Is this spyware?

Discussion in 'adware, spyware & hijack cleaning' started by garyland, Nov 17, 2003.

Thread Status:
Not open for further replies.
  1. garyland

    garyland Guest

    Hi,

    Can someone tell me which entries in this log are spyware?


    Logfile of HijackThis v1.97.6
    Scan saved at 4:52:15 PM, on 11/17/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    E:\phpdev\Apache\Apache.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\System32\gksuib18.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\35473269.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Eric Landers\Application Data\caot.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    E:\phpdev\Apache\Apache.exe
    C:\WINDOWS\System32\BjfPoX4n.exe
    C:\WINDOWS\System32\GdytuJ.exe
    E:\Program Files\WebWriter3\WebWrite.exe
    C:\Program Files\PHP Coder\PHPCoderPro.exe
    E:\Program Files\Adobe\Photoshop 6.0\ImageReady.exe
    C:\WINDOWS\explorer.exe
    E:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe
    E:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
    C:\DOCUME~1\ERICLA~1\LOCALS~1\Temp\~e5d141.tmp
    C:\DOCUME~1\ERICLA~1\LOCALS~1\Temp\~e5d141.tmp
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Netscape\Netscape 6\Netscp.exe
    E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=132702
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.viaccess.net:8080
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
    R3 - URLSearchHook: (no name) - - (no file)
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://lw10fd.law10.hotmail.msn.com/cgi-bin/hmhome?curmbox=F000000001&a=4e698702e4737a945e656383a283d9bd&fti=yes&_lang=EN"); (C:\Documents and Settings\Eric Landers\Application Data\Mozilla\Profiles\default\czl8lxqe.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Eric Landers\Application Data\Mozilla\Profiles\default\czl8lxqe.slt\prefs.js)
    O1 - Hosts: 209.132.200.78 auto.search.msn.com
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1211.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
    O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\System32\expext.dll
    O2 - BHO: (no name) - {24180B00-2EB6-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\ToolBar\toolbar.dll
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - e:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: Search - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll (file missing)
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER COMPANION\POPUPUS.DLL (file missing)
    O3 - Toolbar: TracerLock - {57645A55-64CF-11D5-A196-00E07D8A45E8} - C:\WINDOWS\SYSTEM32\tltoolbardll.dll
    O3 - Toolbar: &Visual Marks - {3F753E5A-DF80-4850-801C-35880F80756C} - C:\PROGRA~1\VISUAL~1\VMARKS.DLL (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: Trellian Toolbar - {71AAABE5-1F0F-11d7-BD6F-004854603DCE} - C:\Program Files\TRELLIAN\ToolBar\toolbar.dll
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Explkw] C:\WINDOWS\System32\expup.exe
    O4 - HKLM\..\Run: [4Q3PP7R47FJ87S] C:\WINDOWS\System32\Tgr89m24.exe
    O4 - HKLM\..\Run: [gksuib18.exe] C:\WINDOWS\System32\gksuib18.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
    O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ERICLA~1\LOCALS~1\Temp\tb_setup.exe /dcheck
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [32737368.exe] C:\WINDOWS\System32\32737368.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Unlo] C:\Documents and Settings\Eric Landers\Application Data\caot.exe
    O4 - HKCU\..\Run: [gksuib18.exe] C:\WINDOWS\System32\gksuib18.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Grab &Selected Text... - res://C:\PROGRAM FILES\COGITUM CO-CITER\COGITUMHELPERS.DLL/ctGrab.htm
    O8 - Extra context menu item: Save with Download Manager... - e:\Program Files\J River\Media Jukebox\DMDownload.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Co-Citer (HKLM)
    O9 - Extra 'Tools' menuitem: Cogitum &Co-Citer (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O9 - Extra button: Netnews (HKCU)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Win32 Classes -
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab
    O16 - DPF: {2646205B-878C-11D1-B07C-0000C040BCDB} (NSIEMisc Class) - file://D:\autorun\x86\bin\nskey.dll
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_72/QDow.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37863.5117361111
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} - http://www.spyblast.com/download/SBFullSInst.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/download.CAB
    O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.climaxbucks.com/internet-optimizer/080703/MultiDist.CAB
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    hi gary,
    i saw ur hijack that u got spybot... hav u run that?? :doubt:.. if any spyware exists in ur comp let it scan 1st
    ofcourse chk for update 1st
    i will recommend 2 more softwares.. spywareblaster and CWshredder..
    just do the scan
    and then let me kno
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi garyland,

    Not all spyware. One Trojan, a few dialers and some orphaned entries.

    Download and run this file to fix Peper Trojan:
    http://home01.wxs.nl/~kleyn080/uninst.exe
    double click on 'uninst.exe', let it run and terminate.
    To delete all the associated files download the following tool:
    http://www.mjc1.com/files/mo/drpeper.html
    It will self extract to C:.
    Find :
    C:\drpeper\Find backup and Delete Peper files.vbs file and double click.
    On the first prompt copy and paste:
    BjfPoX4n.exe
    And hit ok.
    You will get a confirmation and proceed:
    On the second, paste:
    Tgr89m24.exe
    And hit ok

    It will find all the files, delete them and will make backups in the same folder.
    It'll open a text file (Peper.txt) with the list of all files deleted.
    Could you please post the content of that log file so we can check if no vital files were removed.

    Then check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=132702

    R3 - URLSearchHook: (no name) - - (no file)

    O1 - Hosts: 209.132.200.78 auto.search.msn.com
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1211.dll

    O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
    O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\System32\expext.dll

    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL

    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: Search - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll (file missing)
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER COMPANION\POPUPUS.DLL (file missing)

    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Explkw] C:\WINDOWS\System32\expup.exe
    O4 - HKLM\..\Run: [4Q3PP7R47FJ87S] C:\WINDOWS\System32\Tgr89m24.exe
    O4 - HKLM\..\Run: [gksuib18.exe] C:\WINDOWS\System32\gksuib18.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
    O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ERICLA~1\LOCALS~1\Temp\tb_setup.exe /dcheck

    O4 - HKLM\..\Run: [32737368.exe] C:\WINDOWS\System32\32737368.exe

    O4 - HKCU\..\Run: [Unlo] C:\Documents and Settings\Eric Landers\Application Data\caot.exe
    O4 - HKCU\..\Run: [gksuib18.exe] C:\WINDOWS\System32\gksuib18.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)

    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_72/QDow.cab

    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} - http://www.spyblast.com/download/SBFullSInst.cab

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/download.CAB

    Then reboot and delete:
    C:\PROGRAM FILES\INCREDIFIND <= entire folder
    C:\Program Files\ISTbar <= entire folder
    C:\Program Files\ISTsvc <= entire folder
    C:\WINDOWS\System32\expup.exe
    C:\WINDOWS\System32\32737368.exe

    And could you please mail:
    C:\WINDOWS\System32\gksuib18.exe
    C:\Documents and Settings\Eric Landers\Application Data\caot.exe
    to the email-address in my profile.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.