• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
martinst

DSO Exploit spyware

11 posts in this topic

I have used SpySweeper and SpyBot and followed all of your directions and guidelines. After removal by SpySweeper and Spybot the spyware returns in seconds...in SpySweeper, the item is 3MCRKBTFGLGWZ (search-exe hijacker) and in SPYBOT the returning items are listed under DSO Exploit.

...there is a run statement that changes the exe file everytime you remove it... in the following hijack this log you will see it as windows/system32/bin9.exe..there are two other exe files that revolve after every removal. I have spent days on this and finally am asking you...

Thanks, Steve

 

Logfile of HijackThis v1.98.0

Scan saved at 10:13:24 PM, on 7/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\Dbp69iNO.exe

C:\WINDOWS\System32\ZxdXc.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\hijack\HijackThis.exe

C:\WINDOWS\System32\notepad.exe

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.easysearch.cc/search.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easysearch.cc/search.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [3MCRKBT3FGLGWZ] C:\WINDOWS\System32\Bin9.exe

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

Share this post


Link to post
Share on other sites

Download CWShredder install, run and click fix.

 

Download PeperFix

Save it to your Desktop.

Click on the PeperFix.exe to launch it.

 

Click the Find and Fix button.

 

It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files.

Ensure that you are online before starting the fix. Make sure to run the fix twice.

 

Now close all open windows AND browsers and check these items for HJT to fix(a fair amount of these are likely to be gone because of CWShredder):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.easysearch.cc/search.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easysearch.cc/search.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

O4 - HKLM\..\Run: [3MCRKBT3FGLGWZ] C:\WINDOWS\System32\Bin9.exe

 

 

 

The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.

* C:\Windows\Temp\

* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet

content including cookies. This is recommended and strongly suggested.

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

* Empty your "Recycle Bin".

 

Then disable your system restore

 

1 Right-click My Computer, and then click Properties.

2 Click the System Restore tab.

3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

4 Click Apply

5 this will delete all existing restore points. Click Yes to do this.

6 Click OK.

 

Reboot into normal mode enable System Restore and post a fresh log in this thread to give you further recommendations.

Share this post


Link to post
Share on other sites

Martinst,

 

Disregard the returning DSO Exploits, it's a bug in spybot. Should be fixed around next update.

Share this post


Link to post
Share on other sites

I am wondering if doing all of that to rid DSO Exploit will make any difference. I have two other machines that are now infected with that...msn.com is my home page and I don't really surf much...so it must be generating from there...is there anyway to block DSO Exploit from reoccuring or occuring in the first place?

Steve

Share this post


Link to post
Share on other sites

I followed all the steps that you sent ..here is the latest hijack log. When I run SpySweeper -- it still says I have search-exe hijacker...and CWS shredder didn't find anything...

Logfile of HijackThis v1.98.0

Scan saved at 11:32:00 AM, on 8/3/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\hijack\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

Share this post


Link to post
Share on other sites

I forgot to add that no matter how many times I run hijack this and delete the R1-HKCU\software\microsoft\internet explorer\main,Search Bar= about:blank...it comes back immediately.

 

Steve

Share this post


Link to post
Share on other sites

Restart the computer and post a fresh log please.

Share this post


Link to post
Share on other sites

Here is the latest log, per your request.

 

Logfile of HijackThis v1.98.0

Scan saved at 9:03:19 PM, on 8/5/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\hijack\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

Share this post


Link to post
Share on other sites

There´s no evidence of spyware in this log, are you still having any problems?

Share this post


Link to post
Share on other sites

Steve,

 

I too have problems with the DSO Exploit.

Maybe my logfile posted in the message titled " IadHide4.dll " can help us both.

In respect for the rules, I didn't post my logfile in your message.

 

Zuccherino

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0