Dustyn Premium Member join:2003-02-26 Ontario, CAN
2004-May-20 11:40 pm
SPYBOT S&D 1.3 - DSO EXPLOIT GONE!

NOTE: THIS IS A MANUAL FIX I USED WITH THE ASSISTANCE OF GREY MAGIC'S REPORT TO REMOVE THE 2002 DSO EXPLOIT OFF MY SYSTEM. IT MAY JUST REMOVE DETECTION FROM SPYBOT S&D; I CANNOT SAY IF IT ACTUALLY FIXES THE ISSUE. IT DOES HOWEVER APPLY THE REGISTRY CHANGE CAUSING SPYBOT S&D TO NO LONGER REPORT THE DSO EXPLOIT. IT MAY BE EASIER TO GO ON IGNORING THE ISSUE BY "EXCLUDING" IT, BUT I WANTED TO TRY A DIFFERENT APPROACH.

Anybody notice the exploit reported by Grey Magic is never fixed properly with Spybot Search & Destroy? Each time you try to run it and fix the affected registry keys (5) they come back! A MANUAL registry patch did the trick for me. I did it myself. Now Spybot Search & Destroy no longer detects the DSO exploit.

It requires DELETING the original key and replacing the 1004 key with the DWORD as the field, and inserting "3" for the value. This is what Spybot S&D can't do because it can never alter the original key as the value is not DWORD to begin with. But Spybot S&D has a neat feature that can TAKE you to the exact location of the key within the registry. The first time I clicked the registry icon in the far right hand corner... it did not take me there. Instead it just opened up the registry (but not to the exact key). I re-clicked the icon in Spybot and THEN it took me to the exact key located within the registry.

Change the value of "1004" (DWORD) to 3. Do this for EACH entry Spybot reports. Delete the original key and replace the key "1004" and create the DWORD field with a value of 3.

Does this work for you? It very well may, and it very well may not. For myself, it did. Thanks Grey Magic for your help!!
» www.greymagic.com/securi ··· m001-ie/
|
Dustyn |
Dustyn
Premium Member
2004-May-21 10:28 pm
Nobody try it or can confirm? |
|
|
Dustyn
Premium Member
2004-May-21 10:45 pm
» forums.net-integration.n ··· ic=15308
READ THE ABOVE THREAD... THIS IS AN INVALUABLE RESOURCE AND IT TURNS OUT I FIXED MY REGISTRY CORRECTLY

What amazes me is there are over 100 unique visitors who have spent the time to read my topic yet nobody cares nor wishes to reply. Oh well. I thought this was of some interest and wanted to help you guys out in fixing the DSO exploit detection problem as so many of you complain about Spybot not being able to fix it. The fix is now here if you want it?
|
dadkins MVM join:2003-09-26 Hercules, CA
to Dustyn
Nope, the one time I actually removed them, it hosed my XP. Now, the first thing I do is "Exclude" them, don't want to go through that again. |
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN
2004-May-21 11:12 pm
Thanks for the info. Changes were applied yesterday evening and all is working fine. By the way... you're not REMOVING anything, you're correcting a registry key by entering in the new updated values. Spybot has NEVER tried to DELETE this DSO exploit. It tries to MODIFY the key. Although the Spybot S&D program makes you think that when the DSO exploit is found, you're REMOVING the affected registry key. That is not the case... you're simply modifying the key. But it simply fails when using Spybot. A manual change is safe. I've performed it on two PCs so far. I hope you may try again.. but try to correct it manually. If not, cool. I just wanted to share my successful results.
|
Bubba MVM join:2002-08-19 St. Andrews
to Dustyn
Thanks for taking the time to post your info. This is also what's being recommended @ Spybot's Official Forums until a patch is released.
• Thread at Spybot's Forum---> Dso Exploit, Spbot fix but returns
Bubba
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN
2004-May-21 11:31 pm
No prob! I also provided the same link. Although I found this link only AFTER I provided this fix. Interesting to see I got the fix right!! I also saw your postings there too. When you mean a new patch, do you mean one provided by Microsoft? Or by Spybot S&D? This "user friendly" patch would provide the same exact fix as the one I did on my PC? Am I correct?
|
keith2468 Premium Member join:2001-02-03 Winnipeg, MB |
to Dustyn
People may be grateful, but they don't always have time to come back and say thanks. |
|
dadkins MVM join:2003-09-26 Hercules, CA
to Dustyn
Thanks, I'll try a manual change later. |
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN
2004-May-22 12:07 am
..... yes keyword: "CHANGE" Cool, I'm sure it will work for you too. Also? I will bump the post up tomorrow if there are no replies as threads here at the "SECURITY" forum tend to slip off the first page within an hour or so. |
|
Dustyn |
Dustyn
Premium Member
2004-May-22 8:48 pm
-bump- |
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI |
|
|
dadkins MVM join:2003-09-26 Hercules, CA
to Dustyn
Thanks Steele Wolf! So far so good! |
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN
to Name Game
Thanks. Microsoft (supposedly) has patched the issue "THEIR WAY". However, Grey Magic, along with Spybot S&D still acknowledge that the DSO exploit remains to be seen as an ongoing issue. Even AFTER the MS FIX. It's just some bad entries in the registry that need cleaned up. (altered)
|
Dustyn |
to dadkins
|
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI |
to Dustyn
said by Dustyn: Thanks.
Microsoft (supposedly) has patched the issue "THEIR WAY". However, Grey Magic, along with Spybot S&D still acknowledge that the DSO exploit remains to be seen as an ongoing issue. Even AFTER the MS FIX. It's just some bad entries in the registry that need cleaned up. (altered)
It is not an ongoing issue..no matter what they (Grey Magic) acknowledge. When you find someone that is patched and has been exploited..let us know.
|
Name Game
to Dustyn
Also FYI for the Internet..
» www.greymagic.com/securi ··· m001-ie/

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
Change the value of "1004" (DWORD) to 3.

Then read Microsoft's KB article: How to Enable the My Computer Security Zone in Internet Options
» support.microsoft.com/?k ··· d=315933

This tells you how to add My Computer to the Security tab of Internet Options. Doing this lets you modify the security for the My Computer security zone (zone 0) because it won't be hidden anymore (by changing the Value Name "Flags" from a Value Data of "21" to "47").

The "1004" Value Name mentioned in the article from greymagic.com is the "Download unsigned ActiveX controls" setting you can now see in the My Computer security zone. The suggested value of 3 for this setting disables it. Mine was already set to 3 so I don't know if it got set by using Spybot or AdAware to fix the DSO exploit or if Windows XP, IE6, or a Windows Update set it to 3 (disabled).

I don't know why Microsoft decided to use numbers, like 1004, for Value Names of the settings within a security zone rather than something useful, like "Download unsigned ActiveX controls". When you find articles like greymagic.com's, and many others, just telling you to alter the value of an item named "1004", the first thing I start to wonder about is what the hell is a "1004" item.

And that of course you can set yourself in any IE by putting a dot in the disable "Download unsigned ActiveX controls" to give it a value of 3.
|
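The check-and-recreate step discussed in the posts above, as an added PowerShell example (not part of any post in this thread, and not Spybot S&D's or GreyMagic's code). The function name, its parameters and the backup location are hypothetical; only the HKCU zone 0 path and the target of "1004" = DWORD 3 come from the thread, and any other locations Spybot reports have to be passed in by the reader.

```powershell
# Added example: audit, and optionally correct, value "1004" in the My Computer zone (zone 0).
# Assumption: only the HKCU path below is taken from the thread; pass other reported
# locations yourself, e.g. -ZoneKey 'Registry::HKEY_USERS\<SID>\...\Zones\0'.
function Repair-Zone0Value1004 {
    [CmdletBinding()]
    param(
        [string[]]$ZoneKey = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
        ),
        [switch]$Apply,                    # without -Apply the function only reports
        [string]$BackupDir = $env:TEMP     # .reg exports are written here before a change
    )
    foreach ($path in $ZoneKey) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Key = $path; Kind = 'key missing'; Data = $null; Action = 'none' }
            continue
        }
        $key    = Get-Item -LiteralPath $path
        $exists = $key.GetValueNames() -contains '1004'
        $kind   = if ($exists) { $key.GetValueKind('1004') } else { 'value missing' }
        $data   = if ($exists) { $key.GetValue('1004') } else { $null }
        # Correct state: the value exists, is typed REG_DWORD, and holds 3 (disabled).
        $ok     = $exists -and $kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 3
        $action = 'none'
        if (-not $ok) {
            $action = 'needs DWORD 3'
            if ($Apply) {
                # Export the key first so the change can be undone with "reg import".
                $file = Join-Path $BackupDir ('zone0-{0}.reg' -f [guid]::NewGuid())
                & reg.exe export $key.Name $file /y | Out-Null
                # A wrong-typed value cannot be edited into a DWORD: delete, then recreate.
                if ($exists) { Remove-ItemProperty -LiteralPath $path -Name '1004' }
                New-ItemProperty -LiteralPath $path -Name '1004' -PropertyType DWord -Value 3 | Out-Null
                $action = "set to DWORD 3 (backup: $file)"
            }
        }
        [pscustomobject]@{ Key = $path; Kind = "$kind"; Data = $data; Action = $action }
    }
}

Repair-Zone0Value1004            # report only
# Repair-Zone0Value1004 -Apply   # back up the key, then recreate "1004" as DWORD 3
```

The report-only run shows whether a flagged entry is wrong because of its type (for example a string where a DWORD is expected) or because of its data, which is the distinction the first post describes.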
Dustyn Premium Member join:2003-02-26 Ontario, CAN
to Name Game
If you believe it's no longer an issue, cool. That is interesting info about the hidden My Computer zone. |
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI |
Name Game
Premium Member
2004-May-22 11:55 pm
said by Dustyn: If you believe it's no longer an issue, cool.
That is interesting info about the hidden My Computer zone.
Well that was good info you posted..but I am sure Spybot will fix their thingie in the next update..but in any case I am sure you are OK
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN
2004-May-23 6:26 pm
One more thing I need to ask... is it a good idea to REVEAL the "My Computer" zone for Internet Explorer 6 in Windows XP Pro? I know I would have to make a registry change just as you mentioned to reveal the zone. Why does Microsoft hide it in the first place? For security reasons? Have you revealed your "My Computer" zone? Are there any other options that could/should be tweaked for that zone if I decided to reveal the zone? I'm just wondering about if I decided to REVEAL this hidden zone, if it would change anything or mess up something?

Thanks... a lot of questions I know so thanks for your (or anyone's) patience!
~Steele Wolf~
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
The person you want to discuss these changes and options would be a member at our forum with the nickname of R2. But you can read some here about options.

How to Enable the My Computer Security Zone in Internet Options
» support.microsoft.com/?k ··· d=315933

Hacking IE Security Zones
» weblogs.asp.net/ptorr/ar ··· 215.aspx

Lock Down My Computer
The next thing to do is lock down the My Computer zone, just as I recommend doing with .NET security policy. This is likely to break any applications you have that show HTML UI from the local machine, so you may want to experiment with this for a bit. Make sure you back up this key beforehand (as instructed above)! The main reason you would want to lock down My Computer is that most of the recent exploits for IE have relied on the fact that you can either "trick" the browser into thinking it is loading content off the local machine when really it is just reading cached content from the web, or you can overwrite a file in a well-known location and get the browser to load it. Basically this means that someone can send you to a webpage that downloads malicious code to your local machine and then re-directs IE to the downloaded version, and gets it to run with elevated privileges because it's considered to be on the (trusted) local machine rather than the (untrusted) internet.

» added new IE zone question
» Re: Analysis of Microsoft XP Service Pack 2
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN |
Dustyn
Premium Member
2004-May-23 7:37 pm
Thanks a lot man for your help! I may give R2 an IM when I get the chance. Those links are quite interesting. VERY informative! ~Steele~ |
|
|
to Dustyn
NOOB-Question!!!!!
This thing about the DSO Exploit just happened to me as well. I installed spybot S&D after my Antivir had found the SpyBot.DG worm on my system. I deleted it but was not sure if it still was inside my system. So I found spybot S&D installed and checked System. My Problem is that I am not that good at english and the Instructions above are hard to handle.
Question 1: Is that Exploit a failure in SpyBot or is it cause that worm i had is still on my system.
Question 2: If it is a Problem of SpyBot S&D is it ok to ignore it or must it be solved.
Would be very nice if anybody could help my cause I have already spent hours trying to find a Repairtool
Thx |
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN
2004-May-26 6:58 pm
Hi HMan: It's a Spybot Search & Destroy bug that is okay to ignore. But I decided to go ahead and fix it manually by cleaning up the bad registry keys. The creator of Spybot S&D will be coming out with an automatic fix to patch the DSO exploit in the future. So you can fix it manually, ignore it, or wait until a patch from Spybot S&D is released. As for your first question I'm not 100% sure what you're asking? Hopefully somebody else can help?
|
Dustyn |
to Name Game
Thanks for the encouragement Name Game! Also, there has been a Spybot S&D update.
========================== TEA-TIMER: ENGLISH HELP FILE ==========================
You can download it through the Spybot S&D with the online tool update program.
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
2004-May-28 12:16 am
Nothing gives me more pleasure in this forum than to see a member who started a thread with a difficult question..to then read through all the posts..then come back to help even others like you have with an excellent summation...that is what DSLR Security is all about. Sharing then what you have learned.
|
|
to Dustyn
Thanks for your help:D |
|
|
works to Dustyn
Anon
2004-Jun-2 10:38 am
to Dustyn
This fix worked for me. |
|
Hutchy Premium Member join:2000-10-14 australia430
to dadkins
said by dadkins: Nope, the one time I actually removed them, it hosed my XP. Now, the first thing I do is "Exclude" them, don't want to go through that again.
Yep hosed my XP System as well. But I have followed the instructions and all is well now. Thanks for taking the time and effort Dustyn
|