
Thread: Please help! LSA

  1. #1
    Member
    Join Date
    Apr 2006
    Posts
    47

    Please help! LSA

    I am not very computer literate and am suffering from malware. Most of the time I can't go on the internet, no pages will load. This is what I get from spybot s&d, can someone please, please, please help me?

    LSA: Settings (Registry key, fixing failed)
    HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa

    LSA: Settings (Registry key, fixing failed)
    HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa

    Command Service: Settings (Registry key, fixing failed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Command Service: Settings (Registry key, fixing failed)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

  2. #2
    Esteemed Security Expert: Emeritus
    Join Date
    Feb 2006
    Posts
    367


    Post a HijackThis log please. Download and then extract Hijackthis.exe to a new folder. Do not run it from the zip, the desktop or a temp folder.

    Here's a link:
    http://www.merijn.org/files/hijackthis.zip

    Do not remove anything using HijackThis. Save the log and then copy and paste the contents into your next reply here in this same topic. It lists many types of entries. Some are good, and others need to be removed. We will help you sort it out.

    ------
    Download WinPFind here:
    http://www.bleepingcomputer.com/files/winpfind.php

    Read and follow the instructions on the page to download and then run WinPFind and post the results please.

    ------------------

    Extract the contents to a convenient folder.

    Double click in WinPFind.exe to run it.


    Click "Start Scan"
    This is going to take considerable time.

    Once the Scan has finished it will generate a text file named WinPFind.txt in the WinPFind folder. Post the contents of WinPFind.txt into your next reply here too.


    -------

    You may have to reply more than once to fit all the logs into your response. Please be sure the entire contents of all logs are showing in your responses. Thank you.

  3. #3
    Member
    Join Date
    Apr 2006
    Posts
    47

    LSA Problems... HijackThis log

    Thanks for your help! Here is my hijackthis! log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:06:50, on 10/04/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
    C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
    C:\Archivos de programa\Canon\MultiPASS4\MPSERVIC.EXE
    C:\Program Files\Jazztel\Adsl\dslagent.exe
    C:\Archivos de programa\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
    C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
    C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
    C:\Archivos de programa\SAGEM\SAGEM F@st 1200\SagemMonitor.exe
    C:\Archivos de programa\MSN Messenger\msnmsgr.exe
    C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Moira\Mis documentos\Software\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {755C98A7-545F-E9E9-2B06-7877C85B4A5D} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Jazztel\Adsl\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Jazztel\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [Windows Security Service] wowvp.exe
    O4 - HKLM\..\Run: [Windows live Support] wlmsn.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MPTBox] C:\ARCHIV~1\Canon\MULTIP~1\MPTBox.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
    O4 - HKLM\..\Run: [KAV50] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
    O4 - HKLM\..\Run: [SagemMonitor] C:\Archivos de programa\SAGEM\SAGEM F@st 1200\SagemMonitor.exe
    O4 - HKLM\..\Run: [IRC Client] updated.exe
    O4 - HKLM\..\RunServices: [Windows Security Service] wowvp.exe
    O4 - HKLM\..\RunServices: [Windows live Support] wlmsn.exe
    O4 - HKLM\..\RunServices: [IRC Client] updated.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Windows Security Service] wowvp.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [IRC Client] updated.exe
    O4 - HKCU\..\RunServices: [Windows Security Service] wowvp.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Búsqueda en Google - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Traducir palabra inglesa - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Páginas similares - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Páginas vinculadas - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.filelodge.com/ImageUploader3.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
    O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
    O23 - Service: KLBLMain - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
    O23 - Service: MpService - Canon Inc. - C:\Archivos de programa\Canon\MultiPASS4\MPSERVIC.EXE
    O23 - Service: ScsiAccess - Unknown owner - C:\Archivos de programa\Photodex\ProShowGold\ScsiAccess.exe

  4. #4
    Member
    Join Date
    Apr 2006
    Posts
    47

    LSA Problems: WinPFind Log

    Again, thanks so much for your help!! Here is my log.

    Windows OS and Versions Product Name: Microsoft Windows XP Current Build: Current Build Number: 2600
    Internet Explorer Version: 6.0.2800.1106

    Checking Selected Standard Folders

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...

    Checking %System% folder...
    PEC2 24/08/2001 12:00:00 41129 C:\WINDOWS\SYSTEM32\dfrg.msc
    PTech 12/01/2006 12:32:12 543496 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
    PECompact2 10/03/2006 2:10:36 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 10/03/2006 2:10:36 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
    Umonitor 12/02/2002 23:22:28 650240 C:\WINDOWS\SYSTEM32\rasdlg.dll
    winsync 24/08/2001 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
    UPX! 27/12/2003 7:49:04 168448 C:\WINDOWS\SYSTEM32\ympg.dll
    UPX! 27/12/2003 7:49:26 76800 C:\WINDOWS\SYSTEM32\ympgcdc.cfg

    Checking %System%\Drivers folder and sub-folders...

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    10/04/2006 11:57:38 S 2048 C:\WINDOWS\bootstat.dat
    15/02/2006 21:22:46 H 10684 C:\WINDOWS\system32\mlfcache.dat
    10/04/2006 11:57:56 H 1024 C:\WINDOWS\system32\config\default.LOG
    10/04/2006 11:57:38 H 1024 C:\WINDOWS\system32\config\SAM.LOG
    10/04/2006 11:57:56 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
    10/04/2006 12:13:16 H 1024 C:\WINDOWS\system32\config\software.LOG
    10/04/2006 11:58:40 H 1024 C:\WINDOWS\system32\config\system.LOG
    15/03/2006 11:09:02 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    03/04/2006 23:33:44 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0e8889de-092d-4fcc-832a-d92a85ac0330
    03/04/2006 23:33:44 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
    10/04/2006 11:57:38 H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    19/08/2003 9:20:04 180224 C:\WINDOWS\SYSTEM32\ac3filter.cpl
    Microsoft Corporation 24/08/2001 12:00:00 68096 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 24/08/2001 12:00:00 562176 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 24/08/2001 12:00:00 132096 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 24/08/2001 12:00:00 151552 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 30/08/2002 19:56:44 293376 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 24/08/2001 12:00:00 123392 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 29/08/2002 4:41:00 208896 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems, Inc. 10/11/2005 14:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 24/08/2001 12:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 24/08/2001 12:00:00 567808 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 24/08/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 24/08/2001 12:00:00 258560 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 24/08/2001 12:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
    Microsoft Corporation 24/08/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 24/08/2001 12:00:00 112128 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Microsoft Corporation 24/08/2001 12:00:00 274944 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 24/08/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 24/08/2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
    07/01/2004 17:14:48 53248 C:\WINDOWS\SYSTEM32\vp6dec_settings.cpl
    Microsoft Corporation 26/05/2005 5:16:30 175384 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 24/08/2001 12:00:00 68096 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
    Microsoft Corporation 24/08/2001 12:00:00 562176 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
    Microsoft Corporation 24/08/2001 12:00:00 132096 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
    Microsoft Corporation 24/08/2001 12:00:00 151552 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
    Microsoft Corporation 30/08/2002 19:56:44 293376 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
    Microsoft Corporation 24/08/2001 12:00:00 123392 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
    Microsoft Corporation 29/08/2002 4:41:00 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
    Microsoft Corporation 24/08/2001 12:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 24/08/2001 12:00:00 567808 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
    Microsoft Corporation 24/08/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 24/08/2001 12:00:00 258560 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
    Microsoft Corporation 24/08/2001 12:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
    Microsoft Corporation 24/08/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
    Microsoft Corporation 24/08/2001 12:00:00 112128 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
    Microsoft Corporation 24/08/2001 12:00:00 151552 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
    Microsoft Corporation 24/08/2001 12:00:00 274944 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
    Microsoft Corporation 24/08/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    Microsoft Corporation 24/08/2001 12:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
    Checking Selected Startup Folders
    Checking files in %ALLUSERSPROFILE%\Startup folder...
    14/12/2005 22:33:40 HS 84 C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\desktop.ini
    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    14/12/2005 21:47:44 HS 62 C:\Documents and Settings\All Users\Datos de programa\desktop.ini
    Checking files in %USERPROFILE%\Startup folder...
    14/12/2005 22:33:40 HS 84 C:\Documents and Settings\Moira\Menú Inicio\Programas\Inicio\desktop.ini

    Checking files in %USERPROFILE%\Application Data folder...
    14/12/2005 21:47:44 HS 62 C:\Documents and Settings\Moira\Datos de programa\desktop.ini
    Checking Selected Registry Keys
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
    {DD230880-495A-11D1-B064-008048EC2FC5} = C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\ShellEx.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Archivos de programa\WinRAR\rarext.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Elemento anclado al menú Inicio = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}
    = C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBShell.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
    {DD230880-495A-11D1-B064-008048EC2FC5} = C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\ShellEx.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Archivos de programa\WinRAR\rarext.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}
    = C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBShell.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
    {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Archivos de programa\WinRAR\rarext.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
    = C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroDigitalExt.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}
    =

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{755C98A7-545F-E9E9-2B06-7877C85B4A5D}
    =
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    SSVHelper Class = C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
    Google Toolbar Helper = c:\archivos de programa\google\googletoolbar1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Sugerencia del día = %SystemRoot%\System32\shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\archivos de programa\google\googletoolbar1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Consola de Sun Java : C:\Archivos de programa\Java\jre1.5.0_06\bin\npjpi150_06.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    Banda multimedia = %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    Banda del explorador para búsqueda de archivos = %SystemRoot%\system32\SHELL32.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
    History Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Banda de Explorador = %SystemRoot%\System32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Dirección : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Vínculos : %SystemRoot%\system32\SHELL32.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Dirección : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Vínculos : %SystemRoot%\system32\SHELL32.dll
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\archivos de programa\google\googletoolbar1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    DSLSTATEXE C:\Program Files\Jazztel\Adsl\dslstat.exe icon
    DSLAGENTEXE C:\Program Files\Jazztel\Adsl\dslagent.exe
    Windows Security Service wowvp.exe
    Windows live Support wlmsn.exe
    {0228e555-4f9c-4e35-a3ec-b109a192b4c2} C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
    NeroCheck C:\WINDOWS\system32\NeroCheck.exe
    MPTBox C:\ARCHIV~1\Canon\MULTIP~1\MPTBox.exe
    Omnipage C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
    NeroFilterCheck C:\WINDOWS\System32\NeroCheck.exe
    Picasa Media Detector C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    OfficeGuard RegChecker "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
    KAV50 "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
    SagemMonitor C:\Archivos de programa\SAGEM\SAGEM F@st 1200\SagemMonitor.exe
    IRC Client updated.exe
    NWEReboot

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    Windows Security Service wowvp.exe
    Windows live Support wlmsn.exe
    IRC Client updated.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    MSMSGS "C:\Archivos de programa\Messenger\msmsgs.exe" /background
    Windows Security Service wowvp.exe
    msnmsgr "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
    Skype "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
    IRC Client updated.exe

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    Windows Security Service wowvp.exe

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\ARCHIV~1\ARCHIV~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs

  5. #5
    Esteemed Security Expert: Emeritus
    Join Date
    Feb 2006
    Posts
    367


    The types of infection you have and have had are information-stealing trojans and keyloggers. They steal passwords and send them up to the attacker. Therefore, all sensitive information on your system is no longer private. ANY AND ALL BANKING passwords need to be changed, and do not do any banking online until you are clean. Get in touch with your bank immediately if you do online banking. The same goes for any other financial transactions or passwords to email, or sites like this, etc.
    ----------------


    Copy the contents of the code box to notepad.
    Name the file deleteit.bat
    Save as type: All files

    Save in C:\
    Now you have C:\deleteit.bat

    Code:
    rem Copy each suspect file to C:\outtahere before deleting it, so a sample
    rem survives for analysis. Each name is tried in both System32 and the
    rem Windows folder because the drop location is not known; a del or copy
    rem on a path that does not exist only prints an error and the script continues.
    mkdir C:\outtahere
    attrib -s -h -r C:\WINDOWS\System32\wowvp.exe
    copy C:\WINDOWS\System32\wowvp.exe C:\outtahere
    del C:\WINDOWS\System32\wowvp.exe
    attrib -s -h -r C:\WINDOWS\System32\wlmsn.exe
    copy C:\WINDOWS\System32\wlmsn.exe C:\outtahere
    del C:\WINDOWS\System32\wlmsn.exe
    attrib -s -h -r C:\WINDOWS\System32\updated.exe
    copy C:\WINDOWS\System32\updated.exe C:\outtahere
    del C:\WINDOWS\System32\updated.exe
    attrib -s -h -r C:\WINDOWS\wowvp.exe
    copy C:\WINDOWS\wowvp.exe C:\outtahere
    del C:\WINDOWS\wowvp.exe
    attrib -s -h -r C:\WINDOWS\wlmsn.exe
    copy C:\WINDOWS\wlmsn.exe C:\outtahere
    del C:\WINDOWS\wlmsn.exe
    attrib -s -h -r C:\WINDOWS\updated.exe
    copy C:\WINDOWS\updated.exe C:\outtahere
    del C:\WINDOWS\updated.exe

    You will be restarting into Safe mode later. Here's help if you need it.

    To use the F8 key to start Windows XP in Safe mode
    Restart the computer.
    Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
    As soon as the BIOS loads, begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
    If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
    Using the arrow keys on the keyboard, select Safe mode and then press Enter.




    Restart into Safe mode:

    BUT when the welcome screen appears, press CTRL + ALT + DEL twice to bring up
    a logon. Log on to your profile!
    Go to Start > Run and type hijackthis. Press Enter.

    Do not run anything else!


    Select the following entries and click the fix checked button:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {755C98A7-545F-E9E9-2B06-7877C85B4A5D} - (no file)
    O4 - HKLM\..\Run: [Windows Security Service] wowvp.exe
    O4 - HKLM\..\Run: [Windows live Support] wlmsn.exe
    O4 - HKLM\..\Run: [IRC Client] updated.exe
    O4 - HKLM\..\RunServices: [Windows Security Service] wowvp.exe
    O4 - HKLM\..\RunServices: [Windows live Support] wlmsn.exe
    O4 - HKLM\..\RunServices: [IRC Client] updated.exe
    O4 - HKCU\..\Run: [Windows Security Service] wowvp.exe
    O4 - HKCU\..\Run: [IRC Client] updated.exe
    O4 - HKCU\..\RunServices: [Windows Security Service] wowvp.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    -----------

    Go to Start >Run and type in:
    C:\deleteit.bat

    Press enter.

    This will run the file you created earlier. It will run quickly and close.

    --------------

    Restart back into Windows.

    Run hijackthis and post a new log please.

    ---------

    We will have more to do and I'll want to look at some registry keys too.
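
    The copy-then-delete batch file above, generalised as an added example in Python (this is not the thread's own script and not a HijackThis feature). It takes any list of candidate paths, skips the ones that do not exist (the batch names each file under both System32 and the Windows folder precisely because the drop location is unknown), records a SHA-256 of every sample before it is removed so the copy can be submitted to an AV vendor, clears the hidden/system/read-only attributes the way `attrib -s -h -r` does, and renames the quarantined copy so it no longer carries an executable extension. The file names and the temporary directory in `run_demo` are constructed for the demo; the quarantine folder name `outtahere` is borrowed from the batch file.

```python
"""Quarantine-then-delete for suspect files, keeping a hashed copy of each sample.

Added example, not the thread's batch file. run_demo() builds a constructed
sample in a temporary directory so the script runs offline.
"""
import ctypes
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_NORMAL = 0x80  # Win32 constant: no hidden/system/read-only bits


def _clear_attributes(path: Path) -> None:
    """Equivalent of `attrib -s -h -r`: make the file deletable."""
    if os.name == "nt":
        ctypes.windll.kernel32.SetFileAttributesW(str(path), FILE_ATTRIBUTE_NORMAL)
    path.chmod(stat.S_IREAD | stat.S_IWRITE)


def quarantine(paths, quarantine_dir) -> dict:
    """Copy each existing file into quarantine_dir, hash it, then delete the original.

    Paths that do not exist are recorded under "missing" rather than raising,
    mirroring the batch file trying each name in several directories.
    """
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = {"quarantined": [], "missing": []}
    for p in map(Path, paths):
        if not p.is_file():
            manifest["missing"].append(str(p))
            continue
        data = p.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        # Strip the executable extension so the copy cannot be launched by accident.
        dest = qdir / f"{p.name}.{digest[:12]}.quarantined"
        dest.write_bytes(data)
        _clear_attributes(p)
        p.unlink()
        manifest["quarantined"].append(
            {"original": str(p), "copy": str(dest), "sha256": digest, "size": len(data)}
        )
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(manifest: dict) -> bool:
    """True when every original is gone and every copy still matches its recorded hash."""
    return all(
        not Path(e["original"]).exists()
        and hashlib.sha256(Path(e["copy"]).read_bytes()).hexdigest() == e["sha256"]
        for e in manifest["quarantined"]
    )


def run_demo() -> dict:
    """Constructed sample: one file that exists and one that does not."""
    root = Path(tempfile.mkdtemp())
    present = root / "wowvp.exe"
    present.write_bytes(b"MZ constructed sample, not real malware")
    return quarantine([present, root / "wlmsn.exe"], root / "outtahere")


if __name__ == "__main__":
    m = run_demo()
    print(json.dumps(m, indent=2))
    print("verified:", verify(m))
```

    The manifest is what you hand to whoever analyses the sample: original path, quarantine path, size and SHA-256, so the file can be matched against vendor detections without ever re-executing it.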

  6. #6
    Esteemed Security Expert: Emeritus
    Join Date
    Feb 2006
    Posts
    367


    Because none of the files mentioned in your startups are showing in your running processes, either they are hidden or have already been removed. But the startups are still there. So we'll see what's going on.

    You are running from an account which has Administrative privileges?
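
    The reasoning in the two replies above, written out as a small log triage in Python: autostart entries whose value is a bare file name with no path (so Windows resolves it through the search path, typically to a file dropped in %WINDIR% or System32), entries under Windows-sounding names that do not live in a Windows directory, the same binary registered under several Run keys at once (including RunServices, a Windows 9x key that XP does not process but which malware installers still write for cross-version persistence), and entries whose file is absent from the "Running processes" list, which is the "hidden or already removed" inference above. This is an added example, not HijackThis code and not the helper's; the log it parses is a constructed, trimmed HijackThis-style sample, and the flag names and the two-flag threshold are this example's own choices.

```python
"""Triage HijackThis O4 (autostart) lines against the running-process list.

Added example: not HijackThis code. SAMPLE_LOG is a constructed, trimmed
HijackThis-style log; flag names and thresholds are this example's choices.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
C:\Archivos de programa\Skype\Phone\Skype.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
O4 - HKLM\..\Run: [Windows Security Service] wowvp.exe
O4 - HKLM\..\Run: [Windows live Support] wlmsn.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\RunServices: [IRC Client] updated.exe
O4 - HKCU\..\Run: [Windows Security Service] wowvp.exe
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IRC Client] updated.exe
""".strip()

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Command lines may be unquoted paths with spaces, so cut at the first executable extension.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|scr|pif|bat|cmd|dll))', re.IGNORECASE)
WINDOWS_DIRS = ("c:\\windows", "%systemroot%", "%windir%")


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    exe: str
    flags: list = field(default_factory=list)

    @property
    def basename(self) -> str:
        return self.exe.rsplit("\\", 1)[-1].lower()


def running_basenames(log_text: str) -> set:
    """Lower-cased file names from the 'Running processes:' block."""
    names, in_block = set(), False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            names.add(line.strip().rsplit("\\", 1)[-1].lower())
    return names


def executable_of(cmd: str) -> str:
    """Path or bare name of the program in an O4 command line."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else (cmd.strip().split() or [""])[0]


def triage(log_text: str) -> list:
    running = running_basenames(log_text)
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        f = Finding(m["hive"], m["key"], m["name"], executable_of(m["cmd"]))
        if "\\" not in f.exe:
            f.flags.append("bare_filename")        # resolved via the search path
        if f.key.lower().startswith("runservices"):
            f.flags.append("runservices_key")      # Win9x key, unused by XP software
        if "windows" in f.name.lower() and not f.exe.lower().startswith(WINDOWS_DIRS):
            f.flags.append("windows_branded_name")  # OS-sounding name, non-OS location
        if f.basename not in running:
            f.flags.append("not_running")          # hidden, or already removed
        findings.append(f)
    counts = Counter(f.basename for f in findings)
    for f in findings:
        if counts[f.basename] > 1:
            f.flags.append("multi_location")       # same binary in several Run keys
    return findings


def suspicious_basenames(log_text: str, min_flags: int = 2) -> set:
    """File names carrying at least min_flags indicators; a single flag is common for benign software."""
    return {f.basename for f in triage(log_text) if len(f.flags) >= min_flags}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive}\\..\\{f.key} [{f.name}] {f.exe} -> {', '.join(f.flags) or 'ok'}")
    print("suspicious:", sorted(suspicious_basenames(SAMPLE_LOG)))
```

    A single flag on its own is weak: the thread's own log has NeroCheck.exe registered twice under different value names, which is benign. The combination of a bare file name, an OS-sounding value name and absence from the process list is what singles out wowvp.exe, wlmsn.exe and updated.exe, and those are exactly the three names the fix list and the batch file target.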

  7. #7
    Member
    Join Date
    Apr 2006
    Posts
    47

    Thanks

    Thanks SO much for this, I shall start immediately and will let you know outcome.

  8. #8
    Member
    Join Date
    Apr 2006
    Posts
    47


    sorry, yes, this is my home PC and I guess I do have administrative privileges...

  9. #9
    Member
    Join Date
    Apr 2006
    Posts
    47

    Default

    I took all the steps but in safe mode, in hijackthis the entry:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel

    was not present. When I restarted my PC and ran hijackthis again, to take a log, it WAS present, so I fixed it then. (hope this didn't do more damage...)

    Here is the log, after those steps:
    Logfile of HijackThis v1.99.1
    Scan saved at 14:06:54, on 11/04/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
    C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
    C:\Archivos de programa\Canon\MultiPASS4\MPSERVIC.EXE
    C:\Archivos de programa\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Jazztel\Adsl\dslagent.exe
    C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
    C:\ARCHIV~1\Canon\MULTIP~1\MPTBox.exe
    C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
    C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
    C:\Archivos de programa\SAGEM\SAGEM F@st 1200\SagemMonitor.exe
    C:\Archivos de programa\Messenger\msmsgs.exe
    C:\Archivos de programa\MSN Messenger\msnmsgr.exe
    C:\Archivos de programa\Skype\Phone\Skype.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Moira\Mis documentos\Software\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Jazztel\Adsl\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Jazztel\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MPTBox] C:\ARCHIV~1\Canon\MULTIP~1\MPTBox.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Archivos de programa\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
    O4 - HKLM\..\Run: [KAV50] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
    O4 - HKLM\..\Run: [SagemMonitor] C:\Archivos de programa\SAGEM\SAGEM F@st 1200\SagemMonitor.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Windows Security Service] wowvp.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [IRC Client] updated.exe
    O4 - HKCU\..\RunServices: [Windows Security Service] wowvp.exe
    O8 - Extra context menu item: &Búsqueda en Google - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Traducir palabra inglesa - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Páginas similares - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Páginas vinculadas - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
    O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
    O23 - Service: KLBLMain - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
    O23 - Service: MpService - Canon Inc. - C:\Archivos de programa\Canon\MultiPASS4\MPSERVIC.EXE
    O23 - Service: ScsiAccess - Unknown owner - C:\Archivos de programa\Photodex\ProShowGold\ScsiAccess.exe
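The cross-check the helper describes in post #6 (startup entries whose executables never show up under "Running processes"), together with the other things he picked out in post #5 (bare file names in Run keys, entries under RunServices, a BHO with no file), applied to the log above as an added worked example. This is editor-written Python, not part of the thread and not how HijackThis itself works. The log excerpt inside the block is a constructed subset of the log posted above, and the flag names (bare-filename, runservices-key, not-in-running-processes, bho-no-file) are labels made up for this example.

```python
import ntpath
import re
from typing import Dict, List

# Constructed excerpt modelled on the HijackThis v1.99.1 log posted in this
# thread (a few lines of each section; not the complete log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Jazztel\Adsl\dslagent.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Documents and Settings\Moira\Mis documentos\Software\hijackthis.exe

O2 - BHO: (no name) - {755C98A7-545F-E9E9-2B06-7877C85B4A5D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Jazztel\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Windows Security Service] wowvp.exe
O4 - HKLM\..\RunServices: [IRC Client] updated.exe
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunServices: [Windows Security Service] wowvp.exe
"""

# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 - BHO: name - {CLSID} - path
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# Image path of a command line, quoted or not, up to the first ".exe"
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)


def running_processes(log: str) -> List[str]:
    """Paths listed between 'Running processes:' and the next blank line."""
    procs: List[str] = []
    in_section = False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def executable_of(cmd: str) -> str:
    """Image path from an autostart command line (handles quotes and spaces)."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip().split(" ")[0]


def triage(log: str) -> Dict[str, List[str]]:
    """Map each O2/O4 log line that merits attention to the reasons why."""
    running = {ntpath.basename(p).lower() for p in running_processes(log)}
    findings: Dict[str, List[str]] = {}
    for line in log.splitlines():
        reasons: List[str] = []
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if ntpath.dirname(exe) == "":
                # No directory: Windows resolves the name through the loader's
                # search order (System32, %WINDIR%, PATH ...), so the log does
                # not tell you where the file actually is.
                reasons.append("bare-filename")
            if m.group("key").lower() == "runservices":
                # RunServices is a Windows 9x/Me key that XP ignores; malware
                # writes to every Run* key it knows about, legitimate XP
                # software does not.
                reasons.append("runservices-key")
            if ntpath.basename(exe).lower() not in running:
                # Startup item with no matching process: hidden, crashed, or
                # (as in this thread) already deleted with the value left behind.
                reasons.append("not-in-running-processes")
        m = O2_RE.match(line)
        if m and m.group("path").strip() == "(no file)":
            # CLSID still registered as a BHO but its DLL is gone: orphan.
            reasons.append("bho-no-file")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(f"{', '.join(why):50} {flagged}")
```

On the excerpt this flags exactly the five lines the helper asked to have fixed and leaves the Jazztel, Skype and Java entries alone; on a full log the "not-in-running-processes" reason by itself is only a hint (a tray application the user closed trips it too), which is why the bare-name and RunServices checks are reported alongside it.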

  10. #10
    Esteemed Security Expert: Emeritus
    Join Date
    Feb 2006
    Posts
    367

    Default

    You're welcome.

    The reason that and some other entries weren't present in
    Safe Mode is that you were not signed into your own account.


    I think you missed this part of the directions:

    Restart into Safe mode:

    BUT when the welcome screen appears, Press CTRL + ALT +DEL twice to bring up
    a logon. Log on to your Profile!

    --------------
    Let's see if you can fix these in regular windows mode.

    Run hijackthis. Select the following items and press the fix checked button:


    O4 - HKCU\..\Run: [Windows Security Service] wowvp.exe
    O4 - HKCU\..\Run: [IRC Client] updated.exe
    O4 - HKCU\..\RunServices: [Windows Security Service] wowvp.exe

    ---------------

    The batch file I had you create and run made a new folder:
    C:\outtahere

    Can you go there, open it, and tell me if it contains any files please? It very well may not.

    ---------------------------------
    The command service entries are just leftovers. But we can get rid of those too.
    Go to Start >run and type services.msc
    Press enter
    When the services console opens, scroll to the Task Scheduler entry and be sure it is running. If not double click on the entry and then start the service. If it is disabled, enable it and then start it. Close the services console.

    Copy the contents of the code box to notepad.
    Name the file Delete cmdservice System priv.vbs
    Save as Type: All files
    Wait until the minute on the clock in systray turns over
    Double click on Delete cmdservice System priv.vbs
    Wait a minute or so and a black command window will open and run quickly
    A file named results.txt will open
    Post the contents of results.txt into your next reply here.

    Code:
    'Deletes the cmdservice Service Registry Entries
    
    'Written by Mosaic1
    'Use at your own risk
    
    'Wait until the minute on the clock in systray turns over
    'Double click on Delete cmdservice System priv.vbs
    'Wait a minute or so and a black command window will open and run quickly
    'A file named results.txt will open
    'Post the contents of results.txt into your Forum post.
    
    'How it works: the script writes a small batch file (r.bat) that runs
    'REG DELETE against the cmdservice service key and its LEGACY_cmdservice
    'enum key in every control set named under HKLM\SYSTEM\Select, then
    'schedules r.bat with AT for one minute from now. AT jobs run as
    'LocalSystem, and the LEGACY_* enum keys deny write access even to
    'Administrators, which is why HijackThis and Spybot report "fixing failed"
    'but this works. Everything the batch file does is appended to results.txt.
    
    Dim Future, NewD, Short, Location, batty, present, folderFound, F, DT
    Dim Current, Failed, Default, LKG, Place, R, ImagePath, slash
    Dim fso, Wshshell
    
    Set fso = WScript.CreateObject("Scripting.FileSystemObject")
    Set Wshshell = WScript.CreateObject("WScript.Shell")
    
    On Error Resume Next
    
    'Where the service claims its executable lives. Reported at the end so we
    'know whether a file or folder still has to be removed by hand.
    ImagePath = Wshshell.RegRead("HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ImagePath")
    present = fso.FileExists(ImagePath)
    slash = InStrRev(ImagePath, "\")
    F = Mid(ImagePath, 1, slash - 1)
    folderFound = fso.FolderExists(F)
    
    'The four control sets listed under HKLM\SYSTEM\Select. Current is reached
    'through the CurrentControlSet link; the others are ControlSet00N, where N
    'is the Select value. A value of 0 (usually Failed) names a control set
    'that does not exist, and REG DELETE simply reports that in results.txt.
    Current = "HKLM\SYSTEM\CurrentControlSet"
    Default = "HKLM\SYSTEM\ControlSet00" & Wshshell.RegRead("HKLM\SYSTEM\Select\Default")
    Err.Clear
    Failed = "HKLM\SYSTEM\ControlSet00" & Wshshell.RegRead("HKLM\SYSTEM\Select\Failed")
    Err.Clear
    LKG = "HKLM\SYSTEM\ControlSet00" & Wshshell.RegRead("HKLM\SYSTEM\Select\LastKnownGood")
    
    'Build the batch file next to this script. ShortPath (8.3) avoids having to
    'quote paths with spaces on the AT command line.
    Set batty = fso.CreateTextFile("r.bat", False)
    Set Location = fso.GetFile("r.bat")
    Short = Location.ShortPath
    Place = fso.GetParentFolderName(Short) & "\results.txt"
    R = fso.GetParentFolderName(Short) & "\r.bat"
    
    DT = Now
    batty.WriteLine "Echo " & DT & " >>" & Place
    batty.WriteLine "Echo. >>" & Place
    
    'Writes the delete commands for one control set. REG's error output is
    'sent to results.txt as well (2>&1) so a missing key shows up in the report.
    Sub WriteDeletes(label, root)
        Dim legacyKey, svcKey
        legacyKey = root & "\Enum\Root\LEGACY_cmdservice"
        svcKey = root & "\Services\cmdservice"
        batty.WriteLine "Echo Working on HKLM\Select ," & label & " >>" & Place
        batty.WriteLine "Echo Deleting " & legacyKey & " >>" & Place
        batty.WriteLine "Reg delete " & legacyKey & " /f >>" & Place & " 2>&1"
        batty.WriteLine "Echo. >>" & Place
        batty.WriteLine "Echo Deleting " & svcKey & " >>" & Place
        batty.WriteLine "Reg delete " & svcKey & " /f >>" & Place & " 2>&1"
        batty.WriteLine "Echo ~~~~~~~~~~ >>" & Place
    End Sub
    
    WriteDeletes "Current", Current
    WriteDeletes "Default", Default
    WriteDeletes "Failed", Failed
    WriteDeletes "LastKnownGood", LKG
    
    If present Then
        batty.WriteLine "Echo ImagePath File found here: " & ImagePath & " >>" & Place
    Else
        batty.WriteLine "Echo ImagePath File not found: " & ImagePath & " >>" & Place
    End If
    If folderFound Then
        batty.WriteLine "Echo ImagePath Folder found here: " & F & " >>" & Place
    Else
        batty.WriteLine "Echo ImagePath Folder not found: " & F & " >>" & Place
    End If
    batty.WriteLine "Echo. >>" & Place
    
    'Show the report, then let the batch file delete itself.
    batty.WriteLine "Start Notepad " & Place
    batty.WriteLine "del " & R
    batty.Close
    
    'Schedule r.bat for the next minute in 24-hour HH:MM, which AT accepts
    'regardless of the Windows locale. /Interactive lets the command window
    'show on the desktop so you can see it run.
    NewD = DateAdd("n", 1, Now)
    Future = Right("0" & Hour(NewD), 2) & ":" & Right("0" & Minute(NewD), 2)
    Wshshell.Run "Cmd.exe /c At " & Future & " /Interactive " & Short, 0 'window style 0 = hidden
    
    Set fso = Nothing
    Set Wshshell = Nothing
    Set Location = Nothing
    
    MsgBox "Wait for the command box to run and close" & vbCrLf & "This will take a minute."

    *** NOTE: This script only works on Windows XP. It is not for Win2k or 9x.

    After we get you cleaned up you need to update your Windows to Service Pack2.
