Unknown URL exec Hook

Louis

I have found three unknown URL Exec Hooks shown in the
Windows Shell Execute Hooks area of Microsoft Antispyware
version 1.0.509. Two were similar and one was not;
unfortunately I did not save the name of one. The other
two are shell32.dll, found in the C:\Windows\System32 folder.

I have sent them to Spynet for analysis.

I am also finding adware on each computer using another
program, these are not found by Microsoft AntiSpyware.

Is there a list of trojans, spyware, and adware that
Microsoft AntiSpyware should be able to locate?

Louis.

Bill Sanderson

This is what I see in Windows XP Service Pack 2, with current updates, in
addition to Microsoft Antispyware's hook.

URL Exec Hook

This is a known Shell Excecute Hook.

Name: Microsoft Windows Shell Common Dll

Description: Windows Shell Common Dll

Publisher: Microsoft Corporation

File path: E:\WINDOWS\system32\shell32.dll

File version: 6.0.2900.2578

Technical Details:

CLSID: {AEB6717E-7E19-11d0-97EE-00C04FD91972}

Original file name: SHELL32.DLL

MD5: 5db5f53f801b616f4b4b7cae6ee7d1c6


I don't have enough experience looking at lots of machines to know what
other legitimate objects might be here. Do you have other security or
antispyware active-protection applications on the machine?

You could post the unknowns here--click in the right panel with the object
selected, hit Ctrl-a, then right-click and choose copy, then paste into the
message.

Or--you could experiment by blocking one and seeing what happens.
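As an added example that is not part of the thread, the following PowerShell script enumerates the same Shell Execute Hooks that Microsoft AntiSpyware lists, resolves each CLSID to its DLL and reports publisher, signature status, file version and MD5, so an entry marked "unknown" can be compared against the details above. It assumes the standard Explorer registry key for these hooks, uses the CLSID of the stock URL Exec Hook quoted above as the only baseline entry, and substitutes an Authenticode signature check for the product's known-file list, which is not available here.

```powershell
# Added example, not code from the thread. Enumerates Shell Execute Hooks,
# resolves each CLSID to its InprocServer32 DLL, and reports signer, signature
# status, file version and MD5 so an "unknown" entry can be reviewed.
# Assumption: Explorer reads hooks from this key (standard location, run as admin).
$HookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

# Baseline from the thread: the stock URL Exec Hook that lives in shell32.dll.
$KnownHooks = @{
    '{AEB6717E-7E19-11d0-97EE-00C04FD91972}' = 'shell32.dll'
}

function Get-ShellExecuteHook {
    if (-not (Test-Path $HookKey)) { return }
    $key = Get-Item $HookKey
    foreach ($clsid in $key.GetValueNames()) {
        # Each value name is a CLSID; the data is normally empty or a comment.
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $path = $null
        if (Test-Path $server) {
            $raw = (Get-ItemProperty -Path $server).'(default)'
            if ($raw) { $path = [Environment]::ExpandEnvironmentVariables($raw) }
        }
        $info = [ordered]@{
            CLSID     = $clsid
            FilePath  = $path
            Exists    = [bool]($path -and (Test-Path $path))
            Baseline  = $KnownHooks.ContainsKey($clsid)
            Publisher = $null
            SigStatus = $null
            Version   = $null
            MD5       = $null
        }
        if ($info.Exists) {
            # Authenticode stands in for the vendor's known-file list.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $info.SigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $info.Publisher = $sig.SignerCertificate.Subject }
            $info.Version = (Get-Item $path).VersionInfo.FileVersion
            $info.MD5 = (Get-FileHash -Algorithm MD5 -Path $path).Hash.ToLower()
        }
        [pscustomobject]$info
    }
}

# Anything outside the baseline, unsigned, or pointing at a missing file deserves a look.
Get-ShellExecuteHook | Where-Object { -not $_.Baseline -or $_.SigStatus -ne 'Valid' } |
    Format-Table CLSID, FilePath, Publisher, SigStatus, Version, MD5 -AutoSize
```

A hook whose DLL carries a valid Microsoft signature but an unexpected file version (as with the beta build discussed later in this thread) is a version mismatch rather than a foreign component; the MD5 column lets you match the hash against the value posted above.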

Louis

Hello Bill, and Plun,
Thanks for your responses.
Below is the copy and paste as suggested.

"URL Exec Hook
This is an unknown Shell Excecute Hook.

Name: Microsoft Windows Shell Common Dll
Description: Windows Shell Common Dll
Publisher: Microsoft Corporation
File path: C:\WINDOWS\system32\shell32.dll
File version: 6.0.3790.1433"

I have blocked it on one machine and have not seen any
negative effect.
I have it running on this machine for further research
that would let me know what is the proper treatment for
this event.
I have no other spyware program on this machine; however,
on one of the other machines I have Ad-Aware by Lavasoft, which
locates tracking cookies, and those are not found by
Microsoft Antispyware.

Plun the list I need is for Microsoft Antispyware only,
not any other Antispyware program.
Louis.

Bill Sanderson

What version of Windows is this? Is any third-party software related to
"themes"--or skins for the OS--installed?

No list such as the one Plun referred to for the other product is available
for Microsoft Antispyware.

When I am looking for a reference for an individual bug, I tend to google on
the name of the bug and Sunbelt, because that vendor also sells a product
which is a child of Giant's antispyware program. I expect that the products
are diverging daily, though.

Louis

-----Original Message-----
What version of Windows is this?

Answer: Windows 2003 SP1 beta.

Is any third-party software related to
"themes"--or skins for the OS--installed?

Answer: No

No list such as the one Plun referred to for the other product is available
for Microsoft Antispyware.

OK Bill,
Thanks.
Louis.

Bill Sanderson

The small number of references I was able to find for your version number
were mainly in languages I don't read, and seemed to relate to Windows
Server 2003. I'm not surprised that a piece of beta code is not marked as
known--I think this may very well be intentional--there have been other
instances noted here where old beta versions still in place were marked as
unknown.

On XP Workstations, I normally see two entries in this area. One is the
shell32 which is the Windows shell, and the other is Microsoft
Antispyware--not sure whether it says Giant or Microsoft. I'm interested in
the third entry that you found--you have two shell32's?

Guest

Bill

Fwiw, I have a machine here running XP Home SP2 and
ASwBeta1 build 509 which also displays three unknown Shell
Execute Hooks. They are:-
system32\shell32.dll
progra~1\wg\wormguard.dll (from DiamondCS WormGuard)
ms antispyware\ShellExtension.dll

Machine is a P4 3.06GHz with HT enabled.
It has at one stage had 'Object Desktop Lite' installed
(nVidia theme) which had been uninstalled, yet didn't
restore the original icons (leading me to guess that the
anomaly in the shellIconCache might be partly to blame??)

I also have a second machine here (Celeron 2GHz, no HT),
running XP Pro SP2, using the same version of ASw Beta1 but
without WormGuard installed. It shows shell32.dll &
ShellExtension.dll as known Shell Execute Hooks.


Machine 1 has unfortunately been potentially compromised by
hacker/trojan attacks and has been isolated from the
network whilst under investigation - I therefore can't
guarantee that they are false positives for you but hope
that this information might help regardless. :)

Bill Sanderson

Interesting--thanks. I've been wondering what sorts of programs would
normally show up in that hook, and an Internet Security program is a logical
candidate. I take it that this DiamondCS WormGuard is something you know
about and have intentionally installed?

I agree about the ShellIconCache. You can delete this file--perhaps from
safe mode command prompt, and it should be recreated and the icons
corrected. However, I don't recall where it lives on XP at the
moment--sorry!

Pug

Sure. No worries.
Yes the WormGuard program was one of several
counter-measures I had been evaluating in this area and
seems totally benign wrt being/containing malware.

Great. Thanks for the confirmation. I'm sure I can find it.

I'll keep you updated if anything else comes to light and
will keep an eye here for developments too.

Thanks Bill.