____________________________________________
* Moderator's edit *

If you are having trouble regarding the DSO Exploit, please take a look at http://www.pchell.com/support/dsoexploit.shtml. It will answer the most common questions.

Happy holidays,
~psi42

* End edit *

Original text as follows:
____________________________________________


What is a DSO Exploit??

I ran the spybot program on my computer (windows 98 se) One of the things it found was something called DSO Exploit. Says it's a registry change. The path is HKEY-users\default\software\microsoft\windows\current version\internet settings. There's a message about being a security hole in IE allowing websites to execute code.
Can anyone tell me what this means and if I should get rid of it or not? Is this something that's dangerous and that is hurting or messing up my computer?
What happens if I get rid of it?

Thanks

Hi kat555lady,

By all means, let Spybot get rid of it for you, you don't want it on the computer. Have you seen a web page with a name like CoolSearch, or somethng similar? If yes, you will want to download CWShredder from:

http://www.spywareinfo.com/~merijn/cwschronicles.html

Hope this helps!
Whiskey14 :)

Thank you whiskey, I appreciate it.

Kat.

I'm getting the same DSO exploit message after running Spy Bot. I tried to get rid of it. I even ran the Shredder and it still comes back. Does anyone have a fix?

Try downloading Spy Sweeper from:

http://www.webroot.com/wb/products/spysweeper/index.php

Once it's removed, go to Windows Update and download any CRITICAL UPDATE(S) available, also keep the antivirus program up to date.

Hope this helps!
Whiskey14

I've tried both "Spybot - Seach & Destroy" and "Spy Sweeper" in an effort to solve the same problem you have. No luck for me. Any success on your end?

Check out the following site for information:

http://www.annoyances.org/exec/forum/winme/t1075260322

Whiskey14

I'm not evensure what a DSO Exploit even is... can someone tell me please?

Kat.

Hi Kat,

The following site explains:

http://www.nsclean.com/dsostop.html

Hope this helps!
Whiskey14

I finally got rid of DSO Exploit using "Spybot Search & Destroy" with the following method:

Have "Search & Destroy" look for problems the usual way and then (1) highlight one of the "Data source object exploit" items, (2) Right click the highlighted item to bring up the menu list and select "More details", (3) Now click "Jump to location", (4) You are now viewing the Registry and can use the path shown in the Search & Destroy window to get to the key shown, (5) I manually deleted each of 5 keys and no longer have it coming back. I haven't noticed any change in performance so I trust that I did no harm but I am happy not to have the damned thing any more.

I am having the same problems. Using spybot I have come up with a registery file named " Patrick Dugan" can I delete this file using the method suggested by Cellarius without any problems?
Thanks

If all your critical updates are installed you are protected against DSO Exploit and the finding in Spybot is just a nuisance. Eliminate this by doing the following:

1 Open Spybot and select 'advanced' mode.
2 Select 'settings' in the left column.
3 Select 'ignore product' in the left column.
4 Select 'security' tab.
5 Place check mark in box beside DSO Exploit.
6 Close program
7 Open Spybot and run a scan.

You will find that DSO Exploit has been eliminated and if your computer does not harbour any other spyware you will see a congratulatory message.

Thank you for your help! ;D ;D

I'm having the same DSO exploit problem, I've run spybot, fixed the prob, and it still comes back. I followed the steps to get to the registry editor, but I don't understand how to delete the keys using the path in spybot... please help!

Follow the directions that Sudbury suggested. Spy Bot is aware of the problem and will correct it on the next release.
Rodgdog :o

I followed Sudbury's suggestion and the DSO Exploit is gone from my system. But do I now have to unclick the "Advanced Mode" in my Spybot?

No. Leave it as is. ;)

The reason that I ask is that when I switched to the Advanced Mode, a box came up that said that the Advanced Mode offered more options but some of these options might do harm to my system. Do you know what they meant by this?

I believe it means that you are allowed to do more changes in advanced mode that could screw up your system if you are not aware of what you are doing.
Be careful! Ask first if you are not sure.
Rodgdog

Wait! Wouldnt' that just ignore the dso exploits that pop up? It wouldn't read any dso exploits.. it would just ignore them and skip over them and not put them in the list of stuff that is on your computer.
I may be wrong on that.. please tell me if I am

Im confused now. I also have that DSO exploit. After I changed the settings it doesn't pick it up at all. If spybot just ignores the DSO exploit how is that going to help anything? A problem that I picked up at the same time as the DSO exploit is TIBS, which was found by spyware, and it also keeps coming back and ideas on that?

If you are current with your windows updates then you are ALREADY protected from the DOS Exploit.

The reason it keeps showing in Spybot is because of an oversight in the coding of Spybot... it is not checking to see if you have the Windows Update installed, thus falsely reporting a problem.

Sudbury instructions are telling you how to set Spybot to ignore the error.

Way to go! I entered DSO Exploit in Google and got this site. Steps for eradicating DSO exploit were very detailed and easy to follow. Indeed registry edits did get rid of the exploit. Only I was confused to see that I had to remove five 1004 keys from folders 0 through 4 but Alicka says we have to remove 10 files?
I have Lavasoft Ad-Aware and Spybot program and both found different stuff on my computer. Lavasoft kept finding CoolWebSearch and Spybot mostly complained about DSO Exploit. I have hopefully removed both and updated by Win98 from MS webpage.
QUESTION is that should I change my passwords to credit card, bank accounts, stocks, Amazon and all other place I have visited and entered passwords online to get in? I had these two problems for over a week before I finally got rid of them.

Thanks

Good on yer alicka. I came across this site after having grief over DSO Exploit. As all of you say Spybot can't get the bugger out. For weeks I have been trying so thanks again alicka.
Also I have Web Dialer coming up often. I have done the same process on that. Do you think that will keep it off my PC.

I too am cursed with the DSO Exploit thing. I followed all the instructions to get rid of it but when I look in the folders under "0" it wasn't in all of them... 1004 file. I did delete it in two of them but it simply isn't in the other folders . Yet when I do another scan it finds it with three incidents instead of the original five. I've looked over and over again and there is no 1004... what's up with that? Now when I get rid of this thing is this going to get rid of this horrible pornographic site that keeps coming up (no pun intended)?? This is really annoying me terribly. My firewire is on, my Microsoft critical up dates are all fine, new virus definitions, same with not one but three different spy catcher softwares. What more can I do??
Thanks for all help in advance.

Hey sudbury----- great work!! Your process to remove that b--ch dso exploit was quick& easy. KEEP UP THE GOOD WORK!
LHR

I ran spybot to find dso exploit.
I expanded the list, and used spybot app reganalyzer to go to the 1004 entry.  Then I highlighted, hit shift key and delete key simultaneously, and clicked yes to delete to free space, bypassing the recycle bin.  
It is your registry, so wise to back up the registry.  
Anyway, no more problems with dso!

And thanks to Sudbury for how to use advanced tabs!

Alicka, I am sorry to change direction from DSO exploit to CoolWebSearch but I looked in all of Google and can't find a fix that works. I have coolwebsearch Searchx curse on my computer. I deleted MS Java and installed Sun Java, I got all updates for my Win 98 and then I went into registry and deleted a few entries with cool and coolweb in the comment column.
Every time I startup my PC the browser is hijacked, I remove the spyware using AdAware, spybot and CWshredder and it is gone. Next time I start my PC and it's there again! PLEASE HELP!! :(

If you are having problems in locating the HKEY_USER files to delete ask me! There are approximately 10 files you must remove to get rid of DSO exploit.


I am asking for help. There are thousands of files with loooong file names.

Can't seem to find the right one.

Thanks in advance!

Also...

I have Comcast cable connect, and when I click on IE on my desktop, I find that my browser has been hyjacked from the MSN home to here.res://vkkit.dll/index.html#37049

This normally didn't concern me, but know when I click on one of my favorites, it won't take me there. Doesn't matter which one I click on, I am stuck using my AOL, or Mozilla.

How do I get my IE browser back?
Thanks

??
I followed the instructions as far as altering (deleting) those registery keys, using regedit, however, even upon restart of the computer and re running my SpyBot I still see this DSL Exploit. Before deleting registry keys I was getting DSL Exploit 5, afterwards I am getting DSL Exploit 3.

IBM Machine, WIndows XP Pro

All windows updates are totally up to date... Total confusion here... any ideas?

I'm having the same problem. I wiped out the registry codes like the guy said. I got it again this morning, so I wiped out the new registry codes that popped up. I keep getting these porn site pop ups. One is like p****pool (excuse my language) and the other two were like deep-anal.us and teeny site. It gets annoying real fast when I'm trying to work on something and these pages pop up. I've tried to get rid of it with spybot and I used spy sweeper the other day and it didn't help. I need to know if there is anything else I can do to get rid of it.

Yep, me too. I did delete that 1004 file but only found it in two of the five folders. Now it is still there but instead of having five tracers it has three. I was having the same porn sites as you pop up and it's extremely irritating when you have a ten year old standing by you! I would really like to see these idiots go to jail or pay a big fat fine. I down loaded SpywareBlaster and I think that's helping as I haven't had those porno sites pop up the last couple of days. Make sure you also down load the latest up date for Windows that became available on Friday. It's an important security patch and I think that's helping also. However when I do a scan that DSO Exploit is still there.

A Google search brought me here and I want to add my appreciation for this fix. It occurs on ALL our PC's but I sincerely hope this works! Thank you.

Hi kat555lady,

By all means, let Spybot get rid of it for you, you don't want it on the computer. Have you seen a web page with a name like CoolSearch, or somethng similar? If yes, you will want to download CWShredder from:

http://www.spywareinfo.com/~merijn/cwschronicles.html

Hope this helps!
Whiskey14 :)

Tried to access the above site but its dead right now. I was able to download from here: http://www.majorgeeks.com/download4086.html

I have used it before but it hasn't found anything - so far!

So Alicka... what DO you do? This hole that's now in the regetit... how do you fix this?? Was that what this latest patch was that Microsoft made available on Friday. I'm sure they've been aware of this weakness in their operating system for some months now. I am no longer having these porno site come up but the DosExploit thing is still there when I do a scan. I want it gone! Could you walk us through it carefully, step by step and if you've already done it but only found the 1004 file in two of the folders why is that, is there a different file number that needs to be deleted? Thanks as all help is greatly appreciated.

:'(
I am listed as a "newbie" on this site, and I have to say
I am disappointed. The one person listed as an "expert" seems short tempered... VERY VERY smart... but short temptered all the same.

When you tell someone especially a "newbie" to delete things in the registry and they do JUST THAT, you shouldn't come back and type things like

>>>>>>>>>>>> FOCUS>>>>>>>>>>>>>>>>>

That makes "newbies" feel pretty stupid. I THOUGHT this would be a good idea to post a question here
And get help from people who "wanted" to spend time helping others that just 'don't get it'

But I can see that is not the case. I will not be posting here anymore, Im almost afraid to ask another question.

OK right, If no one's noticed yet, the DSO Exploit is caused by microsofts Internet Explorer, one of the most popular yet least secure Internet Browsers avalabel, any way, you stand little chance of getting rid of the DSO Explait (unlees you "locked" your registry and "unlocked" when you wanted to install some thing)... I wonder what the Microsoft Tech support would say if you asked them about it, well any way, if you serach for DSO Exploit on microsoft.com (I mean a full search including every thing) you get 11 results that arnt relevant to the fixing of the DSO Exploit so ither Microsoft don't know it exsists OR they denie it exsists, ither way there a bunch of idots, any way, if Microsoft don't know about it/denie it what chance dose any one have of removing it (Come to think of it, it's almost exacly the same problem with ISS webhosting, Microsoft carnt make it secure, who can? I've said what I wanted to say, now I'm leaving)

Hi,

I feel the same way as Beanie, if you get fed up answering the same questions day in and day out, why not copy and paste it, it makes so much easier.

Remember not everyone knows a lot about computers or anything else for that matter. I'd rather give someone an answer starting with a step one. When you answer questions online, you do NOT know how much the person asking the question knows, they might even be more knowlegable in other areas of computing than you.

Regards,
Whiskey14

I am a newbie and have the same persitent problem. Can DSO Exploit be avoided by using another browser such as Netcaptor or Mozilla? If so, any recommendations? Thanks.

I just wanted to thank Alicka for his advice - followed your instructions & it's passed on to a better place!

Cheers! :)

I've tried Alicka's method and I'm still having problems

One thing I haven't heard is what DSO exploit does to your system... I know I have DSO.. SPYBOT tells me so
But I can't get to regedit nor can I get to task manager,
Is this symptomatic of DSO?
Following Alicka's method I get to step 4 but I get lost with step 5 any help please... >:(

Hello,

I am new to this forum, but I have had a similar problem. I had mutliple adware coming back after running spybot, adaware and norton antivirus. The problem was that the adware would only reappear after running internet explorer. The problem was a service that was tied to IE, so that it would only launch when I run IE and put files in the windows dir and system32 dir and make changes to the registry. This could be everyone's problem (ie not exactly the same but similar) is a service that either runs when windows startup or when you run some other program. The problem is that there is no easy cure. I had to look at each process in the Windows Task Manager (Ctrl Alt Delete) click on the Processes tab and Google each process running. Once you find it, you have to end that process before you can delete the file as windows will tell you that it is currently using that file and won't let you delete it. Then you should go though the registry and remove keys referring to that file. You should also check and see if it has a CLSID for that file and search through the registry using the CLSID and remove those keys as well. For me I had one process spawn more processes/services and it took me a day once I knew what I had to do. A word to the warning, some site will tell you that a process is a virus / spyware / adware when it is not and it is a window system file that is needed! Check mutliple sites to see where the process should be running from to see if the process is a bad one or good one. Also a good tool is Hijackthis.

Well, this may have been too much information for beginners, but this might get the experts here something to think about when a beginner tells them that they followed the experts advice but the spyware keeps come back.

Hope this helps in some small way.
Case

First timer here... on my hubbys puter, he has the DSO Exploit that he has tried everything to get rid of it, but it keeps coming back... he has a pop up that continually shows up that says its Microsoft Explorer and it says 'spyware detected'... that pop up is driving him nuts...

We've gone into the keys as you suggested and as soon as we reboot and run a scan, they are all back... that quick...

He also has 'webdialer' that he can't get rid of either...

His Norton is up to date, and everything else is current... this just started two days ago...

Sorry to sound like a beginner but I thank you for all of your help in advance...

Hi Kat,

The following site explains:

http://www.nsclean.com/dsostop.html

Hope this helps!
Whiskey14
I used this and it said it worked (we will see if it comes back) I try to run it a second time and it said it was gone!

How would I make a password without using spacebar as a keystroke?
Does this question make sense? I think I know what I'm asking but I'm not sure.

Zeala

All right, I have tried every single thing in this forum, and DSO exploit is still running on my comp, it always DC's me from my games I am playing, and is starting to severely piss me off. I really need help, there is no delete option and no "0" folder, a 1,2,3,4 folder or anything, no 1004, I have 1005. I'd really apprecaite any help you guys have. Thanks a ton.

Hi Everyone,
 I have read through all 4 pages of posts and I think I can add some light to some of the confusion and problems people are having with the recommended fix.  PLEASE NOTE.  This fix is recommending you edit your registry file.  If you make a mistake and delete or modify something you shouldn't, there is a chance you could mess up your computer.  I would recommend getting a registry backup program and back your registry before you attempt the fix.  You can find a registry backup utility at www.zdnet.com under downloads and search for registry backup.  That being said...

I attempted to do the steps and when I selected the Jump to Location. The Registry editor opened but not to the location of the key referenced by Spy Bot.  I have a feeling this same thing is happening to others.  The trick is to navigate to the very top of the Left hand pane.  Then from there you can locate the keys by double clicking on the folders referenced in the path to the key.  Also once there, under the Zones folder you will see the 0,1,2,3,4 folders and in each of them is a 1004 key.  In my instance, I actually had Spy Bot list 6 registry entries. See below

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Inter net Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1708537768-789336058-725345543-3254\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1708537768-789336058-725345543-1183\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Inter net Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Inter net Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Internet Settings\Zones\0\1004!=W=3


I have not finished yet but I imagine that I will have the 0,1,2,3,4 folders under each Zones folder.

I saw also that several people were asking how to delete.  To delete the registry keys, right click on the 1004 key in the right hand pane of the registry editor and select delete form the drop down.  You can also left click the 1004 key and then hit your <delete> key on your keyboard.

Good luck out there.

UPDATE: I removed the 1004 key from all 6 of the 0,1,2,3,4 folders and now the DSO Exploit is eliminated.

Happy Hunting. ;D ;D ;D ::)

Thanks for all the info on this thread, I have followed it and it has enabled me to get rid of DSO exploit, however I still have a problem, which may or may not be linked to it. When I log onto the internet, the number of bytes sent is always at least twice the amount received and information is transferred even when on a static page.
I have run Norton Anti-Virus (updated), Ad-Aware and Spybot but nothing is now found.
Any ideas? I am connecting through YahooBTOpenworld using a standard dial up connection.

Help would be gratefully received

I dowloaded Mozilla and am using it as my browser. Problem solved. I am glad because I am not comfortable with altering my registry. Mozilla's tabbed browsing function is cool too. Maybe DSO Explout was a blessing in disguise.

wow... I did what sudbury said...

1. open spy bot
2. selct advanced mode
3. select the settings tab
4. select block products
5. select security tab
6. check off the box for DSO exploit
7 CLOSE spy bot
8. open spy bot
9 run a scan!!
AND IT WORKED!!
:) :) ;)  ::) :P :P :P :P :P ;D ;D ;D


Listen Dude/Dudette

You just don't get it.
Unless you remove DSO from your machine, YOU STILL HAVE IT!!

"blocking it" just excludes it from your list of results (basically just closing your eyes).

The block feature is there in case something that you want on your machine, (continually comes up, annoying), you are able to block it from the next scan.

If you think you have removed the exploit from your machine, you are sadly mistaken.

Unless you DELETE the files, IT IS STILL THERE.

Check out the following site:

http://www.nsclean.com/dsostop.html

Whiskey14

Whiskey14, this software seems to do AUTOMATICALLY what alicka is telling us to do MANUALLY. Right, no? If this is the case do we need to get the software? Or can we just do the clean up manually (per alicka suggestions)?

You can do either way, automatically with a free tool or manually. If you don't feel secure editing the registry, perhaps the tool is for you.

Hope this helps!
Whiskey14

I can see your retarded ;D

All right guys, back to the subject at hand...

1st of all thanks alicka for your help.

2nd, I read all of the posts on DSO and had a problem getting rid of it. I couldn't find a way to get to the correct file, until I read PH_Man's suggestion (on page 4) to go to the top of the tree and drill down through the directories to the '0' folder and there I found the 1004 key. All done. Didn't have 10 files just 5 (I think). The .Default folder didn't even have the 1004 key but was listed as a DSO folder on the S&D tool's list of problems. What gives? And how do I find the other 5 or 6 DSO locations (DSO doesn't come up in S&D search anymore)?

On second thought - could the number of location where the 1004 key is present/or has been changed be different for different people depending on their system configs? In which case it would make sense why different folks get different number of problems in their D&S search results. What say U?

3rd, I also keep getting the "about:blank" as my home page. I've done all of the near-fixes you mentioned previously (update IE, update Symantec, latest S&D tool, reboot, etc... ) noting helps. How do I get my home page back? BTW, right clicking on the page doesn't open a window (I wanted to check page's properties), does this mean it's a template and not a real web address?

To remove About Blank, download Ad-aware 6, a free program that you can download at:

http://www.lavasoftusa.com/support/download/

Check for updates before running program. Then follow the directions here to do a full scan:

The following explains how to set Ad-aware's settings to perform a "Full Scan."

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:

Scan within archives

Under Memory & Registry, Check EVERYTHING

In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:

Unload recognized processes during scanning

Include info about ignored objects in logfile, if detected in scan

Include basic Ad-aware settings in logfile

Include additional Ad-aware settings in logfile

Include used command line parameters in logfile

In Cleaning Engine:

XP/2000: Allow unloading explorer to unload shell extensions prior to deletion

Let Windows remove files in use at next reboot

UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.

After running Ad-aware, you must reboot your computer. It may be necessary to run Ad-aware two or three times if you have a lot of spyware, rebooting each time in between.

RESOLUTION



Users that knowingly have about:blank set as their homepage, and have no issues with a homepage hijack, can prevent this item from being presented on future scans by checking the box next to listings indicating about:blank, then right-clicking one of the checked items, and then choosing "Add selection to ignorelist."

Users that have a CoolWebSearch variant present on their system that wish to remove it completely can select the CoolWebSearch items, along with the about:blank listings, to fully remove the variant, and its changes, from their systems.

From: http://www.lavahelp.com/articles/v6/04/05/1801.html

Hope this helps!
Whiskey14

Users that knowingly have about:blank set as their homepage, and have no issues with a homepage hijack,

Hope this helps!
Whiskey14


Thanks Whiskey, but I did not have an issue with about blank for about a week, then, I was not able to access my Favorites, and I now have a major issue with "about blank"














                                       

I've been thinking...  When I run spybot it keeps showing me WebDialer and it doesn't get rid of it.  Is this the bug that keeps giving me about:blank home page in IE?  If that's the case my spybot is showing that it is residing in:

HKEY_USERS\S-1-5-21-1454471165-1801674531-839522115-1003\Software\Microsoft\Internet Explorer\Main\HOMEOldSP

Can I just go into the registry and do something to get rid of it, ala DOS Exploit?

Try running Ad-aware as explained or download CWShredder from:

http://www.spywareinfo.com/~merijn/cwschronicles.html

Either one should remove AboutBlank.

Hope this helps!
Lorry

Whiskey14, I appreciate the input and will try your solution/s, but my question stands for one simple reason. I need to know if webdialer is causing the about:blank IE page?

Yes, the web dialer is the culprit. Remove it.

Hope this helps!
Whiskey14

Well, I've read all five pages and I'm still not sure I'm getting all of this. (I have ADD so please be kind.)

I too have DSO Exploit, 6 entries showing on Spybot. When I right click on DSO Exploit "more details" "jump to location" it then sends me to the Register Editor with an open folder named "settings" on the left side.

On the right side are six files with a little {ab} boxed before the following six names:
Default
Anchor color
Anchor color visited
Background color
Text color
Use anchor hover color

I don't see a folder called "zones" and I don't see this 1004 file you guys are talking about. Am I missing something here or am I misunderstanding what to do?

Any help would be appreciated. Thanks.

Spock, initially I had the same problem.  When you get to location (link you clicked from spybot's page) and you see an inventory of folders, find the one that is listed in the spybot's list.  Then click on the plus sign to the left of the folder name and it will open up.  Go into it and keep clicking plus signs next to appropriate names of folders and they'll keep opening up until you get to the end (I think folder "0").  In there you'll see the key you need to delete.

To Clueless,

Thank you. Your directions were simpler and just what the doctor ordered. I had six entries Spybot found of DSO Exploit, and now I have one. For some reason that final one doesn't want to leave. I did exactly the same steps as given, but I can't seem to find this last 1004 file in all five folders - 0,1,2,3,4.

Oh well, I'll get it sooner or later.

I couldn't find one DSO as well, it was supposed to sit in the .Default folder, I never found it. Nevertheless spybot never showed it being there after I was done deleting the rest of them. Go figure...

In Spybot, the DSO Exploit should point you to a registry key like... Zones\0\1004.
It could be folder 01 instead of 0, but open the registry and go there. Don't depend on the "jump to" feature of spybot to do this.

The 1004 is called a DWORD. You'll notice that it's icon is different than most of the icons there. Here's what you have to do.

Right click on 1004 and delete it.
Right click on folder 0 (or 01) and create a new DWORD called 1004.
Double click on your new 1004 and give it a value of 3. Make sure the "Base" is chosen as "hexadecimal" (it is by default).
Click on OK and close the registry. You're all set.

I FINALLY got rid of DSO blah blah blah... I read in this forum about what to try.. I went to the advanced mode and took a chance. I hope I didn't screw up our computer. I'm still not clear how that helps... all I know is that DSO is gone... for now.

For anyone with those awful porno pop-ups... I downloaded CWShredder and it did the trick. I currently have Spybot Search and Destroy, Spyware Blaster and CWShredder. It is THE only way I've been able to use the computer without the porn and other stuff. My only complaint now is something called Best Online Casino that pops up and becomes an icon on my desktop. Can anyone tell me what to do about that?

Sudbury,
I tried to do what is listed below and I thought it worked. The problem is that now the porn that was a problem before is back. I had to go back and uncheck the DSO and get out of advanced mode. The porn is gone now , but DSO is back. I don't get it. Any ideas?
Counselor

If all your critical updates are installed you are protected against DSO Exploit and the finding in Spybot is just a nuisance. Eliminate this by doing the following:

1 Open Spybot and select 'advanced' mode.
2 Select 'settings' in the left column.
3 Select 'ignore product' in the left column.
4 Select 'security' tab.
5 Place check mark in box beside DSO Exploit.
6 Close program
7 Open Spybot and run a scan.

You will find that DSO Exploit has been eliminated and if your computer does not harbour any other spyware you will see a congratulatory message.

]... but DSO is back. I don't get it.  Any ideas?
Counselor


It must be a coincidence. They aren't related. All you've been doing is telling Spybot to ignore the DSO Exploit.

When you run spybot, it gets rid of the DSO Exploit. The problem is that a bug in spybot's fix changes the DWORD 1004 in the... Internet Settings\Zones\0 folder into a String Value 1004. When you run spybot again, it sees that this area is incorrect and identifies it, again, as the DSO because it thinks that any problem in this area is the DSO Exploit. Sudbury's fix simply tells spybot to ignore it from now on. This is probably OK since the DSO is actually gone. However, if you get it again, spybot won't see it.

If you want to put everything back properly, you need to:
1. Open the 0 folder
2. In the right pane, right click on 1004 and delete it
3. Right click on the 0 folder and choose New then DWORD Value
4. A new DWORD key will appear named New Value #1. Rename it to 1004 and hit Enter
5. Hit Enter again (or double click 1004) to open your new 1004 DWORD
6. A dialog box will appear. The Name Value at the top will be 1004. On the left is a box to enter a Value data. Place a 3 in this box. On the right is a place to choose the BASE. Make sure hexadecimal is chosen
7. Click OK and close the registry

The next time you run spybot, the problem should be gone, and you don't have to tell spybot to ignore it.

GTX or wateva, if you don't know what your going on about then don't give advice.
Well, isn't that ironic? I've got an illiterate kid and self proclaimed "full expert" attacking me.
The GREAT N POWERFUL ALICKA (as he calls himself) simply doesn't understand the problem.

Just about everyone here has run Spybot, told it to get rid of the DSO Exploit, run Spybot again and found the DSO still there. It's not. It's a bug in Spybot that will be fixed with the next update. They already have the fix for it, but it didn't make it into the last update.

After you run Spybot the second time, it will tell you the DSO is still there. Click each check box and find all the 1004 locations that it points to. It may be only one, or it may be several.
Open your registry (Start/Run/and type in regedit). Don't bother with the "jump to" option of Spybot, it may only confuse you.
Follow the steps I've outlined in my previous post for each instance of 1004 that Spybot says is still infected.

As backup for my claim, I'm going to point you to the Official Spybot Forum. I don't know if I'm allowed to give you the link, so I'll post it in a separate reply (below) just in case it gets deleted. In the meantime, you can find the official forum by opening spybot, clicking on the "Info & License" box and then on "Credits". At the bottom of the page it gives you the forum address.
When you get there, click "forums" at the top of the page and then "enter forum" at the bottom of the next page. Browse down to the "Official Spybot Search & Destroy Forums" sections and choose "Spybot Search & Destroy 1.X" At the top of the page you'll see the pinned topic "DSO Exploit reappears after fixing".

OR... if you hold "The GREAT N POWERFUL ALICKA" in as high esteem as he holds himself, you can try to follow his misguided directions (which may or may not work, I haven't tried them).

Here's the Official Spybot forum. The first link is to the main page, the 2nd to the topic.

http://forums.net-integration.net/

http://forums.net-integration.net/index.php?showtopic=17159

Guys... can we all just get along?.  Nah, just kidding.  But seriously, most of us, mere mortals, only care about fixing our systems not who's a bigger expert.

GTX, why did you suggest not just deleting the 1004 key out of the registry but also to replace it with a new key?  I followed alicka's advice from before to delete 1004 key and it worked.  What will happen if I leave my registries without the 1004 key (PC seems to work fine)?

Thanks for all the info.

I have used the advanced mode to hide Dso but new want to reverse this.

How do you ge t to the O folder which is the first step?

Thanks

Peter

1004 is a security setting. It sets the policy (rules) when a url wants to take control of security settings in downloading unsigned activeX. The value of 3 (0x03 actually) sets URLaction_Download_Unsigned ActiveX to DISALLOW.
Here's one link explaining it. I'm sure you can find more if you're interested in these things.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wceurlmn/html/cooriURLMONRegistryKeys.asp

How important this setting is to your computer is up to you to decide. Before you got the DSO Exploit and ran Spybot, 1004 existed and most likely had the setting of 3. It takes less than 10 seconds to put it back to the way it was.

Clueless, it makes no difference to me what you do to fix the problem. I'm glad you fixed it and you're happy. The real question, though, should probably be why someone would advise you to delete the key altogether, not why I suggest putting things back the way they were.
I'm not "great and powerful" or a "full expert", I'm just a guy.

1004 is a security setting. It sets the policy (rules) when a url wants to take control of security settings in downloading unsigned activeX. The value of 3 (0x03 actually) sets URLaction_Download_Unsigned ActiveX to DISALLOW.
Here's one link explaining it. I'm sure you can find more if you're interested in these things.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wceurlmn/html/cooriURLMONRegistryKeys.asp

How important this setting is to your computer is up to you to decide. Before you got the DSO Exploit and ran Spybot, 1004 existed and most likely had the setting of 3. It takes less than 10 seconds to put it back to the way it was.

Clueless, it makes no difference to me what you do to fix the problem. I'm glad you fixed it and you're happy. The real question, though, should probably be why someone would advise you to delete the key altogether, not why I suggest putting things back the way they were.
I'm not "great and powerful" or a "full expert", I'm just a guy.



FINALLY, someone who writes comprehensibly, actually explains what things actually do, and provides links.

Sorry, but I couldn't resist jumping in here.

I have been watching the DSO Exploit-related questions/pleas and "answers" coming in and out of here for quite a while.
I had decided to let them be...


I keep watching "THE GREAT N POWERFUL ALICKA" flaming other members in this thread whenever they offer a different idea or opinion. In this case GTX_SlotCar is bringing information from the Spybot developers themselves, which I suppose has got to be worth something.


I would suggest everyone interested read the ENTIRE Spybot forum thread. It will tell you everything you need to know to fix the problem on your system, and understand why it occurs and why it needs to be stoppered...


To "THE GREAT N POWERFUL ALICKA":
You are not always right. You may think you are, but the world just doesn't work that way. You need to Stop flaming everyone who disagrees with you. What makes you think you are the final authority on everything?


Oh, and GTX... the 1004 DWORD... If it _is_ deleted, what will IE do with itself? Logically, one would think the key would be recreated, with the default value of 0x03, the way it should be, but who knows..


Oh, and by the way, _please_ stop using Internet Explorer. It is bad.



:)

~psi42

I followed Sudbury's directions and they seem to have worked. Thanks :D

GTX, it seems like you're defending your position.  The problem is, no one is attacking it.  Read my question again.

I couldn't care less if I delete a key or change it back to the original setting, I just don't know enough to make the right call (that's why I'm asking).  If you would have come along first, then I would've changed it back to the original setting instead of deleting it.  I thought 1004 key was created by the virus not changed by it, which meant I needed to delete it.  Enough on semantics.

So...
1st, GTX and psi42, which one is it?  Do I check to see if IE recreated the key or do I go and recreate it myself?  Also, by recreating the key to it's default setting am I setting it to allow the same virus to enter my PC and start this cycle all over?  If the answer is no, then please explain what has changed.

2nd, I have a few viruses that are quarantined by Symantec AntiVirus but that are not showing up during the S&D search. Viruses like: Trojan.BiteVerify, MHTMLRedir.Exploit, Download.Ject. Any insight?

To Clueless... Hello how are you? Listen about your antivirus scanner. I would recommend downloading one of the best anti-virus scanners out there it is called F-Secure Anti-virus by DataFellowes. I have been using it at work, it is on the network at work, and I have been using it at home. It picks up viruses that norton and mcafee won't and it also picks up malicious (bad) code that aren't identifiable. About that download.ject virus. Microsoft, on their website about a week and a half ago, had a patch for the download.ject virus. Go here to download the tool from Microsoft http://www.microsoft.com/downloads/details.aspx?FamilyId=FC84B8B5-A64D-4837-B65F-96925A514F71&displaylang=en Make sure you read the page and follow the directions As for the anti-virus, go here http://esd.element5.com/demoreg.html?productid=513510&languageid=1 and download the trial version, but remove your other anti-virus scanner first. Symantec has been known to be a "corporate" business out there to make money, there are other companies who do "real" work and "care" about their customers. Learn how to use the program, it is not difficult. And make sure you update those virus defintions. Any problems, you jot it in the forum and I will try to assist ANYONE...

I've been on vacation for a few days, so please excuse the belated reply.

GTX, it seems like you're defending your position.  The problem is, no one is attacking it.
My position was attacked by one person, but I wasn't suggesting that you were doing it also. I was sincere in saying that I'm happy that you found a cure that satisfies you.


]So...
1st, GTX and psi42, which one is it?  Do I check to see if IE recreated the key or do I go and recreate it myself?  Also, by recreating the key to it's default setting am I setting it to allow the same virus to enter my PC and start this cycle all over?  
To the best of my knowledge, Windows will not automatically recreate 1004. It may do it if you change your security settings as each user on your computer, but I don't know. Doing it in the registry is faster and a sure thing. The DSO Exploit is not a virus.
The DSO Exploit would probably create the key if it wasn't there, so that's no protection. If you have all your current Windows updates, you won't get this DSO Exploit again. This door has been closed and can't be exploited again.


]2nd, I have a few viruses that are quarantined by Symantec AntiVirus but that are not showing up during the S&D search.
The programs shouldn't find the same problems. One is anti-virus, the other is anti- adware/spyware/malware.

1. Open the 0 folder
2. In the right pane, right click on 1004 and delete it
3. Right click on the 0 folder and choose New then DWORD Value
4. A new DWORD key will appear named New Value #1. Rename it to 1004 and hit Enter
5. Hit Enter again (or double click 1004) to open your new 1004 DWORD
6. A dialog box will appear. The Name Value at the top will be 1004. On the left is a box to enter a Value data. Place a 3 in this box. On the right is a place to choose the BASE. Make sure hexadecimal is chosen
7. Click OK and close the registry

The next time you run spybot, the problem should be gone, and you don't have to tell spybot to ignore it.


I did this, ran Spybot, and it did not find DSO Exploit anymore :). This is easy fix, just delete one value, and add one. Thanks GTX for the tip.

I got to this forum because I did a search for "DSO," which is what spybot said I have. I think I effectively removed it following all previous instructions. Thanks. But, my problem still remains... When ever I open IE browser it is hijacked to http://ssearch.biz/?wmid=1010 and I can't use the forward or back buttons. Please help
THANKS IN ADVANCE

You might want to try running cwshredder which can be found here:
http://www.spywareinfo.com/~merijn/downloads.html

Thanks GTX. I tried that. No Luck though. I ran a program callede HIJACK THIS and I save the following log. Maybe someone can identify the culprit for me from the list.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0001.1004\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0001.1004\en-us\msntb.dll (file missing)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0001.1004\en-us\msntb.dll (file missing)
O4 - HKLM\.. \Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\.. \Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\.. \RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\.. \Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\.. \Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: AirFortress® Client.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: One-VA VPN Client.lnk.disabled
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

Thanks for any help.

All right.. so I just spent the last hour reading all the replies to this DSO Exploit thing and don't have all the answers I need because so many different people have given different ways of fixing it. Can someone please give me answers to the following questions:

1) How can I completely delete it of my computer without harming anything or deleting anything of importance.

2) What is this DSO exploit anyway so many people have asked and there haven't been any answers... does anyone even know how harmful it is to my computer... Ive gone to the link that is apparently supposed to tell you what this thing is and it didn't explain anything.

Thanks ahead of time for the advice and sorry if you have to repeat yourself to tell me how to delete it, its just because I don't know who instructions to follow.

Katdaddi

Ssearch.biz is a hard one to get rid of.
Try Adware Away at this link:
http://www.adwareaway.com/ssearchbiz.htm

Thanks GTX. OUTSTANDING. It's gone and browser functions have returned. Truly grateful.

What site can I download spy bot from?

http://www.safer-networking.org/en/download/index.html

G'day all~
Well well well... Ok peeps n perps Microsoft have finally brought out some vulnerablity patches, these patches are for the OS security flaws and IE security flaws. That's it, all your problems rectified.


Réδ√röv¿╦ûΓÜ√○b!!   ;D ;D ;D

alicka,
So you say the problem can be fixed... awsome but how do I do it... sorry I'm allitle computer slow... so if you could explain that would be awsome. Thnxs! ;D

Hey matey, yea don't sweat your not slow your just lazy :P hehe, yea all you have to do is go to microsofts patch site and get the cumulative and vulnerablitly patches MS04-022,-023 ,-024. IF you haven't already got IE6 wiv service pack 1a, then plezzzz get it~


Um its not to hard to find the patches but if you do have trouble then get back to me and il show you the exacto mondo spot! Okiely dokiely

Regards~ ;D

Wow, THX Cellarius and all the other helpful techies! I fixed the DSO problem, and it seems my computer is going faster than it was a few minutes ago, or I might be hallucinating due to my extreme happiness of getting rid of that darned thing! Thanks again! ;D

THANK YOU "GTX Slotcar"! The information in your posts is priceless. After reading your posts I have a good understanding of DSO Exploit and why SpyBot kept detecting it even after I went through the necessary steps to remove it. After following your easy-to-follow, step-by-step instructions, I now finally receive the SpyBot congratulatory message "no immediate threats found". Thanks for taking the time to post!

Hello

Just run spybot s&d, dubble click on the problem, right mouse click on it, then details, go to location, then delete it in the register,

Greetz ::)

Why didn't I think of that! :o
On the rite track lad, but jumping to location doesn't always take you to the exact file you need to delete.
It usually goes to the last location you were in prior.

Doesn't sudbury's thing just ignore it? How do u GET RID of it?

Yes, it just ignores it. And hear I thought I was talking a nother language :D. The manual fix is in here, or you can just get the latest Service packs and patches for IE 6 preferably n The OS you are using.

Regards~

How are you doin'? 8) I'm new here, but that sure doesn't mean that I'm stupid or annything. I have the DSO problem( if you could call it a problem). OK, so I got Spybot, Ad-aware, McAfee. Well, I'm all good, except when I run Spybot I keep gettin' the 5 DSO Exploit errors. You know. Then I fix 'em, and everythin' is good again. Then the other day I scan again, and I get the DSO's AGAIN, I fix them AGAIN, and everything is good AGAIN. Then the other day, I scan AGAIN, I get DSO's AGAIN... you get the picture ;)
But what I am askin' about is - I DON"T HAVE ANY PROBLEMS with DSO's. I mean, everythin' works fine, I only get the DSO's in SpyBot every time. But that doesn't seem to harm me, you know? Do I still have to go to the registry and fix the problem? And if yes, then please tell me if I am right - I go there and delete the 1004 from those five files? Is that right?
Thanks guys. I really appreciate your help.

I think you're saying that you fix the DSO and a few days later you run Spybot and it's there again. Right?
If you've added the security updates to windows, it's not a problem. You won't get it again, even though spybot shows it.
Here's what happens. Run spybot and get rid of the DSO, then run it again, right away, and you'll see it's still there. But, it's really not. Spybot just thinks it is because things in the registry haven't been put back together correctly.
If you don't fix the registry, you'll never know whether you've actually got the DSO again or not because it'll always show up like it's there. (If you've added the security updates, it really won't matter.)


If you want to put everything back properly, you need to:
1. Open the 0 folder (s)
2. In the right pane, right click on 1004 and delete it
3. Right click on the 0 folder and choose New then DWORD Value
4. A new DWORD key will appear named New Value #1. Rename it to 1004 and hit Enter
5. Hit Enter again (or double click 1004) to open your new 1004 DWORD
6. A dialog box will appear. The Name Value at the top will be 1004. On the left is a box to enter a Value data. Place a 3 in this box. On the right is a place to choose the BASE. Make sure hexadecimal is chosen
7. Click OK and close the registry
The next time you run spybot, the DSO should be gone.

Gary

DSO Exploit

DSO Exploit is a glitch with spybot itself.
Here's hot to get rid of it.

1. Open Spybot and select "Advanced" mode.
2. Select "Setting" in left column.
3. Select "Ignore Product" on left.
4. Select "Security" Tab.
5. Put a checkmark in the little square beside DSO EXPLOIT.
6. Close Program.
7. Open Spybot and run a scan.

DSO Be Gone! :)

I turn first to the Internet. For instance, this week I have
Several questions about DSO Exploit. When I put that name in
Google (http://www.google.com), it returned 100 pages.
From them, I learned that DSO Exploit is actually a flaw in Internet
Explorer. It has been patched by Microsoft. However, according to
Several Web sites, a bug in Spybot Search and Destroy causes it to
Continually pop up. You should be OK, so long as Windows is updated.
Also, be sure Spybot is updated. You may be running an old version.

From Kim Komando Newsletter

Hope this helps!
Whiskey14

I'm surprised this thread is still going. I think all the misinformation is because people don't know what the DSO Exploit is.

1st, I wouldn't advise anyone to tell spybot to just ignore this. It only takes a few seconds to fix it right.

2nd, DSO's are part of Windows, much the same as dll's are (files with the .dll extension). They are Dynamic Shared Objects. You shouldn't say "DSO be Gone!", you should be saying "Exploit be Gone!"
DSO Exploit is not a flaw in Windows. There was a security flaw in this DSO (which is part of Windows) and someone has Exploited it (taken advantage of it). Now MS has patched it so that exploit can't happen on that DSO anymore.
Spybot gets rid of this exploit, but unless you do a security patch update on windows, you could get it again. Unfortunately, Spybot doesn't put the registry entry/entries back the correct way, so when you run spybot again, it thinks the exploit is still there and reports it again.
It only takes a short time to fix this the right way.

Gary

And the RIGHT way is... this, huh?
1. Open the 0 folder (s)
2. In the right pane, right click on 1004 and delete it
3. Right click on the 0 folder and choose New then DWORD Value
4. A new DWORD key will appear named New Value #1. Rename it to 1004 and hit Enter
5. Hit Enter again (or double click 1004) to open your new 1004 DWORD
6. A dialog box will appear. The Name Value at the top will be 1004. On the left is a box to enter a Value data. Place a 3 in this box. On the right is a place to choose the BASE. Make sure hexadecimal is chosen
7. Click OK and close the registry

And the RIGHT way is... 8) this, huh?
1. Open the 0 folder (s)
2. In the right pane, right click on 1004 and delete it
3. Right click on the 0 folder and choose New then DWORD Value
4. A new DWORD key will appear named New Value #1. Rename it to 1004 and hit Enter
5. Hit Enter again (or double click 1004) to open your new 1004 DWORD
6. A dialog box will appear. The Name Value at the top will be 1004. On the left is a box to enter a Value data. Place a 3 in this box. On the right is a place to choose the BASE. Make sure hexadecimal is chosen
7. Click OK and close the registry

And the RIGHT way is... 8) this, huh?


Yes :D

Ok, there is one more thing. This isn't quite about DSO's. It's about Win Update, which is about DSO's. 8) So, I need to be up-to-date with my security, huh? But what if I got some burnt programs on my PC, like Musicmatch jukebox, burnt Microsoft XL, Word and Outlook, burnt RecordNow Max. Can an Update detect my burnt programs and do anything bad??

I don't know how it could, so I'll have to say "no".
The update only patches windows files. It doesn't look for other programs.

Cause, you see, I had a burnt Windows before (which I did not know :o) and I updated my PC through Win Update, and after that it began tellin' me to activate my Win Xp Home. I pressed the activation button, but it said that there was some kind of an error (well, duh, my Windows is burnt :-/), so I had to buy a new one, and all the previous programs were lost, so my friend gave me the copies of his programs. And, you know, after that, I'm afraid to update my system. My Word, my XL, my Outlook, my RecordNow Max, my Musicmatch Jukebox... If I lose those programs... Well... I think the Update is just not going to be worth it... :-/

Don't bother updating, if your using a pirate version of windows and are on the net they know. You not the first nor the last, but you're an amateur. Your breaking the law mate... your a smartie alrite ;D

Slot<stil giving advice good to see 8) , anyone seen my cain??

Yo, yo, yo. I just said: I had a pirated Windows BEFORE. I updated it. Next thing I know I got to buy a new Windows ;D. Yeah, so, you see, I'm paranoid now about updating :-/. Cause I still got some pirated programs on my PC. I'm afraid to lose 'em.

Yo, yo, yo. I just said: I had a pirated Windows BEFORE. I updated it. Next thing I know I got to buy a new Windows ;D. Yeah, so, you see, I'm paranoid now about updating :-/. Cause I still got some pirated programs on my PC. I'm afraid to lose 'em.

Well AFAIK, Microsoft does not look for _other_ burnt programs on your system _yet_
I would think if you went to MS-office update, it would detect your office had a pirate cdkey... but I really doubt ms would go so far as to start deleting stuff _yet_

But you never know...

Just make sure to do a full backup... :)

Well, if that's the case, then which is the best program to do that? And where do I get it? Thanks.

Hi
I'm New here
And I too found this site by a Google search that brought me here because of the DSO Exploit.
I did all that was suggested here and get rid
Of the anoying DSO Exploit, also I switched my
Spybot program to the Advanced Mode.
But after I run a new scan with the Spybot
Program, it found me another problem
Called: Avenue A, Inc.
And when I pressed on the Plus that's what opend:
Tracking cookie (Internet Explorer: Atid) (Cookie, nothing done)

My Qustion is:
What it means??
And do I need to fix it??

Thanks in advance for any help.

Sudbury person from up there where all that cold air comes from. Your simple , easy to understand , cure
Worked like a charm. New at this site and illiterate on a computer. I appreciate your cure for the DSO problem. Tnx. Grady

I finally got rid of DSO Exploit using "Spybot Search & Destroy" with the following method:

Have "Search & Destroy" look for problems the usual way and then (1) highlight one of the "Data source object exploit" items, (2) Right click the highlighted item to bring up the menu list and select "More details", (3) Now click "Jump to location", (4) You are now viewing the Registry and can use the path shown in the Search & Destroy window to get to the key shown, (5) I manually deleted each of 5 keys and no longer have it coming back.  I haven't noticed any change in performance so I trust that I did no harm but I am happy not to have the damned thing any more.
:-*

THIS REALLY GETS RID OF IT. If you follow the other posts and just IGNORE the product in Spybot, IT'S STILL THEREThanks for your good words Cellarius, hope to return the favour someday 8)

Hi all, yes I am a newbie. Boy, am I grateful about not being the only one in this situation. I thought I had done something wrong! :-[
When I found this website I tried Sudbury's fix and I am free of
Dso! Thank you, Thank you, Thank you!

Willowtree

Obviously these people who are happy with that fix haven't read all the posts.

Okay GTX, what am I looking forward to? I take by your answer this is not the fix.

Am I "Jumping the Gun."

Willow

Am I "Jumping the Gun."

Willow
Yes.
And I hope you're not free of DSO, but free of the exploit. You might want to read pages 5 through 7 of this thread.

If Willowtree and Grady and countless others are happy with getting DSO Exploit off their screens with a minimum amount of fuss and bother that's fine with me. Check Spybot regularly for updates because they are going to issue a permanent fix soon.

Sudbury

I want to thank you both for your imput. I am not a super computer person. I am just learning as I go along. So, at this point I can use all the help I can get. All I am looking for is something that works and something even I can understand.
Take care,
Willow

If Willowtree and Grady and countless others are happy with getting DSO Exploit off their screens with a minimum amount of fuss and bother that's fine with me.
Sudbury

I don't know if the others are 'countless', but it's fine with me, too. I think they should realize they're running without a security setting there doing it that way, but as long as they're happy...
Yes, spybot already has a fix for this. They had if for their last release, but it didn't make it in. It will be in their next release, soon, but we've been saying this since this thread began, April 16th.
I think people find this thread looking for help. Most of them start reading at the beginning, try stuff until something seems to work and never bother reading further.
If it really bothered me, I'd start a new thread ;)

Hold the phone.
Here is the real solution to the problem:
http://www.experts-exchange.com/Security/Win_Security/Q_21054787.html

Disabling the DSO Exploit check is really silly advice.
By the same logic, you could just uninstall SpyBot and not get any notifications from it.

The DSO Exploit is an important security hole to know about. The other advice above describing the Exploit and steps to manually remove it by making changes in your registry are the right way to go. Read the registry change instructions carefully and everything will be fine.

I came here looking for help. If I have done something wrong, I need to know. I love my computer. It is not only a tool, it is a gateway to the world for me. The websites that have taught me so many things and lets me keep in touch with my family and friends at the touch of a keyboard.
Most of the things, you all talk about, I have never heard or know about.
Everything, so far, I have taught myself. So, I am open to anything that teaches me how to take better care of my computer.
Thank you all for your help.

Willow ;)

Hold the phone.
Here is the real solution to the problem:
http://www.experts-exchange.com/Security/Win_Security/Q_21054787.html


I find it rather amusing that the first post in that thread points right back to this mess...

;D

I don't suppose someone who has posted on the first page could edit their post to reflect the fix? That way maybe a few less people could do the Wrong Thing?

Do not go the above link for the experts exchange. You have to sign up to even read the forums, and get bombarded with scripts upon entering. It is sites like that which are half the problem and should be avoided. Any real solutions should be posted here for all to see freely. Could you post the answer from that site here? Also, I changed all the registry key values to 3 like suggested, and 2 entries still show up on spybot. Is this an issue with spybot or what?

 Any real solutions should be posted here for all to see freely.  Could you post the answer from that site here?  

It is posted here.
I've posted this in 5 forums and this is the only one that still has activity on it. On those others, I didn't even go into detail about what a DSO is or how it's "Exploited", or why Spybot keeps identifying it when it's gone. I've checked my procedure with the "official spybot forum" and it's correct. I've even given the link to that forum.

In this thread, you have basically 3 opinions of what to do. One says to tell spybot to ignore the DSO Exploit once it's found it the first time. The other says to look up the DWORD in the registry and just delete it (actaully, at that point it's a String Value), and the other says to delete the String Value 1004 (each occurance) and create a DWORD 1004 (which is what it was before spybot mis-recreated it) because it's a security setting that shouldn't be ingored.
All of them say you should run Windows Update for the security patches so you won't get this exploit again.

Now it's up to you to decide which fix is right for you :)

Gary

Do not go the above link for the experts exchange. You have to sign up to even read the forums, and get bombarded with scripts upon entering.

Um... I didn't have to sign up for anything..?



Now, I think it's time we really cleaned this thing up. This thread is 10 pages long because we have three conficting "solutions."

One is to ignore the problem
One is to fix the problem
One is to delete the 1004 key

Now, can somebody who deleted the key please go back into the registry, and see if it was recreated, and what value it holds? Then maybe we can see if deleting the String Value entirely fixes the problem, or if it doesn't. Obviously changing it to a DWORD with a value of 0x03 _does_ fix the problem, we've established that. Now let's try to break the confusion, and figure out just what happens when the 1004 String Value is deleted.
(I'd do it myself, but I haven't got a windows box handy at the moment ;D).

:)

~psi42

Anti DSO Exploit Manual Fix Locate DSO Exploit by Spybot - Search and Destroy

Mostly we recognise that infected by DSO Exploit when run SpyBot Search and Destroy.

To check if SpyBot not ignoring DSO proceed:



1)      Choose from Mode / Advanced Mode

2)      Enter Settings

3)      Ignore products

4)      Security

5)      Uncheck DSO Exploit if checked in box.

6)      GoTo Spybot-S&D

7)      Check for problems


Fix the problem manually in Registry

If you see DSO Exploit (usually 5) select if first and

Fix selected problems

Then do operation below



1)      Open regedit from run mode:

2)      GoTo:

HKEY_USERS/DEFAULT/Software/Microsoft/Windows/

CurrentVersion/Internet Settings/Zones/0

3)      See if 1004 is REG_SZ or REG_DWORD

Most likely its REG_SZ because of DSO Exploit.

4)      First delete 1004 Value - its wrong.

5)      Proceed to Zones/0 , right click 0 File and

add new DWORD Value. (New/DWORD Value)

6)      Change Name of this Value as 1004 ,

right click to 1004 and change Value Data from 0 to 3.

7)      Check if there is 1206 already exist.

8)      If not process same operation as for 1004

and leave Value Data of 1206 as 0.



This operation needs to be done in all of these files:



 I.      HKEY_USERS/DEFAULT/Software/Microsoft/

Windows/CurrentVersion/Internet Settings/Zones/0

II.      HKEY_USERS/S-1-5-18/Software/

Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0

III.      HKEY_USERS/S-1-5-19/Software/

Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0

IV.      HKEY_USERS/S-1-5-20/Software/

Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0

V.      HKEY_USERS/S-1-5-21/Software/

Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0

Check the result

When operation is done check the registry codes (should be as shown in picture beside) and run Spybot for final check up. Hope you won't see DSO Exploit anymore.

Spybot - Search and Destroy

If you don't have Spybot Search and Destroy (its COMPLETELLY FREE) you can download it just clicking on that link: ftp://ftp.download.com/pub/win95/utilities/spybotsd13.exe

http://www.ramesses.8m.com/images/anti_dso_exploit_in_regedit.jpg

Enjoy your surf!

P.S. Also you can find it on http://www.ramesses.8m.com/custom.html

P.S. Thanks GTX for locating a mistake - I've wrote Explicit instead Exploit before. :)) Was very sleepy because didn't sleep for 30 hours to that moments. ;-)

I think it recreates some of them if you delete them, so they keep showing up again on spybot. It DOES stop showing up if you find each individual 1004 entry that remains, delete it, then recreate it with a value of 3, like GTX said. Use the pane on the left in the registry to find the DEFAULT, S-1-5-18 through -21 individually (or whatever keys spybot lists) and change the values to 3. I think those were the same 5 entries I kept getting, so I tried that and it worked! Thanks computer geeks. I am going to school to become one myself, but never worked with the registry much. They said not to mess with it unless you know exactly what you're doing, so only change those entries showing up on spybot- nothing else... Thanks again.

Air Scorpio, please change:
"Locate DSO Explicit by Spybot " to read "Locate DSO Exploit by Spybot". It may confuse the already confused. Thanks buddy.

I'm sorry I haven't had time to answer all the private messages and email (from those who were resourceful enough to look up my email address through Tweaks & Reviews).
I've reviewed Air_Scorpio's post and it reiterates what I've been saying. It even goes a step further and shows you how to make sure you haven't left spybot in a state where it ignores this DSO Exploit.
He's taken the time to give you the exact locations to look for the problem in the registry for those who can't follow it in spybot.
Follow his instructions or mine, whichever is easiest for you to understand.
Don't forget to UPDATE WINDOWS to get the new security patches. Do you want to go through this again?

Here are answers to the 2 most frequent questions I've been asked privately.

To open the registry, click your "Start" button and then click "Run". A dialog box opens. Type in the word regedit and click OK. It will open your registry.

The other one concerns changing the entry in 1004 to 3, but spybot continues to see it. You don't change the entry to 3. You delete 1004 (because it's a String Value and should be a DWORD) and create a new DWORD 1004 and give it a hex value of 3.

I'm going to try to make this my last post here. Please understand that I'm not out of patience, just out of time.

Gary

Hey all. I thought for one last effort and since he works in Seattle for Microsoft and thank the Lord he is my nephew, I woud give him a shot at this. I just now emailed him and when I get a reply I will be very happy to share it with everyone.
You all have been so helpful and kind. I want to thank you for that.
Take care. Will be back as soon as I can!
Thanks again,
Willow :D

hey guys/gurls~
Gezz this page still going! Well your all a bit late, because the problems been sorted... and to all newbies, don't take these guys advice to likely, they most likely are amateurs, and its not hard to see that when they are telling you to change values in the regedit.
If you knew what Exploit actually did, or has already done then you's would know(obviously you dont) that changing values does absolutely stuff all. These process Has done what it needs to do.

Don't try be something your not, you'll just make a fool of yaself! Oops to late ;D

~ Do not worry about doing ne of this, you'll just create more work for the guy(proberly me:P) who will have to fix it. (Your PC that is)

Regards~ alicka~
I love this place~~~~

don't take these guys advice to likely, they most likely are amateurs, and its not hard to see that when they are telling you to change values in the regedit.
If you knew what Exploit actually did, or has already done then you's would know(obviously you dont) that changing values does absolutely stuff all. These process Has done what it needs to do.


And the online source that backs this up is... where?


]
Don't try be something your not, you'll just make a fool of yaself! Oops to late ;D

Indeed.

To alicka & psi42...

You better tell people what should be done instead telling people that everything is wrong. You drive people nuts. If you know so much tell them what to do. Yes, we are newbies (at least I am) but at least we try to help people as we can, not like you just laughing and no help. And I think if you really knew what to do you would tell.

Regards ,
Scorp

Dear Air scorpio,
Your thread touched me! No really it did ;D, yes what am I thinking ::) well dearest scorpio if you've been here since the start you'd know that I've posted numerous Exploit Fixes on here, but do people listen! No, and I don't care. Well I do care but I only care about the people who are genuinely stuck in a pickle! Its just the regedit is not something you want to play around with if you don't know what you are doing.
And I don't know what these other guys here are doing, but where I am its my job. I work for government IT, so I think I'd know... <well that's for me to know and for you's to decide>


Regards~ alicka~
Deus t@ Am3n

And almost forgot, deffinitly take PSI's advice, if your using Internet Explorer, that's where half you problems come from! Get Mozilla and see the difference! :o ;D

Regards~ Alicka alota~

To alicka & psi42...

You better tell people what should be done instead telling people that everything is wrong. You drive people nuts. If you know so much tell them what to do.

Well, it really looks like we are trying to do that. What's going on here is that there is rather a bit of a disagreement. The problem is, a few of you guys think there is some sort of war on or something ;D.


]
Yes, we are newbies (at least I am) but at least we try to help people as we can, not like you just laughing and no help. And I think if you really knew what to do you would tell.


Okay, for the last time:

This vulnerability was patched by Microsoft a long time ago. It _does_ _not_ matter if you do anything about it or not at this point in time, as long as you've kept up with your security updates.

Will everyone please confirm the above statement so we can all agree on something?

So you _don't_ need to fuss _if_ you've been patching your system. If you haven't been patching your system, well, that's bad. :)

If you like to have everything just right just in case, then you're going to have to figure out on your own which "solution" you're going to follow.

Here, take a look at this site:
http://www.greymagic.com/security/advisories/gm001-ie/

Go to the very bottom, and try the "Demonstration." If the program it specifices runs on your system, then you are vulnerable.






Now a good flame war is always fun, but this isn't a very good one.

Oh, and alicka. You're pretty confident of your position, I respect that. Unfortunately, it seems that every source I've seen on the net rather disagrees with you.
Now if you posted a link to a nice piece of writing that backed up what you were saying, we could all be happy. :)

~psi42

I just wanted to say that for the "newbies" and I know I am one too... listen to what the "experts" have to say. Don't just insult them they are here to help and you are here to get some help. I know personally that Alicka has helped me a lot to clear things up even when he gave me a solution that I didn't really understand because I'm a little computer slow he took it a step further to explain things better to me. So in his defence which I'm sure he doesn't really need it... he is and expert and you are a newbie and if you were serious about getting rid of this thing you would either look at the post that he has made and get a solution for you or would ask him personaly so he could give you a hand. He has been a huge help to me and I'm sure if you would just stop and listen instead of being hard headed you would get a proper solution.

Thanks Mankilla, I appreciate your support.
If you need any help what so ever, I will be glad to give any assistance possible. And that's to all, I'm here to help, that's all~

PSI, I run the states regional Hospitals IT. Yes in government. If there's an exploit, I have to find it and kill it. I do this for a living mate. And no I can't give you ne links, they're all encrypted 1048, so good luck~

Regards~ alicka~

If all your critical updates are installed you are protected against DSO Exploit and the finding in Spybot is just a nuisance. Eliminate this by doing the following:

1 Open Spybot and select 'advanced' mode.
2 Select 'settings' in the left column.
3 Select 'ignore product' in the left column.
4 Select 'security' tab.
5 Place check mark in box beside DSO Exploit.
6 Close program
7 Open Spybot and run a scan.

You will find that DSO Exploit has been eliminated and if your computer does not harbour any other spyware you will see a congratulatory message.

Well thank you for trying to help. I didn't bother to read all 10 pages of replies, but dude, if you did this carefully, you would have noticed that "Ignore" ignores it when it finds it on your computer, meaning that you told it that its okay when it runs over it. So what does this mean? Its still on your computer. Lets face the music kids, it keeps coming up because you can't get away from it.

Are you sure? Your not pulling our leg here??
Gezz you can tell this is an american forum ;D ::)

Such a smartie ::)

]Well thank you for trying to help. I didn't bother to read all 10 pages of replies, but dude, if you did this carefully, you would have noticed that "Ignore" ignores it
ThisTastesNasty:
You don't think that others have noticed this therefor not done it. IF YOU HAD READ ALL THE 10 PAGES... then you would have noticed and been able to have done a better solution,, use your head here buddy. ;)

People, re the problem with the pop-ups Tickle IQ test and the Security Warning that seems to be associated with DSO Exploit and [deleted].com, I complained to [deleted].com today and they traced it to one of their clients, [deleted] who is responsible for these pop-ups. They told me to contact him at this email address:

[deleted]

Write and tell him that this crap was put onto your computer without your knowledge or permission and ask him to send you his adware remover.
Once you receive it, unzip it and install it but make sure you close all your Windows Explorer stuff first. It only took about one second to get rid of it.

Bunnyc

Sure mate ::) that's the biggest load of shait I've ever bloody heard. Get a life and stop wasting forum space tos-ser

People, re the problem with the pop-ups Tickle IQ test and the Security Warning that seems to be associated with DSO Exploit and [deleted].com, I complained to [deleted].com today and they traced it to one of their clients, [deleted] who is responsible for these pop-ups. They told me to contact him at this email address:

[deleted]

Write and tell him that this crap was put onto your computer without your knowledge or permission and ask him to send you his adware remover.
Once you receive it, unzip it and install it but make sure you close all your Windows Explorer stuff first. It only took about one second to get rid of it.

Bunnyc





ROFL! What have you been smoking?

http://ask-leo.com/whats_a_dso_exploit_and_how_do_i_get_rid_of_it.htm l


As I told you a week or so ago, I have a nephew that works at Microsoft. He said this site is our best bet. You can do whatever you think is best!

We are waiting to see what Hurricane Frances has in store for us. (Not looking forward to this)! But anyway, take it easy all... Willowtree

ROFL!  What have you been smoking?[/quote]

What's that smart remark supposed to mean?? I was a first-time poster who thought a solution to the problem would be welcome on here. I didn't expect to be spat on. Did any of you 'experts' find a solution except for advising what I consider risky measures for a newbie, to change the register?
Never joined a forum before where you get treated like crap first time around. You know what you can do!!

What's that smart remark supposed to mean?? I was a first-time poster who thought a solution to the problem would be welcome on here. I didn't expect to be spat on. Did any of you 'experts' find a solution except for advising what I consider risky measures for a newbie, to change the register?
Never joined a forum before where you get treated like crap first time around. You know what you can do!! Bunnyc, if you are really giving what you believe to be honest information here, I thoroughly apologize.

That said, let me explain my "smart remark." Although feeding trolls is rather fun, I'm really going to do this for the benefit of others. Now then:


People, re the problem with the pop-ups Tickle IQ test and the Security Warning that seems to be associated with DSO Exploit
re? Re what?


[deleted].com[deleted].com is an advertising site, so far so good. Although what that has to do with the DSO expoit is a little fuzzy...


I complained to [deleted].com today and they traced it to one of their clients, [deleted] who is responsible for these pop-ups. They told me to contact him at this email address:
What pop-ups? What does this have to do with the DSO exploit?


[deleted]

Write and tell him that this crap was put onto your computer without your knowledge or permission and ask him to send you his adware remover.
Once you receive it, unzip it and install it but make sure you close all your Windows Explorer stuff first. It only took about one second to get rid of it.
Um, okay. So you are advising people to e-mail the guy who supposedly has been sending them pop-ups, get a binary executable from said unsavory character, and run it? If "[deleted]" is in fact putting spyware on your computer, he will probably just bundle a trojan with his "remover." How about that for "risky measures for a newbie?"

Second of all, the DSO exploit is not a virus. It is an exploit. It was not put on your computer by anybody but Microsoft.

So it all boils down to one of the following:
a) You didn't read the thread, which is bad
b) You didn't follow the links in the thread, which is bad
c) You are trolling, and in very poor taste, so it's a bad troll, which is bad


~psi42

Here here!

So damn true!

Hi all..

I was having the same problem with DSO Exploit showing up after I deleted it with Spybot.. I did what Sudbury said in his/her post and it has worked for me so far.. just wanted to let others know so they could try it...
Thanks for the help.. ;D

Oh. My. God. ::)

Good for you, Miissty.

You can leave it like that until Spybot releases the permanent fix (which they say is ready) and if all your Windows critical updates are installed you have nothing to worry about.

Sudbury

I'm getting the same DSO exploit message after running Spy Bot.   I tried to get rid of it.  I even ran the Shredder and it still comes back.  Does anyone have a fix?

YES!
Problem:
Spybot S&D does have a bug relating to a false positive report of a "DSO Exploit." The "DSO exploit" is a trick that takes advantage of an old security hole in IE. However if your copy of IE is up to date, it will have long been patched for this weakness.
Thus it can safely be ignored during the search for Malware.
This Spybot "DSO Exploit" false-positive bug has been identified and will be corrected in the next update to Spybot. Meanwhile here is a manual workaround for SpyBot's over-reporting.
Eliminate this nuisance by doing the following:

Solution:
1) Open Spybot and select 'advanced' mode.
2) Select 'settings' in the left column.
3) Select 'ignore product' in the left column.
4) Select 'security' tab.
5) Place check mark in box beside DSO Exploit.
6) Close program
7) Open Spybot and run a scan.

After a new scan this “DSO Exploit” will not reappear. Assuming the scanned PC does not harbour any other spyware/malware, then a brief congratulatory message will appear.
Voilà

I am new at this I got DSO Eploit. I have tried spybot and its not working. Can someone please help me?

I am confused in trying to follow the instructions on how to get rid of this. If anyone can help someone who is NOT a computer expert, please let me know.

Thanks

Update ;)

Check to see if you are using the latest version of Spybot S&D (version 1.3) and that all your Windows Critical Updates are installed, then follow the instructions listed in Reply # 11 of this post. This will enable Spybot to ignore the false-positive finding of DSO Exploit (which Microsoft has fixed) until the permanent fix is released by Spybot When the permanent fix is released, you can uncheck DSO Exploit in the 'ignore products' section and it will be gone forever.

Hope this helps.

Sudbury

:P Sorry but I've got to ask. I've been reading this thread with interest and some amusement and my head is thoroughly spinning.

Running Spybot v1.3
Brand new computer 2 weeks old
Updated to Windows XP Home SP2
Spybot finds DSO Exploit

1. It has been said if your patches are up to date you are protected - with SP2 I would think I'm up to date

2. It has been said this is a bug in Spybot and change the Spybot settings to ignore until they update.

If number 1 is right then number two makes sense at least it does to me. Am I right, wrong or somewhere in the middle?

Thanks for letting me ask.

Hi All
I have to agree with AF_Vet's comment having installed SP2 and all the other fixes DSO Exploit still raises it's ugly head.

Setting ignore product in Spy Bot does not remove the problem but just hides it.

What I cannot glean from all the forum is what does DSO Exploit do?

R.O.

Richard, to answer your question, I posted a Web site that I got from my nephew that works for Microsoft. It is on page 10 under Willowtree with Duffy Duck.
Believe me I was asking all the same questions, also.
Anyway, I hope that helps you. Take care.

Willowtree ;D

You run spybot and it finds the DSO Exploit. Spybot will identify 1 to 5 areas in your registry where the problem exists. The areas all end in "...Internet settings\Zones\0", 0 being the folder and 1004 is the affected DWORD.
1004 is a security setting. It sets the policy (rules) when a url (a web site) wants to take control of security settings in downloading unsigned activeX. The value of 3 (0x03 actually) sets URLaction_Download_Unsigned ActiveX to DISALLOW. If you don't have it set to 3, malicious activeX scripts can be run on your computer. This is what Spybot has found happening on your computer.

DSO's are part of Windows, much the same as dll's are (files with the .dll extension). They are "Dynamic Shared Objects". Windows uses dso's and dll's so programs can share a lot of things. If you've been into computing for a long time and remember the good old days of DOS, you'll remember needing a different printer driver for each program, a different sound driver, modem driver and video driver for each program. What a mess. You couldn't even copy and paste between programs. With Windows, all these things are shared.

Unfortunately, a Windows security flaw exists that allows activeX scripts to be run through the DSO regardless of the security setting you have chosen. In other words, someone has figured out a way around the DWORD = 3 setting which supposedly stops unsigned acitiveX scripts from being downloaded. Microsoft is aware of it and has fixed it in it's latest security patches.

When you run spybot, it gets rid of the DSO Exploit. The problem is that a bug in spybot's fix changes the DWORD 1004 in the... Internet Settings\Zones\0 folder(s) into a String Value 1004. When you run spybot again, it sees that this area is incorrect and identifies it, again, as the Exploit because it thinks that any problem in this area is the DSO Exploit. You see, a String Value 1004 is worthless. It's like having no security setting at all. Can you see the problem with this?

Some people here are saying you can just set Spybot to ignore the DSO Exploit. Others say to just delete the 1004 entries. The reasoning behind this is that updating windows with the latest security patches fixes things so you can't get this DSO Exploit again.

However... there are still unanswered questions about the new security patch. If, as I assume it does, it fixes the security hole that allows someone to exploit the DWORD = 3 security setting (fixes the hole so nobody can get around it), then don't you still need the security setting to be there in order for the patch to work?
Before you got the DSO Exploit and ran Spybot, the DWORD 1004 existed and most likely had the setting of 3. It takes less than 10 seconds to put it back to the way it was. I have several posts on this thread explaining how to do this. Also, Spybot gives you the url for their official forum. You can look it up there and they'll tell you the same thing. Patch windows with the latest security patches. Delete the String Value 1004 entries and create new DWORD 1004 entries with the value of 3. It doesn't take long to do it the right way and then you're sure to be covered.

Gary

Gary, God you're good! How long have you been messing with computers? As you can tell I am still a very new newbie. I don't know about anyone else, but I am truly impressed! Seriously! I really enjoy reading your posts.
Anyway, take care. We are dealing with some really bad weather. Ivan go far away, please!!

Willow

I don't know if this solutions has already been posted, but it will fix the problem without any need to go into the registry.

http://forums.net-integration.net/index.php?showtopic=17159&view=findpost&p=94923

Spybot has released a new set of detection updates today.

Spybot has released a new set of detection updates today.
I hope that anytime someone runs Spybot (or any spyware or anti-virus program) they check for update files first. For those that don't, please do.

OK, there's a new beta version of Spybot S&D. It's version 1.3.1 and it should fix the DSO exploit bug in Spybot 1.3.
It's a beta version, so be warned that it may have other bugs. Since the beta is out, I assume that the next version of Spybot is just around the corner and advise everyone to wait for the released version.
That being said, I'm sure everyone will ignore my advice and want to try the beta anyway.
If you don't know how to get the beta version, it means that you really haven't explored Spybot; and, judging by the amount of people here that think ignoring a problem is the best way to fix it, I'm going to assume this is true and tell you how to download the beta version. BUT First, if you have already told Spybot to just ignore the DSO Exploit, get back in and tell it not to ignore it anymore. Otherwise this beta version won't help you. It won't fix it if it's been told to ignore it, get it?
OK,
1. open Spybot version 1.3
2. click on the "settings" tab (it's on the left)
3. click on the "settings" icon (it's in the right pane)
4. a list of topics and sub-topics will appear
5. scroll down to "web update"
6. put a check mark beside "display available beta versions"
--------------------------
7. Now, on the left again, click the tab for "Spybot-S&D"
8. click the box that  says "Search for Updates"
9. when the updates are found, click the box that says "Download Updates"

The beta installs right over the 1.3 released version and there is no need to restart the program. Just run Spybot.
I don't have the Exploit problem, but I did change the DWORD 1004 value in one of my "HKEY_USERS\......\Software\Microsoft\Windows\Curre ntVersion\Internet Settings\Zones\0" folders and running the new beta version put it back the correct way.

Gary

Hi Gary,
I'm new to all of this, been reading all the dso exploit posts for the past month and just registered on here tonight so that I could personally thank you. I had the same problem as everyone else even know all of my updates were current. I installed the beta version of spybot like you said in your post and it finally got rid of those very annoying dso exploit entries that kept coming up.

Thanks again,
Robert 8)

Ok yet another newbie here... I read the first 5 pages yesterday and the rest today so this is what I did yesterday... I ran spybot 1.3 it told me I had DSO X then ran again, same thing so on someone's advice in this thread I downloaded "DSOSTOP2" -- Installed it ran it and then tried spybot again and no DSO X. So is that little program going to fix my registry properly since I don't mess with that stuff or I'm I going to have to do the registry thing.. (I have 2 computers Win98 & XP sp2 but I only have the problems with 98se, all updates with Windows are done and spybot.)

Why even bother!
This has been fixed for the last couple of months and this threads still going... gezzz guys and girls get with it.

Anybody running Win Xp just Sp2 and your problems will be solved~! Plus No MORE bloody POP-UPS ;D ;D ;D :P

Regards!~

just Sp2 and your problems will be solved~!

Yeah, right. :D

Yeah, right. :D


LOL! Sp2 crashed my computer twice, because there was a compatiibility issue with some of my programs. Best advice a newbie can give is WAIT 3 months before installing sp2! ;D

Robert

Huh, and you reacon use Linux! :o
Well yes and No. Ive bin trialling Sp2 since its release with no probs, I administor a rather large Government network. Which we'll be putting out Sp2 within the next few months.
Robert were you using Xp Home or Pro?

Regards Alicka

Hi there,
I'm using xp home edition.

Robert

Don't mess with the registry. Go to my website and read all about the DSO Exploit. Then follow the instructions for removal.

www.remotecomputerhelp.com

If all your critical updates are installed you are protected against DSO Exploit and the finding in Spybot is just a nuisance. Eliminate this by doing the following:

1 Open Spybot and select 'advanced' mode.
2 Select 'settings' in the left column.
3 Select 'ignore product' in the left column.
4 Select 'security' tab.
5 Place check mark in box beside DSO Exploit.
6 Close program
7 Open Spybot and run a scan.

You will find that DSO Exploit has been eliminated and if your computer does not harbour any other spyware you will see a congratulatory message.

I'm sorry, but I just don't believe that Sudbury's method eliminates DSO Exploit, as the instructions for the "ignore product" section SPECIFICALLY say "If you check a product here, it will not be found during a scan. Use this list if you know you have some threat on your computer, but need to keep it." That means that SPYBOT IS IGNORING A STILL VERY PRESENT "DSO Exploit". I don't see any reason why I need to keep it; maybe someone else does need it...

Um, sorry about that apparently useless first post of mine; for some combination of a few reasons, I didn't see 'til just now that this topic is 12 or so pages long. I must be the fifth or so person to point out what I pointed out, and it was a pretty obvious pointing-out, too. Y'all prob'ly won't be hearing much from me again. Best Wishes & Peace to all.

TIME TO MAKE DAMNED SURE YOU"RE REGISTERED TO VOTE, AND MAKE SURE YOU DO VOTE ON THE DAY!!
These are perilous times, and the fewer eligible people who vote, the more perilous the times will get!!

My question (somewhat rhetorical I suppose) is, when is PepiMK Software and/or SoftSpy going to fix the problem of DSO Exploit supposedly being fixed, but showing up again and again on the next Scan and each additional Scan?

They and many others on various message boards say that DSO Exploit is actually being removed during the Scan and showing up on the next Scan is just a glitch (solutions on some boards just discuising the glitch at best)

SoftSpy and others say the glitch will be corrected on the next update, BUT THIS HAS BEEN GOING ON FOR A VERY LONG TIME, MANY MONTHS OR MORE

I can't find a Home Page for PepiMK Software when I do a search, so that I can ask them directly, WHAT GIVES ON THES PROBLEM??

It's gotten way old. Sorry for beig so long winded and non-technical

If anyone knows how to reach PepiMK Software or SoftSpy, by email, url or phone, please advise. I'm tired of wasting time on this and it seems many others are as well

I would like to get to the bottom of this once and for all

It seems all that's going on so far is TALK, and as an old friend of mine used to say, this is nothing but MENTAL MASTURBA..!

Well you know!!

drphilohio needed a link to PepiMK software. Try this.
http://www.snapfiles.com/authorinfo/apps-7115596.html

I don't know this for sure but I read an article a while back that said that the DSO exploit has already been addressed by Microsoft and although it continues to show up after each spybot scan, it really does the system no harm whatsoever. I've had it on my main computer for months and my system has had not problems at all. Since reading that article, I simply just ignore it and continue computing.

I used GTX's approach to resolivng the DSO Exploit on my computer and it worked fine. Spybot now shows no threats. However, when I attempted the same approach on a colleague's computer, I ran into a problem. I found a faulty "AB-1004" entry under the HKEY_CURRENT USERS" path and removed it. But there was another one under the ".Default" tree of the the "HKEY_USERS" main folder. When I tried to delete the faulty AB-1004 key from there I got the message, "Unable to delete specific values". I tried to reboot, thinking that it was because something was already running. But that didn't help. How do I go about getting that key out of the registry?

Thanks,

Brian

Hi all.

This is the most helpful forum I have found so far for this problem of DSO exploit, but I still have a query. I used GTX’s advice on the registry keys, and although Spybot still shows DSO exploit up, I am not so concerned as this is reportedly a bug in Spybot, and your computer is safe if you have updates up to date, which I have. So thank you!

But I hope that I can explain the rest of this coherently. I have not seen this answered in any of the forums I have looked at, including this one I think. On both my computers, at work and home, I have an issue with aggressive advertising:
- I get a blue Casino bar across the bottom of IE (which I don't use anymore because of this)
- I get another sort of unsolicited search bar across the top of IE
- I get six/ seven icons for casino sites/ travel sites/ printer cartridge sites etc. which keep appearing on my desktops.
- I keep having “advertisement” sites (for casinos etc. again) added to my favourites folder, which then annoyingly transfer themselves to Mozilla favourites too!
- Finally, Spybot keeps finding 103 instances of coolWWWsearch that it advises me to get rid of, which I do each time.

Is this all caused by DSO exploit, or is there something else that I worry about? How does this/ DSO exploit get on your system to begin with?

Also, although I have managed to remove the problem with DSO exploit using Spybot (even though it is still finding it), I still have the above problems occasionally, so I don’t really understand what is going on with my PCs.

Can anyone help? Thank you.

Try by starting Windows in SAFE MODE.
See http://www.computerhope.com/issues/chsafe.htm
If you don't know how to do it.

The reason spybot search and destroy shows that your have a dso exploit is because there is a bug in spybot search and destroy! This dso exploit is security flaw in internet explorer that has been fixed, but spybot still thinks it hasn't been so it list it as a problem. If you don't believe me get it right out of the horses mouth http://forums.net-integration.net/index.php?showtopic=17159

The bug is in IE. Until you have updated IE, you are vulnerable. When the MS patch is installed, you are not vulnerable anymore, but Spybot still detects it.
But, who are you, with your first append, to call us stupid? A lot of people have not updated their IE. If you want to learn us something, go ahead, but don't lecture us. And don't insult us.
Behave yourself. Dropping in with a maiden-update yelling at people is not decent.

I'm with you on this one Urmod4U! I had 2 entries in my Spybot of DSO. I downloaded DSOSTOP2 to my desktop... and it now says I'm safe... but when I run Spybot it still keeps showing that I have one entry of DSO Exploit. Also... now you're going to think me REALLY dumb... BUT... do I have to keep DSOSTOP2 on my desktop or can I put it in trash? :confused:

Many Thanks!! :)

I've tried to get rid of DSO Exploit and I don't know if I've done it, S&D still shows it but I know that might still happen even if it's gone. I don't know if it's related but since I've had these problems I seem to have adverts and pop ups appearing even though Norton is fully updated. This never used to happen, adverts appeared as blank spaces.

Can anyone help?

Thanks,
Mark

This program is designed specifically to deal with DSOexploit for those having trouble. I haven't tested the program so scan it with a virus scanner first but it sounds pretty easy.

http://www.nsclean.com/dsostop.html

I did not go through the entire thread, but I have a problem that can only seem somehow related to the DSO exploit or Spybot. First off, this is only happening on an IBM R40 laptop with XP and service pack 2 installed. However, the laptop will not gain Internet access over any broadband connection unless Spybot has been run and has removed the DSO exploit. Once that has been done, the system can access the Internet just fine. The computer can sit, connected to the Internet, for an hour without an Internet connection until Spybot has cleaned the exploit. This has been happening for over a week. All other computers on the network are fine. Plus, I use Firefox and never IE. Any ideas? I'm about to format and re-install everything. I've tried various virus scans, and nothing is detected. Also, other spyware cleaners find nothing. Thanks.

The previous version of spybot, spybotsd13rc5.exe is able to remove the DSO Exploit.

You can download it from this link.
http://www.spybot-updates.com/files/spybotsd13rc5.exe

Hi I'm new and I have a question..
My com's been laggin lately.. and in task manager.. I notice something strange..
There is 3 rundll32 running and is that harmful or nothing is wrong..
I'm spyware free and virus and trojans.. free too
Thanks for you help
Sry for my english

hi im new and i have a question..
my com's been laggin lately.. and in task manager.. i notice something strange..
there is 3 rundll32 running and is that harmful or nothing is wrong..
im spyware free and virus and trojans..free too
thanks for ya help
sry for my english

Please post your question in a separate thread. That way, you will get your answer faster, and other people with the same question will be able to benefit from any responses. Thanks.

~psi42

Just go to regedit then the following:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Internet
Settings\Zones\0\1004!=W=3*
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Inter net
Settings\Zones\0\1004!=W=3*
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Inter net
Settings\Zones\0\1004!=W=3*
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Inter net
Settings\Zones\0\1004!=W=3*
HKEY_USERS\S-1-5-21-796845957-746137067-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Int ernet
Settings\Zones\0\1004!=W=3*

after you get to each folder go through the steps to get to the Zones folder anything with 1004 nuke it!

Also don't use Internet Explorer if you don't have to use Mozilla,Opera,Firefox anything but I.E.
safe bet also use BLANK start up page and as always have all windows updates in and have a antivirus running and updated and a good spyware program Spybot and Ad-Aware will do and the usual safety steps don't open it if you don't who it is from as I tell my people stay away from the porno sites but to each his own and last but not least is a FIREWALL there's a few out there but ZONE ALARM will do and one more thing don't sign up for everything on the net if you don't need it leave it alone that's how they get your email address and if your going to BUY anything online please have all the above done and make sure the url in the address bar starts with the following HTTPS: and the padlock is locked, if you at least have this done and your email set up to nuke spam you should have happy surfing but if your using I.E. please clean out the crap as I call it (Cookies,Tempory Internet Files) its none of their business were you have been online so in closing HAVE A NICE DAY!

I've had dso exploit for a couple weeks now and I want to get rid of it.
I did a windows update. I have norton's updated and ad-aware updated-both which don't show any problems.
But, spybot finds 5 entries of DSO exploit. I can "fix" the problem but spybots finds it again after I restart my computer.
I don't want to go into my registry and change anything.
Basically, I'm hoping someone can give me the best instructions for getting rid of this thing.
I've read all th eother fixes listed around here, but there are so many , so I'm hoping to hear from someone who can fix this good.
Thank you very much ;)

The only real way to get rid of DSO is go to regedit and the folders I posted yesterday keep everything updated and you might reset your ad-aware settings
so backup your reg. if your not sure and only go to the folders your supposed to
thats it unless someone comes up with a quicker way this works.

In Documents and Settings/allusers/applicationsdata/spybot.. /Recovery there are a lot of serially numbered DSOExploit*.zip files. It is easyto select them all and delete them. Then to the recycle bin to delete all found there. Recheck to be sure that all bad files in the directory site above are gone. Run Spybot and, voilà, one or more DSOExploit.zip files have been rewritten.

Anyone have an explanation for this?

Well that should cure the problem all the way around then I dont use recovery dont need the headache with virus and trogans thats were most of em go to these days anyway so less hassle that way, but your way is worth checking into but did you have any of the files in regedit still?

Well guess I read your post to fast thought you were talking about XP's recovery not Spybots but re-checked myself and yes what you replied was there and did work,thanks, but does it take care of the ones in regedit to, have my doubts, so with both solutions I would imagine this should take care of any DSO problem for good if they have their pc's updated all the way around!

Thaks for the advice hef, but I don't know really what you mean :(
I know nothing about regedit and the lst thing I want to do is screw my computer up myself. I need to be told in baby steps how to get rid of this. Here's my original post again:

--------------------------------------------------------------------------------

I've had dso exploit for a couple weeks now and I want to get rid of it.
I did a windows update. I have norton's updated and ad-aware updated-both which don't show any problems.
But, spybot finds 5 entries of DSO exploit. I can "fix" the problem but spybots finds it again after I restart my computer.
I don't want to go into my registry and change anything.
Basically, I'm hoping someone can give me the best instructions for getting rid of this thing.
I've read all th eother fixes listed around here, but there are so many , so I'm hoping to hear from someone who can fix this good.
Thank you very much

DSO is simply a URL or address placed in the registry by a site you have visited. It relays information from your computer back to advertising sites.
It is NOT a virus. But, if you don't want to be used by advertisers, then get rid of it.
It will come back; by going to certain sites... and you never know which one will place it back in your registery. It is NOT harmful, like a virus or Trojan.
There are 2 great free programs, that you can scan your computer with, then safely delete everything they find.
If interested, here are links to both:

http://www.security-related.com/download2.htm
Download: SpyBot Search & Destroy; 1.3

AdAware at:
www.lavasoftusa.com

Best wishes,
fredg

Earlier post with spybot and ad-aware have been used and no luck but with the post I posted the DSO problem was cured but you still need to use spybot and ad-aware anyway just in case any spyware period gets in so the best bet is always stay updated you are never going to get away from spyware its like a virus and trogan you just have to keep cleaning them out and watch were you go and stay updated,there is a post from someone about changing your ad-aware settings to,that would be a good idea,yes DSO is nothing major but its just the idea that its there and no one should be in your pc but you but if you can get away from I.E. that would help to as of yet havent had the DSO problem again but have techs on the look out for one that is infected so if and when we get another one we'll try the spybot recovery first and see if that does it then if not go with the regedit way one of the two should do it!

This wont help with the DSO problem but another program to try out is the X-Cleaner it along with Spybot and Ad-Aware and all updates for everything such as windows to should help you out.

Is this adware BS Exploit crap even legal? I mean, it most definitely shouldn't be. :mad: :mad: :mad:

Ah spyware the only thing you can do for spyware is 1. never turn your pc on again or 2. keep your pc cleaned out and updated because there aint anyway around it they find new ways to slip it in everyday so all ya can do is keep it updated and as far as legal whose got the money to fight em if ya catch em.

A very good tutorial is found here. It did for me what spybot S&R was unable to do so. Every time I ran S&D, although it did find DSO Exploit, and removed it, the next it showed up again. This requires work with the registry settings. Good Luck

http://www.pchell.com/support/dsoexploit.shtml

Good someone did have this problem listed online but earlier post we have posted covered that problem they talk about so both ways will take care of the problem so thanks for the link though!

The recurring dso exploit is a bug otherwise known as a glitch with spybot and it is nothing to worry about. If you have windows service pack 2 or the most recent updates for windows you are fine. The spybot program displays this regardless if you have'nt noticed from the rest of the reports in this forum. My email [email protected]

Well another point that as we all know already the DSO problem is a I.E. problem so the steps that have been posted already do the job and not everyone is happy with XP-SP2, best way there re-install Windows then load XP-SP2 (FIRST) but it depends on what software people have on there pcs not all software works with it so the I think the post pretty much cover the problem unless you know were you got the DSO in the first place then stay away from it.

I'm sorry I don't have the patience to read everything about DSO exploit. It seems a very hot issue. I am just getting to it... The other night I peaked in and read this and it sounded good until I went to do it...

Written by user name: Sudbury

Re: DSO Exploit
« Reply #11 on: May 22nd, 2004, 1:31pm » Quote Modify

--------------------------------------------------------------------------------
If all your critical updates are installed you are protected against DSO Exploit and the finding in Spybot is just a nuisance. Eliminate this by doing the following:

1 Open Spybot and select 'advanced' mode.
2 Select 'settings' in the left column.
3 Select 'ignore product' in the left column.
4 Select 'security' tab.
5 Place check mark in box beside DSO Exploit.
6 Close program
7 Open Spybot and run a scan.

You will find that DSO Exploit has been eliminated and if your computer does not harbour any other spyware you will see a congratulatory message.

It occurred to me that I was asking the program to ignore DSO Exploi, not fit it, thereby telling Spybot to act as though it doesn't exist rather than eliminating it. IS this thing benign anyway?? Can we just ignore it?

Okay, I tried username: Cellarius, suggestion:

I finally got rid of DSO Exploit using "Spybot Search & Destroy" with the following method:

Have "Search & Destroy" look for problems the usual way and then (1) highlight one of the "Data source object exploit" items, (2) Right click the highlighted item to bring up the menu list and select "More details", (3) Now click "Jump to location", (4) You are now viewing the Registry and can use the path shown in the Search & Destroy window to get to the key shown, (5) I manually deleted each of 5 keys and no longer have it coming back. I haven't noticed any change in performance so I trust that I did no harm but I am happy not to have the damned thing any more.

... and it didn't work. It would not give me the option of delete on the folders and I could not highlight and press the delete button. If I manually broke down the files, I could, somewhat, not the folders, just the files, and it was hit and miss, but there are TOO many files and it wasn't working that great.

DSO Expolit There is now a download on Major Geeks to rectify this DSO Exploit. You must have the latest progrmme od Spy bot . I have downloaded it I do not get any more DSO Explot now when I run Spy Bot

I ran Spy Bot and Adware a couple of days ago and have had mega problems since (this is being sent on my laptop!) I can still access my email but cannot access the web using IE, although I can access a bank account direct, but apparently nothing else direct. The computer is running very slowly as well. I use XP home and Broadband. I have tried to restore to pre Spy Bot without luck. Any ideas what's gone on?

I recently installed the 131tx update, exploit doesn't show up anymore, I get congratulatory message now. Great, right? But...

is 131tx just a disguise for DSO Exploit? Is it still there? If it is am I vulnerable?

The reason I ask all this...

Before I installed 131tx I kept getting the exploit after running Spybot. I then downloaded 131tx, ran Spybot and it was gone. So out of curiosity and to make sure 131tx wasn't just a disguise I deleted 131tx and then uninstalled Spybot, restarted my CPU, reinstalled Spybot and I continued to not get the DSO Exploit. What's going on? Since I deleted the 131tx fix, uninstalled and reinstalled Spybot shouldn't I then get the DSO Exploit again? I did all this within minutes apart of each other. I also tried to use all of my browsers (IE, NS, and MF) to try to get the exploit back but it never did come back. I first discovered the exploit using IE but no matter if I use it now I don't get the exloit. I haven't upgraded IE during any of this either.

I also went to http://www.greymagic.com/security/advisories/gm001-ie/ and ran the calculator test. It says:

Executing arbitrary commands without Active Scripting or ActiveX
Running "c:/winnt/system32/calc.exe"..

I don't see a calculator so I'm guessing it's not running and I'm safe, right? I went to greymagic before I installed 131tx and I think I ran the test and got the same result I mentioned above. But in all the confusion I'm not really sure if I ran the test to be honest.

Does any of what I'm saying make sense? Anybody? Suggestions? Answers? Please? Going crazy!

PS. I'm stating right now for the record that I did not mess with the registry and change any or delete any values for the DSO Exploit just in case anyone thinks I may have screwed something up there.

Also...

I read this advice in another forum...


"download and install spyware blaster, from the immunize page of spybot, and configure it with maximum protection.
go to tools then custom blocking. click the add button and follow the on-screen directions.
type in the name: dso exploit
type in the following clsid:
S-1-5-21-220523388-152049171-854245389-1001\Softw are\Microsoft\Windows\Current Version|internet settings\Zones\0\1004!=W=3
this is the address where the hack lives.
check the box next to the name and click "protect against checked items".
now run spybot and there you have it ~ GONE!"


I haven't tried it yet. Will this advice work?

I also went to http://www.greymagic.com/security/advisories/gm001-ie/ and ran the calculator test. It says:

Executing arbitrary commands without Active Scripting or ActiveX
Running "c:/winnt/system32/calc.exe"..

I don't see a calculator so I'm guessing it's not running and I'm safe, right? I went to greymagic before I installed 131tx and I think I ran the test and got the same result I mentioned above. But in all the confusion I'm not really sure if I ran the test to be honest.


The reason you _never_ saw the calculator was this: The DSO exploit is an old problem that was patched by Microsoft a long time ago. So if you have been current with your patching, the issue was fixed on your system long before you started wrangling with the spybot problem.

Spybot scans for the DSO Exploit by looking at a few registry keys that are supposed to be set to the numerical value 3. Even after installing the Microsoft patch, these keys still hold the incorrect value. Spybot tries to fix them "just in case" you haven't been patching.

So it looks at these keys, sees they are not set to 3, and tries to fix them. But due to the now-infamous spybot bug, it sets them to 1003 instead of 3. So on the next scan, spybot sees they are still not set to 3, causing it to report the problem again.

I am assuming the spybot update causes spybot to properly set the value to 3. So even after reverting to the old spybot version, spybot will scan the key, see that it is really set to 3, and not report a problem.

Bottom line, if you have been patching, you are fine as far as the DSO exploit is concerned. Period. Worry about the bofra virus. :)


~psi42

I have all the critical Microsoft updates(I have XP:Home), Spybot is fully updated and I still get the same DSO Exploit problem. I don't want to ignore it by doing this:

1 Open Spybot and select 'advanced' mode.
2 Select 'settings' in the left column.
3 Select 'ignore product' in the left column.
4 Select 'security' tab.
5 Place check mark in box beside DSO Exploit.
6 Close program
7 Open Spybot and run a scan.

I want it eradicated
So is there something I can do to remove it?

If you have all updates, then the DSO exploit is not a thread.
****
If you want to get rid of it, you will have to edit the registry:
1) Make a note of the location of the exploit shown in Spybot, something similar to:

HKEY_USERS\S-1-5-21-1614895754-73586283-725345543-500\Software\Microsoft\Windows\CurrentVersion\Inte rnet Settings\Zones\0\1004!=W=3

2) Click on Start, Run, and type REGEDIT and Press Enter to open the Windows Registry Editor

3) Find the location of the exploit above in the registry by clicking on the pluses(+) next to each title

4) After opening the Zones section and clicking on '0' look to the right window, under 'name' is the key '1004' and the type is REG_SZ simply right click and delete this REG_SZ value.Then right click and create new>DWORD Value, name it 1004, then right click on that and go to modify, give it the Hex Value of 3, Click OK.

If there is only a DWORD Value for the key (in this case 1004), then double click on the key and change the HEX value to 3 and click Ok.

5) Close the Registry Editor and reboot your computer

This was copied from:
http://www.pchell.com/support/dsoexploit.shtml
Many other sites carry this information.

I went through Regedit, and deleted the 1004's. I then ADDED new 1004's and made the value 3. It worked perfectly, and I have no more "DSO Exploit".
YOU GUYS ROCK>
(I did need help with the registry, from a bud who knows a little more than I do. He had it too. We followed the thread together, and got it, no problem)
Thanks again!!

Using Spybot Search & Destroy look for the DSO Exploit and then:
1) First, click the DSO Exploit Fix.
2) Disconnect your internet connection
3) Reboot your computer the standard way
4) Run Spy bot
5) Enter the registry by clicking on the start menu, then run, type regedit and choose OK
6) Now locate each one of the registy entries that Spy Bot said it found the DSO exploit in.
7) Rename the 1004 files to 1003 then exit regedit
8) Shut down your computer
9) Reconnect your internet connection
10)Restart your computer
11)Run Spy Bot again to verify the DSO Exploit has been removed

:) Wot's the problem and I am no techie?

I have just reinstalled my W2K Pro et al - 5hrs lateredi! - had trouble going online and found DSO Exploit when I ran SpyBot. Scoured web, found this erudite site, read all of 12 months worth of postings, did what Alicka Alota advised...

:p Flash, bang, wallop - I'm a photographer! - problem solved. Checked with SpyBot and been on/off line 10 times to make sure it was OK.

;) She knows what she's talking about - for some reason the thread it came up in was DSO- Porn- casino- *Someone pls help - and if you follow her destructions faithfully, you won't go wrong. Remember to do the regedit clearout for each user on the machine! Fortunately, I only had 2 to contend with. Something tells me that Alicka said her destructions are for W2K only but the idea is the same for other OSs..

:confused: How DSO got in beats me as all MS SPs for everything were loaded but I suppose it doesn't take much of a loophole for these little mites to sneak in.. Jesus H. Christ, how do these people know all this ess aitch one tee, anyhow..

BIG thanks to Alicka, Petrujczech.

Hi,
I used Cellarius's method for removing the DSO Exploit. IT WORKS!,
Without harming the computer.
THANK YOU, Cellarius.
fredg

:confused: I recently solved this problem by following the recommendations made by Alicka Alota and all is well, SpyBot scans clear. I have been trawling through previously missed items and found a suggestion made by the Moderator, to a "kat555lady" posting of 16 April 2004, leading to a PC Hell site for resolution; www.pchell.com/support/dsoexploit.shtm.

:eek: In addition to the 2 registry locations listed by Alicka, I found a third one at HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/Current Version/Internet Settings/Zones-0, -1, -2, -3, -4. All zones have a file 1004.

:( The PC Hell advice is at variance with Alicka's. Can they both be correct?
Does the third location found by me need modifying?

:) Suggestions appreciated; I have a copy of the original Registry.

Cheers, Petrujczech.

:confused: I recently solved this problem by following the recommendations made by Alicka Alota and all is well, SpyBot scans clear. I have been trawling through previously missed items and found a suggestion made by the Moderator, to a "kat555lady" posting of 16 April 2004, leading to a PC Hell site for resolution; www.pchell.com/support/dsoexploit.shtm.

:eek: In addition to the 2 registry locations listed by Alicka, I found a third one at HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/Current Version/Internet Settings/Zones-0, -1, -2, -3, -4. All zones have a file 1004.

:( The PC Hell advice is at variance with Alicka's. Can they both be correct?
Does the third location found by me need modifying?

:) Suggestions appreciated; I have a copy of the original Registry.

Cheers, Petrujczech.

Hmm. What really actually matters is the value of the 1004 DWORD. It should be 3. If it is 3, you are fine.

If Spybot doesn't pick it up, either the value is set to 3 already, or you found a bug in spybot.

Either way, it essentially doesn't matter what you do, because as long as you are current with your MS patches, this exploit will be patched on your system.

Hallo psi42.

:) Thanks for info.

I am not 100% savvy on computers let alone Registry matters. I follow the premise of what one fool can do, so can another... I have yet to understand the mysteries of the Registry and why it can create such mayhem.

Is the file "value" you mention, the same item as the "Data", please?

The Zone 1004 file "Data" in the location listed to-day, are as follows:
Zone 0 0x00000000 (0)
Zone 1 0x00000003 (3)
Zone 2 0x00000001 (1)
Zone 3 0x00000003 (3)
Zone 4 0x00000003 (3)

What does it mean, please?

Cheers.

:o OK, now I know what a Registry "Value" file is, having scanned the Registry and found 32 assorted file values 1004! I assume that they cannot all be trouble.

:confused:
Question 1/. What is "DSO Exploit" and what is it exploiting? In fact, what is one looking for?
Question 2/. In addition to the 10 deleted 1004 REG_DWORD files as advised by Alicka, my Registry contains a further 11 similar, on one User Profile alone. That is they are all linked variously to Internet Settings/Zones. Do these need to be deleted?

My OS is W2K Pro, with SpyBot and SpyBlaster and everything is updated regularly.

Any ideas anyone, please?

Hi,
Cellarius's answer WORKS!
In more wording, here is how to get rid of it:

The following editing the Registry is the ONLY way to get rid of DSO Exploit. Be VERY CAREFUL when editing the Registry; your computer might not re-boot. So first, shut down the computer, then turn it back on. Windows will back up your registry for you.
1. Run the SpyBot scan as usual.
2. When finished, left click on the + sign to the left of DSO Exploit, to expand it. There may be more than one listing of pathways. If you have more than one listing, you will have to do the same below for each separately.
3. Left click on one of the "Data Source Object Exploit" to highlight it. Then write down the full path; such as, HKEY_Users/Default/Software/Microsoft/Windows/Current Version/Internet Settings/Zones/O/1004, etc.
4. Right click anywhere on the highlighted area, and Left click on "More Details", then on "Jump to Locations". This takes you to the Registry.
5. Now, keep Left clicking on the + signs to the left of the pathway folders, until you get to the folder 0.
6. Left click on the folder 0, to highlight it.
7. On the right hand side, look for 1004 under the heading "Name", and Left click on 1004 to highlight it.
8. Right click on the highlighted area, and Left click on "Delete", then on "Yes".
9. At the top, Left click on Registry, and Exit.
10. Re-boot.

The DSO Exploit should now be gone. Run SpyBot again to prove it to yourself!

Best wishes,
fredg
PS; The DSO Exploit is a flaw in Internet Explorer 6; it allows advertising to run from and to your computer. If you downloaded the Cumulative Security Patch for IE, it will take care of it. OR, you can use the method above.

Ys, Ihave found a way to patch that DSO exploit. Here's what you need to do and this works.
1. Download a program called DSO Stop - url to follow
2. Install program, this only patches but will not get rid of exploit.
3. Download Spybot update v1.3TX
4. Install v1.3TX
5. Run Spybot - DSO will show after 14,000 items scanned but only 4 items
6. Run Spybot 1 more time
7. It will fix all DSO items after 3rd scan.

This works, I have done it 27 times on different PC's and the Exploit does not come back. e-mail me if you want if you have any question or can not find the downloads. [B]When this works pass it around.

ebyte

Whew long thread. I found my fix by combining Clueless's Post #65 and GTX Post #71. (I needed step by step all the way) :D

Needless to say I pursued a lot of junk along the way. It would help if someone would pick the correct fix, eliminate all the continued chatter and just post the fix and close the thread. I noticed that the are threads in other forums going down the same road as well. :eek:

A big thank you to Clueless and GTX Slotcar.

Along the way I found MS-AntiSpyware Beta 1 anyone running Windows should look at this, it is rich in features and seems to roll up all the small utilities into one. Download free at MS downloads. I find it works great on my machine. However it does not remove the existing DSO Exploit, I would think this is because MS plugged that particular hole and it just ignores it.

It did find several cases of spyware that the latest versions of Spybot, AD-Aware and CWshedder did not.

Nuf Said, Thanks to All

JohnD :D

Needless to say I pursued a lot of junk along the way. It would help if someone would pick the correct fix, eliminate all the continued chatter and just post the fix and close the thread. I noticed that the are threads in other forums going down the same road as well. :eek:

I did. Notice the very first post in this thread, it has been edited. That was in December. :)

I haven't closed the thread, in case anyone had something else to contribute...

:eek: Whoops my apologies. A search engine threw me in somewhere in the miiddle of an older forum page actually, that thread ended in July/04 it had 13 pages it has grown to 24?

It would be interesting to know if MS-Spyware would remove the ESO Exploit on a machine that had not been tampered with other utilities like Spybot or suchlike.

:)


Hi All,

Ran MS Spyware and then Spybot Search and Destroy on another computer.

Ran MS Spyware: It cleaned up a bunch of spyware but did not report DSO Exploit

Ran Spybot S&D: Found 24 instances of Spyware that MS Spyware missed and reported 5 DSO Exploit instances.

So MS spyware does not report or remove DSO Exploit.

Also given the reverse order of running the Antispyware programs and they both found spyware that each had missed, although Spybot found more than MS(lets also bear in mind that it was 2 computers that could have had different spyware in them) I for one will run more than one spyware program on my computers.

Regards,
JohnD

Hmm. What really actually matters is the value of the 1004 DWORD. It should be 3. If it is 3, you are fine.

If Spybot doesn't pick it up, either the value is set to 3 already, or you found a bug in spybot.

Either way, it essentially doesn't matter what you do, because as long as you are current with your MS patches, this exploit will be patched on your system.


Hallo psi42.

:o Posted a thanks and a couple more postings since your advice but forgot to "quote" you.

So thanks again!

Any more ideas on subsequent items, please?

Cheers.

Hi,
Cellarius's answer WORKS!!
In more wording, here is how to get rid of it:

The following editing the Registry is the ONLY way to get rid of DSO Exploit. Be VERY CAREFUL when editing the Registry; your computer might not re-boot. So first, shut down the computer, then turn it back on. Windows will back up your registry for you.
1. Run the SpyBot scan as usual.
2. When finished, left click on the + sign to the left of DSO Exploit, to expand it. There may be more than one listing of pathways. If you have more than one listing, you will have to do the same below for each separately.
3. Left click on one of the "Data Source Object Exploit" to highlight it. Then write down the full path; such as, HKEY_Users/Default/Software/Microsoft/Windows/Current Version/Internet Settings/Zones/O/1004, etc.
4. Right click anywhere on the highlighted area, and Left click on "More Details", then on "Jump to Locations". This takes you to the Registry.
5. Now, keep Left clicking on the + signs to the left of the pathway folders, until you get to the folder 0.
6. Left click on the folder 0, to highlight it.
7. On the right hand side, look for 1004 under the heading "Name", and Left click on 1004 to highlight it.
8. Right click on the highlighted area, and Left click on "Delete", then on "Yes".
9. At the top, Left click on Registry, and Exit.
10. Re-boot.

The DSO Exploit should now be gone. Run SpyBot again to prove it to yourself !!

Best wishes,
fredg
PS; The DSO Exploit is a flaw in Internet Explorer 6; it allows advertising to run from and to your computer. If you downloaded the Cumulative Security Patch for IE, it will take care of it. OR, you can use the method above.


Hallo fredg.

:) Thanks for the info but I have already removed DSO Exploit via the Alicka Alota route as stated in in my previous posting on 17 January. SpyBot is clear.

:confused: Being curious, I scanned the Registry again and came up with the results listed in subsequent postings. The machine runs OK, I simply wondered what the significance of these findings was if any and if someone was able to throw any light on them.

:cool: I am running W2K Pro, SpyBot and SpyBlaster along with McAfee ViruScan and Firewall; everything is fully updated, regularly.

Cheers and thanks again.

The free ware at http://www.nsclean.com/dsostop.html DOES work! Use it

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm <-------List all windows processes for Windows 95/98/ME/NT4/2000/XP/2003
I don't know if ti's appropriate for this thread, but I feel more complete being able to look up processes.

Whiskey14
Junior Expert wrote:

By all means, let Spybot get rid of it for you, you don't want it on the computer. Have you seen a web page with a name like CoolSearch, or somethng similar? If yes, you will want to download CWShredder from:

My question is this. Every time I run Spybot it detects DSO Exploit with 5 entries. I tell Spybot to fix it. Spybot tells me it is fixed. When I run it again, the same thing happens. I'm leery about changing registry. I have Windows XP and the Windows XP Service Pack 2. Do I need to be anymore updated than that. Can I just ignore the DSO Exploit?

Thanks!

Robert

I have Windows XP and the Windows XP Service Pack 2. Do I need to be anymore updated than that. Can I just ignore the DSO Exploit?


Yes...

Yes........


Yes, I am updated enough, or yes, I can ignore the DSO threats, or both? I have told Spybot to ignore it. I did run the DSO Stop software you or someone mentioned, and it fized one of the five DSO threats, and one non DSO threat, but it wouldn't do anything to the other 4 DSO's. I told Spybot to just ignore them, but when I ran it again, they showed up, the remaining 4. Anyway, I do use FireFox, and since have mabe one or 2 spyware found during a scan as opposed to literally hundreds when I was using IE. Things seem to be fine.

Thanks, Robert

Hi,
Here are steps for getting rid of the DSO Exploit. This Exploit is part of Internet Explorer that allows advertising signals to be sent back and forth to your computer.

The following editing the Registry is the ONLY way to get rid of DSO Exploit. Be VERY CAREFUL when editing the Registry; your computer might not re-boot. So first, shut down the computer, then turn it back on. Windows will back up your registry for you.
1. Run the SpyBot scan as usual.
2. When finished, left click on the + sign to the left of DSO Exploit, to expand it. There may be more than one listing of pathways. If you have more than one listing, you will have to do the same below for each separately.
3. Left click on one of the "Data Source Object Exploit" to highlight it. Then write down the full path; such as, HKEY_Users/Default/Software/Microsoft/Windows/Current Version/Internet Settings/Zones/O/1004, etc.
4. Right click anywhere on the highlighted area, and Left click on "More Details", then on "Jump to Locations". This takes you to the Registry.
5. Now, keep Left clicking on the + signs to the left of the pathway folders, until you get to the folder 0.
6. Left click on the folder 0, to highlight it.
7. On the right hand side, look for 1004 under the heading "Name", and Left click on 1004 to highlight it.
8. Right click on the highlighted area, and Left click on "Delete", then on "Yes".
9. At the top, Left click on Registry, and Exit.
10. Re-boot.

The DSO Exploit should now be gone. Run SpyBot again to prove it to yourself!

Best wishes,
fredg

Hi to everyone!
I am new here, but I registeter right away when I realized that this is the community to interact with for any help.

About the DSO Exploit I have solved my problems following ebyte's way:


ys, Ihave found a way to patch that DSO exploit. Here's what you need to do and this works.
1. Download a program called DSO Stop - url to follow
2. Install program, this only patches but will not get rid of exploit.
3. Download Spybot update v1.3TX
4. Install v1.3TX
5. Run Spybot - DSO will show after 14,000 items scanned but only 4 items
6. Run Spybot 1 more time
7. It will fix all DSO items after 3rd scan.

This works, I have done it 27 times on different PC's and the Exploit does not come back. e-mail me if you want if you have any question or can not find the downloads. When this works pass it around.

ebyte

At first next pass of Sysbot I already have NO DSO Exploits!
I think this is the most simpler way ever because it does not assume the user to interact with the Windows registry.

Cheers. :)

Dose dso dissconnect you when trying to download programs?

I've very recently been having problems with my downloads cuting out... and I've just downloaded spybot ( delated dso but its come back... )
If dso isn't cutting me off when I'm downloading I think I won't pick this scab.

I don't think it's the DSO Exploit.
You better check your connection or do some worm check, and you better remove the DSO Exploit to prevento any future problem.