Old 12-02-2004, 11:04 AM   #1
Klutz_atlantis
Member (9 bit)
 
Join Date: Apr 2002
Location: Michigan-DA Thumb
Posts: 288
Question DSO Problems

Hello:

I've scanned a few times with Spybot S&D and came up with 5 DSO entries. I've tried getting rid of them in Safe Mode and in regular mode, but have had no luck thus far.

S&D Report:

-- Search result list ---
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1844237615-1004336348-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3






--- Process list ---
Spybot - Search && Destroy process list report, 12/2/2004 10:51:39 AM

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 212 (1988) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PID: 216 (1988) C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
PID: 224 (1988) C:\WINDOWS\system32\sstray.exe
PID: 232 (1988) C:\Program Files\FaxTalk NetOnHold\FTNOHMgr.EXE
PID: 256 (1988) C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
PID: 264 (1988) C:\Program Files\MSN Messenger\MsnMsgr.Exe
PID: 424 ( 920) wdfmgr.exe
PID: 580 ( 920) C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
PID: 592 ( 920) C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
PID: 780 ( 4) \SystemRoot\System32\smss.exe
PID: 852 ( 780) csrss.exe
PID: 876 ( 780) \??\C:\WINDOWS\system32\winlogon.exe
PID: 920 ( 876) C:\WINDOWS\system32\services.exe
PID: 932 ( 876) C:\WINDOWS\system32\lsass.exe
PID: 1088 ( 920) C:\WINDOWS\System32\Ati2evxx.exe
PID: 1100 ( 920) C:\WINDOWS\system32\svchost.exe
PID: 1172 ( 920) svchost.exe
PID: 1312 ( 920) C:\WINDOWS\System32\svchost.exe
PID: 1364 ( 920) svchost.exe
PID: 1404 ( 920) svchost.exe
PID: 1832 ( 920) alg.exe
PID: 1840 ( 920) C:\WINDOWS\system32\spoolsv.exe
PID: 1864 ( 876) C:\WINDOWS\system32\Ati2evxx.exe
PID: 1988 (1896) C:\WINDOWS\Explorer.EXE
PID: 2484 ( 920) C:\WINDOWS\System32\svchost.exe
PID: 3564 (1988) C:\Program Files\Internet Explorer\iexplore.exe
PID: 3820 (1988) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe





I read the information given by Spybot on this DSO security hole, and I have two questions remaining: 1) How do I delete/get rid of what's in my registry? 2) How do I plug the security hole?

Note: Spybot makes a backup of my registry, so can I switch out the backup for the registry that I have now?



thanks,

klutz
__________________
Pray for the troops, my brother: SPC. Nathan Hillaker HHS 1-182 FA SECFOR Acting Armorer "Rocket Cops"


Desktop:
NZXT Lexa|A8n5x|Opteron 165 Denmark x2 1.8ghz|2048 Patriot PC3200|Sapphire x800GTO2|70gig SeaGate 'Cuda|FSP AX500-A 500w PSU|NEC 3200 A DVD-Burner|IBM (black) 19" UXGA CRT flat screen|Logitec Headphones|Logitec MX Duo (700)

(still to come) New Vid Card| Monitor|Keyboard|Mouse
Laptop:
Dell Insperon (Notebook) 5150| 3.06 P4| 512mb pc2700|GeForceFX Go 5200|15.4" @ 1400x1040|USB 2.0| 30 GB HD|
Klutz_atlantis is offline   Reply With Quote
Old 12-02-2004, 11:05 AM   #2
mrmister1
Member (1 million bit!)
 
Join Date: Feb 2003
Location: NY
Posts: 1,163
Have you tried deleting them from Spybot?
__________________
Black X-Dreamer Case | Intel Pentium 4 2.66 GHz | Intel D845PESVL | 512 MB PC2700 DDR-SDRAM | WD 120 GB Special Edition | Pioneer 16x DVD-ROM | Mitsumi 3.5-inch 1.44 MB | ATi Radeon 9800 Pro | Creative Labs Sound Blaster Live! 5.1

mrmister1
mrmister1 is offline   Reply With Quote
Old 12-02-2004, 11:06 AM   #3
Klutz_atlantis
Member (9 bit)
 
Join Date: Apr 2002
Location: Michigan-DA Thumb
Posts: 288
Do you mean purge them?


klutz
Klutz_atlantis is offline   Reply With Quote
Old 12-02-2004, 11:07 AM   #4
mrmister1
Member (1 million bit!)
 
Join Date: Feb 2003
Location: NY
Posts: 1,163
I believe that's what it's called.
mrmister1 is offline   Reply With Quote
Old 12-02-2004, 11:08 AM   #5
Klutz_atlantis
Member (9 bit)
 
Join Date: Apr 2002
Location: Michigan-DA Thumb
Posts: 288
Yeah, I've tried that, but it didn't work.

klutz
Klutz_atlantis is offline   Reply With Quote
Old 12-02-2004, 11:11 AM   #6
mrmister1
Member (1 million bit!)
 
Join Date: Feb 2003
Location: NY
Posts: 1,163
Did it give you an error?
mrmister1 is offline   Reply With Quote
Old 12-02-2004, 11:13 AM   #7
Klutz_atlantis
Member (9 bit)
 
Join Date: Apr 2002
Location: Michigan-DA Thumb
Posts: 288
No, I went to recovery, then hit the button "Purge Selected Items."

thanks for the help

klutz
Klutz_atlantis is offline   Reply With Quote
Old 12-02-2004, 11:15 AM   #8
mrmister1
Member (1 million bit!)
 
Join Date: Feb 2003
Location: NY
Posts: 1,163
So, what did happen when you pressed the button? Did it show them as deleted, but not actually delete them?
mrmister1 is offline   Reply With Quote
Old 12-02-2004, 11:19 AM   #9
Klutz_atlantis
Member (9 bit)
 
Join Date: Apr 2002
Location: Michigan-DA Thumb
Posts: 288
Ok, let me update you mrmister1. While we've been chatting I went through the registry and deleted the 5 files manually, and it worked. For some reason when I hit "Fix selected problems" it wouldn't do it, so I just dbl clicked the registry icon next to each DSO and deleted it that way and then rescanned, and now it says it's ok.

However, I'm still left with one final question: How do I block the hole that the DSOs came through? What patch do I need to download from M$?

thanks again for your help,

klutz
Klutz_atlantis is offline   Reply With Quote
Old 12-02-2004, 11:22 AM   #10
mrmister1
Member (1 million bit!)
 
Join Date: Feb 2003
Location: NY
Posts: 1,163
It may not be a hole. It could have been in a file that you downloaded or a website that you visited. Just make sure from now on that you don't go to any suspicious websites or open any unknown files. Also, run AdAware and Spybot regularly.

Also, use Windows update to check for any new updates.
mrmister1 is offline   Reply With Quote
Old 12-02-2004, 11:25 AM   #11
04nmr85
Member (8 bit)
 
Join Date: Sep 2004
Location: Pennsylvania
Posts: 237
I've gotten those DSO exploit entries every time I've run Spybot. They keep coming back. It doesn't seem like they really do anything tho so I haven't been too worried about it. I've noticed them on the computers here at school too (ITT Tech in Mechanicsburg, PA). Does anyone know what it is?
__________________
Albatron PX865PE|Intel P4 2.66 ghz|Kingston Value Select 1024mb PC2700|ATI Radeon 9600 XT 128 MB|Onboard Sound|Windows XP Pro|120 GB Seagate SATA 7200 RPM HD|Artec 52 x 24 x 52|Artec 16 x 48| Just-4-PC Game Server Case|Coolermaster Jet4
04nmr85 is offline   Reply With Quote
Old 12-02-2004, 11:27 AM   #12
Klutz_atlantis
Member (9 bit)
 
Join Date: Apr 2002
Location: Michigan-DA Thumb
Posts: 288
I don't know what it is, but when I hit the regedit button alongside the entries (Spybot S&D) it went right to the entry and I deleted it manually that way, but for all the computers on such a big network...good luck.

klutz
Klutz_atlantis is offline   Reply With Quote
Old 12-04-2004, 02:42 AM   #13
thefultonhow
Moderator
Staff
Premiere Member
 
Join Date: May 2004
Location: Baltimore, MD
Posts: 2,887
Quote:
Originally Posted by 04nmr85
I've gotten those DSO exploit entries every time I've run Spybot. They keep coming back. It doesn't seem like they really do anything tho so I haven't been too worried about it. I've noticed them on the computers here at school too (ITT Tech in Mechanicsburg, PA). Does anyone know what it is?
The DSO thing is just a bug in Spybot. It's safe to ignore those entries.
__________________
Computer: Dell Latitude E6400 Laptop | Core 2 Duo T9400 (2.53 GHz) | 4 GB RAM | nVidia Quadro NVS 160M | 14" WXGA+ LED-backlit LCD | 250 GB 7200 RPM + 500 GB 7200RPM internal HDDs | DVD Burner | 802.11b/g wireless | Webcam, backlit keyboard | 9-cell battery | E-Port Plus port replicator | Dual Dell UltraSharp 2408WFP 24" widescreens | Windows 7 RC 32-bit

Other: 1992 Infiniti G20 5-speed with SR20VE swap | Palm Pre Smartphone | Sony Alpha A700 Digital SLR with Carl Zeiss 16-80mm f/3.5-4.5 lens, Sigma 18-50mm f/2.8 EX DC lens, Minolta 70-210mm f/3.5-4.5 lens, Sigma EF-500 DG Super flash
thefultonhow is offline   Reply With Quote
Old 12-04-2004, 10:16 AM   #14
glc
Forum Administrator
Staff
Premiere Member
 
Join Date: May 2000
Location: Joplin MO
Posts: 26,021
Why does DSO Exploit return?

DSO-Exploit is a security gap in Internet Explorer, Outlook and Outlook Express. Microsoft did already close this gap with security updates, so with current Windows updates and patches installed, it will no longer be a threat to your system.
Spybot-S&D will still detect the DSO-Exploit, but instead of fixing it for good, it will unfortunately again set an invalid value. Therefore it will again be found with every scan.
This little bug in Spybot-S&D has already been repaired and the respective fix will soon be available as a program update.
glc is offline   Reply With Quote
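
An added example, not part of the thread or of Spybot: a small parser for the five registry lines in the report from the first post, showing that they are one Internet Explorer zone setting repeated across user hives. It assumes `!=W=3` means "value is not the DWORD 3", that action 1004 in zone 0 is the "download unsigned ActiveX controls" policy for the local machine zone, and the usual well-known SID names; the function and field names are made up for this sketch.

```python
import re

# Registry findings copied from the Spybot S&D report in the first post.
REPORT = r"""
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
HKEY_USERS\S-1-5-21-1844237615-1004336348-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
"""

# Well-known SIDs. HKEY_USERS\.DEFAULT is the LocalSystem hive (same as S-1-5-18).
WELL_KNOWN = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
    ".DEFAULT": "LocalSystem",
}

LINE = re.compile(
    r"^HKEY_USERS\\(?P<hive>[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Internet Settings\\Zones\\(?P<zone>\d)\\(?P<action>[0-9A-Fa-f]{4})"
    r"!=(?P<type>\w)=(?P<want>\d+)$"
)

def parse_report(text):
    """Return one dict per registry finding; non-matching lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        hive = m["hive"]
        # Ordinary accounts (S-1-5-21-...) are labelled by their trailing RID.
        account = WELL_KNOWN.get(hive, "user RID " + hive.rsplit("-", 1)[-1])
        findings.append({"account": account, "zone": int(m["zone"]),
                         "action": m["action"], "expected_dword": int(m["want"])})
    return findings

def summarize(findings):
    """Collapse findings to the distinct settings and the distinct accounts."""
    settings = {(f["zone"], f["action"], f["expected_dword"]) for f in findings}
    accounts = sorted({f["account"] for f in findings})
    return settings, accounts

if __name__ == "__main__":
    settings, accounts = summarize(parse_report(REPORT))
    print("distinct settings:", settings)
    print("accounts affected:", accounts)
```
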