
Persistent spyware problems



I found spyware on my laptop and downloaded Spybot. It found a bunch of stuff and deleted it. I thought all was good, but it continues to find what it calls a DSO exploit and can't remove it. I think this launches something else because next time I boot up there will be a bunch of other stuff that pops up. Spybot will clean the new stuff, but it comes back every reboot.

 

What is a DSO exploit?

 

I found a folder called DSO which the stated location is com/ms/xml. I also have a file called xmldso.class which I am suspicious of.

 

Another program found

ISTbar

Msopt

Powerscan

 

 

I can't seem to remove those either. Any help is appreciated


Some IST bars are incredibly annoying to remove. You might wanna find out what one it is and download an actual removal tool, they work in a jiffy.

 

We had one recently that was loading a search bar, I think it was called "iwantsearch" or some other nonsense. The easiest way to get rid of it was a small removal program.

 

I have hijack this, noadware, adaware and a few other programs installed for emergencies ;) *Shakes her fist*


OK, to fix this you will need to go into your registry. Not sure of your expertise level, so forgive me if these are oversimplified ;)

A DSO exploit takes advantage of a Windows IE feature. Basically, DSO will let you hide what application is passing data to the presentation layer. The DSO exploit works by changing 5 registry keys.

 

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

HKEY_USERS\S-1-5-21-746137067-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

 

Originally these five registry keys are REG_DWORDs with a value of 0, but if you tell Spybot Search & Destroy to Fix the problem they will change to REG_SZ and the data value will be blank and they will continually show up as a problem each time you run Spybot Search & Destroy until you fix them manually. All of these keys start HKEY_USERS\ and end \Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3, the only difference being the second element in each key path.

Spybot even tells you why these keys are a problem, albeit indirectly. At the end of each key we see 1004!=W=3, what this means is the key 1004 is not equal (!=) to a DWORD (W) with a value of 3 (=3). Therefore it is a relatively simple process of changing all of these keys to type REG_DWORD with a value of 3.

 

1. Click Start, then Run...

2. Type REGEDIT in the Run box and either hit Enter or click OK.

3. Locate the HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004 registry key.

4. Right-click on the 1004 key and select Delete and click Yes when prompted to confirm.

5. Click on Edit, then New and select DWORD.

6. Give the new Key a name of 1004.

7. Right-click the new 1004 key and select Modify and give it a value 3 and click OK.

8. Repeat steps 3-7 for each of the above registry keys, remembering that the long number after S-1-5-21 will differ on each machine.

9. Close the registry editor.

10. Click Start, then Control Panel.

11. Click Network And Internet Options, then click Internet Options to open up the Internet properties.

12. Click on the Security tab, then click the Internet icon, then click Custom level.

13. Ensure that Download unsigned ActiveX controls is set to Disable and then click OK on Security Settings and then click OK to close Internet Properties.

14. Run Spybot Search & Destroy again, this time DSO Exploit will not show up.

 

 

Good luck!

 

 

-Madrogran

 

PS, working for MS has its advantages! ;)
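The check that steps 3-8 of the post above perform by hand, as an added PowerShell example that is not part of the original thread: it reports the type and data of value 1004 under Zones\0 for every hive loaded under HKEY_USERS, and only when called with -Fix rewrites it as a REG_DWORD of 3. The function name and the -Fix switch are assumptions made for this example; writing to other users' hives requires an elevated prompt.

```powershell
# Added example, not code from the thread. Get-Zone1004State and -Fix are hypothetical names.
function Get-Zone1004State {
    param([switch]$Fix)   # without -Fix the function only reads

    $subPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
    $hku     = [Microsoft.Win32.Registry]::Users
    $dword   = [Microsoft.Win32.RegistryValueKind]::DWord

    foreach ($hive in $hku.GetSubKeyNames()) {
        # Second argument: open writable only when a fix was requested.
        $key = $hku.OpenSubKey("$hive\$subPath", $Fix.IsPresent)
        if ($null -eq $key) { continue }   # hive has no Zones\0 (for example *_Classes)
        try {
            $kind = $null
            $data = $null
            if ($key.GetValueNames() -contains '1004') {
                $kind = $key.GetValueKind('1004')
                $data = $key.GetValue('1004')
            }
            # The state the post aims for: type REG_DWORD, data 3.
            $ok = ($kind -eq $dword) -and ($data -eq 3)
            if (-not $ok -and $Fix) {
                # SetValue with an explicit kind replaces both type and data,
                # giving the same result as the delete-and-recreate in steps 4-7.
                $key.SetValue('1004', 3, $dword)
                $kind = $key.GetValueKind('1004')
                $data = $key.GetValue('1004')
                $ok   = ($kind -eq $dword) -and ($data -eq 3)
            }
            [pscustomobject]@{ Hive = $hive; Kind = $kind; Data = $data; IsDword3 = $ok }
        } finally {
            $key.Close()
        }
    }
}

# Read-only report across all loaded hives.
Get-Zone1004State | Format-Table -AutoSize
```

A row with Kind shown as String and empty Data is the REG_SZ state the post says Spybot's own fix leaves behind.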


Errex, I think it will prevent future DSO issues but will not fix old ones that are already on the system. This is one of the reasons why they tell you to clean it up before putting on the newest patch. Good ol microsoft, let the customers do the work and then they fix the problem.


I use Mozilla on the home PC, but there are still all of the viruses and other issues with MS products. As long as MS is king of the hill by such huge margins they will always be the target and therefore endanger us to such attacks.

 

I don't really game on my PC anymore. I bought a game system for that.


It's more than being the king of the hill...

MS has left a major vulnerability that they can't get around...without stating they were wrong...and that is to allow their applications the ability to execute code from outside sources without the user's intervention or ability to say no to the code...

 

Firefox and Netscape...don't execute code without your permission...also give you the ability to uninstall objects that you install on your browser. The worst spyware you will get on these browsers is cookies...which are easily removed...

 

Just SAY NO TO IE and Outlook/Outlook Express
