04-01-2006, 01:07 PM   #1
Registered User
 
Join Date: Mar 2006
Posts: 22
OS: XP


Problems in registry probably a Virus

Hi, about a week ago I started having some trouble accessing regedit normally (I can access it with external programs like XP Repair PRO 2006), but any changes to the registry are not accepted.
This error message is displayed:
"The administrator has disabled the registry modification"
Besides, I identified some hidden files with the extensions *.LOG and *.rrr.LOG
in the Windows folders C:\System32\config, C:\Documents and settings\Standard, C:\Documents and Settings\Network Service, C:\Documents and Settings\Local Service.
I ran a NOD32 Antivirus scan and it reported the above-mentioned files as "file locked".
I already followed the steps recommended by Microbell and none gave a report about a virus in the registry or anything in particular, except for some adware, so I'm uncertain what the problem could be and I hope you guys can help me with this.
Thanks in advance!

Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 06:35:49 p.m., on 30/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\Lexmark X5100 Series\lxbabmgr.exe
C:\Archivos de programa\Lexmark X5100 Series\lxbabmon.exe
C:\Archivos de programa\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\ARCHIV~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\wkcalrem.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-mx\msntb.dll
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-mx\msntb.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Archivos de programa\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Archivos de programa\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Archivos de programa\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NBJ] "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Avisos del Calendario de Microsoft Works.lnk = C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096737276465
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Speed Disk service - Unknown owner - C:\ARCHIV~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
Saint Rygar is offline  
04-01-2006, 08:41 PM   #2
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Welcome to TSF.

I assume you don't want to use Symantec anymore, right? Let's remove all traces of it and also see if we can fix that registry problem.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Also if you have any programs that may prevent system changes (like Spybot's TeaTimer program, Ad-aware's Ad-Watch, and others), make sure you disable them before doing any of the fixes (or accept the changes for the fix we give you when asked by the programs).

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.
** You may change the above options back after your log is clean. If we ask you to fix something that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/foru...howtutorial=61 ). Make sure to close any internet browsers that may still be open.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Speed Disk service - Unknown owner - C:\ARCHIV~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)


Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

rem Stop and unregister the two leftover Symantec services
sc stop ccPwdSvc
sc delete ccPwdSvc
sc stop ccSetMgr
sc delete ccSetMgr
rem Remove this batch file once it has run
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\ARCHIV~1\NORTON~1\
C:\Archivos de programa\Archivos comunes\Symantec Shared\


Restart. Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply along with a new HijackThis log.

Any better?
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
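The two entry types greyknight17 picked out of the log above, the O7 policy that locks the Registry Editor and the O23 services whose binaries are gone, are easy to pull out of a HijackThis log mechanically. The script below is an added example for this thread (not code from the forum, from HijackThis or from its author); it parses the tagged entry lines, flags those two conditions, and emits the same `sc stop` / `sc delete` pairs the helper wrote by hand. The sample lines are copied from the first log posted above; the assumption that a service with no parenthesised short name is registered under its display name is marked in the code.

```python
"""Triage a HijackThis-style log for the two entry types the helper acted on:
the O7 policy that disables the Registry Editor, and O23 service
registrations whose binary is gone ("(file missing)")."""
import re
from typing import Dict, List, Optional

# Constructed sample: a handful of lines taken from the first log in the thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Archivos de programa\\Eset\\nod32kui.exe" /WAITSERVICE
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\\Archivos de programa\\Archivos comunes\\Symantec Shared\\ccPwdSvc.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Archivos de programa\\Eset\\nod32krn.exe
O23 - Service: Speed Disk service - Unknown owner - C:\\ARCHIV~1\\NORTON~1\\NORTON~1\\SPEEDD~1\\NOPDB.EXE (file missing)
"""

# Every entry line is "<tag> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Service body: "<display name> - <owner> - <image path>"; the display name
# carries the short service name in parentheses when the two differ.
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_NAME_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<name>[^()]+)\))?$")


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Keep only the tagged entry lines; the header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body"), "raw": line.strip()})
    return entries


def service_details(body: str) -> Optional[Dict[str, str]]:
    m = SERVICE_RE.match(body)
    if not m:
        return None
    names = SHORT_NAME_RE.match(m.group("display"))
    # Assumption: when HJT prints no parenthesised short name, the display
    # name and the service name are the same string.
    short = names.group("name") or names.group("display")
    return {"name": short, "display": names.group("display"),
            "owner": m.group("owner"), "path": m.group("path")}


def triage(log_text: str) -> List[Dict[str, str]]:
    findings = []
    for entry in parse_entries(log_text):
        if entry["section"] == "O7" and re.search(r"\bDisableRegedit\s*=\s*1\b", entry["body"]):
            findings.append({
                "kind": "regedit-disabled",
                "entry": entry["raw"],
                "note": "Policies\\System DisableRegedit=1 blocks regedit.exe for this user; "
                        "outside a managed domain it is usually set by malware.",
            })
        elif entry["section"] == "O23":
            svc = service_details(entry["body"])
            if svc and svc["path"].endswith("(file missing)"):
                findings.append({
                    "kind": "orphaned-service",
                    "service": svc["name"],
                    "entry": entry["raw"],
                    "note": "service registration points at a binary that no longer exists",
                })
    return findings


def service_cleanup_commands(findings: List[Dict[str, str]]) -> List[str]:
    """Batch lines in the form the helper used (sc stop / sc delete), one pair per orphan."""
    cmds = []
    for f in findings:
        if f["kind"] != "orphaned-service":
            continue
        name = f["service"]
        quoted = f'"{name}"' if " " in name else name
        cmds += [f"sc stop {quoted}", f"sc delete {quoted}"]
    return cmds


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['kind']}] {f['entry']}\n    {f['note']}")
    print("\n".join(service_cleanup_commands(results)))
```

Treat the "(file missing)" marker as a lead, not a verdict: the Kaspersky line in the later log in this thread carries the same marker although the product is running, because its ImagePath has a `-r` argument after the quoted path. Check each candidate with `sc qc <service name>` before deleting it.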
04-03-2006, 11:26 AM   #3
Registered User
 
Join Date: Mar 2006
Posts: 22
OS: XP


Hello, I'm back.
I did everything you indicated and many of the lines were fixed, but I still have some troubles and questions.

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

This line only appears in normal mode;
when I run my PC in safe mode it's not present.

The line
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
is still present although I fixed it with HijackThis, but I guess it's normal.
The *rrr.LOG and *.LOG files indicated in my last post are still present and some are new.

Anyway, here's my new HJT log and the report you asked for from Panda.

Logfile of HijackThis v1.99.1
Scan saved at 11:49:23 a.m., on 03/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Eset\nod32kui.exe
C:\Archivos de programa\Lexmark X5100 Series\lxbabmgr.exe
C:\Archivos de programa\Lexmark X5100 Series\lxbabmon.exe
C:\Archivos de programa\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\wkcalrem.exe
C:\ARCHIV~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-mx\msntb.dll
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-mx\msntb.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Archivos de programa\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Archivos de programa\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Archivos de programa\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [NBJ] "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Avisos del Calendario de Microsoft Works.lnk = C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096737276465
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...29/mcfscan.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Panda Scan


Incident Status Location

Adware:adware/secure32 Not disinfected C:\WINDOWS\system32\drivers\etc\hosts
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Standard\Cookies\standard@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Standard\Cookies\standard@dist.belnk[2].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Standard\Cookies\standard@www.advnt01[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Standard\Cookies\standard@adopt.hbmediapro[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Standard\Cookies\standard@tucows[1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Standard\Cookies\standard@c.goclick[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Standard\Cookies\standard@burstnet[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Standard\Cookies\standard@ad.yieldmanager[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Standard\Cookies\standard@toplist[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Standard\Cookies\standard@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Standard\Cookies\standard@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Standard\Cookies\standard@dist.belnk[2].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Standard\Cookies\standard@www.advnt01[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Standard\Cookies\standard@adopt.hbmediapro[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Standard\Cookies\standard@tucows[1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Standard\Cookies\standard@c.goclick[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Standard\Cookies\standard@burstnet[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Standard\Cookies\standard@ad.yieldmanager[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Standard\Cookies\standard@toplist[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Standard\Cookies\standard@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@belnk[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@advertising[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@adopt.hbmediapro[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@statcounter[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@burstnet[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@tribalfusion[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@atdmt[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@adtech[2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@valueclick[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@as1.falkag[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@casalemedia[2].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@paypopup[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@com[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@dist.belnk[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@fastclick[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@maxserving[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@ad.yieldmanager[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@as-eu.falkag[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@bravenet[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@tribalfusion[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@zedo[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@atwola[1].txt
Spyware:Cookie/Admotion Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@admotion.com[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@www.myaffiliateprogram[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Eduardo\Cookies\eduardo@ig.com[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Eduardo\Datos de programa\Mozilla\Firefox\Profiles\r0pcscj1.default\cookies.txt[]
Well, that's it.
Like before, thanks for the help!
Saint Rygar is offline  
04-04-2006, 10:34 PM   #4
Registered User
 
Join Date: Mar 2006
Posts: 22
OS: XP


BUMP
Saint Rygar is offline  
04-06-2006, 09:57 PM   #5
Registered User
 
Join Date: Mar 2006
Posts: 22
OS: XP


Bump
:)
Saint Rygar is offline  
04-07-2006, 10:13 PM   #6
1337 C0D3R
 
 
Join Date: Mar 2005
Location: Canada
Posts: 1,460
OS: Server 2K3/XP Pro/XP MCE/Win 98/Ubuntu Linux/BackTrack 2


Download Hoster
Open up the Host program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore original host files
  • then click the "make host Read Only?" button in the upper right corner.
  • close program

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! and install it.
Run CleanUp! Set the program up as follows:
  • Click "Options..."
  • Move the arrow down to "Custom CleanUp!"
  • Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. DO NOT Reboot/logoff when prompted.


Now From normal mode, go ahead and fix the following line in your HJT Log:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Reboot your computer and post a fresh HijackThis log please, along with a status update.
__________________
Have I Helped you? Please Consider a Donation to TechSupportForums
skate_punk_21 is offline  
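Panda flagged C:\WINDOWS\system32\drivers\etc\hosts as adware/secure32 and skate_punk_21 had Hoster put the stock file back. The check Hoster automates can also be done by hand, and the script below is an added example of it for this thread (not code from the forum or from Hoster): every mapping other than the stock localhost line is reported, and a mapping for an update or security-vendor host is flagged as a hijack, since pointing those names at loopback or at a third-party address is how adware keeps scanners from reaching their update and online-scan sites. The hosts content is constructed; the watched domains are taken from the O16 entries in the logs above and are an assumption for the example.

```python
"""Audit a Windows hosts file for hijacked mappings."""
from typing import Dict, List

# Constructed sample hosts file: stock header and localhost line, plus three hijacks.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com      # sinkholes the online scanner
127.0.0.1       security.symantec.com
10.0.0.5        v5.windowsupdate.microsoft.com
"""

# Names a home PC should never override (assumption for the example; the
# domains are the ones the O16 scanner entries in the thread's logs point at).
WATCHED_SUFFIXES = ("kaspersky.com", "symantec.com", "pandasoftware.com",
                    "microsoft.com", "mcafee.com")
# The only mappings a stock Windows hosts file carries.
STOCK_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Addresses that make the name unreachable rather than redirecting it.
SINKHOLE_PREFIXES = ("127.", "::1", "0.0.0.0")


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Return one record per (address, hostname) pair; comments and blank lines are dropped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # trailing comments are legal in hosts files
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:                # one address may carry several names
            records.append({"line": lineno, "address": parts[0], "host": host.lower()})
    return records


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Flag every non-stock mapping; watched domains are hijacks, the rest need review."""
    findings = []
    for rec in parse_hosts(text):
        if (rec["address"], rec["host"]) in STOCK_ENTRIES:
            continue
        host = str(rec["host"])
        watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
        sinkholed = str(rec["address"]).startswith(SINKHOLE_PREFIXES)
        if watched:
            severity = "hijack"
            why = ("update/security host sent to loopback (blocked)" if sinkholed
                   else "update/security host redirected to another address")
        else:
            severity = "review"
            why = "non-default mapping"
        findings.append({**rec, "severity": severity, "why": why})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['severity']:6} {f['address']:<16} {f['host']}  ({f['why']})")
```

On the real machine the file is read with `open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()` in place of the sample; anything reported as "review" still needs a look, because a hijack does not have to target a vendor on the watched list.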
04-08-2006, 02:20 PM   #7
Registered User
 
Join Date: Mar 2006
Posts: 22
OS: XP


Hi, thanks for answering!
Well, I ran everything and the line has been fixed;
the registry is working fine, apparently.
My only question is: the *rrr.LOG and .LOG files in the folders I mentioned earlier are still present.
Is that normal? Maybe I'm a bit paranoid.
Also, I used some other programs (Spyware Doctor) and installed Kaspersky Antivirus, and resolved some problems before you answered my post.
I think the machine is OK, but here's my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 02:14:33 p.m., on 08/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Spyware Doctor\swdoctor.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\wkcalrem.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-mx\msntb.dll
O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\es-mx\msntb.dll
O4 - HKLM\..\Run: [kav] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NBJ] "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Archivos de programa\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Avisos del Calendario de Microsoft Works.lnk = C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1096737276465
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...34/mcfscan.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Archivos de programa\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Thanks again and i'll wait for your next answer
Saint Rygar is offline  
04-09-2006, 07:20 PM   #8
Analyst, Security Team
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

Don't know about the LOG and rrr.LOG files. What are the contents for those files? Open them up in Notepad and find out.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
04-16-2006, 01:55 PM   #9
Registered User
 
Join Date: Mar 2006
Posts: 22
OS: XP


Hi again!
Sorry about the delay in my answer, but I got really busy this week.

The PC is working fine, no trouble in the registry, and everything looks clean.

The files I mentioned are apparently empty or filled with junk (at least to me; it's probably some code from the programs).

Here's an example:

regf  wF      W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ T e m p K e y COM Name Arbiterpsk  t  H X   4   ?      ?         YQfr]%dc;  nk vk 8   ComDB Merge    BFC1-08002BE10318} vk     UpperFilters P a r t M g r  ( * nk x;N' EDIRT@\ D e v i c e \ H a r d d i s k V o l u m e 1 \ W I N D O W S \ s y s t e m 3 2 \ C O N F I G \ T e m p K e y E EPcEP&E Eظ ËeEM؋E} MčEPM>EE@ 8E, \HdEHPMu*stv t$ vP^3W3C
,e F &яDF
MyH &M ryQ )  h

Well, thanks for all your time helping me with the problem.
I already followed some of the tips for security.
If there's nothing more, thanks! If there's still something you see or can comment on, I'll check it later.
Bye for now!
Saint Rygar is offline  
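The "junk" in the dump above is recognisable. It opens with the four-character signature `regf` and, a little further in, a wide-character (UTF-16LE) path ending in `WINDOWS\system32\config\TempKey`, which is the layout of the 512-byte base block of a Windows registry hive. The `.LOG` files that sit beside the hives in `system32\config` and beside `NTUSER.DAT` in each profile folder (including those of the Local Service and Network Service accounts) are the hives' transaction logs and carry the same header, so a scanner reporting them as locked and Notepad showing binary data is the expected state, not a sign of infection. The script below is an added example for this thread (not code from the forum): it checks the signature, reads the file-type field that distinguishes a primary hive from a transaction log, verifies the header checksum, and recovers the wide strings the way they appear in the dump. The offsets follow the documented regf base block format; the header it inspects is constructed in the code, not captured from a real system.

```python
"""Identify a registry hive or its .LOG transaction file from the regf base block."""
import re
import struct
from typing import Dict, List, Optional

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 512
# Base block layout (regf format, versions 1.x); offsets in bytes.
OFF_SEQ1 = 0x04          # primary sequence number
OFF_SEQ2 = 0x08          # secondary sequence number; differs from primary while a write is in flight
OFF_MAJOR = 0x14         # major version (1)
OFF_MINOR = 0x18         # minor version (3 on Windows XP)
OFF_FILE_TYPE = 0x1C     # 0 = primary hive file, 1 = transaction log
OFF_FILE_FORMAT = 0x20   # 1 = direct memory load
OFF_FILE_NAME = 0x30     # 64 bytes of UTF-16LE: the tail of the hive's path
OFF_CHECKSUM = 0x1FC     # XOR-32 of the preceding 127 DWORDs


def base_block_checksum(block: bytes) -> int:
    """XOR of the first 508 bytes as little-endian DWORDs; 0 -> 1 and 0xFFFFFFFF -> 0xFFFFFFFE."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:OFF_CHECKSUM]):
        csum ^= dword
    if csum == 0:
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def identify_hive(data: bytes) -> Optional[Dict[str, object]]:
    """Return what the header says about the file, or None if it is not a regf file."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != REGF_MAGIC:
        return None
    block = data[:BASE_BLOCK_SIZE]
    seq1, seq2 = struct.unpack_from("<II", block, OFF_SEQ1)
    major, minor, file_type = struct.unpack_from("<III", block, OFF_MAJOR)
    raw_name = block[OFF_FILE_NAME:OFF_FILE_NAME + 64]
    name = raw_name.decode("utf-16-le", "replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, OFF_CHECKSUM)[0]
    return {
        "kind": {0: "primary hive", 1: "transaction log"}.get(file_type, f"unknown type {file_type}"),
        "version": f"{major}.{minor}",
        "hive_name": name,
        "dirty": seq1 != seq2,          # last write was not fully flushed
        "checksum_ok": stored == base_block_checksum(block),
    }


def wide_strings(data: bytes, min_chars: int = 6) -> List[str]:
    """Recover printable UTF-16LE runs: the 'W I N D O W S \\ s y s t e m 3 2' pattern in the dump."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def build_sample_header(hive_path: str, file_type: int = 1) -> bytes:
    """Constructed sample base block for the example; not captured from a real system."""
    name = hive_path.encode("utf-16-le")
    if len(name) > 64:
        raise ValueError("file name field holds at most 32 UTF-16 characters")
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = REGF_MAGIC
    struct.pack_into("<II", block, OFF_SEQ1, 7, 7)                 # clean: sequence numbers agree
    struct.pack_into("<III", block, OFF_MAJOR, 1, 3, file_type)    # version 1.3, requested type
    struct.pack_into("<I", block, OFF_FILE_FORMAT, 1)
    block[OFF_FILE_NAME:OFF_FILE_NAME + len(name)] = name
    struct.pack_into("<I", block, OFF_CHECKSUM, base_block_checksum(bytes(block)))
    return bytes(block)


# The path the dump in the post shows in its file-name field.
SAMPLE = build_sample_header("WINDOWS\\system32\\config\\TempKey")

if __name__ == "__main__":
    print(identify_hive(SAMPLE))
    print(wide_strings(SAMPLE))
```

Against a real file, replace `SAMPLE` with the first 512 bytes of the `.LOG` in question (`open(path, "rb").read(512)`); a mismatched checksum or `dirty` set to True means the hive's last write did not complete, which is worth knowing before the next boot but is still a registry file, not a dropped payload.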