Trouble with PC not sure if it's a virus

Hi,

I am having trouble with my PC: there is a process that is continuously running which is slowing down my PC. It of course happens after boot up, but it also starts on its own in the middle of the day and makes it impossible to work. I thought it might be a virus but honestly I'm not sure. I reformatted earlier this year.

I have gone through the preliminary virus removal instructions.

PC Info:
Win XP home edition with sp2
AMD Sempron(tm)
1.47GHz, 256 mb of RAM

I've attached the HJT, Combofix, MBAM and SAS logs... (sorry, that makes 4 ;) )

Panda Antirootkit scan results were no toolkits found :)

Let me know if you need something else...

Any help you can give me would be much appreciated, I am in a position where I really need to use my personal PC. :(

thanks, SilverIris
 

Considerations: It appears that you are running both Network Associates (McAfee) and AVG v8, which is also an antivirus program. Decide which you want and uninstall the other.

Looks like running the Java updater hasn't done much good- you are way way behind:
Updater: C:\Program Files\Java\jre6\bin\jusched.exe

Old Java versions:
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
Download the latest version, which is v6u7, from here:
https://www.techspot.com/downloads/6463-java-se.html

You can uninstall the old versions in Add/Remove Programs in the Control Panel.

Turn off this Real Time program:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

When the above have been handled, please run HijackThis again. I did not review the rest of the log or the other logs. You need to get the AV handled now and the Java updated.
 
Hello Bob,

Thanks for looking.

I double checked, and I don't have McAfee installed. McAfee or Network Associates do not appear in Add/Remove Programs. Let me know if there is anything you want me to check regarding the AV. Not sure why you are seeing two AVs.

I did have the latest version of JRE; however, I think those were leftover files from previous upgrades, so I uninstalled anyway, deleted any leftover files and installed from the site you mentioned.

I also uninstalled the Panda active scan.


Just in case I've attached the HJT file.

Thanks,
 
Well, I will have to wear a red face today! I saw "Network", made an incorrect assumption that it was Network Associates instead of Network Magic. My apology.

I see Java is now current. mbam is clean, combofix deleted some files. SuperAntispyware turned up a gazillion Tracking Cookies, as expected with all the game entries. Have all of those deleted please.

For that process that is running: when it happens, open the Task Manager (right click on Task Bar> Task Manager) and see which process is consuming much of the CPU. To sort the CPU column, double-click on the top frame of the column. That will sort in descending order- the highest numbers at the top.

Reopen HijackThis and check these entries:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
{DBC80044-A445-435b-BC74-9C25C1C588A9}
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Go to the Control Panel> Java> Update tab> UNCHECK 'automatically check for updates'> answer Yes when you're asked if you're sure, then close.
Access the Startup menu: Start> Run> type in 'msconfig' without the quotes> Enter> Selective Startup> Startup tab: Uncheck the following:
qttask.exe
GoogleToolbarNotifier.exe
Apply> OK> Reboot into Normal mode> Close the nag message that comes up after checking 'don't show this message again'.

Be sure to remove the Tracking Cookies. Post back with the name of the process(es) in the Task Manager that starts to run in the background.
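As an added illustration (not code from this thread or from HijackThis itself): a small Python parser for the HijackThis line format quoted above. It pulls out the section, CLSID and file path of each entry and flags the '(no file)' / '(file missing)' entries of the kind Bob asked to have fixed, plus downloaded O16 controls. The sample lines are copied from this thread's log excerpts; the regular expressions are my own assumptions about the format.

```python
import re

# Constructed sample: HijackThis entries copied from the log excerpts quoted in this thread.
SAMPLE_LOG = [
    r'O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)',
    r'O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe',
    r'O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab',
    r'O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe',
]

ENTRY_RE = re.compile(r'^(O\d+) - (.*)$')  # assumed shape: "O<n> - <body>"
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
WINPATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)

def parse_hjt_line(line):
    """Split one HijackThis line into its section (O2, O4, ...), CLSID, file path and orphan flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid = CLSID_RE.search(body)
    path = WINPATH_RE.search(body)
    return {
        "section": section,
        "body": body,
        "clsid": clsid.group(0) if clsid else None,
        "path": path.group(0) if path else None,
        # HJT marks registry entries whose target file is gone; those are the ones to fix
        "orphan": "(no file)" in body or "(file missing)" in body,
    }

def review_entries(lines):
    """Return (entry, reason) pairs for the entries a helper would ask the poster to look at."""
    findings = []
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        if entry["orphan"]:
            findings.append((entry, "registry entry points at a file that no longer exists"))
        elif entry["section"] == "O16":
            findings.append((entry, "downloaded ActiveX control (DPF); remove once no longer needed"))
    return findings

if __name__ == "__main__":
    for entry, reason in review_entries(SAMPLE_LOG):
        print(f'{entry["section"]} {entry["clsid"] or entry["path"]}: {reason}')
```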
 
Bob,

Thanks again...

Ok I did as you asked.

I deleted all the tracking cookies and fix checked the items you identified in HJT.

qttask.exe and GoogleToolbarNotifier.exe were not in the Startup tab (I assume that the Fix Checked took them out; I also cleaned up my startup this weekend).

Here are the processes running (wow, lots)... Please note they are not in order of which ones are using the most CPU. Also, I didn't know if there is a trick to cut and paste these, so I have typed them out. Hopefully there are no typos ;)

-------- List of running processes after bootup ----------
taskmgr.exe
ctfmon.exe
SuperAntiSpyware.exe
usnssvc.exe
wuauclt.exe
avgtray.exe
alg.exe
alclient.exe
nmsrvc.exe
aawservice.exe
explorer.exe
nmapp.exe
svchost.exe
vsmon.exe
mcciCMSerive.exe
svchost.exe
avgwdsvc.exe
AppliceMobileDeviceService.exe
svchost.exe
svchost.exe
msnmsgr.exe
svchost.exe
mccitrayApp.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
avgrsx.exe
spoolsv.exe
system
system Idle Process

------------------------------------------------------------

I noticed that svchost.exe is there at least 6 times. Is this normal?

Also when I have the problem with the pc performance, the processes taking the most CPU seem to be:

wuauclt.exe, mcci (not sure which of the two), svchost.exe, iexplorer..

I will keep a closer eye on the processes.

My PC has been running a bit better over the weekend since I updated the startup and completed the preliminary removal steps. I will continue to monitor...

Do you recommend that I increase the privacy settings in IE to better control the cookies? I believe I was set to Med/High. Which setting would you recommend?

I really appreciate your time... Let me know if there is anything else you think I should check or information you may need.

Regards,

SilverIris (aka..Natalie)
 
FYI .. I just had the problem where processes were going nuts :(

The processes which were using most of the CPU were: explorer.exe, mccitrayapp, system, and I also got dumpprep.exe...
 
Blocking Third Party Cookies

I noticed that svchost.exe is there at least 6 times. Is this normal?
Yes. I usually have around 9.
Do you recommend that I increase the privacy settings in IE to better control the cookies? I believe I was set to Med/High. Which setting would you recommend?
Leave the security setting where it is. But you should block or prompt for third party Cookies. First Party is for the site itself, Third Party is for all the ads, partners and 'junk':
Open IE> Tools> Internet Options> Privacy tab> Advanced> check 'allow' for 1st party, 'block' for 3rd party, check 'always allow per session Cookies'.

Another way to control the Cookies is by restricting the Domain they come from:
Internet Options> Security tab> Restricted sites> Sites> each domain can be typed in one at a time and Added to the blocked sites: like this:

For Internet Explorer: Tools> Internet Options> Security tab> Restricted Sites> Sites> type the Tracking Cookie Domain in and Add.

Some others you might want to Add:
Common Tracking Cookies:
.112.2o7.net
*.180solutions
.2o7.net
.ad.lookery
*.ad.yieldmanager.com
.adrevolver.com
ads.monster.com
.ads.pointroll.com
.advertising.com
*.atdmt.com
.bluestreak.com
*.casalemedia.com
.doubleclick.net
.fastclick.net
.mediaplex.com
.realmedia.com
*.rightmedia
.specificclick.net
.statcounter.com
.tacada.net
.tacada.com
.trafficmp.com
.tribalfusion.com
*.zango.com

Type each in exactly as shown. The use of the * acts as a wild card to block anything from that Domain> Add.
You only have to do this once. IF you get a message that it is already in another zone, open the Trusted sites and remove it from there, then add to Restricted.
 
You should be able to identify most of those processes here:
http://www.bleepingcomputer.com/startups/

You can also use these:
STARTUP APPLICATION DATABASE LIST
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
http://www.sysinfo.org/startuplist.php

explorer.exe> is the Windows Program Manager or Windows Explorer.

McciTrayApp.exe> Tray icon for Bell South broadband customers which can be used to diagnose and repair connection and hardware problems. This software is rebranded software from Motive.

If you have McciTrayApp.exe on the Startup Menu, you can uncheck it as it does not need to start at boot and run in the background. The process will show this in the Command Column on Startup: C:\Program Files\BellSouthWCC\

dumpprep.exe> Dumpprep.exe is a Microsoft Dump Reporting Tool, a part of the Windows Operating System.
It is used to prepare an error report after a system or program crash. Dumpprep may be disabled via Control Panel, System, Additional, Error Reporting dialog. This process does not need to be running.

MCCI Exe> associated with PDAPhoneHome. (Verizon)

iexplore.exe> Internet Explorer

wuauclt.exe> is a process managing automatic updates for Microsoft Windows.

For high usage by the 'System' process, please review this:
How to troubleshoot configuration errors by using the System Configuration utility in Windows XP
http://support.microsoft.com/kb/310560

This should be of great help. This process should not be using high CPU.
 
Bob,

Thank you so much for all the help, you are amazing. I will go through all the information you provided. The PC is already running better from all the help and information I got from this site and of course with your help.

I will be more diligent about the sites I visit (games)...

Thanks,
 