Regarding Custom Blocking

Discussion in 'SpywareBlaster & Other Forum' started by MessiahMews, Feb 28, 2006.

Thread Status:
Not open for further replies.
  1. MessiahMews (Registered Member; joined Feb 28, 2006; 6 posts)
    Hello everyone. I did have a question regarding the custom blocking of spyware CLSIDs in the registry.

    Do we also block the Interface and TypeLib registry keys as well? Or do I only need to block strictly CLSIDs?

    For example, this spyware below... I bolded them, so you can see what I am referring to. I've been adding them along with CLSIDs too, but wanted to make sure it was necessary.

    WebPI Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4AA438A1-2530-11D2-9D84-00C04F7FB7C4}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4AA438A4-2530-11D2-9D84-00C04F7FB7C4}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7EDC300-766F-11CF-A64F-0020AF37425D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6FBA474B-43AC-11CE-9A0E00AA0062BB4C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E7EDC301-766F-11CF-A64F-0020AF37425D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E7EDC302-766F-11CF-A64F-0020AF37425D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6FBA474BC-43AC-11CE-9A0E00AA0062BB4C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6FBA474D-43AC-11CE-9A0E00AA0062BB4C}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E7EDC303-766F-11CF-A64F-0020AF37425D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Typelib\{6FBA474E-43AC-11CE-9A0E00AA0062BB4C}

    Thank you!
     
  2. Peeved McAfee User (Registered Member; joined Jun 24, 2004; 76 posts)
    SpywareBlaster blocks ActiveX by adding Registry entries like the one below:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
    Compatibility Flags=dword:00000400

    That entry blocks the download and execution of ActiveX processes. Internet Explorer ActiveX applications are stored in the following Registry location:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units]

    Since WebPI does not add entries to that location, it does not appear that WebPI uses an ActiveX process. Therefore it does not appear that using Custom Blocking would have any effect on WebPI.

    ******************

    To answer your question in general: CLSIDs.
     
    Last edited: Feb 28, 2006
  3. MessiahMews (Registered Member; joined Feb 28, 2006; 6 posts)
    Thank you. :D That would make it much easier and save me a lot of work then. Just to make sure I understand, I'll post another example below where I see that, and it's in bold. So that also means that I can leave all the other CLSIDs alone? Just clarifying. :D

    Spyware.WALogger Creates the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68ACC1A8-CFFC-4163-8767-026232DB2697}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78E5A540-1850-11CF-9D53-00AA003C9CB6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{93AAC05D-B974-4770-A9EE-92EFE7A59A85}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFC634B0-4B8B-11CF-8989-00AA00688B10}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B617B991-A767-4F05-99BA-AC6FCABB102E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3B7C8862-D78F-101B-B9B5-04021C009402}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{521B4D64-B9D2-4C2F-8460-0EEA6FBFD0F5}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{859321D0-3FD1-11CF-8981-00AA00688B10}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BA6AF311-61FA-468B-BB20-303BFA6B6C6B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C1E97CB5-5E3A-456C-B3EE-71DB7D986CB1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E9A5593C-CAB0-11D1-8C0B-0000F8754DA1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F51CF22E-E6B3-498F-A9A5-80E80E9E06BD}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{06FFEF32-4765-4123-8C34-2DFE4FB38976}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3B7C8863-D78F-101B-B9B5-04021C009402}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8FB10DD5-CC4F-4D5C-B8E9-E45BE911DE2A}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RICHTEXT.RichtextCtrl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\UNIPro.uUNIPro
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WALI.cWALIRun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Activity Logging Interface_is1
    HKEY_CURRENT_USER\Software\VB and VBA Program Settings\WALI
     
  4. Peeved McAfee User (Registered Member; joined Jun 24, 2004; 76 posts)
    What dword is in the following registry entry?

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}]

    If it is dword:00000400 then it is being blocked. If not, then there may be a problem.

    If you are getting those Registry entries from a write up of what WALogger modifies in the Registry, it may indicate that WALogger is resetting any blocking of the ActiveX that was put in place by anti-malware products before or as it installs.

    ****************

    See the following for the meaning of "dword:00000400" in the following Registry entry:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
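As an added, offline example (not SpywareBlaster's code and not anything posted in this thread), the check described in this post can be run over a `reg export` of the ActiveX Compatibility key: the script parses the .reg text and reports, per CLSID, whether the 0x400 kill bit is set in Compatibility Flags. The sample export is constructed for illustration; its CLSIDs are the ones quoted in this thread and the flag values are assumed.

```python
import re

# 0x400 is COMPAT_EVIL_DONT_LOAD, the IE "kill bit" value SpywareBlaster writes.
KILL_BIT = 0x00000400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample .reg export (not from a real machine): the placeholder CLSID from the
# thread (kill bit set), the WALogger CLSID (bit cleared, the "problem" case), a WebPI CLSID
# with extra flag bits set, and an unrelated Classes\CLSID key that must be ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E7EDC300-766F-11CF-A64F-0020AF37425D}]
"Compatibility Flags"=dword:00010400

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B7C8860-D78F-101B-B9B5-04021C009402}]
@="not an ActiveX Compatibility key"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# The value name is quoted in a real export and bare in the thread; accept both.
FLAGS_RE = re.compile(r'^"?Compatibility Flags"?=dword:([0-9A-Fa-f]{8})$')


def parse_compat_flags(reg_text):
    """Return {CLSID: Compatibility Flags} for every ActiveX Compatibility subkey."""
    flags = {}
    current = None  # CLSID of the key whose values are being read, or None if out of scope
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            parent, _, leaf = key.group(1).rpartition("\\")
            in_scope = parent.lower() == COMPAT_KEY.lower() and CLSID_RE.match(leaf)
            current = leaf.upper() if in_scope else None
            if current is not None:
                flags.setdefault(current, 0)  # key present but no value -> flags 0
            continue
        value = FLAGS_RE.match(line)
        if value and current is not None:
            flags[current] = int(value.group(1), 16)
    return flags


def kill_bit_status(reg_text):
    """True = kill bit set (IE will not load the control); False = not blocked."""
    return {c: bool(f & KILL_BIT) for c, f in parse_compat_flags(reg_text).items()}
```

To check a live system, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg` and open the file with `encoding="utf-16"` (reg export writes UTF-16) before passing its text to `kill_bit_status`.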
     
  5. MessiahMews (Registered Member; joined Feb 28, 2006; 6 posts)
    Thanks for all of that, but now it's way over my head. :D

    The CLSIDs I posted were copied from the Symantec Security Risks website, not my machine. It was just an example.

    WALogger is already blocked on my PC. What I had asked and wanted to know was whether the CLSID that I bolded was the only one that needed to be blocked, just to make sure. I was just clarifying and verifying to make sure I was on the right track.
     
  6. Bubba (Updates Team; joined Apr 15, 2002; 11,271 posts)
    I do not feel you are "on the right track" and hopefully I will not add to your confusion :doubt:

    The Custom Blocking feature of SpywareBlaster is only useful in blocking ActiveX objects (Downloaded Program Files) as they relate to Internet Explorer.

    Yes....there is an ActiveX object that is part of the Wali keylogger payload, but that is only one of the many items contained in that keylogger's payload. Sure....you can place that entry in SpywareBlaster's Custom Blocking list, but all that does is prevent Wali from installing that portion of its payload as it relates to the logging of your Internet Explorer activity.
     
  7. MessiahMews (Registered Member; joined Feb 28, 2006; 6 posts)
    Well now, I'm more confused. :blink: I asked if I was on the right track because of the first answer I received. So, according to the CLSIDs I originally posted, what all do I block then? How would I block an entire program from installing in the first place? In layman's terms. I'm still fairly new at this. :)
     
  8. Bubba (Updates Team; joined Apr 15, 2002; 11,271 posts)
    In regard to keyloggers....that is not a function of SpywareBlaster, and if you are searching for ways to deal with malware similar to your keylogger examples....I suggest we consider moving this whole thread to a more appropriate section, or take a look at our other Forum listings and decide which area you are interested in....Anti-malware, Anti-Trojan, Anti-virus....etc.

    Bottom line....it is not a function of SpywareBlaster to accomplish what you are wanting. It strictly helps protect Internet Explorer with ActiveX, Cookie and Restricted Sites protection, and also Mozilla/Firefox cookie protection.
     