1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Spybot/Adaware/HijackThis

Discussion in 'Virus & Other Malware Removal' started by Calkins, Jan 23, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. Calkins

    Calkins Thread Starter

    Joined:
    Dec 12, 2004
    Messages:
    18
    Can someone take a look at the following items and let me know what I can do? Thanks.

    1. Spybot keeps picking up the following entries:

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1645522239-879983540-1417001333-118653\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    Haxdoor-H: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\System\RAdmin\v2.0\Server\Parameters\DisableTrayIcon!=B=0

    2. Adaware keeps hanging when it reaches the following point:

    Current Operation: Deep Scanning Local Registry
    Objects Scanned: 48295
    CLSID\{8EAF0F93-6802-4FE6-9BDB-CADAB90120BB}

    3. My HijackThis log file looks like this right now:

    Logfile of HijackThis v1.99.0
    Scan saved at 10:51:25 PM, on 1/23/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\r_server.exe
    C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
    C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\orcec000\My Documents\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sysco.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = corppx.sysco.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.dp240.sysco.com;*.sysco.com;*.na.sysco.net;MS240*;10.*;192.168.*;172.*;intranet.sysco.ca ;<local>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 02
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: *.netglearning.com
    O15 - Trusted Zone: *.netglearning.com (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097179328815
    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.sysco.com/main/Install/en/US/CentraDownloader.cab
     
  2. Sponsor

  3. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Hi and welcome to TSG :)

    DSO Exploit is a bug within SpyBot

    Do this:

    Open SpyBot
    Go to Settings
    Go to Ignore Products
    Go to Security tab
    Put a check on DSO Exploit

    As far as Ad-Aware hanging, have you tried running it in Safe Mode?
     
  4. Calkins

    Calkins Thread Starter

    Joined:
    Dec 12, 2004
    Messages:
    18
    I disabled the DSO Exploit in Spybot; however, this message is still coming up each time I run Spybot:

    Haxdoor-H: Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\System\RAdmin\v2.0\Server\Parameters\DisableTrayIcon!=B=0

    Each time I delete it and each time it returns. Any thoughts on this?

    Also, I tried running Adaware in Safe Mode, but the same thing still happens: it hangs when it gets to the point I mentioned in my first thread.

    Any other ideas?

    Thanks again.
     
  5. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    51,590
    You can't fix that one with spybot

    I assume that this is a company laptop with a remote admin tool installed, if so then the company sys admin have set the remote admin tool to be hidden and not show any icon in the system tray

    The settings are inside the program and every time you fix it with spybot, the program will put that entry back

    If you don't have a legit remote access installed then post back and we'll look at removing it entirely

    Which version of adaware are you using and what reference file is installed
     
  6. Calkins

    Calkins Thread Starter

    Joined:
    Dec 12, 2004
    Messages:
    18
    Yes, it's a company laptop with a remote admin tool. (So that's what that is.)

    As for Adaware, I have SE Personal build 1.05 with definitions file SE1R25 11.01.2005 loaded.
     
  7. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    51,590
    I'm not sure what adaware hangs at that location but I've seen it mentioned several times

    you could try asking in their support forum for help on that

    http://www.lavasoftsupport.com/

    As to the remote admin entry add that one to spybot exclude list as well next time you scan
     
  8. Calkins

    Calkins Thread Starter

    Joined:
    Dec 12, 2004
    Messages:
    18
    I appreciate it!
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/322783