CLSID List Results
BHOs, Toolbars, SHs, Explorer Bars
BHOs, Toolbars, SHs, Explorer Bars
| CLSID | Name | Filename | Description | Status |
| {7FFBBA7A-4237-40A2-9FF0-E600A34AA000} | Microsoft.SupportCenter 0 | Windows-LEIC.SCenter, Windows-****.SCenter | Keylogger, detected by Kaspersky antivirus as Trojan-Downloader.Win32.BHO.dw and by AntiVir as TR/Spy.Agen.35328.B | X BHO |
| {0B56B5C3-3D91-4E1D-A234-EB1068624EDA} | Microsoft.WirelessNetworks 0 | Windows-BETE.wirellesn, Windows-****.wirellesn | Keylogger, detected by Kaspersky antivirus as Trojan-Downloader.Win32.BHO.dw and by AntiVir as TR/Spy.Agen.35328.B | X BHO |
| {36DBC179-A19F-48F2-B16A-6A3E19B42A87} | (no name) | systeminfo.dll, rundll32.dll, esentutl.dll, tskill.dll, odbcad32.dll, winver.dll, rasdial.dll, setup.dll, spoolsv.dll, finger.dll, charmap.dll, runonce.dll, scardsvr.dll, winspool.dll, any filename taken at random from the System or System32 folder | Password stealer trojan, detected by Symantec as Infostealer.Bzup.B | X BHO |
| {I1OP5NK3-GKJ1-JP60-6R7Y-Y2Y80P2UWBA3} | (no name) | windows player.exe | Infostealer trojan, see here | X BHO |
| {051276BF-A27E-4C90-8950-E1C6B1141047} | windows sidebar | windows-sidebar.dll, WINDOW~1.DLL | Parasite of Korean origin hailing from winsidebar.net and detected as Win32.Spyware.windowssidebar | X BHO |
Startup List Results
Startup Entry
Startup Entry
| Name | Filename | Description | Status |
| MsWerr | ctfmon.dll | Added by the W32.Virut.CF VIRUT! Note: Located in \%WINDIR%\%System%\ | X |
| Windows Live Messenger 8.12 | ctfmon.exe | Added by a W32/LiPark-A WORM! Note: Located in \%User%\ Note: Do not remove the legitimate program file in \%WINDIR%\%System%\ Note: The worm spread by copying itself into shared folders used by common Peer to Peer (P2P) filesharing applications. | X |
| ctfmon | ctfmon.exe | Added by the Worm.Win32.AutoRun.ctz Note: Located in \%WINDIR%\ Note: Do not remove the legitimate ctfmon.exe file which is always found in \%WINDIR%\%System%\ | X |
| SetUp | ctfmon.exe | Added by the Trojan.Win32.Pasta.fuw Note: Located in \%Program Files%\Windows NT\ | X |
| ctfmon | ctfmon.exe | Added by the Troj/SDBot-06 Trojan! which allows a remote user to access and control the computer via IRC channels. Note: Located in \%WINDIR%\ Note: Do not confuse with the MS Office file of the same name as described here | X |
O20 List Results
AppInit_DLLs & Winlogon Notify
AppInit_DLLs & Winlogon Notify
| Name | Filename | Description | Status |
| st3 | C:\WINDOWS\system32\st3.dll | TrojanDownloader.Delf.NBH | X Winlogon Notify |
| sunotify | WINDOWS\SYSTEM32\sunotify.dll | ShadowUser_Pro - Create a virtual copy of your system for private and safe Web surfing. | L Winlogon Notify |
| (no name) | Windows\System32\vsmvhk.dll folder in (XP) | ShadowUser_Pro - Create a virtual copy of your system for private and safe Web surfing. | L AppInit_DLLs |
| welcome | [random].dll ins System32 directory | Spyware.Look2Me | X Winlogon Notify |
| winnt32 | %SYSDIR%\SYSTEM32\WinNt32.dll | W32/Mutant.XE!tr.dldr | X Winlogon Notify |
O21 List Results
ShellServiceObjectDelayLoad
ShellServiceObjectDelayLoad
| CLSID | Name | Filename | Description | Status |
| {1DBD6574-D6D0-4782-94C3-69619E719765} | (no name) | %WINDOWS%\help\B41346EFA848.dll | Troj/Lineag-FC | X |
| {BCBCD383-3E06-11D3-91A9-00C04F68105C} | AUHook | C:\WINDOWS\SYSTEM\AUHOOK.DLL | Windows ME Microsoft AutoUpdate | L |
| {********-****-****-****-************} | System | %SYSDIR%\system32.dll | CWS variant (Greatsearch) | X |
| {7849596a-48ea-486e-8937-a2a3009f31a9} | PostBootReminder | %SystemRoot%\system32\SHELL32.dll | Microsoft Windows | L |
| {fbeb8a05-beee-4442-804e-409d6c4515e9} | CDBurn | %SystemRoot%\system32\SHELL32.dll | Microsoft Windows | L |
O22 List Results
Shared Task Scheduler
Shared Task Scheduler
| CLSID | Name | Filename | Description | Status |
| {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} | (no name) | c:\windows\system32\mtwirl32.dll | CWSChronicles | X |
O23 List Results
Windows Services
Windows Services
| Name | Filename | Description | Status |
| Alternative User Input Services (Ctfmon) | ctfmon.exe | Added by the W32/Tilebot-JR WORM! Note: This worm is located in C:\%WINDIR%\ Note: NoteThis is not the cftmon.exe normally found in C:\WINDOWS\System32\ | X |
| LPTRDC server (LPTRDCsrv) | ctfmon.exe | Identified as TrojanDownloader:Win32/Fourta.A Malware Note: located in \%WINDIR%\ Note: Use SDFix under supervision. | X |
| Microsoft CTF Loader | ctfmon.exe | CTF Loader | L |
| Windows CTF Loader | ctfmon.exe | W32/Sdbot-DFSCopies itself to %Windows% directory | X |
| WindowsFirewall | system32.exe | Added by a variant of the IRCBOT Note: Located in \%WINDIR%\ Note: Use SDFix under supervision. | X |
O16 List Results
ActiveX
ActiveX
| CLSID | Name | Filename | Description | Status |
| {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} | DPF | jinstall-*_*_*_**-windows-i586.cab | Could be related to an old version of Sun Microsystems Java Software. For your Security you are urged to check and update your version if required. Verify Java Version | ? |
| {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} | DPF | jinstall-14-windows-i586.cab | Related to an old version of Sun Microsystems Java Software. For your Security you are urged to update your version. http://www.java.com/en/download/installed.jsp | ? |
| {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} | Java Plug-in 1.5.0_06 | jinstall-windows-i586.cab | Related to an old version of Sun Microsystems Java Software. For your Security you are urged to update your version. Sun Java update site | ? |
| {CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} | Java Plug-in 1.6.0 | jinstall-6u**-windows-i586.cab | Could be related to an old version of Sun Microsystems Java Software. For your Security you are urged to check and update your version if required. Verify Java Version | ? |
| {CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} | Java Plug-in 1.4.2_13 | jinstall-142-windows-i586.cab | Related to an old version of Sun Microsystems Java Software. For your Security you are urged to update your version. Sun Java update site | ? |
SEH List Results
ShellExecuteHook
ShellExecuteHook
| CLSID | Name | Filename | Description | Status |
| {E60A0B68-AF3A-C1D2-CD09-5A81A136D2BA} | (no name) | %WINDIR%\SYSTEM32\sonj32drv.dll | Infostealer trojan, dropper detected by Kaspersky antivirus as Trojan-GameThief.Win32.OnLineGames.aiky - also see here | X |
| {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} | Microsoft AntiMalware ShellExecuteHook | Windows Defender\MpShHook.dll | Windows Defender | L |
| {AEB6717E-7E19-11d0-97EE-00C04FD91974} | (no name) | %SYSDIR%\windows.dll, winforms.dll | TSPY_ONLINEG.IOT trojan | X |
| {ACC52793-08DC-42BB-99AB-F70FD2A7E244} | ??- SEApproved | %PROGRAMFILES%\Windows???\WinCipShe ll.dll | Infostealer trojan, see here | X |
| {56F9679E-7826-4C84-81F3-532071A8BCC5} | Windows Desktop Search Namespace Manager | %ProgramFiles%\Windows Desktop Search\MSNLNamespaceMgr.dll | Windows Desktop Search | L |
Drivers List Results
Driver Entry
Driver Entry
| Name | Filename | Description | Status |
| System Service | ctfmon.exe | Infostealer trojan, detected by ESET's Nod32 antivirus as a variant of Win32/PSW.OnLineGames.PSK | X |
| Hp.Skyroom.Windows.Service | Hp.Skyroom.Windows.Service.exe | Related to Hp.Skyroom.Windows.Service.exe HP SkyRoom service from Hewlett-Packard | L |
| Windows RemoteHelp Desk | Windows RemoteHelp Desk.DLL | Added by the Windows RemoteHelp Desk.DLL Infostealer trojan, detected by ESET's Nod32 antivirus as a variant of Win32/Korplug.J Note: Located in \%AppData%\ | X |
FF Extensions List Results
Firefox Extension
Firefox Extension
| CLSID | Name | Filename | Description | Status |
| Humanity@Windows | Humanity | Humanity@Windows.xpi | Humanity from WinTango Patcher - Theme with Humanity Icons. Additional customizations via Humanity Extras extension. See also other WinTango themes. | L |
| web2pdfextension.17@acrobat.adobe.com | web2pdfextension.17@acrobat .adobe.com | adobe_acrobat-1.0-windows.xpi | Related to adobe.com web2pdfextension. | L |
| Cheser-Extras@Windows | Cheser Extras | Cheser-Extras@Windows.xpi | Cheser Extras - Additional customizations for Cheser theme. | L |
| Elementary-Extras@Windows | Elementary Extras | Elementary-Extras@Windows.xpi | Elementary Extras - Additional customizations for Elementary theme. | L |
| Gnome-Extras@Windows | Gnome Extras | Gnome-Extras@Windows.xpi | Gnome Extras - Additional customizations for Gnome theme. | L |
Active Setup List Results
Active Setup - Installed Component
Active Setup - Installed Component
| CLSID | Name | Filename | Description | Status |
| {J707HCKD-A7OV-I040-X0FU-Q5F12N3EI702} | (no name) | ctfmon.exe | Infostealer trojan, detected by Kaspersky antivirus as Trojan.Win32.Bublik.aigr - also see this ThreatExpert Report | X |
| {003M185M-XA30-WYI2-3PNK-YXN35127018N} | (no name) | ctfmon.exe | Infostealer trojan, see here | X |
| {7N365172-32M6-8LL2-XRW7-EF733H5H8722} | (no name) | ctfmon.exe | Infostealer trojan, see here | X |
| {F5776D81-AE53-4935-8E84-B0B284D4BCEF} | (no name) | ctfmon.exe | Infostealer trojan, detected by Sophos as Troj/Insidoor-A | X |
| {7A4Q2V25-7CXG-D2RT-6C77-166PLA7SA7Y7} | (no name) | ctfmon.exe | Infostealer trojan, detected by Kaspersky antivirus as Trojan.Win32.Jorik.Llac.ajd, see this ThreatExpert Report | X |