 |
Check to see if you are using the latest version of Spybot S&D (version 1.3) and that all your Windows Critical Updates are installed, then follow the instructions listed in Reply # 11 of this post. This will enable Spybot to ignore the false-positive finding of DSO Exploit (which Microsoft has fixed) until the permanent fix is released by Spybot When the permanent fix is released, you can uncheck DSO Exploit in the 'ignore products' section and it will be gone forever.
Hope this helps.
Sudbury
:P Sorry but I've got to ask. I've been reading this thread with interest and some amusement and my head is thoroughly spinning.
Running Spybot v1.3
Brand new computer 2 weeks old
Updated to Windows XP Home SP2
Spybot finds DSO Exploit
1. It has been said if your patches are up to date you are protected - with SP2 I would think I'm up to date
2. It has been said this is a bug in Spybot and change the Spybot settings to ignore until they update.
If number 1 is right then number two makes sense at least it does to me. Am I right, wrong or somewhere in the middle?
Thanks for letting me ask.
Hi All
I have to agree with AF_Vet's comment having installed SP2 and all the other fixes DSO Exploit still raises it's ugly head.
Setting ignore product in Spy Bot does not remove the problem but just hides it.
What I cannot glean from all the forum is what does DSO Exploit do?
R.O.
Richard, to answer your question, I posted a Web site that I got from my nephew that works for Microsoft. It is on page 10 under Willowtree with Duffy Duck.
Believe me I was asking all the same questions, also.
Anyway, I hope that helps you. Take care.
Willowtree ;D
You run spybot and it finds the DSO Exploit. Spybot will identify 1 to 5 areas in your registry where the problem exists. The areas all end in "...Internet settings\Zones\0", 0 being the folder and 1004 is the affected DWORD.
1004 is a security setting. It sets the policy (rules) when a url (a web site) wants to take control of security settings in downloading unsigned activeX. The value of 3 (0x03 actually) sets URLaction_Download_Unsigned ActiveX to DISALLOW. If you don't have it set to 3, malicious activeX scripts can be run on your computer. This is what Spybot has found happening on your computer.
DSO's are part of Windows, much the same as dll's are (files with the .dll extension). They are "Dynamic Shared Objects". Windows uses dso's and dll's so programs can share a lot of things. If you've been into computing for a long time and remember the good old days of DOS, you'll remember needing a different printer driver for each program, a different sound driver, modem driver and video driver for each program. What a mess. You couldn't even copy and paste between programs. With Windows, all these things are shared.
Unfortunately, a Windows security flaw exists that allows activeX scripts to be run through the DSO regardless of the security setting you have chosen. In other words, someone has figured out a way around the DWORD = 3 setting which supposedly stops unsigned acitiveX scripts from being downloaded. Microsoft is aware of it and has fixed it in it's latest security patches.
When you run spybot, it gets rid of the DSO Exploit. The problem is that a bug in spybot's fix changes the DWORD 1004 in the... Internet Settings\Zones\0 folder(s) into a String Value 1004. When you run spybot again, it sees that this area is incorrect and identifies it, again, as the Exploit because it thinks that any problem in this area is the DSO Exploit. You see, a String Value 1004 is worthless. It's like having no security setting at all. Can you see the problem with this?
Some people here are saying you can just set Spybot to ignore the DSO Exploit. Others say to just delete the 1004 entries. The reasoning behind this is that updating windows with the latest security patches fixes things so you can't get this DSO Exploit again.
However... there are still unanswered questions about the new security patch. If, as I assume it does, it fixes the security hole that allows someone to exploit the DWORD = 3 security setting (fixes the hole so nobody can get around it), then don't you still need the security setting to be there in order for the patch to work?
Before you got the DSO Exploit and ran Spybot, the DWORD 1004 existed and most likely had the setting of 3. It takes less than 10 seconds to put it back to the way it was. I have several posts on this thread explaining how to do this. Also, Spybot gives you the url for their official forum. You can look it up there and they'll tell you the same thing. Patch windows with the latest security patches. Delete the String Value 1004 entries and create new DWORD 1004 entries with the value of 3. It doesn't take long to do it the right way and then you're sure to be covered.
Gary
Gary, God you're good! How long have you been messing with computers? As you can tell I am still a very new newbie. I don't know about anyone else, but I am truly impressed! Seriously! I really enjoy reading your posts.
Anyway, take care. We are dealing with some really bad weather. Ivan go far away, please!!
Willow
I don't know if this solutions has already been posted, but it will fix the problem without any need to go into the registry.
http://forums.net-integration.net/in...ndpost&p=94923
Spybot has released a new set of detection updates today.
I hope that anytime someone runs Spybot (or any spyware or anti-virus program) they check for update files first. For those that don't, please do.Quote:
Spybot has released a new set of detection updates today.
OK, there's a new beta version of Spybot S&D. It's version 1.3.1 and it should fix the DSO exploit bug in Spybot 1.3.
It's a beta version, so be warned that it may have other bugs. Since the beta is out, I assume that the next version of Spybot is just around the corner and advise everyone to wait for the released version.
That being said, I'm sure everyone will ignore my advice and want to try the beta anyway.
If you don't know how to get the beta version, it means that you really haven't explored Spybot; and, judging by the amount of people here that think ignoring a problem is the best way to fix it, I'm going to assume this is true and tell you how to download the beta version. BUT First, if you have already told Spybot to just ignore the DSO Exploit, get back in and tell it not to ignore it anymore. Otherwise this beta version won't help you. It won't fix it if it's been told to ignore it, get it?
OK,
1. open Spybot version 1.3
2. click on the "settings" tab (it's on the left)
3. click on the "settings" icon (it's in the right pane)
4. a list of topics and sub-topics will appear
5. scroll down to "web update"
6. put a check mark beside "display available beta versions"
--------------------------
7. Now, on the left again, click the tab for "Spybot-S&D"
8. click the box that says "Search for Updates"
9. when the updates are found, click the box that says "Download Updates"
The beta installs right over the 1.3 released version and there is no need to restart the program. Just run Spybot.
I don't have the Exploit problem, but I did change the DWORD 1004 value in one of my "HKEY_USERS\......\Software\Microsoft\Windows\Curr entVersion\Internet Settings\Zones\0" folders and running the new beta version put it back the correct way.
Gary
Hi Gary,
I'm new to all of this, been reading all the dso exploit posts for the past month and just registered on here tonight so that I could personally thank you. I had the same problem as everyone else even know all of my updates were current. I installed the beta version of spybot like you said in your post and it finally got rid of those very annoying dso exploit entries that kept coming up.
Thanks again,
Robert 8)
Ok yet another newbie here... I read the first 5 pages yesterday and the rest today so this is what I did yesterday... I ran spybot 1.3 it told me I had DSO X then ran again, same thing so on someone's advice in this thread I downloaded "DSOSTOP2" -- Installed it ran it and then tried spybot again and no DSO X. So is that little program going to fix my registry properly since I don't mess with that stuff or I'm I going to have to do the registry thing.. (I have 2 computers Win98 & XP sp2 but I only have the problems with 98se, all updates with Windows are done and spybot.)
Why even bother!
This has been fixed for the last couple of months and this threads still going... gezzz guys and girls get with it.
Anybody running Win Xp just Sp2 and your problems will be solved~! Plus No MORE bloody POP-UPS ;D ;D ;D :P
Regards!~
Yeah, right. :DQuote:
just Sp2 and your problems will be solved~!
LOL! Sp2 crashed my computer twice, because there was a compatiibility issue with some of my programs. Best advice a newbie can give is WAIT 3 months before installing sp2! ;DQuote:
Yeah, right. :D
Robert
Huh, and you reacon use Linux! :o
Well yes and No. Ive bin trialling Sp2 since its release with no probs, I administor a rather large Government network. Which we'll be putting out Sp2 within the next few months.
Robert were you using Xp Home or Pro?
Regards Alicka
Hi there,
I'm using xp home edition.
Robert
Don't mess with the registry. Go to my website and read all about the DSO Exploit. Then follow the instructions for removal.
www.remotecomputerhelp.com
I'm sorry, but I just don't believe that Sudbury's method eliminates DSO Exploit, as the instructions for the "ignore product" section SPECIFICALLY say "If you check a product here, it will not be found during a scan. Use this list if you know you have some threat on your computer, but need to keep it." That means that SPYBOT IS IGNORING A STILL VERY PRESENT "DSO Exploit". I don't see any reason why I need to keep it; maybe someone else does need it...Quote:
If all your critical updates are installed you are protected against DSO Exploit and the finding in Spybot is just a nuisance. Eliminate this by doing the following:
1 Open Spybot and select 'advanced' mode.
2 Select 'settings' in the left column.
3 Select 'ignore product' in the left column.
4 Select 'security' tab.
5 Place check mark in box beside DSO Exploit.
6 Close program
7 Open Spybot and run a scan.
You will find that DSO Exploit has been eliminated and if your computer does not harbour any other spyware you will see a congratulatory message.
Um, sorry about that apparently useless first post of mine; for some combination of a few reasons, I didn't see 'til just now that this topic is 12 or so pages long. I must be the fifth or so person to point out what I pointed out, and it was a pretty obvious pointing-out, too. Y'all prob'ly won't be hearing much from me again. Best Wishes & Peace to all.
TIME TO MAKE DAMNED SURE YOU"RE REGISTERED TO VOTE, AND MAKE SURE YOU DO VOTE ON THE DAY!!
These are perilous times, and the fewer eligible people who vote, the more perilous the times will get!!
My question (somewhat rhetorical I suppose) is, when is PepiMK Software and/or SoftSpy going to fix the problem of DSO Exploit supposedly being fixed, but showing up again and again on the next Scan and each additional Scan?
They and many others on various message boards say that DSO Exploit is actually being removed during the Scan and showing up on the next Scan is just a glitch (solutions on some boards just discuising the glitch at best)
SoftSpy and others say the glitch will be corrected on the next update, BUT THIS HAS BEEN GOING ON FOR A VERY LONG TIME, MANY MONTHS OR MORE
I can't find a Home Page for PepiMK Software when I do a search, so that I can ask them directly, WHAT GIVES ON THES PROBLEM??
It's gotten way old. Sorry for beig so long winded and non-technical
If anyone knows how to reach PepiMK Software or SoftSpy, by email, url or phone, please advise. I'm tired of wasting time on this and it seems many others are as well
I would like to get to the bottom of this once and for all
It seems all that's going on so far is TALK, and as an old friend of mine used to say, this is nothing but MENTAL MASTURBA..!
Well you know!!
drphilohio needed a link to PepiMK software. Try this.
http://www.snapfiles.com/authorinfo/apps-7115596.html
I don't know this for sure but I read an article a while back that said that the DSO exploit has already been addressed by Microsoft and although it continues to show up after each spybot scan, it really does the system no harm whatsoever. I've had it on my main computer for months and my system has had not problems at all. Since reading that article, I simply just ignore it and continue computing.
I used GTX's approach to resolivng the DSO Exploit on my computer and it worked fine. Spybot now shows no threats. However, when I attempted the same approach on a colleague's computer, I ran into a problem. I found a faulty "AB-1004" entry under the HKEY_CURRENT USERS" path and removed it. But there was another one under the ".Default" tree of the the "HKEY_USERS" main folder. When I tried to delete the faulty AB-1004 key from there I got the message, "Unable to delete specific values". I tried to reboot, thinking that it was because something was already running. But that didn't help. How do I go about getting that key out of the registry?
Thanks,
Brian
Hi all.
This is the most helpful forum I have found so far for this problem of DSO exploit, but I still have a query. I used GTX’s advice on the registry keys, and although Spybot still shows DSO exploit up, I am not so concerned as this is reportedly a bug in Spybot, and your computer is safe if you have updates up to date, which I have. So thank you!
But I hope that I can explain the rest of this coherently. I have not seen this answered in any of the forums I have looked at, including this one I think. On both my computers, at work and home, I have an issue with aggressive advertising:
- I get a blue Casino bar across the bottom of IE (which I don't use anymore because of this)
- I get another sort of unsolicited search bar across the top of IE
- I get six/ seven icons for casino sites/ travel sites/ printer cartridge sites etc. which keep appearing on my desktops.
- I keep having “advertisement” sites (for casinos etc. again) added to my favourites folder, which then annoyingly transfer themselves to Mozilla favourites too!
- Finally, Spybot keeps finding 103 instances of coolWWWsearch that it advises me to get rid of, which I do each time.
Is this all caused by DSO exploit, or is there something else that I worry about? How does this/ DSO exploit get on your system to begin with?
Also, although I have managed to remove the problem with DSO exploit using Spybot (even though it is still finding it), I still have the above problems occasionally, so I don’t really understand what is going on with my PCs.
Can anyone help? Thank you.
Try by starting Windows in SAFE MODE.
See http://www.computerhope.com/issues/chsafe.htm
If you don't know how to do it.
The reason spybot search and destroy shows that your have a dso exploit is because there is a bug in spybot search and destroy! This dso exploit is security flaw in internet explorer that has been fixed, but spybot still thinks it hasn't been so it list it as a problem. If you don't believe me get it right out of the horses mouth http://forums.net-integration.net/in...howtopic=17159
The bug is in IE. Until you have updated IE, you are vulnerable. When the MS patch is installed, you are not vulnerable anymore, but Spybot still detects it.
But, who are you, with your first append, to call us stupid? A lot of people have not updated their IE. If you want to learn us something, go ahead, but don't lecture us. And don't insult us.
Behave yourself. Dropping in with a maiden-update yelling at people is not decent.
I'm with you on this one Urmod4U! I had 2 entries in my Spybot of DSO. I downloaded DSOSTOP2 to my desktop... and it now says I'm safe... but when I run Spybot it still keeps showing that I have one entry of DSO Exploit. Also... now you're going to think me REALLY dumb... BUT... do I have to keep DSOSTOP2 on my desktop or can I put it in trash? :confused:
Many Thanks!! :)
I've tried to get rid of DSO Exploit and I don't know if I've done it, S&D still shows it but I know that might still happen even if it's gone. I don't know if it's related but since I've had these problems I seem to have adverts and pop ups appearing even though Norton is fully updated. This never used to happen, adverts appeared as blank spaces.
Can anyone help?
Thanks,
Mark
This program is designed specifically to deal with DSOexploit for those having trouble. I haven't tested the program so scan it with a virus scanner first but it sounds pretty easy.
http://www.nsclean.com/dsostop.html
I did not go through the entire thread, but I have a problem that can only seem somehow related to the DSO exploit or Spybot. First off, this is only happening on an IBM R40 laptop with XP and service pack 2 installed. However, the laptop will not gain Internet access over any broadband connection unless Spybot has been run and has removed the DSO exploit. Once that has been done, the system can access the Internet just fine. The computer can sit, connected to the Internet, for an hour without an Internet connection until Spybot has cleaned the exploit. This has been happening for over a week. All other computers on the network are fine. Plus, I use Firefox and never IE. Any ideas? I'm about to format and re-install everything. I've tried various virus scans, and nothing is detected. Also, other spyware cleaners find nothing. Thanks.
The previous version of spybot, spybotsd13rc5.exe is able to remove the DSO Exploit.
You can download it from this link.
http://www.spybot-updates.com/files/spybotsd13rc5.exe
Hi I'm new and I have a question..
My com's been laggin lately.. and in task manager.. I notice something strange..
There is 3 rundll32 running and is that harmful or nothing is wrong..
I'm spyware free and virus and trojans.. free too
Thanks for you help
Sry for my english
Please post your question in a separate thread. That way, you will get your answer faster, and other people with the same question will be able to benefit from any responses. Thanks.Quote:
Originally Posted by EpiC2z
~psi42
Just go to regedit then the following:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Internet
Settings\Zones\0\1004!=W=3*
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Inter net
Settings\Zones\0\1004!=W=3*
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Inter net
Settings\Zones\0\1004!=W=3*
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Inter net
Settings\Zones\0\1004!=W=3*
HKEY_USERS\S-1-5-21-796845957-746137067-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Int ernet
Settings\Zones\0\1004!=W=3*
after you get to each folder go through the steps to get to the Zones folder anything with 1004 nuke it!
Also don't use Internet Explorer if you don't have to use Mozilla,Opera,Firefox anything but I.E.
safe bet also use BLANK start up page and as always have all windows updates in and have a antivirus running and updated and a good spyware program Spybot and Ad-Aware will do and the usual safety steps don't open it if you don't who it is from as I tell my people stay away from the porno sites but to each his own and last but not least is a FIREWALL there's a few out there but ZONE ALARM will do and one more thing don't sign up for everything on the net if you don't need it leave it alone that's how they get your email address and if your going to BUY anything online please have all the above done and make sure the url in the address bar starts with the following HTTPS: and the padlock is locked, if you at least have this done and your email set up to nuke spam you should have happy surfing but if your using I.E. please clean out the crap as I call it (Cookies,Tempory Internet Files) its none of their business were you have been online so in closing HAVE A NICE DAY!
I've had dso exploit for a couple weeks now and I want to get rid of it.
I did a windows update. I have norton's updated and ad-aware updated-both which don't show any problems.
But, spybot finds 5 entries of DSO exploit. I can "fix" the problem but spybots finds it again after I restart my computer.
I don't want to go into my registry and change anything.
Basically, I'm hoping someone can give me the best instructions for getting rid of this thing.
I've read all th eother fixes listed around here, but there are so many , so I'm hoping to hear from someone who can fix this good.
Thank you very much ;)
The only real way to get rid of DSO is go to regedit and the folders I posted yesterday keep everything updated and you might reset your ad-aware settings
so backup your reg. if your not sure and only go to the folders your supposed to
thats it unless someone comes up with a quicker way this works.
In Documents and Settings/allusers/applicationsdata/spybot.. /Recovery there are a lot of serially numbered DSOExploit*.zip files. It is easyto select them all and delete them. Then to the recycle bin to delete all found there. Recheck to be sure that all bad files in the directory site above are gone. Run Spybot and, voilà, one or more DSOExploit.zip files have been rewritten.
Anyone have an explanation for this?
Well that should cure the problem all the way around then I dont use recovery dont need the headache with virus and trogans thats were most of em go to these days anyway so less hassle that way, but your way is worth checking into but did you have any of the files in regedit still?
| All times are GMT -7. The time now is 11:58 AM. |