CLSID List Results
BHOs, Toolbars, SHs, Explorer Bars
CLSID | Name | Filename | Description | Status |
{7FFBBA7A-4237-40A2-9FF0-E600A34AA000} | Microsoft.SupportCenter 0 | Windows-LEIC.SCenter, Windows-****.SCenter | Keylogger, detected by Kaspersky antivirus as Trojan-Downloader.Win32.BHO.dw and by AntiVir as TR/Spy.Agen.35328.B | X BHO |
{0B56B5C3-3D91-4E1D-A234-EB1068624EDA} | Microsoft.WirelessNetworks 0 | Windows-BETE.wirellesn, Windows-****.wirellesn | Keylogger, detected by Kaspersky antivirus as Trojan-Downloader.Win32.BHO.dw and by AntiVir as TR/Spy.Agen.35328.B | X BHO |
{5574E139-F59C-4bee-9A61-150B0D3A16C7} | MSDNS System | service.dll | MyGeek/Cpvfeed.com adware variant, detected by AntiVir antivirus as ADSPY/BHOApp; logs search engine queries to a %Windir%\search_res.txt file. | X BHO |
{11111111-1111-1111-1111-110211971101} | CrossriderApp0029701, service-x86 | service-x86.dll, service-x86-bho.dll | Crossrider cross-browser plugin, often bundled with third party software or foistware - detected as Adware.GamePlayLabs or Adware.CrossRider and by Malwarebytes Anti-Malware as PUP.215Apps, PUP.CrossFire or PUP.CrossRider | X BHO |
{30F9B915-B755-4826-820B-08FBA6BD249D} | Conduit Engine, Conduit Motor | ConduitEngin.dll, ConduitEngine.dll, ConduitEngin0.dll, ConduitEngin1.dll, prxConduitEngin.dll, prxConduitEngine.dll, prxConduitEngin0.dll, prxConduitEngin1.dll, prxConduitEngin2.dll, ldrConduitEngine.dll, Local.DLL | Browser plugin bundled with various Conduit "Community Toolbars". | O BHO, TB |
Startup List Results
Startup Entry
Name | Filename | Description | Status |
MsWerr | ctfmon.dll | Added by the W32.Virut.CF virus. Note: located in \%WINDIR%\%System%\. | X |
SetUp | ctfmon.exe | Added by Trojan.Win32.Pasta.fuw. Note: located in \%Program Files%\Windows NT\. | X |
Firewall | ctfmon.exe | Added by a variant of IRCBot. Note: located in \%WINDIR%\; not to be confused with the legitimate file in the \%WINDIR%\%SYSTEM%\ folder. Note: use SDFix under supervision. | X |
ctfmon | ctfmon.exe | Added by the Troj/SDBot-06 trojan, which allows a remote user to access and control the computer via IRC channels. Note: located in \%WINDIR%\; do not confuse with the legitimate Microsoft ctfmon.exe (CTF Loader) of the same name in \%WINDIR%\%SYSTEM%\. | X |
ctfmon | ctfmon.exe | Adware responsible for tenmonkey.com popups. Note: located in \%WINDIR%\; do not confuse with the legitimate Microsoft ctfmon.exe (CTF Loader) of the same name in \%WINDIR%\%SYSTEM%\. | X |
O20 List Results
AppInit_DLLs & Winlogon Notify
Name | Filename | Description | Status |
st3 | C:\WINDOWS\system32\st3.dll | TrojanDownloader.Delf.NBH | X Winlogon Notify |
sunotify | WINDOWS\SYSTEM32\sunotify.dll | ShadowUser_Pro - Create a virtual copy of your system for private and safe Web surfing. | L Winlogon Notify |
(no name) | Windows\System32\vsmvhk.dll (XP) | ShadowUser_Pro - Create a virtual copy of your system for private and safe Web surfing. | L AppInit_DLLs |
nvmtfga-x32 | %userappdata%\Local\nvmtfga.dll | Troj/HkMain-CT | X Winlogon Notify |
stifolo | %AppData%\Local\stifolo.dll | Trojan.Downloader | X Winlogon Notify |
O21 List Results
ShellServiceObjectDelayLoad
CLSID | Name | Filename | Description | Status |
{1DBD6574-D6D0-4782-94C3-69619E719765} | (no name) | %WINDOWS%\help\B41346EFA848.dll | Troj/Lineag-FC | X |
{BCBCD383-3E06-11D3-91A9-00C04F68105C} | AUHook | C:\WINDOWS\SYSTEM\AUHOOK.DLL | Windows ME Microsoft AutoUpdate | L |
{********-****-****-****-************} | System | %SYSDIR%\system32.dll | CWS variant (Greatsearch) | X |
{7849596a-48ea-486e-8937-a2a3009f31a9} | PostBootReminder | %SystemRoot%\system32\SHELL32.dll | Microsoft Windows | L |
{fbeb8a05-beee-4442-804e-409d6c4515e9} | CDBurn | %SystemRoot%\system32\SHELL32.dll | Microsoft Windows | L |
O22 List Results
Shared Task Scheduler
CLSID | Name | Filename | Description | Status |
{3F143C3A-1457-6CCA-03A7-7AA23B61E40F} | (no name) | c:\windows\system32\mtwirl32.dll | CWSChronicles | X |
O23 List Results
Windows Services
Name | Filename | Description | Status |
Alternative User Input Services (Ctfmon) | ctfmon.exe | Added by the W32/Tilebot-JR worm. Note: the worm's copy is located in C:\%WINDIR%\; it is not the ctfmon.exe normally found in C:\WINDOWS\System32\. | X |
Microsoft CTF Loader | ctfmon.exe | CTF Loader | L |
Windows CTF Loader | ctfmon.exe | Added by the W32/Sdbot-DFS worm, which copies itself to the %Windows% directory. | X |
LPTRDC server (LPTRDCsrv) | ctfmon.exe | Identified as TrojanDownloader:Win32/Fourta.A. Note: located in \%WINDIR%\. Note: use SDFix under supervision. | X |
Windows Updates Service | Windows Updates Service.vbe | Malware installed as a service whose name mimics Windows Update; the service image is an encoded VBScript (.vbe). Note: located in \%AppData%\Roaming\Windows Updates Files\. | X |
O16 List Results
ActiveX
CLSID | Name | Filename | Description | Status |
{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} | DPF | jinstall-*_*_*_**-windows-i586.cab | Sun/Oracle Java static-versioning CLSID; the three middle fields encode the plug-in version, here 1.7.0_51 (Java 7 Update 51), an end-of-life release. For your security, check the installed version and update or remove it. | ? |
{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} | DPF | jinstall-14-windows-i586.cab | Sun Java static-versioning CLSID for the 1.4.1 plug-in, an end-of-life release. For your security you are urged to update or remove it: http://www.java.com/en/download/installed.jsp | ? |
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} | Java Plug-in 1.5.0_06 | jinstall-windows-i586.cab | Sun Java static-versioning CLSID for the 1.5.0_06 plug-in, an end-of-life release. For your security you are urged to update or remove it. | ? |
{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} | Java Plug-in 1.6.0 | jinstall-6u**-windows-i586.cab | Sun Java family CLSID (FFFF in the update field means any 1.6.0 update), so the cab name alone does not tell which 6uXX build is installed; all 1.6.0 releases are end-of-life. For your security, check the installed version and update or remove it. | ? |
{CAFEEFAC-0014-0002-0013-ABCDEFFEDCBA} | Java Plug-in 1.4.2_13 | jinstall-142-windows-i586.cab | Sun Java static-versioning CLSID for the 1.4.2_13 plug-in, an end-of-life release. For your security you are urged to update or remove it. | ? |
SEH List Results
ShellExecuteHook
CLSID | Name | Filename | Description | Status |
{E60A0B68-AF3A-C1D2-CD09-5A81A136D2BA} | (no name) | %WINDIR%\SYSTEM32\sonj32drv.dll | Infostealer trojan; dropper detected by Kaspersky antivirus as Trojan-GameThief.Win32.OnLineGames.aiky | X |
{003319FE-D7A2-456A-AE04-EB9ABF822FE4} | (no name) | %USER_PROFILE%\Local Settings\Temp\BAK*ow.dll | PWS-OnlineGames.bc | X |
{00274BC4-F915-4741-A6F6-6EF95C5E17AA} | (no name) | %UserProfile%\Local Settings\Temp\con\zttz.dll | Password stealer trojan of Chinese origin, a variant of Infostealer.Gampass | X |
{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} | Microsoft AntiMalware ShellExecuteHook | Windows Defender\MpShHook.dll | Windows Defender | L |
{AEB6717E-7E19-11d0-97EE-00C04FD91974} | (no name) | %SYSDIR%\windows.dll, winforms.dll | TSPY_ONLINEG.IOT trojan | X |
Drivers List Results
Driver Entry
Name | Filename | Description | Status |
System Service | ctfmon.exe | Infostealer trojan, detected by ESET's Nod32 antivirus as a variant of Win32/PSW.OnLineGames.PSK | X |
Hp.Skyroom.Windows.Service | Hp.Skyroom.Windows.Service.exe | HP SkyRoom service from Hewlett-Packard. | L |
Local Print Agent | Local Print Agent.exe | PrintFleet Local Print Agent, which collects information from local printing devices (PrintFleet Inc.). | L |
Windows RemoteHelp Desk | Windows RemoteHelp Desk.DLL | Infostealer trojan installed as a service under a help-desk-sounding name, detected by ESET's Nod32 antivirus as a variant of Win32/Korplug.J. Note: located in \%AppData%\. | X |
PayClock_Terminal_Service64 | Lathem.USBTM.Service.PC600.Service.exe | PayClock from Lathem Time Corporation. | L |
FF Extensions List Results
Firefox Extension
Extension ID | Name | Filename | Description | Status |
service@touchpdf.com | pdfit | service@touchpdf.com.xpi | pdfit converts the current page to a PNG/JPG image or to PDF; image filters (e.g. rotate, reflection) can be applied during the page-to-image conversion. | L |
user@imagiris.txt | imagiris | user@imagiris.txt.xpi | Imagiris - High definition image enlargement. Note: Discontinued extension and service - dead imagiris.com domain. | L |
add-to-local-website-archive@aignes.com | Add to Local Website Archive | add-to-local-website-archive@aignes.com.xpi | Add to Local Website Archive adds the entry "Add to Local Website Archive" to the Firefox context menu. Calling this menu item adds the currently opened page to Local Website Archive. See also other *@aignes.com extensions. Note: Not listed on Mozilla Add-ons, but signed by Mozilla. | L |
add-to-local-website-archive-toolbar@aignes.com | Add to Local Website Archive | add-to-local-website-archive-toolbar@aignes.com.xpi | Add to Local Website Archive adds the button "Add to Local Website Archive" to the Firefox toolbar. Clicking this button adds the currently opened page to Local Website Archive. See also other *@aignes.com extensions. Note: Not listed on Mozilla Add-ons, but signed by Mozilla. | L |
Humanity@Windows | Humanity | Humanity@Windows.xpi | Humanity from WinTango Patcher - Theme with Humanity Icons. Additional customizations via Humanity Extras extension. See also other WinTango themes. | L |
Active Setup List Results
Active Setup - Installed Component
CLSID | Name | Filename | Description | Status |
{8FCFFCDD-AFBF-FB7A-1E9C-BFCC8CAAEC7A} | (no name) | ctfmon.exe | Infostealer trojan, detected by Microsoft as Worm:Win32/Ainslot.A | X |
{J707HCKD-A7OV-I040-X0FU-Q5F12N3EI702} | (no name) | ctfmon.exe | Infostealer trojan, detected by Kaspersky antivirus as Trojan.Win32.Bublik.aigr. Note: the key name is not a valid GUID (it contains non-hex characters); Active Setup runs the StubPath of any subkey regardless of its name, so a malformed "CLSID" here is itself a red flag. | X |
{F5776D81-AE53-4935-8E84-B0B284D4BCEF} | (no name) | ctfmon.exe | Infostealer trojan, detected by Sophos as Troj/Insidoor-A | X |
{EHS168S0-JO23-16C1-IP62-HFGSJUPGJ15R} | (no name) | ctfmon.exe | Infostealer trojan, detected by Microsoft as BackDoor:Win32/Fynloski.A. Note: the key name is not a valid GUID (non-hex characters), a red flag in its own right. | X |
{003M185M-XA30-WYI2-3PNK-YXN35127018N} | (no name) | ctfmon.exe | Infostealer trojan. Note: the key name is not a valid GUID (non-hex characters), a red flag in its own right. | X |
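The recurring points across these tables are worth automating on a suspect host: ctfmon.exe is legitimate only in %SystemRoot%\System32, several entries load from user-writable profile paths, and three Active Setup "CLSIDs" above are not even well-formed GUIDs. The PowerShell below is an added example and is not code from this listing or its maintainers. It walks the autostart locations the sections cover (Run keys, AppInit_DLLs, Winlogon Notify, ShellServiceObjectDelayLoad, SharedTaskScheduler, ShellExecuteHooks, Browser Helper Objects, Active Setup, services) using the standard registry paths for those locations, and flags entries with the heuristics named in the comments; the heuristics are this example's own, not anything the listing states. Run it from an elevated PowerShell; on 64-bit Windows the WOW6432Node mirrors of the HKLM keys are not covered here.

```powershell
# Added example (not part of the listing above): enumerate the autostart
# locations the tables cover and flag the masquerade patterns they document.
# Registry paths are the standard Windows ones; the flag rules are heuristics
# chosen for this example.

$sys32   = Join-Path $env:SystemRoot 'System32'
$guidRx  = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$entries = New-Object System.Collections.Generic.List[object]

function Get-RegValues([string]$Key) {
    # Name/data pairs of a key's values, minus the PS* properties the provider adds.
    if (-not (Test-Path $Key)) { return }
    foreach ($p in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        [pscustomobject]@{ Name = $p.Name; Data = [string]$p.Value }
    }
}

function Resolve-ClsidModule([string]$Clsid) {
    # An in-process COM server's DLL is the default value of CLSID\{...}\InprocServer32.
    foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
        $k = "$hive\CLSID\$Clsid\InprocServer32"
        if (Test-Path $k) { return (Get-ItemProperty -Path $k).'(default)' }
    }
}

function Add-Entry($Location, $Name, $Clsid, $Path) {
    $expanded = if ($Path) { [Environment]::ExpandEnvironmentVariables([string]$Path) } else { $null }
    $entries.Add([pscustomobject]@{ Location = $Location; Name = $Name; Clsid = $Clsid; Path = $expanded })
}

function Get-Flags([string]$Path, [string]$Clsid) {
    $flags = @()
    # Active Setup / SEH / SSODL keys named by something that is not a GUID are a giveaway.
    if ($Clsid -and $Clsid -notmatch $guidRx) { $flags += 'key name is not a valid GUID' }
    if (-not $Path) { return $flags }
    # Reduce a command line ("C:\x y\a.exe" /arg, or a.exe /arg) to its image path.
    $exe  = if ($Path -match '^"([^"]+)"') { $Matches[1] } else { ($Path -split '\s+')[0] }
    $leaf = Split-Path $exe -Leaf
    $dir  = Split-Path $exe -Parent
    # An unqualified name is resolved through the loader search order, which is
    # exactly how a ctfmon.exe dropped in %WINDIR% wins over the real one.
    if (-not $dir) { $flags += 'unqualified filename, resolved via search order'; return $flags }
    if ($leaf -ieq 'ctfmon.exe' -and $dir -ine $sys32) { $flags += 'ctfmon.exe outside System32' }
    if ($exe -match '(?i)\\(AppData|Local Settings|Temp|Help)\\') { $flags += 'user-writable or odd directory' }
    if (Test-Path -LiteralPath $exe) {
        # OS binaries are catalog-signed; anything else reporting NotSigned or an invalid
        # signature deserves a manual look.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $flags += "Authenticode: $($sig.Status)" }
    } else { $flags += 'file not found' }
    return $flags
}

# O4 Run keys (Startup List) for the machine and the current user.
foreach ($h in 'HKLM', 'HKCU') {
    Get-RegValues "${h}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" |
        ForEach-Object { Add-Entry 'Run' $_.Name $null $_.Data }
}
# O20 AppInit_DLLs (space- or comma-separated list) and Winlogon Notify subkeys.
$winNT   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$appInit = [string](Get-ItemProperty -Path "$winNT\Windows").AppInit_DLLs
foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) { Add-Entry 'AppInit_DLLs' $dll $null $dll }
Get-ChildItem "$winNT\Winlogon\Notify" -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Entry 'Winlogon Notify' $_.PSChildName $null ($_.GetValue('DllName')) }
# O21 SSODL: the value data is the CLSID. O22 / SEH: the value name is the CLSID.
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
Get-RegValues "$cv\ShellServiceObjectDelayLoad" |
    ForEach-Object { Add-Entry 'SSODL' $_.Name $_.Data (Resolve-ClsidModule $_.Data) }
foreach ($sub in 'SharedTaskScheduler', 'ShellExecuteHooks') {
    Get-RegValues "$cv\Explorer\$sub" |
        ForEach-Object { Add-Entry $sub $_.Data $_.Name (Resolve-ClsidModule $_.Name) }
}
# O2 BHOs and Active Setup: the subkey name is the CLSID.
Get-ChildItem "$cv\Explorer\Browser Helper Objects" -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Entry 'BHO' ($_.GetValue('')) $_.PSChildName (Resolve-ClsidModule $_.PSChildName) }
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Entry 'Active Setup' ($_.GetValue('')) $_.PSChildName ($_.GetValue('StubPath')) }
# O23 services: WMI hands back the resolved command line.
Get-CimInstance Win32_Service | ForEach-Object { Add-Entry 'Service' $_.Name $null $_.PathName }

# Report only entries that tripped at least one flag.
$entries | ForEach-Object {
    $f = Get-Flags $_.Path $_.Clsid
    if ($f) {
        [pscustomobject]@{ Location = $_.Location; Name = $_.Name; Clsid = $_.Clsid
                           Path = $_.Path; Flags = ($f -join '; ') }
    }
} | Format-Table -AutoSize -Wrap
```

Treat the output as a triage list, not a verdict: a legitimate ctfmon.exe in System32 produces no flags, while the entries in the tables above (ctfmon.exe in \%WINDIR%\, DLLs under %AppData% or Local Settings\Temp, Active Setup keys with non-hex "GUIDs") each trip at least one. Catalog-signed OS files report a Valid signature on supported Windows versions; an OS-path file that reports NotSigned should be compared against a known-good copy rather than deleted on sight.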