Jump to content


Photo

hijack by amazingautosearch


  • Please log in to reply
1 reply to this topic

#1 09876543210

09876543210

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 13 July 2004 - 04:31 PM

when launching ie it automatically has a bar on the bottom indicating that it comes from autoamazingsearch. I used spybot and ad-aware to try to get rid of this but it pops up when rebooting. Also used ie-spyad but still comes up after rebooting. have the hijack log for anyone who can help decode.

Logfile of HijackThis v1.97.7
Scan saved at 4:09:03 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\IntraPort Client\vpn5000service.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\STARTF~1\Extra Locks Film.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jennhanser\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautoss.../searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautoss.../searchbar.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {733BD26E-14DF-F4F7-7D12-B3E1928299CE} - C:\PROGRA~1\MEALDO~1\ISO NEW.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Rule Vc City - {DFF8BA30-23BB-DDE6-A7EA-298883F8582F} - C:\PROGRA~1\MEALDO~1\ISO NEW.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Mpegbolt] C:\PROGRA~1\STARTF~1\Extra Locks Film.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo...g-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.po...n-ob-assets.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {5CA42785-ABC3-11D2-9F81-00104B2225C5} (Immersion Web ActiveX Control) - http://www.immersion...gins/ImmWeb.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7930.5353009259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} (DocumentAccessor Class) - https://billmanager....loginHelper.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.aol.aoltw.net
O17 - HKLM\Software\..\Telephony: DomainName = ad.aol.aoltw.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.aol.aoltw.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.aol.aoltw.net

Edited by 09876543210, 13 July 2004 - 04:34 PM.


#2 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 13 July 2004 - 04:44 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautoss.../searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautoss.../searchbar.html

O2 - BHO: (no name) - {733BD26E-14DF-F4F7-7D12-B3E1928299CE} - C:\PROGRA~1\MEALDO~1\ISO NEW.dll

O3 - Toolbar: Rule Vc City - {DFF8BA30-23BB-DDE6-A7EA-298883F8582F} - C:\PROGRA~1\MEALDO~1\ISO NEW.dll

O4 - HKLM\..\Run: [Mpegbolt] C:\PROGRA~1\STARTF~1\Extra Locks Film.exe


Reboot and delete

folders
C:\PROGRA~1\STARTF~1
C:\PROGRA~1\MEALDO~1

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button