Problems removing CleverIEHooker.Jeired

Discussion in 'adware, spyware & hijack cleaning' started by iedau, Apr 26, 2004.

Thread Status:
Not open for further replies.
  1. iedau


    I've run both Ad-aware and Spybot.

    Ad-aware only finds an assortment of cookies.

    Spybot detects CleverIEHooker.Jeired and removes the Registry entries,
    but the problem keeps re-appearing after a restart.

    Can anyone help? o_O

    Thanks.

    **************
    Ad-aware finds -

    ArchiveData(auto-quarantine- 26-04-2004 13-23-37.bckp)
    ======================================================

    TRACKING COOKIE
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=File : c:\documents and settings\ian\cookies\ian@0[2].txt
    obj[1]=File : c:\documents and settings\ian\cookies\ian@2o7[1].txt
    obj[2]=File : c:\documents and settings\ian\cookies\ian@advertising[1].txt
    obj[3]=File : c:\documents and settings\ian\cookies\ian@casalemedia[1].txt
    obj[4]=File : c:\documents and settings\ian\cookies\ian@cgi-bin[1].txt
    obj[5]=File : c:\documents and settings\ian\cookies\ian@counter.hitslink[2].txt
    obj[6]=File : c:\documents and settings\ian\cookies\ian@counter2.hitslink[2].txt
    obj[7]=File : c:\documents and settings\ian\cookies\ian@doubleclick[1].txt
    obj[8]=File : c:\documents and settings\ian\cookies\ian@ehg-learningco.hitbox[2].txt
    obj[9]=File : c:\documents and settings\ian\cookies\ian@hitbox[2].txt
    obj[10]=File : c:\documents and settings\ian\cookies\ian@qksrv[1].txt
    obj[11]=File : c:\documents and settings\ian\cookies\ian@servedby.advertising[2].txt
    obj[12]=File : c:\documents and settings\ian\cookies\ian@tribalfusion[1].txt

    ************


    StartupList report, 26/04/2004, 11:00:50 AM
    StartupList version: 1.52
    Started from : D:\My Documents\My Received Files\StartupList.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\windows\temp\jow2h54m.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\WinFax\WFXCTL32.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\PMJ151LA.BIN
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\WINDOWS\System32\Qzyg0.exe
    C:\Program Files\Norton SystemWorks\WinFax\WFXMOD32.EXE
    C:\WINDOWS\System32\GftmBT.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\DllHost.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\My Documents\My Received Files\StartupList.exe
    C:\Program Files\Messenger\msmsgs.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Ian\Start Menu\Programs\Startup]
    SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Controller.LNK = C:\Program Files\Norton SystemWorks\WinFax\WFXCTL32.EXE
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    WFXSwtch = C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    WinFaxAppPortStarter = wfxsnt40.exe
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    Mirabilis ICQ = C:\Program Files\ICQ\NDetect.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
    TV Media = C:\Program Files\TV Media\Tvm.exe
    jow2h54m.exe = C:\windows\temp\jow2h54m.exe
    449AQR9438ATQ@ = C:\WINDOWS\System32\Pwbm74i.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    PopUpStopperFreeEdition = "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    TV Media = C:\Program Files\TV Media\Tvm.exe
    ClockSync = C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    WNST = C:\WINDOWS\System32\wnsapisv.exe

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [DSS]
    = C:\WINDOWS\\BBStore\DSS\dssagent.exe

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - C:\WINDOWS\System32\nzdd.dll - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Norton SystemWorks One Button Checkup.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Checkers Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
    CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://active.macromedia.com/director/cabs/sw.cab

    [Minesweeper Flags Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab

    [Yahoo! Audio Conferencing]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\yacscom.dll
    CODEBASE = http://cs5.chat.sc5.yahoo.com/v45/yacscom.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [{7A32634B-029C-4836-A023-528983982A49}]
    CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    [{91BE8DAC-957E-416C-B735-E2B63CDB915B}]
    CODEBASE = http://www.myemessenger.com/activex/MyEMessengerSetupProject.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38020.547337963

    [CSonyPicturesGameDownloaderCtl Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\SonyPicturesGameDownloader.ocx
    CODEBASE = http://www.shockwave.com/content/angelx/SonyPicturesGameDownloader.cab

    [{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}]
    CODEBASE = http://install.wildtangent.com/bgn/partners/shockwave/meninblackII/install.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [MSN Chat Control 4.5]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
    CODEBASE = http://chat.msn.com/bin/msnchat45.cab

    [Solitaire Showdown Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
    CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 8,932 bytes
    Report generated in 0.901 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    Thanks
    :)
     
  2. puff-m-d

    Hi iedau,

    Welcome to Wilder's!!!!!

    Go HERE and follow the instructions. Since you have already run SpyBot and/or AdAware, skip step 1 and go to step 2.

    Regards,
    Kent
     
  3. iedau

    Hi Kent

    Thanks for your help.

    I discovered that the offending program (Jeired) had somehow been given a name change - and called TV MEDIA!!

    It had to be uninstalled first via the Control Panel.

    Instead of being in the system32 folder, it was found in the Autorun entries of the Registry (HKLM & HKCU) as:
    TV Media = C:\Program Files\TV Media\Tvm.exe

    I removed the entries using Regedit, rebooted and then ran Spybot to check that all was OK.

    Following some other hints, I also used tools to delete the Temporary Internet Files.

    It all seems OK now.

    Thank you :)
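
The check described in the last post (the same value name registered under both the HKLM and HKCU Run keys) can be run over a StartupList report automatically. This is an added example, not part of the original thread or of StartupList; `parse_run_entries`, `triage` and the shortened `SAMPLE_REPORT` are constructed for illustration, and the temp-directory rule is a general triage heuristic rather than a verdict on any file.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened excerpt in the StartupList layout from the thread.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
TV Media = C:\Program Files\TV Media\Tvm.exe
jow2h54m.exe = C:\windows\temp\jow2h54m.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
TV Media = C:\Program Files\TV Media\Tvm.exe
"""

HIVE_LINE = re.compile(r"^(HKLM|HKCU)\\.*\\Run$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

def parse_run_entries(report):
    """Return {hive: {value_name: command}} for the Run-key sections."""
    entries, hive = defaultdict(dict), None
    for line in report.splitlines():
        line = line.strip()              # forum-pasted reports are often indented
        m = HIVE_LINE.match(line)
        if m:
            hive = m.group(1).upper()
        elif line.startswith("-----"):
            hive = None                  # a separator line closes the section
        elif hive and " = " in line:
            name, command = line.split(" = ", 1)
            entries[hive][name.strip()] = command.strip()
    return dict(entries)

def triage(entries):
    """Flag entries worth a manual look; heuristics, not verdicts."""
    hklm, hkcu = entries.get("HKLM", {}), entries.get("HKCU", {})
    both = sorted(set(hklm) & set(hkcu))
    findings = [(n, "registered in both HKLM and HKCU Run") for n in both]
    for hive in (hklm, hkcu):
        for name, command in hive.items():
            if TEMP_DIR.search(command):
                findings.append((name, "launches from a temp directory"))
    return findings
```

Calling `triage(parse_run_entries(text))` on a saved report returns a list of `(value name, reason)` pairs to review by hand before anything is deleted.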
     