IE Exploit?

Does anyone have any more information in IE Exploit (as reported in Spyware Blaster)?

The CLSIDs are:

F935DC22-1CF0-11D0-ADB9-00C04FD58A0B
72C24DD5-D70A-438B-8A42-98424B88AFB8

It seems that some of the machines at my company have this IE Exploit, but when I run HijackThis everything looks normal.

When I search Google for the first CLSID, I get snippets of Microsoft VM exploit code from various security sites that references the CLSID. I have verified that the affected machines are on the latest MS VM.

When Google the second CLSID, I get references to the Windows Script Host Shell Object, also legitimate.

Is it possible that SB got some bogus information and that these are legit CLSIDs?

Or does SB add these CLSIDs killbits to PREVENT an exploit? For example, I found some java code on the Net that can add shortcuts to the desktop just by browsing an html page. The code contained the second CLSID. Is this why the "IE Exploit" killbits are in SB?

Any help or more information would be appreciated...

Here are 3 of the HJT logs:

------------------------------------------------
------------------------------------------------

Logfile of HijackThis v1.97.1
Scan saved at 3:54:36 PM, on 12/1/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\NetShield 2000\Mcshield.exe
C:\Program Files\Network Associates\NetShield 2000\VsTskMgr.exe
C:\EPOAgent\naimas32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Websense\EIM\bin\XidDcAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE
C:\EPOAgent\naimag32.exe
C:\Program Files\IDETOOL\IDETOOL.EXE
C:\WINNT\System32\MsiExec.exe
C:\Documents and Settings\beammeup\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\NetShield 2000\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37893.5375231481
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.0) Control) - http://10.100.130.10/cab/Live.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{202252C6-23C8-4918-A087-806DF45B4FD6}: NameServer = 24.29.1.218,24.29.1.219
O17 - HKLM\System\CS1\Services\Tcpip\..\{202252C6-23C8-4918-A087-806DF45B4FD6}: NameServer = 24.29.1.218,24.29.1.219
O17 - HKLM\System\CS2\Services\Tcpip\..\{202252C6-23C8-4918-A087-806DF45B4FD6}: NameServer = 24.29.1.218,24.29.1.219

------------------------------------------------
------------------------------------------------

Logfile of HijackThis v1.97.1
Scan saved at 3:30:30 PM, on 12/1/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\EPOAgent\naimas32.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Websense Reporter\Reporter\WsScheduler.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\PopupRemover\PopRController.exe
C:\WINNT\System32\hpnra.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\AltDesk\altdesk.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Look@LAN\LookAtHost.exe
C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
C:\Program Files\12Ghosts\12sync.exe
C:\Program Files\12Ghosts\12wash.exe
C:\Documents and Settings\mmatzko\Start Menu\Programs\Startup\HIDEIT.EXE
C:\Program Files\Software by Design\PassKeep.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\mmatzko\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.linkagogo.com/go/Home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D2C1DA4-BCD3-4317-9548-2E08BD222FF0} - C:\PROGRA~1\POPUPR~1\POPUPS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PopupRemoverCtrl] C:\Program Files\PopupRemover\PopRController.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKCU\..\Run: [AltDesk] C:\Program Files\AltDesk\altdesk.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: 12Ghosts Synchronize.lnk = C:\Program Files\12Ghosts\12sync.exe
O4 - Startup: 12Ghosts Wash.lnk = C:\Program Files\12Ghosts\12wash.exe
O4 - Startup: HIDEIT.EXE
O4 - Startup: Password Keeper.lnk = C:\Program Files\Software by Design\PassKeep.exe
O4 - Global Startup: Look@Host.lnk = C:\Program Files\Look@LAN\LookAtHost.exe
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4AA40B45-EC35-45C3-B4EA-D04E85917DA1} (WDCapture Class) - https://wip3.webdialogs.com/components/WDATL2.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.0) Control) - http://lv-dvss/cab/Live.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A577663-A7CA-4A11-9AA7-1A56F884FB2B}: NameServer = 24.29.1.218,24.29.1.219
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A577663-A7CA-4A11-9AA7-1A56F884FB2B}: NameServer = 24.29.1.218,24.29.1.219
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A577663-A7CA-4A11-9AA7-1A56F884FB2B}: NameServer = 24.29.1.218,24.29.1.219

------------------------------------------------
------------------------------------------------

Logfile of HijackThis v1.97.1
Scan saved at 3:22:39 PM, on 12/1/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\NetScreen\NetScreen-Remote\IreIKE.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\NetScreen\NetScreen-Remote\IPSecMon.exe
C:\EPOAgent\naimas32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\QuickTime\qttask.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\temp1\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 63.210.252.106 mdaweb
O1 - Hosts: 63.210.252.105 webview
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\NetScreen\NetScreen-Remote\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F9BBD4B-6F71-4EA0-B2B9-2DEBBC1D27E6} (LVSecurity Class) - https://63.210.252.102/sysadmin/LVWebSecurity.dll
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://63.210.252.107/tsweb/msrdp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.2856134259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/229/webolr/OCX/FlashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A3B1C25-0376-4CD9-872C-4504221DB23E}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A3B1C25-0376-4CD9-872C-4504221DB23E}: NameServer = 192.168.0.1

------------------------------------------------
------------------------------------------------

 

You're exactly right here - they were added to help prevent various exploits.

So there's no need to worry. But you can sleep a little more soundly at night.

Best regards,

-Javacool

 

So it appears that there are 3 types of entries in SB: cookie-blocks, killbits for actual spyware controls, and "anti-exploit" killbits.

Is the IE Exploit the only 2 anti-exploit killbits currently? Is there any more of these exploit-blocking CLSIDs that I should know about?

The reason I am asking is because I integrated a javascript "spyware scanner" in the main page a my corporate Intranet webpage by looking for CLSIDs loaded on client machines. The IE Exploit killbits were setting off false positives on machines not because they were infected by the IE Exploit spyware like I thought, but rather because they were missing the "anti-exploit killbit" meant to prevent the IE Exploit.

Therefore it would be helpful to know what other non-real-spyware-killbits there are so I can only scan for actual spyware/adware in my scanner.

Thanks so much!

- Slater

 

Currently those should be the only two "anti-exploit" killbits.

I'll make sure to mark any future exploit protections similarly.

Best regards,

-Javacool

 

Awesome, that would help out a ton.

Thanks!

- Slater