DSO exploit



#1 busch


Posted 08 July 2004 - 02:13 PM

I ran Spybot 1.3 and it told me that I have DSO exploit on my computer. After running fix it I ran the program again and the same DSO exploit came back up. I did some research on DSO exploit and found out that I need to run HijackThis. It told me to ask the experts on which file I can remove. Here are the files that came up using HijackThis. Can you help? :unsure:

Logfile of HijackThis v1.97.7
Scan saved at 11:43:22 AM, on 7/8/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\elevate.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\b0337694\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.boeing.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.boeing.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.boeing.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.boeing.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-support...31060/proxy.pac
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GreyStart] C:\WINNT\dhcpg32.EXE /roam
O4 - HKLM\..\Run: [ECSStub] C:\WINNT\ECSStub.vbs
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0\CalCheck.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O15 - Trusted Zone: http://inside.boeing.com
O15 - Trusted Zone: http://proxy-support.boeing.com
O15 - Trusted Zone: http://rain.cs.boeing.com
O15 - Trusted Zone: http://www.boeing.com
O15 - Trusted Zone: http://*.webex.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sw.nos.boeing.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sw.nos.boeing.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sw.nos.boeing.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = sw.nos.boeing.com

#2 busch


Posted 14 July 2004 - 09:36 AM

I posted this question on July 8th and I haven't gotten an answer. Can someone please help.... :ph34r:

#3 WinHelp2002


Posted 14 July 2004 - 02:01 PM

Hi,
DSO Exploit:
As long as you have all the "Critical Updates" installed, this is not an issue. It is a minor bug in SpyBot and you can simply ignore it. [more info]

As for your log, you do have a few suspicious looking files ...

Do you know what these are:

C:\WINNT\System32\elevate.exe
C:\WINNT\dhcpg32.EXE
C:\WINNT\ECSStub.vbs


Go to Kaspersky Test one file
Click Browse, navigate to C:\WINNT\System32\elevate.exe
Highlight (single-click) and click Submit
Wait for the results, if "detected\infected" copy and paste the info in your next post.

Repeat for: C:\WINNT\dhcpg32.EXE

Do the same here:

Go to Jotti's Malware Scanner
Click Browse, navigate to C:\WINNT\System32\elevate.exe
Highlight (single-click) and click Submit
Wait for the results, if "detected\infected" copy and paste the info in your next post.

Repeat for: C:\WINNT\dhcpg32.EXE

Important! Your system is severely out of date!
Visit Windows Update and install all the "Critical Updates"
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
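
An added example, not part of the original posts: a small parser for the HijackThis log format shown in post #1 that lists the registry Run autostart items and picks out the ones worth submitting to a scanner. The selection rule (scripts, or files sitting directly in the Windows folder) and the function names are assumptions of this example, not the helper's stated method.

```python
import ntpath
import re

# Excerpt of the HijackThis log from post #1 (lines copied from the page).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\elevate.exe
C:\WINNT\System32\hkcmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.boeing.com/
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GreyStart] C:\WINNT\dhcpg32.EXE /roam
O4 - HKLM\..\Run: [ECSStub] C:\WINNT\ECSStub.vbs
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - ..." item lines
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")  # registry Run values
TARGET = re.compile(r'^"?(.+?\.(?:exe|com|scr|bat|cmd|vbs|js))\b', re.I)
SCRIPT_EXT = {".vbs", ".js", ".bat", ".cmd"}
WINDOWS_DIRS = {r"c:\winnt", r"c:\windows"}  # assumption: usual install folders

def parse_log(text):
    """Split a log into the running-process list and (code, body) items."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        item = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif item:
            in_procs = False
            entries.append(item.groups())
        elif in_procs and line:
            processes.append(line)
    return {"processes": processes, "entries": entries}

def run_entries(parsed):
    """Return hive, value name and target file for each O4 registry Run item."""
    found = []
    for code, body in parsed["entries"]:
        run = RUN.match(body) if code == "O4" else None
        target = TARGET.match(run.group(3)) if run else None
        if target:
            found.append((run.group(1), run.group(2), target.group(1)))
    return found

def needs_review(parsed):
    """Heuristic (assumed): scripts, or files directly in the Windows folder."""
    return [path for _, _, path in run_entries(parsed)
            if ntpath.splitext(path)[1].lower() in SCRIPT_EXT
            or ntpath.dirname(path).lower() in WINDOWS_DIRS]
```

On the excerpt, `needs_review(parse_log(SAMPLE_LOG))` returns the two Run targets the reply asks about; elevate.exe appears only under running processes, so it has to be checked from `parse_log(...)["processes"]`.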

#4 busch


Posted 15 July 2004 - 11:52 AM

First off thanks for replying.

This scan is from Kaspersky

Scanned file: elevate.exe
elevate.exe - OK
Statistics:
Known viruses: 92981 Updated: 15-07-2004
File size (Kb): 64 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

Scanned file: dhcpg32.exe
dhcpg32.exe - OK
Statistics:
Known viruses: 92981 Updated: 15-07-2004
File size (Kb): 196 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

This scan is from Jotti's
Service load: 0% 100%

File: elevate.exe
Status: OK

AntiVir No viruses found (2.68 seconds taken)
BitDefender No viruses found (4.75 seconds taken)
ClamAV No viruses found (8.18 seconds taken)
F-Prot Antivirus No viruses found (2.01 seconds taken)
F-Secure Anti-Virus No viruses found (6.49 seconds taken)
Kaspersky Anti-Virus No viruses found (6.95 seconds taken)
McAfee VirusScan No viruses found (6.42 seconds taken)
Norman Virus Control No viruses found (7.05 seconds taken)

#5 WinHelp2002


Posted 15 July 2004 - 12:46 PM

Hi,
Since the files "appear" clean ... my next question is do you know who\what\where?
Mike

#6 busch


Posted 15 July 2004 - 01:31 PM

:wtf: I'm not sure I understand what you're asking.

I was not able to update my system because it said I need admin. access.

#7 WinHelp2002


Posted 15 July 2004 - 02:58 PM

Hi,

not able to update my system because it said I need admin. access.

See if this helps ...
http://v4.windowsupd...m/troubleshoot/
Mike

#8 busch


Posted 16 July 2004 - 08:48 AM

:D Thanks for the tip. My computer is now updated and it works great. :keybrd:

#9 cnm


Posted 16 July 2004 - 11:11 AM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE




