Dustyn
Premium Member
join:2003-02-26
Ontario, CAN

SPYBOT S&D 1.3 - DSO EXPLOIT GONE!

NOTE:
==== THIS IS A MANUAL FIX I USED, WITH THE ASSISTANCE OF GREY MAGIC'S REPORT, TO REMOVE THE 2002 DSO EXPLOIT FROM MY SYSTEM. IT MAY JUST REMOVE THE DETECTION FROM SPYBOT S&D; I CAN NOT SAY IF IT ACTUALLY FIXES THE ISSUE. IT DOES HOWEVER APPLY THE REGISTRY CHANGE CAUSING SPYBOT S&D TO NO LONGER REPORT THE DSO EXPLOIT. IT MAY BE EASIER TO GO ON IGNORING THE ISSUE BY "EXCLUDING" IT, BUT I WANTED TO TRY A DIFFERENT APPROACH.
============================================================
Anybody notice the exploit reported by Grey Magic is never fixed properly with Spybot Search & Destroy?

Each time you try to run it and fix the affected registry keys (5) they come back!

A MANUAL registry patch did the trick for me.
I did it myself.
Now Spybot Search & Destroy no longer detects the DSO exploit.

It requires DELETING the original key and replacing the 1004 key with the DWORD as the field, and inserting "3" for the value. This is what Spybot S&D can't do, because it can never alter the original key as the value is not DWORD to begin with. But Spybot S&D has a neat feature that can TAKE you to the exact location of the key within the registry. The first time I clicked the registry icon in the far right-hand corner... it did not take me there. Instead it just opened up the registry (but not to the exact key). I re-clicked the icon in Spybot and THEN it took me to the exact key located within the registry.

Change the value of "1004" (DWORD) to 3.
Do this for EACH entry Spybot reports. Delete the original key and replace the key "1004" and create the DWORD field with a value of 3.

Does this work for you?
It very well may, and it very well may not.
For myself, it did.

Thanks Grey Magic for your help!!
»www.greymagic.com/securi ··· m001-ie/

Dustyn

Nobody try it or can confirm?

Dustyn

»forums.net-integration.n ··· ic=15308
READ THE ABOVE THREAD... THIS IS AN INVALUABLE RESOURCE AND IT TURNS OUT I FIXED MY REGISTRY CORRECTLY

What amazes me is there are over 100 unique visitors who have spent the time to read my topic yet nobody cares nor wishes to reply.

Oh well.
I thought this was of some interest and wanted to help you guys out in fixing the DSO exploit detection problem as so many of you complain about Spybot not being able to fix it.

The fix is now here if you want it.

dadkins to Dustyn
MVM
join:2003-09-26
Hercules, CA

Nope, the one time I actually removed them, it hosed my XP. Now, the first thing I do is "Exclude" them, don't want to go through that again.

Dustyn

Thanks for the info.
Changes were applied yesterday evening and all is working fine.

By the way... you're not REMOVING anything, you're correcting a registry key by entering the new updated values. Spybot has NEVER tried to DELETE this DSO exploit. It tries to MODIFY the key. Although the Spybot S&D program makes you think that when the DSO exploit is found, you're REMOVING the affected registry key. That is not the case... you're simply modifying the key. But it simply fails when using Spybot.

A manual change is safe.
I've performed it on two PC's so far.
I hope you may try again.. but try to correct it manually. If not, cool. I just wanted to share my successful results.

Bubba to Dustyn
MVM
join:2002-08-19
St. Andrews

Thanks for taking the time to post your info. This is also what's being recommended at Spybot's Official Forums until a patch is released.

• Thread at Spybot's Forum ---> Dso Exploit, Spybot fix but returns

Dustyn

No prob!
I also provided the same link. Although I found this link only AFTER I provided this fix. Interesting to see I got the fix right!!
I also saw your postings there too.

When you mean a new patch, do you mean one provided by Microsoft? Or by Spybot S&D?

This "user friendly" patch would provide the same exact fix as the one I did on my PC?

Am I correct?

keith2468 to Dustyn
Premium Member
join:2001-02-03
Winnipeg, MB

People may be grateful, but they don't always have time to come back and say thanks.

dadkins to Dustyn

Thanks, I'll try a manual change later.

Dustyn

..... yes keyword: "CHANGE"

Cool, I'm sure it will work for you too.

Also, I will bump the post up tomorrow if there are no replies, as threads here at the "SECURITY" forum tend to slip off the first page within an hour or so.

Dustyn

-bump-

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

said by Dustyn:
-bump-

»www.mcse.ms/message678292.html

dadkins to Dustyn

Thanks Steele Wolf! So far so good!

Dustyn to Name Game

Thanks.

Microsoft (supposedly) has patched the issue "THEIR WAY". However, Grey Magic, along with Spybot S&D, still acknowledge that the DSO exploit remains to be seen as an ongoing issue. Even AFTER the MS FIX. It's just some bad entries in the registry that need to be cleaned up. (altered)

Dustyn to dadkins

I told ya!
I'm so happy it worked.

Name Game to Dustyn

said by Dustyn:
Thanks.

Microsoft (supposedly) has patched the issue "THEIR WAY". However, Grey Magic, along with Spybot S&D, still acknowledge that the DSO exploit remains to be seen as an ongoing issue. Even AFTER the MS FIX. It's just some bad entries in the registry that need to be cleaned up. (altered)

It is not an ongoing issue.. no matter what they (Grey Magic) acknowledge.

When you find someone that is patched and has been exploited..let us know.

Name Game to Dustyn

Also FYI for the Internet..

»www.greymagic.com/securi ··· m001-ie/

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
Change the value of "1004" (DWORD) to 3.

Then read Microsoft's KB article:

How to Enable the My Computer Security Zone in Internet Options

»support.microsoft.com/?k ··· d=315933

This tells you how to add My Computer to the Security tab of Internet Options. Doing this lets you modify the security for the My Computer security zone (zone 0) because it won't be hidden anymore (by changing the Value Name "Flags" from a Value Data of "21" to "47").

The "1004" Value Name mentioned in the article from greymagic.com is the "Download unsigned ActiveX controls" setting you can now see in the My Computer security zone. The suggested value of 3 for this setting disables it. Mine was already set to 3 so I don't know if it got set by using Spybot or AdAware to fix the DSO exploit or if Windows XP, IE6, or a Windows Update set it to 3 (disabled).

I don't know why Microsoft decided to use numbers, like 1004, for Value Names of the settings within a security zone rather than something useful, like "Download unsigned ActiveX controls". When you find articles like greymagic.com's, and many others, just telling you to alter the value of an item named "1004", the first thing I start to wonder about is what the hell is a "1004" item.

And that of course you can set yourself in any IE by putting a dot in the disable "Download unsigned ActiveX controls" to give it a value of 3.
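Added example, written for this page and not taken from the thread, from Spybot or from Grey Magic: a PowerShell script that does in one place what Dustyn's manual steps earlier in the thread and Name Game's summary above do by hand. It exports the zone 0 key as a backup (dadkins and Hutchy both report a hosed XP, so the backup comes first), shows the type of the "1004" value (the detail the thread turns on: Spybot's fix keeps "coming back" when that value exists as something other than REG_DWORD), deletes it and recreates it as REG_DWORD 3, and with -RevealZone changes Flags from 0x21 to 0x47 so the My Computer zone appears on the Security tab, as the KB article Name Game cites describes. Assumptions that are mine and not in the thread: only the current user's HKCU zone 0 key is handled by default (the thread says Spybot reports five entries but never lists their paths, so any other hives have to be passed in with -ZonePaths), and the script name, parameter names, backup directory and -WhatIf support are all invented for this example.

```powershell
# Added example (Fix-Zone0.ps1, a hypothetical name), not code from the thread or from Spybot.
# Repairs the IE "My Computer" zone (zone 0) the way the thread describes. Run from an
# elevated PowerShell if you pass HKLM or HKU paths in -ZonePaths.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: only the current user's zone 0 key by default; other hives are yours to add.
    [string[]] $ZonePaths = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'),
    [switch]   $RevealZone,                                          # also set Flags 0x21 -> 0x47
    [string]   $BackupDir = (Join-Path $env:TEMP 'ie-zone-backup')   # hypothetical backup location
)

$ValueName = '1004'   # "Download unsigned ActiveX controls" inside a security zone
$Disabled  = 3        # 3 = Disable, the value the thread says to set

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$n = 0

foreach ($path in $ZonePaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Zone key not found: $path"
        continue
    }
    $n++

    # 1. Back up the key before touching it. reg.exe wants HKEY_CURRENT_USER\..., not the HKCU:\ drive form.
    $regPath = $path -replace '^HKCU:\\', 'HKEY_CURRENT_USER\' `
                     -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\' `
                     -replace '^HKU:\\',  'HKEY_USERS\'
    $backup = Join-Path $BackupDir ('zone0-{0}-{1}.reg' -f $n, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & reg.exe export $regPath $backup /y | Out-Null

    # 2. Report the current data AND its type. This is what Spybot's report does not show you:
    #    if "1004" exists with a non-DWORD type, an in-place modify does not take and the
    #    detection keeps returning.
    $key  = Get-Item -LiteralPath $path
    $kind = $null
    if ($key.GetValueNames() -contains $ValueName) { $kind = $key.GetValueKind($ValueName) }
    Write-Host ('{0}\{1}: type={2} data={3}' -f $path, $ValueName, $kind, $key.GetValue($ValueName))

    # 3. Missing, wrong type, or not 3 -> delete the value and recreate it as REG_DWORD 3.
    $needsFix = ("$kind" -ne 'DWord') -or ([int]$key.GetValue($ValueName) -ne $Disabled)
    if ($needsFix -and $PSCmdlet.ShouldProcess("$path\$ValueName", "recreate as REG_DWORD $Disabled")) {
        if ($null -ne $kind) { Remove-ItemProperty -LiteralPath $path -Name $ValueName }
        New-ItemProperty -LiteralPath $path -Name $ValueName -PropertyType DWord -Value $Disabled | Out-Null
    }

    # 4. Optional: unhide the zone on the Security tab (Flags 0x21 -> 0x47, per the KB article cited above).
    if ($RevealZone) {
        $flags = (Get-ItemProperty -LiteralPath $path -Name Flags -ErrorAction SilentlyContinue).Flags
        if ($flags -eq 0x21 -and $PSCmdlet.ShouldProcess("$path\Flags", 'change 0x21 -> 0x47')) {
            Set-ItemProperty -LiteralPath $path -Name Flags -Value 0x47 -Type DWord
        }
    }
}
```

Run it first as `.\Fix-Zone0.ps1 -WhatIf` to see what it would change without changing anything; the printed `type=` line is the useful part even if you then do the edit in regedit by hand, because it tells you whether the value is really a DWORD. To cover the other entries Spybot lists, pass their paths in -ZonePaths; for HKEY_USERS paths you need a drive first (`New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS`). The Flags change is only applied when the current value is exactly 0x21, so a zone that is already visible or carries other flag bits is left alone.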


Dustyn to Name Game

If you believe it's no longer an issue, cool.

That is interesting info about the hidden My Computer zone.

Name Game

said by Dustyn:
If you believe it's no longer an issue, cool.

That is interesting info about the hidden My Computer zone.

Well that was good info you posted.. but I am sure Spybot will fix their thingie in the next update.. but in any case I am sure you are OK

Dustyn

One more thing I need to ask... is it a good idea to REVEAL the "My Computer" zone for Internet Explorer 6 in Windows XP Pro? I know I would have to make a registry change just as you mentioned to reveal the zone.

Why does Microsoft hide it in the first place? For security reasons? Have you revealed your "My Computer" zone?

Are there any other options that could/should be tweaked for that zone if I decided to reveal the zone? I'm just wondering about if I decided to REVEAL this hidden zone, if it would change anything or mess up something?

Thanks... a lot of questions I know so thanks for your (or anyones) patience!

~Steele Wolf~

Name Game

The person you want to discuss these changes and options would be a member at our forum with the nickname of R2.

But you can read some here about options.
How to Enable the My Computer Security Zone in Internet Options

»support.microsoft.com/?k ··· d=315933

Hacking IE Security Zones

»weblogs.asp.net/ptorr/ar ··· 215.aspx

Lock Down My Computer

The next thing to do is lock down the My Computer zone, just as I recommend doing with .NET security policy. This is likely to break any applications you have that show HTML UI from the local machine, so you may want to experiment with this for a bit. Make sure you back up this key before hand (as instructed above)!

The main reason you would want to lock down My Computer is that most of the recent exploits for IE have relied on the fact that you can either "trick" the browser into thinking it is loading content off the local machine when really it is just reading cached content from the web, or you can overwrite a file in a well-known location and get the browser to load it. Basically this means that someone can send you to a webpage that downloads malicious code to your local machine and then re-directs IE to the downloaded version, and gets it to run with elevated privileges because it's considered to be on the (trusted) local machine rather than the (untrusted) internet.

»added new IE zone question

»Re: Analysis of Microsoft XP Service Pack 2

Dustyn

Thanks a lot man for your help!
I may give R2 an IM when I get the chance.

Those links are quite interesting.
VERY informative!

~Steele~

HMan1980 to Dustyn
Member
join:2004-05-25

NOOB-Question!!!!!

This thing about the DSO Exploit just happened to me as well. I installed Spybot S&D after my Antivir had found the SpyBot.DG worm on my system. I deleted it but was not sure if it still was inside my system. So I found Spybot S&D, installed it and checked the system.
My problem is that I am not that good at English and the instructions above are hard to handle.

Question 1: Is that exploit a failure in Spybot, or is it because that worm I had is still on my system?

Question 2: If it is a problem of Spybot S&D, is it okay to ignore it or must it be solved?

Would be very nice if anybody could help me, because I have already spent hours trying to find a repair tool.

Thx

Dustyn

Hi HMan:

It's a Spybot Search & Destroy bug that is okay to ignore. But I decided to go ahead and fix it manually by cleaning up the bad registry keys. The creator of Spybot S&D will be coming out with an automatic fix to patch the DSO exploit in the future. So you can fix it manually, ignore it, or wait until a patch from Spybot S&D is released.

As for your first question, I'm not 100% sure what you're asking? Hopefully somebody else can help?

Dustyn to Name Game

Thanks for the encouragement Name Game!

Also, there has been a Spybot S&D update.
==========================
TEA-TIMER: ENGLISH HELP FILE
==========================

You can download it through the Spybot S&D with the online tool update program.

Name Game

Nothing gives me more pleasure in this forum than to see a member who started a thread with a difficult question.. to then read through all the posts.. then come back to help even others like you have with an excellent summation... that is what DSLR Security is all about. Sharing then what you have learned.

HMan1980 to Dustyn

Thanks for your help:D

works to Dustyn
Anon

This fix worked for me.

Hutchy to dadkins
Premium Member
join:2000-10-14
australia

said by dadkins:
Nope, the one time I actually removed them, it hosed my XP. Now, the first thing I do is "Exclude" them, don't want to go through that again.

Yep hosed my XP System as well.

But I have followed the instructions and all is well now. Thanks for taking the time and effort, Dustyn.