diegoaraujod

TR/Crypt.ULPM.Gen Help me please!


Hi! I got this trojan from a flash memory, I think, and my computer is getting slower every day! I have to wait years for it to start. As I've seen, you might need the report file from Avira AntiVir and the log from HijackThis, so here it is. If someone knows how I can fix the problem, I would appreciate it a lot!!
Avira AntiVir Personal

Report file date: Martes, 10 de Junio de 2008 22:44

 

Scanning for 1321794 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: COMPUDIEGO

 

Version information:

BUILD.DAT : 8.1.00.295 16479 Bytes 09/04/2008 16:24:00

AVSCAN.EXE : 8.1.2.12 311553 Bytes 18/03/2008 16:02:56

AVSCAN.DLL : 8.1.1.0 53505 Bytes 07/02/2008 15:43:37

LUKE.DLL : 8.1.2.9 151809 Bytes 28/02/2008 15:41:23

LUKERES.DLL : 8.1.2.1 12033 Bytes 21/02/2008 15:28:40

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 17:33:34

ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07/03/2008 20:08:58

ANTIVIR2.VDF : 7.0.4.120 2206720 Bytes 01/06/2008 03:35:17

ANTIVIR3.VDF : 7.0.4.172 260096 Bytes 10/06/2008 03:35:17

Engineversion : 8.1.0.55

AEVDF.DLL : 8.1.0.5 102772 Bytes 25/02/2008 16:58:21

AESCRIPT.DLL : 8.1.0.40 266618 Bytes 11/06/2008 03:40:52

AESCN.DLL : 8.1.0.21 119156 Bytes 11/06/2008 03:40:37

AERDL.DLL : 8.1.0.20 418165 Bytes 11/06/2008 03:40:28

AEPACK.DLL : 8.1.1.5 364918 Bytes 11/06/2008 03:39:35

AEOFFICE.DLL : 8.1.0.18 192890 Bytes 11/06/2008 03:38:31

AEHEUR.DLL : 8.1.0.30 1253750 Bytes 11/06/2008 03:38:17

AEHELP.DLL : 8.1.0.15 115063 Bytes 11/06/2008 03:36:15

AEGEN.DLL : 8.1.0.28 307572 Bytes 11/06/2008 03:35:57

AEEMU.DLL : 8.1.0.6 430451 Bytes 11/06/2008 03:35:18

AECORE.DLL : 8.1.0.31 168310 Bytes 11/06/2008 03:35:17

AVWINLL.DLL : 1.0.0.7 14593 Bytes 24/01/2008 00:07:53

AVPREF.DLL : 8.0.0.1 25857 Bytes 18/02/2008 17:37:50

AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 20:26:47

AVREG.DLL : 8.0.0.0 30977 Bytes 24/01/2008 00:07:49

AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 15:29:23

AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 28/02/2008 15:31:31

SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/01/2008 00:28:02

SMTPLIB.DLL : 1.2.0.19 28929 Bytes 24/01/2008 00:08:39

NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 19:05:10

RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 10/03/2008 21:37:25

RCTEXT.DLL : 8.0.32.0 86273 Bytes 06/03/2008 19:02:11

 

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\archivos de programa\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:, D:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: Martes, 10 de Junio de 2008 22:44

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'AcroRd32.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'guardgui.exe' - '1' Module(s) have been scanned

Scan process 'WLLoginProxy.exe' - '1' Module(s) have been scanned

Scan process 'iexplore.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned

Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'igfxtray.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned

Scan process 'LVCOMSX.EXE' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'EOUWiz.exe' - '1' Module(s) have been scanned

Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned

Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned

Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned

Scan process 'scvhost.exe' - '1' Module(s) have been scanned

Module is infected -> 'C:\WINDOWS\system32\scvhost.exe'

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'MATLAB.exe' - '1' Module(s) have been scanned

Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned

Scan process 'EvtEng.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

Process 'scvhost.exe' has been terminated

C:\WINDOWS\system32\scvhost.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[WARNING] The file could not be deleted!

 

61 processes with 60 modules were scanned

 

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

 

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

 

Starting to scan the registry.

 

The registry was scanned ( '35' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\backup.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\delextra.exe

[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

[NOTE] The file was deleted!

C:\gm.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\Diego Araujo D\Configuración local\Archivos temporales de Internet\Content.IE5\VBUOAR0G\backupme[1].exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5HERSXYN\vadelnew[1].gif

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\GT6JOPE7\chin[1].gif

[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

[NOTE] The file was deleted!

C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\GT6JOPE7\vadelextra[1].gif

[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

[NOTE] The file was deleted!

C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\S9UVS16F\vadel[1].gif

[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)

[NOTE] The file was deleted!

C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\SLQJK9QJ\gm[1].gif

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\SLQJK9QJ\gm[2].gif

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\Documents and Settings\LocalService\Configuración local\Archivos temporales de Internet\Content.IE5\SLQJK9QJ\gm[3].gif

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP100\A0017378.exe

[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP101\A0017381.exe

[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP101\A0017382.exe

[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP101\A0017383.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP103\A0017519.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP104\A0017560.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP104\A0017588.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP105\A0017632.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP105\A0017668.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP107\A0017702.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP109\A0017831.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP109\A0017833.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP109\A0017834.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP97\A0017215.exe

[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP99\A0017335.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP99\A0017348.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

C:\WINDOWS\system\chin.exe

[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

[NOTE] The file was deleted!

C:\WINDOWS\system\delnew.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

Begin scan in 'D:\'

 

 

End of the scan: Miércoles, 11 de Junio de 2008 01:59

Used time: 3:14:43 min

 

The scan has been done completely.

 

15069 Scanning directories

513797 Files were scanned

31 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

29 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

513766 Files not concerned

2098 Archives were scanned

2 Warnings

29 Notes

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:50:37, on 11/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe

C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe

C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe

C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe

C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe

C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe

C:\Archivos de programa\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe

C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Archivos de programa\iPod\bin\iPodService.exe

C:\ARCHIV~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Archivos de programa\Internet Explorer\iexplore.exe

C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [IntelWireless] "C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [EOUApp] "C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [ISUSPM] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [WatchDog] C:\Archivos de programa\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart16.exe

O4 - Global Startup: DVD Check.lnk = C:\Archivos de programa\InterVideo\DVD Check\DVDCheck.exe

O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)

 

--

End of file - 8081 bytes

 

Thanks!


Hi,

 

* Please visit this webpage for instructions for downloading and running ComboFix:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

 

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


Hi. Thanks for the help. Here is the ComboFix log:

 

ComboFix 08-06-10.5 - Diego Araujo D 2008-06-11 19:34:20.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.3082.18.243 [GMT -5:00]

Se ejecuta desde: C:\Documents and Settings\Diego Araujo D\Escritorio\ComboFix.exe

Command switches used :: C:\Documents and Settings\Diego Araujo D\Escritorio\WindowsXP-KB310994-SP2-Pro-BootDisk-ESN.exe

* Creado un nuevo punto de restauración

.

 

(((((((((((((((((( Archivos creados desde 2008-05-12 - 2008-06-12 )))))))))))))))))))))))))))))))))

.

 

2008-06-11 14:49 . 2008-06-11 14:49 <DIR> d-------- C:\Archivos de programa\Trend Micro

2008-06-10 22:20 . 2008-06-10 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Datos de programa\Avira

2008-06-10 22:20 . 2008-06-10 22:20 <DIR> d-------- C:\Archivos de programa\Avira

2008-06-10 22:16 . 2008-06-10 22:16 10,752 --a------ C:\WINDOWS\system\del.exe

2008-06-10 15:14 . 2008-06-10 15:14 <DIR> d--h----- C:\Documents and Settings\Administrador\Reciente

2008-06-10 15:14 . 2008-06-10 15:14 <DIR> d-------- C:\Documents and Settings\Administrador\Mis documentos

2008-06-10 15:14 . 2008-06-10 15:14 <DIR> dr------- C:\Documents and Settings\Administrador\Menú Inicio

2008-06-10 15:14 . 2008-06-10 15:14 <DIR> d--h----- C:\Documents and Settings\Administrador\Impresoras

2008-06-10 15:14 . 2008-06-10 15:14 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos

2008-06-10 15:14 . 2008-06-10 15:14 <DIR> d-------- C:\Documents and Settings\Administrador\Escritorio

2008-06-10 15:14 . 2008-06-10 15:14 <DIR> d--h----- C:\Documents and Settings\Administrador\Entorno de red

2008-06-10 13:44 . 2008-06-10 15:14 <DIR> d--h----- C:\Documents and Settings\Administrador\Plantillas

2008-06-10 13:44 . 2008-06-10 15:14 <DIR> dr-h----- C:\Documents and Settings\Administrador\Datos de programa

2008-06-10 13:44 . 2008-06-11 19:37 <DIR> d--h----- C:\Documents and Settings\Administrador\Configuración local

2008-06-10 13:44 . 2008-06-10 15:14 <DIR> d-------- C:\Documents and Settings\Administrador

2008-06-03 22:39 . 2001-08-22 22:15 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll

2008-06-03 22:39 . 2001-08-22 22:15 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll

2008-06-03 22:39 . 2001-08-17 22:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll

2008-06-03 22:39 . 2001-08-17 22:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll

2008-06-03 22:39 . 2001-08-17 22:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll

2008-06-03 22:39 . 2001-08-17 22:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll

2008-05-17 22:13 . 2008-05-17 22:16 <DIR> d-a------ C:\Documents and Settings\All Users\Datos de programa\TEMP

2008-05-17 22:13 . 2008-05-17 22:34 <DIR> d-------- C:\Archivos de programa\Flash Favorite

2008-05-17 22:09 . 2008-05-17 22:09 <DIR> d-------- C:\my flashes

2008-05-17 22:01 . 2008-05-17 22:34 <DIR> d-------- C:\Archivos de programa\Flash Saver

2008-05-17 22:01 . 2005-03-29 08:34 246,784 --a------ C:\WINDOWS\system32\sqlite3.dll

 

.

(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-11 03:13 --------- d-----w C:\Archivos de programa\ESET

2008-06-08 18:43 --------- d-----w C:\Documents and Settings\All Users\Datos de programa\pdf995

2008-06-05 03:50 --------- d-----w C:\Documents and Settings\Diego Araujo D\Datos de programa\LimeWire

2008-06-01 22:45 --------- d-----w C:\Archivos de programa\Scientific Notebook

2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys

2002-11-12 16:36 114,688 ----a-w C:\Archivos de programa\internet explorer\plugins\DjVuControl.dll

.

 

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 07:00 15360]

"MsnMsgr"="C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 16:22 794713]

"IntelZeroConfig"="C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51 667718]

"IntelWireless"="C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52 602182]

"EOUApp"="C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56 569413]

"Adobe Reader Speed Launcher"="C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52 221184]

"ISUSPM"="C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" [ ]

"RemoteControl"="C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42 32768]

"QuickTime Task"="C:\Archivos de programa\QuickTime\qttask.exe" [2007-06-29 06:24 286720]

"iTunesHelper"="C:\Archivos de programa\iTunes\iTunesHelper.exe" [2007-08-15 20:15 271672]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-22 17:36 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-22 17:31 126976]

"WatchDog"="C:\Archivos de programa\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 16:47 184320]

"avgnt"="C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-20 07:00 15360]

 

C:\Documents and Settings\All Users\Men£ Inicio\Programas\Inicio\

AutoCAD Startup Accelerator.lnk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart16.exe [2005-03-05 08:18:22 10872]

DVD Check.lnk - C:\Archivos de programa\InterVideo\DVD Check\DVDCheck.exe [2008-04-06 12:39:36 184320]

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Archivos de programa\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"D:\\StubInstaller.exe"=

"C:\\Archivos de programa\\LimeWire\\LimeWire.exe"=

"C:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Archivos de programa\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Archivos de programa\\iTunes\\iTunes.exe"=

"C:\\Archivos de programa\\NetMeeting\\conf.exe"=

 

S2 Windows Action Script;Windows Action Script;"C:\WINDOWS\system32\scvhost.exe" []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77169749-116b-11dd-a153-00c09fb68c3a}]

\Shell\AutoRun\command - G:\1.bat

\Shell\explore\Command - G:\1.bat

\Shell\open\Command - G:\1.bat

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78a6e954-d977-11dc-a088-0012f0ecd639}]

\Shell\AutoRun\command - F:\8u.com

\Shell\explore\Command - F:\8u.com

\Shell\open\Command - F:\8u.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d92c2f8-da7b-11dc-a08f-0012f0ecd639}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85d5a996-e311-11dc-a0b7-0012f0ecd639}]

\Shell\AutoRun\command - c18vk.exe

\Shell\explore\Command - c18vk.exe

\Shell\open\Command - c18vk.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85d5a99b-e311-11dc-a0b7-0012f0ecd639}]

\Shell\Auto\command - G:\SCVH0ST.EXE

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SCVH0ST.EXE

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{861759a6-db12-11dc-a092-0012f0ecd639}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88717f4a-dbcf-11dc-a094-0012f0ecd639}]

\Shell\Auto\command - adp.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL adp.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88965a34-0b04-11dd-a13f-00c09fb68c3a}]

\Shell\AutoRun\command - F:\vt6e.cmd

\Shell\explore\Command - F:\vt6e.cmd

\Shell\open\Command - F:\vt6e.cmd

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88965a35-0b04-11dd-a13f-00c09fb68c3a}]

\Shell\AutoRun\command - G:\vt6e.cmd

\Shell\explore\Command - G:\vt6e.cmd

\Shell\open\Command - G:\vt6e.cmd

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef22679f-d5c0-11dc-a078-0012f0ecd639}]

\Shell\AutoRun\command - p3r1ud.exe

\Shell\explore\Command - p3r1ud.exe

\Shell\open\Command - p3r1ud.exe

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-11 19:39:24

Windows 5.1.2600 Service Pack 2 NTFS

 

escaneando procesos ocultos ...

 

escaneando entradas ocultas de autostart ...

 

escaneando archivos ocultos ...

 

el escaneo se completo con exito

archivos ocultos: 0

 

**************************************************************************

.

Tiempo completado: 2008-06-11 19:50:09

ComboFix-quarantined-files.txt 2008-06-12 00:50:00

 

12 dirs 67,012,550,656 bytes libres

17 dirs 67,250,991,104 bytes libres

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ESN.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

 

149 --- E O F --- 2008-05-28 23:31:02

 

 

The HijackThis report is:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:55:43, on 11/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe

C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe

C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe

C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe

C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe

C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe

C:\Archivos de programa\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe

C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\svchost.exe

C:\Archivos de programa\iPod\bin\iPodService.exe

C:\ARCHIV~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Archivos de programa\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\explorer.exe

C:\Archivos de programa\internet explorer\iexplore.exe

C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [synTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [EOUApp] "C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [iSUSPM] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [WatchDog] C:\Archivos de programa\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart16.exe

O4 - Global Startup: DVD Check.lnk = C:\Archivos de programa\InterVideo\DVD Check\DVDCheck.exe

O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)

 

--

End of file - 8011 bytes

 

Thanks!


Hi,

 

* Download next removal tool to your desktop:

http://www.techsupportforum.com/sectools/s...Disinfector.exe

If you have any flash drives that were being used previously, insert them as well, since this is a flash drive infection and the above tool will disinfect them too.

Then double-click Flash_Disinfector.exe to run the tool.

Your desktop and icons will disappear afterwards. This is normal.

When the tool has finished, reboot your computer.

 

Then open Notepad and copy and paste the text from the quote box below into it:

(don't forget to copy and paste REGEDIT4)

 

REGEDIT4

 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77169749-116b-11dd-a153-00c09fb68c3a}]

 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78a6e954-d977-11dc-a088-0012f0ecd639}]

 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85d5a996-e311-11dc-a0b7-0012f0ecd639}]

 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85d5a99b-e311-11dc-a0b7-0012f0ecd639}]

 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{861759a6-db12-11dc-a092-0012f0ecd639}]

 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88717f4a-dbcf-11dc-a094-0012f0ecd639}]

 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88965a34-0b04-11dd-a13f-00c09fb68c3a}]

 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88965a35-0b04-11dd-a13f-00c09fb68c3a}]

 

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef22679f-d5c0-11dc-a078-0012f0ecd639}]

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000000

"UpdatesDisableNotify"=dword:00000000

"AntiVirusOverride"=dword:00000000

"FirewallOverride"=dword:00000000

Save this as fix.reg (choose to save as *all files) and place it on your desktop.

It should look like this: reg.gif

Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

 

Then go to Start > Run and copy and paste the next command in the field:

 

sc delete "Windows Action Script"

 

Hit Enter.

 

Let me know in your next reply how things are.

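The MountPoints2 clean-up above can be driven from the log itself. The following is an added example, not code from the thread or from any tool mentioned in it: it parses ComboFix-style MountPoints2 blocks like the ones posted earlier, flags keys whose handler launches an executable or script from a removable drive, and emits a REGEDIT4 fragment of the same shape as fix.reg. The sample log is constructed from entries in the thread; treating LaunchU3.exe (the SanDisk U3 launcher) as the only known-good handler is an assumption.

```python
r"""Triage MountPoints2 autorun handlers from a ComboFix-style log dump.

Added example (not from the thread or any tool named in it). It parses the
[HKEY_CURRENT_USER\...\mountpoints2\{guid}] blocks, flags keys whose
\Shell\...\command handler launches an executable or script from a removable
drive (the USB-worm pattern seen in the log: SCVH0ST.EXE, vt6e.cmd, p3r1ud.exe),
and writes a REGEDIT4 fragment deleting those keys, the same shape as fix.reg.
"""
import re

MP2_PREFIX = (r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion"
              r"\explorer\mountpoints2")

# Assumption for this example: the SanDisk U3 launcher is the only legitimate
# autorun handler on the page; every other runnable target is suspicious.
KNOWN_GOOD = {"launchu3.exe"}
RUNNABLE_EXT = {".exe", ".cmd", ".bat", ".com", ".pif", ".scr", ".vbs"}

KEY_RE = re.compile(r"^\[(" + re.escape(MP2_PREFIX) + r"\\\{[0-9a-f-]+\})\]$",
                    re.IGNORECASE)
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)\s*$", re.IGNORECASE)


def parse_mountpoints(log_text):
    """Map each MountPoints2 key path to its list of (verb, command) handlers."""
    blocks = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            blocks.setdefault(current, [])
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            blocks[current].append((cmd.group(1), cmd.group(2)))
    return blocks


def launched_target(command):
    """Lower-cased file name of the program a handler ultimately runs.

    The worms in the log hide the payload behind
    RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL <file>; otherwise the first
    (possibly quoted, possibly drive-rooted) token is the program.
    """
    cmd = command.strip()
    if "shellexec_rundll" in cmd.lower():
        target = cmd.split()[-1]
    elif cmd.startswith('"'):
        target = cmd[1:cmd.find('"', 1)]
    else:
        target = cmd.split()[0]
    return target.rsplit("\\", 1)[-1].lower()


def is_suspicious(command):
    """True when the handler runs a program or script that is not known good."""
    name = launched_target(command)
    ext = name[name.rfind("."):] if "." in name else ""
    return ext in RUNNABLE_EXT and name not in KNOWN_GOOD


def triage(log_text):
    """Key paths (in log order) that have at least one suspicious handler."""
    return [key for key, handlers in parse_mountpoints(log_text).items()
            if any(is_suspicious(cmd) for _verb, cmd in handlers)]


def removal_reg(keys):
    """REGEDIT4 text that deletes the given keys ('[-key]' means delete)."""
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines.extend(["[-" + key + "]", ""])
    return "\n".join(lines)


# Constructed sample: four of the blocks from the ComboFix log in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85d5a99b-e311-11dc-a0b7-0012f0ecd639}]
\Shell\Auto\command - G:\SCVH0ST.EXE
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SCVH0ST.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{861759a6-db12-11dc-a092-0012f0ecd639}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88965a34-0b04-11dd-a13f-00c09fb68c3a}]
\Shell\AutoRun\command - F:\vt6e.cmd
\Shell\explore\Command - F:\vt6e.cmd
\Shell\open\Command - F:\vt6e.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef22679f-d5c0-11dc-a078-0012f0ecd639}]
\Shell\AutoRun\command - p3r1ud.exe
"""

if __name__ == "__main__":
    for key, handlers in parse_mountpoints(SAMPLE_LOG).items():
        verdict = "SUSPICIOUS" if any(is_suspicious(c) for _, c in handlers) else "ok"
        print(verdict, key.rsplit("\\", 1)[-1], [launched_target(c) for _, c in handlers])
    print(removal_reg(triage(SAMPLE_LOG)))
```

The generated text is only the MountPoints2 part of the fix; the Security Center values in the helper's fix.reg are a separate repair and are not produced here.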

Hi!

 

I ran Flash Disinfector and merged the file into the registry. Then I rebooted my computer, but I don't find any improvement. It's still extremely slow. What else can I do? Thank you so much for your help.


Hi,

 

I found the file C:\WINDOWS\system\del.exe and I deleted it, but my computer is still slow. I really don't have many programs installed, and the computer began to be slow when I got the virus. What else can I do? Thanks.


The malware is already removed though.

 

I rather think that you weren't running an antivirus before, because you only installed Avira recently, and that's maybe why you notice a difference in system speed.

 

Did you disable the unnecessary startups? Because that was in my instructions on that page.

 

Can you post a new HijackThis log, please, so I can see if you have actually performed the steps on that page?

 

Also, can you tell me about the slowness? Is it slow in general or only when you are browsing?

Also, take a look in your Task Manager > Processes tab and let me know if a certain process is hogging CPU.


Extra note: I also see you have the DjVu Browser Plug-in installed. I'm not sure what exactly this plugin is, but if you're not aware that you installed it, please uninstall it.


Hi!

 

I followed the steps on your link to improve my computer. It became a little bit faster, but not as it was. It's still really slow. Before I had AntiVir I had NOD32 installed as my antivirus, so I don't think that's the problem. I start seeing the problem at the startup of Windows. The status bar when Windows is starting doesn't flow normally; it stops or advances really slowly. After that, even the music when Windows opens is not clear, and it takes about 5 minutes for it to open completely. The same happens when I open any program: it takes a while before it opens.

 

Here's the HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:32:19, on 12/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe

C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe

C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe

C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe

C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Archivos de programa\iTunes\iTunesHelper.exe

C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\ARCHIV~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Archivos de programa\iPod\bin\iPodService.exe

C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [synTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [EOUApp] "C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [iSUSPM] "C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [WatchDog] C:\Archivos de programa\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart16.exe

O4 - Global Startup: DVD Check.lnk = C:\Archivos de programa\InterVideo\DVD Check\DVDCheck.exe

O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe

 

--

End of file - 7061 bytes

 

I already erased the DjVu Browser Plug-in.

Thanks!


It could be AntiVir though. This happens with almost every antivirus or firewall: where it works smoothly on one system, it may cause issues and a huge slowdown on other systems, even though both computers have the same requirements.

You can test it by temporarily uninstalling Avira, rebooting, and seeing if there's a difference after the reboot.

If so, then I suggest another Antivirus instead.

 

But there are more programs that can be disabled from startup as well...

 

You can disable some unnecessary startups.

To do this, do the following:

 

Go to start > run and type: msconfig

Select the tab: Startup

 

There you will see all the programs starting up with Windows.

Some are not needed and can also cause a system slowdown.

That's why it's a good idea to disable them there by unchecking them. Don't disable them all there, because some are needed!

 

You can always access these programs by going to your Start menu > All Programs, or start them manually from the Programs folder where they are located.

You can always enable them afterwards again.

 

The following are not needed to start with Windows:

  • SynTPEnh (SynTPEnh.exe)
  • IntelZeroConfig (ZCfgSvc.exe)
  • Adobe Reader Speed Launcher (Reader_sl.exe)
  • LVCOMSX
  • ISUSPM
  • WatchDog (DVDCheck.exe)
  • and another reference to DVDCheck.exe
  • AutoCAD Startup Accelerator.lnk (acstart16.exe)

The choice is yours, of course, which of the above ones you find necessary to start up with Windows. But in general, they are not required.

 

After reboot, you'll get a message that something was modified in your System Configuration. Just check the box there where it says not to display this message again.

 

Have you also defragmented your disk?

Did you also read this on my page and double-check to make sure it is set to "DMA if available"?

 

If all above steps were performed and you're still having the same problems - then check the IDE channels to see if they are running in PIO or DMA mode.

To do this, go to Start > Run and type: devmgmt.msc in order to open the Device Manager.

Double-click IDE ATA/ATAPI Controllers > right-click the Primary IDE Channel > Properties > Advanced Settings tab.

In the Transfer Mode dropdown list - it should be set to "DMA if available"


Hi,

 

Sorry for the delay... I tried uninstalling Avira, but it didn't work out. It's still slow. So I went to a restore point, and now Avira is not working because there's a file missing. I'll have to install it again. Besides, I tried to go to an earlier restore point, but the system didn't let me do it.

I followed your advice to disable some programs from startup. I checked the part that says "DMA if available". I had two dropdown lists. One of them was in "DMA if available" but the other was in PIO mode, so I switched it. But it remains slow. I can't hear any music, and programs and windows take a long time to open.

If you can tell me what else to try, I would appreciate it.

I checked the part that says "DMA if available". I had two dropdown lists. One of them was in DMA if available but the other was in PIO mode, so I switched it.
It should be in "DMA if available" and nothing else!

Did you already reboot?

 

As I also already asked, can you check in Task Manager which process is hogging CPU?

 

Can you also test if you're having the same issue in Windows safe mode?

 

Other question... Can you check if you're having the same issue on another useraccount?

 

As an extra test.... Please run this online scan to help look for remnants.

 

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

 

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

 

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

 

But I really don't think this is a malware related issue here since we already deleted the active malware. Even though the problem started with the malware, it doesn't mean that there's still malware present. Malware damages a lot... that's a fact.


Hi!

Yes, I put both menus in "DMA if available". I had already rebooted my computer when I answered the other post. I checked the Task Manager and I saw that there are no processes that keep hogging CPU, but it keeps moving between

Taskmgr

explorer

Ifrmewrr.exe

System

lsass.exe

S24EvMon.exe

svchost.exe

I noticed that there are 6 svchost.exe in the Task Manager. Is that normal? When I opened Internet Explorer, I noticed that this process took up to 37%.

I tested in safe mode and it works normally. It's not slow. I don't have another user account.

The Kaspersky test I ran took 4:30 hours. Is that normal? Here is the report:

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Saturday, June 14, 2008

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Saturday, June 14, 2008 16:05:55

Records in database: 863864

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

C:\

D:\

E:\

 

Scan statistics:

Files scanned: 177203

Threat name: 1

Infected objects: 1

Suspicious objects: 0

Duration of the scan: 05:07:01

 

 

File name / Threat name / Threats count

D:\Documentos Diego\Instaladores\sdsetup3.8.exe Infected: Trojan-Downloader.Win32.Delf.gcy 1

 

The selected area was scanned.

 

Another thing: I don't know what happened, but Excel is not working anymore. I have to reinstall it. The other programs from the Office application are working normally.

 

Thanks


Hi,

 

Navigate to and delete the following file:

 

D:\Documentos Diego\Instaladores\sdsetup3.8.exe

 

I noticed that there are 6 svchost.exe in the task manager. Is that normal? When I opened Internet Explorer, I noticed that this process took up to 37% of the percentage.
Yes, that's totally normal and how it should be. Also, when you open Internet Explorer.

 

If it runs normally in safe mode, then it's most probably caused by a legitimate program. It isn't caused by malware, that's for sure. What Kaspersky found is certainly not the cause. For some reason, I suspect it may be caused by your Intel Wireless, so we can test afterwards and end some processes related to it, but for that I need a new HijackThis log to see what is currently running.


Hi!

 

I deleted the file you told me to. I use the Intel Wireless to connect to my university network. Here's the HijackThis log generated:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:05:35, on 15/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe

C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe

C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe

C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Archivos de programa\iTunes\iTunesHelper.exe

C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe

C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe

C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Archivos de programa\iPod\bin\iPodService.exe

C:\ARCHIV~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Archivos de programa\Windows Live\Messenger\usnsvc.exe

C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE

C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos

O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [intelWireless] "C:\Archivos de programa\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [EOUApp] "C:\Archivos de programa\Intel\Wireless\Bin\EOUWiz.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Archivos de programa\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Archivos de programa\Intel\Wireless\Bin\S24EvMon.exe

 

--

End of file - 6506 bytes

 

 

Thanks!!


Ok, since you said that everything is fine in safe mode, there's a legitimate process causing the issues, as there's nothing malware-related present anymore.

 

It's also confusing here, because you said you have uninstalled Avira and I see it's still present and running here. You have to understand that it's hard to properly troubleshoot if I'm not sure what instructions were performed. That's why I still don't know if it may be Avira causing this or another legitimate program. It would have been easier if I was using your computer, so I can properly troubleshoot since I know what steps were done.

 

Anyway, I assume that you have uninstalled Avira before, REBOOTED afterwards and installed it again. IF NOT... Please tell me, because otherwise it's really confusing and it could take days and even more to figure out what the problem is.

 

IF you have indeed uninstalled it before, rebooted afterwards, noticed no difference and reinstalled it again, then please open your taskmanager and end the next processes:

 

EvtEng.exe

S24EvMon.exe

spoolsv.exe

ifrmewrk.exe

EOUWiz.exe

iTunesHelper.exe

ZCfgSvc.exe

AppleMobileDeviceService.exe

msnmsgr.exe

RegSrvc.exe

iPodService.exe

Dot1XCfg.exe

usnsvc.exe

WLLoginProxy.exe

 

DO NOT REBOOT!!! Just test if this improves your speed without above processes running.


Hi!

 

Sorry if it wasn't clear in a post before. I said that I uninstalled Avira and it didn't improve, so I went to a restore point, just before uninstalling it.

 

I ended the processes that you mentioned in the last post, but I didn't notice any improvement. I didn't reboot my computer and opened some programs, but they were still working slowly. Besides that, I'm noticing some abnormal things happening:

- Every time I start Excel, it acts like it's installing this software before opening it. A Windows installation screen appears and, after getting some information, it opens.

- Every time I try to shut down, a Windows update appears, even though the icon in the task bar didn't appear at all... I have accepted these updates a couple of times, but it seems strange that there's always a new update.

 

If you need anything else to help me please tell me. Thank you!


Please visit Windows update and download and install the updates there.

Then reboot after installing the updates.

 

After reboot, check if there are new updates.

 

I actually don't get it though... It runs fine in Windows Safe mode, so I asked to end the processes which don't run in Windows Safe mode and it doesn't make a difference....

But after all, it's harder to properly troubleshoot if I cannot be sure if everything was performed correctly.

 

So after installing all updates, please run a GMER Rootkit scan:

 

Download GMER's application from here:

http://www.majorgeeks.com/GMER_d5198.html

 

Unzip it and start GMER.exe

Click the Rootkit tab and click the Scan button.

 

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

 

Warning! Please do not select the "Show all" checkbox during the scan.

Hi!

 

I updated Windows, rebooted my computer and downloaded GMER's application. I ran it and this is the report generated:

 

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-06-17 21:16:15

Windows 5.1.2600 Service Pack 2

 

 

---- System - GMER 1.0.14 ----

 

SSDT F8BB8974 ZwCreateThread

SSDT F8BB8960 ZwOpenProcess

SSDT F8BB8965 ZwOpenThread

SSDT F8BB896F ZwTerminateProcess

SSDT F8BB896A ZwWriteVirtualMemory

 

---- User code sections - GMER 1.0.14 ----

 

.text C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe[968] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 0056DBBD C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)

.text C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!DialogBoxParamW 7E3A555F 5 Bytes JMP 4362F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!DialogBoxIndirectParamW 7E3B2032 5 Bytes JMP 437C1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!MessageBoxIndirectA 7E3BA04A 5 Bytes JMP 437C15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!DialogBoxParamA 7E3BB10C 5 Bytes JMP 437C162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!MessageBoxExW 7E3D05D8 5 Bytes JMP 437C1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!MessageBoxExA 7E3D05FC 5 Bytes JMP 437C15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!DialogBoxIndirectParamA 7E3D6B50 5 Bytes JMP 437C16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE[2252] USER32.dll!MessageBoxIndirectW 7E3E62AB 5 Bytes JMP 436516B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

 

---- Devices - GMER 1.0.14 ----

 

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

 

---- EOF - GMER 1.0.14 ----

 

Thanks


Nothing strange here either though...

 

SSDT F8BB8974 ZwCreateThread

SSDT F8BB8960 ZwOpenProcess

SSDT F8BB8965 ZwOpenThread

SSDT F8BB896F ZwTerminateProcess

SSDT F8BB896A ZwWriteVirtualMemory

Those hooks are from Avira.

 

I'm really out of ideas, since this is not malware causing it... and we've tried everything to troubleshoot.

 

For Excel, look here: http://support.microsoft.com/kb/280504

Since I don't use Excel and I don't have knowledge about this, I can't help you with that.

 

You said you have updated Windows now... Because if updates are waiting, svchost.exe may cause the slowdown while it checks for updates.

Are all updates installed now? Any progress in speed? Because you said that svchost.exe was hogging cpu previously.


Hi! Yesterday, just out of curiosity, I ran Avira on my hard drives and both viruses appeared again. Here I post the report.

Note: I had to stop it the first time I ran Avira, that's why there are two reports.

Besides that, the message to update Windows keeps appearing every time I turn off the computer. Not sure about it.

 

Avira AntiVir Personal

Report file date: Miércoles, 18 de Junio de 2008 21:28

 

Scanning for 1337442 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: COMPUDIEGO

 

Version information:

BUILD.DAT : 8.1.0.308 16478 Bytes 28/05/2008 17:03:00

AVSCAN.EXE : 8.1.2.12 311553 Bytes 18/03/2008 16:02:56

AVSCAN.DLL : 8.1.1.0 53505 Bytes 07/02/2008 15:43:37

LUKE.DLL : 8.1.2.9 151809 Bytes 28/02/2008 15:41:23

LUKERES.DLL : 8.1.2.1 12033 Bytes 21/02/2008 15:28:40

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 17:33:34

ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07/03/2008 20:08:58

ANTIVIR2.VDF : 7.0.4.195 2546176 Bytes 14/06/2008 05:06:34

ANTIVIR3.VDF : 7.0.4.204 78336 Bytes 16/06/2008 05:06:38

Engineversion : 8.1.0.55

AEVDF.DLL : 8.1.0.5 102772 Bytes 25/02/2008 16:58:21

AESCRIPT.DLL : 8.1.0.40 266618 Bytes 11/06/2008 03:40:52

AESCN.DLL : 8.1.0.21 119156 Bytes 11/06/2008 03:40:37

AERDL.DLL : 8.1.0.20 418165 Bytes 11/06/2008 03:40:28

AEPACK.DLL : 8.1.1.5 364918 Bytes 11/06/2008 03:39:35

AEOFFICE.DLL : 8.1.0.18 192890 Bytes 11/06/2008 03:38:31

AEHEUR.DLL : 8.1.0.30 1253750 Bytes 11/06/2008 03:38:17

AEHELP.DLL : 8.1.0.15 115063 Bytes 11/06/2008 03:36:15

AEGEN.DLL : 8.1.0.28 307572 Bytes 11/06/2008 03:35:57

AEEMU.DLL : 8.1.0.6 430451 Bytes 11/06/2008 03:35:18

AECORE.DLL : 8.1.0.31 168310 Bytes 11/06/2008 03:35:17

AVWINLL.DLL : 1.0.0.7 14593 Bytes 24/01/2008 00:07:53

AVPREF.DLL : 8.0.0.1 25857 Bytes 18/02/2008 17:37:50

AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 20:26:47

AVREG.DLL : 8.0.0.0 30977 Bytes 24/01/2008 00:07:49

AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 15:29:23

AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 28/02/2008 15:31:31

SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/01/2008 00:28:02

SMTPLIB.DLL : 1.2.0.19 28929 Bytes 24/01/2008 00:08:39

NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 19:05:10

RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 10/03/2008 21:37:25

RCTEXT.DLL : 8.0.32.0 86273 Bytes 06/03/2008 19:02:11

 

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\archivos de programa\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:, D:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: Miércoles, 18 de Junio de 2008 21:28

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned

Scan process 'MATLAB.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'EOUWiz.exe' - '1' Module(s) have been scanned

Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned

Scan process 'EvtEng.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

34 processes with 34 modules were scanned

 

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

 

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( '26' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP109\A0017835.exe

[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen

[NOTE] The file was deleted!

C:\System Volume Information\_restore{ADF4F1C0-1227-4902-8F71-053F0E387058}\RP109\A0017836.exe

[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen

[NOTE] The file was deleted!

 

 

End of the scan: Miércoles, 18 de Junio de 2008 23:39

Used time: 2:11:05 min

 

The scan has been canceled!

 

10658 Scanning directories

404751 Files were scanned

2 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

2 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

404749 Files not concerned

1580 Archives were scanned

1 Warnings

2 Notes

 

Avira AntiVir Personal

Report file date: Miércoles, 18 de Junio de 2008 23:45

 

Scanning for 1337442 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: COMPUDIEGO

 

Version information:

BUILD.DAT : 8.1.0.308 16478 Bytes 28/05/2008 17:03:00

AVSCAN.EXE : 8.1.2.12 311553 Bytes 18/03/2008 16:02:56

AVSCAN.DLL : 8.1.1.0 53505 Bytes 07/02/2008 15:43:37

LUKE.DLL : 8.1.2.9 151809 Bytes 28/02/2008 15:41:23

LUKERES.DLL : 8.1.2.1 12033 Bytes 21/02/2008 15:28:40

ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 17:33:34

ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07/03/2008 20:08:58

ANTIVIR2.VDF : 7.0.4.195 2546176 Bytes 14/06/2008 05:06:34

ANTIVIR3.VDF : 7.0.4.204 78336 Bytes 16/06/2008 05:06:38

Engineversion : 8.1.0.55

AEVDF.DLL : 8.1.0.5 102772 Bytes 25/02/2008 16:58:21

AESCRIPT.DLL : 8.1.0.40 266618 Bytes 11/06/2008 03:40:52

AESCN.DLL : 8.1.0.21 119156 Bytes 11/06/2008 03:40:37

AERDL.DLL : 8.1.0.20 418165 Bytes 11/06/2008 03:40:28

AEPACK.DLL : 8.1.1.5 364918 Bytes 11/06/2008 03:39:35

AEOFFICE.DLL : 8.1.0.18 192890 Bytes 11/06/2008 03:38:31

AEHEUR.DLL : 8.1.0.30 1253750 Bytes 11/06/2008 03:38:17

AEHELP.DLL : 8.1.0.15 115063 Bytes 11/06/2008 03:36:15

AEGEN.DLL : 8.1.0.28 307572 Bytes 11/06/2008 03:35:57

AEEMU.DLL : 8.1.0.6 430451 Bytes 11/06/2008 03:35:18

AECORE.DLL : 8.1.0.31 168310 Bytes 11/06/2008 03:35:17

AVWINLL.DLL : 1.0.0.7 14593 Bytes 24/01/2008 00:07:53

AVPREF.DLL : 8.0.0.1 25857 Bytes 18/02/2008 17:37:50

AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 20:26:47

AVREG.DLL : 8.0.0.0 30977 Bytes 24/01/2008 00:07:49

AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 15:29:23

AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 28/02/2008 15:31:31

SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/01/2008 00:28:02

SMTPLIB.DLL : 1.2.0.19 28929 Bytes 24/01/2008 00:08:39

NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 19:05:10

RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 10/03/2008 21:37:25

RCTEXT.DLL : 8.0.32.0 86273 Bytes 06/03/2008 19:02:11

 

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\archivos de programa\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:, D:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: Miércoles, 18 de Junio de 2008 23:45

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'WLLoginProxy.exe' - '1' Module(s) have been scanned

Scan process 'iexplore.exe' - '1' Module(s) have been scanned

Scan process 'iexplore.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned

Scan process 'MATLAB.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'EOUWiz.exe' - '1' Module(s) have been scanned

Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned

Scan process 'EvtEng.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

38 processes with 38 modules were scanned

 

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

 

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( '26' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

 

 

End of the scan: Miércoles, 18 de Junio de 2008 23:54

Used time: 09:15 min

 

The scan has been canceled!

 

488 Scanning directories

8725 Files were scanned

0 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

8725 Files not concerned

19 Archives were scanned

1 Warnings

0 Notes

 

There is no improvement in speed. What I said about svchost.exe was that there were 5 or 6 processes with the same name.

 

Thanks


That's in your system restore points... It's normal that it goes there afterwards.

 

Flush your system restore points:

To do this, you have to disable System Restore and enable it again afterwards.

(note: this will delete all your system restore points and malware that were present in it).

 

How to disable system restore in XP <= click me for instructions with screenshots

After you have disabled System Restore, reboot, and after rebooting enable it again, so a new system restore point will be made. A clean one now! :)

 

For the Windows update thing.. Please visit Windows updates again and download and install all updates!

Reboot after you have installed them.
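As an added example (not part of this thread, not Avira's code): a small Python parser for the Avira report format pasted above that pairs each [DETECTION] with the path printed before it and flags hits that sit inside a System Restore snapshot (System Volume Information\_restore{...}\RPnnn), which is the situation the reply above describes. The sample report, the restore-point GUID and the third, non-restore-point hit are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the Avira AntiVir report format quoted in this thread.
# The restore-point GUID and the third, non-restore-point hit are placeholders
# made up for this example; they are not values taken from the thread.
SAMPLE_REPORT = """\
Begin scan in 'C:\\'
C:\\pagefile.sys
[WARNING] The file could not be opened!
C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP109\\A0017835.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[NOTE] The file was deleted!
C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP109\\A0017836.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\\Documents and Settings\\user\\Local Settings\\Temp\\sample.exe
[DETECTION] Is the Trojan horse TR/Constructed.Sample
[NOTE] The file was moved to quarantine!
"""

# Avira prints each scanned path on its own line, e.g. "C:\pagefile.sys".
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Anything under an XP System Restore snapshot: System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.IGNORECASE)
DETECTION_RE = re.compile(r"^\[DETECTION\]\s+(?:Is the\s+)?(.+)$")
NOTE_RE = re.compile(r"^\[NOTE\]\s+(.+)$")


@dataclass
class Detection:
    path: str
    verdict: str           # e.g. "Trojan horse TR/Crypt.ULPM.Gen"
    action: str            # the [NOTE] line that followed, or "" if none
    in_restore_point: bool


def parse_report(text: str) -> List[Detection]:
    """Walk the report line by line: remember the last path printed, attach the
    [DETECTION] that follows it, then the [NOTE] that follows the detection."""
    hits: List[Detection] = []
    current_path = ""
    awaiting_note: Optional[Detection] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):          # a new file starts a new record
            current_path, awaiting_note = line, None
            continue
        m = DETECTION_RE.match(line)
        if m and current_path:
            awaiting_note = Detection(
                path=current_path, verdict=m.group(1).strip(), action="",
                in_restore_point=bool(RESTORE_POINT_RE.search(current_path)))
            hits.append(awaiting_note)
            continue
        m = NOTE_RE.match(line)
        if m and awaiting_note is not None:
            awaiting_note.action = m.group(1).strip()
            awaiting_note = None
    return hits


def triage(text: str) -> dict:
    """Separate hits inside restore-point snapshots (cleared by disabling and
    re-enabling System Restore) from hits in live locations (a real infection)."""
    hits = parse_report(text)
    live = [d for d in hits if not d.in_restore_point]
    return {
        "total": len(hits),
        "restore_point_hits": len(hits) - len(live),
        "live_hits": len(live),
        "live_paths": [d.path for d in live],
        "flush_system_restore": len(live) < len(hits),
        "investigate_live_files": bool(live),
    }
```

Running `triage(SAMPLE_REPORT)` on the constructed sample reports two restore-point hits (flush System Restore) and one live hit that would still need a real look.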


Hi, I flushed the restore points. I installed Service Pack 3 for Windows XP and there is a little improvement in the speed, but not enough... I think I would have to format my hard drive.


I'm really out of ideas as well..

We checked everything, even checked for rootkits etc.. and nothing explains your "slow issues".

I actually don't know where else to look anymore... the only thing I can think of is that some instructions were overlooked.

On the other hand, create a new user account and test if it works OK there. If so, then use that new user account instead and delete the "old" one.
