Hi, I have been asked by a friend to have a look at their laptop as they were having problems with it, it is Windows 98 Home edition SP3.
When it boots to desktop it is incredibly slow; I mean the mouse pointer moves about 10 seconds after you have actually moved it, making actually doing things nigh on impossible, and CPU usage seems high even though no processes are running in Task Manager.
The only thing I could find on there that sounded a bit fishy is something called bearshare which seemed to take over the web search toolbar in IE.
I booted the laptop into safe mode and it runs fine. I deleted all mentions of bearshare files and registry entries, installed Malwarebytes anti-malware and did a full scan which only found 1 problem item.
I then installed Avast free version but that for some reason wouldn’t open properly in safe mode. I also tried to install HijackThis but it won’t even let me install that; it just comes up with a message saying “The system administrator has set policies to prevent this installation”.
Any help or advice would be greatly appreciated, thanks.
Hi, try this small programme so that I can see what is on the system.
Download OTL to your Desktop
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U /s
CREATERESTOREPOINT
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs
I’m doing that now mate, takes an age on this laptop at the moment
It can be run from safe mode if that makes it any faster
:-[
At last.
If the :-[ is because you don’t know how to get into safe mode.
The normal method is to keep tapping away on the F8 key whilst booting. Unfortunately some notebooks may use alternative keys to get into safe mode, some may use F8 as normal, some the F2 key and some might use others.
You could check online: google your notebook (brand name) and how to boot into safe mode. See this example if you had an Acer notebook: http://www.google.co.uk/search?q=how+to+boot+into+safe+mode+acer+notebook.
EDIT: I see your scan finished OK then.
Yeah it was more of a “d’oh why didn’t I think of that” moment ;D
Not a great deal showing, I feel it may just be a lack of TLC… But, we will confirm that it is clean first.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - Reg Error: Value error. File not found
O3 - HKU\S-1-5-21-4057904701-3521791404-1003775009-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
[2006/05/30 15:58:10 | 000,589,824 | ---- | C] () -- C:\WINDOWS\AntiV.EXE
[2006/05/30 15:58:10 | 000,002,772 | ---- | C] () -- C:\WINDOWS\AntiV.INI
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
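As an added illustration (not part of the thread and not OTL's own code), the following Python parser reads the two OTL line formats used in the fix list above, the O2/O3 BHO and toolbar entries and the bracketed file entries, and flags the orphaned registry hooks and the files with an empty company field that the helper chose to remove. The sample lines are the entries quoted in the fix; the field meaning of the C/M marker is an assumption based on OTL's created/modified listing.

```python
import re
from dataclasses import dataclass

# Constructed sample: the OTL entries from the fix list above, same format as the log.
SAMPLE_OTL = (
    "O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.\n"
    "O2 - BHO: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - Reg Error: Value error. File not found\n"
    "O3 - HKLM\\..\\Toolbar: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - Reg Error: Value error. File not found\n"
    "[2006/05/30 15:58:10 | 000,589,824 | ---- | C] () -- C:\\WINDOWS\\AntiV.EXE\n"
    "[2006/05/30 15:58:10 | 000,002,772 | ---- | C] () -- C:\\WINDOWS\\AntiV.INI\n"
)

# "O2 - BHO: (name) - {CLSID} - status"  /  "O3 - HKLM\..\Toolbar: (name) - {CLSID} - status"
HOOK_RE = re.compile(r"^(O\d+) - (.+?): \((.*?)\) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# "[date time | size | attrs | C] (company) -- path"
FILE_RE = re.compile(r"^\[(\S+ \S+) \| ([\d,]+) \| (\S+) \| (\S+)\] \((.*?)\) -- (.*)$")

ORPHAN_MARKERS = ("No CLSID value found", "File not found")

@dataclass
class HookEntry:
    kind: str       # O2 = browser helper object, O3 = toolbar
    location: str   # e.g. "BHO" or "HKLM\..\Toolbar"
    name: str
    clsid: str
    status: str
    orphaned: bool  # registry entry points at a CLSID or file that no longer exists

@dataclass
class FileEntry:
    timestamp: str
    size: int
    attrs: str
    marker: str     # assumed: C = created, M = modified (OTL's listing marker)
    company: str
    path: str

def parse_otl(text):
    """Split OTL log text into hook entries and file entries; unknown lines are skipped."""
    hooks, files = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            kind, loc, name, clsid, status = m.groups()
            hooks.append(HookEntry(kind, loc, name, clsid, status,
                                   any(k in status for k in ORPHAN_MARKERS)))
            continue
        m = FILE_RE.match(line)
        if m:
            ts, size, attrs, marker, company, path = m.groups()
            files.append(FileEntry(ts, int(size.replace(",", "")), attrs, marker, company, path))
    return hooks, files

def orphaned_hooks(text):
    return [h for h in parse_otl(text)[0] if h.orphaned]

def unattributed_files(text):
    # Files with an empty company field (no version info), like AntiV.EXE above, deserve a closer look.
    return [f.path for f in parse_otl(text)[1] if not f.company]
```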
Thanks essexboy. Here’s the OTL quick scan result mate.
I do not think combofix will find anything of note, but better safe than sorry. Once I have seen that we will look at the speeding up aspect ;D
Thanks again, I will let you know what happens when combofix finishes (it’s been on the autoscan screen for over 30 mins now)
If the system is slow then that will have a knock on effect as Combofix scans all files
Still scanning (in safe mode).
Ok, I left it running all night and nothing seems to have happened. The blue autoscan box is on the screen but there are no signs of any progress.
Is it because I ran it in safe mode or shouldn’t it make any difference?
Thanks.
A few things may help you.
To get into safe mode press F8 during the boot cycle. It works on ALL computers that boot to Windows. This is a Windows Function not the Laptop. When you see F2 or F10 on start-up, these are coming from the COMPUTER BIOS. The BIOS then hands off control to the Operating SYSTEM (in this case windows). One of the first things Windows does while booting is check to see if F8 was pressed. So just start pressing when you see the First splash screen.
Second, your computer is most likely running slow due to spyware or malware. I say this because you mention Bearshare. Bearshare is a “FREE” peer to peer file sharing program. The program is used to share (pirate) music and movies. Music being the most common. Notice I said it was “FREE”. Nothing is FREE. Everything has its price. When Bearshare installed it AUTOMATICALLY installs other 3rd party software without your permission or knowledge. These 3rd party programs are the spyware and malware programs. The writers of these programs pay Bearshare money to be installed when the Bearshare program installs. These programs are now running on your machine and Bearshare got paid for it so now Bearshare wasn’t FREE. Most of these programs collect data and send it back to their servers. They start when your computer starts. You may notice the computer and net access being really slow during the first 10 minutes or so after start up. This is because all of those spyware programs are starting and trying to CHECK IN over the net at the same time. Then your computer becomes a little better as they all settle down into a normal routine. You would think you could just uninstall Bearshare. This would remove Bearshare from your system but NOT the 3rd party programs it installed! There will be no mention of these programs in the Add Remove section of Control Panel.
You need to run a spyware removal program. Problem is you said it was running Windows 98. ComboFix will not run on Win98. Nor will Win98 support AVG or SUPERAntiSpyware. You need to find an older version of an anti-spyware program to run. Or edit the registry yourself if you know how.
Hope this helps you…
Thanks for the reply, but I can already boot into safe mode and am running XP home SP3 as mentioned earlier, not Win 98.
Combofix is still on, tried to get task manager up but nothing happening. Can move the mouse pointer but nothing else responding.
No it should not make any difference at all
Stop the programme, in the next set of instructions ignore the AV part and go direct to the system analysis portion. You will need to upload the entire zip file to an online hosting site like mediafire, as this forum does not allow that type of attachment
Download AVPTool from Here to your desktop
Run the programme you have just downloaded to your desktop (it will be randomly named )
Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif
On completion click the link to locate the zip file to upload and attach to your next post
http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif
Thanks again mate. Here is the zip.
http://www.megaupload.com/?d=2HUK1KJS
The good news is I can see no apparent malware, so it looks as though it is a system problem and I suspect a driver incompatibility. We will now find out which one it is.
Step 1:
Start the System Configuration Utility
Click Start, click Run, type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.
Step 2:
Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.
Step 3: Log on to Windows
If you are prompted, log on to Windows.
When you receive the following message, click to select the Don’t show this message or launch the System Configuration Utility when Windows starts check box, and then click OK.
You have used the System Configuration Utility to make changes to the way Windows starts. The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts. Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility.
Now we get to the tedious part:
If windows behaves itself then do the following
Restart MSConfig and select half of the disabled services and reboot
Is the problem still present ?
If Yes then deselect half of the services that you resumed and reboot
If no then select half of the remaining services and reboot
The intention here is to isolate the one service/driver that is causing the problem
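The halving procedure described above is a binary search over the disabled services, and it needs roughly log2(n) reboots rather than n. This added Python model (not from the thread, and not an msconfig automation) shows the bookkeeping for the general case of any number of services, with the reboot-and-observe step replaced by a callback; the service names and the culprit in the demo are hypothetical and constructed.

```python
import math

def bisect_culprit(services, problem_present):
    """Find the single service whose re-enabling brings the slowdown back.

    services: names of the non-Microsoft services that were all disabled in msconfig.
    problem_present(enabled): callback standing in for "re-enable exactly these,
    reboot, and observe"; returns True when the problem is present.
    Assumes one culprit and that the problem is absent with everything disabled.
    Returns (culprit, number_of_reboots).
    """
    # Sanity check first: if the problem shows with nothing enabled, it is not a
    # service at all, and if it never shows with everything enabled, bisecting is pointless.
    if problem_present(set()):
        raise ValueError("problem present with all services disabled: not a service issue")
    if not problem_present(set(services)):
        raise ValueError("problem absent with all services enabled: nothing to bisect")
    reboots = 2
    candidates = list(services)
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        reboots += 1
        if problem_present(set(half)):
            candidates = half                    # culprit is among the re-enabled half
        else:
            candidates = candidates[len(half):]  # culprit is among the still-disabled half
    return candidates[0], reboots

def max_reboots(n):
    """Upper bound on reboots for n services: 2 sanity checks plus ceil(log2 n) halvings."""
    return 2 + math.ceil(math.log2(n)) if n > 1 else 2

def demo():
    # Constructed list of hypothetical third-party services; "SvcG" is the hypothetical culprit.
    services = ["SvcA", "SvcB", "SvcC", "SvcD", "SvcE", "SvcF", "SvcG", "SvcH", "SvcI", "SvcJ"]
    culprit = "SvcG"
    return bisect_culprit(services, lambda enabled: culprit in enabled)

if __name__ == "__main__":
    print(demo())
```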