"DSO Exploit"

Daniel

Hello once again,

I run spybot and it constantly finds something called "DSO Exploit". I
understand it's a "hole" in IE which allows all sorts of crap into your pc,
like ads etc ... Ok, so spybot "cleans" this exploit but then I find, upon
startup, that pop-ups occur again and again of various porn sites. I then
scan again and spybot finds that same "DSO Exploit" issue. I have got rid of
/ prevented viruses and stopped hackers (with your help) but those damn
popups are really making me sick. Is there a way to "prevent" these? Please
help!

Daniel

PS: I miss my Win98 sooooo much! :((((((
 
Tumbleweed

Daniel said:
Hello once again,

I run spybot and it constantly finds something called "DSO Exploit". I
understand it's a "hole" in IE which allows all sorts of crap into your pc,
like ads etc ... Ok, so spybot "cleans" this exploit but then I find, upon
startup, that pop-ups occur again and again of various porn sites. I then
scan again and spybot finds that same "DSO Exploit" issue. I have got rid of
/ prevented viruses and stopped hackers (with your help) but those damn
popups are really making me sick. Is there a way to "prevent" these ? Please
help!

Daniel

PS: I miss my Win98 sooooo much! :((((((

Use Mozilla Firefox. Even when this exploit is patched there will be another
and another; IE has been nothing but a hacker's paradise for the last 3 or 4
years.
 
Carey Frisch [MVP]

Basically what's happening is that Spybot is finding that the security setting
for "Download Unsigned ActiveX controls" for the (normally) hidden
"My Computer" zone in Internet Explorer is not set to disabled.

Visit http://forums.net-integration.net/index.php?showtopic=15308
for additional info.

Make sure you visit the Windows Update website and download any
recommended Critical Updates.

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

------------------------------------------------------------------------------------


| Hello once again,
|
| I run spybot and it constantly finds something called "DSO Exploit". I
| understand it's a "hole" in IE which allows all sorts of crap into your pc,
| like ads etc ... Ok, so spybot "cleans" this exploit but then I find, upon
| startup, that pop-ups occur again and again of various porn sites. I then
| scan again and spybot finds that same "DSO Exploit" issue. I have got rid of
| / prevented viruses and stopped hackers (with your help) but those damn
| popups are really making me sick. Is there a way to "prevent" these ? Please
| help!
|
| Daniel
|
| PS: I miss my Win98 sooooo much! :((((((
 
Tumbleweed

I am. Though most exploits go after IE because it simply wouldn't be
worthwhile attacking Firefox... yet.
 
Larry Samuels

Exactly--as soon as Firefox gains in popularity it will become a target.

--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Expert Zone -
Unofficial FAQ for Windows Server 2003 at
http://pelos.us/SERVER.htm
 
Daniel

Thanks guys for the most prompt response!

I'm currently running and constantly updating several software like
PC-cillin, Ad-aware, CWshredder, spybot, BHO demon, Hijackthis and have a
hardware firewall. All but one problem (with the startup popups) have been
eliminated thanks to these. I'm seeing no "messenger" when these porn popups
happen so I'm not sure if it's the messenger service or not. I did a scan
(with Hijackthis) and here's what I get:

Logfile of HijackThis v1.97.7
Scan saved at 2:46:41 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\PDSched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuamagr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Documents and Settings\DANIEL\Desktop\Xp protect software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKLM\..\Run: [A73EF5DB] C:\WINDOWS\System32\dqbkelxximtcv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin
2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin
2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin
2002\Pop3trap.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP
Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamagr32.exe
O4 - HKLM\..\RunServices: [1365D161] C:\WINDOWS\System32\dqbkelxximtcv.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
O4 - Startup: BHODemon.lnk = C:\Program Files\BHODemon\BHODemon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program
Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download
Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) -
http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38165.5726157407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Hilary Karp

Daniel, don't post the hijack log here. Post it to one of the security
forums:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/
 
MowGreen [MVP]

Is Firefox more secure than Internet Explorer?
http://texturizer.net/firefox/faq.html#mozvsie

Decide for yourself. Remember that this is on a Firefox site,
though. If you install the Sun Java package then you are once more
exposed to the JavaByteVerifier exploit no matter what Sun claims.

"No spyware/adware software can automatically install in Firefox
just by visiting a web site." ... take this with a grain of salt.
User decision is the rule here, not an absolute. If the User allows
"things" to install, they will.
All in all, I'll take my chances with Firefox. YMMV ...


MowGreen [MVP]

*-343-* FDNY
Never Forgotten
 
Bruce Chambers

Greetings --

The DSO exploit was patched long ago by IE Cumulative Update
MS02-015, in March of 2002. If you've installed this specific patch,
or any subsequent IE Cumulative Updates, or Service Pack 1, you're
safe. It would appear that the latest version of Spybot S&D is only
checking for Internet zone settings in the registry that could be used
as work-around protection, and not for the presence of any corrective
patches. Hopefully, the makers of Spybot will soon fix this bug.

MS02-015 March 28, 2002 Cumulative Patch for Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;EN-US;319182

If you like, you can test your system for this particular
vulnerability at this web site:
http://www.greymagic.com/security/advisories/gm001-ie/

The makers of SpyBot S&D have acknowledged the problem and will
fix it on their next update:
http://www.safer-networking.org/index.php?page=paragraphs&detail=currentfaqs


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH
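
Added example, not part of any post in this thread: a sketch of the settings-only check that Carey Frisch and Bruce Chambers describe, run over a constructed `.reg` export. The value name 1004 for "Download unsigned ActiveX controls", zone key 0 for "My Computer" and the data value 3 for disabled are Internet Explorer's registry conventions rather than details given in the thread; the function names are hypothetical.

```python
import re

# URL action 0x1004 is "Download unsigned ActiveX controls"; zone 0 is the
# normally hidden "My Computer" zone. Policy data: 0 allow, 1 prompt, 3 disable.
ZONE0_SUFFIX = r"\software\microsoft\windows\currentversion\internet settings\zones\0"
ACTION = "1004"
POLICY = {0: "enabled", 1: "prompt", 3: "disabled"}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def zone0_unsigned_activex(reg_text):
    """Map each zone 0 key in a .reg export to its 1004 policy, or 'not set'."""
    found, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            current = path if path.lower().endswith(ZONE0_SUFFIX) else None
            if current:
                found[current] = "not set"
            continue
        value = DWORD_RE.match(line)
        if current and value and value.group(1) == ACTION:
            raw = int(value.group(2), 16)
            found[current] = POLICY.get(raw, "unknown (0x%x)" % raw)
    return found

def findings(reg_text):
    """Keys a settings-only scanner would flag: anything not 'disabled'."""
    return sorted(k for k, v in zone0_unsigned_activex(reg_text).items()
                  if v != "disabled")

# Constructed sample in .reg export format (not taken from the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000000
"1004"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000000
'''

if __name__ == "__main__":
    for key, state in zone0_unsigned_activex(SAMPLE).items():
        print(state, key)
```

A finding here describes the zone setting only; it does not show whether MS02-015 or a later cumulative update is installed, which is the distinction Bruce Chambers draws above.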
 
Plato

Tumbleweed said:
Use Mozilla Firefox. Even when this exploit is patched there will be another
and another; IE has been nothing but a hacker's paradise for the last 3 or 4
years.

Not only that, but those ten dollar dialups like peoplepc and juno can
totally phark up IE so it's practically unusable. Heck, let them. I've
been using Firefox more and more lately also. One of these days I'll
have to spend the time to find where to set the download thinggy to
something other than the desktop tho :)
 
Phil

Plato said:
Not only that, but those ten dollar dialups like peoplepc and juno can
totally phark up IE so it's practically unusable. Heck, let them. I've
been using Firefox more and more lately also. One of these days I'll
have to spend the time to find where to set the download thinggy to
something other than the desktop tho :)

Ditto. I use FireFox exclusively now.
BTW - in firefox: tools, options, downloads.
 
