Check out some similar questions!

Lucid · Jul 8, 2004, 07:19 AM

I just wanted to thank Alicka for his advice - followed your instructions & it's passed on to a better place!

Cheers! :)

garyo · Jul 8, 2004, 01:27 PM

I've tried Alicka's method and I'm still having problems

One thing I haven't heard is what DSO exploit does to your system... I know I have DSO.. SPYBOT tells me so
But I can't get to regedit nor can I get to task manager,
Is this symptomatic of DSO?
Following Alicka's method I get to step 4 but I get lost with step 5 any help please... >:(

Case · Jul 9, 2004, 01:03 PM

Hello,

I am new to this forum, but I have had a similar problem. I had mutliple adware coming back after running spybot, adaware and norton antivirus. The problem was that the adware would only reappear after running internet explorer. The problem was a service that was tied to IE, so that it would only launch when I run IE and put files in the windows dir and system32 dir and make changes to the registry. This could be everyone's problem (ie not exactly the same but similar) is a service that either runs when windows startup or when you run some other program. The problem is that there is no easy cure. I had to look at each process in the Windows Task Manager (Ctrl Alt Delete) click on the Processes tab and Google each process running. Once you find it, you have to end that process before you can delete the file as windows will tell you that it is currently using that file and won't let you delete it. Then you should go though the registry and remove keys referring to that file. You should also check and see if it has a CLSID for that file and search through the registry using the CLSID and remove those keys as well. For me I had one process spawn more processes/services and it took me a day once I knew what I had to do. A word to the warning, some site will tell you that a process is a virus / spyware / adware when it is not and it is a window system file that is needed! Check mutliple sites to see where the process should be running from to see if the process is a bad one or good one. Also a good tool is Hijackthis.

Well, this may have been too much information for beginners, but this might get the experts here something to think about when a beginner tells them that they followed the experts advice but the spyware keeps come back.

Hope this helps in some small way.
Case

Ninee · Jul 9, 2004, 04:31 PM

First timer here... on my hubbys puter, he has the DSO Exploit that he has tried everything to get rid of it, but it keeps coming back... he has a pop up that continually shows up that says its Microsoft Explorer and it says 'spyware detected'... that pop up is driving him nuts...

We've gone into the keys as you suggested and as soon as we reboot and run a scan, they are all back... that quick...

He also has 'webdialer' that he can't get rid of either...

His Norton is up to date, and everything else is current... this just started two days ago...

Sorry to sound like a beginner but I thank you for all of your help in advance...

Dare-x · Jul 9, 2004, 11:14 PM

Hi Kat,

The following site explains:

http://www.nsclean.com/dsostop.html

Hope this helps!
Whiskey14

I used this and it said it worked (we will see if it comes back) I try to run it a second time and it said it was gone!

Zeala · Jul 10, 2004, 02:12 AM

How would I make a password without using spacebar as a keystroke?
Does this question make sense? I think I know what I'm asking but I'm not sure.

Zeala

Wars · Jul 10, 2004, 01:55 PM

All right, I have tried every single thing in this forum, and DSO exploit is still running on my comp, it always DC's me from my games I am playing, and is starting to severely piss me off. I really need help, there is no delete option and no "0" folder, a 1,2,3,4 folder or anything, no 1004, I have 1005. I'd really apprecaite any help you guys have. Thanks a ton.

PH_Man · Jul 10, 2004, 09:17 PM

Hi Everyone,
I have read through all 4 pages of posts and I think I can add some light to some of the confusion and problems people are having with the recommended fix. PLEASE NOTE. This fix is recommending you edit your registry file. If you make a mistake and delete or modify something you shouldn't, there is a chance you could mess up your computer. I would recommend getting a registry backup program and back your registry before you attempt the fix. You can find a registry backup utility at www.zdnet.com under downloads and search for registry backup. That being said...

I attempted to do the steps and when I selected the Jump to Location. The Registry editor opened but not to the location of the key referenced by Spy Bot. I have a feeling this same thing is happening to others. The trick is to navigate to the very top of the Left hand pane. Then from there you can locate the keys by double clicking on the folders referenced in the path to the key. Also once there, under the Zones folder you will see the 0,1,2,3,4 folders and in each of them is a 1004 key. In my instance, I actually had Spy Bot list 6 registry entries. See below

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Inter net Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1708537768-789336058-725345543-3254\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1708537768-789336058-725345543-1183\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Inter net Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Inter net Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Internet Settings\Zones\0\1004!=W=3

I have not finished yet but I imagine that I will have the 0,1,2,3,4 folders under each Zones folder.

I saw also that several people were asking how to delete. To delete the registry keys, right click on the 1004 key in the right hand pane of the registry editor and select delete form the drop down. You can also left click the 1004 key and then hit your <delete> key on your keyboard.

Good luck out there.

PH_Man · Jul 10, 2004, 09:50 PM

UPDATE: I removed the 1004 key from all 6 of the 0,1,2,3,4 folders and now the DSO Exploit is eliminated.

Happy Hunting. ;D ;D ;D ::)

awizzbang · Jul 11, 2004, 08:25 AM

Thanks for all the info on this thread, I have followed it and it has enabled me to get rid of DSO exploit, however I still have a problem, which may or may not be linked to it. When I log onto the internet, the number of bytes sent is always at least twice the amount received and information is transferred even when on a static page.
I have run Norton Anti-Virus (updated), Ad-Aware and Spybot but nothing is now found.
Any ideas? I am connecting through YahooBTOpenworld using a standard dial up connection.

Help would be gratefully received

Runner · Jul 11, 2004, 12:27 PM

I dowloaded Mozilla and am using it as my browser. Problem solved. I am glad because I am not comfortable with altering my registry. Mozilla's tabbed browsing function is cool too. Maybe DSO Explout was a blessing in disguise.

Notpil22 · Jul 11, 2004, 04:00 PM

wow... I did what sudbury said...

1. open spy bot
2. selct advanced mode
3. select the settings tab
4. select block products
5. select security tab
6. check off the box for DSO exploit
7 CLOSE spy bot
8. open spy bot
9 run a scan!!
AND IT WORKED!!
:) :) ;) ::) :P :P :P :P :P ;D ;D ;D

Listen Dude/Dudette

You just don't get it.
Unless you remove DSO from your machine, YOU STILL HAVE IT!!

"blocking it" just excludes it from your list of results (basically just closing your eyes).

The block feature is there in case something that you want on your machine, (continually comes up, annoying), you are able to block it from the next scan.

If you think you have removed the exploit from your machine, you are sadly mistaken.

Unless you DELETE the files, IT IS STILL THERE.

Whiskey14 · Jul 11, 2004, 07:28 PM

Check out the following site:

http://www.nsclean.com/dsostop.html

Whiskey14

clueless · Jul 11, 2004, 07:46 PM

Whiskey14, this software seems to do AUTOMATICALLY what alicka is telling us to do MANUALLY. Right, no? If this is the case do we need to get the software? Or can we just do the clean up manually (per alicka suggestions)?

Whiskey14 · Jul 11, 2004, 08:49 PM

You can do either way, automatically with a free tool or manually. If you don't feel secure editing the registry, perhaps the tool is for you.

Hope this helps!
Whiskey14

alicka · Jul 11, 2004, 10:36 PM

I can see your retarded ;D

clueless · Jul 12, 2004, 06:39 AM

All right guys, back to the subject at hand...

1st of all thanks alicka for your help.

2nd, I read all of the posts on DSO and had a problem getting rid of it. I couldn't find a way to get to the correct file, until I read PH_Man's suggestion (on page 4) to go to the top of the tree and drill down through the directories to the '0' folder and there I found the 1004 key. All done. Didn't have 10 files just 5 (I think). The .Default folder didn't even have the 1004 key but was listed as a DSO folder on the S&D tool's list of problems. What gives? And how do I find the other 5 or 6 DSO locations (DSO doesn't come up in S&D search anymore)?

On second thought - could the number of location where the 1004 key is present/or has been changed be different for different people depending on their system configs? In which case it would make sense why different folks get different number of problems in their D&S search results. What say U?

3rd, I also keep getting the "about:blank" as my home page. I've done all of the near-fixes you mentioned previously (update IE, update Symantec, latest S&D tool, reboot, etc... ) noting helps. How do I get my home page back? BTW, right clicking on the page doesn't open a window (I wanted to check page's properties), does this mean it's a template and not a real web address?

Whiskey14 · Jul 12, 2004, 07:48 AM

To remove About Blank, download Ad-aware 6, a free program that you can download at:

http://www.lavasoftusa.com/support/download/

Check for updates before running program. Then follow the directions here to do a full scan:

The following explains how to set Ad-aware's settings to perform a "Full Scan."

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:

Scan within archives

Under Memory & Registry, Check EVERYTHING

In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:

Unload recognized processes during scanning

Include info about ignored objects in logfile, if detected in scan

Include basic Ad-aware settings in logfile

Include additional Ad-aware settings in logfile

Include used command line parameters in logfile

In Cleaning Engine:

XP/2000: Allow unloading explorer to unload shell extensions prior to deletion

Let Windows remove files in use at next reboot

UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.

After running Ad-aware, you must reboot your computer. It may be necessary to run Ad-aware two or three times if you have a lot of spyware, rebooting each time in between.

RESOLUTION

Users that knowingly have about:blank set as their homepage, and have no issues with a homepage hijack, can prevent this item from being presented on future scans by checking the box next to listings indicating about:blank, then right-clicking one of the checked items, and then choosing "Add selection to ignorelist."

Users that have a CoolWebSearch variant present on their system that wish to remove it completely can select the CoolWebSearch items, along with the about:blank listings, to fully remove the variant, and its changes, from their systems.

From: http://www.lavahelp.com/articles/v6/04/05/1801.html

Hope this helps!
Whiskey14

Notpil22 · Jul 12, 2004, 07:55 AM

Users that knowingly have about:blank set as their homepage, and have no issues with a homepage hijack,

Hope this helps!
Whiskey14

Thanks Whiskey, but I did not have an issue with about blank for about a week, then, I was not able to access my Favorites, and I now have a major issue with "about blank"

clueless · Jul 12, 2004, 08:30 AM

I've been thinking... When I run spybot it keeps showing me WebDialer and it doesn't get rid of it. Is this the bug that keeps giving me about:blank home page in IE? If that's the case my spybot is showing that it is residing in:

HKEY_USERS\S-1-5-21-1454471165-1801674531-839522115-1003\Software\Microsoft\Internet Explorer\Main\HOMEOldSP

Can I just go into the registry and do something to get rid of it, ala DOS Exploit?