i keep running spybot and it finds a problem ( DSO Exploit 5 entries) and i click fix and go back and scan again and its right back can anyone help on this?
Printable View
i keep running spybot and it finds a problem ( DSO Exploit 5 entries) and i click fix and go back and scan again and its right back can anyone help on this?
We need to know what the DSO is for starters. Also, try the other help listed in the "sticky" at the top of AV/Security forum. One more option is to do all of this while in safe mode and check your msconfig to see what is starting up that should not be there.
I am stumped on this one. I ran all the programs as you said on my girlfriends comp. And found a few things with spybot, Its saying its (dso exploit 5 entries) So I clicked fix. And did the rest of the stuff, And rebooted and scanned again with spybot. And it was right back, So i went and found that I needed to update windows. And did so and scan again in safe mode with system restore off. And its back again, But with ony 2 entries. IF someone knows of A fix for this problem please let me know i want it off thank you.Quote:
Originally Posted by TripleRLtd
this is what i ment to post first sorry i didnt put everything in the first post i did all of that but it keeps comimg back i am running it again will let you know in a sec i am on my pc right now yeap its back and guess what it now has 4 entries not 2 ?
Tell us the name of this "exploit" Jackpot. Did you check the thread I pointed you to? Do you know about HiJack This as a tool?
http://forums.windrivers.com/showthread.php?t=57348
Logfile of HijackThis v1.97.7Quote:
Originally Posted by TripleRLtd
Scan saved at 2:31:58 PM, on 5/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Documents and Settings\Owner\My Documents\spybot\SpybotSD.exe
C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...mmapi_0727.dll
I see the Yahoo Companion and Toolbar. Do you use these? Again, I ask what does SpyBot find that won't remove properly? Otherwise, unless I am missing something, I don't see any real nasties.
this is what spybot showed meQuote:
Originally Posted by TripleRLtd
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Inter net Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Inter net Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Inter net Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Internet Settings\Zones\0\1004!=W=3
I also get the same 5 also, (DSO Exploit 5 entries) Spybot fixes them but they keep reappearing.
Spybot will ignore the finding of DSO exploit when you do the following:
Open Spybot and select advanced mode / settings / ignore products / security tab.
Place check mark in each box beside DSO Exploit.
Exit Spybot. Restart Spybot and run a scan.
Providing that there is no other spyware on your computer you will get a congratulatory message informing you that your computer is clean.
Instead of telling Spybot to ignore the DSO exploit, use the information Spybot gives you and get rid of it.
Disconnect your internet, reboot your computer (you don't have to go into safemode to do this just boot normally), run Spybot. Go into the registry by going to the start menu then run, type in the word regedit and hit the OK button. Now locate one by one all the registy entries that Spybot said it found the DSO exploit in. Rename the 1004 files to 1003 then exit regedit. Shut down your computer. Plug your computer back into the internet, and restart your computer. Run Spybot again and you will see it is no longer there. Congratulations it gone. pretty simple huh?
ITguy
The solution that I gave for DSO Exploit is quick and easy and does not involve any registry key changes, which a lot of people find intimidating and confusing, and will avoid at all costs. So here again is a easy-to-follow fix that will stop DSO Exploit showing up in Spybot:
1 Open Spybot and select 'advanced' mode
2 Select 'settings' in the left column
3 Select 'ignore products' in the left column
4 Select 'security' tab
5 Place check mark in the box(s) beside DSO Exploit
6 Exit Spybot
7 Restart Spybot and run a scan
Providing that there is no other spyware on your computer, you will get a congratulatory message telling you that all is well, and the nuisance will be eliminated.
Suddbury
new to this and not a techie. do not want to make registry changes, but the solution you propose simply means that Spy Bot will not alert you to DSO Exploit - it will still be there. I keep finding a web dialer in Spy Bot with DSO Exploit...am I right in thinking that this is dialing some horribly expensive line? Keep removing them, but every time i re-connect to Internet, they re-appear. Have used Adaware, Windows Updates, Norton Anti-Virus, Spyware Blaster, dsostop2...none of these have made any difference. have all IE settings set to maximum (no cookies etc.). however, keep finding that home page is titled 'about:blank' but show unnamed search page, followed by three pop-ups in quick succession that all tell me that I have spyware on my computer. I do not want to follow the links to these pages as I do not trust them. I am at the end of my tether. Can somebody provide a simple (ish) solution?Quote:
Originally Posted by Suddbury
Hi, terryq
You are quite correct in that Spybot is ignoring the finding of DSO Exploit on your computer but the fact that it is still there does not mean that it is a problem. Assurances have been given that, if Microsoft Updates are current and installed, that you are protected, and can safely ignore the exploit finding and wait for Spybot to release a 'fix'
I do not know how you can remedy your other problems since I am not a techie either but I am sure that others will be able to help you.
thanks for reply. having spent a lovely sunny weekend in front of computer, I understand your solution. I have also (very reluctantly) gone into the registry to solve the other problems...so far, so good.Quote:
Originally Posted by Suddbury
I must confess, it has been interesting looking at so many techie pages. it feels quite good to have done more with a computer than just use the internet and Word. I might almost consider myself an apprentice geek now!
Hi guys, i have the same problem with dso exploit and spybot. i read the messages posted but dont want to sound stupid cuz am not a techie, is it agreed that changing the registry only hides exploit from showing up? but it doesnt harm my p.c right? -If i can just hide it thats great but where do i download the microsoft updates to keep me in the clear? -oh and by the way, im having another problem with a "common hijacker" -has anyone dealt with this before? -if so could you possibly offer some advice as i am losing hair at a predigious rate. it says "common" but i figure it cant be that common as spybot wont remove it(exactly the same way as with dso exploit) and i cant find anything else to get rid of it with! its a real bastard as it has hijacked my home internet connection (wont let me connect at all let alone click on the icon)and media players etc.. please please help me!
I had the same problem with that search page opening up each time I would use IE. It was a browser hijacker (it essentially takes over your browser). I purchased SpySweeper from Webroot and it killed two birds with one stone- it prevents my homepage from being hijacked, and it detected and got rid of the web dialer. I highly recommend it. Spysweeper detects things that seem to evade most of the other spykilling software out there. The other spyware killing software that I recently purchased, that seems highly effective so far is Pest Patrol. I've evaluated approx. 20 titles and these seem to be the two best so far. That said, this type of software is still in it's infancy, compared to say virus software, and has a long way to go, so the best thing you can do for now is to at least 2 or 3 different spyware killing programs running on your computer, for a couple of more years, until they make enough inroads where a single program will catch just about everything. As far as this DSO Exploit, I'm in the same boat as you right now, I have not been able to permanently get rid of it, although I don't believe it's really all that harmful. I will probably try to edit the registry and if that does not work, I'll probably talk to the techies' at Spysweeper and or Pest Patrol and get there thoughts. Good Luck.Quote:
Originally Posted by terryq
Rick
Quote:
Originally Posted by Suddbury
Wow. I definitely do not agree with this whatsoever.
Granted, in this situation, the problem may not be serious, but ignoring anything that is not a required piece of a program (kazza for instance has things that must be ignored) is a big mistake.
This will not solve your problem at all, it will just leave it there, andnever tell you about it again.
Assuming a comp is secure solely from windows updates is nto wise at all. This is only protection from automatic infiltration of spyware/adware, and is not 100% protection.
You must also take into consideration the people who manually download spyware into their system without knowing.
Windows offers no protection for ignorance, if a user downloads something himself, your method may have him ignoring that malware through spybot.
After spybot is run, there should be a link to more info regarding the dso exploits. you can download the patch for that through that link.
I know because i had it too (in respnse to the first problem), and the fix was at http://www.greymagic.com/security/advisories/gm001-ie/
as this has not been fully tested on all common system setups, it has not been adopted by Microsoft as an official patch, so it may not work for everyone.
Hello all, I have been working on my laptop all weekend and can't get it to work right. On Friday morning my laptop had a couple of pop-up's come up and then my screen came up with a picture stating "WARNING YOU"RE IN DANGER!" along with a black and white picture of some sort of porn saying spyware etc could look at my PC and to click here to get ride of problem, a dialer also installed, Also when I open the Internet Explorer I get a warning page saying that my computer is being watched and it has my IP address listed on a blue page, when I try to go to the address line and change it so that I can go to another page it chages back really fast to (C:\WINNT\secure) if I don't get the address there and press Enter fast, When I do try to go to another page I get a page that I can not close that comes up with porn on it in addition to the IE page that I can use although my pc is moving very slow . I deleted the dialer to the recycle bin. I then Downloaded Ad-aware 6.0 which came up with a lot that needed to be removed. With no luck of fixing the problem I then read about and downloaded Spybot, I used the Search and Destroy and found two problems.1. ( MySearch - Global settings - HKEY_LOCAL_MACHINE\Software\MySearch ) and,also 2. ( DSO Exploit - Data source object expoit - HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Internet Settings\Zones\0\1004!=W=3 )
I did go into the registry to try and locate and also chage 1004 to 1003 but when in registry I can not find the problem exactly as it comes up in Spybot (problems).
Also, should I try to change or look for dialer that I only sent to recycle bin?
*OS Windows 2000 XP*
Anyone who can give me detailed instructions on how to fix this problem PLEASE HELP!!!!
I am not going to work on it untill I get some word back, I don't want to make the problem any larger.
[email protected]
2cool, re: the "common hijacker" problem, I'd suggest running Hijack This and/or CWShredder to find out what you're up against. Since you obviously have internet access on a different PC, use that one to download these apps (you should be able to find them easily with a search engine), save them to a disk, and then install and run them on your affected PC. Even if they don't get rid of the problem permanently, at least you'll know your enemy.Quote:
Originally Posted by 2cool4skool1983
FYI, I just spent most of the last two days trying to get rid of that heinous nkvd.us hijacker before finally succeeding a short time ago. That one was also identified by Spybot as a "common hijacker". I doubt if yours is the same one (nkvd certainly didn't affect my internet connection, it just messed with my browser), but Hijack this or CWShredder did identify the problem and at least temporarily revert my registries to the correct settings (I had to track down and delete a certain .dll file before it finally went away for good).
Please refer to my post (#11) above for a simple solution to removing the annoyance of seeing DSO Exploit each time you run a scan. This does not involve any registry changes. The experts at Spybot say that DSO exploit is not a threat, and that they are working on a permanent fix which should be available soon.
As for your Windows Updates, click on the "tools' tab of your browser and select "Windows Update", let Windows scan your system and select ALL the critical updates that it recommends. You would be wise to do this on a weekly basis.
Thanks, this worked great.
Quick question. How did you know to put 1003 where 1004 was? I see in Spybot about the 1004 registry location, but wasn't sure how I might know to change to 1003?
Anyway, thanks a lot. I've had this problem a second time. First time, didn't know how to rid myself of it, so we formatted drive, and reloaded software. Using your suggestion the 2nd time was easy.
-------------------------------------------------
Quote:
Originally Posted by ITguy
HIQuote:
Originally Posted by terryq
Not a techie. I have your problem of finding that home page is titled 'about :blank' showing unnamed search page, followed by three pop-ups in quick succession that all tell me that I have spyware on my computer. Wou;d you please tell me how you solved it?
Ravi
Sudbury, you have been banging on about this, and you agree you are Not a tech. Take it from a tech, your "fix" is damn dangerous.Quote:
Originally Posted by Suddbury
Welcome to Windrivers RaviQuote:
Originally Posted by rrvarma
Start here Go through the thread and do what you can, then post your hijackthis log in a NEW thread- it gets too confusing when people post lots of logs in the same thread. We can then help you with the stuff that hijack finds.
Fix those two items, uninstall Yahoo and then reboot. Reinstall Yahoo.Quote:
Originally Posted by jackpot316
Keep your shirt on and then explain why a simple glitch in Spybot which is responsible for 'detecting' DSO Exploit cannot be ignored. As a 'Tech' you have a responsibility to enlighten folk if you tell them that a fix is 'dangerous'Quote:
Originally Posted by NooNoo
Perhaps it is because your supposed "fix" is to tell the fixing program to ignore potential exploits. That is NOT a fix! And, it can be dangerous. Perhaps you can "talk" to the SpyBot people about this and get a real answer.
Granted, there can be "false positives" which seems to be the case for the originator of this thread, but to ignore ALL DSO Exploet threats is no answer to that.
TripleRLtdQuote:
Originally Posted by TripleRLtd
The experts at Spybot have said this: "The problem with the DSO Exploit is a little bug. We have already been able to locate and fix it, but unfortunately it was not included with the last update. It will hopefully be with the next one. The DSO Exploit is a security gap in IE. Microsoft did already repair this, so if you have all Windows updates and patches installed, it is not dangerous for your system. The solution is just waiting for the update"
I hope that helps.
Suddbury
What's the effect of changing those registry settings from 1004 to 1003? Does that remove the problem?
Spybot tells me, along with the registry listings:
"Company: Microsoft
Product: Internet Explorer
Threat: Security hole
"Description
There'a a security hole in IE allowing websites to execute code without asking you first."
That doesn't sound a mere hiccup in Spybot that the next update (of Spybot) will cure.
Let's back up a little here because there appears to be some misunderstanding. Microsoft did acknowlege that there was a security hole in IE and when they became aware of it they issued a patch to fix it. That's why it is vital that all your Microsoft Updates be current and be installed. If your Microsoft Updates are all up to date then the security hole has been fixed. However, because of a bug in the current version of Spybot, Spybot continues to find the security hole that Microsoft has already fixed. Spybot knows about the bug in its program, has got a fix for it, and is issuing the fix shortly with its next update. They (Spybot) suggest that you don't do anything except wait until the update is released.
I hope that helps.
What update Suddbury? They just came out with a new version. So, do you have a link to what they advise, or at least a copy of what they told you to settle our "nerves" about what you are saying?
I am using Spybot Version 1.3
Are you saying that there is a later version?
No, that is the latest version, and it just came out. So: answer the question.
Triple and others there is a really good explanation here
Suddbury - I was not aware, when I posted my comments that it was a bug. By the looks of it, neither were you. As Triple said, ignoring DSO exploits is a dangerous thing to do.
In your earliest two posts on the subject you did not mention having to patch with critical updates, in the third you mentioned it as an also ran. Few users can be bothered with the updates since they take forever to download. The likelihood of users taking your advice without having the ms patches is very high. Hence your advice as it stood is dangerous.
Welcome to Windrivers f@@lpr@@fQuote:
Originally Posted by f@@lpr@@f
This explains the problem
Hello guys. firstly I've never been here before and only just found it after searching for DSO exploit on google but felt that I should reply to this thread after reading it. oh, I have very little computer knowledge!
I've had my laptop for two weeks now and for the last few days the internet has been running slowly, often hanging, and randomly re-directing to porn sites. This is despite having all the most recent updates of windows (I'm running XP) and virus checks, Spybot etc.
Anyway, we've got rid of everything we've been alerted to apart from this 'DSO exploit' so it means that it's this causing all my problems. So ignoring it isn't an option I'm afraid - and that's why I'm posting. Maybe ignoring it will work for some people but at the moment it's currently making my brand new computer pretty useless so I wouldn't personally recommend it.
Bah humbug.
Liam
Triple,
It may help to calm some nerves by checking out the following statement by a member of the Spybot development team which I quoted in my post of June 16:
http://forums.net-integration.net/in...howtopic=17159
I must apologise for not stating that Microsoft Updates should be current and installed, I just assumed everyone did that as a matter of course, but apparently not. I was rather surprised when I asked around at work.
While I appreciate that Suddbury, most REAL techs keep up on the critical updates. But, when statements are made concerning "ignoring" DSO exploits without any "evidence" it needs to be addressed. And, as NooNoo and I stated, it is not good to ignore such threats.
That being said, now that NooNoo has provided the links and evidence that you failed to produce before, I am confident that all is well.
Lliam Welcome to Windrivers. The work around for the spybot problem is quite dangerous for a novice - ie you can end up having to reinstall. The "fix is described here - use at your own risk.Quote:
Originally Posted by Liamm83
If you say you have only had the lappie for two weeks, I would imagine you have not built up much in the way of critical data. Back up the files you want and do a system restore. This will eliminate 99.9% of all known germs :) Then go straight to windows updates and get those. I don't often recommend a system restore, however, due to your circumstances, it may well be the quickest, safest option for you at the moment.
Do you have antivirus? Do you have a firewall? Those two things should also be loaded and kept up to date.
Thanks I have done this and did a scan and its goneQuote:
Originally Posted by ITguy
Thanks again
Takeit