Hi everyone, I'm sure you're all sick of hearing about DSO Exploit, but I am one of many users struggling to remove it. So far I've tried: Spybot SD, Ad-Aware, Spyware Doctor, CWShredder, HijackThis and updating my Windows, all to no avail. That is, every time I start my Internet Explorer my homepage is changed to an annoying website, and every time an incorrect web address is entered it will redirect me to an adult website. I have also tried several other people's ideas, but I cannot find the folders they mention, so here is my HijackThis log. Any help is very much appreciated.


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\helput.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\wputlwg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Wizards of the Coast\Magic Online\magic115541.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - URLSearchHook: (no name) - {9AE4D58C-0F45-BD19-B3EB-93CC017BF797} - C:\WINDOWS\system32\helput.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [BACA56CE] C:\WINDOWS\system32\d3drfi.exe
O4 - HKLM\..\Run: [0D847366] C:\WINDOWS\system32\tresatt.exe
O4 - HKLM\..\Run: [A56C3CCB] C:\WINDOWS\system32\helput.exe
O4 - HKLM\..\Run: [F096D846] C:\WINDOWS\system32\cctri3ror.exe
O4 - HKLM\..\Run: [F009A753] C:\WINDOWS\system32\ldpRSdosy.exe
O4 - HKLM\..\Run: [FC8610E6] C:\WINDOWS\system32\libidcl.exe
O4 - HKLM\..\Run: [CB46C97E] C:\WINDOWS\system32\apPLW.exe
O4 - HKLM\..\Run: [9B74BE56] C:\WINDOWS\system32\e32sfertra.exe
O4 - HKLM\..\Run: [17FB46C6] C:\WINDOWS\system32\ddrsvmgr.exe
O4 - HKLM\..\Run: [FC9A1253] C:\WINDOWS\system32\apppa3asfs.exe
O4 - HKLM\..\Run: [EBAC3B0E] C:\WINDOWS\system32\ivadj3.exe
O4 - HKLM\..\Run: [9BA64EF3] C:\WINDOWS\system32\cnape.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BACA56CE] C:\WINDOWS\system32\d3drfi.exe
O4 - HKCU\..\Run: [0D847366] C:\WINDOWS\system32\tresatt.exe
O4 - HKCU\..\Run: [A56C3CCB] C:\WINDOWS\system32\helput.exe
O4 - HKCU\..\Run: [F096D846] C:\WINDOWS\system32\cctri3ror.exe
O4 - HKCU\..\Run: [F009A753] C:\WINDOWS\system32\ldpRSdosy.exe
O4 - HKCU\..\Run: [FC8610E6] C:\WINDOWS\system32\libidcl.exe
O4 - HKCU\..\Run: [CB46C97E] C:\WINDOWS\system32\apPLW.exe
O4 - HKCU\..\Run: [9B74BE56] C:\WINDOWS\system32\e32sfertra.exe
O4 - HKCU\..\Run: [17FB46C6] C:\WINDOWS\system32\ddrsvmgr.exe
O4 - HKCU\..\Run: [FC9A1253] C:\WINDOWS\system32\apppa3asfs.exe
O4 - HKCU\..\Run: [EBAC3B0E] C:\WINDOWS\system32\ivadj3.exe
O4 - HKCU\..\Run: [9BA64EF3] C:\WINDOWS\system32\cnape.exe
O4 - HKCU\..\Run: [shdmqla] c:\windows\rmejkma.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105736704061
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.248/504//main.chm::/update.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EDF6BB9-6E64-479A-9281-071E72915A70}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{68C9CAB8-4993-4839-83F5-9E6DA0C09B95}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{2EDF6BB9-6E64-479A-9281-071E72915A70}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{2EDF6BB9-6E64-479A-9281-071E72915A70}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Before anything else, go here and select a site to download about:buster from:
http://www.majorgeeks.com/download4289.html

That should clean up some of this. After you run it, close all browser windows, scan with HJT again, and post a new log. Don't reboot or turn off your computer after your next scan until you get a response from us (some of these files may have a tendency to morph when rebooted).

Here's the log after doing what you said:

Logfile of HijackThis v1.99.0
Scan saved at 7:12:52 PM, on 14/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\d3drfi.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\rmejkma.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-search4u.com/index.htm
R3 - URLSearchHook: (no name) - {9AE4D58C-0F45-BD19-B3EB-93CC017BF797} - C:\WINDOWS\system32\d3drfi.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [BACA56CE] C:\WINDOWS\system32\d3drfi.exe
O4 - HKLM\..\Run: [0D847366] C:\WINDOWS\system32\tresatt.exe
O4 - HKLM\..\Run: [A56C3CCB] C:\WINDOWS\system32\helput.exe
O4 - HKLM\..\Run: [F096D846] C:\WINDOWS\system32\cctri3ror.exe
O4 - HKLM\..\Run: [F009A753] C:\WINDOWS\system32\ldpRSdosy.exe
O4 - HKLM\..\Run: [FC8610E6] C:\WINDOWS\system32\libidcl.exe
O4 - HKLM\..\Run: [CB46C97E] C:\WINDOWS\system32\apPLW.exe
O4 - HKLM\..\Run: [9B74BE56] C:\WINDOWS\system32\e32sfertra.exe
O4 - HKLM\..\Run: [17FB46C6] C:\WINDOWS\system32\ddrsvmgr.exe
O4 - HKLM\..\Run: [FC9A1253] C:\WINDOWS\system32\apppa3asfs.exe
O4 - HKLM\..\Run: [EBAC3B0E] C:\WINDOWS\system32\ivadj3.exe
O4 - HKLM\..\Run: [9BA64EF3] C:\WINDOWS\system32\cnape.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BACA56CE] C:\WINDOWS\system32\d3drfi.exe
O4 - HKCU\..\Run: [0D847366] C:\WINDOWS\system32\tresatt.exe
O4 - HKCU\..\Run: [A56C3CCB] C:\WINDOWS\system32\helput.exe
O4 - HKCU\..\Run: [F096D846] C:\WINDOWS\system32\cctri3ror.exe
O4 - HKCU\..\Run: [F009A753] C:\WINDOWS\system32\ldpRSdosy.exe
O4 - HKCU\..\Run: [FC8610E6] C:\WINDOWS\system32\libidcl.exe
O4 - HKCU\..\Run: [CB46C97E] C:\WINDOWS\system32\apPLW.exe
O4 - HKCU\..\Run: [9B74BE56] C:\WINDOWS\system32\e32sfertra.exe
O4 - HKCU\..\Run: [17FB46C6] C:\WINDOWS\system32\ddrsvmgr.exe
O4 - HKCU\..\Run: [FC9A1253] C:\WINDOWS\system32\apppa3asfs.exe
O4 - HKCU\..\Run: [EBAC3B0E] C:\WINDOWS\system32\ivadj3.exe
O4 - HKCU\..\Run: [9BA64EF3] C:\WINDOWS\system32\cnape.exe
O4 - HKCU\..\Run: [xscxvpb] c:\windows\qqonmyr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105736704061
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.248/504//main.chm::/update.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EDF6BB9-6E64-479A-9281-071E72915A70}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{68C9CAB8-4993-4839-83F5-9E6DA0C09B95}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{2EDF6BB9-6E64-479A-9281-071E72915A70}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Download CWShredder 2 from here. Run it and press *fix*, not scan, and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

I've already installed Shredder and have run it several times; however, every time I press fix it starts and then gets to a certain point/file and closes itself, which brings up a Windows report error message. However, my download of Shredder is standalone and I didn't download SpySubtract with it; not sure if that's important. Also one question: is DSO responsible for bringing up the adult sites, adding things to my favourites and the win min error when I shut down?

Thanks heaps, Tom.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my-search4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my-search4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my-search4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-search4u.com/index.htm
R3 - URLSearchHook: (no name) - {9AE4D58C-0F45-BD19-B3EB-93CC017BF797} - C:\WINDOWS\system32\d3drfi.exe

O4 - HKLM\..\Run: [BACA56CE] C:\WINDOWS\system32\d3drfi.exe
O4 - HKLM\..\Run: [0D847366] C:\WINDOWS\system32\tresatt.exe
O4 - HKLM\..\Run: [A56C3CCB] C:\WINDOWS\system32\helput.exe
O4 - HKLM\..\Run: [F096D846] C:\WINDOWS\system32\cctri3ror.exe
O4 - HKLM\..\Run: [F009A753] C:\WINDOWS\system32\ldpRSdosy.exe
O4 - HKLM\..\Run: [FC8610E6] C:\WINDOWS\system32\libidcl.exe
O4 - HKLM\..\Run: [CB46C97E] C:\WINDOWS\system32\apPLW.exe
O4 - HKLM\..\Run: [9B74BE56] C:\WINDOWS\system32\e32sfertra.exe
O4 - HKLM\..\Run: [17FB46C6] C:\WINDOWS\system32\ddrsvmgr.exe
O4 - HKLM\..\Run: [FC9A1253] C:\WINDOWS\system32\apppa3asfs.exe
O4 - HKLM\..\Run: [EBAC3B0E] C:\WINDOWS\system32\ivadj3.exe
O4 - HKLM\..\Run: [9BA64EF3] C:\WINDOWS\system32\cnape.exe
O4 - HKCU\..\Run: [BACA56CE] C:\WINDOWS\system32\d3drfi.exe
O4 - HKCU\..\Run: [0D847366] C:\WINDOWS\system32\tresatt.exe
O4 - HKCU\..\Run: [A56C3CCB] C:\WINDOWS\system32\helput.exe
O4 - HKCU\..\Run: [F096D846] C:\WINDOWS\system32\cctri3ror.exe
O4 - HKCU\..\Run: [F009A753] C:\WINDOWS\system32\ldpRSdosy.exe
O4 - HKCU\..\Run: [FC8610E6] C:\WINDOWS\system32\libidcl.exe
O4 - HKCU\..\Run: [CB46C97E] C:\WINDOWS\system32\apPLW.exe
O4 - HKCU\..\Run: [9B74BE56] C:\WINDOWS\system32\e32sfertra.exe
O4 - HKCU\..\Run: [17FB46C6] C:\WINDOWS\system32\ddrsvmgr.exe
O4 - HKCU\..\Run: [FC9A1253] C:\WINDOWS\system32\apppa3asfs.exe
O4 - HKCU\..\Run: [EBAC3B0E] C:\WINDOWS\system32\ivadj3.exe
O4 - HKCU\..\Run: [9BA64EF3] C:\WINDOWS\system32\cnape.exe
O4 - HKCU\..\Run: [xscxvpb] c:\windows\qqonmyr.exe

O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.248/504//main.chm::/update.exe
Adult Content Dialer

Reboot into safe mode following the instructions here and navigate to and delete the following if found:

C:\WINDOWS\system32\d3drfi.exe
C:\WINDOWS\system32\tresatt.exe
C:\WINDOWS\system32\helput.exe
C:\WINDOWS\system32\cctri3ror.exe
C:\WINDOWS\system32\ldpRSdosy.exe
C:\WINDOWS\system32\libidcl.exe
C:\WINDOWS\system32\apPLW.exe
C:\WINDOWS\system32\e32sfertra.exe
C:\WINDOWS\system32\ddrsvmgr.exe
C:\WINDOWS\system32\apppa3asfs.exe
C:\WINDOWS\system32\ivadj3.exe
C:\WINDOWS\system32\cnape.exe
C:\WINDOWS\system32\d3drfi.exe
C:\WINDOWS\system32\tresatt.exe
C:\WINDOWS\system32\helput.exe
C:\WINDOWS\system32\cctri3ror.exe
C:\WINDOWS\system32\ldpRSdosy.exe
C:\WINDOWS\system32\libidcl.exe
C:\WINDOWS\system32\apPLW.exe
C:\WINDOWS\system32\e32sfertra.exe
C:\WINDOWS\system32\ddrsvmgr.exe
C:\WINDOWS\system32\apppa3asfs.exe
C:\WINDOWS\system32\ivadj3.exe
C:\WINDOWS\system32\cnape.exe
c:\windows\qqonmyr.exe

Reboot normally after doing the above, rescan with hijackthis, then post that log here please.
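
An added example, not part of the original thread or any poster's code: a small Python diff of two HijackThis logs, showing which entries changed between the two scans posted above. The sample lines are excerpted from the thread's two logs; the function names `parse` and `diff_logs` are assumptions made for this illustration.

```python
import re

# Sample input: a few lines excerpted from the first and second logs in this thread.
LOG_BEFORE = r"""
R3 - URLSearchHook: (no name) - {9AE4D58C-0F45-BD19-B3EB-93CC017BF797} - C:\WINDOWS\system32\helput.exe
O4 - HKLM\..\Run: [A56C3CCB] C:\WINDOWS\system32\helput.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [shdmqla] c:\windows\rmejkma.exe
O15 - Trusted Zone: *.awmdabest.com
"""
LOG_AFTER = r"""
R3 - URLSearchHook: (no name) - {9AE4D58C-0F45-BD19-B3EB-93CC017BF797} - C:\WINDOWS\system32\d3drfi.exe
O4 - HKLM\..\Run: [A56C3CCB] C:\WINDOWS\system32\helput.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xscxvpb] c:\windows\qqonmyr.exe
O15 - Trusted Zone: *.awmdabest.com
"""

# A HijackThis entry line starts with a section code such as R0, O4 or O17.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse(log):
    """Return the set of (code, lower-cased text) entries found in a log."""
    entries = set()
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            # Windows paths and registry names are case-insensitive, so
            # System32 vs system32 must not count as a change.
            entries.add((m.group(1), m.group(2).lower()))
    return entries

def diff_logs(before, after):
    """Return (entries only in the first scan, entries only in the second)."""
    b, a = parse(before), parse(after)
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    gone, new = diff_logs(LOG_BEFORE, LOG_AFTER)
    for code, text in gone:
        print("- ", code, text)
    for code, text in new:
        print("+ ", code, text)
```

Run against the full logs, the same diff lists every entry that is present in only one of the two scans.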
