
CleverIEhooker.jeird and others HJT log


5 replies to this topic

#1 drwizgeek

drwizgeek

    Member

  • Full Member
  • 11 posts

Posted 14 June 2004 - 01:12 AM

Please help me cleaning up my tennis partner's laptop. I have run spybot and ad-aware and cleaned up as much as possible. Here is my HJT log of the remaining spyware. CleverIEhooker.jeird and DealHelper are specially troublesome. Please help me identify and fix all the "bad guys." His internal modem is not working (Error 633, modem or connecting device cannot be opened ...) any more. You are all providing a great service; we both appreciate your assistance on this problem ASAP.

Thanks!


Logfile of HijackThis v1.97.7
Scan saved at 2:20:57 PM, on 6/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskmgr.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [oqoook] C:\WINDOWS\pyjpl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [omsvcsc] C:\WINDOWS\System32\omsvcsc.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/p...13/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://meridianlink....ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0755FB32-5B5A-4559-8B3D-8E87C8E433E8}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F82F46B0-05D6-4194-B5E2-8759B9C78EBD}: NameServer = 192.168.10.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0755FB32-5B5A-4559-8B3D-8E87C8E433E8}: NameServer = 192.168.10.1 :wtf: :wtf: :wtf:

#2 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • 148 posts

Posted 14 June 2004 - 06:28 PM

Hi drwizgeek-
Run both of these programs in safe mode. You may need to download them and place them on the other machine if you don't have internet access-You want to make sure you have the latest versions of both.
First run Spybot S&D. You can get it here-
Spybot
Unzip, and update. Install the updates and run. Delete all that it marks in red.
Or --(It's a good idea to run both)
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

After rebooting make sure all browsers are closed and rerun HJT. Check and click fix checked for the following-
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [oqoook] C:\WINDOWS\pyjpl.exe
O4 - HKLM\..\Run: [omsvcsc] C:\WINDOWS\System32\omsvcsc.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab

Restart your computer in safe mode and delete-
c:\installer\id53.exe <=File
C:\WINDOWS\pyjpl.exe <=File
C:\Program Files\TV Media <=Folder
Find this one and post its properties-
C:\WINDOWS\System32\omsvcsc.exe

You need to make sure your O17 entry leads to your school, company or ISP too.

Edited by OlTramp, 14 June 2004 - 06:31 PM.
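The entries OlTramp picks out above are the usual suspects in a HijackThis log: hooks and BHOs whose target is "(no file)" (left over from an incomplete removal), autoruns launching from c:\installer or straight out of C:\WINDOWS rather than System32, the same program registered under both Run and RunOnce in HKLM and HKCU, a DPF (ActiveX download) entry with no control name, and an O17 NameServer that should point at the owner's ISP or LAN. The script below is an added example, not part of this thread and not HijackThis's own code: it parses lines in the v1.97 log format and applies those checks as triage heuristics. The sample lines are copied from the posted log; the trusted-directory list and the rule names are assumptions made for the example, so OEM software in unusual directories (the Toshiba pinger) surfaces as a candidate to review, not as a verdict.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in HijackThis v1.97 line format; paths and CLSIDs are
# copied from the log posted in this thread, not from a live scan.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [oqoook] C:\WINDOWS\pyjpl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0755FB32-5B5A-4559-8B3D-8E87C8E433E8}: NameServer = 192.168.10.1
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?P<name> \([^)]*\))? - (?P<url>\S+)")
O17_RE = re.compile(r"NameServer = (?P<ips>.*)$")

# Assumption for this triage: legitimately installed autoruns normally live here.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")


def image_path(cmd):
    """Return the executable path from an O4 command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text):
    """Return (code, section, line) findings that deserve a human's attention."""
    findings = []
    autorun_sites = defaultdict(set)  # lower-cased path -> {(hive, key), ...}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        # A hook or BHO whose file is gone is residue of an incomplete removal.
        if "(no file)" in body:
            findings.append(("orphan", sec, raw))
        if sec == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue  # e.g. "Global Startup:" lines use a different layout
            path = image_path(o4.group("cmd")).lower()
            autorun_sites[path].add((o4.group("hive"), o4.group("key")))
            if path.rsplit("\\", 1)[0] == "c:\\windows":
                findings.append(("windows_root", sec, raw))  # binaries belong in System32
            elif not path.startswith(TRUSTED_DIRS):
                findings.append(("untrusted_dir", sec, raw))
        elif sec == "O16":
            o16 = O16_RE.match(body)
            if o16 and o16.group("name") is None:
                findings.append(("unnamed_dpf", sec, raw))
        elif sec == "O17":
            o17 = O17_RE.search(body)
            for ip in (o17.group("ips").split(",") if o17 else []):
                try:
                    if not ip_address(ip.strip()).is_private:
                        findings.append(("public_dns", sec, raw))
                except ValueError:
                    findings.append(("bad_dns", sec, raw))
    # The same program in several autorun keys is a re-persistence pattern.
    for path, sites in autorun_sites.items():
        if len(sites) > 1:
            findings.append(("duplicate_autorun", "O4", f"{path} in {sorted(sites)}"))
    return findings


def count_by_code(findings):
    counts = defaultdict(int)
    for code, _, _ in findings:
        counts[code] += 1
    return dict(counts)


if __name__ == "__main__":
    for code, sec, line in triage(SAMPLE_LOG):
        print(f"{code:18} {sec:4} {line}")
```

Run against the sample, the script lists the two "(no file)" orphans, pyjpl.exe in the Windows root, id53.exe and the Toshiba pinger outside the assumed trusted directories, the unnamed imgfarm DPF, and Tvm.exe registered twice; the 192.168.10.1 nameserver passes because it is a private LAN address, which is the check OlTramp asks for on the O17 line.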


#3 drwizgeek

drwizgeek

    Member

  • Full Member
  • 11 posts

Posted 15 June 2004 - 12:58 PM

Hello OlTramp:

Thank you very much for your precise instructions on how to proceed. Even though I had installed and run Spybot S&D and Ad-Aware exactly as you advised, I repeated the process again and found CleverIEHooker and DSO exploit again by Spybot and a few more by Ad-Aware. I cleaned them all up. I knew that DSO was probably flagged again due to a bug in Spybot code. But, CleverIEHooker is a pesky animal.

Then, I rebooted in normal mode, made sure all browsers were closed, and reran HJT. Checked all items you listed above and clicked "fix checked" for all of them. Next, I restarted computer in safe mode and deleted the only item that I could find: C:\Program Files\TV Media <=Folder. I think the rest had already been cleaned up by my previous scans.

Since I remembered that I had unchecked a few startup items that I knew were malware, I started computer in normal mode, checked all back in and repeated the whole process. Checked these new malware items and clicked "fix checked" for all of them, and rebooted.

The good news is that all are gone, including CleverIEHooker! I think even IE has been restored now based on the HJT scan! I cannot post the log because I can't go online on my friend's PC (his modem is still giving error 633). But, I carefully examined them; everything looks fine except these new ones that I am not sure:

R 1 - HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL=http://www.toshiba.com

R 09 - Extra button: Real.com (HKLM)
R 014 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

My hunch is that R 1 and R 014 confirm that IE has been restored and defaults to toshiba.com. R 09 looks suspicious to me.

Please let me know what you think and whether I should post a new HJT log. Also, I did not disable the System Restore beforehand just in case I needed to go back. Should I do so and run the process again to ensure nothing is left in the System Restore folder?

Once again, thank you very much for your support. Thanks to you even pesky CleverIEHooker is history!

Best regards,
drwizgeek

#4 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • 148 posts

Posted 15 June 2004 - 04:15 PM

Hi
Your entries are all OK. Real.com can be removed without a problem if you wish. It has to do with Realnetworks.
I would like to see the properties on this file before you purge your restore point.
C:\WINDOWS\System32\omsvcsc.exe
If it is obviously new or not what it should be go ahead and delete it. I'm pretty sure it is no good because I can find nothing on it.

#5 drwizgeek

drwizgeek

    Member

  • Full Member
  • 11 posts

Posted 16 June 2004 - 12:18 AM

Hello OlTramp:

Great news; I ran NAV in safe mode as well, found three more adware that it could not delete:

ahem.exe in c:\documents and settings\nelson\local settings\temp\alchem.cab
c:\documents and settings\nelson\local settings\temp\cdt_bbi8016.exe
c:\windows\preinstt.exe

I deleted all three and a few more shortcuts to the recycle bin using windows explorer. I will delete them there if no disaster occurred!

IE is back, except the Search engine. But, Modem is still generating Error 633. I will have to repair Win XP files and find a way to close the unknown application that has kept Toshiba Satellite's COM3 port open (any ideas?).

I cannot find C:\WINDOWS\System32\omsvcsc. But, I think it might be ScanSoft's omniPagePro OCR S/W that I might have removed from the system tray for faster reboot.

Again, thank you very much for a job well done! We both appreciate your valuable advice on this menace.

Best regards,
Wiz

#6 OlTramp

OlTramp

    SWI Junkie

  • Trusted Advisor
  • 148 posts

Posted 16 June 2004 - 08:24 PM

You are very welcome. I am glad we could help. Wish I could help you with your modem problem but I am afraid that is out of my area. You might check to make sure there are no conflicts or maybe even reinstall it? Wish you the best.

Edited by OlTramp, 16 June 2004 - 08:26 PM.




