DudgeonousTweet

Honorary Members
Posts: 38

  1. Hello Kevin, It is good to be able to put a positive post up at the end of this long thread. After you had pronounced my PC to be free of malware, I was still suspicious that there were some nefarious algorithms going on during the cold boot. Cold boots were still 3 minutes 46 seconds compared to a restart time of 35 seconds. I visited the BlackViper site but none of his articles seemed relevant and he made it clear that he did not want to be contacted. I have posted on the Lenovo, TechNet, and Sysinternals forums attempting to find out how to trace a cold boot. If I could see what was going on I could perhaps focus on the problem. I was never able to trace a cold boot. There does appear to be no way to do that. That seems like a very serious hole in the current state of technical affairs. Sysinternals has Process Monitor. Process Monitor holds out the hope of tracing a cold boot since it does not have a restart baked in. However, I was never able to get it to work on my PC. There was one claim to have tested it and found it to work on a PC, but I am suspicious that they may not have actually tried a cold boot. However, the fellow at Sysinternals was coming from his experience that there was not that big a difference between a cold boot and a restart, and so he was suspicious that it was hardware. After I told him about my ongoing adventures with disabling the M.2 cache SSD he suggested that I go beyond disabling it and remove it from the system. It was not all that easy to do that since notebook computers are packed very densely and some of the screws were very tight. They may have been cross threaded. Ultimately I got the SSD out and the machine put back together. And the cold boot dropped to 44 seconds. The restart is 35 seconds. That is a reasonable difference. So, you were right. My machine was clean. The 3 minute 46 second cold boot was not nefarious algorithms and the international conspiracy to bring down western civilization that I had imagined. 
It was hardware. Thank you. And, on behalf of western civilization, thank you again. Dudge
  2. I hope you are right. I am still suspicious. I will check out Mr. Viper. Thank you very much for your help. Dudge
  3. Attached below is the latest Fixlog.txt. I ran CCleaner, Delfix, and GeekUninstaller. I used GeekUninstaller to uninstall Sophos and Zemana. I am still struggling to get the cold boot time down. I remain suspicious that stuff is happening that is unnecessary or harmful. The means that I am pursuing is to use Process Monitor to trace a cold boot. I have not gotten Process Monitor to do that yet. According to the response I have gotten at the SysInternals forum it has been tested and shown to work on some Windows 7 machines. I have not yet found out if it can be made to work on my machine. I asked in the Lenovo forum whether Process Monitor can be used to trace a cold boot on a Lenovo S431 64 bit PC running Windows 7. I got a reply that said it was very hard. They did not elaborate. I can use Process Monitor to trace a restart without a problem. When I turn on the msconfig ntbtlog.txt boot logging it shows the list of drivers loaded during a restart to be identical to those loaded during a cold boot with the exception of one driver. That driver was part of the Intel Rapid Start Technology. I disabled that in the UEFI/BIOS setup screen and uninstalled the software. After that the ntbtlog.txt list of loaded drivers was exactly the same for the restart and the cold boot. However, Process Monitor boot logging of the cold boot still did not work. Removing this software did have the effect of reducing my cold boot time from 3 min 57 seconds down to 3 min 47 seconds. That is the shortest time yet. The struggle continues. Thank you for your help. Fixlog.txt
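The driver comparison described in that post (restart versus cold boot via msconfig boot logging) can be done without reading ntbtlog.txt by eye. The script below is an added example, not code from the thread or from Sysinternals: it parses the boot sessions that Windows appends to C:\Windows\ntbtlog.txt and reports drivers whose load status differs between the two most recent boots. The sample log is constructed, and example_only.sys is a placeholder driver name.

```python
import re

# Windows boot logging (msconfig -> Boot -> "Boot log") appends one block per
# logged boot to C:\Windows\ntbtlog.txt: a "Microsoft (R) Windows (R) Version"
# header, a timestamp line, then "Loaded driver" / "Did not load driver" lines.
SESSION_HEADER = re.compile(r"^Microsoft \(R\) Windows \(R\) Version")
DRIVER_LINE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*)$")

def parse_sessions(text):
    """Split ntbtlog.txt into boot sessions (oldest first); each session maps a
    lower-cased driver path to 'loaded' or 'not loaded'."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if SESSION_HEADER.match(line):
            current = {}
            sessions.append(current)
            continue
        m = DRIVER_LINE.match(line)
        if m and current is not None:
            current[m.group(2).lower()] = (
                "loaded" if m.group(1) == "Loaded driver" else "not loaded")
    return sessions

def diff_sessions(a, b):
    """Drivers whose status differs between two sessions: {path: (in_a, in_b)}."""
    return {k: (a.get(k, "absent"), b.get(k, "absent"))
            for k in sorted(set(a) | set(b))
            if a.get(k, "absent") != b.get(k, "absent")}

def compare_last_two(text):
    """Diff the two most recent logged boots, e.g. a restart then a cold boot."""
    sessions = parse_sessions(text)
    if len(sessions) < 2:
        raise ValueError("need at least two logged boots in ntbtlog.txt")
    return diff_sessions(sessions[-2], sessions[-1])

# Constructed sample (not a real capture): a restart session, then a cold boot.
# "example_only.sys" is a placeholder name, not a real driver.
SAMPLE_LOG = r"""Microsoft (R) Windows (R) Version 6.1 (Build 7601)
 5 10 2016 23:40:12.500
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\DRIVERS\jftfy.sys
Did not load driver \SystemRoot\System32\drivers\vga.sys
Microsoft (R) Windows (R) Version 6.1 (Build 7601)
 5 11 2016 08:01:03.250
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\DRIVERS\jftfy.sys
Loaded driver \SystemRoot\system32\DRIVERS\example_only.sys
Did not load driver \SystemRoot\System32\drivers\vga.sys
"""
```

Run `compare_last_two(open(r"C:\Windows\ntbtlog.txt").read())` after logging one restart and one cold boot; an empty result means both boots loaded the same driver set, which is the check the post relies on.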
  4. By the way, that last Fixlist.txt run did improve my cold boot time from 4 minutes 0 seconds to 3 minutes 57 seconds. It must have gotten rid of something meaningful. Thank you.
  5. Hello Kevin, Please find attached the most recent FixLog.txt that resulted from the last Fixlist.txt. Also attached are the FRST.txt and the Addition.txt files from the last FRST run. Would it be bad form to now run CCleaner against the registry to see if it would clean up any additional SkyDrive remnants? Thank you. Fixlog.txt FRST.txt Addition.txt
  6. Hello Kevin, I have run SystemLook. The log file is attached. It seems to have found less than everything. For example, it reports no hits in the registry, but using regedit I find these hits:
     HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SkyDriveEx
     HKEY_CLASSES_ROOT\AppID\SkyDrive.EXE
     HKEY_CLASSES_ROOT\CLSID\{573FFD05-2805-47C2-BCE0-5F19512BEB8D} Default Microsoft SkyDrive Pro Context Menu State Handler
     HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7} Default Microsoft SkyDrive Pro Icon Overlay 1 (ErrorConflict)
     HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 Default C:\Users\[Me]\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64\SkyDriveShell64.dll
     HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 Default C:\Users\[Me]\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64\SkyDriveShell64.dll
     HKEY_CLASSES_ROOT\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} Default SkyDriveEx
     HKEY_CLASSES_ROOT\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 Default C:\Users\[Me]\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64\SkyDriveShell64.dll
     and many more. It also missed some hits in the file system. Will some other tool catch the rest? Thank you. SystemLook.txt
  7. Hello Kevin, I continue to work on this problem and have an update. I have gotten suggestions to update the UEFI/BIOS on the machine. While looking at the PC BIOS setup screen I noticed and remembered that I had set up the machine to do what they call a diagnostic boot. There are two boot options offered on a Thinkpad S431 notebook computer. There is [Quick] and [Diagnostic]. The on screen description of the two options is this: [Quick] The diagnostic splash screen does not display unless you press Esc during boot. [Diagnostic] The diagnostic splash screen always displays during boot. During this investigation I wanted to see that splash screen in case it gave me some options that might be helpful, so I turned it on. I have subsequently come to find out that there is more to it than that. The documentation for the machine says this about the Quick and the Diagnostic boot options: The Quick boot is intended to boot the operating system as soon as possible by reducing the POST (Power On Self Test) elapsed time. The Diagnostics boot is to be used for the problem determination by performing tests of the devices. More device testing. That explains some of my slow cold boot. In fact when I set this boot mode back to the default Quick the cold boot time was reduced from 5 minutes 9 seconds to 4 minutes 0 seconds. That is my personal best so far. The restart time is 35 seconds. One of the things I have been pursuing is trying to learn how to trace a cold boot. So far without success. I can use Process Monitor to trace a restart but not a cold boot. When I did trace a restart I noticed that I have a lot of activity around SkyDrive. I uninstalled SkyDrive. However, the registry is full of SkyDrive and it exists in 41 places on the file system. 
Some of the SkyDrive references exposed by Process Monitor look like this: C:\Users\Me\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64\SkyDriveShell64.dll It makes me suspicious to see this cloud referencing object squirrelled away under AppData\Local. And I am surprised to see all this SkyDrive stuff after I had uninstalled it. And I think FRST quarantined it also. There are some SkyDrive hits in the FRST quarantine. Could you walk me through getting the last remnants of SkyDrive off of my computer? If there are many SkyDrive references in the Process Monitor boot log for a restart, perhaps there are many more during the cold boot that is 3 minutes and 25 seconds longer. I would like to rule out SkyDrive as part of my problem. Thank you.
  8. Rats. I thought you meant the two results files. Here are the two drivers jftfy.sys and pbtiehv.sys. jftfy.zip
  9. Oops. Sorry. Here they are. Can VirusTotal be used to scan programs that launch earlier in the boot such as ntoskrnl.exe, smss.exe, csrss.exe, WinInit.exe, SCM.exe, lsass.exe, and lsm.exe? These are the things that are running in the first 3 minutes of the boot that should be taking 20 seconds. Thank you. Antivirus scan for 65807f2eeb7e60e1a7efb4aec9bb20c7121e8754e9001616df919e5ea8b7c541 at 2016-05-10 235101 UTC - VirusTotal.zip
  10. BTW. The navigation panel from virustotal could not see these files in the C:\Windows\System32\drivers context. I had to copy them to the desktop in order for the navigation panel to see them. Perhaps it is some prohibition set up in IE. I presume that that behavior is normal.
  11. Here is for jftfy.sys:
     SHA256: 65807f2eeb7e60e1a7efb4aec9bb20c7121e8754e9001616df919e5ea8b7c541
     File name: jftfy.sys
     Detection ratio: 0 / 56
     Analysis date: 2016-05-10 23:51:01 UTC ( 4 minutes ago )
     Probably harmless! There are strong indicators suggesting that this file is safe to use.
     Here is for pbtiehv.sys:
     SHA256: 65807f2eeb7e60e1a7efb4aec9bb20c7121e8754e9001616df919e5ea8b7c541
     File name: pbtiehv.sys
     Detection ratio: 0 / 56
     Analysis date: 2016-05-10 23:57:33 UTC ( 0 minutes ago )
     Probably harmless! There are strong indicators suggesting that this file is safe to use.
     Thank you.
  12. Also, a cold boot is still a rock solid 5 minutes 10 seconds.
  13. I ought to have mentioned that this Cyrillic report was listed as having been sent somewhere.
  14. Hello Kevin, I did my duty. Please find attached the ComboFix log file. When ComboFix finished it did not request a reboot or throw up any warning messages. I notice in the log file that it was looking at files that were new since 4/10/16. I initially became aware of the problem back on 4/7/16 and I don't know how long before that I may have been infected with something stealthy before it came out of the closet on 4/7/16. If I go Control Panel --> Action Center --> View Reliability History --> View All Problem Reports there is one listed for 4/7/16 whose detail is this:
     Source: Хост-процесс для служб Windows
     Summary: Stopped working
     Date: 4/7/2016 10:42 AM
     Status: Report sent
     Problem signature
     Problem Event Name: APPCRASH
     Application Name: svchost.exe
     Application Version: 2.24.0.74
     Application Timestamp: 54034084
     Fault Module Name: svchost.exe
     Fault Module Version: 2.24.0.74
     Fault Module Timestamp: 54034084
     Exception Code: c0000005
     Exception Offset: 000000000001789e
     OS Version: 6.1.7601.2.1.0.768.3
     Locale ID: 1033
     Additional Information 1: 3682
     Additional Information 2: 3682c7237f7d92b3f5a9a43efc99e583
     Additional Information 3: c685
     Additional Information 4: c685385faff17315223574279bb5118f
     Extra information about the problem
     Bucket ID: 46550579
     Note the Cyrillic alphabet near the top. I am suspicious of this. Might it not be prudent to extend our gaze further back in time? Thank you. ComboFix.txt