Please help! LSA



moira
2006-04-09, 18:12
I am not very computer literate and am suffering from malware. Most of the time I can't go on the internet, no pages will load. This is what I get from spybot s&d, can someone please, please, please help me?

LSA: Configuración (Clave del registro, fixing failed)
HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa

LSA: Configuración (Clave del registro, fixing failed)
HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa

Command Service: Configuración (Clave del registro, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Configuración (Clave del registro, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Mosaic1
2006-04-09, 20:40
Post a hijackthis log please. Download and then extract Hijackthis.exe to a new folder. Do not run it from the zip, the desktop or a temp folder.

Here's a link:
http://www.merijn.org/files/hijackthis.zip

Do not remove anything using HijackThis. Save the log and then copy and paste the contents into your next reply here in this same topic. It lists many types of entries. Some are good, and others need to be removed. We will help you sort it out.

------
Download WinPFind here:
http://www.bleepingcomputer.com/files/winpfind.php


Read and follow the instructions on the page to download and then run WinPFind and post the results please.

------------------

Extract the contents to a convenient folder.

Double click on WinPFind.exe to run it.


Click "Start Scan"
This is going to take considerable time.

Once the Scan has finished it will generate a text file named WinPFind.txt in the WinPFind folder. Post the contents of WinPFind.txt into your next reply here too.


-------

You may have to reply more than once to fit all the logs into your response. Please be sure the entire contents of all logs are showing in your responses. Thank you.

moira
2006-04-10, 13:13
Thanks for your help! Here is my hijackthis! log:

Logfile of HijackThis v1.99.1
Scan saved at 12:06:50, on 10/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\Archivos de programa\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Jazztel\Adsl\dslagent.exe
C:\Archivos de programa\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
C:\Archivos de programa\SAGEM\SAGEM F@st 1200\SagemMonitor.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Moira\Mis documentos\Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {755C98A7-545F-E9E9-2B06-7877C85B4A5D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Jazztel\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Jazztel\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Windows Security Service] wowvp.exe
O4 - HKLM\..\Run: [Windows live Support] wlmsn.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MPTBox] C:\ARCHIV~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [Omnipage] C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [KAV50] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKLM\..\Run: [SagemMonitor] C:\Archivos de programa\SAGEM\SAGEM F@st 1200\SagemMonitor.exe
O4 - HKLM\..\Run: [IRC Client] updated.exe
O4 - HKLM\..\RunServices: [Windows Security Service] wowvp.exe
O4 - HKLM\..\RunServices: [Windows live Support] wlmsn.exe
O4 - HKLM\..\RunServices: [IRC Client] updated.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Security Service] wowvp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IRC Client] updated.exe
O4 - HKCU\..\RunServices: [Windows Security Service] wowvp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Búsqueda en Google - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traducir palabra inglesa - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.filelodge.com/ImageUploader3.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
O23 - Service: KLBLMain - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: MpService - Canon Inc. - C:\Archivos de programa\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\Archivos de programa\Photodex\ProShowGold\ScsiAccess.exe

moira
2006-04-10, 13:21
Again, thanks so much for your help!! Here is my log.

Windows OS and Versions Product Name: Microsoft Windows XP Current Build: Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 24/08/2001 12:00:00 41129 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 12/01/2006 12:32:12 543496 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 10/03/2006 2:10:36 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/03/2006 2:10:36 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 12/02/2002 23:22:28 650240 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 24/08/2001 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 27/12/2003 7:49:04 168448 C:\WINDOWS\SYSTEM32\ympg.dll
UPX! 27/12/2003 7:49:26 76800 C:\WINDOWS\SYSTEM32\ympgcdc.cfg

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/04/2006 11:57:38 S 2048 C:\WINDOWS\bootstat.dat
15/02/2006 21:22:46 H 10684 C:\WINDOWS\system32\mlfcache.dat
10/04/2006 11:57:56 H 1024 C:\WINDOWS\system32\config\default.LOG
10/04/2006 11:57:38 H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/04/2006 11:57:56 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
10/04/2006 12:13:16 H 1024 C:\WINDOWS\system32\config\software.LOG
10/04/2006 11:58:40 H 1024 C:\WINDOWS\system32\config\system.LOG
15/03/2006 11:09:02 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
03/04/2006 23:33:44 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0e8889de-092d-4fcc-832a-d92a85ac0330
03/04/2006 23:33:44 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
10/04/2006 11:57:38 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
19/08/2003 9:20:04 180224 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 24/08/2001 12:00:00 68096 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 24/08/2001 12:00:00 562176 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 24/08/2001 12:00:00 132096 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 24/08/2001 12:00:00 151552 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 30/08/2002 19:56:44 293376 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 24/08/2001 12:00:00 123392 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 4:41:00 208896 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 14:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 24/08/2001 12:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 24/08/2001 12:00:00 567808 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 24/08/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 24/08/2001 12:00:00 258560 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 24/08/2001 12:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 24/08/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 24/08/2001 12:00:00 112128 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 24/08/2001 12:00:00 274944 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 24/08/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 24/08/2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
07/01/2004 17:14:48 53248 C:\WINDOWS\SYSTEM32\vp6dec_settings.cpl
Microsoft Corporation 26/05/2005 5:16:30 175384 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 24/08/2001 12:00:00 68096 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 24/08/2001 12:00:00 562176 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 24/08/2001 12:00:00 132096 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 24/08/2001 12:00:00 151552 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 30/08/2002 19:56:44 293376 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 24/08/2001 12:00:00 123392 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29/08/2002 4:41:00 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 24/08/2001 12:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 24/08/2001 12:00:00 567808 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 24/08/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 24/08/2001 12:00:00 258560 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 24/08/2001 12:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 24/08/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 24/08/2001 12:00:00 112128 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 24/08/2001 12:00:00 151552 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 24/08/2001 12:00:00 274944 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 24/08/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 24/08/2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Checking Selected Startup Folders
Checking files in %ALLUSERSPROFILE%\Startup folder...
14/12/2005 22:33:40 HS 84 C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
14/12/2005 21:47:44 HS 62 C:\Documents and Settings\All Users\Datos de programa\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
14/12/2005 22:33:40 HS 84 C:\Documents and Settings\Moira\Menú Inicio\Programas\Inicio\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
14/12/2005 21:47:44 HS 62 C:\Documents and Settings\Moira\Datos de programa\desktop.ini
Checking Selected Registry Keys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{DD230880-495A-11D1-B064-008048EC2FC5} = C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\ShellEx.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Archivos de programa\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Elemento anclado al menú Inicio = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}
= C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{DD230880-495A-11D1-B064-008048EC2FC5} = C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\ShellEx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Archivos de programa\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}
= C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Archivos de programa\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
= C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroDigitalExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}
=

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{755C98A7-545F-E9E9-2B06-7877C85B4A5D}
=
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\archivos de programa\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Sugerencia del día = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\archivos de programa\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Consola de Sun Java : C:\Archivos de programa\Java\jre1.5.0_06\bin\npjpi150_06.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Banda multimedia = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
Banda del explorador para búsqueda de archivos = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Banda de Explorador = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Dirección : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Vínculos : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Dirección : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Vínculos : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\archivos de programa\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
DSLSTATEXE C:\Program Files\Jazztel\Adsl\dslstat.exe icon
DSLAGENTEXE C:\Program Files\Jazztel\Adsl\dslagent.exe
Windows Security Service wowvp.exe
Windows live Support wlmsn.exe
{0228e555-4f9c-4e35-a3ec-b109a192b4c2} C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
MPTBox C:\ARCHIV~1\Canon\MULTIP~1\MPTBox.exe
Omnipage C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
NeroFilterCheck C:\WINDOWS\System32\NeroCheck.exe
Picasa Media Detector C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
OfficeGuard RegChecker "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
KAV50 "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
SagemMonitor C:\Archivos de programa\SAGEM\SAGEM F@st 1200\SagemMonitor.exe
IRC Client updated.exe
NWEReboot

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Windows Security Service wowvp.exe
Windows live Support wlmsn.exe
IRC Client updated.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Archivos de programa\Messenger\msmsgs.exe" /background
Windows Security Service wowvp.exe
msnmsgr "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
Skype "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
IRC Client updated.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Windows Security Service wowvp.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\ARCHIV~1\ARCHIV~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

Mosaic1
2006-04-10, 22:17
The type of infections you have and had are information stealing trojans and keyloggers. They steal passwords and send them up to the attacker. Therefore, all sensitive information on your system is not private any longer. ANY AND ALL BANKING passwords need to be changed and do not do any banking online until you are clean. Get in touch with your bank immediately if you do online banking. Same for any other financial transactions or passwords to email, or sites like this etc.
----------------


Copy the contents of the code box to notepad.
Name the file deleteit.bat
Save as Type:all files

Save in C:\
Now you have C:\deleteit.bat



REM Quarantine folder: each file is copied here before it is deleted
Mkdir C:\outtahere
REM Clear the system, hidden and read-only attributes so copy and del can touch the file
attrib -s -h -r C:\WINDOWS\System32\wowvp.exe
Copy C:\WINDOWS\System32\wowvp.exe C:\outtahere
del C:\WINDOWS\System32\wowvp.exe
attrib -s -h -r C:\WINDOWS\System32\wlmsn.exe
copy C:\WINDOWS\System32\wlmsn.exe C:\outtahere
del C:\WINDOWS\System32\wlmsn.exe
attrib -s -h -r C:\WINDOWS\System32\updated.exe
copy C:\WINDOWS\System32\updated.exe C:\outtahere
del C:\WINDOWS\System32\updated.exe
REM The startup entries give no path, so the same three names are also checked in C:\WINDOWS
attrib -s -h -r C:\WINDOWS\wowvp.exe
copy C:\WINDOWS\wowvp.exe C:\outtahere
del C:\WINDOWS\wowvp.exe
attrib -s -h -r C:\WINDOWS\wlmsn.exe
copy C:\WINDOWS\wlmsn.exe C:\outtahere
del C:\WINDOWS\wlmsn.exe
attrib -s -h -r C:\WINDOWS\updated.exe
Copy C:\WINDOWS\updated.exe C:\outtahere
del C:\WINDOWS\updated.exe


You will be restarting into Safe mode later. Here's help if you need it.

To use the F8 key to start Windows XP in Safe mode
Restart the computer.
Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
As soon as the BIOS loads, begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
Using the arrow keys on the keyboard, select Safe mode and then press Enter.




Restart into Safe mode:

BUT when the welcome screen appears, Press CTRL + ALT + DEL twice to bring up a logon. Log on to your Profile!
Go to Start >Run and type hijackthis. Press enter.

Do not run anything else!


Select the following entries and click the fix checked button:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {755C98A7-545F-E9E9-2B06-7877C85B4A5D} - (no file)
O4 - HKLM\..\Run: [Windows Security Service] wowvp.exe
O4 - HKLM\..\Run: [Windows live Support] wlmsn.exe
O4 - HKLM\..\Run: [IRC Client] updated.exe
O4 - HKLM\..\RunServices: [Windows Security Service] wowvp.exe
O4 - HKLM\..\RunServices: [Windows live Support] wlmsn.exe
O4 - HKLM\..\RunServices: [IRC Client] updated.exe
O4 - HKCU\..\Run: [Windows Security Service] wowvp.exe
O4 - HKCU\..\Run: [IRC Client] updated.exe
O4 - HKCU\..\RunServices: [Windows Security Service] wowvp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

-----------

Go to Start >Run and type in:
C:\deleteit.bat

Press enter.

This will run the file you created earlier. It will run quickly and close.

--------------

Restart back into Windows.

Run hijackthis and post a new log please.

---------

We will have more to do and I'll want to look at some registry keys too.

Mosaic1
2006-04-10, 22:35
Because none of the files mentioned in your startups are showing in your running processes, either they are hidden or have already been removed. But the startups are still there. So we'll see what's going on.

You are running from an account which has Administrative privileges?
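
The comparison Mosaic1 is making here, startup entries that name a bare file with no path against the 'Running processes' list, can be done mechanically. The Python script below is an added example, not code from the thread or from HijackThis; it parses both sections of a v1.99-style log and reports, for each bare-name O4 entry, every Run/RunServices location it is registered in and whether a process of that name was captured. The sample log is a constructed excerpt of the entries posted above.

```python
"""Startup-entry triage for a HijackThis v1.99 log (added example, not code
from the thread or from HijackThis).

Bare file names in Run/RunServices entries are resolved by a PATH search at
logon, so the log alone does not say which file actually runs; the report
therefore also records whether a matching process appears in the
'Running processes' section, which is the check made in the thread.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed excerpt of the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:06:50, on 10/04/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Jazztel\Adsl\dslagent.exe
C:\Archivos de programa\Skype\Phone\Skype.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Jazztel\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Windows Security Service] wowvp.exe
O4 - HKLM\..\Run: [Windows live Support] wlmsn.exe
O4 - HKLM\..\Run: [IRC Client] updated.exe
O4 - HKLM\..\RunServices: [Windows Security Service] wowvp.exe
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows Security Service] wowvp.exe
O4 - HKCU\..\RunServices: [Windows Security Service] wowvp.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class StartupEntry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunServices, ...
    name: str      # registry value name shown in [brackets]
    command: str   # command line as stored in the registry

    @property
    def image(self) -> str:
        """Return the executable part of the command line.

        Quoted paths end at the closing quote; unquoted ones are cut after
        the first '.exe', so a path with spaces keeps them but drops any
        trailing argument (e.g. the 'icon' after dslstat.exe in the log).
        """
        cmd = self.command.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
        return m.group(1) if m else cmd.split()[0]


def parse_log(text):
    """Split a HijackThis log into running-process base names and O4 entries."""
    running = set()
    entries = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # a blank line ends the process list
                in_processes = False
                continue
            running.add(ntpath.basename(line).lower())
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(StartupEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return running, entries


def triage(text):
    """Map each bare-name startup image to its locations, value names and run state."""
    running, entries = parse_log(text)
    report = {}
    for e in entries:
        image = e.image
        if ntpath.dirname(image):
            continue                # fully pathed entries are outside this check
        key = image.lower()
        rec = report.setdefault(key, {"locations": [], "names": set(), "running": key in running})
        rec["locations"].append(f"{e.hive}\\{e.key}")
        rec["names"].add(e.name)
    return report


if __name__ == "__main__":
    for image, rec in triage(SAMPLE_LOG).items():
        state = "running" if rec["running"] else "not in process list"
        print(f"{image}: {state}; registered as {sorted(rec['names'])} in {', '.join(rec['locations'])}")
```

Run against the full log it reproduces the three names the thread deletes, each flagged as absent from the process list and, for wowvp.exe, registered in four separate locations.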

moira
2006-04-10, 23:18
Thanks SO much for this, I shall start immediately and will let you know outcome.

moira
2006-04-10, 23:19
Sorry, yes, this is my home PC and I guess I do have administrative privileges...

moira
2006-04-11, 15:09
I took all the steps but in safe mode, in hijackthis the entry:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel

was not present. When I restarted my PC and ran hijackthis again, to take a log, it WAS present, so I fixed it then. (hope this didn't do more damage...)

Here is the log, after those steps:
Logfile of HijackThis v1.99.1
Scan saved at 14:06:54, on 11/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\Archivos de programa\Canon\MultiPASS4\MPSERVIC.EXE
C:\Archivos de programa\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Jazztel\Adsl\dslagent.exe
C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
C:\ARCHIV~1\Canon\MULTIP~1\MPTBox.exe
C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
C:\Archivos de programa\SAGEM\SAGEM F@st 1200\SagemMonitor.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Moira\Mis documentos\Software\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Jazztel\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Jazztel\Adsl\dslagent.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MPTBox] C:\ARCHIV~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [Omnipage] C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [KAV50] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKLM\..\Run: [SagemMonitor] C:\Archivos de programa\SAGEM\SAGEM F@st 1200\SagemMonitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Security Service] wowvp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IRC Client] updated.exe
O4 - HKCU\..\RunServices: [Windows Security Service] wowvp.exe
O8 - Extra context menu item: &Búsqueda en Google - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traducir palabra inglesa - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
O23 - Service: KLBLMain - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: MpService - Canon Inc. - C:\Archivos de programa\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\Archivos de programa\Photodex\ProShowGold\ScsiAccess.exe

Mosaic1
2006-04-11, 19:45
You're welcome.

The reason that and some other entries weren't present in
Safe Mode is that you were not signed into your own account.


I think you missed this part of the directions:

Restart into Safe mode:

BUT when the welcome screen appears, Press CTRL + ALT +DEL twice to bring up
a logon. Log on to your Profile!

--------------
Let's see if you can fix these in regular windows mode.

Run hijackthis. Select the following items and press the fix checked button:


O4 - HKCU\..\Run: [Windows Security Service] wowvp.exe
O4 - HKCU\..\Run: [IRC Client] updated.exe
O4 - HKCU\..\RunServices: [Windows Security Service] wowvp.exe

---------------

The batch file I had you create and run made a new folder:
C:\outtahere

Can you go there, open it, and tell me if it contains any files please? It very well may not.

---------------------------------
The command service entries are just leftovers. But we can get rid of those too.
Go to Start >run and type services.msc
Press enter
When the services console opens, scroll to the Task Scheduler entry and be sure it is running. If not double click on the entry and then start the service. If it is disabled, enable it and then start it. Close the services console.

Copy the contents of the code box to notepad.
Name the file Delete cmdservice System priv.vbs
Save as Type: All files
Wait until the minute on the clock in systray turns over
Double click on Delete cmdservice System priv.vbs
Wait a minute or so and a black command window will open and run quickly
A file named results.txt will open
Post the contents of results.txt into your next reply here.



'Deletes the cmdservice Service Registry Entries

'Written by Mosaic1
'Use at your own risk

'Wait until the minute on the clock in systray turns over
'Double click on Delete cmdservice System priv.vbs
'Wait a minute or so and a black command window will open and run quickly
' A file named results.txt will open
'Post the contents of results.txt into your Forum post.

'How it works: the script writes r.bat next to itself and hands it to at.exe,
'scheduled for the next minute. Jobs started by at.exe run as SYSTEM, which is
'what gets past the registry permissions that stop Spybot from fixing the keys.
'The Task Scheduler service must be running (see the steps above). Windows XP only.

Option Explicit
Dim fso, WshShell, batty, Location, Short, Place, R
Dim ImagePath, present, fpath, F, slash
Dim CurrentCS, DefaultCS, FailedCS, LKGCS, NewD, Future

Set fso = WScript.CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")

'Where the service pointed: report whether the file and its folder still exist
On Error Resume Next
ImagePath = WshShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ImagePath")
Err.Clear
present = False
fpath = False
If ImagePath <> "" Then
    If fso.FileExists(ImagePath) Then present = True
    slash = InStrRev(ImagePath, "\")
    If slash > 0 Then
        F = Mid(ImagePath, 1, slash - 1)
        If fso.FolderExists(F) Then fpath = True
    End If
End If

'The live control set is reachable as CurrentControlSet; HKLM\SYSTEM\Select
'says which ControlSet00N the others are, so every copy of the service goes
CurrentCS = "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_cmdservice"
DefaultCS = "HKLM\SYSTEM\ControlSet00" & WshShell.RegRead("HKLM\SYSTEM\Select\Default") & "\Enum\Root\LEGACY_cmdservice"
FailedCS = "HKLM\SYSTEM\ControlSet00" & WshShell.RegRead("HKLM\SYSTEM\Select\Failed") & "\Enum\Root\LEGACY_cmdservice"
LKGCS = "HKLM\SYSTEM\ControlSet00" & WshShell.RegRead("HKLM\SYSTEM\Select\LastKnownGood") & "\Enum\Root\LEGACY_cmdservice"
Err.Clear

Set batty = fso.CreateTextFile("r.bat", True)
Set Location = fso.GetFile("r.bat")
Short = Location.ShortPath
Place = fso.GetParentFolderName(Short) & "\results.txt"
R = fso.GetParentFolderName(Short) & "\r.bat"

batty.WriteLine "Echo " & Now & " >>" & Place
batty.WriteLine "Echo. >>" & Place

EmitDeletes "Current", CurrentCS
EmitDeletes "Default", DefaultCS
EmitDeletes "Failed", FailedCS
EmitDeletes "LastKnownGood", LKGCS

If present Then
    batty.WriteLine "Echo ImagePath File found here: " & ImagePath & " >>" & Place
Else
    batty.WriteLine "Echo ImagePath File not found: " & ImagePath & " >>" & Place
End If
If fpath Then
    batty.WriteLine "Echo ImagePath Folder found here: " & F & " >>" & Place
Else
    batty.WriteLine "Echo ImagePath Folder not found: " & F & " >>" & Place
End If
batty.WriteLine "Echo. >>" & Place
batty.WriteLine "Start Notepad " & Place
batty.WriteLine "del " & R
batty.Close

'at.exe wants HH:MM in 24-hour form; FormatDateTime depends on the locale and
'can add seconds or AM/PM, so build the time by hand
NewD = DateAdd("n", 1, Now)
Future = Right("0" & Hour(NewD), 2) & ":" & Right("0" & Minute(NewD), 2)

'Window style 0 = hidden (VBScript has no vbHidden constant)
WshShell.Run "cmd.exe /c at " & Chr(34) & Future & Chr(34) & " /interactive " & Short, 0

Set fso = Nothing
Set WshShell = Nothing
Set Location = Nothing

MsgBox "Wait for the command box to run and close" & vbCrLf & "This will take a minute."

'Writes the two reg delete lines for one control set: first the LEGACY_cmdservice
'enum key, then the service key itself. 2>&1 puts reg.exe's errors into results.txt
Sub EmitDeletes(label, legacyKey)
    Dim serviceKey
    serviceKey = Replace(legacyKey, "Enum\Root\LEGACY_cmdservice", "Services\cmdservice")
    batty.WriteLine "Echo Working on HKLM\Select ," & label & " >>" & Place
    batty.WriteLine "Echo Deleting " & legacyKey & " >>" & Place
    batty.WriteLine "Reg delete " & legacyKey & " /f >>" & Place & " 2>&1"
    batty.WriteLine "Echo. >>" & Place
    batty.WriteLine "Echo Deleting " & serviceKey & " >>" & Place
    batty.WriteLine "Reg delete " & serviceKey & " /f >>" & Place & " 2>&1"
    batty.WriteLine "Echo ~~~~~~~~~~ >>" & Place
End Sub




*** NOTE: This script only works on Windows XP. It is not for Win2k or 9x.

After we get you cleaned up you need to update your Windows to Service Pack 2.

moira
2006-04-11, 20:51
Hiya,
OK, one thing at a time.

You are right, I logged on as administrator, instead of my profile (assuming wrongly that it'd be "better"). I just cleaned those entries mentioned in normal mode, my new log is this:

Logfile of HijackThis v1.99.1
Scan saved at 19:48:50, on 11/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\Archivos de programa\Canon\MultiPASS4\MPSERVIC.EXE
C:\Archivos de programa\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Jazztel\Adsl\dslagent.exe
C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
C:\ARCHIV~1\Canon\MULTIP~1\MPTBox.exe
C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
C:\Archivos de programa\SAGEM\SAGEM F@st 1200\SagemMonitor.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Moira\Mis documentos\Software\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Jazztel\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Jazztel\Adsl\dslagent.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MPTBox] C:\ARCHIV~1\Canon\MULTIP~1\MPTBox.exe
O4 - HKLM\..\Run: [Omnipage] C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [KAV50] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKLM\..\Run: [SagemMonitor] C:\Archivos de programa\SAGEM\SAGEM F@st 1200\SagemMonitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: &Búsqueda en Google - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traducir palabra inglesa - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
O23 - Service: KLBLMain - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: MpService - Canon Inc. - C:\Archivos de programa\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\Archivos de programa\Photodex\ProShowGold\ScsiAccess.exe


Next, the cmd entries that you mention are only leftovers; I managed to clean them in the time between posting my first help message and your reply. I used "ren-cmdservice", which I read about in another post. So technically only the LSA entries are now detected but not fixed, using S&D.

What are my next steps? (thanks... from Madrid - you are most welcome to this city, I promise to show you around!)

moira
2006-04-11, 20:53
Sorry!

C:\outtahere

Does NOT contain anything...

Mosaic1
2006-04-11, 21:47
Thank you.

I have a feeling this is a matter of registry permissions now.

All you seemed to have is leftovers.

Did you read my comment in an earlier post about protecting your personal information? That is very urgent.

-------------

Copy the contents of the quote box to notepad.
Name the file lsa.bat
Save as Type: All files
Double click on lsa.bat to run it.

It will export some registry keys I need to see.
When it had finished it will open a file named lsa.txt

Please post the contents of lsa.txt into a new reply.




If not exist Files MkDir Files


regedit /a /e files\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE
regedit /a /e files\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
regedit /a /e files\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
regedit /a /e files\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
regedit /a /e files\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
regedit /a /e files\8.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center"
Regedit /a /e files\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e files\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e files\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall
Regedit /a /e files\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall
Regedit /a /e files\13.txt HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate
Regedit /a /e files\14.txt HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
Regedit /a /e files\15.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
Regedit /a /e files\16.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
Regedit /a /e files\17.txt HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa
Regedit /a /e files\18.txt HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa


Copy files\*.txt lsa.txt
rmdir /s /q files
Start Notepad lsa.txt

moira
2006-04-11, 21:58
Yes, I did, no personal information in my computer anyway, anything "really" important is in my office PC.

Here is the log you requested:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000
"CreateFirstRunRp"=dword:00000001
"DSMin"=dword:000000c8
"DSMax"=dword:00000190
"RPSessionInterval"=dword:00000000
"RPGlobalInterval"=dword:00015180
"RPLifeInterval"=dword:0076a700
"CompressionBurst"=dword:0000003c
"TimerInterval"=dword:00000078
"DiskPercent"=dword:0000000c
"ThawInterval"=dword:00000384
"RestoreDiskSpaceError"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Cfg]
"DiskPercent"=dword:0000000c
"MachineGuid"="{F35EA7A8-4593-4340-8986-5DB203CC760C}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SnapshotCallbacks]
@=""

REGEDIT4

[HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Security Service"="wowvp.exe"

REGEDIT4

[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Security Service"="wowvp.exe"

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Windows live Support"="wlmsn.exe"
"Windows Security Service"="wowvp.exe"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"Windows Security Service"="wowvp.exe"
"EnableRemoteConnect"="N"

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:000002b4
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"Windows Security Service"="wowvp.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:fe,5e,11,19,f7,32,da,55,5d,b9,7a,07,ac,5c,4c,b6,31,38,36,35,62,\
34,33,63,00,67,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
53,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,87,eb,d5,f8

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:c3,08,fc,f3,88,e8,0e,ad,78

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:19,d9,99,66,6b,fd

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:5c,79,5b,81,6d,6a,4a,63,2c,f6,f7,56,41,fe,43,cb

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:ac,88,60,0b,f1,14,c6,01

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,56,ee,99,4e,50,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,10,5d,89,83,2c,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,10,5d,89,83,2c,c1,01
"Type"=dword:00000031

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091



Mosaic1
2006-04-11, 22:26
Create a new folder on the C:\ drive and name it cleanit


Copy the contents of the code box to notepad.
Name the file r.reg
Save as Type: All files
Save it in the C:\cleanit folder.

REGEDIT4

[-HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa]

[-HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Windows live Support"=-
"Windows Security Service"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"Windows Security Service"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Windows Security Service"=-


Copy the contents of this next quote box to notepad.
Name the file setit.vbs
save as Type: All files


'run the script to set a task which will
'then import r.reg with System Privileges in a minute

'Written by Mosaic1
'Use at your own risk

'Save this next to r.reg: it schedules "regedit r.reg" with at.exe for the next
'minute, and jobs started by at.exe run as SYSTEM, which is how the locked keys
'get removed. The Task Scheduler service must be running. Windows XP only.

Option Explicit
Dim fso, WshShell, Future, NewD, Short, Location

Set fso = WScript.CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")

'at.exe wants HH:MM in 24-hour form; FormatDateTime depends on the locale
NewD = DateAdd("n", 1, Now)
Future = Right("0" & Hour(NewD), 2) & ":" & Right("0" & Minute(NewD), 2)

'Short (8.3) path avoids quoting problems on the at.exe command line
Set Location = fso.GetFile("r.reg")
Short = Location.ShortPath

'Window style 0 = hidden (VBScript has no vbHidden constant)
WshShell.Run "cmd.exe /c at " & Chr(34) & Future & Chr(34) & " /interactive regedit " & Short, 0 'Set the task

MsgBox "Wait for Registry Confirmation." & vbCrLf & "This may take a minute." 'Alert the User

Set fso = Nothing
Set WshShell = Nothing
Set Location = Nothing




Wait for the minute to turn over on your clock.
Double click on setit.vbs

If you get a warning about a malicious script, please ignore and allow this to run. I wrote it and it is safe.

In a minute, the task the script set will run and clean up the registry.

Say yes to the prompt when asked if you want to enter the information into the registry.


Then run Spybot again and see if you are now all clear.
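
The export moira posted and the r.reg that came out of it form a small read-the-log, write-the-fix loop that can be automated. As an added example that is not part of this thread and not code from Spybot, HijackThis or any other tool named here, the Python below parses a REGEDIT4 export (the format regedit /a /e writes, including the backslash-continued hex lines), decodes the hex(7) multi-strings so the LSA package lists can be compared with a baseline, flags what a reviewer picks out of the log (an LSA key under a user hive, a bare .exe name stored in the Lsa or Ole keys, EnableDCOM switched off, a DLL added to Authentication, Notification or Security Packages, which lsass.exe loads at boot), and emits the removal file in the same [-KEY] and "name"=- syntax r.reg uses. The baseline package lists are an assumption taken from the values in the posted log, and the embedded sample export is constructed from that log, cut down to the keys that matter.

```python
"""Parse a REGEDIT4 export (what regedit /a /e in lsa.bat writes), flag the LSA/OLE
artefacts seen in the posted log, and emit the r.reg-style file that undoes them."""
import re

# Stock XP package lists (assumed baseline, copied from the posted export). DLLs
# added to these are loaded into lsass.exe at boot, a classic persistence spot.
BASELINE_PACKAGES = {"Authentication Packages": {"msv1_0"}, "Notification Packages": {"scecli"},
                     "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest"}}

# Constructed sample, cut down from the shape of the posted lsa.txt.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows Security Service"="wowvp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"Windows Security Service"="wowvp.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
  63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"Windows Security Service"="wowvp.exe"
"restrictanonymous"=dword:00000001
"""

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _logical_lines(text):
    """regedit wraps long hex data with a trailing backslash; glue those lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            yield buf + line
            buf = ""

def _decode(data):
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return ("sz", re.sub(r"\\(.)", r"\1", data[1:-1]))
    if data.startswith("dword:"):
        return ("dword", int(data[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "7":  # REG_MULTI_SZ; an /a export is single-byte ANSI
            return ("multi_sz", [p for p in raw.decode("latin-1").split("\0") if p])
        return ("hex", raw)
    return ("raw", data)

def parse_reg_export(text):
    """Return {key: {value_name: (type, decoded_data)}}; "@" is the default value."""
    reg, key = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif (m := _VALUE_RE.match(line)) and key is not None:
            name = "@" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
            reg[key][name] = _decode(m.group(2))
    return reg

def _hex7(items):  # encode a REG_MULTI_SZ the way regedit /a writes it
    raw = "".join(s + "\0" for s in items) + "\0"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw.encode("latin-1"))

def find_suspicious(reg):
    """(key, fix, reason) triples; fix is the REGEDIT4 line undoing the finding, None = drop the whole key ([-KEY])."""
    out = []
    for key, vals in reg.items():
        low = key.lower()
        lsa, ole = low.endswith("\\control\\lsa"), low.endswith("\\microsoft\\ole")
        if lsa and low.startswith("hkey_users\\"):  # LSA lives only under HKLM\SYSTEM
            out.append((key, None, "LSA key planted under a user hive"))
            continue
        for name, (kind, val) in vals.items():
            if (lsa or ole) and kind == "sz" and val.lower().endswith(".exe"):
                out.append((key, f'"{name}"=-', f"executable name {val!r} stored here"))
            elif lsa and name in BASELINE_PACKAGES and kind == "multi_sz":
                extra = [p for p in val if p not in BASELINE_PACKAGES[name]]
                if extra:  # put the baseline list back, minus the added DLLs
                    keep = [p for p in val if p not in extra]
                    out.append((key, f'"{name}"={_hex7(keep)}', f"{name} adds {extra}"))
            elif ole and name == "EnableDCOM" and kind == "sz" and val.upper() == "N":
                out.append((key, '"EnableDCOM"="Y"', "DCOM disabled (XP default is Y)"))
    return out

def build_removal_reg(findings):
    """REGEDIT4 text in the style of r.reg; write it to disk with newline="\\r\\n"."""
    per_key = {}
    for key, fix, _ in findings:
        per_key.setdefault(key, []).extend([] if fix is None else [fix])
    body = [l for k, f in per_key.items() for l in ([f"[{k}]" if f else f"[-{k}]", *f, ""])]
    return "\n".join(["REGEDIT4", ""] + body)
```

On a real lsa.txt the call is find_suspicious(parse_reg_export(open("lsa.txt", encoding="latin-1").read())), and the text from build_removal_reg should be written with newline="\r\n" so regedit accepts it. Two caveats the thread itself shows: the script only writes the .reg file, and importing it still needs the SYSTEM rights that the at.exe trick provides; and the package baseline is the one in this log, not a universal list, so an "adds" finding is something to look up before it is removed.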

moira
2006-04-11, 22:34
where should I save setit.vbs? I do so on the desktop and get an error message...

I attach an error message (in Spanish though)

Mosaic1
2006-04-11, 22:38
I'm sorry. Did I forget to have you save setit.vbs in the same folder as r.reg?

That message is file not found. Both r.reg and setit.vbs need to be in the same folder.

moira
2006-04-11, 22:56
Hi Mosaic,

Right, this is incredible! Everything seems to be perfect again. THANK YOU.


Now, my next questions are: How do I protect myself for the future? how do I upgrade to Service Pack 2? Unforch my PC came blank so I borrowed my brother's Windows and of course I'm unable to upgrade using windows updates....

Mosaic1
2006-04-11, 23:00
Hi moira,

Short of having you buy a legal copy of windows, I am not able to help you with that. I'm sorry.

Once you have rebooted a time or two, be sure everything is in working order. It is time to flush your system restore points. Once you do that you will not be able to correct any problems you may have now by going back to a point before today.


After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore.


Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
----------------------------
Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html



Mo

moira
2006-04-11, 23:05
yeah, yeah, must find out how to buy a legal copy, as in Spain they are only available for new PCs...

Will follow your last instructions, reboot, and let you know how it goes!!

Mosaic1
2006-04-11, 23:10
You'd think MS would like a customer. I'm glad your system is working better now. Although SP2 is by no means a guarantee, it is supported and you need to be able to have the newest if you can get it.


Good luck.

Hope it all works out for you.

I wonder if you can get a second license for that other CD which your brother owns so you can use it as well.

moira
2006-04-11, 23:35
Can I swear? I'm trying to follow your last link, to learn about security, and I get the error message I used to get. (Please tell me the link is broken....)

Mosaic1
2006-04-11, 23:42
It can be frustrating.

The link works.


Let's see if renaming your hosts file does anything.

Go to
C:\windows\system32\drivers\etc

Open the etc folder.

Look for a file named hosts

No file extension. Just plain hosts.

Right click on hosts and click rename on the menu.

rename hosts as ghosts.

Close Internet Explorer.

Reopen Internet Explorer and see if the link works now.

moira
2006-04-11, 23:46
OK, it's working now. My usual problem is I get a server error message in IE, can't load the page. But if I click "go" a second time, then the pages load. I think I need to surf for a bit, and then I'll come back to you. You are being very helpful. Thanks so much.

moira
2006-04-11, 23:47
What is the application "Registry Mechanic" for?

Mosaic1
2006-04-11, 23:58
Registry Mechanic is a registry cleaner. It is not a free application though.

moira
2006-04-12, 00:28
OK, was just curious.

So far, so good, BTW!!!

Thanks Mo, for your time and patience.

tashi
2006-04-17, 23:38
As the problem appears to be resolved this topic will be archived. :bigthumb:

If you need it re-opened please send me a pm and provide a link to the thread.

Glad we could help, thank you Mosaic1