PC still slow after cleanup


15 replies to this topic

#1 kullaroo


Posted 10 September 2009 - 12:20 AM

I am helping a friend remove Norton (NIS, NSW, N360, NLiveUpdate) and references to her ex-husband from her PC. The PC is a Packard Bell D815AW 1.5GHz which had 128Mb increased to 384Mb RAM with Windows XP Home sp2 purchased late-2001. She uses a dial-up connection with an internal modem. Her PC had stopped responding with the last update to a Norton product (she was unsure which).

Being a Packard Bell, there would have been an icon on the desktop to create a recovery CD from the OS in a hidden partition. Her ex-husband did not do this and there is no recovery CD (I would have preferred to reformat the HDD and start fresh). I used TweakUI to check for the hidden partition but it has been removed (probably to make space, as it is only 35Gb).

It takes 1:05 mins to open the Desktop + a further 1:10 to complete the startup process. It takes 1:15 to shutdown.
It still seems to be quite slow in responding to programs; eg, opening a search window takes about 30secs.

I've:
used the Norton removal Tool to remove: NIS, NSW, N360, NLU.
removed accounts no longer required.
changed Computer Owner Name to her name (she had bought the PC but her ex-husband had taken it over).

To install SP3 I had to remove a "Documents" folder in C:\ that had no owner and no permissions; I did this by modifying the security settings for it and its sub-folders (it looked like a newly created MyDocuments folder when Windows is first installed). Once this was done, the folder disappeared and SP3 installed without the failure to copy "beethov9.wma" which had been occurring repeatedly.

In the process of removing this "Documents" folder, I then went into Safe Mode | CMD prompt, where I found and removed the contents and directories under C:\Apps\Norton (various).

As any attempt to use IE or OE invoked an ISP's signup version of the Internet Connection Wizard, I installed Chrome browser.

I installed:
Kaspersky Internet Security 2010.
OpenOffice.org v3.1
Thunderbird e-mail client.

When I've returned the PC and connected to her dialup account I'll install Mailwasher v6.1 Free to check mail on the server before downloading.

I've deleted most of the $NTinstallKB* folders in C:\Windows (some, although selected, did not delete).

I've uninstalled Microsoft Money 2002 (left over from MS Works which did not appear on the Add/Remove list).

I've used:
EasyCleaner to remove invalid registry entries and "unnecessary" files including Internet temporary files, Cookies and History.
NTregOpt to defrag the registry,
Diskcleanup to remove temporary files.

I've defragmented the C: drive; I have 71% free space on the HDD.

I then turned off System restore to remove old restore points; turned System restore back on and created a post-Cleanup restore point.

I've installed and run MalwareBytes AM tool; there were 3 items found:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Files Infected:
C:\WINDOWS\system32\spoolsvc.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\videosd32.exe (Backdoor.Bot) -> No action taken.

EasyCleaner reports csrss.exe as a suspect startup item. This file is located in the Windows\system32 folder; I think this is a required part of Windows.
KIS reports Windows\system32\drivers\MSIKBD2K.SYS as a PDM.Keylogger. The motherboard is an MSI one and I think this is a keyboard driver.

I've reduced the startup programs to just KIS2010, OOo quickstart, HPmonitor, Network connection and ATi video control.

I've not changed the hosts file.

I've stopped the Indexing Service.

I've removed Windows components Internet Explorer and Outlook Express (they were ISP versions which would only invoke the Internet Connection Wizard).

I've got the MBAM and HiJackThis logs I ran after cleaning the PC as best I could.

Is there anything else I could do (without being able to reformat the HDD to start afresh) to speed up this PC?

#2 Budapest


Posted 10 September 2009 - 12:52 AM

Upload these two files to Jotti for analysis:

C:\WINDOWS\system32\spoolsvc.exe
C:\WINDOWS\system32\videosd32.exe
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 kullaroo


Posted 10 September 2009 - 03:37 AM

Results are:
spoolsvc.exe 0Kb (not scanned)
Note: there are five copies of spoolsv.exe spoolsv(2).exe through spoolsv(5).exe each 57Kb

videosd32.exe (scanner results):
ArcVir 2009-09-09 Found nothing
G-Data 2009-09-10 Backdoor.Bot.37405
A-Squared 2009-09-10 Found nothing
Ikarus 2009-09-10 Found nothing
Avast! 2009-09-09 Win32:Trojan-gen {Other}
Kaspersky 2009-09-10 Found nothing
AVG 2009-09-10 Win32/Heur
NOD32 2009-09-09 Found nothing
AntiVir 2009-09-09 WORM/ForBot.93362
Norman Operation timed out
Bit Defender 2009-09-10 Backdoor.Bot.37405
Panda 2009-09-09 Malicious
Clam AV 2009-09-10 Found nothing
Quick Heal 2009-09-10 Trojan.Agent.a
CP secure 2009-09-10 Found nothing
Sophos 2009-09-10 Sus/UnkPacker
DrWeb 2009-09-10 Found nothing
VBA32 2009-09-09 Found nothing
F-Prot 2009-09-09 Found nothing
VirusBuster 2009-09-09 Packed/MEW
F-Secure 2009-09-10 Found nothing
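
A multi-engine result like the one above is easier to read once it is split into engines that finished clean, engines that returned a named family, engines that returned only a heuristic or packer verdict, and engines that never finished. The script below is an added example for this thread, not Jotti's code or anything posted by kullaroo or Budapest; it assumes the one-engine-per-line layout exactly as pasted in reply #3, and the GENERIC_MARKERS list is my own rough heuristic for telling a named detection from a generic one.

```python
"""Summarise a multi-engine (Jotti-style) verdict list: how many engines finished, how many
flagged the file, and whether the verdicts are named families or only heuristic/packer hits."""
import re

# Constructed sample: the verdict lines for videosd32.exe as posted in reply #3 of this thread.
SAMPLE_RESULTS = """\
ArcVir 2009-09-09 Found nothing
G-Data 2009-09-10 Backdoor.Bot.37405
A-Squared 2009-09-10 Found nothing
Ikarus 2009-09-10 Found nothing
Avast! 2009-09-09 Win32:Trojan-gen {Other}
Kaspersky 2009-09-10 Found nothing
AVG 2009-09-10 Win32/Heur
NOD32 2009-09-09 Found nothing
AntiVir 2009-09-09 WORM/ForBot.93362
Norman Operation timed out
Bit Defender 2009-09-10 Backdoor.Bot.37405
Panda 2009-09-09 Malicious
Clam AV 2009-09-10 Found nothing
Quick Heal 2009-09-10 Trojan.Agent.a
CP secure 2009-09-10 Found nothing
Sophos 2009-09-10 Sus/UnkPacker
DrWeb 2009-09-10 Found nothing
VBA32 2009-09-09 Found nothing
F-Prot 2009-09-09 Found nothing
VirusBuster 2009-09-09 Packed/MEW
F-Secure 2009-09-10 Found nothing
"""

# Engine names may contain spaces ("Bit Defender", "Quick Heal"), so anchor on the ISO date.
LINE_RE = re.compile(r"^(?P<engine>.+?) (?P<date>\d{4}-\d{2}-\d{2}) (?P<verdict>.+)$")
TIMEOUT = " Operation timed out"
# Assumption (my own heuristic): substrings that mark a generic, heuristic or packer-only verdict
# rather than a named malware family.
GENERIC_MARKERS = ("Heur", "Sus/", "Packed/", "-gen", "Generic", "Malicious")


def classify(verdict):
    """'clean', 'generic' (heuristic/packer-only) or 'named' (a specific family)."""
    if verdict == "Found nothing":
        return "clean"
    if any(marker in verdict for marker in GENERIC_MARKERS):
        return "generic"
    return "named"


def summarise(text):
    """Bucket every engine line and compute detection counts over engines that completed."""
    buckets = {"clean": [], "generic": [], "named": [], "timed_out": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            buckets[classify(m["verdict"])].append((m["engine"], m["verdict"]))
        elif line.endswith(TIMEOUT):
            # Engines that never finished carry no date; they must not count as "clean".
            buckets["timed_out"].append(line[: -len(TIMEOUT)])
        else:
            raise ValueError("unrecognised line: " + line)
    completed = len(buckets["clean"]) + len(buckets["generic"]) + len(buckets["named"])
    detected = len(buckets["generic"]) + len(buckets["named"])
    return {
        "completed": completed,
        "detected": detected,
        "ratio": detected / completed if completed else 0.0,
        "named_families": sorted({v for _, v in buckets["named"]}),
        **buckets,
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_RESULTS)
    print(f"{s['detected']}/{s['completed']} engines flagged the file "
          f"({len(s['named'])} named, {len(s['generic'])} generic); timed out: {s['timed_out']}")
    print("named families:", s["named_families"])
```

The point of separating "named" from "generic" is that several engines agreeing on a family name (here Backdoor.Bot) is a much stronger signal than a lone Packed/ or Sus/ verdict, which only says the file is packed or odd-looking; and an engine that timed out tells you nothing either way, so it is excluded from the denominator.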

#4 Budapest


Posted 10 September 2009 - 04:26 PM

Run another Malwarebytes scan and remove everything found. Post the log.

#5 kullaroo


Posted 10 September 2009 - 07:44 PM

Done. Here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/09/2009 10:35:26 AM
mbam-log-2009-09-11 (10-35-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 155608
Time elapsed: 1 hour(s), 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\videosd32.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spoolsvc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
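
The difference between the log in reply #1 and the one above is the action column: "No action taken" versus "Quarantined and deleted successfully". When reading MBAM logs it helps to check that mechanically. The script below is an added example for this thread (not Malwarebytes' code and not something either poster ran); it assumes the MBAM 1.41 text layout as pasted in replies #1 and #5, and its sample log is constructed from the detections those two replies list, with one file still unresolved so that the check has something to report.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and audit what actually got removed."""
import re

# Constructed sample in the layout of the MBAM 1.41 logs posted in this thread. It mixes the
# "No action taken" items from reply #1 with one item already quarantined as in reply #5;
# it is not a verbatim copy of either log.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 155608
Time elapsed: 1 hour(s), 2 minute(s), 23 second(s)

Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\videosd32.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spoolsvc.exe (Backdoor.Bot) -> No action taken.
"""

# "Files Infected: 2" is a summary line; "Files Infected:" with no number opens a section.
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# item (threat) [-> Bad: (n) Good: (n)] -> action.
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\))?"
    r" -> (?P<action>.+?)\.?$"
)
RESOLVED = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'items': [{section, item, threat, action}, ...]}."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line closes the current section
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({"section": section, "item": m["item"],
                          "threat": m["threat"], "action": m["action"]})
    return {"summary": summary, "items": items}


def unresolved_items(parsed):
    """Detections the scan reported but did not quarantine (the situation in reply #1)."""
    return [i for i in parsed["items"] if i["action"] != RESOLVED]


def count_mismatches(parsed):
    """Sections whose summary count disagrees with the items listed (e.g. a truncated paste)."""
    listed = {}
    for i in parsed["items"]:
        listed[i["section"]] = listed.get(i["section"], 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in parsed["summary"].items()
            if n != listed.get(s, 0)}


def security_center_tampering(parsed):
    """Registry items that silence Security Center's antivirus warning (Disabled.SecurityCenter)."""
    return [i["item"] for i in parsed["items"] if i["threat"].startswith("Disabled.SecurityCenter")]


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for i in unresolved_items(parsed):
        print("still present:", i["item"], "->", i["action"])
    print("count mismatches:", count_mismatches(parsed))
    print("Security Center tampering:", security_center_tampering(parsed))
```

The AntiVirusDisableNotify check is called out separately because that value is not malware itself: it is a Windows Security Center setting that, when set to 1, suppresses the "no antivirus detected" alert, which is why malware sets it. Once it is reset (as in the log above) the alert comes back, so the absence of a Security Center warning after cleanup means something again.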

#6 Budapest


Posted 10 September 2009 - 07:55 PM

Please download ATF Cleaner by Atribune and save it to your desktop (alternate download link). DO NOT use it yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#7 kullaroo


Posted 11 September 2009 - 04:58 AM

Done as requested.

Here is the SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/11/2009 at 01:27 PM

Application Version : 4.28.1010

Core Rules Database Version : 4094
Trace Rules Database Version: 2034

Scan type : Complete Scan
Total Scan Time : 01:46:16

Memory items scanned : 206
Memory threats detected : 0
Registry items scanned : 4615
Registry threats detected : 0
File items scanned : 53241
File threats detected : 0

Does this mean we are clear now?

Edited by kullaroo, 11 September 2009 - 07:43 AM.


#8 Budapest


Posted 13 September 2009 - 04:39 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop (alternate download link). DO NOT perform a scan yet.
Note: The file will be randomly named (e.g. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


#9 kullaroo


Posted 14 September 2009 - 10:02 PM

Hi Budapest,

Here is the DrWeb log:

POSTOOBE.NEC;C:\DRIVERS;VBS.Generic.331;Deleted.;
TFTP2280;C:\WINDOWS\system32;Win32.HLLW.MyBot;Deleted.;

Where to next?

#10 Budapest


Posted 14 September 2009 - 10:06 PM

Please run another Malwarebytes quick-scan and post the log. Also, let us know how your computer is running.

#11 kullaroo


Posted 15 September 2009 - 01:39 AM

Hi Budapest,

It is running pretty well now considering I couldn't do a fresh install of WinXP; about 1:10 to shutdown; 0:50 to open the desktop and a further 1:00 to finish all the background/startup processes. (I had the network cable disconnected and KIS2010 would waste some time looking for updates.)

Here is the MBAM log as requested:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

15/09/2009 4:29:58 PM
mbam-log-2009-09-15 (16-29-58).txt

Scan type: Quick Scan
Objects scanned: 104093
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

As they say in the ads, "Are we there yet?"

#12 Budapest


Posted 15 September 2009 - 01:47 AM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java or J2SE entries that you have.

#13 kullaroo


Posted 15 September 2009 - 06:01 AM

Hi Budapest,

Done.

In Add/Remove Programs there is just a Java entry:
Java™ 6 Update 13 Size 97.04Mb

#14 Budapest


Posted 15 September 2009 - 04:12 PM

That Java entry is out of date. You should remove it and then get the latest from here:

http://java.com/en/download/index.jsp

#15 kullaroo


Posted 15 September 2009 - 06:12 PM

Hi Budapest,
Done. We now have Java 6 update 16.



