180loader.exe attempting to access internet

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by good2z, May 20, 2004.

  1. good2z

    good2z Private E-2

    I got this message from my firewall--and I have loaded no new software lately. I am unable to find any reference to this specific program in any search engine. 180loader.exe is in C:\windows\ with today's date. However, I found a new folder with today's date, c:\windows\180solutions. I can only figure that this is a new spyware loader (probably added thanks to a teenage household member on my PC).

I did try to run the uninstall from the 180 solutions site, but it is looking for a different program which I have not found on my PC.

    Has anyone seen this?

    Thanks much for any hints or ideas.
     
  2. good2z

    good2z Private E-2

    I also found 180LOADER.EXE-3309FF43.pf with today's date in c:\windows\prefetch\
     
  3. good2z

    good2z Private E-2

    Thanks, robo. I had run spybot, and it reported a couple of small unrelated things which I deleted (and sidestep, which I use). I did try to run the uninstall from the 180 solutions site, but it was looking for files which I don't have.

    Maybe the 180loader.exe is the install file? Hmmm . . . but would it be trying to access the internet to install?

    I'll go ahead and delete it and the other 180 stuff. Sure wish I could find info on 180loader.exe to know exactly what it is, though.
     
  4. alanc

    alanc MajorGeek

First, turn off System Restore and reboot.

    Go to Control Panel > Add or Remove Programs and uninstall:
    180Solutions
    DownloadPlus
    CommonName

    if they are there.

    Is this the uninstaller you ran?
    http://www.n-case.com/ncaseuninstall.html
    If not, download and run it.

    Then please do all of this:
    Update them all before you scan.

    If you're still having problems after all of that here's info on manually removing 180Solutions:
    http://pestpatrol.com/pestinfo/other/180solutions.asp

    If that doesn't fix it post a HijackThis log.

    Enable System Restore again only after you know you're clean.
     
  5. good2z

    good2z Private E-2

    Okay - didn't find any of those programs in the add/remove software list.

    When running this installer http://www.n-case.com/ncaseuninstall.html , I got this error:
    "We're sorry, n-CASE could not be found in the proper registry startup location. Please do a search for msbb.exe on your hard drive and delete all copies that you find. Uninstall will then be complete."
    I searched for msbb.exe and did not find it.

    I updated adaware, cwshredder, and spybot, and ran them and removed a couple of minor things.

    I deleted the following:
    c:\windows\prefetch\180LOADER.EXE-3309FF43
    c:\windows\180solutions (empty folder)

    I deleted this from the registry:
    [HKEY_LOCAL_MACHINE\SOFTWARE\SurfAssistant.com]
    "CI"="BEB133E5-FD72-43b7-8AFF-681831CC72D9"
    "UT"="Thu May 20"
    "RI"="0"
    "EC"="101"
    "ID"="38f55c5d6cbb4efed831500b558464d9e411a3d0d46c89df"

    I deleted an n-case cookie.

    I did not find anything that is shown at this link - http://pestpatrol.com/pestinfo/other/180solutions.asp

    Here's my hijack this log:
    Logfile of HijackThis v1.97.7
    Scan saved at 10:36:40 PM, on 5/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blah..blah..blah
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://blah..blah..blah"); (C:\Documents and Settings\bb\Application Data\Mozilla\Profiles\default\mh1quuwn.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\xx\Application Data\Mozilla\Profiles\default\mh1quuwn.slt\prefs.js)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_1_1_0.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_1_0.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37571.2865509259
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab
    O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccommon/download/sonyctl.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2FCE6B9E-5CC4-4B0E-B233-F4EA858316C6}: NameServer = 207.69.188.186 207.69.188.185
    O17 - HKLM\System\CS3\Services\Tcpip\..\{2FCE6B9E-5CC4-4B0E-B233-F4EA858316C6}: NameServer = 207.69.188.186 207.69.188.185

Thanks very much for your help.
     
  6. alanc

    alanc MajorGeek

    Hmmm, this must be some brand new variant of 180Solutions, but it's still good that you did all that. I also couldn't find any info on 180loader.exe.

    Your HJT log is pretty (blah blah blah ;)) clean, but there are a few bad lines:
    O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll (as was pointed out above)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -

    Close everything but HJT and fix those lines.

    In these lines...
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://blah..blah..blah"); (C:\Documents and Settings\bb\Application Data\Mozilla\Profiles\default\mh1quuwn.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\xx\Application Data\Mozilla\Profiles\default\mh1quuwn.slt\prefs.js)


    ...do you know what this dir\file is?
    \mh1quuwn.slt\prefs.js
    Alphabet soup stuff like that is usually spyware, but I'm not familiar with Netscape, so it may be OK.

    Then reboot to Safe Mode and delete this file:
    C:\WINDOWS\wiesasp2.dll
    and that 180loader.exe file if you can find it anywhere on your drive.

    Regarding 180loader.exe, there may be reference(s) to it in your registry and your firewall program control setup that you may need to delete.

    Other than that I can't see anything else wrong...
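The two things alanc singled out in the log are an unnamed O2 BHO whose DLL lives directly in C:\WINDOWS (most legitimate BHOs sit under Program Files or System32) and O16 DPF entries with neither a name nor a download URL. The script below is an added example, not part of the thread or of HijackThis itself: it parses HijackThis v1.97-style O2 and O16 lines and applies exactly those two heuristics. The sample log text is constructed from lines posted above; the regular expressions and the `triage` function are my own and are a starting point for triage, not a verdict on any entry.

```python
import re

# Constructed sample in HijackThis v1.97 format, built from lines posted in
# the thread above (CLSIDs and paths as they appear there).
SAMPLE_LOG = """\
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar3.dll
O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\\WINDOWS\\wiesasp2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\System32\\msdxm.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O4 - HKLM\\..\\Run: [ccApp] C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
# O16 lines: "O16 - DPF: {CLSID} (<name>) - <url>"; name and url may be absent.
DPF_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$"
)

# Windows directory roots on the XP-era systems this log format comes from.
WINDOWS_ROOTS = ("c:\\windows\\", "c:\\winnt\\")


def is_windows_root(path):
    """True if the file sits directly in the Windows directory.

    Files under subdirectories such as System32 are not flagged; the
    heuristic only targets DLLs dropped straight into C:\\WINDOWS.
    """
    p = path.strip().lower()
    for root in WINDOWS_ROOTS:
        if p.startswith(root) and "\\" not in p[len(root):]:
            return True
    return False


def triage(log_text):
    """Return (line, reason) pairs for O2/O16 entries matching the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            if m["name"] == "(no name)" and is_windows_root(m["path"]):
                findings.append((line, "unnamed BHO loaded from the Windows directory"))
            continue
        m = DPF_RE.match(line)
        if m:
            if not m["name"] and not m["url"]:
                findings.append((line, "DPF entry with no name and no download URL"))
            continue
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {entry}")
```

Run against the constructed sample it reports exactly the three lines alanc told good2z to fix and stays quiet about the unnamed Google toolbar BHO, because that DLL lives under Program Files. Treat its output as a list of entries to look up, since a blank O16 entry can also be a harmless leftover from an uninstalled control.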
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Alan, I think that Netscape 7 stuff is okay. I have seen them use some crazy filenames like this on some systems before.
     
  8. alanc

    alanc MajorGeek

    Good, thanks for the input. I thought it might be OK, but I decided to bring it up since this problem is kinda strange.
     
  9. good2z

    good2z Private E-2

    Done. (Removed c:\windows\180loader.exe last night but brain too fuzzy to remember to type it in at the time.)

    The blah blah blah url is my yahoo! store. Not exactly sure of the info that they use to feed into it other than prefs that I've set. I use Netscape for some stuff and IE for some stuff just to keep it confusing.

    Thanks. I think my PC has a clean bill of health. For the moment, anyway.

    I really appreciate all of your help. Hope to be able to return the favor at some point.:D
     
