I just downloaded Spybot and ran 2 scans, both times it found something called DSO Exploit, are these ok to delete?
Ullysis Professional Gaming
www.ullysis.com

It also keeps finding something called 'possible extension hijack'... what is this and can I delete it too?
Ullysis Professional Gaming
www.ullysis.com

I also had the DSO Exploit found by the latest Spybot, I let it remove it. I then found I had a corrupted soundcard driver. Reversed the Spybot procedure, soundcard driver returned back to normal.
I'll stay with AdAware.
Iligitimi non carborundum est

Usually, exploits are Microsoft's fault. You are probably behind on your critical updates from WindowsUpdate. Time to get one - I think...
___________________________________________
☺ [Belgium, GMT+1]_________________________svg

"You are probably behind on your critical updates from WindowsUpdate."
That is incorrect... the DSO exploits are not covered by any Windows Updates. I went ahead and let Spybot correct the four that it found on my system, with no adverse effects.

Yeah, I've got all the Windows updates that are available.
I've deleted them and the computer seems to be working fine, but it finds them every time I run Spybot; even if I've deleted some before, it just finds more?
Ullysis Professional Gaming
www.ullysis.com

I've run SpyBot in 'Safe' mode to remove the DSO exploit, but yes.. it keeps returning. Then I find out that it is actually a Microsoft security hole. I did a Yahoo! search and found a "patch" called DSOstop2.exe (free). This found and stopped the DSO, supposedly and reported the hole as patched.. twenty minutes later it was back again. (sigh)
I'm ready to back-up my files and baseline my computer at this point. Both my laptop and main PC have been hit in the same week. I tried "Bazooka" from Download.com, but that didn't even find it, let alone fix it. If anybody knows a fix for this DOS-exploit.., e-mail me.
Henry V.
Editor;
www.InTruth.net
www.LifeGoesOn.net

Could this DSO exploit be causing my computer to disconnect constantly? I just got a new Dell computer and can't stay connected to the internet. I have all the Windows Updates, have checked for viruses, even ran the Sasser Worm Removal Tool but it said that I didn't have the worm. I've checked all my settings and the whole bit but can NOT find the reason for this problem to keep occurring. I'm surprised I stayed connected long enough to write and send this message. VERY FRUSTRATING!!

▫ Ad-aware (Lavasoft)
▫ [blocker] SpywareBlaster (Javacoolsoftware)
▫ [on-line] TrojanScan (GFi)
▫ TDS-3 (DiamondCS)
▫ Pest Patrol
▫ CWShredder (Merijn.org)
Keep in mind that some of them may need to be updated over the web first when started, and before zapping the baddies!
Try SpywareBlaster. If you don't have a firewall running, then here's a free one (XP also has built-in firewall, but the exploit may be about that - I don't know):
▫ [firewall] Zone Alarm (Zone Labs)
___________________________________________
☺ [Belgium, GMT+1]_________________________svg

▫ DSO exploit explanation (GreyMagic)
The exploit is a Microsoft bug that allows outsiders to run whatever program they want on your computer. But the info on that page is from February 2002, so I can't believe this would actually still pose any threat, but then again...
This was taken from that page:
Since the injected <object> runs in the "My Computer" Zone changing the Internet Zone's settings didn't affect it, but changing the correct zone's settings will prevent this exploit from running.
Here is the registry information:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Change the value of "1004" (DWORD) to 3.
Spybot may not have permissions to make that change to the registry, so its attempts to alter it may just be failing. Type regedit into the run-box, browse to the registry-key above in the left pane, and check/change the value in the right pane.
Be very careful when changing anything in the registry - there is no undo function, and changing the wrong key can have serious consequences, so make sure you select the right key in the left pane (the 0 key/folder), and then double-click the "1004" in the right pane to change it to 3.
I find it hard to believe that this exploit would already be "in use", so the cause of those disconnects is probably something else.
This program will let you log all of the net-activity in real-time.
▫ TDIMon [WinNT] (SysInternals)
Just start it, let it run while you surf on the web, and when you get disconnected, check the last entries on the log for "disconnect event" (in the 'other' column). The information on that line could tell you more about which program / IP / port caused the event.
___________________________________________
☺ [Belgium, GMT+1]_________________________svg

A note on svg's explanation (which seems to be very accurate):
There were many "1004" values in my computer: in CURRENT_USER, USERS/.DEFAULT, and LOCAL_MACHINE and for many zones ranging from 0 to 5. Only that in most cases, "1004" value for Zones/0 was not a REG_DWORD but a REG_SZ (string), empty or having a "3" alphanumeric value. This might also be why Spybot couldn't change them.
I deleted those, inserted new "1004" REG_DWORD values and gave them 3 (0x00000003) values, and Spybot didn't warn me of any exploits.
I don't know the extent to which this solution of mine is safe or if it could alter internet/intranet zones behavior. Use it at your own risk. ;)
PS: for a thorough search of these keys, I suggest you use the Edit>Search command of your RegEdit, looking for Values having "1004" (no quotes) as complete strings.
Lex Lythius
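
The check described in the post above, as an added example that is not part of the original thread: a read-only PowerShell listing of every "1004" value with its registry type, so a REG_SZ entry stands out from a REG_DWORD one. The hive list and the 0 to 5 zone range come from the posts; the function name `Get-Zone1004Report` is hypothetical, and the script assumes a Windows system with PowerShell available.

```powershell
# Added example: read-only audit of the "1004" zone value discussed in this thread.
# Nothing is written to the registry. Hives and zone range are taken from the posts.
$hives = @(
    'HKEY_CURRENT_USER',
    'HKEY_USERS\.DEFAULT',
    'HKEY_LOCAL_MACHINE'
)
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-Zone1004Report {   # hypothetical helper name
    foreach ($hive in $hives) {
        foreach ($zone in 0..5) {
            $path = "Registry::$hive\$subKey\$zone"
            if (-not (Test-Path -LiteralPath $path)) { continue }

            $key = Get-Item -LiteralPath $path
            if ($key.GetValueNames() -notcontains '1004') {
                $kind = 'missing'
                $data = $null
            } else {
                $kind = $key.GetValueKind('1004')   # String = REG_SZ, DWord = REG_DWORD
                $data = $key.GetValue('1004')
            }

            [pscustomobject]@{
                Hive = $hive
                Zone = $zone
                Kind = $kind
                Data = $data
                # The thread's fix applies to Zones\0 only: a REG_DWORD equal to 3.
                # Other zones are listed for reference and left unjudged.
                Zone0AsAdvised = $(if ($zone -eq 0) {
                    ($kind -eq 'DWord') -and ($data -eq 3)
                } else { $null })
            }
        }
    }
}

Get-Zone1004Report | Format-Table -AutoSize
```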

lexlythius,
That's a great HeadsUp! I only find one 1004 under the "0" key, and it's a DWORD value, so I'd never have guessed that could be a problem.
___________________________________________
☺ [Belgium, GMT+1]_________________________svg

Hmmm... I even deleted it from my recovery section in Spybot, but the computer is still working fine and so is the internet. Now Spybot finds it all the time; I just disregard it.
Anyway, I heard that Microsoft are gonna release SP2 soon, and that it makes IE much safer and is very good. So maybe that will fix the problem too. :)
Ullysis Professional Gaming
www.ullysis.com

I got the same problem with the DSO exploit. SP2 RC1 does not solve the problem. What I did:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
Change the value of "1004" (DWORD) to 3. I deleted the key "1004" since it's not a DWORD on my system (it's REG_SZ) and created a DWORD key 1004 with a value of 3. Restarted, ran all my applications, fine. Ran Spybot, which was able to get 4 DSO exploits out of 5 previously. I eliminated them one at a time by doing the above procedure. Just follow the path Spybot gives to change your registry. Change one key at a time, reboot and run Spybot. REMEMBER: FIDDLING WITH YOUR REGISTRY IS NOT FOR THE FAINT HEARTED; IT CAN DESTROY YOUR SYSTEM. BACK UP YOUR REGISTRY BEFORE DOING ANYTHING. DO IT AT YOUR OWN RISK. I'M NOT RESPONSIBLE FOR ANYTHING BAD THAT GOES WRONG FROM DOING THE ABOVE PROCEDURE.
Try this link for a start: http://www.greymagic.com/security/advisories/gm001-ie/

Hello.
I'm aware that this post has not been touched since May 19th but I have some questions about this DSO exploit. What does it actually do? If I don't fiddle with the registry (which I really, really don't want to do) and leave the DSO exploit alone, will my computer be in any harm?

Hi Jenna_B,
In my response #10, there's a "greymagic" link. If you want a full explanation of what the exploit can do, just click on that link.
In short:
An exploit means your computer has a security bug which can be exploited.
This DSO-exploit:
By putting a certain ActiveX element (like a 'search' button to click on, or a textbox) on a webpage, the "baddies" can execute any program they choose on the computer of whomever is visiting that webpage.
So, you have to visit a particular page, and use a particular ActiveX element before this exploit is available.
Personally, I wouldn't rate this as a high threat but I can understand people who don't feel safe about having this.
Your sentiments about the registry are very healthy :) but once you know what a change to a registry-key is all about, then it's safe to make the change. You can even export(=save to file) the key before making the change, so that you can re-import the saved key-value later if something went wrong. However, making random changes in the registry is very bad ! So always make sure you've selected the right key before making a change to its value.
___________________________________________
☺ [Belgium, GMT+1]_________________________svg

Thanks, svg!
That made sense (hurray). If I have spare time in the near future I'll possibly attempt to get rid of it, but for right now it's gonna have to chill. Thanks, once again.

No problemo, _B !:)
cYa l8r !!
___________________________________________
☺ [Belgium, GMT+1]_________________________svg

Please help! I've tried changing the registry as suggested (giving 1004 a value of 3), but Spybot keeps finding the virus. Has it morphed?
Mike

Hi Mike,
It's not a virus, it's just a bug in Windows that could be exploited (I explained above how)
Try kaqza's response #14. The Registry-key on your system may be a different type of value (A string instead of a DWORD value)
Apparently, Spybot may be looking for DWORD values only - it's possible that string-values are enough to close the exploit, but Spybot wrongly says it's still open.
You can create a new Registry-Key-Value by rightclicking the right pane in Regedit, and on the rightclick-menu, select:
NEW>DWORD Value
Name: 1004
Rightclick the new 1004 to change its value to 3.
You will have to remove the original 1004 entry first though. So make sure you are in the correct place in the left pane.
___________________________________________
☺ [Belgium, GMT+1]_________________________svg

Thanks, SVG, for your help.
Some background: I first noticed something was wrong today when Spysweeper began alerting me that my homepage on IE6 was being changed to a search page called "about:blank", and I was given a choice whether to allow it to go ahead. Although I said no, every so often the homepage would be changed.
After reading of others' similar predicament, I followed their advice and installed and ran Spybot 1.3, which found five instances of DSO Exploit. I went ahead and changed all the registry settings under HKEY_CURRENT_USER and HKEY_USER, where the 1004 in Zone 0 was REG_SZ (I deleted this entry and replaced it with REG_DWORD, value 3).
All was seemingly okay. I ran Spybot and it found no traces of DSO EXPLOIT. However, spysweeper continues to alert me to the same old problem, i.e. that my homepage is being changed to the "about:blank" page.
Any suggestions?
Thanks,
Mike

I don't know about SpySweeper - I think someone once mentioned it was crap, but I'm not sure about that.
If you need good advice on free tools and comparisons on their effectiveness:
▫ Wilders.org
I just noticed there is a DSOStop program in their list of free tools...
Anyway, in my opinion, these are the ones you should have on your system:
▫ Spybot Search & Destroy (Safer Networking)
▫ Ad-aware (Lavasoft)
▫ [blocker] SpywareBlaster (Javacoolsoftware)
Keep in mind that some of them may need to be updated over the web first when started, and before zapping the baddies! Also check for updates regularly like you would with an Anti-Virus program.
Spybot has an 'immunize' feature (check the Spybot-help) that lets you lock your IE settings and keeps them from being changed.
If things get really bad, then it's probably the baddies from CoolWeb, and against those, there's CWShredder:
▫ CWShredder (Merijn.org)
Another useful tip that keeps a lot of baddies off your system: browse to this folder:
C:\WINDOWS\system32\drivers\etc
Rightclick on the Hosts file and make it read-only. Lots of Hijackers will put their website in the Hosts file, which will slow you down immensely. You can check the contents of the Hosts file by opening it in Notepad. The lines that start with # are just comments, and usually, the only active entry will be: 127.0.0.1 localhost which is your computer itself. There may also be an IP for your Internet Service Provider, but I don't think that's necessary though. If you find other IPs, post them here and I'll try to check them out.
PS: anti-spyware-sites can be down from time to time, so try again later if that's the case.
___________________________________________
☺ [Belgium, GMT+1]_________________________svg
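
The Hosts-file check from the post above, as an added PowerShell example that is not part of the original thread. The function name `Get-UnexpectedHostsEntry` is hypothetical, and the sample lines are constructed, using documentation-only addresses and names.

```powershell
# Added example: list active Hosts-file entries other than the loopback
# "localhost" mapping, which the post describes as the usual only entry.
function Get-UnexpectedHostsEntry {   # hypothetical helper name
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Everything after '#' is a comment, whether whole-line or trailing.
        $active = ($line -split '#', 2)[0].Trim()
        if (-not $active) { continue }

        $fields = $active -split '\s+'
        $ip     = $fields[0]
        # One line may map several names to the same address.
        foreach ($name in @($fields | Select-Object -Skip 1)) {
            $isLoopbackLocalhost = ($ip -in '127.0.0.1', '::1') -and ($name -eq 'localhost')
            if (-not $isLoopbackLocalhost) {
                [pscustomobject]@{ IP = $ip; HostName = $name }
            }
        }
    }
}

# Constructed sample input (192.0.2.0/24 and *.example are reserved for documentation).
$sample = @(
    '# Copyright (c) Microsoft Corp.',
    '127.0.0.1       localhost',
    '192.0.2.15      search.example www.search.example   # added by unknown program',
    '',
    '192.0.2.99      update.example'
)
Get-UnexpectedHostsEntry -Lines $sample | Format-Table -AutoSize   # reports three entries

# Against the real file, plus the read-only flag the post recommends setting:
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsPath) {
    Get-UnexpectedHostsEntry -Lines (Get-Content -LiteralPath $hostsPath)
    "Hosts file read-only: $((Get-Item -LiteralPath $hostsPath).IsReadOnly)"
}
```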

Check this one out too:
http://www.computing.net/security/wwwboard/forum/12189.html
___________________________________________
☺ [Belgium, GMT+1]_________________________svg

Hi,
I have read through this stuff and tried most of it. I was able to remove the DSO exploit, but one of these posts got my attention. About 10 days ago I was unable to get on the net. Finally it came through, but disconnected (cable) for about 30 secs, then returned. Went away for a week, and on my return no net (except through dial up without problem). Hardware and software techs from the ISP have run out of ideas. Modem and signal appear to be good. Did a system restore without success. PC seems to work fine other than that... suggestions?
rgd

Hi rgd,
Have a look at this thread - it looks like a similar problem, but disconnection issues can be hard to track down:
http://www.computing.net/windowsxp/wwwboard/forum/107715.html
Try WinsockFix.zip first:
http://www.dslreports.com/forum/remark,9548698~mode=flat
(if the download link has disappeared in that link, then let me know: I downloaded the program and will mail it to you)
It might be a virus or spyware. Something seems to be on the lookout for active connections. Here are some good, free programs:
Anti-Virus (pick one/two):
▫ [on-line] BitDefender Anti-Virus
▫ [on-line] RAV Anti-Virus (AV Security)
▫ [on-line] ActiveScan Anti-Virus (Panda)
▫ [on-line] HouseCall Anti-Virus (Trend Micro)
▫ nod32 Anti-Virus (eset)
▫ Avast! Anti-Virus (Avast)
▫ F-Prot Anti-Virus (F-Secure)
▫ AVG Anti-Virus (Grisoft)
Anti-Spyware (all of them):
▫ Spybot Search & Destroy (Safer Networking)
▫ Ad-aware (Lavasoft)
▫ [blocker] SpywareBlaster (Javacoolsoftware)
▫ CWShredder (Merijn.org)
Keep in mind that they may need to be updated over the web first when started, and before zapping the baddies!
If you want to trace what's happening to your connections, then these tools will be very handy:
▫ TDIMon & TcpView (SysInternals)
▫ FileMonitor & RegMonitor (SysInternals)
The programs will show you in real-time what's going on with your computer (connection, files, registry). You can start/stop logging the activity, and then check afterwards what happened. Not a direct solution, but it may help you trace what's causing this.
And this is the most general answer about checking your TCP/IP connectivity:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314067
And it also may still be a hardware problem. Modem & signal may be good, but how about the cables (<>wireless?), interference from electrical cables or other hardware, or a Network Adapter (the NIC / port on your computer) that's biting the dust.
___________________________________________
☺ [Belgium, GMT+1]_________________________svg

Hi SVG,
Thanks for the suggestions. Been away for a few days (problem still exists - hoping it would magically go away!), but will give these a try.
RGD

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.