I can't tell if Spybot is doing this intentionally or is it incompletely fixing a problem...can you?

Discussion in 'other anti-malware software' started by HandsOff, Jan 7, 2005.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I can't tell if Spybot is doing this intentionally or is it incompletely fixing a problem...can you?


    These five keys are detected by Spybot S&D 1.3

    -------------------------------------------------------------------------
    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21--1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
    ----------------------------------------------------------------------------

    Spybot appears to fix it, but when you run a scan it comes back...only, not really. Instead of having all the original data it only leaves one string value at each of the keys, 1004...without even the "!"

    I am confused by this because you have two choices at this point:

    1) you can delete the string value of 1004, and then it is never detected again, nor does it appear to resurface anywhere else. Or

    2) you can leave the string value, Spybot will continue to detect and "remove" it every time it is run (there may be an ignore or something, that's not my concern)


    If you follow procedure (1) (navigate to the keys in regedit and delete the string values for 1004), you can no longer use the host program.

    If you follow procedure (2) you can.


    I am registry challenged. I do not know if the 1004 is just a "dummy" value.

    What is the purpose of a "string value"?

    I could see myself continuing to use the program if (1) really fixes it, but mainly I just want to recognize what is happening, if it is knowable.



    -HandsOff
     
  2. Cochise

    Cochise A missed friend

    Joined:
    Jan 26, 2003
    Posts:
    2,549
    Location:
    North Thoresby Lincs Good Olde England
    It's nothing more than a Bug in SB Mate...I think!......Which version are you using?.......I have the beta version..1.4.2.....I don't get that DSO exploit anymore......... :D



    Cochise, :cool:
     
  3. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    spybot S&D 1.3 - no betas

    No, I don't think it is a bug because the problem was not there until after the installation of a few programs...

    But I just realized something that makes that behavior very useful. By Spybot detecting and removing what I believe is the payload, but not crippling the program by leaving a dummy, it is possible for the user to manually delete the strings, and then run your most recently installed software and see which one no longer works. Now you know which piece of software was the culprit. I gather a lot of the time you don't know which program wrote the bad reg keys? If my antispy program does not tell me, I know I can't usually know...but sure wish I did!

    BTW, I meant to say in the original that I DON'T want to continue using the program anyway
     
  4. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Hands,
    b'4 you ditch the superb S & D you might want to take a look at S & D's forum re. your problem,
    http://forums.net-integration.net/index.php?act=idx

    click on ANNOUNCEMENTS-then the top entry, Spybot 1.3 issues
    explained by Galadriel.

    HTH.

    Regards.
     
  5. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Micro -

    I'm not planning on ditching it at all. It is an outstanding program. What I meant was do they fix the problem this way intentionally, or is something being missed. Since I see it is actually more useful to have the DSO handled that way I don't see it as a bug at all.

    Since I don't really understand what the registry keys do, I was hoping to get a little more information. I don't know what links a key to instructions elsewhere on the computer. Is a string value benign?

    BTW I usually run a search on a CLSID if it is suspected of being malware. That's what led me to the information on why it kept being detected, and yet it did not appear to be causing any code to actually run.

    - HandsOff
     
  6. Star

    Star Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    4
    OK, I have this back on my computer as well. I did the search and took out all the others. But there are several of us using the computer; I don't know if that has anything to do with it, but I ran Spybot Search and Destroy on the other side and this is what I came up with:

    DSO Exploit: Data source object exploit (Registry change, nothing done)

    HKEY_USERS\S-1-5-21-3976243432-1123569960-941548136-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    This time I can't get this one out. Have any suggestions!!! Thanks
     
  7. Mike Goodfellow

    Mike Goodfellow Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    17
    All I did was delete 1004. Spybot, then, never found any more DSO entries. It congratulates me every time I run Spybot and tells me that nothing was found on my computer. So just go ahead and delete 1004.

    Mike
     
  8. scott lang

    scott lang Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    211
    Location:
    claremore,ok
    Running 1.4 beta too. No DSOs here.
     
  9. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Star -

    Sorry, I did not see your question earlier. Your question sounds very different from my situation. I don't understand a couple of things. Why would your log say nothing done? Presumably you checked the box and said remove...then it would have given you a message like "1 problem fixed"

    Here is a bit of extra info on how my problem was. I would run SS&D and it would detect 5 exploits, I would check all five boxes (actually, if you don't expand it, it lists it as one problem). Then fix it, and SS&D would say 5 problems fixed....you knew all that...

    ...now, if I ran SS&D again, without even rebooting, the problem would be detected again. So you see, it continued to detect AFTER the problem was fixed. However, it was NOT detecting the original problem. The registry keys were changed, and possibly rendered harmless (I am still unclear on that point, and I am not sure anyone out there knows, or is saying...)

    Here is the deal: Go to start>run>regedit and do a search. Search for 1004!=W=3, or even just 1004!. If nothing is found I THINK you are ok.

    Otherwise navigate in regedit to HKEY_USERS\S-1-5-21-3976243432-1123569960-941548136-1012\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3 and delete the key; however, if you do so you will likely soon discover that some program you have installed will no longer function.

    If, on the other hand, you delete the key containing 1004! and it comes back, then clearly the malware is being reinstalled. If, for instance, it does not reinstall when you reboot, but does after some other user has logged on, it would suggest that they are loading the infected program.

    Everyone always says don't mess around with the registry...I would say: have a good backup at all times. As you know I was able to identify the infected program. It was the one that would not work after I deleted the offending keys.

    This almost certainly doesn't apply, but you need to have administrator privileges. I doubt you could have installed SS&D without, but who knows.

    - HandsOff
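    The check HandsOff walks through above (look at the 1004 value under Zones\0 in each HKEY_USERS hive and see what is really there) can be done without clicking around regedit. The following PowerShell script is an added example written for this thread; it is not code from the thread, from Spybot S&D or from Wilders. It assumes, from the Internet Explorer zone documentation rather than from anything posted here, that Zones\0 is the "My Computer" zone, that URL action 1004 is "Download unsigned ActiveX controls", that data 3 means "Disable", and that the Spybot rule expects a REG_DWORD, so a REG_SZ named 1004 is the leftover string value the thread describes. The function name `Get-DsoZoneValueState` and the `-Fix` switch are this example's own.

```powershell
# Added example, not code from the thread or from Spybot S&D: audit the registry
# value Spybot's "DSO Exploit" rule inspects, for every hive loaded under HKEY_USERS.
#
# Assumptions (from the IE security-zone documentation, not stated on the page):
#   - Zones\0 is the "My Computer" zone, URL action 1004 is "Download unsigned
#     ActiveX controls", and data 3 means "Disable".
#   - The rule expects a REG_DWORD. A REG_SZ named 1004 is the leftover string
#     value the thread describes, and it is what makes the detection re-appear.
#
# Read-only by default; -Fix replaces a REG_SZ 1004 with REG_DWORD 3.
# Run from an elevated prompt so the other users' hives are readable.
param([switch]$Fix)

$SubPath   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$ValueName = '1004'

function Get-DsoZoneValueState {
    param([Parameter(Mandatory)][string]$HiveName, [switch]$Repair)

    $keyPath = "Registry::HKEY_USERS\$HiveName\$SubPath"
    $result  = [pscustomobject]@{ Hive = $HiveName; Kind = $null; Data = $null; State = $null }

    if (-not (Test-Path -LiteralPath $keyPath)) {
        $result.State = 'key missing'
        return $result
    }
    $key = Get-Item -LiteralPath $keyPath
    if ($key.GetValueNames() -notcontains $ValueName) {
        $result.State = '1004 not set (IE default for this zone applies)'
        return $result
    }

    # GetValueKind tells REG_DWORD from REG_SZ; regedit shows both as "1004".
    $result.Kind = $key.GetValueKind($ValueName)
    $result.Data = $key.GetValue($ValueName)

    if ($result.Kind -eq 'DWord' -and $result.Data -eq 3) {
        $result.State = 'OK: REG_DWORD 3, unsigned ActiveX download disabled'
    }
    elseif ($result.Kind -eq 'String') {
        $result.State = 'SUSPECT: REG_SZ, wrong value type; rule will keep firing'
        if ($Repair) {
            Remove-ItemProperty -LiteralPath $keyPath -Name $ValueName
            New-ItemProperty -LiteralPath $keyPath -Name $ValueName -PropertyType DWord -Value 3 | Out-Null
            $result.State += ' -> replaced with REG_DWORD 3'
        }
    }
    else {
        $result.State = 'CHECK: unexpected type or data'
    }
    return $result
}

# The *_Classes hives are per-user HKCR overlays and never carry Internet Settings.
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { Get-DsoZoneValueState -HiveName $_.PSChildName -Repair:$Fix } |
    Format-Table -AutoSize Hive, Kind, Data, State
```

    Save it as a .ps1 and run it once without arguments to get the table; a hive that shows Kind = String is the "1004 without the !" case from the first post, and the same row shows whether the data is even the 3 the rule wants. Only rerun with `-Fix` after a registry backup, since it rewrites the value rather than deleting it.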
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  11. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    You will need spybot 1.31 TX
    that fixes the DSO flaw.

    sorry for the obnoxious text fx.... but I had to grab attention some way.. note that TX is an UPDATE ONLY version.
     
  12. scott lang

    scott lang Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    211
    Location:
    claremore,ok
    It's also never supposed to have been released, but I got it from majorgeeks and installed it over top of 1.3, then I got the beta from kolla and installed over top of 1.3.1TX and I have no problems and it works like a trooper.
     
  13. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hey Primrose,

    I did read the article you bookmarked, and give it high marks for describing the steps one could take to fix this problem. I was sufficiently impressed that I have added it to my "Computer Tweaker Websites" folder of internet sites...however...

    There is not a lot said about what these changes mean. Maybe it's not that interesting, after all, but I wish I could pull off nodding sagely when someone says, 'I have activated the legitimate My Computer = Zone 0....

    Or could give a general answer to 'where do they come up with

    HKEY_USERS\S-1-5-21..... why not HKEY_USERS\H-13-7-11?

    Is there some underlying logic that ties this all together? I am guessing, no!


    - HandsOff
     
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I'm not clear on what you are asking....but the S-1-5-21 is one of the number of security identifiers (SID)....with its accompanying unique alphanumeric character string....that identifies each created account of a Win NT\2K\XP OS?

    Well-Known Security Identifiers
     
  15. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hi Bubba-

    You are very close to what I am asking...I just mean why THOSE particular numbers, the S and the 4 integers. I assume they mean something.

    An automobile analogy: I heard that Olds'(mobile) 442 derived from the fact that this old muscle car came equipped with 4-barrel carburetor, 4-on-the-floor, and 2 (front) disc brakes. I don't know if it's true, but notice I still remember the numbers and have a mental image of the 442. Now, I haven't seen many, so you can figure it's just because the 442 was given some meaning.

    The other part of the question about zone 0... I just don't even understand the concept, and I am sure it's a bit much to explain. Maybe someone knows a link or something to an explanation? The two things I understand the least about my computer are: 1) the meaning of the categories and data field types in the registry. And 2) Everything else.


    - HandsOff
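    Bubba's answer (S-1-5-21-... is a security identifier) and HandsOff's follow-up (why those particular integers) can be put together in code. The script below is an added example for this thread, not something posted in it: it splits a SID string into its revision, identifier authority and sub-authorities, and explains the S-1-5-21 form, where the three middle integers identify the machine or domain and the last one, the relative identifier (RID), picks the account. The well-known SID and RID tables are assumptions taken from the documented well-known SIDs, not from the page, and the function name `ConvertFrom-SidString` is this example's own. The sample hive names are the ones quoted in this thread.

```powershell
# Added example, not from the thread: decode the SID strings that name hives under
# HKEY_USERS, to answer "why S-1-5-21 and those four integers".
#
# A SID string is S-<revision>-<identifier authority>-<sub-authority>...
#   revision is always 1; authority 5 is NT AUTHORITY; a first sub-authority of 21
#   marks a domain or local-machine account; the next three integers identify the
#   machine (or domain) and are generated at install time; the last one, the
#   relative identifier (RID), picks the account: 500 Administrator, 501 Guest,
#   1000 and up for accounts created after installation.
# The name tables are from the documented well-known SIDs (assumed, not from the page).

$AuthorityNames = @{ '0' = 'NULL'; '1' = 'WORLD'; '2' = 'LOCAL'; '3' = 'CREATOR'; '5' = 'NT AUTHORITY' }
$WellKnownSids  = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-18'     = 'Local System (SYSTEM)'
    'S-1-5-19'     = 'Local Service'
    'S-1-5-20'     = 'Network Service'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$WellKnownRids  = @{ '500' = 'Administrator'; '501' = 'Guest'; '502' = 'krbtgt'; '512' = 'Domain Admins'; '513' = 'Domain Users' }

function ConvertFrom-SidString {
    param([Parameter(Mandatory)][string]$Sid)

    $out = [pscustomobject]@{
        Sid = $Sid; Authority = $null; Kind = $null
        MachineOrDomainId = $null; Rid = $null; Description = $null
    }

    # ".DEFAULT" and the *_Classes hives under HKEY_USERS are not SIDs at all.
    if ($Sid -notmatch '^S-1-(\d+)((?:-\d+)+)$') {
        $out.Kind = 'not a SID'
        $out.Description = 'hive name is not a security identifier'
        return $out
    }

    $authority = $Matches[1]
    $subAuths  = @($Matches[2].TrimStart('-') -split '-' | ForEach-Object { [uint32]$_ })
    $out.Authority = if ($AuthorityNames.ContainsKey($authority)) { $AuthorityNames[$authority] } else { "authority $authority" }

    if ($WellKnownSids.ContainsKey($Sid)) {
        $out.Kind = 'well-known'
        $out.Description = $WellKnownSids[$Sid]
    }
    elseif ($authority -eq '5' -and $subAuths[0] -eq 21 -and $subAuths.Count -eq 5) {
        # S-1-5-21-<machine/domain id, 3 integers>-<RID>
        $out.Kind = 'account'
        $out.MachineOrDomainId = ($subAuths[1..3] -join '-')
        $out.Rid = $subAuths[4]
        $ridKey = [string]$out.Rid
        if ($WellKnownRids.ContainsKey($ridKey)) { $out.Description = $WellKnownRids[$ridKey] }
        elseif ($out.Rid -ge 1000)               { $out.Description = 'account created after install (user, group or service)' }
        else                                     { $out.Description = 'reserved RID below 1000' }
    }
    else {
        $out.Kind = 'other'
        $out.Description = 'not a domain/machine account SID'
    }
    return $out
}

# Hive names quoted in this thread (a constructed sample); on a live machine use
# (Get-ChildItem -Path 'Registry::HKEY_USERS').PSChildName instead.
$hiveNames = 'S-1-5-19', 'S-1-5-20', '.DEFAULT', 'S-1-5-21-3976243432-1123569960-941548136-1012'
$hiveNames | ForEach-Object { ConvertFrom-SidString -Sid $_ } |
    Format-Table -AutoSize Sid, Authority, Kind, MachineOrDomainId, Rid, Description
```

    For the SID Star posted, the table shows the three middle integers as the machine identifier and 1012 as the RID, i.e. an ordinary account created on that machine after Windows was installed, which is why one key per logged-on user appears in Spybot's list alongside the S-1-5-19 and S-1-5-20 service accounts and the .DEFAULT hive.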
     