
BBS not responding

Discussion in 'Security and Privacy' started by jbarker, 2004/04/18.

Thread Status:
Not open for further replies.
  1. 2004/04/18
    jbarker

    jbarker Inactive Thread Starter

    I am on another computer at present.

    My regular computer has funny things happening.

    1. I have good spyware programs, anti virus etc.

    2. Yet, when we run Windows BBS it comes up then locks up.
    A task manager check says the program is not responding.
    So, we ask for the task to be ended.
    It ends that entry but another Windows BBS pops back.
    It is a loop - end task - back -end task etc.
    However on this computer Windows BBS works fine.
    Anyone know what this is about ?

    3. A new task bar has appeared on Internet Explorer. Duplicate items so we don't need another one. It reduces the screen visibility. The task bar is called "SEARCHnow ".
    How do we eliminate that task bar ?

    4. Each time we log onto Windows BBS we get "spyware installed".
    It is called "blast". Is this a feature of the BBS ?

    5. When we request programs to be run the computer is slow - slow.
    So, what do you think we got.

    None of our spyware antivirus or trojan detect programs indicate a problem.

    This has just recently happened. Yes we do search the net a lot.
    Cannot identify where we picked up these problems.

    Thanks
     
  2. 2004/04/18
    noahdfear

    noahdfear Inactive

    Download HijackThis from the CWShredder link in my signature. Since you have another PC available, I'd suggest just putting it on a floppy then transfer to the ailing PC. Place it in a permanent folder. Open and hit scan, then save log. Once it is saved it will open in notepad. Select all from the edit button, copy and paste the results here. Don't fix anything with it yet! Someone experienced with the logs will tell you what/how to fix.
     


  4. 2004/04/19
    Arie

    Arie Administrator Administrator Staff

    No, obviously not.

    I suggest you run Windows Update, and get all the fixes!
     
  5. 2004/04/30
    jbarker

    jbarker Inactive Thread Starter

    That hijacker program ran good.

    Took some time - but finally found out the problem was a Trojan.

    Removed that - and back to normal.

    Thanks
     
  6. 2004/04/30
    noahdfear

    noahdfear Inactive

    You really should post a current log, unless you are experienced enough to know what all the log file shows, or posted it to another forum where someone experienced helped you. :)
     
  7. 2004/05/10
    jbarker

    jbarker Inactive Thread Starter

    Not Responding still a problem

    All Antivirus, Norton and on line scans show no virus.
    Ad-Ware and NoAdware programs show no spyware.
    Cleared all cookies, temp files, etc. with Windows and Tracks Eraser.

    Still hang up with that "Not Responding" thing.

    Here is the current Hijack list:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:24:52 AM, on 5/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\LWB\My Documents\My Music\Wav\MoreTwo\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: HyperBHO - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Startnow - {1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Reboot.exe
    O4 - Startup: Screen Shot.lnk = C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2814616bc80705814f15/netzip/RdxIE601.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.648599537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  8. 2004/05/10
    noahdfear

    noahdfear Inactive

    Scan with HJT again and fix these.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
    O2 - BHO: HyperBHO - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
    O3 - Toolbar: Startnow - {1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Reboot.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2814616...ip/RdxIE601.cab


    If there is a reboot.exe in the running processes of task manager, end task on it. Then search the drive, including hidden files and folders for that file and delete all found. If necessary boot to safe mode and delete.

    Follow the instructions here to manually unregister and remove all files and registry entries related to StartNow.HyperBar.

    Again, disable system restore, empty ALL Temp folders and Prefetch folder (C:\Windows\Prefetch). Finally, empty recycle bin and reboot. Post another log after trying things out and report behavior.
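
    An added example, not part of the original posts and not HijackThis's own code: one way to triage a log like the one above is to parse it by section code, collect the hosts that Internet Explorer's search settings point at, tie those hosts to BHO/toolbar modules by name, and list Startup-folder items that are bare files. The sample lines are copied from the log posted in this thread; the function names are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
O2 - BHO: HyperBHO - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Startnow - {1BC1FC4B-B0D2-4D8D-9307-2E40E2A8C257} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
O4 - Startup: Reboot.exe
O4 - Startup: Screen Shot.lnk = C:\Program Files\Parsons Technology\Screen Shot\Sshot.exe
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
MODULE = re.compile(r"^(BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")

def parse(log):
    """Group entries by HijackThis section code (R0, R1, O2, O3, O4, ...)."""
    sections = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def search_hosts(sections):
    """Map each host to the IE search settings (R0/R1) that point at it."""
    hosts = defaultdict(list)
    for body in sections.get("R0", []) + sections.get("R1", []):
        key, _, url = body.partition(" = ")
        host = urlparse(url.strip()).hostname
        if host and "search" in key.rsplit("\\", 1)[-1].lower():
            hosts[host].append(key)
    return hosts

def linked_modules(sections, host):
    """BHO/toolbar entries named after a label of `host`, plus entries sharing their DLL."""
    labels = set(host.lower().split("."))
    mods = [m.groups() for b in sections.get("O2", []) + sections.get("O3", []) if (m := MODULE.match(b))]
    dlls = {path.lower() for _, name, _, path in mods if name.lower() in labels}
    return [(kind, name, clsid) for kind, name, clsid, path in mods if path.lower() in dlls]

def bare_startup_files(sections):
    """Startup-folder items that are files themselves, not .lnk shortcuts with a target."""
    return [item for where, _, item in (b.partition(": ") for b in sections.get("O4", []))
            if where.endswith("Startup") and " = " not in item]
```

    The output is a review list for someone who reads these logs, not a verdict: each item still has to be checked before anything is fixed.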
     
  9. 2004/05/12
    Newt

    Newt Inactive

    Dave - curious about the recommendation to get rid of reboot.exe.

    From Here
    and similar info from a couple other sources.
     
  10. 2004/05/12
    noahdfear

    noahdfear Inactive

    Newt,

    From Top Cat's what is reboot.exe page,
    Should not be in use on this machine, if it's even the "real" reboot.exe. Also found references to this executable being used by trojans. Better safe than sorry ;)
     
  11. 2004/05/12
    Newt

    Newt Inactive

    Thanks Dave. Good to know.
     
  12. 2004/05/12
    noahdfear

    noahdfear Inactive

    Yep :)

    jbarker, how's it going?
     
  13. 2004/05/16
    Johanna

    Johanna Inactive Alumni

    Hey, Dave,
    I know my start up menu by heart, and was surprised to find "reboot.exe" as a new addition to my start up folder. It doesn't do anything- though it claims to be an application. How did it get there? What could it have piggybacked on? I deleted it, ran every scan known to man, everything seems fine, but I sure didn't put an ancient DOS program in my start up menu, and I can't find anything else out of the ordinary. Know any more about this?
    TIA
    Johanna
     
  14. 2004/05/16
    noahdfear

    noahdfear Inactive

    Hi Johanna,

    Sorry to say I can't find any 'good hard evidence' from any AV providers, or even any spyware/adware detection providers. I'm wondering if it's something new. Here's what I have found though.

    http://delltalk.us.dell.com/support...essage.id=11392&view=by_date_ascending&page=2

    http://forum.misec.net/board/Trojans/1072222157

    And a quote from another
    There are definitely some viruses (trojans) associated with this file, but they appear to run out of the C:\Windows folder. I did find one reference possibly linking it to a BIOS flash. I followed a lot of links to HijackThis logs and the 04-[Global Startup] reboot.exe entry was always recommended for removal. One thing is clear. It's a recent entry on YOUR machine, put there without your knowledge. Needs some more investigation! Check the properties for info. Do you have Power Archiver? It will show the contents. You can always mail me a copy too. Rename it to .old for now. Let's see what we can find out about it. ;)
     