Please Help CLSID´s

PauloMaviega · August 2, 2011

Hello Friend´s...

I do not know if it is the correct place to post, but I lay on the forum.

I'm in doubt consult CLSID's websites.

For example this key: HKEY_CLASSES_ROOT \ Interface \ {E743CF05-181C-4D72-B4EE-95435ED4B86B} (Trojan.BHO)

I looked up the CLSID in SystemLookUp site and nothing was found.

Could you help me how to know when the key is harmful or not? And if there are other sites to do this research.

Thank you.

Paulo Maviega

nosirrah · August 2, 2011

There can be no help provided without a complete scan log.

That is also not a CLSID.

HKEY_CLASSES_ROOT\CLSID\ <- those are located in this key.

PauloMaviega · August 2, 2011

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Versão da Base de Dados: 7357

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/8/2011 13:59:44

mbam-log-2011-08-02 (13-59-44).txt

Tipo de Verificação: Verificação Completa (C:\|)

Objetos escaneados: 146596

Tempo decorrido: 12 minuto(s), 59 segundo(s)

Processos de Memória Infectados: 0

Módulos de Memória Infectados: 0

Chaves de Registro Infectadas: 16

Valores de Registro Infectados: 0

Itens de Dados no Registro Infectados: 3

Pastas Infectadas: 5

Arquivos Infectados: 16

Processos de Memória Infectados:

(Não foram detectados ítens maliciosos)

Módulos de Memória Infectados:

(Não foram detectados ítens maliciosos)

Chaves de Registro Infectadas:

HKEY_CLASSES_ROOT\Interface\{E743CF05-181C-4D72-B4EE-95435ED4B86B} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\rs_adw.Helper_bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\rs_adw.Helper_bho (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{71E59D37-D7FC-4ED6-BC1D-D13BE02FE6C5} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{2552632F-867D-4052-B836-7F83A5302534} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\reklosoft_adw.Helper_Bar (Trojan.Kerlofost) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\rs_adw.DLL (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\SearchHelper (Adware.Reklosoft) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71E59D37-D7FC-4ED6-BC1D-D13BE02FE6C5} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{71E59D37-D7FC-4ED6-BC1D-D13BE02FE6C5} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{71E59D37-D7FC-4ED6-BC1D-D13BE02FE6C5} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{D96FA298-1BB6-47FC-AD21-72781B744DC3} (Adware.Reklosoft) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{FFFFE708-B832-42F1-BAFF-247753B5E452} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\rs_adw.Helper_Bar.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFFFE708-B832-42F1-BAFF-247753B5E452} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FFFFE708-B832-42F1-BAFF-247753B5E452} (Trojan.BHO) -> Quarantined and deleted successfully.

Valores de Registro Infectados:

(Não foram detectados ítens maliciosos)

Itens de Dados no Registro Infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Pastas Infectadas:

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\chrome\content (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\defaults (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\defaults\preferences (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66} (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\chrome (Trojan.Kerlofost) -> Quarantined and deleted successfully.

Arquivos Infectados:

c:\WINDOWS\system32\ssd.dll (Trojan.BHO) -> Quarantined and deleted successfully.

c:\documents and settings\pviega_testes\Desktop\16_\m2dev.exe (Trojan.Small) -> Quarantined and deleted successfully.

c:\documents and settings\pviega_testes\Desktop\16_\qip8092.exe (Adware.Agent) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\chrome\content\q.png (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\chrome\content\q_gray.png (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\chrome\content\x.png (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\chrome\content\x_gray.png (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\chrome.manifest (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\extension.reg (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\install.rdf (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\defaults\preferences\main.js.old (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\chrome\content\main.xul (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\chrome\content\extensions.xul (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\chrome\content\logo.png (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\chrome\content\main.js (Trojan.Kerlofost) -> Quarantined and deleted successfully.

c:\arquivos de programas\arquivos comuns\{7445f2b0-cf99-11dd-ad8b-0800200c9a66}\defaults\preferences\main.js (Trojan.Kerlofost) -> Quarantined and deleted successfully.

=============================================================================

My question is to know where can I find the CLSID's.

There is SystemLookUp, there are some other sites?

Do I need to know to learn to analyze HijackThis LOG's and the like.

nosirrah · August 2, 2011

HKEY_CLASSES_ROOT\CLSID\{71E59D37-D7FC-4ED6-BC1D-D13BE02FE6C5} (Trojan.BHO) -> Quarantined and deleted successfully.

This is the only CLSID in your log and it is confirmed malware:

http://www.systemlookup.com/CLSID/58148-rs23493_dll_4rs23515_dll_1rs23525_dll_rs41_dll_similar_filenames_softopay_dll_qip_dll_my32ad_dll_dimsys_dll_rs2lib_dll_totalcom_dll_winarchive_dll_nod32_dll_alc_dll_videoru_dll_vidus1_dll_000s_dll_megaru_dll_winamp_dll.html

nosirrah · August 2, 2011

http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=546407#none

Click "Virus Characteristics", seems to be what you have in your system.

nosirrah · August 2, 2011

HKEY_CLASSES_ROOT\CLSID\{FFFFE708-B832-42F1-BAFF-247753B5E452} (Trojan.BHO) -> Quarantined and deleted successfully.

Ahhh missed this one but looking online it is also confirmed malware.

PauloMaviega · August 2, 2011

In Regedit I find the values of CLSID's (the keys inside)?

PauloMaviega · August 2, 2011

And to see this key?

HKEY_CLASSES_ROOT \ Interface \ {E743CF05-181C-4D72-B4EE-95435ED4B86B} (Trojan.BHO) -> Quarantined and deleted successfully.

{E743CF05-181C-4D72-B4EE-95435ED4B86B} is not a CLSID?

nosirrah · August 2, 2011

{E743CF05-181C-4D72-B4EE-95435ED4B86B} <- on its own is a GUID.

In the example you gave:

HKEY_CLASSES_ROOT \ Interface \ {E743CF05-181C-4D72-B4EE-95435ED4B86B}

that GUID is an interface.

In this example:

HKEY_CLASSES_ROOT\TypeLib\{2552632F-867D-4052-B836-7F83A5302534}

{2552632F-867D-4052-B836-7F83A5302534} is a TypeLib.

PauloMaviega · August 2, 2011

Very Good

HKEY_CLASSES_ROOT \ Interface \ {E743CF05-181C-4D72-B4EE-95435ED4B86B} = GUID.

HKEY_CLASSES_ROOT\TypeLib\{2552632F-867D-4052-B836-7F83A5302534} = TypeLib.

HKEY_CLASSES_ROOT\CLSID\{FFFFE708-B832-42F1-BAFF-247753B5E452} = CLSID

I know it's for SystemLookUp CLSID's.

To TypeLib GUID and is there a site to view these keys and values is necessary to study the same in the Windows registry? This is my biggest question.

nosirrah · August 2, 2011

HKEY_CLASSES_ROOT \ Interface \ {E743CF05-181C-4D72-B4EE-95435ED4B86B} = GUID.

Not quite

{????????-????-????-????-????????????}

This basic structure where each ? is a hex character is called a GUID. Where it is located determines what it is.

HKEY_CLASSES_ROOT \ Interface \ {E743CF05-181C-4D72-B4EE-95435ED4B86B}

{E743CF05-181C-4D72-B4EE-95435ED4B86B} is an interface because that is where it is located in the registry.

To TypeLib GUID and is there a site to view these keys and values is necessary to study the same in the Windows registry? This is my biggest question.

You should be able to find Typelibs on google but I do not know of any site where you can look them up. Interfaces are linked from TypeLibs which in turn are linked to from CLSIDs so none of this really matters anyway. MBAM does not actually define much of what you see in that log BTW. We use system inspection to find linked components allowing complete infection removal with very little initial data.

PauloMaviega · August 2, 2011

Thank you again.

Through his explanation checked out of curiosity value manually in the registry interface.

Key Name: HKEY_CLASSES_ROOT \ Interface \ {E743CF05-181C-4D72-B4EE-95435ED4B86B}

Class name: <No classe>

Time of last write: 02/08/2011 - 15:33

value 0

Name: <No Name>

Type: REG_SZ

Data: IHelper_bho <<

Thank you for explanations, I have to use google even when analyzing the keys of some HijackThis log or OTL / DDS.

The MalwareBytes help is very good too.

Thank you for your explanations and for its good will.

It was of great benefit.

Thank you very much.

Paulo Maviega

Please Help CLSID´s

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Important Information