Solved: Slow XP SP 2 - suspect svchost files bogging me down


Renzo McDuffy
Member with 32 posts. THREAD STARTER
Join Date: Aug 2007
Experience: Beginner
19-Nov-2007, 02:31 PM #16
Below is the Bit Defender report, but the first scan apparently finished but I think my office manager closed it not knowing what it was. It identified some viruses and removed them according to what she remembers, but I can't find the report. Ran a second scan, and it came back clean, as seen below.

BitDefender Online Scanner

Scan report generated at: Mon, Nov 19, 2007 - 10:48:48
Scan path: A:\;C:\;D:\;

Statistics
Time: 01:13:23
Files: 159745
Folders: 4400
Boot Sectors: 3
Archives: 3086
Packed Files: 7158

Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 878270
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 7
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
No virus found.
Renzo McDuffy (thread starter)
19-Nov-2007, 02:33 PM #17
Here is the reglooks log file:

REGLOOKS logfile

version 0.976
2007-11-19 11:32:07.05
running from: "C:\WINDOWS"

--- SSODL regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
only standard or legit regkeys found


--- STS regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
only standard or legit regkeys found


--- USERINIT regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


--- SHELL regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe"


--- SYSTEM regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"=""


--- APPINIT_DLLS regkey ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=""


--- NOTIFY regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
"!SASWinLogon" "DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"igfxcui" "DLLName"="igfxsrvc.dll"


--- BOOTEXECUTE regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute= autochk *\0\0


--- SHELLEXECUTEHOOKS regkey ---

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{076394AD-7FDD-44EF-A075-32C68DBAB99B}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""


--- HKLM\Run regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"StartCounterSpyIconApp"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Agent\\CounterSpyAgentIcon.exe"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgemc.exe"
[run\OptionalComponents]
[run\OptionalComponents\IMAIL]
"Installed"="1"
[run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[run\OptionalComponents\MSFS]
"Installed"="1"


--- HKLM\RunOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKLM RunOnce keys found


--- HKLM\RunOnceEx regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
no HKLM RunOnceEx keys found


--- HKLM\RunServices regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKLM RunServices keys found


--- HKLM\RunServicesOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
regkey does not exist


--- HKCU\Run regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Second Copy"="\"C:\\PROGRA~1\\SecCopy\\SecCopy.exe\""
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


--- HKCU\RunOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKCU RunOnce keys found


--- HKCU\RunOnceEx regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
regkey does not exist


--- HKCU\RunServices regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKCU RunServices keys found


--- HKCU\RunServicesOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
no HKCU RunServicesOnce keys found


--- HKU\.DEFAULT\Run regkeys - Default user ---

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


--- HKU\S-1-5-19\Run regkeys - User Lokale service ---

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"


--- HKU\S-1-5-20\Run regkeys - User Netwerkservice ---

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"


--- HKLM\Explorer\Run regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKLM Explorer\Run keys found


--- HKCU\Explorer\Run regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKCU Explorer\Run keys found


--- Image File Execution regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
no debuggers found


--- BROWSER HELPER OBJECTS regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" FILE ="C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll"


--- TOOLBAR regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
no toolbars found


--- URLSEARCHHOOKS regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
only standard regkeys found


--- CONTEXTMENUHANDLERS regkeys ---

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
"AVG7 Shell Extension" CLSID ={9F97547E-4609-42C5-AE0C-81C61FFAEBC3} FILE ="C:\\Program Files\\Grisoft\\AVG7\\avgse.dll"
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE NOT FOUND
"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE NOT FOUND
"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE NOT FOUND
"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" {A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE NOT FOUND

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE NOT FOUND
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE NOT FOUND
"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"
"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers
"AVG7 Shell Extension" CLSID ={9F97547E-4609-42C5-AE0C-81C61FFAEBC3} FILE ="C:\\Program Files\\Grisoft\\AVG7\\avgse.dll"


--- ALTERNATESHELL regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
"AlternateShell"="cmd.exe"


--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
no unknown services found


--- SAFEBOOT NETWORK SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
no unknown services found


--- SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adaptive_Server_Anywhere
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aeaudio

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CounterSpyAgent
"DisplayName"="CounterSpyAgent"
Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESCameraService
"DisplayName"="ESCameraService"
Files\EagleSoft\Shared Files\ESCameraService.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HP Port Resolver
"DisplayName"="HP Port Resolver"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HP Status Server
"DisplayName"="HP Status Server"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ILADFtmi
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASDIFSV
"DisplayName"="SASDIFSV"
Files\SUPERAntiSpyware\SASDIFSV.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASENUM
"DisplayName"="SASENUM"
Files\SUPERAntiSpyware\SASENUM.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASKUTIL
"DisplayName"="SASKUTIL"
Files\SUPERAntiSpyware\SASKUTIL.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winvnc
"DisplayName"="VNC Server"
Files\TightVNC\WinVNC.exe" -service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{BC501D5C-C92E-4573-954B-6FC1E2E82389}
no imagepath value found


--- SECURITYPROVIDERS regkey ---

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


--- SVCHOST regkey ---

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
HTTPFilter REG_MULTI_SZ:
LocalService REG_MULTI_SZ:
NetworkService REG_MULTI_SZ:
netsvcs REG_MULTI_SZ:
DcomLaunch REG_MULTI_SZ:
rpcss REG_MULTI_SZ:
imgsvc REG_MULTI_SZ:
termsvcs REG_MULTI_SZ:
WudfServiceGroup REG_MULTI_SZ:


--- WOW-CMDLINE regkeys ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
"wowcmdline" = -a %SystemRoot%\system32\krnl386


--- STARTUP FOLDERS ---



--- TASK SCHEDULER JOBS ---

no .job files found


--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)


FINISHED
Jintan
Malware Removal Specialist with 1,164 posts.
Join Date: Oct 2007
19-Nov-2007, 09:05 PM #18
Of course I would have liked to have seen that first BitDefender run's results, but at least this second one indicates no additional items located. Two registry entry areas in this last log don't quite match what I had expected, and as those are areas infection also uses, let's get a check on those now.


Code:
@ECHO OFF
REM Remove any report left over from a previous run
if exist Check.txt del /q Check.txt
REM Dump the two areas being checked: the BootExecute value and the Svchost service groups
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute > Regsearch1.txt
REG QUERY "HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost" >> Regsearch1.txt
REM Collect the output into Check.txt, remove the temporary file and open the result
Type Regsearch*.txt > Check.txt
del /q Regsearch*.txt
Notepad Check.txt
exit
Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text into the open text box, then save this to your desktop as "newcheck.bat".

Be sure to include the "" quotes in the name. Then click on newcheck.bat. When the scan completes a text box will open; copy/paste those contents back here please.
Renzo McDuffy (thread starter)
20-Nov-2007, 10:10 AM #19
FYI, My system seems to be running much better. I logged on this morning to my dental practice software program, and it is opening and jumping screens as it should be now, so that is progress for sure! I cannot thank you enough for your help. I'll be sure to donate. Once this issue is resolved on this computer, can we tackle the other computer after Thanksgiving weekend?

Here is the Newcheck log:


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute REG_MULTI_SZ autocheck autochk *\0\0


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\DComLaunch

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\HTTPFilter

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\LocalService

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\PCHealth

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\termsvcs
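The reason the Svchost key is worth checking on a machine with "svchost bogging me down" symptoms is that a service group such as netsvcs is just a list of service names: malware that appends its own name there and registers a matching service with a ServiceDll pointing at its DLL gets loaded inside an ordinary svchost.exe process. The Python below is an added example written for this page, not a tool from the thread or from the helper. It parses the REG.EXE 3.0 output posted above (embedded as a constructed sample with the forum's word breaks removed), treats that posted output as the known-good baseline (an assumption; on another machine you would compare against a clean install or a pre-infection export of the same keys), and splices one hypothetical look-alike name, "wuausrv", into netsvcs to show what a hijacked group looks like in the diff.

```python
"""Audit the svchost group lists and BootExecute value dumped by newcheck.bat."""
import re

# Constructed sample: the newcheck.bat output posted in this thread (Windows XP
# SP2, REG.EXE 3.0) with the forum's word breaks removed. REG.EXE 3.0 prints each
# NUL separator of a REG_MULTI_SZ as a literal "\0" and ends the value with "\0\0".
CLEAN_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs
"""

# Hypothetical tampered copy: one extra name, "wuausrv" (a look-alike of the real
# wuauserv), spliced into netsvcs the way a svchost group hijack appears.
TAMPERED_OUTPUT = CLEAN_OUTPUT.replace(r"\0helpsvc\0", r"\0helpsvc\0wuausrv\0")

# Known-good lists for this machine, taken from the thread's own posted output.
# Assumption: that output is the reference; elsewhere, use a clean install or a
# pre-infection export of the same keys instead.
BASELINE = {
    "BootExecute": ["autocheck autochk *"],
    "HTTPFilter": ["HTTPFilter"],
    "LocalService": ["Alerter", "WebClient", "LmHosts", "RemoteRegistry", "upnphost", "SSDPSRV"],
    "NetworkService": ["DnsCache"],
    "netsvcs": ("6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem "
                "FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer "
                "LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent "
                "Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService "
                "Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov "
                "BITS wuauserv ShellHWDetection helpsvc WmdmPmSN").split(),
    "DcomLaunch": ["DcomLaunch", "TermService"],
    "rpcss": ["RpcSs"],
    "imgsvc": ["StiSvc"],
    "termsvcs": ["TermService"],
    "WudfServiceGroup": ["WUDFSvc"],
}

LINE_RE = re.compile(r"^\s*(\S+)\s+REG_MULTI_SZ\s+(.*?)\s*$")


def parse_multi_sz(text):
    """Map each REG_MULTI_SZ value name in REG.EXE 3.0 output to its entries.

    Entries are split on the literal "\0" separator only, so the BootExecute
    command line "autocheck autochk *" stays a single entry.
    """
    values = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            name, raw = match.groups()
            values[name] = [e for e in raw.split(r"\0") if e.strip()]
    return values


def audit(values, baseline=BASELINE):
    """Return {value_name: {"added": [...], "missing": [...]}} for every value
    whose entries differ from the baseline. Service names are compared
    case-insensitively, as the service control manager treats them."""
    findings = {}
    for name, expected in baseline.items():
        seen = values.get(name, [])
        expected_lc = {e.lower() for e in expected}
        seen_lc = {s.lower() for s in seen}
        added = sorted(s for s in seen if s.lower() not in expected_lc)
        missing = sorted(e for e in expected if e.lower() not in seen_lc)
        if added or missing:
            findings[name] = {"added": added, "missing": missing}
    return findings


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_OUTPUT), ("tampered", TAMPERED_OUTPUT)):
        print(label, audit(parse_multi_sz(text)) or "matches baseline")
```

An extra name in a group is a lead, not a verdict: the next step is to open HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, read its ServiceDll value, and check that the file it names is a legitimately signed Windows component before removing anything. A missing name is usually harmless (a service uninstalled or never present) and only matters when the baseline is from the same machine.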
Jintan (Malware Removal Specialist)
20-Nov-2007, 12:25 PM #20
Good that your system is back on track now, and as always I am glad to provide the assistance. Those last reg entries do appear correct, so it must have been a function of the scan tool that caused the unusual entries I was looking at. You will need to post a new request on this other computer's issues, as trying two different system repairs in one thread is not recommended. For the system here we just need to clean up the changes we made.

You can uninstall BitDefender in IE by going to Tools, clicking "Uninstall BitDefender Online Scanner", and following the steps provided. For Kaspersky there should be an uninstall option in Add/Remove Programs in Control Panel. Delete any other files/folders of tools we used, including logs created, and to have ComboFix remove its files/folders and undo some changes it made just go to Start - Run, type the following (and press OK):

ComboFix /u

Then a last step would be to reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.

In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
Renzo McDuffy (thread starter)
21-Nov-2007, 12:49 PM #21
Jintan - Thank you, thank you! Your help has absolutely made my life so much easier at work! My office manager had been complaining about her slow system for 2 months! I donated to techguy today, as it was by far the most affordable solution. Not to mention the fastest! You rock, my friend! I have saved a new HJT log for my second computer that is having problems (was hoping you would be the one I get to work with again, but I'm sure all the volunteers through techguy are just as good). Happy Thanksgiving! I, for one, am thankful for all your help!
Jintan (Malware Removal Specialist)
21-Nov-2007, 07:10 PM #22
I was glad to be of assistance, and yes, all the folks here are qualified to provide the needed repairs as well.
Renzo McDuffy (thread starter)
27-Nov-2007, 10:31 AM #23
Can you take a look at my other log that was posted last week? I am back from the long weekend today, and have had no replies on the other post. I assume everyone was away for the holiday, and things will be back to normal this week.
Jintan (Malware Removal Specialist)
27-Nov-2007, 03:30 PM #24
We all here will be working through the older unanswered threads so it will receive one as well.