First time user


This topic is locked
4 replies to this topic

#1 Lyquid (Members, 1 post)

Posted 25 May 2004 - 05:02 PM

My family is filled with careless siblings and parents, so naturally spyware on my computer is common, but recently pop-ups have been showing up randomly, even when a browser isn't open.

I ran Spybot S&D, Ad-aware, CWShredder, and HijackThis!

I think I am on a good track to fix the problem, but I don't know what to fix when I searched my computer with HijackThis, please help!!!

Logfile of HijackThis v1.97.7
Scan saved at 5:46:06 PM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\cwtrr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nate\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://halo.bungie.org/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {AF9118B5-D861-4818-90E2-946641DCC561} - C:\WINDOWS\areeqhzb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Nate\Desktop\Winamp\winampa.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [wydw] C:\WINDOWS\cwtrr.exe
O4 - HKLM\..\Run: [sfsfazep] C:\WINDOWS\sfsfazep.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [awhdqpb] C:\WINDOWS\System32\numgudob.exe
O4 - HKLM\..\Run: [mbqlibsz] C:\WINDOWS\mbqlibsz.exe
O4 - HKLM\..\Run: [yhqd] C:\WINDOWS\yhqd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Startup: StripSaver.lnk = C:\Program Files\StripSaver\StripSaver.exe
O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-p3.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_6390.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://www.shizmoo.com/activex/web665.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/chedownzip.cab

#2 Xemus (Members, 38 posts)

Posted 25 May 2004 - 07:20 PM

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
This file is your sound driver's error reporting feature. I recommend removing it and verifying that your sound still works. Technically, it's not totally malicious, just not necessary, however, so you may leave it.


Kill these entries:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {AF9118B5-D861-4818-90E2-946641DCC561} - C:\WINDOWS\areeqhzb.dll
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
Registration reminder. Kill if you don't want to register.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
QuickTime does not need to load at startup.
O4 - Startup: StripSaver.lnk = C:\Program Files\StripSaver\StripSaver.exe
O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe
O4 - Global Startup: VTAgentReboot.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_6390.dll' missing
This one can probably be fixed by the LSPfix utility.
http://cexx.org/lspfix.htm
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/chedownzip.cab
---
O4 - HKLM\..\Run: [awhdqpb] C:\WINDOWS\System32\numgudob.exe
O4 - HKLM\..\Run: [mbqlibsz] C:\WINDOWS\mbqlibsz.exe
O4 - HKLM\..\Run: [yhqd] C:\WINDOWS\yhqd.exe
These three entries look viral in their random names. Have the latest definitions for Norton? Ran it lately? Tried an online scan to double verify?
Links to various online scanners here:
http://www.closedsocket.com/links.html

#3 Papakid, Guru at being a Newbie (Malware Response Team, 6,522 posts)

Posted 25 May 2004 - 07:57 PM

Lyquid, hold off on fixing the following--it could be legitimate, and improperly removing LSPs could have serious consequences like losing your Internet connection.

O10 - Broken Internet access because of LSP provider 'xfire_lsp_6390.dll' missing

I think Xemus is right about the others, but let me check on them first.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#4 Papakid, Guru at being a Newbie (Malware Response Team, 6,522 posts)

Posted 25 May 2004 - 10:36 PM

OK, Xemus got most of them right, but he missed a few. And we're going to concentrate on malware removal first, & if you want to manage your startups that can be done later. The O10 entry I think should be left alone--unless you're experiencing any problems with xfire.

We need to get you set up right first. You need to move HijackThis off your Desktop and into its own folder. It's best to run it out of a folder in your root folder or at least anything outside of Documents and Settings--that way it will scan and fix for all user accounts if you have more than one. See THESE INSTRUCTIONS.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
For XP:
How to see hidden files in Windows

Scan again with HijackThis. Close all other windows, put a checkmark by these entries, double-checking to be sure that only these entries are checked & then click the "Fix checked" button.

O2 - BHO: (no name) - {AF9118B5-D861-4818-90E2-946641DCC561} - C:\WINDOWS\areeqhzb.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [wydw] C:\WINDOWS\cwtrr.exe
O4 - HKLM\..\Run: [sfsfazep] C:\WINDOWS\sfsfazep.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [awhdqpb] C:\WINDOWS\System32\numgudob.exe
O4 - HKLM\..\Run: [mbqlibsz] C:\WINDOWS\mbqlibsz.exe
O4 - HKLM\..\Run: [yhqd] C:\WINDOWS\yhqd.exe
O4 - Global Startup: VTAgentReboot.exe
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/chedownzip.cab


These two should be fixed if you don't know what they are and don't use them. The second should probably be removed anyway.

O4 - Startup: StripSaver.lnk = C:\Program Files\StripSaver\StripSaver.exe
O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe


Reboot your computer into Safe Mode and delete the following files if they exist:

In C:\WINDOWS
areeqhzb.dll
cwtrr.exe
sfsfazep.exe
mbqlibsz.exe
yhqd.exe

C:\WINDOWS\System32\numgudob.exe
C:\Program Files\Viewpoint <--The Viewpoint folder.

In C:\
VTAgentReboot.exe
ALCXMNTR.EXE

Run HijackThis again and post another log, please.

BTW, the Searchhook entry can't be fixed by HijackThis as long as it contains the underscore ( _ ). There's a reg file to fix that after you post your next log.


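The triage the two helpers do by hand above (Xemus noting in post #2 that the random-named O4 entries look viral, Papakid's fix list in post #4) can be written down as a small checker. The Python script below is an added example and is not part of the original thread or of HijackThis itself. It parses O4 Run lines (the sample is a subset copied from Lyquid's log in post #1), works out which file actually executes, and marks an entry suspicious when that file sits loose in C:\WINDOWS or System32, or has no path at all, and is not on a small known-good list. That list (hkcmd.exe, NvCpl.dll, nwiz.exe, ps2.exe, NVMCTRAY.DLL, all entries neither helper asked Lyquid to fix), the 0.15 vowel-ratio threshold and the verdict names are assumptions of this example.

```python
"""Triage of HijackThis O4 (autostart) lines: which startup entries run a file
that sits loose in the Windows directory under a name nobody recognises?
Added example for this thread; the allow-list and threshold are assumptions,
not a HijackThis feature."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O4 lines from Lyquid's log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wydw] C:\WINDOWS\cwtrr.exe
O4 - HKLM\..\Run: [sfsfazep] C:\WINDOWS\sfsfazep.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [awhdqpb] C:\WINDOWS\System32\numgudob.exe
O4 - HKLM\..\Run: [mbqlibsz] C:\WINDOWS\mbqlibsz.exe
O4 - HKLM\..\Run: [yhqd] C:\WINDOWS\yhqd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$')
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?([^,"]+)', re.IGNORECASE)
EXE_RE = re.compile(r'^(.+?\.(?:exe|dll|ocm|scr|com|pif))(?:\s|$)', re.IGNORECASE)

WINDIR = r'c:\windows'
LOOSE_DIRS = {WINDIR, WINDIR + r'\system32'}
# Assumption: files from the same log that neither helper asked to be fixed.
KNOWN_GOOD = {'hkcmd.exe', 'nvcpl.dll', 'nwiz.exe', 'ps2.exe', 'nvmctray.dll'}
VOWELS = set('aeiou')


@dataclass
class Verdict:
    name: str       # the registry value name, e.g. [wydw]
    path: str       # the file that actually executes
    verdict: str    # 'known-good' | 'suspicious' | 'review'
    notes: list


def target_path(cmd: str) -> str:
    """The file that runs: the DLL hosted by rundll32, a quoted path, or the
    first token that ends in an executable extension (unquoted paths with
    spaces are common in these logs)."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group(1).strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def looks_random(name: str) -> bool:
    """Advisory only: a 4+ letter name with almost no vowels. Threshold of
    0.15 is an assumption; it flags OEM abbreviations such as hpsysdrv too."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.15


def triage_line(line: str):
    m = O4_RE.match(line.strip())
    if not m:
        return None
    _hive, _key, name, cmd = m.groups()
    path = target_path(cmd)
    directory, _, base = path.lower().rpartition('\\')  # '' directory = bare name
    if base in KNOWN_GOOD:
        return Verdict(name, path, 'known-good', [])
    notes = []
    if looks_random(name):
        notes.append('value name looks random')
    if looks_random(base.rsplit('.', 1)[0]):
        notes.append('file name looks random')
    if directory == '':
        notes.append('bare file name, resolved via the search path')
        return Verdict(name, path, 'suspicious', notes)
    if directory in LOOSE_DIRS:
        notes.append('file sits loose in the Windows directory')
        return Verdict(name, path, 'suspicious', notes)
    return Verdict(name, path, 'review', notes)  # leave to a human


def triage(log: str) -> list:
    return [v for v in (triage_line(l) for l in log.splitlines()) if v]


def suspicious_files(log: str) -> list:
    """Lower-case base names of every entry judged suspicious, sorted."""
    return sorted(v.path.lower().rpartition('\\')[2]
                  for v in triage(log) if v.verdict == 'suspicious')


if __name__ == '__main__':
    for v in triage(SAMPLE_LOG):
        print(f"{v.verdict:<10} [{v.name}] {v.path}  {'; '.join(v.notes)}")
```

The vowel-ratio check is deliberately only an annotation: it fires on legitimate OEM abbreviations such as hpsysdrv and misses random names that happen to contain vowels such as numgudob, which is why the verdict keys on where the file lives and on the known-good list rather than on the name alone. Everything outside those two rules is left as "review" for a person, which is what the thread does with the Viewpoint entry: the script cannot know it is unwanted, Papakid can.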

#5 Xemus (Members, 38 posts)

Posted 26 May 2004 - 12:31 PM

areeqhzb.dll
cwtrr.exe
sfsfazep.exe
mbqlibsz.exe
yhqd.exe

I'd be interested in knowing whether these files are viral or just malware...
