
Sloooowwwww to Boot / Resume / Shutdown Windows 7: Malware or Configur

#1 221b (Member, 42 posts)
Hi All-

My Win7 Lenovo X220 laptop is now taking very long to boot and authenticate me / load initially.

I ran Catchme and received the following output:

"detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error"

I read that it's almost a sure sign of a rootkit, so I downloaded OTL, booted to safe mode, and ran it with minimal output, standard registry = all, and LOP and Purity checks enabled.

I also checked the startup services and performance issues logged in Event Viewer, but nothing other than reporting critical errors taking a long time starting. I also ran a check disk and windows resource protection did not find any violations.

Edited by Essexboy, 12 November 2011 - 01:16 PM.
Log removed - no apparent malware
#2 phillpower2 (Global Moderator, 25,068 posts)
Hi 221b

1. If you have the W7 installation disk run SFC (system file checker).
Open an elevated command prompt. To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
2. Type the following command, and then press ENTER:
sfc /scannow
The sfc /scannow command scans all protected system files and replaces incorrect versions with correct Microsoft versions.

To determine which files could not be repaired by the System File Checker tool, follow these steps:
1. Open an elevated command prompt.
2. Type the following command, and then press ENTER:
findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >%userprofile%\Desktop\sfcdetails.txt
Note: The Sfcdetails.txt file contains details from every time that the System File Checker tool has been run on the computer. The file includes information about files that were not repaired by the System File Checker tool. Verify the date and time entries to determine the problem files that were found the last time that you ran the System File Checker tool.
3. Type sfcdetails.txt in Search programs and files and press Enter.

Then do the following please;

My first suggestion is to tidy up the data on your HDD so please follow the directions provided below starting with Autoruns http://technet.micro...ernals/bb963902

1: Extract the Autoruns Zip file contents to a folder.
2: Double-click the "Autoruns.exe".
3: Click on the "Everything" tab
4: Remove any entries that mention "File Not Found" by right-clicking the entry and select Delete.
5: Go to File then to Export As or Save in some versions.
6: Save AutoRuns.txt file to known location like your Desktop.
7: Attach to your next reply.

2nd: Download and run TFC from http://www.geekstogo...ds&showfile=187 your computer should automatically re-boot on completion but if not do it manually.

3rd: Defrag your HDD http://www.auslogics...re/disk-defrag/ do this at least once a week in the future, a tidy drive is a faster drive, please note that I am not suggesting that you use any other product or service here.
A couple of other things to consider are what size HDD you have and how much free storage space is available; you should always have between 12 and 15% of the overall capacity available. Do not have more than 1 AV program running, as it causes slowness while the programs fight for control of system resources; this can lead to instability and/or crashes.
What AV do you use? Some use a lot more system resources than others; Norton and AVG are excellent but very demanding.

To speed up your boot times find any unnecessary programs linked to start up "how to" below;

START -> RUN
type MSCONFIG in the RUN box
then click OK

Click on the start-up TAB

Look at each line that has a check in the box, these are start-up items. Uncheck the ones you do not want to run at start-up.
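As an added example (not from this thread or from Microsoft), a small script that reads the sfcdetails.txt the findstr command above produces, or a constructed sample of such "[SR]" lines, groups the entries into SFC runs and lists only the files the most recent run reported it could not repair. The line layout of the sample is assumed from typical Windows 7 CBS.log entries; the file name and component in it are made up.

```python
import re
import sys

# Constructed sample of "[SR]" lines as findstr extracts them from CBS.log (two
# SFC runs; the second reports one file it could not repair). Line layout is
# assumed from typical Windows 7 CBS.log entries, not copied from the thread.
SFCDETAILS_SAMPLE = """\
2011-11-10 09:02:11, Info                  CSI    00000021 [SR] Verifying 100 (0x0000000000000064) components
2011-11-10 09:03:40, Info                  CSI    00000045 [SR] Verify complete
2011-11-12 13:05:14, Info                  CSI    000000d2 [SR] Verifying 100 (0x0000000000000064) components
2011-11-12 13:06:02, Info                  CSI    000000e1 [SR] Cannot repair member file [l:24{12}]"example.dll" of Example-Component, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral in the store, hash mismatch
2011-11-12 13:06:03, Info                  CSI    000000e2 [SR] Repairing 1 components
2011-11-12 13:06:05, Info                  CSI    000000e3 [SR] Repair complete
"""

SR_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), .*?\[SR\] (.*)$")
MEMBER_FILE = re.compile(r'Cannot repair member file \[[^\]]*\]"([^"]+)"')

def parse_sr_lines(text):
    """Return (timestamp, message) for every [SR] line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SR_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def split_runs(entries):
    """Group entries into SFC runs: each run opens with a 'Verifying N components' line."""
    runs = []
    for ts, msg in entries:
        if msg.startswith("Verifying ") or not runs:
            runs.append([])
        runs[-1].append((ts, msg))
    return runs

def unrepaired_files(text):
    """File names from 'Cannot repair member file' entries of the most recent run only."""
    runs = split_runs(parse_sr_lines(text))
    if not runs:
        return []
    return [m.group(1) for _, msg in runs[-1] if (m := MEMBER_FILE.search(msg))]

if __name__ == "__main__":
    # Usage: python sfc_unrepaired.py %userprofile%\Desktop\sfcdetails.txt
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SFCDETAILS_SAMPLE
    for name in unrepaired_files(text):
        print("not repaired in last run:", name)
```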

#3 221b (Topic Starter)
Thanks.

I've already run System File Checker with no issues found. I've also previously checked services starting via MSCONFIG, disabling all by Microsoft and it was still slow.

I've attached Autoruns.txt.

I've cleaned temporary files (only in recycle bin) and defragged (only 10.8% was fragmented as the laptop is only 3 months old).

Edited by 221b, 12 November 2011 - 03:33 PM.


#4 phillpower2 (Global Moderator)
Hi 221b
Can you please remove the OTL from your previous post by way of the edit tab, as they are not used here; only the Malware Techs are permitted/trained to address those logs.

Ok, I notice from your Autoruns that you have both Avast and Symantec/Norton AV installed; this is most likely the cause of the issue, as the 2 programs will be fighting for control of system resources. Some people have the misconception that having 2 AV programs will make their PC more secure when in fact it will make it unstable.
Was Norton pre-installed on the laptop when you purchased it, and you have since added Avast?
Norton is a very good AV program but it is also a hogger of system resources, whereas Avast is very good but light on resources. I suggest you remove Norton and be sure you use the proper uninstaller or you will get serious issues;
https://www-secure.s...n=1&pvid=f-home let us know if this resolves the issue.
#5 221b (Topic Starter)
I've removed the OTL log from the previous post.

As Symantec is company-installed, and this is a corporate machine, I've removed Avast now too.
#6 phillpower2 (Global Moderator)
Ok thanks, how is it running now with only the Symantec AV program?
#7 221b (Topic Starter)
I just booted and it took over a minute to startup (after I entered my credentials - hung on "Welcome").

What else should I try?

Edited by 221b, 12 November 2011 - 04:02 PM.

#8 phillpower2 (Global Moderator)
Please Run the PCPitstop.com OverDrive Full Tests

Here's how:

You must use your Internet Explorer for this procedure. (doesn't work so well in Firefox or others). If your machine is running Vista or Windows 7, you must Select IE to “Run as Administrator”. After completing PCPitstop OverDrive you can close your IE browser and re-open it Normally so that you are no longer running as administrator.

Go to: http://www.pcpitstop.com
Click on "Free Computer Check-up" listed below PC Pitstop OverDrive
In the User Login - Click on "Sign up FREE!"
You'll need to submit a valid email address and create your own password, then click - Create Account(button)

Now enter your email address and password to Log in, Select - Scan this system Now!(button)
You will then be asked to download an ActiveX component and allow it to install.
It is safe and does not compromise your privacy.
Follow the on-screen prompts to install the ActiveX and to allow the Full Tests to be run on your machine.

The Full Tests take about 2 1/2 - 3 minutes on most machines.
When complete, a Results - Summary - Recommended Fixes will be displayed.

Please post the URL internet address, from your Results, back here into this Topic Thread so that we can review the configuration and present performance levels of your machine.

Note: During the graphics 2D and graphics 3D testing, your screen will display some rapidly moving objects.
If you are sensitive to visual flashing, it may cause dizziness. Therefore, look away from the screen during that portion of the testing.

After reviewing the results we will be more informed and may be able to provide better recommendations for you to work towards improving your machine's performance.

While PCPitstop does offer a variety of Paid Products, the PCPitstop OverDrive testing is FREE. Please ignore the references to Paid Products. We prefer to provide manual solution instructions that you can apply directly to your machine.

Thanks to rshaffer61 for the above instructions :)
#9 221b (Topic Starter)
Here you go:

http://www.pcpitstop...?conid=24649457
#10 rshaffer61 (Moderator, 34,114 posts)

"I've cleaned temporary files (only in recycle bin)"

Please run TFC as that will clear everything and not just the recycle bin.

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Background info courtesy of DonnaB. Thank you.

As for TFC, this is a tidbit of an article I found a while back by a Microsoft MVP.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB).

Before running, it will stop Explorer and all other running applications. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.
-- TFC only cleans temp folders.
-- TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail.
#11 221b (Topic Starter)
I ran it again and it only found, and cleaned, temporary files in my Recycle Bin (this time 8MB). No reboot, but it did pop open an explorer window to my Libraries.
#12 rshaffer61 (Moderator)
OK then it has gotten rid of everything. Speed better or about the same as post 7?
The hanging on Welcome would indicate a driver, service or user.ini file issue. Follow Phillpower2 as he is very good and will stay with you till the end. If need be I am watching the topic also.
:)
#13 rockmilk (Member, 2,773 posts)
Hello 221b, I would like to give this a shot if you don't mind.
Download CCleaner from the link below:

http://www.piriform....leaner/download

Just DON'T use the registry cleaner function of CCleaner unless you know exactly what you are deleting!!

Then open CCleaner, hit the Tools button, then Startup (second one down, below Uninstall), then in the bottom right hand corner of CCleaner hit Save to text file. Save it to your desktop and post the startup.txt here in your next reply. Also hit Start, Run, then type msconfig, hit the Services tab, then put a check mark in Hide Microsoft services. What is listed there, after hiding Microsoft services?

Edited by rockmilk, 12 November 2011 - 04:46 PM.

#14 221b (Topic Starter)
Thanks.

It's not the speed issue that was concerning me so much as the 1+ minutes to login / boot after entering my credentials.

A couple more points:

1. As mentioned, this is a company machine so I log into a domain (DOMAIN\USERNAME) except when it's not available (i.e. when working outside the office). Could searching for the domain be an issue?

2. I work at a small office, and I don't trust my network administrator. I scanned my desktop - not this machine, which is a laptop - at work with Symantec and found 18 potential viruses, which were all quarantined (see attached). I'm not sure if these are actual viruses or just false positives, because every time I run it, it finds these files, and I never received any virus notifications otherwise. Again, I don't trust my network administrator and feel he may have installed a key logger. But that's on another machine and another story...

Thank you for all your help, guys! You rock.

Attached thumbnail: Virus Scan.jpg

#15 rshaffer61 (Moderator)
"1. As mentioned, this is a company machine so I log into a domain (DOMAIN\USERNAME) except when it's not available (i.e. when working outside the office). Could searching for the domain be an issue?"

Good possibility there, as it is looking for the domain to log in and will slow any bootup down till it times out.