Windows Vista Tips

Windows Vista Tips > Newsgroups > Windows Update > DSOEXPLOIT

wpc0101
      10-28-2004
Explanation is that there is a hole in IE that let this into my PC. How do I
remove this?
 
Carey Frisch [MVP]
      10-28-2004
Your security program is showing a false positive...download
the latest version. Also, install Service Pack 2 for Windows XP.

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/secu...t/default.aspx

------------------------------------------------------------------------------------

"wpc0101" wrote:

| Explanation is that there is a hole in IE that let this into my PC. How do I
| remove this?
 
MowGreen [MVP]
      10-29-2004
If you are using Spybot and keep finding this so-called exploit,
here's how to get rid of it:

How To: Configure SpyBot Not to Flag DSO Exploit
http://forum.aumha.org/viewtopic.php?t=8435

If you've IE up to date with all Critical updates and have an
updated antivirus program installed then the DSO Exploit is mitigated.

MowGreen [MVP]
===============
*-343-* FDNY
Never Forgotten
===============


wpc0101 wrote:

> Explanation is that there is a hole in IE that let this into my PC. How do I
> remove this?


 
dak
      10-30-2004
On Thu, 28 Oct 2004 09:17:07 -0700, "wpc0101"
<> wrote:

>Explanation is that there is a hole in IE that let this into my PC. How do I
>remove this?


Here's my standard blurb on the DSO Exploit flagged by Spybot S&D, with a NEW
ADDENDUM about the recently released Spybot S&D update that finally patches the
DSO Exploit problem. (I left the "standard blurb" in, just in case you were
interested in the explanation):

Basically, Spybot is finding that the security setting for "Download unsigned
ActiveX controls" for the (normally) hidden "My Computer" zone in Internet
Explorer is not set to disabled, and a minor bug is preventing Spybot from
repairing it properly so it is again detected on the next scan.

You are probably seeing several keys similar to this one:

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

The "\0\" points to the My Computer Zone. The key "1004" holds the value for
the specific setting "Download unsigned ActiveX controls". The "!=" means "not
equal". "W=3" (word value of 3) specifically means "disabled". Spybot is
finding that this setting is not disabled for various users defined on the
system.
When it actually goes to fix that value (setting the value to 3) it isn't
setting it to the proper type of data element - a DWORD value. So, that registry
item ends up with no value at all after the fix is performed, and each time you
scan again Spybot will find the value in those keys is still not equal to 3.

You can fix it manually if you're comfortable with editing the registry - just
run regedit and edit the keys to a DWORD value of 3. Go to each specific key
Spybot flagged and right-click on the bad 1004 key (will show a REG_SZ instead
of a REG_DWORD for data type) in the right panel and select Delete. Then in a
blank section in that same right panel in regedit, do a right-click and add a
"New" > "DWORD" value. Name the new DWORD value 1004 (like the one you just
deleted). When it is created, double-click on it and enter a value of 3. If
you have multiple versions of this under different users on your system, you'll
need to do the same thing for each of them.
After manually repairing the keys run Spybot again to see if you missed any
keys. Don't let Spybot try to fix any of the keys, just use it to find the
specific problem locations.
Or, you could write a REG file to merge all the fixes at one time. I'm not
going to cover that, but I mention it just to try to cover all your options.

If you are up to date on all of your Windows patches you should be protected
from this exploit and you could wait until Spybot is finally patched. The
general expectation was this would be corrected in 1.3, but it wasn't (nor in
1.3.1).
So you can leave it as is and wait for a patched Spybot S&D, set Spybot S&D to
ignore it, or correct it manually.


***** ADDENDUM *****
Spybot S&D 1.3.1 TX, which finally corrects the DSO EXPLOIT problem, has been
released. When installed this patch will replace the Spybot S&D main
application executable and will then show as "Spybot - Search & Destroy 1.3.1
TX" when run. This update is NOT a definition update, it only replaces the
executable to correct the DSO EXPLOIT problem.

NOTE: You MUST have Spybot S&D 1.3 FINAL or Spybot S&D 1.3.1 BETA installed
before applying this patch.

Available from MajorGeeks:
<http://www.majorgeeks.com/download4392.html>

--
dak
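
The REG-file route mentioned in the post above but not covered there, as an added example (not part of the original thread and not Spybot's code): it reads a regedit text export, finds every `Zones\0` key whose `1004` value is not a REG_DWORD of 3, and builds one merge file that fixes them all. The sample export, the SIDs and the function names are constructed for illustration; treating a missing `1004` as needing the fix is an assumption.

```python
import re

ZONE0 = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
WANTED = "dword:00000003"  # REG_DWORD 3 = "disabled", as described in the post

# Constructed sample in regedit export form (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=""
"1200"=dword:00000000

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000003

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000000
'''

def audit(export_text):
    """Map each My Computer zone key to its raw 1004 data (None if absent)
    when that data is anything other than a REG_DWORD of 3."""
    seen, key = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            path = header.group(1)
            key = path if path.lower().endswith(ZONE0.lower()) else None
            if key:
                seen[key] = None          # value not seen yet under this key
        elif key and line.startswith('"1004"='):
            seen[key] = line.split("=", 1)[1]
    return {k: v for k, v in seen.items() if (v or "").lower() != WANTED}

def build_fix(findings):
    """Build .reg text that sets 1004 to DWORD 3 under every flagged key.
    Importing a dword entry replaces the old REG_SZ value, type included."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in findings:
        out += [f"[{key}]", '"1004"=dword:00000003', ""]
    return "\r\n".join(out)

if __name__ == "__main__":
    print(build_fix(audit(SAMPLE_EXPORT)))
```

regedit writes Version 5.00 exports as UTF-16, so decode a real export with that encoding before passing it to `audit`, and read the generated file before merging it.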
 