Old 01-01-2008, 06:30 AM   #1
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
System possessed

My nephew was kind enough to bring over his possessed system for me to look at. I booted the system and it comes up pretty quickly, then all of a sudden all hell breaks loose... I suspect the system is trying to connect to something... The bottom line is the system is very slow, always see the hourglass on the cursor. I have run Spybot, Ad-Aware, ran CCleaner to clean registry and files. Checked to see if defrag is needed, deleted a lot of junk files and I still have the same problem.
Can any of you offer any ideas as to how to tackle this problem? The XP Home software seems to work but the system is VERY VERY slow.

Thanks and Happy New Year
Steve
sjm1027 is offline   Reply With Quote
Old 01-01-2008, 06:34 AM   #2
Ride 'em Cowboy
 
EzyStvy's Avatar
 
Join Date: Dec 1999
Location: Dallas, Tx
Posts: 9,109
Quote:
then all of a sudden all hell breaks loose
Specific details would help
__________________
Stand Up 2 Cancer - SU2C
EzyStvy is offline   Reply With Quote
Old 01-01-2008, 07:36 AM   #3
Member (6 bit)
 
Brothersoft's Avatar
 
Join Date: Nov 2007
Location: The Earth
Posts: 57
Does the hdd LED glitter all the time?
Brothersoft is offline   Reply With Quote
Old 01-01-2008, 07:50 AM   #4
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
I wish I could give you more. There is no HDD light on this system (Gateway) I don't see anything. All I can tell you is the system comes up ok at first, then 2 seconds later the cursor starts to show an hourglass as if it was doing something, I go to control panel and it can take up to 10 to 12 minutes for it to invoke. Sometimes you select a menu and it opens up... half way...
The really weird thing I have seen this morning is... in the add and remove software window the first 25 programs show up in the window and as you scroll through the window going down to the other programs it is separated by black stripes in the window. If you scroll down far enough the remaining programs installed will show... weird, I have never seen this before.
The system seems really bogged down by trying to run something or something running in background.
CPU Usage is low, that all looks normal. Defrag not needed...
That's all I have..

Thanks
sjm1027 is offline   Reply With Quote
Old 01-01-2008, 12:45 PM   #5
Wrench Bender
 
flanzig1's Avatar
 
Join Date: Dec 2002
Location: Plymouth,MN
Posts: 5,961
Would start the system up in Safe mode, then using MSCONFIG, take a look at what is in the start-up section. There is probably a lot of junk in there. Should be able to trim the programs in start-up down to about 6.
__________________
"When sliding down the banister of life; look out for splinters pointing up."
flanzig1 is offline   Reply With Quote
Old 01-01-2008, 01:23 PM   #6
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
Quote:
Originally Posted by flanzig1
Would start the system up in Safe mode, then using MSCONFIG, take a look at what is in the start-up section. There is probably a lot of junk in there. Should be able to trim the programs in start-up down to about 6.
Yes I did this today and I am at approx 11 but seems to be something going on. I checked the processes, cpu usage... nothing is obvious

Thanks
sjm1027 is offline   Reply With Quote
Old 01-01-2008, 04:00 PM   #7
Member (5 bit)
 
Join Date: Mar 2007
Posts: 31
Just a couple of ideas: do you know if the page file is heavily fragmented? If you open Windows defragmenter and select the drive and click Analyse then click View Report then scroll down the Volume Information window, is either the Pagefile or the MFT fragmented?

Have you tried running something like F-Secure Blacklight to see if the pc has any rootkit infection.

Do you have plenty of free hard drive space, how much RAM in the pc and how many sticks.
Les28 is offline   Reply With Quote
Old 01-01-2008, 05:04 PM   #8
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
Quote:
Originally Posted by Les28
Just a couple of ideas: do you know if the page file is heavily fragmented? If you open Windows defragmenter and select the drive and click Analyse then click View Report then scroll down the Volume Information window, is either the Pagefile or the MFT fragmented?

Have you tried running something like F-Secure Blacklight to see if the pc has any rootkit infection.

Do you have plenty of free hard drive space, how much RAM in the pc and how many sticks.

The disk is ok, doesn't need to run defrag, the report was fine.

I have not run F-Secure, not sure what that is but I will go research it now.

I have enough hard drive space and the ram is 1 gig and room for expansion 2 sticks

Thanks
sjm1027 is offline   Reply With Quote
Old 01-01-2008, 06:07 PM   #9
Staff
Premium Member
 
rjfvillarosa's Avatar
 
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,105
What antivirus software is installed?
What antispyware software is installed?
Go to the tools tab of CCleaner and in "StartUp" shut down everything except for the antivirus software.
Clear all the temporary internet files using CCleaner.
Does your nephew have any idea when this started to happen? Can you do a system restore back before he first noticed it, or is he clueless as to when it all started?
__________________
Niwa no niwa ni wa, niwa no niwatori wa niwaka ni wani o tabeta.
rjfvillarosa is offline   Reply With Quote
Old 01-01-2008, 07:50 PM   #10
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
Quote:
Originally Posted by rjfvillarosa
What antivirus software is installed?
What antispyware software is installed?
Go to the tools tab of CCleaner and in "StartUp" shut down everything except for the antivirus software.
Clear all the temporary internet files using CCleaner.
Does your nephew have any idea when this started to happen? Can you do a system restore back before he first noticed it, or is he clueless as to when it all started?
There was Norton on the system but sadly enough it was Norton 2005. I had to uninstall it because it was not letting me get on-line and wanted me to pay for an upgrade. I will install McAfee once I get things fixed.

I have already loaded CCleaner and cleaned everything up a few days ago...

He told me it's been going on for quite some time. I went back to the last restore point but noticed he was attempting to clean the system then. I better not use that point. I did create a new restore point before I started.
The last restore point goes to September 2007 so it doesn't go back far enough to a good configuration.

Thanks
Steve
sjm1027 is offline   Reply With Quote
Old 01-01-2008, 08:18 PM   #11
Served with Pride
Staff
Premium Member
 
Panama Red's Avatar
 
Join Date: Apr 2003
Location: near the left coast of Michigan
Posts: 14,565
Have you tried running Hijack This! to see what is hiding in there? You've already done the prerequisites we recommend before posting a HJT log file. Might as well do that now and post it here for the rest of us to review.

Oh, and unless you have a love affair with McAfee, avoid that one just as you would Norton.
Panama Red is offline   Reply With Quote
Old 01-01-2008, 08:31 PM   #12
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
Quote:
Originally Posted by Panama Red
Have you tried running Hijack This! to see what is hiding in there? You've already done the prerequisites we recommend before posting a HJT log file. Might as well do that now and post it here for the rest of us to review.

Oh, and unless you have a love affair with McAfee, avoid that one just as you would Norton.

No I haven't but I will tomorrow evening, I'll post it then

Thanks again,
Steve
sjm1027 is offline   Reply With Quote
Old 01-01-2008, 08:35 PM   #13
Staff
Premium Member
 
rjfvillarosa's Avatar
 
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,105
If you think there are no good system restore points on that machine, switch off system restore and restart the machine. This will clear out the system restore files where a lot of this type of junk often hides, after the restart you can switch system restore back on.
rjfvillarosa is offline   Reply With Quote
Old 01-02-2008, 07:37 AM   #14
Member (6 bit)
 
Brothersoft's Avatar
 
Join Date: Nov 2007
Location: The Earth
Posts: 57
Well, I have experienced another case: the system becomes slow because the HDD transfer mode is PIO, not DMA. Maybe you can check that in Device Manager first.
Brothersoft is offline   Reply With Quote
Old 01-02-2008, 08:52 AM   #15
Member (5 bit)
 
Join Date: Mar 2007
Posts: 31
When you removed Norton did you use the Norton Removal Tool? Might have nothing to do with your problem but I just wondered how you removed Norton and whether the problems were there before you removed it or are worse since you removed it.

On the hardware side a couple of things you might look at have you tried removing both ram sticks then putting just one stick back at any one time and booting up to see how it performs with one stick, also have you had a look for any bad caps on the motherboard.
http://en.wikipedia.org/wiki/Capacitor_plague

Have you tried F-Secure Blacklight or AVG AntiRootkit Free
http://free.grisoft.com/doc/download...otkit/us/frt/0
Try running these in safe mode as well as normal

and maybe try a-squared free and a-squared HiJackFree
http://www.emsisoft.com/en/software/download/
Les28 is offline   Reply With Quote
Old 01-02-2008, 07:45 PM   #16
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
Quote:
Originally Posted by Panama Red
Have you tried running Hijack This! to see what is hiding in there? You've already done the prerequisites we recommend before posting a HJT log file. Might as well do that now and post it here for the rest of us to review.

Oh, and unless you have a love affair with McAfee, avoid that one just as you would Norton.

Hi Panama Red,

I ran Hijack This tonight and have attached the results. Thanks everyone for your help

Steve
Attached Files
File Type: txt hijackthis.txt (12.3 KB, 31 views)
sjm1027 is offline   Reply With Quote
Old 01-02-2008, 07:50 PM   #17
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
Quote:
Originally Posted by Les28
When you removed Norton did you use the Norton Removal Tool? Might have nothing to do with your problem but I just wondered how you removed Norton and whether the problems were there before you removed it or are worse since you removed it.

On the hardware side a couple of things you might look at have you tried removing both ram sticks then putting just one stick back at any one time and booting up to see how it performs with one stick, also have you had a look for any bad caps on the motherboard.
http://en.wikipedia.org/wiki/Capacitor_plague

Have you tried F-Secure Blacklight or AVG AntiRootkit Free
http://free.grisoft.com/doc/download...otkit/us/frt/0
Try running these in safe mode as well as normal

and maybe try a-squared free and a-squared HiJackFree
http://www.emsisoft.com/en/software/download/
I actually used Microsoft to uninstall the software. I maybe should have used Norton but didn't think of it. Looks like Live Update is still on the system. I will have a look at it tomorrow evening

Thanks
sjm1027 is offline   Reply With Quote
Old 01-02-2008, 07:51 PM   #18
Served with Pride
Staff
Premium Member
 
Panama Red's Avatar
 
Join Date: Apr 2003
Location: near the left coast of Michigan
Posts: 14,565
Yup, you have company. Rather than go through each item, here are links to two log analysers. They will tell you which items need to be removed. Feel free to post any questions here before you remove them.

http://hjt.networktechs.com/

http://www.hijackthis.de/en
Panama Red is offline   Reply With Quote
Old 01-02-2008, 08:04 PM   #19
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
Quote:
Originally Posted by Panama Red
Yup, you have company. Rather than go through each item, here are links to two log analysers. They will tell you which items need to be removed. Feel free to post any questions here before you remove them.

http://hjt.networktechs.com/

http://www.hijackthis.de/en

Thanks, I ran the log file on http://www.hijackthis.de/en and it gave me a few (6 or 7) Nasty files. This thing is not too easy to read. Do you think it's ok to kill all the nasty files first and reboot to see if it fixes anything?
Then maybe look at the others flagged not so nasty?

Thanks
sjm1027 is offline   Reply With Quote
Old 01-02-2008, 08:26 PM   #20
Served with Pride
Staff
Premium Member
 
Panama Red's Avatar
 
Join Date: Apr 2003
Location: near the left coast of Michigan
Posts: 14,565
All those files that get tagged with a big yellow ? and contain nothing but consonants are all nasty too. Some files may get tagged because they are unknown. Examine them and make sure they aren't part of an application you have installed.
Panama Red is offline   Reply With Quote
Old 01-02-2008, 08:34 PM   #21
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
Quote:
Originally Posted by Panama Red
All those files that get tagged with a big yellow ? and contain nothing but consonants are all nasty too. Some files may get tagged because they are unknown. Examine them and make sure they aren't part of an application you have installed.
Thanks, I will let you know how I make out towards the end of the week.

Steve
sjm1027 is offline   Reply With Quote
Old 01-02-2008, 08:39 PM   #22
Staff
Premium Member
 
rjfvillarosa's Avatar
 
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,105
Each line of your log beginning with 04 is a process that starts when Windows starts.
You have far too many, try looking through them and decide what you do and don't need to start up with Windows. A lot of the problems on that machine can not be removed until the process is stopped; if you can disable them to begin with it may help with the removal process.
rjfvillarosa is offline   Reply With Quote
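
Added illustration (not part of the thread, and not code from HijackThis or the linked log analysers): a Python sketch that pulls the startup entries out of a HijackThis log, which writes that prefix as `O4` (letter O), and applies the "nothing but consonants" file-name check from post #20. The sample log is constructed (the attached hijackthis.txt is not reproduced on this page), and the minimum name length of 5 is an assumption.

```python
import re

# Constructed sample in HijackThis log layout; NOT the log attached to the thread.
SAMPLE_LOG = r'''Logfile of HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\avtray.exe" /startup
O4 - HKLM\..\Run: [xkrtbwq] C:\WINDOWS\system32\xkrtbwq.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [loader] rundll32.exe "C:\WINDOWS\system32\jkwpltz.dll",run
O4 - Global Startup: Example Printer Tray.lnk = C:\Program Files\ExamplePrinter\tray.exe
O23 - Service: Example Service - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe
'''

# O4 registry autoruns:  O4 - <key>: [<value name>] <command>
REG_RE = re.compile(r'^O4 - (HK[^:]+): \[(.*?)\] (.*)$')
# O4 Startup-folder items:  O4 - [Global ]Startup: <shortcut> = <target>
DIR_RE = re.compile(r'^O4 - ([^:]*Startup): (.+?) = (.*)$')
# Base names of executable-looking files anywhere in a command line.
FILE_RE = re.compile(r'([^\\/:"\s,=\[\]]+)\.(?:exe|dll|com|bat|cmd|scr|pif)\b', re.I)


def parse_o4(log_text):
    """Return every O4 (runs-at-startup) entry as a dict."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_RE.match(line) or DIR_RE.match(line)
        if m:
            entries.append({"location": m.group(1),
                            "name": m.group(2),
                            "command": m.group(3)})
    return entries


def consonant_only(stem, min_len=5):
    """True for an all-letter name with no vowels (min_len is an assumed cutoff)."""
    s = stem.lower()
    return (s.isascii() and s.isalpha() and len(s) >= min_len
            and not set(s) & set("aeiou"))


def triage(log_text):
    """List (entry name, suspicious file stems) for O4 entries worth a closer look."""
    flagged = []
    for entry in parse_o4(log_text):
        hits = [s for s in FILE_RE.findall(entry["command"]) if consonant_only(s)]
        if hits:
            flagged.append((entry["name"], hits))
    return flagged


if __name__ == "__main__":
    for e in parse_o4(SAMPLE_LOG):
        print(f'{e["location"]:<16} {e["name"]:<28} {e["command"]}')
    print("Review first:", triage(SAMPLE_LOG))
```

A flag here only orders the review; an unflagged or unknown entry still has to be checked against the applications actually installed, as post #20 says.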
Old 01-02-2008, 09:01 PM   #23
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
Quote:
Originally Posted by rjfvillarosa
Each line of your log beginning with 04 is a process that starts when Windows starts.
You have far too many, try looking through them and decide what you do and don't need to start up with Windows. A lot of the problems on that machine can not be removed until the process is stopped; if you can disable them to begin with it may help with the removal process.
Thanks, I'll look into doing that.
You're right, too many things turned on at the start.

Steve
sjm1027 is offline   Reply With Quote
Old 01-02-2008, 09:09 PM   #24
Staff
Premium Member
 
rjfvillarosa's Avatar
 
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,105
I can see that you have a listing for AOHell and Verizon in your 04's, how do you connect to the internet? dialup, dsl, or cable and who is your service provider?

Edit.. I remember now you are cleaning this machine for your nephew, so the question should have been how does he connect to the internet?

Last edited by rjfvillarosa; 01-02-2008 at 09:11 PM.
rjfvillarosa is offline   Reply With Quote
Old 01-02-2008, 09:18 PM   #25
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
Quote:
Originally Posted by rjfvillarosa
I can see that you have a listing for AOHell and Verizon in your 04's, how do you connect to the internet? dialup, dsl, or cable and who is your service provider?

Edit.. I remember now you are cleaning this machine for your nephew, so the question should have been how does he connect to the internet?
This is my nephew's system, they use Verizon DSL. I have it connected to Comcast right now, broadband cable

They also have AOHell... I have told them to Dump it but they don't for some reason

Steve
sjm1027 is offline   Reply With Quote
Old 01-02-2008, 09:35 PM   #26
Staff
Premium Member
 
rjfvillarosa's Avatar
 
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,105
Looking through the log file makes me wonder if it would be better to backup all his personal music and picture files, then format and reinstall Windows.
There is so much junk in there you could possibly have system file damage.
It's possible the reason they won't ditch AOHell is that they still have an email account with them, but I believe there are ways around that these days, if I remember correctly after ditching AOHell they keep your email active for a period of time.
Personally the only contact I have ever had with AOHell was to use one of their installation disks to stop a wonky table leg moving.
rjfvillarosa is offline   Reply With Quote
Old 01-02-2008, 09:57 PM   #27
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
Quote:
Originally Posted by rjfvillarosa
Looking through the log file makes me wonder if it would be better to backup all his personal music and picture files, then format and reinstall Windows.
There is so much junk in there you could possibly have system file damage.
It's possible the reason they won't ditch AOHell is that they still have an email account with them, but I believe there are ways around that these days, if I remember correctly after ditching AOHell they keep your email active for a period of time.
Personally the only contact I have ever had with AOHell was to use one of their installation disks to stop a wonky table leg moving.
Oh geesh, that is a good one... Never thought of that, I just used to fling them off the cliff at work to see how far I could toss them.

The kid is 16 so I am sure he has surfed everywhere... and some!
The music and pictures are the most important thing and yes you are right about backing them up. I asked them to get a 500 gig backup WD MyBook a few days ago if I get it on Saturday I will do just that, at least back it up. I really hate to re-load this system but it may be the thing to do.
Thanks for the suggestion
Steve
sjm1027 is offline   Reply With Quote
Old 01-02-2008, 10:14 PM   #28
Served with Pride
Staff
Premium Member
 
Panama Red's Avatar
 
Join Date: Apr 2003
Location: near the left coast of Michigan
Posts: 14,565
I'm with rjf on the nuke and pave idea. Way too much stuff to spend time cleaning that machine. Good luck on either way you go.
Panama Red is offline   Reply With Quote
Old 01-02-2008, 10:18 PM   #29
Staff
Premium Member
 
rjfvillarosa's Avatar
 
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,105
A reinstall is very easy if you do it "Lite": just load the absolute minimum to make it work, ditch all the Verizon and Printer garbage, just use the necessary drivers, nothing else.
rjfvillarosa is offline   Reply With Quote
Old 01-03-2008, 04:24 AM   #30
Member (9 bit)
 
Join Date: Mar 2002
Location: Massachusetts
Posts: 434
Ok So I am reading what you're asking but they have the HP all in one printer and they also have Verizon. So if I ditch that stuff they will have to add it back again. How is that a good thing?
Anything I am ditching will be temporary right now.
I am going to try to get them to drop AoHell because they can use Google, Yahoo or MSN mail.

So should I reformat the HD or try to re-load XP over it?
Then the issue of SP2... They don't have SP2 I don't think so when I load XP can I go to MS web site and load SP2?
Just want to make sure of the steps before I do it.

Thanks
Steve
sjm1027 is offline   Reply With Quote