9 October 2010. Previous CLSID shit lists: http://cryptome.org/0001/clsid-list-04.htm
CLSID Shit List 5A sends:

Renaming malware does not erase the malware, only hides it. A simple delete click does not prevent the malware from entering the system again. You must bleach its data: wipe out its permission set from the registry, THEN a simple delete click will bleach the CLSID by default error, stripping the bones from a corpse while it rots in a bier. Then, and only then, malware cannot operate, nor can it be fixed, due to the lack of permission set privileges. No values or strings attached either.

Bleaching malware / spyware off Windows XP:

Click "Start" / Click "Run" / Type regedit / Press Enter
Regedit.exe will load up in 1 second.
Click "Edit" / Click "Find" / Type the name or CLSID / Enter
Make sure you type the EXACT CLSID or name! It will load up what you search in order.
IF spyware comes up, it's infecting the system. IF not, it is not inside the system.
To bleach, right click "Permissions" / Click "Advanced"
You will see the SID users / Uncheck the Inherit box
This will warn you; you had better know what you modify.
Click "Remove" / Now SIDs are gone from that CLSID
Click "Apply" and then "OK" / The spyware will show up
Right click "Delete" / An error pops up, that's normal

One mistake could crash the whole system, or cause problems with other software! Only bleach what you know is harmful or intrusive and that the system will not need! My expensive mistakes are listed at the bottom of this page, as warnings of what to avoid and why.

HKCR stands for HKEY_CLASSES_ROOT. HKLM stands for HKEY_LOCAL_MACHINE.

Note: Everything on this list has been tested.
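Before stripping permissions from a CLSID, it is worth knowing what the key actually points at. The script below is an added example, not part of this list: it resolves a CLSID to its ProgID, its server DLL or EXE, whether that file exists and who signed it, and the ACL entries the "Permissions / Advanced / Remove" steps would strip. It assumes Windows PowerShell 3.0 or later run elevated; the function name Get-ClsidAudit is mine, and the two CLSIDs used as sample input are quoted from the list on this page.

```powershell
# Added example, not part of the CLSID list: audit a CLSID before bleaching it.
# Resolves the ProgID, the server binary the CLSID loads, whether that file exists
# and who signed it, and the key's current ACL. Assumes Windows PowerShell 3.0 or
# later, run elevated on the machine being cleaned. Read-only: it changes nothing.
function Get-ClsidAudit {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) {
        # Not registered at all: no COM client can instantiate this CLSID.
        return [pscustomobject]@{ Clsid = $Clsid; Registered = $false }
    }

    $name   = (Get-ItemProperty -LiteralPath $key).'(default)'
    $progId = $null
    if (Test-Path -LiteralPath "$key\ProgID") {
        $progId = (Get-ItemProperty -LiteralPath "$key\ProgID").'(default)'
    }

    # The key is only a pointer. What actually runs is the DLL named under
    # InprocServer32 or the EXE named under LocalServer32.
    $server = $null
    $kind   = $null
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        if (Test-Path -LiteralPath "$key\$sub") {
            $server = (Get-ItemProperty -LiteralPath "$key\$sub").'(default)'
            $kind   = $sub
            break
        }
    }

    $path   = $null
    $exists = $false
    $signer = 'n/a'
    if ($server) {
        # LocalServer32 values may carry arguments and %SystemRoot%-style
        # variables; keep just the executable path, then expand it.
        $path = [Environment]::ExpandEnvironmentVariables($server.Trim())
        if ($path -match '^"([^"]+)"') { $path = $Matches[1] }
        elseif ($path -match '^(.+?\.(?:dll|exe|ocx))') { $path = $Matches[1] }
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            # OS binaries are often catalog-signed, which older PowerShell reports
            # as NotSigned, so NotSigned under %SystemRoot% is not by itself
            # suspicious. A Valid signature from a vendor you do not recognise, or
            # a server file sitting in a user-writable directory, deserves a look.
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { $sig.Status.ToString() }
        }
    }

    # These ACL entries are exactly what the "Permissions / Advanced / Remove"
    # steps strip; list them so the removal is a deliberate choice.
    $acl = (Get-Acl -Path $key).Access |
        ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.RegistryRights }

    [pscustomobject]@{
        Clsid        = $Clsid
        Registered   = $true
        Name         = $name
        ProgId       = $progId
        ServerKind   = $kind
        ServerPath   = $path
        ServerExists = $exists
        Signer       = $signer
        Acl          = ($acl -join '; ')
    }
}

# Sample input: two CLSIDs quoted from the list on this page (ADODB.Stream and the
# WBEM Ping Provider). Compare ServerPath and Signer against what the list claims
# before deciding whether the key is an infection or a component the OS shipped.
'{00000566-0000-0010-8000-00AA006D2EA4}',
'{734AC5AE-68E1-4FB5-B8DA-1D92F7FC6661}' |
    ForEach-Object { Get-ClsidAudit -Clsid $_ } |
    Format-List
```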
* FILE FORMATS *

Government CoCo Intranet Monitoring Format
HKEY_CLASSES_ROOT\.gcsx
Shiva Smart Tunneling [UDP port 2233]
HKEY_CLASSES_ROOT\.sst
IPhone
HKEY_CLASSES_ROOT\.iii
MessengerContactList
HKEY_CLASSES_ROOT\.CTT
Microsoft Internet Mail Message [rfc822]
HKEY_CLASSES_ROOT\.eml
Microsoft Internet News Message [rfc822]
HKEY_CLASSES_ROOT\.nws
Remote Desktop
HKEY_CLASSES_ROOT\.RDP
IIS NNTP Subject List Extension
HKEY_CLASSES_ROOT\.xix

File formats in detail -- http://www.ace.net.nz/tech/TechFileFormat.html

* MIMES *

HKCR\MIME\Database\Content Type\application/pkcs10
HKCR\MIME\Database\Content Type\application/pkcs7-mime
HKCR\MIME\Database\Content Type\application/pkcs7-signature
HKCR\MIME\Database\Content Type\application/pkix-cert
HKCR\MIME\Database\Content Type\application/vnd.ms-pki.certstore
HKCR\MIME\Database\Content Type\application/x-iphone
HKCR\MIME\Database\Content Type\application/x-pkcs12
HKCR\MIME\Database\Content Type\application/x-pkcs7-certificates
HKCR\MIME\Database\Content Type\application/x-pkcs7-certreqresp
HKCR\MIME\Database\Content Type\application/x-x509-ca-cert
HKCR\MIME\DataBase\Content Type\application/x-vnd.google.oneclickctrl
HKCR\MIME\DataBase\Content Type\application/x-yahoo-browserplus_2
HKCR\MIME\DataBase\Content Type\application/x-yahoo-browserplus_2.4.17
HKCR\MIME\DataBase\Content Type\application/x-yahoo-browserplus_2.4.21

[Careful with PKCS: emails use SSL protocols, and most email services mandate SSL certification to log in. The internet works fine without SSL IF you would rather not have it.]

* CLSID SHIT LIST UPDATES *

Name: ADODB (A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment.)
Size: varies
Category: Trojan
Type: Exploit, Trojan
Date of Discovery: May 01, 2006

HKEY_CLASSES_ROOT\ADODB.Command {00000507-0000-0010-8000-00AA006D2EA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000507-0000-0010-8000-00AA006D2EA4}
HKCR\ADODB.Connection {00000514-0000-0010-8000-00AA006D2EA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000050B-0000-0010-8000-00AA006D2EA4}
HKEY_CLASSES_ROOT\ADODB.Error {00000541-0000-0010-8000-00AA006D2EA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000514-0000-0010-8000-00AA006D2EA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000541-0000-0010-8000-00AA006D2EA4}
HKEY_CLASSES_ROOT\ADODB.ErrorLookup {00000542-0000-0010-8000-00AA006D2EA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000051A-0000-0010-8000-00AA006D2EA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000542-0000-0010-8000-00AA006D2EA4}
HKEY_CLASSES_ROOT\ADODB.Parameter {0000050B-0000-0010-8000-00AA006D2EA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000050B-0000-0010-8000-00AA006D2EA4}
HKEY_CLASSES_ROOT\ADODB.Record {00000560-0000-0010-8000-00AA006D2EA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000560-0000-0010-8000-00AA006D2EA4}
HKEY_CLASSES_ROOT\ADODB.Recordset {00000535-0000-0010-8000-00AA006D2EA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000535-0000-0010-8000-00AA006D2EA4}
HKEY_CLASSES_ROOT\ADODB.Stream {00000566-0000-0010-8000-00AA006D2EA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
%ProgramFiles%\Tencenc\ADODB.dll
MD5: 0x95822EC22C5EA4E21FE0D46EEF78D9DF
SHA-1: 0x874A320F8E4AD7E734806BBBE719F1492E35502C

Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2003. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers.

HKEY_CLASSES_ROOT\IAS.Accounting
HKEY_CLASSES_ROOT\IAS.AccountValidation
HKEY_CLASSES_ROOT\IAS.ADsDataStore
HKEY_CLASSES_ROOT\IAS.AuditChannel
HKEY_CLASSES_ROOT\IAS.AuthorizationHost
HKEY_CLASSES_ROOT\IAS.BaseCampHost
HKEY_CLASSES_ROOT\IAS.CClient
HKEY_CLASSES_ROOT\IAS.EAP
HKEY_CLASSES_ROOT\IAS.IasHelper
HKEY_CLASSES_ROOT\IAS.Match
HKEY_CLASSES_ROOT\IAS.NetDataStore
HKEY_CLASSES_ROOT\IAS.NTEventLog
HKEY_CLASSES_ROOT\IAS.NTGroups
HKEY_CLASSES_ROOT\IAS.NTSamPerUser
HKEY_CLASSES_ROOT\IAS.Pipeline
HKEY_CLASSES_ROOT\IAS.PolicyEnforcer
HKEY_CLASSES_ROOT\IAS.ProxyPolicyEnforcer
HKEY_CLASSES_ROOT\IAS.RadiusProtocol
HKEY_CLASSES_ROOT\IAS.RadiusProxy
HKEY_CLASSES_ROOT\IAS.Request
HKEY_CLASSES_ROOT\IAS.SdoService
HKEY_CLASSES_ROOT\IAS.TimeOfDay
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy\Pipeline

Backdoor/W32.DarkMoon
HKEY_CLASSES_ROOT\ContactPicker.ContactPicker
HKEY_CLASSES_ROOT\ContactPicker.PropPage1
HKEY_CLASSES_ROOT\ContactPicker.PropPage2

More Yahoo! Spyware
YMERemote
HKCR\AppID\{7D831388-D405-4272-9511-A07440AD2927}
HKCR\AppID\YMERemote.DLL
C:\PROGRA~1\Yahoo!\common\yiesrvc.dll {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}

Infected Java plugin that produces outbound traffic.
HKCR\AppID\{E311BFF9-7280-40D3-AE0B-2D3651C37EC8}
HKCR\Interface\{AD5FB04F-5A8D-44D4-8206-6A8734186EA2}
HKLM\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl
HKLM\SOFTWARE\Classes\ieplugin.JQSIEStartDetectorImpl.1 {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
MD5: 0xF68EDAFE003F2B3523C0742CD3B8D673
SHA-1: 0x87CE831F4A32DF4A38FB33660AD2A7344AC18689

Malicious backdoor trojan horses that represent security risks to the compromised system and its network environment. Opens remote proxy services on infected machines.
netman
HKCR\AppID\{27AF75ED-20D9-11D1-B1CE-00805FC1270E}
MSIServer
HKCR\AppID\{000C101C-0000-0000-C000-000000000046}
Interactive User
HKCR\AppID\{0010890e-8789-413c-adbc-48f5b511b3af}
HKCR\AppID\{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}
HKCR\AppID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
Removable Storage Manager
HKCR\AppID\{D61A27C1-8F53-11D0-BFA0-00A024151983}
WIA Logger
HKCR\AppID\{A1E75357-881A-419E-83E2-BB16DB197C68}

[NOT ALL OF WBEM IS INFECTED WITH SPYWARE!]

WBEM Spyware Infection
Microsoft WBEM Forwarding Consumer Provider
HKCR\CLSID\{AD1B46E8-0AAC-401B-A3B8-FCDCF8186F55}
Microsoft WBEM Forwarding Event Provider
HKCR\CLSID\{7879E40D-9FB5-450A-8A6D-00C89F349FCE}

Web-Based Enterprise Management (WBEM) is a set of systems management technologies developed to unify the management of distributed computing environments. WBEM is based on Internet standards and Distributed Management Task Force (DMTF) open standards: Common Information Model (CIM) infrastructure and schema, CIM-XML, CIM operations over HTTP, and WS. Although the name refers to WBEM as being "Web-Based", it is NOT NECESSARILY tied in any way to a particular user interface. Other systems management approaches are remote shells, proprietary solutions and network management architectures like SNMP. wmipcima.dll can be used to hack a compromised computer.

WBEM Framework Instance Provider CIMA
HKCR\CLSID\{04788120-12C2-498D-83C1-A7D92E677AC6}

%AppData%\Microsoft\HTML Help
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

A virus capable of modifying other files by infecting them, or overwriting them with its own body.
C:\regbomb.reg
C:\contacts.html
C:\Documents and Settings\xx\Local Settings\salehoo\auctionalert\_tmp\aa.exe
C:\Documents and Settings\xx\Local Settings\salehoo\salehooalert\_tmp\aa.exe

Device to automatically attempt a new dial-up connection when the current connection fails. Outbound connections are stored in the RAS phonebook.
HKEY_CURRENT_USER\Software\Microsoft\RAS AutoDial
HKEY_CURRENT_USER\Software\Microsoft\RAS Phonebook
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS AutoDial
HKEY_USERS\.DEFAULT\Software\Microsoft\RAS AutoDial

Portal Connect Spyware
HKEY_CLASSES_ROOT\PortalConnect12.PersonalSite {E7339A62-0E31-4A5E-BA3D-F2FEDFBF8BE5}
HKEY_CLASSES_ROOT\PortalConnect12.PersonalSite.1 {E7339A62-0E31-4A5E-BA3D-F2FEDFBF8BE5}

AddThis Toolbar Spyware
C:\Program Files\AddThis Toolbar\Toolbar.dll
C:\Program Files (x86)\AddThis Toolbar\Toolbar.dll
{B43176CC-4D9E-493B-A636-D9CBFE39C6DA}
{9EBF8AAF-0A31-4786-909A-97A0EF101743}
FCToolbarURLSearchHook Class {fa887e92-8f5f-4ec9-99ca-09be0e4120d6}

Blackberry CLSIDs
BlackBerry Device Manager
HKEY_CLASSES_ROOT\RIM.BlackBerryDeviceManager
HKCR\AppID\{4848DD90-EDA2-461F-8FE9-B47A067A5225}
HKCR\CLSID\{BA3D0120-E617-4F66-ADCA-585CC2FB86DB}
HKEY_CLASSES_ROOT\RIMDeviceManager.DeviceManager
HKEY_CLASSES_ROOT\RIMDeviceManager.DeviceManager\CLSID
HKEY_CLASSES_ROOT\RIMDeviceManager.DeviceManager\CurVer
HKEY_CLASSES_ROOT\RIMDeviceManager.DeviceManager.1
HKEY_CLASSES_ROOT\RIMDeviceManager.DeviceManager.1\CLSID
BbClientManager Class
HKCR\CLSID\{0C1EB979-8EC7-46E8-8097-246957D6B94C}
HKEY_CLASSES_ROOT\BbDevMgr.BbClientManager {0C1EB979-8EC7-46E8-8097-246957D6B94C}
HKEY_CLASSES_ROOT\BbDevMgr.EmulatorManager {EE7F6B66-AC97-41CF-BD88-372DDB786DB6}
IBbClientManager
HKCR\Interface\{AB71DE2D-7EF0-49C8-9A16-6B1ED0085EDB}

Bluetooth Remote Camera
C:\Documents and Settings\xx\My Documents\Bluetooth\RemoteCamera

Certification Spyware
HKEY_CLASSES_ROOT\CertificateAuthority.Config {372FCE38-4324-11D0-8810-00A0C903B83C}
HKEY_CLASSES_ROOT\CertificateAuthority.GetConfig {C6CC49B0-CE17-11D0-8833-00A0C903B83C}
HKEY_CLASSES_ROOT\CertificateAuthority.Request {98AFF3F0-5524-11D0-8812-00A0C903B83C}
HKEY_CLASSES_ROOT\CertificateAuthority.ServerExit {4C4A5E40-732C-11D0-8816-00A0C903B83C}
HKEY_CLASSES_ROOT\CertificateAuthority.ServerPolicy {AA000926-FFBE-11CF-8800-00A0C903B83C}

Factoid Class
HKCR\CLSID\{16A933D2-A296-49D5-96FC-C7C2DAEE88B4}
HKCR\CLSID\{339361CD-6723-455D-A40B-C95F1F91FF8A}
HKCR\CLSID\{49DF3409-46B3-4B0C-B7BF-FEC0F9401EDD}
HKCR\CLSID\{87EF1CFE-51CA-4E6B-8C76-E576AA926888}
HKCR\CLSID\{C3754D1A-04D3-4085-8CFB-97705B57A98F}
HKCR\CLSID\{F114AE61-1331-4238-92C9-BBE330AF25FD}
C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FDATE.DLL
C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FPERSON.DLL
C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\FBIBLIO.DLL
HKEY_CLASSES_ROOT\FPerson.Factoid
HKEY_CLASSES_ROOT\FPerson.Factoid.2
HKEY_CLASSES_ROOT\FPlace.Factoid
HKEY_CLASSES_ROOT\FPlace.Factoid.2
HKEY_CLASSES_ROOT\FStock.Factoid
HKEY_CLASSES_ROOT\FStock.Factoid.2

OSCM3.EXE VIRUS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B288D2488D9A99D45A6B164A0D9FC61D
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCM3.exe
OSCM3 communicates with remote computer systems using an infected HTTP protocol.

MDServiceProvider Class
HKCR\CLSID\{896E73F0-3851-11D3-AA54-00C04FD22F6C}
HKCR\MDServiceProvider.MDServiceProvider {896E73F0-3851-11D3-AA54-00C04FD22F6C}

Ndi-Steelhead Remote Access
{121681B7-7AAF-4B13-A837-0B66FD51BFA9}

Remote Assistance
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\SessionManager\Apps\{56b994a7-380f-410b-9985-c809d78c1bdc}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Remote Assistance
C:\WINDOWS\system32\rcImLby.exe
RDSessMgr manages and controls Remote Assistance.
HKLM\SYSTEM\ControlSet001\Services\RDSessMgr
HKLM\SYSTEM\ControlSet002\Services\RDSessMgr
HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr
RDSessMgr
HKCR\AppID\{038ABBA4-4138-4AC4-A492-4A3DF068BD8A}
HKEY_CLASSES_ROOT\RDCHost.RemoteDesktopClientHost {299BE050-E83E-4DB7-A7DA-D86FDEBFE6D0}

Remote Desktop Connection
HKEY_CLASSES_ROOT\RDP.File
HKEY_CLASSES_ROOT\RDS.DataControl {BD96C556-65A3-11D0-983A-00C04FC29E33}
HKEY_CLASSES_ROOT\RDS.DataControl.2.81 {BD96C556-65A3-11D0-983A-00C04FC29E33}
HKEY_CLASSES_ROOT\RDS.DataSpace {BD96C556-65A3-11D0-983A-00C04FC29E36}
HKEY_CLASSES_ROOT\RDS.DataSpace.2.81 {BD96C556-65A3-11D0-983A-00C04FC29E36}
HKEY_CLASSES_ROOT\RDSHost.SAFRemoteDesktopServerHost {5EA6F67B-7713-45F3-B535-0E03DD637345}
HKEY_CLASSES_ROOT\RDSServer.DataFactory {9381D8F5-0288-11d0-9501-00AA00B911A5}
HKEY_CLASSES_ROOT\RDSServer.DataFactory.2.81 {9381D8F5-0288-11d0-9501-00AA00B911A5}
HKCR\RemoteDeskSessmgr.RemoteDeskHelpSessionMgr {A6A6F92B-26B5-463B-AE0D-5F361B09C171}

SharedAccess
HKCR\AppID\{ce166e40-1e72-45b9-94c9-3b2050e8f180}
Shared Access Connection Class
HKCR\CLSID\{BA126AE2-2166-11D1-B1D0-00805FC1270E}
HKEY_CURRENT_USER\RemoteAccess
HKLM\SOFTWARE\Classes\RemoteHelper.RemoteHelper {E423AF7C-FC2D-11d2-B126-00805FC73204}
HKEY_CLASSES_ROOT\ISAFrdm.SAFRemoteDesktopManager {04F34B7F-0241-455A-9DCD-25471E111409}
HKEY_CLASSES_ROOT\ISAFrdm.SAFRemoteDesktopManager.1 {04F34B7F-0241-455A-9DCD-25471E111409}
ISAFRemoteDesktopManager
HKCR\Interface\{26934FF8-F0B6-4E10-8661-23D47F4C69C5}
_ISAFRemoteDesktopClientEvents
HKCR\Interface\{327A98F6-B337-43B0-A3DE-408B46E6C4CE}
_ISAFRemoteDesktopSessionEvents
HKCR\Interface\{434AD1CF-4054-44A8-933F-C69889CA22D7}
_ISAFRemoteDesktopDataChannelEvents
HKCR\Interface\{59AE79BC-9721-42DF-9396-9D98E7F7A396}
ISAFRemoteDesktopTestExtension
HKCR\Interface\{5C7A32EF-1C77-4F35-8FBA-729DD2DE7222}
ISAFRemoteDesktopDataChannel
HKCR\Interface\{64976FAE-B108-4095-8E59-5874E00E562A}
ISAFRemoteDesktopClientHost
HKCR\Interface\{69DE5BF3-5EB9-4158-81DA-6FD662BBDDDD}
ISAFReg
HKCR\Interface\{833E4180-AFF7-4AC3-AAC2-9F24C1457BCE}
ISAFChannel
HKCR\Interface\{833E4181-AFF7-4AC3-AAC2-9F24C1457BCE}
ISAFIncidentItem
HKCR\Interface\{833E4182-AFF7-4AC3-AAC2-9F24C1457BCE}
ISAFDataCollection
HKCR\Interface\{833E4190-AFF7-4AC3-AAC2-9F24C1457BCE}
DSAFDataCollectionEvents
HKCR\Interface\{833E4191-AFF7-4AC3-AAC2-9F24C1457BCE}
ISAFDataCollectionReport
HKCR\Interface\{833E4192-AFF7-4AC3-AAC2-9F24C1457BCE}
ISAFCabinet
HKCR\Interface\{833E41A0-AFF7-4AC3-AAC2-9F24C1457BCE}
DSAFCabinetEvents
HKCR\Interface\{833E41A1-AFF7-4AC3-AAC2-9F24C1457BCE}
ISAFUser
HKCR\Interface\{833E41A9-AFF7-4AC3-AAC2-9F24C1457BCE}
ISAFSession
HKCR\Interface\{833E41AA-AFF7-4AC3-AAC2-9F24C1457BCE}
ISAFRemoteConnectionData
HKCR\Interface\{833E41AB-AFF7-4AC3-AAC2-9F24C1457BCE}
ISAFChannelNotifyIncident
HKCR\Interface\{833E41B0-AFF7-4AC3-AAC2-9F24C1457BCE}
ISAFRemoteDesktopConnection
HKCR\Interface\{833E41AC-AFF7-4AC3-AAC2-9F24C1457BCE}
ISAFRemoteDesktopClient
HKCR\Interface\{8AA5F108-2918-435C-88AA-DE0AFEE51440}
ISAFRemoteDesktopChannelMgr
HKCR\Interface\{8E6E0954-33CE-4945-ACF7-6728D23B2067}
ISAFRemoteDesktopSession
HKCR\Interface\{9D8C82C9-A89F-42C5-8A52-FE2A77B00E82}
ISAFRemoteDesktopCallback
HKCR\Interface\{A39442C2-10A5-4805-BE54-5E6BA334DC29}
ISAFRemoteDesktopServerHost
HKCR\Interface\{C9CCDEB3-A3DD-4673-B495-C1C89494D90E}
ISAFIntercomClient
HKCR\Interface\{FC7D9E60-3F9E-11D3-93C0-00C04F72DAF7}
DSAFIntercomClientEvents
HKCR\Interface\{FC7D9E61-3F9E-11D3-93C0-00C04F72DAF7}
ISAFIntercomServer
HKCR\Interface\{FC7D9E62-3F9E-11D3-93C0-00C04F72DAF7}
DSAFIntercomServerEvents
HKCR\Interface\{FC7D9E63-3F9E-11D3-93C0-00C04F72DAF7}

WBEM Ping Provider
HKCR\CLSID\{734AC5AE-68E1-4FB5-B8DA-1D92F7FC6661}
HKLM\SOFTWARE\Classes\CLSID\{734AC5AE-68E1-4FB5-B8DA-1D92F7FC6661}
INetFwIcmpSettings
{A6207B2E-7CDD-426A-951E-5E1CBC5AFEAD}

Wireless Identification and Sensing Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wisp

Third Party Spyware
ThirdPartyEapDispatcherPeerConfig
HKCR\AppID\{1F7D1BE9-7A50-40B6-A605-C4F3696F49C0}
HKCR\CLSID\{1F7D1BE9-7A50-40b6-A605-C4F3696F49C0}
HKCR\Interface\{32C5A81F-27C0-4E66-A894-786F646F1236}
HKLM\SOFTWARE\Classes\AppID\{1F7D1BE9-7A50-40B6-A605-C4F3696F49C0}
ThirdPartyEapDispatcherAuthenticatorConfig
HKCR\AppID\{1FF84C3B-1140-4EB6-BE38-4BE618D2E7D6}
HKCR\CLSID\{1FF84C3B-1140-4eb6-BE38-4BE618D2E7D6}
HKCR\Interface\{7A3F55BF-EF47-40A6-A0AD-8023CC9ED4C7}
HKLM\SOFTWARE\Classes\AppID\{1FF84C3B-1140-4EB6-BE38-4BE618D2E7D6}
ThirdPartyEapDispatcherPeerRuntime
HKCR\AppID\{87BB326B-E4A0-4DE1-94F0-B9F41D0C6059}
HKCR\CLSID\{87BB326B-E4A0-4de1-94F0-B9F41D0C6059}
HKCR\Interface\{C48CA462-67FB-4C12-A21A-6415460FA8AE}
HKLM\SOFTWARE\Classes\AppID\{87BB326B-E4A0-4DE1-94F0-B9F41D0C6059}
ThirdPartyEapDispatcherAuthenticatorRuntime
HKCR\AppID\{B0E28D63-52F6-4E30-992B-78ECF97268E9}
HKCR\CLSID\{B0E28D63-52F6-4e30-992B-78ECF97268E9}
HKCR\Interface\{9DAA7B9D-CE5B-42CE-B942-32BBC284AC44}
HKLM\SOFTWARE\Classes\AppID\{B0E28D63-52F6-4E30-992B-78ECF97268E9}

What is a Virtual Machine?

"A virtual machine is a software equivalent of a physical computer that, like the physical machine, runs an operating system and applications. In the case of VMware Fusion, a virtual machine is equivalent to a personal computer (PC). A virtual machine is like having a computer running inside another computer, mimicking the actions of different hardware devices commonly found inside a computer, such as a processor, memory, and a hard drive."
Virtual Machine Service Provider Program (VSPP)
VMware Remote Console Plug-in
HKCR\CLSID\{338095E4-1806-4BA3-AB51-38A3179200E9}
VMware Remote Console Plug-in
HKCR\CLSID\{B94C2248-346E-4C5E-9B36-8CC627F35574}
HKCR\CLSID\{B94C2249-346E-4C5E-9B36-8CC627F35574}
IVMwareRemoteConsole
HKCR\Interface\{10B52B4F-3887-4507-8653-A8EB64580CCE}
_IVMwareRemoteConsoleEvents
HKCR\Interface\{10B52B50-3887-4507-8653-A8EB64580CCE}
IVMwareRemoteDeviceMgr
HKCR\Interface\{B8356EF4-99D5-4A5F-91F9-674C71D5FD48}
IVMwareEmbeddedRemoteConsole
HKCR\Interface\{D63907CE-7CE7-40A1-848A-091F768756E8}
_IVMwareEmbeddedRemoteConsoleEvents
HKCR\Interface\{D63907CF-7CE7-40A1-848A-091F768756E8}
VMware Remote Console Type Library
HKCR\TypeLib\{A51B0CB2-1545-43AD-B66E-AD322009406C}
HKEY_CLASSES_ROOT\VMware.hosted.QuickMksAxCtl {338095E4-1806-4BA3-AB51-38A3179200E9}
HKEY_CLASSES_ROOT\VMware.hosted.QuickMksAxCtl.2.5 {338095E4-1806-4BA3-AB51-38A3179200E9}
HKEY_CLASSES_ROOT\VMware.hosted.VMwareEmbeddedRemoteConsole {B94C2249-346E-4C5E-9B36-8CC627F35574}
HKEY_CLASSES_ROOT\VMware.hosted.VMwareEmbeddedRemoteConsole.2.5 {B94C2249-346E-4c5e-9B36-8CC627F35574}
HKEY_CLASSES_ROOT\VMware.hosted.VMwareRemoteConsole {B94C2248-346E-4C5E-9B36-8CC627F35574}
HKEY_CLASSES_ROOT\VMware.hosted.VMwareRemoteConsole.2.5 {B94C2248-346E-4C5E-9B36-8CC627F35574}

VMware converts a physical machine into a virtual machine; this is referred to as Physical-to-Virtual (P2V).
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion {1D2680C9-0E2A-469d-B787-065558BC7D43}

The IADsFaxNumber interface provides methods for an ADSI client to access the Facsimile Telephone Number attribute in Novell NetWare Directory Services (NDS).
IADsFaxNumber
HKCR\Interface\{A910DEA9-4680-11D1-A3B4-00C04FB950DC}

SAPI, the Speech Application Programming Interface, is a sensitive API in the system. The default program must stay inside the system, or problems will manifest. But SAPI allows third party plug-ins, leaving it open to being hacked.
Here are the few infections to hunt down. [TESTED]
HKEY_CLASSES_ROOT\SAPI.SpNullPhoneConverter {455F24E9-7396-4A16-9715-7C0FDBE3EFE3}
HKEY_CLASSES_ROOT\SAPI.SpPhoneConverter {9185F743-1143-4C28-86B5-BFF14F20E5C8}
HKEY_CLASSES_ROOT\SAPI.SpSharedRecoContext {47206204-5ECA-11D2-960F-00C04F8EE628}
HKEY_CLASSES_ROOT\SAPI.SpSharedRecognizer {3BEE4890-4FE9-4A37-8C1E-5E7E12791C1F}
Leave all other SAPI CLSIDs alone! These four listed could be from a virus or spyware.

AutoComplete Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPEND
AutoComplete Client
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AutoComplete {807C1E6C-1D00-453f-B920-B61BB7CDD997}
Other Microsoft AutoComplete CLSIDs
HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}
HKEY_CLASSES_ROOT\CLSID\{00BB2764-6A77-11D0-A535-00C04FD7D062}
HKEY_CLASSES_ROOT\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}
HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}
HKEY_CLASSES_ROOT\CLSID\{3028902F-6374-48b2-8DC6-9725E775B926}
HKEY_CLASSES_ROOT\CLSID\{6038EF75-ABFC-4e59-AB6F-12D397F6568D}
HKEY_CLASSES_ROOT\CLSID\{9D958C62-3954-4b44-8FAB-C4670C1DB4C2}
HKEY_CLASSES_ROOT\CLSID\{B31C5FAE-961F-415b-BAF0-E697A5178B94}
HKEY_CLASSES_ROOT\CLSID\{B96D2802-4B41-4bc7-A6A4-55C5A12268CA}
HKLM\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}
HKLM\SOFTWARE\Classes\CLSID\{00BB2764-6A77-11D0-A535-00C04FD7D062}
HKLM\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}
HKLM\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}
HKLM\SOFTWARE\Classes\CLSID\{3028902F-6374-48b2-8DC6-9725E775B926}
HKLM\SOFTWARE\Classes\CLSID\{6038EF75-ABFC-4e59-AB6F-12D397F6568D}
HKLM\SOFTWARE\Classes\CLSID\{9D958C62-3954-4b44-8FAB-C4670C1DB4C2}
HKLM\SOFTWARE\Classes\CLSID\{B31C5FAE-961F-415b-BAF0-E697A5178B94}
HKLM\SOFTWARE\Classes\CLSID\{B96D2802-4B41-4bc7-A6A4-55C5A12268CA}
HKEY_CLASSES_ROOT\AutoDiscovery.EmailAssociations {CE682BA0-C554-43f7-99C6-2F00FE46C8BC}
HKEY_CLASSES_ROOT\AutoDiscovery.Mail {008FD5DD-6DBB-48e3-991B-2D3ED658516A}

Automatic Updates
CAutoUpdate Class 1.0
HKCR\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}
HKCR\CLSID\{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
AutomaticUpdates Class
HKCR\CLSID\{BFE18E9C-6D87-4450-B37C-E02F0B373803}
IAutoUpdateInternal2
HKCR\Interface\{2F413257-2290-497B-AAF9-2629B75C1C82}
IAutoUpdateClient
HKCR\Interface\{633107CC-BA85-454B-986F-1800151A022E}
IAutoUpdateInstallAtShutdown
HKCR\Interface\{63992373-C600-4ADB-9794-A378789E595E}
IAutoUpdateClient
HKCR\Interface\{7AE22377-B19D-497D-808E-307860C5660A}

Trojan exploit
HKEY_CLASSES_ROOT\DBROWPRX.AsProxy {ef636392-f343-11d0-9477-00c04fd36226}
HKEY_CLASSES_ROOT\DBROWPRX.AsServer {ef636393-f343-11d0-9477-00c04fd36226}
HKEY_CLASSES_ROOT\DBRSTPRX.AsProxy {ef636390-f343-11d0-9477-00c04fd36226}
HKEY_CLASSES_ROOT\DBRSTPRX.AsServer {ef636391-f343-11d0-9477-00c04fd36226}

* INTRUSIVE "SERVICES" / DEFAULT SPYWARE *

Click "Start" / go to "Control Panel" / click "Administrative Tools" / click "Services"

SERVICES THE RPC DEPEND ON CAN BE SENSITIVE TO THE SYSTEM, WILL NOT BE POSTED.
SERVICES PLUG AND PLAY DEPEND ON ARE SENSITIVE TO THE SYSTEM, WILL NOT BE POSTED.
SERVICES THAT COMPUTERS DO NOT NEED TO FUNCTION, WHICH ARE NOT SECURE, ARE POSTED BELOW.

Automatic Updates -- Enables the download and installation of Windows updates.
ClipBook -- Enables ClipBook Viewer to store information and share it with remote computers.
FortiClient SSL -- SSL spyware for Windows VISTA.
Indexing Service -- Indexes contents and properties of files on local and remote computers; provides rapid access to files through a flexible querying language. [Some may choose to have this active, although it is not necessary.]
LogMeIn -- Spyware. [New systems MAY need this, old systems do not!]
LogMeIn Maintenance Service -- Spyware. [New systems MAY need this, old systems do not!]
Net.Tcp Port Sharing Service -- Spyware. Provides the ability to share TCP ports over the net.
NetMeeting Remote Desktop Sharing -- Spyware. Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet.
Network DDE -- Provides network transport and security for Dynamic Data Exchange.
Network DDE DSDM -- Manages Dynamic Data Exchange (DDE) network shares.
NICCONFIGSVC -- Configures Internal Network Card power management settings. http://www.spydig.com/file-diagnosis/NicConfigSvc-cpl.html
Remote Desktop Help Session Manager -- Spyware. Manages and controls Remote Assistance.
Remote Registry -- Spyware. Enables remote users to modify registry settings on this computer.
Secondary Logon -- Enables starting processes under alternate credentials.
TOSHIBA Bluetooth Service -- Wireless radio service.
WebClient -- Spyware. Remote NT service.

* PAST MISTAKES UPDATED *

!DO NOT BLEACH BDATuner.MPEG2! {helps operate online flash players}
HKEY_CLASSES_ROOT\BDATuner.MPEG2Component
HKEY_CLASSES_ROOT\BDATuner.MPEG2ComponentType
HKEY_CLASSES_ROOT\BDATuner.MPEG2TuneRequest
HKEY_CLASSES_ROOT\BDATuner.SystemTuningSpaces
Other BDA CLSIDs can be bleached for Wi-Fi security.

The first CLSID shit list contains DRM. DRM should NOT be bleached! All new flash players depend on DRM.

!DO NOT BLEACH TELEPHONY! {this will cut the internet connection}
!DO NOT BLEACH SYSTEM CERTIFICATE! {this will destroy the system}
!DO NOT BLEACH CRYPTOGRAPHIC PROVIDERS! {this will destroy the system}
!DO NOT BLEACH CERFile! {this is a hardware cryptographic certificate}
!DO NOT BLEACH ITCARD! {this will cut the internet connection}
!DO NOT BLEACH MUICache! {this will destroy system restore capability}
!DO NOT BLEACH INK FILE! {this will destroy start menu and desktop shortcuts}
!DO NOT BLEACH RASMAN Certificate! {this would cause browser problems}
!DO NOT BLEACH ANY RPC! {this will destroy the system}
!DO NOT BLEACH MUI! {this will cause problems with media players}
!DO NOT BLEACH DRM! {this will cause problems with flash players}
!DO NOT BLEACH vCard! {this will cause Microsoft Outlook to crash}
!DO NOT BLEACH DirectX! {this could cause problems with audio software}
!DO NOT BLEACH LEGACY DRIVES! {major problems could fry the computer}
!DO NOT BLEACH WHAT YOU DO NOT KNOW! {take this as experienced forewarning}

Here is a list of basic CLSIDs! DO NOT BLEACH!

Inbox: {00020D76-0000-0000-C000-000000000046}
Cabinet File: {0CD7A5C0-9F37-11CE-AE65-08002B2E1262}
Taskbar and Start Menu: {0DF44EAA-FF21-4412-828E-260A8728E7F1}
Favorites: {1A9BA3A0-143A-11CF-8350-444553540000}
Assembly: {1D2680C9-0E2A-469d-B787-065558BC7D43}
Computer Search Results Folder: {1f4de370-d627-11d1-ba4f-00a0c91eedba}
My Network Places: {208D2C60-3AEA-1069-A2D7-08002B30309D}
My Computer: {20D04FE0-3AEA-1069-A2D8-08002B30309D}
Control Panel: {21EC2020-3AEA-1069-A2DD-08002B30309D}
Printers: {2227A280-3AEA-1069-A2DE-08002B30309D}
Internet: {2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}
E-Mail: {2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}
The Internet: {3DC7A020-0ACD-11CF-A9BB-00AA004AE837}
My Documents: {450D8FBA-AD25-11D0-98A8-0800361B1103}
Start Menu Folder: {48e7caab-b918-4e58-a94d-505519c795dc}
FTP Folder: {63da6ec0-2e98-11cf-8d82-444553540000}
Recycle Bin: {645FF040-5081-101B-9F08-00AA002F954E}
Extensions Manager Folder: {692F0339-CBAA-47e6-B5B5-3B84DB604E87}
Folder Options: {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
Network Connections: {7007ACC7-3202-11D1-AAD2-00805FC1270E}
Programs Folder: {7be9d83c-a729-4d97-b5a7-1b7313c39e0a}
Briefcase: {85BBD920-42A0-1069-A2E4-08002B30309D}
Briefcase Folder: {86747AC0-42A0-1069-A2E6-08002B30309D}
Internet Explorer: {871C5380-42A0-1069-A2EA-08002B30309D}
Setup MSN Internet Access: {88667D10-10F0-11D0-8150-00AA00BF8457}
Downloaded Program Files: {88C6C381-2E85-11d0-94DE-444553540000}
Network Connections: {992CFFA0-F557-101A-88EC-00DD010CCC48}
Home Networking Wizard: {B45EE8BF-8131-47A3-8E6D-92252F331CFF}
Web Folders: {BDEADF00-C265-11d0-BCED-00A0C90AB50F}
Add Network Place: {D4480A50-BA28-11d1-8E75-00C04FA31A86}
Tasks: {d6277990-4c6a-11cf-8d87-00aa0060f5bf}
Search Results Folder: {e17d4fc0-5564-11d1-83f2-00a0c90dc849}
Scanners and Cameras: {E211B736-43FD-11D1-9EFB-0000F8757FCD}
Offline Web Pages: {F5175861-2688-11d0-9C5E-00AA00A45957}
Scanners and Cameras: {FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}
Composite Folder: {FEF10DED-355E-4e06-9381-9B24D7F7CC88}
History: {FF393560-C2A7-11CF-BFF4-444553540000}
Fonts: {BD84B380-8CA2-1069-AB1D-08000948F534}
Temporary Internet Files: {7BD29E00-76C1-11CF-9DD0-00A0C9034933}