• Status: Solved

Keylogger Problem? DSO Exploit

I am playing an on-line game out of Germany called Tibia.  There is another thread about it here.  There are a lot of hackers playing this game and visiting any of the fan-sites is likely to lead to some kind of infection.  I don't go to them.

I have two accounts.  I logged into the Tibia home site on account 1 using Mozilla Firefox and was doing some account maintenance when a pop-up window appeared and invited me to change my password for account 2.  This appeared several times.   I logged out and ran Spybot and found DSO Exploit and removed it.  My operating system is Windows 2000 Personal Edition.  I am pretty sure it is at the correct patch level.

I don't know that the IE exploit DSO is anyhow related to my experience using Firefox but I have some evidence that there is a problem.  I also have Norton Firewall, Norton Anti-Virus, Adaware, and Hijack This on this machine but haven't run scans with these latter yet.  

What's going on?  Where do I start?  I am not looking for an exhaustive list of all possible removal tools but analyze the problem if you can, provide a solution or further troubleshooting steps.
1 Solution

First off, I wouldn't worry about the DSO exploit. Spybot finds that on almost every computer. As far as having to worry about little script kiddies trying to infect your system, if you follow advice today, those problems and worries will end. Security is only as good as the user, so educating yourself about the latest threats, exploits, tools to use to protect yourself will pay off greatly. I'm going to list some great programs along with a few sites to use for research.

Kaspersky Antivirus 5.0 (new version) http://www.kaspersky.com/personal
This program is the best by far. It updates every 3 hours, scans web browser scripts also.
I've tested many other virus scanners through the years and this is by far the best.

AVG is also a great virus scanner (more for home user) not to mention they have a wonderful FREE edition.

Sygate Personal Firewall Pro - Compared to ZoneAlarm or Norton's, which both have tons of exploits to drop their service like a fly, Sygate is the choice for a software firewall.

Sygate has a home edition for free as well.  www.sygate.com

AD-AWARE - www.lavasoftusa.com
If you can afford it, buy the PRO version; the extra feature AD-WATCH is well worth it, for it monitors your registry and notifies you of any changes made, allowing you to ALLOW or REJECT the request on the fly.

RegistryProt 2.0 - http://www.diamondcs.com.au/index.php?page=regprot
This is a free program to monitor all changes to the registry. This is a must in security for your Windows machine. Big help in eliminating spyware, Trojans, backdoors, etc.

BHO Demon - www.majorgeeks.com/download3550.html  (mirrored)
This is a must nowadays if you're running Internet Explorer! BHO is used in a lot of the recent IE exploits as well as keyloggers. Windows XP SP2 offers something along these lines, but why trust M$.

IDS ( Intrusion Detection System ): - snort.org
I was reading my Windows & .NET Magazine, and it has a great article on SNORT. Setting it up and everything. Page 51! Or you can buy the book SNORT 2.1 Second Edition. This program is absolutely promising; this is for extreme paranoid users & advanced users.

http://isc.sans.org/index.php?off=diary -Everyday info on the latest exploits/virus/security issues.
http://eeye.com - perfect for advisories and the best security software.
www.majorgeeks.com - Every program a nerd could think of!!
www.sygate.com – Great Software firewall.
www.kaspersky.com – Best AV on the market.
www.lavasoftusa.com – Best spyware removal program.
http://www.grisoft.com – Wonderful FREE AV.

Let me know if you have any questions or need any further assistance.



The DSO exploits flagged by Spybot S&D are caused by a bug in its current release.

This will be sorted in the next release.

Latest news on this:

>>Please note the current beta release of the application (v 1.3.1b) corrects the DSO bug. If you are not comfortable with installing the beta ignore the DSO items until the final is released. Again, please note it is an application update and not an includes update that fixes this bug<<



DonFreeman (Author) Commented:
What I want to do is figure out what is happening in the case.  I have been reviewing the products listed by knoxj81 and see some stuff I am going to install.  However, I want to know what is on my machine now.   It seems to know when I log into the Tibia home site and then spoof the password change interface.  How does it do that?  I want to see what's in the process list when it happens.  What should I be looking for?  

Spybot didn't find it and I want to run the other programs when I get off of work.  Obviously, if nothing finds it then I need to work with Adaware or Spybot support to figure out what it is.

It's not going to be in your processes. Most likely it's just a popup from the website. If in fact it is a program running on your PC, all you have to do is run an Adaware scan and an updated virus scan, and anything of that nature would be removed. I would install the programs I listed, then I would update them all.

Also: If you're using Mozilla, I would recommend uninstalling your current version and updating to their latest release, to patch for the found exploits.
http://www.majorgeeks.com/download2248.html - This version of Mozilla Firefox was released yesterday.

Let me know if you have any further concerns,


I wonder if that pop-up isn't Firefox's save password feature, because as you probably know Firefox can store several auto logon passwords for the same site.

Try this:

Tools > Options > Privacy > Saved Passwords

Click the "Clear" button to delete all stored passwords.

When logging on to the Tibia site, and asked to save, click "Never for this site" (or similar wording). I suspect this will end the pop-ups, but you will need to retype the name and password every time you want to log on to that site.

Interesting will be Process Explorer:


Download, install and run.

This will show you All processes running and their details.

Maybe you can find something suspicious there...??

Post back if you have any doubts.

Good luck,

DonFreeman (Author) Commented:
knoxj81, When I get home I'll try what you are suggesting. I did run Adaware last night and it didn't find anything significant either.  I logged onto the site again this morning and it very reliably invites me to change the password for my second account.  I can't imagine that this thing is a feature of the Tibia Cipsoft home.  The dialog box isn't inviting me to SAVE the password, it's inviting me to CHANGE the password.  I figure once I do that and put in my old password I'm toast.  I'm too chicken to select yes and see what comes next.

I agree with your "chicken" decision, but that is also the wise decision.

Maybe worth a try:

Logon with your second account and change password from within the Tibia interface.

Save and check if the problem persists.

That popup could also be, and there are some sites that do that, a reminder for old passwords that should be periodically changed, as a safety precaution.

But, I'm only guessing, of course.

Regardless of whether it's locally or remotely, if you have the right tools, this doesn't have to be a concern.

If it was a keylogger, you wouldn't have to be asked to enter your password. They would see you log in and that would be that.

Either way: You need to run the best security tools, fully updated.

Good Luck,

Question has a verified solution.
