PDA

View Full Version : Adware keeps reappearing



paulbemis
2008-08-22, 18:41
I am a new user and have run the spybot search and destroy scanner. I comes up with 5 DSO Exploit problems (see below) and seems to destroy them. I then run fine for awhile, until the unwanted browsers start appearing again. I then rerun the spybot scanner, and it picks up the same exact problems. How do I keep these DSO Exploit problems from reappearing?

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-65919605-242604490-1238627039-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi

blues
2008-08-22, 18:49
i can see that you have spybot 1.3, spybot 1.6 is the latest one so i will recommend you to update to 1.6 as it scans faster and i guess it is better than 1.3 in some other ways too.

i remember that dso exploit was detected on my computer years ago and it was detected right after formatting too, i dont remember if it reappeared after being fixed.

here is about dso exploit:

If you use Spybot Search and Destroy or another spyware removal tool, it may find an item called DSO Exploit. This exploit is a bug in Internet Explorer that under certain circumstances would allow untrusted software to run on the computer. In other words, its a hole in Internet Explorer that hackers could use to gain access to your system.
However, if you are running the latest version of Internet Explorer and have all your Windows Updates installed, the bug has been patched and is not a threat to your computer system. Even though Spybot may still show it as a threat.

drragostea
2008-08-22, 19:04
Paul, what version is your Internet Explorer? It seems that there might be something "out-of-the-ordinary" from your Internet Zones.

Can you go to: Internet Properties>Security(tab)> and reset all of them to default?

blues
2008-08-22, 19:08
doesnt this mean that it is not updated since 2004? i may be wrong.


2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi

drragostea
2008-08-22, 19:15
Hello blues. I thought about what you said... so I got a full report from Spybot. Here's a portion:

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-08-18 TeaTimer.exe (1.6.2.23)
2008-07-08 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-07-07 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll

2008-08-05 Includes\Adware.sbi
2008-08-19 Includes\AdwareC.sbi
2008-08-19 Includes\Beta.sbi
2007-11-06 Includes\Beta.uti
2008-06-03 Includes\Cookies.sbi
2008-06-03 Includes\Dialer.sbi
--
My assumption was that the list of components are for the specific version, if you know what I mean.

In other words, it wasn't that Spybot's components weren't updated, but they were for the program itself.

tashi
2008-08-22, 19:55
Hello paulbemis,

--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi

Please update and check your other security applications to make sure they also are updated.

Best regards.

paulbemis
2008-08-22, 22:01
Thanks Blues for you help. I did upgrade to 1.6 and so far, so good.

Paul


i can see that you have spybot 1.3, spybot 1.6 is the latest one so i will recommend you to update to 1.6 as it scans faster and i guess it is better than 1.3 in some other ways too.

i remember that dso exploit was detected on my computer years ago and it was detected right after formatting too, i dont remember if it reappeared after being fixed.

here is about dso exploit:

If you use Spybot Search and Destroy or another spyware removal tool, it may find an item called DSO Exploit. This exploit is a bug in Internet Explorer that under certain circumstances would allow untrusted software to run on the computer. In other words, its a hole in Internet Explorer that hackers could use to gain access to your system.
However, if you are running the latest version of Internet Explorer and have all your Windows Updates installed, the bug has been patched and is not a threat to your computer system. Even though Spybot may still show it as a threat.

paulbemis
2008-08-22, 22:02
Yes, they were off a bit. So I set them to default and updated to 1.6. So far, so good...

P


Paul, what version is your Internet Explorer? It seems that there might be something "out-of-the-ordinary" from your Internet Zones.

Can you go to: Internet Properties>Security(tab)> and reset all of them to default?

paulbemis
2008-08-22, 23:05
Hi Again,
OK, so I did everything you all recommended (thanks) and I'm still getting an occasionaly window poping up (this time it was the "dumb test" window). I did another scan and here is what came of it (below). I went ahead and fixxed it, but have some doubts still. Any comments about this?

Thanks,

Paul
___________________________________________________________

Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-65919605-242604490-1238627039-1008\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALM ACHINE_LOCKDOWN\iexplo
re.exe
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---
2008-08-14 blindman.exe (1.0.0.8)
2008-08-14 SDFiles.exe (1.6.0.4)
2008-08-14 SDMain.exe (1.0.0.6)
2008-08-14 SDShred.exe (1.0.2.3)
2008-08-14 SDUpdate.exe (1.6.0.9)
2008-08-14 SDWinSec.exe (1.0.0.12)
2008-07-30 SpybotSD.exe (1.6.0.31)
2008-08-18 TeaTimer.exe (1.6.2.23)
2004-04-27 unins000.exe (51.13.0.0)
2008-08-22 unins001.exe (51.49.0.0)
2008-08-14 Update.exe (1.6.0.7)
2008-08-14 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-08-14 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-08-14 Tools.dll (2.1.5.7)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2008-08-05 Includes\Adware.sbi (*)
2008-08-19 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-08-05 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-08-19 Includes\Hijackers.sbi (*)
2008-08-19 Includes\HijackersC.sbi (*)
2008-08-05 Includes\Keyloggers.sbi (*)
2008-08-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-08-20 Includes\Malware.sbi (*)
2008-08-19 Includes\MalwareC.sbi (*)
2008-08-05 Includes\PUPS.sbi (*)
2008-08-19 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-08-19 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-08-12 Includes\Spyware.sbi (*)
2008-08-12 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-08-05 Includes\Trojans.sbi (*)
2008-08-20 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

blues
2008-08-22, 23:15
does this helps you, maybe it is the same but i cant say for sure: http://forums.spybot.info/showthread.php?t=32849

paulbemis
2008-08-25, 22:01
Hi Again,
So I am still fighting this adware issue. When I run spybot, I get the following issue report. I go ahead and fix it, only to have the browser open a new window and take me somewhere again shortly there after. Any suggestions today?

Paul
____________________________________________________________
Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-65919605-242604490-1238627039-1008\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALM ACHINE_LOCKDOWN\iexplo
re.exe
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---
2008-08-14 blindman.exe (1.0.0.8)
2008-08-14 SDFiles.exe (1.6.0.4)
2008-08-14 SDMain.exe (1.0.0.6)
2008-08-14 SDShred.exe (1.0.2.3)
2008-08-14 SDUpdate.exe (1.6.0.9)
2008-08-14 SDWinSec.exe (1.0.0.12)
2008-07-30 SpybotSD.exe (1.6.0.31)
2008-08-18 TeaTimer.exe (1.6.2.23)
2004-04-27 unins000.exe (51.13.0.0)
2008-08-22 unins001.exe (51.49.0.0)
2008-08-14 Update.exe (1.6.0.7)
2008-08-14 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-08-14 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-08-14 Tools.dll (2.1.5.7)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2008-08-05 Includes\Adware.sbi (*)
2008-08-19 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-08-05 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-08-19 Includes\Hijackers.sbi (*)
2008-08-19 Includes\HijackersC.sbi (*)
2008-08-05 Includes\Keyloggers.sbi (*)
2008-08-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-08-20 Includes\Malware.sbi (*)
2008-08-19 Includes\MalwareC.sbi (*)
2008-08-05 Includes\PUPS.sbi (*)
2008-08-19 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-08-19 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-08-12 Includes\Spyware.sbi (*)
2008-08-12 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-08-05 Includes\Trojans.sbi (*)
2008-08-20 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

drragostea
2008-08-25, 23:13
Good to hear that you've upgraded to the latest version.
http://forums.spybot.info/showpost.php?p=226640&postcount=3
--
Can you do that for me?

In addition, after resetting the zones to default go the 'Advanced' tab in Internet Explorer and click "Restore to Advanced Settings".

See if Spybot still detects it.

paulbemis
2008-08-26, 17:05
Hi,
Yes I did that. Set them all to default. I am running IE 7.0. The Spybot is updated to the most recent level, but the browser is still getting hijacked and taking me to various sites. Thankfully, none of them are porn, but it is still very annoying.

Thanks for your continued help with this...

Paul


Paul, what version is your Internet Explorer? It seems that there might be something "out-of-the-ordinary" from your Internet Zones.

Can you go to: Internet Properties>Security(tab)> and reset all of them to default?

drragostea
2008-08-26, 19:42
In addition, after resetting the zones to default go the 'Advanced' tab in Internet Explorer and click "Restore to Advanced Settings".

See if Spybot still detects it.

How about the 'Advanced Tab'?

A HiJacked browser? Do you mean a changed homepage? Or just random redirections out of no where?

What kind of sites were they? The cheap search engine sites? Poker?

paulbemis
2008-08-26, 19:50
Yes, I did change the advance tabs back to "defaults" as well. The sites are random redirections of the browser. It just opens new windows (tabs) and points to things like Antivirus 2009, "the dumb test" and other advertising kinds of sites etc. Spybot is detecting nothing at this point.


How about the 'Advanced Tab'?

A HiJacked browser? Do you mean a changed homepage? Or just random redirections out of no where?

What kind of sites were they? The cheap search engine sites? Poker?

drragostea
2008-08-26, 19:53
That's not good... a browser HiJacker?
However, I can confirm that XPAntiVirus [Pro] 2006/07/08/09 is definately malware. Thing is Spybot does not currently detect the variants at the moment.

:fear:

Do you use a firewall? How about an anti-virus program? Currently, some anti-virus programs (such as avast!) detects this.

I'll be right back...

paulbemis
2008-08-26, 20:31
I went ahead and downloaded the Malwarebytes Anti-malware program and did a scan. The output is below, and it seems to have fixed the problem for the moment. Time will tell...

_____________________________________
Edit; removed

tashi
2008-08-26, 20:45
Hello paulbemis,

If you still experience problems please follow the procedure in this link: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)


Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a helper will advise you as soon as available.

Cheers.