0

Hi,
I scaned with spybot SD this win 98 and found 2 threats:
DSO exploit and Download Accelerator.
Tried to fix, said DSO was fixed and Download Acc in next scan
on reboot. After rebooting both appear...
(not so fixed seems)

Hijack this log is:

Logfile of HijackThis v1.97.7
Scan saved at 08:48:40 p.m., on 20/06/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\ARCHIVOS DE PROGRAMA\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\DAEMON.EXE
C:\ARCHIVOS DE PROGRAMA\AGATE TIOMAN\TIOMAN.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\ARCHIVOS DE PROGRAMA\IHATESPAM OUTLOOK EXPRESS EDITION\PIISERVICEOE.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYMANTEC SHARED\CCAPP.EXE
C:\ARCHIVOS DE PROGRAMA\BABYLON\BABYLON.EXE
C:\ARCHIVOS DE PROGRAMA\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\ARCHIVOS DE PROGRAMA\PROGRAMA DE UTILIDAD CONFIGURACIĆ³N\TASKBAR.EXE
C:\ARCHIVOS DE PROGRAMA\BABYLON\utils\shlhook.exe
D:\HIJACKTHIS.EXE
D:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vnculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
O4 - HKLM\..\Run: [TiomanExe] C:\Archivos de programa\Agate Tioman\Tioman.Exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [piiserviceOE] "C:\ARCHIVOS DE PROGRAMA\IHATESPAM OUTLOOK EXPRESS EDITION\piiserviceOE.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] c:\ARCHIV~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [Babylon Client] C:\Archivos de programa\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\ARCHIV~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Archivos de programa\Archivos comunes\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\ARCHIVOS DE PROGRAMA\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Startup: ConfiguraciĆ³n de ThinkPad.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: &Google Search - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\ARCHIVOS DE PROGRAMA\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://c:\ARCHIV~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: &Document Tree (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38145.7209375
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab


Can you help me please?
Thank you!

5
Contributors
10
Replies
11
Views
13 Years
Discussion Span
Last Post by deonnanicole
0

Have HJT fix this entry:

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

Please go here & install ALL critical updates required for your system.

Check for updates with spybot. Do you have the latest version? 1.3 is the latest. If you still have the warning come up (DSO), try the spybot forums as this has been a recent problem with spybot.

0

i just found out how to get rid of the DSO EXPLOIT:
run regedit and find all those values that spybot reported to have a problem, one by one. Spybot also gives you their full paths, so it's easy to find them. if they are "DWORD" values, just right-click on them, choose to modify them, and set them to 3. if they are not "DWORD" values, but "SZ" values, delete them first, then right-click (anywhwre in that window) and chose "new" and "dword value" -> now you have a new dword, set it's name to the name of the value you deleted, and set it's value to 3.

0

I did changed to 3 the value of DSO in the entry, but spybot stills find it.
cant you just delete it?
what about Download Accelerator?

Thanks!

0

set spybot to ignore them ,as long as you have all your windows updates it will be ok .In spybot go to mode /check advanced ,then go to settings ,click on ignore programs and scroll down to DSO expoits and check to ignore .

0

sorry , it worked for me..... after setting them to 3 , spybot doesn't complain about them anymore.

0

Thanks!

Can some one tell me a manual removal or product to get rid of it please?
Still having in my system that pest...

0

Thanks!

Can some one tell me a manual removal or product to get rid of it please?
Still having in my system that pest...

Finding it is a bug in spybot ,so you should just set it to ignore it .

0

Finding it is a bug in spybot ,so you should just set it to ignore it .

Do you mean is not evil? How do you know that?

0

No it is not evil!1I only know that because the people in the know ,who created spybot and run the board where i Learned to read hijackthis logs ,Tell me its ok to just let spy-bot ignore it !

0

Thanks for letting us know...because I was beginning to wonder why spybot was constantly picking it up when I ran the scans too! :)

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.