Solved Carried out 8 step rule, but got very slow laptop again

Status
Not open for further replies.

jimbob1

I carried out the 8 step rules, and for 24 hours after this the laptop was like new and really fast again. Now it has gone back to being very sluggish and slow, but I have not done any changes since the 8 step rules.

Also, regularly when I open IE, a second IE appears in Task Manager with memory usage averaging between 300k and 600k, which uses 95% of the CPU.

I have attached the HiJackThis log
 
You didn't leave any logs. But if you do, I'll need all three- not just HijackThis.

Please understand that a slow computer can have many causes. In this forum, we help find and remove malware which can contribute to a slow system. The 8 steps are preliminary virus and malware removal only. Running them does not guarantee to fix everything- that's why you must leave the logs.
 
Sorry, please see attached. I couldn't get a report for the SuperAntiSpy.

The Malwarebytes report is the one which discovered the viruses / malware.
 

Attachments

  • mbam-log-2010-02-23 (13-13-08).txt
    1.8 KB · Views: 3
  • hijackthis2.txt
    10.3 KB · Views: 1
There are some entries that you can remove that might help the speed. But if you have enough memory- at least 512MB and the chips are good, what I'm seeing isn't enough to be noticeably slow.

For this entry: O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
Note: If you are NOT using the Client for Netware, follow the LSP directions. IF you are, omit that scan and proceed with the rest:

[1] Click on the following link to download LSPFix to your desktop.
http://www.cexx.org/lspfix.htm
OR
Click on this link to download the exe file directly here> http://www.cexx.org/LSPFix.exe

[2] Once the exe file is on your desktop, double-click on it to open
[3] In the left hand column, you should see the NWPROVAU.DLL file listed. Click on it to highlight, then click the arrow in the middle of the screen that points to the right

This will move the filename to the right-hand column labeled Remove
NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"

[4] Once the file has been transferred to the Remove column, click Finish at the bottom of the screen. You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry. Close the LSPFix program now.
--------------------------
For this entry:
C:\WINDOWS\system32\SearchProtocolHost.exe

Searchprotocolhost.exe is one of the reasons your system is slow. Following are the steps to stop this and make the system fast.

[1] Click Start > Run > type services.msc and press 'OK' or click 'Enter'
[2] Scroll down to find 'Windows Search' and double click
[3] Stop the process. Change the Startup type to Disabled.
[4] Repeat Start > Run > then type msconfig > enter
[5] Selective Startup > Startup tab
[6] Uncheck Windows Search
[7] Apply > OK > Reboot > Close the nag message after checking 'don't show this message again.' Stay in Selective Startup.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install Recovery Console, please allow.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Rescan with HijackThis and attach new log in next reply.
 
Hi Bobbye,

please see attached latest logs
 

Attachments

  • ComboFix.txt
    16.8 KB · Views: 1
  • hijackthis3.txt
    9.4 KB · Views: 2
Just checking the HJT log I see the following:
First HJT log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gvpromotions.co.uk/


Second HJT log: only this one:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gvpromotions.co.uk/

This site describes itself as follows:
Leading UK supplier of promotional merchandise. By providing promotional products at the most competitive rates available, without compromising the quality, GV Promotions are proud to be a Leading Promotional Product Supplier.

There is no company information and no Privacy Policy:
http://www.adgifts.com/default.aspx?SchemeId=246&Master=MasterPage

But I note in Combofix:
2010-01-08 c:\windows\Tasks\GV Promotions 1188131904.job
- c:\program files\Intuit\QuickBooks Pro\AutoBackupEXE.exe [2073-09-09 18:25]


Can you just tell me if this is a legit company you are doing business with? If so, okay.

You need to update the Adobe reader to v9.xx. You have v7 and it is a vulnerability:
Visit this Adobe Reader site and get the most current update. Uninstall any earlier updates as they are vulnerabilities.
OR
Download Foxit Reader. It is free and does the same thing as Adobe without the bloat.

I'd like you to do this: Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Attach the log. Making sure there's no malware remaining. If this is clean, I'll have you remove the cleaning tools and set a clean restore point. There are many possible reasons for a slow system other than malware.

Then I need to know specifically what, if any problems you are having. If I clear you for malware, then you will need to look into the RAM or other unnecessary processes running and using the system resources.
 
Hi,

Yes the company etc is legit.

Please see attached report as requested.

I put a new RAM chip in about 2 weeks ago which sped up the laptop greatly, then 48 hours later it went back to being really slow again.
 

Attachments

  • log.txt
    791 bytes · Views: 2
See if this helps:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad and copy/paste the text in the code below into it:

Code:
KILLALL::

File::
c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
c:\documents and settings\Jimmy\Local Settings\Application Data\Temp
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\drivers\fidbox.dat
c:\windows\system32\drivers\fidbox2.dat

Folder::
c:\program files\Common Files\ParetoLogic
c:\documents and settings\All Users\Application Data\ParetoLogic

Driver::
fidbox
fidbox1

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
 
Hi Bobbye,

I have attached the new log file.

many thanks
 

Attachments

  • ComboFix.txt
    18.8 KB · Views: 1
Did you see any improvement after some of the removals above- like SearchFilterHost?
What size RAM did you put in? 512MB or more?

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad and copy/paste the text in the code below into it:

Code:
KILLALL::

File::
c:\windows\system32\drivers\fidbox2.idx
c:\windows\system32\drivers\fidbox.idx

Folder::
c:\documents and settings\LocalService\Application Data\McAfee
c:\documents and settings\All Users\Application Data\McAfee

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

You should be clear of any malware causing the slowdown.
 
An extra 1Gb of Ram was added (taking it to, so the system reads, 1.49Gb)

I have attached the new log file now.

The computer is better but IE is deadly slow
 

Attachments

  • log.txt
    17.2 KB · Views: 1
Please rescan with HijackThis and give me the new log.

As mentioned, there are many reasons for a slow browser or computer. In this forum, we look for malware causes. The add-ons in IE could be a source of slowness. Also running a camera, scanner, printer, media players, auto-update from startup to running in the background can also contribute.
 
You need to update the Adobe Reader: you have v7. Current is v9.xx
Visit this Adobe Reader site and get the most current update. Uninstall any earlier updates as they are vulnerabilities.

Please print out the list of entries you are checking. You will need it.
Open HJT to 'do system scan only'. Check all of the following:

C:\Program Files\Corel\Corel Graphics 12\Programs\CorelDRW.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Corel\Corel Graphics 12\Programs\CorelDRW.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
----------------------------------------
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)


Close all Windows except HJT and click on "Fix Checked."

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

1) For Startup Processes:
Using the list I asked you to print out, you are going to take the processes that begin with C:\ through O8 using the msconfig utility. I have put the process name in BOLD that you should see listed. This will take the process off of Startup. None of these need to start on boot and run in the background. They can be accessed when, or if, you need them:
1)Start> Run> type in msconfig> enter> Selective Startup> Startup tab> Uncheck all of the processes named above> when finished> click on Apply> OK.

2)For the O23 Services section:
Start> Run> type in services.msc> scroll to each Service below and double click to open> set the Startup Type as given:
Adobe LM> Manual
Java Quick Starter> Disable> Stop the Service
Indexing> Manual

Then Exit Services

3)Click on My Computer> right click on Local Drive (C)> Properties> General tab> Uncheck both the 'Compress' box and the 'Indexing' box on the bottom> Apply> OK.

4)Control Panel> Add/Remove Programs> Uninstall any program you don't use.
5)Control Panel> Java> temporary internet files> Settings> Delete.
6)While still in Java> Update tab> Uncheck 'check automatically'> answer Yes when asked to confirm> Apply> OK

7)Reboot the computer into Normal Mode: NOTE: the first time you reboot after making msconfig changes, you will get a nag message. This can be ignored and closed after checking 'don't show this message again.' Stay in Selective Startup.

Let me know how you're running after doing this.
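
Added example, not part of the thread or written by any of its participants: a small Python triage of HijackThis entries that flags the three kinds of line raised above (a changed IE start page, an unknown Winsock LSP, a service whose file is missing). The function names and the sample log, assembled from lines quoted in the thread, are assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: entries quoted in the thread, not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gvpromotions.co.uk/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
"""

# HijackThis prefixes each entry with a section code such as R0, O4 or O23.
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse(log_text):
    """Group entry bodies by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def review_items(sections):
    """Return (code, reason, detail) tuples worth a question to the owner."""
    items, pages = [], {}
    for code in ("R0", "R1"):
        for body in sections.get(code, []):
            key, _, url = body.partition(" = ")
            # Registry value name follows the last comma, e.g. "Start Page".
            pages[key.rsplit(",", 1)[-1]] = urlparse(url).hostname
    start, default = pages.get("Start Page"), pages.get("Default_Page_URL")
    if start and default and start != default:
        items.append(("R0", "start page differs from default page", start))
    for body in sections.get("O10", []):
        if body.startswith("Unknown file in Winsock LSP: "):
            items.append(("O10", "unrecognised Winsock LSP", body.split(": ", 1)[1]))
    for body in sections.get("O23", []):
        if body.endswith("(file missing)"):
            name = body.split(": ", 1)[1].split(" - ")[0]
            items.append(("O23", "service binary missing", name))
    return items

if __name__ == "__main__":
    for item in review_items(parse(SAMPLE_LOG)):
        print(*item, sep=" | ")
```

A flagged entry is a prompt to ask the owner, not a verdict: in this thread the start page turned out to belong to a company the user does business with.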
 