| Name | Status | Filename | Description |
|---|
| X | MSPF.EXE | Added by a variant of the SDBOT WORM! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field
|
| X | svchost.exe | Added by the DELF-UX TROJAN! Note - this is not the legitimate svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field
|
| X | mstdmc.exe | Added by Trojan-Downloader.Win32.Banload.cil MALWARE! Note: Located in \%WINDIR%\System32\ The startup name is empty This will make sure that it's start at startup. |
| X | msmapiax32.exe | Identified as a variant of the Rootkit.Win32.Agent.uj rootkit. Note: Located in \%WINDIR%\System32\ Note: Use SDFix under supervision. |
| X | msmapibx32.exe | Identified as a variant of the Rootkit.Win32.Agent.uj rootkit. Note: Located in \%WINDIR%\System32\ Note: Use SDFix under supervision. |
| | | Added by the W32/Sdbot-DHY, Worm! Read the link, allows remote access Note: located in \%WINDIR%\ Note: Use SDFix under supervision. |
| hamachi | U | hamachi.exe | Related to hamachi Instantly connect multiple computers in a VPN from LogMeIn Inc. Note: Located in \%Program Files%\Hamachi\ |
| Security Patch | X | scmss.exe | Added by the W32/RBOT-ZW WORM! Read the link, keylogger/password stealing trojan(s) involved. |
| WinCheck | X | services.exe | Added by the W32.Sober.V
WORM!
Note: This worm file is found in the Windows\ConnectionStatus\Microsoft or Winnt\ConnectionStatus\Microsoft folder. |
| Windows | X | services.exe | Added by the W32.Sober.X
WORM!
Note: This is not the legitimate Windows process services.exe (Which is always found in the System32 folder.) This worm file is found in the Windows\WinSecurity or Winnt\WinSecurity folder.
|
| !1_pgaccount | Y | pgaccount.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. You will see one instant of pgaccount.exe for every active account on your system, and this is essential for PG to work properly |
| !1_ProcessGuard_Startup | Y | procguard.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. |
| !AVG Anti-Spyware | U | avgas.exe | Related to AVG_Anti-Spyware from Grisoft. Note: Located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\ |
| !ewido | U | ewido.exe | Part of Ewido anti-spyware
|
| !NoLoad | U | winrecon.exe | Winrecon Read the link, keylogger/password stealing trojan(s) involved. - Commercial Keylogger |
| $EnterNet | U | Enternet.exe | Connection manager for the EnterNet ISP. You can also use RASPPOE |
| $sys$cmp | X | $sys$xp.exe | Added by the Backdoor.Ryknos.B
TROJAN! Note: This trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder. Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer.
Read the link, rootkit type stealth involved.
|
| $sys$crash | X | $sys$WeLoveMcCOL.exe | Added by the Welomoch
TROJAN!
Note: This worm\trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder.
Read the link, rootkit type stealth involved. SONY ROOTKIT, THANKS SONY! |
| $sys$crash | X | $sys$sonyTimer.exe | Added by the Welomoch
TROJAN!
Note: This worm\trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder.
Read the link, rootkit type stealth involved. SONY ROOTKIT, THANKS SONY! |
| $sys$crash | X | $sys$sos$sys$.exe | Added by the Welomoch
TROJAN!
Note: This worm\trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder.
Read the link, rootkit type stealth involved. SONY ROOTKIT, THANKS SONY! |
| $sys$drv | X | $sys$drv.exe | Added by the Backdoor.Ryknos
TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer.
Read the link, rootkit type stealth involved.
|
| $Volumouse$ | U | volumouse.exe | Related to Volumouse from Nirsoft. Provides you a quick and easy way to control the sound volume on your system. Note: Located in C:\Program Files\Volumouse\ |
| $WindowsRegKey%update | X | IEXPLORE.EXE | Added by a W32/Rbot-EZ WORM! Note - this is not the legitimate Internet Explorer iexplorer.exe process, it should not appear in Msconfig/Startup unless you add it manually! |
| %cmpmixtitle% | ? | %cmpmixstr% | Possibly related to C-Media Mixer Control panel? |
| %FP%012-L2TP fts.exe | ? | fts.exe | 012.Net ISP software - what does it do and is it required? |
| %FP%012-L2TP FWPortal.exe | ? | FWPortal.exe | 012.Net ISP software - what does it do and is it required? |
| %FP%1776 Internet fts.exe | ? | fts.exe | 1776 Internet ISP software - what does it do and is it required? |
| %FP%1776 Internet FWPortal.exe | ? | FWPortal.exe | 1776 Internet ISP software - what does it do and is it required? |
| %FP%AIRTEL fts.exe | U | fts.exe | Related to AIRTEL-Broadband Part of the Friendly technologies PPPOE DSL Driver. This is customized for use with the AIRTEL-Broadband ISP. Note: Located in \%Program Files%\AIRTEL\AIRTEL-Broadband\ |
| %FP%Barak013 fts.exe | ? | fts.exe | Barak013 ISP software - what does it do and is it required? |
| %FP%Barak013 FWPortal.exe | ? | FWPortal.exe | Barak013 ISP software - what does it do and is it required? |
| %FP%Friendly fts.exe | ? | fts.exe | Friendly ISP software - what does it do and is it required?
|
| (*)API Machine | X | winSOCKS.exe | Homepage hijacker, see here (* = any digit) |
| (*)Run | X | win32API.exe | Homepage hijacker, see here (* = any digit) |
| (default) | X | (random filename).exe | Added by the BLACKMAL VIRUS! |
| (Default) | X | Systrsy.exe
| Added by the Trojan.Cdtray
TROJAN!
Note: This trojan file is found in the Internet Explorer folder. |
| (default) | X | llsass.exe | Added by the TROJ/PROXY-GG TROJAN! |
| (Default) | X | webcam.exe | Added by the Troj/Monad-A
TROJAN!
Note: This trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder.
|
| (Default) | X | syspol.exe | Added by the Dremm.b TROJAN! |
| (default) | X | rundll32.exe (path to) Zykheptd.dll | Added by the Backdoor.Hesive.B
TROJAN!
Read the link, rootkit type stealth involved.
|
| (Default) | X | 5640.exe | Troj/DownLd-ABF |
| (Entry name) | X | System.exe | Added by the Troj/Nethief-N
Trojan!
|
| (Global Startup) | X | Skunk.exe | Added by the W32/Sunk-A
WORM!
Note: This worm\trojan file is found in the Root folder. (C:\), (D:\), (E:\) etc, etc.
|
| (L4r1$$4) (4nt1) (V1ruz) | X | SP00Lsv32.pif | Added by the ASSIRAL.B WORM! |
| (original file name) | X | svchost.scr | Added by Troj/Bancban-CX and Troj/Bancban-DA TROJANS! Read the link, keylogger/password stealing TROJAN(S) involved.
|
| (original filename) | X | xphost.scr | Added by the Troj/Bancban-HM TROJAN! Note: This trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder. Read the link, keylogger/password stealing TROJAN(S) involved.
|
| (Original Trojan Filename) | X | install.exe | Added by the Troj/Bancban-FS TROJAN! Note: This trojan file is found in the Windows or Winnt folder. Read the link, keylogger/password stealing TROJAN(S) involved.
|
| (random 12 digit number) | X | actxprxy.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | avicap32.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | browser8.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | avifile5.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | bootvid4.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | cdmodem4.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | acctres8.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | autodisc.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | cabview1.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | atitvo32.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | advpack1.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | batmeter.exe | Adsrv.com/IeDriver adware variant
|
| (random 12 digit number) | X | bidispl2.exe | Adsrv.com/IeDriver adware variant
|
| (random 12 digit number) | X | asferror.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | catsrvps.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | audiosrv.exe | Adsrv.com/IeDriver adware variant |
| (random 12 digit number) | X | admparse.exe | Adsrv.com/IeDriver adware variant
|
| (random 12 digit number) | X | bootvid2.exe | Adsrv.com/IeDriver adware variant
|
| (random 12 digit number) | X | cmpbk321.exe | Adsrv.com/IeDriver adware variant
|
| (Random characters) | X | securewinload32x.exe | Added by the Troj/OptixP-N
TROJAN!
Note: This trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder. The file system32dir2a.exe will also be found in the same folder and should be deleted.
|
| (random filename - format **-**-**-**-**) | X | dwdsregt.exe | Added by Adware.ZenoSearch ADAWARE! |
| (random filename - format **-**-**-**-**) | X | qndsregn.exe | Added by ZenoSearch ADAWARE! |
| (random filename) | X | slk8x2peu.exe | Added by QuickLinks_Process ADAWARE! |
| (random name) | X | iexpl0ra.exe | TROJ_ULPM.BD |
| (Random Name) | X | csrssc.exe | Identified as a variant of the Win32/TrojanDownloader.Small.CYF malware. Note: Located in \%Temp%\ Note: Use SDFix under supervision. |
| (Random number) | X | explorer.exe | Added by the Troj/Keylog-AN TROJAN! Note: This trojan file is found in the Windows\service or Winnt\service folder, be sure to check the link for this one, It copies it's self under 9 additional file names, all in the Windows\service or Winnt\service folder. Keylogger/password stealing TROJAN(S) involved. |
| (Random number) | X | explorer.exe | Added by the Troj/Keylog-AN TROJAN! Note: This trojan file is found in the Windows\service or Winnt\service folder, be sure to check the link for this one, It copies it's self under 9 additional file names, all in the Windows\service or Winnt\service folder. Keylogger/password stealing TROJAN(S) involved.
|
| (random) | X | lsass.scr | Added by Troj/Bancban-CW TROJAN! Read the link, keylogger/password stealing TROJAN(S) involved. |
| (random) | X | svchost.scr | Added by Troj/Bancban-CY Trojan! Read the link, keylogger/password stealing TROJAN(S) involved. |
| (Random) | X | svshost.exe | Added by the W32/Kelvir-AX
WORM!
Note: This worm\trojan file is found in the System\(random folder name) (95/98/ME) or System32\(random folder name) (NT/2000/XP) folder. |
| (random) | X | svchost.exe | Added by the Troj/Bancban-JC TROJAN! Read the link, keylogger/password stealing TROJAN(S) involved. |
| (Randomly chosen existing folder name) | X | _cfg.exe | Added by the W32/Antinny-L
WORM!
|
| (Randomly chosen existing folder name) | X | _login.exe | Added by the W32/Antinny-L
WORM!
|
| (Randomly chosen existing folder name) | X | _start.exe | Added by the W32/Antinny-L
WORM!
|
| (Randomly chosen existing folder name) | X | _config.exe | Added by the W32/Antinny-L
WORM!
|
| (Randomly chosen existing folder name) | X | _autorun.exe | Added by the W32/Antinny-L
WORM!
|
| (Randomly chosen existing folder name) | X | _loader.exe | Added by the W32/Antinny-L
WORM!
|
| (Randomly chosen existing folder name) | X | _env.exe | Added by the W32/Antinny-L
WORM!
|
| (Randomly chosen existing folder name) | X | _setup.exe | Added by the W32/Antinny-L
WORM!
|
| (Registry Value Name) | X | roses.exe | Added by the W32/Rbot-AFT Worm! Read the link, keylogger/password stealing TROJAN(S) involved.
|
| (unknown) | X | charmapnt.exe | Added by the Troj/Bancos-DR TROJAN! Read the link, keylogger/password stealing TROJAN(S) involved.
|
| (User name) config | X | (Path to Trojan exe) | Added by the Troj/Mosuck-H
TROJAN!
|
| (various file names) | X | mediaplayer32.exe | Added by a variant of the WIN32.RBOT WORM!
|
| (various file names) | X | bling.exe | Added by the W32/RBOT-NI WORM! Read the link, keylogger/password stealing TROJAN(S) involved.
|
| (various names) | X | win32snd.exe | Added by the W32/RBOT-DQ WORM! |
| (various names) | X | svchostss.exe | Added by a variant of the WIN32.RBOT WORM!
|
| (various names) | X | PasswdMon.exe | Added by Wareout Rogue Software |
| (various names) | X | runload32.exe | Added by Wareout Rogue Software |
| )Start Service | U | upssrv.exe | Cyber Power PowerPanelPlus software. "In the event of a power outage, PowerPanelPlus Software automatically saves and closes all open files, and then shuts down the computer system in an intelligent and orderly manner." |
| * | X | twain_32.exe | Identified as Trj/Downloader.SV by Panda. TROJAN! Note: located in \%WINDIR%\ |
| ******** (* = random char or digit) | X | rsbmsc.exe | Added by what AntiVir antivirus detects as the BDS/Agent.adt TROJAN! |
| *Bandook | X | msdll.exe | Add a variant of the Trojan/Backdoor TROJAN! Note: Located in \%WINDIR%\System32\ |
| *JanisRuckenbrodII | X | janis.com | Added by the POPS VIRUS! |
| *Microsoft Update | X | wucxt.exe | Added by the W32.HLLW.STMU TROJAN! |
| *Microsoft Update | X | wuytc.exe | Added by the W32.HLLW.STMU TROJAN! |
| *Microsoft Update | X | ctxma.exe | Added by the W32.HLLW.STMU TROJAN! |
| *Microsoft Update | X | wstcl.exe | Added by the W32.HLLW.STMU TROJAN! |
| *Microsoft Update | X | cxma.exe | Added by the W32.HLLW.STMU TROJAN! |
| *microsoft update | X | cxma.exe | Added by the W32.HLLW.STMU TROJAN |
| *MS Setup | X | [random file name] | Virtumondo adware, also known as the VUNDO TROJAN! |
| *MSConfig32 | X | aecache.exe | Detected as Trojan.Win32.Obfuscated.gp by F-secure |
| *Security Center | X | secctr.exe | Added by the SDBOT.BRO WORM! |
| *StateMgr | Y | statemgr.exe | Windows ME default for System Restore. Do NOT disable! |
| *WerKernelReporting | N | WerFault.exe | Related to Windows_Error_Reporting technology (WER) on Vista Computers. WER captures software crash and hang data from end-users who agree to report it. Note: Located in \%WINDIR%\System32\ |
| *windows update | X | wurauclt.exe | Added by the W32/RBOT-SY WORM! |
| *windows update | X | wsctl.exe | Added by the SPYBOT.PR WORM! |
| *windows update | X | wscxt.exe | Added by the RBOT.AOS WORM! |
| *windows update | X | wkmst.exe | Added by the SDBOT.AVD WORM! |
| *windows update | X | wuaucrlt.exe | Added by the SPYBOT.HUR WORM! Read the link, keylogger/password stealing TROJAN(S) involved.
|
| *windows update | X | waurclt.exe | Added by a variant of the WIN32.RBOT WORM! |
| *WinLogon | X | [trojan path] ren time:[random number] | Added by the VUNDO TROJAN!
|
| *winstats | X | winstats.exe | Added by the Trojan.Gargafx
TROJAN! Note: This trojan file (winstats.exe) is found in the Windows or Winnt folder. |
| *wuauclt.exe | X | w****.exe (* = random char) | Added by a variant of the W32/RBOT-UG WORM! - NOTE: * in the file name represents a random char; variants spotted: wxmct.exe, wtmsv.exe, wxmst.exe, wmsvc.exe and so on... |
| *wuauclt.exe | X | wmsvc.exe | Added by the W32/RBOT-UG WORM! Read the link, keylogger/password stealing TROJAN(S) involved.
|
| ,main drive Loader | X | wininfo.exe | Suspected malware as it appears in 3 different registry locations - see here
|
| -FreedomNeedsReboot | Y | ZkRunOnceR.exe | Related to Internet_Security_Suite used by Internet providers to protect customers against many attacks. Read the article Note: Located in \%Program Files%\(Internet provider)\(Internet provider) Internet Security Suite\ |
| .. | X | ABC2007.exe | Added by the Troj/Dloadr-ASH TROJAN! Note: This worm\trojan is located in C:\%WINDIR%\System32\dllcache\ (XP/WinNT/2K) |
| .mscdr | X | lassa.exe | Added by the WEBUS.C TROJAN! |
| .mscdr | X | lsvchost.exe | Added by the WEBUS.D TROJAN! |
| .mscdsr | X | lsvchost.exe | Added by the Troj/Bdoor-CR
Trojan!
|
| .mscsbl | X | svhost.exe | Added by the BACKDOOR-CMQ TROJAN! |
| .msfupdate | X | msveup.exe | Added by the W32.ALLOCUP.A WORM! |
| .mssecure | X | mssecure.exe | Added by the DDOS_BOXED.X TROJAN! |
| .mssecure | X | mssecure.exe | Added by the Troj/Borobot-B
Trojan!
|
| .NET config | ? | sysmon32.exe | ?? |
| .NET. | X | msnmgnr.exe | Added by a variant of the IRCBOT Note: Located in \%WINDIR%\System32\ Note: Use SDFix under supervision. |
| .norton | X | rchost.exe | Added by a variant of the BOXED-A
TROJAN! |
| .nvsvc | X | smss.exe | Added by the BackDoor-CXT TROJAN! Note: located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System (XP/WinNT/2K) and not in it's System32 subdirectory, as is the case with the legitimate Smss.exe system file. |
| .nvsvcb | X | smssb.exe | Added by the Win32/Boxed.CG TROJAN! Note: This worm\trojan is located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K) Will attempt to disable antivirus, firewall and Windows Update software |
| .Prog | X | services.exe | Added by the NEVEG.B or NEVEG.C WORMS! Note - this is not the valid Windows Service Controller (services.exe ) process |
| .Prog | X | winlogon.exe | Added by NEVEG.A WORM! Note - this is not the valid Windows Logon winlogon.exe process |
| .protected | X | (no name) | Added by a Smithfraud infection. |
| .svchost | X | CSRSS.EXE | Added by the WEBUS.F TROJAN! - NOTE - this file is placed in the Winnt\System or Windows\System folder, and should NOT be confused with the legitimate Windows Client Server Runtime Subsystem csrss.exe process, which provides text window support, shutdown, and hard-error handling, always located in the Winnt\System32 or Windows\System32 folder, and which moreover should NOT figure in Msconfig/Startup!
|
| .TEXTCONV | X | csrss.exe | Added by the WEBUS TROJAN! Note - this is not the valid Client Server Runtime Subsystem csrss.exe process, which provides text window support, shutdown, and hard-error handling |
| .WMAudio | X | csrss.exe | Added by the WEBUS TROJAN! Note - this is not the valid Client Server Runtime Subsystem csrss.exe process" which provides text window support, shutdown, and hard-error handling |
| .WMAudio | X | lsass.exe | Added by a Webus.B trojan infection. Note - this is not the legitimate Lsass.exe system file, which should normally NOT figure in Msconfig/Startup |
| /l:eng | N | N/A | Related to the Dell OEM version of the Sound Blaster Audigy 2 sound card. If this item is listed and checked in startup, the System32 Folder will appear on every startup |
| 000 | U | pit.exe | Added by the PrivateEye SPYWARE! **Note - If you did not intentionally install this remove it. |
0006 - C:Documents and SettingsCompaq_OwnerStart
MenuProgramsHP Internet Connection Center | N | command.com | Related to HP_Internet_Connection_Center provides access to a variety of valuable offers from Internet Service Providers. |
0008 - C:Documents and SettingsCompaq_OwnerStart
MenuProgramshp deskjet 990c series v3.0 | N | command.com | Related to HP_Internet_Connection_Center provides access to a variety of valuable offers from Internet Service Providers. |
| 000hpdllhos | X | hpdllhost.exe | LZIO.com adware downloader |
| 000StTHK | U | 000StTHK.exe | Toshiba Hot key functionality for the function keys (Fn-Esc, Fn-F1 (lock), Fn-F2, Fn-F3, Fn-F4, Fn-F5 (switching between laptop and CRT display output), etc...) |
| 0050726-007-i32-1 | X | 0050726-007-i32-1.exe | Added by the Troj/Bancban-EC TROJAN! Read the link, keylogger/password stealing TROJAN(S) involved.
|
| 00DSKSVR00 | N | desksaver.exe | Related to Advanced_Desktop_Shield |
| 00DSKSVR01 | N | desksaver.exe | Related to Advanced_Desktop_Shield |
| 00ERSRRRNKY | U | eraser.exe | Related to Evidence_Exterminator from Softstack.com Allows for complete removal of data from your hard drive. Note: Located in \%Program Files%\Evidence Exterminator\ More here |
| 00ERSRRRNKY | U | erasrv.exe | Related to Evidence_Exterminator from Softstack.com Allows for complete removal of data from your hard drive. Note: Located in \%Program Files%\Evidence Exterminator\ More here |
| 00PCTFW | Y | FirewallGUI.exe | Related to PC_Tools Firewall. Note: Located in \%Program Files%\PC Tools Firewall Plus\ |
| 00TCrdMain | Y | TCrdMain.exe | Related to flash_card slot on the Toshiba laptop. Ending this process will disable access to the flash cards. Note: located in %ProgramFiles%\TOSHIBA\FlashCards\ |
| 00THotkey | U | 00THotKey.exe | For Toshiba Satellite notebook series to use the front buttons, play, stop, next, prev. |
| 00THotkey | U | system32THotkey.exe | For Toshiba Satellite notebook series to use the front buttons, play, stop, next, prev. |
| 0190 Warner | U | WARN0190.EXE | Anti-dialer program (Germany) |
| 0900 Warner | U | WARN0900.EXE | Anti-dialer program (Germany) |
| 09734482329566253820889118044258 | X | av2009.exe | Added by the Antivirus_2009 rogue anti-spyware program. Note: Located in \%Program Files%\Antivirus 2009\ |
| 0mcamcap | X | 0mcamcap.exe | Added by Troj/Cosiam-H TROJAN! Prevx identifies it has Haxdoor Note: located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K) |
| 0utlook Express | X | *****.exe (where * = random char) | Added by the W32/RBOT-CC WORM! |
| 1 | X | 1.exe | Added by the ESTEEMS TROJAN! |
| 1 | X | svchost.scr | Added by PWSteal.Bancos.X Trojan. Read the link, keylogger/password stealing TROJAN(S) involved.
|
| 1 | X | lsass.scr | Added by the PWSteal.Bancos.V TROJAN! Read the link, keylogger/password stealing TROJAN(S) involved.
|
| 1 | X | mrcmgr.exe | Identified as a variant of the Trojan-Banker.Win32.Banker.rqk malware. Note: Located in \%WINDIR%\System32\ Note: Use SDFix under supervision. |
| 1&1 EasyLogin | U | EasyLogin.exe | Related to 1&1_EasyLogin an Internet Provider. Note: Located in \%Program Files%\1&1\1&1 EasyLogin\ |
| 101Clips | U | 101Clips.exe | Related to 101Clips 101 is the simplest of all multi-clipboard programs. Just have it running minimized and it captures everything you cut or copy from other programs. Note: Located in \%Program Files%\101 Clips\ |
| 1029BB4B-16A9-4E77-AA3D-96930BD68EEC | X | sysockeu.exe | Added by the SmitFraud Trojan |
| 108Mbps Wireless LAN Adapte | U | TRENDnet.exe | Related to TRENDnet Wireless LAN Adapter. Note: Located in \%Program Files%\TRENDnet\Model number\ |
| 11 | X | faxcomdos.exe | Added by the Tuimer TROJAN! |
| 1111swapmgr.exe | X | 1111swapmgr.exe | Added by the BDOOR-IC TROJAN! |
| 123456 | X | rundll32.exe shell32.dll, Control_RunDLL ...123456.cpl | Added by the KITRO.C (or DANDI.A) VIRUS! 123456 can be any random 3 to 6 digit number |
| 1234567 | X | svcost.exe | Added by the Backdoor.Bifrose.YA family of trojan. Note: This worm\trojan is located in C:\%WINDIR%\System32\dllcache\ (XP/WinNT/2K) |
| 1234klsjdc uiar924c af | X | sxgnsvuxct.exe | Added by the Smitfraud Trojan |
| 1290A33C-85F5-4164-A1BE-7DD299D4986A | U | PBKScheduler.exe | Scheduler for CyberLink PowerBackup - archiving/backup utility |
| 12EE7A5E-0674-42f9-A76B-000000004D00 | X | rundll32.exe stlb2.dll,DllRunMain | BrowserAid/BrowserPal Foistware |
| 12Ghosts Popup-Killer | U | 12popup.exe | 12Ghosts Popup-Killer |
| 12Ghosts ShowTime | U | 12showtime.exe | Related to 12Ghosts Power Tools for Windows users. Note: Located in \%Program Files%\12Ghosts ShowTime\ |
| 12Ghosts Synchronize | U | 12sync.exe | Related to 12Ghosts Power Tools for Windows users. Note: Located in \%Program Files%\12Ghosts ShowTime\ |
| 17779Proj2002 | ? | N/A | ?? |
| 180adsolution | X | 180adsolution.exe | ncase adware |
| 180ax | X | 180ax.exe | ncase adware |
| 180ClientStubInstall | X | stubinstaller****.exe (* = digit) | 180Solutions adware related |
| 180ClientStubInstall | X | ******.exe (* = random digit/character) | 180Solutions adware related |
| 180ClientStubInstall | X | ******.tmp (* = random digit/character) | 180Solutions adware related |
| 1916435341.exe | X | 1916435341.exe | Troj/Dloadr-AXU |
| 196_150_ni | X | 196_150_ni.exe | Added by WinSoftware/WinFixer.Process TROJAN! |
| 197_150_ni_3 | X | 197_150_ni_3.exe | A variant TROJAN! |
| 1: | N | hpdrv.exe | HP utility for monitoring when and how many recoveries have been done |
| 1A:MacVisionTrayMonitor | N | TrayMonitor.exe | Comes with the MacVision program for monitoring tray icons (Note : program is by Stardock) |
| 1A:Stardock MCP | Y | mcpserver.exe | Master Control Program for Stardock apps, in development. People should leave it running if they're using any of the Stardock applications |
| 1A:Stardock TrayMonitor | Y | TrayServer.exe | For monitoring tray icons - if disabled icons will not be displayed in ObjectBar or DesktopX |
| 1CmailS | ? | NETMAIL.EXE | ?? |
| 1on1 | X | 1on1.exe | Adult content dialler |
| 1Srv32 | U | SpyAgent4.exe | SpyTech SpyAgent monitoring software. "Spy software that allows you to monitor EVERYTHING users do on your PC." |
| 1u7 | X | 1u7.exe | Added by the Troj/Murbac-A TROJAN!
Note: This worm\trojan is located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K) |
| 1Win32Cfg | U | SpyBuddy.exe | SpyBuddy monitoring software. Read the link, keylogger/password stealing trojan(s) involved. |
| 1Win32Cfg | U | Keyloggerpro.exe | Keyloggerpro monitoring software. Read the link, keylogger/password stealing trojan(s) involved. |
| 1WinCfg32 | X | "\WebMailSpy.exe | Added by WebMailSpy SPYWARE! |
| 2020Downloader | X | mssvr.exe | 2020Search Toolbar |
| 2177F056-0AA6-4D6C-A944-13F71F341C29 | X | sysokuaw.exe | Added by the SmitFraud Trojan |
| 24Online Client | U | CyberoamClient.exe | Related to Cyberroam from Elitecore Technologies Ltd. Note: Located in \%Program Files%\eLitecore\Cyberoam Client for 24Online\ |
| 250 | X | winmgr.exe | Added by the Troj/LegMir-AT TROJAN! Read the link, keylogger/password stealing trojan(s) involved. |
| 27 | X | slsorve.exe | Added by the SLSORVE-A TROJAN! |
| 27 | X | csrss32.exe | Added by the TROJ/SLSORVE-D TROJAN! |
| 27 | X | msm32.exe | Added by the TROJ/SLSORVE-E TROJAN! |
| 2CF0B992-5EEB-4143-99C0-5297EF71F444 | X | rundll32.exe stlbdist.dll, DllRunMain | BrowserAid/BrowserPal Foistware |
| 2CF0B992-5EEB-4143-99C2-5297EF71F44B | X | rundll32.exe stlbupdt.DLL, DllRunMain | BrowserAid/BrowserPal Foistware |
| 2chkdsk | X | ******.dll | VirtuMonde/Vundo adware variant |
| 2kadiras | Y | 2kadiras.exe | Allied_Telesyn AT series router/modem related - apparently required
|
| 2Search | X | main.exe | Added by Adware.2Search ADAWARE! Note: located in C:\Program Files\2search\ |
| 2thousandbuck | X | (path to file) | Added by the RANKY.L TROJAN!
|
| 2wSysTray | U | 2portalmon.exe | 2Wire Homeportal user interface |
| 32-bit Thunking service | X | thunk32.exe | Added by the W32.Derdero.A WORM! |
| 333 | X | svchost.exe | Troj/JD-A Read the link, steals information |
| 357AA41A-B7A8-4632-A27D-5B980B25CF43 | X | [path to svchost.exe] | Added by the SMALL-AQ TROJAN! |
| 357AA41A-B7A8-4632-A27D-5B980B25CF43 | X | services.exe | Added by FakeMessage/AdRotator adware - NOTE - this file is placed in a Winnt\System32\Inetserv or Windows\System32\Inetsrv folder, and should NOT be confused with the legitimate Windows services.exe process, always located in the Winnt\System32 or Windows\System32 folder, and which moreover should NOT figure in Msconfig/Startup!
|
| 36X Raid Configurer | Y | JMRaidSetup.exe | Related to Raid_Configurer Disk Partitioning Setup. Note: Located in \%WINDIR%\System32\ |
| 388529725448 | X | AutomaticUpdates.exe | W32/Sdbot-DEN Read the link, allows remote access |
| 38921398152773197389309440455459 | X | av2009.exe | Added by the Antivirus_2009 rogue anti-spyware program. Note: Located in \%Program Files%\Antivirus 2009\ Note: Use SDFix under supervision. Note: Random numbers in the Start up name. |
| 3c1807pd | Y | 3cmlink.exe 3cpipe-3c1807pd | 3Com WinModem driver. See here for more WinModem information |
| 3capplnk | Y | 3capplnk.exe | US Robotics Modem driver |
| 3cdminic | N | 3CDMINIC.EXE | 3Com DMI (DynamicAccess Desktop Management Interface) Agent associated with 3Com network cards |
| 3CM Link | Y | 3cmcnkw.exe | Required for a US Robotics WinModem as it provides the link to Windows - won't work without it. |
| 3Cmlink | Y | 3CmlinkW.exe | For a US Robotics WinModem. Provides the link to Windows as the CPU does the processing on WinModems - won't work without it. See here for more WinModem information |
| 3ComDMIAgent | N | 3CDMINIC.EXE | 3Com DMI (DynamicAccess Desktop Management Interface) Agent associated with 3Com network cards |
| 3D Text | N | 3D Text.scr | Added by the JERMY.A VIRUS! |
| 3Deep Control Panel | U | 3DeepCTL.EXE | From LightSurf Technologies (nee E-Color) - 3Deep corrects lighting, shading and color for all your 2D and 3D games |
| 3Dfx Acc | X | GFXACC.EXE | Added by the GIBE VIRUS! |
| 3dfx Task Manager | N | 3dfxMan.exe | System Tray application for 3dfx Voodoo 3/4/5 functions. Available via Start -> Programs |
| 3dfx Tools | Y | 3dfxCmn.dll | Updates the registry with information that can't be held for Voodoo 3/4/5 series graphics cards. Important for owners of these cards |
| 3dfxv2ps.dll | Y | 3dfxv2ps.dll | Updates the registry with info that can't be held for 3dfx Voodoo 2 video cards. Important for owners of these cards |
| 3Dlabs Taskbar Display Manager | ? | 3DLman.exe | 3DLabs graphics driver related. System Tray access to display settings? |
| 3DLabsHelperDemon | U | 3dldemon.exe | Directly from the programs author "It is a tiny program that is installed by the Permedia2/3 and probably other Oxygen-series cards. Normally it sits in the background doing nothing at all (sleeping on a semaphore), so it should take zero CPU time and virtually zero memory, since it will all be paged out to the hard drive." In most cases it can be safely disabled |
| 3DMouse.EXE | Y | 3DMouse.EXE | Dritek System Inc. 3D Mouse driver |
| 3d_sound | X | 3d_sound.exe | Added by the Troj/Riados-A
TROJAN!
Note: This trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder.
|
| 3P_UDEC | X | AntvrsInstall.exe | Installer for the Antivirus_2008 rogue anti-spyware program. Note: Use Malwarebytes RogueRemover tool. |
| 3qdctl.exe | U | 3qdctl.exe | Provided with Terratec 128i PCI and similar sound cards. Loads a sound profile at bootup, restoring volume and other audio settings to a pre-determined default. Similar to Creative Lab's AudioHQ |
| 3ware 3DM | Y | 3dm.exe | Monitors status of the disk array on 3ware IDE RAID controllers |
| 4684735485910 | X | netdll32.exe | W32/Sdbot-DEV Read the link, allows remote access |
| 4da92ad5.exe | X | 4da92ad5.exe | Troj/Dloadr-WZ |
| 4oD | U | KHost.exe | Kontiki_Delivery_Manager - Windows-based client software that enables secure delivery of content to users' desktops |
| 4wd!!! | X | Natal!.pif | Added by the OPASERV.AI VIRUS! |
| 5-1-61-96 | X | members-area.exe | Adult content dialler |
| 5-2-46-112 | X | 5-2-46-112.exe | Adult content pop-up dialler. Removal instructions here |
| 55278 | X | grepclient1.exe | Added by the Troj/Lineage-S Trojan! Read the link, keylogger/password stealing trojan(s) involved. |
| 5p4m | X | (Path to Trojan) | Added by the Troj/Litebot-C
TROJAN!
|
| 666 | X | Ska.exe | Added by the Troj/Pipes TROJAN! |
| 678 | X | lsas32.exe | Added by the Troj/Slsorve-C
TROJAN!
|
| 756349DC-6D9E-4F2A-9B24-269661F073C3 | X | sysoghcx.exe | Added by the SmitFraud Trojan |
| 7f8e | X | z****.exe 9idf | Detected by NOD32 as Win32/TrojanDropper.Small.ALI , Note: it creates a number of extra z****.dll files in the system32 folder |
| 7v3j | X | z1844.exe gdtgh | Added by an unidentified TROJAN! Note: of the Win32/Rbot Family. Note: This worm\trojan is located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K) The file name is random z(Random Number).exe followed by gdtgh |
| 802.11b+g USB Wireless LAN Utility | U | ZDWlan.exe | Related to USB_Wifi_device Wireless Lan. Note: Located in \%Program Files%\WLAN\802.11b g USB WLAN\ |
| 802.11g Wireless Adatper | U | Monitor.exe | Related to wireless card (802.11) adapter/standard. System Tray icon that provides a shortcut to "Wireless Connection Status" and allows to turn WL on and off. Supplier unknown. Adapter is miss-spelled. |
| 85 | X | rundl132.exe | Added by the Troj/Gampass-L TROJAN! Note: This worm\trojan is located in C:\%WINDIR%\TEMP\ Monitor user activity and log keystrokes. It also attempts to suppress detection alerts for an anti-virus product (random key name). |
| 852EBF20-A95D-4F1F-B9C2-B2CD24350F3E | X | sysodkcs.exe | Added by the SmitFraud Trojan |
| 98D0CE0C16B1 | X | rundll32.exe D0CE0C16B1,D0CE0C16B1 | BrowserAid/BrowserPal Foistware |
| 9m | X | winlog0n.exe | Troj/LegMir-AQK Read the link, steals information |
| 9xadiras | Y | 9xadiras.exe | Allied_Telesyn AT series router/modem related - apparently required
|
| 9xHtProtect | X | AVprotect9x.exe | Added by the W32.NETSKY.M WORM! |
| ;Rundll | X | (random filename) | Added by the PWSLEGMIR.E VIRUS! |
| X | Regsrv32.com | Added by the SOUTHGHOST VIRUS! |
| X | App.exe | Added by the WAXPOW VIRUS! where <filename> is the executed filename |
| X | wincpu.exe | Added by an unidentified VIRUS! |
| X | elf.exe | Elf is a hacker program, tied to a trojan server |
| ??QQ | ? | QQ.exe | Related to QQ_IM program popular in China. (It's similar to MSN Messenger.) there are many add-ons created for QQ and of course, some add-ons are malware. If you didn't get his QQ from the official site, or you installed some add-ons it is suggested that you remove it and have install a fresh copy from the official Tencent Inc. site. Note: Located in \%Program Files%\Tencent\QQ\ |
| ?ekio Startups | X | ?nksvc32.exe | Added by the W32/AGOBOT-OV WORM! Read the link, keylogger/password stealing trojan(s) involved. |
| @ | X | regedit -s ..win.dll | Added by the SEEKER.K VIRUS! |
| @Hoc Toolbar | N | AtHoc.exe | One-click activated browsing toolbar used by various web-sites. See here for more info |
| @loha | N | reminder.exe | Registration reminder for @loha@home E-mail utility |
| @tour_ww | X | @tour_ww[1].exe | Adult content dialler |
| a | X | a.exe | Commercials file that registers itself in the system registry and redirects IE to a certain commercial website |
| a | X | jesse.exe | Added by the W32/Melo-A
WORM!
Note: This worm file is found in the system32\drivers\etc folder.
|
| A New Windows Updater | X | w32NTupdt.exe | Added by W32.Mytob.BM WORM! |
| A Note | U | A Note.exe | Related to A_Note A Note is a program that lets you create post-it like notes on your Microsoft Windows desktop. Note: Located in \%Program Files%\A Note\ |
| A Verizon App | U | VERIZO~1 | Related to Verizon_Online Help support/ Note: Located in C:\PROGRA~1\VERIZO~1\HELPSU~1\ |
| a-squared | U | a2guard.exe | a-Squared antitrojan - can be run on demand, but necessary in Startup, if you prefer the aČ 'Background Guard' real time protection feature |
| a-winpoet-service | Y | winpppoverethernet.exe | WinPoET is the industry's first Windows-based PPP over Ethernet client. Developed by iVasion, WinPoET is attractive to equipment providers, modem suppliers, RBOCs and ISPs. For more info read here. It uses dial-up networking for new high-speed internet customers who are more familiar with analogue modems. If unchecked in MSCONFIG it reports Error 360 - Hardware Error in dial-up networking |
| A1000 Settings Utility | U | cpqa1000.exe | Compaq A1000 Print Fax All-in-One copy scan printer software. Required in the Startup in order to scan, print, copy and fax. Only required if you use these features |
| A4Proxy | U | A4Proxy.exe | Anonymity 4 Proxy - local proxy server that makes you anonymous when visiting web sites |
| A70F6A1D-0195-42a2-934C-D8AC0F7C08EB | X | rundll32.exe E6F1873B.DLL,D9EBC318C | BrowserAid/BrowserPal Foistware |
| aa bbcc dde effgghh jj | X | update.exe | Added by a variant of the IRCBOT Note: Located in \%WINDIR%\System32\ Note: Use SDFix under supervision. |
| AAACLEAN | ? | AAACLEAN.INF | ?? |
| AAAKeyboard | ? | ?? | ?? |
| AAATraySaver | N | TraySaver.exe | System Tray management utility from Mike Lin which allows you to hide, show, restore icons that are lost in an Explorer crash, remove dead tray icons, minimize any window to the System Tray |
| AAK | U | aak.exe | Advanced Anti-Keylogger - "Anti-spy software to prohibit operation of any keyloggers currently in use or presently being developed anywhere" |
|
