
DSO Exploit - Is there an expert on this???

Discussion in 'Virus & Other Malware Removal' started by qblitz, Feb 8, 2005.

Thread Status:
Not open for further replies.
  1. qblitz

    qblitz Thread Starter

    Joined:
    Jun 18, 2001
    Messages:
    81
    I have Windows XP pro
    I have been contracting this problem off and on for the past two months. The typical result is that my machine can no longer connect to the web (no IP, mail, iam, etc.). As a result, my startup doesn't complete b/c McAfee, et al. cannot get to the web to update their products.

    My recovery procedure varies but usually includes these steps, but the order is different each time:
    1) spybot detects it and gets rid of it (two passes)
    2) restore back to a good date
    3) remove IAM
    4) run ipconfig/renew

    Tonight no good --
    Spybot finds DSO Exploit, but after running it many times, each time it reports it has been removed, and on the next run it is still there.

    Can someone give me the correct removal/restore procedure and software? I will manually go into the registry if I have to.

    Help!!!
     
  2. Bob Cerelli

    Bob Cerelli

    Joined:
    Nov 2, 2002
    Messages:
    22,468
  3. Bob Cerelli

    Bob Cerelli

    Joined:
    Nov 2, 2002
    Messages:
    22,468
  4. qblitz

    qblitz Thread Starter

    Joined:
    Jun 18, 2001
    Messages:
    81
    Thank you Bob. I am so glad to hear from someone.

    Tried that --- it works!!!

    But how to recover? When I log on to my admin account or a user account, I still don't have internet connectivity. Some bad is left in the wake of DSO Exploit. See my procedure above. It used to work, but now doesn't. Any ideas? MS IE can't find the homepage, etc.
     
  5. Bob Cerelli

    Bob Cerelli

    Joined:
    Nov 2, 2002
    Messages:
    22,468
  6. Bob Cerelli

    Bob Cerelli

    Joined:
    Nov 2, 2002
    Messages:
    22,468
    WINSOCK2 FIX
    =============
    If you can't access the Internet with programs like IE, Outlook Express, or other web browsers, you may have corrupted Winsock entries.

    To Remove the existing winsock2 registry entries (regardless of the OS) run:
    http://www.onecomputerguy.com/reg/xp_del_winsock.reg

    To add WindowsXP clean entries back in again, run:
    http://www.onecomputerguy.com/reg/xp_winsock.reg

    WINDOWSXP with SP2

    There is a new command you can run with SP2 which will reset the Winsock2 registry entries back to their default setting:
    netsh winsock reset catalog

    TCP/IP RESET
    =============
    If you need to reset the TCP/IP protocol stack with XP you need to run a small script:

    netsh int ip reset [ log_file_name ]

    The log_file_name needs to be specified.
    e.g. - netsh int ip reset ip_reset.txt
     
  7. qblitz

    qblitz Thread Starter

    Joined:
    Jun 18, 2001
    Messages:
    81
    I tried the winsock delete/add programs you recommended. There was no impact.

    Funny, I can get to the web under safe mode w/ networking, but not when I log on normally. Any ideas on what the differences are? Maybe the startup is changing the settings. Will you assist me with a startup debug?
    What must I do?

    Your thoughts?
     
  8. Bob Cerelli

    Bob Cerelli

    Joined:
    Nov 2, 2002
    Messages:
    22,468
    At least you need to download more Spyware and Trojan Removal programs. Never found one that gets them all.

    SpySweeper:
    http://www.webroot.com/wb/products/spysweeper/index.php
    This will also protect your home page from being hijacked.

    Ad-Aware:
    http://www.lavasoft.de/

    The new one from MS.

    With any of the above three programs, just like with Anti-Virus software, you should have the latest updates installed before doing a scan. You might also want to do a scan in safe mode.

    CWShredder:
    http://www.spywareinfo.com/downloads/tools/CWShredder.exe

    KazaaBeGone
    http://www.spywareinfo.com/~merijn/files/kazaabegone.zip

    Programs that can help prevent getting infected:

    Spyware Blaster
    http://www.javacoolsoftware.com/spywareblaster.html

    Spyware Guard
    http://www.wilderssecurity.net/spywareguard.html
     
  9. qblitz

    qblitz Thread Starter

    Joined:
    Jun 18, 2001
    Messages:
    81
    I no longer have Netscape Radio, never had PCTEL Speaker Phone, and I currently have iam uninstalled. So why is my HijackThis log showing these? Can I remove them? The only way for me to come up is to disable programs that access the net upon startup. Sometimes, if I can move fast enough, I am able to click on IE and get the web. It is a function of time, however. When I click early, it can't find its homepage. After about a minute or so, I click IE home page and I get the home page. If, after logging on, I wait, my screen freezes. Clicking is no longer possible, although I get mouse movement.

    What is going on here?



    Logfile of HijackThis v1.99.0
    Scan saved at 12:39:36 AM, on 2/9/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [[email protected]] C:\Program Files\[email protected]\[email protected]
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://access.hersheymed.net/dana-cached/setup/NeoterisSetup.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105289659268
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4365/mcfscan.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
    O23 - Service: NeroSVC - Unknown - C:\Program Files\Ahead\Nero\Misc\NeroSVC.exe
    O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
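
For triaging a log like the one posted above, the following added example (not part of the original thread, and not HijackThis's own code) parses the log text and lists the O4 Run-key and O23 service entries whose executable does not appear under "Running processes". The function names are hypothetical, and the sample lines are copied from the posted log and shortened. An entry in the result is only a candidate for review, since a stopped service or a program that has already exited looks the same as a leftover from removed software.

```python
import re

# Lines copied from the HijackThis log posted above, shortened for the example.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""

ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")        # section code, rest of line
EXE_PATH = re.compile(r"[A-Za-z]:\\.*?\.exe", re.IGNORECASE)

def parse_log(text):
    """Return (running process paths lower-cased, list of (code, body) entries)."""
    running, entries, in_procs = set(), [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False               # a blank line ends the process list
        elif in_procs:
            running.add(line.lower())
        elif (m := ENTRY.match(line)):
            entries.append(m.groups())
    return running, entries

def autostarts_not_running(text):
    """(code, name, path) for O4/O23 entries whose executable is not running."""
    running, entries = parse_log(text)
    found = []
    for code, body in entries:
        path = EXE_PATH.search(body)
        if code not in ("O4", "O23") or not path:
            continue
        if code == "O4":                   # "HKxx\..\Run: [name] path args"
            name = re.search(r"\[(.+?)\]", body)
            name = name.group(1) if name else body
        else:                              # "Service: name - vendor - path"
            name = body.split(": ", 1)[1].split(" - ")[0]
        if path.group(0).lower() not in running:
            found.append((code, name, path.group(0)))
    return found

if __name__ == "__main__":
    print(autostarts_not_running(SAMPLE_LOG))
```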
     
Short URL to this thread: https://techguy.org/328329
