New Computer Spybot Scan

Discussion in 'Malware Help (A Specialist Will Reply)' started by KM1, Aug 19, 2005.

  1. KM1

    KM1 Private First Class

    I just helped my sister with her new computer. One of the tools we downloaded was Spybot S&D v1.4. The first scan turned up two security issues regarding the firewall notification and virus notification. Since I have turned off MS Security Center these will come up and can be ignored. She is going to use her McAfee Security Center to notify her. However, there were two other things that came up:

    1 ShowWnd with 1 registry entry - my search reveals this as a bad name for something Gateway uses on their system for their wireless keyboards

    1 DSO Exploit with 5 registry entries - she is fully up to date with Windows XP SP2 updates and I do not know why this is coming up. Is this something to be investigated further, or can it be ignored, or should it be fixed? If fixed, should it be done in safe mode?

    Any help would be appreciated.

    Security Software on Machine:
    2Wire Router DSL connection
    McAfee VirusScan 10
    McAfee Firewall Plus
    Spybot S&D v1.4
    Spysweeper 4.0
    Xcleaner - scanner
    Adaware SE w/vx2 addin
    Spyware Blaster
    Window Washer - Webroot


    KM1
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Showwnd.exe is a backdoor trojan. If that is what you have it is bad.

    It would be better if you just attached the Spybot log. You should not be seeing DSO Exploit problems!
     
  3. KM1

    KM1 Private First Class

    Ok, this is very interesting. Got home to my own computer. Spybot has been clean since day one. Just updated to new defs and got the exact same DSO Exploits. Probably like the way version 1.3x did before the fix. However, I am using version 1.4. I have another machine I will run a Spybot scan on before the update, then after, and see what happens. All machines I am testing here are Windows XP w/SP2 fully up to date. I will post back with my results.

    The computer the original post was referring to is a brand new Gateway. Have done some searching on that ShowWnd and found this link for Gateway:

    http://support.gateway.com/s/SOFTWARE/Medialess/MLXPMC0/MLXPMC0il.shtml

    also this:

    http://www.bleepingcomputer.com/forums/ShowWndexe-is-not-always-a-virus-tx27411-0.html#entry154640


    Chaslang, would you still like to see the log from the original Gateway? It is my sister's, which I have been trying to set up and make sure is clean. Will let you know about my computer and what it finds with these NEW DSO Exploits by Spybot.

    KM1
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is the date of your detections file?
    There was an update just today so it should be 2005-08-19

    Post the Spybot log file. I do not see any such problems on PC where I have run it.
     
    Last edited: Aug 19, 2005
  5. KM1

    KM1 Private First Class

    They are today's defs, 2005/8/19. In about 20 minutes I will run a scan with the old defs on my other machine, update, and run a new scan. This machine was also clean before today so I will post back as soon as I get that info. I will post the log file from one of my computers. I cannot post the file from my sister's yet because I am not there. What did you think about those two links and the ShowWnd on the Gateway?

    KM1
     
  6. KM1

    KM1 Private First Class

    OK, did a Spybot scan with just the last known defs and, congratulations, no problems. Updated Spybot with today's defs, ran a scan and bam, DSO Exploits, 5 of them. I will attach the Spybot log. Now I have 3 machines, 2 Dell & 1 Gateway, all showing DSO Exploits. I would venture to guess that they are all the same exploit. Here is the log, Chaslang.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your settings for DSO Exploit are not correct. Have Spybot fix them. If they keep changing back, you have another tool blocking the change or you have malware at play.

    I don't believe that Zones\0 is supposed to contain the 1004 item at all. Only Zones\1 to 4 should!
     
  8. KM1

    KM1 Private First Class

    Chaslang,

    Three clean computers, all clean before these definitions, all of a sudden all three with the same DSO Exploits. That is awful strange and sounds very similar to the new defs they came out with a couple weeks ago that notified you of the Security Center being disabled. Are you sure these are not either false positives or new informational type warnings like the ones regarding the Security Center a couple of weeks ago? Just seems so strange.

    KM1
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have run the new version with the latest definitions on about 5 PCs. I see no problems.

    It is possible that it is a new addition in Spybot to check something that was not found before. I do not know at this time. All I can say is that, I do not see this on any other PCs. At least not yet. Yes, it is possible that more users could start reporting this.

    But if the value in Zones\0 for the 1004 key is not a 3, it still would indicate a DSO Exploit.
     
    Last edited: Aug 20, 2005
  10. KM1

    KM1 Private First Class

    Chaslang,

    Have a post at Castle Cops in their Spybot section. They have seen this as well. There was a link to the Spybot forum; here is the link:

    http://forums.net-integration.net/index.php?showtopic=32787&st=0&#entry156892

    I guess some are getting it and some are not. Both W2k and Windows XP SP2 fully updated. Interesting.

    What exactly does the DSO Exploit have to do with? I mean, is it part of internet connectivity? What does this zone value thing exactly do on a computer? Sorry for my ignorance.

    KM1
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  12. KM1

    KM1 Private First Class

    Not at this point. There tend to be two camps on this one right now. One camp is recommending to fix with Spybot while the other is recommending to use the ignore option. I read the info on the links you sent, interesting. I have also read a post and a link that talked about the idea that Spybot is actually looking for the patch that Microsoft used way back with SP1 to fix this vulnerability. (I think this was in my Castle Cops posting.) I am on SP2 so I should have all the past patches or fixes. Somehow the program is either falsely notifying of the missing patch or it is actually reporting the regkey value as being incorrect and needing to be fixed, as is stated by your links. I have an email in to Spybot themselves and am waiting for a reply before I figure out what is the best solution. Keep me posted on whatever else you find and I will do the same.

    KM1
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you manually look at the registry key, what value do you see in there? None of my PCs even show a Zones\0\1004 entry at all.
     
  14. KM1

    KM1 Private First Class

    I'm not real comfortable going in the registry even to just check an item. My luck with such things is not good. Is there an easy way to check it without going into regedit?

    KM1
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this (for the HJT log you posted).

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixdso.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixdso.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.


    Then reboot and rescan with Spybot and see if it is clean now. If not, try adding the patch in again, but do it from a safe mode boot.
     
    Last edited: Aug 22, 2005
  16. KM1

    KM1 Private First Class

    Chaslang,

    Sorry for taking so long to get back to you. Had some other issues to deal with. In the meantime, had gotten an email back from Spybot and they said I could fix it, but if I had another Security Center running I could ignore it. I do have another security center running but it seemed to be an either/or option, so I chose to fix to see if that would work before I applied the patch. It worked, it no longer comes back on 2 computers, and the 3rd is at college so I will have to take care of that when I get up there. Thanks for all your help. Continued good luck with spyware removal.

    KM1
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean by another Security Center? What is it that you have running? Do you mean McAfee? In other words, you disabled Windows Security Center and have McAfee?

    This is strange that they relate DSO Exploit to Security Center settings. I thought that the messages about "AntiVirusDisableNotify" and "FirewallDisableNotify" etc. were for Security Center issues with Spybot.
     
    Last edited: Aug 23, 2005
  18. KM1

    KM1 Private First Class

    Yes, when I first got McAfee products they recommended using their security center and turning off Windows Security Center. They conflicted in some way; however, I think they have fixed that, but I still leave it off and run only theirs. It might be best for me to copy the emails I got right here. I am sure you will be able to interpret what they meant much better than I. I just chose to "fix it" based on their first email. Here they are:


    Hello Kirk,

    DSO-Exploit is a security gap in Internet Explorer, Outlook and Outlook Express. Microsoft did already close this gap with security updates, so with current Windows updates and patches installed, it will no longer be a threat to your system. Spybot-S&D will still detect the DSO-Exploit, but instead of fixing it for good, it will unfortunately again set an invalid value. Therefore it will again be found with every scan. This little bug in Spybot-S&D has already been repaired.
    Please download our new version Spybot Search and Destroy 1.4. That should fix it.
    You will find links to several download locations for this new version on our web site: http://www.safer-networking.org/en/mirrors/index.html
    Please search for new updates after installing Spybot S&D 1.4.
    If the DSO Exploit still exists please have a look at our forum: http://forums.net-integration.net/index.php?showtopic=32787
    Some users have reported that it still won't be fixed. That can happen if you run another security software (like Microsoft AntiSpyware) or if you do not have admin rights.
    If this is not the problem please e-mail back to support@spybot.info. It is important to know if it is found once or more times and if you tried to fix it. If you tried to fix it please let us know if you get any message that it can't be fixed. So please attach a bug report to your e-mail.
    Notice: You can also exclude the DSO Exploit from the search.

    Best regards,
    Sandra
    Team Spybot


    Hello Kirk,

    With version 1.4 it should no longer come up.
    If you want to stay with 1.3 you can ignore it.
    You do not need to turn off your other security software.

    Best regards,
    Sandra
    Team Spybot

     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The message is only applicable if you were running Spybot 1.3 which I thought your messages indicated you were not. They told you to update from 1.3 to 1.4 to fix the problem but people are having problems with 1.4 still detecting DSO Exploit (falsely detecting I will qualify).
     
  20. KM1

    KM1 Private First Class

    Yes, I know the first part of that first email seems strange to me because I told them I am running 1.4. The second one also seems out of place, but the last half of the first one says to go to that link if 1.4 finds it, which I did, and in there it suggests either using fix to fix the problem permanently or to ignore if you are up to date with Windows XP. I think one of the members of the Spybot Team is posting in that area as well and agrees with the suggestions. Either of them was supposed to work so I used "fix" and it has not shown up again on subsequent scans. Strange. Hope the fix was the right thing to do. I was expecting it not to work and then applying your patch, but I never got that far since it is not coming back up.

    KM1
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some people are still having problems using Spybot 1.4 to Fix the problem. In a case here on MG's the user indicates that neither fixing with Spybot 1.4 nor manual registry editing worked. The thread I'm referring to is:

    http://forums.majorgeeks.com/showthread.php?t=70666

    Personally I feel something else is wrong and that is why it is not getting fixed.
     
  22. KM1

    KM1 Private First Class

    Interesting. So what do you think about my situation, along with the others at the Spybot forums where they chose to fix with 1.4 and it did not return? I have done this on two machines already and it did fix the issue. So should I just leave well enough alone and, since it is not coming up anymore in Spybot, assume that the keys are now correct?


    On a side note, I recently did a panda online scan, which has always come up clean before, and that son of a gun came up with this:


    Incident Status Location

    Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET


    What the heck is this dialer.bjp? Panda says it was found on July 8 2005 so it is recent, but you can't hardly find a thing when you google it, except in Italian. I ran Ad-Aware SE, Ewido, MSAS, Xcleaner, CCleaner, Spybot, McAfee VirusScan, and Trend Micro Online Spyware/Virus scan and they all come up clean. Even compared my HijackThis log to my old clean log and nothing has changed except for things I know I added. Plus, I run on a cable modem; the dial up modem is not even connected. I can locate that exact key down to the ARCHIVIOSEX.NET folder which has two keys in it. Do you know what this thing is? I don't go to any sites that might have this and have no idea where this sucker came from. Did the Panda scan because I noticed an extra process running in processes, 41 instead of my usual 40.

    KM1
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As long as Spybot fixed it, there is nothing to worry about.

    Panda is more than likely reporting something in your restricted zones (added by Spybot's Immunize or a similar application). So it is more than likely a false positive and they may be just keying on the name. Just check the value of the registry key and make sure it is a 4 and not a 2. Trusted Zone = 2 and Restricted Zone = 4. You do not want it in the TZ.
     
  24. KM1

    KM1 Private First Class

    Well what do you know. I did not even have to go into the registry. I went right into IE and into the restricted zone and here is what I found in there:

    dialercjb.net

    So this is what Panda found in my registry. How the heck are consumers like me supposed to know something like this? What tipped you off to this? What would have happened if I had deleted this key from the registry? Would it have been added back in again once I updated my Spybot or SpywareBlaster? Well thanks, I am pretty sure this is what it is now.

    KM1
     
  25. KM1

    KM1 Private First Class

    further inspection found this:

    archiviosex.net

    which is the last part of the Hkey entry that Panda is identifying:

    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET

    So is this exactly what Panda has found, and if so then there is no need to delete the key, right?

    KM1

    PS - Chaslang how the heck did you put that together!!!!
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This registry key:

    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS

    is used to store information related to the TZ and RZ. Based on the value seen in the key (as I said earlier) it determines whether it is in the TZ or RZ. If you run Spybot and use the Immunize feature, several thousand bad URL/IP addresses will be put into the RZ to help protect you from going there.
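
As an added example (not code from the thread, from Spybot or from MajorGeeks), here is a Python script that reads a regedit export of the Internet Settings key and checks the two things chaslang describes above and in post 9: which hosts under ZoneMap\Domains sit in the Restricted zone (4) versus the Trusted zone (2), and whether any Zones\N key carries a 1004 value that is not 3. The .reg text inside is a constructed sample (the hostname example.test is made up); a real export would come from regedit's File > Export on that key.

```python
import re

# Constructed sample of a regedit export; not a real export. The two restricted
# hosts are the ones named in the thread, "example.test" is a made-up TZ entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\archiviosex.net]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sgrunt.biz]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"http"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000003
"""

TRUSTED, RESTRICTED = 2, 4  # zone ids chaslang gives for the TZ and the RZ

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: int}} (dword values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'"([^"]*)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def zonemap_domains(keys):
    """Map each host under ZoneMap\\Domains to the set of zone ids assigned to it.
    A subkey chain such as Domains\\example.test\\www is the host www.example.test."""
    marker = "\\internet settings\\zonemap\\domains\\"
    hosts = {}
    for path, values in keys.items():
        lower = path.lower()
        idx = lower.find(marker)
        if idx != -1 and values:
            parts = lower[idx + len(marker):].split("\\")
            host = ".".join(reversed(parts))
            hosts.setdefault(host, set()).update(values.values())
    return hosts

def hosts_in_zone(keys, zone_id):
    """Sorted hosts that carry the given zone id (2 = TZ, which you do not want)."""
    return sorted(h for h, z in zonemap_domains(keys).items() if zone_id in z)

def zones_1004_not_3(keys):
    """Zone number -> 1004 value for every Zones\\N key whose 1004 is set but not 3."""
    bad = {}
    for path, values in keys.items():
        m = re.search(r"\\internet settings\\zones\\(\d)$", path.lower())
        if m and values.get("1004") not in (None, 3):
            bad[int(m.group(1))] = values["1004"]
    return bad
```

Running `hosts_in_zone(parse_reg(SAMPLE_REG), TRUSTED)` on the sample lists only the made-up host, which is exactly the kind of entry worth a closer look; the two thread hosts come back as Restricted.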
     
  27. KM1

    KM1 Private First Class

    Man, you are good. I would never have even thought to check this. Do you see any further need to actually go in and check the value of the key at this point, based on what I found in the IE restricted zone? If so, I am not familiar enough with how the registry works to see if the value of the key is a 2 or a 4. I know how to get into regedit and manually move to the key, but I do not know where to locate this value. Do you feel a need to still do this at this point?

    KM1

    Thanks for all your help, what a relief.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! If you saw it from IE in the RZ and also double checked to make sure it is not in the TZ then you are safe.

    You're welcome!
     
  29. KM1

    KM1 Private First Class

    Thought I would drop you one more note chaslang. It appears that the Online Scanner from Panda is starting to identify dialers in this restricted zone more often. Just thought I would let you know. You guys might be getting posts regarding this that are really not worth investigating. I just did another panda online scan and as soon as it got to Explorer it found another dialer. Now it says I have two, so I took your advice and went into the restricted zone and found that one too. Here is the log:


    Incident Status Location

    Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET
    Dialer:dialer.akd No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ

    This could get a little annoying after a while. At this rate I will have 100's of new malware according to Panda and it is really locating keys in my restricted zone. Just like ARCHIVIOSEX.NET was found in this zone, so was SGRUNT.BIZ, and neither is in my Trusted Zone. That box is blank. This just started happening this week so you guys might be getting posts like mine in the near future from people who use Spybot, SpywareBlaster, and then Panda online scan. Thanks for everything, I have learned so much in the last 6 months and it is very interesting. Good Luck Malware Hunting and Kill 'em all :)


    KM1
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have seen dozens of problems like this in the past already. And not just with Panda.
    While it is quite stupid on their part to not identify where the item is located before posting an alarm, it is not too big a deal since an educated user/malware fighter should immediately recognize the registry key and what it is used for. Then check to make sure the value represents the RZ and you're done.
     
