It's hard to look up a CLSID!

Discussion in 'other software & services' started by HandsOff, Mar 17, 2005.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    HijackThis is a great program. But a side effect of its widespread use is that now when I search the internet for a CLSID all I get are occurrences of it in someone else's log. To make matters worse, almost always, it is not part of the problem, and no new information is to be found.

    In the good old days, one could do a search and find pages actually pertinent to the CLSID.

    Is there some sort of CLSID.COM site where one goes to find links to them?

    If not, hasn't malware sort of gained a new advantage?


    - HandsOff
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    "This is the Master BHO and Toolbar list copyrighted by Tony Klein, and driven by CastleCops"

    Certified spyware/foistware, or other malware, Legitimate items and some that are open for debate.

    This link---> The CLSID / BHO List / Toolbar Master List
     
  3. LPSchool

    LPSchool Guest

    Look in your registry to see what application is attaching itself to that CID; then from that you can generally figure out what's going on.

    Or try in Google:


    {jkggd-gsdd-sfsgdg-dgdfg} -hijackthis -log


    where you replace your CID with that one (and yes, I know it isn't valid, as it goes beyond the extents of hexadecimal numbering).

    good luck
     
  4. HandsOff

    HandsOff Registered Member

    B- That is a great start. CLSIDs would be so useful... if they just ID'd something.


    LPS- I'm sure I would get Google responses all right... but most if not all of the logs concern some other problem and don't concern the CLSID I want to find info for.

    I do search the registry. The problem is that sometimes either I can't find it or there isn't anything that tells me if it's legit or not. Half the time all you get is "value not set" or some other useless info.

    Still, that's about as far as I've gone with it so far.



    -HandsOff
     
  5. Bubba

    Bubba Updates Team

    I'm not sure what you mean. The link supplied above not only has an ability to search by CLSID but also by word search. There are currently 1652 entries, and growing, of CLSID entries at that CastleCops link... some legit and some not so legit. Perhaps you could explain better what you are actually wanting, or perhaps give an example.
     
  6. HandsOff

    HandsOff Registered Member

    B - I just meant that something that is supposed to be an ID is not much good if it cannot be used to identify.

    I did go to the CastleCops site. I copied a CLSID into the search box, clicked it, and nothing happened. I think my computer might have been overloading, so I will check it again after reboot.


    - HandsOff
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    You need to take into account that a lot of malware these days uses random file names as well as Class IDs.
    These will not be listed, as by definition it's extremely unlikely, if not out of the question, that you'll ever run into an identical one.
    An expert can often identify such an animal by a look at the entire log, but in many cases positive identification can only be made by examination of the file itself.

    This "feature" can actually be used to your advantage. If a file name/CLSID is strongly suspected to be random, and will yield no results either through a Google search, or by querying the List, you can be pretty certain it's malware, and will therefore be safe to remove.
     
  8. HandsOff

    HandsOff Registered Member

    Hey Tony!

    Good to hear from you. I got back from CastleCops for the second time but I am unable to do a search. When I specify any range, all I get back is a blank page. Same if I specify all, or do a search. I checked my ad-blocker and it did not block... I can't break the habit of using IE6, though, and my settings are not always tolerated at all websites. It just occurred to me to try Firefox.

    I don't know much about CLSIDs, but I am constantly confronted with them, so I am attempting to look up ones that show up in different logs. So far it has not been easy.

    On the DCOM configuration list in Administrative Tools there are tons of programs listed. It has three or four warnings that an application name was listed but the CLSID was not registered. Then at the bottom of the list are 21 CLSIDs, and I am just curious what they are, and why they aren't named like all the rest. It's just curiosity at this point, but I don't like it when I can't identify them. These are the ones I am currently searching for.

    ... OH! I forgot to mention. I randomly picked 2 of them and searched both the Registry and C:\Windows\ and I could not find either one in either place. I'm guessing I'll finally get to see your list, using Firefox!!!


    -HandsOff

    P.S. Just for the record they are:

    {000C101C-0000-0000-C000-000000000046}
    {0010890e-8789-413c-adbc-43f5b511b3af}
    {00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
    {0D458BE8-D99D-11D3-A92B-00105A088FAC}
    {1B995F32-5DCC-40A6-B60D-32E4B4E78969}
    {1BE1F766-5536-11D1-B726-00C04FB926AF}
    {2AD3FFA2-142F-4854-9975-CE23FC931095}
    {37745268-6AA3-4611-9EB3-BEEFCE1C75EB}
    {4A0F9AA8-A71E-4CC3-891B-76CAC67E67C0}
    {5556F030-3843-4D61-B974-47013A4EAABE}
    {63A53A38-004F-4898-BD61-96B5EEFADC04}
    {98C3AA12-3146-43BB-A911-7D81F9004E6A}
    {995C996E-D918-4a8c-A302-45719A6F4EA7}
    {9ED50E1D-5D3A-41BB-AC65-E04BE7888BED}
    {B1B9CBB2-B198-47E2-8260-9FD629A2B2EC}
    {B3F97336-A515-4ea6-BE06-4F1428C317C7}
    {B6EBE394-D266-4E14-ADF1-EA8545E7E7AD}
    {C3E7A4D2-AF8B-11D2-BD0F-00C04F72DBBC}
    {EFF16030-9C84-4FB3-8945-C81F7AFBD9C1}
    {F4D6C3EB-304E-4B0C-8BCE-F6B9E974CD17}
    {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}

    Correction: It was the Ad Blocker that was the problem
     
    Attached file: CC.jpg
    Last edited: Mar 19, 2005
  9. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi HandsOff,

    Looks like we have several in common. However, searching the registry here finds all of them. A good registry cleaner, like RegSeeker, should show and let you delete any CLSIDs that are invalid.

    Nick

    Edit: you still have a good point regarding ease of identification. You have to Google a bit just to confirm that "{000C101C-0000-0000-C000-000000000046}" is related to Windows Installer.
     
    Last edited: Mar 20, 2005
  10. HandsOff

    HandsOff Registered Member

    Hey Nick,

    I guess I'm just not cut out for finding things on the internet. At any rate, I think my initial idea to identify all the CLSIDs in important logs is a good one... except they are pretty hard to ID so far. I still could not access the list at CastleCops that Bubba linked to, even with my ad-blocker off. Perhaps if I registered there, but stubborn pride will not allow it.

    Actually I stumbled onto something I downloaded from Merijn that may help.


    - HandsOff
     
  11. TonyKlein

    TonyKlein Security Expert

    Hi HandsOff,

    There's nothing wrong with your browser; I loaded two thirds of your bunch of CLSIDs into the search box, and none of them are listed.

    This can be either because they're indeed random, or because they're not BHO or Toolbar Class IDs (i.e. the O2 and O3 entries from a HijackThis log).

    Quite so; which again is why it isn't listed: it's neither a Toolbar nor a BHO CLSID.
     
  12. HandsOff

    HandsOff Registered Member

    Hi Tony, and thanks for replying again.

    In instances like this I am torn between relief and embarrassment. I totally misunderstood the functioning of the list. Now that I (think I) understand, I will finally understand how to take advantage of this resource. I'll try looking up a couple that should be on the list, notably a "people on page" fiasco I went through a long while ago, just to make sure.


    - HandsOff
     
  13. TonyKlein

    TonyKlein Security Expert

    You're welcome, HandsOff. Glad I was able to clarify things a bit. :)
     
  14. HandsOff

    HandsOff Registered Member

    You Did! And so did Bubba and Nick for pointing me in the right direction...

    Some of the logs that I like are the ones in Spybot Search & Destroy, because they categorize and provide extra information if available.

    Of 6 BHOs listed, 5 were verified as legitimate and the 6th was verified by your list at CastleCops.


    Also of interest in my CLSID quest were the ones listed in the ActiveX section.
    Only 3 out of the 10 are verified, though most of the others are almost certainly also legitimate. The following two I thought were interesting because of the strategic nomenclature:

    The first one annoys. It is for Microsoft Windows Genuine Advantage Validation Tool (that's a mouthful). As you know, we Spybot log readers scan the list for the word "legitimate" and, speaking for myself, look no further at an entry labeled as such. Note the 'incidental' naming of MS's tool, which almost can be mistaken as an SS&D seal of legitimacy:


    {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
    DPF name:
    CLSID name: Windows Genuine Advantage Validation Tool
    Path: C:\WINDOWS\System32\
    Long name: LegitCheckControl.DLL
    Short name: LEGITC~1.DLL
    Date (created): 1/28/2005 3:38:00 PM
    Date (last access): 3/19/2005 6:40:06 PM
    Date (last write): 1/28/2005 3:38:00 PM
    Filesize: 421128
    Attributes:
    MD5: C3C3864DA698F0CC1BE56F9695534DD8
    CRC32: C0FC216A
    Version: 0.1.0.0


    I'm sure it's just incidental, and I believe it is legitimate since MS asked for permission before it was installed. I don't, however, see any listing in Add and Remove Programs; however, I'm sure it must be there somewhere.



    The next one is on a more positive note. I'm a CLSID newbie, but I don't recall any others that use a name that is an effort at self-documentation. Note the CAFE in Java's CLSID. I like that!

    {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
    DPF name: Java Runtime Environment 1.5.0
    CLSID name: Java Plug-in 1.5.0_01
    Path: C:\Program Files\Java\jre1.5.0_01\bin\
    Long name: NPJPI150_01.dll
    Short name: NPJPI1~1.DLL
    Date (created): 12/6/2068 9:31:52 PM
    Date (last access): 3/20/2005 11:32:52 AM
    Date (last write): 12/6/2004 9:49:16 PM
    Filesize: 69746
    Attributes:
    MD5: 7B8F5AAF633987C6F1B88146357D04E5
    CRC32: AD99524A
    Version: 0.1.0.5
     
  15. TonyKlein

    TonyKlein Security Expert

    The Windows Genuine Advantage Validation Tool is a recent MS development: an ActiveX object you're requested to install prior to downloading certain Windows updates and technologies, and designed to check whether you're running a 'genuine' version of the operating system...

    As for ActiveX CLSIDs, you can use Javacool's SpywareBlaster to check them. Its database holds most of the known 'bad' ones.
     
    Attached file: SB.gif
  16. HandsOff

    HandsOff Registered Member

    Thanks Tony,

    And yes, I do use SpywareBlaster, and will go there to check if a CLSID is listed. However, just out of curiosity, I decided to go down the list and search for the numbers in my registry. Very quickly I understood what 'compatibility flag' meant, and what its value is for the kill bit.

    If only I could have stopped there I would have felt satisfied, but unfortunately I noticed that some of the CLSIDs were present in other parts of the registry as well. I decided it was probably not wise to just delete these other entries, but it does make me wish I knew if I could or not. I guess I can find out by trial and error, as long as I am careful.


    - HandsOff
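The thread above describes three manual steps: looking in the registry to see which file a CLSID points at (LPSchool, post 3), deciding whether a CLSID that no list knows is random or simply not a BHO/Toolbar (TonyKlein, posts 7 and 11), and reading the ActiveX 'Compatibility Flags' kill bit (HandsOff, post 16). The PowerShell script below is an added example that automates those checks locally; it is not code from the thread or from CastleCops, HijackThis, Spybot or SpywareBlaster. It assumes a Windows host, Windows PowerShell 5.1 or newer, and the standard registry locations for COM registration (HKCR\CLSID), Browser Helper Objects, IE toolbars and ActiveX Compatibility; the kill-bit test uses the documented flag value 0x400. It also rejects identifiers that contain non-hex characters, which is exactly how several of the CLSIDs in post 8 were transcribed (letter O for zero, letter I for one), so a "not found" result on those is a typo, not evidence of anything.

```powershell
# Added example, not from the original thread: triage one or more CLSIDs against the local registry.
# Usage:  .\Get-ClsidInfo.ps1 -Clsid '{000C101C-0000-0000-C000-000000000046}','{OOOC101C-0000-0000-C000-000000000046}'
# Assumptions: Windows, PowerShell 5.1+, standard COM/IE registry layout, kill bit = Compatibility Flags bit 0x400.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Clsid
)

function Test-ClsidFormat {
    param([string]$Value)
    # A CLSID is a GUID: 8-4-4-4-12 hex digits in braces. O, I and l are not hex digits,
    # so "{OOOC101C-...}" is a transcription error rather than a registrable identifier.
    return $Value -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
}

function Get-ClsidInfo {
    param([string]$Id)
    $result = [ordered]@{ CLSID = $Id }

    if (-not (Test-ClsidFormat $Id)) {
        $result.Status = 'malformed (non-hex characters or wrong layout)'
        return [pscustomobject]$result
    }

    # COM registration. HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
    # so a per-user registration (a common malware trick) is found here as well.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Id"
    if (-not (Test-Path -LiteralPath $key)) {
        $result.Status = 'not registered in HKCR\CLSID'
    } else {
        $result.Status = 'registered'
        $result.Name   = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        $result.ProgId = (Get-ItemProperty -LiteralPath "$key\ProgID" -ErrorAction SilentlyContinue).'(default)'

        # In-process servers (DLLs: BHOs, toolbars, ActiveX controls) live under InprocServer32;
        # out-of-process servers (EXEs) under LocalServer32.
        $server = (Get-ItemProperty -LiteralPath "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) {
            $server = (Get-ItemProperty -LiteralPath "$key\LocalServer32" -ErrorAction SilentlyContinue).'(default)'
        }
        if ($server) {
            # Strip surrounding quotes and trailing arguments, then expand %SystemRoot% and friends.
            $path = $server -replace '^"([^"]+)".*$', '$1'
            $path = $path -replace '\s+/.*$', ''
            $path = [Environment]::ExpandEnvironmentVariables($path)
            $result.ServerPath = $path

            if (Test-Path -LiteralPath $path) {
                # The file itself is what an analyst ultimately examines: hash it and check its signature.
                $result.FileExists = $true
                $result.Sha256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $result.Signature  = (Get-AuthenticodeSignature -LiteralPath $path).Status
            } else {
                # Orphaned registration: the key survived but the server file is gone (or never existed).
                $result.FileExists = $false
            }
        }
    }

    # Where HijackThis O2 (BHO) and O3 (toolbar) entries come from.
    $bhoKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Id"
    $result.IsBHO = Test-Path -LiteralPath $bhoKey
    $toolbar = Get-ItemProperty -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar' -ErrorAction SilentlyContinue
    $result.IsToolbar = ($null -ne $toolbar) -and ($toolbar.PSObject.Properties.Name -contains $Id)

    # ActiveX kill bit: Compatibility Flags with bit 0x400 set means IE refuses to instantiate the control.
    $compatKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Id"
    $compat = Get-ItemProperty -LiteralPath $compatKey -ErrorAction SilentlyContinue
    $flags = if ($compat) { [int]$compat.'Compatibility Flags' } else { 0 }
    $result.CompatibilityFlags = ('0x{0:X}' -f $flags)
    $result.KillBitSet = (($flags -band 0x400) -ne 0)

    return [pscustomobject]$result
}

$Clsid | ForEach-Object { Get-ClsidInfo $_ } | Format-List
```

The output only gathers evidence; it does not decide. A CLSID that is registered, points at an existing, validly signed file and carries a kill bit is the ordinary SpywareBlaster case from post 15. A CLSID that is registered as a BHO but whose server file is missing, unsigned, or sitting in a user-writable directory is the case Tony describes as needing examination of the file itself, and the SHA256 is what you would look up or submit for that.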
     