
Temporarily Pinned/stuck: DSO Exploit keeps coming back! & bad checksum

Discussion in 'Malware and Virus Removal Archive' started by noahdfear, 2004/07/18.

Thread Status:
Not open for further replies.
  1. 2004/07/18
    noahdfear

    noahdfear Inactive Thread Starter

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hello all!

    Wondering why every time you run Spybot v1.3 it finds and fixes the same DSO Exploit, even when you just scanned and fixed it? Rest easy! It's because of a bug in the new version that hasn't been fixed yet. Assurance has been given that this bug will be addressed in an update yet to come. More information as well as several suggestions/instructions on how to stop the false DSO Exploit being reported can be found in both of the following links.

    http://forums.net-integration.net/index.php?showtopic=15308&st=0

    http://forums.net-integration.net/index.php?showtopic=17159&st=30

    You will find it is said repeatedly when you read through these, if you are currently up-to-date with Microsoft Windows Security Updates, your system is protected against these exploits! If the repeated reports bother you, feel free to use one of the suggested fixes, or exclude them from Spybot's scan for now.
     
  2. 2004/07/18
    BOBBO

    BOBBO Geek Member

    Joined:
    2002/01/07
    Messages:
    1,892
    Likes Received:
    19
    noahdfear: Earlier today Oscar raised this very point. I was curious about the same issue, and then JohnB posted similar information to what you just offered. Here's the link to that thread:

    http://www.windowsbbs.com/showthread.php?t=33003

    It doesn't offer the workarounds that your first link does, however. Personally, although I've worked with RegEdit before, I think I'll wait until Spybot provides an update containing a fix. As has been made clear already, the bug is harmless and messing with the Registry isn't worth the potential risk, to me at least.
     


  4. 2004/07/19
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  5. 2004/07/28
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  6. 2004/09/24
    annt256

    annt256 Inactive

    Joined:
    2004/09/18
    Messages:
    12
    Likes Received:
    0
    Wow thanks all.....I also have that problem of not being able to download that Explorer update....It says I need IE 6.0 to install and that's what I have..I'll go and look up that number that was posted in one of the forums....but knowing this about Spybot I don't have to worry so much.

    thanks bunches
    ann
     
  7. 2004/09/30
    Oscar

    Oscar Inactive

    Joined:
    2003/03/20
    Messages:
    55
    Likes Received:
    0
    DSO Exploit in Spybot

    To all of you that cannot remove DSO Exploit from Spybot. The manufacturer states on their web site that their next update will resolve the problem. I have downloaded and installed 3 updates and it was still present.

    However, I did find a sure simple way for its removal. I can't take any credit for it as I read it in one of Langalist's newsletters. Which I recommend as a must read.

    So here goes guys and gals it works as well as being simple.
    1. Open Spybot & select " Advanced Mode ".
    2. Select : Settings in the left column
    3. Select " Ignore" product in the left column
    4. Select " Security Tab "
    5. Place a check mark in box beside "DSO Exploit ".
    6. Close program
    7. Open Spybot & run a scan.

    I haven't seen DSO Exploit since. Good luck.
     
  8. 2004/09/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    You can wait for the next version or in settings check to get the beta updates then only get the beta main app update, not the includes, unless you intend to always check at the forum before fixing.

    When you first check for problems it might find the DSO once; fix it, and on subsequent scans it will not.

    Or temporarily exclude/ignore as Oscar has mentioned
     
  9. 2004/10/01
    Stoofer

    Stoofer Inactive

    Joined:
    2002/01/08
    Messages:
    31
    Likes Received:
    0
    Could someone here please comment on this procedure that I found elsewhere on the net for getting rid of the DSO Exploit?

    RE: dso exploit

    Hi Barry,

    Regarding your post on removing DSO Exploit, please review the following
    steps:

    PROBLEM:

    Spybot Search & Destroy identifies malware called "DSO Exploit" is
    infecting your registry but Spybot S&D is unable to remove or correct the
    problem. Because Spybot S&D cannot resolve the problem it may report the
    symptom each time you scan. Spybot S&D may identify a DSO exploit in any of
    the following five registry keys.

    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004
    HKEY_USERS\S-1-5-21-746137067-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004

    Note: The long number <GUID> in the second key (after S-5-21-) varies from
    machine to machine.

    CAUSE:

    Spybot S&D cannot correct the problem because the registry keys in question
    are corrupt. The registry keys identified above are legitimate but the data
    type has been changed by a 3rd party program from the original type:
    REG_DWORD to a different type: REG_SZ. This type setting prevents Spybot
    S&D from resolving this issue.

    RESOLUTION:

    Change all of the [1004] keys from type Reg_SZ to type REG_DWORD and assign
    each a value = 3.

    Note: as a precaution you should back up each key prior to making the
    changes.

    SPECIFIC STEPS:

    1. Click Start, then Run..

    2. Type REGEDIT in the Run box and either hit Enter or click OK.

    3. Locate the following registry key:

    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004

    4. Right-click on the 1004 key and select Rename

    5. Rename this key to -1004. <minus 1004>

    Note: this -1004 key will be the backup of the original key.

    6. Click on the Edit menu, then New and select DWORD value.

    7. Give the new Key a name of 1004.

    8. Right-click the new 1004 key, select Modify, give it a value 3 and click
    OK.

    9. Repeat steps 3-7 for each of the above registry keys.

    Note: remember that the long number after S-1-5-21 above will differ on
    each machine.

    10. Close the registry editor.

    11. Click Start, then Control Panel.

    12. Click Network And Internet Options, then click Internet Options to open
    up the Internet properties.

    13. Click on the Security tab, then click the Internet icon, then click
    Custom level.

    14. Ensure that Download unsigned ActiveX controls is set to Disable.

    15. Click [OK] on Security Settings and then click [OK] to close Internet
    Properties.

    16. Run Spybot S&D again, this time DSO Exploit should not show up.

    =========

    This posting is provided "AS IS" with no warranties, and confers no rights.

    MBSA Homepage:
    http://www.microsoft.com/MBSA

    Windows XP Security Homepage:
    http://www.microsoft.com/windowsxp/security/default.asp

    Windows 2000 Security Homepage:
    http://www.microsoft.com/windows200..ity/default.asp

    Top 10 Windows Newsgroups Security Questions:
    http://www.microsoft.com/technet/ne..technet/newsgroups/nodepages/sectop10.asp

    =========
    Paul Hayes, MCSE
    Product Support Services
    Microsoft Corporation
    pauly@online.microsoft.com

    --------------------
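
    The quoted procedure turns on one check: whether the value 1004 under each hive's Zones\0 key is a REG_DWORD set to 3. The following is an added example, not part of any post in this thread and not Microsoft's or Spybot's code; it is a read-only audit of a regedit text export. The function names and the sample export (including its S-1-5-21 SID) are constructed for illustration.

```python
import re

# Constructed sample in regedit's .reg export text format (not from the thread).
# The S-1-5-21 SID is made up. Real exports are UTF-16: decode before parsing.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"="3"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000003

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000000
'''

# Matches a Zones\0 section header and captures the hive (HKEY_USERS\<SID>).
ZONE0 = re.compile(r"^\[(HKEY_USERS\\[^\\\]]+)\\Software\\Microsoft\\Windows"
                   r"\\CurrentVersion\\Internet Settings\\Zones\\0\]$", re.I)

def classify(data):
    """Map the raw .reg data of value 1004 (or None) to a finding."""
    if data is None:
        return "missing"
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
    if m:
        return "ok" if int(m.group(1), 16) == 3 else "dword-but-not-3"
    if data.startswith('"'):
        return "wrong-type-REG_SZ"   # the condition the quoted post describes
    return "wrong-type-other"        # hex(...)-encoded types

def audit_1004(export_text):
    """Return {hive: finding} for every Zones/0 section in the export."""
    findings, hive = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = ZONE0.match(line)
            hive = m.group(1) if m else None
            if hive:
                findings[hive] = classify(None)  # until a 1004 line is seen
        elif hive and line.startswith('"1004"='):
            findings[hive] = classify(line.split("=", 1)[1])
    return findings

if __name__ == "__main__":
    for hive, finding in audit_1004(SAMPLE_EXPORT).items():
        print(f"{hive}: {finding}")
```

    Running the same audit on an export taken after the manual edit shows whether every hive listed in the procedure was actually covered.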
     
  10. 2004/10/01
    Bmoore1129

    Bmoore1129 Geek Member

    Joined:
    2002/06/11
    Messages:
    1,675
    Likes Received:
    3
    I applied the registry fix outlined above for the "1004" entries. Opened Spybot S&D and removed the ignore DSOExploit check mark and ran the program. Also had new defs dl'ed. I got no hits on anything.

    If the new defs didn't fix it then the registry fix must have.
     