Spyware removal

Discussion in 'adware, spyware & hijack cleaning' started by TopNacker, Jun 5, 2004.

Thread Status:
Not open for further replies.
  1. TopNacker

    TopNacker Registered Member

    Joined:
    May 23, 2004
    Posts:
    2
    I have something on my machine that reduces the speed of internet use and infects search engines, and also seems to increase pop-up activity. I have run Adware 6.0 and Spybot but neither seem to remove the offending item which I think is called DSO Exploit. I have run HiJackThis before and posted the log on this site. Peter took a look - I followed his instructions but still have the problem. Have just run another HijackThis and the log is posted below :

    Logfile of HijackThis v1.97.7
    Scan saved at 10:47:39, on 05/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\PGPSDKSERV.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
    C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
    C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
    C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
    C:\WINDOWS\DOCKAPP.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\PRPCUI.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
    C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP FOR WINDOWS 98\PGPTRAY.EXE
    C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iesearch.freeserve.com/iesearch/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.compuserve.co.uk/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.compuserve.co.uk/search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.compuserve.co.uk/search
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [BayMgr] DockApp.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [CreateCD50] "c:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [SynSetup] SynTP.tmp\RunOnce.exe
    O4 - HKLM\..\Run: [NAI_INSTALL_SCAN] "c:\Program Files\Common Files\Network Associates\On Demand Scanner\Scan32\scan32.exe" c:\ /autoscan /autoexit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [PGPSDKSVC] C:\WINDOWS\SYSTEM\PGPsdkServ.exe
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
    O4 - Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP for Windows 98\PGPtray.exe
    O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38112.6984606481
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

    <snipped 4 duplicate logs- Pieter>

    The path for the item that Spybot scan picks up but cannot remove is HKEYUSERS\Dunkerg1\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0\1004!=W=3

    Is it safe to delete this ?

    Thanks very much.
    TopNacker
     
    Last edited by a moderator: Jun 5, 2004
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey TopNacker,

    The experts will be along shortly to review your HJT log. As for the....DSO Exploit entry....is that a result of a Spybot scan ? If so and your Windows updates are current it's simply an error\minor bug on the part of Spybot and will be fixed in an upcoming update.

    If by chance you'd like to fix it manually with regedit - "just edit the key and set it to a DWORD value of 3. Or make a REG file and merge the change in. (The example below if merged into the registry just fixes the one for the above entry you referenced)

    Code:
    REGEDIT4
    
    [HKEY_USERS\Dunkerg1\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings\Zones\0]
    "1004"=dword:00000003
    
    Edit: Sp
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi TopNacker,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

    O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe

    Then reboot into safe mode and delete:
    C:\Program Files\Common files\WinTools <= entire folder
    C:\TV MEDIA <= entire folder
    C:\WINDOWS\SYSTEM\msmc.exe

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.