Prob with Shield after malware attack

Raccoon

Had a big malware/trojan attack (XP pro) recently. Luckily
had MS Anti Spy real time protection on. Immediately got
several msgs (1 msg. identified CWS) from MS AntiSpy &
disallowed all changes to my system, but one problem
persists - now every time I try to open Win Explorer, the MSAS
shield immediately warns something like 'IE shell browser
MS Shell Browser UI library (browseui.dll) is trying to
load and is being prevented from doing so by the shield'.
The path is to the C:/Windows/System32 folder; and there
seem to be 2 files there - browseui.dll & BROWSEUI(2).DLL !!!

This seems very suspicious to say the least. Can anyone
pleaseeeeeeeee tell me what the problem might be???

Besides MS, I've run Spysweeper, Spy Doc, AdAware, Bazooka,
X-Cleaner. Even ran 2 online AV tests.
 
Ron Chamberlin

Hi Raccoon,
On one hand I'm glad the MSAS worked. OTOH, too bad it didn't completely
kick it to the curb.
Try this, and let the group know if it worked:

Boot into Safe Mode (F8) at startup;
Empty your temporary files AND your Temporary Internet Files C:\Documents
and Settings\Username\Local Settings\Temporary Internet Files folder ;
Run the scan while in safe mode;
If you are running SP2, open IE--->Tools--->Manage Add-ons, and uncheck any
BHOs that you don't recognize.

Ron Chamberlin
MS-MVP
 
Raccoon

Thanks so much for the response!
Actually had already scanned in safe mode (after running scans in normal
mode), a day after the attack, using MSAS and Webroot. Found nothing.
However will do so again ...but I find that the signature version is 5691
dated 19 Feb, 05. Is this the latest version? Attempts to update give the
msg. that I already have the latest version installed. Is there a web page
somewhere which mentions the latest version?
Sorry if this is a repeat question, but I couldn't find an answer using
"search".
Also, as mentioned elsewhere, I'm unable to use the spyware report tool
either. Getting a proxy error (am not using one).

Thanks again. :)
 
Raccoon

I tried doing all that. Scanned in safe mode using 3 updated scanners
....nothing!
Scanned the browseui.dll & BROWSEUI(2).DLL online at
http://virusscan.jotti.org ...nothing!!
Checked all the BHOs also - all are legit.
Problem still persists.
Pleaseeeeeeeee advise....
 
Bill Sanderson

Can you restart, perhaps in safe mode, command prompt--and rename
browseui(2).dll?

It might be useful to hit each of these two files with the tools, advanced
tools, advanced (!!!) file analyzer, and post the results here, along with
your OS version and service pack level, so that we can compare.

There appear to be some situations in which a warning is given about this
file in apparently innocent situations--one of which appears to be associated
with having Google set as the search to be used when you press the Search
button on the IE toolbar.
 
Raccoon

Thanks so much for the response. :)

Hope this helps-

I am able to rename BROWSEUI(2).DLL without going into safe mode!

Well, the list is pretty long, but here goes:


+++++++
Detailed File Analysis
Display name: Microsoft Shell Browser UI Library
Name: browseui.dll
Description: Shell Browser UI Library
Publisher: Microsoft Corporation
Path: C:\WINDOWS\system32\browseui.dll
Version: 6.0.2900.2578
Size: 1016832 bytes
Copyright: © Microsoft Corporation. All rights reserved.

MD5: 691b1420ada790e9cda5356ee752f3a3

This file is a registered COM object

+++++++++

Detailed File Analysis
Display name: Microsoft Shell Browser UI Library
Name: BROWSEUI(2).DLL
Description: Shell Browser UI Library
Original file name: BROWSEUI.DLL
Publisher: Microsoft Corporation
Path: C:\WINDOWS\system32\BROWSEUI(2).DLL
Version: 6.0.2600.0
Size: 1020416 bytes
Copyright: © Microsoft Corporation. All rights reserved.
Create date: Thursday August 23, 2001
Access date: Saturday February 26, 2005
Modified date: Thursday August 23, 2001

MD5: e34bfbd49d84ed7fde527d6930e0c494


+++++++++
 
Raccoon

Forgot to mention - am running XP Pro on SP2 (with all other security
patches).

Please hellpppppp!
 
Bill Sanderson

Well--I didn't check out all the long numbers for the ID's, but I did look
at the first part, including the MD5 hash for the browseui.dll, and it is
identical to mine on Windows XP Pro, SP2, with current patches.

The data for the other file could be the original file from xp gold--I
haven't tried to verify that. If you can rename that file, I suspect that
it is an extraneous leftover of some sort, and probably irrelevant to the
warning you are now getting.

So--either there's something in place that we haven't spotted--nor have
others also seeing this issue--there are a number of folks with the problem,
or it is a bug of some sort within Microsoft Antispyware. One thread about
this message associates it with having Google set as the search to be used
when you hit the Search button in the IE toolbar. Do you have that setting?
 
plun

Found this about registry "hacks" and browseui.dll.

http://www.winguides.com/forums/sho...umber=119130&page=0&view=collapsed&sb=1&part=

Maybe worth checking?
 
Bill Sanderson

Hmm - could be!

Raccoon - are you able to navigate very carefully to the registry key cited
in PLUN's URL, and export it, and open the export in notepad and cut and
paste it to this thread?
 
Raccoon

Hello!

Bill, I've set the homepage as Google.com in IE. But I guess that's not the
same as the case you've mentioned.

Here's my reg key:

++++++++++
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{01E04581-4EEE-11d0-BFE9-00AA005B4383}]
@="&Address"
"MenuTextPUI"="@browselc.dll,-13137"

[HKEY_CLASSES_ROOT\CLSID\{01E04581-4EEE-11d0-BFE9-00AA005B4383}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{01E04581-4EEE-11d0-BFE9-00AA005B4383}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

[HKEY_CLASSES_ROOT\CLSID\{01E04581-4EEE-11d0-BFE9-00AA005B4383}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,62,00,72,00,\
6f,00,77,00,73,00,65,00,75,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

++++++++++

Does that help at all?

Thanks again. :)
 
Bill Sanderson

What do you get when you hit the search button?

Your reg key looks proper to me--it isn't the modified form mentioned in the
URL that Plun posted.

I know that a bug has been filed, and I assume not closed yet, about this
issue, especially in relation to having Google set as the action of the
Search key.

So--I don't think this helps you out much, and I can't tell you when or if
this will get fixed--but I don't think you are seeing some really subtle
form of bad stuff on your machine.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
Raccoon

Phew ...that's mighty relieving; esp. since I want to trim away all these
security measures as they are making my system crawl!!! AV, MSAS, Ewido,
firewall, et al. Anyway, since the prob occurred immediately after the
malware attack, I'd think that it was linked. So I'm still a bit
suspicious...
About the search ...I've never noticed anything abnormal? I assume you mean
the big search button on the top bar. Just tried again and that doesn't
seem to be a problem. Anyway, I've almost stopped using IE, as I've discovered
1st hand that it's the gateway to hell... ;)


Thanks!
 
Bill Sanderson

What I was wondering was which search engine the search button brings
up--Google, MSN, or what?

Microsoft Antispyware helps lock down IE pretty well.

If you are seeing a performance impact from Microsoft Antispyware, in
particular, I believe there is either a bug in the program, or, perhaps,
spyware which we haven't been able to spot which is creating this effect.
The Windows firewall shouldn't have noticeable impact on performance.
 
Raccoon

Sorry for the late reply. Have been having problems...

Firstly, hitting the "Search" button on the top toolbar seems to bring out
a modified form of the Windows search utility ...and on using it I find
myself with results from http://search.msn.com. Obviously that's the
default, so I guess no problems there. Actually have almost never used it
as I mostly use Google ...which as I mentioned is my default homepage.

MSAS, I guess, does an ok job of locking down IE, but doesn't that make IE
sound like crippleware??? Anyway, like it or not, still need IE for some
sites, so I now mostly load MSAS only when I'm on IE. One imp. issue: even
after deselecting all options, it seems one MSAS component still loads in
memory; eating up quite a chunk of precious RAM ...apparently doing
nothing (while real time monitoring is disabled). I know you can disable
it using msconfig, but I think the option should be available within the
software ...else it's a case of bad design. I have about half a dozen of
these malware scanners. Imagine how much RAM I'd have left if all of them
started keeping 'stubs' in memory!

As for the situation currently, had removed everything and was giving
Kaspersky AV a try; esp. since it's supposed to catch spyware too. Went
well for less than 2 days & comp was significantly faster too (with only
Kaspersky + firewall{not XP} for protection) ...and suddenly had a major
crash and it said databases are corrupted, etc - reinstall! Reinstallation
doesn't help at all!! Was without an AV for some time and am trying out
Antivir (will try to seek support from Kaspersky). Antivir seems really
amazing at detection and it caught a few things which all the others
missed! However updates are too big and VERY slow. Also no support for
POP3 mail. :(

Still wondering if all my probs are caused by some yet undetected, really
mean code...

Meanwhile, loads of thanks for all the inputs here! :)
 
Bill Sanderson

Interspersed:

Raccoon said:
Sorry for the late reply. Have been having problems...

Firstly, hitting the "Search" button on the top toolbar seems to bring out
a modified form of the Windows search utility ...and on using it I find
myself with results from http://search.msn.com. Obviously that's the
default, so I guess no problems there. Actually have almost never used it
as I mostly use Google ...which as I mentioned is my default homepage.

OK - There's a reg file at Google's site somewhere that will make that search
button use Google, fwiw. I use the deskbar myself.

MSAS, I guess, does an ok job of locking down IE, but doesn't that make IE
sound like crippleware??? Anyway, like it or not, still need IE for some
sites, so I now mostly load MSAS only when I'm on IE. One imp. issue: even
after deselecting all options, it seems one MSAS component still loads in
memory; eating up quite a chunk of precious RAM ...apparently doing
nothing (while real time monitoring is disabled). I know you can disable
it using msconfig, but I think the option should be available within the
software ...else it's a case of bad design. I have about half a dozen of
these malware scanners. Imagine how much RAM I'd have left if all of them
started keeping 'stubs' in memory!

The difficulty here, I think, is that the real-time protection is effective
because it uses the shellexecute hook to do its work. And that hook
requires a reboot to emplace or remove.
I don't know if they can do this better in future builds or not--I'm sure
we'll find out.

As for the situation currently, had removed everything and was giving
Kaspersky AV a try; esp. since it's supposed to catch spyware too. Went
well for less than 2 days & comp was significantly faster too (with only
Kaspersky + firewall{not XP} for protection) ...and suddenly had a major
crash and it said databases are corrupted, etc - reinstall! Reinstallation
doesn't help at all!! Was without an AV for some time and am trying out
Antivir (will try to seek support from Kaspersky). Antivir seems really
amazing at detection and it caught a few things which all the others
missed! However updates are too big and VERY slow. Also no support for
POP3 mail. :(

Interesting. I know very knowledgeable folks who like Kaspersky quite well,
and there have been occasions when their cleaning tools have been the best
available for some bugs.

Pop3 support doesn't bother me--I find that kind of proxy stuff often more
trouble than it is worth. OTOH, for the "average user" it is very nice to
get the attachments stripped before they have a chance to open them.

Still wondering if all my probs are caused by some yet undetected, really
mean code...

Well - if you want to look for hard to detect stuff--check out:

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

Oops--I forgot--you have, I think one of the cases which cause this tool to
not work well--you can try it out anyway. Read the help example
carefully--this presents a raw report of items which are "odd" in a certain
way. The problem is that a certain number (10 or so) normal NTFS structures
are "odd", and on some machines, hundreds of thousands of such structures
exist--making it hard to sort wheat from chaff. But on some workstations
and simple servers, the number of entries is reasonable and you can spot
anything that shouldn't show up there--mainly executable code.

Meanwhile, loads of thanks for all the inputs here! :)

You're welcome!
 
Raccoon

Hello!

As far as Kaspersky AV goes, it seems it was a universal problem - people
who tried to upgrade around that day all came down with corrupted bases
....totally disabled AV protection for a couple of days! Scary!! Seems they have
fixed the problem and I reinstalled; and it seems to be going well. Just
wasted several hours. :-( In fact was considering a reformat. Am using
only Kaspersky personal and firewall now and my system seems SIGNIFICANTLY
faster, for sure, than when I was using McAfee & MSAS. In fact discovered
that McAfee v8 had 5 components sucking up around 35-40 MB RAM!!! MSAS is
no miser when it comes to RAM usage either. Kaspersky Personal seems to be
happy with around 10! Besides, McAfee is no good with spyware, etc. :-(
Would you have any inputs on how well my system will be protected with
Kaspersky in the absence of real-time dedicated spyware protection? In
fact, on the flip side, Kaspersky has locked me out of even mIRC and
similar stuff, classifying it as riskware! LOL!

Antivir, though free & pretty good at detection, methinks, just isn't
workable because of the slow update process & ridiculously frequent engine
upgrades. Can't manage over a dial up! But it did find stuff like Micro-128
(C) & Worm/VB.CT, etc, missed by the others ...even Kaspersky! While the
1st I find isn't really malevolent, the 2nd one doesn't seem to be detected
by other scanners even when I scanned the file at Jotti's... Strange!

About POP3, if it was just as simple as deleting infected attachments it
would be cool, but as you'd know, it's hardly that simple. I've been in the
past with stuff in OE going active by just previewing it, etc, etc! Never
had any issues after I had McAfee 8 filter all the malevolent stuff. So
mail filtration seems to be the sane thing to do, esp. when using high
risk stuff like OE or Outlook.

That rootkit stuff is very interesting ...will need a little time to go
through that in detail & do it. Thanks a heap for the additional inputs...
:)
 
Raccoon

One more thing ...I'm just noticing various directories on my system with
the name format
<folder name>(n) where n = 1,2, etc.
I don't think I've seen these kinds of names on my system before. Since this
problem came up I did do a couple of system restores and noticed one
message from the utility that some file names have been changed to
preserve files ...and the format was the same - xyz(2), abc(3), etc. Could the
BROWSEUI(2).DLL have been created by the system restore? Would it be safe
to delete these files & folders with the "(n)" suffix, to clear out the
junk? Could someone shed some light on this pleaseeeeeee???

Thanks in advance. :)