DSO Exploit

IanS - 19 Jun 2004 19:10 GMT
I've done a search on this here (but it didn't clear up my
problem) and on MS KB, etc., and elsewhere. The only place
with a reference to it is the SpyBot homepage.

SpyBot is finding this 'DSO Exploit'. So I remove it, and
then it just comes back the next time.

Anyone help with how to remove it for good, do I actually
need to, and er... what is it?

cheers,
Ian S
Noel Paton - 19 Jun 2004 19:21 GMT
Which DSO Exploit?
What's the EXACT description Spybot gives it?
Where?

Signature

Noel Paton (MS-MVP 2002-2004, Win9x)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
or
http://www.microsoft.com/presspass/features/2001/Mar01/Mar27pmvp.asp

IanS - 19 Jun 2004 19:41 GMT
Just ran SpyBot again - the reference given was -

DSO Exploit
Data source object exploit
HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

does that help at all?

regards,
IanS

Noel Paton - 19 Jun 2004 20:08 GMT
The "\0\" points to the My Computer Zone. The key "1004" holds the value for
the specific setting "Download unsigned ActiveX controls". The "!=" means
"not equal". "W=3" (word
value of 3) specifically means "disabled". Therefore, Spybot is finding that
this setting is not disabled for various users defined on the system.

Try resetting your Internet Security zones to Default, if that's what you
want

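The decoding Noel describes, as an added example that is not part of the thread and is not Spybot's code: it parses the finding line and checks the same zone setting in every hive of a registry export, going slightly beyond the single key in the finding. The finding syntax is inferred from the one line quoted above, and the `.reg` export, including the idea that the per-user hive and the default hive disagree, is constructed sample data.

```python
import re

# Zone numbers and setting states used under ...\Zones\<zone>\<action>.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
STATES = {0: "enabled", 1: "prompt", 3: "disabled"}

# Finding syntax inferred from the single line quoted in the thread (assumption).
FINDING = re.compile(r"^(?P<key>.+\\Zones\\(?P<zone>\d+))\\(?P<action>\d{4})"
                     r"!=W=(?P<value>\d+)$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
# Constructed sample export; not taken from any real machine.
SAMPLE_REG = r'''REGEDIT4

[HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000003
'''
SAMPLE_FINDING = (r"HKEY_USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion"
                  r"\Internet Settings\Zones\0\1004!=W=3")

def parse_finding(line):
    """Split '<key>\\Zones\\<zone>\\<action>!=W=<n>' into its parts."""
    m = FINDING.match(line.strip())
    if not m:
        raise ValueError("not a zone-setting finding: %r" % line)
    return {"zone": int(m["zone"]), "action": m["action"], "expected": int(m["value"])}

def parse_reg_export(text):
    """Return {(key, value_name): int} for every dword in a .reg export."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and DWORD.match(line):
            name, hexval = DWORD.match(line).groups()
            values[(key, name)] = int(hexval, 16)
    return values

def audit(finding_line, reg_text):
    """List (hive, state, flagged) for the finding's setting in every hive exported."""
    f = parse_finding(finding_line)
    suffix = "\\Zones\\%d" % f["zone"]
    report = []
    for (key, name), actual in sorted(parse_reg_export(reg_text).items()):
        if name == f["action"] and key.endswith(suffix):
            hive = key.split("\\Software")[0]
            report.append((hive, STATES.get(actual, "unknown"), actual != f["expected"]))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_FINDING, SAMPLE_REG):
        print(row)
```

In the sample, the logged-on user's hive already holds 3 (disabled) while the default hive holds 0, so the setting looks correct in the Internet Options dialog yet the default-hive key is still flagged.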
IanS - 19 Jun 2004 20:26 GMT
Noel,
thanks for that. But I'm confused now!

As you say, the selection I have in the Internet Security
settings are for unsigned ActiveX to be disabled.
I'd rather not reset to default - what do I have to change
in the settings (or elsewhere) to make SpyBot happy?

Or is this something I needn't really worry about?
SpyBot, after all, was concerned earlier that my home page
pointed to 'blank' and was deeply suspicious!

regards,
Ian S

Noel Paton - 19 Jun 2004 20:38 GMT
Hehe - I've told it to ignore that (the homepage hijack) on my box<g>. Just
be aware that if you do that, it removes a potential lifebelt from Spybot -
because there is a hijacker that uses the 'about: home'  page to script its
entry into your system.

Personally, I'd set the ActiveX control to what *I* want it to be, and the
hell with what Spybot thinks it should be (which, AFAIK are the default
settings for IE) - again, be aware of the consequences if you tell Spybot to
get lost, so perhaps just ignore (but note) it yourself, rather than tell
Spybot to do so.

HTH

IanS - 19 Jun 2004 20:58 GMT
Oh, that's interesting. How do you tell the difference
then between a real hijack and SpyBot's nitpicking?

Sorry to harp on about this, but, if the threat is from
unsigned ActiveX, and these are disabled, then what is the
threat? Am I missing something here?

puzzled,
Ian S

Noel Paton - 19 Jun 2004 21:27 GMT
The 'threat' is that the setting is not the default - spybot doesn't keep a
list of correct settings for this - only the defaults.

How do you tell? either ask, or search Google for references from reliable
sources (that's what I did - unfortunately I can't attribute the clip, as
it's unsigned)

IanS - 19 Jun 2004 21:59 GMT
Thanks for all this, appreciated.

there was this link

 http://security.greymagic.com/adv/gm001-ie/

Many thanks,
Ian S

Noel Paton - 19 Jun 2004 22:21 GMT
That's probably what sparked the 'threat' notice in Spybot - but unless you
have the other signs of an infection, then it's likely that you need not
worry.

IanS - 19 Jun 2004 22:46 GMT
Yes, that impression is beginning to be had!

Cheers,
IanS

IanS - 19 Jun 2004 23:29 GMT
Actually, it was Ad-aware that spotted the
about:blank 'hijack', not SpyBot...

Oh heck, what's on the telly?

IanS

Joan Archer - 20 Jun 2004 10:13 GMT
Football.<g>
Joan

> Oh heck, what's on the telly?
cquirke (MVP Win9x) - 21 Jun 2004 17:16 GMT
On Sat, 19 Jun 2004 21:27:54 +0100, "Noel Paton"

>The 'threat' is that the setting is not the default - spybot doesn't keep a
>list of correct settings for this - only the defaults.

I don't think that's the mechanism here.

It's the mechanism behind Ad-Aware's alerts on about:blank, yes; if
you set that as the IE home page (as I do; saves having to wait for a
site I don't want to look at anyway), then Ad-Aware ASSumes this is
the result of a hijack technique used by CoolWebSearch et al.  No
matter that the actual about:blank file has zero changes from standard
and thus contains zero active content, etc.

But in Spybot's case, it's more likely the MS duhfault settings that
it is objecting to - and we all know how objectionably clueless MS
duhfault settings can be!  I say this, because Spybot will *always*
alert on this, plus Alexa, when it's run on a freshly-built XP PC.

I would NOT set settings back to defaults; I would allow Spybot to
"fix" it (which it will likely do by setting stronger, non-default
settings to wall out this risk).

>--------------- ----- ---- --- -- -  -    -
Never turn your back on an installer program
>--------------- ----- ---- --- -- -  -    -
Noel Paton - 21 Jun 2004 17:13 GMT
Chris.... if you read down the thread a bit, you'll see that it emerged that
the warning was from AdAware, rather than Spybot.

cquirke (MVP Win9x) - 25 Jun 2004 20:51 GMT
On Mon, 21 Jun 2004 17:13:17 +0100, "Noel Paton"

>Chris.... if you read down the thread a bit, you'll see that it emerged that
>the warning was from AdAware, rather than Spybot.

Ah, that's interesting!  I don't remember seeing AdAware alert on DSO
before - unless maybe it's seeing Spybot-fixed DSO as non-standard and
thus flagging it for that reason, much as it does about:blank ?

>------------ ----- ---- --- -- - -  -    -
 Our senses are our UI to reality
>------------ ----- ---- --- -- - -  -    -
Save my system - 28 Jun 2004 01:22 GMT
Hi, Well, I do have a problem here.  It started a couple of days ago, when I open IE and the page address is "about:blank" but a directory page opens.  So I cleared it out and even have gone as far as updating Ad Aware, and Win Patrol, and updating my windows, and office, and clearing and resetting everything in zone alarm.  I've cleared all of my temporary internet files and history, fixed the Zones setting in the registry to 3 as described in the security description as mentioned in prior post.  I've even set my IE to open to a blank file on my C drive.

Something continually is exploiting my computer because it keeps being reset to the directory page even though when Win Patrol pops up a window that says "A change has been detected in your IE Start Page Your new page is about:blank" etc. and I say "No", it still keeps happening.  Ad Aware keeps finding CoolWebSites cookies so I assume it has to do with them.  Also Spy Bot keeps finding "DSO Exploit" and even when I remove it, it comes back.

Any additional help would be appreciated as I've probably spent about 6 hours messing around with this problem, and it is driving me batty!  Thanks.

Save my system - 28 Jun 2004 03:17 GMT
Well, now, add 5 more hours to this mess.  I've gone in and cleared out many more registry settings, using several other Spyware packages to identify the problem, and then manually making adjustments.  And still... the problem persists.   My internet start page keeps being reset and Win Patrol warns me and I say "No."  What's happening with this?  Any insights...
Thanks.

Noel Paton - 28 Jun 2004 06:20 GMT
Reboot to Safe Mode and run CWShredder - to remove what is almost certainly
a variant of the CoolWebSearch hijacker.
http://www.merijn.org/cwschronicles.html

Use CWShredder, the removal tool:
http://www.merijn.org/files/cwshredder.zip
http://www.merijn.org/files/CWShredder.exe
http://www.spywareinfo.com/downloads/tools/CWShredder.exe
http://www.zerosrealm.com/downloads/CWShredder.zip

cquirke (MVP Win9x) - 29 Jun 2004 09:44 GMT
On Sun, 27 Jun 2004 19:17:01 -0700, "Save my system"

>Any insights...

Executive summary:

http://cquirke.mvps.org/9x/virtest.htm - formal av
 www.f-prot.com - free DOS-based av + updates
 www.sophos.com - free fresh DOS-based av
 www.nod32.com - free fresh DOS-based av
http://cquirke.mvps.org/9x/riskfix.htm - see networking
http://cquirke.mvps.org/9x/dataman.htm - see networking
Find and run CWShredder

On http://cquirke.mvps.org/9x/riskfix.htm pay particular attention to
networking, i.e. File and Print Sharing, what you bind that to, and
what you full share.  Read up some descriptions of OpaServ as an
example of why this matters as much as it does.  The same topic may be
covered in  http://cquirke.mvps.org/9x/dataman.htm

>--------------- ----- ---- --- -- -  -    -
 Hello DOS mode my old friend
 I've come to hack with you again
>--------------- ----- ---- --- -- -  -    -
cquirke (MVP Win9x) - 29 Jun 2004 09:39 GMT
On Sun, 27 Jun 2004 17:22:01 -0700, "Save my system"

>I open IE and the page address is "about:blank" but a directory page opens.  

OK; "about:blank" is supposed to be null HTML, but in a bit of bad
design (that I hadn't thought of as such either at the time) IE looks
to an actual HTML file for this non-content.  So the opportunity
exists for malware to insert itself into that file, as has been done here.

>So I cleared it out and even have gone as far as updating
>Ad Aware, and Win Patrol, and updating my windows, and
>office, and clearing and resetting everything in zone alarm.  

OK, but you're closing up holes while there's malware still possibly
active in the house.  That may invalidate your moves.

>I've cleared all of my temporary internet files and history,

That's good for the initial inactive form of some malware that enter
via that route, but these usually throw themselves forward into the
system and (get the system to) run themselves from there.

>fixed the Zones setting in the registry to 3 as described in the
>security description as mentioned in prior post.  I've even set
>my IE to open to a blank file on my C drive.

That's good, but I missed "did a formal virus scan" as a step earlier
in the process (before the first "even have gone as far"  <g> )

>Something continually is exploiting my computer because it
>keeps being reset to the directory page even though when
>Win Patrol pops up a window that says A change has been
>detected in your IE Start Page Your new page is about:blank"
>etc. and I say "No", it still keeps happening.  

HOSTS comes to mind as the only passive re-infection vector I can
think of, but all of these anti-commercial-malware tools should be
well aware of that.  So it's either a really aggressive commercial
malware - as the focus of its attentions suggests - or it's a
traditional malware that you'd need a formal av scan for.  

In both cases, thinking of a persistence of the malware that re-seeds
itself.  CWShredder's a free tool dedicated to one of the most widely
mutated and aggressive commercial malware, while www.f-prot.com,
www.sophos.com and www.nod32.com have free DOS-based av that you can
use as per http://cquirke.mvps.org/9x/virtest.htm to formally scan for
traditional malware.  WinME means no NTFS, means you can do this.

The other possibility is no persistent malware, no passive
re-infection hook, no broken code holes (you say you've patched) but
just really baaaad settings that keep the door wide open by design.
Make sure you don't have File and Print Sharing bound to your Internet
connection and that you don't have the whole of C:\ full-shared so
that any system in the world can seed your startup axis!  

Else it's like trying to secure a particular square meter of space in
the middle of a football pitch.  It's just never going to happen.

>Ad Aware keeps finding CoolWebSites cookies so I assume it
>has to do with them.  

CWShredder it is, then.  Get a fresh copy - it's updated so often they
don't even bother with build numbers - rather than use a hand-me-down.

CWS must have done some very elegant legal footwork to stay in the
water as a visible commercial entity while still exploiting OS defects
in new ways every few days to penetrate systems.  I suspect their
winning model is "we don't do any of this ourselves, but we can't be
held responsible for the over-zealous actions of the scumbags our
incentive program attracts".  Hopefully they'll get wiped one day.

>Also Spy Bot keeps finding "DSO Exploit" and even when I
>remove it, it comes back.  

That's interesting.  I wonder if there's some other protective layer
that's walling out Spybot's changes?

>------------ ----- --- -- - -  -    -
 Drugs are usually safe.  Inject? (Y/n)
>------------ ----- --- -- - -  -    -
 