Welcome to Windrivers Takeit
Glad you got it fixed.
I downloaded Spybot S&D updates and all 5 of my DSO exploits were removed.
Coming from a Canadian tech. This rant is directed at "suddbury"... please keep your ill-advised (stupid) theories to yourself... how in the world does unchecking DSO Exploits in Spybot (as you posted) do anything other than avoid checking for DSO exploits??? Please stop posting your idiotic method for resolving this issue... and to anyone who really would like to resolve this annoyance, please check noonoo's post... http://forums.net-integration.net/in...howtopic=15308
Welcome to WD ladyNY.
Quote:
Originally Posted by ladyNY
Glad you sorted your problems and hope some of the info at WD has helped you.
Welcome to Windrivers ITwrangler... and thanks for the support.
Quote:
Originally Posted by ITWrangler
I wouldn't say the DSO exploit is causing your problems on that. If you had the coolsearch spyware, that is the likely culprit. This has been one of the hardest bugs to remove in my experience. Here has been my fix.
Quote:
Originally Posted by Liamm83
After running SB and Adaware, all would seem fine until the user went on the web and clicked a few times. XXX sites started popping up. Only thing I could find was a strange .exe in the Registry RUN location. Located the file and the properties added to the suspicion. So I deleted, removed from Registry. Problem still existed and the file would recreate itself when I deleted it. Finally in safe mode I renamed the file from ????.exe to ????.ex_ and success. It didn't recreate itself.
That has happened on about 3 XP machines I have cleaned. All of them had Coolsearch spyware as the common theme.
But NooNoo's suggestion to do a system restore may be easier at this point.
Hi Terry,
Quote:
Originally Posted by terryq
I also have exactly the same problem you described, with my IE page appearing as "about:blank" no matter how many times I reset my preferred homepage, numerous pop-up messages stating that I have spyware on my PC... and Spybot claiming that I have web dialer and DSO Exploit on my PC... I remove them and do a clean scan only for them to show up again.
There's a lot of talk about removing DSO Exploit... what is it exactly? And I've looked in pages about Web Dialer and apparently it's a system whereby the inflicted victim's internet account dials up an international number and is charged similar to a 900 phone account, ending up with hefty phone bills.
Have you figured out how to clear the DSO Exploit AND web dialer? I'm in no way a techie so would appreciate any simple tips you have!
I have also downloaded a lot of anti-virus & anti-spyware programmes, such as:
AVG
Ad-Aware
Spyware Guard
Spyware Doctor
Spybot
Kerio Personal Firewall
...and it's only Spybot which picks up on DSO Exploit & web dialer...
Do you think that maybe the two are connected with Spybot??
Cheers,
Jaz
Welcome to WD jaz.
No I don't think so.
Do this: go to the following link and try ALL the suggestions first, as you have done already for the most part, but, after you have done ALL of this, come back and start a new thread with a log of your HiJack This! Then we can help more:
http://forums.windrivers.com/showpos...64&postcount=1
Also, something that should be included in that link that is not yet: after the downloads, do it in SAFE mode.
Then get back to us with the HJ log.
Good luck.
Thanks for all your help TripleR...
Quote:
Originally Posted by TripleRLtd
I'm just a bit hesitant about all the updating downloads in case that web dialer is dialing up some expensive bill to my internet line! (I'm typing this on a friend's computer just in case!).
And also what bit should I be doing in Safe Mode?
Will start the updating of the virus/spyware checkers now.
Thanks, Jaz
Here's the Hijack This log... also currently downloading spyware blaster which failed first time around... Hope this log makes sense to you!
Quote:
Originally Posted by TripleRLtd
Cheers, Jaz
Logfile of HijackThis v1.97.7
Scan saved at 3:58:10 p.m., on 24/06/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINNT\Explorer.exe
C:\WINNT\System32\WF2K.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\loadqm.exe
C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Excite\PrvtMsgr\bin\x8SkPlay.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {09D62756-4725-4905-9A0A-84E1E667DDF6} - C:\WINNT\System32\fpjmo.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFoxV2] C:\WINNT\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Excite Community Tools Notifier] "C:\Program Files\Excite\PrvtMsgr\bin\x8SkPlay.exe" Notifier
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {C3D96A02-EEA7-4264-98D7-D882A7338DE5} (Excite Installer Start) - http://imgfarm.com/images/nocache/co...tup1.0.0.4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50D06032-8F9F-4187-ABAD-434748ADFD5F}: NameServer = 202.27.158.40 202.27.184.3
Hey jaz, if you need to use your PC to update the programs just unplug the phone cord before you start it up and when you're ready to dial up plug it back in, you'll know if yours dials or the dialer (those dialers normally only try to dial out randomly or every so often).
same problem guys, i have the about blank IE problem , i did this
uninstall any mis programs
all temp folders
reg scan
Used
NoAdware
Ad-aware 6
Spy bot
hijackthis
BHOdemon
regcleaner
spy sweeper
Updated Norton, ran that. Also all Windows files up to date as well as all programs up to date. I CAN'T GET RID OF THIS!! I also deleted all my extra tool bars which I thought might cause this. Here is my HijackThis log, and that search blank is included but keeps coming back.
Logfile of HijackThis v1.97.7
Scan saved at 12:01:38 AM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ghost\Desktop\HijackThis.exe
C:\Documents and Settings\Ghost\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ghost\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Ghost\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Ghost\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ghost\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Ghost\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Ghost\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {4F3F0DF2-9940-4616-9D09-1624800A6CDC} - C:\WINDOWS\System32\jke.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...991.8568865741
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yaho...opper1_1us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
I also had this come up on the BHODemon check. Not sure if it means anything..
fpjmo.dll
{09D62756-4725-4905-9A0A-84E1E667DDF6}
dlprotect.dll
{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SDHelper.dll
{53707962-6F74-2D53-2644-206D7942484F}
NavShExt.dll
{BDF3E430-B101-42AD-A544-FADC6B084872}
I think that I found out the problem guys, this just worked for me. Boot into safe mode. Find these two files, SDhelper and also jke.dll, delete them both in safe mode; it will not allow you to in normal mode. I also tried to find it in task manager with no luck. Anyway, delete both of these and you should be good to go. When you first load IE it comes up blank. I gave it a homepage, shut it down, restarted it and it was good to go (remembered homepage).
Hi Talonboy..
I've also got SDhelper listed on my log but isn't that part of Spybot?
So essentially might that just be the part of Spybot which picks up the spyware/malware/whateverware??
Cheers, Jaz
Have hijack this fix these entries, reboot to safe mode (press F8 at startup) and go and find and delete the filenames - e.g. fpjmo.dll
Quote:
Originally Posted by Jaz
You will probably need to uninstall yahoo and excite first and turn off system restore.
You were also asked to put your hijack log in a new thread so that we did not have confusion over whose log is whose. Next time, please do so.
Quote:
Originally Posted by Talonboy
SDhelper is part of spybot... jke.dll would be the culprit I imagine... never heard of it.
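The two logs posted above share the pattern the replies single out: search settings pointing at a local sp.html in Temp, and an unnamed BHO loaded straight from System32. As an added example (not part of the thread and not HijackThis's own logic), this sketch parses R and O2 lines copied from those logs and flags them with two heuristics that are this example's assumptions; a hit is a lead to investigate, not a verdict.

```python
import ntpath
import re

# Lines copied from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Ghost\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {4F3F0DF2-9940-4616-9D09-1624800A6CDC} - C:\WINDOWS\System32\jke.dll
O2 - BHO: (no name) - {09D62756-4725-4905-9A0A-84E1E667DDF6} - C:\WINNT\System32\fpjmo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

# "R1 - <key>,<value name> = <data>"
R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)


def triage(log_text):
    """Return (kind, identifier, detail) tuples for lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            data = m["data"].lower()
            # Heuristic 1 (assumption): an IE search/start setting that points
            # at a local file inside a Temp directory.
            if data.startswith("file://") and "\\temp\\" in data:
                findings.append(("R", m["value"], m["data"]))
            continue
        m = O2_LINE.match(line)
        if m and m["name"] == "(no name)":
            # Heuristic 2 (assumption): an unnamed BHO whose DLL sits directly
            # in System32. SDHelper.dll is also unnamed but lives in Spybot's
            # own program folder, so it is not flagged.
            folder = ntpath.basename(ntpath.dirname(m["path"])).lower()
            if folder == "system32":
                findings.append(("BHO", m["clsid"], ntpath.basename(m["path"])))
    return findings


if __name__ == "__main__":
    for kind, ident, detail in triage(SAMPLE_LOG):
        print(f"{kind:4} {ident}  ->  {detail}")
```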
well whatever it is , It's backkkkkkkkkkkkkkkkkkkkkkk
I am new to this forum but want to thank you for your help with dso. I followed your instructions and it was simple and painless.
Quote:
Originally Posted by ITguy
thanks again!!!
Welcome to Windrivers texomabus. Glad you found the forum helpful.
Hi All,
Quote:
Originally Posted by 2cool4skool1983
Killer advice here. I did the same thing ITguy suggested. Followed Spybot into the registry and changed the file name. I'm not a full fledged geek, so I sweated a bit on the next startup - everything works fine though. (Came here to make sure I wasn't screwing myself.)
I just went through a complete format after doing battle with CoolWWWSearch. It was hijacking my browser and forcing me into some lame homepage. I could never get rid of it and crashed my registry using 3 different apps while trying. I had to put the drive into my buddy's tower to recover some essentials. Here's what I did to avoid that fiasco again. (Some of this might help you 2cool.)
1. After the format, I partitioned my HD into 2 drives. C: is about 10 Gigs, I am using this drive for the OS and any application files. Everything I never want to lose goes on the other "half" of the drive and need never be formatted in an OS related emergency. Also, no .exe files on this part of the drive unless they are part of a .zip file and prescanned for viruses.
2. Check out CNET.com's spyware pack. I use Ad-Aware, Spybot, and Zone Alarm. (I recommend DLing these from the mfg's websites - much quicker.) I check for updates every day on Ad-Aware and Spybot. XP should check for updates from Microsoft automatically. (If yours isn't 2cool, look on your start menu to do it manually.)
Even after all of that I still had Alexa and DSO Exploit. Spybot got Alexa and I renamed the 1004 files by hand. Looks OK now. I'll keep my fingers crossed.
I hope any of this helps,
Foxy
Hi again,
Here is a fairly specific technical explanation of what Spybot is telling us.
And I quote . . .
"Basically what's happening is that Spybot is finding that the security setting for "Download unsigned ActiveX controls" for the (normally) hidden "My Computer" zone in Internet Explorer is not set to disabled.
Given that anyone who is properly patched (via Windows Update) is not vulnerable to this exploit anymore, this is really not a serious issue, so provided your system is patched, you have nothing to worry about and can just ignore this until the fix comes out.
As to why Spybot isn't fixing it right, and what exactly it is doing when it goes to fix the value, here's a little analysis from testing this a few minutes ago...
Decoding the values displayed:
.\Internet Settings\Zones\0\1004!=W=3
The "\0\" points to the My Computer Zone. The key "1004" holds the value for the specific setting "Download unsigned ActiveX controls". The "!=" means "not equal". "W=3" (word value of 3) specifically means "disabled". Therefore, Spybot is finding that this setting is not disabled for various users defined on the system.
When it actually goes to fix that value, (ie. to simply change whatever it is set to currently to a value of 3), the bug is that it isn't setting it to the proper type of data element - a DWORD value. Therefore, that registry item ends up with no value at all after the fix is performed, and so every time you run a scan again, Spybot still finds that the value in that/those keys is not equal to 3.
As I say, a minor bug that should be fixed soon."
For thems who understand such things.
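The check notation decoded in the quoted explanation can be modelled directly. As an added example (not Spybot's code and not part of the original post), this sketch parses the expression `.\Internet Settings\Zones\0\1004!=W=3` and evaluates it against constructed registry snapshots; the REG_SZ entry standing in for the result of the buggy fix is an assumption of this example, as is the snapshot dictionary format.

```python
import re
from typing import NamedTuple, Optional

# Names taken from the quoted explanation only.
ZONE_NAMES = {"0": "My Computer"}
SETTING_NAMES = {"1004": "Download unsigned ActiveX controls"}
TYPE_CODES = {"W": "REG_DWORD"}  # "W" = word value, which must be stored as a DWORD


class Rule(NamedTuple):
    key: str        # registry key path as shown in the scan result
    zone: str       # zone number taken from the key path
    name: str       # value name under that key
    expected: int   # data the check wants to see
    reg_type: str   # registry type the data must have


RULE_RE = re.compile(
    r"^(?P<key>.+\\Zones\\(?P<zone>\d+))\\(?P<name>\w+)!=(?P<type>[A-Z])=(?P<want>\d+)$"
)


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if m is None or m["type"] not in TYPE_CODES:
        raise ValueError(f"unrecognised check: {text!r}")
    return Rule(m["key"], m["zone"], m["name"], int(m["want"]), TYPE_CODES[m["type"]])


def describe(rule: Rule) -> str:
    zone = ZONE_NAMES.get(rule.zone, f"zone {rule.zone}")
    setting = SETTING_NAMES.get(rule.name, f"setting {rule.name}")
    return f"{setting} in the {zone} zone must be {rule.reg_type}={rule.expected}"


def evaluate(rule: Rule, snapshot: dict) -> Optional[str]:
    """Return None when the check passes, otherwise why the entry is flagged."""
    entry = snapshot.get((rule.key, rule.name))
    if entry is None:
        # The quoted text does not say how a missing value is treated;
        # reporting it separately is this example's choice.
        return "value absent"
    reg_type, data = entry
    if reg_type != rule.reg_type:
        return f"wrong type {reg_type}, expected {rule.reg_type}"
    if data != rule.expected:
        return f"data is {data}, expected {rule.expected}"
    return None


RULE_TEXT = r".\Internet Settings\Zones\0\1004!=W=3"
KEY = r".\Internet Settings\Zones\0"

# Constructed snapshots: {(key, value name): (registry type, data)}
SNAPSHOTS = {
    "before fix": {(KEY, "1004"): ("REG_DWORD", 0)},
    "after buggy fix": {(KEY, "1004"): ("REG_SZ", "")},  # assumed representation
    "after correct fix": {(KEY, "1004"): ("REG_DWORD", 3)},
}


def run() -> dict:
    rule = parse_rule(RULE_TEXT)
    return {label: evaluate(rule, snap) for label, snap in SNAPSHOTS.items()}


if __name__ == "__main__":
    print(describe(parse_rule(RULE_TEXT)))
    for label, verdict in run().items():
        print(f"{label:18} -> {verdict or 'check passes'}")
```

Only the snapshot with a DWORD of 3 passes, which matches the explanation of why the entries were reported again on every rescan after the fix.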
Welcome to Windrivers Foxy.
Yes sound advice on the splitting up of the hard drive. Something I always do. I also advocate moving temporary internet files, outlook express files and my documents into the data section. That way you don't have a problem digging about trying to find where windows really puts them, makes them easy to back up and if you have to go digging around in command line, you know you don't have to remember incredibly long path names shortened to dos names.
Thanks I.T. Guy, I agree it's better to disable dso than to simply ignore it. For all non techies, simply cut and paste I.T. guy's directions to a text file, log off of the net, open the text file after rebooting, and follow the directions. You also could print them out. Now how hard is that?
Quote:
Originally Posted by ITguy
Welcome to Windrivers 1petros
Hopefully people won't find it hard.
After running spybot check and fix, double click DSO EXPLOIT. Entries will appear with long paths, ending with Zones\0\1004 etc. Double click building blocks on right of screen. Registry files will appear in split screen. If 1004 is highlighted on right screen, delete it. If 1001 is highlighted, DO NOT DELETE! If 0 is highlighted under zones in left screen, close window and double click the highlighted selection in spybot. Registry screen will appear again, this time 1004 will be highlighted in the right screen. If any other file is highlighted, ignore, close window, then go back to spybot and repeat the process for the next 4 DSO EXPLOIT entries. All 5 entries will be deleted, even if you only deleted 1004 four times. This process works with Windows XP, I don't know if it will work with other versions.
Quote:
Originally Posted by jackpot316
Welcome to Windrivers edpol and thanks for the tip.
http://www.greymagic.com/security/advisories/gm001-ie/
Go there, this site will tell you how to work around this bug that was injected into your directory.
Quote:
Originally Posted by jackpot316
Hey all, brand new to this forum too. (Found it by searching for DSO Exploit). Just want to say I spent 2 days straight trying to find a way to remove About:Blank (CoolWebSearch).
CWShredder removes it (and also checks for other crap.)
http://www.majorgeeks.com/download4086.html
just download it (free) and run it.
Welcome to WD PCDummie.
Quote:
Originally Posted by PCDummie
So you cleared yours up?
CWShredder, SpyBot, Ad-aware and so on, along with instructions, are linked on this page:
http://forums.windrivers.com/showthread.php?t=57348
I am new to this site. I found it by googling DSO exploit also, and have been struggling with the same problems for the last few weeks, and obsessively last few days.
I discovered that a company named mx-targeting.com had bugged my PC. A few files named mxtarget were installed on my hard drive. I went to the start menu and then searched for mxtarget and deleted those files. It seems to have done the trick. The files I deleted were in the temp, temporary and windows folders.
I hope this is of help.
Welcome to Windrivers hoyanny and thanks for the tip!
I just deleted the registry entries. That was weeks ago and haven't had any problems since, but changing the entry names is a better idea "just in case".
I use Spybot and found the famous 5 entries for DSO exploit. I disabled my internet link and deleted them and ran Spybot again. They reappeared, so there is something else embedded in our computers that automatically re-creates these entries when deleted. I have never edited the registry, but may check that out. Has anyone any thoughts on this?
Welcome to WD douglas.
Quote:
Originally Posted by douglas
You can start here:
http://forums.windrivers.com/showthread.php?t=57348
and do those and wait on touching Registry until need to.
And you can start a new thread if you have questions or problems so you don't get lost in the crowd. :D
Quote:
Originally Posted by ITguy
Easier said than done but I'll try. Meanwhile can you tell me exactly what this threat is?
Hi again, I opened regedit and, honestly, at this point, I'm afraid of touching anything! How do I rename the 1004 files?
Quote:
Originally Posted by ITguy
Ok, I found the files but I'm not able to modify the 'value name'. Now what?
Quote:
Originally Posted by anasteele
Welcome to Windrivers anasteele
this answers some of your questions - bet you wish you hadn't asked now!
ok, you right click on the key (not file I know it looks like a file, but it's called a key) and select modify - you will get up a little box to type in the new value - type in 1003 and click ok. Do that for each key. Then close regedit - it automatically saves. You must be logged in as Administrator to do this.
About the DSO exploit issue in SpyBot.
I also have had the above issue and the DSO exploit kept
coming back after I would re-run SpyBot the next time.
Tried everything ... CWShredder, SpyWareBlaster, et al.
and nothing seemed to work to get rid of this annoyance.
Finally got rid of it !!! Right clicked on the registry icon
at the end of the line and then one of the drop down
buttons said "Jump to registry" and all I did was delete
the registry entry ... now it's gone !!!
Monk would be proud of me!!