HoggyDog

CLOSED Machine slowdowns, Windows Explorer Crashes


I'm having my semi-annual system slowdown and Windows Explorer crashes.

Emsisoft Internet Security found and quarantined "E:\Users\[path redacted for privacy]\Skyrim\LOOT_6854b5e053c96408b178bca502e159959f3d7bf6\LOOT.exe     detected: Gen:Variant.Razy.146401 (B) [krnl.xmd]" a couple of days ago, but other than that there have been no reports of anything amiss, other than the symptoms mentioned, and removing it did not fix the problems.

Log files attached per instructions. Thanks.


scan_170312-191004.txt

Addition.txt

FRST.txt


Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
2017-03-10 19:09 - 2016-11-28 15:35 - 00004120 _____ C:\Windows\System32\Tasks\{5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4}
Task: {81D5E6BE-684B-44BC-9118-D84EF4E66EB7} - System32\Tasks\IHSelfDeleteTASK => CMD /C DEL C:\Users\Angie\AppData\Local\Temp\IHU9AE8.tmp.exe <==== ATTENTION
Task: {CDB41BD2-82BA-4BBC-88B5-7135005BA305} - System32\Tasks\IHUninstallTrackingTASK => CMD /C DEL C:\Users\Angie\AppData\Local\Temp\IHU9A7A.tmp.exe <==== ATTENTION
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:DocumentSummaryInformation [63]
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:SummaryInformation [63]
C:\Users\Angie\AppData\Local\Temp\IHU9AE8.tmp.exe 

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


New scan results. Hard to tell 'how things are running' because the slowdowns and crashes are random and unpredictable, hence unduplicatable. That said, in the 2 days since running the fixlist, I have not had a Windows Explorer crash OR a baffling, absurd notice upon exiting Skyrim that my i5-3570K OC to 4.2GHz, 8GB-RAM, GTX-970 4GB-VRAM system is too slow to support my desktop at millions of colors and would I like Windows to downgrade to 16 colors to increase performance? :wallbash:

So, I guess no news is good news? Or, 'so far, so good but the jury's still out?'

Thanks.

scan_170316-140813.txt

Addition.txt

FRST.txt


Other than a few orphaned registry items and a couple of ADS your logs look pretty good.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Task: {D3572C2E-F3FC-4CC0-A2E9-7DC7856BB9E9} - \{5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} -> No File <==== ATTENTION
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:DocumentSummaryInformation [63]
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:SummaryInformation [63]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Changing tools.

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2
    • Close all programs and disconnect any USB or external drives before running the tool.
    • Double-click RogueKiller.exe to run the tool (Vista/7/8/10 users: Right-click and select Run As Administrator).
    • Once the Prescan has finished, click Scan.
    • Once the Status box shows "Scan Finished", just close the program. <--Don't fix anything!
    • Attach the RogueKiller report to your next reply.
      • The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex)
      • The highest number of [X], is the most recent Scan


RK report attached- I can't read it because I have no idea how to open a *.json file but as it was running I noticed that it had flagged 4 entries from CurseClient. That's an addon manager for some games I play, but if it's potentially risky I don't mind uninstalling it. Thanks.

RKreport_SCN_03172017_203912.json


RogueKiller did not produce any RKReport*.txt file, or any *.txt file whatsoever- I used UltraSearch to scrutinize all 4 of my hard drives for any txt file produced in the past hour immediately after running RK and none of the files found were produced by RogueKiller, just the JSON one. I am leery of running RK again without your instruction because I have no idea what RogueKiller is or what it does, or if doing whatever it does twice in a row could be harmful.

Also, as a matter of practice, I never 'install' or save anything to my Desktop because it is too easy for me with my blurry vision and fat fingers to run it unintentionally. This means that I am having to translate your instructions to download to desktop, install to desktop (etc) to match what I am actually willing to do on my machine: I download installables to ...\Downloads\ and then I install them to a dedicated folder if given the option due to Windows' draconian, user-hostile UAC- I would have chosen "E:\RogueKiller" had I been afforded an option- or install to the default installation path if no option is presented.

In the case of RogueKiller, the download was a Setup executable, not the program executable itself, and included several ancillary files beside RogueKiller.exe. The setup process offered no installation path options- it simply installed itself to "C:\Program Files\RogueKiller\RogueKiller64.exe." Your instructions specify that users should run the downloaded file then send the resulting report, but since the download is NOT the program executable it is not possible to follow your instructions as they are currently written. I realize that the instructions are probably cut-n-paste boilerplate on your end, so I'm suggesting that you might want to download RK yourself, install it, and run it- then update your boilerplate to match the actuality of what users will experience. Also, because RK does not automatically produce the report text file you are looking for, you might include instructions on how to make it do so.

Please give me specific, detailed instructions on how to force RogueKiller to produce the file you are looking for using the latest version of RK (that I just downloaded) because it occurs to me that your experience may be on an older version and the failure to produce a txt file may be a 'feature' of a newer version. At any rate, RK is not doing what you said it should do, which is scary.


RK should produce a TXT report that is saved to the Windows Desktop.  If it did not then something went wrong.

Please run it again.


"RK should produce a TXT report that is saved to the Windows Desktop." RK absolutely does not do this by default- it does not produce ANY txt-format report, and the json report it does produce is saved to the RK installation path, which is C:\Program Files\[some subfolder] and cannot be changed.

"Once the Status box shows "Scan Finished", just close the program" If you do this, no report other than the *.json report I attached previously is produced, and it was saved to the installation directory of RK, not the desktop.

"The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex)" Again, this is 100% wrong. NO TEXT-FORMAT LOG IS PRODUCED BY DEFAULT, the only log produced is in JSON format, and it is saved in the RK installation directory. When I finally managed to actually save a report in txt format, it was named 'rk_FA17.txt' and it is attached below.

I hate being contentious because I know you're trying to help, but the dead-wrong instructions and statements are the exact opposite of helpful. Several of the instructions and expectations in your posts regarding RogueKiller are simply wrong. I'm begging you to download and run it yourself, then change your instructions to match what RK actually does and what a user must do to produce the report you need.

That said, after the (second) RK scan completed, I was able to produce the attached text-format report by manually pressing a button cryptically labeled [TXT] and I forced it to the desktop by manually overriding the RK installation path where it 'wanted' to put it and pointing it to the desktop.

Thanks.


rk_FA17.txt


If the authors of RK have changed its default behavior, then I am not aware of it.  RK is widely used in the security community, and changes like this do result in a significant amount of backlash from the security community.  JSON logs are useless to everyone, and they are not human readable.

Close all programs and disconnect any USB or external drives before running the tool.

  • Double-click RogueKiller.exe to run the tool again (Vista/7/8/10 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished":
    • Click the Registry Tab and select the following items:
      [PUP.Gen1] (X64) HKEY_USERS\RK_Angie_ON_E_5721\Software\APN PIP -> Found
      [PUP.Gen1] (X86) HKEY_USERS\RK_Angie_ON_E_5721\Software\APN PIP -> Found
      [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-512916201-3985343410-3463357333-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://fluxcapacity.enjin.com/  -> Found
      [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-512916201-3985343410-3463357333-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://fluxcapacity.enjin.com/  -> Found
      [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
      [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
    • Click the Delete button.

  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex.txt)
    • The highest number of [X], is the most recent Delete log.
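An added example, not part of this thread and not code from RogueKiller or Emsisoft: a PowerShell snippet that reads back the two kinds of settings the report above flagged (the UAC ConsentPromptBehaviorAdmin policy and the per-user Internet Explorer Start Page) and says what the values mean, so the result of the Delete step can be verified independently of the tool's summary. The registry paths are the ones quoted in the report; the meanings table is Microsoft's documented set of values for that policy; HKCU is used in place of the specific user SID from the report.

```powershell
# Added example (not from the thread, RogueKiller or Emsisoft).
# Reads the UAC admin-prompt policy and the IE Start Page and reports whether
# they are at a weak/non-default setting. Run in an ordinary PowerShell window;
# only the commented-out Set-ItemProperty at the end would need elevation.

$uacKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin (REG_DWORD).
$consentMeaning = @{
    0 = 'Elevate without prompting (admins are never asked; UAC is effectively bypassed)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows default)'
}

function Get-UacStatus {
    $p = Get-ItemProperty -Path $uacKey
    $v = $p.ConsentPromptBehaviorAdmin
    if ($null -eq $v) { $v = 5 }   # value absent: assume the Windows default applies
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $v
        Meaning                    = $consentMeaning[[int]$v]
        # Either UAC off entirely, or admins elevated silently: both are what
        # the [PUM.Policies] line in the report is warning about.
        Weak                       = ($p.EnableLUA -ne 1) -or ([int]$v -eq 0)
    }
}

function Get-IeStartPage {
    # The [PUM.HomePage] entries point at this value under the user's hive.
    $ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    (Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue).'Start Page'
}

Get-UacStatus | Format-List
"IE Start Page: $(Get-IeStartPage)"

# To put the admin prompt back to the default by hand (elevated prompt required):
# Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
```

Run this before and after the RogueKiller Delete step: the "Weak" field should flip to False once ConsentPromptBehaviorAdmin is no longer 0, and the Start Page should either be empty or the page you actually chose. A "PUM" entry is a potentially unwanted modification, i.e. a non-default setting, which is why a homepage you set yourself can be listed alongside a genuinely risky UAC value.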


rk_EFCA.txt

RK says "Error(2)" on one of the entries, but after searching throughout the app I am unable to find any guide or key to Error Numbers so I have no idea why it errored out on that entry.

I decided to let RK also delete the Curse Client "suspicious paths" and the MIE home pages, both of which are irrelevant now since I don't use either of them any more.


I'm not sure why RK produced an error on the x86 registry entry.

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


A few minor issues that should be addressed.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

CustomCLSID: HKU\S-1-5-21-512916201-3985343410-3463357333-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Angie\AppData\Local\Microsoft\OneDrive\17.3.6798.0207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-512916201-3985343410-3463357333-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Angie\AppData\Local\Microsoft\OneDrive\17.3.6798.0207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-512916201-3985343410-3463357333-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Angie\AppData\Local\Microsoft\OneDrive\17.3.6798.0207\amd64\FileSyncShell64.dll => No File
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:DocumentSummaryInformation [63]
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:SummaryInformation [63]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


The fix failed to remove the 2 ADS.  They are not that big of a deal, unless you are still having problems.

How are things running?

On 3/31/2017 at 5:33 PM, Kevin Zoll said:

The fix failed to remove the 2 ADS.  They are not that big of a deal, unless you are still having problems.

How are things running?

No recent Windows Explorer crashes, but the notice upon reaching the desktop after exiting a game that (paraphrasing from memory) "Windows needs to reduce color depth to 16 colors to improve performance" has started popping up again.

I would like to remove everything that could possibly be an issue, including these two resistant ADS (whatever an ADS is) if you can please help me do that. I am familiar with how to get to Safe Mode and/or use Regedit if necessary.

Thanks.


See https://superuser.com/questions/314570/disable-do-you-want-to-change-the-color-scheme-to-improve-performance-warning to disable that warning message on Windows 7.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:DocumentSummaryInformation [63]
AlternateDataStreams: C:\Windows\SysWOW64\zlib.dll:SummaryInformation [63]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

From Safe Mode. Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Been researching ADS. Found a utility called StreamArmor, which has the following note: "On 64 bit platforms, only 32 bit processes are supported."

I have a 64-bit system (Win7 x64). The file that Farbar keeps finding (and failing to remove) the ADS's from is in a folder named syswow64, leading me to believe that everything in that folder is a 64-bit process. I wonder if that's why Farbar can't remove it?

I also found an article dated 2013 claiming that a PowerShell commandlet 'RemoveItem' could remove any ADS, but I tried it and it didn't remove either of the ADS's. I researched zlib.dll, the file with the ADS's, but all I could find out is that it has something to do with compression. Whether that's NTFS disk compression or file compression such as zip or 7z was not made clear at all, but zlib.dll is apparently NOT a Microsoft file.

Thanks and hope you can figure out some way to remove the ADS.
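An added example, not from this thread and not Farbar's or Emsisoft's code: the PowerShell way to list every NTFS alternate data stream on a file, peek at what each one holds, and remove the named ones, with a check afterwards so a failed removal is visible rather than silent. It works on PowerShell 3.0 or later (Windows 7 needs the Windows Management Framework 3 update). The script builds its own throwaway file with two streams so it can be run safely; the path to substitute for the real target (C:\Windows\SysWOW64\zlib.dll here) is marked in the comments.

```powershell
# Added example (not from the thread, FRST or Emsisoft).
# Enumerate, inspect and remove NTFS alternate data streams with the FileSystem
# provider's -Stream parameter (PowerShell 3.0+).
#
# $Target is a constructed demo file. To work on the real file from the FRST log,
# set $Target = 'C:\Windows\SysWOW64\zlib.dll' and run from an elevated prompt.

$Target = Join-Path $env:TEMP 'ads-demo.txt'

# Create the demo file with two named streams (names chosen to mirror the log).
Set-Content -LiteralPath $Target -Value 'primary content'
Set-Content -LiteralPath $Target -Stream 'SummaryInformation'         -Value 'demo stream 1'
Set-Content -LiteralPath $Target -Stream 'DocumentSummaryInformation' -Value 'demo stream 2'

function Get-NamedStreams {
    param([string]$Path)
    # ':$DATA' is the file's primary (unnamed) stream; anything else is an ADS.
    Get-Item -LiteralPath $Path -Stream * | Where-Object { $_.Stream -ne ':$DATA' }
}

"Streams before:"
Get-NamedStreams $Target | Format-Table Stream, Length -AutoSize

# Look at what each stream holds before deleting it. A stream can carry text,
# a Zone.Identifier marker, or arbitrary binary; here the first line is shown.
foreach ($s in Get-NamedStreams $Target) {
    $preview = Get-Content -LiteralPath $Target -Stream $s.Stream -TotalCount 1
    "  {0} -> {1}" -f $s.Stream, $preview
}

# Remove-Item -Stream deletes only that stream; the file and its main content stay.
foreach ($s in Get-NamedStreams $Target) {
    try {
        Remove-Item -LiteralPath $Target -Stream $s.Stream -ErrorAction Stop
        "Removed stream: $($s.Stream)"
    } catch {
        # Typical causes on a real system file: the process is not elevated, the
        # ACL does not grant write access, or the DLL is loaded by a running process.
        "Could not remove $($s.Stream): $($_.Exception.Message)"
    }
}

# Verify instead of trusting the tool's summary.
"Streams after:"
$remaining = @(Get-NamedStreams $Target)
if ($remaining.Count -eq 0) { "  none" } else { $remaining | Format-Table Stream, Length -AutoSize }

# If removal fails on the real file, these two lines show who may write to it and
# whether a 32-bit process currently has it mapped:
# (Get-Acl -LiteralPath $Target).Access | Format-Table IdentityReference, FileSystemRights -AutoSize
# Get-Process | Where-Object { $_.Modules.FileName -contains $Target } | Select-Object Name, Id
```

Two things worth knowing when reading the FRST lines above: stream names of the SummaryInformation / DocumentSummaryInformation form are the ones the Windows shell writes to hold file property metadata, so by themselves they are not a sign of anything hostile; and a removal that fails from a normal session but succeeds from Safe Mode usually means the file was in use, which is why the helper suggested Safe Mode for the fix.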


SysWow64 is the 32-bit system folder on 64-bit systems.

ZLIB is an open source file compression library.

You can probably ignore those entries, as ZLIB cannot do anything malicious.

On 4/10/2017 at 5:58 PM, Kevin Zoll said:

You can probably ignore those entries, as ZLIB cannot do anything malicious.

OK, thanks then, I will. Thanks for your help, and feel free to close the thread. SOLVED!


Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore

  • Click the Run button.


When the tool is finished, a log will open in notepad. I do not need the log.  You can close Notepad.

Empty the Recycle Bin

Download to your Desktop:
- CCleaner Portable

  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner


Run CCleaner

  • Open the CCleaner Folder on your Desktop and double-click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • Click "Options" and choose "Advanced"
  • Uncheck "Only delete files in Windows Temp folders older than 24 hours"
  • Then go back to "Cleaner" and click the "RunCleaner" button.
  • Exit CCleaner.


You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

To remove EEK, simply delete the EEK folder on your System Drive, normally C:\EEK.

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only.  Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair.  Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
