Hijack of MSIE to About:Blank by DSO Exploit(?)

#1 jasonts



Posted 27 June 2004 - 06:21 PM

My MSIE is being hijacked to About:Blank upon launch. In addition, I get a pop-up banner indicating Mediacom HSI has detected spyware on launch of MSIE, or any software that checks the internet automatically for program updates.

I am able to check my internet settings during any single session. That is, I can change the homepage from About:Blank to my preferred homepage. However, the settings I choose are then lost when I close and re-open MSIE.

Here are the steps I took to try and fix this problem:
1. Downloaded and ran Spyware Doctor. Found and fixed many problems but didn't resolve problem.

2. Downloaded and ran Spybot S&D. Found and fixed many problems not found by Spyware Doctor. But again, did not resolve problem.

Note: Each time I run Spybot S&D the program finds 5 instances of DSO Exploit in HKey_Users registry. I 'fix' the problem but it keeps recurring. The log of these 5 files follows the HijackThis log toward the end of the post.

3. Read and followed the directions in the FAQ on this site (or tried to :unsure: ).

Note: There are four files in my temp folder under Documents and Settings/Owner/Local Settings/Temp that I cannot remove with the error message: Cannot delete (filename). It is being used by another person or program. These files begin with 'me_' followed by a long alphanumeric string.

I would greatly appreciate any suggestions for next steps as this is driving me insane :grrr: . Thank you in advance for responding to this post!!

Following is the log from my HijackThis scan:

Logfile of HijackThis v1.97.7
Scan saved at 5:59:27 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Compaq A4000\CPQA4000.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E365E3E-695A-4A45-B8EB-CCAA0CC1B38B} - C:\WINDOWS\System32\ebpne.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\System32\PD6000SM.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [defscan_install.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\EACDownload\defscan_install.exe -k
O4 - HKLM\..\Run: [BroadbandClient] C:\Program Files\Mediacom\BBClient\Programs\RegCon.exe /admincheck
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Compaq A4000 Settings Utility.lnk = C:\Program Files\Compaq A4000\CPQA4000.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Following is the log of the Spybot S&D scan:

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1757981266-117609710-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

--- Spybot - Search && Destroy version: 1.3 ---
2004-06-16 Includes\Cookies.sbi
2004-06-16 Includes\Dialer.sbi
2004-06-17 Includes\Hijackers.sbi
2004-06-16 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-06-16 Includes\Malware.sbi
2004-06-16 Includes\Revision.sbi
2004-06-16 Includes\Security.sbi
2004-06-16 Includes\Spybots.sbi
2004-06-16 Includes\Tracks.uti
2004-06-16 Includes\Trojans.sbi
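
An added example, not part of the original thread: a short Python triage pass over HijackThis entries like those in the log above. The sample lines are excerpted from that log; the review rules and function names are assumptions chosen for this example, and a match means "look closer", not a verdict.

```python
import re

# Sample input: a few lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
O2 - BHO: (no name) - {6E365E3E-695A-4A45-B8EB-CCAA0CC1B38B} - C:\WINDOWS\System32\ebpne.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
O4 - HKLM\..\Run: [defscan_install.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\EACDownload\defscan_install.exe -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# An entry line is "<section code> - <body>", e.g. "R1 - ..." or "O16 - ...".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Per-user Temp folder, in short (8.3) or long form.
TEMP = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.I)

def parse(log):
    """Yield (code, body) per entry; header and process-list lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]

def review_reason(code, body):
    """Return why an entry deserves manual review, or None (example heuristics)."""
    if code in ("R0", "R1") and "file://" in body.lower() and TEMP.search(body):
        return "IE page setting points at a local file in Temp"
    if code == "O2" and "(no name)" in body and re.search(
            r"\\system32\\[^\\]+\.dll$", body, re.I):
        return "unnamed BHO loaded directly from System32"
    if code in ("O2", "O3") and body.endswith("(no file)"):
        return "registration left behind with no file on disk"
    if code == "O4" and TEMP.search(body):
        return "autostart entry launches from Temp"
    return None

def triage(log):
    """Return (code, reason, body) for every entry that matches a rule."""
    return [(code, reason, body) for code, body in parse(log)
            if (reason := review_reason(code, body))]

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```
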

#2 mme_nrd



Posted 27 June 2004 - 11:10 PM

I had the same problem. This posting helped me solve it:


Hope this helps. Good luck.

I also read somewhere that the DSO thing is a bug in Spybot and no big deal. I have the same thing.

