Adding CLSIDs to "customblocking"

Discussion in 'SpywareBlaster & Other Forum' started by redwolfe_98, Dec 19, 2007.

Thread Status:
Not open for further replies.
  1. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I want some advice on adding CLSIDs to SB's "customblocking", please.

    If I look at "smitfraudfix", I see that it removes some "bad" CLSIDs. Here is a link for smitfraudfix's "changelog":

    http://siri.urz.free.fr/Fix/ChangeLog.php

    Let's say that I take the cue from "smitfraudfix" and want to add some of the "bad" CLSIDs from smitfraudfix's "changelog" to SB's "customblocking". Which CLSIDs would I want to add to SB's "customblocking"? Would I add the BHO CLSIDs that I see there? Or both the BHO CLSIDs and the toolbar CLSIDs? Or both of those and others, too? What do the "pros" think?

    Let's look at the latest addition to smitfraudfix's changelog, for example. Here is what it shows:

    %WINDOWS%\binret.exe
    %WINDOWS%\ttvbono_O.dll
    %WINDOWS%\leosrv.dll
    %WINDOWS%\hjoqor.dll
    %WINDOWS%\xcvwer.dll
    O2 - BHO: BDEX System - {7875DBFF-6B8A-4B74-B8A2-E2DBF657CA03} - C:\WINDOWS\ttvbonfvm.dll
    O3 - Toolbar: The leosrv - {14E52265-CCA3-4F78-A21B-88F4EE6E78C1} - C:\WINDOWS\leosrv.dll
    O21 - SSODL: hjoqor - {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} - C:\WINDOWS\hjoqor.dll
    O21 - SSODL: xcvwer - {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} - C:\WINDOWS\xcvwer.dll
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{14E52265-CCA3-4F78-A21B-88F4EE6E78C1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7875DBFF-6B8A-4B74-B8A2-E2DBF657CA03}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E9078DA-0C69-47B0-9637-2734104BD217}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EBAAB89-A5CD-40C4-A0AB-3275317351D1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BEC8AD62-3D64-4F7B-B24D-2C785AE5449B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{372685AA-9F61-43F5-BEBA-A60900E228EB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5328D226-7057-4B06-9E4A-7829BFA7CA78}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\leosrv.bkwo]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\leosrv.ToolBar.1]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7875DBFF-6B8A-4B74-B8A2-E2DBF657CA03}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{14E52265-CCA3-4F78-A21B-88F4EE6E78C1}"=-

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "hjoqor"=-
    "xcvwer"=-


    %WINDOWS%\mscfg32.dll


    %SYSTEM%\gnjsjc.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5c770fbc-cc2f-4acd-93e8-e6f0594307fd}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{5c770fbc-cc2f-4acd-93e8-e6f0594307fd}"="cariniana"
    --------------------------------------------------------------

    Which of the CLSIDs listed above, from smitfraudfix's changelog, would I want to add to SB's "customblocking list"?

    Incidentally, I wish that Javacool would get together with Tony Klein, with his "CLSID" list, and add a lot of the bad CLSIDs from Tony's "CLSID list" to SB's "CLSID-killbit databases".

    http://www.castlecops.com/CLSID.html
     
    Last edited: Dec 19, 2007
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,355
    Location:
    The Netherlands
    From the first group I'd just add the two toolbar and BHO CLSIDs.

    And you could add the SharedTaskScheduler CLSID.

    We already submit all 'bad' CLSIDs we add to Javacool, and in turn he adds most of them to the SB database. :)

    I have to add that this, as well as some other current malware in particular, now changes very rapidly indeed. New versions are being pushed out several times a day, so it really is very hard to keep current...

    Incidentally, if you're into adding custom CLSIDs, there's also a Finnish guy maintaining an extensive SB file: http://koti.mbnet.fi/pattaya1/customblocking.txt
     
    Last edited: Dec 23, 2007
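As an added illustration of the advice above (this is example code written for this page, not code from the thread, from SpywareBlaster or from smitfraudfix), the script below reads a changelog excerpt in the HijackThis-style format quoted in the first post, keeps only the entry kinds TonyKlein names (O2 BHOs, O3 toolbars and SharedTaskScheduler entries), skips the placeholder {XXXXXXXX-...} CLSIDs and the Interface/TypeLib keys, and renders the registry kill-bit entries that blocking those CLSIDs amounts to. The SAMPLE text is constructed from the lines quoted in the post; the function names are my own.

```python
# Added example: pick out block-worthy CLSIDs from a smitfraudfix-style changelog
# excerpt and render the corresponding ActiveX kill-bit .reg entries.
import re

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HJT_RE = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[^}]+\})")
STS_RE = re.compile(r'^"(?P<clsid>\{[^}]+\})"="(?P<name>[^"]*)"')

# Constructed sample, taken from the listing quoted in the first post.
SAMPLE = """\
O2 - BHO: BDEX System - {7875DBFF-6B8A-4B74-B8A2-E2DBF657CA03} - C:\\WINDOWS\\ttvbonfvm.dll
O3 - Toolbar: The leosrv - {14E52265-CCA3-4F78-A21B-88F4EE6E78C1} - C:\\WINDOWS\\leosrv.dll
O21 - SSODL: hjoqor - {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} - C:\\WINDOWS\\hjoqor.dll
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\{6E9078DA-0C69-47B0-9637-2734104BD217}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler]
"{5c770fbc-cc2f-4acd-93e8-e6f0594307fd}"="cariniana"
"""

def extract_block_candidates(text):
    """Return [(kind, name, CLSID)] for BHO, Toolbar and SharedTaskScheduler lines.
    Interface/TypeLib keys are ignored (they are not controls a kill bit would
    block) and placeholder CLSIDs such as {XXXXXXXX-...} are skipped."""
    out, in_sts = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):  # registry key header: remember if it is the STS key
            in_sts = line.rstrip("]").endswith("\\SharedTaskScheduler")
            continue
        m = HJT_RE.match(line)
        if m:
            kind = "BHO" if m.group(1) == "O2" else "Toolbar"
            if CLSID_RE.fullmatch(m.group("clsid")):
                out.append((kind, m.group("name"), m.group("clsid").upper()))
            continue
        m = STS_RE.match(line)
        if in_sts and m and CLSID_RE.fullmatch(m.group("clsid")):
            out.append(("SharedTaskScheduler", m.group("name"), m.group("clsid").upper()))
    return out

def killbit_reg(clsids):
    """Render .reg text setting the ActiveX kill bit (Compatibility Flags = 0x400,
    the same per-CLSID flag SpywareBlaster's blocking relies on) for each CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in clsids:
        lines.append(f"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{c}]")
        lines.append('"Compatibility Flags"=dword:00000400')
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    found = extract_block_candidates(SAMPLE)
    for kind, name, clsid in found:
        print(f"{kind:20} {clsid}  ({name})")
    print(killbit_reg([c for _, _, c in found]))
```

Running it on the sample yields exactly the three CLSIDs TonyKlein recommends (the BHO, the toolbar and the SharedTaskScheduler entry); the O21 lines drop out because their CLSIDs are placeholders.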
  3. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    Thanks Tony.

    I think I have finally figured out how I can "search" your "CLSID list" for "bad" CLSIDs.
     