Pls help w/my HijackThis log file - payment via paypal

Joep · Cadet Joined: May 29, 2004 Posts: 1 Location: USA

Hello all -- I've been working on this for sometime and have deleted most of what I read was related to the "amazing auto search" It's still infecting my machine and I'm sure I've missed something along the way.

When I run spybot everytime I geta new registry entry change called "dso exploit"

Help is requested and will be paid upon a sucessful deletion of this crap. I appreciate your time so if you indeed do help me and it works I will send along a personal payment via paypal.

Thank You
Joe

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\live bat win\shim jump.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MCI TotalAccess\TaskPanl.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Joe Pater\Desktop\hijackthis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\MCI TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8AD6BD15-1EE5-5084-6180-1E8117C74C32} - C:\PROGRA~1\MATHTE~1\book gram.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\MCI TotalAccess\PnEL.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [boreburn] C:\PROGRA~1\live bat win\shim jump.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\MCI TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26c8e4abc9f50f989d...xIE601.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.nugs.net/dev/dlControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab

archimedes · Lieutenant Joined: May 21, 2004 Posts: 155 Location: USA

the DSO exploit is apparently from everything I have read, a bug in SpyBot. the DSO is related to alexa. there is a browser hijacker called alexa if memory serves but this is most likely not the case in your situation the alexa spybot found is most likely from microsoft.
http://www.microsoft.com/windows/ie/pre...efault.asp
to check it out

C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
this entry was the only one I noticed as bad.
this is not my area of expertise mind you I am simply trying to help out the other members of this site as it seems there are lots of people using hijackthis.
A simple program designed to allow you to choose which programs start up is called winpatrol
http://www.winpatrol.com/
this program will also give some info on the startup items.
let hijack fix the one mentioned and repost, and as always, make sure hijack is installed into it's oqn folder in C:/program files as it creates backups.
and make sure you have set to show hidden files in explorer.
good luck

Prince_Serendip · Posted: Sun May 30, 2004 7:43 am Post subject:

Hi Joe!

Archimedes is not a HijackThis Log expert. You have to be on staff here to do that. Wink

Please move your HijackThis to a regular folder, such as C:\Program Files\HijackThis\HijackThis.exe. It cannot save backups in a Temp folder nor on the desktop.

Copy and paste these instructions into Notepad for easy reference.

Please run HijackThis, put a check beside each of the following entries, be sure all windows and browsers are closed, then click "fix checked."

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26c8e4abc9f50f989d...xIE601.cab

O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.nugs.net/dev/dlControl.CAB

Check your Add/Remove Programs for New.Net. If it's there, remove it.

Both of the following programs will automatically detect and remove NewDotNet.

ADAWARE - Removes spywares and adwares from your computer

1. Download and install Adaware (free edition). (Click on "Adaware" in the left-hand column near the top at their website to download the free edition.)

2. After installing go to Start > Programs > Lavasoft and click on AdAware 6 to open the program

3. Look at the icons on the top right of the page and click on the world and let AdAware update the spyware reference list (Note: Always update Adaware before you scan.)

4. Once the update is finished click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
ˇ Automatically save log-file
ˇ Automatically quarantine objects prior to removal
ˇ Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :
ˇ Scan Within Archives
ˇ Scan Active Processes
ˇ Scan Registry
ˇ Deep Scan Registry
ˇ Scan my IE favorites for banned URLs
ˇ Scan my Hosts file
ˇ Under Click here to select drives + folders, choose:
ˇ All of your hard drives

3. Click on the Advanced button on the left and select:
ˇ Include additional process information
ˇ Include additional file information
ˇ Include environment information
ˇ Include additional object details

4. Click the Tweak button and select:
ˇ Under the Scanning Engine:
ˇ Unload recognized processes during scanning
ˇ Include basic Ad-aware settings in logfile
ˇ Include additional Ad-aware settings in logfile
ˇ Under the Cleaning Engine:
ˇ Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
ˇ Use Custom Scanning Options

7. Click Next and AdAware will scan your hard drive(s) with the options you have selected.

8. Save the log file when it asks and then click finish

9. REBOOT
----------------------------------------------------------
SPYBOT SEARCH & DESTROY - Removes spywares, spybots, and adwares

1. Next, download and install Spybot Search and Destroy.

2. Go to Start > Programs >Spybot - Search & Destroy and choose Spybot S&D - easy mode

3. Close ALL windows except Spybot S&D

4. Click the button to Search for Updates and download and install the Updates.

5. Next click the button Check for Problems

6. When Spybot is complete, it will be showing RED entries BLACK entries and GREEN entries in the window

7. Put a check mark beside the RED entries ONLY.

8. Choose Fix Selected Problems and allow Spybot to fix the RED entries.

9. REBOOT

Keep these updated and run regular scans with them to keep your PC clean. (I do these every 2 days.)

Please post a fresh HijackThis log here when you have done all that.

Best regards Very Happy

Prince_Serendip · Posted: Sun May 30, 2004 7:58 am Post subject:

Hi Joe!

An add-on. Do you recognize this file:
C:\PROGRA~1\live bat win\shim jump.exe ?

and this O4 - HKLM\..\Run: [boreburn] C:\PROGRA~1\live bat win\shim jump.exe ?

If you don't, then fix them with HijackThis. Wink


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 715 pages served in previous 5 minutes. Page Rendered: 0.406 seconds.