Computer start-up slowed to a crawl

Discussion in 'Malware Help (A Specialist Will Reply)' started by jlnorton, Apr 21, 2008.

  1. jlnorton

    jlnorton Private E-2

    Hi all --

    About three weeks ago, my computer (a Lenovo T61) suddenly started taking roughly 15 minutes to start up (start-up defined as initial splash screen through successfully opening my first program, typically Outlook.)

    The really bizarre thing is that once these 15 minutes have passed, my computer runs more or less fine (though I find opening programs takes a little longer than it should.) I've pored through my BIOS settings, looked at every service I have running, combed through HijackThis (including running ADS Spy), ran Spybot, prayed to several different deities for help, and even resorted to calling my IT department.

    I have attached my HijackThis log; I would *greatly* appreciate any thoughts; also, please let me know if there's any additional information I can upload or post that might help.

    - J

  2. abri

    abri MajorGeek

    Hi jlnorton,
    Welcome to Major Geeks!


    Have you checked your hard drive for physical errors? There's a Windows tool which you can get to by opening My Computer (or going to Start and clicking on My Computer) to show all the drives. Choose the drive you wish to scan and right-click on it. Go to Properties / Tools and select the first item on the Tools tab, which will look for flaws in the hard disk. There may be a tool from Symantec which also does this. There used to be a tool called Disk Doctor. I don't know if it is still part of Symantec's tools?

    The other thing to consider is that there may be a software conflict. Did you install anything just before this started, including Windows updates? Have you always been running Symantec?

    If the above scan of the hard drive(s) does not show anything amiss, you may wish to return your computer to a system restore point which precedes the beginning of this slowdown and see if this changes the problem. To do this, go to Start / All Programs / Accessories / System Tools / System Restore, check the box to Restore my computer to an earlier time and click on Next. You'll see a calendar with highlighted dates. Choose one of the dates just preceding these problems and allow your system to return to that date. See if the problem goes away. If it doesn't, you can go through the same steps, only select to reverse the change you just made, and this will return it to where it is now.

    Let me know how all this goes.
    abri
     
  3. jlnorton

    jlnorton Private E-2

    Hi Abri --

    Thanks for your thoughts; I really appreciate it. It didn't even occur to me to check the disk. I did notice that chkdsk took half of forever to run (maybe 4 hours for a 120GB drive), so maybe that does seem to point to some type of hardware problem... Actually, and I should have mentioned this earlier, the reason I suspected some type of malware is that my system restore had no points prior to the date when my computer slowed down.

    Do you happen to have any other thoughts for what I should check? The problem is very strange; the delays seem to come entirely between data read/writes from the hard drive (in other words, hard drive access itself is not particularly slow, but there are ridiculous pauses between the times when the computer accesses the hard drive when the processor doesn't seem taxed -- the computer kinda just sits there. This is not a problem when the computer is working from the RAM cache...)

    Thank you again for your help; I really do appreciate it.
     
  4. abri

    abri MajorGeek

    Hi jlnorton,

    The reason I suspected a flaw in the hard drive is because that's how mine acted once. I put in a 2003 version of the Norton Disk Doctor; it found a faulty sector and rerouted everything around it. After that I didn't have any problem with it again.

    With the disappearing restore points, I would try first running Combofix. Go to the READ & RUN ME FIRST and scroll down to the bottom of the page. Click on the link for the cleaning instructions for your operating system. On the page that opens up, scroll down past the download link for Combofix until you come to the instructions called Running Combofix. Click on that and follow the instructions for downloading and installing it. When it finishes, there should be a log, and the instructions tell you where to find it. Please attach that. Also, if you manage to do that, please then try and get the MGTools to run and let me see that set of logs called MGlogs.zip as well. That should give me some clue as to whether there is malware or not.

    abri
     
  5. jlnorton

    jlnorton Private E-2

    Grabbing an old version of Disk Doctor is a really good idea; that hadn't even occurred to me. I might even have one at home. Not to take even more of your time, but I'm curious if you know why Disk Doctor is so much better than chkdsk. It seems to me (who knows very little) that either a sector works properly or it doesn't, and any software that tested for this would be pretty much the same...

    I've attached the two files. Again, thanks much!

  6. abri

    abri MajorGeek

    Hi jlnorton,

    I don't see any evidence of malware. I do see some files that I wonder about, so maybe you can look at them while we're looking at your files.

    Right-click on the following in Windows Explorer, then click on Properties and see if you can find more information on them.

    C:\WINDOWS\system32\
    workaf~1.exe Jan 22 2008 16384 "WorkAfterReboot.exe"

    If you open your newfiles.txt log in the MGlogs.zip and do a search for "Sep 11" without the quotes, you'll see a number of items from that date under Windows. One of them might jog your memory.

    C:\WINDOWS\
    qfe284.tmp Sep 11 2007 512752 "qfe284.tmp"
    qfe28d.tmp Sep 11 2007 524680 "qfe28D.tmp"
    MS Sep 11 2007 "ms" <--- this is a folder ... what is in it?

    After getting the information on the files, please go to Add/Remove Programs and uninstall the below:

    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 3

    Reboot after uninstalling the above.

    Install the current version of Sun Java from: Sun Java Runtime Environment

    I would then ask you to start a thread in the Hardware or Software Forum and see if they can help you in terms of diagnostic tools. If there's an error, they may be able to help you force a blue screen so you can get the error message.

    If it seems like it could still be malware, it might be worth it for you to either complete the READ & RUN ME scans (Spybot, MalwareBytes and SuperAntiSpyware) or alternatively do the BitDefender and/or Panda ActiveScan online scans. Each of these picks up different malware items. The instructions for the first three scans you can get to by using the READ & RUN ME link. The other two scans can be found in the Alternate Scans. Be sure to use the link that has the instructions with it rather than just the download link.

    abri
     
  7. jlnorton

    jlnorton Private E-2

    Thanks again for all of the advice. I could not figure out what "WorkAfterReboot" was, but after digging around I decided to remove it to be safe. The temp files were just left over from a service pack installation... None of this has seemed to help, so I will have to try the Hardware/Software forum. Thanks again!
     
  8. jlnorton

    jlnorton Private E-2

    Oh... forgot to mention, the folder "MS" was empty. Out of an abundance of caution, I deleted it...
     
  9. abri

    abri MajorGeek

    Hi jlnorton,

    Did you ever actually complete the scans in the READ & RUN ME? Spybot, SuperAntiSpyware and Malwarebytes?

    Also, do you know what these are?

    C:\WINDOWS\
    qfe284.tmp Sep 11 2007 512752 "qfe284.tmp"
    qfe28d.tmp Sep 11 2007 524680 "qfe28D.tmp"

    If these two are still there, I recommend renaming them to qfe284.tmp.zzz and seeing what happens. I don't think they should be in Windows. The only thing which makes me cautious about deleting them is that they've been in there so long.

    And finally, even files with the strangest names may belong to a valid program. If you're not sure about a file, rename it, and if you're still not quite sure, back it up somewhere before you delete it so you can get it back. One of the reasons we use tools like Combofix is that they do back up the files that are removed.

    abri
     
  10. jlnorton

    jlnorton Private E-2

    Hi Abri --

    Sorry about the delay; I was buried the past few days...

    1) I did complete Spybot, SuperAntiSpyware, and Malwarebytes.
    2) Those temp files seem to have been left over from a WinXP service pack installation. As with the other files, I renamed and moved them rather than simply deleting them first (though I've since permanently deleted them).

    Again, your help has been hugely appreciated; should you get hit with a brilliant idea at some point, please let me know.

    - J
     