CLSID List Results
BHOs, Toolbars, SHs, Explorer Bars
BHOs, Toolbars, SHs, Explorer Bars
| CLSID | Name | Filename | Description | Status |
| {7FFBBA7A-4237-40A2-9FF0-E600A34AA000} | Microsoft.SupportCenter 0 | Windows-LEIC.SCenter, Windows-****.SCenter | Keylogger, detected by Kaspersky antivirus as Trojan-Downloader.Win32.BHO.dw and by AntiVir as TR/Spy.Agen.35328.B | X BHO |
| {0B56B5C3-3D91-4E1D-A234-EB1068624EDA} | Microsoft.WirelessNetworks 0 | Windows-BETE.wirellesn, Windows-****.wirellesn | Keylogger, detected by Kaspersky antivirus as Trojan-Downloader.Win32.BHO.dw and by AntiVir as TR/Spy.Agen.35328.B | X BHO |
| {36DBC179-A19F-48F2-B16A-6A3E19B42A87} | (no name) | systeminfo.dll, rundll32.dll, esentutl.dll, tskill.dll, odbcad32.dll, winver.dll, rasdial.dll, setup.dll, spoolsv.dll, finger.dll, charmap.dll, runonce.dll, scardsvr.dll, winspool.dll, any filename taken at random from the System or System32 folder | Password stealer trojan, detected by Symantec as Infostealer.Bzup.B | X BHO |
| {I1OP5NK3-GKJ1-JP60-6R7Y-Y2Y80P2UWBA3} | (no name) | windows player.exe | Infostealer trojan, see here | X BHO |
| {051276BF-A27E-4C90-8950-E1C6B1141047} | windows sidebar | windows-sidebar.dll, WINDOW~1.DLL | Parasite of Korean origin hailing from winsidebar.net and detected as Win32.Spyware.windowssidebar | X BHO |
Startup List Results
Startup Entry
Startup Entry
| Name | Filename | Description | Status |
| hack1x2 | C:\WINDOWS\system32:hlpnod32.exe | A variant of the Backdoor.Bifrose Note: Located in \%WINDIR%\system32:hlpnod32.exe Note: Please note that this infection is an Alternate Data Stream file attached to the legitimate C:\Windows\System32 folder. Do not delete the C:\Windows\System32 folder as Windows will not operate correctly without it. To delete the Alternate Data Stream you should read this tutorial. Note: Use SDFix under supervision. | X |
| CTFMON | wscript.exe /E:vbs C:\WINDOWS\system32\winjpg.jpg | Added by the W32/Autorun-ALB ADWARE! Note: Located in \%WINDIR%\%System%\ Note: Spreads via removable media. | X |
| WinShowUpdate | copy C:\WINDOWS\winshow.new C:\WINDOWS\winshow.dll | Winshow parasiate related - from the "RunOnce" keys it replaces "winshow.dll" with a new version | X |
| System32 | System32.exe | Added by the MARI, SYSXXX and other VIRUSES! | X |
| DriverPath | system32.exe | Added by the Troj/Prorat-S TROJAN! Note: This trojan file is found in the Windows or Winnt folder. | X |
O20 List Results
AppInit_DLLs & Winlogon Notify
AppInit_DLLs & Winlogon Notify
| Name | Filename | Description | Status |
| st3 | C:\WINDOWS\system32\st3.dll | TrojanDownloader.Delf.NBH | X Winlogon Notify |
| sunotify | WINDOWS\SYSTEM32\sunotify.dll | ShadowUser_Pro - Create a virtual copy of your system for private and safe Web surfing. | L Winlogon Notify |
| (no name) | Windows\System32\vsmvhk.dll folder in (XP) | ShadowUser_Pro - Create a virtual copy of your system for private and safe Web surfing. | L AppInit_DLLs |
| welcome | [random].dll ins System32 directory | Spyware.Look2Me | X Winlogon Notify |
| winnt32 | %SYSDIR%\SYSTEM32\WinNt32.dll | W32/Mutant.XE!tr.dldr | X Winlogon Notify |
O21 List Results
ShellServiceObjectDelayLoad
ShellServiceObjectDelayLoad
| CLSID | Name | Filename | Description | Status |
| {1DBD6574-D6D0-4782-94C3-69619E719765} | (no name) | %WINDOWS%\help\B41346EFA848.dll | Troj/Lineag-FC | X |
| {BCBCD383-3E06-11D3-91A9-00C04F68105C} | AUHook | C:\WINDOWS\SYSTEM\AUHOOK.DLL | Windows ME Microsoft AutoUpdate | L |
| {********-****-****-****-************} | System | %SYSDIR%\system32.dll | CWS variant (Greatsearch) | X |
| {7849596a-48ea-486e-8937-a2a3009f31a9} | PostBootReminder | %SystemRoot%\system32\SHELL32.dll | Microsoft Windows | L |
| {fbeb8a05-beee-4442-804e-409d6c4515e9} | CDBurn | %SystemRoot%\system32\SHELL32.dll | Microsoft Windows | L |
O22 List Results
Shared Task Scheduler
Shared Task Scheduler
| CLSID | Name | Filename | Description | Status |
| {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} | (no name) | c:\windows\system32\mtwirl32.dll | CWSChronicles | X |
O23 List Results
Windows Services
Windows Services
| Name | Filename | Description | Status |
| Service name: Messenger | system32.exe | See Symantec Trojan.Esteems.B Location: C\Windows\system\system32.exe (9X\ME) or C\Windows or Winnt\system32\system32.exe (NT\2000\XP) | X |
| system32 (system32) | system32.exe | Added by the Troj/GrayBird-U TROJAN! Note: This trojan file is found in the Windows or Winnt folder. Note: Also see Troj/Graybird-G | X |
| WindowsFirewall | system32.exe | Added by a variant of the IRCBOT Note: Located in \%WINDIR%\ Note: Use SDFix under supervision. | X |
| MS Internet Countermeasures Framework (ICF) | \System32:svchost.exe | Added by an unidentified TROJAN! of the Sdbot family. Note Note: DO NOT delete the svchost.exe file. | X |
| Microsoft cache control (MSControlService) | windows | Detected by NOD32 as Win32/Adware.SecToolbar application Note: Located in %windir%\System32 | X |
O16 List Results
ActiveX
ActiveX
| CLSID | Name | Filename | Description | Status |
| {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} | DPF | jinstall-*_*_*_**-windows-i586.cab | Could be related to an old version of Sun Microsystems Java Software. For your Security you are urged to check and update your version if required. Verify Java Version | ? |
| {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} | DPF | jinstall-14-windows-i586.cab | Related to an old version of Sun Microsystems Java Software. For your Security you are urged to update your version. http://www.java.com/en/download/installed.jsp | ? |
| {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} | Java Plug-in 1.5.0_06 | jinstall-windows-i586.cab | Related to an old version of Sun Microsystems Java Software. For your Security you are urged to update your version. Sun Java update site | ? |
| {CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} | Java Plug-in 1.6.0 | jinstall-6u**-windows-i586.cab | Could be related to an old version of Sun Microsystems Java Software. For your Security you are urged to check and update your version if required. Verify Java Version | ? |
| {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} | Java Plug-in 1.4.2_13 | jinstall-142-windows-i586.cab | Related to an old version of Sun Microsystems Java Software. For your Security you are urged to update your version. Sun Java update site | ? |
SEH List Results
ShellExecuteHook
ShellExecuteHook
| CLSID | Name | Filename | Description | Status |
| {E60A0B68-AF3A-C1D2-CD09-5A81A136D2BA} | (no name) | %WINDIR%\SYSTEM32\sonj32drv.dll | Infostealer trojan, dropper detected by Kaspersky antivirus as Trojan-GameThief.Win32.OnLineGames.aiky - also see here | X |
| {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} | Microsoft AntiMalware ShellExecuteHook | Windows Defender\MpShHook.dll | Windows Defender | L |
| {AEB6717E-7E19-11d0-97EE-00C04FD91974} | (no name) | %SYSDIR%\windows.dll, winforms.dll | TSPY_ONLINEG.IOT trojan | X |
| {ACC52793-08DC-42BB-99AB-F70FD2A7E244} | ??- SEApproved | %PROGRAMFILES%\Windows???\WinCipShe ll.dll | Infostealer trojan, see here | X |
| {56F9679E-7826-4C84-81F3-532071A8BCC5} | Windows Desktop Search Namespace Manager | %ProgramFiles%\Windows Desktop Search\MSNLNamespaceMgr.dll | Windows Desktop Search | L |
Drivers List Results
Driver Entry
Driver Entry
| Name | Filename | Description | Status |
| Hp.Skyroom.Windows.Service | Hp.Skyroom.Windows.Service.exe | Related to Hp.Skyroom.Windows.Service.exe HP SkyRoom service from Hewlett-Packard | L |
| Windows RemoteHelp Desk | Windows RemoteHelp Desk.DLL | Added by the Windows RemoteHelp Desk.DLL Infostealer trojan, detected by ESET's Nod32 antivirus as a variant of Win32/Korplug.J Note: Located in \%AppData%\ | X |
FF Extensions List Results
Firefox Extension
Firefox Extension
| CLSID | Name | Filename | Description | Status |
| Humanity@Windows | Humanity | Humanity@Windows.xpi | Humanity from WinTango Patcher - Theme with Humanity Icons. Additional customizations via Humanity Extras extension. See also other WinTango themes. | L |
| web2pdfextension.17@acrobat.adobe.com | web2pdfextension.17@acrobat .adobe.com | adobe_acrobat-1.0-windows.xpi | Related to adobe.com web2pdfextension. | L |
| Cheser-Extras@Windows | Cheser Extras | Cheser-Extras@Windows.xpi | Cheser Extras - Additional customizations for Cheser theme. | L |
| Elementary-Extras@Windows | Elementary Extras | Elementary-Extras@Windows.xpi | Elementary Extras - Additional customizations for Elementary theme. | L |
| Gnome-Extras@Windows | Gnome Extras | Gnome-Extras@Windows.xpi | Gnome Extras - Additional customizations for Gnome theme. | L |
Active Setup List Results
Active Setup - Installed Component
Active Setup - Installed Component
| CLSID | Name | Filename | Description | Status |
| {89B4C1CD-B018-4511-B0A1-5476DBF70820} | (no name) | Rundll32.exe C:\Windows\system32\mscories.dll,In stall | Microsoft® .NET Framework | L |
| {2D46B6DC-2207-486B-B523-A557E6D54B47} | (no name) | (Command Line): cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache | Microsoft Internet Explorer | L |
| {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} | (no name) | (command:) rundll32.exe c:\windows\system32\advpack.dll,lau nchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall .ResetTour,,12 | Microsoft Internet Explorer | L |
| {8310OJ62-078R-U7KL-T56T-86321LK632V8} | (no name) | SYSTEM32(.exe) | Infostealer trojan, detected by Microsoft as Worm:Win32/Rebhip.A - also see here | X |
| {FE881CA5-21E8-34F5-2AA1-628BF7995938} | (no name) | SYSTEM32.exe | Infostealer trojan, detected by Kaspersky antivirus as Trojan.Win32.Buzus.fjuf, see here | X |