Re: Computer freezes when scanning for updates
From: dak (microsoft-public-windowsupdate_at_spamtrap.cjb.net)
Date: 08/01/04
- Next message: ABNER: "UNABLE TO INSTALL KB838358"
- Previous message: Gav: "windows update v5 install but autoupdate only set to download - not install!"
- In reply to: Bill Pressegh: "RE: Computer freezes when scanning for updates"
- Next in thread: Bill Pressegh: "Re: Computer freezes when scanning for updates"
- Reply: Bill Pressegh: "Re: Computer freezes when scanning for updates"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 01 Aug 2004 06:36:04 -0500
On Sat, 31 Jul 2004 14:51:01 -0700, "Bill Pressegh" <Bill
Pressegh@discussions.microsoft.com> wrote:
>I have the same problem with DSO Exploit, and I followed your suggestion but could not
>delete the registry entry, it would not delete all values. When I first did it
>it showed one default item which I tried to delete. I then reran spybot and now
>there are many items in the register zone, nonre highlighted. Any ideas would
>be appreciated
My standard blurb on the DSP Exploit flagged by Spybot S&D:
Basically, Spybot is finding that the security setting for "Download unsigned
ActiveX controls" for the (normally) hidden "My Computer" zone in Internet
Explorer is not set to disabled, and a minor bug is preventing Spybot from
repairing it properly so it is again detected on the next scan.
You are probably seeing several keys similar to this one:
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3
The "\0\" points to the My Computer Zone. The key "1004" holds the value for
the specific setting "Download unsigned ActiveX controls". The "!=" means "not
equal". "W=3" (word value of 3) specifically means "disabled". Spybot is
finding that this setting is not disabled for various users defined on the
system.
When it actually goes to fix that value (setting the value to 3) it isn't
setting it to the proper type of data element - a DWORD value. So, that registry
item ends up with no value at all after the fix is performed, and each time you
scan again Spybot will find the value in those keys is still not equal to 3.
You can fix it manually if you're comfortable with editing the registry - just
run regedit and edit the keys to a DWORD value of 3. Go to each specific key
Spybot flagged and right-click on the bad 1004 key (will show a REG_SZ instead
of a REG_DWORD for data type) in the right panel and select Delete. Then in a
blank section in that same right panel in regedit, do a right-click and add a
"New" > "DWORD" value. Name the new DWORD value 1004 (like the one you just
deleted). When it is created, double-click on it and enter a value of 3. If
you have multiple versions of this under different users on your system, you'll
need do the same thing for each of them.
After manually repairing the keys run Spybot again to see if you missed any
keys. Don't let Spybot try to fix any of the keys, just use it to find the
specific problem locations.
Or, you could write a REG file to merge all the fixes at one time. I'm not
going to cover that, but I mention it just to try to cover all your options.
If you are up to date on all of your Windows patches you should be protected
from this exploit and you could wait until Spybot is finally patched. The
general expectation was this would be corrected in 1.3, but it wasn't.
So you can leave it as is and wait for a patched Spybot, set Spybot to ignore
it, or correct it manually.
-- dak
- Next message: ABNER: "UNABLE TO INSTALL KB838358"
- Previous message: Gav: "windows update v5 install but autoupdate only set to download - not install!"
- In reply to: Bill Pressegh: "RE: Computer freezes when scanning for updates"
- Next in thread: Bill Pressegh: "Re: Computer freezes when scanning for updates"
- Reply: Bill Pressegh: "Re: Computer freezes when scanning for updates"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
