Windows 7 loads slow and theme change

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide

and attach the requested logs when you finish these instructions.

• **** If something does not run, write down the info to explain to us later but keep on going. ****
• Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

• After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
   
   • Starting your computer in Safe mode
2. If you have problems downloading on the problem PC, download the tools and the manual update Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only RogueKiller and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run the rest of the READ & RUN ME FIRST instructions on the infected account.
4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
   • Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
​

 

Hi there.

That's quite a mess to clean up.

You have Avast installed yet there are many active remnants of AVG scattered around. We must address this after malware removal.

It explains where, right here.


Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate this detection:

• [V2][SUSP PATH] VisualBeeRecovery : C:\Users\BJ\AppData\Local\VisualBeeExe\VisualBeeRecovery.exe - /s [x] -> FOUND

Place a checkmark next to this item, leave the others unchecked.
Now press the Delete button.

...and the same for these items on the file/folder tab please...

• [ZeroAccess][File] @ : C:\Users\BJ\AppData\Local\{dbcaa52c-e526-45d0-2df8-41b4d6fcb8cf}\@ [-] --> FOUND
• [ZeroAccess][Folder] U : C:\Windows\Installer\{dbcaa52c-e526-45d0-2df8-41b4d6fcb8cf}\U [-] --> FOUND
• [ZeroAccess][Folder] U : C:\Users\BJ\AppData\Local\{dbcaa52c-e526-45d0-2df8-41b4d6fcb8cf}\U [-] --> FOUND
• [ZeroAccess][Folder] L : C:\Windows\Installer\{dbcaa52c-e526-45d0-2df8-41b4d6fcb8cf}\L [-] --> FOUND
• [ZeroAccess][Folder] L : C:\Users\BJ\AppData\Local\{dbcaa52c-e526-45d0-2df8-41b4d6fcb8cf}\L [-] --> FOUND

When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the machine.




Re run Hitman and have it remove Malware remnants, and Potential Unwanted Programs.



Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

• O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
• O2 - BHO: DownloadTerms - {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - C:\Users\BJ\AppData\Local\DownloadTerms\temp.dat (file missing)
• O2 - BHO: NCH EN - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Program Files (x86)\NCH_EN\prxtbNCH_.dll (file missing)
• O2 - BHO: AMD SteadyVideo BHO - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - (no file)
• O3 - Toolbar: NCH EN Toolbar - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Program Files (x86)\NCH_EN\prxtbNCH_.dll (file missing)
• O4 - HKUS\S-1-5-18\..\RunOnce: [SpUninstallDeleteDir] rmdir /s /q "\SearchProtect" (User 'SYSTEM')
• O4 - HKUS\.DEFAULT\..\RunOnce: [SpUninstallDeleteDir] rmdir /s /q "\SearchProtect" (User 'Default user')

After clicking Fix exit HJT.



Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the area. Do not include the word Code.

Code:

:Files
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\aswOfferTool.exe 
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\avBugReport.exe 
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\avbugreport_ais-7db.vpx 
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\HTMLayout.dll
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\instcont_ais-7db.vpx 
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\Instup.dll
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\instup.exe 
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\instup_ais-7db.vpx 
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\offertool_ais-7db.vpx
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\selfdefense_x64_ais-7db.vpx
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\selfdefense_x86_ais-7db.vpx 
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\setgui_ais-7db.vpx 
c:\users\BJ\AppData\Local\Temp\_av_iup.tm~a06016\ycuxguuy.sys
C:\Users\BJ\AppData\Local\Temp\_av_iup.tm~a06016
C:\Users\BJ\AppData\Local\VisualBeeExe
c:\programdata\Conduit
c:\windows\SysWow64\SearchProtect
c:\users\BJ\AppData\Local\Conduit
c:\users\BJ\AppData\Local\SoftwareUpdater
c:\program files (x86)\NCH_EN
C:\Users\BJ\AppData\Roaming\Microsoft\Windows\Templates\841fg27cc50y80686110fhmdfx5t800fcm7oe36241t
C:\Users\BJ\AppData\Roaming\Microsoft\Windows\Templates\b0ox82m1fa8vey
C:\Users\BJ\AppData\Roaming\Microsoft\Windows\Templates\qdc6io7rx11746o6u722u7
c:\Program Files\Playbryteav.ico

:reg
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallDeleteDir"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{37483b40-c254-4a72-bda4-22ee90182c1e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{37483b40-c254-4a72-bda4-22ee90182c1e}"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{5a1d0d31-749c-4186-a295-4106e6e7b26a}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{01624CC8-882D-4D9C-B4BF-EBD5DC67EFD3}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}]

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



Find the version applicable to you and use their removal tool to be rid of all traces of AVG.

Please download LSPFix when you double click the LSPFix.exe file, the program will open up, does it show any problems?


If you still have Combofix installed then you should ensure it is on your DESKTOP and not in this location here:

Code:

Running from: c:\users\BJ\Downloads\ComboFix.exe

Now re run RogueKiller, and attach the new log.
Same for Hitman.
Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

Hi.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

• R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/?type=293224&fr=spigot-yhp-ie

After clicking Fix exit HJT.

Your remaining issues are topic for the software forum really, however, I will give you one thing to try.


Open up the Windows Registry (click start > type regedit and click on regedit.exe to open)

• Navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\gpsvc
• Right click on this key (gpsvc) and EXPORT it to desktop. Then right click on this key and delete it from in the registry, not the desktop.
• Download the following to your desktop. gpsvc.reg

• Now please click Start, and type regedit into the search box.
• You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
• Right click on regedit.exe and select Run As Administrator
• Then in the Registry Editor menu click File and select Import.
• Navigate to the gpsvc.reg file saved to your Desktop and double click it. Allow it to be added to the registry.

Did you get a success message? Now reboot the machine and let me know whether you're still getting that message pop up or not.

 

Just do this, leaving a section out from last time:

• Now please click Start, and type regedit into the search box.
• You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
• Right click on regedit.exe and select Run As Administrator
• Then in the Registry Editor menu click File and select Import.
• Navigate to the gpsvc.reg file saved to your Desktop and double click it. Allow it to be added to the registry.
  
  
• Did you get a success message? Now reboot the machine and let me know whether you're still getting that message pop up or not.

 

Try deleting all the files in the below folder and then reboot your PC

c:\windows\system32\winevt\Logs

 

Now please click Start, and type cmd.exe into the search box.

• You should see a cmd.exe black icon appear in the Programs area of the Start Menu.
• Right click on cmd.exe and select Run As Administrator.
• A command prompt window will open.
• Enter the below commands in this window. Do both commands even if you receive an error on the first. Follow each by the enter key. Note there are spaces after the sc and after the stop and after the delete.
  
  sc stop SystemStoreService
  sc delete SystemStoreService

Now reboot your PC and see if you still have the problem. Also do the below so I can verify the above fixed took affect.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip