As Intended: Question about CommonName / ToolbarCNBabe

98Guy98

New member
Spybot is telling me that I have CommonName / ToolbarCNBabe:

12.04.2010 21:02:49 - ##### check started #####
12.04.2010 21:02:49 - ### Version: 1.6.2
12.04.2010 21:02:49 - ### Date: 4/12/10 9:02:49 PM
12.04.2010 21:02:49 - ##### checking bots #####
12.04.2010 21:10:34 - found: CommonName Class ID

It's telling me this based on this registry entry:

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

Is it normal to have a CLSID with all zeros like that?

What else do I need to have in the registry in the vicinity of (or associated with) that CLSID in order to confirm CommonName / ToolbarCNBabe presence?

I do not have the file cnbabe.dll on my system.
 
Hi 98Guy98,
Systemlookup gives you some examples which kind of Malware or programs the CLSID
Does it help you? :)
No.

I searched my system for all the files mentioned in your link:

CnbarIE.dll, Cnbabe.dll, BabeIE.dll, msxmlpp.dll, msxslab.dll, DLManager.dll, QQIEHelper02.dll, xunleiBHO_Now.dll

None of those files are on my system.

In my registry, I have this:

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

And I have this:

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}

And I have *no values* or key data values associated with those entries.

What other keys or data values *must* appear in my registry along with

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

that would correctly indicate the presence of CommonName or CNBabe or any of the other malware that is indicated?

In searching my registry for other occurrences of 00000000-0000-0000-0000-000000000000, I have these:

HKEY_CLASSES_ROOT\CLSID\{31345649-0000-0010-8000-00AA00389B71}\Pins\Output\Types\{73646976-0000-0010-8000-00AA00389B71}\{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\CLSID\{9D2E5600-9099-11D0-B0AC-006097707A2C}\Pins\Input\Types\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\CLSID\{A2551F60-705F-11CF-A424-00AA003735BE}\Pins\Input\Types\{73646976-0000-0010-8000-00AA00389B71}\{00000000-0000-0000-0000-000000000000}
HKEY_CLASSES_ROOT\Media Type\Extensions\.sdp\subtype
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device

These all seem to be related to MPEG playback methods or codecs.
 
Hi 98Guy98,

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}
does Spybot only find this one registry key?

Can you send us some logfiles, like Yodama has described here :thanks:


What other keys or data values *must* appear in my registry along with

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

that would correctly indicate the presence of CommonName or CNBabe or any of the other malware that is indicated?
I can't give you an answer to this question, but I'm sure Yodama can. ;)
 
This is what Spybot found when I ran it. What other information do you need from me in order to fully investigate this detection of "CommonName"?

--- Report generated: 2010-04-12 21:33 ---

CommonName: [SBI $A5CE4ECE] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

DoubleClick: Tracking cookie (Firefox: Administrator (default)) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
DoubleClick: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
HitBox: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
FastClick: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
FastClick: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
HitBox: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
MediaPlex: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
MediaPlex: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
Statcounter: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
Statcounter: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
Statcounter: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)
Zedo: Tracking cookie (Netscape (6 or later): Administrator (default)) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

--- System information ---
Windows 98 (Build: 2222) A
/ DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution
/ DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: RDS Killbit Bypass and Cross Zone Scripting
/ Windows Media Player: Windows Media Update 819639
/ Windows Media Player: Windows Media Update 837272
/ Windows Media Player: Windows Media Update 885492
/ Windows Media Player: Windows Media Update 917734
/ Windows Media Player: Windows Media Update KB891122
/ DirectX: Windows Update 904706
/ MSXML4SP2: Security update for MSXML4 SP2 (KB973688)
 
hello,

please export this registry key
Code:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

And attach the export in this thread or email it to detections@spybot.info with a reference to this thread.
Since the Win98 registry editor does not support exporting registry keys, please use RegAlyzer.
 
hello, please export this registry key
Code:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

And attach the export in this thread. Since the Win98 registry editor does not support exporting registry keys, please use RegAlyzer.

The following is the requested key, as exported by regalyzer and opened with wordpad:

-----------------------
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\Implemented Categories]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
-------------------------

As I said in an earlier post, I have no data types or data values associated with that CLSID. I don't know why there are two identical subkeys.
 
ok,
I just wanted to make sure that there is nothing else inside the key in question.
The subkey is responsible for suppressing a security warning for the ActiveX control {00000000-0000-0000-0000-000000000000}.
Since the entry that ensures it is executed without a warning is present 2 times, it is very clear that a badly written malware has added it.

To make a long story short, I recommend removing the key.
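As an added example (not code from this thread, from Spybot or from RegAlyzer), the following Python script checks a "Windows Registry Editor Version 5.00" export for the pattern described above: a CLSID listed under the well-known "safe for scripting" category {7DD95801-9882-11CF-9FA9-00AA006C42C4} or "safe for initializing" category {7DD95802-9882-11CF-9FA9-00AA006C42C4} (the two distinct subkeys in the export) while having no InprocServer32 or LocalServer32 binding to any binary. The sample export is the one posted in the thread plus a constructed benign entry with a placeholder CLSID and DLL path for contrast.

```python
import re

# Well-known COM component category IDs (CATIDs): the two subkeys under
# "Implemented Categories" in the export above. A control listed in them is
# treated as safe, so Internet Explorer loads it without the usual prompt.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"

KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]{36}\})(?:\\(.*))?\]$", re.I)

def parse_reg_export(text):
    """Map each CLSID named in a [HKEY_CLASSES_ROOT\CLSID\{...}\...] key header
    to the upper-cased set of its subkey paths; value lines are not needed here."""
    clsids = {}
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            clsids.setdefault(m.group(1).upper(), set()).add((m.group(2) or "").upper())
    return clsids

def find_suspicious(clsids):
    """Return (clsid, [catids]) for controls marked safe for scripting/initializing
    that have no server registration (no InprocServer32 or LocalServer32 subkey):
    the warning is suppressed for a control that is not even bound to a binary."""
    findings = []
    for clsid, subs in clsids.items():
        safe = [c for c in (CATID_SAFE_FOR_SCRIPTING, CATID_SAFE_FOR_INITIALIZING)
                if "IMPLEMENTED CATEGORIES\\" + c in subs]
        has_server = any(s.startswith(("INPROCSERVER32", "LOCALSERVER32")) for s in subs)
        if safe and not has_server:
            findings.append((clsid, safe))
    return findings

# Constructed sample: the export posted in the thread plus one constructed benign
# entry (placeholder CLSID and DLL path) that is properly bound to a server DLL.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\Implemented Categories]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Placeholder Control"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\placeholder.dll"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
"""

if __name__ == "__main__":
    for clsid, catids in find_suspicious(parse_reg_export(SAMPLE_EXPORT)):
        print(clsid, "is marked safe via", ", ".join(catids), "but has no server key")
```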
 