CLSID List Results
BHOs, Toolbars, SHs, Explorer Bars
BHOs, Toolbars, SHs, Explorer Bars
| CLSID | Name | Filename | Description | Status |
| {B3A05538-8F91-49C1-8EE3-6EB142B41E2A} | HelloWorldBHO, Microsoft Help | Microsoft.System.Help.dll, Microsoft.System.Help.Object.dll, Microsoft.System.Help.Library.dll | Keyword hijacker redirecting to find.fm and bestsamara.org, detected by Kaspersky antivirus as Trojan.Win32.BHO.es | X BHO |
| {11111111-1111-1111-1111-110611561119} | 6d9e5b4b83b642dda6872290d49 2b0fa0065619, System Support | System Support-bho.dll, System Support-bho64.dll | Crossrider cross-browser plugin, often bundled with third party software or part of an adware bundle - detected as Adware.CrossRider and by Malwarebytes Anti-Malware as "PUP.Optional.CrossRider" or "PUP.Optional.SystemSupport.A" - also see here | X BHO |
| {11111111-1111-1111-1111-110211701196} | CrossriderApp0027096, Services x86 | Services x86.dll, Services x86-bho.dll | Crossrider cross-browser plugin, detected as Adware.GamePlayLabs or Adware.CrossRider and by Malwarebytes Anti-Malware as PUP.215Apps, PUP.CrossFire or PUP.CrossRider | X BHO |
| {67A06BB1-027B-4E94-8C3D-2DCD5E808A28} | IHiu Class | Services.dll, AYBHOAD.dll | Parasite of Chinese origin, a variant of the Win-Clicker/Puper.73728 trojan - also detected as Trojan.HIU | X BHO |
| {BE1962AB-3E8F-422a-934D-12E1AD39AF4C} | XBTB00664 | intermedia-services.com.dll, INTERM~*.DLL | Flatland.net Toolbar - a Softomate Toolbar variant - Softomate customizes toolbars to customers needs. The dll files for their toolbars contain some spyware/adware functionality, although not all of the toolbars use this. | O BHO |
Startup List Results
Startup Entry
Startup Entry
| Name | Filename | Description | Status |
| system.exe | system.exe | Added by the Win32/Jampork.E WORM! Note: Located in \%WINDIR%\System32\ Note: Win32/Jampork.E attempts to spread via removable disks (such as USB sticks and flash drives). | X |
| winlogon | system.exe | Identified as a variant of the Trojan-Downloader.Win32.Delf.cns malware. Note: Located in \%WINDIR%\System32\drivers\ | X |
| Windows Update Software | system.exe | Added by the TSPY_TOFGER.BX TROJAN! Note: Located in \%WINDIR%\System32\ | X |
| windows run | system.exe | Added by the W32/Icpass-A WORM! Note: Located in \%WINDIR%\System32\ | X |
| Windows DLL Services | system.exe | Added by the TSPY_AGENT.H SPYWARE! Note: Located in %Spyware path%\ | X |
O18 List Results
Extra Protocols
Extra Protocols
| CLSID | Name | Filename | Description | Status |
| {53B95211-7D77-11D2-9F81-00104B107C96} | start, about | MSXWORD.DLL, SYSTEM***.dll (*** random digits) | CoolWebSearch parasite variant | X Protocol, Protocol hijack |
| {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} | http\oledb, https\oledb, msdaipp\oledb | %ProgramFiles%\Common Files\SYSTEM\OLE DB\msdaipp.dll | Microsoft Data Access Component Internet Publishing Provider Note: item whitelisted by HijackThis | L Protocol |
O20 List Results
AppInit_DLLs & Winlogon Notify
AppInit_DLLs & Winlogon Notify
| Name | Filename | Description | Status |
| (no name) | %SYSDIR%\services.dll | PurityScan variant | X AppInit_DLLs |
O21 List Results
ShellServiceObjectDelayLoad
ShellServiceObjectDelayLoad
| CLSID | Name | Filename | Description | Status |
| {F28A40D7-AD0E-034A-C651-5F0ED76232E6} | Internet Explorer | %System%\[RANDOM NAME].dll | Backdoor.Berbew.T | X |
| {000000A0-0000-0000-0000-000000000011} | Keysaver | %System%\Keysaver.dll | Trojan-Dropper.Win32.Small | X |
| {BCBCD383-3E06-11D3-91A9-00C04F68105C} | AUHook | C:\WINDOWS\SYSTEM\AUHOOK.DLL | Windows ME Microsoft AutoUpdate | L |
O22 List Results
Shared Task Scheduler
Shared Task Scheduler
| CLSID | Name | Filename | Description | Status |
| {fa4fbf53-c766-4622-8011-a87a805eebf0} | deboner | %SYSTEM%\antzozc.dll | Smitfraud | X |
| {3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea} | doglike | %SYSTEM%\fftktmk.dll | Smitfraud | X |
| {25b7d2fd-4f71-46d1-801a-7de323e4ec82} | equiparant | %SYSTEM%\indwvm.dll | Smitfraud | X |
| {6ad686b9-ab56-4ebc-a804-9f70b55b4577} | floripondio | %SYSTEM%\uimcu.dll | Smitfraud | X |
| {0c5a0fff-9164-493b-93e0-17446374e0a0} | inflexive | %SYSTEM%\dtjby.dll | Smitfraud | X |
O23 List Results
Windows Services
Windows Services
| Name | Filename | Description | Status |
| Windows System Controller | System.exe | Added by the WORM_SDBOT.BLC WORM! Note: This worm\trojan is located in C:\%WINDIR%\ folder. | X |
| system | system.exe | Added by an unidentified TROJAN! Note: of the Win32/Rbot Family. Note: This worm\trojan is located in C:\%WINDIR%\ folder | X |
| systemboot (systemboot) | System.exe | Added by the SDBOT.CDM WORM! Note: Read the link, rootkit type stealth involved. | X |
| Windows DHCP Service | system.exe | Added by a variant of the W32/SDBOT WORM! Note: This worm\trojan is located in C:\%WINDIR%\ folder. | X |
| SCA (Service Control Application) | SYSTEM.EXE | Unknown virus | X |
SEH List Results
ShellExecuteHook
ShellExecuteHook
| CLSID | Name | Filename | Description | Status |
| {6E44887F-5214-41F2-AB46-4728735C4CC6} | (no name) | %Program Files%\Internet Explorer\PLUGINS\system.sys, system3.sys, System*.sys, system**.sys | Infostealer trojan, detected by Kaspersky antivirus as Trojan-PSW.Win32.QQPass.qi - also see here | X |
| {7A238B14-A6F1-11E0-9A84-00C04FD8DBD8} | (no name) | %SYSDIR%\system.dll | TR/PSW.Small.BS.4 | X |
| {59659854-7415-1025-5982-789541250195} | (no name) | %System%\WinSysms_1.dll | Infostealer.Gampass | X |
| {ACADABAF-1000-0010-8000-10AA006D2EA4} | (no name) | %SYSDIR%\system.dat | TROJ_DLOADER.AAL trojan | X |
| {40AA9D3D-BFB8-4B9F-A0E6-8913EDAC6779} | (no name) | %COMMONPROGRAMFILES%\System\bho.dll | Infostealer trojan, detected by Kaspersky antivirus as Trojan.Win32.Swisyn.adfc - also see here | X |
Drivers List Results
Driver Entry
Driver Entry
| Name | Filename | Description | Status |
| OrbisClient.Services | OrbisClient.Services.exe | Related to OrbisClient.Services.exe Comprehensive Security courseware to date. With over 60 lab simulations, LabSim for Security Pro will give you the knowledge and the experience you need to enter the industry as an entry-level IT security administrator from TestOut Corporation® | L |
| system-updateservice | system-update-se.exe | System-Update, a parasite of Korean origin hailing from system-update.co.kr and detected by MBAM as "Rogue.SystemUpdate.K" | X |
| AutoProcess | AMG Attendance System.exe | Related to the AMG Attendance System.exe Card Reader Time and Attendance Software from AMG Attendance System | L |
FF Extensions List Results
Firefox Extension
Firefox Extension
| CLSID | Name | Filename | Description | Status |
| system-monitor@clear-code.com | System Monitor | system-monitor@clear-code.com.xpi | System Monitor provides CPU usage and memory usage graphs on the toolbar. | L |
| disable-system-alerts@matthew.noorenberghe.com | Disable System Alerts | disable-system-alerts@matthew.noorenberghe.com.xpi | Disable System Alerts disables integration with the system alert/notification service such as OS X Notification Center and libnotify. | L |
Active Setup List Results
Active Setup - Installed Component
Active Setup - Installed Component
| CLSID | Name | Filename | Description | Status |
| {JDNFMB03-K156-1J54-176T-H5SGQAUF1ATH} | (no name) | Services.exe | Infostealer trojan, detected by Microsoft as VirTool:MSIL/Injector.gen!A, see here | X |
| {5SEE5RH5-C8N0-G86Y-78T3-V4G5382A3U5C} | (no name) | services.exe | Infostealer trojan, detected by Microsoft as Worm:Win32/Rebhip.A - also see here | X |
| {51SW6ENN-P584-25G0-1DX4-38T8MSFT6UGO2} | (no name) | services.exe | Infostealer trojan, see here | X |
| {DDA46FB1-E4EB-AAA3-AFEE-EF6FEF22C279} | (no name) | Services.exe | Infostealer trojan, see this ThreatExpert Report | X |
| {F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | (no name) | services.exe | Infostealer trojan, a variant of Troj/Nopride-A - see this ThreatExpert Report | X |