Windows 7 Machine super slow

Discussion in 'Malware Help (A Specialist Will Reply)' started by douglaswlee, May 21, 2013.

  1. douglaswlee

    douglaswlee Private E-2

    Hello,

    I understand that my Windows 7 machine being slow may not be from malware/virus, but it seems the elementary steps most often mentioned here are the Read Me First! scenario. I have attempted to follow all the guidelines to the best of my ability & hope I do not waste anybody's time here. I am attaching the logs for an advisor to look at. Thank you in advance!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To properly work on this we really need logs from normal boot mode especially for MGtools. But let's address a couple things and then get a new log from MGtools.

    Uninstall Delta toolbar and then reboot your PC.

    After reboot, boot into normal mode and continue.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the JRT.TXT log
    • C:\MGlogs.zip
     
  3. douglaswlee

    douglaswlee Private E-2

    Thank you, I am already seeing some speeding up of my computer after the steps you asked me to perform.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: {ae07101b-46d4-4a98-af68-0333ea26e113} - {127AD70F-B2B7-4f6a-ACD9-C7B1FE48C8C0} - C:\Windows\syswow64\MsiExec.exe
    O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - (no file)
    O3 - Toolbar: (no name) - !{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - (no file)
    O3 - Toolbar: Naturalsoft IE Bar V9 - {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll (file missing)
    O3 - Toolbar: (no name) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - (no file)
    O3 - Toolbar: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)

    After clicking Fix, exit HJT.

    Now please rerun Hitman Pro just like you did previously in the READ & RUN ME and attach a new log. There may be more to cleanup that JRT did not remove.
     
  5. douglaswlee

    douglaswlee Private E-2

    I believe there is probably more to clean up. The computer stalled several times this morning. Those "malware demons" must know their time of infestation is short, lol. Attached is the Hitman log.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your problems with stalling may just be due to the software you are running.


    First thing you need to do is run MSconfig and put your PC back into Normal Startup mode. You should not be using MSConfig like you are to control startups. It was not meant to be a startup manager. Read this to better understand why not to use MSconfig: Dealing with Startup Process

    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Windows\tasks\PC Optimizer Pro Updates.job
    C:\Windows\tasks\PC Optimizer Pro64 startups.job
    C:\Windows\TEMP\*.*
    C:\Users\Doug\AppData\Local\Temp\*.*
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1231839B-064E-4788-B865-465A1B5266FD}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2DAC2231-CC35-482B-97C5-CED1D4185080}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3F1CD84C-04A3-4EA0-9EA1-7D134FD66C82}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3F83A9CA-B5F0-44EC-9357-35BB3E84B07F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{47E520EA-CAD2-4F51-8F30-613B3A1C33EB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{57C91446-8D81-4156-A70E-624551442DE9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{70AFB7B2-9FB5-4A70-905B-0E9576142E1D}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7AD65FD1-79E0-406D-B03C-DD7C14726D69}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{97DD820D-2E20-40AD-B01E-6730B2FCE630}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B177446D-54A4-4869-BABC-8566110B4BE0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D9D1DFC5-502D-43E4-B1BB-4D0B7841489A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0B07188-A528-4F9E-B2F7-C7FDE8680AE4}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
    [-HKEY_USERS\S-1-5-21-3463355303-4046505870-281057948-1000\Software\Datamngr]
    [-HKEY_USERS\S-1-5-21-3463355303-4046505870-281057948-1000\Software\DataMngr_Toolbar]
    [-HKEY_USERS\S-1-5-21-3463355303-4046505870-281057948-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKEY_USERS\S-1-5-21-3463355303-4046505870-281057948-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{9D717F81-9148-4F12-8568-69135F087DB0}]
    [-HKEY_USERS\S-1-5-21-3463355303-4046505870-281057948-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4f12-8568-69135F087DB0},]
    [-HKEY_USERS\S-1-5-21-3463355303-4046505870-281057948-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99079A25-328F-4BD4-BE04-00955ACAA0A7}]
    [-HKEY_USERS\S-1-5-21-3463355303-4046505870-281057948-1000_Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. douglaswlee

    douglaswlee Private E-2

    I changed the startup to normal. When I ran the OTM I did not think to turn off my AVG Antivirus software & it appeared to have tried to interfere with the OTM running. I tried to run OTM again, but it looks like we might have gotten the logs. I will include the 1st log & then one log from when I tried to run it again. Before the AVG interrupted I also got an error while running the OTM. My computer seems to be running extra slow. I think it may be because while I was using the selective startup process I was avoiding some of the programs I no longer needed to use at startup. I see HJT has a remedy for this & may need to use that at some time in the near future, but I felt a little intimidated because I fear I might delete a wrong file. Maybe I can work on that with someone here once we are done with the malware. Thanks for all your help.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which programs don't you need at all to startup? If you give me a list, I can give you a registry patch to permanently remove them. For things you would like to be able to control when they start up, I would use AutoRuns which I mentioned in the Dealing With Startup Process link.
     
  9. douglaswlee

    douglaswlee Private E-2

    Here is a list of programs I would like to take off of my startup process:
    belkin
    seagate dashboard & status icon
    efax
    filevault (? not sure what it does)
    google desktop
    TomTom

    Thanks again
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before continuing you need to decide whether you want

    AVG 2013

    Or you want the below:
    Microsoft Security Client
    Microsoft Security Essentials

    One of these must be uninstalled immediately!!


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Then reboot and make sure they do not show anymore.
     
  11. douglaswlee

    douglaswlee Private E-2

    I am sorry for not getting back with you yesterday (overload of work after the holiday in the USA). I was able to uninstall MS Windows Security Essentials. When I gave you the list of items that I did not want to start up, I was not aware that Google Desktop would be associated with Google Drive Sync; if that is the case I will have to keep Google Desktop, because I definitely need my Google Drive to sync. With that in mind, is this what I should do?


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "TomTomHOME.exe"=-
    "FileVault.exe"=-
    "eFax 4.4"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "InstaLAN"=-
    "Seagate Dashboard"=-
    [HKEY_USERS\S-1-5-21-3463355303-4046505870-281057948-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "TomTomHOME.exe"=-
    "FileVault.exe"=-
    "eFax 4.4"=-
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, but don't forget that the patch must start with REGEDIT4; it must be the first line. And there must be a blank line after it.
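    The patch layout described in this thread (REGEDIT4 on the first line, a blank line, then "Name"=- entries under each [HKEY_...] key) can be checked before the file is merged. The script below is an added example, not from the thread or from MajorGeeks; its sample patch is constructed from the one posted above, without the header and with the quote missing on the TomTomHOME line.

```python
import re

# Key header: [HKEY_...\path]; a leading "-" deletes the whole key (OTM's :Reg uses it).
KEY_RE = re.compile(r'^\[-?HKEY_[A-Z_]+(\\[^\]]*)?\]$')
# Value removal: "Name"=-  (the "=-" tells regedit to delete that value).
DELETE_VALUE_RE = re.compile(r'^"[^"]+"=-$')
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"


def validate_reg_patch(text):
    """Return a list of problems; an empty list means the patch is well formed."""
    problems = []
    lines = text.splitlines()
    has_header = bool(lines) and lines[0].strip() == "REGEDIT4"
    if not has_header:
        problems.append("line 1: first line must be REGEDIT4")
    elif len(lines) < 2 or lines[1].strip() != "":
        problems.append("line 2: a blank line must follow the REGEDIT4 header")
    body_start = 2 if has_header else 0
    current_key = None
    for n, raw in enumerate(lines[body_start:], start=body_start + 1):
        line = raw.strip()
        if not line:
            continue
        if KEY_RE.match(line):
            current_key = line
        elif current_key is None:
            problems.append(f"line {n}: value line appears before any [HKEY_...] key")
        elif not DELETE_VALUE_RE.match(line):
            problems.append(f'line {n}: expected "Name"=- but found {line}')
    return problems


def build_removal_patch(entries):
    """Build a REGEDIT4 patch that removes the named values under each key."""
    out = ["REGEDIT4", ""]
    for key, names in entries.items():
        out.append(f"[{key}]")
        out.extend(f'"{name}"=-' for name in names)
        out.append("")
    return "\n".join(out) + "\n"


# Constructed sample: the patch as posted, with no header and the opening
# quote missing on the TomTomHOME line.
POSTED_PATCH = "\n".join([f"[{RUN_KEY}]", 'TomTomHOME.exe"=-',
                          '"FileVault.exe"=-', '"eFax 4.4"=-'])
FIXED_PATCH = build_removal_patch({RUN_KEY: ["TomTomHOME.exe", "FileVault.exe", "eFax 4.4"]})
```

Running validate_reg_patch on the posted text reports the missing header and the malformed TomTomHOME line, while the patch produced by build_removal_patch passes clean.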
     
  13. douglaswlee

    douglaswlee Private E-2

    Many Thanks for all your help!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove, you can delete these files now.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
