Hi,
I have read the posts regarding fixing slow computers and the 5 steps to take prior to posting here. After taking these steps, my computer sped up a little; however, I noticed some things that make me believe I still have viruses or spyware.
Possible Issues:
I am now running McAfee Total Protection for Small Business. When the computer starts up, I notice that the real-time virus protection is sometimes disabled. I am not sure if a spyware or virus is disabling it. The McAfee firewall also reported a file GLB46.tmp attempting to access the internet.
In looking at the registry items listed in Autoruns, I found at least two items that are tagged by
http://www.bleepingcomputer.com/startups/ as potential virus or trojan files. The two files I first noticed are userinit.exe and Explorer.exe. I suspect there are others. I did not want to try to disable or remove these without your assistance.
I have run DSS a few times; however, I noticed that the extra.txt file was only created on the first run. Prior to the first run, I had used msconfig to limit items from loading at startup. After returning msconfig to normal startup and using CCleaner, I have rerun DSS, but no extra.txt file was generated. I will attach the only copy of extra.txt I have. If you need a current version of extra.txt, please let me know how I can have one regenerated.
Thanks in advance!!
Here is the main.txt from DSS:
Deckard's System Scanner v20071014.68
Run by A276BEL on 2008-06-06 14:30:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 254 MiB (512 MiB recommended).
-- HijackThis (run as A276BEL.exe) ---------------------------------------------
logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-06 14:32:43
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\OPHALDCS.EXE
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
D:\data\my documents on d\installation\dss.exe
C:\Program Files\Trend Micro\HijackThis\A276BEL.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pc-180-16-215-201.cm.vtr.net:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6021\SiteAdv.exe
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Internet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O15 - Trusted Zone: *.aaa.com (HKCU)
O15 - Trusted Zone: *.buy.com (HKCU)
O15 - Trusted Zone: *.godaddy.com (HKCU)
O15 - Trusted Zone: *.jabberwock.net (HKCU)
O15 - Trusted Zone: http://jhfunds.com (HKCU)
O15 - Trusted Zone: http://jhnetwork.com (HKCU)
O15 - Trusted Zone: http://jhsalesnet.com (HKCU)
O15 - Trusted Zone: *.nickandelsa.com (HKCU)
O15 - Trusted Zone: https://www.sfnclientfacts.com (HKCU)
O15 - ProtocolDefaults: Unknown 'myui' protocol is in Trusted Zone (HKLM)
O15 - ProtocolDefaults: Unknown 'myrm' protocol is in Trusted Zone (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} () - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1113925648917
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} () - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) - https://java.sun.com/update/1.5.0/ji...ndows-i586.cab
O16 - DPF: {9800DFDB-CC8D-48A3-AC45-2C313C5683CE} () - https://www.sfnclientfacts.com/ba32/...oadPicture.CAB
O16 - DPF: {984425BF-82C1-11D6-8152-00B0D026F003} () - http://hub.jhancock.com/mfcentral/co...nchNotesDB.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} () - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} () - http://download.yahoo.com/dl/install...od/yregcfg.cab
O16 - DPF: {B5665C6C-2E8C-4b23-A5B7-B137CF1064EF} () - http://kdx.omn.org/securedelivery/omn/omn.cab
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} () - https://secure-extranet-integ.jhnetw...intControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {DEF7CADC-83C0-11D0-A0F1-00A024703500} (True OLE DBGrid 7 Control) - https://www.sfnclientfacts.com/ba32/Include/todg7.CAB
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - (no file)
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt4.7.0.538.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\system32\spool\drivers\w32x86\3\OPHALDCS.EXE
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
--
End of file - 11142 bytes
-- Files created between 2008-05-06 and 2008-06-06 -----------------------------
2008-06-06 12:28:11 0 dr-h----- C:\Documents and Settings\A276BEL\Recent
2008-06-05 11:36:58 0 d-------- C:\Program Files\Panda Security
2008-06-05 08:18:03 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\VSee
2008-06-04 16:10:32 0 d-------- C:\Program Files\PC Wizard 2008
2008-06-04 15:36:52 0 d-------- C:\Program Files\Trend Micro
2008-05-14 10:01:38 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-14 09:54:51 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-07 23:25:30 0 d-------- C:\Program Files\Bomgar
-- Find3M Report ---------------------------------------------------------------
2008-06-06 11:21:43 0 d-------- C:\Program Files\epson
2008-06-06 11:21:42 0 d-------- C:\Program Files\Google
2008-06-06 11:09:03 0 d-------- C:\Program Files\TweakNow RegCleaner
2008-06-06 10:48:42 0 d-------- C:\Program Files\Yahoo!
2008-06-06 10:37:32 0 d-------- C:\Program Files\JAP
2008-06-06 10:17:05 0 d-------- C:\Program Files\FlashGet
2008-06-06 10:16:31 0 d-------- C:\Program Files\eXtech.net
2008-06-06 10:15:40 0 d-------- C:\Program Files\FileZilla Client
2008-06-06 10:13:38 0 d-------- C:\Program Files\DivX
2008-06-06 08:40:45 0 d-------- C:\Program Files\Common Files
2008-06-05 20:50:23 0 d-------- C:\Program Files\SpywareBlaster
2008-06-05 08:34:22 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-05 08:17:17 0 d-------- C:\Documents and Settings\A276BEL\Application Data\VSee
2008-06-05 08:15:11 0 d-------- C:\Program Files\VSee
2008-06-04 20:16:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-04 20:12:11 0 d-------- C:\Program Files\Common Files\JHIllustrator
2008-06-03 11:14:01 8562 --a------ C:\WINDOWS\mozver.dat
2008-05-29 14:34:11 0 d-------- C:\Documents and Settings\A276BEL\Application Data\SiteAdvisor
2008-05-28 11:20:23 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-22 11:32:20 0 d-------- C:\Program Files\Real
2008-05-22 11:28:53 0 d-------- C:\Program Files\Forecaster
2008-05-22 11:23:19 0 d-------- C:\Program Files\CLEM CHEM 220
2008-05-22 11:22:20 0 d-------- C:\Program Files\Bulk Rename Utility
2008-05-22 11:21:02 0 d-------- C:\Documents and Settings\A276BEL\Application Data\ESTsoft
2008-05-21 18:42:26 0 d-------- C:\Program Files\Star Downloader
2008-05-21 13:42:33 0 d-------- C:\Program Files\WebEx
2008-05-21 13:31:47 0 d-------- C:\Program Files\Skype
2008-05-21 07:37:48 0 d-------- C:\Documents and Settings\A276BEL\Application Data\AdobeUM
2008-05-20 08:12:52 0 d-------- C:\Program Files\SiteAdvisor
2008-04-20 23:56:09 27528 --a------ C:\Documents and Settings\A276BEL\Application Data\GDIPFONTCACHEV1.DAT
2008-04-15 16:10:09 0 d-------- C:\Program Files\MSECache
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [01/22/2008 10:09 PM]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6021\SiteAdv.exe" [02/03/2007 11:25 AM]
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe" [01/22/2008 10:09 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/29/2007 11:08 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [02/16/2005 05:15 PM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [11/11/2005 07:30 PM]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [07/31/2003 02:52 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/20/2004 03:51 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/20/2004 03:55 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [03/20/2006 05:34 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/23/2006 03:45 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/04/2006 01:28 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [10/12/2006 04:10 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
Debugger=C:\data\ProcessExplorerNt\procexp.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- "G:\Install FreeAgent Tools.exe" /run
-- End of Deckard's System Scanner: finished at 2008-06-06 14:34:03 ------------