I can't tell if Spybot is doing this intentionally or is it incompletely fixing a problem...can you?
HandsOff
January 7th, 2005, 04:02 PM
I can't tell if Spybot is doing this intentionally or is it incompletely fixing a problem...can you?
These five keys are detected by Spybot S&D 1.3
-------------------------------------------------------------------------
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21--1004\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3
----------------------------------------------------------------------------
Spybot appears to fix it, but when you run a scan it comes back...only, not
really. Instead of having all the original data it only leaves one string value
at each of the keys, 1004...without even the "!"
I am confused by this because you have two choices at this point:
1) you can delete the string value of 1004, and then it is never detected again,
nor does it appear to resurface anywhere else. Or
2) you can leave the string value, and Spybot will continue to detect and "remove"
it every time it is run (there may be an ignore option or something; that's not my concern)
If you follow procedure (1) (navigate to the keys in regedit and delete the
string values for 1004), you can no longer use the host program.
If you follow procedure (2) you can.
I am registry challenged. I do not know if the 1004 is just a "dummy" value.
what is the purpose of a "string value"?
I could see myself continuing to use the program if (1) really fixes it, but
mainly I just want to recognize what is happening, if it is knowable.
-HandsOff
Cochise
January 7th, 2005, 04:24 PM
It's nothing more than a Bug in SB Mate...I think!......Which version are you using?.......I have the beta version..1.4.2.....I don't get that DSO exploit anymore......... ;D
Cochise, 8)
HandsOff
January 7th, 2005, 04:57 PM
spybot S&D 1.3 - no betas
No, I don't think it is a bug because the problem was not there until after the installation of a few programs...
But I just realized something that makes that behavior very useful. By Spybot detecting and removing what I believe is the payload, but not crippling the program by leaving a dummy, it is possible for the user to manually delete the strings, and then run your most recently installed software and see which one no longer works. Now you know which piece of software was the culprit. I gather a lot of the time you don't know which program wrote the bad reg keys? If my antispy program does not tell me, I know I can't usually know...but sure wish I did!
BTW, i meant to say in the original, that i DON'T want to continue using the program anyway
MICRO
January 7th, 2005, 05:11 PM
-{ Quote: "spybot S&D 1.3 - no betas
No, I don't think it is a bug because the problem was not there until after the installation of a few programs...
But I just realized something that makes that behavior very useful. By Spybot detecting and removing what I believe is the payload, but not crippling the program by leaving a dummy, it is possible for the user to manually delete the strings, and then run your most recently installed software and see which one no longer works. Now you know which piece of software was the culprit. I gather a lot of the time you don't know which program wrote the bad reg keys? If my antispy program does not tell me, I know I can't usually know...but sure wish I did!
BTW, i meant to say in the original, that i DON'T want to continue using the program anyway" }-
Hands,
b'4 you ditch the superb S & D you might want to take a look at S & D's forum re. your problem,
http://forums.net-integration.net/index.php?act=idx
click on ANNOUNCEMENTS-then the top entry, Spybot 1.3 issues
explained by Galadriel.
HTH.
Regards.
HandsOff
January 10th, 2005, 07:18 AM
Micro -
I'm not planning on ditching it at all. It is an outstanding program. What I meant was do they fix the problem this way intentionally, or is something being missed. Since I see it is actually more useful to have the DSO handled that way i don't see it as a bug at all.
Since I don't really understand what the registry keys do, I was hoping to get a little more information. I don't know what links a key to instructions elsewhere on the computer. Is a string value benign?
BTW, I usually run a search on a CLSID if it is suspected of being malware. That's what led me to the information on why it kept being detected, and yet it did not appear to be causing any code to actually run.
- HandsOff
Star
January 11th, 2005, 06:17 PM
OK, I have this back on my computer as well. I did the search and took out all the others, but there are several of us using the computer; don't know if that has anything to do with it. But I ran Spybot Search and Destroy on the other side and this is what I come up with: DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3976243432-1123569960-941548136-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
This time I can't get this one out. Have any suggestions!!! Thanks
Mike Goodfellow
January 14th, 2005, 08:01 PM
All I did was delete 1004. Spybot, then, never found any more DSO entries. It congratulates me every time I run Spybot and tells me that nothing was found on my computer. So just go ahead and delete 1004.
Mike
scott lang
January 18th, 2005, 11:52 AM
runnin 1.4 beta too. no dso's here.
HandsOff
January 18th, 2005, 06:41 PM
Star -
Sorry, I did not see your question earlier. Your question sounds very different from my situation. I don't understand a couple of things. Why would your log say nothing done? Presumably you checked the box and said remove...then it would have given you a message like "1 problem fixed"
Here is a bit of extra info on how my problem was. I would run SS&D and it would detect 5 exploits; I would check all five boxes (actually, if you don't expand it, it lists it as one problem). Then fix it, and SS&D would say 5 problems fixed....you knew all that...
...now, if I ran SS&D again, without even rebooting, the problem would be detected again. So you see, it continued to detect AFTER the problem was fixed. However, it was NOT detecting the original problem. The registry keys were changed, and possibly rendered harmless (I am still unclear on that point, and I am not sure anyone out there knows, or is saying...)
Here is the deal: Go to start>run>regedit and do a search. Search for
1004!=W=3, or even just 1004!. If nothing is found I THINK you are ok.
Otherwise navigate in regedit to
HKEY_USERS\S-1-5-21-3976243432-1123569960-941548136-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3 and delete the key, however, if you do so you will likely soon discover that some program you have installed will no longer function.
If, on the other hand, you delete the key containing 1004! and it comes back, then clearly the malware is being reinstalled. If, for instance, it does not reinstall when you reboot, but does after some other user has logged on, it would suggest that they are loading the infected program.
Everyone always says don't mess around with the registry...I would say: have a good backup at all times. As you know, I was able to identify the infected program. It was the one that would not work after I deleted the offending keys.
This almost certainly doesn't apply, but you need to have administrator privileges. I doubt you could have installed SS&D without, but who knows.
- HandsOff
Primrose
January 18th, 2005, 07:18 PM
If you do not want them to even show up in Spybot, no matter what version of it displays the line items...then do this.
This self-help guide will walk you through the steps to remove the DSO Exploit
http://www.bleepingcomputer.com/forums/index.php?showtopic=3408&st=0&#entry23523
no13
January 19th, 2005, 10:25 AM
You will need spybot 1.31 TX
that fixes the DSO flaw.
sorry for the obnoxious text fx.... but I had to grab attention some way.. note that TX is an UPDATE ONLY version.
scott lang
January 19th, 2005, 09:03 PM
its also never supposed to have been released but i got it from majorgeeks and installed it overtop 1.3 then i got the beta from kolla and installed overtop 1.3.1TX and i have no problems and it works like a trooper.
HandsOff
January 23rd, 2005, 05:58 PM
Hey Primrose,
I did read the article you bookmarked, and give it high marks for describing the steps one could take to fix this problem. I was sufficiently impressed that I have added it to my "Computer Tweaker Websites" folder of internet sites...however...
There is not a lot said about what these changes mean. Maybe it's not that interesting, after all, but I wish I could pull off nodding sagely when someone says, 'I have activated the legitimate My Computer = Zone 0....'
Or could give a general answer to 'where do they come up with
HKEY_USERS\S-1-5-21..... why not HKEY_USERS\H-13-7-11?'
Is there some underlying logic that ties this all together? I am guessing, no!
- HandsOff
Bubba
January 24th, 2005, 08:41 AM
-{ Quote: "Or could give a general answer to 'where do they come up with
HKEY_USERS\S-1-5-21..... why not HKEY_USERS\H-13-7-11?" }-I'm not clear on what you are asking....but the S-1-5-21 is one of the number of security identifier (SID)....with it's accompanying unique alphanumeric character string....that identifies each created account of a Win NT\2K\XP OS ?
Well-Known Security Identifiers (http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnc_sid_cids.asp)
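An added example (not Spybot's or Microsoft's code) that decodes the SID strings naming the HKEY_USERS hives in the log above, following Bubba's explanation: "S", then the SID revision, the identifier authority (5 = NT Authority), then sub-authorities. S-1-5-21-... carries a three-number machine/domain identifier followed by the account's relative identifier (RID); the hive labels and SIDs used below come from the thread's own log lines.

```python
"""Decode Windows security identifiers (SIDs) as they name HKEY_USERS subkeys."""
from dataclasses import dataclass
from typing import List

# Identifier-authority numbers defined by Microsoft; 5 is "NT Authority".
AUTHORITIES = {0: "Null", 1: "World", 2: "Local", 3: "Creator", 5: "NT Authority"}

# Well-known service-account SIDs; S-1-5-19 and S-1-5-20 appear in the log above.
WELL_KNOWN = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}


@dataclass
class Sid:
    revision: int
    authority: int
    subauthorities: List[int]

    def __str__(self) -> str:
        fields = [self.revision, self.authority, *self.subauthorities]
        return "S-" + "-".join(str(n) for n in fields)


def parse_sid(text: str) -> Sid:
    """Split 'S-R-A-s1-s2-...' into numeric fields, rejecting malformed input
    (the log's first line, 'S-1-5-21--1004', has an empty component and is refused)."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3 or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {text!r}")
    revision, authority, *subs = (int(p) for p in parts[1:])
    if revision != 1 or len(subs) > 15:  # revision is always 1; at most 15 sub-authorities
        raise ValueError(f"out-of-range SID: {text!r}")
    return Sid(revision, authority, subs)


def describe_hkey_users_subkey(name: str) -> str:
    """Explain one HKEY_USERS subkey name as it appears in the Spybot log."""
    if name == ".DEFAULT":
        return "default profile hive used before anyone logs on (not a SID)"
    if name in WELL_KNOWN:
        return f"well-known SID: {WELL_KNOWN[name]}"
    sid = parse_sid(name)
    # S-1-5-21-<machine/domain id, 3 numbers>-<RID>: a local or domain account.
    if sid.authority == 5 and sid.subauthorities[:1] == [21] and len(sid.subauthorities) == 5:
        machine = "-".join(map(str, sid.subauthorities[1:4]))
        rid = sid.subauthorities[4]
        kind = "user-created account" if rid >= 1000 else "built-in account"
        return f"{kind} with RID {rid} on machine/domain {machine}"
    return f"SID under authority {AUTHORITIES.get(sid.authority, sid.authority)}"
```

Built-in accounts such as Administrator (RID 500) and Guest (RID 501) sit below 1000, which is why the log's RID 1012 reads as an account someone created on that machine.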
HandsOff
January 28th, 2005, 03:12 PM
Hi Bubba-
You are very close to what I am asking...I just mean why THOSE particular numbers, the S and the 4 integers. I assume they mean something.
An automobile analogy: I heard that the Olds(mobile) 442 derived from the fact that this old muscle car came equipped with a 4-barrel carburetor, 4-on-the-floor, and 2 (front) disc brakes. I don't know if it's true, but notice I still remember the numbers and have a mental image of the 442. Now, I haven't seen many, so you can figure it's just because the 442 was given some meaning.
The other part of the question, about zone 0...I just don't even understand the concept, and I am sure it's a bit much to explain. Maybe someone knows a link or something to an explanation? The two things I understand the least about my computer are: 1) the meaning of the categories and data field types in the registry. And 2) everything else.
- HandsOff