rcpilot2

asked on

Why is my pc so slow?

  Hello, my Windows XP Pro is taking 4-5 minutes to boot and is becoming very, very slow. I have attached my hijack file. I have also scanned with ad-ware and found nothing. I am running Symantec Endpoint virus protection and that is up-to-date. I also ran msconfig and checked out my startup programs, and that appears to be fine. This is a domain client computer (2003 Small Business Server). What else can I try?? This is driving me crazy! Any help would be appreciated!!!
hijackthis.log
khashayar01

Is anything else slow? Anything under the event log? Try disabling all the startup items using msconfig, then go to the Services tab, check "Hide all Microsoft services" and disable the rest. Reboot now and see if it's resolved. If it is, then you can enable a group at a time to narrow it down.
SOLUTION
thomascheung_net

SOLUTION
Has this problem occurred over time, or just overnight?
Do you store quite a bit of files/folders on your desktop?
Is your user profile excessive in size?
ASKER CERTIFIED SOLUTION
rpggamergirl

rcpilot2

ASKER

Ok I have run a clean sweep and a combofix, and attached the log. Please let me know if you need more info from me. It seems to be getting better in speed. So we are heading in the right direction.
@FlooringPro:
This problem just slowly took over my computer, with very little fanfare. I do not have much stored on my desktop, nor do I have large user profiles.
@thomascheung_net:
I have 2 GB of RAM on this PC
@rpggamergirl:
This entry is bad and needs fixing which is from a Trojan-PSW.Win32.Small.bs

O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
How can I be sure this has nothing to do with my Windows 32 Small Business Server?

log.txt
@rcpilot2
How old is the install? The reason I ask: Windows is notorious for becoming very slow after being installed for a long time. Using XP, in my own experience, I typically re-installed the O/S once every couple of years. If your next question is why does it get slow, then I will defer to one of the other EE's.
 
<<<"How can I be sure this has nothing to do with my Windows 32 Small Business Server?">>>

You don't have to believe me; you can check for yourself. Try checking the startup entry in the registry and see what it says. Then also check the properties of the file, which should give you some information, and do some research.


I know I am sure because many sources confirmed it is.
By the way, it is a password and an infostealer just so you know.

HKEY_CURRENT_USER\Software\Microsoft\Windows\currentversion\run\
ttool = c:\windows\9129837.exe

ttool <-- startup name
C:\Windows\9129837.exe <-- filename

http://www.bleepingcomputer.com/startups/9129837.exe-16056.html
http://www.threatexpert.com/files/9129837.exe.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-110710-2700-99&tabid=2
http://www.sophos.com/security/analyses/viruses-and-spyware/trojhiloadd.html
http://www.avira.com/en/threats/section/fulldetails/id_vir/2903/tr_psw.small.b.1.html
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.ZZ&VSect=T
http://vil.nai.com/vil/content/v_160109.htm
http://74.125.153.132/search?q=cache:gJKBBGIQnTAJ:www.pandasecurity.com/enterprise/security-info/206993/information/Spyforms.BZ+9129837.exe+panda&cd=6&hl=en&ct=clnk&gl=au
rpggamergirl,
How do you suggest removing this C:\Windows\9129837.exe <-- filename problem?
The file was not showing as one of the files deleted in the Combofix log, though Combofix did remove the relevant service --> Service_new_drv

It's possible that Combofix removed it during its first run (the log shows that CF has been run twice)

The entry was only showing in the Hijackthis startup line, but since Hijackthis cannot tell us if the file still exists, it's hard to know.
You can either check the first combofix log and see if CF had deleted it, or just manually look for the file --> C:\Windows\9129837.exe

If you can't find it (with hidden files showing) then that could also mean that it's just a remnant reg entry.

Or we can let Combofix find it and delete it if still present, using a script.


Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\Windows\9129837.exe

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
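
The check discussed in the replies above (does the startup value still exist, and does the file it points to still exist, or is it only a remnant registry entry), as an added example that is not part of the original thread: a Python sketch that parses HijackThis O4 registry lines and reports the state of each target file. Only the `[ttool]` line comes from the thread; the other sample lines, the function names and the digits-only filename heuristic are assumptions made for illustration.

```python
import os
import re
from pathlib import PureWindowsPath

# HijackThis registry autostart line: O4 - HKCU\..\Run: [value name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Constructed sample log; only the [ttool] line is taken from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" -min
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O23 - Service: Example Service - Unknown owner - C:\Example\svc.exe
"""

def exe_path(cmd):
    """Return the executable part of an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, args follow
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))\b", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def triage(log_text, exists=os.path.exists):
    """List O4 registry autostarts with a name heuristic and file state."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue                             # not a registry O4 line
        path = exe_path(m.group("cmd"))
        p = PureWindowsPath(path)
        findings.append({
            "key": m.group("hive") + "\\..\\" + m.group("key"),
            "name": m.group("name"),
            "path": path,
            # Assumed heuristic: digits-only file directly in the Windows dir.
            "odd_name": p.stem.isdigit() and p.parent.name.lower() == "windows",
            "state": "file present" if exists(path) else "remnant entry",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run on the affected machine, the default `exists` check looks at the real file system; a "remnant entry" result means the Run value can be cleaned up even though the file is already gone.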
Thanks to all for your help
rcpilot2,

It's also a good idea to run an online scan with Kaspersky, it's a very thorough scanner just to check if it finds any threats that other scanners may have missed. It doesn't remove any viruses that it finds so you need to save the log.

When you're done with ComboFix you can uninstall it.
To uninstall Combofix:
Go to Start > Run and 'copy and paste' the next command into the field:

ComboFix /u

Thanks!