CLSID List Results
BHOs, Toolbars, SHs, Explorer Bars
CLSID | Name | Filename | Description | Status |
{5adefb9e-b824-45e6-86e2-2b7941f5d6a3} | AutoSig.BHO | mscoree.dll (MS file!) - [codebase: %ProgramFiles%\Internet Explorer\Internet Explorer\AutoSig.dll, gvdde.dll] | Parasite, see this ThreatExpert Report and here - Dropper detected by Avira as TR/Spy.284672.8 ... Note: BHO based on this tutorial... | X BHO |
{5adefb9e-b824-45e6-86e2-2b7941f5d6a3} | AutoSig.BHO | mscoree.dll (MS file!) - [codebase: %PROGRAMFILES%\Internet Explorer\Internet Explorer\mhuzun.dll] | Infostealer trojan, see here | X BHO |
{11111111-1111-1111-1111-110711111163} | fc8a36eecf204e9fb9e1fb11175 732290071163, Explorer Security | Explorer Security-bho.dll, Explorer Security-bho64.dll | Crossrider cross-browser plugin, often bundled with third party software or part of an adware bundle - detected as Adware.CrossRider and by Malwarebytes Anti-Malware as "PUP.Optional.CrossRider.A" or "PUP.Optional.ExplorerSecurity.A" | X BHO |
{1E1B2879-88FF-11D2-8D96-123457123457} | clitor | Explorer.dll | MAN adware | X BHO |
{6E28339B-7A2A-47B6-AEB2-46BA53782378} | UpdateCache Class | explorer.dll | Wayphisher trojan | X BHO |
Startup List Results
Startup Entry
Name | Filename | Description | Status |
sys_Runtt1 | explorer.exe | Added by the Troj/Lineage-M TROJAN! Note: Located in \%Program Files%\ Note: Do not remove the legitimate explorer.exe file which is always found in \%WINDIR%\ | X |
WindowsRegKey Autoupdate | Explorer.exe | Added by a variant of the Win32/Rbot Family WORM! Note: Located in \%WINDIR%\System32\ Note: Do not remove the legitimate explorer.exe file which is always found in \%WINDIR%\ | X |
Windows System32 | explorer.exe | Added by the W32/Opanki-V WORM! Note: Located in \%WINDIR%\System32\ Note: Do not remove the legitimate explorer.exe file which is always found in \%WINDIR%\ Note: Use SDFix under supervision. | X |
Windows Services | Explorer.exe | Added by the W32/Sdbot-WT WORM! Note: Located in \%WINDIR%\System32\ Note: Do not remove the legitimate explorer.exe file which is always found in \%WINDIR%\ | X |
Windows Explorer.exe | Explorer.exe | Added by the Troj/Falter-A WORM! Note: Located in \%WINDIR%\System32\ Note: Do not remove the legitimate explorer.exe file which is always found in \%WINDIR%\ | X |
O18 List Results
Extra Protocols
CLSID | Name | Filename | Description | Status |
{********-****-****-****-************} | text/html | \microsoft\internet explorer\V0.39.dat | Infostealer.Lineage | X Filter |
O20 List Results
AppInit_DLLs & Winlogon Notify
Name | Filename | Description | Status |
explorer | explorer.dll | Troj/SCLog-B | X Winlogon Notify |
O21 List Results
ShellServiceObjectDelayLoad
CLSID | Name | Filename | Description | Status |
{2C1CD3D7-86AC-4068-93BC-A02304BB2238} | DCOM Server 2238 | explorer.exe, dxvw****.exe (**** = 4 letters) | Troj/SpamThru-K | X |
O22 List Results
Shared Task Scheduler
CLSID | Name | Filename | Description | Status |
{2C1CD3D7-86AC-4068-93BC-A02304BB2238} | DCOM Server 2238 | explorer.exe, dxvw****.exe (**** = 4 letters) | Troj/SpamThru-K | X |
O23 List Results
Windows Services
Name | Filename | Description | Status |
DirectX Service (Cakad) | explorer.exe | Troj/DwnLdr-GTD Note: Read the link, allows remote access | X |
DirectX Service (DirectFezt) | explorer.exe | Troj/Crybot-G Note: Located in the downloaded program files folder Note: Read the link, allows remote access | X |
DirectX Service (DirectValk) | explorer.exe | Added by the Troj/Crybot-F TROJAN! Note: Located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K) | X |
DirectX Service (DirectXopm) | explorer.exe | Added by an unknown variant of a backdoor TROJAN! Note: This worm\trojan is located in C:\%WINDIR%\COMMAND\ Folder. Note: This should not be confused with C:\%WINDIR%\explorer.exe which is the Microsoft Operating file. | X |
Windows Control Panel Debugger | explorer.exe | Detected as W32/Hupigon.gen76 by F-Secure Note: Located in %windir%\debug | X |
SEH List Results
ShellExecuteHook
CLSID | Name | Filename | Description | Status |
{61F8AFF1-7583-466C-A772-AAD4B4090514} | (no name) | %ProgramFiles%\Internet Explorer\SDK.Dll | Password stealer trojan of Chinese origin, a variant of Infostealer.Gampass, see here | X |
{7F826903-D0C4-4A05-BA43-36379CEDC745} | (no name) | %ProgramFiles%\Internet Explorer\sdk.dll | Password stealer trojan of Chinese origin, a variant of Infostealer.Gampass, detected by Kaspersky antivirus as Trojan-GameThief.Win32.OnLineGames.vrre | X |
{38273D7C-48B6-41AC-8DC1-33DA549C02D6} | (no name) | %ProgramFiles%\Internet Explorer\DD.dll | Password stealer trojan of Chinese origin, a variant of Infostealer.Gampass | X |
{BD75B192-6840-453B-AE28-2B4B548645B6} | (no name) | %ProgramFiles%\Internet Explorer\D9.dll | Password stealer trojan of Chinese origin, a variant of Infostealer.Gampass | X |
{A33B53E3-404C-481D-8F9C-33E416E9D865} | (no name) | %ProgramFiles%\Internet Explorer\fzsKetNt.Ps2 | Password stealer trojan of Chinese origin, detected by Kaspersky antivirus as Trojan-PSW.Win32.QQPass.eyb | X |
Drivers List Results
Driver Entry
Name | Filename | Description | Status |
bosadmin | explorer.exe | Added by the Backdoor:Win32/Zegost.AD Infostealer trojan Note: Do not remove the legitimate (explorer.exe) file which is always found in \%Windir%\ | X |
Active Setup List Results
Active Setup - Installed Component
CLSID | Name | Filename | Description | Status |
{FDDDDAB3-C734-CD25-E9BF-FDECBBAE1E5B} | (no name) | explorer.exe | Infostealer trojan, detected by Microsoft as Worm:Win32/Ainslot.A - also see here | X |
{77FEF28E-EB96-44FF-B511-3185DEA48697} | (no name) | explorer.exe | Infostealer trojan, detected by Microsoft as Worm:Win32/Ainslot.A - also see here | X |
{KCQ5FXT3-D421-CM3U-URKO-L8432L7P5AJC} | (no name) | explorer.exe | Infostealer trojan, detected by Microsoft as Worm:Win32/Rebhip.A - also see here | X |
{C2DFQGW4-0434-4NTI-EJ6E-LB28EDR27LE0} | (no name) | explorer.exe | Infostealer trojan, detected by Kaspersky as Trojan.Win32.Bublik.akti - also see here | X |
{JH54N417-727G-S1W0-7TXX-RDXB6E5C1Q0J} | (no name) | explorer.exe | Infostealer trojan, detected by Kaspersky antivirus as Trojan.Win32.Bublik.akni - also see here | X |