  1. #1
    schmevinaz
    Guest

    Can't remove DSO Exploit (HJT)

    My friend started having trouble with his computer (pop-ups, hijacked web pages, etc.). He was without anti-virus, firewall... big surprise. Installed/ran Ad-aware, ZoneAlarm, WinPatrol, AVG anti-virus, CWShredder. Cleaned out countless viruses & hijackers, etc.

    I have completed your first steps for computer help. When I run Spybot, I still get a DSO exploit. I clean it, run Spybot, and it is back. Sometimes it has only 1 entry or sometimes up to 5.

    Spybot log:
    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    Someone suggested just changing the 1004 value to 1003 in regedit. Don't know if that will work or even if this DSO exploit is a problem.

    I also have noticed hostak.exe trying to access the internet through zonealarm. I googled "hostak.exe" and found nothing.

    Here is the Hijack this log...

    Logfile of HijackThis v1.98.0
    Scan saved at 4:06:24 PM, on 7/23/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\SPYWARE\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\SYSTEM\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O16 "\\TYLER\EPSONSty" /M "Stylus C64"
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [ICSDCLT] ndll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/def...caploader1.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab


    If you could let me know if you see anything suspicious I would greatly appreciate it. Thanks much.

  2. #2
    Guest

    Hi. Concerning the DSO Exploit, take a look at what steam says; it seems that it is a small prob that will be fixed by a Spybot update.
    See this post and scroll down to see steam's answer here: http://www.help2go.com/postt8241.html

    You may have to wait a while for steam to look at your log as he is real busy.

    Regards Stoney

  3. #3
    Schmevin

    Thanks again, any idea about hostak.exe?

    Thanks for the quick reply. I have seen where some say that the DSO exploit is just a glitch, and some say it is more. Since going through all the cleansing steps this "hostak.exe" trying to access the internet is the only suspicious activity I've seen so far. The last virus I deleted was "BookedSpace" and I had to do that manually. Don't know if they are related.

    If someone can check out my HJT log just in case, that would be great. If Steam is the man, I will wait patiently. I can understand how busy you guys must be, and believe me, the effort is appreciated. You guys deserve a raise.

  4. #4
    Member

    First, download this program: lspfix <<<< click here to download. You need to save this program some place on your PC where you can find it. It is in regards to a Winsock error that is showing up in your log.

    Agree that the DSO error is not a problem.

    Cheers

  5. #5
    Schmevin

    lspfix download ... what next?

    Glad that DSO is no worry, but I have a Winsock error? LSPFIX is downloaded.
    Ready for the next step.

    PS - hostak.exe mean anything to you?

    Thanks!

  6. #6
    Member

    I found nothing on the file :

    hostak.exe

    It may be a while before our expert can have a look at your log.

    Don't worry about the winsock error at this time, as long as the PC can get on the internet.

    Cheers

  7. #7
    steamwiz

    Hi

    The dso exploit IS a glitch in spybot ... Which is supposed to have been fixed...

    Make sure you have the latest version and updates.

    Or you could get spybot to ignore it...

    Or you could edit the registry manually...

    Or you could make a reg file...

    If you open Notepad and copy the bold text below ... save as "all files", name it fix.reg and save it to the desktop ... double-click it and merge to the registry.

    This is for current user....


    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "1004"=dword:00000003


    for your example....

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    you would need to change the HKEY_CURRENT_USER to HKEY_USERS\.DEFAULT

    ----
    Then download LSPfix from here: http://www.cexx.org/lspfix.htm

    Launch the application, and click the "I know what I'm doing" checkbox.

    Check all instances of lspak.dll (and nothing else) , and move them to the "Remove" pane.
    Then click Finish.

    Then find and delete the c:\windows\system\lspak.dll file.

    ----
    As for "hostak.exe"

    Find this file: hostak.exe
    and go here :- http://www.kaspersky.com/remoteviruschk.html
    and upload it.

    Post the results.

    cheers

    steam
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
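
Added example, not part of the thread: the post above adapts fix.reg by hand for one hive, while the original poster reports that Spybot lists between 1 and 5 entries. This Python script reads findings in the format quoted in the thread and emits one REGEDIT4 file covering every reported hive; the function names, the constructed sample, and the reading of "!=W=3" as "wanted data 3" are assumptions.

```python
import re

# Constructed sample: the Spybot finding quoted in the thread, plus the same
# finding under HKEY_CURRENT_USER (the hive the thread's fix.reg targets).
SAMPLE = r"""DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
"""

# Finding layout: <hive>\<key path>\<value name>!=W=<data>
# Assumption: "!=W=3" means the value differs from the wanted data 3.
FINDING = re.compile(r"^(HKEY_[A-Z_]+)\\(.+)\\(\d{4})!=W=(\d+)$")
ZONE0 = r"\Internet Settings\Zones\0"  # only key this example will write to


def parse_finding(line):
    """Return (full_key, value_name, wanted) or None for any other line."""
    m = FINDING.match(line.strip())
    if not m or not m.group(2).endswith(ZONE0):
        return None
    hive, path, name, wanted = m.groups()
    return hive + "\\" + path, name, int(wanted)


def build_reg(log_text):
    """REGEDIT4 text with one section per distinct key reported in the log."""
    keys = {}
    for line in log_text.splitlines():
        parsed = parse_finding(line)
        if parsed:
            key, name, wanted = parsed
            keys.setdefault(key, {})[name] = wanted
    out = ["REGEDIT4", ""]
    for key, values in keys.items():
        out.append("[" + key + "]")
        for name, wanted in sorted(values.items()):
            out.append('"%s"=dword:%08x' % (name, wanted))
        out.append("")
    return "\r\n".join(out)


if __name__ == "__main__":
    print(build_reg(SAMPLE))
```

Findings that point anywhere other than the `Zones\0` key are ignored, so a malformed or unexpected log line cannot turn into a registry write.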

  8. #8
    Schmevin

    Thanks Steamwiz

    Made the fixes you suggested. Understand about the DSO exploit, not a problem, made a reg file. Removed lspak.dll with lspfix and from c:\windows\system\ (had to reboot to SAFEMODE to remove it).

    I read your advice for another user and already looked up "hostak.exe" at the site you suggested. It found nothing. I must have been feeling lucky, because I deleted it (it was in the windows\system file & the temp file). Have not noticed any ill-effects.

    Hope this is it, thank you for your time... looking at the other posts, I don't know how you and the other moderators do it.

    Thank you,
    Schmevin