Need help!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by phm, Jan 2, 2005.

  1. phm

    phm Private E-2

    Hi there, and happy new year!
    I've been spending days trying to remove all kinds of malware (SurfSideKick, about:blank and others) from my daughter's notebook, but I don't seem to succeed. Every time I hit the internet something bad starts building up. :mad:
    After following your read-me-first tutorial I thought I was clean and installed Windows XP Service Pack 2 in order to give more security, but when I went for updates, I still got pop-ups. So I followed your tutorial once again all the way! Did all the downloads, the safe-mode scans and fixes, and at last I ran HijackThis, using the tutorial. Now Spybot and all other scans told me that I was clean, but I wasn't. :confused:
    After having connected to the internet I've got all this again:
    CoolWWWSearch.Bootconf
    coolWWWSearch.Loadbat
    CoolWWWSearch.Oslogo
    CoolWWWSearch.Tapicfg
    coolWWWSearch.Xmlmimefilter
    IGetnet
    Common Hijacker
    which Spybot seems unable to remove (even though it says so).
    The only thing HijackThis found and could not fix is some O15 Trusted Zones:
    *.frame.crazywinnings.com
    *.static.topconverting.com
    *.frame.crazywinnings.com (HKLM)
    *.static.topconverting.com (HKLM)
    So someone please - what do I do now?
     
  2. phm

    phm Private E-2

    Still need help. svchost.exe identified

    Hi again!
    I cried out for help yesterday, but got no reply. Have done everything (see thread posted yesterday) but am still infected.
    Read your answer to Yousai, who got a similar problem, and tried out your advice to him. Found svchost.exe and rundl32.exe by using HijackThis, but am not able to kill it. Tried manually but same result. Tried Ctrl-Alt-Delete, still no result :mad:
    So please HELP ME!!!!
    P.S. When chasing svchost.exe manually I found spoolsrv.exe and spoolsrv.dll and kicked them out.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    I merged you back with your original thread. Things have been very busy around here and we just were not able to get to you yet.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  5. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    Hi!
    I understand perfectly that you're busy - no hard feelings, I'm just glad for the opportunity of getting help. :)
    Log file attached.
    I'll be at the computer all evening hoping to get the magic words from you!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    This looks like a safe mode boot log. Please post one from Normal boot mode.
    You do have a few things I can see that must be fixed. I'll get back to you in a little while.

    What is your expected home page?
    Do you use iFinger?
     
    Last edited: Jan 4, 2005
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)


    After clicking Fix, run another scan with HJT.

    I'm guessing that the crazywinnings.com stuff may come back. Let me know if they do. I have another step to fix that.
     
  8. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    You're quite right - it was a safe mode boot log. Here is another one.
    Also you're right about the Trusted Zone things: they keep coming back. Even though I let HijackThis fix them, they're back next time I scan. I also tried to remove them via my browser settings, but without result.
    The start page is all right, and iFinger is also OK (it is a dictionary).
    Sorry I didn't answer you yesterday, but I have to get up early in the morning, so I have to hit the bed around 23 o'clock, but I'll be online every day from 17 - 23.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
     
  10. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    OK, done that.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    But did it work? Check your HJT log now. Are the O15 lines gone?
     
  12. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    Yes they are gone.
    What about the svchoast.exe? Is that a bad thing too, and will I be able to kill it with HijackThis?
     
  13. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    And can I try to hit the internet?
    I just realised that I didn't tell you that I didn't write to you from the infected comp. but from a clean one.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    What svchoast.exe thing? You don't have any files like that running. You do have:
    C:\WINDOWS\system32\svchost.exe

    but that is a valid process.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    If the O15 lines are gone you should be able to use the PC but I would look into having the stuff from here installed first: How to Protect yourself from malware!

    Especially a firewall, but you may have the WinXP SP2 firewall already enabled since that is the default.
     
  16. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    OK, that was what I meant.
    Tried to hit the internet - there still seem to be problems. A pop-up occurred while visiting Symantec.
    Spybot - Search & Destroy still detected the earlier listed entries, but doesn't seem to be able to fix them.
    Also ran HijackThis - new log attached. As you can see I have got some new O1 - Hosts :(
     
  17. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    Checked the Open hosts file manager in HijackThis. Result:
    127.0.0.1 www.igetnet.com
    127.0.0.1 code.ignphrases.com
    127.0.0.1 clear-search.com
    127.0.0.1 sds.clrsch.com
    127.0.0.1 status.clrsch.com
    127.0.0.1 www.clrsch.com
    127.0.0.1 clr-sch.com
    127.0.0.1 sds-qckads.com
    127.0.0.1 status.qckads.com
    #Start of entries insert by Spybot - Search & Destroy
    #End of entries insert by Spybot - Search & Destroy
     
  18. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    I'm off to bed now, but will be back tomorrow.
    Thanks a lot for your help so far.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    This problem occurred because it was lying dormant in the background while you were not connecting to the internet. Now that you connected, we can see it and fix it.

    Download the below tools:

    http://www.downloads.subratam.org/DllCompare.exe

    Pocket KillBox


    VX2.BetterInternet Finder XP/2k - Version Msg126

    Generic Find It Tool - NT/2000/XP


    Extract all the files from the Generic Tool into its own folder.
    Then run find.bat. Post the log it creates back here as an attachment.
     
  20. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    I'm back from work and have done the downloads.
    You didn't tell me whether I should connect to the internet while running the find.bat, so I didn't connect the bad comp., as odd sites keep popping up even when my browser is closed.
    Made the downloads on the clean comp. and lifted them to the infected one, extracted to a separate folder C:\findit, ran find.bat. After 5 min. this message occurred:
    the given path was not found ??
     
  21. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    Well - a little more patience was needed :eek: . After 15 min. this log was shown.
    I also post a log from the VX2Finder.
    Hope it will help you (and thereby me ;) )
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    Please be careful! Only run what I ask. I did not want you to run anything but the find.bat program. I will tell you when we will use the others.

    Here is a list of files that we need to delete using Killbox.

    C:\WINDOWS\System32\mvtscax.dll
    C:\WINDOWS\System32\l66olgj316o.dll
    C:\WINDOWS\System32\splwapi.dll
    C:\WINDOWS\System32\f62mlgf1162.dll
    C:\WINDOWS\System32\kkdlt1.dll
    C:\WINDOWS\System32\mwpbde40.dll
    C:\WINDOWS\System32\MUC70.dll
    C:\WINDOWS\System32\oweaut32.dll
    C:\WINDOWS\System32\rHsdlg.dll
    C:\WINDOWS\System32\dg32gt.dll
    C:\WINDOWS\System32\stnike.dll
    C:\WINDOWS\System32\cmrpol.dll
    C:\WINDOWS\System32\micms.dll
    C:\WINDOWS\System32\myctf.dll
    C:\WINDOWS\System32\mcdemui.dll
    C:\WINDOWS\System32\ote2disp.dll
    C:\WINDOWS\System32\crc.dll
    C:\WINDOWS\System32\mxdart.dll
    C:\WINDOWS\System32\wbi.dll
    C:\WINDOWS\System32\iordbg32.dll
    C:\WINDOWS\System32\mbxml2.dll
    C:\WINDOWS\System32\woavideo.dll

    and C:\WINDOWS\System32\guard.tmp

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\System32\mvtscax.dll

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally. Tell me if you get any error messages on reboot and tell me the exact messages.

    After it reboots get another find.bat log and post it. Also run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.

    Also post a new HijackThis log.

    Important:
    Also run Windows Explorer and look in C:\WINDOWS\System32 for the file guard.tmp. Tell me if you see it or not.
     
  23. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    Thank you very much for a quick reply! Are you online and working 24 hours a day?
    OK, sorry about the impatience with the VX2 finder. I'll try to take one step at a time.
    Did the reboot - no error-messages were shown.
    No sign of C:\WINDOWS\System32\guard.tmp.
    Find.bat and DLL Compare logs attached.
    HijackThis log follows.
     
  24. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    Here follows the HijackThis log.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    No I'm not here 24 hrs a day, though it seems like that sometimes.

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:

    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are "greyed" out:

    - UserAgent$ Button to remove the UserAgent from the registry
    - Guardian.reg
    - Restore Policy

    Exit and reboot.

    Using START > RUN > regedit, please open the registry editor and navigate to the following:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory

    Backup this key by clicking File, Export and then enter a File name and save it somewhere you can find it (if needed). Do the Export before doing the following:
    Right-click on the above registry key (the Dynamic Directory one - make sure the bottom of the regedit window shows the full reg key as shown above in bold) and select DELETE.

    NEXT: Run find.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log

    We may be finished if everything checks out.
     
  26. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    Wow! Sounds good finally to get rid of this crap. :)
    Did as requested. Using VX2 only "UserAgent$" and "Restore Policy" showed up.
    Files attached.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    You forgot to attach the files.
     
  28. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    Don't understand what happened. Actually I did attach the files, and also I looked for your answer all night, but it didn't show up until this morning although it says that you posted it yesterday???
    But we'll try again.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    Okay! The problem is all cleaned up now. However I see this in your HJT log:

    O23 - Service: Print Spooler - Unknown - C:\WINDOWS\system32\spoolsv.exe (file missing)

    That file should not be missing. Check in C:\WINDOWS\system32 to see if it is really missing. If so, you need to get a copy back there. Look for a c:\i386 or a c:\windows\i386 folder on your hard disk. If you find it, check for a spoolsv.exe file there and copy it to the system32 folder. If you find it but it is named spoolsv.ex_ , you will have to uncompress the file from a command prompt. I'll explain that later if it becomes necessary.
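    As an added example (not from this thread, not part of HijackThis itself), here is a small Python triage pass over the three HijackThis item types the thread turns on: O1 hosts entries (post 17), O15 Trusted Zone entries in the user and machine (HKLM) hives (post 7), and an O23 service whose binary is missing (post 29). The log excerpt is constructed from values quoted in the thread plus one made-up redirect line; the severity labels are the example's own assumption, not HijackThis output.

```python
import re
from dataclasses import dataclass

# Constructed HijackThis log excerpt: the hostnames, zone entries and the
# spoolsv.exe service line come from this thread; the 192.0.2.10 line is
# invented to show a non-loopback hosts redirect (example-bank.test is fake).
SAMPLE_HJT_LOG = """\
O1 - Hosts: 127.0.0.1 www.igetnet.com
O1 - Hosts: 127.0.0.1 clear-search.com
O1 - Hosts: 192.0.2.10 www.example-bank.test
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O23 - Service: Print Spooler - Unknown - C:\\WINDOWS\\system32\\spoolsv.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown - C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
"""

@dataclass
class Finding:
    item: str      # HJT item type, e.g. "O15"
    severity: str  # assumed labels: "info", "medium" or "high"
    detail: str

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def triage_hjt(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matters for this kind of cleanup."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        if not m:
            continue
        item, body = m.groups()
        if item == "O1" and body.startswith("Hosts: "):
            ip, host = body[len("Hosts: "):].split(None, 1)
            # Pointing a host at loopback only blocks it (what Spybot's
            # immunisation does); pointing it anywhere else silently redirects
            # the user, which is the classic hosts-file hijack.
            sev = "info" if ip in LOOPBACK else "high"
            findings.append(Finding(item, sev, f"{host} -> {ip}"))
        elif item == "O15" and body.startswith("Trusted Zone: "):
            # A Trusted Zone entry relaxes IE security for that domain. The
            # (HKLM) suffix means it is machine-wide and applies to every user,
            # so it must be checked in both hives, as in this thread.
            dom = body[len("Trusted Zone: "):]
            scope = "machine" if dom.endswith("(HKLM)") else "user"
            findings.append(Finding(item, "high", f"{dom.removesuffix(' (HKLM)')} [{scope}]"))
        elif item == "O23" and "(file missing)" in body:
            # A service whose binary is gone: either a system component that
            # was deleted during cleanup and must be restored (spoolsv.exe
            # here), or a leftover registration for removed malware.
            findings.append(Finding(item, "medium", body.removesuffix(" (file missing)")))
    return findings

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.item:4} {f.severity:6} {f.detail}")
```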
     
  30. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    Well, thanks a lot for your help so far, both to you, Chaslang, for your personal assistance and to Major Geeks for running this fantastic site. How do you do it, when everything is free and the site doesn't seem to be overloaded with ads? Are you all volunteers?
    I haven't been online since yesterday because of a general black-out here due to a hurricane that ran across the country yesterday. The power is back now, but our internet is still not running, so I'm writing to you from work.
    In regard to the spoolsv.exe file, I might have deleted it by mistake during the battle. However I did find it in the Windows\i386 folder, but, as you say, as spoolsv.ex_, so what to do now?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    Yes, the helpers here are all volunteers!

    For the spoolsv.exe
    Open a command prompt by clicking Start, Run and entering cmd in the box, then click OK.
    Now enter the following commands each followed by the enter key:
    cd c:\windows\system32
    expand c:\windows\i386\spoolsv.ex_ spoolsv.exe
    exit

    Now open Windows Explorer and make sure the file c:\windows\i386\spoolsv.exe is present and that your HJT log does not show it to be missing.
     
  32. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    Trying to uncompress the spoolsv.ex_ file by doing what you told me to do, but haven't succeeded.
    Getting the message: there were not given any destination for c:\windows\i86\spoolsv.ex_spoolsv.exe ???
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified


    Did you enter the command properly?

    There is a space after expand and another space after spoolsv.ex_

    The way you wrote it above looks like you left out the space.

    And it is not i86. It is i386.
     
  34. phm

    phm Private E-2

    Re: Still need help. svchost.exe identified

    Of course you were right again! I didn't notice the space after spoolsv.ex_. Using that, everything worked out as you told me. Also the internet works perfectly without pop-ups.
    So I won't ask you anything more this time, I only want to thank you once again for your great help, and if you ever feel like spending a couple of days in the countryside in Denmark, please feel free to come and visit us. Just send me a mail to let me know the date of arrival.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still need help. svchost.exe identified

    You're welcome! Now that's a nice offer. I would love to visit Denmark some day. ;)
     