Check out some similar questions!

Sudbury · Sep 13, 2004, 08:37 PM

Check to see if you are using the latest version of Spybot S&D (version 1.3) and that all your Windows Critical Updates are installed, then follow the instructions listed in Reply # 11 of this post. This will enable Spybot to ignore the false-positive finding of DSO Exploit (which Microsoft has fixed) until the permanent fix is released by Spybot When the permanent fix is released, you can uncheck DSO Exploit in the 'ignore products' section and it will be gone forever.

Hope this helps.

Sudbury

AF_Vet · Sep 15, 2004, 08:45 PM

:P Sorry but I've got to ask. I've been reading this thread with interest and some amusement and my head is thoroughly spinning.

Running Spybot v1.3
Brand new computer 2 weeks old
Updated to Windows XP Home SP2
Spybot finds DSO Exploit

1. It has been said if your patches are up to date you are protected - with SP2 I would think I'm up to date

2. It has been said this is a bug in Spybot and change the Spybot settings to ignore until they update.

If number 1 is right then number two makes sense at least it does to me. Am I right, wrong or somewhere in the middle?

Thanks for letting me ask.

Richard_Oakley · Sep 16, 2004, 01:21 AM

Hi All
I have to agree with AF_Vet's comment having installed SP2 and all the other fixes DSO Exploit still raises it's ugly head.

Setting ignore product in Spy Bot does not remove the problem but just hides it.

What I cannot glean from all the forum is what does DSO Exploit do?

R.O.

Willowtree · Sep 16, 2004, 03:21 AM

Richard, to answer your question, I posted a Web site that I got from my nephew that works for Microsoft. It is on page 10 under Willowtree with Duffy Duck.
Believe me I was asking all the same questions, also.
Anyway, I hope that helps you. Take care.

Willowtree ;D

GTX_SlotCar · Sep 16, 2004, 08:48 AM

You run spybot and it finds the DSO Exploit. Spybot will identify 1 to 5 areas in your registry where the problem exists. The areas all end in "...Internet settings\Zones\0", 0 being the folder and 1004 is the affected DWORD.
1004 is a security setting. It sets the policy (rules) when a url (a web site) wants to take control of security settings in downloading unsigned activeX. The value of 3 (0x03 actually) sets URLaction_Download_Unsigned ActiveX to DISALLOW. If you don't have it set to 3, malicious activeX scripts can be run on your computer. This is what Spybot has found happening on your computer.

DSO's are part of Windows, much the same as dll's are (files with the .dll extension). They are "Dynamic Shared Objects". Windows uses dso's and dll's so programs can share a lot of things. If you've been into computing for a long time and remember the good old days of DOS, you'll remember needing a different printer driver for each program, a different sound driver, modem driver and video driver for each program. What a mess. You couldn't even copy and paste between programs. With Windows, all these things are shared.

Unfortunately, a Windows security flaw exists that allows activeX scripts to be run through the DSO regardless of the security setting you have chosen. In other words, someone has figured out a way around the DWORD = 3 setting which supposedly stops unsigned acitiveX scripts from being downloaded. Microsoft is aware of it and has fixed it in it's latest security patches.

When you run spybot, it gets rid of the DSO Exploit. The problem is that a bug in spybot's fix changes the DWORD 1004 in the... Internet Settings\Zones\0 folder(s) into a String Value 1004. When you run spybot again, it sees that this area is incorrect and identifies it, again, as the Exploit because it thinks that any problem in this area is the DSO Exploit. You see, a String Value 1004 is worthless. It's like having no security setting at all. Can you see the problem with this?

Some people here are saying you can just set Spybot to ignore the DSO Exploit. Others say to just delete the 1004 entries. The reasoning behind this is that updating windows with the latest security patches fixes things so you can't get this DSO Exploit again.

However... there are still unanswered questions about the new security patch. If, as I assume it does, it fixes the security hole that allows someone to exploit the DWORD = 3 security setting (fixes the hole so nobody can get around it), then don't you still need the security setting to be there in order for the patch to work?
Before you got the DSO Exploit and ran Spybot, the DWORD 1004 existed and most likely had the setting of 3. It takes less than 10 seconds to put it back to the way it was. I have several posts on this thread explaining how to do this. Also, Spybot gives you the url for their official forum. You can look it up there and they'll tell you the same thing. Patch windows with the latest security patches. Delete the String Value 1004 entries and create new DWORD 1004 entries with the value of 3. It doesn't take long to do it the right way and then you're sure to be covered.

Gary

Willowtree · Sep 16, 2004, 09:13 AM

Gary, God you're good! How long have you been messing with computers? As you can tell I am still a very new newbie. I don't know about anyone else, but I am truly impressed! Seriously! I really enjoy reading your posts.
Anyway, take care. We are dealing with some really bad weather. Ivan go far away, please!!

Willow

burnthis · Sep 16, 2004, 05:18 PM

I don't know if this solutions has already been posted, but it will fix the problem without any need to go into the registry.

http://forums.net-integration.net/in...ndpost&p=94923

Sudbury · Sep 16, 2004, 07:15 PM

Spybot has released a new set of detection updates today.

GTX_SlotCar · Sep 16, 2004, 08:00 PM

Spybot has released a new set of detection updates today.

I hope that anytime someone runs Spybot (or any spyware or anti-virus program) they check for update files first. For those that don't, please do.

GTX_SlotCar · Sep 16, 2004, 08:21 PM

OK, there's a new beta version of Spybot S&D. It's version 1.3.1 and it should fix the DSO exploit bug in Spybot 1.3.
It's a beta version, so be warned that it may have other bugs. Since the beta is out, I assume that the next version of Spybot is just around the corner and advise everyone to wait for the released version.
That being said, I'm sure everyone will ignore my advice and want to try the beta anyway.
If you don't know how to get the beta version, it means that you really haven't explored Spybot; and, judging by the amount of people here that think ignoring a problem is the best way to fix it, I'm going to assume this is true and tell you how to download the beta version. BUT First, if you have already told Spybot to just ignore the DSO Exploit, get back in and tell it not to ignore it anymore. Otherwise this beta version won't help you. It won't fix it if it's been told to ignore it, get it?
OK,
1. open Spybot version 1.3
2. click on the "settings" tab (it's on the left)
3. click on the "settings" icon (it's in the right pane)
4. a list of topics and sub-topics will appear
5. scroll down to "web update"
6. put a check mark beside "display available beta versions"
--------------------------
7. Now, on the left again, click the tab for "Spybot-S&D"
8. click the box that says "Search for Updates"
9. when the updates are found, click the box that says "Download Updates"

The beta installs right over the 1.3 released version and there is no need to restart the program. Just run Spybot.
I don't have the Exploit problem, but I did change the DWORD 1004 value in one of my "HKEY_USERS\......\Software\Microsoft\Windows\Curr entVersion\Internet Settings\Zones\0" folders and running the new beta version put it back the correct way.

Gary

robert33 · Sep 19, 2004, 02:11 AM

Hi Gary,
I'm new to all of this, been reading all the dso exploit posts for the past month and just registered on here tonight so that I could personally thank you. I had the same problem as everyone else even know all of my updates were current. I installed the beta version of spybot like you said in your post and it finally got rid of those very annoying dso exploit entries that kept coming up.

Thanks again,
Robert 8)

LaLa · Sep 20, 2004, 10:02 AM

Ok yet another newbie here... I read the first 5 pages yesterday and the rest today so this is what I did yesterday... I ran spybot 1.3 it told me I had DSO X then ran again, same thing so on someone's advice in this thread I downloaded "DSOSTOP2" -- Installed it ran it and then tried spybot again and no DSO X. So is that little program going to fix my registry properly since I don't mess with that stuff or I'm I going to have to do the registry thing.. (I have 2 computers Win98 & XP sp2 but I only have the problems with 98se, all updates with Windows are done and spybot.)

alicka · Sep 20, 2004, 09:07 PM

Why even bother!
This has been fixed for the last couple of months and this threads still going... gezzz guys and girls get with it.

Anybody running Win Xp just Sp2 and your problems will be solved~! Plus No MORE bloody POP-UPS ;D ;D ;D :P

Regards!~

psi42 · Sep 21, 2004, 02:56 AM

just Sp2 and your problems will be solved~!

Yeah, right. :D

robert33 · Sep 21, 2004, 05:48 AM

Yeah, right. :D

LOL! Sp2 crashed my computer twice, because there was a compatiibility issue with some of my programs. Best advice a newbie can give is WAIT 3 months before installing sp2! ;D

Robert

alicka · Sep 21, 2004, 09:23 PM

Huh, and you reacon use Linux! :o
Well yes and No. Ive bin trialling Sp2 since its release with no probs, I administor a rather large Government network. Which we'll be putting out Sp2 within the next few months.
Robert were you using Xp Home or Pro?

Regards Alicka

robert33 · Sep 22, 2004, 12:49 PM

Hi there,
I'm using xp home edition.

Robert

DBrock4316 · Sep 28, 2004, 04:06 AM

Don't mess with the registry. Go to my website and read all about the DSO Exploit. Then follow the instructions for removal.

www.remotecomputerhelp.com

idwita · Oct 2, 2004, 04:23 PM

If all your critical updates are installed you are protected against DSO Exploit and the finding in Spybot is just a nuisance. Eliminate this by doing the following:

1 Open Spybot and select 'advanced' mode.
2 Select 'settings' in the left column.
3 Select 'ignore product' in the left column.
4 Select 'security' tab.
5 Place check mark in box beside DSO Exploit.
6 Close program
7 Open Spybot and run a scan.

You will find that DSO Exploit has been eliminated and if your computer does not harbour any other spyware you will see a congratulatory message.

I'm sorry, but I just don't believe that Sudbury's method eliminates DSO Exploit, as the instructions for the "ignore product" section SPECIFICALLY say "If you check a product here, it will not be found during a scan. Use this list if you know you have some threat on your computer, but need to keep it." That means that SPYBOT IS IGNORING A STILL VERY PRESENT "DSO Exploit". I don't see any reason why I need to keep it; maybe someone else does need it...

idwita · Oct 2, 2004, 04:43 PM

Um, sorry about that apparently useless first post of mine; for some combination of a few reasons, I didn't see 'til just now that this topic is 12 or so pages long. I must be the fifth or so person to point out what I pointed out, and it was a pretty obvious pointing-out, too. Y'all prob'ly won't be hearing much from me again. Best Wishes & Peace to all.

TIME TO MAKE DAMNED SURE YOU"RE REGISTERED TO VOTE, AND MAKE SURE YOU DO VOTE ON THE DAY!!
These are perilous times, and the fewer eligible people who vote, the more perilous the times will get!!