Slow Startup After Virus Removal


18 replies to this topic

#1 djvtech

Posted 23 January 2012 - 05:26 AM

When booting, it takes over 2 minutes to load Windows (used to take 45 seconds), and then it's another minute before I can run programs, my AV also doesn't show the tray icon for a minute. It hangs a little on the "starting windows" logo, and used to have a black screen with cursor after "welcome" for about 30 seconds but that went away. Performance is normal after.

A couple days ago I got a few viruses (see bottom). It was fake alert and hid all my files, disabled my internet. I removed viruses with Malwarebytes and SUPERAntiSpyware and ComboFix. Reran MBAM and everything was clear. Used Unhide successfully for my files, and then had to mess around with "attrib -s -h *.* /s /d" settings until certain "Hidden Files" (like desktop.ini) were hidden. Restored internet with ICRTool.

Things I've done:
PC is normally fast,
- Ran another full malwarebytes scan (clean)
- Optimised services (unchanged from before), only 42 processes running
- only 3 startup items (AV, sound driver, bandwidth monitor).
- CCleaner (files and registry)
- Memory diagnostics (no prob found)
- Update GPU drivers
- Defrag HDD

I don't know what else to do. Help appreciated.

Viruses removed:

Memory Processes Detected: 1
c:\## aswsnx private storage\r430\0.158088123649_{cf6dcd6f-4092-11e1-99cc-002511a7d93b}\image\programdata\hxcmlzje8afk4b.exe (Rogue.FakeAlert) -> 4048 -> Delete on reboot.

Files Detected: 3
c:\## aswsnx private storage\r430\0.158088123649_{cf6dcd6f-4092-11e1-99cc-002511a7d93b}\image\programdata\hxcmlzje8afk4b.exe (Rogue.FakeAlert) -> Delete on reboot.
C:\Users\Daniel\Local Settings\Temporary Internet Files\Content.IE5\NHT06NUP\Testbundle23w_1254[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\0.15808812364993918.exe (Exploit.Drop.2) -> Quarantined and deleted


System: Windows 7 64bit, Intel Q8300 2.5Ghz, GTS 250 1GB, 6.5GB ram, 750GB HDD.
My other problem here: http://www.bleepingcomputer.com/forums/topic439647.html

Edited by hamluis, 26 January 2012 - 06:53 PM.
Moved from Win 7 to Am I Infected.




#2 LucheLibre

Posted 24 January 2012 - 06:07 PM

Does the PC boot substantially faster into Safe Mode?

Use Autoruns to list startup programs.

  • Download the .zip file and extract to a folder on your desktop. Open that folder, right-click autoruns and select Run As Administrator.
  • Autoruns will begin scanning immediately. Press Esc to interrupt it.
  • Click Options > Filter Options and check Hide Microsoft Entries. Click OK
  • Press F5 to begin a new scan.
  • When it is finished, click File > Save and save the report to your desktop.
  • Locate the report on the desktop, right click, select Send To > Compressed (zipped) Folder. A new archive will appear on the desktop.
  • Use the forum's 'Full Editor' to attach the archive to your next post.

==========================================================

If it looks like I know what I'm doing, there's a pretty good chance the only reason for that is because
I once asked someone to run chkdsk /r and a BC Advisor smacked me in the back of the head.

~ LL ~
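
An added example, not part of the original posts: once an Autoruns report exists, a short script can pick out the entries most worth a look after a malware cleanup, namely enabled autostarts whose target file is gone and ones that are unsigned or launch from temp directories like those in the scan log above. It assumes the report was exported as CSV (for instance with `autorunsc -a * -c -s`); the column names are assumed to match that export, trimmed to the ones used, and every row is constructed.

```python
import csv
import io

# Constructed sample rows; the column names are assumed to match an
# `autorunsc -c -s` CSV export, trimmed to the columns this script reads.
SAMPLE_CSV = r'''Entry Location,Entry,Enabled,Category,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ExampleAV,enabled,Logon,(Verified) Example AV Ltd,c:\program files\exampleav\tray.exe
HKLM\System\CurrentControlSet\Services,ExampleGuardSvc,enabled,Services,,File not found: C:\Windows\system32\exguard.sys
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,upd,enabled,Logon,(Not verified) Unknown,c:\users\user\appdata\local\temp\upd.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldTool,disabled,Logon,(Not verified) Old Tool,c:\oldtool\old.exe
'''

# Directories any user can write to; autostarts launching from here merit review.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\temporary internet files\\")


def triage(csv_text):
    """Return (entry, location, reasons) for enabled autostarts worth reviewing."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].strip().lower() != "enabled":
            continue  # disabled entries do not run at boot
        image = row["Image Path"].strip().lower()
        reasons = []
        if image.startswith("file not found"):
            # Leftover of an uninstalled or deleted program: nothing to verify.
            reasons.append("orphaned: target file is missing")
        elif not row["Signer"].strip().startswith("(Verified)"):
            reasons.append("signer not verified")
        if any(part in image for part in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append((row["Entry"], row["Entry Location"], reasons))
    return findings


if __name__ == "__main__":
    for entry, location, reasons in triage(SAMPLE_CSV):
        print(f"{entry} [{location}]: {'; '.join(reasons)}")
```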


#3 djvtech

Posted 25 January 2012 - 05:53 PM

I tried safe mode, it does start up faster, about 1:15 minute to windows, then 15 seconds to open programs. And here is the Autoruns.

Attached Files



#4 LucheLibre

Posted 26 January 2012 - 03:59 PM

The first thing to note is that you have a lot of services and programs related to GameGuard that auto-start. These have rootkit-like behavior patterns. I wouldn't be surprised that Combofix broke some of these programs in such a way that they hang for a bit when starting.

If it looks like I know what I'm doing, there's a pretty good chance the only reason for that is because
I once asked someone to run chkdsk /r and a BC Advisor smacked me in the back of the head.

~ LL ~


#5 djvtech

Posted 27 January 2012 - 11:35 PM

The first thing to note is that you have a lot of services and programs related to GameGuard that auto-start. These have rootkit-like behavior patterns. I wouldn't be surprised that Combofix broke some of these programs in such a way that they hang for a bit when starting.


What do I do about it? I don't think I need them, it's related to a game I uninstalled a long time ago.

#6 LucheLibre

Posted 27 January 2012 - 11:44 PM

I'd first uninstall any entries related to it from the Add/Remove Programs utility.

There is also this: http://www.bleepingcomputer.com/forums/topic131307.html

Vista and 7 are not much different under the hood, so you might have some success with it.

Also this: http://www.aionsource.com/topic/53559-how-to-completly-remove-nprotect-game-guard/

If it looks like I know what I'm doing, there's a pretty good chance the only reason for that is because
I once asked someone to run chkdsk /r and a BC Advisor smacked me in the back of the head.

~ LL ~


#7 djvtech

Posted 01 February 2012 - 07:31 PM

I'd first uninstall any entries related to it from the Add/Remove Programs utility.
There is also this: http://www.bleepingcomputer.com/forums/topic131307.html
Vista and 7 are not much different under the hood, so you might have some success with it.
Also this: http://www.aionsource.com/topic/53559-how-to-completly-remove-nprotect-game-guard/


Ok thanks did all that except the "nprotectremover.exe" link doesn't work and I can't find a download for it. I did everything on the aion site, deleted those 3 files, the 2 registry folders, uninstalled anything associated with GameGuard. No difference, still have the slow startup.

Edited by djvtech, 01 February 2012 - 07:32 PM.


#8 LucheLibre

Posted 01 February 2012 - 10:23 PM

The next thing I suggest is to reinstall your antivirus software.

If no change, I suggest using Autoruns. Focus on the Logon, Winlogon, and Explorer tabs only. Uncheck those entries and retest. If Windows works more normally, rerun Autoruns and enable one thing. Retest and repeat until you find something that greatly increases startup time.

Edited by LucheLibre, 01 February 2012 - 10:24 PM.

If it looks like I know what I'm doing, there's a pretty good chance the only reason for that is because
I once asked someone to run chkdsk /r and a BC Advisor smacked me in the back of the head.

~ LL ~


#9 djvtech

Posted 03 February 2012 - 05:37 PM

The next thing I suggest is to reinstall your antivirus software.

If no change, I suggest using Autoruns. Focus on the Logon, Winlogon, and Explorer tabs only. Uncheck those entries and retest. If windows works more normally, rerun Autoruns and enable one thing. Retest and repeat until you find something that greatly increases startup time.

Did all that. Unchecked EVERYTHING under logon and explorer. Winlogon didn't have anything. No change in bootup time.

#10 LucheLibre

Posted 03 February 2012 - 05:56 PM

Welp, I guess we (well...you ;-) ) will have to go about this the (possibly) long way.

http://support.microsoft.com/kb/929135

Edited by LucheLibre, 03 February 2012 - 11:33 PM.

If it looks like I know what I'm doing, there's a pretty good chance the only reason for that is because
I once asked someone to run chkdsk /r and a BC Advisor smacked me in the back of the head.

~ LL ~


#11 djvtech

Posted 06 February 2012 - 06:01 PM

Welp, I guess we (well...you ;-) ) will have to go about this the (possibly) long way.

http://support.microsoft.com/kb/929135


Disabled all non-microsoft services, AND startup items. Restarted, no change in speed...

#12 LucheLibre

Posted 06 February 2012 - 07:29 PM

Well, that supports a conclusion of basic system damage then, likely leftovers from the malware and your repair attempts.

Check System File Integrity

  • Click Start Orb and type cmd. In search results, right-click cmd and select Run as Administrator.
  • At the prompt, type sfc /scannow and press Enter. There is a space between "sfc" and "/scannow". This process may take a while.
    • If SFC finds errors it cannot correct, it may ask you to insert your Windows CD.
  • When SFC finishes, it will show you a summary of its scan. Copy the entire contents to your next reply.
  • Restart your computer.
  • Run Windows Update immediately if you had to use your Windows CD during this operation.

===========================================

This next procedure may not provide the answers we need, but it would be good to have available if you plan to continue troubleshooting this instead of reinstalling.

Use Process Monitor to capture boot operations.

  • Download and extract to a folder on your desktop. Right-click on program and select Run As Administrator.
  • The ProcMon filter dialog box will appear. Click Reset and then OK.
  • Process Monitor will begin capture. Immediately press Control + E to stop. Press Control + X to clear log.
  • Click Options > Enable Boot Logging.
  • An options dialog will open. Check Generate profiling events. Select Every second.
  • Close Process Monitor and restart computer.
  • As soon as possible, rerun Process Monitor. It will ask to save the collected data. Click Yes. Save to your desktop as bootlog.
    • Depending on the size of your log, Process Monitor will create several files named "bootlog", "bootlog-1", etc.
  • Download 7-zip and install.
  • Hold down the Ctrl key and click every bootlog file on the desktop. Release the Ctrl key. Right-click on one of the (now-highlighted) files and select 7-Zip > Add to "bootlog.7z". Do not select Add to "bootlog.zip".
  • Locate the new archive on your desktop and upload to a file-sharing site such as Mediafire.
  • Copy the file's weblink to your next reply.

======================================================

Edited by LucheLibre, 06 February 2012 - 07:30 PM.

If it looks like I know what I'm doing, there's a pretty good chance the only reason for that is because
I once asked someone to run chkdsk /r and a BC Advisor smacked me in the back of the head.

~ LL ~
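
An added example, not part of the original posts: one way to read a captured boot log for a startup hang is to look for the longest stretches in which nothing but profiling samples was recorded, and see which process was last active before each one. It assumes the boot log was exported from Process Monitor as CSV with the default column names; the operation names for profiling events are assumed, and every row is constructed.

```python
import csv
import io

# Constructed sample rows in Process Monitor's CSV layout (assumed: the boot
# log was exported with File > Save as CSV; processes and paths are made up).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result"
"6:01:10.1000000 PM","smss.exe","256","CreateFile","C:\Windows\System32\csrss.exe","SUCCESS"
"6:01:10.9000000 PM","services.exe","512","RegOpenKey","HKLM\System\CurrentControlSet\Services\ExampleSvc","SUCCESS"
"6:01:11.9000000 PM","services.exe","512","Process Profiling","","SUCCESS"
"6:01:41.4000000 PM","svchost.exe","880","ReadFile","C:\Windows\System32\config\SOFTWARE","SUCCESS"
"6:01:41.6000000 PM","explorer.exe","1500","Process Start","","SUCCESS"
'''

# Periodic samples written by "Generate profiling events"; they would hide a
# stall, so they are skipped (operation names assumed).
PROFILING = {"Process Profiling", "Thread Profiling"}


def to_seconds(time_of_day):
    """Convert '6:01:10.1000000 PM' (or 24-hour '18:01:10.1') to seconds."""
    clock, _, meridiem = time_of_day.strip().partition(" ")
    hours, minutes, seconds = clock.split(":")
    hours = int(hours)
    if meridiem:  # 12-hour clock: 12 AM is hour 0, 12 PM is hour 12
        hours = hours % 12 + (12 if meridiem.upper() == "PM" else 0)
    return hours * 3600 + int(minutes) * 60 + float(seconds)


def largest_gaps(csv_text, top=3):
    """Return the longest silences between consecutive non-profiling events."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Operation"] not in PROFILING]
    gaps = []
    for before, after in zip(rows, rows[1:]):
        gap = to_seconds(after["Time of Day"]) - to_seconds(before["Time of Day"])
        if gap < 0:  # capture crossed midnight
            gap += 86400
        gaps.append((round(gap, 3), before["Process Name"], before["Operation"],
                     before["Path"], after["Process Name"]))
    return sorted(gaps, reverse=True)[:top]


if __name__ == "__main__":
    for gap, proc, op, path, next_proc in largest_gaps(SAMPLE_CSV):
        print(f"{gap:8.3f}s after {proc} {op} {path} (next event: {next_proc})")
```

For a real export, read the file with encoding "utf-8-sig" so that a leading byte-order mark does not end up in the first column name.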


#13 djvtech

Posted 06 February 2012 - 08:34 PM

Check System File Integrity

===========================================

This next procedure may not provide the answers we need, but it would be good to have available if you plan to continue troubleshooting this instead of reinstalling.


Ok, I ran that and it went through verification phase then said "Windows Resource Protection did not find any integrity violations."

And here are the bootlog files: http://www.mediafire.com/?x7y5pyarrryhey1

#14 LucheLibre

Posted 06 February 2012 - 11:18 PM

Just a hunch...

Uninstall Avast and retest, if you haven't tried this already.

If no change, uninstall (don't just disable) your audio drivers and retest.

If it looks like I know what I'm doing, there's a pretty good chance the only reason for that is because
I once asked someone to run chkdsk /r and a BC Advisor smacked me in the back of the head.

~ LL ~


#15 djvtech

Posted 08 February 2012 - 03:00 AM

Uninstalling Avast didn't work. I uninstalled my Realtek HD audio (no change), but I don't think that was the drivers. You're talking about the drivers in the device manager? I'll do that, but how will I reinstall it? Will the audio driver "High Definition Audio Device" still be there and I just right click on it to reinstall it? See picture below:

http://img855.imageshack.us/img855/1738/audiodrivers.png

Edited by djvtech, 08 February 2012 - 03:01 AM.




