DSO Exploit

Discussion in 'privacy problems' started by stephanieK, Jun 19, 2004.

Thread Status:
Not open for further replies.
  1. stephanieK

    stephanieK, Registered Member (Joined: Jun 16, 2004; Posts: 1)

    Folks: I'm not computer savvy so please bear with me...

    I am typing this from a Dell Inspiron 2600 laptop that was full of pop ups and auto porn dial ups (the laptop was given to me by a friend). It was so infected that it eventually required that the installation software be reinstalled. My husband is a professor at a local university and brought the laptop to the IT department; they cleaned up the whole computer, reinstalled the original software, and basically saved me and the computer! However, when I run Spybot (which is every time I turn on the computer) and I select “Search and Destroy”, it always comes up with “DSO Exploit – 5 entries”. When I select “fix” a popup appears stating “creating system restore points”, then asks “remove deleted entries”, which I then select “yes”. It comes back with a popup stating “5 problems fixed”, and I then select “ok”. When I select “immunize” it comes back stating “all known bad products are already blocked”. If I leave Spybot and go back into Spybot without even opening another program or go online, the same problem of “DSO Exploit – 5 entries” comes up again! I’ve learned the hard way that if the computer goes to standby without running Spybot and deleting this, forget shutting down – it refuses to go through the normal shutdown process and the computer won’t turn off, even manually, until the battery runs out. Of course, as soon as I turn it on again, I immediately run Spybot and find the same message, once again. Not only is this driving me crazy, but I feel like it’s beat-the-clock as to how often I need to run Spybot while I’m using the computer. Can anyone out there help with this problem? A million thanks…Stephanie



    Logfile of HijackThis v1.97.7
    Scan saved at 3:27:32 PM, on 6/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\BellSouth\Connection Tool\IPClient.exe
    C:\Program Files\BellSouth\Connection Tool\IPMon32.exe
    C:\Program Files\BellSouth Accelerator Technology\propelac.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.bellsouth.net/brw_minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ww.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bellsouth.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bellsouth® Internet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://home.bellsouth.net/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\BellSouth\Connection Tool\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\BellSouth\Connection Tool\IPMon32.exe"
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\propelac.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://home.bellsouth.net
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://accelerator.bellsouth.net/sdccommon/download/tgctlcm.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38125.4847800926
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6F0264AE-B01A-49B0-835D-790F8C7F351C}: NameServer = 205.152.37.23 205.152.144.23
     
  2. snapdragin

    snapdragin, Registered Member (Joined: Feb 16, 2002; Posts: 8,415; Location: Southern Ont., Canada)

    stephanieK, and welcome to Wilders. :)

    I am not seeing anything in your log that would indicate an infection.

    As for the DSO Exploit entries that Spybot S&D is alerting to, this is a small bug in the most recent build (1.3) of Spybot S&D, and hopefully will be fixed soon.

    Here is a thread that will better explain it:

    https://www.wilderssecurity.com/showthread.php?t=32387

    Regards,

    snap
     