Midtown Computer Systems Enterprise



Toolkit microsoft.public.security.toolkit

 
 
  #1  
Old 09-04-04, 07:13 PM
Bill Kane
dso exploit
I have been hit with this as well after a PC rebuild
before I could get all my security set up.

Need help


>-----Original Message-----
>how can i get rid of dso exploit
>.
>

  #2  
Old 09-05-04, 07:13 PM
pauly [MSFT]
RE: dso exploit

Hi Bill,

Regarding your post on removing DSO Exploit, please review the following
steps:

PROBLEM:

Spybot Search & Destroy reports that malware called "DSO Exploit" is
infecting your registry but Spybot S&D is unable to remove or correct the
problem. Because Spybot S&D cannot resolve the problem it may report the
symptom each time you scan. Spybot S&D may identify a DSO exploit in any of
the following five registry keys.

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004
HKEY_USERS\S-1-5-21-746137067-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004

Note: The long number <GUID> in the second key (after S-1-5-21-) varies from
machine to machine.

CAUSE:

Spybot S&D cannot correct the problem because the registry keys in question
are corrupt. The registry keys identified above are legitimate but the data
type has been changed by a 3rd party program from the original type:
REG_DWORD to a different type: REG_SZ. This type setting prevents Spybot
S&D from resolving this issue.

RESOLUTION:

Change all of the [1004] keys from type Reg_SZ to type REG_DWORD and assign
each a value = 3.

Note: as a precaution you should back up each key prior to making the
changes.

SPECIFIC STEPS:

1. Click Start, then Run...

2. Type REGEDIT in the Run box and either hit Enter or click OK.

3. Locate the following registry key:

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004

4. Right-click on the 1004 key and select Rename

5. Rename this key to -1004. <minus 1004>

Note: this -1004 key will be the backup of the original key.

6. Click on the Edit menu, then New and select DWORD value.

7. Give the new Key a name of 1004.

8. Right-click the new 1004 key, select Modify, give it a value 3 and click
OK.

9. Repeat steps 3-7 for each of the above registry keys.

Note: remember that the long number after S-1-5-21 above will differ on
each machine.

10. Close the registry editor.

11. Click Start, then Control Panel.

12. Click Network And Internet Options, then click Internet Options to open
up the Internet properties.

13. Click on the Security tab, then click the Internet icon, then click
Custom level.

14. Ensure that Download unsigned ActiveX controls is set to Disable.

15. Click [OK] on Security Settings and then click [OK] to close Internet
Properties.

16. Run Spybot S&D again, this time DSO Exploit should not show up.

=========

This posting is provided "AS IS" with no warranties, and confers no rights.

MBSA Homepage:
http://www.microsoft.com/MBSA

Windows XP Security Homepage:
http://www.microsoft.com/windowsxp/security/default.asp

Windows 2000 Security Homepage:
http://www.microsoft.com/windows2000...ty/default.asp

Top 10 Windows Newsgroups Security Questions:
http://www.microsoft.com/technet/new...echnet/newsgro
ups/nodepages/sectop10.asp

=========
Paul Hayes, MCSE
Product Support Services
Microsoft Corporation
pauly@online.microsoft.com
-------------------
Content-Class: urn:content-classes:message
| From: "Bill Kane" <anonymous@discussions.microsoft.com>
| Subject: dso exploit
| Date: Sat, 4 Sep 2004 14:28:31 -0700
|
| I have been hit with this as well after a PC rebuild
| before I could get all my security set up.
|
| Need help
|
|
| >-----Original Message-----
| >how can i get rid of dso exploit
| >.
| >
|
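
Added example, not part of either post: steps 3-8 of the reply above as a PowerShell script that reports the type of the 1004 value under every loaded HKEY_USERS hive and only changes anything when run with -Fix. The -Fix switch and the output wording are assumptions of this example; the registry path, the -1004 backup name and the value 3 come from the post.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Without -Fix it only reports; with -Fix it repeats steps 3-8 for each hive.
param([switch]$Fix)

$zone0 = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'

foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS') {
    # $hive.Name looks like HKEY_USERS\S-1-5-18; the S-1-5-21-... part differs per machine.
    $path = "Registry::$($hive.Name)\$zone0"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $key = Get-Item -LiteralPath $path
    if ($key.GetValueNames() -notcontains '1004') {
        Write-Output "$path : 1004 is missing"
        continue
    }

    $kind = $key.GetValueKind('1004')
    $data = $key.GetValue('1004')
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) {
        Write-Output "$path : 1004 is REG_DWORD = $data (type is correct)"
        continue
    }

    Write-Output "$path : 1004 has type $kind (data '$data'), expected REG_DWORD"
    if (-not $Fix) { continue }

    # Do not overwrite a backup left by an earlier manual or scripted run.
    if ($key.GetValueNames() -contains '-1004') {
        Write-Warning "$path : backup value -1004 already exists, skipping"
        continue
    }
    # Steps 4-5: keep the original value as -1004.
    Rename-ItemProperty -LiteralPath $path -Name '1004' -NewName '-1004'
    # Steps 6-8: recreate 1004 as a DWORD with value 3.
    New-ItemProperty -LiteralPath $path -Name '1004' -PropertyType DWord -Value 3 | Out-Null
    Write-Output "$path : 1004 recreated as REG_DWORD = 3, original kept as -1004"
}
```

Only hives that are currently loaded appear under HKEY_USERS, so profiles of users who are not logged on are not covered by one run.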

  #3  
Old 09-15-04, 07:45 PM
ChrisK
RE: dso exploit
Paul,

Your post was really helpful - unfortunately I think I may have read it too
late. I recognised that Spybot wasn't able to deal with the problem and
rather foolishly I decided to delete the "1004" keys. Has this had the same
effect or have I created further problems for myself?
Secondly, in spite of deleting the keys, my internet explorer is still
defaulting to "On-search portal" which then launches a combination of
hard-core porn/gambling sites. Is this connected to the spyware? I'm at the
stage now where I'm thinking of cleaning the computer right down and
re-loading XP...will that fix it?

Cheers,

Chris.


 


All times are GMT -5.