Wilders Security Forums  

Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
 
 
#1
July 19th, 2004, 11:34 PM
novice
Infrequent Poster
Join Date: Jan 2004
Posts: 8
180search assistant

My computer stalls and then I get about 30 popups telling me that 180 search assistant needs to be reinstalled. I've tried uninstalling this program without success. I recently found suggestions from various places on the web, but they all suggest something different. If someone could help me figure out how to get rid of this, I would appreciate it. I'm at the point now where I'm tempted to give in and just install the software so I don't keep getting the popups. I've cut and pasted the suggestions that I gathered below, along with my hijack log. Thanks very much.

Suggestions from various places on web:

1) You may uninstall via the Add/Remove Programs in the Start Menu

Go to Start Menu
Under Settings select Control Panel
Select Add or Remove Programs
Click on Uninstall 180search Assistant
(If you are running an older version of our software, this will be named PAD Lookups by N-Case)
Select Remove and follow instructions until prompted with "You have successfully uninstalled 180search Assistant"

2) Can I uninstall 180search Assistant?

Yes you can uninstall 180search Assistant at any time. However, 180search Assistant makes money for our sponsored online publishers by showing you websites, offers, information and products that you are looking for when either searching or shopping online. Uninstalling 180search Assistant will prevent you from seeing products and offers that you might miss out on the next time you are searching or shopping online. Removing 180search Assistant may cripple software applications you like and use everyday.

Why do I have to download something to uninstall 180search Assistant and why do I have to be connected to the Internet?

It is necessary to download the 180search Assistant uninstaller because it is the cleanest and simplest way to ensure that 180search Assistant is completely uninstalled from your computer. Note that sometimes after you click "OK" in a dialog box telling you that you must be connected, that another browser window may open with further instructions.


3) My friends and I have found that those pop-outs for 180search re-installing are actually tasks in "Windows Task Manager". When we delete each pop-out, a corresponding task vanishes.
Then, we went to "regedit" and deleted their registration under the HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/currentversion/run/. Also, the execution files are all in C:/Windows/ and are deleted. After that, there is no pop-out after rebooting the computer.
In total, about 36 execution files (atav.exe, azobghyv.exe,...) are deleted. They are all 92 kBytes in size, and are all executed by the user once after Windows begins. They are all hidden files, too. I have tried to execute those files manually, and in about 5-10 mins the pop-out shows, so I think they should be the sources.

I am not quite sure whether we are doing the right things, and whether it is completely cleaned. Here is the new HJT log.

4) Manual Removal: Follow these steps to remove 180Solutions.com SurfAssistant from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
Stop Running Processes:

Kill these running processes with Task Manager:

poh.exe

Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:

systemroot+\system\saiemod.dll
systemroot+\system32\saiemod.dll

Clean Registry:

Remove these registry items (if present) with RegEdit:

HKEY_CLASSES_ROOT\clsid\{5dafd089-24b1-4c5e-bd42-8ca72550717b}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}
HKEY_LOCAL_MACHINE\clsid\{5dafd089-24b1-4c5e-bd42-8ca72550717b}
HKEY_LOCAL_MACHINE\software\180solutions\msbb\boom
HKEY_LOCAL_MACHINE\software\180solutions\msbb\did
HKEY_LOCAL_MACHINE\software\180solutions\msbb\duid
HKEY_LOCAL_MACHINE\software\180solutions\msbb\partner_id
HKEY_LOCAL_MACHINE\software\180solutions\msbb\product_id
HKEY_LOCAL_MACHINE\software\180solutions\msbb\smt
HKEY_LOCAL_MACHINE\software\classes\clsid\{5dafd089-24b1-4c5e-bd42-8ca72550717b}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

Remove Files:

Remove these files (if present) with Windows Explorer:

poh.exe
systemroot+\system\saiemod.dll
systemroot+\system32\saiemod.dll


5) The following instructions pertain to all Symantec antivirus products that support Expanded Threat detection.


Update the definitions.
Uninstall Adware.180Search using the Add/Remove Programs utility.
Run a full system scan and delete all the files detected as Adware.180Search.
Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To uninstall the Adware

Do one of the following:
On the Windows 98 taskbar:
Click Start > Settings > Control Panel.
In the Control Panel window, double-click Add/Remove Programs.


On the Windows Me taskbar:
Click Start > Settings > Control Panel.
In the Control Panel window, double-click Add/Remove Programs.
If you do not see the Add/Remove Programs icon, click "...view all Control Panel options."


On the Windows 2000 taskbar:
By default, Windows 2000 is set up the same as Windows 98, so follow the instructions for Windows 98. If otherwise, click Start, point to Settings > Control Panel, and then click Add/Remove Programs.


On the Windows XP taskbar:
Click Start > Control Panel.
In the Control Panel window, double-click Add or Remove Programs.


Click 180Search Assistant.


--------------------------------------------------------------------------------
Note: You may need to use the scroll bar to view the whole list.
--------------------------------------------------------------------------------


Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

3. To scan for and delete the files

Start your Symantec antivirus program, and then run a full system scan.
If any files are detected as Adware.180Search , click Delete.


--------------------------------------------------------------------------------
Notes:
If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.
If you ran the Add/Remove programs applet as described in the previous section, all the files may have been removed, and thus none of them will be detected.
--------------------------------------------------------------------------------

4. To delete the value from the registry



--------------------------------------------------------------------------------

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Note: This is done to make sure that all the keys are removed. They may not be there if the uninstaller removed them.


Click Start > Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)


Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"MSBB"=[Path to adware file]


Exit the Registry Editor.



HIJACK THIS LOG

Logfile of HijackThis v1.97.7
Scan saved at 10:33:57 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\DUMBBE~1\Build Four.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\wpwin9.exe
C:\Documents and Settings\Sheila\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthr....net/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Plangrid - {71FF9BD6-DF30-667A-5C7C-83E745BD0DAA} - C:\PROGRA~1\ONCEMF~1\BalmLite.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [axqn] C:\WINDOWS\axqn.exe
O4 - HKLM\..\Run: [glorklcx] C:\WINDOWS\glorklcx.exe
O4 - HKLM\..\Run: [xkzyrgx] C:\WINDOWS\xkzyrgx.exe
O4 - HKLM\..\Run: [Atom user] C:\PROGRA~1\DUMBBE~1\Build Four.exe
O4 - HKLM\..\Run: [qbizyfov] C:\WINDOWS\qbizyfov.exe
O4 - HKLM\..\Run: [cbyfazcz] C:\WINDOWS\cbyfazcz.exe
O4 - HKLM\..\Run: [bup] C:\WINDOWS\bup.exe
O4 - HKLM\..\Run: [lsp] C:\WINDOWS\lsp.exe
O4 - HKLM\..\Run: [fipytkb] C:\WINDOWS\fipytkb.exe
O4 - HKLM\..\Run: [ahgpyzwh] C:\WINDOWS\ahgpyzwh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.8148958333
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
#2
July 23rd, 2004, 01:12 PM
Gavin - DiamondCS
Former DCS Moderator
Join Date: Feb 2002
Location: Perth, Western Australia
Posts: 2,080
Re: 180search assistant

Hi,

Close all browser windows and tick these items
Then choose fix checked, reboot, and post a new log

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passth...t.net/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O3 - Toolbar: Plangrid - {71FF9BD6-DF30-667A-5C7C-83E745BD0DAA} - C:\PROGRA~1\ONCEMF~1\BalmLite.dll

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [axqn] C:\WINDOWS\axqn.exe
O4 - HKLM\..\Run: [glorklcx] C:\WINDOWS\glorklcx.exe
O4 - HKLM\..\Run: [xkzyrgx] C:\WINDOWS\xkzyrgx.exe
O4 - HKLM\..\Run: [Atom user] C:\PROGRA~1\DUMBBE~1\Build Four.exe
O4 - HKLM\..\Run: [qbizyfov] C:\WINDOWS\qbizyfov.exe
O4 - HKLM\..\Run: [cbyfazcz] C:\WINDOWS\cbyfazcz.exe
O4 - HKLM\..\Run: [bup] C:\WINDOWS\bup.exe
O4 - HKLM\..\Run: [lsp] C:\WINDOWS\lsp.exe
O4 - HKLM\..\Run: [fipytkb] C:\WINDOWS\fipytkb.exe
O4 - HKLM\..\Run: [ahgpyzwh] C:\WINDOWS\ahgpyzwh.exe
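
The startup entries in the fix list above share a pattern also described in the first post: a Run value whose name equals the file name of an executable sitting directly in C:\WINDOWS. The following is an added example, not part of any post in this thread and not HijackThis code; it parses O4 Run lines from a HijackThis log and flags entries with that pattern for review. The function names, the `WINDIR` constant and the sample excerpt are assumptions made for the illustration, and a match is a triage hint, not a verdict; entries such as WinTools or bridge.dll need other evidence.

```python
import re
from pathlib import PureWindowsPath

# Excerpt assembled from the O4 lines of the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [axqn] C:\WINDOWS\axqn.exe
O4 - HKLM\..\Run: [glorklcx] C:\WINDOWS\glorklcx.exe
O4 - HKLM\..\Run: [Atom user] C:\PROGRA~1\DUMBBE~1\Build Four.exe
O4 - HKLM\..\Run: [bup] C:\WINDOWS\bup.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Unquoted image path: shortest prefix ending in an executable extension.
IMAGE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE)
# First rundll32 argument: the DLL, optionally quoted, before ",EntryPoint".
DLL_ARG = re.compile(r'^"?([^",]+\.dll)"?(?:,|\s|$)', re.IGNORECASE)
# Assumption: default Windows XP install directory, as seen in the log.
WINDIR = PureWindowsPath(r"C:\WINDOWS")


def split_command(cmd):
    """Split a Run value into (image, arguments), handling quotes and spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    m = IMAGE.match(cmd)
    if m:
        return m.group(1), cmd[m.end():].strip()
    first, _, rest = cmd.partition(" ")
    return first, rest.strip()


def parse_o4(log_text):
    """Return one dict per O4 registry Run entry; other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        image, rest = split_command(m.group("cmd"))
        payload = image
        # For rundll32 the code that actually runs is the DLL argument.
        if PureWindowsPath(image).stem.lower() == "rundll32":
            d = DLL_ARG.match(rest)
            if d:
                payload = d.group(1)
        entries.append({"hive": m.group("hive"), "key": m.group("key"),
                        "name": m.group("name"), "image": image,
                        "payload": payload})
    return entries


def self_named_in_windir(entry):
    """True when the file sits directly in WINDIR and is named like its value."""
    p = PureWindowsPath(entry["payload"])  # Windows paths compare case-insensitively
    return p.parent == WINDIR and p.stem.lower() == entry["name"].lower()


def triage(log_text):
    """Names of Run values worth a closer look under the heuristic above."""
    return [e["name"] for e in parse_o4(log_text) if self_named_in_windir(e)]


if __name__ == "__main__":
    for name in triage(SAMPLE_LOG):
        print("review:", name)
```
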
#3
July 24th, 2004, 08:08 AM
novice
Infrequent Poster
Join Date: Jan 2004
Posts: 8
Re: 180search assistant

Here is my new log. I do not get 180search assistance, but there is trouble opening internet explorer. It takes a long time and I get some error messages and eventually I get a notice that the page cannot be opened. At that point, I can enter a specific internet address (or click on a favorite) and I can go to a specific web page. Is there a way that, when I click on the internet explorer icon on my desktop, I can go to the Comcast homepage? Thanks very much. Novice.

Logfile of HijackThis v1.97.7
Scan saved at 7:05:19 AM, on 7/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\DUMBBE~1\Build Four.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Documents and Settings\Sheila\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthr...://about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.8148958333
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

Last edited by novice : July 25th, 2004 at 12:04 PM.
#4
July 30th, 2004, 10:42 PM
Taz71498
Spyware Expert
Join Date: May 2004
Location: USA
Posts: 674
Re: 180search assistant

Hello,

Reboot the computer into safe mode

Run HijackThis again, check these items, and then click on Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passth...p://about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/p...im/install.cab

Because XP will not always show you hidden files and folders by default, reset your search settings first.

Open Folder Options>view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

Find and delete these files/folders:

C:\WINDOWS\wt

Reboot and run HJT again and post a new log here.
 
