Full Version: format or not format that is the question
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
paps
Hello everybody from Greece.

My son gave me his old PC (brand new and super advanced for me) and my problems started as soon as I tried to use it...

My anti-trouble protection is AVG Free Edition and Ewido.

Ewido keeps on popping up and warns me that it found Adware.VirtuMonde, location: windows\system32\efcdedc.dll, and advises me to "clean and quarantine". I do so 10 times per minute.
I tried to delete this file, couldn't do a thing.

Every now and then AVG pops up and says that it found drsmartload.exe... "move to vault" is what I ordered. With no results.
Sometimes, rarely, AVG finds some other virus I don't recall the name of.

What I did...
Safe mode, full scan with Ewido, full scan with AVG.
Ewido found Virtumonde and some other stuff and I ordered "quarantine"; AVG didn't find anything. However, while I am writing this post AVG keeps on popping up finding downloader.VB.FK, drsmartload1.exe; those I put in the virus vault.

Here are the Ewido logs:

C:\WINDOWS\system32\__delete_on_reboot__m_l_j_i_f_d_d_._d_l_l_ -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__p_m_n_m_l_i_g_._d_l_l_ -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__q_o_m_k_j_j_j_._d_l_l_ -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__r_q_r_p_q_p_q_._d_l_l_ -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__t_u_v_t_s_q_p_._d_l_l_ -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\efcdedc.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C0I3F7OH\pro[1].exe/dreve.exe -> Downloader.Adload.cy : Cleaned with backup (quarantined).
C:\pro3_install.exe/dreve.exe -> Downloader.Adload.cy : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LXXCJY0E\drsmartload[1].exe -> Downloader.Adload.de : Cleaned with backup (quarantined).
C:\drsmartload1.exe -> Downloader.Adload.de : Cleaned with backup (quarantined).

Back to normal mode, what a surprise...
My hand was tired from clicking on "clean and quarantine" as soon as I open my PC. This Virtumonde is a disaster. I don't know if it is dangerous for dialers; I don't have that much money for the telephone bill.

I found a Virtumonde removal tool at Symantec. I ran it... "didn't find Virtumonde in my PC" (!!!).

Today I downloaded HijackThis.

I ran it in normal mode; here are the logs:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\tabi\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pas.gr/4new
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\etc\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmad_5.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154168479294
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2hyaXM\command.exe (file missing)
O23 - Service: Debug Window Services - Unknown owner - C:\WINDOWS\system32\bug32.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: K4NV - Unknown owner - C:\WINDOWS\k4nv.exe (file missing)
O23 - Service: Windows Task Scheduler (MSTASK) - Unknown owner - C:\WINDOWS\system\mstask.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Print Spooler Manager (prntspman) - Unknown owner - C:\WINDOWS\spoolsvr.exe (file missing)
O23 - Service: Windows Protected Content Restoration Service (ProtectedContentSvc) - Unknown owner - C:\WINDOWS\etc\services.exe (file missing)
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe


You are my last chance before I return to my old PC and throw this monster away. (Pity, because it has a DVD-ROM, which my old PC didn't.)

Thank you so much for listening to me.

Regards from Greece.


P.S.1
I cannot update my Windows! Sometimes an error occurs; the last times I tried to do so, the page seemed frozen!

P.S.2
I am not an experienced user, so if someone replies, please advise me as simply as possible on the steps I have to take. Thanks a lot.

P.S.3
Before I discovered your forum, I tried to fix some problems with AVG and I have deleted some files. Unfortunately I didn't keep an archive of my actions. Hope I didn't destroy anything useful.

P.S.4
Please don't laugh at me if some things I wrote are childish. I told you I don't know much.
jurgenv
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
paps
Thank you so much for your attention.

So...

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 21:23:28 30/07/2006

Listing files found while scanning....

C:\windows\system32\efcaawu.dll
C:\windows\system32\efcdedc.dll

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\efcaawu.dll
C:\windows\system32\efcaawu.dll Has been deleted!

Attempting to delete C:\windows\system32\efcdedc.dll
C:\windows\system32\efcdedc.dll Could not be deleted.

Performing Repairs to the registry.
Done!


And HijackThis...

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\tabi\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pas.gr/4new
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\etc\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154168479294
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154283165592
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Debug Window Services - Unknown owner - C:\WINDOWS\system32\bug32.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: K4NV - Unknown owner - C:\WINDOWS\k4nv.exe (file missing)
O23 - Service: Windows Task Scheduler (MSTASK) - Unknown owner - C:\WINDOWS\system\mstask.exe (file missing)
O23 - Service: Print Spooler Manager (prntspman) - Unknown owner - C:\WINDOWS\spoolsvr.exe (file missing)
O23 - Service: Windows Protected Content Restoration Service (ProtectedContentSvc) - Unknown owner - C:\WINDOWS\etc\services.exe (file missing)
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe
paps
Hmmmm
I don't know if I should have done this, but I have done it...

After I posted my first reply, my PC seemed to work better, no Ewido popping up!
But I discovered (!) that for some reason I don't know, Resident Shield was inactive...

I restarted my computer and Virtumonde came back again!

Then I ran VundoFix again; if I did wrong, sorry...

Here are the logs and the new HijackThis...
For your information, Ewido keeps popping up continuously, finding Virtumonde in a different location now and finding some other viruses as well.

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 22:45:28 30/07/2006

Listing files found while scanning....

C:\windows\system32\mljjjji.dll

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\mljjjji.dll
C:\windows\system32\mljjjji.dll Has been deleted!

Performing Repairs to the registry.
Done!




Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\tabi\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pas.gr/4new
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\etc\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154168479294
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154283165592
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Debug Window Services - Unknown owner - C:\WINDOWS\system32\bug32.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: K4NV - Unknown owner - C:\WINDOWS\k4nv.exe (file missing)
O23 - Service: Windows Task Scheduler (MSTASK) - Unknown owner - C:\WINDOWS\system\mstask.exe (file missing)
O23 - Service: Print Spooler Manager (prntspman) - Unknown owner - C:\WINDOWS\spoolsvr.exe (file missing)
O23 - Service: Windows Protected Content Restoration Service (ProtectedContentSvc) - Unknown owner - C:\WINDOWS\etc\services.exe (file missing)
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe
jurgenv
* First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  2. Once the setup is complete you will need to run ewido and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

* If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.


* Next, please reboot your computer in Safe Mode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.
* Next, run Ad-aware and perform a full scan. Remove everything found.
  1. Launch ewido anti-spyware by double-clicking the icon on your desktop.
  2. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  3. ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  4. If you have any infections you will be prompted; then select "Apply all actions".
  5. Next select the "Reports" icon at the top.
  6. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
* Boot back into normal mode

* Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

* After that, post a new hijackthis log here with the report from ewido
TISaint
Hello,

While normally a format is a last resort, in your case it might be a good idea, especially if you do not mind losing the data and programs on your hard drive. I notice from your HijackThis log you only have SP1, and you said you have problems updating your Windows; that is normally a sign of a severely damaged Windows.

Try jurgenv's helpful advice, but if you can format, that is definitely a good option too: it's fast, easy, and makes sure your Windows is thoroughly cleaned. Let us know how things worked out for you.
paps
I don't want to format, so I'll try jurgenv's way.

Safe mode...

Ad-Aware

WINANTIVIRUSPRO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : clsid\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}
obj[21]=Regkey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}

ALEXA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=Regkey : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
obj[2]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "MenuStatusBar"
obj[3]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Script"
obj[4]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "clsid"
obj[5]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Icon"
obj[6]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "HotIcon"
obj[7]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "ButtonText"
obj[8]=RegValue : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[9]=RegValue : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[10]=RegValue : S-1-5-21-746137067-789336058-854245398-1003\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"

POSSIBLE BROWSER HIJACK ATTEMPT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[11]=RegData : Software\Microsoft\Internet Explorer\Main "Search Page"
obj[12]=RegData : Software\Microsoft\Internet Explorer\Search "SearchAssistant"
obj[13]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\Main "Search Page"
obj[14]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\Main "Start Page"
obj[15]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\Main "Search Bar"
obj[16]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\Main "Default_Search_URL"
obj[17]=RegData : S-1-5-18\Software\Microsoft\Internet Explorer\Main "Search Page"
obj[18]=RegData : S-1-5-18\Software\Microsoft\Internet Explorer\Main "Start Page"
obj[19]=RegData : S-1-5-18\Software\Microsoft\Internet Explorer\Main "Search Bar"
obj[20]=RegData : S-1-5-18\Software\Microsoft\Internet Explorer\Main "Default_Search_URL"

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[22]=IECache Entry : Cookie:tabi@statse.webtrendslive.com/
obj[23]=IECache Entry : Cookie:tabi@qksrv.net/
obj[24]=IECache Entry : Cookie:tabi@counter.hitslink.com/
obj[25]=IECache Entry : Cookie:tabi@adtech.de/
obj[26]=IECache Entry : Cookie:tabi@apmebf.com/
obj[27]=IECache Entry : Cookie:tabi@casalemedia.com/
obj[28]=IECache Entry : Cookie:tabi@atdmt.com/
obj[29]=IECache Entry : Cookie:tabi@mediaplex.com/
obj[30]=IECache Entry : Cookie:tabi@tradedoubler.com/
obj[31]=IECache Entry : Cookie:tabi@advertising.com/
obj[32]=IECache Entry : Cookie:tabi@adserver.hellasnet.gr/
obj[33]=IECache Entry : Cookie:tabi@statcounter.com/
obj[34]=IECache Entry : Cookie:tabi@247realmedia.com/
obj[35]=IECache Entry : Cookie:tabi@doubleclick.net/

CMDSERVICES
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[36]=Regkey : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}
obj[37]=RegValue : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} "DisplayName"
obj[38]=RegValue : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} "DisplayVersion"
obj[39]=RegValue : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} "NoModify"
obj[40]=RegValue : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} "NoRemove"
obj[41]=RegValue : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} "NoRepair"
obj[42]=RegValue : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} "UninstallString"
obj[43]=Regkey : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
obj[44]=RegValue : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} "DisplayName"
obj[45]=RegValue : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} "DisplayVersion"
obj[46]=RegValue : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} "NoModify"
obj[47]=RegValue : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} "NoRemove"
obj[48]=RegValue : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} "NoRepair"
obj[49]=RegValue : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} "UninstallString"
obj[52]=File : C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C0I3F7OH\installer[1].exe

TARGETSAVER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[50]=Regkey : software\microsoft\windows\currentversion\uninstall\tsa
obj[51]=RegValue : software\microsoft\windows\currentversion\uninstall\tsa "UninstallString"
obj[55]=File : C:\WINDOWS\system32\tsuninst.exe

ADWARE.YAZZLE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[53]=File : C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XNA2NKKM\Mendoza1[1].exe
obj[54]=File : C:\RECYCLER\S-1-5-21-746137067-789336058-854245398-1003\Dc3.exe


Safe mode, Ewido


+ Scan result:



C:\WINDOWS\system32\__delete_on_reboot__o_p_n_n_l_l_m_._d_l_l_ -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rqrrqrp.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\68S8ZQLN\pro[1].exe/dreve.exe -> Downloader.Adload.cy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Com\__delete_on_reboot__d_r_e_v_e_._e_x_e_ -> Downloader.Adload.cy : Cleaned with backup (quarantined).
C:\pro3_install.exe/dreve.exe -> Downloader.Adload.cy : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C0I3F7OH\drsmartload[1].exe -> Downloader.Adload.de : Cleaned with backup (quarantined).


::Report end

Normal mode, ATF Cleaner and finally HijackThis...

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\tabi\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pas.gr/4new
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\etc\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154168479294
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154283165592
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Debug Window Services - Unknown owner - C:\WINDOWS\system32\bug32.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: K4NV - Unknown owner - C:\WINDOWS\k4nv.exe (file missing)
O23 - Service: Windows Task Scheduler (MSTASK) - Unknown owner - C:\WINDOWS\system\mstask.exe (file missing)
O23 - Service: Print Spooler Manager (prntspman) - Unknown owner - C:\WINDOWS\spoolsvr.exe (file missing)
O23 - Service: Windows Protected Content Restoration Service (ProtectedContentSvc) - Unknown owner - C:\WINDOWS\etc\services.exe (file missing)
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe



Is it that bad, or do I still have chances?
jurgenv
* Please open hijackthis and put a check next to the following:

O23 - Service: Debug Window Services - Unknown owner - C:\WINDOWS\system32\bug32.exe (file missing)
O23 - Service: K4NV - Unknown owner - C:\WINDOWS\k4nv.exe (file missing)


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* Now, post a new HijackThis log here and tell me how everything is working.
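The two O23 lines jurgenv picks out above are the ones with an unknown owner whose binary is already gone, and the earlier logs also carry an F2 UserInit value with a second executable chained after userinit.exe and O4 Run entries pointing at executables sitting in the drive root. The following Python script is an added example, not code from this thread or from the HijackThis project: it encodes those eyeball rules as a small triage pass over HijackThis log lines. The sample lines are copied from the logs posted in this thread; the function and reason-code names are my own, and the rules only mark lines for review, they do not decide on their own that a line is malicious.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied from the HijackThis logs posted in this thread (a subset,
# enough to exercise each rule below; not a complete log).
SAMPLE_LOG = r"""
Platform: Windows XP SP1 (WinNT 5.01.2600)
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\etc\services.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Debug Window Services - Unknown owner - C:\WINDOWS\system32\bug32.exe (file missing)
O23 - Service: K4NV - Unknown owner - C:\WINDOWS\k4nv.exe (file missing)
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section prefix, e.g. "O23"
    reason: str   # short reason code (names are this example's own)
    line: str     # the log line that triggered the rule, verbatim


# On Windows XP the stock UserInit value is just userinit.exe followed by a
# comma; anything else chained after it runs at every interactive logon.
_DEFAULT_USERINIT = "userinit.exe"
_USERINIT_RE = re.compile(r"F2 - REG:system\.ini: UserInit=(.*)$")

_O4_RE = re.compile(r"O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An executable directly under the drive root, e.g. C:\\dfndrad_5.exe
_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\+[^\\\s]+\.exe\b", re.IGNORECASE)

# "O23 - Service: <display name> - <owner> - <path>"; a display name that
# itself contains " - " would confuse this split, which is acceptable for triage.
_O23_RE = re.compile(r"O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def _check_f2(line: str) -> list[Finding]:
    m = _USERINIT_RE.match(line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith("\\" + _DEFAULT_USERINIT)]
    return [Finding("F2", "userinit_extra_executable", line)] if extra else []


def _check_o4(line: str) -> list[Finding]:
    m = _O4_RE.match(line)
    if not m:
        return []
    cmd = m.group("cmd").strip().strip('"')
    if _ROOT_EXE_RE.match(cmd):
        return [Finding("O4", "run_entry_in_drive_root", line)]
    return []


def _check_o23(line: str) -> list[Finding]:
    m = _O23_RE.match(line)
    if not m:
        return []
    unknown = m.group("owner").strip().lower() == "unknown owner"
    missing = m.group("path").rstrip().endswith("(file missing)")
    if unknown and missing:
        return [Finding("O23", "orphaned_service_unknown_owner", line)]
    if unknown:
        return [Finding("O23", "service_unknown_owner", line)]
    if missing:
        return [Finding("O23", "service_file_missing", line)]
    return []


def triage(log_text: str) -> list[Finding]:
    """Run every rule over every non-empty line and collect the findings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings += _check_f2(line) + _check_o4(line) + _check_o23(line)
    return findings


def fix_candidates(findings: list[Finding]) -> list[str]:
    """Lines that match what jurgenv put on the 'Fix checked' list: services whose
    binary is gone and whose owner is unknown, so nothing legitimate is left to run."""
    return [f.line for f in findings if f.reason == "orphaned_service_unknown_owner"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:32} {f.line}")
```

The remaining findings (the UserInit chain, the drive-root Run entry, the unknown-owner service whose file still exists) are review items rather than automatic fixes: the script surfaces them so an analyst checks the path and owner before deciding, which is the same order of operations the helpers in this thread follow by hand.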
paps
Unfortunately things seem to get worse. Everything has slowed down a lot.
I think I got Adware.Look2me now and some virus I don't remember the name of! I cannot go to the AVG vault to say the name because there's a war going on with Ewido, and I am trying several times to post this reply.
I don't know how I got the new infections, because I only come to these forums when connected to the internet.
Take a look at the logs.
In you I trust, and I don't lose my courage (yet).

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\tabi\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pas.gr/4new
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\etc\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154168479294
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154283165592
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Windows Task Scheduler (MSTASK) - Unknown owner - C:\WINDOWS\system\mstask.exe (file
jurgenv
Please download Look2Me-Destroyer.exe to your desktop.

* Close all windows before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
* When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
* Your computer will then shutdown.
* Turn your computer back on.
* Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
paps
hijackthis

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\nwnmff_7.exe
C:\dfndrff_7.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\kybrdff_7.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wdfmgr.exe
C:\Documents and Settings\tabi\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pas.gr/4new
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\etc\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154168479294
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154283165592
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Windows Task Scheduler (MSTASK) - Unknown owner - C:\WINDOWS\system\mstask.exe (file missing)
O23 - Service: Print Spooler Manager (prntspman) - Unknown owner - C:\WINDOWS\spoolsvr.exe (file missing)
O23 - Service: Windows Protected Content Restoration Service (ProtectedContentSvc) - Unknown owner - C:\WINDOWS\etc\services.exe (file missing)
O23 - Service: sqlmanagement - Unknown owner - C:\WINDOWS\sqlmanagement.exe (file missing)
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe
paps
Sorry, I couldn't post the Look2Me txt. It disappeared! The same happened with the icons on my desktop; they come and go! They have all come back now.

Temporarily things looked to be going better, but it got worse after a while.

Looking in my C:\ I find
__delete_on_reboot__d_r_s_m_a_r_t_l_o_a_d_4_5_a_7_i_._e_x_e_
__delete_on_reboot__d_r_s_m_a_r_t_l_o_a_d_4_6_a_7_i_._e_x_e_
__delete_on_reboot__d_r_s_m_a_r_t_l_o_a_d_8_4_9_a_7_i_._e_x_e_
__delete_on_reboot__I_n_s_t_a_l_l_e_r_3_._e_x_e_
dfndrff_7
drsmartload
drsmartload1
drsmartload45a7i
drsmartload46a7i
drsmartload849a7i
kybrdff_7
MTE3NDI6ODoxNg
nwnmff_7
pro3_install

All these weren't there before!
Should I delete them?

I think that we are repairing one thing and then something else comes along...

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 01/08/2006 15:09:03

Infected! C:\WINDOWS\system32\enp4l17q1.dll
Infected! C:\WINDOWS\system32\lvrm0991e.dll
Infected! C:\WINDOWS\system32\ww2help.dll
Infected! C:\WINDOWS\system32\ww2help.dll
Infected! C:\WINDOWS\system32\dfnhupnp.dll
Infected! C:\WINDOWS\System32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\enp4l17q1.dll
C:\WINDOWS\system32\enp4l17q1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lvrm0991e.dll
C:\WINDOWS\system32\lvrm0991e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dfnhupnp.dll
C:\WINDOWS\system32\dfnhupnp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4C6DB042-DBD6-40B0-B0B6-424873AB68BB}"
HKCR\Clsid\{4C6DB042-DBD6-40B0-B0B6-424873AB68BB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{982D1AC7-A100-407E-AC01-FE6D0E3AF832}"
HKCR\Clsid\{982D1AC7-A100-407E-AC01-FE6D0E3AF832}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{35000592-64CE-4D60-96CF-7E386AE3D817}"
HKCR\Clsid\{35000592-64CE-4D60-96CF-7E386AE3D817}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1CE91958-7A8C-4F46-BE68-EBEBC823BD5D}"
HKCR\Clsid\{1CE91958-7A8C-4F46-BE68-EBEBC823BD5D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8E829A69-17AC-4C4B-9DE6-9B05F2149D2E}"
HKCR\Clsid\{8E829A69-17AC-4C4B-9DE6-9B05F2149D2E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{502F97B6-7956-4EA1-B903-0AA3A80B51D5}"
HKCR\Clsid\{502F97B6-7956-4EA1-B903-0AA3A80B51D5}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F5DCB5FC-32DD-48C2-83D0-222C42533F4A}"
HKCR\Clsid\{F5DCB5FC-32DD-48C2-83D0-222C42533F4A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{98BDA8C7-495B-4273-9A0D-A3A0D5FDD8E0}"
HKCR\Clsid\{98BDA8C7-495B-4273-9A0D-A3A0D5FDD8E0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{902FC3BF-1F6E-48D7-A5B4-94983F57FA05}"
HKCR\Clsid\{902FC3BF-1F6E-48D7-A5B4-94983F57FA05}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A19904F6-FF7C-4453-B239-41711F71FDE1}"
HKCR\Clsid\{A19904F6-FF7C-4453-B239-41711F71FDE1}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C01F5573-BCC7-402A-B873-C9711A5709F7}"
HKCR\Clsid\{C01F5573-BCC7-402A-B873-C9711A5709F7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8B666781-029D-439D-BED4-F54C981179BF}"
HKCR\Clsid\{8B666781-029D-439D-BED4-F54C981179BF}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D6F53E15-FFFA-4D50-B50C-30F4D45EE109}"
HKCR\Clsid\{D6F53E15-FFFA-4D50-B50C-30F4D45EE109}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1A81BC87-63E2-4CDA-89DC-E10E355A27B7}"
HKCR\Clsid\{1A81BC87-63E2-4CDA-89DC-E10E355A27B7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DAE7B521-3EA8-4C57-A8D2-E25F04F1D03A}"
HKCR\Clsid\{DAE7B521-3EA8-4C57-A8D2-E25F04F1D03A}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file
hijackthis

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\nwnmff_7.exe
C:\dfndrff_7.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\kybrdff_7.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wdfmgr.exe
C:\Documents and Settings\tabi\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pas.gr/4new
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\etc\services.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1154168479294
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154283165592
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Windows Task Scheduler (MSTASK) - Unknown owner - C:\WINDOWS\system\mstask.exe (file missing)
O23 - Service: Print Spooler Manager (prntspman) - Unknown owner - C:\WINDOWS\spoolsvr.exe (file missing)
O23 - Service: Windows Protected Content Restoration Service (ProtectedContentSvc) - Unknown owner - C:\WINDOWS\etc\services.exe (file missing)
O23 - Service: sqlmanagement - Unknown owner - C:\WINDOWS\sqlmanagement.exe (file missing)
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe
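As an added illustration (not part of this thread, and not code from HijackThis or any of the tools named here), a small Python triage run over constructed lines modelled on the entries above. It flags the kinds of entries a helper picks out for Fix Checked: the redirected search page, the second program chained onto UserInit, the O4 autorun launched from the drive root, and O23 services with an unknown owner whose binary is missing or sits outside the usual directories. The allowlisted directories and the microsoft.com check are assumptions for the example.

```python
import re

# Constructed sample lines, modelled on the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\etc\services.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: K4NV - Unknown owner - C:\WINDOWS\k4nv.exe (file missing)
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\wdfmgr.exe
"""

# Assumed allowlist: directories where a service binary with no known publisher is still unremarkable.
TRUSTED_DIRS = ("\\windows\\system32\\", "\\program files\\", "\\progra~1\\")
# An autorun command whose executable sits directly in the drive root, e.g. C:\name.exe (HJT doubles the slash).
ROOT_EXE = re.compile(r"^[a-z]:\\+[^\\]+\.exe\b", re.IGNORECASE)


def triage_hjt(log_text):
    """Return (section, reason, line) tuples for entries an analyst would review before 'Fix Checked'."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section, _, body = line.partition(" - ")
        if section in ("R0", "R1") and "Search" in body:
            # Hijacked search provider: anything not served by Microsoft is worth a look (assumption).
            host = body.split("=", 1)[1].strip().split("//", 1)[-1].split("/", 1)[0].lower()
            if not host.endswith("microsoft.com"):
                findings.append((section, "search provider redirected to " + host, line))
        elif section == "F2" and "UserInit=" in body:
            # UserInit normally lists only userinit.exe; every extra entry runs at every logon.
            parts = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            extra = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append((section, "extra program chained onto UserInit: " + "; ".join(extra), line))
        elif section == "O4":
            cmd = body.split("]", 1)[1].strip() if "]" in body else body
            if ROOT_EXE.match(cmd):
                findings.append((section, "autorun executable sitting in the drive root", line))
        elif section == "O23":
            fields = body.split(" - ")
            owner = fields[1].strip() if len(fields) > 2 else ""
            path = fields[-1].strip().lower()
            if owner == "Unknown owner":
                if "(file missing)" in path:
                    findings.append((section, "unknown-owner service whose binary is missing", line))
                elif not any(d in path for d in TRUSTED_DIRS):
                    findings.append((section, "unknown-owner service binary outside the usual directories", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The AVG entries pass untouched because they carry a publisher and live under Program Files; the script is a review aid, so each hit still needs the analyst's judgement before anything is fixed.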
jurgenv
1. Please download Ewido Anti-Malware
  • Install ewido anti-malware
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HiJackThis log.
Invision Power Board © 2001-2010 Invision Power Services, Inc.