Last updated: July 20, 2005, 2 pm P.S.T.
Startup Programs - Useless
%program files%\rvp\bpc.exe
addclass.exe
addestroyer.exe
advchk.exe
aimwdinstall.exe
alchem.exe
amcis2.dll
atiptaxx.exe
autoreg.exe
autoup~1.exe
babeie.dll
backweb-4448364.exe
bargains.exe
bdsrhook.dll
bh304181.dll
bigfix.exe
bmz.exe
bootconf.exe
brnts6.exe
bs3.dll
bxxs5.dll
cfd.exe
channelup.exe
chostsv.exe
cme.exe
cmesys.exe
cnbabe.exe
cnbarie.dll
cnform.exe
commonname.exe
compaq-rba.exe
consol32.exe
ct_load.exe
ctb.exe
ctbclick.exe
cteaxspl.exe
ctin10.exe
ctregrun.exe
ctsrreg.exe
dcppaid.exe
dlder.exe
dlgli.exe
dmserver.exe
dsa.exe
dsb.exe
dssagent.exe
eanthology_install.exe
emsw.exe
ezulaboot.dll
ezulumain.exe
fhfmm.dll
fhfmm.exe
findfast.exe
findservice.exe
flt.dll
flydesk.exe
gator.exe
gshp.vbs
gssomatic.exe
gstartup.lnk
hcwprn.exe
hxdl.exe
hxiul.exe
icw97.inf
ie_32.exe
ieasst.dll
iehelper.dll
kazoom.exe
keyloggerpro.exe
khooker.exe
khost.exe
kkcomp.dll
kkcomp.exe
kvnab.dll
kvnab.exe
lexstart.exe
liqad.dll
liqad.exe
liqui.dll
liqui.exe
loadqm.exe
loadwc.exe
mdm.exe
mobsync.exe
mosearch.exe
moz030715s.dll
mp3ad.exe
mrtalk.exe
msa32chk.dll
msbb.exe
msckin.exe
mslogon.exe
msoffice.exe
mstapi.exe
msview.dll
msystem.exe
mwcpyrt.exe
netdotnet.dll
netratings.exe
newdotnet3_36.dll
newsupd.exe
npnsdad.exe
npnzdad.exe
oemreset.exe
onflow.exe
osa.exe
osa8.exe
osa9.exe
p_981116.exe
pbsysie.dll
powerreg scheduler v3.exe
powerreg scheduler.exe
ppstub.exe
ra32.exe
rcsync.exe
realsched.exe
remind32.exe
rundll32 setupapi,installhinfsection oemsyspnp 128 oemsyspnp.inf
rundll32.exe c:\windows\newdot~1.dll,newdotnetstartup
rundll32.exe c:\winnt\system32\msiefr40.dll
rundll32.exe w3knet.dll,dllinitrun
savenow.exe
sentry.exe
seticon.exe
settn.dll
skinkers.exe
sncntr.exe
spoo1sv.exe
spywareguard.exe
stub.exe
supporter5.exe
svch0st.exe
sw.exe
sys32win.exe
sysai.exe
sysdll32.exe
sysu.exe
tcaudiag.exe
tgcmd.exe
tgdc.exe
tgfix.exe
tmpcpyis.bat
tps108.dll
tsadbot.exe
tvm.exe
updmgr.exe
updreg.exe
vcatch.exe
viewmgr.exe
vx2.dll
webinstaller.dll
win32_i.exe
win32info.exe
win32us.exe
winamp.hta
winfavorites.exe
winnet.exe
winstart001.exe
wxprocmgr.exe
xadbrk.dll
xadbrk.exe
xtcfgloader.exe
zupdate.exe
%program files%\rvp\bpc.exe
Useless.
Downloads and displays ad popups at intervals.
Remove it from startup.
Read more:
http://www.pestpatrol.com/PestInfo/b/broadcastpc.asp
addclass.exe
CoolWebSearch is a name given to a wide range of different
browser hijackers.
Though the code is very different between variants, they are all
used to redirect users to coolwebsearch.com and other sites
affiliated with its operators.
Suspected to be installed by pop-ups exploiting security holes in
IE.
The script may open mostly porn pop-ups if it thinks the page
being viewed is porn-related.
addestroyer.exe
Adware.AdDestroyer claims to be a spyware remover.
However, it sets itself to run when you start the computer and it
remains memory-resident.
When it runs, the software will periodically attempt to contact a
server to download updates and instructions.
Some versions may annoy you with pop-up advertisements in Internet
Explorer.
They claim that your system is at risk and that you should
purchase an upgrade to AdDestroyer.
Remove it by RegRun.
advchk.exe
This program warns you when you install a new version of a
Norton product and you didn't uninstall all previous versions.
But in some cases it is incorrect, for example:
when you install Norton SystemWorks (NSW), you see the message "A
previous version of Norton SystemWorks was detected. You must
uninstall the old version before installing the new one" or a
similar message. After you uninstall the previous version of NSW
and start to install NSW, you see the same message.
The installation does not proceed.
In this case you must delete the following key from the system registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Advchk.exe
aimwdinstall.exe
This is a tie-in with videogame maker WildTangent Inc. to combine
online games with instant messaging, as part of a broader effort to
generate revenue from a popular free chat service. It also
collects and shares private information.
The games are integrated with the messaging service, so players
can use the chat software to communicate with one another and to
invite players to join a game.
Unlike e-mail messages, which must be opened, instant messages
appear automatically on a user's computer screen.
alchem.exe
This is an adware component.
Removing it from startup is suggested.
Read more:
http://webhelper.netfirms.com/index.html
amcis2.dll
Part of the Aureate Advertising spyware. Removal is suggested.
atiptaxx.exe
Additional utility for ATI video cards. It often uses a lot of
processor resources.
Not required.
autoreg.exe
US Robotics Registration
autoup~1.exe
This is not a virus.
This is the Envolo AutoUpdater adware.
It has different versions.
Read more:
http://www.doxdesk.com/parasite/AproposMedia.html
http://www.pestpatrol.com/PestInfo/p/peopleonpage.asp
Remove it from startup with RegRun Startup Optimizer.
babeie.dll
CommonName Toolbar spyware.
It is installed as toolbar to Internet Explorer.
CNBabe adds CNBABE.DLL to the Browser Helper Objects list.
It traces all your Internet activity.
Removal:
Choose CommonName entry in the Control Panel's Add/Remove Programs
option.
If that doesn't work, stop and remove from startup:
CommonName.exe, Cnbabe.exe, cnform.exe, cnbabe.dll, BabeIE.dll,
and CNBarIE.dll.
backweb-4448364.exe
BackWeb is a generic, background downloading tool that software vendors can incorporate into their product to download data (e.g. product updates) to the user's PC. Its operation depends on the instructions given to it by the individual software vendor who bundles it.
BackWeb has been associated with numerous large companies working on a corporate level to deliver timely information and updates. Essentially, BackWeb is a communications program whereby a large number of users may be contacted in an instant.
Read more:
http://pestpatrol.com/pestinfo/b/backweb.asp
Useless.
bargains.exe
Advertising spyware.
Often installed with useful free software like Net2Phone and some
versions of LimeWire.
Stop this process and remove from startup.
bdsrhook.dll
Baidu toolbar:
http://bar.baidu.com/
Not required. May cause problems in Internet Explorer.
Uninstalling it is suggested.
If you have no uninstallation procedure, remove it with RegRun.
More info:
http://www.pestpatrol.com/PestInfo/b/bdplugin.asp
bh304181.dll
This is part of Kontiki software.
This is advertising spyware.
You may receive this software with other downloadable software like a game.
http://www.extremetech.com/article2/0,3973,365073,00.asp
Kontiki software allows Gamespot or other customers to monitor the actions of users, down to the individual PC.
You can remove it by uninstalling Kontiki software.
If it doesn't work, use RegRun Start Control->Windows Core Components to remove Kontiki.
bigfix.exe
It is used to automatically receive and read technical support
information provided by computer and software manufacturers and
other technical support experts.
Also can automatically check your computer for bugs, configuration
conflicts, and security holes. It is a resource hog! Please start
it manually.
bmz.exe
nCase is adware from 180Solutions.
It consists of a process, msbb.exe, that runs constantly with
Windows and shows advertising.
nCase is aware of the FlashTrack parasite and will disable it if
it is running, to stop it showing competing adverts.
Some versions also seem to connect to the Gator web servers
occasionally, for unknown reasons.
Bundled with a large range of applications, particularly
file-sharing programs.
nCase are known to send e-mail to software authors asking them to
include the nCase bundle.
Also installed by ActiveX drive-by downloads in adverts inserted
on some free web hosting services,
and also installed by the FavoriteMan and BookedSpace parasites.
Looks for known URLs and keywords in URLs, and opens pop-up
advertisements targeted at such sites.
Also opens non-targeted pop-up adverts at arbitrary times during
IE usage.
Can add shortcut icons to the Start menu and Desktop if directed
to by its controlling servers.
nCase can download and execute code from its controlling servers,
as an update feature.
May cause an error message such as "msbb.exe file is linked to the
missing export wininet.dll" on older systems without a WinInet
library.
Can also cause IE to be a bit slow to start up, and some versions
are reported to generate page fault errors.
Manual removal:
Navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
and delete the entry "msbb".
To delete nCase/Alert, also check for a randomly-named entry three
or more letters long, pointing to a .EXE of the same name in the
Windows folder.
Delete this entry and the file it points to. Alternatively, wait
for the next restart and it should prompt you to reinstall or
remove itself.
Restart the computer and delete the 'nCase' folder inside Program
Files. Or in older versions without an 'nCase' folder, look in the
System folder and delete msbb.exe.
Also delete the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb
and HKEY_CURRENT_USER\Software\180solutions.
Or try to use RegRun Startup Optimizer to automatically remove
this adware.
bootconf.exe
This is an absolutely useless application.
It is also named IE Homepage hphijacker.
What it does:
It writes to C:\WINDOWS\HOSTS, changing msn.search to its IP.
Delete this record from c:\windows\hosts:
1123694712 auto.search.msn.com
It creates c:\windows\defaults.css (style sheet) that contains the IP.
Registry changes:
Registry key HKLM\Software\Microsoft\Internet Explorer\Search
Changed: Search, SearchAssistant, Search Page, Default_Search_URL
etc.
Read more:
http://boards.cexx.org/viewtopic.php?p=2464#2464
By default (on my computer) the Search key contains two values:
CustomizeSearch="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
SearchAssistant="http://www.searchgateway.net/search/"
You may remove the other values.
Remove it by RegRun Startup Optimizer.
Set the default setting for IE by opening Control Panel, Internet
Settings.
brnts6.exe
Spyware.InTheKnow
It is a program that detects keystrokes and takes snapshots of
specified programs on your computer.
When Spyware.InTheKnow runs, it performs the following actions:
Displays an introductory message.
Gives you the option of registering the product at www.itksoft.com
or entering a registration key.
Allows you to type the main password. Typing this password while
using any Windows program brings up the user interface.
Gives you the option to determine the interval between taking
snapshots.
Gives you the choice of which programs to take snapshots of.
Gives you picture management options, including how long files are
stored and the maximum storage amount.
Creates some files in %Temp%\WZS2.tmp\
Creates the files in %System%\
Creates the folder %System%\Balance, which is used to store the
keystroke and snapshot data.
Creates the folder C:\ITKExport, which is used to store
exported reports that the spyware generates.
Adds the subkey: grnx
to the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft
and adds some values to that subkey:
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Brnts6.exe" = "%System%\Brnts6.exe"
Next, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft
and delete the value: "Tg-DTGA3m" = "626I39vGvzVzYL26Oef"
Also, delete the key: HKEY_LOCAL_MACHINE\Software\Microsoft\grnx
bs3.dll
This is advertising spyware and you should get rid of this
item.
Read more about it:
http://www.doxdesk.com/parasite/BookedSpace.html
To remove it, open RegRun Start Control, go to the Windows Core
Components tab. Open Windows Core Components Wizard.
Go to the BHO tab.
Uncheck bs3.dll and Apply.
bxxs5.dll
BookedSpace Adware.
Displays popup ads on your computer.
This software may be silently installed by MThree MP3 to WAV converter or other software.
Try the uninstaller at
http://bookedspace.com/uninstaller.exe
If it doesn't work:
Remove this BHO item by RegRun Start Control.
Also remove "bsx3", or "bsx5" or similar from startup.
cfd.exe
BroadJump Client Foundation.
This software is installed with your DSL cable modem driver.
Actions:
1) Installs some software under C:\Program Files\BroadJump\Client Foundation.
2) Adds Comcast entries to the browser's "Favorites" menu.
3) Adds IPrenew.bat file for the 0.000001% of users who can't figure out how to renew their IP manually.
4) Replaces a few Microsoft redistributable DLLs.
5) Puts a DevMngr.vxd (or BJIPAddr.vxd) in the Windows\system folder.
May be stopped without any problems.
channelup.exe
Adware-BuddyLinks application. This is not a virus or trojan.
It is a potentially unwanted program that requires users to
download an installer and agree to the terms of the program, which
include sending a message to all users on your AOL Instant
Messenger buddy list with a link to the installer page.
This application works when visiting the www.wgutv.com or
download.buddylinks.net websites.
Once this page has loaded, users are prompted to install and run a
program.
The application creates some files and folders:
%Program Files%\buddylinks.net
%Program Files%\Common Files\PSD Tools
Adds the key to the system registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"PSD Tools Channel" = C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
The following registry keys are also evidence that this
application was run:
HKEY_CLASSES_ROOT\Interface\{00D38C81-14B3-44DE-B023-3BDC5BDE4FEC}
HKEY_CLASSES_ROOT\CLSID\{FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4}
Removal Instructions:
To uninstall this application, use the ADD/REMOVE Programs Control
Panel and remove the applications related to:
BuddyLinks
PSDT Messaging Integration
PSD Tools ChannelUp v1.0 (remove only)
And use RegRun Startup Optimizer to remove this adware.
chostsv.exe
PWSteal.Banpaes.C is a Trojan horse that attempts to steal online banking
information.
Also known as PWSteal.Banpaes, PWSteal.Banpaes.B
When PWSteal.Banpaes.C is executed, it performs the following
actions:
Creates the following files:
%System%\Chostsv.exe
%System%\Mouse32.dll
%System%\Keybrd32.dll
%System%\Kuser.dll
%System%\Serv.dll
C:\Temp\Install.exe (This may not be created if the Temp folder
does not exist in this location).
Adds the value:
"chostsv"="%System%\chostsv.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logs keystrokes if the keystrokes are entered in windows that have
any of the following strings in the window's title bar:
Caixa Economica Federal
Internet Banking CAIXA
BESC - Banco do Estando de Santa Catarina
Banco do Estado de Santa Catarina
Gerenciador Financeiro
Teclado Virtual
HSBC
Credicard
MasterCard
and some others.
Then, this Trojan sends the keystrokes to a predefined email
address.
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"chostsv"="%System%\chostsv.exe"
Or use RegRun to automatically remove this registry item.
cme.exe
Part of Gator advertising spyware.
Removal instructions:
http://www.pchell.com/support/gator.shtml
Use the automatic ActiveX download/installation program if your
security settings are set low.
cmesys.exe
Advertising spyware. Part of Gator (http://www.gator.com).
Warns the user about advertising features (why freeware).
cnbabe.exe
CommonName Toolbar spyware.
It is installed as toolbar to Internet Explorer.
CNBabe adds CNBABE.DLL to the Browser Helper Objects list.
It traces all your Internet activity.
Removal:
Choose CommonName entry in the Control Panel's Add/Remove Programs
option.
If that doesn't work, stop and remove from startup:
CommonName.exe, Cnbabe.exe, cnform.exe, cnbabe.dll, BabeIE.dll,
and CNBarIE.dll.
cnbarie.dll
CommonName Toolbar spyware.
It is installed as toolbar to Internet Explorer.
CNBabe adds CNBABE.DLL to the Browser Helper Objects list.
It traces all your Internet activity.
Remove from startup:
CommonName.exe, Cnbabe.exe, cnform.exe, cnbabe.dll, BabeIE.dll,
and CNBarIE.dll.
Full information:
http://217.115.153.73/parasite/CommonName.html
Removal:
Choose CommonName entry in the Control Panel's Add/Remove Programs
option.
If that doesn't work, stop its auto run but do not delete the files.
cnform.exe
CommonName Toolbar spyware.
It is installed as toolbar to Internet Explorer.
CNBabe adds CNBABE.DLL to the Browser Helper Objects list.
It traces all your Internet activity.
Removal:
Choose CommonName entry in the Control Panel's Add/Remove Programs
option.
If that doesn't work, stop and remove from startup:
CommonName.exe, Cnbabe.exe, cnform.exe, cnbabe.dll, BabeIE.dll,
and CNBarIE.dll.
commonname.exe
CommonName Toolbar spyware.
It is installed as toolbar to Internet Explorer.
CNBabe adds CNBABE.DLL to the Browser Helper Objects list.
It traces all your Internet activity.
Removal:
Choose CommonName entry in the Control Panel's Add/Remove Programs
option.
If that doesn't work, stop and remove from startup:
CommonName.exe, Cnbabe.exe, cnform.exe, cnbabe.dll, BabeIE.dll,
and CNBarIE.dll.
compaq-rba.exe
Compaq Message Server.
Not required, may cause conflicts with other software.
Stopping it is suggested.
Read more:
http://www.pacs-portal.co.uk/startup_pages/startup_c.php
consol32.exe
This hijacker redirects to a porn portal, where foistware like
ISTBar gets stealth installed.
It opens up a site over and over every couple of minutes.
It opens up a new internet explorer page. The page it opens up
redirects to a porn page.
The page that opens up has the address of something like that.
Remove it with RegRun Startup Optimizer.
ct_load.exe
CyDoor advertising spyware.
Remove it from startup.
ctb.exe
ClickTheButton is described as a price comparison service.
It detects when you are visiting a known shopping site and
provides sponsored links to competitor sites.
It runs as a process on startup (ctbclick.exe) and installs a
number of extra DLLs.
ClickTheButton has had "legitimate" distribution channels, but
it is now being silently installed with other applications (e.g. some
releases of KaZaA).
The ClickTheButton downloads parts of advertising pages when you
visit a new web site.
When a complete advertisement has arrived, it will be displayed,
usually as a pop-up or pop-under window.
ClickTheButton monitors visits of known shopping sites.
Manual removal:
Kill the 'ctbclick' process, delete 'CTB3_Shared' from the Windows
directory, delete 'CTBHooks.dll' from the System directory
(WINDOWS\SYSTEM or WINNT\System32).
Delete the value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ClickTheButton.
You can also remove the registry key HKLM\SOFTWARE\CTB_BrandedClient,
and every class in HKEY_CLASSES_ROOT
that begins with 'CtbClient', 'CtbSession', 'CtbShopper' or 'CtbXML'.
Remove these registry items (if present):
HKEY_CLASSES_ROOT\clsid\{ab4dd0f0-38da-4f48-aafe-7de7323bb6b2}
HKEY_LOCAL_MACHINE\software\ctb_brandedclient
Use RegRun Startup Optimizer to quickly remove ClickTheButton.
ctbclick.exe
Advertising spyware.
Brings targeted ads to your computer, after you provide initial
consent for this task. May track your browsing habits and
report this info to a central ad server.
1. Stop the process named 'ctbclick' by RegRun Process Manager or
by Task Manager.
2. Remove it from startup.
cteaxspl.exe
Creative Audigy EAX splash screen. Shows video splash during
startup. Not required.
ctin10.exe
PWSteal.Bancos.E is a Trojan horse that imitates the online interfaces of certain
Brazilian banks to try to steal account information.
It is a minor variant of PWSteal.Bancos.D.
Also known as PWSteal.Bancos, PWSteal.Bancos.B, PWSteal.Bancos.C,
PWSteal.Bancos.D
Copies itself to %System%\Ctin10.exe.
Adds the value:
"CTin10"="%System%\CTin10.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
so that the Trojan runs when you start Windows.
If the file C:\BancoBrasil\officeIE\officeIE.CAB exists, the
Trojan will move it to C:\officeIE.CAB.
Monitors the active Internet Explorer windows, waiting for you to
open a Web page that matches the characteristics of certain
banking sites.
Such as:
https:/ /www2.bancobrasil.com.br/aapf/aai/principal
https:/ /bankline.itau.com.br/GRIPNET/Montamenu.exe
https:/ /internetcaixa.caixa.gov.br/NASApp/SIIBC/Login_ok.processa
https:/ /wwwss.bradesco.com.br/scripts/ib2k1.dll/LOGINCHK#top
When such a site is opened, the Trojan displays one of several
login screens, which are selected according to the URL.
The information entered on these screens may then be emailed to
another computer.
Manual removal:
Navigate to the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value:
"CTin10"="%System%\CTin10.exe"
ctregrun.exe
Creative Labs registration reminder. Not required.
ctsrreg.exe
Creative Sound Blaster Live registration reminder. Not required.
dcppaid.exe
The purpose of DCPPaid.exe is to keep reminding the user that his DriveCrypt Plus Pack evaluation period has expired and he should now uninstall the software. We did not think it fair to deny him access to his disks, or suddenly remind him that it would be unavailable pretty soon, so we designed this reminder program, which cannot be removed without uninstalling DriveCrypt Plus Pack. The DCPPaid file is not spyware, and we do not use it to communicate or store anything about the user's activities.
dlder.exe
Spyware.Dlder is a spyware program that submits the user's Internet usage information to a server.
It also submits personal information, such as an IP address, the user's Web browser, and a Global Unique Identifier (GUID).
When Spyware.Dlder is installed, it displays several characteristics that are similar to those of backdoor Trojan Horses.
When the installer of Spyware.Dlder is executed, it does the
following:
Does not display information on the screen.
Creates several files and registry keys on the system.
Attempts to download an additional file.
The main file of this Spyware component is Dlder.exe, which was
inserted as a hidden file in the \Windows folder.
When the installer executes this spyware, it attempts to contact
the site www.2001-007.com and download a file named Explorer.exe
to a hidden folder in the \Windows folder, named "Explorer" (not
to be confused with the Microsoft file, Explorer.exe, in the
Windows folder). It is this downloaded Explorer.exe that contains
the main functionality of this spyware application.
Manual removal:
Delete these keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Dlder
HKEY_LOCAL_MACHINE\Software\games\ClickTillUWin
Use RegRun Startup Optimizer to remove this spyware.
dlgli.exe
Backweb installer.
Suspected Adware/Foistware: BackWeb Client
Backweb is a background downloading tool that software vendors can
distribute with their product to download data (product updates)
to the user's machines.
Its operation depends on the instructions given to it by the
individual software vendor who bundles it.
But usually, users have associated it with the appearance of
unwanted advertising windows.
May come with Western Digital's Data Lifeline software.
WD Data Lifeline BackWeb Lite Installer (DLGLI.EXE)
This appears to use the BackWeb product to quietly install unknown
items to your computer.
When installing Western Digital Data Lifeline, a reference to
DLGLI.EXE is placed in the Windows Startup folder so that it is
loaded at startup.
Similar to the Gator install stub, the software slowly downloads
("trickles") the software onto the system.
More recently, the BackWeb client was caught installing with
Logitech mouse drivers for purposes unknown.
There is a popup message: "It's Wednesday! Time to update your
mouse driver again!! Yah right." The installed file is
Iadhide3.dll.
Also, it is installed with Kodak digital camera sync software as a
software updater.
How to remove:
If you do not know who installed this product, or are noticing
unwanted advertisements appearing on your computer, you can try
disabling or removing this product.
Backweb does not come with an uninstall option.
Use RegRun Startup Optimizer to get rid of this item.
Startup Optimizer will kill DLGLI.EXE process in memory and will
remove from startup. After that you may delete its files.
dmserver.exe
Comet DMServer.
Adware.
Read more:
http://www.pestpatrol.com/PestInfo/c/comet_dmserver.asp
Useless.
Remove it from startup.
dsa.exe
Spyware.DesktopSpy
This is a spyware program that captures screenshots at a
predefined interval. This spyware can run in stealth mode.
The installation path is configurable, and the default path is
%System%\DSA.
When the Spyware.DesktopSpy runs, it does the following:
Creates and adds the subkeys to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\KMiNT21\PersonalDesktopSpy
Adds the value: "DesktopSpy"="%System%\DSA\dsa.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Saves screenshots to %System%\DSA\Images\ at a predefined
interval.
Remove it from startup with RegRun Startup Optimizer.
dsb.exe
Adware.EnergyPlugin
It displays advertisements when you are browsing the Internet.
Copies itself to %Program Files%\DSB\Dsb.exe.
Creates temporary log files in %Program Files%\DSB.
Adds the value: DSB = %Program Files%\DSB\DSB.exe
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Searches active windows for a Web browser and displays pop-up
advertisements.
Automatic removal: Use RegRun Startup Optimizer to remove this
adware from startup.
dssagent.exe
Advertising Spyware
http://cexx.org/dssagent.htm
eanthology_install.exe
Advertising software.
This is software that brings ads to your computer.
Such ads may or may not be targeted, but are "injected" and/or popup, and are not merely displayed within the form of an ad-sponsored application.
Read more:
http://www.pestpatrol.com/PestInfo/e/eacceleration.asp
Removal is suggested.
emsw.exe
HelpExpress adware.
Displays ad popups.
Remove it from startup.
http://www.kephyr.com/spywarescanner/library/helpexpress/index.phtml
ezulaboot.dll
TopText Scumware.
Infects your Internet Explorer.
Remove from BHO list by Windows Core Components in Start Control.
ezulumain.exe
KaZaa advertising spyware.
fhfmm.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process fhfmm.exe and remove BHO item fhfmm.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
fhfmm.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process fhfmm.exe and remove BHO item fhfmm.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
findfast.exe
Microsoft Find Fast manager for Microsoft Office 97.
Used for indexing documents.
http://www.microsoft.com/office/ork/026/026.htm
findservice.exe
The ActualNames software is an address bar search hijacker
targeting IE and Netscape.
It also contains components for sending mail from various
applications and web sites.
However, these functions are not working.
The software may or may not install with ActualNames/BrowseProxy,
an ActiveX installer component, depending on how it was installed.
Bundled with KazaaMate. Also installed by ActiveX drive-by
download from some pop-ups.
It does not advertise or violate privacy.
ActualNames can silently download and execute arbitrary unsigned
code from its controlling server actualnames.com, as a
self-updating feature.
ActualNames/BrowseProxy is also a severe security hole as it
allows any web site to execute arbitrary programs.
Automatic removal:
Go to the Control Panel's Add/Remove Programs feature, choose 'AdvSearch'
and click 'Remove'.
And use RegRun Startup Optimizer to remove it from startup.
Manual removal:
In the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
delete the 'BrowseProxy' entry pointing to 'FindService.exe'.
You can also delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Olivia Corp to clean up if you like.
flt.dll
Advertising spyware - installed by some free software.
Read more details:
http://www.pestpatrol.com/PestInfo/F/FlashTrack.asp
Remove from startup.
flydesk.exe
Advertising spyware
gator.exe
Advertising spyware. Warns the user about advertising features
(why freeware).
gshp.vbs
Advertising spyware.
Changes your IE home page to globalsearch.com.
Remove it from startup.
gssomatic.exe
It is a hijacker and toolbar.
Also known as Searchcentrix seek4free hijacker, Searchcentrix
Webalize toolbar, Searchcentrix.com/Mygeek.com hijacker.
Toolbar: SearchCentrix.Mygeek.com, SearchCentrix.Seek4Free,
SearchCentrix.Webalize
Likely to slow performance of Internet Explorer.
Automatic Removal:
Use RegRun Startup Optimizer to remove it from startup.
Manual Removal:
Stop these running processes with Task Manager and then delete
these files:
fsgintl.exe, fsgus.exe, gssomatic.exe, pqhelper.exe, s4helper.exe,
sidebar.exe, somatic.exe, spoolsvv.exe, webalize.exe, wzhelper.exe
Unregister these DLLs in "systemroot" with Regsvr32, then reboot and delete them:
barbho.dll, gsim.dll, ifhelper.dll, ifsomatic.dll, somatic.dll, webalize.dll, wzhelper.dll
Remove these sub keys
{4e7bd74f-2b8d-469e-98f7-eb6db99aa93b}
{4e7bd74f-2b8d-469e-c0fb-ef60b19da02a}
{4e7bd74f-2b8d-469e-c0fb-ef60b19dbc34}
{4e7bd74f-2b8d-469e-d1f7-eb6db99aa97d}
{4e7bd74f-2b8d-469e-d7e4-f660b597bf2a}
{4e7bd74f-2b8d-469e-dff7-ec6bf4d5fa7d}
{cd2a865b-6c0f-44f9-baa1-7cdb31e04bc8}
in the system registry keys:
HKEY_CLASSES_ROOT\clsid\
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\
HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser\
HKEY_LOCAL_MACHINE\clsid\
HKEY_LOCAL_MACHINE\software\classes\clsid\
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\
gstartup.lnk
Gator Adware component. Not required. Also remove cmesys.exe.
hcwprn.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process hcwprn.exe and remove BHO item settn.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
hxdl.exe
HelpExpress advertising spyware. Shows banners.
Remove by uninstalling "HelpExpress" and "Attune" under Windows'
Add/Remove Programs.
After that check again and remove from startup if required.
hxiul.exe
HelpExpress Advertising spyware. Shows banners.
Remove by uninstalling "HelpExpress" and "Attune" under Windows'
Add/Remove Programs.
After that check again and remove from startup if required.
icw97.inf
Installs Microsoft Connection to Internet shortcut on the
desktop. Not required.
ie_32.exe
Spyware.Acext is a spyware program that contacts a predefined
server for tracking purposes.
This program must be manually installed or may be installed when
installing another third-party program.
Performs the following actions:
Installs itself to %Windir%\ie_32.exe, by default.
Adds the value: ""="%Windir%\ie_32.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Periodically contacts the Web site, www.autoraskrutka.ru, for
tracking purposes.
Remove it from startup with RegRun Startup Optimizer.
ieasst.dll
Browser (Internet Explorer) spyware.
Read details:
http://www.pestpatrol.com/PestInfo/i/ieasst_dll.asp
Run RegRun Start Control, Advanced Optimizer, BHO (browser helper
objects). Remove this item.
iehelper.dll
Advertising spyware:
VX2 Respondmiter, Blackstone Transponder
Transponder is an IE Browser Helper Object. It monitors web pages
requested and data entered into forms, sends this information to
its home server, and opens pop-up advertisement windows. It also
has the capability to update itself and install other software.
Full info:
http://217.115.153.73/parasite/Transponder.html
Removal:
Remove this item via RegRun Start Control, Windows Core
Components, BHO.
kazoom.exe
KaZoom from Blue Haven Media
It is an add-on application to KaZaA that automatically speeds up
the download process and finds the files you want more quickly
than regular KaZaA searches.
Steals system resources.
keyloggerpro.exe
Spyware.KeyLoggerPro
It is a commercial product that detects keystrokes and activity on
your computer.
It is advertised as a parental control tool.
Copies itself to the install directory as KeyloggerPro.exe.
Offers the option to run in stealth mode.
Note: You can disable stealth mode for this program by using the
following keystroke: CTRL+SHIFT+ALT+K.
Creates the registry key: HKEY_LOCAL_MACHINE\Software\ExploreAnywhere Software
Creates a log file in the root folder named Kpconfig.dat.
Creates the following registry value: "1win32cfg" = "%/KeyloggerPro.exe"
in the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Manual removal:
Delete all registry keys described above.
khooker.exe
SiS Keyboard Daemon.
System tray utility installed by the drivers for SiS (Silicon
Integrated Systems) VGA cards. It can cause errors at startup.
It's not required.
A reference to KHooker.exe is placed in the Startup folder.
Some trojan-finder programs flag KHOOKER.EXE as a trojan.
Use RegRun Startup Optimizer for removal.
khost.exe
KonTiki Secure Delivery Plug In related.
The Secure Delivery Plug In is the 'client' application for the
Kontiki DMS. The Secure Delivery Plug In processes users'
Deliveries, Subscriptions, and Reservations.
The Kontiki Delivery Management System (DMS) is a secure delivery
network for distribution of video, software, audio, documents, and
other digital media.
The Kontiki DMS enables enterprises to efficiently publish,
secure, deliver and track digital media to employees, partners,
and customers.
While it is running, advertising windows can appear. It is also
suspected of being spyware.
For more information about Kontiki and the Delivery Management
System, please visit the Kontiki corporate web site:
http://www.kontiki.com
kkcomp.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process kkcomp.exe and remove BHO item kkcomp.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
kkcomp.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process kkcomp.exe and remove BHO item kkcomp.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
kvnab.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process kvnab.exe and remove BHO item kvnab.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
kvnab.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process kvnab.exe and remove BHO item kvnab.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
lexstart.exe
Lexmark printer software may add Lexstart.exe to the startup
folder to handle print commands that you send to the printer. This
can cause dial-up networking to prompt you to dial your ISP. Not
required.
liqad.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process ligad.exe and remove BHO item ligad.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
liqad.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process ligad.exe and remove BHO item ligad.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
liqui.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process liqui.exe and remove BHO item liqui.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
liqui.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process liqui.exe and remove BHO item liqui.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
loadqm.exe
This is a Microsoft Messenger applet.
It's not useful. It tries to use the Internet without your agreement.
Try to stop it from running.
Look at the forum:
http://sysopt.earthweb.com/forum/Forum9/HTML/002496.html
loadwc.exe
Microsoft Load WebCheck (Loadwc.exe 17 K, webcheck.dll 269 K)
manages subscriptions and user profiles for IE 4 and IE 5.
mdm.exe
Microsoft Machine Debug Manager.
Used by web developers to debug Internet Explorer applications.
Not useful, not required for common users.
mobsync.exe
Microsoft Mobile Synchronization Manager.
One annoying programme you will find running in W2K/XP is
mobsync.exe.
This is because it is set by default to synchronise your home page
at log-on.
To stop this, run the programme "Synchronise" from your
"Start/Programmes/Accessories" menu. Select Setup and uncheck the
synchronisation options, then deselect the option to synchronise your
home page. From Explorer, select Tools/Folder Options/Offline Files and
deselect the "Enable Offline Files" option. When you reboot, you will
find the programme is no longer running by default.
You can also remove optional components from your Windows 2000
installation that are not shown in the Add/Remove Programmes
applet.
mosearch.exe
Fast Search utility in Microsoft Office XP.
Uses a lot of resources. If you don't like Office search, I
suggest stopping it from loading, but do not delete the executable file.
moz030715s.dll
An IE browser helper object that detects visits to known sites
and redirects them through a third-party server in order to take
the affiliate fees.
WurldMedia even steals the fees from other webmasters when you use
their own links.
Read more:
http://www.doxdesk.com/parasite/WurldMedia.html
Try to uninstall it using the Control Panel->Add/Remove applet.
If that doesn't work, use the instructions on the page above.
Using RegRun Windows Core Components to remove this item is suggested.
mp3ad.exe
Adware.GatorClone
It displays advertisements during Web browsing.
Adware.GatorClone performs the following actions when executed:
Creates a randomly named .dll file in the %Temp% folder and
injects the file into running processes.
This .dll file will restart the adware program if the adware
program is terminated.
Adds the value:
=
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Contacts a remote server for advertisements and instructions, and
displays pop-up ads.
Remove it with RegRun Startup Optimizer.
mrtalk.exe
This is Media Ring Talk - voice recognition software. Allows
users to give the computer commands without any keypresses.
As it's a resource hog, start it manually.
msa32chk.dll
An ActiveX installer control for premium-rate phone diallers,
distributed by Spanish company Matrix Technology Network SA.
Also known as Msa32chk, or LanzarDLL, after filenames used by the
software.
Installed by ActiveX drive-by-download on porn pages.
It does not display advertising or violate privacy.
Critical security issues: Any HTML page can direct the ActiveX
control to download and run arbitrary, unsigned executable code
from any server.
Automatic removal:
Use RegRun Startup Optimizer to remove it from the system
registry.
Manual removal:
Open the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and delete the entry called 'Dialer', which uses rundll32.exe to run
msa32chk.dll.
Find the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions
and delete the subkey {03FBB191-FB50-4154-91D7-587D5E3C0000}.
You can also delete MSA32CHK.DLL from the System folder.
msbb.exe
Advertising Spyware.
http://www.web3000.com
Secretly installed with many products. Displays random pop-up ads
on your desktop.
msckin.exe
Spyware.ClientMan is a spyware application that submits
various Internet usage information to a server, including email
and instant messaging details.
It also submits personal information, such as IP address, browser
used, and user details retrieved from other installed applications
on the system.
Periodically attempts to connect to odysseusmarketing.com.
Spyware.ClientMan must be manually installed on the system.
However, there are several known applications that have
Spyware.ClientMan inside of them and that install the spyware
component when the application itself is installed.
Copies the file, Msckin.exe, and registers it as a process.
Creates the following folders:
Program Files\ClientMan\new
Program Files\ClientMan\run
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete any values pertaining to "Client Man."
Also, delete the key: HKEY_CURRENT_USER\Software\CliMan
mslogon.exe
Advertising Spyware.
Part of RapidBlaster software
http://www.rapidblaster.com/
Typically displays pop-ups for porn sites.
Read more about:
http://www.doxdesk.com/parasite/RapidBlaster.html
Removal with Rapid Blaster Killer is suggested:
http://www.wilderssecurity.net/specialinfo/rapidblaster.html
msoffice.exe
Microsoft Office Panel.
mstapi.exe
TrojanSpy.Win32.SCKeyLog.f
This is software that dials a phone number.
Some dialers connect to local Internet Service Providers and are
beneficial as configured.
Others connect to toll numbers without user awareness or
permission.
msview.dll
Advertising spyware:
VX2 Respondmiter, Blackstone Transponder
Transponder is an IE Browser Helper Object. It monitors web pages
requested and data entered into forms, sends this information to
its home server, and opens pop-up advertisement windows. It also
has the capability to update itself and install other software.
Full info:
http://217.115.153.73/parasite/Transponder.html
Removal:
Remove this item via RegRun Start Control, Windows Core
Components, BHO.
msystem.exe
Adult content dialler.
This dialer program is installed through various Web sites, mainly
those with pornographic content.
Use RegRun Startup Optimizer to remove it from startup.
mwcpyrt.exe
This file is included in the Windows 98SE distribution.
Displays some copyright information on IBM ThinkPads.
netdotnet.dll
NewDotNet may be installed on your system with or without your
knowledge.
The DLL component is a plugin to your Internet Explorer Browser.
It is needed when you use nonstandard top-level domain names like .law,
.club, .tech, .xxx and so on.
The catch is that nobody would see your domain unless they had the
NewDotNet plugin installed on their computer.
Now that many new top-level domain names have been approved by
InterNIC, this new.net functionality is even less useful.
NewDotNet is a good example of what's being referred to as Foistware.
NOTE: Foistware is software that adds hidden components to your
computer. Usually it's done without your knowledge when you
install some other program that would be useful to you.
This program has been known to be installed along with KaZaA,
Earthlink, @Home (ComCast), Juno, Webshots, NetZero, AudioGalaxy,
Bearshare and a host of other programs.
It will also update itself without letting you know and it's
unknown what new updated versions may do on your system.
It's recommended you use Add/Remove programs to remove the entire
application.
(This DLL ties closely into the WinSock communication so if you
just delete the DLL you'll screw up your system).
netratings.exe
Spyware.Netrat
When Spyware.Netrat is installed on the system, it tracks Internet
usage and submits the tracked information to a server.
Also, the computer attempts to connect to
http://premeter.opistat.com.
Must be installed on the system by executing a file or by visiting
certain Web sites.
However, if this program is installed when you visit a Web site,
you must agree to the installation.
Adds the value: "Premeter"="C:\Program Files\Netratings\Premeter\Netratings.exe"
or: "Premeter"="C:\Program Files\Netratings\Premeter\Nrpr.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Creates one of the following files:
C:\Program Files\Netratings\Premeter\Netratings.exe
C:\Program Files\Netratings\Premeter\Nrpr.exe
Information is not displayed on the screen when the programs are
being installed,
but Spyware.Netrat adds the entry "Premeter" in the Add/Remove
option in the Control Panel in Windows.
Remove it from startup with RegRun Startup Optimizer.
newdotnet3_36.dll
NewDotNet may be installed on your system with or without your
knowledge.
The DLL component is a plugin to your Internet Explorer Browser.
It is needed when you use nonstandard top-level domain names like .law,
.club, .tech, .xxx and so on.
The catch is that nobody would see your domain unless they had the
NewDotNet plugin installed on their computer.
Now that many new top-level domain names have been approved by
InterNIC, this new.net functionality is even less useful.
NewDotNet is a good example of what's being referred to as Foistware.
newsupd.exe
Creative Labs spyware.
http://www.cexx.org/newsupd.htm
npnsdad.exe
Advertising Spyware
http://grc.com/downloaders.htm
npnzdad.exe
NetZip Download Demon - spyware.
http://grc.com/downloaders.htm
oemreset.exe
Appears when you're installing new software or drivers. It
is needed on OEM installations.
Not required since all the work has already been done.
onflow.exe
Onflow is a Web Advertising tool from Onflow Corporation.
http://www.answersthatwork.com/Tasklist_pages/tasklist_o.htm
osa.exe
Microsoft Office fast launch.
osa8.exe
Microsoft Office fast launch.
osa9.exe
Microsoft Office fast launch.
p_981116.exe
Win32 cabinet self-extractor. Not required.
pbsysie.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process wbeCheck.exe and remove BHO item pbsysie.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
powerreg scheduler v3.exe
Part of 3COM modem software.
Registration reminder. Not required.
powerreg scheduler.exe
Part of 3COM modem software.
Registration reminder. Not required.
ppstub.exe
PrecisionPop adware.
PrecisionPOP is distributed in a wide variety of free software
applications.
PrecisionPOP serves advertisements to computers on which it is
installed and the revenue generated from these advertisements
keeps the bundled software applications free to the end user. All
ads served by PrecisionPOP will be branded in the window header as
being "Brought to you by PrecisionPOP."
Not required.
Use RegRun Startup Optimizer to remove it.
ra32.exe
BackDoor-CAY - password stealer trojan. Also known as
Backdoor.Carufax (AVP), Troj/Volver (Sophos), Win32.Reign (CA).
This trojan uses a stealth technique to circumvent certain
scanning technology.
The trojan attempts to capture typed keystrokes and steal web site
passwords.
Trojans do not self-replicate. They are spread manually, often under
the premise that the executable is something beneficial.
Distribution channels include IRC, peer-to-peer networks,
newsgroup postings, email, etc.
When run, the trojan creates a hidden directory named f~a within
the WINDOWS SYSTEM directory.
Adds the value: "f~a" = C:\WINNT\System32\f~a\ra32.exe
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Within this directory, several files are created:
~key.log
~pass.log
~post.log
ra32.exe
usr_ext.dll (captures keystrokes and steals password)
usrvcrt.dll (captures web site username/password)
Use RegRun Startup Optimizer to remove this trojan.
rcsync.exe
PrizeSurfer is free software that automatically enters you
to win cash and prizes just for surfing the web and shopping
online!
This program can show various pop-up windows and can take you to
different sites on the web. This may cause problems with your security
(Trojans, worms) and privacy.
Stopping it with RegRun Start Control is suggested.
realsched.exe
Real Networks Scheduler which gets installed with RealOne
Player.
Once installed, it runs independently of RealOne Player. It does
not collect personal information or communicate with RealNetworks’
servers.
It is used to remind AutoUpdate and Message Center to perform
their tasks at pre-scheduled intervals.
This Scheduler slows down boot-ups unacceptably, using up to 90%
of CPU time at times. Also, it drops advertising shortcuts
onto the desktop during idle times.
Removing it is best if you are using another player such as WinAmp.
To remove it, open RealOne Player, go to the Tools
menu, Preferences, Automatic Services.
Uncheck all automatic services.
remind32.exe
HP product registration program.
rundll32 setupapi,installhinfsection oemsyspnp 128 oemsyspnp.inf
CoolWebSearch is a name given to a wide range of different
browser hijackers.
http://www.doxdesk.com/parasite/CoolWebSearch.html
Useless.
Stop it.
rundll32.exe c:\windows\newdot~1.dll,newdotnetstartup
Advertising Spyware.
http://cexx.org/newnet.htm
rundll32.exe c:\winnt\system32\msiefr40.dll
BrowserAid is a manufacturer of various Internet Explorer
toolbars, most of which seem to be installed sneakily.
What does it do?
Displays advertising popups.
Read more:
http://www.doxdesk.com/parasite/BrowserAid.html
Removal is suggested.
rundll32.exe w3knet.dll,dllinitrun
Status: Web 3000 Spyware.
Read more:
http://www.safersite.com/PestInfo/W/Web3000.asp
Recommendation:
Stop it!
savenow.exe
Advertising spyware.
http://www.affiliatemarketing.co.uk/dec01.htm
sentry.exe
IP Insight Tracking software.
Tracks geographical and connection speed data and reports it back
to companies.
Useless.
seticon.exe
Installed if you have a 6-in-1 (4 Media Card slots, a floppy
drive and a USB connection) card reading device.
It is used to update the icons for the Media Card slots, and this
operation uses a lot of system resources.
You can remove it with RegRun Start Control.
settn.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process hcwprn.exe and remove BHO item settn.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
skinkers.exe
Howard the Weatherman desktop client from Halifax by Skinkers
- marketing/messaging tool
It allows web site owners to deliver content directly to customers'
desktops without "getting lost" within the already cluttered email
channel.
With the downloadable desktop application installed by the user,
marketeers are able to cement a far stronger relationship with
their customers.
They can also engage with them far more frequently and effectively
than through traditional methods such as email newsletters.
Add hyperlinks to push people to pages and data you want them to
see, e.g. breaking news or promotional offers.
Skinker content is usually, though not necessarily, delivered by
eye-catching corporate logos, animated characters or icons, with
their own branded dialogue windows. You have total creative
flexibility – make your Skinker and all associated dialogues,
characters and icons fit precisely with your corporate culture,
branding and identity.
Skinkers is multimedia enabled and is used to deliver rich media
such as video, images, music, copy, interactive Flash files and
other applications.
http://www.skinkers.com/index.html
sncntr.exe
This dialer program is installed through various Web sites,
mainly those with adult or pornographic content.
When it runs, it displays a window inviting you to access
different sites using a premium rate telephone number.
Remove it using RegRun Startup Optimizer.
spoo1sv.exe
PWSteal.Souljet is a Trojan horse that steals system and
personal information.
Copies itself to %System%\Spoo1sv.exe.
Adds the value: "spoo1sv" = "spoo1sv.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Creates the file, %System%\Soul.dll. This file is the keylogger
part of the Trojan.
Searches currently running processes for Explorer.exe.
Injects Soul.dll into the process space of Explorer.exe, so that
Soul.dll runs in the process context of Explorer.exe.
Soul.dll steals system information, such as the computer name and
IP address.
As previously mentioned, this Trojan also logs key strokes.
It uses the Internet to send the stolen information to a
predefined address.
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "spoo1sv" = "spoo1sv.exe"
spywareguard.exe
Advertising Spyware.
Part of RapidBlaster software
http://www.rapidblaster.com/
Typically displays pop-ups for porn sites.
Read more about:
http://www.doxdesk.com/parasite/RapidBlaster.html
Removal with Rapid Blaster Killer is suggested:
http://www.wilderssecurity.net/specialinfo/rapidblaster.html
stub.exe
Kazaa/Ezula/TopText Scumware.
eZula TopText is a browser plug-in for Internet Explorer.
Read more:
http://www.whirlywiryweb.com/removeezula.htm
The main executable file is stub.exe. It is located in Windows\System
or in Windows\System32.
Removing it from startup is suggested.
1. From your Taskbar select: Start > Settings > Control Panel >
Add/Remove Programs
2. In the 'Add/Remove Programs' window, locate one of the
following program names: TopText, HotText, ContextPro (all are
different names for the same program). Highlight the program name
you find by clicking on it.
3. Click Add/Remove or Change/Remove to begin the uninstall
process and follow it through.
4. Restart your computer.
supporter5.exe
It is a part of eScorcher anti-virus software.
Checks for updates to its virus databases each time you log on to the
web.
It is used to collect information about the user and is therefore
treated as spyware.
Not required.
svch0st.exe
Trojan.Dingsta.A is a keylogger that tries to log keystrokes
that are typed in open Web browser windows.
Then, it sends the captured keystrokes to a predefined Web site.
Creates one of these files:
Windows NT/2000/XP/2003: C:\Winnt\System32\Svch0st.exe
Windows 95/98/Me: C:\Windows\System\Svch0st.exe
Adds the value: "taskmgr.exe" = "%Path%\svch0st.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Adds the value: "taskmgr.exe" = "%Path%\svch0st.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Adds the value: "taskmgr.exe" = "%Path%\svch0st.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Constantly checks the names of all the open windows.
If this Trojan finds a window whose Title Bar matches one of these
names: Offline Explorer; Netscape; Microsoft Internet Explorer
it will log all the keystrokes typed inside that window.
Using a script running on the server that the Trojan contacts, it
submits all the logged keystrokes to a predefined URL.
Automatic removal:
Use RegRun Startup Optimizer.
sw.exe
Spyware.SilentSpy
It is a software program that monitors all the actions on local
and networked computers.
Adds the value: "SSConfig" = "SW.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Adds the subkey: "SW"
to the registry keys:
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\CurrentControlSet\Enum
Adds the value: "0" = "SW\{B7EAFDC0-A680-11D0-96d8-00AA0051E51D}\{9B365890-165F-11D0-A195-0020AFD156E4}"
to the registry key: HKEY_LOCAL_MACHINE\CurrentControlSet\Services\kmixer\Enum
Creates the following files:
C:\Silent-Spy.cnt
C:\Silent-Spy.hlp
C:\Wlp.sys
C:\Wlg.sys
C:\SW.htm
Creates the folder C:\SSS, which stores screenshots that the
spyware captures.
Captures and logs the following items:
- Every window that you open and interact with.
- All of the Web site titles and addresses that you visit.
- All the keystrokes and windows in which the keystrokes were
entered.
- Periodic screen shots.
You can remove it with RegRun.
sys32win.exe
Spyware.ActiveKeylog records keystrokes by the user and may
send this information through email.
Can be installed as part of another program, or by an installer
with a user interface.
While Spyware.ActiveKeylog may be installed through an installer,
the installation path is configurable, and the default is
C:\Program Files\Active Key Logger.
The spyware may be configured to run in stealth mode, hiding its
user interface and system tray icon.
Adds the value: "sys32sql" = "%installation path%\sys32win.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
This spyware program must be manually installed.
However, there are several known programs that have
Spyware.ActiveKeylog within them and that install it as the
program itself is installed.
Use RegRun Startup Optimizer to remove it from startup.
sysai.exe
AproposMedia is part of the 'PeopleOnPage' program, an
Internet Explorer sidebar which claims to show a list of other
users of the current site.
Also known as POP after its program name, and Envolo after the name of
the updater component included in PeopleOnPage.
PeopleOnPage was bundled with Grokster around June 2003, and it is
installed by pop-up ActiveX drive-by download.
Opens pop-up adverts at regular intervals when Internet Explorer
is in use.
When the PeopleOnPage sidebar is open, the addresses of all pages
visited are sent to the controlling server with a unique tracking
ID.
Includes an updater component which can silently download and
execute arbitrary code from its controlling server.
Removal: Use RegRun Startup Optimizer to remove it from startup.
Then go to the Control Panel's Add/Remove Programs feature. Select
and remove 'AM Server' and 'POP'.
sysdll32.exe
CoolWebSearch parasite related.
Redirecting to wholeworldmarket.com, most likely other domains as
well.
The difficulty of removing CWS from a user's system has grown from
slightly tricky in the first variant to virtually impossible for
the latest few.
Some of the variants even used methods of hiding and running
themselves that had never been used before in any other spyware
strains.
The CWShredder tool to remove Coolwebsearch will always be up to
date and is updated as fast as possible when new variants emerge.
We are pretty sure now CoolWebSearch is part of a new strain of
trojans that have recently been identified that all have one thing
in common: they install through the ByteVerify exploit in the MS
Java VM and change the IE homepage, search page, search bar, etc.
It has also been confirmed that 'Index.dat Viewer' changes your IE
search pages to superwebsearch.com, a CWS affiliate page, after
installing it.
Uninstalling Index.Dat Viewer will not restore your search pages.
sysu.exe
Adware.DynamicUpdater is an adware program that can be
downloaded by Adware.Dynamic.
This adware program is installed manually or as a component of
another program.
When Adware.DynamicUpdater is executed, it performs the following
actions:
Adds the value:
"sysu" = "c:\progra~1\ddm\sysu.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Generates frequent pop-up advertisements.
May download an executable from the Web, possibly an update of
itself.
Use RegRun Startup Optimizer to remove this adware.
tcaudiag.exe
Diagnostic program for 3COM network card.
Not required.
tgcmd.exe
This software is often used by ISPs to collect information
about your computer, to automatically send this information to the
ISP, and to auto-update itself via the Internet.
Go to Add/Remove Programs in your Control Panel and look for
something like "support agent" - these things go by several
different names - and remove it.
If you can't find it there, remove it with RegRun Start Control.
tgdc.exe
TGDC Websearch
Adware, also Known as: TGDC IE Plugin Tgdc.exe shopforgood.com
A plugin for IE that someone seems to know where it came from.
References in the code point to shopforgood.com
Stays resident in the background, hides itself from the user, and
shows advertisements:
- Makes changes to browser settings
- Connects to the internet by itself
Manual removal:
You might try deleting it from c:\program files\tgdc\ if found
there.
Remove it quickly with RegRun Terminator.
tgfix.exe
This software is often used by ISPs to collect information
about your computer, to automatically send this information to the
ISP, and to auto-update itself via the Internet.
Go to Add/Remove Programs in your Control Panel and look for
something like "support agent" - these things go by several
different names - and remove it.
If you can't find it there, remove it with RegRun Start Control.
tmpcpyis.bat
You may remove this item without any problems.
It is used to clear temp files after installation.
Usually, the setup program automatically removes tmpcpyis.bat after
installation.
tps108.dll
Advertising spyware:
VX2 Respondmiter, Blackstone Transponder
Transponder is an IE Browser Helper Object. It monitors web pages
requested and data entered into forms, sends this information to
its home server, and opens pop-up advertisement windows. It also
has the capability to update itself and install other software.
Full info:
http://217.115.153.73/parasite/Transponder.html
Removal:
Remove this item via RegRun Start Control, Windows Core
Components, BHO.
tsadbot.exe
PKWARE Pkzip special advertisement software.
tvm.exe
It is a hijacker.
Any software that resets your browser's settings to point to other
sites is called a hijacker.
Hijackers may reroute your info and address requests through an
unseen site, capturing that info.
They may also change your home page to some other site. Error
hijackers will display a new error page when a requested URL is not
found.
May cause crashes and trigger Windows XP error reporting. Likely
to slow performance of Internet Explorer.
To manually remove CleverIEHooker from your computer:
Unregister these DLLs with Regsvr32, then reboot:
systemroot+\jeired.dll
Remove these registry items (if present) with RegEdit:
HKEY_CLASSES_ROOT\clsid\{707e6f76-9ffb-4920-a976-ea101271bc25}
HKEY_CLASSES_ROOT\interface\{707e6f76-9ffb-4920-a976-ea101271bc25}
HKEY_CLASSES_ROOT\typelib\{707e6f76-9ffb-4920-a976-ea101271bc25}
HKEY_LOCAL_MACHINE\software\classes\clsid\{707e6f76-9ffb-4920-a976-ea101271bc25}
HKEY_LOCAL_MACHINE\software\classes\typelib\{707e6f76-9ffb-4920-a976-ea101271bc25}
Remove these files (if present):
systemroot+\jeired.dll
Or use RegRun Startup Optimizer to automatically remove this
hijacker.
updmgr.exe
This is an auto-updater that starts every time you try to
connect to the internet.
Bundled with Kazaa.
Not required.
updreg.exe
Reminder to register Creative Labs SoundBlaster Live! cards.
Not required.
vcatch.exe
Spyware that installs CommonSearch, UCMore, Bargain Buddy, and
others.
Claims to be an anti-virus product. From the doc:
'We record and analyze the use of the service and software in
order to get general, aggregate compilations of users'
characteristics and uses of the Internet to potential users and
commercial partners. We may use the information that we gather for
statistical purposes in aggregate, anonymous form and for
advertising, marketing, and other commercial activities.'
Manual Removal:
Kill these running processes with Task Manager:
programfilesdir+\commonsearch\vcatch\vcatch.exeadp.exe
vcatch.exe
vctadpi7099.exe
Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value that contains 'Vcatch.exe'.
Unregister mcact.dll with Regsvr32, then reboot.
Remove these registry items (if present) with RegEdit:
HKEY_CURRENT_USER\software\commonsearch
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\vcatch
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\vcatch - the personal virus catcher
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\vcatch - the personal virus catcher
HKEY_USERS\s-1-5-21-1409082233-1390067357-1801674531-500\software\commonsearch
Remove these files (if present) with Windows Explorer:
programfilesdir+\commonsearch\vcatch\vcatch.exeadp.exe
ath.mgf; frb.mgf; install.log; license.txt; mcact.dll; snd.mgf;
sub.mgf; sze.mgf; vc.txt; vcatch.exe; vcatch.lnk; vcsetupnew.reg;
vctadpi7099.exe
Remove this directory (if present) with Windows Explorer:
programfilesdir+\commonsearch
Use RegRun to automatically remove this spyware from the system
registry.
viewmgr.exe
Viewpoint Manager for Viewpoint Media Player
It is spyware bundled with AOL, AOL Instant Messenger, Netscape
7, etc.
According to the developers: "Viewpoint Media Player integrates
photo-realistic 3D, high-resolution 2D images, Macromedia Flash,
audio, and other media formats into HTML pages through a single
media host. Essentially a graphics operating system, VMP includes
both an ActiveX control and a Netscape plug-in that permits its
graphics and online services to be accessed through Web browsers
across multiple platforms and over narrowband connections, all
while requiring no special server-side software.
This technology can be used for business applications ranging from
advertising and e-commerce to online customer service and
training."
Viewpoint Media Player collects information about the user.
From the vendor's privacy policy: To provide a satisfying consumer
experience and to operate effectively, the Viewpoint Media Player
periodically sends information to servers at Viewpoint.
Detected as spyware by some detection programs.
Unused files:
AxMetaStream.dll, ComponentMgr.dll, MetaStreamID.ini,
MtsAxInstaller.exe, npViewpoint.dll, npViewpoint.xpt,
JpegReader.dll, Mts3Reader.dll, SceneComponent.dll, SreeDMMX.dll,
SWFView.dll, WaveletReader.dll
Please remove this spyware with RegRun Startup Optimizer.
vx2.dll
Advertising spyware:
VX2 Respondmiter, Blackstone Transponder
Transponder is an IE Browser Helper Object. It monitors web pages
requested and data entered into forms, sends this information to
its home server, and opens pop-up advertisement windows. It also
has the capability to update itself and install other software.
Full info:
http://217.115.153.73/parasite/Transponder.html
Removal:
Remove this item via RegRun Start Control, Windows Core
Components, BHO.
webinstaller.dll
ShopAtHomeSelect is a Winsock 2 Layered Service Provider that
redirects visits to merchant sites in order to take the affiliate
fees from them automatically.
Also known as Golden Retriever.
Bundled with Grokster (around the start of 2003) and iMesh 4. Also
installed by the FavoriteMan parasite from May 2003.
It does not display advertising or violate privacy.
The software can download and execute code from its controlling
server, as a silent update feature.
In testing, it seemed to cause the browser to run quite slowly.
Removal:
There should be an entry in the Control Panel's Add/Remove
Programs for 'ShopAtHomeSelect Agent'.
Use it to remove the software, then restart the computer.
You can delete the damaged
'{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}' entry inside the
'Downloaded Program Files' folder,
the 'SAHUninstall.exe' file in the 'Windows' folder and 'SahAgent.log'
in the root of the C: drive to clean up if you like.
Not required.
Use RegRun Startup Optimizer for removal.
win32_i.exe
Advertising Spyware.
Typically displays pop-ups for porn sites.
Read more:
http://www.doxdesk.com/parasite/RapidBlaster.html
Remove it from startup with RegRun Startup Optimizer or
use Rapid Blaster Killer:
http://www.wilderssecurity.net/specialinfo/rapidblaster.html
win32info.exe
Adult content dialler.
Installed through various Web sites with pornographic contents.
Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.
win32us.exe
All-In-One Telcom.
Adult content dialer:
a trojan that dials toll numbers without user awareness or
permission.
Read more:
http://www.safersite.com/PestInfo/db/a/all-in-one_telcom.asp
winamp.hta
This is not the real WinAmp program. It is used to redirect
you to adult content sites when you are surfing the web.
winfavorites.exe
Adware.WinFavorites.B
It is a program that downloads advertisements and updates them
periodically.
When executed, it creates the file C:\Program Files\WinFavorites\WinFavorites.exe.
It then adds the values:
"DisplayName"="Win Favorites"
"UninstallString"="C:\Program Files\WinFavorites\WinFavorites.exe /uninstall"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Win Favorites
Adds the value: "WinFavorites" = "C:\Program Files\WinFavorites\WinFavorites.exe1"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Attempts to download files from www.flingstone.com.
Remove it from the system registry with RegRun.
winnet.exe
CommonName Sidebar from www.commonname.com
Advertising Spyware. The uninstall program requires one to access
the internet, get a validation code, and then enter this code to
get the application to unload. None of this is stated upfront when
installed.
winstart001.exe
IGetNet is a plug-in search addition to your IE Browser that
will redirect your searching to customers of IGetNet. May disable
other browser plug-ins.
Uninstalling this software is suggested.
wxprocmgr.exe
TVTonic from Wavexpress.
Users can download data, including full-screen, DVD-quality
video channels.
Adds advertising to the data.
xadbrk.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process xddbrk.exe and remove BHO item xadbrk.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
xadbrk.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up
advertising as you use Internet Explorer, and a task run at
startup which hijacks your home page, search and error pages to
point to AdBreak's servers.
Removal:
Stop the process xddbrk.exe and remove BHO item xadbrk.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.html
xtcfgloader.exe
Toolbar addition to your browser that is supposed to enhance your
searching. It will cause pop-up ads to appear on sites that don't
normally support them.
Remove it from startup.
zupdate.exe
A player for 'rich media' advertising. Similar to Onflow.
Its other names are Brilliant Digital (company name) and B3D
Projector (application name).
Apart from being downloadable from Brilliant's own
legitimate-looking site, it is also stealth-installed by newer
versions of KaZaA and other free applications.
It allows sites to use annoying advertising with 3D effects,
sound, and so on. However, it does not add its own advertising to
other sites.
The Projector downloads new components and updates silently.
Code-signing seems to be used, to ensure only Brilliant Digital
can write code to be executed by the software.
The Projector has 3D functions, which are always liable to cause
problems with some graphics cards and driver versions.
Removal:
You can use 'Add/Remove Programs' to remove 'B3d Projector'. Then delete
the directory 'BDE' inside your Windows directory, and the files 'bdeinstall.exe',
'bdeinsta2.dll', 'bdefdi.dll', 'bdedata2.dll', 'bdedownloader.dll',
'bdeverify.dll', 'bdesecureinstall.exe' and 'bdesecureinstall.cab'
inside your System directory.
Also use RegRun Startup Optimizer to remove it from the system
registry.