Ran Adaware after this message appeared but nothing showed up.

Discussion in 'adware, spyware & hijack cleaning' started by donna68ca, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. donna68ca

    donna68ca Registered Member

    Joined:
    May 12, 2004
    Posts:
    14
    (Mod Note: Member has posted a hijackthis log, which has been merged into this current thread (see post #2) - snap)


    I run Win Patrol, and it let me know that an Internet Explorer Helper "related.htm" wanted to run from C:\Windows\web\related.htm. I said no since I did not know anything about it. I ran Adaware after this and nothing showed up. What is this?

    I also ran SpyBot search and destroy and it came up with these, tried to delete them, but when I reboot and rerun SB they seem to be right back, what gives?

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1229272821-2000478354-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    --- Spybot - Search && Destroy version: 1.3 ---
    2004-06-16 Includes\Cookies.sbi
    2004-06-16 Includes\Dialer.sbi
    2004-06-17 Includes\Hijackers.sbi
    2004-06-16 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-06-16 Includes\Malware.sbi
    2004-06-16 Includes\Revision.sbi
    2004-06-16 Includes\Security.sbi
    2004-06-16 Includes\Spybots.sbi
    2004-06-16 Includes\Tracks.uti
    2004-06-16 Includes\Trojans.sbi


    Donna
     
    Last edited by a moderator: Jun 26, 2004
  2. donna68ca

    donna68ca Registered Member

    Joined:
    May 12, 2004
    Posts:
    14
    Advised to post my Hijackthis log.

    Adaware did not show the DSO exploits, only SpyBot did. I have run both as advised by another Senior Member. Followed all the steps that the thread # 15913 had told me to do. SpyBot said it removed the DSO exploits, but when I rebooted and ran it again they were back. Also, earlier yesterday a related.htm tried to run, but I wouldn't allow it. So here are both the SpyBot log and the Hijackthis log.

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1229272821-2000478354-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    --- Spybot - Search && Destroy version: 1.3 ---
    2004-06-16 Includes\Cookies.sbi
    2004-06-16 Includes\Dialer.sbi
    2004-06-17 Includes\Hijackers.sbi
    2004-06-16 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-06-16 Includes\Malware.sbi
    2004-06-16 Includes\Revision.sbi
    2004-06-16 Includes\Security.sbi
    2004-06-16 Includes\Spybots.sbi
    2004-06-16 Includes\Tracks.uti
    2004-06-16 Includes\Trojans.sbi



    Logfile of HijackThis v1.97.7
    Scan saved at 11:48:49 PM, on 6/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\Program Files\Linksys\LogViewer\LogViewer.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Messenger\msmsgs.exe
    D:\downloads\Hijackthis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?gcs=1
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O4 - Global Startup: LogViewer.lnk = C:\Program Files\Linksys\LogViewer\LogViewer.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EF5B56B7-9E28-43BD-A762-5E71F8C610C7}: NameServer =


    Donna
     
    Last edited: Jun 28, 2004
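Added example, not part of the original thread: a Python sketch that decodes the Spybot result lines posted above into hive owner, security zone and URL action, showing that the repeated findings are one setting seen in several user hives. Reading `!=W=3` as "the DWORD value is not 3" is an assumption about Spybot's notation; the function names are hypothetical.

```python
import re

# Result lines copied from the Spybot log posted in this thread.
SAMPLE = r"""
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1229272821-2000478354-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
"""

# Assumed notation: <key>\Zones\<zone>\<action>!=W=<expected DWORD value>
FINDING = re.compile(
    r"^HKEY_USERS\\(?P<hive>[^\\]+)\\.+\\Zones\\(?P<zone>\d)\\"
    r"(?P<action>[0-9A-Fa-f]{4})!=W=(?P<expected>\d+)$")

# Well-known SIDs; HKEY_USERS\.DEFAULT is an alias of the S-1-5-18 hive.
ACCOUNTS = {"S-1-5-18": "LocalSystem", ".DEFAULT": "LocalSystem",
            "S-1-5-19": "LocalService", "S-1-5-20": "NetworkService"}
ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}
ACTIONS = {"1004": "Download unsigned ActiveX controls"}
POLICIES = {0: "Enable", 1: "Prompt", 3: "Disable"}

def hive_owner(hive):
    """Map a HKEY_USERS subkey name to the account whose settings it holds."""
    if hive in ACCOUNTS:
        return ACCOUNTS[hive]
    if hive.startswith("S-1-5-21-"):          # local or domain account SID
        return "user account, RID " + hive.rsplit("-", 1)[1]
    return "unknown"

def parse_findings(text):
    """Return one dict per registry line; description lines are skipped."""
    out = []
    for line in text.splitlines():
        m = FINDING.match(line.strip())
        if m:
            out.append({
                "owner": hive_owner(m["hive"]),
                "zone": ZONES.get(m["zone"], "zone " + m["zone"]),
                "action": ACTIONS.get(m["action"], "action " + m["action"]),
                "expected": POLICIES.get(int(m["expected"]), m["expected"]),
            })
    return out

def distinct_settings(findings):
    """Collapse findings to the unique (zone, action, expected) settings."""
    return {(f["zone"], f["action"], f["expected"]) for f in findings}
```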
  3. donna68ca

    donna68ca Registered Member

    Joined:
    May 12, 2004
    Posts:
    14
    I removed my WAN DNS numbers in my HJT log while I await someone to view the SB log and the HJT log.



    Donna
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  5. donna68ca

    donna68ca Registered Member

    Joined:
    May 12, 2004
    Posts:
    14
    Which resources would you remove then, in your opinion?



    Donna
     
  6. donna68ca

    donna68ca Registered Member

    Joined:
    May 12, 2004
    Posts:
    14
    Would like to say Thank You. Without this forum and all the sections that we have available to use to learn, we would be completely lost and open prey. I commend all of you for the work and time that you put in on this site.



    Donna
     
  7. donna68ca

    donna68ca Registered Member

    Joined:
    May 12, 2004
    Posts:
    14
    Looked at the resources running, and noticed an uh oh!!!!

    As in an earlier post it was suggested that I was wasting a lot of resources, so I decided to go in and look to see what was running. I pressed Ctrl-Alt-Del. I then noticed that there is explorer.exe running under User name (My log in Name), CPU 00, Mem Usage 27,348K, but I also noticed there is another running but spelt differently, "IEXPLORE.EXE", under User name (My log in Name), CPU 00, Mem Usage 25,960.

    So I ran my updated Norton Antivirus, Adaware, and SpyBot.
    Checked against a startup list that I have, and that is as confusing as heck on this one o_O?

    Should there be 2 running?


    Donna
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi donna68ca,

    Explorer.exe is the browser you use to look up files on your computer (or on your workgroup etc.)
    Iexplore.exe is Internet Explorer. The one you use to browse the internet.

    Both are nothing to worry about.

    Regards,

    Pieter
     