Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

DSO Exploit & GoInDirect

Started by BrianM , Jan 23 2005 03:43 PM

  • Please log in to reply

#1
BrianM
Posted 23 January 2005 - 03:43 PM

BrianM

    New Member

  • Member
  • Pip
  • 4 posts
Hello, 1st posting here and I've read around and your solutions all appear good.

My I have been cleaning up my daughter's computer following your instructions (lots of stuff has been 'fixed' by AdAware and Spybot (nothing showed using CSShredder).

My original objective was to uninstall a program she accidentally installed called Lemontonic (messenger) and in the course of looking over her system found have been busy doing a general cleanup. While doing this Spybot could not remove 2 registry entries associated with DSO Exploit and one registry entry associated with GoInDirect.

(As an aside, I went to download HijackThis and one of the links from one of your signature links sent me to a different site that prompts you to download alertspy, which is not a free program (scan is free, removal is not).)

Anyway, I got to the Hijackthis site and, assuming you will need the Hijack log if you're going to be able to help out, it is as follows:

Logfile of HijackThis v1.99.0
Scan saved at 1:26:45 PM, on 1/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\OfficeScan NT\tmlisten.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\temp\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINNT\system32\NDrv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PATCHE~1\AIM\aim.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7AF47882-331B-4AA3-AFCB-C154F8E9856C} - http://download.lemo...icMessenger.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {EF940351-1503-11D4-8F57-0050DAC67B1E} (Collect Class) - http://gizmoz.zapa.c.../GCSetup153.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = turnermeakin.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE297888-CA6C-4C2A-8D7E-4E06AECD7A40}: NameServer = 192.168.1.200,216.251.128.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = turnermeakin.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = turnermeakin.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: OfficeScanNT Listener - Unknown - C:\OfficeScan NT\tmlisten.exe

End of log.

So, Any assistance you can offer will be gratefully appreciated. :tazz:

Many thanks
Brian
  • 0

Advertisements

#2
BrianM
Posted 23 January 2005 - 07:46 PM

BrianM

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hello again,

I located and ran the DSO Exploit fix on MajorGeeks and it seems to have worked, but the GoInDirect issue remains.

Brian :tazz:
  • 0

#3
admin
Posted 24 January 2005 - 12:26 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Great job Brian!

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINNT\system32\NDrv.dll

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINNT\system32\NDrv.dll

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :tazz:
  • 0

#4
BrianM
Posted 24 January 2005 - 10:26 PM

BrianM

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hello again!

I did as recommended and the latest HiJackThis log is below.

When I went to delete the NDrv.dll file it was not to be found (yes, folder options are set to show hidden files). As an additional exercise I searched the entire c drive for that filename and found no instances of it anywhere.

I then ran an updated spybot scan and the GoInDirect item is listed.

Here's the log:

Logfile of HijackThis v1.99.0
Scan saved at 8:15:54 PM, on 1/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINNT\system32\ctfmon.exe
C:\temp\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.library.ubc.ca:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PATCHE~1\AIM\aim.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7AF47882-331B-4AA3-AFCB-C154F8E9856C} - http://download.lemo...icMessenger.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {EF940351-1503-11D4-8F57-0050DAC67B1E} (Collect Class) - http://gizmoz.zapa.c.../GCSetup153.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = turnermeakin.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE297888-CA6C-4C2A-8D7E-4E06AECD7A40}: NameServer = 192.168.1.200,216.251.128.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = turnermeakin.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = turnermeakin.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: OfficeScanNT Listener - Unknown - C:\OfficeScan NT\tmlisten.exe

End of log.

I also note a number of new spyware items have shown up since the last scan (my daughter has been online today so that is surely the culprit there). Perhaps I ought to have done so, but I have not used spybot to 'clean' those entries at this point, pending your further advice. :tazz:

Many thanks.

Brian
  • 0

#5
admin
Posted 24 January 2005 - 11:10 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
I'm not too familiar with GoInDirect. There are no signs of it in your log, but you can find manual removal instructions here: http://www.doxdesk.c...lerActiveX.html

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

In addition you may want to enable Spybot's TeaTimer, and install WinPatrol.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)
  • 0

#6
BrianM
Posted 28 January 2005 - 01:36 AM

BrianM

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hi there.

Until now I haven't had the chance to tackle the (last?) step, however I tried the solution in the link provided and got a dialogue box message from the regsvr32 command that reads:

LoadLibrary("dialer_activex.ocx") failed - The specified module could not be found.

So, I'm not really sure what to do, if anything, next. Seems that maybe it's just 'gone' and maybe there's something hiding somewhere else. It doesn't seem to be much of a threat at the moment.

Anyway, if we're 'at the end of the line' on this topic then maybe it's time to retire it.

Many thanks again for your excellent help.

Brian...................
  • 0
Back to Web Browsers and Email · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Software
  3. Web Browsers and Email

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP