Windows2000 Slow Down

Discussion in 'Malware Help (A Specialist Will Reply)' started by CorporalMcKinney, Sep 9, 2010.

  1. CorporalMcKinney

    CorporalMcKinney Private E-2

    I may have crud on the system which is causing the system to run slower than it seemed it used to. Not a crisis yet, but it is annoying. Most noticeable when I was using Wikipedia via Firefox, and the "slider" on the right side seemed to hang up, and wouldn't allow movement of text for about a half a minute. Sometimes I would forget where I had tried to move text up and down and the display would bounce up and down until it "caught up." More problematic was when I was trying to write a letter on 'Word', and my hunt & peck fingers were running ahead of the display, which I didn't recall happening before.

    I have Panda Antivirus and ran a virus scan which came up clean, and tried cleaning out garbage with Spybot, which nailed 44 "problems." I manually cleaned out my temporary internet files. I have attempted to follow your 5 step instructions and the scans may have done this again as well. The Task Manager doesn't seem to be going crazy with overloads. A similar problem I had 2 years ago, constant reliance on virtual memory, was solved with increasing the memory limits, the procedure of which I don't immediately recall. If it helps, right now I am running 6314 Handles, 351 Threads, 35 Processes. I have a commit charge of 327456, limit 625492, peak 569184. I have Physical Memory of 130596, Available Memory 5440, and System Cache 14812. My kernel memory is 48600, Paged 37456, Nonpaged 11144.

    Attached are the logs as best as I could get them. The RootRepeal may have not run, although I think I do have a 32 bit system. The scan would stop with a Device IO Control Error, Error Code 0=0. I made an error in doing the SUPERAntiSpyware scan, running it on 9/6 exactly backward from what you instructed me to check and uncheck in scan settings. I did it correctly on 9/7. Both logs are attached. The logs are mostly Greek to me, so if you see something obvious, or have any suggestions, your help would be most appreciated.
     

    Attached Files:
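An added triage example, not part of the original post or of the MajorGeeks procedure: the Task Manager figures quoted above (Windows 2000 reports them in KB) can be read mechanically for memory pressure before anyone reaches for a rootkit scanner. The thresholds in the code are the editor's rule-of-thumb assumptions, not Microsoft guidance; the only data it uses is the set of numbers from the post.

```python
"""Interpret Windows 2000 Task Manager "Performance" tab figures (all values in KB).

Added example, not from the thread. The numbers in POST_1 are copied from the
first post: Physical 130596 total / 5440 available / 14812 cache; Commit Charge
327456 total / 625492 limit / 569184 peak; Kernel 37456 paged / 11144 nonpaged.
The thresholds below are the editor's assumptions, not vendor guidance.
"""
from dataclasses import dataclass


@dataclass
class TaskmanSnapshot:
    physical_total_kb: int
    physical_available_kb: int
    system_cache_kb: int
    commit_total_kb: int
    commit_limit_kb: int
    commit_peak_kb: int
    kernel_paged_kb: int
    kernel_nonpaged_kb: int


def analyse(s):
    """Return (metrics dict, list of findings) describing memory pressure."""
    m = {
        "physical_mb": s.physical_total_kb / 1024,
        "available_pct": 100.0 * s.physical_available_kb / s.physical_total_kb,
        # commit charge above physical RAM is what must live in the pagefile
        "overcommit_ratio": s.commit_total_kb / s.physical_total_kb,
        "pagefile_resident_mb": max(0, s.commit_total_kb - s.physical_total_kb) / 1024,
        "peak_of_limit_pct": 100.0 * s.commit_peak_kb / s.commit_limit_kb,
        "kernel_mb": (s.kernel_paged_kb + s.kernel_nonpaged_kb) / 1024,
    }
    findings = []
    if m["available_pct"] < 5:
        findings.append("available RAM under 5%: every new allocation forces paging")
    if m["overcommit_ratio"] > 1.5:
        findings.append("commit charge exceeds physical RAM by more than 1.5x: heavy pagefile use")
    if m["peak_of_limit_pct"] > 85:
        findings.append("peak commit near the commit limit: 'virtual memory low' pop-ups likely")
    return m, findings


def verdict(s):
    """'memory-starved' when two or more pressure findings fire, else 'memory-ok'."""
    _, findings = analyse(s)
    return "memory-starved" if len(findings) >= 2 else "memory-ok"


# Values as they appear in the first post of the thread (KB, as Task Manager shows them).
POST_1 = TaskmanSnapshot(130596, 5440, 14812, 327456, 625492, 569184, 37456, 11144)

if __name__ == "__main__":
    metrics, findings = analyse(POST_1)
    for key, value in metrics.items():
        print(f"{key:22} {value:10.2f}")
    for line in findings:
        print("!", line)
    print("verdict:", verdict(POST_1))
```

On the figures from the post this reports roughly 128 MB of RAM with 4% free, a commit charge of about 2.5 times physical memory (some 190 MB living in the pagefile) and a peak commit at 91% of the limit, so the disk thrashing the poster describes is what a machine this size does under a 2010 browser, Word and a resident antivirus, with or without malware.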

  2. CorporalMcKinney

    CorporalMcKinney Private E-2

    Here are the other two logs.
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Panda Antivirus 2007 <--- You really ought to ditch this as it is very outdated, install AntiVir perhaps? (But not yet!)

    Java 2 Runtime Environment Standard Edition v1.3.1_02 <--- Uninstall this outdated java.

    Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe <--- You need to move combofix directly onto your DESKTOP before we continue.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\WINNT\8e2c~1 
    C:\WINNT\i
    C:\WINNT\p   
    C:\WINNT\~p’ 
    C:\WINNT\c6af~1       
    C:\WINNT\084c~1        
    C:\WINNT\27d3~1        
    C:\WINNT\7b8f~1       
    C:\WINNT\8527~1      
    C:\WINNT\0f45~1       
    C:\WINNT\t            
    C:\WINNT\8516~1        
    C:\WINNT\0416~1       
    C:\WINNT\8f25~1        
    C:\WINNT\0f65~1       
    C:\WINNT\07f6~1      
    C:\WINNT\_c3ff~1       
    C:\WINNT\0827~1        
    C:\WINNT\8816~1       
    C:\WINNT\81b6~1        
    C:\WINNT\0437~1       
    C:\WINNT\8eb6~1       
    C:\WINNT\8305~1        
    C:\WINNT\8337~1        
    C:\WINNT\0c47~1
    C:\WINNT\0405~1        
    C:\WINNT\a             
    C:\WINNT\8fb6~1  
    C:\WINNT\0573~1    
    C:\WINNT\c7ff~1 
    C:\WINNT\8c37~1      
    C:\WINNT\41f5~1        
    C:\WINNT\0f15~1  
    C:\WINNT\0ec5~1       
    C:\WINNT\8ee5~1 
    C:\Documents and Settings\Administrator.CIEGA.000\Local Settings\temp\~sho0001.tmp
    C:\Documents and Settings\Administrator.CIEGA.000\Local Settings\temp\~sho0002.tmp
    C:\Documents and Settings\Administrator.CIEGA.000\Local Settings\temp\{ac76b~1.ini  
    C:\Documents and Settings\Administrator.CIEGA.000\Local Settings\temp\{ac76b~2.ini
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me how things are running now. :)
     
  4. CorporalMcKinney

    CorporalMcKinney Private E-2

    We are now in a crisis mode. This machine now seems to be running MUCH slower. Prior to a reboot I was frequently getting repeated error messages that say "Web Proxy.exe has generated errors and will be closed by windows. You will need to restart the program. An error log is being created.", although this has not happened yet. As I am typing this there were pauses in the display.

    Functions that used to take a half minute are now running up to a minute in lag time, if not more. At this point, unless the attached logs show you something obvious, I am going to have to call in a professional, as the machine is hardly suitable for daily business use.

    Attached (hopefully) are the combofix log and the MGlog.zip. In between doing those I did what I think was the upgrade to Java RunTime 6 from the Major Geek site. Download was labeled jre-6ru21-windows-i586.exe.

    Hopefully you'll be able to help, otherwise I am in significant trouble. Any advice is appreciated. I am not sure I ever sent the original Hijackthis .txt, so you should also see that, although bear in mind it was done before any of the 5 step process was undertaken.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Those errors relate to Panda AV, which is out of date anyway. Using out of date AV is leaving yourself wide open to all sorts of crap.
    Erm, you mean what I have already removed? (And you did not attach new logs :()

    Well, I am fully trained in malware removal, do it on a daily basis, so I am hardly an amateur. However if this is a business machine, perhaps you should ask the IT technician to look at it, as that's what they are paid to do, whereas I am a volunteer.
     
  6. CorporalMcKinney

    CorporalMcKinney Private E-2

    Please note I am the amateur here, fully acknowledged as such! Any help you can provide IS appreciated. Also, I am a small business owner (sell janitorial chemicals @1MM/year) so there is no in-house IT, although we do have a guy available on call.

    I had always thought that if I updated my AntiVirus, which is done everyday automatically, I would be protected. Newer versions might work better/faster, but would not a 2007 Panda updated keep the same Virii out as a 2010?

    I am typing this on my laptop, and tried putting the pertinent .txt files on a flashdrive and will attempt sending them again. The combofix was somewhat alarming as it ran. Maybe I am just nervous about words like "kill." What were all of those files such as " C:\WINNT\0f45~1"? Perhaps most alarming was the disappearance of all my screen Icons as it concluded - fortunately they all came back, but a blue screen for the moment was a chiller.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Nope. Always better to keep up to date!

    I don't know but they all have the same file size and seem suspicious to me. We can take a closer look at one of them.

    Could you please get this: 0437~1 into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    log retrievable @ C:\collect.zip

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\WINNT\~p’ 
    C:\WINNT\084c~1       
    C:\WINNT\0437~1       
    C:\WINNT\p   
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
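An added example, not part of the thread or of the MajorGeeks tools: the reason those C:\WINNT files drew attention is that they all shared one file size, so a quick way to triage a directory like that is to pick out the oddly named entries, group them by size and hash each group. Identical hashes mean one dropper writing the same payload under random names; differing hashes under the same size are less conclusive. The hashes are also what you would look up or submit on VirusTotal later in the thread. The directory, file names and byte contents below are constructed for the demo (a temporary folder standing in for C:\WINNT); the name pattern is the editor's assumption about what "odd" means here.

```python
"""Triage helper: find clusters of oddly named, identically sized files in a Windows directory.

Added example, not from the MajorGeeks thread. All paths and file contents are
constructed for the demo; ODD_NAME is the editor's assumption about which names
(8.3-style "0437~1", "_c3ff~1", or bare one-letter names like "p") are unusual
directly under the Windows directory.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# 8.3-style mangled names or bare single letters (optionally ~ prefixed / trailed by a stray symbol)
ODD_NAME = re.compile(r"^(?:_?[0-9a-f]{4}~\d+|~?[a-z]\W?)$", re.IGNORECASE)


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_clusters(windir, min_cluster=2):
    """Return {size: [(name, sha256), ...]} for odd-named files that share a file size."""
    by_size = defaultdict(list)
    for name in os.listdir(windir):
        path = os.path.join(windir, name)
        if os.path.isfile(path) and ODD_NAME.match(name):
            by_size[os.path.getsize(path)].append(path)
    clusters = {}
    for size, paths in by_size.items():
        if len(paths) >= min_cluster:
            clusters[size] = sorted((os.path.basename(p), sha256_of(p)) for p in paths)
    return clusters


def identical_copies(cluster):
    """True when every file in a size cluster has the same hash (one payload, many names)."""
    return len({digest for _, digest in cluster}) == 1


def build_demo_dir():
    """Constructed sample: a fake WINNT with four same-size odd files (three byte-identical)
    plus two ordinary files that must not be flagged."""
    d = tempfile.mkdtemp(prefix="winnt_demo_")
    payload = b"\x4d\x5a" + b"\x00" * 510   # 512 bytes, fake MZ header (constructed)
    other = b"\x4d\x5a" + b"\xff" * 510     # same size, different content (constructed)
    samples = [
        ("0437~1", payload), ("084c~1", payload), ("p", payload), ("8527~1", other),
        ("win.ini", b"[fonts]\r\n"), ("explorer.exe", b"\x4d\x5a" + b"\x90" * 4000),
    ]
    for name, data in samples:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


def demo():
    """Build the constructed directory and return its size clusters."""
    return find_clusters(build_demo_dir())


if __name__ == "__main__":
    for size, members in demo().items():
        print(f"{len(members)} odd-named files of {size} bytes; all identical: {identical_copies(members)}")
        for name, digest in members:
            print(f"  {name:12} {digest[:16]}...")
```

Run against a real %SystemRoot% the same function would give you the list of names to put in a CFScript File:: section and the digests to check on VirusTotal, instead of guessing from the directory listing.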
     
  8. CorporalMcKinney

    CorporalMcKinney Private E-2

    Attached, hopefully, is what I think you are asking for.

    I sometimes wonder if I have a problem, as at times the machine seems to run OK (I just tried doing a wikipedia search, and the slider moves up and down freely, and right now the letters are displaying as I type this). At other times it seems as if something has to be abnormally slow (just now the display and slider hung up).

    When I tried to access the 'My Computer' icon to get the MGlog.zip file, the wait for the computer to do something was easily 10 - 15 seconds. When I just now tried to access 'Word' the wait was 5 - 10 seconds. However when I closed 'Word' back down, and tried to immediately reclick on the icon, the program launched almost immediately. When I hit the 'Start' the wait can be as long as 9 seconds (I timed it with a stopwatch) for something to happen, other times and I can hit it and it is instantaneous or close to it. Does any of that give you a clue about anything? The 'Local Disk' shows 12.8 gig used and 5.8 gig free space.

    The running of the Combofix took just about 54 minutes:
    1:43 - Backing up Registry
    7:14 - "Scanning... Program should take 10 minutes" message, etc.
    28:53 - scan complete
    31:00 - Shutdown and Restart; a message "cannot make creg.dat Error accessing the registry" popped up at this point
    36:28 - preparing log report
    54:50 - Notepad log up

    At the TEMP file there was only one item, jusched.log, which I deleted to the recycle bin.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay I think many of your problems will have to be further discussed in another forum. Let's continue on here for now with the rest of what needs to be done.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\WINNT\~p’
    C:\WINNT\8527~1
    C:\WINNT\_c3ff~1
    C:\WINNT\0f65~1
    C:\WINNT\p
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run this

    Using ESET's Online Scanner

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited: Sep 13, 2010
  10. CorporalMcKinney

    CorporalMcKinney Private E-2

    Pardon the Interruption... I was out of town and thus away from the computer for a few days. Here are the logs I think you are requesting:

    The Combofix again took the best part of an hour, finishing with the log.txt at 57:15. The Esetlog took about 2 hours to run. The MGlog is pretty quick, under 5 minutes, if any of that tells you anything.

    Thanks for any advice...
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem, let's continue.

    HijackThis 1.99.1 <--- uninstall this

    Now download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Run this: Running Kaspersky Online Scanner

    You really need to get rid of the outdated Panda Antivirus now.
    If you had up to date AV at the time perhaps it could have caught something. If you need us in the future and you still have this old 2007 Panda installed you may be refused help.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  12. CorporalMcKinney

    CorporalMcKinney Private E-2

    I don't know to what degree I am in over my head in this (probably a lot).

    The machine seemed to be running better, as in the post of 9/12 I was wondering if I had a problem. I am now back to almost the status I was at the beginning, where the slider on e-mail or wikipedia is again sticky, and clicks on buttons take so long it raises alarm bells about just WHAT IS going on, and the display is again occasionally trailing my hunt n' peck.

    Attached hopefully is the avenger txt and the mglog.

    I could not get Kaspersky to work, I don't think, despite my attempts to make it go three times. To begin with, downloading the updates took about two hours, and once I did get the online scan to go, it stopped at object 211 or 221 (I didn't record which) at something called slipmenu.scp at C:\winnt\system32\ras. The second attempt was done starting from scratch, reupdating for two hours, and running during the workday, where I need to have a driver on for the printer. It again stopped at object 221, at something called EQI021E.HLP at C:\winnt\system32...001\drivers\w32x86\3. It really was stuck here, I think, as I left the machine alone for 5 hours and Kaspersky never moved beyond that point.

    The third attempt was on Saturday, when everything could be off except Kaspersky, except now it won't run (I think) because "the launch of Java is interrupted, Please establish an uninterrupted Internet Connection." Without checking Wikipedia, I am not sure what Java is, why (per your earlier suggestion) I needed to update it, and why it might be interrupted.

    I have contacted Panda, and they are trying to figure out if the money I spent to renew it in July could be applied toward the Panda 2011. I am annoyed that a big operation like Panda would happily take my money if 2007 was inadequate in some way, a concept I am also unclear on if it is being updated automatically everyday. When I was using Lavasoft for Spyware removal, they had the decency to tell me the version I had was too old, and although it might still work, would not be updated any longer.

    Nevertheless, the Panda 2007 DOES provide popups telling me when something is stopped or is questionable. When I first tried downloading the updates for Kaspersky, it popped up that ROOTKIT/Agent.LNB was attempting to get on. I didn't know if this was part of Kaspersky, so I told Panda to ignore it, which may have been a mistake. It was supposed to be located at C:\winnt\system32\drivers\aeiop.sys, but when I search for this or look at the address, I don't think I see anything. In all of the subsequent attempts to run Kaspersky, I disabled the automatic protection of Panda, as I have done prior to doing any of the steps you prescribe. When I check Panda after disabling it from the toolbar, it says that protection is "low" and that definitions and such need to be enabled, so I think it is "off".

    In the MajorGeek world, I don't know if there is a point where you are confronted with a "no-hoper," but I never pretended to be anything but an amateur. Do you have any suggestions or do the logs tell you anything?
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am trying to consider what would be our next best move. The logs tell me something is creating those strange files even after we delete them but I cannot figure what exactly. I guess we need to dig a little deeper if you do not mind persevering that is. I will also ask Chaslang for his opinion on the matter in the mean time.

    Try this

    GMER - running with a random name
     
  14. CorporalMcKinney

    CorporalMcKinney Private E-2

    System seems to be running hot and cold. At times everything will be smooth as silk, and I'll be questioning if I have a problem. At other times, it is slow as molasses, and I'll hear what I suppose is the hard drive sounding with a digga-digga-digga-dig as it works away. Right now I am fine, but just prior to logging on to Major Geeks, I was checking the e-mail which was sticky on the slider and with significant pauses at any instruction from the keyboard.

    In the interim since the last post, I ran the Panda Antivirus scan which came up clean, the Super AntiSpyware scan which came up clean, and the MalwareBytes scan which came up clean. Curiously, there appear to be two logs from that scan, although I thought I only saved it once. While doing the scan MBAM popped up once with a "MBAM - Error - Check - Infected (5,7) Access is denied." However, once I closed the popup, everything continued smoothly.

    I have run the GMER with the attached log. It stopped twice in the scan with a popup message "C:\winnt\system32\config\software The process cannot access the file because it is being used by another process." However, closing the popups allowed the scan to continue smoothly, I think. It concluded with a popup "GMER has found system modification found by Rootkit activity."
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Go to VirusTotal and upload the following file for analysis:

    Could you please get this: MSTask.exe into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:



    Let me know the VT results and attach the C:\collect.zip
     
  16. CorporalMcKinney

    CorporalMcKinney Private E-2

    I think I did it correctly...
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm, my antivirus did not flag that file as suspicious. GMER is reporting a rootkit, which could be just a false positive, but I am going to ask my colleagues about this. In the mean time I ran it through VirusTotal as well and nothing was found as suspicious.

    Run this whilst we figure out the next move.

    Using Sophos Anti-Rootkit
     
    Last edited: Sep 29, 2010
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The "Rootkit" was a false detection by GMER on win2k systems.

    Have spoken to Chaslang who says:

    I did not see any real reason to suspect malware. It is an old slow PC with very little memory, perhaps current day applications like Panda are just too much for it to handle. I suggest uninstalling Panda to see if it alleviates your "slow down". Otherwise options like:

    • visiting the software forum
    • reinstallation of your OS
    • new PC with more memory and modern OS

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  19. CorporalMcKinney

    CorporalMcKinney Private E-2

    Well... I guess that's a victory in one sense, in the general conclusion that Malware is not the cause of the slow downs. Thanks for your help!

    I did try running the SOPHOS scan and it too came up clean. I also was able to get Panda 2011 on, I think. I have not yet done a scan with that, but I would be willing to bet it will also be clean.

    Regarding the suggestion that this machine does not have enough memory, while perhaps the Software forum will be able to answer this, in your opinion, is 18.6 GB total, with 13.4 used and 5.15 free adequate memory? By my math, that's better than 25% still empty. The virtual memory popup is rarely seen since the procedure to increase the working memory was done (the steps of which I don't precisely recall).

    Upgrading from Windows 2000 might eventually be necessary, but one reason we have kept on with 2000 is because our accounting functions are done using Unix, and I understand that later OS versions, particularly Vista, are unfriendly to non Microsoft programming. On this, the Software forum may be helpful.

    Thanks again.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is hard disk space not memory. ;)
     
