How to add custom CLSID's to block with SpywareBlaster

Discussion in 'SpywareBlaster & Other Forum' started by RobertL, Sep 9, 2004.

Thread Status:
Not open for further replies.
  1. RobertL

    RobertL Guest

    Hi, Pieter. I’m not exactly a newbie, but I am new to spyware prevention. I discovered the world of spyware and adware when my machine became so clogged with pop-ups that it would barely operate on-line. A bit of investigation on the Net led me first to a free scan called PestScan and then to the freeware spyware destroyer SpyBot Search and Destroy. PestScan doesn’t offer free destruction of spyware, but the scan it performs is more thorough than SpyBot’s, and it does offer free instructions on how to destroy pests manually.

    I loaded SpyBot and used it to destroy pests. I’ve then checked its work by immediately loading IE and using PestScan. PestScan keeps turning up the same two particularly persistent spyware programs, called BookedSpace and Twain-Tech. Sometimes there’s a third one called Adware.Binet, which uses the same CLSIP as BookedSpace. BookedSpace appears a couple of times on SpywareBlaster’s database, but not with the same CLSIPs.

    Following PestScan’s instructions, I’ve deleted the relevant keys from my machine’s registry every time I’ve seen them (and followed further instructions about deletion of DLL files). But they reload whenever I go on line. Thus it appears that these programs are somehow resident in my IE. Investigating a little further under the subject of “immunization” or “prevention” led me to SpywareBlaster.

    I’ve followed your procedure for adding custom CLSIPs to SpywareBlaster’s standard list. But it hasn’t worked; BookedSpace and Twain-Tech keep reappearing in PestScan’s sweep of my registry (and indeed their wretched pop-ups persist as well). What am I doing wrong?

    I have several questions:

    1. Should I reboot after adding the custom CLSIPs?

    2. The screen whereby one adds a custom CLSIP contains no field for Type. Yet all the CLSIPs shown in SpywareBlaster’s database are identified as either cookies or “ActiveX.” Meanwhile, all the CLSIPs in the little sample screen you’ve shown in your instructions are identified as “Spyware.” What’s ActiveX? Is it a type of spyware? If not, what’s the difference? Could this difference account for the failure of my addition of these custom CLSIPs?

    3. If my understanding of what CLSIPs are is correct, they’re those 32-character strings of code which sometimes accompany registry keys. But not all the registry keys PestScan turns up contain CLSIPs. And I have the impression that to rid your machine of spyware, you have to eliminate ALL the relevant registry keys (and sometimes perform other, non-registry-related steps as well). Could SpywareBlaster be failing because it is blocking the loading of those registry keys that contain the prohibited CLSIPs, but not other registry keys which are alone sufficient to load the spyware?

    4. SpywareBlaster’s database’s not being in any discernable order makes it terribly difficult to learn whether any given CLSIP is on it. Is it possible to sort it, either by name or (better still) by CLSIP? Alternatively, is there a way to search it for a particular CLSIP?

    5. Sometimes when I delete a CLSIP from one registry address, but it exists in another address as well, it’s already gone when I go to look for it in the second address. Is this to be expected?

    I’m sorry for the great length of this post, but as you see, my situation is somewhat complicated. I really appreciate what you’re doing!
  2. Bubba

    Bubba Updates Team

    Apr 15, 2002
    Hey robert,

    I have moved your post here to its own thread in order to attempt to answer all your questions\concerns without getting lost in the "How to add custom CLSID's to block with SpywareBlaster" announcement thread.

    1.) Once you have properly entered a valid ActiveX control CLSID into SpywareBlaster via its Custom Blocking feature and then selected....Protect Against Checked....it is immediately entered into the proper registry location....HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility....without having to reboot or refresh IE.

    2.) I'll reference the programs Help feature for most of what you've asked and hopefully that will address your questions.

    "Prevent the installation of ActiveX-based spyware, dialers, etc....Blocks the installation of spyware, adware, dialers, browser hijackers, and other potentially unwanted ActiveX-based software."
    The ActiveX components it is referring to are considered ActiveX controls and plug-ins. ActiveX technologies are built using Microsoft's Component Object Model (COM) and have the ability to access everything on your computer, all folders, all files, everything! ActiveX controls and plug-ins can include many things such as web forms, sound and graphics and installation programs. Some of the names associated with ActiveX and benign in nature are Microsoft Windows Media Player, Macromedia Shockwave, RealNetworks RealPlayer. Unfortunately there are forms of ActiveX that some refer to as trojanware and are associated with names such as Comet Cursor, Xupiter, Gator\Gain, Bonzi....etc.

    "Custom Blocking: Create your own list of ActiveX controls that you want to block. Add search engine toolbars, browser plug-ins, and more - block any ActiveX control you want. You can even download Custom Blocking lists other people have created.
    (Warning: Please be careful when using a Custom Blocking list someone else has created. Only consider using a Custom Blocking list if you trust the person that created it.)"

    4.) With SpywareBlaster GUI being on the Internet Explorer button at top next to Status. Then highlight the top entry with one mouse click....right click that entry and select find from the menu choices. Type in a single word name or a valid CLSID to search for.
  3. RobertL

    RobertL Guest

    Hey, Bubba. Thanks -- that was very helpful! But I still have a few follow-up questions.

    1. Since SpywareBlaster isn't removing these two CLSIDs, and since its statement of purpose makes it clear that it's designed to remove ACTIVEX-based software, could it be that the two problematic CLSIDs are NOT ActiveX-based? If it's true that they aren't, what should I do?

    2. The Help page you quote says you can use the custom tool to "block any ActiveX control you want," but this is subject to that control being based in a CLSID, right? Thus, you couldn't add a registry key such as "hkey_local_machine_ \software\vendor\xml" (which is one of the ones giving me trouble), because it doesn't contain a CLSID. Right?

    Thanks again!
  4. Bubba

    Bubba Updates Team

    Apr 15, 2002
    1) Just to be sure we are on the same page....would you please share with us the...."two problematic CLSIDs"....you're speaking of\concerned with?

    Also....would you mind sharing where you have read that...."its statement of purpose makes it clear that it's designed to remove ACTIVEX-based software"

    SpywareBlaster helps to "Prevent the installation of ActiveX-based spyware, dialers, etc."....NOT in removing the software.

    2) I'm not sure I follow what you're saying....sorry :(
  5. RobertL

    RobertL Guest


    Let me show you exactly what PestScan turns up when I run it. I'll give the name of the alleged pestware first, then the registry keys PestScan shows:


    hkey_local_machine \software\microsoft\windows\current version\explorer\browser helper objects\{0000607d-d204-42c7-8e46-216055bf9918}

    hkey_local_machine \software\classes\clsid\{0000607d-d204-42c7-8e46-216055bf9918}

    hkey_classes_root \clsid\{0000607d-d204-42c7-8e46-216055bf9918}


    hkey_local_machine \software\vendor\xml

    hkey_local_machine \software\classes\interface\{4534cd6b-59d6-43fd-864b-06a0d843444a}


    hkey_classes_root \interface\{4534cd6b-59d6-43fd-864b-06a0d843444a}

    Now, in order for me to even make sense on this subject, I need to be sure I have the right idea about what a CLSID IS. It's just the ALPHANUMERIC PART of these registry keys -- the part between the braces. Right? Assuming I'm right about that, these six registry addresses contain only TWO CLSIDs between them, because the CLSIDs are repeated. Thus if the custom-add feature works the way I was expecting it to, it should block all three of these spyware programs, because they all use these particular two CLSIDs.

    The trouble is, one of the programs -- BookedSpace -- is apparently installed in part with a registry key that doesn't contain a CLSID (the first one, "hkey_local_machine \software\vendor\xml"). Thus I'm thinking maybe that particular registry key is getting in past SpywareBlaster, and sneaking the CLSID-bearing key in with it. That was the gist of my second question. Does it make any more sense?

    When I spoke of SpywareBlaster's "statement of purpose," I was just quoting your quote, apparently from the Help page, at the beginning of your answer to my second question in my initial query:

    "Prevent the installation of ActiveX-based spyware, dialers, etc....Blocks the installation of spyware, adware, dialers, browser hijackers, and other potentially unwanted ActiveX-based software."

    The statement's repeated use of "ActiveX-based" seemed like emphasis to me -- implying that if the spyware, etc., were not ActiveX-based, SpywareBlaster wouldn't block it. I'm not sure what the relationship is between CLSIDs and ActiveX code. If it's possible for code to contain a CLSID but not be ActiveX-based, then maybe that explains why these particular CLSIDs seem to be avoiding being blocked by SpywareBlaster.

    Your drawing the distinction between prevention and removal raises the question whether my problem is (a) that the spyware keeps reinvading my system from on-line, despite my having put its CLSIDs on the custom list, or (b) that I simply haven't removed it properly from my system. I've assumed it was (a) because I've followed all the instructions that TWO online sources gave me about removing spyware manually. This could be wrong, of course, but I know that similar steps have worked for me before -- and meanwhile, I've done everything I know how to do.

    I hope I've made this mess a bit clearer for you. Thanks again for your attention to it!
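
Added example, not part of the original posts and not SpywareBlaster's or PestScan's code: a small Python parser that sorts the six keys listed in the post above by what each GUID is registered as, and builds the subkey path under the ActiveX Compatibility location named earlier in the thread for each GUID that appears under `\clsid\`. Assumptions: `hkey_classes_root` is folded into `hkey_local_machine\software\classes` (the machine-wide part of that merged view), the role names are labels made up for this example, and the block entry is keyed by the CLSID as a subkey.

```python
import re
from collections import defaultdict

# Keys copied from the post above, spacing as posted.
SCAN_KEYS = [
    r"hkey_local_machine \software\microsoft\windows\current version\explorer\browser helper objects\{0000607d-d204-42c7-8e46-216055bf9918}",
    r"hkey_local_machine \software\classes\clsid\{0000607d-d204-42c7-8e46-216055bf9918}",
    r"hkey_classes_root \clsid\{0000607d-d204-42c7-8e46-216055bf9918}",
    r"hkey_local_machine \software\vendor\xml",
    r"hkey_local_machine \software\classes\interface\{4534cd6b-59d6-43fd-864b-06a0d843444a}",
    r"hkey_classes_root \interface\{4534cd6b-59d6-43fd-864b-06a0d843444a}",
]
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")
# Location quoted in the thread; one subkey per blocked CLSID is this example's assumption.
KILLBIT_ROOT = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ROLES = (("\\browser helper objects\\", "bho-registration"),
         ("\\classes\\clsid\\", "class-id"),
         ("\\classes\\interface\\", "interface-id"))

def normalize(key):
    """Lower-case, trim stray spaces, fold HKCR into HKLM\\Software\\Classes."""
    parts = [p.strip() for p in key.lower().split("\\") if p.strip()]
    if parts[0] == "hkey_classes_root":  # assumption: machine-wide half of the view
        parts = ["hkey_local_machine", "software", "classes"] + parts[1:]
    return "\\".join(parts)

def classify(key):
    """Return (normalized key, GUID or None, role implied by the key's location)."""
    norm = normalize(key)
    m = GUID_RE.search(norm)
    if m is None:
        return norm, None, "no-guid"
    role = next((r for frag, r in ROLES if frag in norm), "other-guid")
    return norm, m.group(0).upper(), role

def summarize(keys):
    """Group a scan listing into CLSIDs, interface-only GUIDs and GUID-less keys."""
    roles, no_guid, locations = defaultdict(set), [], set()
    for norm, guid, role in map(classify, keys):
        locations.add(norm)
        if guid:
            roles[guid].add(role)
        else:
            no_guid.append(norm)
    clsids = sorted(g for g, r in roles.items() if "class-id" in r)
    iface_only = sorted(g for g, r in roles.items() if r == {"interface-id"})
    return {"distinct_locations": len(locations), "clsids": clsids,
            "interface_only": iface_only, "no_guid": no_guid,
            "block_keys": [KILLBIT_ROOT + "\\" + g for g in clsids]}
```

On the six keys above, `summarize(SCAN_KEYS)` reports four distinct locations, one GUID registered as a class, one GUID that appears only under `\interface\`, and one key with no GUID at all.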