Slow Uncached speed 3 MB/s on C and D

Discussion in 'Malware Help (A Specialist Will Reply)' started by Galligher1, Jan 7, 2005.

  1. Galligher1

    Galligher1 Private E-2

    Hello good geeks! I have noticed lately that my speed has slowed down a bunch and I am getting more programs freezing that must be ended with control alt delete. I went to PC pitstop and ran full tests (have results link) and ran adware and spybot to check for spyware. Also running current NAV. PC Pitstop has thrown up a red flag at my uncached disk speed which is 3MB/s and advised I go to hijack this and run their program. (have log)

    I also run Zone Alarm 5.5.062.004 and Diskeeper 8.0. I back up every day to a Western Digital External Hard Drive and most mornings come in to about 100 error messages (that I have to click through!!!!) telling me that a delay write failed and the data was lost due to connection failure....the drive will back up anything else on command, such as MS Money, QuickBooks, etc, but it seems if the drive backs up for a longer period of time, the unattended backups are halted somehow. Using Stomp Software and Western Digital has replaced the drive twice. I have copies of error messages. I also get a balloon error message from the right side of the task bar advising of the same error.

    If anyone can help me with this, please do! :rolleyes: :eek:
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. Galligher1

    Galligher1 Private E-2

    Well, I did everything you asked to do.

    Nothing at Trend Micro.
    Symantec security check all good.
    Ran Stinger....nothing
    Cleaned with CCleaner.....delete index DAT was already checked as a default
    Adaware SE update downloaded and run....found 9 audit trails on various programs....last this, last that, deleted
    Spybot updated and run....5 DSO exploits fixed in registry....changes made to internet explorer browser
    Ran CWShredder.....nothing
    Kill2Me Nothing
    Buster, nothing
    HSRemove nothing
    Hijack this, Log in my docs.
    System is still very slow compared to reload of XP back in August. Most noticeably in last week or so.

    Tell me what you would like me to do next.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not need to run HSremove or about:Buster. They are for HSA and about:blank hijackers which you did not indicate that you have.

    I asked you to post a HijackThis log if still having a problem after the cleanup. Note HijackThis must be installed properly. Make sure you are not running it from any of the directories I said where NOT to put it. It is just easier to put it in C:\Program Files\HJT. Then exit ALL browsers, do a scan and save the log. Then run your browser, come back here and post the log as an attachment.
     
    Last edited: Jan 9, 2005
  5. Galligher1

    Galligher1 Private E-2

    Sorry Doc, I thought I had to wait until I was asked and I did not catch that request.... my Hijack this is in its own directory on the C:drive...C:Hijackthis
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is. But do you know what the below is?
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
     
  7. Galligher1

    Galligher1 Private E-2


    I have NOOO idea! Could there be two versions of ie on my computer?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! That is the path to the real Internet Explorer. Are you sure that you exited (not minimized) all IE sessions before running IE? Check right now. Close (click the X in the top right corner of the window) all IE sessions including the one you are reading this message in. Then run HJT and get a new log. Does IE still show as running?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this your expected home page: http://www.medion.com

    What is this program: :\Program Files\sMaRTcaPs\SmartCaps.exe
    Do you really use this: C:\Program Files\ScrubXP\scrubxp.exe

    Why do you have msconfig running at startup? See this line:
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    What are you using it to block from loading? Run msconfig and change it to Normal Startup. Then run SpyBot S&D and disable TeaTimer.exe. Then reboot your system and get a new HJT log to post.
     
  10. Galligher1

    Galligher1 Private E-2


    Expected page has been changed to "blank" by me. The computer came with Medion as home page.

    smart caps is a program which eliminates screw ups by quick presses of the caps and num keys....requires you to hold the key 3 seconds before it functions. What I REALLY want is to be able to boot with num lock on! Don't need smart caps, and it's a 30 day trial which I will uninstall.

    Scrub x runs in the tray and when you click on it, it cleans all tracks, incl internet activity. Any different suggestions on that?

    I run MSConfig at boot so I can see if any programs are loading without my knowledge. But I missed this one! C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    There is so much crap in my startup in MSConfig....must be about 30 or so lines! I will follow further direction and post new log tomorrow....the wifey awaits!

    Thanks for the help, Doc!

    Pvt Brian!
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not have blank set, you have http://www.medion.com set and it will always change back to that due to the O14 line they added: O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com

    What is this Teknum update thing? I seem to remember it being malware of some sort?
    O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup

    Exit all browsers and run HJT. Have it fix the below lines:
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O15 - Trusted Zone: http://*.ifriends.com
    O15 - Trusted Zone: http://*.imlive.com
    O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab?
    O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (Download Coach Installer) - http://www.objectcube.com/dc5/aebn/files/objectCubeInstall.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
    O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
    O16 - DPF: {C06C3EE1-9932-4BA2-8299-B23B1B480E89} (QBMASSyncCom2_2003.UserControl1) - https://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2003.cab
    Now post a new HJT log!
     
  12. Galligher1

    Galligher1 Private E-2

    Hello, Doc, I have completed all tasks....ran spybot with teatimer off....I cannot find a place to turn it off in the program, so I turned it off in MSConfig and rebooted....everything else in MSConfig is running except Teatimer. Then ran HJT, log attached.

    When I open a new IE window, it shows "about blank" I got tired of seeing the Medion Screen and went into tools and changed it. It stays there all the time...haven't seen Medion since I changed it. Would love to find a "girl of the day" site!

    Teknum is the maker of HandyBits File Shredder which is used to shred documents for hospitals and doctors that I work with. If you know an alternative, Teknum is recognized by spybot as a possible threat.

    Talk atcha soon. Thanks again!

    Brian


     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To disable TeaTimer the right way: run Spybot, change the Mode to Advanced, select Tools, and then select Resident. In the right window pane, uncheck the TeaTimer option.

    Your log still shows TeaTimer running. Please disable it the proper way and stop using msconfig to restrict anything from loading. I want you to boot with Normal Startup.

    The below statement does not make any sense:

    You still have your start page set to Medion. Look at your HJT log. And it is always going to be that page anytime you Reset your web settings since they changed your IERESET.INF file to have their information. See the O14 line in HJT. Medion took it over.

    Who is Medion and would you like to fix this?
     
    Last edited: Jan 11, 2005
  14. Galligher1

    Galligher1 Private E-2

    Good morning. When I get to the office I will fix the tea timer thing and be a good geek and not use MSConfig to change start ups. :)

    Medion is the "Brand Name" of my computer...I bought it at Circuit City. It was made in Germany. All I can tell you is that I went to tools in IE and there is a row of buttons to choose from. I chose the option "use blank". If we can fix the medion entry, that would be good.

    Unless I get other instructions, I will disable teatimer, run spybot, reboot and run HJT and post a new log. Can I check the Medion entry to get rid of it? Thanks, Doc.
     
  15. Galligher1

    Galligher1 Private E-2

    Yo Doc! I have unchecked the teatime box in advanced mode of Spybot and the sucker won't go away....as soon as I switch pages and go back it's there again. I tried closing the program and still comes back. I cannot find a save button either....wrote to spybot support for comments. Attached is new log with no restrictions on MSConfig.

    Thanks again,
    Brian
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall Spybot for now and then reboot. We can reinstall it later. I'm not sure what the problem is with stopping TeaTimer.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nope! msconfig is still being used at startup! This line is still in your log:
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto


    You need to click Start, Run, and enter msconfig and click OK.

    Then select the option that says Normal Startup. Then click Apply and OK.

    Make sure you have uninstalled Spybot as requested in my previous message.
    Run HJT and have it Fix the below lines:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto <--- if still here
    O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
    O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} -
    O16 - DPF: {C06C3EE1-9932-4BA2-8299-B23B1B480E89} -

    Then reboot and get a new HJT log.
     
  18. Galligher1

    Galligher1 Private E-2

    OK, something is REALLY wrong here. I removed Spybot in Control Panel/Add Remove programs.... and Teatimer was NOT GONE! So I went into Start/Programs/and Spybot was still there. I clicked on it and sure enough, spybot opened! It won't run but it is obvious the uninstall in add/remove programs was incomplete.....everything appears normal when you open the program but it will not update from the web and then freezes. The program does not show now in add/remove programs and there is no option to uninstall in Start/programs/spybot. Should I attempt to remove in MyComputer/C:/program files/Spybot and delete the folder?
     
  19. Galligher1

    Galligher1 Private E-2

    OK, your geekness, this is getting scary. I checked msconfig and the Normal box was checked. (this freekin computer is NOT normal!) I checked the box on the last 3 boots to eliminate msconfig opening on boot, but it does anyway. Now, after removing the selected items you suggested, everything removed except the R1 Medion, the O4 MSCONFIG, and the teatimer. I retried it three times with no success.

    What should we do now?

    Thanks, Brian
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Open Windows Explorer and check for the following folder:
    C:\Program Files\Spybot - Search & Destroy

    If it exists, delete it.
    Now you need to either stop Ad-Aware's Adwatch program or you will have to uninstall Ad-Aware. It is also stopping you from changing items. That may be why you cannot make those other changes in HJT.

    You can try this to stop Ad-watch from running:


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side.
    Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    After clicking Fix, exit HJT.

    Now right click on your desktop Internet Explorer icon and select Properties. Then click the General tab and set your home page address to www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell me how things are working.
     
    Last edited: Jan 11, 2005
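
An added example, not part of the original thread and not HijackThis's own code: a small Python parser for the entry types chaslang asks Brian to fix in the posts above (O2 BHOs with no file, O16 DPF entries with no URL, the R1/O14 page defaults, the O4 MSConfig /auto line, O15 wildcard Trusted Zone sites), plus a before/after comparison that reports flagged entries a blocked fix left behind. The sample logs are constructed from lines quoted in the thread (the attached logs are not on the page), and the function names are assumptions.

```python
import re

# HijackThis section prefixes that appear in the thread.
SECTIONS = {"R1": "IE page value", "O2": "Browser Helper Object",
            "O4": "Run-key autostart", "O14": "IERESET.INF defaults",
            "O15": "Trusted Zone site", "O16": "ActiveX download (DPF)"}
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")

# Constructed sample logs, assembled from lines quoted in the thread.
BEFORE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O15 - Trusted Zone: http://*.imlive.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
"""
AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""


def flag(code, body):
    """Return a reason if the entry matches a pattern fixed in the thread."""
    if code == "O2" and body.endswith("(no file)"):
        return "BHO registered but its file is missing"
    if code == "O16" and body.endswith("} -"):
        return "DPF entry with no codebase URL"
    if code == "O4" and "msconfig.exe /auto" in body.lower():
        return "msconfig /auto autostart present (startup not set to Normal)"
    if code in ("R1", "O14") and "=" in body:
        return "page default set to " + body.split("=", 1)[1].strip()
    if code == "O15" and "*." in body:
        return "wildcard domain in Trusted Zone"
    return None


def review(log_text):
    """Parse a HijackThis log; return (code, body, reason) per flagged entry."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m or m.group(1) not in SECTIONS:
            continue  # header, process list, or a section not covered here
        code, body = m.groups()
        reason = flag(code, body)
        if reason:
            findings.append((code, body, reason))
    return findings


def persisted(before, after):
    """Flagged entries present in both logs, i.e. fixes that did not stick."""
    still = {(code, body) for code, body, _ in review(after)}
    return [f for f in review(before) if (f[0], f[1]) in still]


if __name__ == "__main__":
    for code, body, reason in persisted(BEFORE, AFTER):
        print(f"{code}: {reason}\n    {body}")
```

Entries that survive a Fix and a reboot, as the R1 and O4 lines did here, point to something rewriting them, which in this thread turned out to be the resident protection tools rather than a hijacker.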
  21. Galligher1

    Galligher1 Private E-2

    Hey Doc! It worked! Check out the log....unless I'm blind, I would say it worked. I was able to disable adwatch right in the program and it did not list in the process manager after I disabled it. But the entries we had problems with are gone. Too early to tell on system, but if it's OK, I can go back to Pitstop to measure disk speed? Or is there a utility online I can download? Log is attached.

    Thanks again,
    Brian
     


  22. Galligher1

    Galligher1 Private E-2

    Hey Doc...In addition to above, Have used the machine all afternoon...no improvement in speed...... :rolleyes:
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so we have fixed the problem with your start page. As I suspected, it was not a hijack. It was just the blocking effects of the programs you were using.

    Now as far as speed! What is it that you are talking about? Do you mean download speed? Or are you saying in general all operations on your PC seem to be taking longer than you "think" they used to take? What is your reference point?
     
  24. Galligher1

    Galligher1 Private E-2

    TIP > Unusually low disk performance
    Drive C has an uncached speed of 3 megabytes per second.

    Drive D has an uncached speed of 3 megabytes per second.

    For comparison, systems with the same CPU and clock speed as this one have a speed of 32.9 MB/s.

    The above was written by PC Pitstop when I visited their site a few weeks ago for their online testing. I went there because I have had good results with them on other machines, and my windows files are getting very lazy when opening up. Even my sound files seem to be breaking up. Any suggestions?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which PC Pitstop test are you running?

    I'm not sure how you connect to the internet. It may be that you need AOL, if so skip the first 4 items listed below that I say to kill with HijackThis's Process Explorer.

    What I want you to try is running HijackThis to end a bunch of Processes and then run your test again!

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following processes and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\America Online 9.0a\shellmon.exe
    C:\Program Files\America Online 9.0a\waol.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\ScrubXP\scrubxp.exe
    C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
    C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Messenger\msmsgs.exe

    After killing them exit HJT and run your test. Is there any change?
    What does the PCPitstop DiskHealth report indicate?
     
  26. Galligher1

    Galligher1 Private E-2

    Hey Doc, the files below could not be killed by HJT because they were either already stopped or they were protected. I killed the rest, went to PCPitstop and ran full system test....same results for slow uncached disk speed on C, D, external drive L. Link for test results is below the files that could not be killed.

    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


    Pitstop Link
    http://www.pcpitstop.com/techexpress.asp?id=K0CP9WPWGGRSVRK7

    Thanks again Doc....BTW, my Dad died this morning at 2AM, so I'll be flying out from west Palm FL to Philly on Sat and may not be back until next thursday (20th), but feel free to keep posting on this til fri PM.

    Brian
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Brian,

    I'm very sorry to hear about your Dad! My best wishes go to you and your family.

    We can pick this up when you get back!
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your Primary Disk Controller interface set for PIO or DMA?
     
