Look2me, Yourtruths, newsalone

L

LM79

New Member
Hi there,
I am stuck with Look2me, Yourtruths, newsalone, locatebest.com, allcomprehend, greatbulletin, firstnarrative, oneperception.

I have deleted all cookies and have run Spybot, Ewido and have AVG in background which keeps finding same viruses weekly.

Here are my Hijackthis and Smartfraudfix logs:
Appreciate your help please. please please please!

Logfile of HijackThis v1.99.1
Scan saved at 11:56:23 p.m., on 15/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\DOCUME~1\Compaq\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LCIDConfig] C:\WINDOWS\lcidchng.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150717858126
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150717836665
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://daywalker79.multiply.com/photos/uploader.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://photo.digitalmax.co.nz/en/ulcontrolxp.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\q2680cjuefo80.dll (file missing)
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\i2600cjmefoa0.dll (file missing)
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\fpp6037se.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ogfox32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)

-----------------------------------

SmitFraudFix v2.109

Scan done at 0:02:58.67, Mon 16/10/2006
Run from C:\Documents and Settings\Compaq\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\icont.exe FOUND !
C:\WINDOWS\keyboard1.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

C:\WINDOWS\Web\desktop.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq\Application Data

C:\Documents and Settings\Compaq\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Compaq\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

-------------------

Thanks in advance.
Much appreciated.

LM79.
 
Yes, it appears you have multiple infections which will require a few different steps/tools. Begin with this.

Download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/

Reboot your computer in Safe Mode by doing the following.

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Disable Spybot, Ewido and AVG during all these steps as they may interfere with the cleaning process.

Run Smitfraud

* Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
* Select option #2 - Clean by typing 2 and press Enter.
* Wait for the tool to complete and disk cleanup to finish.
* You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
* The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.Save this log.

From safemode, run HijackThis and put a check by the following entries if still present, close all open windows and browsers except HijackThis and click 'Fix Checked'

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\q2680cjuefo80.dll (file missing)
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\i2600cjmefoa0.dll (file missing)
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\fpp6037se.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ogfox32.dll (file missing)
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)

Exit Hijack This but remain in safe mode.

Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use firefox also, select at top of ATF cleaner-tick Select all and run again.

Reboot into normal windows, run ATF cleaner and then follow these instructions here - http://www.atribune.org/content/view/28/1/

Once finished, post a fresh 'HJT' log along with the Look2Me-Destroyer log and safemode SmitFraud scan log.
 
Here goes... sorry for delay.

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 7:38:35 p.m., on 21/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\Compaq\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LCIDConfig] C:\WINDOWS\lcidchng.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150717858126
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150717836665
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://daywalker79.multiply.com/photos/uploader.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://photo.digitalmax.co.nz/en/ulcontrolxp.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\q2680cjuefo80.dll (file missing)
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\r4r60e9seh.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ogfox32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
------------------------
RAPPORT:

SmitFraudFix v2.109

Scan done at 19:31:59.65, Sat 21/10/2006
Run from C:\Documents and Settings\Compaq\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\icont.exe Deleted
C:\WINDOWS\keyboard1.dat Deleted
C:\WINDOWS\Web\desktop.html Deleted
C:\Documents and Settings\Compaq\Application Data\Install.dat Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------
LOOK2MEdestroyer


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 21/10/2006 7:59:39 p.m.

Infected! C:\WINDOWS\system32\ir6ml5j11.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP193\A0030717.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP194\A0031409.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP194\A0031446.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP195\A0031504.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP195\A0032495.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP196\A0035522.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035580.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035581.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035582.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035583.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035584.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035587.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0036537.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0036545.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP201\A0038619.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP203\A0039626.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP206\A0039654.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP206\A0039655.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP208\A0040654.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP209\A0040678.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP209\A0041678.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP210\A0041787.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP210\A0041798.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP210\A0042788.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP211\A0042843.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP211\A0042855.dll
Infected! C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP211\A0043322.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\ir6ml5j11.dll
C:\WINDOWS\system32\ir6ml5j11.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP193\A0030717.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP193\A0030717.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP194\A0031409.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP194\A0031409.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP194\A0031446.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP194\A0031446.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP195\A0031504.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP195\A0031504.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP195\A0032495.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP195\A0032495.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP196\A0035522.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP196\A0035522.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035580.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035580.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035581.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035581.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035582.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035582.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035583.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035583.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035584.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035584.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035587.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0035587.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0036537.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0036537.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0036545.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0036545.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP201\A0038619.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP201\A0038619.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP203\A0039626.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP203\A0039626.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP206\A0039654.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP206\A0039654.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP206\A0039655.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP206\A0039655.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP208\A0040654.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP208\A0040654.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP209\A0040678.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP209\A0040678.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP209\A0041678.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP209\A0041678.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP210\A0041787.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP210\A0041787.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP210\A0041798.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP210\A0041798.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP210\A0042788.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP210\A0042788.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP211\A0042843.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP211\A0042843.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP211\A0042855.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP211\A0042855.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP211\A0043322.dll
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP211\A0043322.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OemStartMenuData

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BF326C1A-7D7E-42F5-9DAD-F40704578BDA}"
HKCR\Clsid\{BF326C1A-7D7E-42F5-9DAD-F40704578BDA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1F8E32CC-D021-4FE0-8F6F-812D7CACCB07}"
HKCR\Clsid\{1F8E32CC-D021-4FE0-8F6F-812D7CACCB07}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1288A63F-C4FC-4D9D-8993-F693388CF4D5}"
HKCR\Clsid\{1288A63F-C4FC-4D9D-8993-F693388CF4D5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C1E8ADA1-BCA3-46BD-BE55-60088BEA22D7}"
HKCR\Clsid\{C1E8ADA1-BCA3-46BD-BE55-60088BEA22D7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C9D35A4A-80E6-4B0E-9D4E-7DCA4077C3BB}"
HKCR\Clsid\{C9D35A4A-80E6-4B0E-9D4E-7DCA4077C3BB}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
----------

thanks - await your reply please.

LM79
 
Your latest 'HJT' log looks like it was run from not only safemode but before the other scans were completed. Do the following from normal windows.

Incase further cleaning is necessary, create a folder in 'C/Program Files' called 'HijackThis' and install 'HijackThis.exe' there.

Run HijackThis and put a check by the following entries if still present, close all open windows and browsers except HijackThis and click 'Fix Checked'.

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\q2680cjuefo80.dll (file missing)
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\r4r60e9seh.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ogfox32.dll (file missing)
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)

Now reboot your computer and once back in normal windows, post a new 'HJT' log.
 
Hello

The only entry I could see in HJT was:
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
.... so I checked it and "fixed checked" item.

But I see that it still appears in the below HJT log?:confused:
I even did it twice.

Please advise,
many thanks,

LM79
-------------------------------------




Logfile of HijackThis v1.99.1
Scan saved at 12:32:30 a.m., on 24/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LCIDConfig] C:\WINDOWS\lcidchng.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150717858126
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150717836665
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://daywalker79.multiply.com/photos/uploader.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://photo.digitalmax.co.nz/en/ulcontrolxp.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
 
Go to 'Control Panel/folder options/view' and check 'show hidden files and folders'.While there, UNCHECK 'hide protected operating system files(recommended)'. Click Apply and Okay.

Open HijackThis again. Select 'Misc.Tools/Delete a File on Reboot"

Navigate to - C:\WINDOWS\wdfmgr.exe

Click open.Okay.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/ok
Your system must reboot now.

Once back in normal windows, purge the Restore Folder by going to 'Control Panel/ System/System Restore' and check the box ' Turn off system restore on all drives' click 'apply' and 'okay'.Reboot your computer and then enable system restore again and create a 'New Restore Point' by going to 'Start/Programs/Accessories/System Tools/System Restore'.

Next, go to ADD/REMOVE Programs and uninstall all versions of 'Java'. Then go here - http://java.sun.com/javase/downloads/index.jsp and install 'Java Runtime Environment (JRE) 5.0 Update 9'.

Run 'HJT' again and see if that entry is gone.
 
Hi, sorry this took so long - been on leave.

I did the above and there is still the wdfmgr entry there.

Please see below HJT log

Logfile of HijackThis v1.99.1
Scan saved at 2:38:50 p.m., on 4/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LCIDConfig] C:\WINDOWS\lcidchng.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150717858126
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150717836665
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://daywalker79.multiply.com/photos/uploader.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://photo.digitalmax.co.nz/en/ulcontrolxp.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe (file missing)
 
I wouldn't worry about that entry. I feel it's gone and that service has to be stopped through a c prompt for it to be completely removed. Besides that, your system seems fine now doesn't it.
 
You must log in or register to reply here.
Back
Top