Contributed by: Vino Rosso
Learn About the Lists

Overview of the SystemLookup Lists

The lists at SystemLookup have been compiled to provide both computer users and helpers with useful information on the different files and entries that can be found in key locations on a computer and in the Windows registry.

For some time, HijackThis was the preferred tool used by helpers to interrogate a computer system to get an understanding of what files or programs were being run and how they were being launched. The log produced by HijackThis displayed entries by various categories - R3, O4, and O23 are three examples. Though HijackThis is not used as widely now, newer tools and helpers still refer to these categories... and so does SystemLookup.

Many tools have known good entries in a 'whitelist', meaning those good entries will not be shown in the tool's output log. So, just because you can't see a good entry, it doesn't mean it's not there.

The lists at SystemLookup are:

  • CLSID (O2, O3, R3) - BHOs, Toolbars, URLSearchHooks, Explorer Bars
  • Startup (O4) - Startup / Autorun Entries
  • O9 - Internet Explorer Buttons
  • O10 - Layered Service Providers (LSPs)
  • O16 - DPF ActiveX Installs
  • O18 - Extra Protocols
  • O20 - AppInit_DLLs & Winlogon Notify
  • O22 - Shared Task Scheduler
  • Drivers - Windows System Drivers

Where possible, each entry in the lists will include:
  • An entry name
  • A file name
  • A description
  • A file location
  • An indication (good, bad, or unknown) of whether the entry can be trusted
  • A reference or link to further information

Where does the information in the SystemLookup lists come from?

Trained helpers across the malware removal community use the SystemLookup lists as part of their research when deciding on a course of action to clean or speed up a computer. When an entry being researched is not found in the lists, it is reported to the team of experienced people who maintain the lists. That team investigates, collects evidence, and decides on the entry's status before adding it to the lists.

How should the information in the SystemLookup lists be used?

Any entry should be looked at from all possible angles. If the CLSID and file name are available, look up both items in the lists and compare the results.

The lists should be used in conjunction with other sources such as the major search engines to confirm findings.

List Descriptions

The descriptions and information about the SystemLookup lists below are provided to help enhance understanding of each list's content. Computer users are advised NOT to remove files from their computer or make changes to the Windows registry without seeking expert advice first.

CLSID (O2, O3, R3) - BHOs, Toolbars, URLSearchHooks, Explorer Bars

Browser Helper Objects - Browser plug-ins which are designed to enhance the browser's functionality.
Entries can be found in the registry at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Toolbars - Additional toolbars that appear in a browser, often below the address bar.
Entries can be found in the registry at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar

URLSearchHooks - Used when an address without a protocol such as http:// has been entered in the browser's address bar.
Entries can be found in the registry at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks

Explorer Bars - Internet Explorer sidebars located adjacent to the browser pane.
Entries can be found in the registry at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars

Startup (O4) - Startup / Autorun Entries

Entries in this list will start up with Windows either on a global or an individual user basis. They can be launched from one of the Startup folders or from one of the various keys in the registry.

The startup folders can be found at:
  • Windows 98 and Millennium:
    • Global:
      %WinDir%\Start Menu\Programs
    • Individual:
      %WinDir%\All Users\Start Menu\Programs
  • Windows XP and 2000
    • Global:
      %AllUsersProfile%\Start Menu\Programs
    • Individual:
      %UserProfile%\Start Menu\Programs
  • Vista/Windows 7
    • Global:
      %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
    • Individual:
      %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
The registry keys are:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices  (only Windows 98 and ME)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce  (only Windows 98 and ME)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices  (only Windows 98 and ME)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce  (only Windows 98 and ME)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
In addition to these 'classic' startup items, the SystemLookup Startup list also includes items (frequently malware related) launched from the following keys:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
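The following PowerShell script is an added example and is not SystemLookup's own code. It walks the Run-type keys listed above that exist on current Windows versions, plus the Vista/Windows 7 Startup folders, and reports each launch command with its resolved executable and Authenticode signature status; RunOnceEx and the Windows NT\CurrentVersion\Windows key are shaped differently (subkeys, and Load/Run values) and are left out here.

```powershell
# Added example (not SystemLookup's code): list O4 startup entries read-only.
# Nothing is removed; the output is a starting point for looking entries up
# in the Startup list. Missing files and unsigned binaries sort to the top.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$startupFolders = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Pull the executable out of a command line such as  "C:\dir\my app.exe" /tray
function Get-ExecutableFromCommand([string]$Command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }           # quoted path
    elseif ($cmd -match '^(.+?\.exe)(\s|$)') { $exe = $Matches[1] } # unquoted, may contain spaces
    else { $exe = ($cmd -split ' ')[0] }
    # Bare names such as rundll32.exe resolve through PATH, as the loader does.
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { $exe = $found.Source }
    }
    return $exe
}

function Get-LaunchInfo([string]$Source, [string]$Name, [string]$Command) {
    $exe = Get-ExecutableFromCommand $Command
    $exists = Test-Path -LiteralPath $exe
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Exists = $exists; Signature = $sig }
}

$results = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            Get-LaunchInfo $key $p.Name ([string]$p.Value)
        }
    }
    foreach ($folder in $startupFolders) {
        if (Test-Path $folder) { Get-ChildItem -Path $folder -File | ForEach-Object { Get-LaunchInfo $folder $_.Name $_.FullName } }
    }
)
$results | Sort-Object Exists, Signature | Format-Table -AutoSize
```

Shortcuts in the Startup folders are reported as the .lnk file itself, so their signature column will not read Valid; resolve the shortcut target before judging them.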

O9 - Internet Explorer Buttons

These entries relate to buttons on the IE toolbar or items in the Tools menu.

Entries can be found in the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CLSID}

O10 - Layered Service Providers (LSPs)

A Layered Service Provider can intercept and modify inbound and outbound Internet traffic. A security program can use this functionality to protect the computer while online. Malware can use this to redirect traffic.

Great care must be taken when dealing with O10 entries, as improper action could break the TCP/IP stack and leave the computer without network/Internet access.

Entries are found as data values in keys in the registry under:

Further information: Layered Service Provider

O16 - DPF ActiveX Installs

ActiveX controls are small programs, sometimes called "add-ons", that can enhance the browsing experience by allowing animation, or help with tasks such as installing security updates at Microsoft Update.

ActiveX entries can be found as keys in the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CLSID}

The CLSID will refer to a file stored in:
%windir%\Downloaded Program Files

Further information: What is an ActiveX control?

O18 - Extra Protocols

Protocol entries are values of the keys that are found in the registry at:

These entries usually point to the CLSID in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID} where the file information is held in the InprocServer32 key and can be used to change how a computer sends and receives information.

Further information: About Asynchronous Pluggable Protocols

O20 - AppInit_DLLs & Winlogon Notify

AppInit_DLLs entries can be found as values of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key in the registry. These entries are loaded whenever the file user32.dll is loaded. Most Windows executables use user32.dll, which means any entry in the AppInit_DLLs value will be loaded into them as well. This makes the entry very difficult to remove, as it will be loaded by multiple processes, some of which cannot be stopped without causing system instability.

Further information: Working with the AppInit_DLLs registry value

Winlogon Notify entries can be found as subkeys of
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This is a well-known registry key that is added to in order to communicate with Winlogon.exe and let it know which procedures to run during an event notification; a DLL referenced here will be executed in a SYSTEM-level process, regardless of whether a user logs in.

Further information: Notify registry key

O21 - ShellServiceObjectDelayLoad

These entries will be loaded when the computer starts. This happens because ShellServiceObjectDelayLoad entries are loaded by the computer's "shell" program, explorer.exe.

ShellServiceObjectDelayLoad entries are found in the Windows registry at:

These entries usually point to the CLSID in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID} where the file information is held in the InprocServer32 key.

O22 - Shared Task Scheduler

Shared Task Scheduler entries are found in the Windows registry at:

These entries usually point to the CLSID in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID} where the file information is held in the InprocServer32 key and the entries will be loaded when the computer starts.

O23 - Services

Services are programs that start with Windows, no matter whether the user logs on. They can be set to start automatically, to start manually when required, or to not start at all (disabled). Services tend to provide system-wide facilities such as Event logging, Indexing, and the Task Scheduler.

Services are found in the Windows registry at:

However, they are better managed via: Start > Run > Services.msc

Further information on Services can be found at: Black Viper's Web Site

SEH - ShellExecuteHooks

ShellExecuteHooks entries are found in the Windows registry at:

These entries usually point to the CLSID in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID} where the file information is held in the InprocServer32 key and the entries will be loaded when the computer starts.
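The O2 BHO list and the O18, O21, O22 and SEH lists all share the pattern described above: a CLSID recorded in the list key is looked up under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID}, and the InprocServer32 key names the DLL that is loaded. The following PowerShell function is an added example, not SystemLookup's code; it defaults to the Browser Helper Objects key named in the O2 section and accepts any list key whose CLSIDs appear as subkey names, value names or value data.

```powershell
# Added example (not SystemLookup's code): resolve the CLSIDs held in a list
# key to the DLL each one loads, via HKLM\SOFTWARE\Classes\CLSID\{CLSID}\InprocServer32.
# Read-only; a CLSID with no registered server is reported with Dll = $null.
function Resolve-ClsidList {
    param(
        # The O2 Browser Helper Objects key from the text is the default list key.
        [string]$ListKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    if (-not (Test-Path $ListKey)) { return }
    $guid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    # Gather candidate CLSIDs from subkey names, value names and string data alike,
    # since the different lists store them in different places.
    $clsids = @(
        (Get-ChildItem -Path $ListKey).PSChildName
        (Get-ItemProperty -Path $ListKey).PSObject.Properties | ForEach-Object { $_.Name; [string]$_.Value }
    ) | Where-Object { $_ -match $guid } | Sort-Object -Unique

    foreach ($clsid in $clsids) {
        $dll = $null
        # 64-bit Windows keeps 32-bit servers under WOW6432Node; check both hives.
        foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID') {
            $server = "$hive\$clsid\InprocServer32"
            if (-not (Test-Path $server)) { continue }
            $raw = (Get-ItemProperty -Path $server).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')); break }
        }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        # 'Valid' only when the file carries an intact Authenticode signature.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        [pscustomobject]@{
            ListKey   = $ListKey
            Clsid     = $clsid
            Dll       = $dll
            Exists    = $exists
            Signature = $sig
        }
    }
}

Resolve-ClsidList | Format-Table -AutoSize
```

Pass a different key with -ListKey (for example the Toolbar key from the O3 section) to run the same resolution over another list; the CLSID and file name it prints are the two items the text recommends looking up together.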

Further information: IShellExecuteHook Interface

Drivers - Windows System Drivers

Basically, a driver is a piece of code that an operating system often uses to control items such as disk devices, display adapters, input devices, modems, fax machines, printers and other hardware.

The loaded drivers on a computer can be seen by clicking Start > Run > MSINFO32.EXE. Expand Software Environment and you can see the System Drivers and Signed Drivers.

Windows drivers can run in either user mode or kernel mode:
  • User-mode drivers run in the nonprivileged processor mode in which other application code, including protected subsystem code, executes. User-mode drivers cannot gain access to system data except by calling the Win32 API which, in turn, calls system services.
  • Kernel-mode drivers run as part of the operating system's executive, the underlying operating system component that supports one or more protected subsystems.
Further information: Introduction to Windows Drivers | What Determines When a Driver Is Loaded

Powered by SystemLookup Engine. © 2008-2012 BrightFort. All Rights Reserved.