Friday
2008-11-28, 19:20
The following instructions have been created to help you to get rid of "180Solutions.SearchAssistant" manually.
Use this guide at your own risk; dedicated software is usually better suited to removing malware, since it is able to look deeper.
If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).
Threat Details:
Categories:
spyware
Description:
Renaming the zanu.exe to searchassistant.exe causes the file to register itself as searchassistant in Systemstart. The boomerangg.exe is also installed in the Windows directory under a variable filename, and it is registered in Systemstart with this variable value. Boomerang.exe does not show up on screen. The user IS asked for consent prior to installation of searchassistant, but not for Boomerang.
Also, the searchassistant.exe has no option for shutting itself down. Since it is also in Systemstart, it will practically always run, and it will always look for updates on the 180Solutions server and install them without user consent.
Depending on the filename the searchassistant has, the behavior may differ a bit. Some variants do NOT ask for any consent and do NOT show any license agreement or privacy policy.
Some variants also do not install the Boomerang.exe.
Filename variants for the searchassistant.exe are:
zanu.exe
zango.exe
msbb.exe
sac.exe
sau.exe
bmrg.exe
saap.exe
180sa.exe
sahra.exe
180ax.exe
samds.exe
sain.exe
saip.exe
sahrb.exe
sahrc.exe
sahrd.exe
Supposed Functionality:
"180search Assistant" is a permission-based search assistant application that provides access to a wide range of websites, applications and information powered by 180solutions, Inc. ("180solutions"). This means that 180search Assistant will periodically direct you to our sponsors' websites. 180search Assistant will collect information about the websites you visit, but will not collect any information that will be used by 180solutions to identify you personally. The information that 180search Assistant collects and transmits to 180solutions will be used to provide you with access to comparative shopping opportunities at times when we consider them most relevant. 180search Assistant can be uninstalled at any time by going to the "Add/Remove Programs" menu on your computer and clicking the "Remove" button next to the entry or entries for 180search Assistant.
Privacy Statement:
Opt In Information. Occasionally, 180solutions may display additional questions to you, inviting you to opt in and supply information that may include demographic information. This demographic information may include, but is not limited to, your age, gender, geographic region and interests. This demographic information is linked to your Anonymous User ID, and is not connected or linked to information that will be used to identify you personally. Any answers you supply are covered by this privacy policy. 180solutions uses this information to learn more about its audience and may share this information with third parties. 180solutions also uses this demographic information to provide you with content and information most likely to be relevant to you.
IP Addresses. Your use of the 180search Assistant software will involve the transmission of your Internet protocol address ("IP Address") to 180solutions' servers. This IP Address is necessary for communication with you via the Internet and may be used and stored on our servers. With the cooperation of your Internet service provider, it is possible for your IP Address to be used to identify you personally, however, 180solutions agrees that it will not use it for this purpose, unless required to by law.
Third Party Collection. We may use other third party services to assist us in providing targeted websites to you. These services may place cookies on your hard drive and use the cookies to tailor delivery of these websites to you by profiling your use of a site or advertisements that you select. These services may collect information such as your IP address, your browser type and the date and time that targeted websites were served to you. You should refer to the websites and privacy policies of the services we use, which may include, but are not limited to: Doubleclick, 24/7 Connect, Fastclick, and Commission Junction. To learn about how they collect and use information visit
Removal Instructions:
Autorun:
Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.
Entries named "msbb" and pointing to "msbb.exe".
Files:
Please use Windows Explorer or another file manager of your choice to locate and delete these files.
A file with an unknown location named "more.bmp".
A file with an unknown location named "msbb.exe".
A file with an unknown location named "msbb_gdf.dat".
A file with an unknown location named "msbb_hpk.dat".
A file with an unknown location named "msbb_kyf_update.dat".
A file with an unknown location named "msbbau.dat".
Make sure you set your file manager to display hidden and system files. If 180Solutions.SearchAssistant uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!
Registry:
You can use regedit.exe (included in Windows) to locate and delete these registry entries.
Delete the registry key "msbb" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "{BCC48442-166E-2EE8-B2E9-0224A7F844F3}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "msbb" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
If 180Solutions.SearchAssistant uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
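The three checks above (autorun, files, registry) can be run as a read-only audit before anything is deleted. The following PowerShell script is an added example, not part of the original guide or of Spybot-S&D; it assumes the autorun entries live in the standard Run keys, which the guide does not state.

```powershell
# Added example: read-only audit for the indicators listed in this guide.
# It reports matches and deletes nothing.
$findings = @()

# Autorun entries named "msbb" or pointing to "msbb.exe".
# Assumption: the standard per-user and per-machine Run keys are checked.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($name -eq 'msbb' -or $data -match 'msbb\.exe') {
            $findings += [pscustomobject]@{
                Type = 'Autorun'; Location = $key; Detail = "$name = $data" }
        }
    }
}

# Registry keys named in the Registry section.
$regKeys = 'HKCU:\Software\msbb',
           'HKLM:\SOFTWARE\msbb',
           'Registry::HKEY_CLASSES_ROOT\CLSID\{BCC48442-166E-2EE8-B2E9-0224A7F844F3}'
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{
            Type = 'Registry'; Location = $key; Detail = 'key exists' }
    }
}

# Files from the Files section. Their location is unknown, so search the whole
# system drive; -Force includes hidden and system files.
$fileNames = 'more.bmp', 'msbb.exe', 'msbb_gdf.dat', 'msbb_hpk.dat',
             'msbb_kyf_update.dat', 'msbbau.dat'
Get-ChildItem -LiteralPath "$env:SystemDrive\" -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $fileNames -contains $_.Name } |
    ForEach-Object {
        # A name match alone is not proof; size and timestamp help manual review.
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $_.FullName
            Detail = "$($_.Length) bytes, modified $($_.LastWriteTime)" }
    }

$findings | Format-Table -AutoSize -Wrap
```

On 64-bit Windows, 32-bit programs are redirected to the Wow6432Node branch of HKEY_LOCAL_MACHINE\SOFTWARE, so run the script from a 32-bit PowerShell as well to cover that view.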
Final Words:
If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.