Jump to content


Photo

DSO Exploit


  • Please log in to reply
1 reply to this topic

#1 brianrogers

brianrogers

    Member

  • New Member
  • Pip
  • 1 posts

Posted 26 June 2004 - 07:23 PM

I've been hijacked, and have tried various methods over the past 5 days to get rid of CoolWeb. The about:blank hijack goes away for a while, then returns. Each time, I've run a variety of tools, but CoolWeb keeps returning.

Spybot gives me a "DSO Exploit" with two HKEY_USERS listings, and when I "fix" the item, and re-run Spybot, it's still there.

Ad-Aware finds up to 5 new Registry keys, 13 Registry values, and other new files.

The Killbox fix and reboot doesn't seem to make any difference.

CWShredder finds and fixes about every fifth run (about once a day), but to no avail.

After running Hijack This, I deleted all 05 06 07, and all unidentified BHOs and all 04s that were not identified in the link within the FAQ.

Norton AV hasn't found anything.

Trojan Hunter found no trojans (but was unable to unpack one file).

The only other clue I've found is that several programs are not letting go of memory, and grow until virtual memory is filled -- especially vpc32.exe and rtvscan.exe. MS programs are unwilling to release memory, sometimes after closing.

Here's my Hijack This file:
Logfile of HijackThis v1.97.7
Scan saved at 3:18:18 PM, on 6/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\brogers.INFOINSIGHTS\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Third Sector Technologies
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://137.229.42.10...sCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7627.5207986111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = infoinsights.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A33A35D6-9E6E-4F47-A3EC-A740671DCA72}: NameServer = 209.193.4.7,209.193.4.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = infoinsights.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = infoinsights.com


Any ideas out there? Thanks to all who've posted before, and especially for the FAQ, which helped me with portions of this problem.

#2 Bobc

Bobc

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 26 June 2004 - 08:58 PM

I had the same DSO Exploit results on Spy Bot. I took the advice of BobO. See
his post 6:49am 6/26 for his solution. It worked for me. Good luck.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button