I just wanted to thank Alicka for his advice - followed your instructions & it's passed on to a better place!
Cheers! :)
I've tried Alicka's method and I'm still having problems
One thing I haven't heard is what DSO exploit does to your system... I know I have DSO.. SPYBOT tells me so
But I can't get to regedit nor can I get to task manager,
Is this symptomatic of DSO?
Following Alicka's method I get to step 4 but I get lost with step 5 any help please... >:(
Hello,
I am new to this forum, but I have had a similar problem. I had multiple adware coming back after running spybot, adaware and norton antivirus. The problem was that the adware would only reappear after running internet explorer. The problem was a service that was tied to IE, so that it would only launch when I run IE and put files in the windows dir and system32 dir and make changes to the registry. This could be everyone's problem (ie not exactly the same but similar) is a service that either runs when windows startup or when you run some other program. The problem is that there is no easy cure. I had to look at each process in the Windows Task Manager (Ctrl Alt Delete) click on the Processes tab and Google each process running. Once you find it, you have to end that process before you can delete the file as windows will tell you that it is currently using that file and won't let you delete it. Then you should go through the registry and remove keys referring to that file. You should also check and see if it has a CLSID for that file and search through the registry using the CLSID and remove those keys as well. For me I had one process spawn more processes/services and it took me a day once I knew what I had to do. A word of warning, some sites will tell you that a process is a virus / spyware / adware when it is not and it is a window system file that is needed! Check multiple sites to see where the process should be running from to see if the process is a bad one or good one. Also a good tool is Hijackthis.
Well, this may have been too much information for beginners, but this might get the experts here something to think about when a beginner tells them that they followed the experts' advice but the spyware keeps coming back.
Hope this helps in some small way.
Case
First timer here... on my hubbys puter, he has the DSO Exploit that he has tried everything to get rid of it, but it keeps coming back... he has a pop up that continually shows up that says its Microsoft Explorer and it says 'spyware detected'... that pop up is driving him nuts...
We've gone into the keys as you suggested and as soon as we reboot and run a scan, they are all back... that quick...
He also has 'webdialer' that he can't get rid of either...
His Norton is up to date, and everything else is current... this just started two days ago...
Sorry to sound like a beginner but I thank you for all of your help in advance...
I used this and it said it worked (we will see if it comes back) I try to run it a second time and it said it was gone!
Quote:
How would I make a password without using spacebar as a keystroke?
Does this question make sense? I think I know what I'm asking but I'm not sure.
Zeala
All right, I have tried every single thing in this forum, and DSO exploit is still running on my comp, it always DC's me from my games I am playing, and is starting to severely piss me off. I really need help, there is no delete option and no "0" folder, a 1,2,3,4 folder or anything, no 1004, I have 1005. I'd really appreciate any help you guys have. Thanks a ton.
Hi Everyone,
I have read through all 4 pages of posts and I think I can add some light to some of the confusion and problems people are having with the recommended fix. PLEASE NOTE. This fix is recommending you edit your registry file. If you make a mistake and delete or modify something you shouldn't, there is a chance you could mess up your computer. I would recommend getting a registry backup program and back your registry before you attempt the fix. You can find a registry backup utility at www.zdnet.com under downloads and search for registry backup. That being said...
I attempted to do the steps and when I selected the Jump to Location, the Registry editor opened but not to the location of the key referenced by Spy Bot. I have a feeling this same thing is happening to others. The trick is to navigate to the very top of the left hand pane. Then from there you can locate the keys by double clicking on the folders referenced in the path to the key. Also once there, under the Zones folder you will see the 0,1,2,3,4 folders and in each of them is a 1004 key. In my instance, I actually had Spy Bot list 6 registry entries. See below
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1708537768-789336058-725345543-3254\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1708537768-789336058-725345543-1183\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
I have not finished yet but I imagine that I will have the 0,1,2,3,4 folders under each Zones folder.
I saw also that several people were asking how to delete. To delete the registry keys, right click on the 1004 key in the right hand pane of the registry editor and select delete from the drop down. You can also left click the 1004 key and then hit your <delete> key on your keyboard.
Good luck out there.
UPDATE: I removed the 1004 key from all 6 of the 0,1,2,3,4 folders and now the DSO Exploit is eliminated.
Happy Hunting. ;D ;D ;D ::)
Thanks for all the info on this thread, I have followed it and it has enabled me to get rid of DSO exploit, however I still have a problem, which may or may not be linked to it. When I log onto the internet, the number of bytes sent is always at least twice the amount received and information is transferred even when on a static page.
I have run Norton Anti-Virus (updated), Ad-Aware and Spybot but nothing is now found.
Any ideas? I am connecting through YahooBTOpenworld using a standard dial up connection.
Help would be gratefully received
I downloaded Mozilla and am using it as my browser. Problem solved. I am glad because I am not comfortable with altering my registry. Mozilla's tabbed browsing function is cool too. Maybe DSO Exploit was a blessing in disguise.
Quote:
wow... I did what sudbury said...
1. open spy bot
2. select advanced mode
3. select the settings tab
4. select block products
5. select security tab
6. check off the box for DSO exploit
7 CLOSE spy bot
8. open spy bot
9 run a scan!!
AND IT WORKED!!
:) :) ;) ::) :P :P :P :P :P ;D ;D ;D
Listen Dude/Dudette
You just don't get it.
Unless you remove DSO from your machine, YOU STILL HAVE IT!!
"blocking it" just excludes it from your list of results (basically just closing your eyes).
The block feature is there in case something that you want on your machine, (continually comes up, annoying), you are able to block it from the next scan.
If you think you have removed the exploit from your machine, you are sadly mistaken.
Unless you DELETE the files, IT IS STILL THERE.
Check out the following site:
http://www.nsclean.com/dsostop.html
Whiskey14
Whiskey14, this software seems to do AUTOMATICALLY what alicka is telling us to do MANUALLY. Right, no? If this is the case do we need to get the software? Or can we just do the clean up manually (per alicka suggestions)?
You can do either way, automatically with a free tool or manually. If you don't feel secure editing the registry, perhaps the tool is for you.
Hope this helps!
Whiskey14
I can see you're retarded ;D
All right guys, back to the subject at hand...
1st of all thanks alicka for your help.
2nd, I read all of the posts on DSO and had a problem getting rid of it. I couldn't find a way to get to the correct file, until I read PH_Man's suggestion (on page 4) to go to the top of the tree and drill down through the directories to the '0' folder and there I found the 1004 key. All done. Didn't have 10 files just 5 (I think). The .Default folder didn't even have the 1004 key but was listed as a DSO folder on the S&D tool's list of problems. What gives? And how do I find the other 5 or 6 DSO locations (DSO doesn't come up in S&D search anymore)?
On second thought - could the number of locations where the 1004 key is present/or has been changed be different for different people depending on their system configs? In which case it would make sense why different folks get different number of problems in their D&S search results. What say U?
3rd, I also keep getting the "about:blank" as my home page. I've done all of the near-fixes you mentioned previously (update IE, update Symantec, latest S&D tool, reboot, etc... ) nothing helps. How do I get my home page back? BTW, right clicking on the page doesn't open a window (I wanted to check page's properties), does this mean it's a template and not a real web address?
To remove About Blank, download Ad-aware 6, a free program that you can download at:
http://www.lavasoftusa.com/support/download/
Check for updates before running program. Then follow the directions here to do a full scan:
The following explains how to set Ad-aware's settings to perform a "Full Scan."
In Ad-aware click the Gear to go to the Settings area.
The following items should be on a green check, not on a red X.
Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected
Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)
Under the Tweak button...
Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.
In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile
In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion
Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.
After running Ad-aware, you must reboot your computer. It may be necessary to run Ad-aware two or three times if you have a lot of spyware, rebooting each time in between.
RESOLUTION
Users that knowingly have about:blank set as their homepage, and have no issues with a homepage hijack, can prevent this item from being presented on future scans by checking the box next to listings indicating about:blank, then right-clicking one of the checked items, and then choosing "Add selection to ignorelist."
Users that have a CoolWebSearch variant present on their system that wish to remove it completely can select the CoolWebSearch items, along with the about:blank listings, to fully remove the variant, and its changes, from their systems.
From: http://www.lavahelp.com/articles/v6/04/05/1801.html
Hope this helps!
Whiskey14
Quote:
Users that knowingly have about:blank set as their homepage, and have no issues with a homepage hijack,
Hope this helps!
Whiskey14
Thanks Whiskey, but I did not have an issue with about blank for about a week, then, I was not able to access my Favorites, and I now have a major issue with "about blank"
I've been thinking... When I run spybot it keeps showing me WebDialer and it doesn't get rid of it. Is this the bug that keeps giving me about:blank home page in IE? If that's the case my spybot is showing that it is residing in:
HKEY_USERS\S-1-5-21-1454471165-1801674531-839522115-1003\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
Can I just go into the registry and do something to get rid of it, ala DOS Exploit?
Try running Ad-aware as explained or download CWShredder from:
http://www.spywareinfo.com/~merijn/cwschronicles.html
Either one should remove AboutBlank.
Hope this helps!
Lorry
Whiskey14, I appreciate the input and will try your solution/s, but my question stands for one simple reason. I need to know if webdialer is causing the about:blank IE page?
Yes, the web dialer is the culprit. Remove it.
Hope this helps!
Whiskey14
Well, I've read all five pages and I'm still not sure I'm getting all of this. (I have ADD so please be kind.)
I too have DSO Exploit, 6 entries showing on Spybot. When I right click on DSO Exploit "more details" "jump to location" it then sends me to the Register Editor with an open folder named "settings" on the left side.
On the right side are six files with a little {ab} boxed before the following six names:
Default
Anchor color
Anchor color visited
Background color
Text color
Use anchor hover color
I don't see a folder called "zones" and I don't see this 1004 file you guys are talking about. Am I missing something here or am I misunderstanding what to do?
Any help would be appreciated. Thanks.
Spock, initially I had the same problem. When you get to location (link you clicked from spybot's page) and you see an inventory of folders, find the one that is listed in the spybot's list. Then click on the plus sign to the left of the folder name and it will open up. Go into it and keep clicking plus signs next to appropriate names of folders and they'll keep opening up until you get to the end (I think folder "0"). In there you'll see the key you need to delete.
To Clueless,
Thank you. Your directions were simpler and just what the doctor ordered. I had six entries Spybot found of DSO Exploit, and now I have one. For some reason that final one doesn't want to leave. I did exactly the same steps as given, but I can't seem to find this last 1004 file in all five folders - 0,1,2,3,4.
Oh well, I'll get it sooner or later.
I couldn't find one DSO as well, it was supposed to sit in the .Default folder, I never found it. Nevertheless spybot never showed it being there after I was done deleting the rest of them. Go figure...
In Spybot, the DSO Exploit should point you to a registry key like... Zones\0\1004.
It could be folder 01 instead of 0, but open the registry and go there. Don't depend on the "jump to" feature of spybot to do this.
The 1004 is called a DWORD. You'll notice that its icon is different than most of the icons there. Here's what you have to do.
Right click on 1004 and delete it.
Right click on folder 0 (or 01) and create a new DWORD called 1004.
Double click on your new 1004 and give it a value of 3. Make sure the "Base" is chosen as "hexadecimal" (it is by default).
Click on OK and close the registry. You're all set.
I FINALLY got rid of DSO blah blah blah... I read in this forum about what to try.. I went to the advanced mode and took a chance. I hope I didn't screw up our computer. I'm still not clear how that helps... all I know is that DSO is gone... for now.
For anyone with those awful porno pop-ups... I downloaded CWShredder and it did the trick. I currently have Spybot Search and Destroy, Spyware Blaster and CWShredder. It is THE only way I've been able to use the computer without the porn and other stuff. My only complaint now is something called Best Online Casino that pops up and becomes an icon on my desktop. Can anyone tell me what to do about that?
Sudbury,
I tried to do what is listed below and I thought it worked. The problem is that now the porn that was a problem before is back. I had to go back and uncheck the DSO and get out of advanced mode. The porn is gone now , but DSO is back. I don't get it. Any ideas?
Counselor
Quote:
If all your critical updates are installed you are protected against DSO Exploit and the finding in Spybot is just a nuisance. Eliminate this by doing the following:
1 Open Spybot and select 'advanced' mode.
2 Select 'settings' in the left column.
3 Select 'ignore product' in the left column.
4 Select 'security' tab.
5 Place check mark in box beside DSO Exploit.
6 Close program
7 Open Spybot and run a scan.
You will find that DSO Exploit has been eliminated and if your computer does not harbour any other spyware you will see a congratulatory message.
It must be a coincidence. They aren't related. All you've been doing is telling Spybot to ignore the DSO Exploit.
Quote:
]... but DSO is back. I don't get it. Any ideas?
Counselor
When you run spybot, it gets rid of the DSO Exploit. The problem is that a bug in spybot's fix changes the DWORD 1004 in the... Internet Settings\Zones\0 folder into a String Value 1004. When you run spybot again, it sees that this area is incorrect and identifies it, again, as the DSO because it thinks that any problem in this area is the DSO Exploit. Sudbury's fix simply tells spybot to ignore it from now on. This is probably OK since the DSO is actually gone. However, if you get it again, spybot won't see it.
If you want to put everything back properly, you need to:
1. Open the 0 folder
2. In the right pane, right click on 1004 and delete it
3. Right click on the 0 folder and choose New then DWORD Value
4. A new DWORD key will appear named New Value #1. Rename it to 1004 and hit Enter
5. Hit Enter again (or double click 1004) to open your new 1004 DWORD
6. A dialog box will appear. The Name Value at the top will be 1004. On the left is a box to enter a Value data. Place a 3 in this box. On the right is a place to choose the BASE. Make sure hexadecimal is chosen
7. Click OK and close the registry
The next time you run spybot, the problem should be gone, and you don't have to tell spybot to ignore it.
Well, isn't that ironic? I've got an illiterate kid and self proclaimed "full expert" attacking me.
Quote:
GTX or wateva, if you don't know what your going on about then don't give advice.
The GREAT N POWERFUL ALICKA (as he calls himself) simply doesn't understand the problem.
Just about everyone here has run Spybot, told it to get rid of the DSO Exploit, run Spybot again and found the DSO still there. It's not. It's a bug in Spybot that will be fixed with the next update. They already have the fix for it, but it didn't make it into the last update.
After you run Spybot the second time, it will tell you the DSO is still there. Click each check box and find all the 1004 locations that it points to. It may be only one, or it may be several.
Open your registry (Start/Run/and type in regedit). Don't bother with the "jump to" option of Spybot, it may only confuse you.
Follow the steps I've outlined in my previous post for each instance of 1004 that Spybot says is still infected.
As backup for my claim, I'm going to point you to the Official Spybot Forum. I don't know if I'm allowed to give you the link, so I'll post it in a separate reply (below) just in case it gets deleted. In the meantime, you can find the official forum by opening spybot, clicking on the "Info & License" box and then on "Credits". At the bottom of the page it gives you the forum address.
When you get there, click "forums" at the top of the page and then "enter forum" at the bottom of the next page. Browse down to the "Official Spybot Search & Destroy Forums" sections and choose "Spybot Search & Destroy 1.X" At the top of the page you'll see the pinned topic "DSO Exploit reappears after fixing".
OR... if you hold "The GREAT N POWERFUL ALICKA" in as high esteem as he holds himself, you can try to follow his misguided directions (which may or may not work, I haven't tried them).
Here's the Official Spybot forum. The first link is to the main page, the 2nd to the topic.
http://forums.net-integration.net/
http://forums.net-integration.net/in...howtopic=17159
Guys... can we all just get along?. Nah, just kidding. But seriously, most of us, mere mortals, only care about fixing our systems not who's a bigger expert.
GTX, why did you suggest not just deleting the 1004 key out of the registry but also to replace it with a new key? I followed alicka's advice from before to delete 1004 key and it worked. What will happen if I leave my registries without the 1004 key (PC seems to work fine)?
Thanks for all the info.
I have used the advanced mode to hide Dso but now want to reverse this.
How do you get to the O folder which is the first step?
Thanks
Peter
1004 is a security setting. It sets the policy (rules) when a url wants to take control of security settings in downloading unsigned activeX. The value of 3 (0x03 actually) sets URLaction_Download_Unsigned ActiveX to DISALLOW.
Here's one link explaining it. I'm sure you can find more if you're interested in these things.
http://msdn.microsoft.com/library/de...gistryKeys.asp
How important this setting is to your computer is up to you to decide. Before you got the DSO Exploit and ran Spybot, 1004 existed and most likely had the setting of 3. It takes less than 10 seconds to put it back to the way it was.
Clueless, it makes no difference to me what you do to fix the problem. I'm glad you fixed it and you're happy. The real question, though, should probably be why someone would advise you to delete the key altogether, not why I suggest putting things back the way they were.
I'm not "great and powerful" or a "full expert", I'm just a guy.
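The two posts above describe what a healthy 1004 entry looks like (a DWORD with value 3, meaning download of unsigned ActiveX is disallowed) and the state the Spybot bug leaves behind (a String Value named 1004). The following PowerShell is an added example, not code from the thread or from Spybot; it audits that value in every loaded user hive, and the function names `Get-Zone1004State` and `Repair-Zone1004` are hypothetical. It assumes the expected value of 3 stated in the thread and shown as `W=3` in the Spybot report lines.

```powershell
# Added example (not from the thread). Audits the 1004 value under
# ...\Internet Settings\Zones\<n> for every hive loaded under HKEY_USERS.
# Assumption taken from the thread: the correct state is REG_DWORD = 3 (disallow).
function Get-Zone1004State {
    param([int[]]$Zones = 0..4)

    $suffix = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        foreach ($zone in $Zones) {
            $path = "Registry::$($hive.Name)\$suffix\$zone"
            $key  = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            if (-not $key) { continue }          # hive has no such zone key

            if ($key.GetValueNames() -notcontains '1004') {
                $kind = $null; $data = $null; $status = 'Missing'
            } else {
                $kind = $key.GetValueKind('1004').ToString()
                $data = $key.GetValue('1004')
                if ($kind -ne 'DWord') {
                    $status = 'WrongType'        # e.g. String, the Spybot bug described above
                } elseif ($data -ne 3) {
                    $status = 'WrongValue'       # a DWORD, but not "disallow"
                } else {
                    $status = 'OK'
                }
            }
            [pscustomobject]@{ Path = $path; Kind = $kind; Data = $data; Status = $status }
        }
    }
}

# Recreates 1004 as DWORD 3, following the delete-and-recreate steps in the thread.
# Only 'WrongType' and 'Missing' are touched; 'WrongValue' is left for manual
# review because a different DWORD may be a deliberate policy for that zone.
function Repair-Zone1004 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)]$State)

    process {
        if ($State.Status -notin 'WrongType', 'Missing') { return }
        if ($PSCmdlet.ShouldProcess($State.Path, 'Set 1004 to DWORD 3')) {
            if ($State.Status -eq 'WrongType') {
                Remove-ItemProperty -LiteralPath $State.Path -Name '1004'
            }
            New-ItemProperty -LiteralPath $State.Path -Name '1004' `
                -PropertyType DWord -Value 3 | Out-Null
        }
    }
}

# Report only:
#   Get-Zone1004State | Format-Table -AutoSize
# Preview the repair without writing anything:
#   Get-Zone1004State | Repair-Zone1004 -WhatIf
```

Writing to other users' hives requires an elevated session, and only hives of currently loaded profiles appear under HKEY_USERS.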
FINALLY, someone who writes comprehensibly, actually explains what things actually do, and provides links.
Quote:
1004 is a security setting. It sets the policy (rules) when a url wants to take control of security settings in downloading unsigned activeX. The value of 3 (0x03 actually) sets URLaction_Download_Unsigned ActiveX to DISALLOW.
Here's one link explaining it. I'm sure you can find more if you're interested in these things.
http://msdn.microsoft.com/library/de...gistryKeys.asp
How important this setting is to your computer is up to you to decide. Before you got the DSO Exploit and ran Spybot, 1004 existed and most likely had the setting of 3. It takes less than 10 seconds to put it back to the way it was.
Clueless, it makes no difference to me what you do to fix the problem. I'm glad you fixed it and you're happy. The real question, though, should probably be why someone would advise you to delete the key altogether, not why I suggest putting things back the way they were.
I'm not "great and powerful" or a "full expert", I'm just a guy.
Sorry, but I couldn't resist jumping in here.
I have been watching the DSO Exploit-related questions/pleas and "answers" coming in and out of here for quite a while.
I had decided to let them be...
I keep watching "THE GREAT N POWERFUL ALICKA" flaming other members in this thread whenever they offer a different idea or opinion. In this case GTX_SlotCar is bringing information from the Spybot developers themselves, which I suppose has got to be worth something.
I would suggest everyone interested read the ENTIRE Spybot forum thread. It will tell you everything you need to know to fix the problem on your system, and understand why it occurs and why it needs to be stoppered...
To "THE GREAT N POWERFUL ALICKA":
You are not always right. You may think you are, but the world just doesn't work that way. You need to Stop flaming everyone who disagrees with you. What makes you think you are the final authority on everything?
Oh, and GTX... the 1004 DWORD... If it _is_ deleted, what will IE do with itself? Logically, one would think the key would be recreated, with the default value of 0x03, the way it should be, but who knows..
Oh, and by the way, _please_ stop using Internet Explorer. It is bad.
:)
~psi42
I followed Sudbury's directions and they seem to have worked. Thanks :D
GTX, it seems like you're defending your position. The problem is, no one is attacking it. Read my question again.
I couldn't care less if I delete a key or change it back to the original setting, I just don't know enough to make the right call (that's why I'm asking). If you would have come along first, then I would've changed it back to the original setting instead of deleting it. I thought 1004 key was created by the virus not changed by it, which meant I needed to delete it. Enough on semantics.
So...
1st, GTX and psi42, which one is it? Do I check to see if IE recreated the key or do I go and recreate it myself? Also, by recreating the key to its default setting am I setting it to allow the same virus to enter my PC and start this cycle all over? If the answer is no, then please explain what has changed.
2nd, I have a few viruses that are quarantined by Symantec AntiVirus but that are not showing up during the S&D search. Viruses like: Trojan.BiteVerify, MHTMLRedir.Exploit, Download.Ject. Any insight?
To Clueless... Hello how are you? Listen about your antivirus scanner. I would recommend downloading one of the best anti-virus scanners out there it is called F-Secure Anti-virus by DataFellowes. I have been using it at work, it is on the network at work, and I have been using it at home. It picks up viruses that norton and mcafee won't and it also picks up malicious (bad) code that aren't identifiable. About that download.ject virus. Microsoft, on their website about a week and a half ago, had a patch for the download.ject virus. Go here to download the tool from Microsoft http://www.microsoft.com/downloads/d...displaylang=en Make sure you read the page and follow the directions. As for the anti-virus, go here http://esd.element5.com/demoreg.html...0&languageid=1 and download the trial version, but remove your other anti-virus scanner first. Symantec has been known to be a "corporate" business out there to make money, there are other companies who do "real" work and "care" about their customers. Learn how to use the program, it is not difficult. And make sure you update those virus definitions. Any problems, you jot it in the forum and I will try to assist ANYONE...