23 October 2010

Previous:
http://cryptome.org/0002/clsid-list-06.htm
http://cryptome.org/0002/clsid-list-05.htm
CLSID Shit List 7

A sends:

Before scrolling through this updated list, I recommend reading CLSID Shitlist Beyond. http://cryptome.org/0002/clsid-beyond.htm

_________________________________________

What (A) told us is true: the registry is not the only place to hunt down viruses, spyware, or other malware infections. Taking snapshots of the system and using a utility that tracks any changes does help filter out hidden rogue activity; good point. An inbound/outbound firewall would also help catch anything trying to establish a remote connection.

I'm surprised others have taken an interest in these shit lists; they help me thwart registry infection while finding more ways to improve stability and defense. Also, working with several computers, I've practiced editing and researching the registry: not only finding infected CLSIDs but what files/programs may depend on them, whether those files/programs can be trusted, whether they exist for third parties, or whether, at times, they are perhaps stable. The truth is I happen to be better at detecting something abnormal or rogue inside the registry than I am at finding proper software that can be trusted. Hard copy backups are smart; that helps a lot.

I am familiar with common techniques some people use. People sometimes use an unregistered computer with basic system defense: no updating (which should NEVER be trusted), no emailing, no logging into accounts linking to personal identity. One computer I use now is always offline.

As (A) stated before, "someone who's trying to keep a normal Windows system secure and non-invasive has to watch a lot more than just CLSIDs." That's true.

Keep in mind, when I use the term "bleach", this does not mean "delete". What I have stumbled across after deleting infected files is the fact that they can re-surface, same as deleting an infected CLSID. (NOT referring to the system32 files meant to re-surface for protection.)

Bleaching the CLSID keeps the CLSID inside the registry without data: no strings, no value, without the permission set. ... That cannot be fixed unless you stand by the computer to reprogram it. That can be a pain in the ass; sometimes that won't work either. When it's bleached, it's dead, with ONLY the physical owner holding the bones to reincarnate it. Learn how to bleach here: http://ht.ly/19nj0Z

One problem I have trouble with is finding proper software I can trust. Most of the freeware nowadays is corrupt, and that also goes for most of the anti-spyware people pay for in the stores. GARBAGE! I'd best stick with what I study here, and that is unnecessary, unstable registry.

_________________________________________
The registry looks more complex than it is; however, it IS very sensitive! The benefit of using these guides is that they help average folks protect their computers from exploitation.

MMC Plugable Internet Protocol Updated

HKCR\CLSID\{3C5F432A-EF40-4669-9974-9671D4FC2E12}
HKCR\CLSID\{43136EB5-D36C-11CF-ADBC-00AA00A80033}
HKCR\CLSID\{7F1899DA-62A6-11D0-A2C6-00C04FD909DD}
HKCR\CLSID\{ADE6444B-C91F-4E37-92A4-5BB430A33340}
HKCR\CLSID\{B708457E-DB61-4C55-A92F-0D4B5E9B1224}
HKCR\CLSID\{D6FEDB1D-CF21-4BD9-AF3B-C5468E9C6684}
HKCR\CLSID\{F1E752C3-FD72-11D0-AEF6-00C04FB6DD2C}
HKCR\CLSID\{F7A4F1DA-96C3-4BCF-BEB3-1D9FFDE89EE9}

Here are all those MMC Node Manager CLSIDs.

HKEY_CLASSES_ROOT\NODEMGR.AppEventsDHTMLConnector {ADE6444B-C91F-4E37-92A4-5BB430A33340}
HKEY_CLASSES_ROOT\NODEMGR.ComCacheCleanup {F7A4F1DA-96C3-4BCF-BEB3-1D9FFDE89EE9}
HKEY_CLASSES_ROOT\NODEMGR.MMCDocConfig {F1E752C3-FD72-11D0-AEF6-00C04FB6DD2C}
HKEY_CLASSES_ROOT\NODEMGR.MMCProtocol {3C5F432A-EF40-4669-9974-9671D4FC2E12}
HKEY_CLASSES_ROOT\NODEMGR.MMCVersionInfo {D6FEDB1D-CF21-4BD9-AF3B-C5468E9C6684}
HKEY_CLASSES_ROOT\NODEMGR.MMCViewExt {B708457E-DB61-4C55-A92F-0D4B5E9B1224}
HKEY_CLASSES_ROOT\NODEMGR.NodeInitObject {43136EB5-D36C-11CF-ADBC-00AA00A80033}
HKEY_CLASSES_ROOT\NODEMGR.ScopeTreeObject {7F1899DA-62A6-11D0-A2C6-00C04FD909DD}

The Node Manager belongs to Cisco. These CLSIDs help cache messages inside a system. The three Cisco ports are 130 - 132: cisco-fna, cisco-tna and cisco-sys. These CLSIDs have been bleached and tested on both wireless and wired internet connections, on two separate systems. Node Manager is not required. The Node Manager can be exploited by third parties and can be used to bypass security. Safe to bleach. There are rumors that MMC runs with a trojan rootkit.

Hacked RDNs FOUND [DO NOT BLEACH THESE]

FlashBroker HKCR\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}

The two hacks are "Everyone" and "Anonymous Logon". Right click, go to the permission set. Remove both RDNs listed above! Click "Apply", then click OK.

NEXT RDN HACKS

Follow the same procedure as above. Do not bleach!
IFlashBroker2
HKCR\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}
HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}

Once fixed in HKCR, they are stable in HKLM.

BitBucket Hacker Hacks "Everyone" RDN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket [SAFE TO BLEACH]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkCrawler [SAFE TO BLEACH]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer [SAFE TO BLEACH]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate [SAFE TO BLEACH]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache [SAFE TO BLEACH]

"Power Users" and "CREATOR OWNER" RDNs Hacked [DO NOT BLEACH!]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc

Right click, go to the permission set. Remove both RDNs listed above! Click "Apply", then click OK.

FIVE RDNs TO DISABLE! GO TO HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, AND HKEY_CURRENT_CONFIG. MAKE SURE "Power Users", "CREATOR OWNER", "EVERYONE", "Anonymous Logon" AND "RESTRICTED" ARE TAKEN OFF OR DISABLED. LEAVE THE OTHER RDNs ALONE!

WSecEdit Security Manager is a malicious trojan that presents security risks to the compromised computer. It modifies security settings automatically.
WSecEdit Security Manager Class HKCR\CLSID\{011BE22D-E453-11D1-945A-00C04FB984F9}
WSecEdit RSOP Security Settings Class HKCR\CLSID\{1B6FC61A-648A-4493-A303-A1A22B543F01}
WSecEdit Security Configuration Class HKCR\CLSID\{2AABFCD0-1797-11D2-ABA2-00C04FB6C6FA}
WSecEdit Local Security Settings Class HKCR\CLSID\{2E8EA1E5-F406-46F5-AF10-661FD6539F28}
WSecEdit Security Configuration Class HKCR\CLSID\{5ADF5BF6-E452-11D1-945A-00C04FB984F9}
WSecEdit Security Manager Class HKCR\CLSID\{5C0786ED-1847-11D2-ABA2-00C04FB6C6FA}
WSecEdit Security Settings Class HKCR\CLSID\{5C0786EE-1847-11D2-ABA2-00C04FB6C6FA}
WSecEdit Extension Class HKCR\CLSID\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}
WSecEdit Local Security Settings Class HKCR\CLSID\{CFF49D53-EE51-49F2-A807-7E3DF4EA36E3}
WSecEdit RSOP Security Settings Class HKCR\CLSID\{FE883157-CEBD-4570-B7A2-E4FE06ABE626}

HKEY_CLASSES_ROOT\WPDSp.WPDServiceProvider {77F7F122-20B0-4117-A2FB-059D1FC88256}
HKEY_CLASSES_ROOT\Wsecedit.Extension {803E14A0-B4FB-11D0-A0D0-00A0C90F574B}
HKEY_CLASSES_ROOT\Wsecedit.LS {CFF49D53-EE51-49F2-A807-7E3DF4EA36E3}
HKEY_CLASSES_ROOT\Wsecedit.LSAbout.1 {2E8EA1E5-F406-46F5-AF10-661FD6539F28}
HKEY_CLASSES_ROOT\Wsecedit.RSOP {FE883157-CEBD-4570-B7A2-E4FE06ABE626}
HKEY_CLASSES_ROOT\Wsecedit.RSOPAbout.1 {1B6FC61A-648A-4493-A303-A1A22B543F01}
HKEY_CLASSES_ROOT\Wsecedit.SAV {011BE22D-E453-11D1-945A-00C04FB984F9}
HKEY_CLASSES_ROOT\Wsecedit.SCE {5ADF5BF6-E452-11D1-945A-00C04FB984F9}

WECAPI2 CLSIDs Updated

WECAPI2.FpStructureModification.1 HKCR\CLSID\{F6FD0A00-43F0-11D1-BE58-00A0C90A4335}
WECAPI2.FpStructureElement.1 HKCR\CLSID\{F6FD0A01-43F0-11D1-BE58-00A0C90A4335}
WECAPI2.FpFile.1 HKCR\CLSID\{F6FD0A0E-43F0-11D1-BE58-00A0C90A4335}
WECAPI2.FpMetaInfo.1 HKCR\CLSID\{F6FD0A0F-43F0-11D1-BE58-00A0C90A4335}
WECAPI2.FpFolder.1 HKCR\CLSID\{F6FD0A11-43F0-11D1-BE58-00A0C90A4335}
WECAPI2.WebExtenderClient.1 HKCR\CLSID\{F6FD0A13-43F0-11D1-BE58-00A0C90A4335}

HKEY_CLASSES_ROOT\WECAPI2.FpFile {F6FD0A0E-43F0-11D1-BE58-00A0C90A4335}
HKEY_CLASSES_ROOT\WECAPI2.FpFolder {F6FD0A11-43F0-11D1-BE58-00A0C90A4335}
HKEY_CLASSES_ROOT\WECAPI2.FpMetaInfo {F6FD0A0F-43F0-11D1-BE58-00A0C90A4335}
HKEY_CLASSES_ROOT\WECAPI2.FpStructureElement {F6FD0A01-43F0-11D1-BE58-00A0C90A4335}
HKEY_CLASSES_ROOT\WECAPI2.FpStructureModification {F6FD0A00-43F0-11D1-BE58-00A0C90A4335}
HKEY_CLASSES_ROOT\WECAPI2.WebExtenderClient {F6FD0A13-43F0-11D1-BE58-00A0C90A4335}

This vulnerability lets remote users execute arbitrary scripts inside compromised systems. Windows Explorer includes a preview pane (web view), which displays information on some types of files when they are selected. The preview pane is implemented via an HTML resource file (in webvw.dll). Scripts can be injected to execute malicious threats on the system, even used to spy on remote users. Microsoft claims WebView is safe. It is not safe.

WebViewCoord Class HKEY_CLASSES_ROOT\CLSID\{7A707490-260A-11D1-83DF-00A0C90DC849}
WebViewCoord Class HKEY_CLASSES_ROOT\CLSID\{BCFD624E-705A-11d2-A2AF-00C04FC30871}
HKEY_CLASSES_ROOT\WebViewCoord.WebViewCoord
HKLM\SOFTWARE\Classes\WebViewCoord.WebViewCoord {7A707490-260A-11D1-83DF-00A0C90DC849}
HKEY_CLASSES_ROOT\WebViewFolderIcon.WebViewFolderIcon
HKLM\SOFTWARE\Classes\WebViewFolderIcon.WebViewFolderIcon {e5df9d10-3b52-11d1-83e8-00a0c90dc849}

SharedTaskScheduler Spyware

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
[Links {8C7461EF-2B13-11d2-BE35-3078302C2030}]
[Part of Component Categories conditional cache daemon.]

Component Categories conditional cache daemons

HKCR\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}
HKCR\CLSID\{DC651A43-0720-4a2b-9971-BD2EF1329A3D}
HKCR\CLSID\{E56829C9-2D59-11d2-BE38-3078302C2030}

!DO NOT BLEACH RANDOM SHELL EXTENSIONS!

*THESE ARE SAFE TO BLEACH* THESE KEEP TRACK OF WHAT YOU DO ON YOUR SYSTEM.
*Fusion Cache* {1D2680C9-0E2A-469d-B787-065558BC7D43}
*Microsoft History AutoComplete List* {00BB2764-6A77-11D0-A535-00C04FD7D062}
*Microsoft Multiple AutoComplete List* {00BB2765-6A77-11D0-A535-00C04FD7D062}
*WebCheckWebCrawler* {08165EA0-E946-11CF-9C87-00AA005127ED}

ONLY THOSE FOUR LISTED ABOVE ARE SAFE TO BLEACH! OTHERS CAN BE FOUND HERE:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

DON'T SCREW AROUND! SHELLS ARE SENSITIVE.

Windows NT Abusive Vulnerabilities

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\WowFax
SQLDMO can be used by remote Windows NT users. Unlike general SQL, SQLDMO is safe to bleach. I suggest not bleaching SQLDMO UNLESS you have no use for it or it's causing a problem, for instance a hacker cracking into it. SQLDMO IS safe to bleach, but remember, never start bleaching random SQL CLSIDs or you could end up with system damage. My SQLDMO has been hacked before; I had to bleach it. Not that big a deal, it just takes an hour to bleach it all.

HKCR\Interface\{10021506-E260-11CF-AE68-00AA004A34D5}
HKCR\Interface\{10021516-E260-11CF-AE68-00AA004A34D5}
HKCR\Interface\{10021603-E260-11CF-AE68-00AA004A34D5}
HKCR\Interface\{10021606-E260-11CF-AE68-00AA004A34D5}
HKCR\Interface\{10021E06-E260-11CF-AE68-00AA004A34D5}
HKCR\Interface\{10023306-E260-11CF-AE68-00AA004A34D5}
HKCR\Interface\{10023316-E260-11CF-AE68-00AA004A34D5}
HKCR\Interface\{10023403-E260-11CF-AE68-00AA004A34D5}
HKCR\Interface\{10023406-E260-11CF-AE68-00AA004A34D5}
HKCR\Interface\{10031206-E260-11CF-AE68-00AA004A34D5}
HKCR\Interface\{10041003-E260-11CF-AE68-00AA004A34D5}
HKCR\Interface\{10041006-E260-11CF-AE68-00AA004A34D5}

HKEY_CLASSES_ROOT\SQLDMO.Alert
HKEY_CLASSES_ROOT\SQLDMO.Alert.8.0
HKEY_CLASSES_ROOT\SQLDMO.Application
HKEY_CLASSES_ROOT\SQLDMO.Application.8.0
HKEY_CLASSES_ROOT\SQLDMO.Backup
HKEY_CLASSES_ROOT\SQLDMO.Backup.8.0
HKEY_CLASSES_ROOT\SQLDMO.Backup2
HKEY_CLASSES_ROOT\SQLDMO.Backup2.8.0
HKEY_CLASSES_ROOT\SQLDMO.BackupDevice
HKEY_CLASSES_ROOT\SQLDMO.BackupDevice.8.0
HKEY_CLASSES_ROOT\SQLDMO.BulkCopy
HKEY_CLASSES_ROOT\SQLDMO.BulkCopy.8.0
HKEY_CLASSES_ROOT\SQLDMO.BulkCopy2
HKEY_CLASSES_ROOT\SQLDMO.BulkCopy2.8.0
HKEY_CLASSES_ROOT\SQLDMO.Category
HKEY_CLASSES_ROOT\SQLDMO.Check
HKEY_CLASSES_ROOT\SQLDMO.Column
HKEY_CLASSES_ROOT\SQLDMO.Column2
HKEY_CLASSES_ROOT\SQLDMO.DatabaseRole
HKEY_CLASSES_ROOT\SQLDMO.DatabaseRole2
HKEY_CLASSES_ROOT\SQLDMO.DBFile
HKEY_CLASSES_ROOT\SQLDMO.Default
HKEY_CLASSES_ROOT\SQLDMO.Default2
HKEY_CLASSES_ROOT\SQLDMO.DistributionArticle
HKEY_CLASSES_ROOT\SQLDMO.DistributionArticle.8.0
HKEY_CLASSES_ROOT\SQLDMO.DistributionArticle2
HKEY_CLASSES_ROOT\SQLDMO.DistributionArticle2.8.0
HKEY_CLASSES_ROOT\SQLDMO.DistributionPublisher
HKEY_CLASSES_ROOT\SQLDMO.DistributionPublisher.8.0
HKEY_CLASSES_ROOT\SQLDMO.DistributionPublisher2
HKEY_CLASSES_ROOT\SQLDMO.DistributionPublisher2.8.0
HKEY_CLASSES_ROOT\SQLDMO.DistributionSubscription
HKEY_CLASSES_ROOT\SQLDMO.DistributionSubscription2
HKEY_CLASSES_ROOT\SQLDMO.FileGroup
HKEY_CLASSES_ROOT\SQLDMO.FileGroup2
HKEY_CLASSES_ROOT\SQLDMO.FullTextCatalog
HKEY_CLASSES_ROOT\SQLDMO.FullTextCatalog2
HKEY_CLASSES_ROOT\SQLDMO.Group
HKEY_CLASSES_ROOT\SQLDMO.Index
HKEY_CLASSES_ROOT\SQLDMO.Index.8.0
HKEY_CLASSES_ROOT\SQLDMO.Index2
HKEY_CLASSES_ROOT\SQLDMO.Index2.8.0
HKEY_CLASSES_ROOT\SQLDMO.Job
HKEY_CLASSES_ROOT\SQLDMO.Job.8.0
HKEY_CLASSES_ROOT\SQLDMO.JobSchedule
HKEY_CLASSES_ROOT\SQLDMO.JobSchedule.8.0
HKEY_CLASSES_ROOT\SQLDMO.JobStep
HKEY_CLASSES_ROOT\SQLDMO.JobStep.8.0
HKEY_CLASSES_ROOT\SQLDMO.LinkedServer
HKEY_CLASSES_ROOT\SQLDMO.LinkedServer.8.0
HKEY_CLASSES_ROOT\SQLDMO.LinkedServer2
HKEY_CLASSES_ROOT\SQLDMO.LinkedServer2.8.0
HKEY_CLASSES_ROOT\SQLDMO.LinkedServerLogin
HKEY_CLASSES_ROOT\SQLDMO.LinkedServerLogin.8.0
HKEY_CLASSES_ROOT\SQLDMO.LogFile
HKEY_CLASSES_ROOT\SQLDMO.LogFile2
HKEY_CLASSES_ROOT\SQLDMO.Login
HKEY_CLASSES_ROOT\SQLDMO.Login2
HKEY_CLASSES_ROOT\SQLDMO.Operator
HKEY_CLASSES_ROOT\SQLDMO.Operator.8.0
HKEY_CLASSES_ROOT\SQLDMO.RegisteredServer
HKEY_CLASSES_ROOT\SQLDMO.RegisteredSubscriber
HKEY_CLASSES_ROOT\SQLDMO.RemoteServer
HKEY_CLASSES_ROOT\SQLDMO.RemoteServer.8.0
HKEY_CLASSES_ROOT\SQLDMO.Replication
HKEY_CLASSES_ROOT\SQLDMO.Replication2
HKEY_CLASSES_ROOT\SQLDMO.ReplicationSecurity
HKEY_CLASSES_ROOT\SQLDMO.ReplicationSecurity.8.0
HKEY_CLASSES_ROOT\SQLDMO.Restore
HKEY_CLASSES_ROOT\SQLDMO.Restore2
HKEY_CLASSES_ROOT\SQLDMO.Rule
HKEY_CLASSES_ROOT\SQLDMO.Rule2
HKEY_CLASSES_ROOT\SQLDMO.ServerRole
HKEY_CLASSES_ROOT\SQLDMO.ServerRole.8.0
HKEY_CLASSES_ROOT\SQLDMO.TargetServer
HKEY_CLASSES_ROOT\SQLDMO.TargetServer.8.0
HKEY_CLASSES_ROOT\SQLDMO.TargetServerGroup
HKEY_CLASSES_ROOT\SQLDMO.TargetServerGroup.8.0
HKEY_CLASSES_ROOT\SQLDMO.Transfer
HKEY_CLASSES_ROOT\SQLDMO.Transfer.8.0
HKEY_CLASSES_ROOT\SQLDMO.Transfer2
HKEY_CLASSES_ROOT\SQLDMO.Transfer2.8.0
HKEY_CLASSES_ROOT\SQLDMO.TransPublication
HKEY_CLASSES_ROOT\SQLDMO.TransPublication.8.0
HKEY_CLASSES_ROOT\SQLDMO.TransPublication2
HKEY_CLASSES_ROOT\SQLDMO.TransPublication2.8.0
HKEY_CLASSES_ROOT\SQLDMO.Trigger
HKEY_CLASSES_ROOT\SQLDMO.Trigger2
HKEY_CLASSES_ROOT\SQLDMO.User
HKEY_CLASSES_ROOT\SQLDMO.User.8.0
HKEY_CLASSES_ROOT\SQLDMO.User2
HKEY_CLASSES_ROOT\SQLDMO.User2.8.0
HKEY_CLASSES_ROOT\SQLDMO.View
HKEY_CLASSES_ROOT\SQLDMO.View2

More junk. Safe to bleach.

Microsoft.Update.WebProxy HKCR\CLSID\{650503CF-9108-4DDC-A2CE-6C2341E1C582}
System.AccessViolationException HKCR\CLSID\{4C3EBFD5-FC72-33DC-BC37-9953EB25B8D7}
HKEY_CLASSES_ROOT\System.AccessViolationException {4C3EBFD5-FC72-33DC-BC37-9953EB25B8D7}
HKEY_CLASSES_ROOT\Sdtclb4ui.CLBDTDispenser {B890AF56-AC8C-11D1-8CB7-00C04FC3261D}
HKEY_CLASSES_ROOT\OISCTRL.OISClientLauncher {E543A17A-F212-49C0-B63D-BF09B460250E}

These CLSIDs are linked with Trojan-Spy.KeyLogger, which captures all user keystrokes and is designed with rootkit-specific techniques to crack into remote systems, stealing valuable information such as passwords and login information. Other Trojan-Spy.KeyLogger.sd5 CLSIDs can be found on Shit List 4.
EngUKWrdBrk Class HKCR\CLSID\{363F1015-FD5F-4ba8-AC58-29634F378A42}
EngUSWrdBrk Class HKCR\CLSID\{80A3E9B0-A246-11D3-BB8C-0090272FA362}
FrnFrnWrdBrk Class HKCR\CLSID\{F14E6B48-FBCA-4d32-BD79-7829D4F7E43B}
HKEY_CLASSES_ROOT\EngUKWrdBrk.EngUKWrdBrk {363F1015-FD5F-4ba8-AC58-29634F378A42}
HKEY_CLASSES_ROOT\EngUSWrdBrk.EngUSWrdBrk {80A3E9B0-A246-11D3-BB8C-0090272FA362}
HKEY_CLASSES_ROOT\FrnFrnWrdBrk.FrnFrnWrdBrk
HKLM\SOFTWARE\Classes\FrnFrnWrdBrk.FrnFrnWrdBrk

Watson subscriber for SENS Network Events HKCR\AppID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}
Interactive User HKCR\AppID\{995C996E-D918-4a8c-A302-45719A6F4EA7}
HKCR\AppID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}
HKCR\AppID\{D5978630-5B9F-11D1-8DD2-00AA004ABD5E}
HKCR\AppID\{D5978640-5B9F-11D1-8DD2-00AA004ABD5E}
HKCR\AppID\{D5978650-5B9F-11D1-8DD2-00AA004ABD5E}

___________________________________________________

ON HKCR\AppID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39} ... ONLY delete the RunAs string value "Interactive User". Leave the rest of the CLSID alone.

Same thing goes for HKCR\AppID\{A55803CC-4D53-404c-8557-FD63DBA95D24}: ONLY delete the RunAs string value "Interactive User".

___________________________________________________

Interactive User HKCR\AppID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
HKEY_CLASSES_ROOT\SENDCMSG.SendConsoleMessageApp.1 {B1AFF7D0-0C49-11D1-BB12-00C04FC9A3A3}
HKEY_CLASSES_ROOT\SENS Logon Events {D5978630-5B9F-11D1-8DD2-00AA004ABD5E}
HKEY_CLASSES_ROOT\SENS Logon2 Events {D5978650-5B9F-11D1-8DD2-00AA004ABD5E}
HKEY_CLASSES_ROOT\SENS Network Events {D5978620-5B9F-11D1-8DD2-00AA004ABD5E}
HKEY_CLASSES_ROOT\SENS OnNow Events {D5978640-5B9F-11D1-8DD2-00AA004ABD5E}

ONLY BLEACH THE LISTED CLSIDs!

The Parallel Problems Server (PPServer) provides interactive clients with access to powerful functionality, and gives users of parallel machines access to interactive environments where they can manipulate and visualize large data sets. The PPServer communicates with clients using a simple request-response protocol. A client requests that an action be performed by issuing a command with the appropriate arguments; the server executes that command and then notifies the client that the action is complete. With the PPServer, MIT has been able to build applications for information retrieval, machine learning, and scientific computing.

PPServer Trojan-Dropper.Agent Updated

HKEY_CLASSES_ROOT\ppDSApp.ppDSApp {2AFA62E2-5548-11D1-A6E1-006097C4E476}
HKEY_CLASSES_ROOT\ppDSClip.ppDSClip {31C48C31-70B0-11d1-A708-006097C4E476}
HKEY_CLASSES_ROOT\ppDSDetl.ppDSDetl {31C48C32-70B0-11d1-A708-006097C4E476}
HKEY_CLASSES_ROOT\ppDSFile.ppDSFile {1D1237A0-6CD6-11d2-96BA-00104B242E64}
HKEY_CLASSES_ROOT\ppDShowNet.ppDShowNet {5C85DCB0-F967-11D0-81ED-00C04FC99D4C}
HKEY_CLASSES_ROOT\ppDShowPlay.ppDShowPlay {C0CD59AE-020D-11d1-81F2-00C04FC99D4C}
HKEY_CLASSES_ROOT\ppDSMeta.ppDSMeta {BB314F91-A010-11d1-A75A-006097C4E476}
HKEY_CLASSES_ROOT\ppDSOAdv.ppDSOAdv {AE1A5813-5230-11D1-A6E0-006097C4E476}
HKEY_CLASSES_ROOT\ppDSPropAdv.ppDSPropAdv {8C4EB103-516F-11D1-A6DF-006097C4E476}
HKEY_CLASSES_ROOT\ppDSView.ppDSView {AE1A5812-5230-11D1-A6E0-006097C4E476}
HKEY_CLASSES_ROOT\PPServer.PPServerClass {23D1AE30-8023-11D3-8D47-00C04F949D33}
Network Provisioning Service allows automatic provisioning of information about networks on a client machine. Information is downloaded from network providers as XML configuration files. These files are validated against locally stored XML schemas. The Network Provisioning Service can be used to keep the information up to date by downloading new content from the network provider on a pre-determined schedule.

Network Provisioning Service Class HKCR\CLSID\{116391ee-e1e5-444e-9424-d53b641d3cea}
Network Provisioning via XML Class HKCR\CLSID\{2aa2b5fe-b846-4d07-810c-b21ee45320e3}
Network Provisioning Service HKCR\AppID\{39ce474e-59c1-4b84-9be2-2600c335b5c6}
Network Provisioning Service Client API Class HKCR\CLSID\{61d55f63-98f7-473c-97c7-a08e2f13c955}

Remote Desktop Updates
Otherwise known as MsTscAx, RDP and IMsRdp

HKCR\CLSID\{6AE29350-321B-42be-BBE5-12FB5270C0DE}
HKCR\CLSID\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}
HKCR\CLSID\{7584c670-2274-4efb-b00b-d6aaba6d3850}
HKCR\CLSID\{7cacbd7b-0d99-468f-ac33-22e495c0afe5}
HKCR\CLSID\{9059f30f-4eb1-4bd2-9fdc-36f43a218f4a}
HKCR\CLSID\{ace575fd-1fcf-4074-9401-ebab990fa9de}
HKCR\CLSID\{d2ea46a7-c2bf-426b-af24-e19c44456399}
IMsRdpClient3 HKCR\Interface\{91B7CBC5-A72E-4FA0-9300-D647D7E897FF}
IMsRdpClient HKCR\Interface\{92B4A539-7115-4B7C-A5A9-E5D9EFC2780A}
IMsRdpClientAdvancedSettings2 HKCR\Interface\{9AC42117-2B76-4320-AA44-0E616AB8437B}
IMsRdpClientShell HKCR\Interface\{D012AE6D-C19A-4BFE-B367-201F8911F134}
IMsRdpClient6 HKCR\Interface\{D43B7D80-8517-4B6D-9EAC-96AD6800D7F2}
IMsRdpClient2 HKCR\Interface\{E7E17DC4-3B71-4BA7-A8E6-281FFADCA28F}
IMsRdpClientAdvancedSettings5 HKCR\Interface\{FBA7F64E-6783-4405-DA45-FA4A763DABD0}
IMsRdpClientAdvancedSettings4 HKCR\Interface\{FBA7F64E-7345-4405-AE50-FA4A763DC0DE}

Microsoft RDP Client Control Updates

HKCR\CLSID\{3523c2fb-4031-44e4-9a3b-f1e94986ee7f}
HKCR\CLSID\{4eb2f086-c818-447e-b32c-c51ce2b30d31}
HKCR\CLSID\{ace575fd-1fcf-4074-9401-ebab990fa9de}

HKCR\SoftwareDistribution.MicrosoftUpdate {6e32070a-766d-4ee6-879c-dc1fa91d2fc3}
HKCR\SoftwareDistribution.MUClientUIPlugin {3809920F-B9D4-42DA-92E0-E26265E0FB89}
HKCR\SoftwareDistribution.WebControl {6414512B-B978-451D-A0D8-FCFDF33E833C}
HKCR\SoftwareDistribution.WUClientUIPlugin {AE097EE9-9AB5-4999-95F7-200F862661F9}

Steelhead Router Configuration Notify Object HKCR\CLSID\{6E65CBC5-926D-11D0-8E27-00C04FC99DCF}

HxDs.Hx Trojan

HKCR\Software\Microsoft\HTMLHelp\2.0\LocalReg\CLSID
HKCR\Software\Microsoft\HTMLHelp\2.0\LocalReg\HxDs.HxFilters {314111e2-a502-11d2-bbca-00c04f8ec294}
HKCR\Software\Microsoft\HTMLHelp\2.0\LocalReg\Hxds.HxPlugIn {314111db-a502-11d2-bbca-00c04f8ec294}
HKCR\Software\Microsoft\HTMLHelp\2.0\LocalReg\HxDs.HxRegister {314111bd-a502-11d2-bbca-00c04f8ec294}

Queued Component Default Spyware

QC Marshal Interceptor Class HKCR\CLSID\{ecabafcb-7f19-11d2-978e-0000f8757e2a}
QC Listener Class HKCR\CLSID\{ecabafc3-7f19-11d2-978e-0000f8757e2a}
Queued Components Player (QC.ListenerHelper) HKCR\CLSID\{ecabafc4-7f19-11d2-978e-0000f8757e2a}
QC.MessageMover HKCR\CLSID\{ecabb0bf-7f19-11d2-978e-0000f8757e2a}
Queued Components Recorder (QC.Recorder) HKCR\CLSID\{ecabafc2-7f19-11d2-978e-0000f8757e2a}
HKEY_CLASSES_ROOT\QC.DLQListener {ecabafca-7f19-11d2-978e-0000f8757e2a}
HKEY_CLASSES_ROOT\QC.Listener {ecabafc3-7f19-11d2-978e-0000f8757e2a}
HKEY_CLASSES_ROOT\QC.ListenerHelper {ecabafc4-7f19-11d2-978e-0000f8757e2a}
HKEY_CLASSES_ROOT\QC.MessageMover {ecabb0bf-7f19-11d2-978e-0000f8757e2a}
HKEY_CLASSES_ROOT\QC.Recorder {ecabafc2-7f19-11d2-978e-0000f8757e2a}

HKEY_CLASSES_ROOT\PeerDraw.PeerDraw {10072CEC-8CC1-11D1-986E-00A0C955B42E}
HKEY_CLASSES_ROOT\PeerFactory.PeerFactory {3050F4CF-98B5-11CF-BB82-00AA00BDCE0B}

For all those working on a personal computer, without emailing or sharing, who wish to fortify system security, this is for you:

HKCR\CLSID\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}
HKCR\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}
(These run C:\WINDOWS\system32\sendmail.dll)
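Added example, not part of the submission above and not from any tool it links to: the permission-set step the list repeats (open the key's permissions, remove the "Everyone" and "Anonymous Logon" entries, Apply, OK) scripted in PowerShell, with a .reg export taken first so the change can be undone, plus the snapshot-and-compare step the reply mentions, done on each key's SDDL string. The key list, the backup folder and the identity names are example choices, not a verified list; it assumes an elevated Windows PowerShell 5.1 prompt, and Set-Acl will fail with "access denied" on keys owned by TrustedInstaller unless ownership is taken first.

```powershell
# Added example (not from the original submission). Back up a registry key,
# strip the ACEs for chosen identities from its ACL, and snapshot/compare
# SDDL strings so later runs show which ACLs changed.
# Assumptions: elevated Windows PowerShell 5.1; the key list, backup folder
# and identity names below are example values chosen here.

$KeysToWatch = @(
    'HKEY_CLASSES_ROOT\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}'   # FlashBroker key named in the list
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc'
)
$IdentitiesToDrop = @('Everyone', 'ANONYMOUS LOGON')   # compared to the name after any "NT AUTHORITY\" prefix
$BackupDir = Join-Path $env:USERPROFILE 'regbackup'

function Backup-RegKey {
    # reg.exe export writes the key, its values and subkeys; "reg import <file>" restores it.
    param([Parameter(Mandatory)][string]$Key)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $file  = Join-Path $BackupDir (($Key -replace '[\\{}: ]', '_') + "_$stamp.reg")
    & reg.exe export $Key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $Key" }
    return $file
}

function Get-RegAclSnapshot {
    # Map each key to its SDDL string; SDDL is compact and easy to diff.
    param([string[]]$Keys)
    $snap = @{}
    foreach ($k in $Keys) {
        $acl = Get-Acl -Path "Registry::$k" -ErrorAction SilentlyContinue
        $snap[$k] = if ($acl) { $acl.Sddl } else { '<missing or access denied>' }
    }
    return $snap
}

function Compare-RegAclSnapshot {
    # One object per key whose SDDL differs between two snapshots.
    param([hashtable]$Before, [hashtable]$After)
    foreach ($k in $Before.Keys) {
        if ($Before[$k] -ne $After[$k]) {
            [pscustomobject]@{ Key = $k; Before = $Before[$k]; After = $After[$k] }
        }
    }
}

function Remove-RegAce {
    # Remove every ACE on $Key whose identity matches one of $Identities.
    # Returns the number of ACEs removed (or that -DryRun would remove).
    param([Parameter(Mandatory)][string]$Key, [string[]]$Identities, [switch]$DryRun)
    $path = "Registry::$Key"
    $acl  = Get-Acl -Path $path
    $targets = @($acl.Access | Where-Object {
        $Identities -contains ($_.IdentityReference.Value -split '\\')[-1]   # -contains is case-insensitive
    })
    if ($targets.Count -eq 0) { return 0 }
    if ($DryRun) {
        $targets | ForEach-Object { "DryRun: would remove $($_.AccessControlType) $($_.RegistryRights) for $($_.IdentityReference) on $Key" }
        return $targets.Count
    }
    if ($targets | Where-Object IsInherited) {
        # Inherited ACEs cannot be removed one at a time. Stop inheritance while
        # keeping copies of the inherited entries as explicit ones, then remove those.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $path -AclObject $acl
        $acl     = Get-Acl -Path $path
        $targets = @($acl.Access | Where-Object {
            $Identities -contains ($_.IdentityReference.Value -split '\\')[-1]
        })
    }
    foreach ($ace in $targets) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $path -AclObject $acl   # access denied on TrustedInstaller-owned keys unless you take ownership first
    return $targets.Count
}

# Snapshot, back up, edit, snapshot again, report what changed, keep the snapshot.
$before = Get-RegAclSnapshot -Keys $KeysToWatch
foreach ($k in $KeysToWatch) {
    $bak = Backup-RegKey -Key $k
    $n   = Remove-RegAce -Key $k -Identities $IdentitiesToDrop
    "$k : removed $n ACE(s); backup at $bak"
}
$after = Get-RegAclSnapshot -Keys $KeysToWatch
Compare-RegAclSnapshot -Before $before -After $after | Format-List
$after | ConvertTo-Json | Set-Content -Path (Join-Path $BackupDir 'acl-snapshot.json')
```

Call Remove-RegAce with -DryRun first to see which entries would go; the identity match is on the account name after the backslash, so "NT AUTHORITY\ANONYMOUS LOGON" matches 'ANONYMOUS LOGON'. Each run's .reg file is the undo: `reg import <file>` puts values and subkeys back, but not the ACL, so keep the acl-snapshot.json from before the edit if you may need to reconstruct permissions by hand.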