DSO exploit and xedso

With a little bit of search you would see that the DSO Exploit issue with SpyBot has been discussed a couple thousand times. It's a bug you can ignore. Just veryify you have all your MS Critical (now call High Priority) Updates installed.

What does this mean:
"yet everytime i go back on to IE, the xedso comes up on a different page"

What is the xedso?

 

By the way do not install SP2 yet. There are lots of issues people are having with it. See the software forum. At a minimum you want to check for software compatibility issues.

 

Yes, that's better. I believe this is part of the "abetterinternet" family of crap! Do the following:

1) Download HijackThis from here
2) Read information about using HJT and posting HJT logs (as text attachments) here
3) Download the VX2 finder, run it and select "click to find abetterinternet". Then select "make log" and copy/paste the log back here (also as an attachment).

 

I changed it to an attachment for you. Take a look. You just needed to save the logs to a text file (a .txt suffix) and then upload it using the manage attachments button from advanced mode of adding your message.

 

You have a bunch of things wrong including some trojans. You need to run some online scans before we do anything else. Run the following and let me know if they find anything ( Select Auto Clean as appropirate with these):

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.ravantivirus.com/scan/
http://www.trojanscan.com/

Run HijackThis and put checks on the following items and then click Fix:
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025960.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...382/mcfscan.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn298.exe

There is more but we need to do the above before continuing. Now post me a new HijackThis log but do it as an attachment.

 

Are you logged in with Administrator priveledges?

 

When fighting problems like these it is best to follow the directions we give you and not jump around and do other things on your own or to try working the problem on multiple help forums simultaneously (which others have done). As a I said in my previous messages there were multiple issues to worry about. We need to be careful what we did. I was worried that deleting the some items without taking certain precautions could make the computer non-bootable. And now that could be what has happed due to uninstalling NAV and using Panda. The lines from you log that were of concern to me were:

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {62AC4609-BD40-7692-8003-64550DA72A1A} - C:\WINDOWS\System32\fbyxdt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\Run: [Microsoft IT Update] dwervdl32.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [Microsoft Java Virtual Machine] javams.exe
O4 - HKLM\..\Run: [Shell Monitor] taskmgr32.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syslx32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] dwervdl32.exe
O4 - HKLM\..\RunServices: [Microsoft Java Virtual Machine] javams.exe
O4 - HKLM\..\RunServices: [Shell Monitor] taskmgr32.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syslx32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Microsoft IT Update] dwervdl32.exe
O4 - HKCU\..\Run: [Microsoft Java Virtual Machine] javams.exe
O4 - HKCU\..\Run: [Shell Monitor] taskmgr32.exe
O4 - HKCU\..\Run: [Microsoft WinUpdate] syslx32.exe

Deleting the wsaupdater.exe file (which the virus scan may have done), without fixing the registry, Windows XP will never log on again. It'll show the welcome screen and everything, but will immediately log off if you attempt to log on. (by any means, including safe mode command prompt)

Now you will need to boot with the Windows XP CD to the recovery console, and copy userinit.exe to wsaupdater.exe. And the we may be able to boot back normally and repair the registry entry.

So boot from your WinXP CD and when you reach the setup screen, press R to start the Recovery Console.

Choose the installation to log on to (if there's just one, hit enter). When prompted for password, just hit enter unless you have set a password for the user "Administrator" (it's blank by default in XP)

When you get logged onto the Recovery Console, go to c:\windows\system32 (or wherever Windows is installed).

Use the following commands.

cd \windows\system32

copy userinit.exe wsaupdater.exe

Take the CD out of the drive, and type exit to quit the recovery console and restart Windows normally.

Let me know if you can get to this point and we will then look into repair the registry.

 

Are you the Administrator of the PC and do you know the Administrator password?

Is this your PC?

 

Try booting as the Administrator and just hit return for a "blank" password thats the default.
See if that works.

When you loging now as a particular user, you do not have admin capabilities?

 

Where are you logging in from right now?

There is small little application that can be run to erase the Administrator password but you need to boot from either a CD or a floppy disk with this application on it. See this link: http://home.eunet.no/~pnordahl/ntpasswd/

Once you have blanked out the Administrator password, we could than try using you WinXP CD to boot to the recovery console. You do have your original WinXP CD don't you and is it a bootable CD?

 

Okay let me know when you have gotten your password blanked out.

 

John,

It isn't too difficult. I know it can look confusing. But all you have to do is download a compressed file (a ZIP file) and extract the files and then run a a command that will make a boot floppy for you. Obviously you need a formatted floppy disk too. After that you just boot the disk and basically accept all the defaults until you get to the point about the password. There you just use the option to blank it out rather than change it. Just go here to get the ZIP file I'm talking about and save it to a directory on your computer:

ftp://listsoft.ru/pub/12378/bd040116.zip

Be patient after clicking on that link. It sometimes takes a while to start downloading.

Then unzip it, put a formatted floppy in your floppy drive, run the install.bat file by double clicking on it, give the letter of your floppy drive (which is always "a"). And it will make a bootable floppy with the NT Password Reset tool on it.

How else are you going to use this PC if you don't fix it? Are you just planning to reinstall WinXP all over again? That takes some work too and you could loose anything you have not backed up on the hard disk. Also, you will have to reinstall and reconfigure any applications that you use too.

 

John,

The ZIP file I sent you the address of had rawrite2 already in it. Are you able to boot this computer now in normal mode?

How are you attempting to get into safe mode and exactly what happens?

 

Please clarify your statements.

If you login, there must be something showing in Task Manager under Processes.

What do you mean there isn't anything in safe mode? I thought you could not boot in safe mode?

 

Okay so booting in safe mode comes up with nothing. Not even the Taskbar at the bottom of the screen where you can click Start?

What about booting normal mode?

And are you saying you booted from the XP CD to the recovery console and did a repair?

 

You're welcome John!

Make sure you get your system protected from reoccurrence of issues like this. Here are some simple steps you can take to reduce the chance of infection in the future. I strongly encourage you to do them all.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly
patched OS.
a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
Do this at least once a month.
b. Never add any site to your Trusted Sites Zone.

2) Anti Virus: make sure you have one and keep it updated. Here are some good free ones:
http://majorgeeks.com/download1968.html Avast
http://majorgeeks.com/download886.html AVG
The top two hands down. Better than Norton or McAfee!
Only run ONE AV!

3) Firewall: if you don't have one get one of these below. The last two are free versions:
Don't care if your on dial up or High Speed....you must have a firewall
http://majorgeeks.com/download738.html Kerio Personal Firewall
http://majorgeeks.com/download3356.html Sygate Personal Firewall Free
http://www.majorgeeks.com/download388.html ZoneAlarmFree

4) Get a Temp File/Cookies/index.dat cleaner
http://majorgeeks.com/download4191.html CCleaner (Crap Cleaner)

5) SpyWare Prevention (These prevent, they are not scanners. Scanners are listed later.)
http://majorgeeks.com/download2859.html SpyWare Blaster
http://majorgeeks.com/download3045.html SpyWare Guard

6) SpyWare Scanners/Removers
http://majorgeeks.com/download2471.html SpyBot (Use the Immunize feature. I don't activate the TeaTimer)
http://majorgeeks.com/download506.html Ad-aware SE
http://download.lavasoft.de.edgesui...lvx2cleaner.exe VX2 Cleaner Plug-In for Ad-Aware

 

John,

Since this is a new problem not pertaining to the info in the title of this thread, it would be better if you started a new thread for this problem. Please clearly explain the exact problem. Are you being hijacked, getting popups ? What is happening? And make sure you follow ALL the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >

If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

Tell us what you have run and the results of each step so we know what you have executed and what problems may have been present on your system.