[Resolved] Help computer/internet very slow

[dbarnett123]

Internet Explorer is very, very slow. It started a few days ago. Takes 1 minute and 45 seconds to bring up explorer with the initial MSN page; 45 seconds plus to bring up google. Initially the pages were available within 2 - 3 secondds. A similar machine beside this main machine with the slowness issue on same network still comes up within 2 - 3 seconds. Machine is an IBM clone running XP Pro.

Additionally, H: drive is available if I cold boot but is unavailable on a warm boot. This is 100% consistant for over 55 test boots over 38 days.

So, I have completed Legendary Viruses, etc. per preliminary removal instructions and have attached the three designated files.

Panda Antirootkit found nothing; all zeros.

I ran AVG Antispyware 3 times. The last time it only found a few items which were found/deleted. The first time there were several items which were deleted, although the report says no action taken I ran it a second time and deleted the files. Unfortunately I did not save a file for the second run which deleted the unwanted items. Nevertheless, the final run shows all unwanted files deleted. All three were test were completed in safe mode without connection to the internet. I had to abort the third test but included the report. I ran a fourth complete test; it takes over 13 hours; It found nothing and unfortunately no report was generated. It is slowly grinding sown.

The machine seems to be running much slower, however I can not quantify that specifically.

Internet using Internet Explorer is running much, much slower on this machine !

Status of Issue: Internet Explorer is as slow or slower after cleaning items. machine is slowing down; H: drive still exhibits same symptoms.

FYI: I have Computer Associates security suite running (antivirus, spywere, firewall, etc.). AND I just put a url in the Address area of Explorer Directory window and it came up within 2 seconds !!! I am confused ???

Your advice and counsel is greatly appreciated; Please help me with the slowness issue.

Thanks for your help.

Doug

 

[momok]

Hi,

1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):
   
   

   File::
   C:\WINDOWS\system32\jjjlm.bak1
   C:\WINDOWS\system32\jjjlm.bak2
   C:\WINDOWS\system32\jjjlm.ini2
   C:\WINDOWS\system32\j1201436.dll

2. Save this as CFScript on the desktop.
3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
   
   
   
   
4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
   
   Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

Your slowness problem could be due to your CA security suite/Symantec. I see tonnes of startup services coming from those two in your HijackThis log. We'll work on those after we're done cleaning with your system.

Thereafter, please post a fresh HJT and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of dbarnett123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.

 

[dbarnett123]

CFScript run with Combofix, results attached

Hi,

Many thanks for helping me with my problems. I appreciate it.

Attached per your instructions are the two log files (ComboFix with CFscript and fresh HighJack log). I hope you can provide some modifications that will help.

CA is a Commercial variety of ZoneAlarm produced for Frontiernet and others; for all practical purposess it is ZoneAlarm. It is a suite of security products. Firewall, antivirus, malware, etc. Logicaly, the majority of slowness is not a result of CA, since the slowness occurred sometime after installation of CA. Nevertheless, some small part of the slowness could be from CA.

Symantic: I have only the Windows Registry fix part and the Hard drive repair parts installed along with the updates for these two parts. Is there a Hard drive repair software that is equal to Norton/symantic that I could use? I really don't like symantic, but need some software to keep my hard drives in good health.

I note that the computer is still loading a service of a Lexmark printer that is no longer installed on the computer.

Thanks or all your help.

Regards,

Doug

 

[momok]

Hi,

I see 9 or more services under CA running, and at least 5 other symantec services running. I do not see how that will not drastically slow down your system with all that processes. In any case, since you have a CA suite, why are you still using Symantec? I would strongly suggest you uninstall any components that you have no use for.

1. Run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
   
   R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
   O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
   O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
   O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
   
   
2. Whilst still in HijackThis, go to "Main Menu" and click on "Open the Misc Tools section". Click on the "Misc Tools" button and then "Delete an NT service..." Type the following into the prompt box and press OK after each entry.
   LexBce Server
   Close HJT.
   
   
3. Navigate in Windows Explorer and delete the following files and folders in bold.
   C:\WINDOWS\imsins.BAK
   
   
4. Please download and run CCleaner via step 9 of the instructions HERE.

Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread. Do not copy and paste the logs.

Meanwhile, for more information to speed up your system, please read this thread HERE.


Regards,
momok =)

This thread is for the use of dbarnett123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[dbarnett123]

Response to your suggestion/request

In response to your question about Symantic. There are only 2 symantic software pieces installed on computer: Hard Drive repair module and Registry Cleaner. If I had a good piece of software to keep Hard Drives healthy I would get rid of Symantic in less than a heart beat. Any suggestions???

All your request completed and files attached.

Note: on doing the requested actions: "Open the Misc Tools section". Click on the "Misc Tools" button and then "Delete an NT service..." Type the following into the prompt box and press OK after each entry.

LexBce Server

Close HJT

Response: "Was not found"

Note on running ComboFix: Initally there was an error message Address access 0016700 SWRE.CF... I could not read it all before it went away. Otherwise, it went through the various steps.

C:\WINDOWS\imsins.BAK DELETED as instructed.

CCleaner run 4 times.

Logs attached per request.

Success: I only takes 45 seconds for IE to initiate and bring up google. But initiallly it only took about 4 seconds. Firefox takes about 3 seconds to come up. Windows/CPU are responding faster also.

What should I do next? Any thinking about Hard Disk health software????

 

[momok]

Hi,

Sorry about that. Let's try this again. Since you've uninstalled the lexmark printer, let's remove the components from your system.

1. Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:
   
   LEXPPS.EXE
   LEXBCES.EXE
   
   
2. Go to start > type "services.msc" and press enter. Search for the following services and right click to disable them. Then Right click > Properties to set the startup type to "disabled".
   
   LexBce Server
   
   
3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
   
   O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
   
   
4. Whilst still in HijackThis, go to "Main Menu" and click on "Open the Misc Tools section". Click on the "Misc Tools" button and then "Delete an NT service..." Type the following into the prompt box and press OK after each entry.
   
   LexBce Server
   
   Close HJT.
   
   
5. Navigate in Windows Explorer and delete the following files and folders in bold.
   
   C:\WINDOWS\system32\LEXPPS.EXE
   C:\WINDOWS\system32\LEXBCES.EXE

---------------------------------------------------------------------------------------

Here are some entries in HijackThis I suggest you fix, as IMO they are unnecessary. Should you feel they are useful, by all means leave them running.

O2 BHO's are downloaded and installed programs that 'assist' the browser (BHO's) or add a toolbar to the IE browserO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 entries are boot up entries during startup in msconfig.
O4 - HKLM\..\Run: [Adobe Photo Downloader] "I:\Light room\Lightroom 1.0\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] I:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = I:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O9 entries are the "right click" menu in IE.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 are installed activeX objects in IE.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab

Hopefully that should speed up your system and IE start up time. Let me know if you encounter any problems.
CCleaner has a registry cleaner, not sure if its better than what you have though.


Regards,
momok =)

This thread is for the use of dbarnett123 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[dbarnett123]

We are making progress

I followed instructions:

Proceded fine until your item 3, run Hijack etc.

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Response: "file not found"

Also, your item 4

Hijack, delete and Nt service: LexBce Server

Response: Not found in registry.

The responses to items 3 and 4 seem ok to me, just not what I expected.

Your item 5 # Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\LEXBCES.EXE

Completed successfully !
However, there are two other files located in that directory

Lexusb.dll
lexping.exe

May I delete them also ???

All other requested actions completed successfully

In response to your comment about Ccleaner and symantic cleaner; I do not know either, but I would gladly get rid of symantic if I had a good Hard drive maintenance software.

I have attached a Hijack log; Is there more I can do

Further:

1. Thanks very much for your help
2. I learned a lot.
3. In my win.ini there is an entry: win.ini [-1236370804]

I have searched the internet but can find no reference to it. Can you provide any information?

Again, a big thank you !

Doug

 

[momok]

Hi,

No worries about the error messages. The service was disabled, and the file was deleted. Yes, you may delete the other two files you found, although it doesn't make that much a difference hehe.

I'm sorry I'm unable to provide you with a solution to your search for a good hard drive maintenance software, as I'm not very well versed in that area.

Could you describe the win.ini entry further and what you were doing with it?
How's your system running by the way?

Here's some final instructions for the cleaning:

1. Please download and run CCleaner via step 9 of the instructions HERE.
   
   
2. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)
   
   
3. Turn off system restore (XP/ME only). Learn how to do that HERE.
   This will remove all the remaining nasties from your old restore points.
   
   
4. After that turn system restore back on.
   This would have created a new safe and clean restore point for your system.
   
   
5. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
   May I recommend you to read this article.
   This can help to prevent future infections.

Regards,
momok =)

 

[dbarnett123]

I have lost all my printers, print spooler, and ability to add printers.

How do I get it back. Did deleting one of those Lexmark printer files cause it or stopping a service???

Please help before I continue. I need desperately to print a document.

Thanks

I will complete the actions you suggested and report later. But help me get back my printers for now.

When I try to start the printer spooler in Services, I get the error message: Could not start print spooler service on local computer , error 1068 The dependency service or group failed to start.

Doug

I have lost all my printers, print spooler, and ability to add printers.

How do I get it back. Did deleting one of those Lexmark printer files cause it or stopping a service???

Please help before I continue. I need desperately to print a document.

Thanks

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)

I will complete the actions you suggested and report later. But help me get back my printers for now.

I notice that LexBce Server is still disabled. Is that the Issue???

Doug

 

[momok]

Hi,

Earlier you told me

I note that the computer is still loading a service of a Lexmark printer that is no longer installed on the computer.

I take it that the lexmark printer is no longer in use which is why I removed it for you. If you wish to re install it you'll need all the drivers that you downloaded or the CD etc.

What is the exact error message that you recieved?

Regards,
momok

 

[dbarnett123]

The Lexmark Printer was removed earlier, however, there are two other printers on the computer, both Hewlett Packard (HP's). One is color and one is black and white.

When I try to print the error is: There is a problem with printing. No printers can be found.

In the start, settings, printers and fax, there is only the "add printer" available available. I have lost the HP's. When I try to add a printer the error message is: Operation could not be completed. The print Spooler is not running.

When I go to Computer Management, Services (with the intent to start the Spooler); the settings are Automatic; The start column is blank. When I right click and click on start, the error message is: Could not start print spooler service on local computer, error 1068 The dependency service or group failed to start.

How is the best way to reestablish the printers or the add printer facility?

Thanks for you help.

Doug

 

[momok]

Hi,

This seems very similar to the problem another user had in our forums HERE. Try the fix that RealBlackStuff offered at the bottom of the page and let me know if it works for you.

Regards,
momok

 

[dbarnett123]

Fixiung printer problem

I tried the fixes suggested.

"Remote Procedure Call (RPC) Service must be Started and set to Automatic, (It is already) otherwise Spooler can't work.

Check the LogOn tab that it is enabled. (It is already)

Check the same tab for your Printer Spooler. (Same here).

Everything was as he suggested already.

I checked the dependencies for some of these services, one of which is LexBce.exe When I try to start this service it says "Could not start LexBce server service on local computer. errror 2 the system could not find the specified file. I am guessing that the file was either quarantined or deleted or the reference to it. Unfortunately, the recycle ben had been cleaned so I can not tell what has been deleted.

Suggestions please.

Doug

 

[momok]

Hi,

This is pretty weird, since we only deleted files associated with the lexmark printer; the HP printer should not have been affected.

I researched a little about this, and found that there were a few users facing similar problem as you; after uninstalling their lexmark printers, they were unable to add a new printer.

It installs itself as a "DependOnService" for the print spooler service. If you stop or disable it, the print spooler also stops or won't start. You have to remove it as a depedency. To do this, use regedit and go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" and right click on the value "DependOnService" then select modify. You will see 3 columns set out in the screen. On the far right, highlite all alpha and numeric characters up to but excluding the "R" of the service "RPCSS" and delete them. Restart the computer.

-from http://www.file.net/process/lexbces.exe.html

Try the fix and see if it works.
IMPORTANT: Please back up your registry before you conduct the fix. See HERE on how to back up registry (XP)
I believe it should go well now.

Regards,
momok

 

[dbarnett123]

Success !

While waiting for your reply, I used some software to find the deleted file (turned out to be LexBces,exe, restored it, checked it for virus, rebooted, and all my printers reappeared.

Went to email to report to you and found your recent post, indicating essentially the same thing. I will need to read all the threads and make sure all is right and no opportunity to get virus, malware, etc.

After that I will go to the last post from you which I did not have time to do and will complete that and report.

Thanks again for sticking with me. I know that you were dissappointed and confused too.

And it is odd about the Lexmark/system file LexBecs. I must spend some time reading on that on.

Later.

And thanks again.

Doug

 

[momok]

Running the additional LexBecs service is pretty much pointless, since you wanted to optimise your system's performance. I would still suggest you go ahead with removing the dependency of your print spooler service on that file, and go ahead with deleting it.

See http://www.bleepingcomputer.com/startups/LEXBCES.EXE-7634.html on removing the dependency.

The hassle is just the fault of Lexmark printers, that's all.

Regards,
momok

 

[dbarnett123]

Update and printers

It has taken me 3 days to get rid of the Lexmark printer issue. It was tied to all the other printers and dozens of other programs/processes. The hardest part when I finished the references you referred me to and others cascading from that caused me to remove over 80 entires from the registry and modify several others.

Nevertheless, it is printer cleaned and 1 printer is installed and a second one will be installed tomorrow.

I will run the system a day or so to make sure it is stable then, I will work on your last recommendations. This is just an update on printer problem.

More later.

Doug

 

[momok]

Yes Lexmark printers are infamous for such issues. I wouldn't even consider one if I ever needed a printer hehe.

 

[dbarnett123]

Nearing the end

On the Lexmark subject: Where were you 7 years ago when I purchased it ;(

Oh well, I learned a lot. But I have to purge from the laptop now

I completed all that you recommended, suggested, or the subsequent articles recommended.

I think the computer is a lot less risky now, and better protected.

A BIG THANK YOU.

Of course I have not rebooted since completing the last set of your instructions, but I will hope for the best.

Although it still takes 45 seconds for Internet Explorer to come up, thereafter it runs reasonably fast; and I am now primarily using Firefox. And the computer itself is running a little faster. So, all is good!

One thing that is still nagging me is the odd entry in the win.ini file.

[-1236370804]
the sub listing is a long number
-1418578068631463665=1070273589

Can you provide any information about it. Malicious? innocent? What?

Thanks again.

Doug

 

[momok]

Well, to be frank, I have no idea about what that entry means, because I am not well versed in those affairs. I would believe it should not be there, since it is used to load various settings every time your windows loads. That listing turns up nothing in the search engines; perhaps it is what is left over after we cleaned out the infection. That's the best guess I have.

However, before you modify your win.ini file, I would suggest you create a backup copy just in case, and name it win.ini.bak or something.

I do find it strange that it takes so long for your IE to boot up so slow. Perhaps you could try reading this thread HERE and see if it helps.

Regards,
momok

 

[dbarnett123]

Final Reply

I just want to take the time to say a BIG THANK YOU to you for all the help and nurturing me through the cleaning process. I feel much more confident about the security of the machine and my ability to keep it reasonably clean of ill programs.

Again Thank You.

Doug

 

[momok]

You're very much welcome =) Glad to be of assistance.

Thread closed as the problem appears to have been resolved. Should the original starter require it to be reopened, please PM a mod.