drwizgeek

CleverIEhooker.jeird and others HJT log

6 posts in this topic

Please help me clean up my tennis partner's laptop. I have run Spybot and Ad-Aware and cleaned up as much as possible. Here is my HJT log of the remaining spyware. CleverIEhooker.jeird and DealHelper are especially troublesome. Please help me identify and fix all the "bad guys." His internal modem is not working (Error 633, modem or connecting device cannot be opened ...) any more. You are all providing a great service; we both appreciate your assistance on this problem ASAP.

Thanks!
Logfile of HijackThis v1.97.7
Scan saved at 2:20:57 PM, on 6/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskmgr.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [oqoook] C:\WINDOWS\pyjpl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [omsvcsc] C:\WINDOWS\System32\omsvcsc.exe
O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://meridianlink.webex.com/client/lates...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0755FB32-5B5A-4559-8B3D-8E87C8E433E8}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F82F46B0-05D6-4194-B5E2-8759B9C78EBD}: NameServer = 192.168.10.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0755FB32-5B5A-4559-8B3D-8E87C8E433E8}: NameServer = 192.168.10.1


Hi drwizgeek-

Run both of these programs in safe mode. You may need to download them and place them on the other machine if you don't have internet access. You want to make sure you have the latest versions of both.

First run Spybot S&D. You can get it here-

Spybot

Unzip, and update. Install the updates and run. Delete all that it marks in red.

Or --(It’s a good idea to run both)

Ad-Aware

Install and update by using the globe icon. Restart your computer and run Ad-Aware.

Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

 

After rebooting make sure all browsers are closed and rerun HJT. Check and click fix checked for the following-

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [oqoook] C:\WINDOWS\pyjpl.exe
O4 - HKLM\..\Run: [omsvcsc] C:\WINDOWS\System32\omsvcsc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab

Restart your computer in safe mode and delete-

c:\installer\id53.exe <=File
C:\WINDOWS\pyjpl.exe <=File
C:\Program Files\TV Media <=Folder

Find this one and post its properties-

C:\WINDOWS\System32\omsvcsc.exe

You need to make sure your O17 entry leads to your school, company or ISP too.

Edited by OlTramp

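As an added example (not part of this thread or of HijackThis), the triage the helper did by eye, written as Python over HJT-style lines: orphaned hooks and BHOs with no file on disk, autostart binaries outside Program Files that are not on an allowlist, and O17 name servers other than the expected one. The allowlist, the expected DNS set and the 203.0.113.5 sample address are constructed assumptions, and the sample log is a shortened copy of the one posted above.

```python
import re

# Constructed sample in the format of the HJT log posted above. The last O17
# line (203.0.113.5, a documentation-range address) is invented to exercise
# the DNS check and did not appear in the real log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [oqoook] C:\WINDOWS\pyjpl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0755FB32-5B5A-4559-8B3D-8E87C8E433E8}: NameServer = 192.168.10.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0755FB32-5B5A-4559-8B3D-8E87C8E433E8}: NameServer = 203.0.113.5
"""
# Assumed allowlist of autostart binaries that legitimately live under
# C:\WINDOWS on this laptop; build it from vendor documentation, not the log.
KNOWN_GOOD_STEMS = {"hkcmd", "cepmtray"}
# The LAN router the posted O17 entries point at; anything else needs a reason.
EXPECTED_DNS = {"192.168.10.1"}

O4_RE = re.compile(
    r'^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?\.exe)"?', re.I)
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<ips>[\d.,\s]+)$")


def triage(log, known_good=KNOWN_GOOD_STEMS, expected_dns=EXPECTED_DNS):
    """Return (entry, reason) pairs for HJT entries that deserve a second look."""
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        if not line:
            continue
        if line.endswith("(no file)"):
            # CLSID still registered but its DLL is gone: leftover, clean it up.
            findings.append((line, "orphaned entry (no file on disk)"))
            continue
        m = O4_RE.match(line)
        if m:
            path = m.group("path")
            stem = path.rsplit("\\", 1)[-1].lower()[:-4]  # drop ".exe"
            if "\\program files\\" not in path.lower() and stem not in known_good:
                findings.append((line, "autostart binary outside Program Files, not on allowlist"))
            continue
        m = O17_RE.match(line)
        if m:
            for ip in (p.strip() for p in m.group("ips").split(",")):
                if ip not in expected_dns:
                    findings.append((line, f"unexpected DNS server {ip}"))
    return findings
```

Run against the sample it flags the two no-file entries, pyjpl.exe and id53.exe, and the invented name server, while hkcmd.exe and ccApp.exe pass.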

Hello OlTramp:

Thank you very much for your precise instructions on how to proceed. Even though I had installed and run Spybot S&D and Ad-Aware exactly as you advised, I repeated the process again and found CleverIEHooker and DSO exploit again with Spybot and a few more with Ad-Aware. I cleaned them all up. I knew that DSO was probably flagged again due to a bug in the Spybot code. But CleverIEHooker is a pesky animal.

Then, I rebooted in normal mode, made sure all browsers were closed, and reran HJT. I checked all the items you listed above and clicked "fix checked" for all of them. Next, I restarted the computer in safe mode and deleted the only item that I could find: C:\Program Files\TV Media <=Folder. I think the rest had already been cleaned up by my previous scans.

Since I remembered that I had unchecked a few startup items that I knew were malware, I started the computer in normal mode, checked them all back in and repeated the whole process. I checked these new malware items, clicked "fix checked" for all of them, and rebooted.

The good news is that all are gone, including CleverIEHooker! I think even IE has been restored now, based on the HJT scan! I cannot post the log because I can't go online on my friend's PC (his modem is still giving error 633). But I carefully examined it; everything looks fine except these new ones that I am not sure about:

R 1 - HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL=http://www.toshiba.com

R 09 - Extra button: Real.com (HKLM)

R 014 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

My hunch is that R 1 and R 014 confirm that IE has been restored and defaults to toshiba.com. R 09 looks suspicious to me.

Please let me know what you think and whether I should post a new HJT log. Also, I did not disable System Restore beforehand, just in case I needed to go back. Should I do so and run the process again to ensure nothing is left in the System Restore folder?

Once again, thank you very much for your support. Thanks to you, even pesky CleverIEHooker is history!

Best regards,

drwizgeek


Hi

Your entries are all OK. Real.com can be removed without a problem if you wish. It has to do with Realnetworks.

I would like to see the properties on this file before you purge your restore point.

C:\WINDOWS\System32\omsvcsc.exe

If it is obviously new or not what it should be go ahead and delete it. I'm pretty sure it is no good because I can find nothing on it.


Hello OlTramp:

Great news; I ran NAV in safe mode as well, and it found three more adware items that it could not delete:

ahem.exe in c:\documents and settings\nelson\local settings\temp\alchem.cab
c:\documents and settings\nelson\local settings\temp\cdt_bbi8016.exe
c:\windows\preinstt.exe

I deleted all three and a few more shortcuts to the recycle bin using Windows Explorer. I will delete them there if no disaster occurs!

IE is back, except the search engine. But the modem is still generating Error 633. I will have to repair the Win XP files and find a way to close the unknown application that has kept the Toshiba Satellite's COM3 port open (any ideas?).

I cannot find C:\WINDOWS\System32\omsvcsc. But I think it might be ScanSoft's OmniPage Pro OCR S/W that I might have removed from the system tray for a faster reboot.

Again, thank you very much for a job well done! We both appreciate your valuable advice on this menace.

Best regards,

Wiz


You are very welcome. I am glad we could help. Wish I could help you with your modem problem, but I am afraid that is out of my area. You might check to make sure there are no conflicts, or maybe even reinstall it? Wish you the best.

Edited by OlTramp
