Okay, aturnerj, I think we need to go through this step-by-step (and
please humor me if I ask you to repeat something you've already done,
and do it again anyway).
Make sure you have backed up all of your important document files.
Disable System Restore, following these instructions from Symantec:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
Then, open up your Norton Anti-Virus dialog box and select
"LiveUpdate" in the upper left-hand corner to download any needed
additions to the program and its virus definitions. If NAV wants you
to restart your system, let it do so. Then, from the NAV dialog box,
click "Full System Scan" and "Scan Now".
Then, please download, install, and run the following free utilities:
[I know you said you've got Ad-Aware installed, but to be sure you've
got the latest-and-greatest, please download it anew -- and be sure
to heed the advice below about "Checking for Updates" first, before
actually running each program.]
Spybot Search & Destroy
http://www.security.kolla.de
AdAware
http://www.lavasoft.de
*** IMPORTANT ***
The first time you run them, or if you already have Spybot and/or
AdAware installed on your PC, be sure to download the latest updates
first **each time you run them**.
*****************
HijackThis!
http://www.spychecker.com/program/hijackthis.html OR
http://www.net-integration.net/tools/hijackthis.html
Please post here a copy of your HijackThis! scan log.
Something to keep in mind is that even if these programs give your
system a "clean bill of health", it does *not* mean that you can be
absolutely sure that your system is clean. It is only a *reasonable
assurance* that it is clean.
Please let me know whether these steps resolve your problem, or
whether you need more assistance.
Before Rating my Answer, if you have any Questions about the above
information, please post a Request for Clarification, and I will be
glad to see what I can do for you.
Regards,
aceresearcher
Request for Answer Clarification by aturnerj-ga on 07 Jun 2004 14:11 PDT
I followed your suggestions and still I have that awful
annoyance---ERRORPLACE. It continues to hijack my computer. OK, here
is what I have done thus far. I downloaded Spybot Search &
Destroy----I did the check for problems, clicked on fix selected
problems. When I do this, the system scans and always (more than 10
times) comes back with 5 problems. The 5 problems are always the
same. There is always "Error during check! Xabot (Ungultiger
Datentyp fur)" and DSO Exploit.
There is always a + beside the DSO Exploit and when I click on it, I
get 5 different versions of the error. Here they are:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Error during check!: Xabot (Ungültiger Datentyp für '') ()
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-823518204-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
--- Spybot - Search && Destroy version: 1.3 ---
2004-05-25 Includes\Cookies.sbi
2004-05-29 Includes\Dialer.sbi
2004-05-28 Includes\Hijackers.sbi
2004-05-28 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-28 Includes\Malware.sbi
2004-05-04 Includes\Revision.sbi
2004-04-12 Includes\Security.sbi
2004-05-28 Includes\Spybots.sbi
2004-05-24 Includes\Tracks.uti
2004-05-28 Includes\Trojans.sbi
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
=================================================================
AFTER I WOULD CLICK THE FIX SELECTED PROBLEMS, I WOULD THEN CLICK ON
IMMUNIZE. WHEN DOING THAT, I GET "ALL KNOWN BAD PRODUCTS ARE BLOCKED
ALREADY." WHEN SEEING THIS, I CLICK ON "OK".
============================================================================
I also downloaded Spyware Blaster------clicked on enabled all
protection---clicked on Internet Explorer, restricted sites, and
Mozilla/Firefox, clicked on protect against checked items.
Mozilla/Firefox comes up "Mozilla/Firefox not detected".
I also downloaded HijackThis but did not do anything with it because
when the menu of things to download came up, I did not know what to
delete. I heeded the opinion of the instructions that cautioned
against deleting things that one did not know anything about.
Clarification of Answer by aceresearcher-ga on 07 Jun 2004 14:21 PDT
Just to doublecheck --
Did you disable System Restore before running AdAware and Spybot?
Did you download a new copy of AdAware and a new copy of Spybot?
Did you click "Check for Updates" in each of those programs before running them?
Have you shut down your system and restarted it?
If the answer to any of the above is "no", please complete that item
and proceed through all the steps after it.
Once you have done all the steps -- in that order -- please run
HijackThis! and click the option "Save log". Then, please post a copy
of that log here.
ace
Request for Answer Clarification by aturnerj-ga on 07 Jun 2004 18:51 PDT
Thanks again for your reply. I had previously done all of the things
that you have suggested. So here is the HijackThis log. Thanks for
working with me to resolve this problem.
Logfile of HijackThis v1.97.7
Scan saved at 9:44:38 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Linksys\Wireless-B USB Network Adapter\NICServ.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\program files\altnet\points manager\points manager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\SNDVOL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Arthur\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C5F05E4-3E7E-4EDF-8630-13C659AF5B68} - C:\WINDOWS\aqhtjxx.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Wireless-B USB Network Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B USB Network Adapter\WUSB11Cfg.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1182989795e121011301/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38080.6173611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Clarification of Answer by aceresearcher-ga on 07 Jun 2004 23:11 PDT
aturnerj,
When you say that you "still have Errorplace", can you describe the
symptoms you're getting that cause you to know this?
Thanks,
ace
Clarification of Answer by aceresearcher-ga on 08 Jun 2004 00:01 PDT
Okay, we're going to use HijackThis! to delete some things.
First, reenable your System Restore functionality through your System
Properties menu.
Then run HijackThis!, and remove the following entries:
This is TwainTech AdWare - might be the main source of your problems
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
This one's also highly suspicious; remove it, too
O2 - BHO: (no name) - {6C5F05E4-3E7E-4EDF-8630-13C659AF5B68} - C:\WINDOWS\aqhtjxx.dll
If you're *really* fond of mp3 file-sharing, I know that you
won't want to delete this. However, you should know that Kazaa and
KazaaLite are frequently carriers of nasty vermin. You'll have to
choose whether you are willing to delete this:
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
This is spyware from RealPlayer; it runs independently of the Player:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
This is TightVNC Remote Network Spyware:
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
P2P Networking Adware:
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
TopSearch Adware (bundled with Kazaa)
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
FASH Spyware
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
PopUpStopper - has been reported by some to hijack Search Results
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
Claims to be an adware remover; it's actually known as "extortion ware"
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
MS Office 2000 Resource hog which is not necessary
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
(see note above)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
MS Messenger, in my opinion, is like putting a doormat out for
hackers into your computer. But if you use it all the time with your
friends, you may feel that it's worth the risk. If you choose to
uninstall this, first do so with the "Add/Remove Programs" in your
control panel. If HijackThis! still shows components hanging around
afterward, use HT to remove them.
Likewise, I personally despise MusicMatch, because it's an "ET"
(it phones home without your permission, and in violation of its own
published privacy policy).
[I use the good old cdplayer.exe -- it's tiny (37kb), uses very few
system resources, and doesn't spy on you and report back on your
listening habits. The downside is it won't automatically pull up the
titles and artist. Frankly, I don't care -- I've got the CD jacket for
that if I want to see it.]
You'll have to choose whether you want to get rid of MusicMatch. You
can read more here:
http://www.jms1.net/mmjb.html
Some people don't mind their listening habits and CD collection being
monitored, because it's worth it to have the song and album titles and
artist names automatically show up.
Again, if you choose to uninstall MusicMatch, first do so with the
"Add/Remove Programs" in your control panel. If HijackThis! still
shows components hanging around afterward, use HT to remove them.
Once you've done cleanup with these items, shut down and restart your
computer. (If for some reason you then have problems, you may have to
use your System Restore to recover.)
Then run HijackThis! and post the log again here.
ace
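An added example, not part of the thread and not HijackThis's own logic: a Python triage pass over a HijackThis log in the format posted above. It rejoins entries that were hard-wrapped when pasted and applies three heuristics that are assumptions of this example (function names are hypothetical; the sample lines are excerpted from the log in this thread).

```python
import re

# Excerpt of the log posted in this thread, with its hard line wraps kept.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {6C5F05E4-3E7E-4EDF-8630-13C659AF5B68} -
C:\WINDOWS\aqhtjxx.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P
Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""

# A log entry starts with a section code such as R0, O2, O4 or O16.
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
# An .exe/.dll sitting directly in C:\WINDOWS, not in a subfolder.
ROOT_BINARY = re.compile(r"C:\\WINDOWS\\[^\\\s]+\.(?:exe|dll)\b", re.IGNORECASE)


def unwrap(text):
    """Rejoin wrapped entries; lines before the first entry (header,
    running-process list) are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries


def triage(text):
    """Return (reason, entry) pairs worth a manual look. Heuristics only:
    a hit is a lead to research, and a miss is not a clean bill of health."""
    findings = []
    for entry in unwrap(text):
        code = entry.split(" - ", 1)[0]
        if code == "O2" and entry.endswith("(no file)"):
            findings.append(("BHO registered but its file is missing", entry))
        elif code in ("O2", "O4") and ROOT_BINARY.search(entry):
            findings.append(("binary loaded from the Windows root folder", entry))
        elif code == "O16" and entry.endswith("-"):
            findings.append(("ActiveX control with no source URL", entry))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {entry}")
```

These heuristics pick out four of the entries ace lists for removal; the others (Kazaa, WinVNC, Virtual Bouncer and so on) are identified by product name, which a structural check like this cannot do.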