Jump to content


Photo

DSO Exploit -- still not gone --


  • Please log in to reply
3 replies to this topic

#1 steblein

steblein

    Member

  • New Member
  • Pip
  • 2 posts

Posted 30 June 2004 - 12:53 PM

I've worked with a young lady from another office for several hours now. We have used Spybot, Adware, and CW Shredder. I've even taken advice and used them together. I've gone through all the preliminary suggestions on your website, but had trouble with Pacman's list coming up, but nothing is totally eliminating the DSO Exploit. It's not just that DSO appears in Spybot. She continues to get numerous pop-ups and ad windows after running and "removing" any found and KNOWN spyware.

I'm posting the HiJack this log, maybe someone can help. We are at the point of taking the computer and paying someone $85 to wipe it, because we've spent so much time already. I don't see anything suspicious in the log, but perhaps I am missing something.

Logfile of HijackThis v1.97.7
Scan saved at 10:45:14 AM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Documents and Settings\Kathie Morris\My Documents\Kathies TEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fws.gov/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mail2web.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fws.gov/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.weather.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.altavista.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fws.gov/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fws.gov/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 164.159.171.101 IFW9BCT-PT1
O1 - Hosts: 164.159.102.70 fw5romail
O1 - Hosts: 164.159.176.248 fwsmobile1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [BHOUE] C:\WINDOWS\BHOUE.exe
O4 - HKLM\..\Run: [FQBLVDN] C:\WINDOWS\FQBLVDN.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~2\SRClean.exe"
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: WebConnect Pro 5.1.7 - https://mantis.fws.g...ebConnectDU.cab
O16 - DPF: WebConnect Pro 6.2.14 - https://mantis.fws.g...ebConnectDU.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab



THANKS for any help you can provide. ~ Tina :wave:

#2 Tarl

Tarl

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 30 June 2004 - 01:06 PM

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe



I just spent a couple of hours yesterday getting rid of this on one of my user's machines. It's called Wintools, and was causing problems with FTP connections and popping up ads, among other things. The way I was finally able to stomp it out was by following the instructions here:

http://www.pchell.co.../wintools.shtml

#3 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 30 July 2004 - 11:46 AM

The DSO exploit is just a bug in Spybot SD - ignore it. Will be fixed in next update. For details visit the SSD forum, link is in my signature, below.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#4 pomp

pomp

    Forum Deity

  • Helper
  • PipPipPipPipPip
  • 1,163 posts

Posted 30 July 2004 - 12:28 PM

The update to fix the dso exploits reappearing bug is out already, its been out for about 3 days now.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button