
Nothing will get rid of it!

  • 09-08-2004 3:35pm
    #1
    Closed Accounts Posts: 34


    Hey guys

    I've been infected with a spyware/adware which is hijacking my homepage and continually changing it to some search page, which is then sending me loads of pop-ups.

    Now, I'm running the latest versions of Ad-Aware and Spybot, and have just updated them both fully. I have also recently updated my NAV too.

    Now Ad-Aware doesn't seem to be able to fix this bugger, however I believe Spybot is detecting the problem although despite it saying it will get rid of the problem it still finds the same bug the next time I scan.

    As annoying as the pop-ups are I could deal with them, but I'm afraid that my bandwidth is being nicked. Take for example this: I've been connected now for 23 mins at a speed of 512 KBS, and I have received nearly 4,000,000 bytes despite this being the only site I've visited. Within an hour that figure could be as high as 40,000,000. Is that not unusually large? Maybe I'm being paranoid :-)?

    Anyways, this bug, which Spybot dubs DSO Exploit and which is described as "a security hole in IE allowing websites to execute code without asking you first. You can find more information at http://security.greymagic.com/adv/gm001-ie/", is really annoying me and I'd be very grateful if anyone could help me.

    Cheers in advance


Comments

  • Registered Users Posts: 3,375 ✭✭✭kmick


    First Option - If you are running XP do a system restore to a version which did not have the problem and then immediately do a Windows update.

    Option 2 - Do a Windows update first then shut down your network connection, i.e. in settings\control panel go to network settings and right click on your device and choose disable. Then run Ad-Aware etc. Also run stinger.exe (get this before you shut off your network connection) from McAfee I think. Then delete any dodgy folders in Program Files that you can see.

    First option is probably better.


  • Registered Users Posts: 5,514 ✭✭✭Sleipnir


    Have you patched XP?


  • Closed Accounts Posts: 34 Korny


    Patched XP?

    Patched it with what patch exactly?


  • Moderators, Regional North East Moderators Posts: 12,739 Mod ✭✭✭✭cournioni


    Yeah, DSO Exploit is a bit of a bastard alright.

    Best thing to do to get rid of it is to go into the registry folder:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

    Then delete the affected 1004 .reg file and create it again as a DWORD file, to the hexadecimal value of 3.

    You can do this by right clicking the screen. Then when you have it created you can change the value to hex = 3. It's not too hard. And it will get rid of DSO Exploit.


  • Moderators, Regional North East Moderators Posts: 12,739 Mod ✭✭✭✭cournioni


    By the way, I have the same problem as you have as regards the pop-ups. Every time I connect to the internet this hidden IE window appears in Task Manager and tries to send me viruses. It also slows down my machine. I tried everything to get rid of it; even blocking the sites doesn't work. The only thing that works is to persist in closing the hidden windows in Task Manager.

    I'm not quite sure how to get rid of it either. Any help would be very welcome.


  • Closed Accounts Posts: 34 Korny


    Yeah I read that Pornapster, how exactly do I access the registry folder?

    Do I just copy that filepath into the address bar?

    And then, how do I recreate this affected file?

    Sorry but I'm pretty amateurish when it comes to technicalities :-).

    PS I see you're an FF fan, I have every single one of their CDs ever released, including the rare stuff...!


  • Moderators, Regional North East Moderators Posts: 12,739 Mod ✭✭✭✭cournioni


    LOL, I am too, don't worry about it. If you asked me to do this last week I wouldn't have a clue. But I did a lot of reading on it and it worked for me.

    To get to the registry you have to run a scan on Spybot, then click on one of the DSO Exploit icons when they appear. This will bring you to the folder holding all of the windows registries. You will see a load of numbered files like 1001, 1004 etc.

    You will notice that 1004 has a different icon than the rest of them except for a select few with names at the bottom of the folder. You have to delete 1004 and 1004 only.

    Then you can recreate the affected file by right clicking in the folder itself, a number of options will come up. Of these options select "DWORD". Then it will create the file. You can then change its name to 1004. Then right click on the file and go to Modify.

    You will then get a number of options, make sure the Hexadecimal radio button is checked. Then in the field beside it enter the number 3.

    This should sort out the problem for you.


  • Closed Accounts Posts: 34 Korny


    Yeah I've tried right clicking on them in Spy-bot and then clicking "Jump to location" but nowt happens :-S.

    Tis grand now though, I was stupid and forgot I could just go to Start>Run>Regedit

    Cheers for your help Pornapster mate, much appreciated.

    A thousand thanks to you


  • Moderators, Regional North East Moderators Posts: 12,739 Mod ✭✭✭✭cournioni


    Double click in Spybot and a folder opens with all of the registries. Then you can change the 1004 registry.


  • Closed Accounts Posts: 34 Korny


    Aww I'm starting to give up!

    Right, Ad-Aware is finding about 4 infected files in the registry, and one of them is most definitely my homepage hijacker. However, as with Spy-Bot, when Ad-Aware's telling me it'll delete it it doesn't actually.

    So my question is, is it safe for me to simply go into the registry and manually delete these files myself?


  • Moderators, Regional North East Moderators Posts: 12,739 Mod ✭✭✭✭cournioni


    Well it worked for me. All you are doing is deleting the files and creating another one to replace them.


  • Closed Accounts Posts: 34 Korny


    Ok, Spy-Bot is still finding DSO Exploiter bastards, although this time there are only 4 instead of 5.

    So, one has been eliminated when I deleted the affected 1004 .reg file.

    Still, 4 left, I imagine these are the same ones that Ad-Aware is picking up.

    But neither will delete them so... manually delete?

    PS I should take down the specifics of the files I delete so that I recreate them to exactly the same settings, right?


  • Moderators, Regional North East Moderators Posts: 12,739 Mod ✭✭✭✭cournioni


    Yeah, that means you have five users of your computer. You must do the same as you did with the last one for each user account on the computer.

    So basically just do the same as you did there for all of the DSO exploits that appear in Spybot.

    Don't forget to create a new 1004 file for every one you delete.
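
The per-account check described in the post above, as an added example that is not part of any post in this thread: a read-only PowerShell audit that lists value 1004 under Zone 0 for every user hive currently loaded in HKEY_USERS, so each of the entries a scanner reports can be matched to a hive. It assumes the expected data is DWORD 3, as stated in the thread; hives of accounts that are not logged on are not loaded and will not appear.

```powershell
# Added example: read-only audit of value 1004 in Zone 0 for each loaded user hive.
# Nothing is written to the registry.
$zonePath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$expected = 3   # assumption: the value the thread recreates 1004 with

$users = [Microsoft.Win32.Registry]::Users
$report = foreach ($hive in $users.GetSubKeyNames()) {
    $key = $users.OpenSubKey("$hive\$zonePath")   # OpenSubKey(name) opens read-only
    if ($null -eq $key) { continue }              # hive has no Zone 0 key (e.g. *_Classes)
    try {
        if ($key.GetValueNames() -notcontains '1004') {
            $kind  = 'missing'
            $value = $null
        } else {
            $kind  = $key.GetValueKind('1004').ToString()   # DWord, String, Binary, ...
            $value = $key.GetValue('1004')
        }
        # Flag anything that is not a DWORD holding the expected number.
        if ($kind -eq 'DWord' -and $value -eq $expected) {
            $status = 'matches thread value'
        } else {
            $status = 'differs'
        }
        [pscustomobject]@{
            Hive   = $hive
            Kind   = $kind
            Value  = $value
            Status = $status
        }
    } finally {
        $key.Close()
    }
}
$report | Format-Table -AutoSize
```

Running it again after closing regedit shows whether a recreated value has reverted, which is the behaviour reported further down the thread.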


  • Closed Accounts Posts: 34 Korny


    Right, I've done all that now.

    However (there's always a however), Ad-Aware has directly found my problem in the registry, it's found 3 "Possible browser hi-jack attempts" with URLs that match the ones that are bothering me.

    Is it ok to simply manually delete these registry entries?

    Also, it's finding some malware registry entries, is it ok to simply manually delete these too?

    Cheers again


  • Closed Accounts Posts: 34 Korny


    This is insane.

    All of the 1004 .reg files I deleted then recreated, well as soon as I recreate them as DWORD files etc and then exit, as soon as I go back into the registry they're there again as the original infected files.

    This has obviously got something to do with the other registry entries Ad-Aware is finding, so delete the entries Ad-Aware's finding and then re-delete the 1004 .reg files?


  • Moderators, Regional North East Moderators Posts: 12,739 Mod ✭✭✭✭cournioni


    I'm not too sure. That never happened to me... I'd say it would be a good idea to delete anything suspicious. Including AdAware entries.


  • Registered Users Posts: 5,514 ✭✭✭Sleipnir


    If your machine is fully patched (i.e., at least all the Internet Explorer patches anyway) then it shouldn't really be a problem.
    The problem is more with Spybot reporting DSO exploit incorrectly. DSO exploit is not, in itself, spyware, it's more of a hole in IE.

    Have you run Windows update and installed all the relevant IE patches?

    From Spybot's website
    http://www.safer-networking.org/en/paragraphs/currentfaqs.html

    We noticed that many of the eMails that come in point to questions which are already available in our FAQ-List.
    Especially concerning a "bad checksum" error during update.
    The DSO Exploit problem is known and will be fixed with the coming update.
    So please read our FAQs carefully before you contact our Support-Team.

    Thank you!!!

    http://ask-leo.com/archives/000315.html

    The short answer: it's a bug in Internet Explorer that could, under certain circumstances, allow untrusted software to run - in other words, a vulnerability. The good news is that it's been fixed.


    The confusion arises from the fact that at least one popular Spyware detection program reports the problem, but fails to apply its work around, and hence continually reports the problem. Even though it might not be a problem any more.

    First, let's be clear. The vulnerability in Internet Explorer has been corrected. If you've patched IE and are staying up to date with current patches from Microsoft, you're safe, even if a DSO exploit is reported.

    The confusion arises from a bug in Spybot Search and Destroy that continues to report the DSO Exploit problem, anyway. There are ways to force the report to go away, but it's more trouble than it's worth.

    The bottom line: If you're fully up-to-date on Internet Explorer patches, you can safely ignore Spybot's report of a DSO Exploit. And update Spybot from time to time as well ... they do plan to fix the reporting problem.

