#1
Does anyone have any more information on IE Exploit (as reported in SpywareBlaster)?

The CLSIDs are: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B and 72C24DD5-D70A-438B-8A42-98424B88AFB8.

It seems that some of the machines at my company have this IE Exploit, but when I run HijackThis everything looks normal. When I search Google for the first CLSID, I get snippets of Microsoft VM exploit code from various security sites that reference the CLSID. I have verified that the affected machines are on the latest MS VM. When I Google the second CLSID, I get references to the Windows Script Host Shell Object, also legitimate. Is it possible that SB got some bogus information and that these are legit CLSIDs? Or does SB add killbits for these CLSIDs to PREVENT an exploit? For example, I found some Java code on the Net that can add shortcuts to the desktop just by browsing an HTML page. The code contained the second CLSID. Is this why the "IE Exploit" killbits are in SB?

Any help or more information would be appreciated...

Here are 3 of the HJT logs:

```
Logfile of HijackThis v1.97.1
Scan saved at 3:54:36 PM, on 12/1/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
C:\Program Files\Network Associates\NetShield 2000\VsTskMgr.exe
C:\EPOAgent\naimas32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Websense\EIM\bin\XidDcAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE
C:\EPOAgent\naimag32.exe
C:\Program Files\IDETOOL\IDETOOL.EXE
C:\WINNT\System32\MsiExec.exe
C:\Documents and Settings\beammeup\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37893.5375231481
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.0) Control) - http://10.100.130.10/cab/Live.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{202252C6-23C8-4918-A087-806DF45B4FD6}: NameServer = 24.29.1.218,24.29.1.219
O17 - HKLM\System\CS1\Services\Tcpip\..\{202252C6-23C8-4918-A087-806DF45B4FD6}: NameServer = 24.29.1.218,24.29.1.219
O17 - HKLM\System\CS2\Services\Tcpip\..\{202252C6-23C8-4918-A087-806DF45B4FD6}: NameServer = 24.29.1.218,24.29.1.219
```

```
Logfile of HijackThis v1.97.1
Scan saved at 3:30:30 PM, on 12/1/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\EPOAgent\naimas32.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Websense Reporter\Reporter\WsScheduler.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\PopupRemover\PopRController.exe
C:\WINNT\System32\hpnra.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\AltDesk\altdesk.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Look@LAN\LookAtHost.exe
C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
C:\Program Files\12Ghosts\12sync.exe
C:\Program Files\12Ghosts\12wash.exe
C:\Documents and Settings\mmatzko\Start Menu\Programs\Startup\HIDEIT.EXE
C:\Program Files\Software by Design\PassKeep.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\mmatzko\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkagogo.com/go/Home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D2C1DA4-BCD3-4317-9548-2E08BD222FF0} - C:\PROGRA~1\POPUPR~1\POPUPS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PopupRemoverCtrl] C:\Program Files\PopupRemover\PopRController.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKCU\..\Run: [AltDesk] C:\Program Files\AltDesk\altdesk.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: 12Ghosts Synchronize.lnk = C:\Program Files\12Ghosts\12sync.exe
O4 - Startup: 12Ghosts Wash.lnk = C:\Program Files\12Ghosts\12wash.exe
O4 - Startup: HIDEIT.EXE
O4 - Startup: Password Keeper.lnk = C:\Program Files\Software by Design\PassKeep.exe
O4 - Global Startup: Look@Host.lnk = C:\Program Files\Look@LAN\LookAtHost.exe
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4AA40B45-EC35-45C3-B4EA-D04E85917DA1} (WDCapture Class) - https://wip3.webdialogs.com/components/WDATL2.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.0) Control) - http://lv-dvss/cab/Live.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A577663-A7CA-4A11-9AA7-1A56F884FB2B}: NameServer = 24.29.1.218,24.29.1.219
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A577663-A7CA-4A11-9AA7-1A56F884FB2B}: NameServer = 24.29.1.218,24.29.1.219
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A577663-A7CA-4A11-9AA7-1A56F884FB2B}: NameServer = 24.29.1.218,24.29.1.219
```

```
Logfile of HijackThis v1.97.1
Scan saved at 3:22:39 PM, on 12/1/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\EPOAgent\naimas32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\QuickTime\qttask.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\temp1\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 63.210.252.106 mdaweb
O1 - Hosts: 63.210.252.105 webview
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F9BBD4B-6F71-4EA0-B2B9-2DEBBC1D27E6} (LVSecurity Class) - https://63.210.252.102/sysadmin/LVWebSecurity.dll
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://63.210.252.107/tsweb/msrdp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.2856134259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/229/webolr/OCX/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A3B1C25-0376-4CD9-872C-4504221DB23E}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A3B1C25-0376-4CD9-872C-4504221DB23E}: NameServer = 192.168.0.1
```
#2
You're exactly right here - they were added to help prevent various exploits. So there's no need to worry. But you can sleep a little more soundly at night.

Best regards,
-Javacool
__________________
*Official BrightFort Website* *SpywareBlaster* *Please note: I am not responsible if any advice herein causes any trouble whatsoever *
#3
So it appears that there are 3 types of entries in SB: cookie-blocks, killbits for actual spyware controls, and "anti-exploit" killbits.

Are the IE Exploit entries the only 2 anti-exploit killbits currently? Are there any more of these exploit-blocking CLSIDs that I should know about? The reason I am asking is because I integrated a JavaScript "spyware scanner" into the main page of my corporate Intranet website by looking for CLSIDs loaded on client machines. The IE Exploit killbits were setting off false positives on machines, not because they were infected by the IE Exploit spyware like I thought, but rather because they were missing the "anti-exploit killbit" meant to prevent the IE Exploit. Therefore it would be helpful to know what other non-real-spyware killbits there are, so I can only scan for actual spyware/adware in my scanner.

Thanks so much!
- Slater
#4
Currently those should be the only two "anti-exploit" killbits. I'll make sure to mark any future exploit protections similarly.

Best regards,
-Javacool
__________________
*Official BrightFort Website* *SpywareBlaster* *Please note: I am not responsible if any advice herein causes any trouble whatsoever *
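The check Slater's scanner needs, as an added example that is not code from the thread, from SpywareBlaster or from Javacool: a PowerShell function that reads the Internet Explorer ActiveX Compatibility killbit for a list of CLSIDs and labels the two CLSIDs from post #1 as anti-exploit killbits, so that a missing killbit on them is reported as missing protection rather than as a spyware hit. The function name, the sample CLSID list and the verdict strings are my own assumptions; the registry path, the "Compatibility Flags" value and the 0x400 killbit flag are the documented IE mechanism that SpywareBlaster's protection relies on.

```powershell
# Added example for this thread (not SpywareBlaster's or the posters' code).
# Reads the IE ActiveX Compatibility killbit for each CLSID and separates the
# two anti-exploit killbits named in this thread from any other killbit, so an
# inventory script does not treat a *missing* protective killbit as an infection.

# The two CLSIDs from post #1; post #4 confirms they are SpywareBlaster's
# "anti-exploit" killbits, not killbits for real spyware controls.
$AntiExploitKillbits = @(
    '{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}',
    '{72C24DD5-D70A-438B-8A42-98424B88AFB8}'
)

# Bit in "Compatibility Flags" that tells IE never to instantiate the control.
$KillbitFlag = 0x400

# Registry views to inspect: native, plus the 32-bit view on 64-bit Windows
# (32-bit IE reads its killbits from Wow6432Node).
$ActiveXCompatPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillbitStatus {
    <#
      Returns one object per CLSID and registry view: the raw flags, whether the
      killbit is set, and a verdict that distinguishes a missing anti-exploit
      killbit (re-apply SpywareBlaster's protection) from an unblocked control
      that a spyware-oriented scan might actually care about.
    #>
    param(
        [Parameter(Mandatory)][string[]]$Clsid
    )

    foreach ($base in $ActiveXCompatPaths) {
        # No Wow6432Node hive on 32-bit Windows; skip views that do not exist.
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $view = if ($base -like '*Wow6432Node*') { '32-bit' } else { 'native' }

        foreach ($id in $Clsid) {
            $id = $id.ToUpperInvariant()
            $key = Join-Path $base $id
            $flags = 0
            if (Test-Path -LiteralPath $key) {
                $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
                if ($null -ne $item.'Compatibility Flags') {
                    $flags = [int]$item.'Compatibility Flags'
                }
            }

            $killed = (($flags -band $KillbitFlag) -ne 0)
            $isAntiExploit = ($AntiExploitKillbits -contains $id)   # -contains is case-insensitive

            $category = if ($isAntiExploit) { 'anti-exploit killbit' } else { 'other' }
            $verdict = if ($isAntiExploit) {
                if ($killed) { 'protected' } else { 'protection missing (not an infection)' }
            } else {
                if ($killed) { 'blocked' } else { 'not blocked' }
            }

            [pscustomobject]@{
                View       = $view
                Clsid      = $id
                Category   = $category
                Flags      = ('0x{0:X}' -f $flags)
                KillbitSet = $killed
                Verdict    = $verdict
            }
        }
    }
}

# Sample run (constructed): the two anti-exploit CLSIDs plus the Shockwave Flash
# CLSID that appears in the O16 lines of the posted HijackThis logs, which a
# normal machine leaves unblocked.
$sample = $AntiExploitKillbits + '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
Get-KillbitStatus -Clsid $sample | Format-Table -AutoSize
```

Reading HKLM needs no elevation, so this runs as an ordinary user or from a logon script. The practical point for an intranet scanner is the verdict column: a CLSID on the anti-exploit list should only ever produce "protected" or "protection missing", never a spyware alert, and an actual spyware check should key on the control being registered under HKCR\CLSID, not on whether a protective killbit happens to be absent.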
#5
Awesome, that would help out a ton.
Thanks!
- Slater