The Ultimate BHOs, URLSearchHooks, and Toolbar Hexadecimal List

Don't use the "Search this site" box to find your CLSID. Use "Ctrl" + "f" instead. 


"BHO" stands for "Browser Helper Object". The most common way that malicious software will redirect your browser is by inserting a BHO into the registry key associated with your browser. This malicious code is associated with a "CLSID", short for class identifier. There are legitimate BHOs too, so I have compiled a list of harmless or "good" ones as well as a list of the "bad" ones. Go to the registry key listed and cross-reference the BHOs you find in your respective key with those in the lists below. Keep the good ones and delete the bad ones.

A great little explanation (with pictures) of how to find bad BHOs is located here: http://www.adoko.com/bho.html


For XP/Vista 32bit go to:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ 

For Vista and Windows 7 64bit go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
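
The cross-referencing step described above can be scripted. This is an added example, not part of the original page: a read-only PowerShell inventory that lists each BHO under the two keys above, resolves its CLSID to the DLL it loads, and labels it against a small sample of entries copied from the lists below. The function name Get-BhoInventory and the $Known table are assumptions of this example; run it from a 64-bit PowerShell on 64-bit Windows so the registry views are not redirected.

```powershell
# Added example: read-only inventory of Browser Helper Objects.
# $Known holds a few CLSIDs copied from this page's lists; add the rest as needed.
# Keys of a PowerShell hashtable literal compare case-insensitively.
$Known = @{
    '{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}' = 'good: AcrobatReader'
    '{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}' = 'good: ssv.dll (java)'
    '{07B18EA1-A523-4961-B6BB-170DE4475CCA}' = 'bad: mywebsearch'
    '{22186AA4-E2A6-45E8-BF4F-5C103C0458B0}' = 'bad: zlob'
}

# The two BHO keys named on this page (native view and 32-bit view on 64-bit Windows).
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # Look the CLSID up in the same registry view as the BHO key it came from.
        # Only machine-wide COM registrations are checked here.
        $clsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
        if ($key -like '*\Wow6432Node\*') { $clsidRoot = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }

        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $clsid  = $sub.PSChildName
            $server = Join-Path (Join-Path $clsidRoot $clsid) 'InprocServer32'
            $dll = ''; $sig = 'n/a'
            if (Test-Path -LiteralPath $server) {
                # The default value of InprocServer32 is the DLL the browser loads.
                $dll = "$((Get-Item -LiteralPath $server).GetValue(''))".Trim('"')
            }
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            } elseif ($dll) { $sig = 'file missing' }

            $verdict = 'not listed: research before deleting'
            if ($Known.ContainsKey($clsid)) { $verdict = $Known[$clsid] }

            New-Object PSObject -Property @{
                Key = $key; CLSID = $clsid; Dll = $dll; Signature = $sig; Verdict = $verdict
            }
        }
    }
}

Get-BhoInventory | Select-Object Verdict, CLSID, Dll, Signature, Key | Format-List
```

A CLSID that resolves to no DLL, a missing file, or an unsigned DLL in a temp or profile folder deserves a closer look even when the CLSID is not on either list.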

The Good Ones:
  • {00C6482D-C502-44C8-8409-FCE54AD9C208} – snagit BHO
  • {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} – timematters toolbar
  • {00F5B5BA-E3C2-4b70-BF51-42A557914FAD} – cashback assistant
  • {01E04581-4EEE-11D0-BFE9-00AA005B4383} - Windows Media Player
  • {02478D38-C3F9-4efb-9B51-7695ECA05670} - Yahoo Companion
  • {0347C33E-8762-4905-BF09-768834316C61} – HP printing
  • {053F9267-DC04-4294-A72C-58F732D338C0} – HP smart web printing
  • {0633EE93-D776-472f-A0FF-E1416B8B2E3A} - live search
  • {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} – AcrobatReader
  • {074C1DC5-9320-4A9A-947D-C042949C6216} – adobe
  • {0E5CBF21-D15F-11D0-8301-00AA005B4383} – shell32.dll
  • {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - Lexmark toolbar
  • {18DF081C-E8AD-4283-A596-FA578C2EBDC3} – Acrobat
  • {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - symantec
  • {22BF413B-C6D2-4d91-82A9-A0F997BA588C} – skype add-on
  • {2318C2B1-4965-11d4-9B18-009027A5CD4F} - google toolbar ???
  • {243B17DE-77C7-46BF-B94B-0B5F309A0E64} – microsoft money
  • {27B4851A-3207-45A2-B947-BE8AFE6163AB} – Mcafee phishing filter
  • {2F85D76C-0569-466F-A488-493E6BD0E955} – windows desktop search (dsweballow.dll)
  • {3049C3E9-B461-4BC5-8870-4C09146192CA} - realplayer plugin
  • {387EDF53-1CF2-4523-BC2F-13462651BE8C} - CitiBank
  • {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} – worm radar NAV filter
  • {3FDEB171-8F86-0002-0001-69B8DB553683} - Mcafee site advisor
  • {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton Systemworks
  • {47833539-D0C5-4125-9FA8-0819E2EAAC93} – Acrobat
  • {4E7BD74F-2B8D-469E-92BE-BF2DFE9AAE2C} – embarq toolbar
  • {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} – Windowslive family
  • {52706EF7-D7A2-49AD-A615-E903858CF284} – Netzero popup blocker
  • {53707962-6F74-2D53-2644-206D7942484F} - spybot
  • {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - Kaspersky 
  • {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - yahoo
  • {5C255C8A-E604-49b4-9D64-90988571CECB} - Windows Live Messenger
  • {5CA3D70E-1895-11CF-8E15-001234567890} - drive letter access
  • {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - Norton Confidential
  • {65D886A2-7CA7-479B-BB95-14D1EFB7946A} – Yahoo Yietag
  • {66252F33-BE30-4188-9199-63F2AC8BA137} – earthlink popup blocker
  • {6A1806CD-94D4-4689-BA73-E35EA1EA9990} - Google Updater
  • {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - Symantec Intrusion Prevention
  • {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} – Windows search helper
  • {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} – canon easy web printer
  • {72853161-30C5-4D22-B7F9-0BBC1D38A37E} – Groove/Office12
  • {724d43a9-0d85-11d4-9908-00400523e39a} – Siber Systems Robo form
  • {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - ssv.dll (java)
  • {7E853D72-626A-48EC-A868-BA8D5E23E045} – Windows Live Toolbar Helper
  • {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} – Symantec
  • {8D4D2F69-DF30-4471-988C-CC58545E86C8} – Trojan.GameThief
  • {9030D464-4C02-4ABF-8ECC-5164760863C6} - windows live sign-in helper
  • {9c3ac6c8-ded3-11db-9705-00e08161165f} – reunion toolbar
  • {9E0B5480-4FF0-4FEE-818B-D4DB0F220D64} - PCLaw
  • {9ECB9560-04F9-4bbc-943D-298DDF1699E1} – Symantec ad blocking (NIS06)
  • {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} – Norton AntiVirus (NAV06)
  • {AA58ED58-01DD-4d91-8333-CF10577473F7} - google toolbar
  • {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} – hp webhelper
  • {AA5C6E09-DCD4-4908-A52A-CDD469EE6D6E} - google ???
  • {AA58ED58-01DD-4d91-8333-CF10577473F7} – google toolbar helper
  • {AE7CD045-E861-484f-8273-0445EE161910} – adobe toolbar
  • {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - google toolbar notifier – swg
  • {B164E929-A1B6-4A06-B104-2CD0E90A88FF} – Mcafee site advisor
  • {b2475f4c-9372-46d3-a407-ff155aa1fb91} – myspace toolbar
  • {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - MSN toolbar
  • {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} – windows live toolbar
  • {BDF3E430-B101-42AD-A544-FADC6B084872} – NAV helper
  • {C291A080-B400-4E34-AE3F-3D2B9637D56C} – Mcafee site advisor
  • {C4069E3A-68F1-403E-B40E-20066696354B} – NAV
  • {C82985D2-1202-4978-B560-D9CCADBD0CD7} - search.live.com
  • {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - google toolbar
  • {CA6319C0-31B7-401E-A518-A07C3DB8F777} – google/dell browser error redirector
  • {CC7E636D-39AA-49b6-B511-65413DA137A1} – IE Developer Toolbar
  • {CFBFAE00-17A6-11D0-99CB-00C04FD64497} – ieFrame.dll
  • {d2ce3e00-f94a-4740-988e-03dc2f38c34f} – MSN toolbar
  • {DBC80044-A445-435b-BC74-9C25C1C588A9} - java plugin 2 ssv helper
  • {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} – WindowsLive Toolbar
  • {E34F0E11-AB79-487c-9773-36C594DFF5AA} – mapquest toolbar
  • {E7E6F031-17CE-4C07-BC86-EABFE594F69C} – jre6
  • {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} – epson printer
  • {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo companion
  • {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} – zone alarm
  • {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} – yahoo
  • {F2CF5485-4E02-4F68-819C-B92DE9277049} – ieFrame.dll
  • {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -- Anchorfree Hotspot Shield
  • {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - Yahoo companion 
  • {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} – Microsoft Money
  • {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} – HP smartwebprinting
  • {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} – HP print clips

The Bad Ones: 
  • {00A6FAF1-072E-44cf-8957-5838F569A31D} – my web search 
  • {0530C850-E80F-4B8C-8365-774DE4D3922d} – unknown
  • {06ec6572-7280-485a-a712-c380526bc048} – winPC Defender
  • {07B18EA1-A523-4961-B6BB-170DE4475CCA} - mywebsearch
  • {0B52C7EC-D1A3-4054-923C-DD12567F28B1} – Vundo (shellexecuteHooks)
  • {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} – gamevance
  • {100EB1FD-D03E-47FD-81F3-EE91287F9465} – shopping report
  • {1FCC7213-5FA5-4D2D-87E5-A538239F0B63} - unknown
  • {2182220D-AA70-4764-B4E6-1F5BBA322C9C} – Anti-Virus Number – 1
  • {22186AA4-E2A6-45E8-BF4F-5C103C0458B0} - zlob
  • {22D9DFC0-1FD1-4F2D-A467-1A1796D79A60} – unknown
  • {25B8D58C-B0CB-46b0-BA64-05B3804E4E86} – media access startup ??????
  • {2502BBD0-D73B-11DD-B4EC-CEBF56D89593} – ad clicker/UACd.sys
  • {28D3CA72-8AC4-83F8-B4F8-3D1BDCF6EBE1} - unknown
  • {2E59498D-7E44-4452-9044-0973B080B9E8} – trojan.downloader/winexplorer.dll
  • {31C2A4CC-289D-442A-950C-B33B1B06522B} – trojan. Koobface
  • {31F57AFD-3989-4A5B-A33E-6B6253DF8DD4} – zlob
  • {323e1a8b-8e6a-4aa3-bf8e-117d7a12b512} - unknown
  • {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} – smiley.com
  • {39fc2065-c9c7-49cd-8942-44cc2dedc844} – trojan downloader
  • {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - Neobee Speeedy Internet Accelerator\PBHelper.dll 
  • {437A43D5-E5C3-4959-BBD0-F2BFB1EDC6FD} – sysloc, spyware protect 2009
  • {44027B55-3CEB-47BC-B281-7E2F91C99563} – unknown
  • {474597C5-AB09-49d6-A4D5-2E8D7341384E} – imesh media list
  • {4AFC04A3-B551-4B68-9BEB-8677D90150D9} – trojan downloader/Win32.ExpDwnldr 
  • {4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B} - trojan
  • {4D25F921-B9FE-4682-BF72-8AB8210D6D75} – mywaywebsearch
  • {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - trojan
  • {500BCA15-57A7-4eaf-8143-8C619470B13D} – trojan.agent-ikz
  • {5153C3C5-D96F-4770-AB65-F07B2577FE56} – unknown
  • {549B5CA7-4A86-11D7-A4DF-000874180BB3} – trojan. Agent
  • {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} – URL search Hook
  • {55825511-174A-4b4e-84B7-69AAC4E294B6} - completetoolbarhelper
  • {57e55589-dff9-4960-b1e4-a1c5aff43674} – unknown
  • {57F10F1F-F32C-4F95-AA8A-1A280C478670} - vundo
  • {59279AD0-E6C6-4e0b-BC71-C23DC56EBCFA} – sidestep toolbar
  • {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} – a lot toolbar
  • {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - trojan.agent
  • {5B452B01-12C9-4286-81D9-2308AEB3CD94} – trojan Zlob
  • {5E21136C-C5B1-4D5B-9170-607F736BCC2E} - unknown
  • {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} – trojan zlob
  • {5FF186E7-0957-4095-8A2C-577CE6EA1B1F} – Trojan Antivirus 360
  • {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} – coupon bar
  • {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} – kiwee toolbar
  • {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} – trojan zlob
  • {6860A44B-5D3E-433D-A7B5-D517F810D0E7} – trojan zlob
  • {6C621F09-DFF3-415A-B7D1-142678EFEB34} – fast browser search 
  • {6C9D6CB2-0B0D-49E4-A6E4-E42E9EBC5F27} – unknown
  • {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} – trojan 
  • {73103FD4-171A-87A0-E2C1-26FD1823732D} – unknown
  • {7510881D-25AB-453A-AB8B-3E2C6EBE0458} - unknown
  • {7DB2D5A0-7241-4E79-B68D-6309F01C5231} – Trojan fake alert
  • {7ED30FE7-2E84-43D8-8C3E-070948C6F5A7} – unknown
  • {800D615B-51F7-45A7-9107-1A33419BB7BD} – unknown
  • {86961450-01B0-409D-871B-6CBBBDAFBCD8} - unknown
  • {8714754b-6aac-ec9f-e267-74ec59f60b39} – solads
  • {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - fastbrowsersearch
  • {8A8278A1-F4FA-4247-9804-A662757B4596} - unknown
  • {8D187DFF-423F-41d3-A331-A60DE5886675} – AV1
  • {8e00fb20-e45b-41d1-9d42-c81756163e8e} – unknown
  • {8EEB2711-9D21-4f9c-99A1-B7FC5A8CA56A} – trojan.downloader
  • {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} – zango
  • {938838B5-F66D-427D-8996-4DAF70D23C43} - trojan fake alert
  • {9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} – trojan. Dropper
  • {99306EE3-1829-4750-9052-161A2C6D5E95} - unknown
  • {9E263D08-4127-4B99-9043-4FB044E6FCBC} – trojan 
  • {A057A204-BACC-4D26-8398-26FADCF27386} – verizon toolbar
  • {A48FE9AC-DD02-4FF7-9211-B7BA9A2C8BF2} – trojan zlob
  • {a4dca795-b588-4be0-9463-7ff2864543b1} – xpdeluxe/iehostcx32.dll
  • {A6C7B2A1-00F3-42BD-F434-00AABA2C8953} – packed generic trojan 
  • {A77D3539-581D-450C-9E44-A84C415A6172} – personal antivirus
  • {ABD42510-9B22-41cd-9DCD-8182A2D07C63} – trojan.Win32.ExpDwnldr/sysguard trojan 
  • {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - trojan.Win32.ExpDwnldr/sysguard trojan 
  • {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - Trojan.BHO
  • {B2BA40A2-74F0-42BD-F434-12345A2C8953} – trojan agent
  • {b360243e-09e8-402f-8721-00b6798089ad} – trojan dropper
  • {B744CC8E-746B-4B3B-A593-454ED932ABEF} - unknown
  • {BAD4551D-9B24-42cb-9BCD-818CA2DA7B63} – trojan.agent
  • {bae73141-6e06-482b-b414-b2f6f297f4a1} - unknown
  • {BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} – winspy/Win32.ExpDwnldr
  • {BEAC7DC8-E106-4C6A-931E-5A42E7362883} -- gamevance
  • {C0BEE930-3862-4566-89C7-969B27EAC3BE} – unknown/sdra64.exe/vundo
  • {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} – navhelper/adware.navexcel
  • {CA6319C0-31B7-401E-A518-A07C3DB8F777} – ask toolbar installed by Dell
  • {cadc460c-c057-4b7e-8fdf-b60cf45a4bb8} – unknown
  • {CDBFB47B-58A8-4111-BF95-06178DCE326D} – system search dispatch adware (smiley toolbar)
  • {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} – advanced searchbar
  • {D032570A-5F63-4812-A094-87D007C23012} - sysguard
  • {D263FA6D-84CC-48A8-9AF6-C664362B7A5B} – antivirus 360 
  • {D2CADE3F-B3E0-4B74-B338-71D70910BBCA} – trojan.agent. Bho
  • {D468BCE5-D18E-49A4-8EA7-34BD583659D5} – spy zooka
  • {D714A94F-123A-45CC-8F03-040BCAF82AD6} – ADW_Sidestep.A
  • {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} – morpheus search assistant crap
  • {D80C4E21-C346-4E21-8E64-20746AA20AEB} – navexcel.toolbar
  • {DF47DD37-AC11-4A93-8E16-2B2364AF0897} – zlob
  • {E2F8F7C7-954D-4336-BA99-27BFBEB73DAF} – trojan vundo
  • {E63648F7-3933-440E-B4F6-A8584DD7B7EB} – trojan.BHO
  • {E7F15AC4-E0A9-43F0-921B-70DFEA621220} – trojan
  • {ee2975b6-e8d5-405e-8448-8fe9590f6cfb} – spywarequake/mzoeut.dll
  • {D5BF49A0-94F3-52BD-F434-3604812C8955} – trojan
  • {F75D0447-F56F-44A2-957D-5B0116590BC0} - street-ads
  • {FCBCCB87-9224-4B8D-B117-F56D924BEB18} – freeze.com adware.dospoptoolbar

Other Registry keys to check for BHOs, etc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
Good Ones
  • {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Microsoft AntiMalware ShellExecuteHook
  • {56F9679E-7826-4C84-81F3-532071A8BCC5} – MSN Namespacemanager
  • {717E-7E19-11d0-97EE-00C04FD91972} - <shell32.dll> [Microsoft Windows Component Publisher]
  • {A213B520-C6C2-11d0-AF9D-008029E1027E} – winfax pro 
  • {AEB6717E-7E19-11d0-97EE-00C04FD91972} – active desktop
  • {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - Groove GFS Stub Execution Hook

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
Bad Ones
  • {0B52C7EC-D1A3-4054-923C-DD12567F28B1} – Vundo 
  • {56F9679E-7826-4C84-81F3-532071A8BCC5} – win antispyware 2008
  • {57F10F1F-F32C-4F95-AA8A-1A280C478670} – vundo
  • {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} – trojan 
  • {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - vundo
  • {9EF34FF2-3396-4527-9D27-04C8C1C67806} – microsfot antispyware service hook
  • {E2F8F7C7-954D-4336-BA99-27BFBEB73DAF} – Vundo
  • {D5BF49A0-94F3-52BD-F434-3604812C8955} – trojan 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjectDelayLoad 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
Good Ones
  • {35CEC8A3-2BE6-11D2-8773-92E220524153} - SysTray 
  • {750fdf0e-2a26-11d1-a3ea-080036587f03} – ContextMenuHandlers 
  • {7849596a-48ea-486e-8937-a2a3009f31a9} - PostBootReminder 
  • {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - WPDShServiceObj 
  • {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - WebCheck
  • {fbeb8a05-beee-4442-804e-409d6c4515e9} - CDBurn 
  • {4433A54A-1AC8-432F-90FC-85F045CF383C} – symantec (overlay excluded)
  • {476D0EA3-80F9-48B5-B70B-05E677C9C148} - symantec
  • {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} - symantec
Bad Ones
  • {750fdf0e-2a26-11d1-a3ea-080036587f03} – trojan vundo


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
Good Ones
  • {3BF043EF-A974-49B3-8322-B853CF1E5EC5} - vista volume service
  • {68ddbb56-9d1d-4fd9-89c5-c0da2a625392} - default for vista - battery monitor
  • {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - webcheck.dll (microsoft component)


Vista/Windows 7

Note: Vista/Windows 7 64bit puts BHOs in the key below, but you can still use the previous lists:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Below are other places in the registry of the 64bit Operating Systems that you may need to cross reference.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\
Good ones
  • {3BF043EF-A974-49B3-8322-B853CF1E5EC5} - Microsoft VolumeControlService.Class  
  • {68ddbb56-9d1d-4fd9-89c5-c0da2a625392} - Unknown (stobject.dll)  sharpenviro/battery monitor
  • {6FDEDD65-AC51-43CA-B2D0-9EB5D1155D03} – unknown ?????
  • {7007ACCF-3202-11D1-AAD2-00805FC1270E} - Network Connections Tray  
  • {7849596a-48ea-486e-8937-a2a3009f31a9} - PostBootReminder object  
  • {A1607060-5D4C-467a-B711-2B59A6F25957} - Alt Tab  
  • {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - WPDShServiceObj Class  
  • {C51F0A6B-2A63-4cf4-8938-24404EAEF422} - Unknown (cscui.dll)
  • {DA67B8AD-E81B-4c70-9B91-B417B5E33527} - Windows Search Shell Service Object  
  • {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - Web Check - 156481
  • {F20487CC-FC04-4B1E-863F-D9801796130B} - Sync Center Shell Service Object (Internal) 
  • {fbeb8a05-beee-4442-804e-409d6c4515e9} - ShellFolder for CD Burning  
  • {FD6905CE-952F-41F1-9A6F-135D9C6622CC} - WscNotify Class
  • {6FDEDD65-AC51-43CA-B2D0-9EB5D1155D03} – ehome media center


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
Good Ones: 
  • {438755C2-A8BA-11D1-B96B-00A0C90312E1} – browser preloader
  • {553858A7-4922-4e7e-B1C1-97140C1C16EF} – sharedtask component IE ieframe.dll
  • {8C7461EF-2B13-11d2-BE35-3078302C2030} – Component Categories cache daemon
Bad Ones:
  • {75a65a53-15c9-4a0c-bb40-a7ca8b24f544} – trojan - zlob
  • {af3fd9a8-1287-4159-9212-9a5b4494af70} – trojan.zlob
  • {e6adaaf0-79b2-4cf1-a660-50a0b33991a1} – trojan.didymiums
  • {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - vundo


Other places to look:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExtensions
  • {C291A080-B400-4E34-AE3F-3D2B9637D56C} – windows search adware (harmless)


Check for bad DLL Hooks here:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • autocheck, autochk *, atiextevent, crypt32chain, cryptnet, cscdll, dimsntfy, igfxcui, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, WgaLogon, wlballoon, BootExecute


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\
  • {754FF233-5D4E-11D2-875B-00A0C93C09B3} – rogue antivirus gold
  • {C533ADF1-0C80-11D1-8C54-00A02468F316} – rogue antivirus gold
  • {B1549E58-3894-11D2-BB7F-00A0C999C4C1} – zlob dns changer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\
  • {BDD307C3-7BC0-4542-9F8F-A9611FE6C1BF} ok
  • {E2D4D26B-0180-43A4-B05F-462D6D54C789} ok pc health center
  • {DA4F543C-C8A9-4E88-9A79-548CBB46F18F} – yahoo messenger


In Vista, content.IE5 folders are here:
C:\Users\Username\AppData\Roaming\Microsoft\Internet Explorer\UserData....clear date.IE5

Here is an excellent resource that may serve as a complement to this page: http://www.systemlookup.com/
And here is the awesome GMER for finding and removing rootkits: http://www.gmer.net/

