DSO Exploit glitch in Spybot?

[KillerQ]

Hey all,

This is my first post on here -- so I hope that this is in the correct
section. I have had my battles with virii and spyware in the past, as
well as homepage hijackings, etc..... And since I run AVG, Adaware,
and now spybot, regularly, there seems to be nothing that i cannot get
rid of for good. I have recently run cwshredder, and removed some
things as well....

Anyway, my question is -- even after everything seems clean, when i
run spybot i get the following results (the top part is self
explanitory to me, it's the DSO EXPLOIT reg-entry part at the bottom
that I do not totally understand). ALso, I hear that this may be
glitch that is known in the current version of Spybot -- I just wante
to make sure that it's nothing to worry about -- and I have updated al
thye critical patches for XP home, as well..... Here is the info:


-----------

DoubleClick: Tracking cookie (Internet Explorer: Matt) (Cookie,
nothing done)


Avenue A, Inc.: Tracking cookie (Internet Explorer: Matt) (Cookie,
nothing done)


DSO Exploit: Data source object exploit (Registry change, nothing
done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing
done)
HKEY_USERS\S-1-5-21-1307759246-3641812577-2111303108-1008\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing
done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing
done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing
done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-07-09 Includes\Cookies.sbi
2004-07-09 Includes\Dialer.sbi
2004-07-09 Includes\Hijackers.sbi
2004-07-09 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-07-09 Includes\Malware.sbi
2004-07-09 Includes\Revision.sbi
2004-07-02 Includes\Security.sbi
2004-07-09 Includes\Spybots.sbi
2004-07-09 Includes\Tracks.uti
2004-07-09 Includes\Trojans.sbi

-----------------------


Well, there it is.... Now since the DSO entries each say "Registry
change, nothing done" i don't know if this is something that windows
automatically changes all the time, and this is normal for this to
show in the scan results - or if it's a harmless preference that
change that makes those appear or what..... Or if it is, in fact, th
glitch. I looked on the spybot FAQ and they didn't really go iont
detail...If you could explain this
to me -- i would greatly appreciate it!!!


Thanks in advance,

Matt
([email protected])

P.S. Has anyone noticed that cwshredder is not able to update via the
program lately

 

[Carey Frisch [MVP]]

Basically what's happening is that Spybot is finding that the security setting
for "Download Unsigned ActiveX controls" for the (normally) hidden
"My Computer" zone in Internet Explorer is not set to disabled.

Visit http://forums.net-integration.net/index.php?showtopic=15308
for additional info.

Make sure you visit the Windows Update website and download any
recommended Critical Updates.

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

--------------------------------------------------------------------------------

|
| Hey all,
|
| This is my first post on here -- so I hope that this is in the correct
| section. I have had my battles with virii and spyware in the past, as
| well as homepage hijackings, etc..... And since I run AVG, Adaware,
| and now spybot, regularly, there seems to be nothing that i cannot get
| rid of for good. I have recently run cwshredder, and removed some
| things as well....
|
| Anyway, my question is -- even after everything seems clean, when i
| run spybot i get the following results (the top part is self
| explanitory to me, it's the DSO EXPLOIT reg-entry part at the bottom
| that I do not totally understand). ALso, I hear that this may be a
| glitch that is known in the current version of Spybot -- I just wanted
| to make sure that it's nothing to worry about -- and I have updated all
| thye critical patches for XP home, as well..... Here is the info:
|
|
| -----------
|
| DoubleClick: Tracking cookie (Internet Explorer: Matt) (Cookie,
| nothing done)
|
|
| Avenue A, Inc.: Tracking cookie (Internet Explorer: Matt) (Cookie,
| nothing done)
|
|
| DSO Exploit: Data source object exploit (Registry change, nothing
| done)
| HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet
| Settings\Zones\0\1004!=W=3
|
| DSO Exploit: Data source object exploit (Registry change, nothing
| done)
| HKEY_USERS\S-1-5-21-1307759246-3641812577-2111303108-1008\Software\Microsoft\Windows\CurrentVersion\Internet
| Settings\Zones\0\1004!=W=3
|
| DSO Exploit: Data source object exploit (Registry change, nothing
| done)
| HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet
| Settings\Zones\0\1004!=W=3
|
| DSO Exploit: Data source object exploit (Registry change, nothing
| done)
| HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
| Settings\Zones\0\1004!=W=3
|
| DSO Exploit: Data source object exploit (Registry change, nothing
| done)
| HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet
| Settings\Zones\0\1004!=W=3
|
|
| --- Spybot - Search && Destroy version: 1.3 ---
| 2004-07-09 Includes\Cookies.sbi
| 2004-07-09 Includes\Dialer.sbi
| 2004-07-09 Includes\Hijackers.sbi
| 2004-07-09 Includes\Keyloggers.sbi
| 2004-05-12 Includes\LSP.sbi
| 2004-07-09 Includes\Malware.sbi
| 2004-07-09 Includes\Revision.sbi
| 2004-07-02 Includes\Security.sbi
| 2004-07-09 Includes\Spybots.sbi
| 2004-07-09 Includes\Tracks.uti
| 2004-07-09 Includes\Trojans.sbi
|
| -----------------------
|
|
| Well, there it is.... Now since the DSO entries each say "Registry
| change, nothing done" i don't know if this is something that windows
| automatically changes all the time, and this is normal for this to
| show in the scan results - or if it's a harmless preference that I
| change that makes those appear or what..... Or if it is, in fact, the
| glitch. I looked on the spybot FAQ and they didn't really go ionto
| detail...If you could explain this
| to me -- i would greatly appreciate it!!!
|
|
| Thanks in advance,
|
| Matt
| ([email protected])
|
| P.S. Has anyone noticed that cwshredder is not able to update via the
| program lately?
|
|
| --
| KillerQ

 

[JAX]

DSO Exploit is a known issue in S&D and they are working on a fix for it.
You will see 5 instances of DSO every time you scan. There is nothing to
worry about, just ignore it. You can find the same information by doing a
Google search for DSO Exploit.

JAX

 

[Ricky]

You can highlight the entry in Spybot..right click and have Spybot
ignore it on future searches.

DSO Exploit is a known issue in S&D and they are working on a fix
for it.
You will see 5 instances of DSO every time you scan. There is
nothing to
worry about, just ignore it. You can find the same information by
doing a
Google search for DSO Exploit.

JAX

 

[Bruce Chambers]

Greetings --

The DSO exploit was patched long ago by IE Cumulative Update
MS02-015, in March of 2002. If you've installed this specific patch,
or any subsequent IE Cumulative Updates, or Service Pack 1, you're
safe. It would appear that the latest version of Spybot S&D is only
checking for Internet zone settings in the registry that could be used
as work-around protection, and not for the presence of any corrective
patches. Hopefully, the makers of Spybot will soon fix this bug.

MS02-015 March 28, 2002 Cumulative Patch for Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;EN-US;319182

If you like, you can test your system for this particular
vulnerability at this web site:
http://www.greymagic.com/security/advisories/gm001-ie/

The makers of SpyBot S&D have acknowledged the problem and will
fix it on their next update:
http://www.safer-networking.org/index.php?page=paragraphs&detail=currentfaqs

In the meantime, in SpyBot S&D, click Mode > Advanced > Settings >
Ignore Products > Security > DSO Exploit, to turn off the false alarm.


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH

 

[Guest]

There are several web sites that offer free instructions on removing dso
exploit, and I did so, thinking it was spyware. Now 2 web sites I like to use
don't work, as they require the dso exploit file to install spyware in
exchange for the "free" service they provide. Now I don't know how to restore
the thing. Help!

 

[Guest]

My reply of 9/4/04 was, it seems, incorrect. Removing dso exploit (HKEY_USER
file 1004) may not have been the problem. Those web sites are working for me
again, and all I did was lower my security setting to allow (most or all)
cookies. I only do this when I want to enter one of those 2 problem web sites.
Obviously, I am just a beginner, but I really thought I had messed up my PC.
This all may not seem that complex to you guys, but I feel a headache coming
on.

 

[Guest]

My Internet Explorer is set as suggested and I still get DSO. I do not get a
hit with AD-aware 6.0 when I run it. I have completely reloaded my PC and
still get hits with Spybot. Spybot says it "fixed" it but not.

 

[Mike Hall]

Open Spybot.. run in advanced mode.. click on SETTINGS.. click on IGNORE
PROGRAMS.. check the DSO EXPLOITS box.. exit Spybot..