Computer running slowly, logs attached

Status
Not open for further replies.

lindylou2

Hi, please could someone look at the attached logs, my computer is running so slowly I think there may be some malware in it. I followed all the steps in the virus malware thread. I had to use safe mode to run the gmer as it would not save log files in normal mode. Thank you in advance
Lindylou
 

Attachments

  • gmer.log 1.log
    1.4 KB · Views: 3
  • mbam-log-2010-04-30 (21-29-22).txt
    893 bytes · Views: 3
  • Attach.txt
    17.1 KB · Views: 3
  • DDS.txt
    11.4 KB · Views: 3
Are you having any other 'symptoms' except for slow?
Most common reasons for 'slow'- other than or in addition to malware:
1. Not enough resources free. You should be running the system with as close to 80% resources free as possible. You have only slightly more than 50% free.
2. Too many (unnecessary) processes starting on boot and running in the background. You have several of these- some starting on boot which will slow load time down: example 'Advanced system Care' by Iobit. Dell AIO. several auto updaters. Webcam
3. Several outdated versions of programs which should have been deleted. Examples:
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7

These are also vulnerabilities.

We'll look further. Please run the following:

Please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Close any open browsers.
  • [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  • [5]. If Combofix asks you to install Recovery Console, please allow it.
  • [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix.
======================================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Leave the Combofix report and the Eset log in your next reply.

Please do not run any other cleaning programs or scans while I am helping you unless I direct you to. Do not run a Registry cleaner or make any Registry changes.
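
As an added example (not part of the original thread or of any tool mentioned in it), the Python sketch below automates the check made in point 3 of the reply above: given an installed-programs listing, it groups entries by product and reports the versions that a newer install of the same product has superseded. The sample listing is constructed from program names that appear in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample listing; the four Java lines are the ones quoted in the reply.
SAMPLE_LISTING = """\
Adobe Reader 9.3
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
QuickTime
Windows Media Player 11
"""

def parse_entry(line):
    """Split 'Name 6 Update 7' into ('name', (6, 7)); None if no version is present."""
    m = re.match(r"^(.*?)\s+(\d.*)$", line.strip())
    if not m:
        return None
    family = m.group(1).lower()
    # Compare versions numerically so that Update 10 sorts after Update 7.
    version = tuple(int(n) for n in re.findall(r"\d+", m.group(2)))
    return family, version

def find_superseded(listing):
    """Return {family: {'newest': entry, 'superseded': [entries]}} for products
    installed in more than one version. 'Newest' means newest on this machine,
    not the vendor's current release, which still has to be checked separately."""
    by_family = defaultdict(list)
    for line in listing.splitlines():
        parsed = parse_entry(line)
        if parsed:
            family, version = parsed
            by_family[family].append((version, line.strip()))
    report = {}
    for family, entries in by_family.items():
        entries = sorted(set(entries))  # drop exact duplicates, oldest first
        if len(entries) < 2:
            continue
        report[family] = {
            "newest": entries[-1][1],
            "superseded": [name for _, name in entries[:-1]],
        }
    return report

if __name__ == "__main__":
    for family, info in find_superseded(SAMPLE_LISTING).items():
        print("Keep:  ", info["newest"])
        for old in info["superseded"]:
            print("Remove:", old)
```
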
 
Thanks for your swift reply, I will follow instructions as posted. I have run the cc cleaner in between my and your posting - I hope this does not matter!! :blush:
 
Bobeye
Thank you for your help - much appreciated.

I have done the steps you suggested and also deleted the java updates and a couple of other programmes not used. I have attached the combi log, and have done the Eset scan which showed up 3 items. I have now managed to lose the txt file for this, I pressed save to desktop but it does not appear to be there. I am now losing the will to live :blush: as it took nearly 2 hours to do the scan!!! I will have another look for it :rolleyes: and post if I can find it otherwise will have to scan AGAIN!!! :mad:
 

Attachments

  • log combi.txt
    16.9 KB · Views: 1
Ok, have tried to find log for eset and can't. Have tried to rescan and it won't let me - says "unexpected error another instance is probably already running".
What should I do now?
 
Okay, don't worry- we'll try another scanner. Since speed is the issue mainly, let's remove some files that don't need to be on the system any longer, as well as some other entries:

Custom CFScript


  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\documents and settings\Megan.END-8825FE3CB3B\Application Data\Real\Update\setup3.10
c:\documents and settings\End-User\Application Data\Real\Update\setup3.10\setup.exe
c:\documents and settings\Megan.END-8825FE3CB3B\Application Data\Real\Update\setup3.10\setup.exe
c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
c:\documents and settings\End-User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
c:\documents and settings\End-User\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
c:\program files\iTunes\iTunesHelper.exe

Folder::
Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
You have a process for the HP DeskJet Taskbar Utility from 2002 still loading. It is for background print job spooling tasks associated with some HP DeskJet printers. I didn't see any other entries and you appear to be using a Dell AIO so you will want to uninstall the HP printer. I did not include it in the script.
===========================
We need to check out the AV since there were 3 items and I don't know what files they were in. If you can't get the log, please Run
Kaspersky Online Scanner in Internet Explorer


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
=====================
Then please download HijackThis from here.
  • Save it to a permanent folder (such as C:\HJT).
  • Next, open HijackThis, and select Do a system scan and save a logfile.
  • A Notepad document will open. Please post the contents of that document.

Leave the new ComboFix report, the Kaspersky scan and the HijackThis log. I'll have you remove any viruses and help you stop unnecessary processes from running.

Be sure to keep the Recycle Bin emptied. I forget to tell people this!
 
Hi, I have attached logs from combi and from hijack. I am now having trouble with the Kaspersky online scanner, it seems to go so slowly - in fact I am not sure it is scanning or not. When I click on report there is nothing to show :rolleyes: perhaps it's cos my computer is going so slow. I will try the other scan you suggested previously. I am beginning to think I am a lost cause :D
 

Attachments

  • combi 2.txt
    16.5 KB · Views: 2
  • hijackthis.log
    8.8 KB · Views: 2
:D restarted the computer and it worked this time managed to redo eset scan log attached :D
 

Attachments

  • eset scan.txt
    491 bytes · Views: 3
These infections all came from your LimeWire downloads.
P2P or 'file sharing' Warning:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.
Please read the information on P2P Warning to help you better understand these dangers.
===========================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    :Services
    :Reg
    
    :Files 
    C:\Documents and Settings\Megan.END-8825FE3CB3B\My Documents\LimeWire\Saved\put you together again hot.mp3	
    C:\Documents and Settings\Megan.END-8825FE3CB3B\My Documents\LimeWire\Saved\swing low sweet charriot [cd rip].mp3	
    C:\Documents and Settings\Megan.END-8825FE3CB3B\My Documents\LimeWire\Saved\swing low sweet charriot.mp3	
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
============================
You have only slightly more than 50% of your resources free. You should be running as close to 80% as possible. You need to review Add/Remove Programs in the Control Panel and uninstall whatever you aren't using. If you don't know what the program is, do a Google search. That will free up some of your hard drive. (Recommend uninstall program: C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe)

I don't know how much RAM you have. To run Windows XP well, you should have at least 512MB. The more processes you have starting on boot and running in the background, the more RAM is used. You can control that by taking unnecessary processes off of Startup as below. All of the ones I have listed do not need to start on boot:

To access Startup using the msconfig utility: Click on Start> Run> type in msconfig> enter>
  1. Check Selective Startup and everything below except the "Load the Startup Items" & "Original Boot.ini."
    general_scr.gif
  2. Click on the Startup tab> here's what you'll see:
    msconfigyd9.jpg

  3. If you need to expand the Command Column (this shows what the process 'belongs' to), hold the left mouse button down on the dividing line next to Location and move to the right to expand.
  4. UNCHECK these unneeded Startup items:
    Adobe Reader 9.3 (Reader_sl.exe)
    Apple Software Update
    AutoUpdate
    Creative Live! Cam Video IM Driver (1.01.01.00)
    Creative Software AutoUpdate
    Dell AIO 810
    GoogleToolbarNotifier.exe
    GrooveMonitor.exe (Office12 Service to work offline with files from Sharepoint.)
    hpztsb05.exe
    iTunesHelper.exe>> BIG resource user!
    Java Auto Updater (jusched.exe)
    Microsoft Office 2007 & all associates apps (ctfmon.exe)
    Microsoft Software Update for Web Folders (English) 12
    QuickTime (QTTask.exe)
    RealPlayer (realsched.exe)
    StreamPlug Player
    Virtual Earth 3D (Beta)
    WebFldrs XP
    Windows Media Player 11
This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted. You don't do anything on the other tabs. When through> Apply> OK

When you reboot the system the first time after making changes, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Stay in Selective Startup to retain the changes.

Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.

Let me know how it goes.
 
Thank you for your help.

I have done as you suggested and run OTMoveIt. I removed Limewire from the computer quite a long time ago (daughter downloaded it!!) They will be remnants from that.

I had already unchecked some things previously from the startup menu, like msn messenger so it did not load up at start up. I have looked at the list you have suggested but most of these do not show up on the boot up menu. How can I get them to show up so I can uncheck them from the startup menu?

Most of them are (of course) in the add/remove programmes bit (but I don't want to uninstall them do I?)

There is 1 for applesyncnotifier on the startup menu, could I uncheck that or would it affect the itunes?

Many thanks Linda :)
 
Thank you for your help.

I have done as you suggested and run OTMoveIt. I removed Limewire from the computer quite a long time ago (daughter downloaded it!!) They will be remnants from that.

I had already unchecked some things previously from the startup menu, like msn messenger so it did not load up at start up. I have looked at the list you have suggested but most of these do not show up on the boot up menu. How can I get them to show up so I can uncheck them from the startup menu?

Most of them are (of course) in the add/remove programmes bit (but I don't want to uninstall them do I?)

There is 1 for applesyncnotifier on the startup menu, could I uncheck that or would it affect the itunes?

Many thanks Linda :)

If it's not there, then it's not automatically starting up when you turn on the system. This means you won't have to worry if it's not showing up there, and you won't need to uncheck it.
 
All of the processes I listed were running in the HijackThis log. Whether they started on boot and were running in the background, whether you used the program and didn't close it, or whether it was started by a Service on Automatic, I had no way of knowing.

They will all be listed in Add/Remove Programs but you only uninstall them if you no longer want or need the program.

How much RAM do you have installed? If you don't know: Control Panel> System> the System Properties tab will show you the amount of RAM at the bottom.

I can set up the HijackThis log and tell you which processes to check which will stop some of them- at that time.

Some processes can be started by a Registry entry or a Service. All of the processes I listed for you were running- that's how I saw them.
 
:) Thanks for your help, I have looked and I have 504MB of ram. Yes it would be a great help if they did not all start up, I am sure computer would not take quite so long to load and would work much more efficiently. Should I uninstall all the other cleaners etc I have used now? Are they no longer needed?
 
You're welcome. You can remove the cleaning tools now and set a new restore point:

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Let me know if I can be of any more help.
 
Thank you, I have done as you suggested and also created a new restore point. I have removed as many old and unused programmes as I can.

my computer is now showing used space 33.1 GB and free 41.3 GB. (Is this much better than before?) Am feeling quite pleased with myself with all this computer housekeeping :grinthumb and computer is now running better but how do I move some programmes so that I can uncheck them so that they will not then start on load up? As I am sure this will help speed things up even further.
Many thanks for your help
Linda
 
but how do I move some programmes so that I can uncheck them so that they will not then start on load up

I think you still don't understand the startup process. You don't move a program so you can uncheck it. If it's starting on boot, it will already be on the Startup menu. Go through the list I left for you in Reply #10, step 4. You can uncheck any of those entries that are checked on the Startup menu.

Unchecking a process doesn't remove it- it just stops it from starting on boot. You can also change the Startup type of the Following Services:

Click on Start> Run> type in services.msc> Find each of the Services below and double click to open it> Change the Startup type as instructed:

  • Apple Mobile Device - Set to Manual
  • Bonjour - Set to Manual
  • dlcg_device - Set to Manual - (Printer monitor for Dell printers)
  • iPod Service - Set to Manual (This service is used by Itunes for using your Ipod. If you do not use Itunes you can disable this service.)
  • Java Quick Starter - Set to Disable. Stop the Service. This does not need to run.
  • Rapport Management Service - Disable> Stop and Uninstall (see my note)
Exit Services.
There are more Services. Some Must run- these are the only ones in your HJT log that can be changed.

About (RapportMgmtService)
Rapport is developed by Trusteer Ltd. The homepage is shop.ingdirect.com

There are 9 reviews and it is only rated 2.6 out of 5. I see this in some logs but I am not familiar with how it works or if it's worth running. It is freeware, but I doubt it will give any more protection than you get with an antivirus program, firewall and at least 2 antimalware programs. But it's your choice. For myself, I wouldn't run it. The site is also promoting:
Home Energy Diet Book for $15
Norton Internet Security Software FREE (can't be the real one!)
Highway Safety Kit for $35.00
 