
DSO Exploit - persistent



#1 CoachNed

CoachNed

    Member

  • Full Member
  • 6 posts

Posted 23 May 2004 - 12:26 AM

I've read the FAQs and I'm familiar with the procedure. This is my 16-year-old daughter's computer. She is supposed to be using this computer only for homework and homework-related browsing. Yeah, right! Her complaint is basically slow booting (3-4 minutes) and slow operation. Spyware S&D shows "DSO Exploit" as the spyware problem. I delete it--it comes back on re-boot. Over and over. I'm guessing that this is a simple fix, but what do I know? Appreciate any help or advice.

Here is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 10:05:54 PM, on 5/22/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\LINKSYS\WPC11 CONFIG UTILITY\WPC11CFG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMFILES\ADOBEACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot S&D\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] c:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] c:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [AIM] C:\MY DOCUMENTS\PHYSICS\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office Find Fast Indexer.lnk = C:\ProgramFiles\MSOffice\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office Fast Start.lnk = C:\ProgramFiles\MSOffice\Office\FASTBOOT.EXE
O4 - Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7910.6673958333
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://kungfuchess.c...ivex/web665.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 23 May 2004 - 07:46 AM

Hi,
As long as your system is fully patched (all Windows Update "Critical Updates" installed), this is a non-issue and you can put that item in the "Ignore List".

Run SpyBot, click Settings, select: "Ignore Products"
Click the Security tab and place a check in "DSO Exploit"

As for running slow ...
I don't see any nasties in your log ...

It could be just too much running in the background (loading from Startup)

[Example]
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - Startup: Microsoft Office Find Fast Indexer.lnk = C:\ProgramFiles\MSOffice\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office Fast Start.lnk = C:\ProgramFiles\MSOffice\Office\FASTBOOT.EXE


You could have HijackThis "fix" those optional entries; these are not really required and do not affect the operation of the programs themselves.

Then do the usual stuff ... Defrag, Scandisk, etc.

Note: for a 16 yr. old that log is very clean ...
Give her a pat on the back ...

Edited by WinHelp2002, 23 May 2004 - 07:47 AM.

Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 CoachNed

Posted 23 May 2004 - 11:09 AM

This is a Celeron 466 with limited RAM so good suggestions on dumping some of the background apps. Yes, Win 98 is updated (by me) pretty regularly. But I'm not sure I understand your instructions about DSO Exploit. Are you saying that this is not spyware and that I should just ignore it and instruct Spybot to ignore it?

#4 morcheeba

morcheeba

    Member

  • Retired Staff - Helper
  • 96 posts

Posted 23 May 2004 - 11:24 AM

Hi,
The persistent DSO exploit is a bug in Spybot Search & Destroy 1.30 which hopefully they'll fix in the next update. If you can't wait and are happy with editing the registry, there's a fix here which I've tried and seems to work nicely.
http://forums.net-in...showtopic=15308

#5 WinHelp2002

Posted 23 May 2004 - 11:29 AM

Coach,

> Yes, Win 98 is updated (by me) pretty regularly.

When you go to Windows Update and run a scan, are there any "Critical Updates" offered? If so, install them all!

> Are you saying that this is not spyware

Exactly. SpyBot is detecting an internal Registry setting that has nothing to do with "spyware".

> I should just ignore it and instruct Spybot to ignore it?

Only if properly patched ... if so then add that entry to the "Ignore List"
Mike

#6 CoachNed

Posted 24 May 2004 - 01:44 AM

Thanks. I ran Windows Update again and there were no Criticals to install. I reduced the number of background programs. Then I started a full system scan using NAV. That's when Norton came back and said that there was not enough free disk space to run NAV.

"What the heck?", I said to myself, "this computer has a 6 gig hard drive--how much homework is she storing on here?" So I took a look, and sure enough there was only 10mb free. Using Windows Explorer, I took a closer look and found nearly 5 gigs of data in "My Music!" She does not have Kazaa or any file sharing apps, so I questioned the 16 year old directly. Turns out that she likes to listen to music while she's doing her homework and because she does not have a stereo in her room, she has been copying all her music CD's to her hard drive. (Light bulb comes on over dense Dad's head.) We are now picking and choosing which CD's to delete in order to free up some space.

So, not malware at all, just your run-of-the-mill PEBKAC.

(Problem Exists Between Keyboard And Chair)

#7 WinHelp2002

Posted 24 May 2004 - 03:26 AM

Coach,

> Turns out that she likes to listen to music while she's doing her homework

You could have had a 16 yr. old son with a hard drive full of ... well you know what I mean.

> We are now picking and choosing which CD's to delete

Hint: when you go to delete them, hold down the "Shift" key to bypass the Recycle Bin, otherwise you will not gain any space as they will just be stored there instead of My Music.

Once you get things cleaned up ... resize the browser cache
http://www.mvps.org/...02/delcache.htm
The default 10% is way too big. 50 mb is fine ...

Important: restart in Safe Mode and run Scandisk, then Defrag to clear up the "Free Space", etc.

Don't forget that "pat on the back"; she sounds like a good kid!

> Platform: Windows 98 SE (Win9x 4.10.2222A)

Hey Dad, you think it's time for an upgrade? {grin}
Mike

#8 redfive

redfive

    Member

  • Full Member
  • 11 posts

Posted 24 May 2004 - 03:33 AM

> O4 - HKCU\..\Run: [AIM] C:\MY DOCUMENTS\PHYSICS\aim.exe -cnetwait.odl

LOL @ sticking AIM in the Physics folder so Dad can't find it
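
The O4 lines picked out in posts #2 and #8 are the log's autostart entries, and the same review can be scripted. The following is an added example, not part of the thread and not a HijackThis feature: it parses O4 lines and sorts each program path by where it lives. The `EXPECTED_ROOTS` list, the function names and the verdict labels are assumptions made for this example.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [AIM] C:\MY DOCUMENTS\PHYSICS\aim.exe -cnetwait.odl
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
"""

# Assumption for this example: where autostart programs normally live on this PC.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

REG_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")   # registry Run keys
LNK_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")  # Startup folder links
# Program path: either quoted, or everything up to the first executable extension.
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|com|bat|scr|pif))(?=[\s,]|$)', re.I)

def triage(log):
    """Return (source, name, path, verdict) for every O4 autostart line."""
    rows = []
    for line in log.splitlines():
        m = REG_RE.match(line.strip()) or LNK_RE.match(line.strip())
        if not m:
            continue  # not an O4 entry
        source, name, command = m.groups()
        exe = EXE_RE.match(command)
        path = (exe.group(1) or exe.group(2)) if exe else command
        low = path.lower()
        if "\\" not in low:
            verdict = "bare-name"   # no directory given; resolved via the search path
        elif low.startswith(EXPECTED_ROOTS):
            verdict = "expected"
        else:
            verdict = "review"      # outside the usual roots: look at it by hand
        rows.append((source, name, path, verdict))
    return rows

def needs_review(log):
    return [name for _, name, _, verdict in triage(log) if verdict == "review"]

if __name__ == "__main__":
    for source, name, path, verdict in triage(SAMPLE_LOG):
        print("%-10s %-24s %s" % (verdict, name, path))
```

A "review" verdict only means the path sits outside the listed roots; on this sample it marks both the mouse driver entry and the AIM entry, so each still needs a human look.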



