about:blank...comp really slow

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tblue, Mar 28, 2005.

  1. tblue

    tblue Corporal

    Hi all, :D
    I'm posting this from my mom's computer. She's having problems with it being slow. I ran all the scans from the sticky except one. The trend micro would freeze without scanning any files. Although it shows that I ran it in my HJ log I think. :confused:
    She has Win 98SE. 56k dial up
    I ran HJ and deleted some about blank lines.
    Can someone take a look at the log?
    Thanks,
    T.Blue
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Sorry about the delayed post, been really busy here lately!

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).

     
  3. tblue

    tblue Corporal

    No problem BJ. I appreciate the help. I'm actually going to attach 3 logs. The first one I ran and then fixed some obvious things. The second I ran and didn't fix anything. Then I uninstalled NAV (it was old and not updated) and had to reboot so I ran another one. I'm posting these from work so won't be able to do anything to her computer until around lunch time, if you get to it before then.
    Thanks again,
    T.Blue
     


  4. tblue

    tblue Corporal

    Here is the 3rd log.
    Thanks again
    T.Blue
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    For the above entries you will need to run Spybot S&D in Safe Mode, but before you do a scan you will need to go in Advanced Mode and uncheck all ignored items. Then do a full scan to remove this!

    First:

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com

    F1 - win.ini: load=C:\WINDOWS\Csrss.exe
    F1 - win.ini: run=C:\WINDOWS\Csrss.exe

    O4 - HKLM\..\Run: [Runtime Process] C:\WINDOWS\Csrss.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\Csrss.exe
    O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [Runtime Process] C:\WINDOWS\Csrss.exe
    O4 - HKCU\..\RunServices: [Runtime Process] C:\WINDOWS\Csrss.exe

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\NewDotNet ←–– Delete this whole folder if it exists!

    C:\WINDOWS\Csrss.exe

    C:\WINDOWS\web\related.htm

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  6. tblue

    tblue Corporal

    Booted in safe mode. Opened Spybot, unchecked ignored items. Ran spybot, it found 13 entries of NewDot. Could only fix 12. Couldn't fix c:/programfiles/NewDotNet/
    Ran it again and it found the same entry but fixed it this time. Booted into normal mode, ran HJ, fixed items you said to.
    Before I could boot into safe mode again a blue DOS looking screen came up and said
    Windows
    "A fatal exception OE has occured @0177:BFF9DFFF.
    The current application will be terminated"
    Gave option to:
    Press any key to terminate the current application or
    Press CTRL,alt,delete again to restart computer. You will lose any unsaved info. in all applications.
    I chose the first option.
    Another DOS looking screen came up
    Explorer
    Explorer caused a general protection fault in module
    USER.EXE@0012:00000167.
    Close

    I clicked on close and the First errors came up again with same choices. I then chose ctrl,alt,delete and it restarted the computer.
    I then booted in safe mode. Couldn't locate NewDotNet.
    Couldn't delete csrss.exe, got error "The specified files is being used by windows". Checked to see if it was read only...it was not. It was checked hidden so I unchecked it but still couldn't delete. Hide files and extensions is unchecked. Whew!!!! Jeez that's a long post!!! Sorry
    Attached is HJ log
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox

    Please boot into Safe Mode

    Now scan with HijackThis and Check the Boxes for the following:

    F1 - win.ini: load=C:\WINDOWS\Csrss.exe
    F1 - win.ini: run=C:\WINDOWS\Csrss.exe

    O4 - HKLM\..\Run: [Runtime Process] C:\WINDOWS\Csrss.exe
    O4 - HKLM\..\RunServices: [Runtime Process] C:\WINDOWS\Csrss.exe
    O4 - HKCU\..\Run: [Runtime Process] C:\WINDOWS\Csrss.exe
    O4 - HKCU\..\RunServices: [Runtime Process] C:\WINDOWS\Csrss.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\Csrss.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    After doing the above, Reboot into Normal Mode and attach a new HJT log.
     
  8. tblue

    tblue Corporal

    Ok will do tonight as I am back at work now.
    Thanks again
    T.Blue
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay!:)

    Will be awaiting results!
     
  10. tblue

    tblue Corporal

    Little FYI
    I had to print your first set of instructions and bring to her house to perform. For some reason it didn't print to delete the c\windows\web\related.htm
    Don't know why but it didn't. I just noticed it in your reply. I guess I can do it this evening????
     
  11. tblue

    tblue Corporal

    OK I did it all. HJ log doesn't have those entries anymore. I did get an error on reboot
    Can't find the file C\windows\Csrss.exe or one of its componets. Make sure the path & file name are correct & that all required libraries are available.
    I guess that's because it's not there anymore huh. Genius that I am :p
    Attached is the HJ log. If everything looks alright I'm going to do the "How to protect yourself sticky...."

    Thanks again BJ,
    T.Blue
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's in Post #5 to delete that file. Allow me a moment to check the latest log.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After you do this, you should be ready to go. Also, about the startup error. Click Start > Programs > Startup and check to see if anything is in that folder that relates to the file.

    Let me know!
     
  14. tblue

    tblue Corporal

    Hey man,
    Reset everything. Seems to be running better and faster (as fast as you can on dialup grrrrrrrrrr). There was nothing in the start>programs>startup about that file. The only thing in there was Microsoft Office and Winzip Quick Pic??? The error is still coming up. Let me know what you think.

    Thanks,
    T.Blue
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's see if we can find out where it's starting from.

    Please download "StartDreck", from here: http://www.niksoft.at/php/dl.php?f=startdreck.zip

    Unzip to its own folder and start the program,
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers -> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please attach the log in this thread.
     
  16. tblue

    tblue Corporal

    Do I need to have files and extensions unhidden before I run this program???
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Shouldn't have to, but you should already have this enabled per the tutorial.
     
  18. tblue

    tblue Corporal

    yea but I put everything back like it was...no biggie I can undo them again :) I'll be able to get back to her computer this evening
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Will be awaiting the log.
     
  20. tblue

    tblue Corporal

    ok here is the log.
     


  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What was the exact startup error again?
     
  22. tblue

    tblue Corporal

    "Can't find the file C\windows\Csrss.exe or one of its componets. Make sure the path & file name are correct & that all required libraries are available."
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in msconfig

    Click on the startup tab, and check EVERY box! Now run HJT and attach the log.

    DO NOT REBOOT WHEN PROMPTED!
     
  24. tblue

    tblue Corporal

    Attached is the HJ log.
     


  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Gator

    GAIN

    PrecisionTime

    DownloadWare

    SAVE

    WeatherBug

    DateManager <-- It's up to you, but it's Adware!

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
    O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
    O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
    O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
    O4 - Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Common Files\CMEII ←–– Delete this whole folder if it exists!

    C:\Program Files\DownloadWare ←–– Delete this whole folder if it exists!

    C:\Program Files\SAVE ←–– Delete this whole folder if it exists!

    C:\Program Files\NewDotNet ←–– Delete this whole folder if it exists!

    C:\Program Files\AWS ←–– Delete this whole folder if it exists!

    C:\Program Files\PrecisionTime ←–– Delete this whole folder if it exists!

    C:\Paltalk ←–– Delete this whole folder if it exists!

    Atiptaaa.exe ←–– Search for this file and delete when found!


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Note: Before running Spybot S&D go in Advanced Mode and uncheck all the ignored items, then run a full scan.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  26. tblue

    tblue Corporal

    Ok will do...I'm at home now and that's a little too extensive for my mom :) I'll be able to do it tomorrow at lunch.
    Thanks,
    T.Blue
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Let me know the results, when you get done post a fresh HJT log. Also, let me know if you still get the error.
     
  28. tblue

    tblue Corporal

    None of these were found.

    Ran HJ and fixed all that you said to.

    None of the above folders were found

    Deleted above folders & file

    Ran CCleaner

    Tried to update spybot got the following error
    "Error retrieving update info file! Cannot allocate socket"
    Did advanced mode instructions
    Ran spybot, found 1 entry of mediplex, avenue a, inc., Wild Tangent
    2 entries of GAIN.Gator
    Fixed all
    Ran cleanmgr
    Rebooted to normal and got error
    "Cannot find the file 'C\WINDOWS\Csrss.exe' (or one of it's componets). Make sure the path and file name are correct and that all required libraries are available."

    Also got this error on reboot to normal mode
    "Windows is searching for aoltray.exe. To locate the file yourself click browse."
    Ran HJ in normal mode. Log is attached.
    The computer is running better & faster overall...but that Csrss.exe error is strange. What type of file is that???
     


  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The file C\WINDOWS\Csrss.exe refers to the W32.Netsky.AB@mm worm, the W32.Webus Trojan, Win32.Ladex.a and more.

    To be safe let's do the following:

    Download Kaspersky Anti-Virus Personal 5.0 as it cleans this thoroughly + much of the crap that comes with it!! This version is a 30 day trial.

    You should print this out for reference!

    You must disable any AntiVirus programs you have installed

    Now install KAV 5.0

    When Installing, do the following as you come to them:

    Uncheck the Operate According to Recommended Settings Box

    Uncheck the Use Real-time Protection against Network Attacks Box

    Uncheck the Use The iStreams Technology Box

    Now, allow KAV 5.0 to download and install Updates. Then, look under Settings > Configure Updater and select Extended Database > OK > Check for Updates and allow those to install.

    Then, Click Settings > Configure On-Demand Scan Settings and Set Scan Level to Maximum > Perform Recommended Action > OK

    NOW, Close ALL Programs (including KAV 5.0) and Browsers!

    Physically Disconnect from the Internet - Pull the Cable!!

    Boot into SAFE MODE

    OPEN KAV 5.0


    Now: Start a FULL SYSTEM SCAN. Click the Protection Tab and select Scan My Computer.


    This process may take HOURS . . . . LET IT RUN!

    Close KAV 5.0 and reboot to Normal Windows and get a fresh HijackThis Log and let us know how things look!
     
  30. tblue

    tblue Corporal

    ok will do this evening....get back with ya tonight or in the morning.
    Thanks
    T.Blue
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Good Luck!:)

    Just to let you know, this probably will take some time but let it run.
     
  32. tblue

    tblue Corporal

    Another quick question...
    How big is that program? Wondering if I should burn it to a disk instead of trying to download it on her puter (dialup)
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    11.7 MB
     
  34. tblue

    tblue Corporal

    Dude Not Good,

    I had my mom download the Kaspersky program while I was at my boy's baseball practice. I disabled Avast. I then went to install it. I did the first two UNCHECK options that you said to, I never saw the third one. I think I might have screwed up the install when it said where it was gonna install the program I changed the location. I was thinking that I was downloading it so I changed it to my spyware folder. Anyways it still installed with no problems. When I tried to install updates everything went to crap. I kept getting errors, it would say it couldn't connect to get updates, everything got reaaaaaallllllllllllllllllllllllly slow. Task manager wouldn't work, the whole computer just shut down on me. On reboot it was really slow. I tried to uninstall Kas but I couldn't. Couldn't shut down normally, had to just hit the on/off button. Rebooted into safe mode and uninstalled Kas. It had me worried for a while. I then connected to the internet but it couldn't find home page or any page????? Everything seemed back to normal I guess after I uninstalled Kas except that the browser wouldn't find any pages. I ran spybot again, it found nothing. Also ran HJ, attached is the log. Did I screw it up by changing the install location????? I'm back at my house now, going to bring a laptop to mom's tomorrow evening in case I still can't connect with her computer. I know this is long...the inability to find a web page is probably something simple but uhhhhhh I'm a little simple minded sometimes....lol. Questions, comments or suggestions??????? I think all the processes we have running might have had something to do with it having a hard time rebooting???? jeez I don't know. I'll be able to work on it a lot more tomorrow evening if ya gonna be around
     


  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try to install KAV again, follow my steps exactly as they appear.
     
  36. tblue

    tblue Corporal

    That didn't work. It never gave me the option to
    Don't know if that has anything to do with anything.

    It can't connect to the internet to get its updates. So it won't run and once I try it really slows everything down. Had to boot into safe mode again to uninstall Kas.

    Don't know why the internet browsers (Firefox or IE) can't find any pages....That's what we need to figure out now...how to get back on the internet!!
     
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! This is the first problem I have ever experienced with KAV. Uninstall it and attach a current HJT log.
     
  38. tblue

    tblue Corporal

    Ok I'll post another one this evening. The one in post #34 is pretty current. The only thing that has happened since is I installed & uninstalled Kas??
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's a lot to read haha

    As of right now, what problems are you having, besides the startup error?
     
  40. tblue

    tblue Corporal

    It's really kinda running slow again. I have another error."missing toolbar I think aol.tool And the browsers not being able to find any web pages. I can connect to the internet (dialup) but can't find any pages. There should be a HJ log attached to that message #34
     
  41. tblue

    tblue Corporal

    The other error is aoltray.exe, missing shortcut
     
  42. tblue

    tblue Corporal

    Hey Man,
    The computer really seems to be running alright. Just can't find a web page and the two error messages persist. Here is the latest HJ log.
    Thanks,
    T.Blue
     


  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks clean!

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Look for anything relating to the startup errors. If found right click and delete it.

    Also, check the startup folder:

    Start > Programs > Startup

    Delete anything in this folder relating to the errors.

    If the error remains after doing the 2 steps above:

    Click Start > Run > Type in win.ini

    Towards the top of the document (generally line 3-4) you should see a run= line. Verify that nothing similar to the program that is loading at startup is after the run= line. If this line appears to contain a command line pointing to the program that you are experiencing the issue with, delete everything after run=

    Note: Make a backup of the win.ini file just to be safe.
     
  44. tblue

    tblue Corporal

    ok will do.......... I'll let ya know as soon as I do it.
    Thanks,
    T.Blue
     
  45. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay!
     
  46. tblue

    tblue Corporal

    Damn I feel like an idiot...how do you nav to that key in win 98se?????
     
  47. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in regedit

    Then, navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
  48. tblue

    tblue Corporal

    .

    Did not find anything in that key

    Found America Online 8.0 Tray Icon
    Deleted it

    After this tried to do a normal shutdown
    "Windows is shutting down" screen came up. Waited a couple of minutes...never shut down.....had to shut down via the on/off button...

    Scan disk then came up because windows shut down improperly
    After scan disk windows restarted...Csrss.exe error came up again

    Ran win.ini
    didn't see anything related to errors????
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let me ask a few questions:

    1) Have you searched in system.ini for a reference to csrss.exe?
    2) Have you searched all of the registry for csrss.exe? The Run key is not sufficient; there are more places to load from (RunOnce, RunServices etc.). Registrar Lite would be a better solution for this since it is so much faster than Regedit.
    3) Have you created a StartupListLog using HijackThis and checked through it?
    4) Have you looked to see what is in your config.sys and autoexec.bat files?
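
The checks listed in post #49, together with the win.ini load=/run= lines from post #43, can be run offline against copies of the startup files and a text export of the registry. The following is an added example, not part of the thread and not a diagnosis of this machine. The file contents and registry export are constructed samples, the function names are hypothetical, and the export is assumed to be in REGEDIT4 text format.

```python
import re

# Windows 9x INI entries that launch programs at startup: (file, section, key).
INI_AUTOSTART = {("win.ini", "windows", "load"), ("win.ini", "windows", "run"),
                 ("system.ini", "boot", "shell")}
# Registry keys whose values are executed at boot or logon.
RUN_KEY = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)$", re.I)
REG_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample contents (not taken from the thread's attached logs).
SAMPLE_FILES = {
    "win.ini": "[windows]\nload=\nrun=\nNullPort=None\n",
    "system.ini": "[boot]\nshell=Explorer.exe C:\\WINDOWS\\Csrss.exe\n",
    "autoexec.bat": "@ECHO OFF\nREM C:\\WINDOWS\\Csrss.exe\nSET PATH=C:\\WINDOWS\n",
    "config.sys": "DEVICE=C:\\WINDOWS\\HIMEM.SYS\n",
}
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Runtime Process"="C:\\WINDOWS\\Csrss.exe"
'''


def scan_ini(name, text, needle):
    """Yield (location, value) for autostart INI keys whose value mentions needle."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if (name, section, key.lower()) in INI_AUTOSTART and needle in value.lower():
                yield f"{name} [{section}] {key.lower()}=", value


def scan_batch(name, text, needle):
    """Yield (location, line) for non-comment lines of a batch/config file."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if needle in line.lower() and not line.lower().startswith(("rem ", "::")):
            yield f"{name} line {number}", line


def scan_reg_export(text, needle):
    """Yield (key\\value-name, data) for values under Run-type keys."""
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif RUN_KEY.search(key):
            match = REG_VALUE.match(line)
            if match:
                data = match.group(2).replace("\\\\", "\\")  # undo .reg escaping
                if needle in data.lower():
                    yield f"{key}\\{match.group(1)}", data


def find_references(files, reg_export, needle):
    """Return every autostart location that still points at the given file name."""
    needle = needle.lower()
    hits = []
    for name, text in files.items():
        scanner = scan_ini if name.lower().endswith(".ini") else scan_batch
        hits += scanner(name.lower(), text, needle)
    hits += scan_reg_export(reg_export, needle)
    return hits


if __name__ == "__main__":
    for where, value in find_references(SAMPLE_FILES, SAMPLE_REG, "csrss.exe"):
        print(f"{where}  ->  {value}")
```

Each hit names the file or registry key to clean; a "cannot find the file" message at boot means at least one such reference is still present after the file itself was deleted.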
     
  50. tblue

    tblue Corporal

    No Chas haven't done any of those things. But will do and post results.
    Thanks,
    T.Blue
     
