svchost trojan -- Please help.

[ktharrington]

I unfortunately don't have one, and no way of acquiring one without purchase.

[Elise]

No problem. Can you tell me exactly when the mouse/kb stops working? For example, can you still move the mouse on the welcome screen?

[ktharrington]

Sure, the keyboard will work through any bios/setup selections up to the point where I choose which Windows XP installment to open. Afterwards the windows xp splash screen appears and it loads to the logon screen (i had a password setup) where the pointer remains motionless in the center and the cursor blinks on the password line but doesn't receive any keyboard input. When I ran the Xpud program earlier both mouse and keyboard worked.

As a sidenote, this is a laptop with touchpad mouse, and usually when my computer started up the blue light indicating the touchpad was turned on would light up automatically. Under the new windows installation it still lights up manually, but under the sick installation, it doesn't light up unless I manually press the touchpad button to do so, after which the mouse still doesn't function.

[Elise]

Please upload the following file at http://www.bleepingcomputer.com/submit-malware.php?channel=105

c:\windows.0\system32\config\system (without any extension).

This assuming that Windows.0 is the folder of your original installation, if the new installation uses Windows.0 as windows folder, then please upload the same file in the c:\windows folder.

[ktharrington]

I'm certain that I never saw a Windows.0 folder in the years before, so I'm going to assume that came with the new XP installation.

I submitted the file to the link you gave, but it informed me the file was larger than the 5MB upload limit.

[Elise]

Please right click the file and select Sent to > Compressed (zipped) folder. Upload the zipped folder instead.

Look for both Windows and Windows.0 folder when they were created (right click folder > select Properties). Use the oldest one.

[ktharrington]

Windows contains the oldest file. I zipped it and uploaded it to the site.

[Elise]

Something went seriously wrong there, thank you for the upload!

Please take your time to execute the following steps, be sure to follow them in the order given!

BACKUP THE REGISTRY

---------------------------

Backup Your Registry with ERUNT

• Please download Erunt
  
• Run the setup program to install ERUNT on your computer

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

In your working windows installation click Start > run, type regedit and press enter.

Highlight the HKEY_LOCAL_MACHINE key in the left panel and click File > Load Hive.

Navigate to c:\windows\system32\config\system (the same file you uploaded to me) and click Open.

Next you will be prompted for a key name, type fix and press enter.

Verify that you now see the fix key under HKEY_LOCAL_MACHINE.

Close Regedit

Next download this file: http://www.bleepstatic.com/fhost/uploads/0/i8042prt.reg

Note: this file is customized for this user only! It can not be used to replace a regular i8042prt service!

Double click on this file to merge it. Click OK to confirm.

When done, reopen Regedit, expand HKEY_LOCAL_MACHINE and highlight the fix key (the one we loaded earlier). Click File > Unload Hive. Click OK to confirm unloading the hive.

After doing all this, reboot in the other windows installation and let me know if kb/mouse work now.

[ktharrington]

I completed the directions, and the kb/mouse work now. But after I input my password at the logon screen, it says "loading your personal settings" and the I get the error message "windows product activation - a problem is preventing windows from accurately checking the license for this computer. Error code: 0x80004005.". I push "ok" and it takes me back to the logon screen.

The new installation still goes through just fine.

[Elise]

Did you register the second installation of XP with the same product key? If that is the case it may have caused this error.

You can try the steps here under "method 2": http://support.microsoft.com/kb/306081

Be sure to choose your old XP installation (the one that is broken) when entering the recovery console.

[ktharrington]

Hi, I'm not sure if I'm doing it correct or not, but when I boot with the cd I don't see the recovery console option, just a "install windows" , " delete partition" and "exit" option.

When I enter the recovery console thag I downloaded bwfore running combofix before, I try to follow the initial directions for accessing

Cd%systemriot%system32 and it says the directory is

Not recognized.

[Elise]

You need to replace %systemroot% with Windows. So: c:\windows\system32

[ktharrington]

Ok, how can I replace it?

[Elise]

Cd %systemroot%\system32 <-- this is the correct command.(mind the spaces and backslash!).

If that doesn't work try "cd windows\system32"

[ktharrington]

I still can't get it to work ;/

I'm not sure why it's not recognizing the directory.

[Elise]

Let me know what exactly you typed now.

[ktharrington]

I pressed 1 and enter to select the windows.

Then I typed cd %systemroot%\system32

Then cd windows\system32

Then a number of other combinations, like d:\ cd %systemroot%\system32 etc

[Elise]

Doesn't the prompt change from c:\windows> to c:\windows\system32> after that? If so, you can continue with the following commands:

REN file_name.extension file_name.old

Wpa.dbl

Pidgen.dll

Actshell.html

Licdll.dll

Regwizc.dll

Licwmi.dll

Wpabaln.exe

Type the drive letter of your CD-ROM drive followed by a colon (for example, "D:"), and then press ENTER.

Type cd i386, and press ENTER.

Type the following commands one at a time. Press ENTER after each command:

expand licwmi.dl_ %systemroot%\system32

expand regwizc.dl_ %systemroot%\system32

expand licdll.dl_ %systemroot%\system32

expand wpabaln.ex_ %systemroot%\system32

expand wpa.db_ %systemroot%\system32

expand actshell.ht_ %systemroot%\system32

copy pidgen.dll %systemroot%\system32

Type Exit and press ENTER to restart the computer.

[ktharrington]

The prompt doesn't change, it still states the directory isn't recognized. Does it matter that this is not the CD recovery console, but the one that I installed via combofix ?

[Elise]

No, that shouldn't matter

What happens when you type cd system32 and press enter?

[ktharrington]

Typing cd system32 worked, and I was able to rename all files except Actshell.dll.

I'm able to switch to D:, but when I type cd i386 it's not recognized.

I restarted and after login the old windows gives me an empty error box and then logs me out, however Im able to get through fine in Safe mode, albeit with the message that my windows is not activated.

I can access the new windows.0 as usual.

[Elise]

In the Recovery console type map and press enter. What letter is the CD drive?

[ktharrington]

Looks like my cd drive just wasn't picking up the disc before, I got it to work and go to D:\I386, but when I input the commands it always says "Access is denied."

[Elise]

Type the following in the recovery console and then try again:

set allowremovablemedia = true

set allowallpaths = true

Press enter after each line.

[ktharrington]

For all input commands it says "Unable to create file (filename) 0 files expanded.

And for the last input, "copy pidgen.dll" it says the system cannot find the file or directory specified.