DSO Exploit - Is there an expert on this???

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

qblitz

Thread Starter
Joined
Jun 18, 2001
Messages
81
I have Windows XP Pro.
I have been contracting this problem off and on for the past two months. The typical result is that my machine can no longer connect to the web (no ip, mail, iam, etc.). As a result, my startup doesn't complete b/c McAfee, et al. cannot get to the web to update their products.

My recovery procedure varies but usually includes these steps, but the order is different each time:
1) spybot detects it and gets rid of it (two passes)
2) restore back to a good date
3) remove IAM
4) run ipconfig/renew

Tonight no good --
Spybot finds DSO Exploit, but after running it many times, each time it reports it has been removed, and on the next run it is still there.

Can someone give me the correct removal/restore procedure and software? I will manually go into the registry if I have to.

Help!!!
 

qblitz

Thread Starter
Joined
Jun 18, 2001
Messages
81
Thank you Bob. I am so glad to hear from someone.

Tried that --- it works!!!

But how to recover? When I log on to my admin account or a user account, I still don't have internet connectivity. Something bad is left in the wake of DSO Exploit. See my procedure above. It used to work, but now doesn't. Any ideas? MS IE can't find the homepage, etc.
 
Joined
Nov 2, 2002
Messages
22,468
WINSOCK2 FIX
=============
If you can't access the Internet with programs like IE, Outlook Express, or other web browsers, you may have corrupted Winsock entries.

To remove the existing winsock2 registry entries (regardless of the OS) run:
http://www.onecomputerguy.com/reg/xp_del_winsock.reg

To add WindowsXP clean entries back in again, run:
http://www.onecomputerguy.com/reg/xp_winsock.reg

WINDOWSXP with SP2

There is a new command you can run with SP2 which will reset the Winsock2 registry entries back to their default setting:
netsh winsock reset catalog

TCP/IP RESET
=============
If you need to reset the TCP/IP protocol stack with XP you need to run a small script:

netsh int ip reset [ log_file_name ]

The log_file_name needs to be specified.
e.g. - netsh int ip reset ip_reset.txt
 

qblitz

Thread Starter
Joined
Jun 18, 2001
Messages
81
I tried the winsock delete/add programs you recommended. There was no impact.

Funny, I can get to the web under safe mode w/ networking, but not when I log on normally. Any ideas on what the differences are? Maybe the startup is changing the settings. Will you assist me with a startup debug?
What must I do?

your thoughts?
 
Joined
Nov 2, 2002
Messages
22,468
At least you need to download more Spyware and Trojan Removal programs. Never found one that gets them all.

SpySweeper:
http://www.webroot.com/wb/products/spysweeper/index.php
This will also protect your home page from being hijacked.

Ad-Aware:
http://www.lavasoft.de/

The new one from MS.

Any of the above three programs, just like Anti-Virus software, should have the latest updates installed before doing a scan. You might also want to do a scan in safe mode.

CWShredder:
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

KazaaBeGone
http://www.spywareinfo.com/~merijn/files/kazaabegone.zip

Programs that can help prevent getting infected:

Spyware Blaster
http://www.javacoolsoftware.com/spywareblaster.html

Spyware Guard
http://www.wilderssecurity.net/spywareguard.html
 

qblitz

Thread Starter
Joined
Jun 18, 2001
Messages
81
I no longer have Netscape Radio, never had PCTEL Speaker Phone, and I currently have iam uninstalled. So why is my HijackThis log showing these? Can I remove them? The only way for me to come up is to disable programs that access the net upon startup. Sometimes, if I can move fast enough, I am able to click on IE and get the web. It is a function of time, however. When I click early, it can't find its homepage. After about a minute or so, I click the IE home page and I get the home page. If, after logging on, I wait, my screen freezes. Clicking is no longer possible, although I get mouse movement.

What is going on here?



Logfile of HijackThis v1.99.0
Scan saved at 12:39:36 AM, on 2/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [[email protected]] C:\Program Files\[email protected]\[email protected]
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://access.hersheymed.net/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105289659268
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4365/mcfscan.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NeroSVC - Unknown - C:\Program Files\Ahead\Nero\Misc\NeroSVC.exe
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
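
A triage aid for the question in the post above, added here as an example (not part of the original thread or of HijackThis): it parses an excerpt of the posted log and lists the O4 (Run key / startup) and O23 (service) entries whose executable was not among the running processes at scan time. The function names are hypothetical.

```python
import re
from ntpath import basename  # Windows path rules, works on any OS

# Excerpt of the HijackThis log posted above (process list shortened).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                    # e.g. "O4 - ..."
EXE = re.compile(r"[A-Za-z]:\\[^\"]*?\.exe", re.IGNORECASE)   # first .exe path

def parse(log):
    """Return (set of running image names, list of (code, text) entries)."""
    running, entries, in_procs = set(), [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            running.add(basename(line).lower())
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
    return running, entries

def autostarts_not_running(log):
    """O4 and O23 entries whose executable was not running at scan time."""
    running, entries = parse(log)
    stale = []
    for code, text in entries:
        if code not in ("O4", "O23"):
            continue
        m = EXE.search(text)
        if m and basename(m.group(0)).lower() not in running:
            stale.append((code, basename(m.group(0))))
    return stale

if __name__ == "__main__":
    for code, exe in autostarts_not_running(SAMPLE_LOG):
        print(code, exe)
```

An entry on this list is only a lead: the program may still be installed and simply stopped or disabled, so confirm whether the file exists at the listed path before fixing the entry in HijackThis.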
 