Crashing while on line

By hlratliff · 53 replies
Apr 5, 2009
  1. I am new to techspot and would welcome and invite any help. You may have to walk me through some of this, but I am a quick learner. While on line I have other windows opening up in minimized form. I have run adware, malware bytes, vundo fix and avast. Nothing seems to be helping. Now my sessions are crashing while on line. I ran hijack this and do not know what is good and what is bad. Can someone please help me? I am completely frustrated. Thank you so much, hlratliff
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Do the TechSpot 8 steps:

    Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).

    Most importantly update MalwareBytes (MBAM) and SuperAntiSpyware (SAS)!

    Before you scan with either MalwareBytes or SuperAntiSpyware, do the Extra Configs below; these have become most important lately.

    SuperAntispyware extra config

    After installed double-click the icon on your desktop to run it.

    Update the program definitions.

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure all boxes are checked except #3 Ignore System Restore:

    MalwareBytes extra config

    After update but before running
    Click settings and confirm all are Checked.

    I repeat Update these 2 programs.

    Run them and attach their logs.

    Do this correctly and we will make a short job of this!

  3. hlratliff

    hlratliff TS Rookie Topic Starter Posts: 45

    Thank you for your quick reply. I will do these 8 steps as soon as I get home from church. I don't have superantispyware. Where can I download this from? What are real time monitoring programs and how do I disable them?
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    The 8 Steps have it all!

  5. hlratliff

    hlratliff TS Rookie Topic Starter Posts: 45

    I forgot to ask. After running these things do I get rid of whatever they find?
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Perhaps you can just follow the steps here without all the extras:

    There are links on the above page to download the programs. When you have finished, attach all three logs here for review.

    When the cleaning is complete, you will be told how to remove the cleaning tools and old restore points.

    Regarding this:
    Both Malwarebytes and SuperAntispyware have a line for you to check for the removal of the malware found:

    In MBAM: "* Make sure that everything is checked, and click Remove Selected."
    In SAS: " * Make sure everything found has a checkmark next to it,then press 'Next'."

    In HijackThis, WE will instruct you in which items to remove.

    The instructions for Disabling Real Time monitoring are found here:

    This link is in Step 3. Please read the Steps first. You will then note that the information is all available to you there.
    Two of the most common Real Time processes are: Tea Timer from Spybot Search & Destroy, AdWatch from the paid AdAware. But there are others so please review them in Step 3.
  7. hlratliff

    hlratliff TS Rookie Topic Starter Posts: 45

    where do we go from here?

    I completed the 8 steps now what?! I have attached the logs.
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    hlratliff watch out that you don't report your own 1st post ;)
    Those buttons are very sensitive :)
  9. hlratliff

    hlratliff TS Rookie Topic Starter Posts: 45

    I have completed the 8 steps

    I am so sorry. I am new to all of this and I guess I have a lot to learn. Here are the attached logs.
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    OK good job!

    Run SAS again as it may find more. We need to see a clean log!

    ONLY after above do the below..

    Download ComboFix

    Get it here:
    Or here:

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.

    Download SDFix to Desktop.

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click to RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

  11. hlratliff

    hlratliff TS Rookie Topic Starter Posts: 45

    Attached is the current log. Do I run it again before I do combofix, etc.?

    It keeps saying that I need to rename combo fix. Help

    This is exactly what it says. You cannot rename ComboFix as ComboFix[1]. Please use another name, preferably made up of alphanumeric characters.

    Okay, I figured out combofix and completed it as well as sdfix. I have attached the log files you requested. Please let me know what we do next. Thank you, Hailey

  12. mflynn

    mflynn TS Rookie Posts: 2,655

    You should now have improvement with your posted issues. How is computer running now?

    OK looks good! But run MBAM after updating again in Quickscan mode. Minor issues but I always want to see a clean log?

    Rename ComboFix.exe to 12cbf34.exe and run it again also.

    Then the below will finish up hopefully.

    Go here Download DrWeb


    Boot to Safe Mode only! Not with Networking and run...

    DrWeb will first do an Express Scan on its own; when it completes, you should do a full scan.

    The first Virus it finds select Cure and it will use this as the default automatically for all the rest. What it can't fix will be Quarantined!

    This will take a while based on CPU and HD speed and size, but is worth it!

  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Let's get a grip on those Tracking Cookies:

    Reset Cookies:
    You have malware in the restore points, so DON'T do a System Restore. The old restore points will be removed at the end of the cleaning.

    Search and make sure this file is gone: qtwmci32.dll.
    Regarding the ComboFix renaming:
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it

    Again I add that AdWatch should be temporarily disabled before you do the scans:

    This needs to be removed: O8 - Extra context menu item: &Search - ?p=ZRfox000. It is part of MyWebSearch. The first SAS log shows MyWebSearch; hopefully you checked for removal. But this file got by and needs to be removed.
  14. hlratliff

    hlratliff TS Rookie Topic Starter Posts: 45

    Do I need to just run combofix again or actually download it again?
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    ReDownload and save as different name as Bobbye advised and run new name.

  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Try this ;)

    Un-install Combofix
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK
    • Any popup errors about Antivirus just ok or close
    Note #1: 1 space after ComboFix in that uninstall command
    Note #2: Substitute Combofix for whatever name was used if renamed

    Re-Download Combofix Instructions

    • Download Combofix to your desktop.
    • Rename ComboFix to ComboF
    • Double click ComboF & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
  17. hlratliff

    hlratliff TS Rookie Topic Starter Posts: 45

    Okay, I reloaded combofix and ran it again as well as MBAM. I took care of the cookies that Bobby suggested also. I ran Dr. Web and I got a little confused and deleted the 17 things it found instead of using the cure. I hope that was okay. I ran SAS again found some things, deleted and then ran again with clean results. Things seem to be much better with the exception that it takes my browser page a long time to load any thoughts. Thank you all so much for all your help! I couldn't have done any of this without you. Hailey

    I forgot to attach my logs.
  18. mflynn

    mflynn TS Rookie Posts: 2,655

    All should be OK with the DrWeb but post its log.

    For the Browser slow load.
    Open SAS Click Preferences-Repairs
    Then do the following Repairs

    Enable Windows Explorer options
    Internet Zone Security Reset
    Remove Explorer Policy Restrictions
    Remove Internet Explorer Policy Restrictions
    Remove WinOldApp policy restrictions
    Reset URL PreFixes
    Reset Web Settings
    Reset Winlogon Shell
    Reset ZoneMap Settings
    User Agent Post Platform Reset
    User Agent reset

    If you still have a Browser problem then we can continue with that but my closing below covers Temp and Registry cleanup so recheck the Browser issue again after that!

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt

    Save to desktop.

    This will remove all the tools we used to clean your computer.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet to allow all.

    If prompted to Reboot click, Yes.
    OTCleanit will delete itself when finished, If not delete it by yourself.

    Run CCleaner (if you did 8 Steps you already have this) (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner Temp and Registry, repeatedly until no more found.

    Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
    Run it click Analyze when it finishes click Clean.
    The issues can be, and likely are, found in System Restore, so do the below.

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    Add a redundant Reg backup: get and install ERUNT, let it add itself to startup and do a backup on install, check all boxes.

    Yes! Even if you use system restore and other backups Registry and Images.

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.
    Look at

    Run SpyBot occasionally and use the Immunize function.

    I highly recommend Hostman (especially for you HL due to the issues you had related to your hosts file): Hostman

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I don't know how much memory (RAM) you have but crashes can also come if you use it all up. How? By having too many programs startup when you boot, then running in the background. And then if you open other programs additionally, they will use more of the RAM.

    Here are some tips about common, unnecessary startups you have: NONE need to start when you boot:
    I'm leaving help for you to stop:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    Big resource user
    O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
    O4 - Startup: PowerReg Scheduler.exe
    Using msconfig to change Startup:
    Start> Run> msconfig> enter> Selective startup> Startup tab> UNCHECK the process you don't want to start on boot>> when finished checking all of those you don't want> Apply> OK

    NOTE: the first time you reboot after changing the Startup, you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    To change the Startup type for a related Service:
    Start> Run> services.msc> double click the Service>> if you are going to use this, set it to Manual> if you aren't going to use this> set it to Disabled.

    The following are browser helper objects and toolbars (O2 BHO, O3 Toolbar) loading when you boot. This takes time. Do you really "need" them?
    Yahoo! Toolbar Helper
    RealPlayer Download and Record Plugin for Internet Explorer
    Google Toolbar Helper
    Google Toolbar Notifier BHO
    Google Dictionary Compression sdch
    MSN Toolbar Helper
    Java(tm) Plug-In 2 SSV Helper
    SingleInstance Class
    MSN Toolbar
    Google Toolbar
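
Added example (not part of Bobbye's post and not HijackThis code): a small Python parser for the O4 autostart lines quoted in the post above, which splits each line into its source, program and arguments and reports programs that start from more than one location. The sample log repeats the post's own lines; the names `Autostart`, `parse_o4`, `parse_log` and `repeated_autostarts` are made up for this illustration.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional


class Autostart(NamedTuple):
    source: str           # registry key, or which Startup folder
    name: Optional[str]   # registry value name (None for Startup-folder items)
    exe: str              # program path or file name
    args: str             # command-line arguments, if any


# O4 - HKLM\..\Run: [ValueName] "C:\path\prog.exe" -args
REG_LINE = re.compile(r'^O4 - (HK\w+\\\.\.\\[^:]+): \[([^\]]*)\] (.+)$')
# O4 - [S-1-5-18 |.DEFAULT ]Startup: file (User 'name')
STARTUP_LINE = re.compile(r"^O4 - (?:(.+?) )?Startup: (.+?)(?: \(User '[^']*'\))?$")
PROGRAM = re.compile(r'(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(.*))?$', re.I)


def split_command(cmd):
    """Split an autostart command into (program, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                  # quoted path, may contain spaces
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = PROGRAM.match(cmd)                   # unquoted: cut after the extension
    return (m.group(1), m.group(2) or "") if m else (cmd, "")


def parse_o4(line):
    """Return an Autostart for one O4 line, or None for any other line."""
    line = line.strip()
    m = REG_LINE.match(line)
    if m:
        exe, args = split_command(m.group(3))
        return Autostart(m.group(1), m.group(2), exe, args)
    m = STARTUP_LINE.match(line)
    if m:
        scope = m.group(1)
        exe, args = split_command(m.group(2))
        return Autostart(f"{scope} Startup" if scope else "Startup", None, exe, args)
    return None


def parse_log(text):
    """Parse every O4 line in a log, skipping everything else."""
    return [e for e in map(parse_o4, text.splitlines()) if e is not None]


def repeated_autostarts(entries):
    """Programs that are launched from more than one autostart location."""
    seen = defaultdict(list)
    for e in entries:
        seen[e.exe.rsplit("\\", 1)[-1].lower()].append(e.source)
    return {image: sources for image, sources in seen.items() if len(sources) > 1}


# Sample input: the O4 lines from the post above, including its comment line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
Big resource user
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
"""

if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(f"{entry.source:20} {entry.name or '-':20} {entry.exe} {entry.args}")
    print(repeated_autostarts(parse_log(SAMPLE_LOG)))
```
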
  20. hlratliff

    hlratliff TS Rookie Topic Starter Posts: 45

    Mike, I am working on your latest set of instructions. I have run CCleaner several times and am running it again. I also did the registry, however I was unsure about whether or not to back up while it was fixing the problems so I chose no to the backup. I hope that's not a problem. With regard to javacoolsoftware, what do I need to do with that? Also do I need to download spybot and run that tonight also? Sorry to ask so many questions, but I'm not that knowledgeable when it comes to these kinds of things. Thanks, Hailey
  21. mflynn

    mflynn TS Rookie Posts: 2,655

    No need at this time to run CCleaner more than till it is clean or finds something it can not clean and if it does leave it! It is a good idea to backup as you clean.

    JavaCool download and install SpywareBlaster update and enable all protections.

    On Spybot is optional. Spybot is way behind MBAM and SAS, but just may find something that these 2 miss. But the Immunize feature is great and worth installing the program for alone. I still keep it myself.

    Ask questions that is why I am here!

  22. hlratliff

    hlratliff TS Rookie Topic Starter Posts: 45

    Okay, I've done everything on your list. I don't really know how to use Hostsman. Could you give me a little instruction? Thanks, Hailey

    I downloaded javacool and spywareblaster.

    I really need help with Bobbye's list. I'm kind of unsure how to even get started. I would like to be able to do all that he suggested but need simpler directions. Thanks, Hailey

    Okay, I worked with Bobbye's list. I never use Real Player so I decided to uninstall but it wouldn't let me because it said the uninstall wasn't there. How do you get around that? Does SAS need to be checked on the start up? Does Threat Fire need to be check on start up? Basically what, if anything, needs to be checked on your start up menu? I'm still having a problem with my web browser opening slowly. Thanks, Hailey
  23. mflynn

    mflynn TS Rookie Posts: 2,655

    I will answer tomorrow.



    EDIT: Using Hostman
    1st when it installs let it disable DNS Client.
    2nd after install double-click the Hostman icon in the System Tray to get the program on the screen, then click Hosts, then check for updates
    3rd make sure all 4 hosts boxes are checked then click Update and close it.

    Now you have blocked thousands of known Malware Virus Spam porn and other malicious sites!
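
Added example (not part of mflynn's post and not HostsMan code): a Python check that reads a hosts file and separates blocking entries, which point a name at loopback or 0.0.0.0 the way block lists do, from entries that send a name to some other address and deserve a closer look. The sample file is constructed, using example domains and a documentation-range IP, and the names `HostsAudit` and `audit_hosts` are made up for this illustration.

```python
import ipaddress
from typing import NamedTuple


class HostsAudit(NamedTuple):
    blocked: list      # names pointed at loopback or 0.0.0.0 (never reach the site)
    redirected: list   # (name, ip) pairs that resolve to some other address
    malformed: list    # (line number, text) not of the form "IP name [name ...]"


def audit_hosts(text):
    """Classify every entry of a hosts file given as text."""
    blocked, redirected, malformed = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, line))
            continue
        if len(fields) < 2:                      # an address with no name
            malformed.append((lineno, line))
            continue
        for name in fields[1:]:
            name = name.lower()
            if name == "localhost" and ip.is_loopback:
                continue                         # the normal default mapping
            if ip.is_loopback or ip.is_unspecified:
                blocked.append(name)
            else:
                redirected.append((name, str(ip)))
    return HostsAudit(blocked, redirected, malformed)


# Constructed sample hosts file.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net        # typical blocking entry
0.0.0.0         tracker.example.org
203.0.113.10    login.example.com      # resolves to a third-party address
ads2.example.net
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print("blocked:   ", result.blocked)
    print("redirected:", result.redirected)
    print("malformed: ", result.malformed)
```

On Windows the file to feed it is `%SystemRoot%\System32\drivers\etc\hosts`.
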

  24. hlratliff

    hlratliff TS Rookie Topic Starter Posts: 45

    Is avast adequate antivirus or would you suggest something else? Also, what can I do to speed up my web browser loading? I want to thank you for all your help, I am no longer getting those annoying web pages opening while i'm on line. Since I have super antispyware I uninstalled adware, is that okay?
  25. mflynn

    mflynn TS Rookie Posts: 2,655

    Avast is very good not worth switching especially in combo with Threatfire and Hostman.

    Ok on uninstalling Adaware.

    Just remember to run MBAM and SAS occasionally while working sleeping or watching TV!

    Ok for the slow loading. Actually these steps speed up everything.

    Clean and tweak services

    In services stop and disable all of the below just to get them out of the way for now for trouble shooting purposes.

    Nothing is un-installed or deleted only disabled from running!

    They can be put back anytime later but I would not, as none of them are needed by most home users and very few business users. Basically stuff M$ thought you should have.

    Disabled uses no memory (RAM) and no CPU cycles.
    Manual uses the RAM but a small amount of CPU.
    Auto and not started they use even more RAM and CPU.
    Auto and started even more RAM and CPU ..

    Now in this case we are disabling for trouble shooting purposes. But when we finish if you leave them all off until it is noticed that you need one (not likely for 99%) then it can be enabled.

    Leaving these all off, then becomes a performance tweak/boost as they free some RAM and CPU cycles! Special note. If you are going to pick and choose then be aware that the small amount of RAM and CPU cycles of each one individually is not significant but as a group it is! So if you need most of them (or just think you do because you don't) then just as well enable them all)!

    Distributed Link Tracking Client
    Distributed Transaction Coordinator
    DNS Client
    Fast User switching
    Health Key and Certificate Management Service
    Indexing service
    Net logon
    Net.TCP Port Sharing
    NetMeeting Remote Desktop Sharing
    IPsec services
    QoS RSVP
    Remote Registry
    Uninterruptable power supply
    Universal Plug and play
    Web Client
    Windows media player Network Sharing

    IF you are using a wired network card and "NOT" using wireless on this computer then you can
    also disable

    Wireless Zero configuration

    Wireless Zero configuration is only used on computers with a wireless NIC like a Laptop. Do not disable Wireless Zero configuration on a Laptop. Has nothing to do with other wireless hardware like wireless routers etc.

    In short if this computer has a CAT 5 or 6 cable and no ability to connect wirelessly if that cable is unplugged, then you can disable Wireless Zero configuration.

    This is not to be confused with Wired Auto Config do not disable that!

    The below procedure will do it all for you. Just remember do not agonize over this as nothing is removed or deleted, just stopped from loading/running.

    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

    @echo off
    sc config Alerter start= disabled
    sc stop Alerter
    sc config AeLookupSvc start= disabled
    sc stop AeLookupSvc
    sc config ClipBook start= disabled
    sc stop ClipBook
    sc config Dfs start= disabled
    sc stop Dfs
    sc config FastUserSwitchingCompatibility start= disabled
    sc stop FastUserSwitchingCompatibility
    sc config TrkWks start= disabled
    sc stop TrkWks
    sc config TrkSvr start= disabled
    sc stop TrkSvr
    sc config DNSCache start= disabled
    sc stop DNSCache
    sc config ERSvc start= disabled
    sc stop ERSvc
    sc config HidServ start= disabled
    sc stop HidServ
    sc config PolicyAgent start= disabled
    sc stop PolicyAgent
    sc config CiSvc start= disabled
    sc stop CiSvc
    sc config IsmServ start= disabled
    sc stop IsmServ
    sc config kdc start= disabled
    sc stop kdc
    sc config LicenseService start= disabled
    sc stop LicenseService
    sc config Messenger start= disabled
    sc stop Messenger
    sc config Netlogon start= disabled
    sc stop Netlogon
    sc config NetTcpPortSharing start= disabled
    sc stop NetTcpPortSharing
    sc config mnmsrvc start= disabled
    sc stop mnmsrvc
    sc config NetDDE start= disabled
    sc stop NetDDE
    sc config NetDDEdsdm start= disabled
    sc stop NetDDEdsdm
    sc config NtLmSsp start= disabled
    sc stop NtLmSsp
    sc config SysmonLog start= disabled
    sc stop SysmonLog
    sc config RSVP start= disabled
    sc stop RSVP
    sc config SSDPSRV start= disabled
    sc stop SSDPSRV
    sc config upnphost start= disabled
    sc stop upnphost
    sc config WMPNetworkSvc start= disabled
    sc stop WMPNetworkSvc
    sc config WmiApSrv start= disabled
    sc stop WmiApSrv
    sc config WmdmPmSN start= disabled
    sc stop WmdmPmSN
    sc config RemoteRegistry start= disabled
    sc stop RemoteRegistry
    sc config RemoteAccess start= disabled
    sc stop RemoteAccess
    sc config SCardSvr start= disabled
    sc stop SCardSvr
    sc config TlntSvr start= disabled
    sc stop TlntSvr
    sc config UPS start= disabled
    sc stop UPS
    sc config WebClient start= disabled
    sc stop WebClient
    sc config DNSCache start= disabled
    sc stop DNSCache
    rem These three are set back to automatic start and started
    sc config RpcSs start= auto
    sc start RpcSs
    sc config RpcLocator start= auto
    sc start RpcLocator
    sc config MSIServer start= auto
    sc start MSIServer

    Autoruns/Runscanner cleanup

    Make sure hidden files and folders are shown. Open Windows Explorer click Tools or View and then Folder Options-View.

    Choose Show hidden files and folders, uncheck Hide protected operating system files and click OK.

    Download install and run AutoRuns

    Run it let it scan, then when it says ready at bottom left corner, make sure the EVERYTHING Tab is selected and then click File at top and then Find.

    Type in the find box file not found and hit enter and delete all lines that have file not found.

    When you reach the bottom then go back to top and click the first entry under The Everything Tab (to begin the search from that point) and search again in case any were missed.

    This is a bunch of old stuff that M$ thought you might or would need that no longer exist, or for computers that are assumed to have SCSI or AMD processors but do not, or that you have Intel but do not!

    After the file not found search scroll back to the top and highlight the very first entry so you are searching from the top and click Find and search for anything you want, if needed.

    Then look carefully through all the Everything entries and delete anything that you may have had but uninstalled and thought were gone. If you are sure delete these also.


    Then get install and run:

    Click Scan computer
    Double click all Red lines to select, then click Item fixer and remove them.

    Then click Extra stuff again select all Red lines. Then click back to Malware hunting and Click the Item fixer again and remove these.

    Same as already said on AutoRuns: stuff that was assumed to be needed but you do not have.

    None of these items can run as the file is missing so most of the improvement you may see comes as a quicker startup as windows no longer searches or tries to load some of these. But some have noticed a faster shutdown also.

    Reboot and recheck with both AutoRuns and RunScanner.


    Specifically for IE, see if it helps your slow loading issue.

    Run IE without addons.
    Copy (don't change your original shortcut) an Internet explorer SHORTCUT name it IE no addons, then go into properties and add a space then -extoff to the end of the Target line.

    Should look like this. "C:\Program Files\Internet Explorer\iexplore.exe" -extoff

    This will run IE with all addons turned off. If no problem here then it is an addon that is the issue.

Topic Status:
Not open for further replies.
