Passthrough Hijack

Discussion in 'adware, spyware & hijack cleaning' started by myles5, Apr 12, 2004.

Thread Status:
Not open for further replies.
  1. myles5 (Registered Member; joined Dec 17, 2003; 4 posts)

    I am getting jacked by a passthrough called amazingsearch. I have run Spybot, Ad-Aware, and HijackThis but still cannot figure out how it keeps coming back.
    Can someone help me, please?

    Logfile of HijackThis v1.97.7
    Scan saved at 9:20:21 AM, on 4/12/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\cidaemon.exe
    C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINNT\system32\Atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\FOURBL~1\driveremote.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\Program Files\Handspring\HOTSYNC.EXE
    E:\Program Files\Trillian\trillian.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
    C:\Program Files\UltraEdit\uedit32.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myacxiom/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [bowsdumb] C:\PROGRA~1\FOURBL~1\driveremote.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: Trillian.lnk = E:\Program Files\Trillian\trillian.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Shortcut to Microsoft Outlook.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: Contains -
    O16 - DPF: DownloadInformation -
    O16 - DPF: InstalledVersion -
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {037790A6-1576-11D6-903D-00105AABADD3} (Seagull Web-to-Host Control Module v3) - http://cwywem/bluezone/sglw2hcm.ocx
    O16 - DPF: {13991839-0420-11D5-BDA3-00A0C982BA51} (PDAnalyzeCtrl Class) - http://www.raxco.com/analyze/PDWeb.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19ABA587-AE2C-11D6-8130-00B0D091734E} (OrderDetails.ucUserControl1) - http://ibeoespval/OrderDetails.CAB
    O16 - DPF: {1E1BC012-AC2A-403F-AEE4-A32E1F18986C} (Logoff Class) - https://pwreset.corp.acxiom.net/psynch/docs/pslogoff.dll
    O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://acxicbt/cbtweb/english/cbtweb/AXClientUtil.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {328ABF59-AE29-11D6-8130-00B0D091734E} (StartOrder.ucStartOrder) - http://ibeoespval/StartOrder.CAB
    O16 - DPF: {45DD5759-24F7-41AB-9888-25910BF36709} (MDBrowser.ctlMDBrowser) - http://dca/tools/ocx/mdb/cab/MDB.CAB
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
    O16 - DPF: {70A274AD-3D87-4482-A724-152D61E6CB59} (SDM35.ctlSourceDataMapper) - http://dca/tools/ocx/sdm/SDM3.5.1.CAB
    O16 - DPF: {737B9254-AE47-11D6-8130-00B0D091734E} (Elements.frmElements) - http://ibeoespval/Elements.CAB
    O16 - DPF: {75AD299E-A37C-11D4-8556-00B0D01A8101} (SDM2.ctlSourceDataMapper) - http://dcadev/dcatools/sdm/SDM2.CAB
    O16 - DPF: {7CFA19EC-9B79-4BF4-8F7E-08DDB7532032} (OrderDetails.ucUserControl1) - http://ibeoespval/OrderDetails.CAB
    O16 - DPF: {856B62A5-AE3B-11D6-8130-00B0D091734E} (Validate.ucValidate) - http://ibeoespval/Validate.CAB
    O16 - DPF: {88E48871-88E6-4480-9921-F1EC4EB9AB74} (FileReadCtrl Class) - http://www.raxco.com/fileaccesstimer/WebTimedRead.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37418.3151273148
    O16 - DPF: {A4A39E83-AE3E-11D6-8130-00B0D091734E} (FinalizeOrder.ucFinalizeOrder) - http://ibeoespval/FinalizeOrder.CAB
    O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - http://directory/cabs/whip.cab
    O16 - DPF: {BA55D0C6-4923-417D-B892-31F6C877DFBE} (PackageInstallerControl.Installer) - http://ibeoespval/PackageInstallerControl1.0.0.3.CAB
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E45713A7-103E-4FE3-BC95-88A123178E8F} (Services.cls_Services) - http://dcadev/dcatools/Services/Services.CAB
    O16 - DPF: {F1AC7CFA-AE23-11D6-8130-00B0D091734E} (UserLogon.ucUserLogon) - http://ibeoespval/UserLogon.CAB
    O16 - DPF: {F91CD821-AED5-11D6-8130-00B0D091734E} (Components.ucComponents) - http://ibeoespval/Components.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Corp.Acxiom.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Corp.Acxiom.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Corp.Acxiom.net
     
  2. Pieter_Arntz (Spyware Veteran; joined Apr 27, 2002; 13,491 posts; Netherlands)

    Hi myles5,

    Check the following item in HijackThis.
    Close all windows except HijackThis and click Fix checked:
    O4 - HKLM\..\Run: [bowsdumb] C:\PROGRA~1\FOURBL~1\driveremote.exe

    Then reboot into safe mode and delete:
    C:\PROGRAM FILES\FOURBL~1 <= the entire folder that holds the file driveremote.exe

    Regards,

    Pieter
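
A way to triage the O4 autostart entries in a log like the one above, as an added example (Python; not HijackThis code and not Pieter's procedure, which stands on its own). It parses the O4 lines copied from the first post, flags the 8.3 short-name path that makes the bowsdumb entry stand out, and prints the manual equivalent of "Fix checked" for an O4 Run entry (deleting the value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run) followed by removal of the folder that holds the executable, which is what the advice above does by hand. The red-flag rules, the expansion of "HKLM\..\Run", and the %USERPROFILE% / %ALLUSERSPROFILE% Startup-folder paths (English Windows 2000 layout) are assumptions made for illustration.

```python
"""Triage O4 (autostart) lines from a HijackThis log and emit manual fix commands.

Added example for this thread; not HijackThis's own logic. The log excerpt is
copied from the post above; the heuristics and commands are illustrative.
"""
import re
from pathlib import PureWindowsPath

# Constructed input: the O4 lines from the posted HijackThis 1.97.7 log.
HJT_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bowsdumb] C:\PROGRA~1\FOURBL~1\driveremote.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - Startup: Trillian.lnk = E:\Program Files\Trillian\trillian.exe
"""

O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$')
O4_STARTUP = re.compile(r'^O4 - ((?:Global )?Startup): (.+?) = (.*)$')

# Assumption: what HijackThis's "HKLM\..\Run" / "HKCU\..\Run" abbreviation expands to.
RUN_KEYS = {
    "HKLM": r"HKLM\Software\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion",
}


def exe_path(command):
    """Executable part of a Run value: the quoted path, else text up to the first '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)(\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def parse_o4(log):
    """Return one dict per O4 line (registry Run values and Startup-folder links)."""
    entries = []
    for line in log.splitlines():
        m = O4_RUN.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append({"kind": "registry", "hive": hive, "key": key,
                            "name": name, "command": command, "path": exe_path(command)})
            continue
        m = O4_STARTUP.match(line)
        if m:
            folder, link, target = m.groups()
            entries.append({"kind": "startup", "hive": None, "key": folder,
                            "name": link, "command": target, "path": target.strip()})
    return entries


def flags(entry):
    """Illustrative red flags (assumed rules, not a HijackThis ruleset)."""
    out = []
    path = entry["path"]
    if re.search(r"~\d", path):               # C:\PROGRA~1\FOURBL~1\... style path
        out.append("8.3 short-name path")
    if "\\" not in path:                       # bare name, found via the PATH search order
        out.append("unqualified filename (resolved via PATH search)")
    return out


def removal_commands(entry):
    """Manual equivalent of 'Fix checked' for the entry; adds folder removal for 8.3 paths."""
    cmds = []
    if entry["kind"] == "registry":
        key = RUN_KEYS[entry["hive"]] + "\\" + entry["key"]
        cmds.append(f'reg delete "{key}" /v "{entry["name"]}" /f')
    else:
        # Assumption: English Windows 2000 profile layout.
        base = "%USERPROFILE%" if entry["key"] == "Startup" else "%ALLUSERSPROFILE%"
        cmds.append(f'del "{base}\\Start Menu\\Programs\\Startup\\{entry["name"]}"')
    if "8.3 short-name path" in flags(entry):
        folder = str(PureWindowsPath(entry["path"]).parent)
        cmds.append(f'rmdir /s /q "{folder}"')  # run from safe mode, as the thread advises
    return cmds


def triage(log):
    """Map each autostart name to its flags (empty list = nothing odd by these rules)."""
    return {e["name"]: flags(e) for e in parse_o4(log)}


if __name__ == "__main__":
    for e in parse_o4(HJT_LOG):
        f = flags(e)
        print(f'{"!!" if f else "  "} {e["key"]:15} [{e["name"]}] {e["path"]}  {", ".join(f)}')
        if "8.3 short-name path" in f:
            for c in removal_commands(e):
                print("     ->", c)
```

The unqualified-filename rule also trips on legitimate system entries such as mobsync.exe, so the output is a shortlist for a human reviewer, not a verdict; the 8.3 rule is the one that singles out bowsdumb in this log.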
     
  3. myles5 (Registered Member; joined Dec 17, 2003; 4 posts)

    Worked like a charm.
    Thanks, Pieter.
    This is the 3rd time y'all have bailed me out.
    Thanks.