Passthrough Hijack

Discussion in 'adware, spyware & hijack cleaning' started by myles5, Apr 12, 2004.

Thread Status:
Not open for further replies.
  1. myles5

    myles5 Registered Member

    Joined:
    Dec 17, 2003
    Posts:
    4
    I am getting jacked by a passthrough called amazingsearch. I have ran spybot, adaware, and hijackthis but still can not figure out how it keeps coming back.
    Can someone help me please.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:20:21 AM, on 4/12/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\cidaemon.exe
    C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINNT\system32\Atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\FOURBL~1\driveremote.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\Program Files\Handspring\HOTSYNC.EXE
    E:\Program Files\Trillian\trillian.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
    C:\Program Files\UltraEdit\uedit32.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myacxiom/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [bowsdumb] C:\PROGRA~1\FOURBL~1\driveremote.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: Trillian.lnk = E:\Program Files\Trillian\trillian.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Shortcut to Microsoft Outlook.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: Contains -
    O16 - DPF: DownloadInformation -
    O16 - DPF: InstalledVersion -
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {037790A6-1576-11D6-903D-00105AABADD3} (Seagull Web-to-Host Control Module v3) - http://cwywem/bluezone/sglw2hcm.ocx
    O16 - DPF: {13991839-0420-11D5-BDA3-00A0C982BA51} (PDAnalyzeCtrl Class) - http://www.raxco.com/analyze/PDWeb.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19ABA587-AE2C-11D6-8130-00B0D091734E} (OrderDetails.ucUserControl1) - http://ibeoespval/OrderDetails.CAB
    O16 - DPF: {1E1BC012-AC2A-403F-AEE4-A32E1F18986C} (Logoff Class) - https://pwreset.corp.acxiom.net/psynch/docs/pslogoff.dll
    O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://acxicbt/cbtweb/english/cbtweb/AXClientUtil.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {328ABF59-AE29-11D6-8130-00B0D091734E} (StartOrder.ucStartOrder) - http://ibeoespval/StartOrder.CAB
    O16 - DPF: {45DD5759-24F7-41AB-9888-25910BF36709} (MDBrowser.ctlMDBrowser) - http://dca/tools/ocx/mdb/cab/MDB.CAB
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
    O16 - DPF: {70A274AD-3D87-4482-A724-152D61E6CB59} (SDM35.ctlSourceDataMapper) - http://dca/tools/ocx/sdm/SDM3.5.1.CAB
    O16 - DPF: {737B9254-AE47-11D6-8130-00B0D091734E} (Elements.frmElements) - http://ibeoespval/Elements.CAB
    O16 - DPF: {75AD299E-A37C-11D4-8556-00B0D01A8101} (SDM2.ctlSourceDataMapper) - http://dcadev/dcatools/sdm/SDM2.CAB
    O16 - DPF: {7CFA19EC-9B79-4BF4-8F7E-08DDB7532032} (OrderDetails.ucUserControl1) - http://ibeoespval/OrderDetails.CAB
    O16 - DPF: {856B62A5-AE3B-11D6-8130-00B0D091734E} (Validate.ucValidate) - http://ibeoespval/Validate.CAB
    O16 - DPF: {88E48871-88E6-4480-9921-F1EC4EB9AB74} (FileReadCtrl Class) - http://www.raxco.com/fileaccesstimer/WebTimedRead.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37418.3151273148
    O16 - DPF: {A4A39E83-AE3E-11D6-8130-00B0D091734E} (FinalizeOrder.ucFinalizeOrder) - http://ibeoespval/FinalizeOrder.CAB
    O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - http://directory/cabs/whip.cab
    O16 - DPF: {BA55D0C6-4923-417D-B892-31F6C877DFBE} (PackageInstallerControl.Installer) - http://ibeoespval/PackageInstallerControl1.0.0.3.CAB
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {E45713A7-103E-4FE3-BC95-88A123178E8F} (Services.cls_Services) - http://dcadev/dcatools/Services/Services.CAB
    O16 - DPF: {F1AC7CFA-AE23-11D6-8130-00B0D091734E} (UserLogon.ucUserLogon) - http://ibeoespval/UserLogon.CAB
    O16 - DPF: {F91CD821-AED5-11D6-8130-00B0D091734E} (Components.ucComponents) - http://ibeoespval/Components.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Corp.Acxiom.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Corp.Acxiom.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Corp.Acxiom.net
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi myles5,

    Check the following item in HijackThis.
    Close all windows except HijackThis and click Fix checked:
    O4 - HKLM\..\Run: [bowsdumb] C:\PROGRA~1\FOURBL~1\driveremote.exe

    Then reboot into safe mode and delete:
    C:\PROGRAM FILES\FOURBL~1 <= the entire folder that holds the file driveremote.exe

    Regards,

    Pieter
     
  3. myles5

    myles5 Registered Member

    Joined:
    Dec 17, 2003
    Posts:
    4
    Worked like a charm.
    thanks Pieter........
    This is the 3rd time ya'll have bailed me out.
    thanks............


     
Thread Status:
Not open for further replies.