Winfixer, Yield Manager...and who knows what else.

Give this a run: Running Spy Sweeper...

Make sure you attach the Spy Sweeper log when finished and also attach a new HJT log too.
It will take quite awhile for the Spy Sweeper scan to run. It is very intensive and should resolve your Look2Me problems.

 

Also note: Your OS and IE version are seriously out of date and represent a major security risk. After we fix your current problems, you MUST get updated. You multiple issues to fix still.

 

You still need IE to get MS updates and some other websites require it too. You must update. Your friend is wrong about SP2! You just must not install it while malware is present. You need your updates.

Disconnect (unplug the cable) from the internet and run SpySweeper. If that does not help then run Spy Sweeper after booting in safe mode.

 

That is not a log from a Spy Sweeper scan. See message number 13 in this thread for and example of what it looks like: http://forums.majorgeeks.com/showthread.php?t=77858

 

Let's try to fix a few things manually. First run msconfig and select normal startup (as the procedure for running HijackThis requests). We need to see all items on your PC.

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Windows Update Service (or if not found look for wuamgrd) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Windows Update Service

If that does not work try entering the short name: wuamgrd

Now exit HJT but do not reboot if told it need to do so. We will do that later after restarting HJT to fix other problems.


If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKCU\..\Run: [klop] C:\WINDOWS\50.tmp
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\p04ulah91d4.dll
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\System32\dghlgcha.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - (no file)
O21 - SSODL: SysTray.Exmr - {73F8D5FF-6F5C-4f5b-B964-E6F214F6F852} - C:\WINDOWS\System32\gfmanpmk.dll (file missing)
O21 - SSODL: BIIHBCBA - {21747355-5137-5A30-3FD6-13DE34C83737} - C:\WINDOWS\System32\Bdhqjd32.dll (file missing)
O23 - Service: Windows Update Service (wuamgrd) - Unknown owner - C:\WINDOWS\System32\wuamgrd.exe (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\p04ulah91d4.dll
C:\WINDOWS\system32\enbiei.exe
C:\WINDOWS\system32\scvhost.exe <--- Be very careful. This is scvhost.exe not svchost.exe. DO NOT DELETE svchost.exe
C:\WINDOWS\50.tmp

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now try to run SpySweeper and save the log if it runs and post it later when you come back.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Did you download SpySweeper from the link I gave you? Or did you get it from somewhere else??

 

If you already have it running, let it finish. Then work thru the procedure I gave you below anyway. Some items may be gone due to SpySweeper so just ignore them if you do not see them and continue. Afterwards post the spysweeper and new HJT logs.

 

OK! In addition to posting the two logs, don't forget to tell me how things are working.

 

Just do what I gave you in message # 12.

 

I did not ask you to look in the system folder. I said the c:\window\system32 folder.
It is impossible to not have a system32 folder. Without it, your PC would not boot.
You must not have done step 2 of the READ & RUN ME.

 

Not true! Take a look at your HijackThis log and where all the files for your Windows OS are running from. For example:

I did not say search, I said use Windows Explorer to look for the files. That means manully navigate to the folders. Windows Search will not look in the system32 folder unless you setup the options in Windows Search to look in hidden and system folders.

 

Download the attached ZIP file and extract the getWfiles.bat file from it to C:\

Then double click on the .bat file. It will create a file named c:\wfile-list.txt
Put this new file into a ZIP file (hope you know how to do that) and upload it back here as an attachment.

Attached Fileshttp://forums.majorgeeks.com/images/attach/zip.gifgetWfiles.zip (324 Bytes)


Also download the below getsys32.zip file and extract it someplace you can locate it. Then use windows explorer to locate the getsys32.bat and double click on it to run the bat file. This will create a file named c:\sys32hs.txt
Also put this file into a ZIP file (it will be too big to post otherwise). Attached the ZIP file to your next message.

Attached Fileshttp://forums.majorgeeks.com/images/attach/zip.gifgetsys32.zip (296 Bytes)

 

Split the file in half and zip each half.

By the way, as I said before. The c:\windows\system32 folder does exist. The short log from the command I had you run, even shows one baddie you must delete:
c:\windows\system32\hr4o05h3e.dll which does show. It is left over from the Look2Me infection.

I'm not sure what it is that you are doing or not doing but what I just had you run does not lie. The folder is there.

I'm going to make a modification to the getsys32.bat file to also have it scan for all files/folders. Currently it only look for hiddden & system files which is what hr4o05h3e.dll is. If you cannot see it, then viewing of hidden, system files, and file extensions is not enabled.

 

The folder is there! Look at the log you posted. The files and folders in that log are from the c:\windows\system32 folder.

In order to use Windows Search, it must be configured properly or is will not search for hidden files or in system folders. See how to configure below:

Searching for Hidden Files on WinXP


Also try downloading and installing the below and use it to look for files and folders. It os much more powerful than Windows Explorer.

ExplorerXP

 

It shows from DOS which means it is there. Run ExplorerXP and look for it.

 

Also run regedit and navigate to the below registry key and make sure the value for the SuperHidden attribute is set to 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

 

One other thing you could try that may help:

Open command prompt and type: attrib -a -h -r -s c:\windows\system32

Note the spacing (no space after the minus signs)
Let me know if you see it now.

 

Now you see why I kept insisting it was there. Even without all this searching I know it has to be there because as stated before, without that folder your PC would not even boot.

Use ExploreXP to delete that file I mentioned in message # 30. Also go all the way back to message number 12 and look for those items too and delete if found. Also do what I said in message # 36 and see if the folder becomes visible in Windows Explorer.

 

Something had changed the folder attributes to be totally hidden.

What kind of programs is it that you are looking for?

Post a current HJT log! How are things running?

You're welcome! No I do not do this for a living? But I should! There is no shortage of work.

Yeah! But that's just a TV show!

 

Your clean! Now go to the below link and complete all steps. The first steps is to get your Microsoft Updates:

How to Protect yourself from malware!

 

You're welcome.
P2P sites are notorious spreaders of malware problems so it's possible.

 

This is an issue for the Software Forum. But answer these:

1) Is your copy of WinXP legitimate and own by you? Was it activated with Microsoft?
2) Did you go thru the Windows Genuine Validation phase on the download site? With out getting this validation you cannot download. Exactly how far did you get?

 

Correct and also no other downloads/updates from Microsoft Update either. Like Windows Media Player, DirectX, Internet Explorer etc.