It won't uninstall!

Old 07-31-04, 03:25 AM
  #1  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
It won't uninstall!

Hey, I have a program called "Search Assistant" on my computer and it won't uninstall through "Add or Remove Programs". When I click "Change/Remove" the screen just flashes once and the program remains. No results come up when I search, either. It's causing some problems with Internet Explorer so I'd really like to get rid of it. Any ideas?

Last edited by Li; 07-31-04 at 12:27 PM.
Old 07-31-04, 04:22 AM
  #2  
Suspended
 
Join Date: Mar 2003
Location: 5 Point West Side
Posts: 2,171
Likes: 0
Received 0 Likes on 0 Posts
Don't you just love crapware?

Well, if add/remove doesn't work, go into the directories and delete the folder manually. Then go into registry and delete the program from there as well.

Or, you can install the program again and use add/remove. Could be corrupted uninstall file in the current install.
Old 07-31-04, 09:37 AM
  #3  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
What operating System do you have?? Win 95, 98, ME, 2000, Xp or....??
Download and run the following tools:
Post your HiJack Log here and I will look at it!!!

CWShredder 1.59.1 (http://www.majorgeeks.com/download4086.html)
Adaware6.181 (http://www.download.com/3000-2144-10...age&tag=button)
(Run Adaware in Full Scan Mode as described at the bottom of the post)
HiJackThis 1.98 http://www.majorgeeks.com/download3155.html
Directions for HijackThis:
Run a scan, when the scan is finished the button will change to "save Log". Save the log to the hard drive. Open the log with notepad or any editor (make sure always open with is unchecked), copy and paste the contents here and I will look for anything suspicious.


ADWARE CONFIGURATION

1) ADAWARE 6.181
In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:

Scan within archives

Under Memory & Registry, Check EVERYTHING

In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:

Unload recognized processes during scanning

Include info about ignored objects in logfile, if detected in scan

Include basic Ad-aware settings in logfile

Include additional Ad-aware settings in logfile

Include used command line parameters in logfile


In Cleaning Engine:

XP/2000: Allow unloading explorer to unload shell extensions prior to deletion

Let Windows remove files in use at next reboot

UNCHECK: Automatically try to unregister objects prior to deletion


Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.
Old 07-31-04, 01:50 PM
  #4  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
Well, after doing all you suggested Shelby, while the program is still on the Add or Remove Program list, it doesn't seem to be affecting Internet Explorer like it was before. Thanks!


Also, there's also another problem I'm having that you might know how to fix. I've never had this happen before but somehow an ad was directly overlaid onto my desktop background and it won't go away! I actually was able to delete the image of the ad, but now it's just a white image instead of an ad. Any ideas?
Old 07-31-04, 07:52 PM
  #5  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
What Operating System? Please specify. Also post your hiJackThis log to confirm a clean system!

You can download TweakUI, it has the option in the "Control Panel" Applet in Win 98 to delete already removed programs in the Add/remove applet.
TweakUi for Win 95, 98, ME and 2000 (NOT XP) is version 1.33
TweakUi for XP (which is part of the powertoy collection)
NOTE: I don't see that option for the Xp version. I know there is a regedit version to remove the unwanted entry in the add/remove program list, though.
The manual method is:
Run the Registry Editor (REGEDIT.EXE).
Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, and remove any unwanted keys under "Uninstall."
CAUTION: Backup/export the key PRIOR to deleting any item!!!!


http://www.annoyances.org/exec/show/tweakui
Old 07-31-04, 07:54 PM
  #6  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by Li


Also, there's also another problem I'm having that you might know how to fix. I've never had this happen before but somehow an ad was directly overlaid onto my desktop background and it won't go away! I actually was able to delete the image of the ad, but now it's just a white image instead of an ad. Any ideas?
What was the name and/or location of the ad that you had deleted? It should still be in the recycle bin, look there if you don't remember.
Old 07-31-04, 09:59 PM
  #7  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by 68ShelbyGT500KR
What was the name and/or location of the ad that you had deleted? It should still be in the recycle bin, look there if you don't remember.

Well, it's been deleted entirely... under properties it said the address to the image was file://C:\WINDOWS\Web\desktop.html, so I went to that and deleted the contents and now it's just a white nothing.

Last edited by Li; 07-31-04 at 11:20 PM.
Old 07-31-04, 11:33 PM
  #8  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Try this:
Go to Control Panel, Display, then select the Desktop tab, then click the Customize Desktop button, then select the Web tab then highlight the 'Security' web page (or any other web page that is shown on your active desktop) then click the Delete button to get rid of it.

If Active Desktop is enabled, then uncheck "View my Active Desktop as a web page" and then click OK
Old 08-01-04, 01:15 AM
  #9  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
You, my good sir, are a genius. Your advice worked perfectly. Thank you very much!
Old 08-01-04, 01:19 AM
  #10  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
However, the damn Search Assistant is back.... It's impenetrable...
Old 08-01-04, 01:53 AM
  #11  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
Here's what comes up using HijackThis...

When I deleted it all the first time I ran it the program did go away, but something keeps regenerating it...

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SahAgent.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\iesx_xx0c.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\igmn20.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Program Files\SysAI\SysAI.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Shawn Nuckles\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [t3oX3qX] iesx_xx0c.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
Old 08-01-04, 07:03 AM
  #12  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Originally posted by Li
Here's what comes up using HijackThis...

When I deleted it all the first time I ran it the program did go away, but something keeps regenerating it...

Li,
There are some suspicious items in this PARTIAL log. I need the full log. Re-Run Hijack This and save the log to the hard drive. Open Notepad and click on "Edit">"Select All"
"Edit">"Copy"
Then Paste into this thread!
(Note: The top of the log will say the date, time, version of HJThis, OS and Browser. The bottom of the log generally goes into the <018> to <020>).


Thank You!
Old 08-01-04, 01:29 PM
  #13  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
Ok, I copied everything this time.


Logfile of HijackThis v1.98.0
Scan saved at 1:28:54 PM, on 8/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\iesx_xx0c.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Shawn Nuckles\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8B5D3A31-448B-4D14-99DD-2A2A4B2F578C} - C:\WINDOWS\System32\ieo.dll
O4 - HKLM\..\Run: [t3oX3qX] iesx_xx0c.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Filter: text/html - {C682F04F-1C1C-4E91-ADF7-9519E3A35129} - C:\WINDOWS\System32\ieo.dll
O18 - Filter: text/plain - {C682F04F-1C1C-4E91-ADF7-9519E3A35129} - C:\WINDOWS\System32\ieo.dll
Old 08-01-04, 02:11 PM
  #14  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Did you do anything between the 1st and 2nd Hijack Logs???? There are some items that had disappeared that I was targeting.


Make sure you have these items on your computer PRIOR to doing anything
Adaware6.181 (http://www.download.com/3000-2144-10...lpage&tag=button) {GET THE UPDATED DEFINITIONS PRIOR TO GOING TO SAFE MODE}
HiJackThis 1.98 http://www.majorgeeks.com/download3155.html
CWShredder 1.59.1 (http://www.majorgeeks.com/download4086.html)

Reboot to Safe-Mode either the F8 way or via msconfig.
To do it in msconfig:
Click on Start>Run>type in "msconfig" (Without the quotes) and click OK.
Click on the "Boot.ini" tab and Check the "/SAFEBOOT" option, and then click OK.
Reboot the system automatically into safemode

When in safe Mode

1)Keep all Browser Windows and programs closed.
2)Configure AdAware for FullScan mode as I posted in the first reply. Run Adaware. It can take a few minutes to finish. Delete anything it finds.
3)Run CWShredder and click on the "FIX" button. Let CWS scan the system
4)Run HiJackThis, let it fix the items listed below

C:\WINDOWS\System32\iesx_xx0c.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8B5D3A31-448B-4D14-99DD-2A2A4B2F578C} - C:\WINDOWS\System32\ieo.dll
O18 - Filter: text/html - {C682F04F-1C1C-4E91-ADF7-9519E3A35129} - C:\WINDOWS\System32\ieo.dll
O18 - Filter: text/plain - {C682F04F-1C1C-4E91-ADF7-9519E3A35129} - C:\WINDOWS\System32\ieo.dll

END OF HIJACKTHIS FIX


ReRun Hijackthis and confirm these items are not Listed.
IN SAFE MODE, Go back to Msconfig and uncheck the /Safeboot option and click ok. This will let Windows boot normally. Disregard msconfig IF you booted with the F8 option.

When back in "Normal" mode,
Run CWShredder and HiJackThis and post the contents of your log here.

Last edited by 68ShelbyGT500KR; 08-01-04 at 02:14 PM.
Old 08-01-04, 04:40 PM
  #15  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
Ok, I did everything! And this is what shows up now...

Logfile of HijackThis v1.98.0
Scan saved at 4:39:19 PM, on 8/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\iesx_xx0c.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Shawn Nuckles\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O4 - HKLM\..\Run: [t3oX3qX] iesx_xx0c.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
Old 08-01-04, 05:33 PM
  #16  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
God, it's back... Why must it haunt me so?
Old 08-01-04, 05:39 PM
  #17  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Bring up the task manager via CTRL ALT DEL and click on the "processes" tab, click where it says "image name" (this will sort alphabetically) and look for:
t3oX3qX or iesx_xx0c.exe
If either one appears in task manager, highlight the name and click the "end Process" button. Kills the process, then
Have HiJackThis fix these 2 items

C:\WINDOWS\System32\iesx_xx0c.exe
O4 - HKLM\..\Run: [t3oX3qX] iesx_xx0c.exe
(I missed them on the last Log)
Once you let HJT fix those 2 items, Re-Boot Normally and Run HijackThis Again to confirm that these entries are gone. If not, Go to safe mode and do the above.

EDIT: It could be back because I didn't "see" the 2 items that I want deleted. This is NOT a Windows File!!!!

Run a New HiJackThis Log in Normal mode, Not Safe Mode

Last edited by 68ShelbyGT500KR; 08-01-04 at 07:04 PM.
Old 08-01-04, 08:58 PM
  #18  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
Well, I deleted what you suggested in Safe Mode and, like always, it seemed to work. That is, until it came back all of a sudden. I've never come across anything so hard to get rid of! Anyway, here's what Hijackthis found, any other suggestions? By the way, thanks so much for the help with this!

Logfile of HijackThis v1.98.0
Scan saved at 8:54:33 PM, on 8/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Shawn Nuckles\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {86D05908-1B13-4B1A-9196-21D76F09642B} - C:\WINDOWS\System32\daoh.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Filter: text/html - {8D594D80-19B4-4C64-B144-6E59BEE7042C} - C:\WINDOWS\System32\daoh.dll
O18 - Filter: text/plain - {8D594D80-19B4-4C64-B144-6E59BEE7042C} - C:\WINDOWS\System32\daoh.dll
Old 08-01-04, 09:17 PM
  #19  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Some of these are a real pain to get rid of...Sorry for the delay...
Try this little app:
AboutBuster
http://www.atribune.org/downloads/AboutBuster.zip
Close Internet Explorer and Extract the contents of the zip file to a folder, click on the aboutbuster.exe, Click Start>Ok to start scanning.
Restart your computer and run it once more for good luck and to remove the rest of the objects that could still remain.
It should find/remove the "daoh.dll" files and references.
I have only used this once, which was a few minutes ago....
Post back with your results
Current Hijack Log also

Thanks
Old 08-01-04, 10:06 PM
  #20  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
EDIT:
I found this if "aboutblank" doesn't solve your problem.

Also Download reglite from this site:
http://www.securiteam.com/securityre...RP0L0UD5U.html

Last edited by 68ShelbyGT500KR; 08-01-04 at 10:18 PM.
Old 08-01-04, 11:19 PM
  #21  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
I used the AboutBuster and this is what it said:

-- Scan 1 --------
About:Buster Version 2.0
Removed! : C:\WINDOWS\System32\daoh.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 2.0
Attempted Clean Of Temp folder.
Pages Reset... Done!

It looks like it removed that file, and for now the program's not running.

EDIT: It's back...

Last edited by Li; 08-01-04 at 11:46 PM.
Old 08-01-04, 11:49 PM
  #22  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
I downloaded Reglite but I'm not sure what to do with it.
Old 08-02-04, 05:41 AM
  #23  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Likes: 0
Received 0 Likes on 0 Posts
Regeditlite is a program that will actually "show" you the hidden file that makes the hijacker come back. There are 2 files that need to be deleted (a hidden one and one that HijackThis will find)
Read the instructions with the link provided.
http://www.securiteam.com/securityre...RP0L0UD5U.html

Read the article. It shows you what to do. AboutBuster will delete the randomly named file and regeditlite will show and allow you to delete the Hidden file.
Basically you will navigate to the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs.


Here is the whole article:
Manual step-by-step:
If a persistent hijacker is not removed by the tools listed above, manual removal should be used.

To Remove "About:Blank" Hijacker Adware In Windows XP Home edition Service Pack 1 with Internet Explorer 6.0
(probably works in NT and 2000 with some directory name changes only) follow this procedure:

Programs Needed:
* Reglite.exe

* Microsoft Recovery Console (an application available on your Windows installation disc). To access the recovery console run the following command: D:\i386\winnt32.exe /cmdcons
(Where D should be replaced with the CD drive letter)

* HiJackThis.exe

Removal Procedure:
There are two application extensions (.dll) files that Need to be deleted. One is hidden (thanks Akadia!), one is detected with "HiJackThis.exe"

1) With "Reglite.exe" find name of hidden file:
Double Click on "AppInit_DLLs" located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\ The "value" window reveals the hidden file name. (mine was "hlpl.dll", yours may be different!)
In this example we'll call it "hidden.dll"
Browse to the file, right click it, select Properties. Under the General tab, uncheck Hidden and Read-Only. Select the Security tab and Check the 'Full control' check box to allow deleting it.
Try deleting the file (Shift + Del or right click and Delete) If it was impossible to delete the file, continue to step 2. Otherwise skip to step 3.

2) Rename the hidden file:
Close Windows and reboot using "Windows Recovery Console"
Browse to the system32 directory located at: C:\Windows\system32\
Replace this path with your system32 dir. In order to know your system32 run cmd and type:
echo %WINDIR%\System32

After finding your system32 directory do the following:
a) Change file from read only by typing attrib -r hidden.dll
b) Rename the file (For some reason this only works after rename) type: rename hidden.dll nasty.dll
(and remember that "hidden.dll" is for this explanation only use the name you found earlier)
Type "exit" and reboot to Windows.

3) Edit registry to remove hidden file:
Run "reglite.exe" again.
Double Click on "AppInit_DLLs" located in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\
Delete the file in "value" window, the "size" window changes also.
"Apply" changes and exit "reglite.exe"

4) Edit registry to remove the second file:
Run HiJackThis.exe and scan the registry.
Check the boxes to remove the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\System32\jheckb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP =
about:blank
(as you can see the second .dll in the example was called "jheckb.dll" yours may be different) For this example let's call it "obvious.dll".

* Note: As there are MANY variations to this hijacker, the registry entries might differ from the ones listed above. If the entries are different, look for entries containing the name of the second dll, in this example jheckb.dll.

Finally delete the two .dlls ("hidden.dll" and "obvious.dll")

That's it! You should be running again

By the way, if you go offline with Internet Explorer and type OK To these nasty adware windows you will see the guys who benefit from this hijacker.

Hope this explains the attempted removal for you. The reg key is why HijackThis is showing a different file each time

Last edited by 68ShelbyGT500KR; 08-02-04 at 05:43 AM.
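
The changing DLL name described in the post above can be seen by diffing two of the HijackThis logs posted earlier in the thread. This is an added example, not part of any post here and not HijackThis's own logic: the flagging rules are illustrative heuristics assumed for this sketch, and the sample lines are a constructed subset of the logs from posts #13 and #18.

```python
import re

# Constructed sample input: entry lines copied from the 1:28 PM and 8:54 PM
# logs in this thread, trimmed to the ones that matter for the comparison.
LOG_EARLY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {8B5D3A31-448B-4D14-99DD-2A2A4B2F578C} - C:\WINDOWS\System32\ieo.dll
O4 - HKLM\..\Run: [t3oX3qX] iesx_xx0c.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O18 - Filter: text/html - {C682F04F-1C1C-4E91-ADF7-9519E3A35129} - C:\WINDOWS\System32\ieo.dll
"""
LOG_LATE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAWNN~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {86D05908-1B13-4B1A-9196-21D76F09642B} - C:\WINDOWS\System32\daoh.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O18 - Filter: text/html - {8D594D80-19B4-4C64-B144-6E59BEE7042C} - C:\WINDOWS\System32\daoh.dll
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.+)$")


def parse_entries(log):
    """Return (section_code, body) for every HijackThis entry line."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]


def flag_entry(code, body):
    """Return a reason if the entry matches one of the assumed heuristics."""
    if code in ("R0", "R1"):
        value = body.rpartition(" = ")[2]
        if value.lower().startswith(("file://", "res://")):
            return "IE search setting points at a local file"
    elif code == "O2" and "(no name)" in body:
        return "unnamed Browser Helper Object"
    elif code == "O4":
        command = body.partition("] ")[2].strip('"')
        if "\\" not in command:
            return "Run entry with no directory path"
    elif code == "O18" and re.match(r"Filter: text/(html|plain) ", body):
        return "MIME filter hooked on HTML/plain-text content"
    return None


def flagged(log):
    """All entries in a log that match a heuristic, with the reason."""
    return [(code, body, why) for code, body in parse_entries(log)
            if (why := flag_entry(code, body))]


def helper_dlls(log):
    """Basenames of DLLs loaded through BHO (O2) or filter (O18) entries."""
    return {body.rsplit("\\", 1)[-1].lower()
            for code, body in parse_entries(log) if code in ("O2", "O18")}


def redirects(log):
    """Flagged R0/R1 entries, i.e. the hijacked search settings."""
    return {body for code, body, _ in flagged(log) if code in ("R0", "R1")}


def compare_scans(early, late):
    """Diff two scans: same redirect plus a renamed DLL means regeneration."""
    before, after = helper_dlls(early), helper_dlls(late)
    persisting = redirects(early) & redirects(late)
    return {
        "persisting_redirects": sorted(persisting),
        "dlls_gone": sorted(before - after),
        "dlls_new": sorted(after - before),
        # The redirect survives while the DLL is renamed: something outside
        # the listed entries re-creates it (the thread points at AppInit_DLLs).
        "regenerated": bool(persisting and before - after and after - before),
    }


if __name__ == "__main__":
    for code, body, why in flagged(LOG_LATE):
        print(f"{code:>3}  {why}: {body}")
    print(compare_scans(LOG_EARLY, LOG_LATE))
```

A `regenerated` result means fixing the listed entries alone will not hold, which matches what happened after each cleanup in this thread.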
Old 08-02-04, 01:14 PM
  #24  
DVD Talk Legend
 
Join Date: Jan 2001
Location: MA
Posts: 12,695
Received 10 Likes on 8 Posts
Have you tried this yet to remove Search Assistant?

Type the command in RUN box.

Regsvr32 /u C:\Windows\System32\omniband.dll
Old 08-02-04, 01:29 PM
  #25  
Li
Senior Member
Thread Starter
 
Join Date: Jul 2001
Location: Columbus, Ohio
Posts: 978
Likes: 0
Received 0 Likes on 0 Posts
I got stuck at the part that says:

"Browse to the file, right click it, select Properties. Under the General tab, uncheck Hidden and Read-Only. Select the Security tab and Check the 'Full control' check box to allow deleting it."

Those options don't appear to be under properties. Here's what does come up:

