Keylogger Problem?  DSO Exploit

Posted on 2004-10-05
Last Modified: 2013-11-16
I am playing an on-line game out of Germany called Tibia.  There is another thread about it here.  There are a lot of hackers playing this game and visiting any of the fan-sites is likely to lead to some kind of infection.  I don't go to them.

I have two accounts.  I logged into the Tibia home site on account 1 using Mozilla Firefox and was doing some account maintenance when a pop-up window appeared and invited me to change my password for account 2.  This appeared several times.   I logged out and ran Spybot and found DSO Exploit and removed it.  My operating system is Windows 2000 Personal Edition.  I am pretty sure it is at the correct patch level.

I don't know that the IE exploit DSO is anyhow related to my experience using Firefox but I have some evidence that there is a problem.  I also have Norton Firewall, Norton Anti-Virus, Adaware, and Hijack This on this machine but haven't run scans with these latter yet.  

What's going on?  Where do I start?  I am not looking for an exhaustive list of all possible removal tools but analyze the problem if you can, provide a solution or further troubleshooting steps.
Question by:DonFreeman

Accepted Solution

knoxj81 earned 250 total points
ID: 12229589

First off, I wouldn't worry about the DSO exploit. Spybot finds that on almost every computer. As far as having to worry about little script kiddies trying to infect your system, if you follow advice today, those problems and worries will end. Security is only as good as the user, so educating yourself about the latest threats, exploits, tools to use to protect yourself will pay off greatly. I'm going to list some great programs along with a few sites to use for research.

Kaspersky Antivirus 5.0 (new version)
This program is the best by far. It updates every 3 hours, scans web browser scripts also.
I've tested many other virus scanners through the years and this is by far the best.

AVG is also a great virus scanner (more for home user) not to mention they have a wonderful FREE edition.

Sygate Personal Firewall Pro - Compared to ZoneAlarm or Nortons which both have tons of exploits to drop their service like a fly. Sygate is the choice for a software firewall.

Sygate has a home edition for free as well.

If you can afford it, buy the PRO version; the extra feature AD-WATCH is well worth it, for it monitors your registry and notifies you of any changes made, allowing you to ALLOW or REJECT the request on the fly.

RegistryProt 2.0 -
This is a free program to monitor all changes to the registry. This is a must in security for your Windows machine. Big help in eliminating spyware, Trojans, backdoors, etc.

BHO Demon -  (mirrored)
This is a must now-a-days if you're running Internet Explorer! BHO is used in a lot of the recent IE exploits as well as keyloggers. Windows XP SP2 offers something along these lines, but why trust M$.

IDS ( Intrusion Detection System ): -
I was reading my Windows & .NET Magazine, and it has a great article on SNORT. Setting it up and everything. Page 51! Or you can buy the book SNORT 2.1 Second Edition. This program is absolutely promising, this is for extreme paranoid users & advanced users.

References:
- Everyday info on the latest exploits/virus/security issues.
- perfect for advisories and the best security software.
- Every program a nerd could think of!!
- Great Software firewall.
- Best AV on the market.
- Best spyware removal program.
- Wonderful FREE AV.

Let me know if you have any questions or need any further assistance.


Expert Comment

ID: 12229900

The DSO exploits flagged by Spybot S&D are caused by a bug in its current release.

This will be sorted in the next release.

Latest news on this:

>>Please note the current beta release of the application (v 1.3.1b) corrects the DSO bug. If you are not comfortable with installing the beta ignore the DSO items until the final is released. Again, please note it is an application update and not an includes update that fixes this bug<<



Author Comment

ID: 12230093
What I want to do is figure out what is happening in the case.  I have been reviewing the products listed by knoxj81 and see some stuff I am going to install.  However, I want to know what is on my machine now.   It seems to know when I log into the Tibia home site and then spoof the password change interface.  How does it do that?  I want to see what's in the process list when it happens.  What should I be looking for?  

Spybot didn't find it and I want to run the other programs when I get off of work.  Obviously, if nothing finds it then I need to work with Adaware or Spybot support to figure out what it is.


Expert Comment

ID: 12230144
It's not going to be in your processes. Most likely it's just a popup from the website. If in fact it is a program running on your PC, all you have to do is run an Adaware scan and an updated virus scan, and anything of that nature would be removed. I would install the programs I listed, then I would update them all.

Also: If you're using Mozilla, I would recommend uninstalling your current version and updating to their latest release, to patch for the found exploits. - This version of Mozilla Firefox was released yesterday.

Let me know if you have any further concerns,

Expert Comment

ID: 12231518

I wonder if that pop-up isn't Firefox save password feature, because as you probably know Firefox can store several auto logon passwords for the same site.

Try this:

Tools > Options > Privacy > Saved Passwords

Click the "Clear" button to delete all stored passwords.

When logging on to the Tibia site, and asked to save, click "Never for this site" (or similar wording). I suspect this will end the pop-ups, but you will need to retype the name and password every time you want to log on to that site.

Interesting will be Process Explorer:

Download, install and run.

This will show you All processes running and their details.

Maybe you can find something suspicious there...??

Post back if you have any doubts.

Good luck,


Author Comment

ID: 12237206
knoxj81, When I get home I'll try what you are suggesting. I did run Adaware last night and it didn't find anything significant either.  I logged onto the site again this morning and it very reliably invites me to change the password for my second account.  I can't imagine that this thing is a feature of the Tibia Cipsoft home.  The dialog box isn't inviting me to SAVE the password, it's inviting me to CHANGE the password.  I figure once I do that and put in my old password I'm toast.  I'm too chicken to select yes and see what comes next.

Expert Comment

ID: 12237642

I agree with your "chicken" decision, but that is also the wise decision.

Maybe worth a try:

Logon with your second account and change password from within the Tibia interface.

Save and check if the problem persists.

That popup could also be, and there are some sites that do that, a reminder for old passwords that should be periodically changed, as a safety precaution.

But, I'm only guessing, of course.


Expert Comment

ID: 12242374
Regardless of whether it's locally or remotely. If you have the right tools, this doesn't have to be a concern.

If it was a keylogger, you wouldn't have to be asked to enter your password. They would see you log in and that would be that.

Either way: You need to run the best security tools, fully updated.

Good Luck,


Question has a verified solution.
