Extremely Slow for a Week and a Half


12 replies to this topic

#1 GaryGranath

GaryGranath

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, in the infamous Durham Triangle
  • Local time:12:28 PM

Posted 10 December 2009 - 04:15 PM

My PC has been running extremely slowly for about a week and a half. I have an older Gateway 1.6GHz with 512MB, Windows XP Home SP3, wired home network, DSL router with firewall. I use ZoneAlarm Extreme Security, with its antivirus/antispyware, firewall, program security, and browser security activated. Also use the following, with latest updates, although I didn't have them installed before the slowdown started. I installed them afterward to see if they could find a cause for the problem. Spybot and Malware Bytes have detected and removed a few malwares, but still very slow.

Microsoft Malicious Software Removal Tool
Malware Bytes' Anti-Malware
Spybot S&D
SpywareBlaster
ESET Online Scanner

The PC can take a full 10 minutes just to boot and it locked up completely once. I think that a Windows update fouled up somehow because I kept getting the yellow shield in the system tray telling me to download and install - may not be relevant. Also, something I've never heard of - during a reboot, Windows told me I had to activate/register my copy of XP. I've been using it for several years so what's that about? I called MS, entered a couple very long codes, and I'm ok again, but I wonder if that's relevant too. Can someone please help me get started with this sweetheart?
Thanks, GG



#2 GaryGranath


Posted 14 December 2009 - 10:42 PM

I'm adding to my original post (no replies after 4 days) because my situation is going downhill quickly.
This evening my PC rebooted without any warning and when it came back up, the following message from Microsoft was waiting for me:

Microsoft Windows Error Reporting:

Problem caused by antivirus or firewall program
You received this message because your antivirus or firewall program has caused a blue screen error, which means the computer has shut down abruptly to protect itself from potential data corruption or loss.

Oh dear, this sounds serious. Someone please help!

#3 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:28 AM

Posted 15 December 2009 - 08:01 AM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.



Please rerun Malwarebytes and post back the log.
Computer Pro

#4 GaryGranath


Posted 15 December 2009 - 04:37 PM

Toward the middle of this post is the MalwareBytes log you requested. I updated MB just before the scan, and did a "full" scan. Neither Spybot, SpywareBlaster, MS Malicious Software Removal Tool, nor ZoneAlarm Extreme Security finds anything now.

However, Malwarebytes did quarantine the following recently:
--------------------------------------
12/10/09
Files Infected:
C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154\A0230267.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154\A0230356.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
---------------------------------------
12/05/09
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d714a94f-123a-45cc-8f03-040bcaf82ad6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
---------------------------------------

After last night's crash and the recent extremely slow perfm, I'm sure there's still something deep down inside chewing away.

BTW, I am already subscribed - I checked for replies last night and didn't get notification of your update till this morning. Here's today's MB log.
-Gary

Malwarebytes' Anti-Malware 1.42
Database version: 3365
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/15/2009 4:12:12 PM
mbam-log-2009-12-15 (16-12-12).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 301594
Time elapsed: 2 hour(s), 38 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 Computer Pro


Posted 15 December 2009 - 08:31 PM

Ok, next:

Please run ATF and SAS:

Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note 2: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.



Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#6 GaryGranath


Posted 15 December 2009 - 11:45 PM

Your first note cautions: Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

I am the only user and the administrator on this PC. Do I need to be concerned about the "users" other than myself (Gary Granath) listed under Documents and Settings, specifically Administrator, All Users, Default User, Local Service, and Network Service?

I run Win XP Home SP3 so how should I respond to your note2 re: using ATF Cleaner to empty Windows Temp?

#7 Computer Pro


Posted 16 December 2009 - 07:52 AM

Just under your account is fine. Yes, have ATF delete those as well.
Computer Pro

#8 GaryGranath


Posted 16 December 2009 - 09:29 AM

Super did not find anything. I followed your directions exactly and Super scanned both of my fixed drives. Here is the log. Don't know what to think. I still have an extremely unresponsive machine and have found nothing so far to explain my earlier "blue screen" error. What would you like me to try next?

-------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/16/2009 at 03:07 AM

Application Version : 4.31.1000

Core Rules Database Version : 4377
Trace Rules Database Version: 2217

Scan type : Complete Scan
Total Scan Time : 03:08:57

Memory items scanned : 442
Memory threats detected : 0
Registry items scanned : 7456
Registry threats detected : 0
File items scanned : 166138
File threats detected : 0

#9 Computer Pro


Posted 16 December 2009 - 06:42 PM

Let's run another scan:

Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
If prompted to download the Full version Free Trial, ignore and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
Now put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
In the top menu, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Computer Pro

#10 GaryGranath


Posted 22 December 2009 - 10:12 AM

I finally got to complete the scans. They ran a long time, even the Express. When the Complete scan finished I didn't see a "Move incurable" option. Maybe I didn't pay attention or it didn't display. But I didn't see it. So I clicked "Yes to all."
Then I saved the report to desktop and tried to exit Dr.Web Cureit. He told me I had bugs I hadn't acted upon. Based on what you told me to do, that made sense. So I renamed the first saved report to Dr.Web1.csv, then I clicked the Move choice and saved another report and named it Dr.Web2.csv. The two saved reports appear identical. They are below.

Finally, I have a DoctorWeb folder under my user Docs and Settings containing a CureIt.log and a Quarantine folder, which contains four files: A0228800.dll, A0229158.exe, descript.ion, and hosts (no file extension indicated). Anything else?
-Gary

DrWeb1.csv:
RegUBP2b-Gary Granath.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
A0228800.dll;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1152;Adware.Coupons.34;;
A0237914.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1183;Trojan.StartPage.1505;Deleted.;
A0237991.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1183;Trojan.StartPage.1505;Deleted.;
A0241140.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1184;Trojan.StartPage.1505;Deleted.;
A0241260.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1185;Trojan.StartPage.1505;Deleted.;
A0241392.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1186;Trojan.StartPage.1505;Deleted.;
A0241525.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1186;Trojan.StartPage.1505;Deleted.;
A0241962.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1190;Trojan.StartPage.1505;Deleted.;
A0229158.exe\data012;F:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154\A0229158.exe;Adware.Coupons.34;;
A0229158.exe\data013;F:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154\A0229158.exe;Adware.Coupons.34;;
A0229158.exe\data015;F:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154\A0229158.exe;Adware.Coupons.34;;
A0229158.exe\data016;F:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154\A0229158.exe;Adware.Coupons.34;;
A0229158.exe;F:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154;Container contains infected objects;Moved.;


DrWeb2.csv:
RegUBP2b-Gary Granath.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
A0228800.dll;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1152;Adware.Coupons.34;Moved.;
A0237914.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1183;Trojan.StartPage.1505;Deleted.;
A0237991.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1183;Trojan.StartPage.1505;Deleted.;
A0241140.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1184;Trojan.StartPage.1505;Deleted.;
A0241260.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1185;Trojan.StartPage.1505;Deleted.;
A0241392.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1186;Trojan.StartPage.1505;Deleted.;
A0241525.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1186;Trojan.StartPage.1505;Deleted.;
A0241962.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1190;Trojan.StartPage.1505;Deleted.;
A0229158.exe\data012;F:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154\A0229158.exe;Adware.Coupons.34;;
A0229158.exe\data013;F:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154\A0229158.exe;Adware.Coupons.34;;
A0229158.exe\data015;F:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154\A0229158.exe;Adware.Coupons.34;;
A0229158.exe\data016;F:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154\A0229158.exe;Adware.Coupons.34;;
A0229158.exe;F:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154;Container contains infected objects;Moved.;

-----------End of Reports-----------

#11 Computer Pro


Posted 22 December 2009 - 09:48 PM

Is it still slow?
Computer Pro

#12 GaryGranath


Posted 23 December 2009 - 10:14 PM

I should wait a day or two more to make sure, but I think performance has improved to its previous level.

I don't know how much the bugs detected by ATF Cleaner, SuperAntiSpyware, and DrWeb Cureit had to do with it. During one particularly slow period after you started helping me, I ran Task Manager and found that my Firefox browser, which I had closed earlier, was still running and was using 95 percent of my processor's power. I terminated Firefox and uninstalled it. Things seemed to improve immediately. But obviously the three tools you had me run found several things so they very likely helped.

If after a few days my perfm is still stable, I think we can close this thread. I wouldn't spend my own time helping people for free and I don't expect you to do that. Could you please let me know how much time you've spent on this and if you wish, to give me a donation suggestion? Otherwise I'll have to take a stab in the dark.
Thanks Very Much, Gary

#13 Computer Pro


Posted 23 December 2009 - 10:23 PM

I'm glad that the performance is back to normal. I am just 14 years old, and I just do this in my free time when I'm not playing sports, in school, and such. I enjoy helping others. So please don't worry about a donation. If you wish to donate, please donate to a local charity of your choice.

And to complete:



Create a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the most recently created Restore Point.
Go to Start > Run and type: Cleanmgr
Click "Ok"
Disk Cleanup will scan your files for several minutes, then open.
Click the "More Options" Tab.
Click the "Clean up" button under System Restore.
Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
Click Yes, then click Ok.
Click Yes again when prompted with "Are you sure you want to perform these actions?"
Disk Cleanup will remove the files and close automatically.
Computer Pro
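Added example, not part of the thread: a small Python parser for the semicolon-separated Dr.Web report rows posted in reply #10, which compares two saved reports, lists detections with no recorded action, and counts detections per System Restore point (the location the restore-point advice in reply #13 is about). The function names are hypothetical, the sample rows are a subset copied from the posted reports, and the field layout (object;path;threat;action;) is inferred from those rows.

```python
import re
from collections import Counter

# Subset of rows copied from the DrWeb1.csv report posted in this thread.
REPORT_1 = r"""
RegUBP2b-Gary Granath.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
A0228800.dll;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1152;Adware.Coupons.34;;
A0237914.reg;C:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1183;Trojan.StartPage.1505;Deleted.;
A0229158.exe\data012;F:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154\A0229158.exe;Adware.Coupons.34;;
A0229158.exe;F:\System Volume Information\_restore{F79FAA88-221F-465A-93A7-CFA6B401C4D7}\RP1154;Container contains infected objects;Moved.;
"""
# In the thread, DrWeb2.csv differs from DrWeb1.csv in the action of one row.
REPORT_2 = REPORT_1.replace("RP1152;Adware.Coupons.34;;",
                            "RP1152;Adware.Coupons.34;Moved.;")

# Windows XP System Restore storage: \System Volume Information\_restore{GUID}\RPnnn
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)")


def parse_report(text):
    """Return {(path, object): row} for each object;path;threat;action; line."""
    rows = {}
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4:
            continue  # blank line or something that is not a report row
        obj, path, threat, action = (f.strip() for f in fields[:4])
        match = RESTORE_POINT.search(path)
        rows[(path, obj)] = {
            "threat": threat,
            "action": action,  # empty string means no action was recorded
            "restore_point": match.group(1) if match else None,
        }
    return rows


def changed_actions(before, after):
    """Rows present in both reports whose recorded action differs."""
    return sorted(
        (key[1], before[key]["action"], after[key]["action"])
        for key in before.keys() & after.keys()
        if before[key]["action"] != after[key]["action"])


def unactioned(rows):
    """Objects that were detected but have an empty action field."""
    return sorted(obj for (_, obj), row in rows.items() if not row["action"])


def restore_point_hits(rows):
    """Number of detections located inside each restore point folder."""
    return Counter(r["restore_point"] for r in rows.values() if r["restore_point"])


if __name__ == "__main__":
    first, second = parse_report(REPORT_1), parse_report(REPORT_2)
    print("changed:", changed_actions(first, second))
    print("still unactioned:", unactioned(second))
    print("per restore point:", dict(restore_point_hits(second)))
```

A path that itself contains a semicolon would break the simple split; none of the rows in this thread do.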



