
A 'DSO exploit' is a bug in IE that might possibly allow untrusted software to run. Make sure you're up-to-date and you should be safe.

What's a 'DSO exploit' and how do I get rid of it?

The short answer: it's a bug in Internet Explorer that could under certain circumstances allow untrusted software to run. In other words, it's a vulnerability. The good news is that it's been fixed.

The confusion arises from the fact that at least one popular spyware detection program reports the problem but fails to apply its workaround, and hence continually reports the problem, even though it might not be a problem any more. (Update: that program has reportedly been fixed. See below.)

First, let's be clear. The vulnerability in Internet Explorer has been corrected. If you've patched IE and are staying up to date with current patches from Microsoft, you're safe, even if a DSO exploit is reported.

The confusion arises from a bug in Spybot Search and Destroy that continues to report the DSO Exploit problem, anyway. There are ways to force the report to go away, but it's more trouble than it's worth.

The bottom line: If you're fully up-to-date on Internet Explorer patches, you can safely ignore Spybot's report of a DSO Exploit. And update Spybot from time to time as well; they do plan to fix the reporting problem.

UPDATE: Spybot Search and Destroy has reportedly been fixed. My recommendation now is to download the latest version, and make sure you have it update its database of spyware to check prior to your next scan. It's possible that it may report DSO exploit once, but if you elect to fix it, then the report should go away on your next scan. I can confirm that it no longer reports DSO exploit on my system.

And remember, as long as you were up-to-date with Internet Explorer patches, DSO exploit was not an issue for you, regardless of what the scanner said.

Article C2135 - July 23, 2004

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

89 Comments
avathor
July 25, 2004 5:18 PM

Thanx for your help. This same problem has been driving me crazy recently until I found your post.
Thanx a lot

aaronmoyle
July 26, 2004 7:47 AM

ok well it is a fault in spybot you can get rid of it by running advanced mode in spybot

Jason
July 28, 2004 11:37 AM

Thanks for the explanation, Leo. I appreciate the information that is easy for us "non-technical" types to understand. I'll be bookmarking your homepage.

Steven a
July 31, 2004 7:33 AM

I am running XP and have the latest updates. I have cleaned the registry once of the entries 1004 but can find no other entries as you describe. When I load my browser I am still getting about:blank as my browser's home page and a bunch of pop ups about spyware. Internet options won't get rid of it. This is driving me nuts!

Ron
August 1, 2004 11:15 AM

All you have to do to permanently remove the DSO exploit is: First download Spybot search and destroy, then run a scan. Spybot can't fix the DSO exploit but it does tell you exactly where to find it. Go to the run command on your start menu and type in "regedit", then just follow the path to the source listed in the Spybot search results and delete it manually. It's that easy. You can e-mail or IM me and I will walk you through the process. l9ron@aol.com
(That's L9, not 19)

Jim Moore
August 2, 2004 4:31 PM

Leo,

Dig it. I read your take on the DSO exploit, and you are right on track. You are now a favorite!

Thanks..

willl
August 3, 2004 6:44 PM

i can't get rid of it and my critical updates from microsoft won't load. the machine will not update IE with patch and the pop ups keep coming!

luis
August 3, 2004 11:39 PM

1 Open Spybot and select 'advanced' mode
2 Select 'settings' in the left column
3 Select 'ignore products' in the left column
4 Select 'security' tab
5 Place a check mark in the box(s) beside DSO Exploit
6 Exit Spybot
7 Restart Spybot and run a scan.

Luis Padua/Higüey/Dom. Republic

luis
August 3, 2004 11:52 PM

I got the DSO EXPLOIT when i downloaded a pacman 2 game from internet and when i ran spybot, two more programs were in my pc (SEEKSEEK and VIRTUAL BOUNCER). I was able to delete them both with SPYBOT S&D but DSO EXPLOIT stayed in.
I tried to delete pacman 2, but a msg said it was being used by another program. I did the 7 previous steps and DSO exploit was gone, so i was able to send pacman to hell....beware of pacman 2.....regards Luis Padua from Higüey in the Dominican Republic.

dm
August 25, 2004 8:51 AM

Love this site! Can you post the steps to remove (manually) DSO exploit entries from my registry. Thanks in advance =)

pennywise
August 27, 2004 4:39 AM

tks for the info

Bob Canterbury
September 1, 2004 3:15 AM

This is one of the best things I have found on my PC. I did just what you said to do, and got rid of DSO Exploit. I tried everything I could, and could not get it off my PC. But this really worked. I will use this all the time now. Thank you very much. To all you people out there in PC land, use this site. Thanks again.

Linda Bond
September 3, 2004 4:29 PM

Leo, My brother-in-law's son, Kevin Goodier told me you were the best at this. This question has nothing to do with DSO. Today I tried to install SP2, with my Windows XP home edition. It failed to install. It downloaded fine. But failed at the end. I have done everything it has told me to do. (Wizard). Got any advice on this one.....? I appreciate your help in advance....Thanks, Linda

Leo
September 3, 2004 4:35 PM

Depends on how it failed. Any error messages?

jim
September 5, 2004 6:41 PM

To fix this problem please follow the steps below. As usual, registry editing can stuff up your system completely or have unexpected results. Make sure you have a backup before attempting this procedure.

Right click the error found in spybot and select "more details", "jump to location". This will open registry editor and go to the correct registry entry to modify. Sometimes Spybot doesn't do the jump the first time for some reason, just do it again to kick it into action.

You will see it has focused on an entry which is 1004 of the type "reg_sz", this should actually be a "reg_dword".

You will need to delete the 1004 entry.

Create a new DWORD called 1004 by right clicking on the folder which contained this entry (normally "0"), select New, DWORD value. The default value it's given is "0"

Double click 1004 and change "0" to "3".

This will need to be done for every DSO exploit entry that Spybot has found.

As usual, registry editing can stuff up your system completely or have unexpected results. Make sure you have a backup before attempting this procedure.

Leo
September 5, 2004 10:00 PM

As stated in the article, there is no need to do that. All you need do is make sure IE is up to date, and then ignore the warning in SpyBot, until SpyBot is updated to fix it.

John Smith ;-)
September 7, 2004 10:52 PM

Question for Leo...
What harm would it do to simply delete the DSO exploit (1004), as suggested by L9Ron in a previous post. I have done just that, with no ill effects. If deleting the 1004 entry can cause problems, what would those problems be? Could you please give the exact details of any problems this has caused for you, or others, that you know of? I am confident that you have the answer for this query. Thanks for your time, and I am looking forward to a comprehensive explanation.
John Smith ;)

Leo
September 8, 2004 10:13 PM

I never said it would harm anything. Only that if IE is up to date, it's simply not necessary to take those steps - you can safely ignore the DSO exploit warnings in Spybot.

jim
September 9, 2004 6:11 PM

Hi John,

As Leo says, as long as you are fully patched there is no need to concern yourself with the DSO exploit.

The entry "1004" that this relates to is in the "My Computer Zone" and is the setting for "Allow download of unsigned ActiveX control". When set to a DWord value of 3, this setting is disabled.

When it was not disabled on unpatched PCs, it was possible for malicious code to be run on your PC without your consent.

Microsoft released a patch some time ago addressing the problem which was also included in Service Pack 1 (As well as Service pack 2). When you are patched, you can't be "unpatched". In other words this exploit cannot happen as your machine can't become vulnerable again to this particular problem.

From my understanding, whether disabled or not, or if you have even deleted this entry, as long as you are patched there will be no adverse effect to your PC.

Again, as Leo says, as long as you are patched, you can safely choose to ignore the error. If it annoys you to see it turn up in the scan, tell the scan to ignore it or modify the registry to correct the problem manually, but there is really no need.
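
The state jim describes in his two comments above (the 1004 value under zone "0" should be a REG_DWORD set to 3, while the scanner flags a REG_SZ) can be checked read-only against a registry export instead of by editing. This is an added example, not part of the article or of any commenter's post; the key path suffix, the .reg export syntax and the sample export are assumptions constructed for illustration.

```python
import re

# Assumption (not on the page): the "My Computer" zone is the key ending in
# ...\Internet Settings\Zones\0, compared case-insensitively.
ZONE0_SUFFIX = r"\software\microsoft\windows\currentversion\internet settings\zones\0"
ACTION = "1004"   # per jim's comment: download of unsigned ActiveX controls
DISABLE = 3       # per jim's comment: DWORD 3 means the action is disabled
POLICY_NAMES = {0: "enabled", 1: "prompt", 3: "disabled"}

KEY_RE = re.compile(r"^\[([^\]]+)\]$")        # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')    # "name"=data
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")

# Constructed sample in regedit export syntax (not taken from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"="3"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"""


def classify(data):
    """Map the raw export data of a 1004 value to (status, detail)."""
    if data is None:
        return "missing", "no 1004 value under this key"
    m = DWORD_RE.match(data)
    if m:
        value = int(m.group(1), 16)
        if value == DISABLE:
            return "ok", "REG_DWORD 3 (disabled)"
        name = POLICY_NAMES.get(value, "unknown policy")
        return "not-disabled", "REG_DWORD %d (%s)" % (value, name)
    if data.startswith('"'):
        # The case described in the comments: a string where a DWORD belongs.
        return "wrong-type", "REG_SZ %s, expected REG_DWORD" % data
    return "wrong-type", "unexpected data %s, expected REG_DWORD" % data


def audit_reg_export(text):
    """Return (key, status, detail) for every zone-0 key found in the export."""
    zone_keys = {}   # key path -> raw data of its 1004 value, None if absent
    current = None   # zone-0 key currently being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            current = key if key.lower().endswith(ZONE0_SUFFIX) else None
            if current is not None:
                zone_keys.setdefault(current, None)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None and m.group(1) == ACTION:
            zone_keys[current] = m.group(2)
    return [(key,) + classify(data) for key, data in zone_keys.items()]


if __name__ == "__main__":
    # For a real export, read the file first; regedit writes version 5.00
    # exports as UTF-16, e.g. open(path, encoding="utf-16").read().
    for key, status, detail in audit_reg_export(SAMPLE_EXPORT):
        print("%-12s %s\n             %s" % (status, key, detail))
```

As the article and jim's comment both say, on a fully patched system these findings are informational; the script only reads text and changes nothing.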

John :-)
September 9, 2004 11:31 PM

Thanks Leo and Jim...
As I mentioned before, I had already deleted the 1004 entry from the registry, and was hoping I hadn't harmed my computer in some way that I am not yet aware of. If there is anything that you know of, or that you find out in the future, that could cause a problem as a result of deleting the 1004 entry, could you please post it here and let me know. Thanks again, John :-)

BTW, You might want to consider taking the ad for "Spyware Nuker" off of your site... it has "Gator" and a Keylogger in it.

harry
September 10, 2004 7:40 PM

Will reloading all software from original boot disks/system restore disks get rid of all spyware including "DSO exploit"?
thanks

Leo
September 11, 2004 9:14 AM

DSO exploit is not spyware. It's a vulnerability in Internet Explorer that is resolved by keeping IE up to date with the latest patches.

Ron
September 11, 2004 8:46 PM

As I understand things Harry, the DSO exploit is more like a back door in the Windows operating system, that has been left unlocked. As I have heard here, there is a patch that puts a lock on this back door. I myself chose to delete it altogether. (although I have heard on more than one occasion that, that was not necessary) My best guess would be that reinstalling Windows would restore the DSO exploit, rather than getting rid of it. I do know that when I received my PS2 update from Microsoft, (although I had deleted the 1004 entry from my registry) my DSO exploit had returned. (so I deleted it again) For me it was a "peace of mind" thing, and efficiency didn't play a large role in my decision making process. Hope this helps, as it is "to the best of my knowledge" and "as I understand it". (L9)Ron

Nichole
September 13, 2004 10:09 AM

This may be a stupid question but how do I know I have IE updated with the latest patches! Thanks

DJ Kinney
September 14, 2004 6:11 AM

All this advice hinges on the fact that staying up-to-date with patches will solve the problem. This is untrue. I am running XP Pro service pack 2 with all patches and am infected by the CWS (aka about:blank) about once every 48-72 hours. It is cleaned to a high degree of confidence with a cross check of several programs (ad aware, spybot, and manual removal) only to return with a DSO exploit and a reinstallation of all the malicious registry keys. I am not running antivirus or a firewall (beyond the XP) because I am trying to deal with the problem on a more fundamental level at this point. Rather than plug the dyke, I want to fix the hole.

These are the facts. The vulnerability must still be in the system.

What now?

Dracarius
September 14, 2004 9:44 PM

Try this!

http://www.nsclean.com/dsostop.html

All the info you want on dso exploit is there. Keep in mind, Microsoft has a fix for it already, but for those of you who keep worrying....

ted fritsch
September 17, 2004 1:43 PM

I have purchased adware, spybot, spyvest, and desostop2, and all have identified the problem, and some are saying they have deleted the culprit.

However, when I open up IE my home page web site still wants to go to the promptview.info web site, I have changed it via the IE tools, it works until I reboot, then that sucker returns to the stupid search site as my home page.

Can someone show me how to get rid of this thing, or point me to the person who did it, so I can personally wring that jerk's neck.

PhantomSteve
September 18, 2004 8:51 AM

> Today I tried to install SP2.... Posted by: Linda Bond at September 3, 2004 04:29 PM

Linda, I don't know if you got a solution, but my advice:
Order the SP2 CD from MS (it's free... takes "4-6 weeks", but I got mine in 2 weeks) - you can order it from the Win Update site. I'm just thinking that maybe there was a fault in the download? I know the CD works, cos it worked perfectly on my machine.

Regards,
PhantomSteve

kayle
September 18, 2004 4:40 PM

Sometimes for no reason and without warning that stupid "microsoft has encountered a problem and needs to close" message comes up, it is very frustrating and now even my programs are doing it. Is DSO exploit responsible for this, if not can you tell me what is. Thanks

Leo
September 18, 2004 7:58 PM

No, that's probably not related to DSO exploit in any way. That message happens when a program misbehaves, typically due to a bug in the program. What to do will depend on what program you were running at the time, or the program that should have been mentioned in the error message. If it was Internet Explorer, you can check this article for more: http://ask-leo.com/iexploreexe_has_generated_an_error_now_what.html

hyattf
September 22, 2004 4:56 AM

i have found one sure fire way to end this dso... once & for all. i bought a mac!

conventional wisdom is that scumbags that write this stuff do not do so for mac & unix. don't know how true that is but i have been running netscape 7.2 on os 10 & have yet to experience any problems

Bridie
September 22, 2004 9:41 AM

All this advice of not to worry is complete junk!
Do not tell me not to worry about DSO Exploit when I can see things happening to my system. If you can't be bothered to offer advice not tainted with the Microsoft company line then just don't bother at all. Are you in a relationship with Bill? DSO Exploit is a problem for anyone who thinks it is! Stop posting patronising advice and just deal with it or go talk about something else. Example how great you think Bill and his rubbish IE really is.
Leo poor show!

Leo
September 22, 2004 9:48 AM

Sorry you feel that way. I think you've misunderstood what I'm saying, though.

To clarify for subsequent readers:

DSO *is* something you want to fix. Just make sure that you have all the latest Internet Explorer Patches installed, and you're done.

After updating IE to the latest set of patches, folks using Spybot Search and Destroy may continue to see reports of the DSO Exploit as being a vulnerability on their machine. This is an acknowledged bug in Spybot Search and Destroy. Check out the link to the Net Integration Forums listed with the article above.

So to summarize:
- If your IE is NOT up to date with patches: get it up to date.
- If your IE *is* up to date with patches, and spybot reports DSO exploit, you may safely ignore Spybot's report.

Or, as others have suggested you can use another browser. I'm fairly happy with Firefox these days.

Dave
September 22, 2004 11:28 AM

For those asking about IE patches: http://www.windowsupdate.com is where you want to go. It's the only site I use IE to visit any longer.

CoolWebSearch is one of the nastiest pieces of software written to date and its author(s) really should be jailed.

CoolWebShredder does a fair job at removing most versions:
http://www.spychecker.com/program/coolwebshredder.html

About.Buster does a good job of fixing About.blank or RES:// hijacks:
http://www.malwarebytes.biz/

However, my best advice matches the comment Leo made - switch to Mozilla or Firefox. Both can be obtained from http://www.mozilla.org. I happen to use the Mozilla suite as I use it for email as well as browsing, and Mozilla has a Quick Launch feature that makes it open browser windows even faster than IE (because it preloads like IE does - a feature not yet available in Firefox.) Mozilla browsers can not be affected by spyware (yet...I wouldn't put it past these spyware authors to try if Mozzie gets more popular), have a built-in popup blocker that actually WORKS, and built-in junk mail filter.

If only I could give my customers this advice, I'd be a happy man. (I work as a tech support agent for MSN. I deal with spyware calls for at least 10 hours a week - and CoolWebSearch is the nastiest one of all.)

Joe
September 24, 2004 6:30 AM

Folks,

I have all my ie patches installed and up to date running XP and IE. BUT this week I started getting popups. This seems related to an 'automatic update' from microsoft which popped up this week for KB833989. I stupidly installed it, even though I always manually go to the windowsupdate page, and since then i've been getting the popups. Oddly enough this exact same set of circumstances happened to a coworker this week. Anyone have any thoughts?

Maybe this was actually a bit of spyware that looked like an MS update?

Joe

Ray
September 25, 2004 10:52 PM

An interestingly riveting read. I just got my cable internet installed with Cox. I talked with the guy who installed it about this exact subject. He said that it was a supposedly unbeatable program that no one could erase. Of course I had my suspicions because I knew that there is no such thing as an unbeatable piece of software. So I looked up DSO Exploit and found this site. Of course I've been watching the Screen Savers for a while, and the staff always solved all of my problems when other people called about them, so I trust everyone there.

My point is (if there is one), is that I can see why people are scared of this exploit. It's because there is a sort of confusion even amongst some professionals. Either that or the cable guy was pulling stuff out of his butt. I don't know.

Mike
September 26, 2004 10:12 AM

Thank you all. This has helped me immensely. I need not now worry about the reported DSO exploit. Thanks again.

chris
September 27, 2004 1:43 PM

ok, originally i had 5 entries of dso exploit when i searched under spybot, and when i tried to delete them, it would delete it and then would come back next search. then i found some steps involving changing some number from 1004 to 3 perfectly, and then i downloaded dsostop and it says its activated and prevents any dso exploit, but that doesn't do any good, because now when i use spybot it picks up 4 instead of 5 entries for dso exploit. when i search for it regularly on my comp it finds NOTHING. even in hidden and compressed files, also, i "immunized" my system because it recommended it using one of anti-spyware softwares, and now every time i sign online i hear 3 "drops" and if i do a spybot search, it picks up 3 new pieces of spyware, 2 from advertising.com and 1 from avenue a, along with my original 4 dso exploit entries, i can delete these 3 and when i research it won't pick them up, UNTIL i restart my internet connection, and then i search and they're back. it was not like this befor

Grahame Gould
October 1, 2004 1:33 AM

Hey, Leo, I must give you a massive congratulation on your response. Not so much to content as the tone. It would have been easy to respond by telling Bridie to pull her/his head in and you may well have been justified in doing so, it appears to me. However you clearly and calmly restated your advice and did so without rising to the bait. (Although your last note that you use firefox may have had the slightest tinge of "so there" about it, but I certainly can't begrudge you that. I don't know that my response in a similar situation would have been anywhere near to gracious!!) Anyway, congrats!

Hugh
October 4, 2004 1:33 PM

I've been on holiday and come back to a host of spyware programs do u know how 2 get rid of 180ax???

Leo
October 5, 2004 11:38 AM

Get one (or more) of several good spyware scanners and run 'em. Recommendations here: http://ask-leo.com/d-recommend

Sharon
October 7, 2004 8:52 AM


I've never consciously done anything with IE. How can I know if I'm up-to-date?

Leo
October 7, 2004 9:11 AM

Visit Windows Update (This'll get you there: http://ask-leo.com/d-winupdate ) and follow the instructions to scan, and then possibly install, any critical updates.

Tsaeler
October 11, 2004 3:09 PM

My browser is firefox and I also use Mozilla.
Internet explorer may be somewhere on my computer.
I use 98lite.
Updates to MS stuff causes me more pain than needed.
SpyBot reports the dos exploit on reboot.
Do I have to update IE in order for SpyBot to stop reporting the DOS exploit.
If I never use IE would the DOS exploit still be a threat. I was not always confused (well Uh maybe).

T(om)

Leo
October 11, 2004 5:14 PM

"Do I have to update IE in order for SpyBot to stop reporting the DOS exploit."

As the article states, Spybot has a bug which will continue to report DSO exploit, even after you've updated IE.

"If I never use IE would the DOS exploit still be a threat."

If IE has not been updated, then yes, it could still be a threat. Even though you use firefox, other applications often use core IE components and could be vulnerable. Also, some sites only work with IE (most notably Windows Update), so you'll be firing up IE at some point anyway.

My best advice: update IE.

Sharon
October 13, 2004 8:34 PM

Hi, Leo,
Thanks for the link, but 'wow,' they suggest a lot of updates. Many of them are once added/cannot remove types. Should I be concerned about how much space these updates will take?

Also, is it correct to assume I don't have to uninstall anything these updates are updating? I ask because when I 'updated' my security to the '04 version, I had some problems and was told I was supposed to have removed the old '03 version first. I had thought an update meant they were working from the same basic material and were only tweaking it.

Thanks for any further help.

Sharon

Anonymous
October 26, 2004 5:22 AM

Great Help !

Billy D. Shaw
October 27, 2004 5:09 PM

Hi Leo, have followed you for a couple of years now and think you are the WIZ. I got the SP2 disk since I only have dial-up capabilities. I d/l'ed a prog. from MS that told me I need MS 042-038 or close to that and when I d/led it my machine went haywire. Any thoughts thundermoon

Mike
October 31, 2004 11:06 AM

hi leo!
I have this problem where i cannot change my homepage for more than a day. There are two sites that like to be fighting over which one is my homepage and they are:
- www.othersearch.com
- www.worldsex.co.yu
It's the worldsex which is the worst because when u start up explorer is begins receiving exploit viruses which are annoying to remove. I also have this annoying search toolbar that keeps on appearing after its been uninstalled.
I hope u can help cause no spyware program can find anything!

Leo
October 31, 2004 8:45 PM

I found this thread on othersearch: http://ask-leo.com/d-41031a

This thread is a specific situation that clears up a number of infestations, including worldsex. I'm not sure if it will help you specifically, but it may, and if not the forum there is a good resource.

In general, file sharing programs like Kazaa seem to be the biggest source of these parasites. Avoid installing those types of programs if at all possible.

Dale Edens
November 6, 2004 4:40 AM

I got rid of 'DSO' exploit by doing the following.
Open Spybot and select 'advanced' mode.
Select 'settings' in the left column.
Select 'ignore product' in the left column.
Select 'security' tab.
Place check mark in box beside DSO exploit.
Close program.
Open Spybot and run a scan.

You will find that 'DSO' exploit has been eliminated.

Leo
November 6, 2004 9:39 AM

SPYBOT is reported to be fixed. I've updated the article accordingly.

j. ron
November 11, 2004 9:11 AM

i'm running firefox and i tend to get the dso exploit reappearing constantly. patches for ie are up to date, but i like firefox better. is there a weakness in firefox? why does dso exploit appear on every scan with spybot?

thanks for your help,

j.

nat
November 12, 2004 3:18 AM

dale edens you said

"Select 'ignore product' in the left column."

but won't that just simply ignore the DSO?...

wayne
November 23, 2004 10:02 AM

The latest version of Spybot (11-23-04) finds DSO and says it has removed it but if you scan again it finds it again and again. In my case in 5 places each time.

Lavender
November 24, 2004 6:23 AM

Hi,
DSO exploit pops up when I do a Spybot scan, only it says and there is also something written in another language.
Would appreciate any advice.
Thankyou,
Lavender!

Anonymous
November 26, 2004 3:47 PM

Ignoring the DSO Exploit will not get rid of the problem. It will just "ignore it". I suggest googling for a solution as it does require registry key editing to fix. Computing.net has an answer for this problem which is an IE exploit that allows programs to be run on your computer without your permission. It's probably not a big deal if you use firefox, but the solution is simple enough.

Leo
November 26, 2004 3:49 PM

I'll keep saying it, as I said in the article: as long as your Internet Explorer has been fully patched, you may safely ignore DSO Exploit warnings.

maureen
November 26, 2004 11:12 PM

Hi;

How do I fully patch Internet Explorer?? I have done the latest windows updates, is that one in the same?? Sorry I am new user, not overly technical but I also have the DSO Exploit coming up when I run Spybot Search & Destroy. Any help you could provide would be appreciated. Tkx!!

Leo
November 26, 2004 11:28 PM

Yes, exactly. Make sure you have all the latest windows updates and all should be well.

maureen
November 26, 2004 11:47 PM

Hi Leo;

Tkx sooo much for your help with my question above - It gives me peace of mind to know that by doing the windows updates I don't have to worry about DSO Exploit - have a good one. )))))

Roxanne
November 29, 2004 12:42 PM

Okay, probably I'm being an idiot, here, but... I'm using Firefox, but I still have IE on my machine because sometimes I have to use it since it has so many hooks into windows. I'm on crappy dialup and it takes forEVER to download patches, so I'd rather not if I don't have to. Must I do this if I never use IE unless I am forced and I have Zone Alarm running constantly? A further comment... I was going to remove DSO Exploit from my machine manually, but the location is so long that SpyBot doesn't display the whole thing. Am I missing some simple command to show the entire location?

many thanks

Anonymous
December 1, 2004 6:01 PM

Is it just me or has Spybot not been fixed??? I have version 1.3 of Spybot and have updated it several times so the definitions should be up to date - and the DSO exploit message keeps coming back! My IE updates are up to date so I am not worrying.

Thanks.

nigel
December 4, 2004 6:17 AM

Read all the articles, I have noted experts' comments and spent hours surfing, I do have all the patches updates sp2 etc however it took a manual edit to remove this pest, It is all very well saying keep updated or ignore it but why should we? microsoft has a patch i read, or it's not a problem, as I'm a gentleman I won't swear! I have spybot adaware spysweeper etc the list goes on and on, speaking as a relative newcomer to xp It is no longer a pleasure to use my pc. sick of having to research and pay for software etc I do not really want a pc crammed with anti this and that! I'm of two minds to pull the plug reinstall my system to its virgin state and not venture onto the net except via the public library, why can't some one write a simple program to automatically correct the registry error, I had to pay 20 pound to get mine done then I promptly backed up my pc so if it comes back i can sort it out, sp2 was supposed to be great solve most things NOT SO It should be made a criminal offence

audrey
December 4, 2004 10:30 AM

i've run spy bot several times and it keeps finding dso exploit AND my internet doesn't work. iexplorer just goes to res:shdoclc.dll/dnserror.htm and doesn't find the page or reverts to wtn-eto.comhp.htm2id=632 and mozilla will allow me to access one page and then it stops trying to build new pages and outlook can't reach the server.
i've recently installed xp and installed updates so don't know what else to do.
please help.

Larry
January 10, 2005 3:38 PM

Is the new exploit going to be a problem?
Internet Explorer has become an even bigger security risk -- even on Windows XP SP2 -- with the publication of a new and extensive exploit. Security researchers have warned that the exploit -- which takes advantage of known loopholes in SP2 -- could allow an attacker to run script code on a user's system via a specially crafted Web page. The holes involved have been known publicly for more than two months, but previous exploit techniques required the user to take actions such as dragging an image from one part of a Web page to another. The new exploit is fully automated, requiring the user only to visit a Web page in Explorer. Other browsers and operating systems aren't affected. Microsoft has warned users to turn off IE's "Drag and drop or copy and paste files" option as a partial solution. The danger can also be lessened by setting security levels to high for the "Internet" zone or, as several security firms pointed out, using another browser. Researchers have identified three separate, but related issues in IE. The first problem can be avoided by disabling the "Drag and drop or copy and paste files" option, but the new exploit doesn't rely on this particular bug

Anne
February 5, 2005 12:57 PM

I regularly check for and update (weekly) all Microsoft patches/updates along with any updates for spybot version 1.3. These products are right up to date. However, I continue to get the DSO Exploit in a number of registries when I run Search & Destroy. Thanks to all your information, I know I can safely ignore as I am up to date with all my updates etc. However,it is still very annoying. I thought the problem with the Spybot Search & Destroy program had been solved with a fix in one of its updates? Is this in fact, not the case? Am I missing something somewhere?

John Doe
February 5, 2005 3:17 PM

You can find the solution to your DSO Exploit problems here http://www.icervasoftware.ca/Home/DSOExploit.asp

Marina
February 6, 2005 12:06 PM

I don't know what causes the DSO exploit. But if you go to Major Geeks downloads, there in the spyware section there is a download that will fix it. you must have the latest programme of spybot installed for it to work.

Steve
February 11, 2005 3:55 PM

Leo, Thanks for the information. I have been trying to get this darn thing off of my registry for the past few days. Have done everything that I know of. Thanks for the information that it may in fact now not be a problem. Thanks again. Steve

Flash
February 13, 2005 10:04 PM

I found that my computer has "DSO exploit" and i thought "no biggy" till it never went away and i was forced into a mess of spyware popups i get 20-30 a day of these little things that claim i have "spyware on your computer" and such at first i didn't believe it because it told me to go to some gay site named something like "www.Fixyman.com" or "www.Fixyurboxnow.com" and such till one day it asked me to increase my ..body part and my mother found it and freaked out now i must get rid of this thing because my mom now thinks i look up mass amounts of porn. i have tried as much as i can have reformatted at least 20 times this year because of this thing and i'm now grabbing the power of the internet to lend me a hand to kill it...any pointers?

-thanks flash

Joe
February 16, 2005 7:53 PM

Leo, I'm not sure if this new Spybot download is real or not. I upgraded Spybot and did a new search, and it did not find the DSO EXPLOIT. Instead it showed "all clear, congratulations", but it never asked me to fix the problem.

Elliott
February 17, 2005 7:17 AM

"The short answer: it's a bug in Internet Explorer . . ."

I use Mozilla Firefox for my browser, and Thunderbird for news-email. Does this mean that I don't have to worry about the DSO Exploit?

Leo
February 17, 2005 8:29 PM

No, and yes. You still have Internet Explorer on your machine, and it's used by certain applications, and is required for things like Windows Update. So you should still make sure that it's fully up to date, after which you need no longer worry about DSO exploit.

kareme
February 18, 2005 11:56 AM

There is this ugly search bar at the bottom of my computer screen and it's so annoying. I can't get rid of it. Please help me.

Leo
February 19, 2005 9:06 AM

I'd start with a spyware scan: http://ask-leo.com/spyware_how_do_i_remove_and_avoid_spyware.html

Rebecca
May 24, 2005 9:07 PM

Thanks so much for the help! I've finally removed DSO!!

Insolado
May 25, 2005 2:31 PM

Hola!
I might be wrong, but you can't get rid of a DSO Exploit. As I understand it, it is a Data Source Object vulnerability in Internet Explorer, Outlook and Outlook Express (something like a security hole that spyware uses). These types of spyware can be difficult to remove, and if removal is successful, it often returns soon after. Even when ActiveX controls have been disabled, a DSO Exploit is capable of operating and invading a PC. Even if you are up to date on your Microsoft Patches, like I am, programs like Spybot Search and Destroy will keep reporting it.
To fix the problem (which is the vulnerability, not getting rid of the exploit) I used a small program, which is a freebie, by the name DSO Stop 2. It will patch the hole and you will never see the red lettering "DSO" after you run Spybot.

Leo
May 27, 2005 7:24 PM

That program is unnecessary. As the article clearly states, ALL you have to do is keep Internet Explorer up to date. That's all.

Thierry
July 2, 2005 9:46 AM

I have Spybot updated and there is nothing that removes the blue tool bar at the bottom of my screen. It appears every time I open Internet Explorer and the bar doesn't respond anymore.
I'll describe it to you so you can see if you've seen it before: there are 6 links: 1. Make Money, 2. Music, 3. Casino, 4. Investing, 5. Travel, 6. Mortgage, then 6 scroll bars: Dating, Travel, Careers, Credit, Computer and Insurance. After that, there is a search space where you can write something. It has the skin of Windows XP and the little 'x' to close the window is inactive... Can someone help?

Leo
July 2, 2005 8:43 PM

Definitely sounds like spyware. I'd try another spyware program like Microsoft's AntiSpyware scanner.

bubba
August 25, 2005 1:47 PM

try this:

http://www.pchell.com/support/dsoexploit.shtml

Rich E
August 25, 2005 8:02 PM

I have many protections on my computer. They are:
Spybot Search & Destroy
Spyware Blaster
Microsoft's AntiSpyware beta
Adaware
Winpatrol
Spyware Doctor
All of these programs are kept updated. A few days ago my browser became hijacked, so I ran several scans and discovered a nasty trojan and a variant of CWS. Worst thing is they keep returning. I have my Windows updates turned on, so I should be up to date. During a routine scan DSO exploit came up.
Can you help me?

Chris.g
August 26, 2005 8:27 PM

Can someone help me get rid of this, plz:

Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET
Dialer:dialer.akd No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ .

I've used the following programs to get rid of them with no luck:

Search and Destroy
Spyware Doctor
Ad-Aware SE Personal
SpywareBlaster

and yet I still have these dialers!!! I'm using Panda ActiveScan
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

and it keeps telling me I have these two dialers... plz help!

John Susi
September 14, 2005 8:05 AM

DSO cannot be removed with spyware programs. The reason is that it comes with a DLL. You must edit the registry: henkey users/software microsoft/internet settings/ zones.

If you leave DSO in your registry you may begin to have a problem with your internet. Spybot will find DSO but will not remove it. DSO may remain on a disk that you may copy from a program.

Duffy
November 21, 2005 10:21 AM

DSO found by Spybot. DSO shown up by McAfee.. but it's still there in zipped files. Anyone know if I can put them through the McAfee shredder with a hope of success? Or will it hide them and let them operate?

matt
November 22, 2005 3:14 AM

I've followed the directions for updating the registry to fix the DSO Exploit problem, and yet the Exploit continues to return. It hasn't worked for me. Exploit continues to cause IE to attempt to connect at start-up. Any other suggestions?

Harborsidefx
December 16, 2005 11:43 AM

1) Make a note of the location of the exploit shown in Spybot, something similar to:
HKEY_USERS\S-1-5-21-1614895754-73586283-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
2) Click on Start, Run, and type REGEDIT and Press Enter to open the Windows Registry Editor
3) Find the location of the exploit above in the registry by clicking on the pluses (+) next to each title
4) After opening the Zones section and clicking on '0', look to the right window. Under 'Name' is the key '1004' and the type is REG_SZ. Simply right click and delete this REG_SZ value. Then right click and create New > DWORD Value, name it 1004, then right click on that and go to Modify, give it the Hex Value of 3, and click OK.
If there is only a DWORD Value for the key (in this case 1004), then double click on the key and change the HEX value to 3 and click Ok.
5) Close the Registry Editor and Reboot your computer
6) The DSO Exploit should now be removed and it should no longer appear in the Spybot Search and Destroy log as a problem.
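
The check described in the comment above, written as an added audit example (not part of the original comment and not Spybot's own logic): it reads a regedit export in .reg format and reports, for each user's `Zones\0` key, whether value `1004` is a DWORD equal to 3. The sample export and its SIDs are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in regedit's .reg export format; the SIDs are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-EXAMPLE-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"="3"

[HKEY_USERS\S-1-5-21-EXAMPLE-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000003

[HKEY_USERS\S-1-5-21-EXAMPLE-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000003
'''

KEY_RE = re.compile(r'^\[(.+\\Internet Settings\\Zones\\0)\]$', re.IGNORECASE)
VALUE_RE = re.compile(r'^"1004"=(.*)$')
EXPECTED = 3  # DWORD data the comment says value 1004 should hold


def classify(data):
    """Return 'ok', or the reason the raw .reg data for 1004 differs."""
    if data is None:
        return "missing"
    m = re.fullmatch(r'dword:([0-9a-fA-F]{8})', data)
    if not m:
        return "wrong type (not DWORD)"  # e.g. a REG_SZ written as "3"
    value = int(m.group(1), 16)
    return "ok" if value == EXPECTED else f"wrong value ({value})"


def audit(reg_text):
    """Map each zone-0 key found in a .reg export to the state of its 1004 value."""
    results, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            results[current] = classify(None)  # stays 'missing' until 1004 is seen
        elif line.startswith('['):
            current = None  # some other key: ignore its values
        elif current and (val := VALUE_RE.match(line)):
            results[current] = classify(val.group(1))
    return results


if __name__ == "__main__":
    for key, state in audit(SAMPLE_REG).items():
        print(f"{state:24} {key}")
```

Files saved by regedit's Export are normally UTF-16, so decode a real export with `encoding="utf-16"` before passing its text to `audit`.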

Neil
April 23, 2007 7:47 AM

I have found DSO Exploit does prevent certain Web pages from loading - eg Oracle Forms applications (doesn't affect Mozilla Firefox).

Going to try editing the registry - is this going to remove DSO exploit for good (Spybot removes it but it returns)

Comments on this entry are closed.
