DSO Exploit [RESOLVED]


  • This topic is locked

#16
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Your ActiveScan log is fine! Both of those items are completely legitimate.

This is how to remove the dumprep entry:

Right-click on My Computer, select Properties and then the Advanced tab. Click on the Settings button in 'Startup and Recovery'. In the bottom pane, under 'Write debugging information', click on the down arrow and then select 'None', then OK your way out.

Then reboot your computer.

After reboot, Run HiJackThis. Place a check next to these items and click FIX CHECKED:

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Myst IV - Revelation\support\register\na\RegistrationReminder.exe


Close HiJackThis.

p.s. what is that trojan.byteverify in Symantec autoprotect and why does it keep coming up?

Do you mean that Norton keeps picking it up?

Edited by Michelle, 29 August 2005 - 09:52 AM.

  • 0


#17
richardlaura

    Member

  • Topic Starter
  • 61 posts
Yes, I am talking about Norton. This is what pops up:



Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.ByteVerify
File: C:\DOCUME~1\Feldmans\LOCALS~1\Temp\AAWTMP\C269640\2AF702\javainstaller\InstallerApplet.class
Location: C:\DOCUME~1\Feldmans\LOCALS~1\Temp\AAWTMP\C269640\2AF702\javainstaller
Computer: DENCOMPUTER
User: Feldmans
Action taken: Delete succeeded : Access denied
Date found: Monday, August 29, 2005 9:43:49 A



I did what you said but the dumprep 0 -k entry is still in MSCONFIG, startup tab. The AOL and registration is however gone. Thank you.
  • 0

#18
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Run HiJackThis. Place a check next to this item and click FIX CHECKED:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Close HiJackThis.

You have to be very careful about the websites you visit. There are some websites (when you use Firefox) that you click "NO" to the Java applet and it will still load it on your computer... Whatever site it was that you visited and asked if you wanted to load the Java applet, avoid going there!

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\DOCUME~1\Feldmans\LOCALS~1\Temp\AAWTMP\C269640\2AF702\javainstaller\InstallerApplet.class

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, post a new HiJackThis log and let me know if you're still getting notifications from Norton about it.
  • 0

#19
richardlaura

    Member

  • Topic Starter
  • 61 posts
Here is the new HijackThis log. When I deleted that file through Killbox I received a window with a red x, "pendingfilerenameoperations". Please see the attachment, I made a copy of it. I just rebooted manually.







Logfile of HijackThis v1.99.1
Scan saved at 11:14:42 PM, on 8/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Feldmans\My Documents\My Downloads\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1110768546093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


  • 0

#20
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I see that AIM put itself back in startup. It will probably continue to do so unless uninstalled, so either uninstall it or don't worry about it :) You really don't have hardly anything on startup so I doubt it will cause any kind of slowness :tazz:

Are you still getting notifications from Norton about that InstallerApplet.class?
  • 0
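
The check made by eye in post #20 (a fixed startup entry showing up again in the next log) can be done mechanically. This is an added example, not part of the original thread and not HijackThis's own code; the function names are illustrative, and the log text is a trimmed excerpt of the one in post #19.

```python
import re

# Entries the helper asked to be fixed earlier in the thread (posts #16 and #18).
FIXED = [
    r"O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl",
    r"O4 - Startup: Registration .LNK = C:\Program Files\UBISOFT\Myst IV - Revelation\support\register\na\RegistrationReminder.exe",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
]

# Trimmed excerpt of the HijackThis log from post #19.
NEW_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
"""

# O4 has two shapes: registry Run keys and Startup-folder shortcuts.
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - (Global Startup|Startup): (.+?) = (.+)$")

def parse_o4(line):
    """Return (location, name, command) for an O4 line, or None for anything else."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return (f"{m.group(1)}\\{m.group(2)}", m.group(3), m.group(4))
    m = STARTUP_RE.match(line)
    if m:
        return (m.group(1), m.group(2).strip(), m.group(3))
    return None

def autostarts(text):
    """Map (location, name) -> command; keys are lower-cased for comparison."""
    found = {}
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry:
            found[(entry[0].lower(), entry[1].lower())] = entry[2]
    return found

def compare(fixed_lines, new_log):
    """Split previously fixed entries into those present again and those gone."""
    fixed = autostarts("\n".join(fixed_lines))
    current = autostarts(new_log)
    returned = sorted(k for k in fixed if k in current)
    gone = sorted(k for k in fixed if k not in current)
    return returned, gone
```

Calling `compare(FIXED, NEW_LOG)` reports the AIM Run entry as returned and the other two fixed entries as gone.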

#21
richardlaura

    Member

  • Topic Starter
  • 61 posts
I haven't gotten any notifications from Norton about that InstallerApplet.class yet. It usually pops up about once a week and usually when I uninstall something. The Norton picked it up once when I was following something you advised me to do. I will let you know if it happens again.

I was hoping you'd notice that AIM reinstalled itself. I can't delete the program, my kids are addicted to talking to their friends. I don't want it to automatically start but I don't know what else to do. It takes a little longer to boot up the computer because of it but it's not really a problem.

Thank you so much for helping me. This is the second time I've used this website and I'm very impressed with the knowledge of the "geeks". I would love to get a job in this field, any suggestions on where I can learn more?


Laura
  • 0

#22
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
AIM puts itself back on startup. There is not anything you can do to keep it from doing that aside from completely uninstalling it.

I would love to get a job in this field, any suggestions on where I can learn more?

Absolutely! Just post to this topic that you would like to join:

http://www.geekstogo...?showtopic=4817

You will be added to GeekU and the fun begins! We would love to have you aboard :tazz:
  • 0

#23
richardlaura

    Member

  • Topic Starter
  • 61 posts
Thank you, Michelle for your instructions. They were precise and clear and hopefully my computer will stay spyfree for awhile. I posted to the link you sent me. I can't wait to learn more.

Laura
  • 0

#24
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're very welcome!

I strongly advise installing XP Service Pack 2 now that your system has been cleaned. Go here: http://www.microsoft.com, click on "Microsoft Update" on the left, then install all of the latest security updates.

You will need protection programs to help prevent this from happening again.

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:

Edited by Michelle, 30 August 2005 - 09:06 PM.

  • 0

#25
richardlaura

    Member

  • Topic Starter
  • 61 posts
I downloaded Spywareguard but it won't open. I got a message from Scotty the watch dog asking if I would approve it in the startup and I clicked "yes" but it still doesn't open?
  • 0


#26
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
hmm, did you ever get Spywareguard to work?

Make sure to download the other programs as well, especially if Spywareguard is not working.
  • 0

#27
richardlaura

    Member

  • Topic Starter
  • 61 posts
Yes, it is working now, thank you.
  • 0

#28
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
ok, great! :tazz:
  • 0

#29
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
