Jump to content


Photo

Spybot S&D detects CleverIEHooker.Jeired


  • Please log in to reply
1 reply to this topic

#1 Bree

Bree

    Member

  • New Member
  • Pip
  • 1 posts

Posted 21 July 2004 - 11:49 AM

Thank you so much for any assistance you can offer. Here is my log file.

- Bree

Logfile of HijackThis v1.98.0
Scan saved at 9:37:51 AM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Deadline\bin\DeadlineLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp3\winampa.exe
C:\documents and settings\administrator\local settings\temp\ZBIO7kY.exe
C:\documents and settings\administrator\local settings\temp\Rl6.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\getst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\piadmod.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DF Render Node\DFRNode.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\OpenOffice.org1.1.1\program\soffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ESET\nod32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ftp://eyeon:jusdepomme@ftp.franticfilms.com/
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [DeadlineLauncher] C:\Deadline\bin\DeadlineLauncher.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ZBIO7kY.exe] C:\documents and settings\administrator\local settings\temp\ZBIO7kY.exe
O4 - HKLM\..\Run: [Rl6.exe] C:\documents and settings\administrator\local settings\temp\Rl6.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [x3tO3mj] getst.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [g02ERgH2j] piadmod.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: OpenOffice.org 1.1.1.lnk = C:\Program Files\OpenOffice.org1.1.1\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DF Render Node.lnk = C:\Program Files\DF Render Node\DFRNode.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark...en/AMClient.cab
O17 - HKLM\Software\..\Telephony: DomainName = rofer.la
O17 - HKLM\System\CCS\Services\Tcpip\..\{B098A610-FD42-4DCD-BC0C-07E4D112F122}: NameServer = 192.168.100.50,206.13.29.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rofer.la,private.wot
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rofer.la,private.wot
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rofer.la,private.wot
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

#2 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 21 July 2004 - 06:59 PM

Hi there,

I need you to do this first;

Go Start>Control Panel>Add/Remove Programs, Remove all instances of, if they are there,

TV Media
SEP


Next;

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

PLEASE READ THESE IN RED

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll


O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [DeadlineLauncher] C:\Deadline\bin\DeadlineLauncher.exe
O4 - HKLM\..\Run: [ZBIO7kY.exe] C:\documents and settings\administrator\local settings\temp\ZBIO7kY.exe
O4 - HKLM\..\Run: [Rl6.exe] C:\documents and settings\administrator\local settings\temp\Rl6.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [x3tO3mj] getst.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [g02ERgH2j] piadmod.exe<<Do you know of this? if so keep it, if not fix it


O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O17 - HKLM\Software\..\Telephony: DomainName = rofer.la<<Do you know of these? if so keep them, if not fix them.
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = rofer.la,private.wot<<<<
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = rofer.la,private.wot<<<<
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = rofer.la,private.wot<<<<


Restart your computer in
Safe Mode Also make sure you show hidden files Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show,


C:\documents and settings\administrator\local settings\temp\ZBIO7kY.exe<<<<File
C:\documents and settings\administrator\local settings\temp\Rl6.exe<<<<File
C:\WINDOWS\System32\IEHost.exe<<<<File
C:\WINDOWS\System32\getst.exe<<<<File
C:\WINDOWS\System32\ms.exe<<<<File
C:\Program Files\TV Media\TvmBho.dll<<<<Folder
C:\Program Files\SEP\sep.dll<<<<Folder
C:\Program Files\Common Files\midaddle\midaddle.dll<<<<Folder


Reboot, then post a fresh logfile so that I can check to see if it is clean.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button