IE Exploit?

Discussion in 'SpywareBlaster & Other Forum' started by Slater, Dec 1, 2003.

Thread Status:
Not open for further replies.
  1. Slater

    Slater Registered Member

    Does anyone have any more information on IE Exploit (as reported in SpywareBlaster)?

    The CLSIDs are:

    F935DC22-1CF0-11D0-ADB9-00C04FD58A0B
    72C24DD5-D70A-438B-8A42-98424B88AFB8

    It seems that some of the machines at my company have this IE Exploit, but when I run HijackThis everything looks normal.

    When I search Google for the first CLSID, I get snippets of Microsoft VM exploit code from various security sites that reference the CLSID. I have verified that the affected machines are on the latest MS VM.

    When I Google the second CLSID, I get references to the Windows Script Host Shell Object, also legitimate.

    Is it possible that SB got some bogus information and that these are legit CLSIDs?

    Or does SB add killbits for these CLSIDs to PREVENT an exploit? For example, I found some Java code on the Net that can add shortcuts to the desktop just by browsing an HTML page. The code contained the second CLSID. Is this why the "IE Exploit" killbits are in SB?

    Any help or more information would be appreciated...

    Here are 3 of the HJT logs:

    ------------------------------------------------
    ------------------------------------------------

    Logfile of HijackThis v1.97.1
    Scan saved at 3:54:36 PM, on 12/1/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\llssrv.exe
    C:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
    C:\Program Files\Network Associates\NetShield 2000\VsTskMgr.exe
    C:\EPOAgent\naimas32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Websense\EIM\bin\XidDcAgent.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\cidaemon.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE
    C:\EPOAgent\naimag32.exe
    C:\Program Files\IDETOOL\IDETOOL.EXE
    C:\WINNT\System32\MsiExec.exe
    C:\Documents and Settings\beammeup\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
    O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37893.5375231481
    O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.0) Control) - http://10.100.130.10/cab/Live.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{202252C6-23C8-4918-A087-806DF45B4FD6}: NameServer = 24.29.1.218,24.29.1.219
    O17 - HKLM\System\CS1\Services\Tcpip\..\{202252C6-23C8-4918-A087-806DF45B4FD6}: NameServer = 24.29.1.218,24.29.1.219
    O17 - HKLM\System\CS2\Services\Tcpip\..\{202252C6-23C8-4918-A087-806DF45B4FD6}: NameServer = 24.29.1.218,24.29.1.219

    ------------------------------------------------
    ------------------------------------------------

    Logfile of HijackThis v1.97.1
    Scan saved at 3:30:30 PM, on 12/1/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
    C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\EPOAgent\naimas32.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Websense Reporter\Reporter\WsScheduler.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\WINNT\system32\atiptaxx.exe
    C:\Program Files\PopupRemover\PopRController.exe
    C:\WINNT\System32\hpnra.exe
    C:\EPOAgent\naimag32.exe
    C:\Program Files\AltDesk\altdesk.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Look@LAN\LookAtHost.exe
    C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
    C:\Program Files\12Ghosts\12sync.exe
    C:\Program Files\12Ghosts\12wash.exe
    C:\Documents and Settings\mmatzko\Start Menu\Programs\Startup\HIDEIT.EXE
    C:\Program Files\Software by Design\PassKeep.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\mmatzko\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkagogo.com/go/Home
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3D2C1DA4-BCD3-4317-9548-2E08BD222FF0} - C:\PROGRA~1\POPUPR~1\POPUPS~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [PopupRemoverCtrl] C:\Program Files\PopupRemover\PopRController.exe
    O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
    O4 - HKCU\..\Run: [AltDesk] C:\Program Files\AltDesk\altdesk.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Startup: 12Ghosts Synchronize.lnk = C:\Program Files\12Ghosts\12sync.exe
    O4 - Startup: 12Ghosts Wash.lnk = C:\Program Files\12Ghosts\12wash.exe
    O4 - Startup: HIDEIT.EXE
    O4 - Startup: Password Keeper.lnk = C:\Program Files\Software by Design\PassKeep.exe
    O4 - Global Startup: Look@Host.lnk = C:\Program Files\Look@LAN\LookAtHost.exe
    O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4AA40B45-EC35-45C3-B4EA-D04E85917DA1} (WDCapture Class) - https://wip3.webdialogs.com/components/WDATL2.cab
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.0) Control) - http://lv-dvss/cab/Live.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1A577663-A7CA-4A11-9AA7-1A56F884FB2B}: NameServer = 24.29.1.218,24.29.1.219
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1A577663-A7CA-4A11-9AA7-1A56F884FB2B}: NameServer = 24.29.1.218,24.29.1.219
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1A577663-A7CA-4A11-9AA7-1A56F884FB2B}: NameServer = 24.29.1.218,24.29.1.219

    ------------------------------------------------
    ------------------------------------------------

    Logfile of HijackThis v1.97.1
    Scan saved at 3:22:39 PM, on 12/1/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
    C:\Windows\system32\spoolsv.exe
    C:\Windows\System32\Ati2evxx.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
    C:\EPOAgent\naimas32.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\EPOAgent\naimag32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\temp1\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O1 - Hosts: 63.210.252.106 mdaweb
    O1 - Hosts: 63.210.252.105 webview
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4F9BBD4B-6F71-4EA0-B2B9-2DEBBC1D27E6} (LVSecurity Class) - https://63.210.252.102/sysadmin/LVWebSecurity.dll
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://63.210.252.107/tsweb/msrdp.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.2856134259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/229/webolr/OCX/FlashAX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5A3B1C25-0376-4CD9-872C-4504221DB23E}: NameServer = 192.168.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5A3B1C25-0376-4CD9-872C-4504221DB23E}: NameServer = 192.168.0.1

    ------------------------------------------------
    ------------------------------------------------
  2. javacool

    javacool BrightFort Moderator

    You're exactly right here - they were added to help prevent various exploits.

    So there's no need to worry. But you can sleep a little more soundly at night. ;)

    Best regards,

    -Javacool
  3. Slater

    Slater Registered Member

    So it appears that there are 3 types of entries in SB: cookie-blocks, killbits for actual spyware controls, and "anti-exploit" killbits.

    Are the IE Exploit entries the only 2 anti-exploit killbits currently? Are there any more of these exploit-blocking CLSIDs that I should know about?

    The reason I am asking is because I integrated a JavaScript "spyware scanner" into the main page of my corporate Intranet website that looks for CLSIDs loaded on client machines. The IE Exploit killbits were setting off false positives on machines, not because they were infected by the IE Exploit spyware like I thought, but rather because they were missing the "anti-exploit killbit" meant to prevent the IE Exploit.

    Therefore it would be helpful to know what other non-real-spyware-killbits there are so I can only scan for actual spyware/adware in my scanner.

    Thanks so much!

    - Slater
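The false-positive problem described in the post above comes from treating "this CLSID has a kill bit" as "this control is installed". The following PowerShell script is an added example, not code from the thread, from SpywareBlaster, or from the poster's scanner. It reads the same registry location SpywareBlaster writes to (the documented ActiveX Compatibility key, where the kill bit is the 0x400 bit of the `Compatibility Flags` DWORD), and separately checks whether a server is actually registered under HKCR\CLSID, so an inventory script can tell a preventive kill bit apart from an installed control. The function name `Get-ClsidStatus`, the `$antiExploit` list (seeded with the two CLSIDs from the thread) and the verdict wording are this example's own choices; it assumes it is run on the client with read access to HKLM and HKCR.

```powershell
# Added example: classify ActiveX kill-bit entries so a CLSID inventory does not
# report preventive kill bits as infections. Assumes read access to HKLM/HKCR.
$KillBitFlag = 0x400   # documented kill-bit value in "Compatibility Flags"
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# The two "anti-exploit" CLSIDs named in the thread; extend with your own list.
$AntiExploit = @(
    '{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}',
    '{72C24DD5-D70A-438B-8A42-98424B88AFB8}'
)

function Get-ClsidStatus {
    param([Parameter(Mandatory)][string]$Clsid)

    # 1. Is the kill bit set for this CLSID?
    $flags = 0
    $compatKey = Join-Path $CompatRoot $Clsid
    if (Test-Path $compatKey) {
        $item = Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($item) { $flags = [int]$item.'Compatibility Flags' }
    }
    $killBit = (($flags -band $KillBitFlag) -ne 0)

    # 2. Is any COM server actually registered for it? A kill bit alone proves
    #    nothing about installation; SpywareBlaster adds them pre-emptively.
    $clsidKey   = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $registered = Test-Path $clsidKey
    $server = $null
    if ($registered) {
        $inproc = Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue
        if ($inproc) { $server = $inproc.'(default)' }
    }

    # 3. Verdict: only "installed, no kill bit" or an unexpected installed server
    #    deserves a second look; the rest is expected protective state.
    $verdict =
        if ($AntiExploit -contains $Clsid)  { 'anti-exploit kill bit (expected, not an infection)' }
        elseif ($killBit -and -not $registered) { 'preventive kill bit, control not installed' }
        elseif ($killBit -and $registered)  { 'kill bit set, control present but blocked in IE' }
        elseif ($registered)                { 'control installed, NO kill bit - review' }
        else                                { 'not present on this machine' }

    [pscustomobject]@{
        CLSID      = $Clsid
        KillBit    = $killBit
        Registered = $registered
        Server     = $server
        Verdict    = $verdict
    }
}

# Inventory every CLSID that carries a Compatibility Flags entry.
if (Test-Path $CompatRoot) {
    Get-ChildItem -Path $CompatRoot |
        ForEach-Object { Get-ClsidStatus -Clsid $_.PSChildName } |
        Sort-Object Verdict, CLSID |
        Format-Table -AutoSize
}
```

The Windows Script Host Shell Object CLSID from the thread will normally show up as "kill bit set, control present but blocked in IE", since the object is a legitimate, registered component and the kill bit only stops Internet Explorer from instantiating it from a web page; that is exactly the state the poster's scanner was misreading as an infection.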
  4. javacool

    javacool BrightFort Moderator

    Currently those should be the only two "anti-exploit" killbits.

    I'll make sure to mark any future exploit protections similarly. :)

    Best regards,

    -Javacool
  5. Slater

    Slater Registered Member

    Awesome, that would help out a ton.

    Thanks!

    - Slater