
Solved: Slow XP SP 2 - suspect svchost files bogging me down

Discussion in 'Virus & Other Malware Removal' started by Renzo McDuffy, Nov 13, 2007.

Thread Status:
Not open for further replies.
  1. Renzo McDuffy

    Renzo McDuffy Thread Starter

    Joined:
    Aug 19, 2007
    Messages:
    32
    Below is the BitDefender report. The first scan apparently finished, but I think my office manager closed it not knowing what it was. It identified some viruses and removed them according to what she remembers, but I can't find the report. Ran a second scan, and it came back clean, as seen below.

    BitDefender Online Scanner
    Scan report generated at: Mon, Nov 19, 2007 - 10:48:48
    Scan path: A:\;C:\;D:\;

    Statistics
    Time: 01:13:23
    Files: 159745
    Folders: 4400
    Boot Sectors: 3
    Archives: 3086
    Packed Files: 7158

    Results
    Identified Viruses: 0
    Infected Files: 0
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 0

    Engines Info
    Virus Definitions: 878270
    Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
    Scan plugins: 14
    Archive plugins: 38
    Unpack plugins: 7
    E-mail plugins: 6
    System plugins: 1

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File / Status
    No virus found.
     
  2. Renzo McDuffy

    Renzo McDuffy Thread Starter

    Joined:
    Aug 19, 2007
    Messages:
    32
    Here is the reglooks log file:

    REGLOOKS logfile

    version 0.976
    2007-11-19 11:32:07.05
    running from: "C:\WINDOWS"

    --- SSODL regkeys ---

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    only standard or legit regkeys found


    --- STS regkeys ---

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    only standard or legit regkeys found


    --- USERINIT regkey ---

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


    --- SHELL regkey ---

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    "Shell"="Explorer.exe"


    --- SYSTEM regkey ---

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    "System"=""


    --- APPINIT_DLLS regkey ---

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
    "AppInit_DLLs"=""


    --- NOTIFY regkeys ---

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    "!SASWinLogon" "DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
    "igfxcui" "DLLName"="igfxsrvc.dll"


    --- BOOTEXECUTE regkey ---

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    BootExecute= autochk *\0\0


    --- SHELLEXECUTEHOOKS regkey ---

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{076394AD-7FDD-44EF-A075-32C68DBAB99B}"=""
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""


    --- HKLM\Run regkeys ---

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "StartCounterSpyIconApp"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Agent\\CounterSpyAgentIcon.exe"
    "AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgemc.exe"
    [run\OptionalComponents]
    [run\OptionalComponents\IMAIL]
    "Installed"="1"
    [run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"
    [run\OptionalComponents\MSFS]
    "Installed"="1"


    --- HKLM\RunOnce regkeys ---

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    no HKLM RunOnce keys found


    --- HKLM\RunOnceEx regkeys ---

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    no HKLM RunOnceEx keys found


    --- HKLM\RunServices regkeys ---

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    no HKLM RunServices keys found


    --- HKLM\RunServicesOnce regkeys ---

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
    regkey does not exist


    --- HKCU\Run regkeys ---

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Second Copy"="\"C:\\PROGRA~1\\SecCopy\\SecCopy.exe\""
    "MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


    --- HKCU\RunOnce regkeys ---

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    no HKCU RunOnce keys found


    --- HKCU\RunOnceEx regkeys ---

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    regkey does not exist


    --- HKCU\RunServices regkeys ---

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    no HKCU RunServices keys found


    --- HKCU\RunServicesOnce regkeys ---

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
    no HKCU RunServicesOnce keys found


    --- HKU\.DEFAULT\Run regkeys - Default user ---

    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
    "MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


    --- HKU\S-1-5-18\Run regkeys - user SYSTEM ---

    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
    "MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


    --- HKU\S-1-5-19\Run regkeys - User Lokale service ---

    HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"


    --- HKU\S-1-5-20\Run regkeys - User Netwerkservice ---

    HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"


    --- HKLM\Explorer\Run regkeys ---

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    no HKLM Explorer\Run keys found


    --- HKCU\Explorer\Run regkeys ---

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    no HKCU Explorer\Run keys found


    --- Image File Execution regkeys ---

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    no debuggers found


    --- BROWSER HELPER OBJECTS regkeys ---

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" FILE ="C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll"


    --- TOOLBAR regkeys ---

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    no toolbars found


    --- URLSEARCHHOOKS regkeys ---

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
    only standard regkeys found


    --- CONTEXTMENUHANDLERS regkeys ---

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    "AVG7 Shell Extension" CLSID ={9F97547E-4609-42C5-AE0C-81C61FFAEBC3} FILE ="C:\\Program Files\\Grisoft\\AVG7\\avgse.dll"
    "Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE NOT FOUND
    "Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE NOT FOUND
    "Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE NOT FOUND
    "{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" {A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE NOT FOUND

    HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
    "EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE NOT FOUND
    "Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE NOT FOUND
    "Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"
    "{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"

    HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers
    "AVG7 Shell Extension" CLSID ={9F97547E-4609-42C5-AE0C-81C61FFAEBC3} FILE ="C:\\Program Files\\Grisoft\\AVG7\\avgse.dll"


    --- ALTERNATESHELL regkey ---

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
    "AlternateShell"="cmd.exe"


    --- SAFEBOOT MINIMAL SERVICES ---

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
    no unknown services found


    --- SAFEBOOT NETWORK SERVICES ---

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
    no unknown services found


    --- SERVICES ---

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adaptive_Server_Anywhere
    no imagepath value found

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aeaudio

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CounterSpyAgent
    "DisplayName"="CounterSpyAgent"
    Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESCameraService
    "DisplayName"="ESCameraService"
    Files\EagleSoft\Shared Files\ESCameraService.exe

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HP Port Resolver
    "DisplayName"="HP Port Resolver"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HP Status Server
    "DisplayName"="HP Status Server"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ILADFtmi
    no imagepath value found

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASDIFSV
    "DisplayName"="SASDIFSV"
    Files\SUPERAntiSpyware\SASDIFSV.SYS

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASENUM
    "DisplayName"="SASENUM"
    Files\SUPERAntiSpyware\SASENUM.SYS

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASKUTIL
    "DisplayName"="SASKUTIL"
    Files\SUPERAntiSpyware\SASKUTIL.sys

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winvnc
    "DisplayName"="VNC Server"
    Files\TightVNC\WinVNC.exe" -service

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{BC501D5C-C92E-4573-954B-6FC1E2E82389}
    no imagepath value found


    --- SECURITYPROVIDERS regkey ---

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    --- SVCHOST regkey ---

    HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
    HTTPFilter REG_MULTI_SZ:
    LocalService REG_MULTI_SZ:
    NetworkService REG_MULTI_SZ:
    netsvcs REG_MULTI_SZ:
    DcomLaunch REG_MULTI_SZ:
    rpcss REG_MULTI_SZ:
    imgsvc REG_MULTI_SZ:
    termsvcs REG_MULTI_SZ:
    WudfServiceGroup REG_MULTI_SZ:


    --- WOW-CMDLINE regkeys ---

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
    "wowcmdline" = -a %SystemRoot%\system32\krnl386


    --- STARTUP FOLDERS ---



    --- TASK SCHEDULER JOBS ---

    no .job files found


    --- File associations ---

    .BAT files: ("%1" %*)
    .COM files: ("%1" %*)
    .EXE files: ("%1" %*)
    .HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
    .INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
    .INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
    .JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
    .PIF files: ("%1" %*)
    .REG files: (regedit.exe "%1")
    .SCR files: ("%1" /S)
    .TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
    .VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)


    FINISHED
     
  3. Jintan

    Jintan Malware Specialist

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    Of course I would have liked to have seen that first BitDefender run's results, but at least this second one indicates no additional items located. Two registry entry areas in this last log don't quite match what I had expected, and since those are areas infections also use, let's get a check on those now.


    Code:
    @ECHO OFF
    REM Remove any report left over from an earlier run
    if exist Check.txt del /q Check.txt
    REM Dump the BootExecute value and the Svchost service groups to a temporary file
    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute > Regsearch1.txt
    REG QUERY "HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost" >> Regsearch1.txt
    REM Collect the output into Check.txt, tidy up, and open the result in Notepad
    Type Regsearch*.txt > Check.txt
    del /q Regsearch*.txt
    Notepad Check.txt
    exit
    Open Notepad (Start - Run, type notepad and press Enter).

    Copy/paste the above text into the open text box, then save this to your desktop as "newcheck.bat"

    Be sure to include the "" quotes in the name. Then click on newcheck.bat. When the scan completes, a text box will open - copy/paste those contents back here please.
     
  4. Renzo McDuffy

    Renzo McDuffy Thread Starter

    Joined:
    Aug 19, 2007
    Messages:
    32
    FYI, My system seems to be running much better. I logged on this morning to my dental practice software program, and it is opening and jumping screens as it should be now, so that is progress for sure! I cannot thank you enough for your help. I'll be sure to donate. Once this issue is resolved on this computer, can we tackle the other computer after Thanksgiving weekend?

    Here is the Newcheck log:


    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0


    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

    HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\DComLaunch

    HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\HTTPFilter

    HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\LocalService

    HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

    HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\PCHealth

    HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost\termsvcs
     
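    An added example, not from this thread or from any of the tools used in it, that reads REG.EXE output in the format of the Newcheck log above and compares it against a known-good copy. The baseline string is the output posted in this thread (which the helper confirmed as correct); the second sample is constructed, with BootExecute shortened the way the reglooks tool printed it and a placeholder name "ExampleSvc" (not a real service) appended to netsvcs, so the report has something to show. The expected BootExecute value "autocheck autochk *" is the stock Windows XP setting. A service that malware registers to run inside svchost usually appears as a name in one of these groups that a clean machine's list does not have, which is why this key was worth checking.

```python
"""Offline baseline check for REG QUERY output of the two keys in the thread.

Parses REG.EXE 3.0 output for the Session Manager BootExecute value and the
Svchost service-group key, then reports anything that differs from a
known-good baseline.
"""
import re

SESSION_MGR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
SVCHOST = r"HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost"

# Stock Windows XP value: autochk runs any scheduled disk check at boot.
EXPECTED_BOOTEXECUTE = ["autocheck autochk *"]

# REG.EXE 3.0 prints "Name REG_TYPE data"; REG_MULTI_SZ items are joined by a
# literal backslash-zero and the list ends with "\0\0". Value names containing
# spaces are not handled, which is fine for the two keys checked here.
VALUE_RE = re.compile(r"^(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")

# Baseline: the Newcheck output posted in this thread, embedded as text.
BASELINE = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
"""

# Constructed sample: BootExecute as the reglooks tool printed it, plus the
# placeholder "ExampleSvc" (not a real service) appended to netsvcs.
SUSPECT = BASELINE.replace("autocheck autochk *", "autochk *").replace(
    r"WmdmPmSN\0\0", r"WmdmPmSN\0ExampleSvc\0\0")


def parse_reg_query(text):
    """Return {key_path: {value_name: [item, ...]}} from REG QUERY output."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # blank, or "! REG.EXE VERSION 3.0"
            continue
        if line.startswith("HKEY_"):
            current = line
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, rtype, data = m.groups()
            if rtype == "REG_MULTI_SZ":
                items = [s for s in data.split("\\0") if s]
            else:
                items = [data]
            keys[current][name] = items
    return keys


def compare_to_baseline(sample_text, baseline_text):
    """Return a list of findings; an empty list means the sample matches."""
    sample = parse_reg_query(sample_text)
    baseline = parse_reg_query(baseline_text)
    findings = []

    boot = sample.get(SESSION_MGR, {}).get("BootExecute")
    if boot != EXPECTED_BOOTEXECUTE:
        findings.append(f"BootExecute is {boot!r}, expected {EXPECTED_BOOTEXECUTE!r}")

    known_groups = baseline.get(SVCHOST, {})
    for group, members in sample.get(SVCHOST, {}).items():
        # Service names are case-insensitive on Windows, so compare lower-cased.
        known = {m.lower() for m in known_groups.get(group, [])}
        if not known:
            findings.append(f"svchost group {group!r} is not in the baseline: {members}")
            continue
        for extra in members:
            if extra.lower() not in known:
                findings.append(f"svchost group {group!r} lists unknown service {extra!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("thread output", BASELINE), ("constructed sample", SUSPECT)):
        findings = compare_to_baseline(text, BASELINE)
        print(f"{label}: {'clean' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

    Run it as a script to see the thread's own output come back clean and the constructed sample produce two findings. To use it on another machine, paste that machine's Check.txt contents in place of SUSPECT; the baseline should come from a machine of the same Windows version and patch level, because the netsvcs list changes between service packs.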
  5. Jintan

    Jintan Malware Specialist

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    Good that your system is back on track now, and as always I am glad to provide the assistance. Those last reg entries do appear correct, so it must have been a function of the scan tool that caused the unusual entries I was looking at. You will need to post a new request on this other computer's issues, as trying two different system repairs in one thread is not recommended. For the system here we just need to clean up the changes we made.

    You can uninstall BitDefender in IE by going to Tools, clicking "Uninstall BitDefender Online Scanner", and following the steps provided. For Kaspersky there should be an uninstall option in Add/Remove Programs in Control Panel. Delete any other files/folders of tools we used, including logs created, and to have ComboFix remove its files/folders and undo some changes it made just go to Start - Run, type the following (and press OK):

    ComboFix /u

    Then a last step would be to reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

    You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

    When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply, then OK.

    In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
     
  6. Renzo McDuffy

    Renzo McDuffy Thread Starter

    Joined:
    Aug 19, 2007
    Messages:
    32
    Jintan - Thank you, thank you! Your help has absolutely made my life so much easier at work! My office manager had been complaining about her slow system for 2 months! I donated to techguy today, as it was by far the most affordable solution. Not to mention the fastest! You rock, my friend! I have saved a new HJT log for my second computer that is having problems (was hoping you would be the one I get to work with again, but I'm sure all the volunteers through techguy are just as good). Happy Thanksgiving! I, for one, am thankful for all your help!
     
  7. Jintan

    Jintan Malware Specialist

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    I was glad to be of assistance, and yes, all the folks here are qualified to provide the needed repairs as well.(y)
     
  8. Renzo McDuffy

    Renzo McDuffy Thread Starter

    Joined:
    Aug 19, 2007
    Messages:
    32
    Can you take a look at my other log that was posted last week? I am back from the long weekend today, and have had no replies on the other post. I assume everyone was away for the holiday, and things will be back to normal this week.
     
  9. Jintan

    Jintan Malware Specialist

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    We all here will be working through the older unanswered threads so it will receive one as well.
     

Short URL to this thread: https://techguy.org/651539