Adding CLSID's to "customblocking"

Discussion in 'SpywareBlaster & Other Forum' started by redwolfe_98, Dec 19, 2007.

Thread Status:
Not open for further replies.
  1. redwolfe_98

    redwolfe_98 Registered Member

    I want some advice on adding "CLSIDs" to SB's "customblocking", please..

    If I look at "smitfraudfix", I see that it removes some "bad" "CLSIDs".. here is a link for smitfraudfix's "changelog":

    http://siri.urz.free.fr/Fix/ChangeLog.php

    Let's say that I take the cue from "smitfraudfix" and want to add some of the "bad" "CLSIDs" from smitfraudfix's "changelog" to SB's "customblocking".. which "CLSIDs" would I want to add to SB's "customblocking"? Would I add the BHO-CLSIDs that I see there? Or both the "BHO-CLSIDs" and the "toolbar-CLSIDs"? Or both those and others, too? What do the "pros" think?

    Let's look at the latest addition to smitfraudfix's changelog, for example.. here is what it shows:

    %WINDOWS%\binret.exe
    %WINDOWS%\ttvbono_O.dll
    %WINDOWS%\leosrv.dll
    %WINDOWS%\hjoqor.dll
    %WINDOWS%\xcvwer.dll
    O2 - BHO: BDEX System - {7875DBFF-6B8A-4B74-B8A2-E2DBF657CA03} - C:\WINDOWS\ttvbonfvm.dll
    O3 - Toolbar: The leosrv - {14E52265-CCA3-4F78-A21B-88F4EE6E78C1} - C:\WINDOWS\leosrv.dll
    O21 - SSODL: hjoqor - {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} - C:\WINDOWS\hjoqor.dll
    O21 - SSODL: xcvwer - {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} - C:\WINDOWS\xcvwer.dll
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{14E52265-CCA3-4F78-A21B-88F4EE6E78C1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7875DBFF-6B8A-4B74-B8A2-E2DBF657CA03}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E9078DA-0C69-47B0-9637-2734104BD217}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EBAAB89-A5CD-40C4-A0AB-3275317351D1}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BEC8AD62-3D64-4F7B-B24D-2C785AE5449B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{372685AA-9F61-43F5-BEBA-A60900E228EB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5328D226-7057-4B06-9E4A-7829BFA7CA78}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\leosrv.bkwo]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\leosrv.ToolBar.1]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7875DBFF-6B8A-4B74-B8A2-E2DBF657CA03}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{14E52265-CCA3-4F78-A21B-88F4EE6E78C1}"=-

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "hjoqor"=-
    "xcvwer"=-


    %WINDOWS%\mscfg32.dll


    %SYSTEM%\gnjsjc.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5c770fbc-cc2f-4acd-93e8-e6f0594307fd}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{5c770fbc-cc2f-4acd-93e8-e6f0594307fd}"="cariniana"
    --------------------------------------------------------------

    Which of the "CLSIDs" listed above, from smitfraudfix's changelog, would I want to add to SB's "customblocking list"?

    Incidentally, I wish that Javacool would get together with Tony Klein, with his "CLSID" list, and add a lot of the bad "CLSIDs" from Tony's "CLSID list" to SB's "CLSID-killbit databases"..

    http://www.castlecops.com/CLSID.html
     
    Last edited: Dec 19, 2007
  2. TonyKlein

    TonyKlein Security Expert

    From the first group I'd just add the two toolbar and BHO CLSIDs.

    And you could add the SharedTaskScheduler CLSID.

    We already submit all 'bad' CLSIDs we add to Javacool, and in turn he adds most of them to the SB database. :)

    I have to add that this, as well as some other current malware in particular, now changes very rapidly indeed. New versions are being pushed out several times a day, so it really is very hard to keep current...

    Incidentally, if you're into adding custom CLSIDs, there's also a Finnish guy maintaining an extensive SB file: http://koti.mbnet.fi/pattaya1/customblocking.txt
     
    Last edited: Dec 23, 2007
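The selection rule in the reply above (take the BHO and Toolbar CLSIDs, optionally the SharedTaskScheduler one, and ignore the Interface/TypeLib GUIDs and the name-keyed SSODL entries) can be checked mechanically. The script below is an added example, not code from the thread, from SpywareBlaster or from SmitFraudFix. It parses the HijackThis-style lines and registry-export lines quoted in the first post (constructed here as sample input, with the SSODL placeholder X's kept exactly as shown), picks the CLSIDs by load point, and writes them out as Internet Explorer kill-bit entries (the documented `ActiveX Compatibility` key with `Compatibility Flags` = 0x400). The kill-bit .reg output is an assumption about the mechanism SpywareBlaster uses; the layout of SpywareBlaster's own customblocking file is not reproduced.

```python
import re

# Constructed sample: the relevant lines quoted from the SmitFraudFix changelog
# in the first post. Interface/TypeLib keys and the SSODL placeholders are kept
# on purpose, so the filter has something to reject.
SAMPLE = r"""
O2 - BHO: BDEX System - {7875DBFF-6B8A-4B74-B8A2-E2DBF657CA03} - C:\WINDOWS\ttvbonfvm.dll
O3 - Toolbar: The leosrv - {14E52265-CCA3-4F78-A21B-88F4EE6E78C1} - C:\WINDOWS\leosrv.dll
O21 - SSODL: hjoqor - {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} - C:\WINDOWS\hjoqor.dll
O21 - SSODL: xcvwer - {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} - C:\WINDOWS\xcvwer.dll
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{14E52265-CCA3-4F78-A21B-88F4EE6E78C1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E9078DA-0C69-47B0-9637-2734104BD217}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{372685AA-9F61-43F5-BEBA-A60900E228EB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5c770fbc-cc2f-4acd-93e8-e6f0594307fd}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5c770fbc-cc2f-4acd-93e8-e6f0594307fd}"="cariniana"
"""

# A real GUID: 8-4-4-4-12 hex digits in braces. The SSODL placeholders fail this.
GUID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)
# HijackThis-style line: "O2 - BHO: name - {clsid} - path"
HJT_RE = re.compile(r"^O(\d+) - (\w+): (.*?) - (\{[^}]+\}) - (.+)$")
# Registry-export value line: "{clsid}"="name"
VALUE_RE = re.compile(r'^"(\{[^}]+\})"="(.*)"$')

# Load points whose CLSIDs go on the blocking list, per the reply above:
# BHO (O2), Toolbar (O3) and SharedTaskScheduler. SSODL entries are keyed by
# name rather than CLSID, so they are not candidates.
KILLBIT_KINDS = {"BHO", "Toolbar", "SharedTaskScheduler"}

# Documented Internet Explorer kill-bit location (assumed to be what SB writes).
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


def parse_entries(text):
    """Return (kind, name, clsid) tuples for every load-point entry found."""
    entries = []
    section = None  # last component of the most recent [registry key] header
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_RE.match(line)
        if m:
            entries.append((m.group(2), m.group(3), m.group(4)))
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")  # "-" prefix means "delete key" in .reg syntax
            section = key.rsplit("\\", 1)[-1]
            continue
        m = VALUE_RE.match(line)
        if m and section == "SharedTaskScheduler":
            entries.append((section, m.group(2), m.group(1)))
    return entries


def select_clsids(entries):
    """Keep only well-formed CLSIDs from the load points worth kill-bitting."""
    chosen = set()
    for kind, _name, clsid in entries:
        if kind in KILLBIT_KINDS and GUID_RE.fullmatch(clsid):
            chosen.add(clsid.upper())
    return sorted(chosen)


def killbit_reg(clsids):
    """Render the chosen CLSIDs as an importable .reg file setting the kill bit."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(f"[{KILLBIT_KEY}\\{clsid}]")
        lines.append('"Compatibility Flags"=dword:00000400')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    for kind, name, clsid in found:
        print(f"{kind:20} {clsid}  ({name})")
    print()
    print(killbit_reg(select_clsids(found)))
```

Running it lists five entries (two of them the SSODL placeholders) and emits three kill-bit keys: the BHO, the toolbar and the SharedTaskScheduler CLSID. The Interface and TypeLib GUIDs never appear, because they are not CLSIDs and a kill bit on them would do nothing. Note what the kill bit does and does not do: it stops Internet Explorer from instantiating the control, but it does not delete the DLLs or the registrations, which is the job of the removal lines in SmitFraudFix's changelog.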
  3. redwolfe_98

    redwolfe_98 Registered Member

    Thanks Tony..

    I think I have finally figured out how I can "search" your "CLSID list" for "bad" CLSIDs..
     