Need help removing Search Assistant Toolbar

Discussion in 'adware, spyware & hijack cleaning' started by keith523, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. keith523

    keith523 Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    2
    So I was fixing my friend's laptop which had the famed BlazeMedia Search Assistant Toolbar that pops up on the start bar whenever you boot, and stops the loading of other programs that run on startup. I fixed that computer but a couple days later, the same malware ended up on my computer. The only problem is, I can't get rid of it.

    So far, I tried the same removal technique I used on the laptop which I heard other people used successfully, which is fixing the registry entry UserInit. (Deleting the corrupted UserInit with wsaupdater.exe as a value and renameing OldUserInit to UserInit) Then I deleted the wsaupdater.exe file from my system32 folder. Unfortunately, I still get the toolbar upon startup.

    Any ideas? I get a clean bill of health from Adaware 6 and my HJT Log is below. Thanks in advance for the help!

    Logfile of HijackThis v1.97.7
    Scan saved at 2:22:54 PM, on 7/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    D:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    D:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    D:\Program Files\Logitech\MouseWare\system\em_exec.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    D:\Program Files\iPod\bin\iPodService.exe
    D:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\WindowsSA\omniscient.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Keith\Application Data\Microsoft\Internet Explorer\Quick Launch\IEXPLORE.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Keith\Desktop\dl\Apps\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slickdeals.net/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [PVR Agent] D:\Program Files\V-Stream\PVR Plus\TVR\Scheduled.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
    O4 - Startup: G6 FTP Server 2.0 beta 6.lnk = D:\Program Files\G6 FTP Server\G6FTPSrv.exe
    O4 - Startup: SimpleServer.WWW (2).lnk = D:\Program Files\AnalogX\SimpleServer\WWW\http.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TV Remote Control.lnk = D:\Program Files\V-Stream Multimedia\TV878 Utilities\C7XRCtl.exe
    O4 - Global Startup: Wireless Configuration Utility.lnk = D:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.10\WlanCU.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
     
  2. keith523

    keith523 Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    2
    Update:
    I've noticed recently that when explorer restarts (and redraws the start bar) the search assistant toolbar comes back. Don't know if it helps. Thanks again.
     
Thread Status:
Not open for further replies.