
Not sure what happened.


  • This topic is locked
13 replies to this topic

#1 Pyronises

Pyronises

  • Members
  • 11 posts
  • OFFLINE

Posted 08 December 2016 - 07:16 PM

Woke up today and my computer was running as slow as a PC from 1991. Couldn't do anything... Eventually was able to restore it to a previous version. That didn't help much, but it allowed me to bring up my task manager and look into what was slowing me down so much. The HDD with my OS on it was running at 100% and not reading/writing anything. Naturally I thought it was the HDD. But, I tried something else anyway. Restored to "factory" version with just OS and personal files on it. HDD is still running hard, but I can do things. Ran a report to check and see if there was another underlying cause to the issue. Also, I can't install Avira, says that there is an issue with installing.

 

HijackThis has also been denied access to the host files.

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 7:15:54 PM, on 12/8/2016
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.14393.0000)
 
 
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
C:\Users\The Master\AppData\Local\Microsoft\OneDrive\OneDrive.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\The Master\Downloads\HijackThis.exe
C:\Users\The Master\Downloads\HijackThis.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = %11%\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [Avira SystrayStartTrigger] "C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe"
O4 - HKLM\..\Run: [Avira System Speedup User Starter] "C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Core.Common.Starter.exe"
O4 - HKCU\..\Run: [OneDrive] "C:\Users\The Master\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
O4 - HKCU\..\RunOnce: [Uninstall C:\Users\The Master\AppData\Local\Microsoft\OneDrive\17.3.6381.0405\amd64] C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\The Master\AppData\Local\Microsoft\OneDrive\17.3.6381.0405\amd64"
O4 - HKCU\..\RunOnce: [Uninstall C:\Users\The Master\AppData\Local\Microsoft\OneDrive\17.3.6381.0405] C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\The Master\AppData\Local\Microsoft\OneDrive\17.3.6381.0405"
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Protocol: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Avira Service Host (Avira.ServiceHost) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
O23 - Service: @%SystemRoot%\system32\DiagSvcs\DiagnosticsHub.StandardCollector.ServiceRes.dll,-1000 (diagnosticshub.standardcollector.service) - Unknown owner - C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Malwarebytes Service (MBAMService) - Malwarebytes - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe,-1001 (Sense) - Unknown owner - C:\Program Files (x86)\Windows Defender Advanced Threat Protection\MsSense.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SensorDataService.exe,-101 (SensorDataService) - Unknown owner - C:\WINDOWS\System32\SensorDataService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: Avira System Speedup (SpeedupService) - Avira Operations GmbH & Co. KG - C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.SpeedupService.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\WINDOWS\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\WINDOWS\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\TieringEngineService.exe,-702 (TieringEngineService) - Unknown owner - C:\WINDOWS\system32\TieringEngineService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\WINDOWS\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\WINDOWS\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\WINDOWS\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 7403 bytes
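As an added example (not part of the thread, and not Trend Micro's code), a small Python parser for HijackThis log entries like the ones above: it groups entries by section code, extracts the O4 autoruns, and splits the O23 services into trusted versus review. Entries reporting "(file missing)" or "Unknown owner" are only flagged for review, since on an OS this HijackThis build does not support they are usually resolution failures (the log above says so of spoolsv.exe and lsass.exe), not evidence of infection. The sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# Constructed sample: a few entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [Avira SystrayStartTrigger] "C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe"
O4 - HKCU\..\Run: [OneDrive] "C:\Users\The Master\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\WINDOWS\System32\spoolsv.exe (file missing)
O23 - Service: Malwarebytes Service (MBAMService) - Malwarebytes - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse_hjt(log_text):
    """Group HijackThis entries by section code (R0, F2, O4, O23, ...)."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m["code"]].append(m["body"])
    return sections

def triage_services(sections):
    """Split O23 services into (trusted, review); '(file missing)' and
    'Unknown owner' earn a review flag, not a malware verdict."""
    trusted, review = [], []
    for body in sections.get("O23", []):
        m = SERVICE_RE.match(body)
        if not m:
            review.append({"name": body, "owner": "", "path": "", "reason": "unparsed"})
            continue
        entry = {"name": m["name"], "owner": m["owner"], "path": m["path"]}
        if m["missing"] or m["owner"] == "Unknown owner":
            entry["reason"] = "file missing" if m["missing"] else "unknown owner"
            review.append(entry)
        else:
            trusted.append(entry)
    return trusted, review

def autoruns(sections):
    """Return O4 Run/RunOnce entries as (hive, key, value name, command)."""
    out = []
    for body in sections.get("O4", []):
        m = RUN_RE.match(body)
        if m:
            out.append((m["hive"], m["key"], m["name"], m["cmd"]))
    return out
```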
 



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:25 PM

Posted 09 December 2016 - 09:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===

Please post the logs.

===

p.s.
HijackThis is no longer supported and not ready for your Operating system.
I suggest you remove it via the Control Panel > Programs > Programs and Features applet.
Use the Farbar tool from now on to report problems.

#3 Pyronises

Pyronises
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE

Posted 09 December 2016 - 08:16 PM

Attached are the files you have requested.




#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:25 PM

Posted 10 December 2016 - 08:18 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.6\ToolbarUpdater.exe
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
GroupPolicy: Restriction <======= ATTENTION
HKU\S-1-5-21-65261642-1456557817-1565949025-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-65261642-1456557817-1565949025-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={E448F851-594C-4BC5-8DC7-D70A875001A5}&mid=65d402ecf3bc47cfb75fa59d73bc7a28-458b84f2d0aa8cd8e755847a6128bab5079bba47&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2016-12-09 00:33:42&v=4.3.6.255&pid=wtu&sg=&sap=hp
SearchScopes: HKU\S-1-5-21-65261642-1456557817-1565949025-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={E448F851-594C-4BC5-8DC7-D70A875001A5}&mid=65d402ecf3bc47cfb75fa59d73bc7a28-458b84f2d0aa8cd8e755847a6128bab5079bba47&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2016-12-09 00:33:42&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\40.3.6\\npsitesafety.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\The Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-12-08]
CHR Extension: (Chrome Media Router) - C:\Users\The Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-08]
R2 vToolbarUpdater40.3.6; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\40.3.6\ToolbarUpdater.exe [1349704 2016-12-08] (AVG Secure Search)
S3 dot4usb; \SystemRoot\System32\drivers\dot4usb.sys [X]
C:\Users\The Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\The Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm

reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Let me know what problem persists.

#5 Pyronises

Pyronises
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE

Posted 14 December 2016 - 12:20 AM

Attached is the file you requested.

 

Upon restart I noticed that the computer was very sluggish on shutdown, and boot.

 

I will continue to monitor this over the next few days and will report on it at a later date.

 

The computer is running a little better for now, any further instruction is welcome.

 

Will monitor for the next few days.




#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:25 PM

Posted 14 December 2016 - 09:04 AM


Run this cleaning tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#7 Pyronises

Pyronises
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE

Posted 16 December 2016 - 11:57 PM

Still slow on the boot and restart. Haven't tried to restart or boot since running the cleanup tool.

 

Attached is the zoek log.

 

I will continue to monitor the performance over the next few days.




#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:25 PM

Posted 17 December 2016 - 08:46 AM

Reboot one more time and let me know how the computer is running.

#9 Pyronises

Pyronises
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE

Posted 18 December 2016 - 01:48 PM

It's running much more smoothly now. I'll be watching what it does and coming back here every so often over the next week to update you all and provide follow-up information. But it seems to be doing so much better, thank you so much!
 

What was wrong with it, what happened to cause it to slow down like that?



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:25 PM

Posted 18 December 2016 - 02:15 PM

Nothing wrong. Sometimes a restart does the trick after running Zoek.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#11 Pyronises

Pyronises
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE

Posted 18 December 2016 - 09:44 PM

Lol, I meant in general, what ended up causing it to run so slow when we started?

 

It's still restarting very slow. Could be a setting, could be the HDD. I know that the hard drive is running slow on the startup, but why does it take so long to shut down?



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:25 PM

Posted 19 December 2016 - 10:01 AM

It could be a wrong driver version.

Navigate to this page.
http://learn.flexerasoftware.com/SVM-EVAL-Personal-Software-Inspector

Download and run the Flexera Software Personal Software Inspector.

Update all the old drivers.

Keep me posted.

#13 Pyronises

Pyronises
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE

Posted 20 December 2016 - 01:10 AM

Still slow start up, again probably because of the HDD, I'm going to get an m.2 pci-e x4 adapter for the motherboard.

 

Heading over to flexera now.

 

Edit: Downloaded the PSI software, ran it, and all of my programs are up to date, but I'm not sure about the hardware drivers. How would I go about checking and updating my hardware drivers?


Edited by Pyronises, 20 December 2016 - 01:39 AM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,930 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:25 PM

Posted 20 December 2016 - 10:54 AM

How would I go about checking and updating my hardware drivers?


Check the Manufacturer's site and check for your model number.



