Can't remove DSO Exploit using Spybot search & destroy

kittykatpoop
When I run Spybot it finds two entries for DSO Exploit which it continues to successfully remove, however on subsequent searches two entries for DSO Exploit show up again. I have 5 different user profiles of this PC and have tried on each to see if it makes a difference - it doesn't. What am I doing wrong??
Top Expert 2004

Commented:
Hi kittykatpoop,

Make sure you got the latest spybot
www.softpedia.com/public/cat/10/17/10-17-21.shtml

Check if that would remove the DSO exploit.

Follow instructions here
http://www.askmehelpdesk.com/cgi-bin/yabb/YaBB.cgi?board=computers_for_beginners;action=display;num=1082096807

SR..
Hi!
Here's some links to information on this DSO exploit problem:
http://forums.net-integration.net/index.php?showtopic=15308
Pinned explanation at SSD's forum http://forums.net-integration.net/index.php?showtopic=17159 pinned

For a l o o n g explanation on DSO: http://forums.net-integration.net/index.php?showtopic=15308
Good luck
RF
Your question about can be solved with my link below, but it doesn't help unless you decide to protect your computer in the future.

As you can see in my url below there are at least 7 different issues, where you should decide 1 of each.

The reason is that the many different programs do not always protect against each other, and each of them doesn't protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html#Spyware

BTW: I'm using the Trend Micro anti-virus-suite and SoftScan anti-spam, and haven't got any of my servers or computers infected since 1999, and I'm using PestPatrol anti-spyware since 2004.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

Top Expert 2005

Commented:

Have you tried running Spybot S&D in Safe Mode?

Zee
Top Expert 2005
Commented:

Also found this:

It seems that Spybot removes the DSO exploit but doesn't clean the registry. Hence the reappearance.

Start>Run type 'regedit' (without the quotes)

Follow to the keys that spybot catches as dso exploits, for me it was 5 of them, eg.

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

After opening zones and clicking on '0' look to the right window, under 'name' is the key '1004' and the type is REG_SZ simply right click and delete this REG_SZ value.

Then right click and create new>DWORD Value, name it 1004, right click on that and goto modify, give it the Hex Value of 3, Click ok.

You may have to restart your pc for changes to take effect... I didn't.

Run Spybot again and you will have one less dso exploit.... repeat for each of the other values flagged in spybot (should all be 1004)...

Zee
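
The check described in the post above, as an added read-only example (not part of the original thread and not Spybot's own code): a PowerShell audit of every loaded HKEY_USERS hive that reports the type and data of value 1004 under Zones\0, so entries stored as REG_SZ can be found before anything is edited. The function name `Get-Zone0Value1004` and the output column names are assumptions made for this example.

```powershell
# Added example: read-only audit of the "1004" value discussed in the thread.
# Get-Zone0Value1004 is a hypothetical helper name; nothing is modified.
function Get-Zone0Value1004 {
    $subPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
    $users   = [Microsoft.Win32.Registry]::Users

    foreach ($sid in $users.GetSubKeyNames()) {
        # OpenSubKey(string) opens read-only and returns $null when the
        # hive has no Zones\0 key; it throws if access is denied.
        try   { $key = $users.OpenSubKey("$sid\$subPath") }
        catch { $key = $null }
        if ($null -eq $key) { continue }

        try {
            if ($key.GetValueNames() -contains '1004') {
                $kind = [string]$key.GetValueKind('1004')   # 'String' = REG_SZ, 'DWord' = REG_DWORD
                $data = $key.GetValue('1004')
            } else {
                $kind = 'Missing'
                $data = $null
            }
            [pscustomobject]@{
                Hive     = $sid
                Kind     = $kind
                Data     = $data
                # True when the value exists but is not a DWORD,
                # which is the case the post replaces by hand.
                NotDword = ($kind -ne 'Missing' -and $kind -ne 'DWord')
            }
        } finally {
            $key.Close()
        }
    }
}

Get-Zone0Value1004 | Format-Table -AutoSize
```

Run it from an elevated prompt so the S-1-5-18 (SYSTEM) hive is readable; hives of users who are not logged on are not loaded under HKEY_USERS and will not appear.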
Top Expert 2005

Commented:

Great!
:)

Zee

Author

Commented:
Followed the instructions on manual registry cleaning and the DSO exploit no longer appears, thanks for the help guys, really appreciate it!
Top Expert 2005

Commented:

Glad I could help.

I know the developers of Spybot S&D are aware of this problem and it is expected to be resolved with the next release.

Zee
DSO Exploit

Here is response given.  I am unable to do this.  I cannot edit this line item in "regedit"  it will not let me make the change.  Also, I already have "DWORD" rather than "REG_SZ". It has a value of "0", but like I say cannot delete or modify.  The error block I get is "Error Editing Value" with a red x and the description, "Cannot edit 1004; Error writing the value's new contents".

I have run Spybot in "Safe Mode" and get the same two DSO exploit discrepancy.  Also get an "Alexa Related" line item that cannot be removed.

Anyone have a suggestion?

-------------------------------------------------------------

It seems that Spybot removes the DSO exploit but doesn't clean the registry. Hence the reappearance.

Start>Run type 'regedit' (without the quotes)

Follow to the keys that spybot catches as dso exploits, for me it was 5 of them, eg.

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

After opening zones and clicking on '0' look to the right window, under 'name' is the key '1004' and the type is REG_SZ simply right click and delete this REG_SZ value.

Then right click and create new>DWORD Value, name it 1004, right click on that and goto modify, give it the Hex Value of 3, Click ok.

You may have to restart your pc for changes to take effect... I didn't.

Run Spybot again and you will have one less dso exploit.... repeat for each of the other values flagged in spybot (should all be 1004)...

Zee
Top Expert 2005

Commented:

Bob,

You have to post your own question.

This one is closed.

Zee

Commented:
Or just download today's main update to version 1.3.1 *hurray*
I had this problem too, but discovered the solution was simple ...

When Spybot finds the DSO exploit(s) click the "+" next to it so all occurrences are displayed - click the registry icon at the end of the first line - PAUSE for several seconds whilst registry editor starts up - then click on the same icon again - this time registry editor will advance to the offending entry (1004) - simply right click to delete.

Repeat the above for all remaining lines that spybot finds, but make sure the one it highlights is the 1004 entry - often it can't find the 1004 entry in the last one you try to fix - in which case it highlights a 1001 entry - don't delete this one!

When you tell Spybot to fix the selected problems it complains that it can't fix them (not surprisingly as you've just done it manually) - but when you rescan they won't appear again. I've done this to dozens of PCs now and haven't had a single problem.

Cheers,

Mav
I am currently not at my work computer.  I have had a severe accident which will prevent me from going to work for a few more days.  I have already missed all of this week.  Having said that, this seems like a workable solution.  I will try it immediately after I return to work.  Thank you.

Commented:
It appears more and more Spy ware is becoming malicious to anti Spy ware like Spy Bot Search and Destroy.    It seems that after you have updated SB S&D to the latest version which I believe is 1.3.1 and you are still having problems then…..

Experts Only Corner – This process is Dangerous to your computer and can cause it to stop working where you may have to reload it.  

************************Proceed at your own risk.****************************

Come up in Safe Mode
First go into regedit
MAKE A BACKUP OF YOUR REGISTRY (I CAN NOT STRESS THIS ENOUGH)
Go to the key:
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Check to see if only valid applications are running there.  If you are not sure then you can type the name of the application into Google and it will usually tell you if it is spyware, lameware, adware, etc…
If you have identified a key that is invalid then delete the key.
Next check the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Do the same process.
Next check the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Do the same process
Next check the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Bottom line is I check everything in my registry that says Run or RunOnce.  I usually search on “runonce” and find from there. That seems to go fastest.

I also check the startup directory for any applications, I check the win.ini and the system.ini then I reboot the system.  When the system is up I bring up Taskman and check all the processes and look for any unfamiliar process.  Again if you see an unfamiliar process, type it into Google to see if it is spyware, lameware, adware, etc…

Good luck,

Mark Cutshall
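
The review steps listed in the post above, as an added read-only example (not part of the original thread): a PowerShell listing of the four Run/RunOnce keys the post names plus the per-user and all-users Startup folders, so every entry can be looked up before anything is deleted. The function name `Get-StartupEntry` and the output columns are assumptions made for this example; win.ini and system.ini are not covered.

```powershell
# Added example: read-only inventory of the startup locations named in the post.
# Get-StartupEntry is a hypothetical helper name; nothing is modified.
function Get-StartupEntry {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

    foreach ($path in $runKeys) {
        # A missing key (RunOnce is often absent) is skipped, not an error.
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }

        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Source  = $path
                Name    = $name
                # Keep %VARIABLES% unexpanded so the stored command is shown as written.
                Command = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            }
        }
    }

    # Startup folders for the current user and for all users.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
                [pscustomobject]@{
                    Source  = $dir
                    Name    = $_.Name
                    Command = $_.FullName
                }
            }
        }
    }
}

Get-StartupEntry | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Saving the output with `Export-Csv` before and after a cleanup gives a record of exactly which entries were removed.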

Commented:
The best solution for spyware-adware is this, in my opinion;
 Create a BART-PE disk containing spybot, use it to boot, clean away.
 Nothing's "in use" so nothing's left behind.

Commented:
ohhh...in case you don't know where to get it....
 http://www.nu2.nu/pebuilder/

Commented:
One more note, you have to update the thing often, I update about once a month.....new cd every month....
Asta Cu
Technical consultant & graphic design
Top Expert 2004

Commented:
Great information here, just curious if when you updated Spybot S&D with all fixes, did you also run the "Immunize" function which currently blocks roughly 1944 known bad products/exploits and blocks them?

Asta

Commented:
Yup, I sure did/do, but usually after cleaning.

Commented:
Note to add to Cutshall's comment: "When the system is up I bring up Taskman and check all the processes and look for any unfamiliar process.  Again if you see an unfamiliar process, type it into Google to see if it is spyware, lameware, adware, etc…"

Here's where to look for what each process is:

http://www.greatis.com/regrun3appdatabase.htm

http://www.answersthatwork.com/
     [click on 'Task List' for alphabetical listings of processes]

These are fairly comprehensive databases of known processes (good, bad, otherwise).  The greatis database is organized according to 'Necessary', 'At Your Option', 'Useless', and 'Dangerous'.

Commented:
actually if you install or have messenger installed it recreates it also every time you start it (at least it did on mine till I removed it for good)

trillium is my im now and has no problems with this and I can access icq/aim/msn/yahoo/irc all with one client and read all email and use winamp with it as well :)
Hello all!!!!!!!  Anyone know a safe place to download current version of SpyBot 1.4....?  Thanks.
Asta Cu
Technical consultant & graphic design
Top Expert 2004

Commented:
