SoftwareTipsandTricks Forum

Incredibly slow boot up and general response time


  #1  
Old 12-19-2005, 08:36 AM
Kerryh_r Offline
Registered User
 
Join Date: Dec 2005
Posts: 5
Incredibly slow boot up and general response time

Hi

I believe I was recently infected with the W32.Alcra.D Trojan (perhaps something else too?). I see from the following thread that another member had similar issues/symptoms, but his ultimate resolution was not clearly stated.
http://www.softwaretipsandtricks.com...p-problem.html
If anyone knows what that cure was, please let me know.

See also:-
http://www.bleepingcomputer.com/star...exe-12864.html
http://www.bleepingcomputer.com/sta....exe-12633.html
http://www.sarc.com/avcenter/venc/d...echnicaldetails

Not sure if all my symptoms below are related to that, but here is a short history of my problem and my latest HJT log.

My PC's boot-up time has slowed so much that it can take 10-15 minutes before I can do anything with the PC, and after that, it is intermittently slow to perform any activity, web or simply PC-related. I noticed that I could not get Task Manager via alt/ctrl/del and ultimately the hard disk was full, even after I cleared 3 Gb off it.
My initial investigations pointed me towards msmovies/msupdate.exe, but also svchost.exe (NOT scvhost or similar). I deactivated and removed them (not svchost), also their registry entries, and associated folders, and tens of thousands of zip files up to 1/2 Mb each in two hidden folders.
I have run a number of different virus scanners (BFU, CCleaner, WinPFind, Jotti, Ewido, Blacklight, SpySweeper), plus scripts to remove the bogus *.com files referred to by the links above, but my PC is still painfully slow booting up, and responding afterwards.

If you need any more info, please let me know.

thanks, and good luck
Kerry

Spec: DELL XPS T500 256 Mb Ram, 500Mhz chip running XP pro SP2. I have a 2Mb ADSL connection running through a Linksys 54Mbps Wireless router, and a DLink 108Mbps card on the PC. I have standard Windows Firewall and am using AVGuard
http://support.dell.com/support/edoc...dkub/specs.htm

Logfile of HijackThis v1.99.1
Scan saved at 21:37:26, on 17/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SafeSweeper.exe
C:\Documents and Settings\Kerry\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kerry\Application Data\Mozilla\Profiles\default\adf3dte7.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {40BF816B-D862-41B9-9445-ECA36D5F67F9} (Flatcast Viewer 4.12) - http://www.1mal1.com/flatcast/NpFv412.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1111332976636
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...b?1122720995651
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...pDownloader.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
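A triage pass over the HijackThis log posted above, as an added example that is not part of the original thread: it groups entries by section code and flags O23 services that the log marks "(file missing)" or "Unknown owner", cross-checking a "missing" binary against the running-process list. The sample lines are copied from the log above; the function names `parse_log` and `triage_services` are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis v1.99.1 log posted above (abridged).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # "O23 - ..." -> ("O23", rest)
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*)$")
EXE = re.compile(r"^(.*?\.exe)", re.I)  # executable path without arguments

def parse_log(log_text):
    """Return (running process paths, entries grouped by section code)."""
    running, sections, in_procs = set(), defaultdict(list), False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            running.add(line.lower())
        elif (m := ENTRY.match(line)):
            sections[m.group(1)].append(m.group(2))
    return running, sections

def triage_services(log_text):
    """Map O23 service name -> notes, for 'Service: <name> - <owner> - <path>' lines."""
    running, sections = parse_log(log_text)
    findings = {}
    for body in sections.get("O23", []):
        m = SERVICE.match(body)
        if not m:
            continue
        notes, exe = [], EXE.match(m.group("path"))
        if "(file missing)" in m.group("path"):
            notes.append("marked file missing")
            if exe and exe.group(1).lower() in running:
                notes.append("but the same path is listed as running")
        if m.group("owner") == "Unknown owner":
            notes.append("unknown owner")
        if notes:
            findings[m.group("name")] = notes
    return findings

if __name__ == "__main__":
    print(triage_services(SAMPLE_LOG))
```

On these lines the BitDefender Scan Server service is reported as missing while the same executable appears under running processes, so that flag is worth confirming by hand before the entry is fixed in HijackThis.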

  #2  
Old 12-19-2005, 08:37 AM
Kerryh_r Offline
Registered User
 
Join Date: Dec 2005
Posts: 5
Also SpySweeper found the following:-

17:08: | Start of Session, 17 December 2005 |
17:08: Spy Sweeper started
17:08: Sweep initiated using definitions version 584
17:08: Starting Memory Sweep
17:15: Memory Sweep Complete, Elapsed Time: 00:06:58
17:15: Starting Registry Sweep
17:16: Found Adware: winad
17:16: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
17:16: Registry Sweep Complete, Elapsed Time:00:01:04
17:16: Starting Cookie Sweep
17:16: Found Spy Cookie: yieldmanager cookie
17:16: kerry@ad.yieldmanager[1].txt (ID = 3751)
17:16: Found Spy Cookie: addynamix cookie
17:16: kerry@ads.addynamix[2].txt (ID = 2062)
17:16: Found Spy Cookie: advertising cookie
17:16: kerry@advertising[2].txt (ID = 2175)
17:16: Found Spy Cookie: atlas dmt cookie
17:16: kerry@atdmt[1].txt (ID = 2253)
17:16: Found Spy Cookie: belnk cookie
17:16: kerry@belnk[1].txt (ID = 2292)
17:16: Found Spy Cookie: burstnet cookie
17:16: kerry@burstnet[2].txt (ID = 2336)
17:16: kerry@dist.belnk[2].txt (ID = 2293)
17:16: Found Spy Cookie: fastclick cookie
17:16: kerry@fastclick[2].txt (ID = 2651)
17:16: kerry@media.fastclick[2].txt (ID = 2652)
17:16: Found Spy Cookie: questionmarket cookie
17:16: kerry@questionmarket[1].txt (ID = 3217)
17:16: Found Spy Cookie: revenue.net cookie
17:16: kerry@revenue[2].txt (ID = 3257)
17:16: Found Spy Cookie: servedby advertising cookie
17:16: kerry@servedby.advertising[1].txt (ID = 3335)
17:16: Found Spy Cookie: tribalfusion cookie
17:16: kerry@tribalfusion[1].txt (ID = 3589)
17:16: Found Spy Cookie: adserver cookie
17:16: kerry@z1.adserver[1].txt (ID = 2142)
17:16: Cookie Sweep Complete, Elapsed Time: 00:00:01
17:16: Starting File Sweep
17:23: Found Adware: 180search assistant/zango
17:23: salm_gdf.dat (ID = 93789)
17:33: salmau.dat (ID = 93788)
17:47: File Sweep Complete, Elapsed Time: 00:31:04
17:47: Full Sweep has completed. Elapsed time 00:39:19
17:47: Traces Found: 19

  #3  
Old 12-19-2005, 07:00 PM
bookworm Offline
Sound Queen
 
Join Date: Sep 2002
Location: Lancashire England
Posts: 9,737
Just two small points: did you turn off System Restore? Any baddies can remain because Win protects these restore points from your AV and spyware programs. I'd boot into Safe Mode and run all your checks again. Also, have you tried a free online virus scan? Trend do a good one; find it here http://housecall.trendmicro.com/


Hope this helps
__________________
Hope this helps

Barbara MCP

Friends are
Gods apology
for relations.


It's not what you know, it's who you know ( especially the members of the Software Tips&Tricks Forum )

  #4  
Old 12-20-2005, 02:41 AM
Kerryh_r Offline
Registered User
 
Join Date: Dec 2005
Posts: 5
Hi Barbara

Yes, System Restore was turned off, and currently remains off.
Trendcall has also been tried, Adaware, Spybot, Silent Runners, and Symantec online.
http://metallica.geekstogo.com/p2pnetwork.bfu script for W32.Alcra.D
Tried various in Safe Mode too.

This morning I timed the boot up. Ten minutes before I could get any sort of response. After that, just clicking Start for instance, and anything else, responses go slow, the resultant list remains blank for 30 seconds or so, however I could still use an explorer window, just can't see all of it, or move it around to be able to see it better, until the system starts responding again.

Task Manager is currently active (you'll see earlier it wasn't) and reports nothing particularly unusual. Other threads I have seen reported similar problems with regedit, but I just find those a little slow starting up too.

I'm currently using msconfig selective startup and only have the following at startup:-

"AVGCtrl" = "C:\Program Files\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]

"AVSCHED32" = "C:\Program Files\AVPersonal\AVSched32.EXE /min" ["H+BEDV Datentechnik GmbH"]

"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"D-Link AirPlus" -> shortcut to: "C:\Program Files\D-Link AirPlus\AirPlus.exe" ["D-Link"]

"Launch Internet Explorer Browser" -> shortcut to: "C:\Program Files\Internet Explorer\iexplore.exe" [MS]

My last resort would be to reinstall Windows, but twice before I did that, I contracted the Lasser (I believe it was called) virus, immediately upon connecting to the net. Fixed it, and ultimately reinstalled SP2. I should not have to do that every few months.
I'm even resorting to upgrading the RAM, and considering a faster CPU, but I've been running it for over 2 years as it is with XP on it, without these problems before. Got laggy around 7-8 months ago, and obviously a reinstall cured it, but I would rather get to the bottom of this.

Could it be WAN related? I have a spare D-Link 108Mbps router I was considering switching to.

Perhaps a magic wand would help.

Kerry

  #5  
Old 03-04-2006, 02:23 AM
macattack1 Offline
Registered User
 
Join Date: Mar 2006
Posts: 1
Spy sweeper may be the problem

Hi Kerryh_r,

Just looking around for a solution to another issue when I spotted this thread. Not sure if you've solved this issue yet but here's my contribution. I too had similar slow response problems and ran many AV and malware scans to attempt to solve the problem. A typical symptom on my reasonably fast PC (AMD 64 3000) was that IE would take ages to open even though CPU usage remained low, as did the memory usage. In addition I had very slow startup and shutdown times.

In the end I found Spysweeper to be the culprit. Try uninstalling it, at least temporarily, to see what effect it has. For me, the degradation in performance caused by this software was worse than that which could be caused by the malware that it was protecting me from.

/mac

  #6  
Old 03-04-2006, 03:00 AM
yoni5002 Offline
Registered User
 
Join Date: Oct 2005
Posts: 923
Hi, let me give you my opinion.... After being infected there are so many obsolete registry keys that Windows takes hours to load up. Also the Prefetch folder contains a lot of missed links for XP to start up applications. In addition, some Windows XP files could be damaged by the virus, spyware etc... If after you load up your Windows it runs smooth then there is not such a problem; I can get you to the desktop in 38 sec or less, guaranteed!! If Windows response in general is still poor then we need to start repairing the mess caused by the viruses... Either way you can reply and let me know... I'll get your XP running as good as the first time... probably even better than that... Just let me know by posting here or e-mail me at ralphy5002@comcast.net

Hope this helps

Yoni5002º
________

  #7  
Old 03-06-2006, 02:58 AM
Kerryh_r Offline
Registered User
 
Join Date: Dec 2005
Posts: 5
Thanks for your belated replies guys. I shan't be using this forum in future, if getting a response takes up to 3 months. I shall take my problems here instead, and get them resolved in days!! http://forums.thetechguys.com/forumdisplay.php?f=22

bye bye
All times are GMT -5. The time now is 05:11 AM.

