CLSID List Results
BHOs, Toolbars, SHs, Explorer Bars
BHOs, Toolbars, SHs, Explorer Bars
| CLSID | Name | Filename | Description | Status |
| {2018eb71-06b5-4438-abf4-e40df31e0be5} | CouponFollow.BHO | mscoree.dll (Windows system file!) [codebase: Program Files\CouponFollow, LLC\Coupons at Checkout\CouponFollowAddon.dll] | Coupons at Checkout - "The Automatic Coupon Savings Tool" | L BHO |
| {44ed99e2-16a6-4b89-80d6-5b21cf42e78b} | FriendsChecker, UnfriendApp, ExFriendAlert, Websteroids, BetterExperience, RecordChecker, SearchDonkey, InfoSeeker, Spy Alert, Safe Monitor, SecureWeb, TVGenie, TubeDimmer, Search Deals | common.dll | Foistware bundled with various third party software or as part of an adware bundle - detected by DrWeb as "Adware.Plugin.16" and by Nod32 as "Win32/ExFriendAlert.A" - also see hereand here | X BHO |
| {B3A05538-8F91-49C1-8EE3-6EB142B41E2A} | HelloWorldBHO, Microsoft Help | Microsoft.System.Help.dll, Microsoft.System.Help.Object.dll, Microsoft.System.Help.Library.dll | Keyword hijacker redirecting to find.fm and bestsamara.org, detected by Kaspersky antivirus as Trojan.Win32.BHO.es | X BHO |
| {6CB6FA9C-7125-401F-932B-ECF26BF0BF16} | (no name) | shared.dll | Parasite of Korean origin hailing from tabside.com and detected as Win-Adware/BHO.TabSide.198656.B | X BHO |
| {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} | Browser Helper Object, Shared Library | helper.dll, _helper.dll, lib.dll, _lib.dll, shared.dll, _shared.dll | DeepDive adware - also see here and here. Detected by Symantec as Trojan.Komplexad | X BHO |
Startup List Results
Startup Entry
Startup Entry
| Name | Filename | Description | Status |
| removeiLividdatamngr | cmd.exe /c RD /S /Q "C:\Program Files (x86)\Search Results Toolbar" | Added by the Searchqu Toolbar iLivid datamngr AdWare - PUP (Potentially Unwanted Program) | X |
| Microsoft IT Update | random files names | Added by a variant of the Win32.Rbot WORM! | X |
| System Files Updater | System Files Updater.exe | Related to System_Files_Updater from Flyakiteosx. It will transform the look of an ordinary Windows XP system to resemble the look of Mac OS X. Note: located in \%WINDIR%\FlyakiteOSX\ | U |
| Avira System Speedup User Starter | Avira.SystemSpeedup.Core.Common.Sta rter.exe | Related to Avira Avira System Speedup. Note: Located in \%Program Files%\Avira\System Speedup\ | U |
| BeSys | [path to the adware program] | Added by BeSys ADWARE! | X |
O18 List Results
Extra Protocols
Extra Protocols
| CLSID | Name | Filename | Description | Status |
| {CD00020A-8B95-11D1-82DB-00C04FB1625D} | cdo | %ProgramFiles%\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL | Microsoft SharePoint Portal Server Object Model Note: Item taken from whitelist of HijackThis | L Protocol |
| {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} | http\oledb, https\oledb, msdaipp\oledb | %ProgramFiles%\Common Files\SYSTEM\OLE DB\msdaipp.dll | Microsoft Data Access Component Internet Publishing Provider Note: item whitelisted by HijackThis | L Protocol |
| {4D25FB7A-8902-4291-960E-9ADA051CFBBF} | tbr | %Program Files%\Crawler\ctbr.dll | Adware-CTBar | O Protocol |
| {99FEA1B2-7881-11D1-A9E2-00403320FCF2} | text/html | %Program Files%\Desktop Armor\GeekSuperheroX.dll | Desktop_Armor | L Filter |
| {994D478A-45D0-4DB4-AE27-738B1E346E99} | text/html | Program Files\Batty\Batty.dll | Adware.Batty | X Filter |
O20 List Results
AppInit_DLLs & Winlogon Notify
AppInit_DLLs & Winlogon Notify
| Name | Filename | Description | Status |
| AwayNotify | %Program Files%\Lenovo\AwayTask\AwayNotify.d ll | Lenovo/IBMTools | L Winlogon Notify |
| LBTWlgn | %common files%\logitech\bluetooth\LBTWlgn.d ll | Logitech_Bluetooth | L Winlogon Notify |
O21 List Results
ShellServiceObjectDelayLoad
ShellServiceObjectDelayLoad
| CLSID | Name | Filename | Description | Status |
| {009541A0-3B00-1F1C-00F3-040224009C02} | WinCTL | Program Files\Common Files\winctl.dll | Troj/Small-EJG | X |
| {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} | msnmsg | Program Files\Messenger\msgmr.dll | Trojan-Downloader.Win32.Agent.yuv | X |
| {********-****-****-****-************} | LiveUpdate | c:\program files\symantec\(liveupdate\)[random].dll | Unidentified malware | X |
| {97421D0D-E07F-40DF-8F07-99597B9585AD} | ThunderAdvise | %WINDIR%\Downloaded Program Files\ThunderAdvise.dll | Online Games Trojan variant | X |
| {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} | OLE Automation Module | %SYSDIR%\child.dll, %AppData%\Microsoft\child.dll | Trojan-Dropper.Win32.Small.fe | X |
O22 List Results
Shared Task Scheduler
Shared Task Scheduler
| CLSID | Name | Filename | Description | Status |
| {********-****-****-****-************} | SysNet | %Documents and Settings\All Users%\Microsoft AData\sysnet.dll | Malware/Fake-AV | X |
O23 List Results
Windows Services
Windows Services
| Name | Filename | Description | Status |
| CIJSRegister | R2 CIJSRegister; C:\Program Files (x86)\Canon\IJ Scan Utility\SETEVENT.exe | Related to CANON INC. CANON IJ SCAN UTILITY SETEVENT. Note: Located in \%Program Files%\Canon\IJ Scan Utility\ | L |
| Microsoft Loading Service | files.exe | Added by a variant of the IRCBOT Note: Located in \%WINDIR%\ Note: Use SDFix under supervision. | X |
| OESH (Office Source Engine Help) | Program.exe | Added by an unidentified TROJAN! of the Sdbot family. Note: This worm\trojan is located in C: folder. | X |
| sdktemp | Microsoft.exe | Added by the SDBOT.CGM WORM! Note: Read the link, rootkit type stealth involved. | X |
| Microsoft Webserver (Microsoft Webserver) | Microsoft Webserver.exe | Added by the Troj/Hupigon-FU TROJAN! Note: This trojan file is found in the Windows or Winnt folder. | X |
O16 List Results
ActiveX
ActiveX
| CLSID | Name | Filename | Description | Status |
| {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} | (no name) | Spyspotter, http://www.spywarewarrior.com/rogue_anti-spyware.htm a rogue program | Spyspotter a rogue program | X |
SEH List Results
ShellExecuteHook
ShellExecuteHook
| CLSID | Name | Filename | Description | Status |
| {DC5DE819-5430-4E1A-85AB-3A797BA3BBBC} | (no name) | %Program Files%\Common Files\Microsoft Shared\MSINFO\atmPP2.dll | Password stealer trojan of Chinese origin, detected by Kaspersky as Trojan.Win32.Delf.tbw - also see here | X |
| {DC7035B1-E435-4A65-9546-059796785F52} | (no name) | %Program Files%\Common Files\Microsoft Shared\MSINFO\SysWFGCQSJ2.dll | Password stealer trojan of Chinese origin, detected as Win32.Troj.Lmir.be.22183 | X |
| {08315C1A-9BA9-4B7C-A432-26885F9QQDSQ} | (no name) | %Program Files% \Common Files\Microsoft Shared\MSINFO\qqdsq2.lmz | TR/PSW.QQPass.KB.6 | X |
| {B48F6409-4740-475B-A474-651F54CCE460} | (no name) | %PROGRAM FILES%\Common Files\Microsoft Shared\MSSearch\Bin\MsInfo.Dll | Infostealer trojan, detected as TR/Copiet.B.1 - also see here | X |
| {3FDEB171-8F86-4669-B664-69B8DB553683} | (no name) | %Program Files%\Common Files\Microsoft Shared\MSInfo\MsDos.DLL | Password stealer trojan, detected as Troj/Lineage-NS | X |
Drivers List Results
Driver Entry
Driver Entry
| Name | Filename | Description | Status |
| FedExLoggingService | FedEx.Gsm.Common.LoggingService.exe | Related to FedEx.Gsm.Common.LoggingService.exe FedEx.Gsm.LoggingService from FedEx Corporation | L |
| vstor2-mntapi10-shared | vstor2-mntapi10-shared.sys | Related to vstor2-mntapi10-shared.sys Virtual Storage Volume Driver from VMware, Inc. | L |
| vstor2-mntapi20-shared | vstor2-mntapi20-shared.sys | Related to the vstor2-mntapi20-shared.sys VMware vCenter Converter Standalone from VMware, Inc. | L |
| MDXAnalyticsService | Microsoft.MDX.AnalyticsService.exe | Related to the Microsoft.MDX.AnalyticsService.exe Microsoft Digital Experience from Microsoft Corp. | L |
| POSPerformanceCounters | Microsoft.PointOfService.Service.ex e | Related to Microsoft.PointOfService.Service.exe Windows Embedded for Point of Service from Microsoft Corporation | L |
FF Extensions List Results
Firefox Extension
Firefox Extension
| CLSID | Name | Filename | Description | Status |
| {943b8007-a895-44af-a672-4f4ea548c95f} | Markdown Viewer Webext | {943b8007-a895-44af-a672-4f4ea548c95f}.xpi | Added by the arkdown Viewer Webext Displays markdown documents beautified in your browser. | L |
| MicrosoftRewards@microsoft.com | Get on board with Microsoft Rewards Earning rewards is easy, simple, and fun. | MicrosoftRewards@microsoft.com.xpi | Added by the Microsoft Rewards Get on board with Microsoft Rewards | L |
| pad.firefox@microsoft.com | Microsoft Power Automate | pad.firefox@microsoft.com.xpi | Related to Microsoft Power Automate Add-on for enabling browser automation actions. | L |
| firefoxbingsearch.full@microsoft.com | Bing Search for Firefox | firefoxbingsearch.full@microsoft.co m.xpi | Bing Search for Firefox lets you use Bing for location bar searches. Note: Newer version not from Mozilla Add-ons uses the following ID: bingsearch.full@microsoft.com. | L |
| firefoxmsn.full@microsoft.com | MSN for Firefox | firefoxmsn.full@microsoft.com.xpi | MSN for Firefox lets you use MSN for location bar searches. Note: Discontinued and no longer supported. Replaced with Bing Search. | L |
Active Setup List Results
Active Setup - Installed Component
Active Setup - Installed Component
| CLSID | Name | Filename | Description | Status |
| {306D6C21-C1B6-4629-986C-E59E1875B8AF} | (no name) | rundll32.exe" "C:\Program Files\Messenger\msgsc.dll | Windows Messenger | L |
| {969B3B70-8765-11D5-9809-0050BACBF861} | (no name) | rundll32.exe advpack.dll,LaunchINFSection c:\program files\CyberLink\MP3PowerEncoder\Cyb er.inf | Cyberlink Power Pack DVD Player and MP3 Ripping software | L |
| {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} | (no name) | (command:) rundll32.exe c:\windows\system32\advpack.dll,lau nchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall .ResetTour,,12 | Microsoft Internet Explorer | L |
| {VJHRR7RR-4N8H-J6LT-3IC6-63JMRP8I64J5} | (no name) | files.exe | Infostealer trojan, dropper detected by Ikraus antivirus as Trojan-Downloader.Win32.Homa | X |
| {f92B23AB-A707-22d2-9CBD-0000F87A469H} | (no name) | MAAASSS.exe, 360.exe, grrb.exe, Microsoftof.exe, common.exe, DOCU.exe, other filenames | Infostealer trojan of Chinese origin, detected by Kaspersky antivirus as Trojan.Win32.Qhost.rjr - also see here | X |