilliePhan

    PhilliePhan Guest

    Indeed! This is why jumping in should be left to MODS. We want to avoid the confusion of too many people posting in same thread! If you didn't catch it eventually, we would . . .

    desktop.exe is usually a component of that isrvs nasty.

    Most of the time, Microsoft® Windows AntiSpyware gets a good bit of it, so if that hasn't been tried yet, it might be worth a go before getting HJT Log.

    PP :)
     
  8. TheOldThug

    TheOldThug First Sergeant

    Thanks PP

    Would you prefer that be run in normal mode or safe mode?
     
  9. PhilliePhan

    PhilliePhan Guest

    Best results probably in Safe Mode!
     
  10. Disciple23

    Disciple23 Private E-2

    Thanks folks

    I will run the Microsoft scan in Safe Mode (AKA not-so-safe mode) - download a current HJT and will reply with an attached log (run from normal mode) =) in the morning.

    You "guys" rock!
     
  11. Disciple23

    Disciple23 Private E-2

    OK,

    I ran the Microsoft Spyware and it found a bunch of stuff and fixed it. I ran it first in Normal mode because it didn't want to install in safe mode, so I figured while I was there I would go ahead and run it. After it fixed a bunch of stuff it wanted to reboot. I rebooted to normal mode again and it found more stuff. After cleaning it wanted to reboot again. This time I booted into safe mode and ran it. It came up clean.

    I downloaded the latest HJT and ran it. The log is attached as requested.

    Thanks MUCH for all of y'alls help.

    I seem to be getting quite the malware education here. This site rocks.
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll

    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com

    O20 - Winlogon Notify: StateMgr - C:\WINDOWS\system32\jtp4077qe.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\WINDOWS\system32\webzone.dll

    C:\WINDOWS\system32\jtp4077qe.dll


    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows


    Download the following items:

    KILL 2 ME.zip

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Pocket KillBox

    DO NOT USE ANY OF THESE TOOLS UNTIL TOLD TO!


    NOW:

    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.


    ALSO:
    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log.

    Please don't run any other files in the L2MFix folder.


    Scan with HijackThis and attach the new log along with the L2MFix log and Generic Detection log.

    Remember DO NOT REBOOT after posting these logs!
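    An added defender-side check, not part of this thread or of any tool mentioned in it: a PowerShell audit of the registry locations behind the R0, O9, O15 and O20 lines above, so the same entries can be reviewed and the referenced DLLs checked for existence and signature without HijackThis. It assumes PowerShell 3 or later on a Windows host; the Winlogon\Notify key exists on XP/2003 and is simply reported as absent on newer Windows.

```powershell
# Added audit script (not from the thread): lists the entries HJT reports as
# R0 (start page), O9 (IE extra buttons), O15 (Trusted Zone) and O20 (Winlogon
# Notify) straight from the registry, and flags DLLs that are missing or unsigned.

function Test-Dll {
    param([string]$Path)
    if (-not $Path) { return 'no path' }
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $p)) { return "MISSING: $p" }
    $sig = Get-AuthenticodeSignature -FilePath $p
    return "$p [signature: $($sig.Status)]"
}

# O20 - Winlogon Notify: each subkey's DLLName is loaded into winlogon.exe at logon
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Write-Host '== O20 Winlogon Notify =='
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        '{0,-20} {1}' -f $_.PSChildName, (Test-Dll $dll)
    }
} else { '  (key absent on this Windows version)' }

# O9 - Extra buttons / Tools menu items: resolve the CLSID to its in-proc DLL
Write-Host '== O9 IE Extensions =='
foreach ($hive in 'HKLM', 'HKCU') {
    $ext = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\Extensions"
    if (-not (Test-Path $ext)) { continue }
    Get-ChildItem $ext | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath
        $target = $v.Exec
        if ($v.CLSID) {
            $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$($v.CLSID)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv) { $target = $srv.'(default)' }
        }
        '{0} | {1} | {2}' -f $_.PSChildName, ($v.ButtonText, $v.MenuText -join '/'), (Test-Dll $target)
    }
}

# O15 - Trusted Zone: a scheme value of 2 under ZoneMap\Domains means "Trusted sites"
Write-Host '== O15 Trusted Zone domains =='
$zm = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if (Test-Path $zm) {
    Get-ChildItem $zm -Recurse | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        foreach ($scheme in 'http', 'https', '*') {
            if ($props.$scheme -eq 2) { '  {0} ({1})' -f ($_.PSPath -replace '^.*\\Domains\\', ''), $scheme }
        }
    }
}

# R0 - current user's IE start page
Write-Host '== R0 Start Page =='
(Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue).'Start Page'
```

Run it from an elevated PowerShell prompt; a DLL reported as MISSING or with a signature status other than Valid under these keys is the kind of entry the helpers above are asking to have fixed.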
     
  13. Disciple23

    Disciple23 Private E-2

    Done.

    All 3 logs combined into 1 file. Listed in the order run.

    Thanks
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you attach the logs in 3 different log files? Makes it easier on me:)
     
  15. Disciple23

    Disciple23 Private E-2

    Sure, but I can't seem to attach more than 2 files to each post. Will post twice to get them all.

    Here are the first 2.
     


  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - Global Startup: strings.exe.

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Download Pocket KillBox


    Make sure you are COMPLETELY DISCONNECTED from the Internet when you do this.

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.


    NOW, you will be entering items into Pocket KillBox. Please open KillBox and select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Also, check the box to “End Explorer Shell While Killing File” for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:



    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.


    NOW

    Open VX2.BetterInternet Finder XP/2k and Click on the "Find Vx2.BetterInternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button

    Guardian.reg

    Restore Policy


    Allow Machine to Reboot.


    Finally, reboot and give me another Find.bat Log (From Generic Detection Tool) and HijackThis Log and tell me how things are running now and whether you had problems with the above instructions! Will check back as time permits.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please note that these files should already be removed. You can skip the part of removing these files. However, there are two we need to remove.

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\wsxsvc ←–– Delete this whole folder!

    C:\WINDOWS\System32\vmss ←–– Delete this whole folder!


    Now, reboot and give me another Find.bat Log (From Generic Detection Tool) and HijackThis Log and tell me how things are running now and whether you had problems with any of the instructions! Will check back as time permits.
     
  18. Disciple23

    Disciple23 Private E-2

    Sorry for the delay...

    Followed your instructions. The only issue was that KillBox did not reboot when I said "yes". I had to manually reboot.

    Log files are attached.

    Thanks,
     


  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - Global Startup: strings.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW

    Open VX2.BetterInternet Finder XP/2k and Click on the "Find Vx2.BetterInternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button

    Guardian.reg

    Restore Policy


    Allow Machine to Reboot.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\wsxsvc ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\vmss ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\sysmonnt.exe


    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows, scan with HijackThis and attach the new log along with one final findit.bat log.
     
  20. Disciple23

    Disciple23 Private E-2

    Done.

    I notice that the Global;Strings keeps showing up.

    I have followed all of your instructions to the letter.

    ???


    This PC is not connected to the Internet at all and I am doing all of my downloads & correspondence on another machine.

    Thanks
     


  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I have requested a second set of eyes on this, hang in there a few:)
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure I understand the problem here!

    Is it with strings.exe? That file is part of the utilities that findit.bat and L2Mfix use. It is copied to system32 when they run and should be removed when they complete. Did you run HJT while the L2MFix or GenericFix (findit.bat) program was still open and running?

    Try getting a new log now with nothing else running.
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Chas, This was one of the things I noticed that kept coming back. Not sure if he used the VX2.BetterInternet Finder XP/2k I requested to or not.
    I guess this would fix this?? A registry fix like the one below?

     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes the manual registry edit should remove the SV1 entry.
     
  25. Disciple23

    Disciple23 Private E-2

    No, I ran the utilities one at a time.

    The only other thing running is PCCillin - I will disable that and try it again.

    I'm pretty sure that I did. I will download it again and try it. In the morning. I'm at home and the machine is at the office.

    Thanks for all your help guys.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! If the O4 line still shows up with strings.exe, just have HJT fix it and then go to
    c:\windows\system32 and delete the strings.exe file. It is just a remnant of the tools!
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Disciple23,

    Let me put this all in one post for you just to avoid confusion.

    First:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file VX2FIX.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the VX2FIX.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    Second:

    Scan with HijackThis, if you see the below entry:

    O4 - Global Startup: strings.exe

    Have it fix the entry!

    Third:

    Reboot into Safe Mode and navigate to and delete the following file:

    C:\WINDOWS\System32\strings.exe

    Note: Also, be sure these 2 folders are removed!
    C:\WINDOWS\System32\wsxsvc

    C:\WINDOWS\System32\vmss


    NEXT:
    Run CCleaner

    Fourth:

    Reboot to Normal Windows, scan with HijackThis and attach the hopefully last log.

    Good Luck:)
     
  28. Disciple23

    Disciple23 Private E-2

    Done.

    It is gone now.

    Sorry for all the hassle. You have been a huge help. I really appreciate all of the time you have taken to help me out.

    Hopefully this log means you are done with me. :)
     


  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Glad that baddie is gone! :)

    You should see the How To article Chaslang mentioned so those baddies don't return. :D

    Browse Safely!
     
