BleepingComputer.com: Slow Startup After Virus Removal

When booting, it takes over 2 minutes to load windows(used to take 45 seconds), and then its another minute before I can run programs, my AV also doesn't show the trey icon for a minute. It hangs a little on the "starting windows" logo, and used to have a black screen with courser after "welcome" for about 30 seconds but that went away. Performance is normal after.

I couple days ago I got a few viruses (See bottom). It was fake alert and hid all my files, disabled my internet. I removed viruses with malwarebytes and superantisyware and combofix. Reran MBAM and everything was clear. Used Unhide successfully for my files, and then had to mess around with "attrib -s -h *.* /s /d" settings" until certain "Hidden Files" (like desktop.ini) where hidden. Restored internet with ICRTool.

Things I've done:
PC is normally fast,
- Ran another full malwarebytes scan (clean)
- Optimised services (unchanged from before), only 42 processes running
- only 3 startup items (AV, sound driver, bandwidth monitor).
- CCleaner (files and registry)
- Memory diagnostics (no prob found)
- Update GPU drivers
- Defrag HDD

I don't know what else to do. Help appreciated.

Viruses removed:

Quote

System: Windows 7 64bit, Intel Q8300 2.5Ghz, GTS 250 1GB, 6.5GB ram, 750GB HDD.
My other problem here: http://www.bleepingcomputer.com/forums/topic439647.html

This post has been edited by hamluis: 26 January 2012 - 06:53 PM
Reason for edit: Moved from Win 7 to Am I Infected.

Does the PC boot substantially faster into Safe Mode?

Use Autoruns to list startup programs.

• Download the .zip file and extract to a folder on your desktop. Open that folder, right-click autoruns and select Run As Administrator.
  
• Autoruns will begin scanning immediately. Press Esc to interrupt it.
  
• Click Options > Filter Options and check Hide Microsoft Entries. Click OK
  
• Press F5 to begin a new scan.
  
• When it is finished, click File > Save and save the report to your desktop.
  
• Locate the report on the desktop, right click, select Send To > Compressed (zipped) Folder. A new archive will appear on the desktop.
  
• Use the forum's 'Full Editor' to attach the archive to your next post.

==========================================================

I tried safe mode, it does start up faster, about 1:15 minute to windows, then 15 seconds to open programs. And here is the Autoruns.

The first thing to note is that you have a lot of services and programs related to GameGuard that auto-start. These have rootkit-like behavior patterns. I wouldn't be surprised that Combofix broke some of these programs in such a way that they hang for a bit when starting.

LucheLibre, on 26 January 2012 - 03:59 PM, said:

What do I do about it? I don't think I need them, it's related to a game I uninstalled along time ago.

I'd first uninstall any entries related to it from the Add/Remove Programs utility.

There is also this: http://www.bleepingcomputer.com/forums/topic131307.html

Vista and 7 are not much different under the hood, so you might have some success with it.

Also this: http://www.aionsource.com/topic/53559-how-to-completly-remove-nprotect-game-guard/

LucheLibre, on 27 January 2012 - 11:44 PM, said:

Ok thanks did all that except the "nprotectremover.exe" link doesnt work and I can't find a download for it. I did everything on the aion site, deleted those 3 files, the 2 registry folders, uninstalled anything associated with gamegaurd. No difference, still have the slow startup.

This post has been edited by djvtech: 01 February 2012 - 07:32 PM

The next thing I suggest is to reinstall your antivirus software.

If no change, I suggest using Autoruns. Focus on the Logon, Winlogon, and Explorer tabs only. Uncheck those entries and retest. If windows works more normally, rerun Autoruns and enable one thing. Retest and repeat until you find something that greatly increases startup time.

This post has been edited by LucheLibre: 01 February 2012 - 10:24 PM

LucheLibre, on 01 February 2012 - 10:23 PM, said:

Did all that. Unchecked EVERYTHNIG under logon and explorer. Winlogon didnt have anything. No change in bootup time.

Welp, I guess we (well...you ;-) ) will have to go about this the (possibly) long way.

http://support.microsoft.com/kb/929135

This post has been edited by LucheLibre: 03 February 2012 - 11:33 PM

LucheLibre, on 03 February 2012 - 05:56 PM, said:

Disabled all non-microsoft services, AND startup items. Restarted, no change in speed...

Well, that supports a conclusion of basic system damage then, likely leftovers from the malware and your repair attempts.

Check System File Integrity

• Click Start Orb and type cmd. In search results, right-click cmd and select Run as Administrator.
  
• At the prompt, type sfc /scannow and press Enter. There is a space between "sfc" and "/scannow". This process make take a while.
  
  • If SFC find errors it cannot correct, it may ask you to insert your Windows CD.
  
  
• When SFC finishes, it will show you a summary of it's scan. Copy the entire contents to your next reply.
  
• Restart your computer.
  
• Run Windows Update immediately if you had to use your Windows CD during this operation.

===========================================

This next procedure may not provide the answers we need, but it would be good to have available if you plan to continue troubleshooting this instead of reinstalling.

Use Process Monitor to capture boot operations.

• Download and extract to a folder on your desktop. Right-click on program and select Run As Administrator.
  
• The ProcMon filter dialog box will appear. Click Reset and then OK.
  
• Process Monitor will begin capture. Immediately press Control + E to stop. Press Control + X to clear log.
  
• Click Options > Enable Boot Logging.
  
• An options dialog will open. Check Generate profiling events. Select Every second.
  
• Close Process Monitor and restart computer.
  
• As soon as possible, rerun Process Monitor. It will ask to save the collected data. Click Yes. Save to your desktop as bootlog.
  
  • Depending on the size of your log, Process Monitor will create several files named "bootlog", "bootlog-1", etc.
  
  
• Download 7-zip and install.
  
• Hold down the Ctrl key and click every bootlog file on the desktop. Release the Ctrl key. Right-click on one of (now-highlighted) files and select 7-Zip > Add to "bootlog.7z". Do not select Add to "bootlog.zip".
  
• Locate the new archive on your desktop and upload to a file-sharing site such as Mediafire.
  
• Copy the file's weblink to your next reply.

======================================================

This post has been edited by LucheLibre: 06 February 2012 - 07:30 PM

LucheLibre, on 06 February 2012 - 07:29 PM, said:

Ok, I ran that and it went through verification phase then said "Windows Resource Protection did not find any integrity violations."

And here are the bootlog files: http://www.mediafire.com/?x7y5pyarrryhey1

Just a hunch...

Uninstall Avast and retest, if you haven't tried this already.

If no change, uninstall (don't just disable) your audio drivers and retest.

Uninstalling avast didn't work. I uninstalled my realtek HD audio (no change), but I don't think that was the drivers. You're talking about the drivers in the device manager? I'll do that, but how will I reinstall it? Will the audio driver "High Definition Audio Device" still be there and I just right click on it to reinstall it? see picture below:

http://img855.imageshack.us/img855/1738/audiodrivers.png

This post has been edited by djvtech: 08 February 2012 - 03:01 AM