    GTX_SlotCar Posts: 21, Reputation: 1
    New Member
     
    #121

    Aug 20, 2004, 07:58 PM
    Re: DSO Exploit

    Am I "Jumping the Gun."

    Willow
    Yes.
    And I hope you're not free of DSO, but free of the exploit. You might want to read pages 5 through 7 of this thread.

    Sudbury Posts: 5, Reputation: 1
    New Member
     
    #122

    Aug 20, 2004, 09:38 PM
    DSO Exploit
    If Willowtree and Grady and countless others are happy with getting DSO Exploit off their screens with a minimum amount of fuss and bother that's fine with me. Check Spybot regularly for updates because they are going to issue a permanent fix soon.

    Sudbury
    Willowtree Posts: 8, Reputation: 1
    New Member
     
    #123

    Aug 21, 2004, 07:27 AM
    DSO Exploit
    I want to thank you both for your input. I am not a super computer person. I am just learning as I go along. So, at this point I can use all the help I can get. All I am looking for is something that works and something even I can understand.
    Take care,
    Willow
    GTX_SlotCar Posts: 21, Reputation: 1
    New Member
     
    #124

    Aug 21, 2004, 08:22 AM
    Re: DSO Exploit
    If Willowtree and Grady and countless others are happy with getting DSO Exploit off their screens with a minimum amount of fuss and bother that's fine with me.
    Sudbury
    I don't know if the others are 'countless', but it's fine with me, too. I think they should realize they're running without a security setting there doing it that way, but as long as they're happy...
    Yes, spybot already has a fix for this. They had it for their last release, but it didn't make it in. It will be in their next release, soon, but we've been saying this since this thread began, April 16th.
    I think people find this thread looking for help. Most of them start reading at the beginning, try stuff until something seems to work and never bother reading further.
    If it really bothered me, I'd start a new thread ;)

    gusreiber Posts: 1, Reputation: 1
    New Member
     
    #125

    Aug 21, 2004, 08:43 AM
    Re: DSO Exploit
    Hold the phone.
    Here is the real solution to the problem:
    http://www.experts-exchange.com/Secu..._21054787.html

    Disabling the DSO Exploit check is really silly advice.
    By the same logic, you could just uninstall SpyBot and not get any notifications from it.

    The DSO Exploit is an important security hole to know about. The other advice above describing the Exploit and steps to manually remove it by making changes in your registry are the right way to go. Read the registry change instructions carefully and everything will be fine.
    Willowtree Posts: 8, Reputation: 1
    New Member
     
    #126

    Aug 21, 2004, 10:09 AM
    DSO Exploit
    I came here looking for help. If I have done something wrong, I need to know. I love my computer. It is not only a tool, it is a gateway to the world for me. The websites that have taught me so many things and lets me keep in touch with my family and friends at the touch of a keyboard.
    Most of the things, you all talk about, I have never heard or know about.
    Everything, so far, I have taught myself. So, I am open to anything that teaches me how to take better care of my computer.
    Thank you all for your help.

    Willow ;)
    psi42 Posts: 599, Reputation: 13
    Senior Member
     
    #127

    Aug 21, 2004, 11:14 AM
    DSO Exploit
    Hold the phone.
    Here is the real solution to the problem:
    http://www.experts-exchange.com/Secu..._21054787.html
    I find it rather amusing that the first post in that thread points right back to this mess...

    ;D

    I don't suppose someone who has posted on the first page could edit their post to reflect the fix? That way maybe a few less people could do the Wrong Thing?
    tickedOff Posts: 2, Reputation: 1
    New Member
     
    #128

    Aug 21, 2004, 01:44 PM
    DSO Exploit
    Do not go to the above link for the experts exchange. You have to sign up to even read the forums, and get bombarded with scripts upon entering. It is sites like that which are half the problem and should be avoided. Any real solutions should be posted here for all to see freely. Could you post the answer from that site here? Also, I changed all the registry key values to 3 like suggested, and 2 entries still show up on spybot. Is this an issue with spybot or what?
    GTX_SlotCar Posts: 21, Reputation: 1
    New Member
     
    #129

    Aug 21, 2004, 02:49 PM
    Re: DSO Exploit
     Any real solutions should be posted here for all to see freely.  Could you post the answer from that site here?  
    It is posted here.
    I've posted this in 5 forums and this is the only one that still has activity on it. On those others, I didn't even go into detail about what a DSO is or how it's "Exploited", or why Spybot keeps identifying it when it's gone. I've checked my procedure with the "official spybot forum" and it's correct. I've even given the link to that forum.

    In this thread, you have basically 3 opinions of what to do. One says to tell spybot to ignore the DSO Exploit once it's found it the first time. The other says to look up the DWORD in the registry and just delete it (actually, at that point it's a String Value), and the other says to delete the String Value 1004 (each occurrence) and create a DWORD 1004 (which is what it was before spybot mis-recreated it) because it's a security setting that shouldn't be ignored.
    All of them say you should run Windows Update for the security patches so you won't get this exploit again.

    Now it's up to you to decide which fix is right for you :)

    Gary




    psi42 Posts: 599, Reputation: 13
    Senior Member
     
    #130

    Aug 21, 2004, 04:59 PM
    Re: DSO Exploit
    Do not go to the above link for the experts exchange. You have to sign up to even read the forums, and get bombarded with scripts upon entering.
    Um... I didn't have to sign up for anything..?



    Now, I think it's time we really cleaned this thing up. This thread is 10 pages long because we have three conflicting "solutions."

    One is to ignore the problem
    One is to fix the problem
    One is to delete the 1004 key

    Now, can somebody who deleted the key please go back into the registry, and see if it was recreated, and what value it holds? Then maybe we can see if deleting the String Value entirely fixes the problem, or if it doesn't. Obviously changing it to a DWORD with a value of 0x03 _does_ fix the problem, we've established that. Now let's try to break the confusion, and figure out just what happens when the 1004 String Value is deleted.
    (I'd do it myself, but I haven't got a windows box handy at the moment ;D).

    :)

    ~psi42
    Air_Scorpio Posts: 2, Reputation: 1
    New Member
     
    #131

    Aug 22, 2004, 06:47 AM
    Re: DSO Exploit - Anti DSO Exploit - Manual Fix
    Anti DSO Exploit Manual Fix

    Locate DSO Exploit by Spybot - Search and Destroy

    Mostly we recognise that we are infected by DSO Exploit when we run SpyBot Search and Destroy.

    To check that SpyBot is not ignoring DSO, proceed:

    1) Choose from Mode / Advanced Mode
    2) Enter Settings
    3) Ignore products
    4) Security
    5) Uncheck DSO Exploit if checked in box.
    6) GoTo Spybot-S&D
    7) Check for problems

    Fix the problem manually in Registry

    If you see DSO Exploit (usually 5), select it first and Fix selected problems. Then do the operation below.

    1) Open regedit from run mode:
    2) GoTo: HKEY_USERS/DEFAULT/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0
    3) See if 1004 is REG_SZ or REG_DWORD. Most likely it's REG_SZ because of DSO Exploit.
    4) First delete 1004 Value - it's wrong.
    5) Proceed to Zones/0, right click 0 File and add new DWORD Value. (New/DWORD Value)
    6) Change Name of this Value as 1004, right click to 1004 and change Value Data from 0 to 3.
    7) Check if 1206 already exists.
    8) If not, process the same operation as for 1004 and leave Value Data of 1206 as 0.

    This operation needs to be done in all of these files:

    I. HKEY_USERS/DEFAULT/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0
    II. HKEY_USERS/S-1-5-18/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0
    III. HKEY_USERS/S-1-5-19/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0
    IV. HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0
    V. HKEY_USERS/S-1-5-21/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/0

    Check the result

    When the operation is done, check the registry codes (should be as shown in picture beside) and run Spybot for a final check up. Hope you won't see DSO Exploit anymore.

    Spybot - Search and Destroy

    If you don't have Spybot Search and Destroy (it's COMPLETELY FREE) you can download it just by clicking on that link: ftp://ftp.download.com/pub/win95/utilities/spybotsd13.exe

    Enjoy your surf!

    P.S. Also you can find it on http://www.ramesses.8m.com/custom.html

    P.S. Thanks GTX for locating a mistake - I wrote Explicit instead of Exploit before. :)) Was very sleepy because I hadn't slept for 30 hours at that moment. ;-)
    tickedOff Posts: 2, Reputation: 1
    New Member
     
    #132

    Aug 22, 2004, 08:41 AM
    DSO Exploit
    I think it recreates some of them if you delete them, so they keep showing up again on spybot. It DOES stop showing up if you find each individual 1004 entry that remains, delete it, then recreate it with a value of 3, like GTX said. Use the pane on the left in the registry to find the DEFAULT, S-1-5-18 through -21 individually (or whatever keys spybot lists) and change the values to 3. I think those were the same 5 entries I kept getting, so I tried that and it worked! Thanks computer geeks. I am going to school to become one myself, but never worked with the registry much. They said not to mess with it unless you know exactly what you're doing, so only change those entries showing up on spybot- nothing else... Thanks again.
    GTX_SlotCar Posts: 21, Reputation: 1
    New Member
     
    #133

    Aug 22, 2004, 09:39 AM
    Re: DSO Exploit
    Air Scorpio, please change:
    "Locate DSO Explicit by Spybot " to read "Locate DSO Exploit by Spybot". It may confuse the already confused. Thanks buddy.

    I'm sorry I haven't had time to answer all the private messages and email (from those who were resourceful enough to look up my email address through Tweaks & Reviews).
    I've reviewed Air_Scorpio's post and it reiterates what I've been saying. It even goes a step further and shows you how to make sure you haven't left spybot in a state where it ignores this DSO Exploit.
    He's taken the time to give you the exact locations to look for the problem in the registry for those who can't follow it in spybot.
    Follow his instructions or mine, whichever is easiest for you to understand.
    Don't forget to UPDATE WINDOWS to get the new security patches. Do you want to go through this again?

    Here are answers to the 2 most frequent questions I've been asked privately.

    To open the registry, click your "Start" button and then click "Run". A dialog box opens. Type in the word regedit and click OK. It will open your registry.

    The other one concerns changing the entry in 1004 to 3, but spybot continues to see it. You don't change the entry to 3. You delete 1004 (because it's a String Value and should be a DWORD) and create a new DWORD 1004 and give it a hex value of 3.

    I'm going to try to make this my last post here. Please understand that I'm not out of patience, just out of time.

    Gary
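
The check described in posts #131 and #133, as an added example that is not part of the original thread: a read-only PowerShell audit that reports the type and data of values 1004 and 1206 under Zones\0 for every hive loaded under HKEY_USERS. The function name Get-Zone0Audit is hypothetical, the expected data (1004 = 3, 1206 = 0) is taken from post #131, and the hives are enumerated rather than hard-coded.

```powershell
# Added example: read-only audit, nothing is written to the registry.
# Expected data is an assumption taken from post #131: 1004 = DWORD 3, 1206 = DWORD 0.
$ZonePath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$Expected = [ordered]@{ '1004' = 3; '1206' = 0 }

function Get-Zone0Audit {
    $hku = [Microsoft.Win32.Registry]::Users
    foreach ($hive in $hku.GetSubKeyNames()) {
        try {
            # Opened read-only; returns $null when the hive has no Zones\0 key.
            $key = $hku.OpenSubKey("$hive\$ZonePath")
        } catch {
            # Hive exists but the current account may not read it.
            [pscustomobject]@{ Hive = $hive; Value = '-'; Kind = $null; Data = $null; Status = 'Unreadable' }
            continue
        }
        if ($null -eq $key) { continue }
        try {
            $names = $key.GetValueNames()
            foreach ($name in $Expected.Keys) {
                $kind = $null; $data = $null
                if ($names -notcontains $name) {
                    $status = 'Missing'
                } else {
                    $kind = $key.GetValueKind($name)
                    $data = $key.GetValue($name)
                    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                        # The case the thread is about: a String Value where a DWORD belongs.
                        $status = 'WrongType'
                    } elseif ($data -ne $Expected[$name]) {
                        $status = 'UnexpectedData'
                    } else {
                        $status = 'OK'
                    }
                }
                [pscustomobject]@{ Hive = $hive; Value = $name; Kind = $kind; Data = $data; Status = $status }
            }
        } finally {
            $key.Close()
        }
    }
}

# Show every row; anything other than 'OK' is what the posts say to correct by hand.
Get-Zone0Audit | Format-Table -AutoSize
```

Run it from an elevated prompt so the service-account hives can be read; a row with Status WrongType and Kind String is the REG_SZ 1004 entry the posts describe.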

    Willowtree Posts: 8, Reputation: 1
    New Member
     
    #134

    Aug 22, 2004, 05:25 PM
    Re: DSO Exploit
    Hey all. I thought for one last effort and since he works in Seattle for Microsoft and thank the Lord he is my nephew, I would give him a shot at this. I just now emailed him and when I get a reply I will be very happy to share it with everyone.
    You all have been so helpful and kind. I want to thank you for that.
    Take care. Will be back as soon as I can!
    Thanks again,
    Willow :D
    alicka Posts: 110, Reputation: 1
    Junior Member
     
    #135

    Aug 26, 2004, 12:28 AM
    Re: DSO Exploit
    hey guys/gurls~
    Gezz this page still going! Well you're all a bit late, because the problem's been sorted... and to all newbies, don't take these guys' advice to likely, they most likely are amateurs, and it's not hard to see that when they are telling you to change values in the regedit.
    If you knew what Exploit actually did, or has already done then you's would know (obviously you don't) that changing values does absolutely stuff all. These process Has done what it needs to do.

    Don't try to be something you're not, you'll just make a fool of yaself! Oops too late ;D

    ~ Do not worry about doing ne of this, you'll just create more work for the guy (probably me :P) who will have to fix it. (Your PC that is)

    Regards~ alicka~
    I love this place~~~~
    psi42 Posts: 599, Reputation: 13
    Senior Member
     
    #136

    Aug 26, 2004, 01:29 AM
    Re: DSO Exploit
    don't take these guys' advice to likely, they most likely are amateurs, and it's not hard to see that when they are telling you to change values in the regedit.
    If you knew what Exploit actually did, or has already done then you's would know (obviously you don't) that changing values does absolutely stuff all. These process Has done what it needs to do.
    And the online source that backs this up is... where?

    Don't try to be something you're not, you'll just make a fool of yaself! Oops too late ;D
    Indeed.

    Air_Scorpio Posts: 2, Reputation: 1
    New Member
     
    #137

    Aug 26, 2004, 05:22 AM
    Re: DSO Exploit
    To alicka & psi42...

    You better tell people what should be done instead of telling people that everything is wrong. You drive people nuts. If you know so much tell them what to do. Yes, we are newbies (at least I am) but at least we try to help people as we can, not like you just laughing and no help. And I think if you really knew what to do you would tell.

    Regards ,
    Scorp
    alicka Posts: 110, Reputation: 1
    Junior Member
     
    #138

    Aug 26, 2004, 05:15 PM
    Re: DSO Exploit
    Dear Air scorpio,
    Your thread touched me! No really it did ;D, yes what am I thinking ::) well dearest scorpio if you've been here since the start you'd know that I've posted numerous Exploit Fixes on here, but do people listen! No, and I don't care. Well I do care but I only care about the people who are genuinely stuck in a pickle! It's just the regedit is not something you want to play around with if you don't know what you are doing.
    And I don't know what these other guys here are doing, but where I am it's my job. I work for government IT, so I think I'd know... <well that's for me to know and for you's to decide>


    Regards~ alicka~
    Deus t@ Am3n
    alicka Posts: 110, Reputation: 1
    Junior Member
     
    #139

    Aug 26, 2004, 05:18 PM
    Re: DSO Exploit
    And almost forgot, definitely take PSI's advice, if you're using Internet Explorer, that's where half your problems come from! Get Mozilla and see the difference! :o ;D

    Regards~ Alicka alota~
    psi42 Posts: 599, Reputation: 13
    Senior Member
     
    #140

    Aug 27, 2004, 01:20 AM
    Re: DSO Exploit
    To alicka & psi42...

    You better tell people what should be done instead of telling people that everything is wrong. You drive people nuts. If you know so much tell them what to do.
    Well, it really looks like we are trying to do that. What's going on here is that there is rather a bit of a disagreement. The problem is, a few of you guys think there is some sort of war on or something ;D.

    Yes, we are newbies (at least I am) but at least we try to help people as we can, not like you just laughing and no help. And I think if you really knew what to do you would tell.
    Okay, for the last time:

    This vulnerability was patched by Microsoft a long time ago. It _does_ _not_ matter if you do anything about it or not at this point in time, as long as you've kept up with your security updates.

    Will everyone please confirm the above statement so we can all agree on something?

    So you _don't_ need to fuss _if_ you've been patching your system. If you haven't been patching your system, well, that's bad. :)

    If you like to have everything just right just in case, then you're going to have to figure out on your own which "solution" you're going to follow.

    Here, take a look at this site:
    http://www.greymagic.com/security/advisories/gm001-ie/

    Go to the very bottom, and try the "Demonstration." If the program it specifies runs on your system, then you are vulnerable.

    Now a good flame war is always fun, but this isn't a very good one.

    Oh, and alicka. You're pretty confident of your position, I respect that. Unfortunately, it seems that every source I've seen on the net rather disagrees with you.
    Now if you posted a link to a nice piece of writing that backed up what you were saying, we could all be happy. :)

    ~psi42
