My laptop has become so slow! 1/2

[dogwonder]

Recently my laptop has become very slow. Can't find any malware with my normal AV og AdWare-removal (Norman Antivirus and Ad-Aware SE Pro).

As far as I know I have followed every step up until this posting.

[TimW]

Please attach the remaining logs that are asked for:
When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
o CounterSpy
o AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
o Bitdefender - from step 6
o Panda Scan - from step 6
o runkeys.txt - the log from GetRunKey.bat
o newfiles.txt - the log from ShowNew.bat
o HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

[dogwonder]

post 2/2

[TimW]

Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Again, make sure ALL browser windows are closed when you click FIX.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now

[dogwonder]

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

&

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

don't seem to go away. They come up again when I run a new HJT...

The Pc is a bit faster, but not by far the way it was like 2 weeks ago...

[TimW]

Let's try two things:

First: Go to add/remove programs in the control panel and uninstall Counterspy, as we will no longer need it.

Also you must shutdown Ad-Aware's Ad-Watch because it will also block changed we are trying to make. If it is in your system tray, you should be able to shut it down from there.

Now re-run the HJT fix and see if that works for this key:
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Don't remove the other key (
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) )

Once that is done please attach a new HJT log.

[dogwonder]

It is still slow as a turtle. Removed the program while disabling the Ad-Aware.
I have also defragmented the harddisk. Nothing seems to help.

[TimW]

Did you have HJT try to fix the item? Do you have Realtek AC97 Audio in your add/remove program list in the control panel? ALCMTR.EXE is an information gathering program that is probably what is slowing down your computer....it is part of the Realtek program and needs to be removed. If you did have HJT remove it, and it still is reoccuring, you may want to remove the Realtek program.


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

Quote:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

After clicking Fix, exit HJT.

Then please attach a new:
* GetRunKey log (named runkeys.txt)
* ShowNew log (named newfiles.txt)
* HijackThis log

[dogwonder]

Quote:

Originally Posted by TimW

Did you have HJT try to fix the item? Do you have Realtek AC97 Audio in your add/remove program list in the control panel? ALCMTR.EXE is an information gathering program that is probably what is slowing down your computer....it is part of the Realtek program and needs to be removed. If you did have HJT remove it, and it still is reoccuring, you may want to remove the Realtek program.


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe


After clicking Fix, exit HJT.

Then please attach a new:
* GetRunKey log (named runkeys.txt)
* ShowNew log (named newfiles.txt)
* HijackThis log

Yes, I used HJT to try to fix the item. Yes I have Realtek High Definition Audio Driver on my computer, and it shows in Add/Remove programs. Can I remove it without losing the sound on my PC? Do I need another driver?


Ran HJT with no browsers active and Ad-Aware of.

[chaslang]

Quote:

Originally Posted by dogwonder

Can I remove it without losing the sound on my PC? Do I need another driver?

No and No!


Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


Did you at one time install Remote Packet Capture Protocol to use in capturing packets? Perhaps with software like Ethereal (now called WireShark). The below service is showing for it:
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Do you use the below encryption software from Acer?(see http://global.acer.com/products/et/eDataSecurity.htm)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll


I see the below file which is noramlly related to TuneUp Utilities and a BootScreen loaded but I don't see the program installed. Did you have this installed and uninstall it? If not, this may be a malware file.
C:\WINDOWS\system32\TUKernel.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Programfiler\Fellesfiler\Symantec Shared <--- the whole folder
C:\Programfiler\Sunbelt Software <--- the whole folder

Now run Ccleaner.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Speed Launch.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Microsoft Office.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Steve Yttervik^Start-meny^Programmer^Oppstart^Adobe Gamma.lnk]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
"key"=-
"item"=-
"hkey"=-
"command"=-
"inimapping"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ccApp]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MsnMsgr]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"startup"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now! If your PC is still "slow", explain exactly what is slow:

1. boot up ?
2. shutdown ?
3. surfing ?
4. all processes ?
5. is it slow when not connected to the internet ?
6. Is it slow in safe mode?

[dogwonder]

OK... New development...

Came as far as double-clicking the .reg-file. Then all the icons went blanc, nothing would open. It stated that it was ex. ad-aware.lnk file that it can't recognize or open.

Basicly my pc is "d"ucked now...

All I can do is opening the internet browser in the start menu. I can't even open msconfig in "run". Don't know why firefox is the only thing I can use on my PC, but I would prefer to have more functionality.

It seems like all the .exe files are corrupted in some sort of way.

[chaslang]

Quote:

Originally Posted by dogwonder

It stated that it was ex. ad-aware.lnk file that it can't recognize or open.

Translate this into a more complete statement please!

None of what we were doing would cause your Desktop to disappear nor would it cause you to loose files associations which it sounds like is what you were possibly describing above.

See fix # 12 on this page: http://www.kellys-korner-xp.com/xp_tweaks.htm

[dogwonder]

Quote:

Originally Posted by chaslang

Translate this into a more complete statement please!

None of what we were doing would cause your Desktop to disappear nor would it cause you to loose files associations which it sounds like is what you were possibly describing above.

See fix # 12 on this page: http://www.kellys-korner-xp.com/xp_tweaks.htm

OK. Fixed it...
It seems like Ad-aware didn't like the registry modifications that much and ducked up my pc.

Now I have lost all my system icons in my system tray (Down to the right). Does that have anything to do with the .reg file you made???

Will complete your "recipie" now, and post it soon... Thnx

[chaslang]

Quote:

Originally Posted by dogwonder

Now I have lost all my system icons in my system tray (Down to the right). Does that have anything to do with the .reg file you made???

No! What exactly are you doing on your PC? If you are doing anything other than exactly what we ask you to do then you must stop doing that. As far as I can tell you still have not completed my instructions in message # 10, and I don't know what you have been doing since I have posted them. You never even addressed any of my questions.

[dogwonder]

Quote:

Originally Posted by chaslang

No! What exactly are you doing on your PC? If you are doing anything other than exactly what we ask you to do then you must stop doing that. As far as I can tell you still have not completed my instructions in message # 10, and I don't know what you have been doing since I have posted them. You never even addressed any of my questions.

OK... I'll just take it from where everything went wrong...
After the regedit Ad-aware went ballistic and started blocking all the registry-changes. (Had it on automatic) After that I lost all function of the links to bat, exe, reg and com-files, so that's why I have been a little slow to answer. Fixed all that with the link you sent me. I have now managed to do the HJT, GetRunKey and ShowNew diagnosis you've asked me to do. (Posted under).

Now to adress your questions (sorry about the lateness, but as you now know I got into other problems along the way):

1.Did you at one time install Remote Packet Capture Protocol to use in capturing packets? I haven't done that personally. It may have come with the computer when I bought it, but I don't really know. (Have an Acer Aspire 1640Z)

Do you use the below encryption software from Acer? I don't use it, but I know it is on the computer as a part of the "Acer empowering-system"

I see the below file which is noramlly related to TuneUp Utilities and a BootScreen loaded but I don't see the program installed. Did you have this installed and uninstall it? If not, this may be a malware file.
C:\WINDOWS\system32\TUKernel.exe: Yes, I had TuneUp Utilities installed on my PC, but I uninstalled it after the trial-period. I still have a TuneUp Back up-choice when I start up windows which I don't seem to get rid of.

Slow Computer???
Yes, it is still slow.
1. Boot up: It goes much slower than before. Both Loading windows and loading the start-up programs and such. Especially when trying to open a folder for the first time after booting. Start-> Controll Panel -> Add/Remove Programs takes like 2 min to open. Never been that way before.
2. Shutdown varies very. Sometimes it shuts down within a snap of my fingers, but othertimes it takes forever (Even when I'm not running any programs)
3. Surfing goes OK I guess. I use FireFox, and it has always been kind of slow in the startup. Can't say I see any difference.
4. All processes? Not entirely sure what you mean by that, but some programs takes a bit longer to start up than before. (Ad-Aware, Loading games like Football Manager and such)
5. It is not any slower when connected to the web I think.
6. It is a bit faster in SafeMode. I.e opening folders and such.

Another thing I have noiced in the startup is that a file called Nvcoas.exe uses a lot of CPU... The first couple of minutes it hovering on about 90 CPU. I know that is a function in Norman AV, but I don't know if or how to shut it of. For all I know it might be essential for the AV function.

Ps. About the system icon trays. They just disappeared after the .reg entry, but they now have come back. Don't know why. Haven't done anything.
Pss. The LCD-volume display has disappeared also, but haven't come back yet. But thats is no biggie.

Hope this helps with figuring out the problem.

[chaslang]

Your runkeys.txt logs shows (in the section titled Listing MSCONFIG Registry Keys ) that you are using Msconfig or another startup manager to control startups. Per the READ ME, you must not do this. The registry patch in message number 10 was trying to get around some of this automatically. Now you just set them and more into this same state again. Please stop using whatever you are using to control startups so we can solve your problems properly. Stopping startups that you never need to load is not the correct answer. The correct answer is to never load them to begin with.

It sounds to me (based on your comment about Norman using 90% or your CPU) that you problem is not malware at all but is really Norman. Perhaps you should test trial uninstalling (no do not just disable it from loading using msconfig or similar - it will not have the same effect) it and then reboot! Now see if your speed problems go away. If so, you can either reinstall it, to see if the problems come back or they stay gone. If they come back, uninstall it permanently and use one of the free tools mention in this: How to Protect yourself from malware!


Also delete the below file which you no longer need since TuneUp Utilities is not used:
C:\WINDOWS\system32\TUKernel.exe

Also since you obviously do not use Remote Packet Capture, do the below to remove the service.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Remote Packet Capture Protocol v.0 (experimental)
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/pasterpcapd into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT and reboot when it tells you it needs to.

Now after doing all of the above (and making sure no startups are disabled by MSconfig or anything else), attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

[dogwonder]

OK...

-Have msconfig on start up all items...

-Un-installed Norman and are now using Avast

-Installed Kerio Personal Firewall, Disabled Windows Firewall.

-Deleted C:\WINDOWS\system32\TUKernel.exe

-Remote Packet Capture Protocol v.0 (experimental) wasn't in services.msc. So that problem is still a problem or it's mysteriously solved???

* Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
* At the lower right, click on the Config button
* Then click the Misc tools button
* Select Delete an NT Service
* Copy/pasterpcapd into the box that opens, and press OK
* If you receive any error messages just ignore them and continue.
* Now exit HJT and reboot when it tells you it needs to.

-The Above is DONE, BUT... I didn't get a reboot-prompt, and have not rebooted before running HJT, NewFiles and RunKeys -

[chaslang]

Quote:

Originally Posted by dogwonder

-Un-installed Norman and are now using Avast

Norman left a bunch of service behind that we need to remove!

Quote:

Originally Posted by dogwonder

--Remote Packet Capture Protocol v.0 (experimental) wasn't in services.msc. So that problem is still a problem or it's mysteriously solved???

No!!!! It is still there and you need to re-run the procedure I gave you and follow it exactly as written from beginning to end. Ignore any error messages and continue. We are going to have to do the same thing to remove all of the left over Norman service so let's get this one done right first. If you don't see Remote Packet Capture Protocol v.0 (experimental), tell me if you see something similar.


Norman left the 5 below services behind!
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE (file missing)
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Unknown owner - C:\Norman\Nvc\bin\nvcoas.exe (file missing)
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Nvc\BIN\NVCSCHED.EXE (file missing)

You did not tell me if uninstalling Norman cured your problem with high CPU usage!

You also have a leftover process from Symantec. Let's fix it a some other stray entries!


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"

After clicking Fix, exit HJT.
Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode

Now attach a new HJT log!