Results 1 to 8 of 8

Thread: Question about CommonName / ToolbarCNBabe

  1. #1
    Junior Member
    Join Date
    Apr 2010
    Posts
    4

    Default Question about CommonName / ToolbarCNBabe

    Spybot is telling me that I have CommonName / ToolbarCNBabe:

    12.04.2010 21:02:49 - ##### check started #####
    12.04.2010 21:02:49 - ### Version: 1.6.2
    12.04.2010 21:02:49 - ### Date: 4/12/10 9:02:49 PM
    12.04.2010 21:02:49 - ##### checking bots #####
    12.04.2010 21:10:34 - found: CommonName Class ID

    It's telling me this based on this registry entry:

    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

    It is normal to have a CLSID with all zero's like that?

    What else do I need to have in the registry in the vicinity of (or associates with) that CSLID in order to confirm CommonName / ToolbarCNBabe presence?

    I do not have the file cnbabe.dll on my system.

  2. #2
    Senior Member Matt's Avatar
    Join Date
    Aug 2006
    Location
    Bavaria
    Posts
    1,169

    Default

    Hi 98Guy98,



    Systemlookup gives you some examples which kind of Malware or programs the CLSID {00000000-0000-0000-0000-000000000000} use.

    Does it help you?
    Best regards - Beste Grüße,

    Matt

  3. #3
    Junior Member
    Join Date
    Apr 2010
    Posts
    4

    Default

    Quote Originally Posted by Matt View Post
    Hi 98Guy98,
    Systemlookup gives you some examples which kind of Malware or programs the CLSID
    Does it help you?
    No.

    I searched my system for all the files mentioned in your link:

    CnbarIE.dll, Cnbabe.dll, BabeIE.dll, msxmlpp.dll, msxslab.dll, DLManager.dll, QQIEHelper02.dll, xunleiBHO_Now.dll

    None of those files are on my system.

    In my registry, I have this:

    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

    And I have this:

    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}

    And I have *no values* or keys data values associated with those entries.

    What other keys or data values *must* appear in my registry along with

    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

    that would correctly indicate the presence of CommonName or CNBabe or any of the other malwares that are indicated?

    In searching my registry for other occurrences of 00000000-0000-0000-0000-000000000000, I have these:

    HKEY_CLASSES_ROOT\CLSID\{31345649-0000-0010-8000-00AA00389B71}\Pins\Output\Types\{73646976-0000-0010-8000-00AA00389B71}\{00000000-0000-0000-0000-000000000000}
    HKEY_CLASSES_ROOT\CLSID\{9D2E5600-9099-11D0-B0AC-006097707A2C}\Pins\Input\Types\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{00000000-0000-0000-0000-000000000000}
    HKEY_CLASSES_ROOT\CLSID\{A2551F60-705F-11CF-A424-00AA003735BE}\Pins\Input\Types\{73646976-0000-0010-8000-00AA00389B71}\{00000000-0000-0000-0000-000000000000}
    HKEY_CLASSES_ROOT\Media Type\Extensions\.sdp\subtype
    HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device

    These all seem to be related to MPEG playback methods or codecs.

  4. #4
    Senior Member Matt's Avatar
    Join Date
    Aug 2006
    Location
    Bavaria
    Posts
    1,169

    Default

    Hi 98Guy98,

    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}
    does Spybot only find this one registry key?

    Can you send us some logfiles, like Yodama has described here


    What other keys or data values *must* appear in my registry along with

    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

    that would correctly indicate the presence of CommonName or CNBabe or any of the other malwares that are indicated?
    I can't give you an answer to this question, but I'm sure Yodama can.
    Best regards - Beste Grüße,

    Matt

  5. #5
    Junior Member
    Join Date
    Apr 2010
    Posts
    4

    Default

    This is what spybot found when I ran it. What other information do you need from me in order to fully investigate this detection of "CommonName" ?

    --- Report generated: 2010-04-12 21:33 ---

    CommonName: [SBI $A5CE4ECE] Class ID (Registry key, nothing done)
    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

    DoubleClick: Tracking cookie (Firefox: Administrator (default)) (Cookie, nothing done)
    CasaleMedia: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    CasaleMedia: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    CasaleMedia: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    DoubleClick: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    HitBox: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    FastClick: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    FastClick: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    HitBox: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    MediaPlex: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    MediaPlex: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    Statcounter: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    Statcounter: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    Statcounter: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
    Zedo: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)

    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    --- System information ---
    Windows 98 (Build: 2222) A
    / DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution
    / DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution
    / DataAccess: Microsoft Data Access Components KB870669
    / DataAccess: Security update for Microsoft Data Access Components
    / DataAccess: RDS Killbit Bypass and Cross Zone Scripting
    / Windows Media Player: Windows Media Update 819639
    / Windows Media Player: Windows Media Update 837272
    / Windows Media Player: Windows Media Update 885492
    / Windows Media Player: Windows Media Update 917734
    / Windows Media Player: Windows Media Update KB891122
    / DirectX: Windows Update 904706
    / MSXML4SP2: Security update for MSXML4 SP2 (KB973688)

  6. #6
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    hello,

    please export this registry key
    Code:
    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}
    And attach the export in this thread or email it to detections@spybot.info with a reference to this thread.
    Since the Win98 registry editor does not support export of registry keys please use the regalyzer
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  7. #7
    Junior Member
    Join Date
    Apr 2010
    Posts
    4

    Default

    Quote Originally Posted by Yodama View Post
    hello, please export this registry key
    Code:
    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}
    And attach the export in this thread. Since the Win98 registry editor does not support export of registry keys please use regalyzer
    The following is the requested key, as exported by regalyzer and opened with wordpad:

    -----------------------
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}]
    [HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\Implemented Categories]
    [HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
    [HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
    -------------------------

    As I said in an earlier post, I have no data types or data values associated with that CLSID. I don't know why there are two identical subkeys.

  8. #8
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    ok,
    I just wanted to make sure that there is nothing else inside the key in question.
    The subkey is responsible for suppressing a security warning for the activeX control {00000000-0000-0000-0000-000000000000}
    Since the entry that ensures that it is executed without warning is present 2 times it is very clear that a badly written malware has added it.

    To make the long story short, I recommend to remove the key.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •