Windows Startup Programs database Startup Programs - Useless
Home
Features  
    On-line Guide
   Help On-line
   Screenshots
Order
Download  
     Localization
Awards
Support  
    NI Forum
   Mickey Forum
   Greatis Forum
Startup Programs
Application Database

Hot!
Download:
RegRun 4.0 beta 2
What's new?

Greatis Home

Subscribe:
The Application Database suggests you which Windows startup programs are usefual and which are bad.
The recommended tool for quickly removing the useless programs is RegRun Startup Optimizer.
www.startupapps.com

Get RegRun now! Buy Now! Purchase RegRun Suite
Download Download RegRun Suite
Search Database for:
RegRun > Greatis Startup Application Database > Useless

Useless 

%program files%\rvp\bpc.exe
%programfiles%\srng\srng.exe
%system%\netda.exe
addclass.exe
addestroyer.exe
advchk.exe
aimwdinstall.exe
alchem.exe
amcis2.dll
apuc.dll
atiptaxx.exe
autoreg.exe
autoup~1.exe
babeie.dll
backweb-4448364.exe
bargains.exe
bdsrhook.dll
bh304181.dll
bigfix.exe
bmz.exe
bootconf.exe
brnts6.exe
bs3.dll
bxxs5.dll
cfd.exe
channelup.exe
chostsv.exe
cme.exe
cmesys.exe
cnbabe.exe
cnbarie.dll
cnform.exe
commonname.exe
compaq-rba.exe
consol32.exe
ct_load.exe
ctb.exe
ctbclick.exe
cteaxspl.exe
ctin10.exe
ctregrun.exe
ctsrreg.exe
dcppaid.exe
dlder.exe
dlgli.exe
dmserver.exe
dsa.exe
dsb.exe
dssagent.exe
eanthology_install.exe
emsw.exe
exploror.exe
ezulaboot.dll
ezulumain.exe
fhfmm.dll
fhfmm.exe
findfast.exe
findservice.exe
flt.dll
flydesk.exe
fsw.exe
gator.exe
gshp.vbs
gssomatic.exe
gstartup.lnk
hcwprn.exe
hxdl.exe
hxiul.exe
icw97.inf
ie_32.exe
ieasst.dll
iehelper.dll
ietie.dll
kazoom.exe
keyloggerpro.exe
khooker.exe
khost.exe
kkcomp.dll
kkcomp.exe
kvnab.dll
kvnab.exe
lexstart.exe
liqad.dll
liqad.exe
liqui.dll
liqui.exe
loader.exe
loadqm.exe
loadwc.exe
mdm.exe
mfc42w.exe
mobsync.exe
mosearch.exe
moz030715s.dll
mp3ad.exe
mrtalk.exe
msa32chk.dll
msbb.exe
msckin.exe
mslogon.exe
msoffice.exe
mstapi.exe
msview.dll
msystem.exe
mwcpyrt.exe
ndrv.exe
netdotnet.dll
netratings.exe
newdotnet3_36.dll
newdotnet6_30.dll
newsupd.exe
nin1t.exe
npnsdad.exe
npnzdad.exe
oemreset.exe
onflow.exe
osa.exe
osa8.exe
osa9.exe
p_981116.exe
p2p networking.exe
pbsysie.dll
powerreg scheduler v3.exe
powerreg scheduler.exe
powerreg schedulerv2.exe
ppstub.exe
ra32.exe
rcsync.exe
realsched.exe
remind32.exe
rundll32 setupapi,installhinfsection oemsyspnp 128 oemsyspnp.inf
rundll32.exe c:\windows\newdot~1.dll,newdotnetstartup
rundll32.exe c:\winnt\system32\msiefr40.dll
rundll32.exe w3knet.dll,dllinitrun
savenow.exe
sentry.exe
seticon.exe
settn.dll
skinkers.exe
sncntr.exe
sndcfg16.exe
spoo1sv.exe
spywareguard.exe
ssmgr.exe
stub.exe
supporter5.exe
svch0st.exe
sw.exe
sys32win.exe
sysai.exe
syschecks.dll
sysdll32.exe
systree.exe
sysu.exe
tcaudiag.exe
tgcmd.exe
tgdc.exe
tgfix.exe
tmpcpyis.bat
tps108.dll
tsadbot.exe
tvm.exe
updmgr.exe
updreg.exe
vcatch.exe
vhchost.exe
viewmgr.exe
vx2.dll
webinstaller.dll
win32_i.exe
win32info.exe
win32us.exe
winamp.hta
winfavorites.exe
winnet.exe
winstart001.exe
wxprocmgr.exe
xadbrk.dll
xadbrk.exe
xtcfgloader.exe
zupdate.exe

%program files%\rvp\bpc.exe
Useless.
Downloads and displays ad popups at intervals.
Remove it from startup.
Read more:
http://www.pestpatrol.com/PestInfo/b/bro...

%programfiles%\srng\srng.exe
Spyware.2020search.
It is a search hijacker that is installed as a Browser Helper Object Toolbar in Microsoft Internet Explorer.
Certain address bar searches and unknown domain name searches will be redirected to the program's controlling servers.
It comes bundled and installs Spyware.Shopnav.

Also, it replaces Internet Explorer's Search pane with a search page at pop.popuptoast.com/9908/search/search.html.
Installs a new Internet Explorer toolbar.
Downloads Svchost.exe from www.2020search.com/9908/install.
Creates the folder, %ProgramFiles%\Dynamic Toolbar.
Registers the file, 2020search2.dll, so that it is integrated it into Internet Explorer.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Srng"="C:\Program Files\Srng\Srng.exe"

Or use RegRun Startup Optimizer to automatically remove this spyware.

%system%\netda.exe
Troj/Dumaru-K is a Trojan with password stealing capabilities.
It will steal passwords related to online banking, shopping, investment and gambling.
Gathers clipboard data, passwords and confidential information from the protected storage area of Windows.
In particular WebMoney, The Bat, Total Commander and Far Manager account details are targeted.
It has the ability to log keystrokes. Also, it will attempt to gather username and password details from any window containing predefined text.
Troj/Dumaru-K will attempt to send this information to a pre-configured website as a web form or in an email to a pre-configured Russian address.
May reduce the security of Internet Explorer's content zones in an attempt to avoid alerting the user that details are being sent over the web.
The Trojan may also turn on the AutoComplete and AutoSuggest features of Internet Explorer in order to cache passwords.
This trojan will alter the HOSTS file in an attempt to deny access to certain anti-virus websites.

Manual removal:
Find the following registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: load32 = \netda.exe

addclass.exe
CoolWebSearch is a name given to a wide range of different browser hijackers.
Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.
Suspected to be installed by pop-ups exploiting security holes in IE.
The script may open mostly porn pop-ups if it thinks the page being viewed is porn-related.

addestroyer.exe
Adware.AdDestroyer claims to be a spyware remover.
However, it sets itself to run when you start the computer and it remains memory-resident.
When it runs, the software will periodically attempt to contact a server to download updates and instructions.
Some versions may annoy you with pop-up advertisements in Internet Explorer.
They claim that your system is at risk and that you should purchase an upgrade to AdDestroyer.

Remove it byRegRun.

advchk.exe
This program warns you when you install a new version of a Norton product and you didn't uninstall all previous versions.
But in some cases it is incorrect, for example:
when you install Norton SystemWorks (NSW), you see the message "A previous version of Norton SystemWorks was detected. You must uninstall the old version before installing the new one" or a similar message. After you uninstall the previous version of NSW and start to install NSW, you see the same message.
The installation does not proceed.
In this case you must delete following key from the system registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Advchk.exe

aimwdinstall.exe
This is tapping videogame maker of WildTangent Inc. to combine online games with instant messaging as part of a broader effort to generate revenue from its popular free chat service. It also collects and shares private information.
The games are integrated with the messaging service, so players can use the chat software to communicate with one another and to invite players to join a game.
Unlike e-mail messages, which must be opened, instant messages appear automatically on a user's computer screen.

alchem.exe
This is Ad-ware component.
Suggest to remove from startup.
Read more:
http://webhelper.netfirms.com/index.html

amcis2.dll
Part of the Aureate Advertising spyware. Suggest to remove.

apuc.dll
Spyware - BargainBuddy.
Read more:
http://simplythebest.net/info/spyware/ba...
First, try to uninstall Bargain Buddy via Control Panel,Add/Remove
Programs.
If you couldn't found Bargain Buddy, remove it from startup by RegRun.

atiptaxx.exe
ATI Video card additional utility. Often used a lot of processor resources.
Not required.

autoreg.exe
US Robotics Registration

autoup~1.exe
This is not virus.
This is adware software Envolo AutoUpdater.
It has different versions.
Read more:
http://www.doxdesk.com/parasite/AproposM...
http://www.pestpatrol.com/PestInfo/p/peo...

Remove it from startup by RegRun Startuip Optimizer.

babeie.dll
CommonName Toolbar spyware.
It is installed as toolbar to Internet Explorer.
CNBabe adds CNBABE.DLL to the Browser Helper Objects list.
It traces all your Internet activity.
Removal:
Choose CommonName entry in the Control Panel's Add/Remove Programs option.
If it doesn't work stop, remove from startup:
CommonName.exe, Cnbabe.exe, cnform.exe, cnbabe.dll, BabeIE.dll, and CNBarIE.dll.

backweb-4448364.exe
BackWeb is a generic, background downloading tool that software vendors can incorporate
into their product to download data (e.g. product updates) to the user's PC. Its operation
depends on the instructions given to it by the individual software vendor who bundles it.
BackWeb has been associated with numerous large companies working on a corporate level to
deliver timely information and updates. Essentially, BackWeb is a communications program whereby
a large amount of users may be contacted in an instant.
Read more:
http://pestpatrol.com/pestinfo/b/backweb...
Useless.

bargains.exe
Advertising spyware.
Often installed with useful free software like Net2Phone and some versions of LimeWire.
Stop this process and remove from startup.

bdsrhook.dll
Baidu toolbar:
http://bar.baidu.com/
Not required. May cause the problems in Internet Explorer.
Suggets to uninstall.
If you do have no uninstallation procedure, remove it by RegRun.
More info:
http://www.pestpatrol.com/PestInfo/b/bdp...

bh304181.dll
This is part of Kontiki software.
This is advertising spyware.
You may receive this software with other downloadable software like a
game.
http://www.extremetech.com/article2/0,3973,365073,00.asp
Kontiki software allows Gamespot or other customers to monitor the actions
of users, down to the individual PC.

You can remove it by uninstalling Kontiki software.
If it doesn't work, use RegRun Start Control->Windows Core Components
to remove Kontiki.

bigfix.exe
It is used to automatically receive and read technical support information provided by computer and software manufacturers and other technical support experts.
Also can automatically check your computer for bugs, configuration conflicts, and security holes. It is a resource hog! Please start it manually.

bmz.exe
nCase is adware from 180Solutions.
It consists of a process, msbb.exe, that runs constantly with Windows and shows advertising.

nCase is aware of the FlashTrack parasite and will disable it if it is running, to stop it showing competing adverts.
Some versions also seem to connect to the Gator web servers occasionally, for unknown reasons.
Bundled with a large range of applications, particularly file-sharing programs.
nCase are known to send e-mail to software authors asking them to include the nCase bundle.

Also installed by ActiveX drive-by downloads in adverts inserted on some free web hosting services,
and also installed by the FavoriteMan and BookedSpace parasites.

Looks for known URLs and keywords in URLs, and opens pop-up advertisements targeted at such sites.
Also opens non-targeted pop-up adverts at arbitrary times during IE usage.
Can add shortcut icons to the Start menu and Desktop if directed to by its controlling servers.
nCase can download and execute code from its controlling servers, as an update feature.

May cause an error message such as "msbb.exe file is linked to the missing export wininet.dll" on older systems without a WinInet library.
Can also cause IE to be a bit slow to start up, and some versions are reported to generate page fault errors.

Manual removal:
Navigate ro the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and delete the entry "msbb".
To delete nCase/Alert, also check for a randomly-named entry three or more letters long, pointing to a .EXE of the same name in the Windows folder.
Delete this entry and the file it points to. Alternatively, wait for the next restart and it should prompt to you reinstall or remove itself.
Restart the computer and delete the 'nCase' folder inside Program Files. Or in older versions without an 'nCase' folder, look in the System folder and delete msbb.exe.
Also delete the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb and HKEY_CURRENT_USER\Software\180solutions.

Or try to use RegRun Startup Optimizer to automatically remove this adware.

bootconf.exe
This is absolutely useless application.
It's also named IE Homepage hphijacker.
What it does:
It writes to C:\WINDOWS\HOSTS
this is changes msn.search to its IP
Delete this record from c:\windows\hosts:
1123694712 auto.search.msn.com
It creates c:\windows\defaults.css (style sheet) that contains IP.
Registry changes:
Registry key HKLM\Software\Microsoft\Internet Explorer\Search
Changed: Search, SearchAssistant, Search Page, Default_Search_URL etc.
Read more:
http://boards.cexx.org/viewtopic.php?p=2...
By default (on my computer) the Search key contains two values:
CustomizeSearch="http://ie.search.msn.com/{SUB_RFC1766}/s...
SearchAssistant="http://www.searchgateway.net/search/"

Other values you may remove.

Remove it by RegRun Startup Optimizer.
Set the default setting for IE by opening Control Panel, Internet
Settings.

brnts6.exe
Spyware.InTheKnow
It is a program that detects keystrokes and takes snapshots of specified programs on your computer.

When Spyware.InTheKnow runs, it performs the following actions:
Displays an introductory message.
Gives you the option of registering the product at www.itksoft.com or entering a registration key.
Allows you to type the main password. Typing this password while using any Windows program brings up the user interface.
Gives you the option to determine the interval between taking snapshots.
Gives you the choice of which programs to take snapshot of.
Gives you picture management options, including how long files are stored and the maximum storage amount.

Creates some files in %Temp%\WZS2.tmp\
Creates the files in %System%\
Creates the folder %System%\Balance, which is to used to store the keystroke and snapshot data.
Creates the folder, C:\ITKExport, which is to used to store exported reports that the Spyware generates.

Adds the subkey: grnx
to the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft
and adds some values to that subkey:

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Brnts6.exe" = "%System%\Brnts6.exe"
Next, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft
and delete the value: "Tg-DTGA3m" = "626I39vGvzVzYL26Oef"
Also, delete the key: HKEY_LOCAL_MACHINE\Software\Microsoft\grnx

bs3.dll
This is advertising spyware and you should to get rid of this
item.
Read more about it:
http://www.doxdesk.com/parasite/BookedSp...
To remove it, open RegRun Start Control, go to the Windows Core
Components tab. Open Windows Core Components Wizard.
Go to the BHO tab.
Uncheck bs3.dllb and Apply.

bxxs5.dll
BookedSpace Adware.
Displays popup ads to your computer.
This software may be silently installed by MThree MP3 to WAV converter
or other software.
Try the uninstaller at http://bookedspace.com/uninstaller.exe
If it doesn't work:
Remove this BHO item by RegRun Start Control.
Also remove "bsx3", or "bsx5" or similar from startup.

cfd.exe
BroadJump Client Foundation.
This software is installed with your DSL cable modem driver.
Actions:
1) Installs some software under C:\Program Files\BroadJump\Client Foundation,
2) Adds Comcast entries to the browser's "Favorites"
menu
3) Adds IPrenew.bat file for the 0.000001% of users who can't figure out how to renew their IP manually.
4) Replaces a few Microsoft redistributable DLL's.
5) Puts a DevMngr.vxd (or BJIPAddr.vxd) in the Windows\system folder.
May be stopped without any problems.

channelup.exe
Adware-BuddyLinks application. This is not a virus or trojan.
It is an potentially unwanted program that requires users to download an installer, agreeing to the terms of the program, which includes sending a messages to all users on your AOL Instant Messenger buddy list with a link to the installer page.

This application works when visiting the www.wgutv.com or download.buddylinks.net websites.
Once this page has loaded, users are prompted to install and run a program.

The application creates some files and folders:
%Program Files%\buddylinks.net
%Program Files%\Common Files\PSD Tools

Adds the key to the system registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"PSD Tools Channel" = C:\Program Files\Common Files\PSD Tools\ChannelUp.exe

The following registry keys are also evidence that this application was run:
HKEY_CLASSES_ROOT\Interface\{00D38C81-14B3-44DE-B023-3BDC5BDE4FEC
HKEY_CLASSES_ROOT\CLSID\{FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4}

Removal Instructions:
To uninstall this application, use the ADD/REMOVE Programs Control Panel and remove the applications related to:
BuddyLinks
PSDT Messaging Integration
PSD Tools ChannelUp v1.0 (remove only)

And use RegRun Startup Optimizer to remove this adware.

chostsv.exe
PWSteal.Banpaes.C.
Is a Trojan horse that attempts to steal online banking information.

Also known as PWSteal.Banpaes, PWSteal.Banpaes.B

When PWSteal.Banpaes.C is executed, it performs the following actions:
Creates the following files:
%System%\Chostsv.exe
%System%\Mouse32.dll
%System%\Keybrd32.dll
%System%\Kuser.dll
%System%\Serv.dll
C:\Temp\Install.exe (This may not be created if the Temp folder does not exist in this location).

Adds the value:
"chostsv"="%System%\chostsv.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Logs keystrokes if the keystrokes are entered in windows that have any of the following strings in the window's title bar:
Caixa Economica Federal
Internet Banking CAIXA
BESC - Banco do Estando de Santa Catarina
Banco do Estado de Santa Catarina
Gerenciador Financeiro
Teclado Virtual
HSBC
Credicard
MasterCard
and some other.

Then, this Trojan sends the keystrokes to a predefined email address.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"chostsv"="%System%\chostsv.exe"

Or use RegRun to automatically remove this registry item.

cme.exe
Part of Gator advertising spyware.
Here is a removal instructions - http://www.pchell.com/support/gator.shtm...
Use the automatic ActiveX download/installation program if your security settings set low.

cmesys.exe
Advertising spyware. The part of the Gator (http://www.gator.com)
Warns the user about advertising features (why freeware).

cnbabe.exe
CommonName Toolbar spyware.
It is installed as toolbar to Internet Explorer.
CNBabe adds CNBABE.DLL to the Browser Helper Objects list.
It traces all your Internet activity.
Removal:
Choose CommonName entry in the Control Panel's Add/Remove Programs option.
If it doesn't work stop, remove from startup:
CommonName.exe, Cnbabe.exe, cnform.exe, cnbabe.dll, BabeIE.dll, and CNBarIE.dll.

cnbarie.dll
CommonName Toolbar spyware.
It is installed as toolbar to Internet Explorer.
CNBabe adds CNBABE.DLL to the Browser Helper Objects list.
It traces all your Internet activity.
Remove from startup:
CommonName.exe, Cnbabe.exe, cnform.exe, cnbabe.dll, BabeIE.dll, and CNBarIE.dll.

Full information:
http://217.115.153.73/parasite/CommonNam...
Removal:
Choose CommonName entry in the Control Panel's Add/Remove Programs option.
If it doesn't work stop its auto run but do not delete files

cnform.exe
CommonName Toolbar spyware.
It is installed as toolbar to Internet Explorer.
CNBabe adds CNBABE.DLL to the Browser Helper Objects list.
It traces all your Internet activity.
Removal:
Choose CommonName entry in the Control Panel's Add/Remove Programs option.
If it doesn't work stop, remove from startup:
CommonName.exe, Cnbabe.exe, cnform.exe, cnbabe.dll, BabeIE.dll, and CNBarIE.dll.

commonname.exe
CommonName Toolbar spyware.
It is installed as toolbar to Internet Explorer.
CNBabe adds CNBABE.DLL to the Browser Helper Objects list.
It traces all your Internet activity.
Removal:
Choose CommonName entry in the Control Panel's Add/Remove Programs option.
If it doesn't work stop, remove from startup:
CommonName.exe, Cnbabe.exe, cnform.exe, cnbabe.dll, BabeIE.dll, and CNBarIE.dll.

compaq-rba.exe
Compaq Message Server.
Not required, may cause conflicts with other software.
Suggest to stop it.
Read more:
http://www.pacs-portal.co.uk/startup_pag...

consol32.exe
This hijacker redirects to a porn portal, where foistware like ISTBar gets stealth installed.
It opens up a site over and over every couple of minutes.
It opens up a new internet explorer page. The page it opens up redirects to a porn page.
The page that opens up has the address http://trafficex.org/trs/redirect.php?ad... of something like that.

Remove it with RegRun Startup Optimizer.

ct_load.exe
CyDoor advertising spyware.
Remove it from startup.

ctb.exe
The ClickTheButton is described as a price comparison service. It detects when you are visiting a known shopping site and provides sponsored links to competitor sites.
It runs as a process on startup (ctbclick.exe) and installs a number of extra DLLs.

The ClickTheButton has had "legitimate" distribution channels, but now it being silently installed with other applications (eg. some releases of KaZaA).
The ClickTheButton downloads parts of advertising pages when you visit a new web site.
When a complete advertisement has arrived, it will be displayed, usually as a pop-up or pop-under window.
ClickTheButton monitors visits of known shopping sites.

Manual removal:
Kill the 'ctbclick' process, delete 'CTB3_Shared' from the Windows directory, delete 'CTBHooks.dll' from the System directory (WINDOWS\SYSTEM or WINNT\System32).
Delete the value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ClickTheButton.
You can also remove the registry key HKLM\SOFTWARE\CTB_BrandedClient, and every class in HKEY_CLASSES_ROOT
that begins with 'CtbClient', 'CtbSession', 'CtbShopper' or 'CtbXML'.
Remove these registry items (if present):
HKEY_CLASSES_ROOT\clsid\{ab4dd0f0-38da-4f48-aafe-7de7323bb6b2}
HKEY_LOCAL_MACHINE\software\ctb_brandedclient

Use RegRun Startup Optimizer to quickly remove ClickTheButton.

ctbclick.exe
Adwertising spyware.
Brings targeted ads to your computer, after you provide initial consent for this task. May will track your browsing habits and report this info to a central ad server.
1. Stop process named the 'ctbclick' by RegRun Process Manager or by Task Manager.
2. Remove it from startup.

cteaxspl.exe
Creative Audigy EAX splash screen. Shows video splash during startup. Not required.

ctin10.exe
PWSteal.Bancos.E.
Is a Trojan horse that imitates the online interfaces of certain Brazilian banks to try to steal account information.
It is a minor variant of PWSteal.Bancos.D.
Also known as PWSteal.Bancos, PWSteal.Bancos.B, PWSteal.Bancos.C, PWSteal.Bancos.D

Copies itself as itself to the %System%\Ctin10.exe.

Adds the value:
"CTin10"="%System%\CTin10.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
so that the Trojan runs when you start Windows.

If the file C:\BancoBrasil\officeIE\officeIE.CAB exists, the Trojan will move it to C:\officeIE.CAB.

Monitors the active Internet Explorer windows, waiting for you to open a Web page that matches the characteristics of certain banking sites.
Such as:
https:/ /www2.bancobrasil.com.br/aapf/aai/principal
https:/ /bankline.itau.com.br/GRIPNET/Montamenu.exe
https:/ /internetcaixa.caixa.gov.br/NASApp/SIIBC/Login_ok.processa
https:/ /wwwss.bradesco.com.br/scripts/ib2k1.dll/LOGINCHK#top

When such a site is opened, the Trojan displays one of several login screens, which are selected according to the URL.
The information entered on these screens may then be emailed to another computer.

Manual removal:
Navigate to the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value:
"CTin10"="%System%\CTin10.exe"

ctregrun.exe
Creative Labs registration reminder. Not required.

ctsrreg.exe
Creative Sound Blaster Live registration reminder. Not required.

dcppaid.exe
The purpose of DCPPaid.exe is to keep reminding the user that his
DriveCrypt Plus Pack evaluation period has expired and he should now
uninstall the software. We Did not think it fair to deny him access to his
disks, or suddenly remind him that it would be unavailable pretty soon, so
we designed this reminder program, which cannot be removed without
uninstalling DriveCrypt Plus Pack. The DCPPaid file is not spyware, and we
do not use it to communicate or store anything about the user's activities.

dlder.exe
Spyware.Dlder is the spyware program that submits user's Internet usage information to a server.
Also It submits personal information, such as an IP address, the user's Web browser, and a Global Unique Identifier (GUID).

When Spyware.Dlder was installed, it displays several characteristics that are similar to those of backdoor Trojan Horses.
When the installer of Spyware.Dlder is executed, it does the following:
Does not display information on the screen.
Creates several files and registry keys on the system.
Attempts to download an additional file.
The main file of this Spyware component is Dlder.exe, which was inserted as a hidden file in the \Windows folder.

When the installer executes this spyware, it attempts to contact the site www.2001-007.com and download a file named Explorer.exe to a hidden folder in the \Windows folder, named "Explorer" (not to be confused with the Microsoft file, Explorer.exe, in the Windows folder). It is this downloaded Explorer.exe that contains the main functionality of this spyware application.

Manual removal:
Delete this keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Dlder
HKEY_LOCAL_MACHINE\Software\games\ClickTillUWin

Use RegRun Startup Optimizer to remove this spyware.

dlgli.exe
Backweb installer.
Suspected Adware/Foistware: BackWeb Client

Backweb is a background downloading tool that software vendors can distribute with their product to download data (product updates) to the user's machines.
It's operation depends on the instructions given to it by the individual software vendor who bundles it.

But usually, users have associated it with the appearance of unwanted advertising windows.

May comes with Western Digital's Data Lifeline software.

WD Data Lifeline BackWeb Lite Installer (DLGLI.EXE)
This appears to use the BackWeb product to quietly install unknown items to your computer.
When installing Western Digital Data Lifeline, a reference to DLGLI.EXE is placed in the Windows Startup folder so that it is loaded at startup.
Similar to the Gator install stub, the software slowly downloads ("trickles") the software onto the system.

More recently, the BackWeb client was caught installing with Logitech mouse drivers for purposes unknown.
There is a popup message: "It's Wednesday! Time to update your mouse driver again!! Yah right." The installed file is Iadhide3.dll.

Also, it is installed with Kodak digital camera sync software as a software updater.


How to remove:
If you did not know who install this product, or are noticing unwanted advertisements appearing on your computer, you can try disabling or removing this product.
Backweb does not come with an uninstall option.

Use RegRun Startup Optimizer to get rid of this item.
Startup Optimizer will kill DLGLI.EXE process in memory and will remove from startup. After that you may delete its files.

dmserver.exe
Comet DMServer.
Adware.
Read more:
http://www.pestpatrol.com/PestInfo/c/com...
Useless.
Remove it from startup.

dsa.exe
Spyware.DesktopSpy
This is a spyware program that captures screenshots at a predefined interval. This spyware can run in stealth mode.

The installation path is configurable, and the default path is %System%\DSA.

When the Spyware.DesktopSpy runs, it does the following:
Creates and adds the subkeys to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\KMiNT21\PersonalDesktopSpy

Adds the value: "DesktopSpy"="%System%DSA\dsa.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Saves screenshots to %System%\DSA\Images\ at a predefined interval.

Remove it from startup with RegRun Startup Optimizer.

dsb.exe
Adware.EnergyPlugin
It displays advertisements when you are browsing the Internet.
Copies itself to %Program Files%\DSB\Dsb.exe.
Creates temporary log files in %Program Files%\DSB.

Adds the value: DSB = %Program File%\DSB\DSB.exe
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Searches active windows for a Web browser and displays pop-up advertisements.

Automatic removal: Use RegRun Startup Optimizer to remove this adware from startup.

dssagent.exe
Advertising Spyware
http://cexx.org/dssagent.htm

eanthology_install.exe
Advertising software.
This is software that brings ads to your computer.
Such ads may or may not be targeted, but are "injected" and/or popup, and are not
merely displayed within the form of an ad-sponsored application.
Read more:
http://www.pestpatrol.com/PestInfo/e/eac...
Suggest to remove it.

emsw.exe
HelpExpress adware.
Displays ad popups.
Remove it from startup.
http://www.kephyr.com/spywarescanner/lib...

exploror.exe
Troj/Delf-ON is a Trojan for the Windows platform that will create the following viral files:
Windows\exploror.exe
Windows\System\exploror.dll
Windows\System\FinDrv.dll

May also set the registry key HKCU\Software\Microsoft\Windows\Current\Version\Internet Settings\Global User Offline = 1
This trojan will log keystrokes to the file Windows\bubbes.bmp which it will then attempt to email out to a third party.
Also, it may open a backdoor listening for incoming commands from a remote user.

Manual removal:
Delete the file Windows\bubbes.bmp if it exists.
Locate the HKEY_LOCAL_MACHINE entry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and remove any reference to exploror.exe and other files.

ezulaboot.dll
TopText Scumware.
Infects your Internet Explorer.
Remove from BHO list by Windows Core Components in Start Control.

ezulumain.exe
KaZaa advertising spyware.

fhfmm.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process fhfmm.exe and remove BHO item fhfmm.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

fhfmm.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process fhfmm.exe and remove BHO item fhfmm.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

findfast.exe
Microsoft Find Fast manager for Microsoft Office 97.
Used to indexing documents.
http://www.microsoft.com/office/ork/026/...

findservice.exe
The ActualNames software is an address bar search hijacker targeting IE and Netscape.
It also contains components to sending mail from various applications and web sites.
However, these functions are not working.

The software may or may not install with ActualNames/BrowseProxy, an ActiveX installer component, depending on how it was installed.
Bundled with KazaaMate. Also to be installed by ActiveX drive-by download from some pop-ups.
It doesn't advertising or privacy violation.
ActualNames can silently download and execute arbitrary unsigned code from its controlling server actualnames.com, as a self-updating feature.
ActualNames/BrowseProxy is also a severe security hole as it allows any web site to execute arbitrary programs.

Automatical removal:
Go to the Control Panel's Add/Remove Programs feature, choose 'AdvSearch' and click 'Remove'.
And use RegRun Startup Optimizer to remove it from startup.

Manual removal:
In the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the 'BrowseProxy' entry pointing to 'FindService.exe'.
You can also delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Olivia Corp to clean up if you like.

flt.dll
Advertising spyware - installed by some free software.
Read more details:
http://www.pestpatrol.com/PestInfo/F/Fla...
Remove from startup.

flydesk.exe
Advertising spyware

fsw.exe
Adware.FreeScratchWin displays advertisements when you browse the Web.
It is a Browser Helper Object that opens pop-up windows.
May perform the following actions:
- Change the Internet Explorer home page to www.xzoomy.com
- Capture keystrokes
- Update itself in stealth mode
- Open pop-up ads
- Track your browsing habits

Use RegRun Startup Optimizer to remove this adware.

gator.exe
Advertising spyware. Warns the user about advertising features (why freeware).

gshp.vbs
Advertising spyware.
Changes your IE home page to globalsearch.com.
Remove it from startup.

gssomatic.exe
It is a Hijacker · Toolbar.
Also known as Searchcentrix seek4free hijacker, Searchcentrix Webalize toolbar, Searchcentrix.com/Mygeek.com hijacker.
Toolbar: SearchCentrix.Mygeek.com, SearchCentrix.Seek4Free, SearchCentrix.Webalize
Likely to slow performance of Internet Explorer.

Automatic Removal:
Use RegRun Startup Optimizer to remove it from startup.

Manual Removal:
Stop these running processes with Task Manager and then delete these files:
fsgintl.exe, fsgus.exe, gssomatic.exe, pqhelper.exe, s4helper.exe, sidebar.exe, somatic.exe, spoolsvv.exe, webalize.exe, wzhelper.exe

Unregister then reboot and delete DLLs in "systemroot" with Regsvr32:
gsim.dll, barbho.dll, gsim.dll, ifhelper.dll, ifsomatic.dll, somatic.dll, webalize.dll, wzhelper.dll, barbho.dll, gsim.dll, ifhelper.dll, ifsomatic.dll, somatic.dll, webalize.dll, wzhelper.dll

Remove these sub keys
{4e7bd74f-2b8d-469e-98f7-eb6db99aa93b}
{4e7bd74f-2b8d-469e-c0fb-ef60b19da02a}
{4e7bd74f-2b8d-469e-c0fb-ef60b19dbc34}
{4e7bd74f-2b8d-469e-d1f7-eb6db99aa97d}
{4e7bd74f-2b8d-469e-d7e4-f660b597bf2a}
{4e7bd74f-2b8d-469e-dff7-ec6bf4d5fa7d}
{cd2a865b-6c0f-44f9-baa1-7cdb31e04bc8}
in the system registry keys:

HKEY_CLASSES_ROOT\clsid\
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\
HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser\
HKEY_LOCAL_MACHINE\clsid\
HKEY_LOCAL_MACHINE\software\classes\clsid\
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\

gstartup.lnk
Gator Adware component. Not required. Also remove cmesys.exe.

hcwprn.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process hcwprn.exe and remove BHO item settn.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

hxdl.exe
HelpExpres Advertising spyware. Shows banners.
Remove by uninstalling "HelpExpress" and "Attune" under Windows' Add/Remove Programs.
After that check again and remove from startup if required.

hxiul.exe
HelpExpres Advertising spyware. Shows banners.
Remove by uninstalling "HelpExpress" and "Attune" under Windows' Add/Remove Programs.
After that check again and remove from startup if required.

icw97.inf
Installs Microsoft Connection to Internet shortcut on the desktop. Not required.

ie_32.exe
Spyware.Acext is a spyware program that contacts a predefined server for tracking purposes.
This program must be manually installed or may be installed when installing another third-party program.

Performs the following actions:
Installs itself to %Windir%\ie_32.exe, by default.

Adds the value: ""="%Windir%\ie_32.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Periodically contacts the Web site, www.autoraskrutka.ru, for tracking purposes.

Remove it from startup with RegRun Startup Optimizer.

ieasst.dll
Browser (Internet Explorer) spyware.
Read details:
http://www.pestpatrol.com/PestInfo/i/iea...
Run RegRun Start Control, Advanced Optimizer, BHO (browser helper
objects). Remove this item.

iehelper.dll
Advertising spyware:
VX2 Respondmiter, Blackstone Transponder
Transponder is an IE Browser Helper Object. It monitors web pages requested and data entered into forms, sends this information to its home server, and opens pop-up advertisement windows. It also has the capability to update itself and install other software.
Full info:
http://217.115.153.73/parasite/Transpond...
Removal:
Remove this item via RegRun Start Control, Windows Core Components, BHO.

ietie.dll
This is Clear Search, Inc.
http://clearsearch.com/
Useless!
Form authors:
"... We do collect limited information, which is anonymous such as your IP address, keywords
and URL errors typed in the address bar, and date and time of this event. As well, our software
reports an alive status back to the server once a day to assist in determining our coverage. ..."
Execution:
Can silently download and execute arbitrary code from its controlling server, as a
self-updating feature.
Policy:
http://www.clear-search.com/privacypolic...
More info:
http://www.pestpatrol.com/PestInfo/c/cle...
Removal:
Try to uninstall it by Add/Remove Programs applet in Control Panel.
If it doesn't work remove by RegRun.

kazoom.exe
KaZoom from Blue Haven Media
It is an add-on application to KaZaA that automatically speeds up the download process and finds the files you want more quickly than regular KaZaA searches.
Steals system resources.

keyloggerpro.exe
Spyware.KeyLoggerPro
It is a commercial product that detects keystrokes and activity on your computer.
It is advertised as a parental control tool.

Copies itself to the install directory as KeyloggerPro.exe.
Offers the option to run in stealth mode.
Note: You can disable stealth mode for this program by using the following keystroke: CTRL+SHIFT+ALT+K.

Creates the registry key: HKEY_LOCAL_MACHINE\Software\ExploreAnywhere Software
Creates a log file in the root folder named Kpconfig.dat.

Creates the following registry value: "1win32cfg" = "%/KeyloggerPro.exe"
in the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Manual removal:
Delete all registry keys described above.

khooker.exe
SiS Keyboard Daemon.
System Tray utility which installed by the drivers of SiS (Silicon Integrated Systems) VGA cards. Can cause the errors at startup. It's not required.
The reference to KHooker.exe places into the Startup folder.

Some trojan finder program found KHOOKER.EXE as the trojan.
Use RegRun Startup Opimizer for removal.

khost.exe
KonTiki Secure Delivery Plug In related.
The Secure Delivery Plug In is the 'client' application for the Kontiki DMS. The Secure Delivery Plug In processes users' Deliveries, Subscriptions, and Reservations.
The Kontiki Delivery Management System (DMS) is a secure delivery network for distribution of video, software, audio, documents, and other digital media.
The Kontiki DMS enables enterprises to efficiently publish, secure, deliver and track digital media to employees, partners, and customers.
When it works the advertising windows can appear. Also they think it can be a spyware.

For more information about Kontiki and the Delivery Management System, please visit the Kontiki corporate web site: http://www.kontiki.com

kkcomp.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process kkcomp.exe and remove BHO item kkcomp.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

kkcomp.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process kkcomp.exe and remove BHO item kkcomp.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

kvnab.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process kvnab.exe and remove BHO item kvnab.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

kvnab.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process kvnab.exe and remove BHO item kvnab.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

lexstart.exe
Lexmark printer software may add Lexstart.exe in the startup folder to handle print commands that you send to the printer.This can cause dial-up networking to prompt you to dial your isp. Not required.

liqad.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process ligad.exe and remove BHO item ligad.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

liqad.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process ligad.exe and remove BHO item ligad.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

liqui.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process liqui.exe and remove BHO item liqui.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

liqui.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process liqui.exe and remove BHO item liqui.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

loader.exe
Backdoor.Ruledor.c is a part of the backdoor family of malicious programs intended for remote administration.
The victim computer can be remotely controlled and caused to execute some hacker's commands.
Backdoor.Ruledor.c can also download and install other programs unnoticed.
The program creates the directory ClearSearch in the Program Files folder and copies itself to this directory under the name loader.exe.
When the system is started, the program deletes all Browser Helper Objects (BHO) not installed by the program.

Remove it by RegRun Startup Optimizer.

loadqm.exe
This is Microsoft Messenger applet.
It's not useful. It tries to use Internet without your agreement.
Try to suspend it running.
Look at the forum:
http://sysopt.earthweb.com/forum/Forum9/...

loadwc.exe
Microsoft Load WebCheck (Loadwc.exe 17 K, webcheck.dll 269 K) manages subscriptions and user profiles for IE 4 and IE 5.

mdm.exe
Microsoft Machine Debug Manager.
Used by web developers to debug Internet Explorer applications.
Not useful, not required for common users.

mfc42w.exe
Trojan.Win32.Trasher - trojan program.
Upon start-up, it copies itself to the Windows system directory with the MFC42W.EXE name, and registers this file in the Windows registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run MFC42Profile = MFC42W.EXE

The Trojan then "sleeps" for about three minutes, and then creates a TRASH.BIN file in the Windows directory, and then writes to this file garbage in an endless loop;
thus, decreasing hard-drive free space by filling it with useless data.

Automatic removal:
Use RegRun Startup Optimizer to remove this trojan from startup.

mobsync.exe
Microsoft Mobile Synchronization Manager.
One annoying programme you will find running in W2K/XP is mobsync.exe.
This is because it is set by default to synchronise your home page at log-on.
To stop this, run the programme "Synchronise" from your "Start/Programmes/Accessories
Menu. Select setup, and uncheck the synchronisation options, then deselect the option to synchronise your home page. From explorer select Tools/Folder Options/Offline Files: deselect the "Enable Offline Files" option. When you reboot
you will find the programme is no longer running by default.
You can also remove optional components from your Windows 2000 installation that are not shown in the Add/Remove Programmes applet.

mosearch.exe
Fast Search utility in Microsoft Office XP.
Uses a lot of resources. If you don't like office search, I suggest to stop its loading but do not delete execution file.

moz030715s.dll
An IE browser helper object that detects visits to known sites and redirects them
through a third-party server in order to take the affiliate fees.
WurldMedia even steals the fees from other webmasters when you use their own links.
Read more:
http://www.doxdesk.com/parasite/WurldMed...
Try to uninstall it using Control Panel->Add/Remove applet.
If it doesn't use instructions on the page above.
Suggest to use RegRun Windows Core components to remove this item.

mp3ad.exe
Adware.GatorClone
It displays advertisements during Web browsing.

Adware.GatorClone performs the following actions when executed:
Creates a randomly named .dll file in the %Temp% folder and injects the file into running processes.
This .dll file will restart the adware program if the adware program is terminated.

Adds the value: =
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Contacts a remote server for advertisements and instructions, and displays pop-up ads.

Remove it by RegRun StartUp Optimizer.

mrtalk.exe
This is Media Ring Talk - voice recognition software. Allows users to give orders for computer without any keypress.
As it's a resource hog, start it manually.

msa32chk.dll
An ActiveX installer control for premium-rate phone diallers, distributed by Spanish company Matrix Technology Network SA.
Also known as Msa32chk, or LanzarDLL, after filenames used by the software.

Installed by ActiveX drive-by-download on porn pages.
It doesn't advertising or privacy violation.
Critical security issues: Any HTML page can direct the ActiveX control to download and run arbitrary, unsigned executable code from any server.

Automatical removal:
Use RegRun Startup Optimizer to remove it from the system registry.

Manual removal:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the entry called 'Dialer', which uses rundll32.exe to run msa32chk.dll.
Find the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions
and delete the subkey {03FBB191-FB50-4154-91D7-587D5E3C0000}.

You can also delete MSA32CHK.DLL from the System folder.

msbb.exe
Advertising Spyware. http://www.web3000.com
Secretely installed with many products. Displays random pop-up ads on your desktop

msckin.exe
Spyware.ClientMan is a spyware application that submits various Internet usage information to a server, including email and instant messaging details.
It also submits personal information, such as IP address, browser used, and user details retrieved from other installed applications on the system.

Periodically attempts to connect to odysseusmarketing.com.
Spyware.ClientMan must be manually installed on the system.
However, there are several known applications that have Spyware.ClientMan inside of them and that install the spyware component when the application itself is installed.

Copies the file, Msckin.exe, and registers it as a process.
Creates the following folders:
Program Files\ClientMan\new
Program Files\ClientMan\run

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete any values pertaining to "Client Man."

Also, delete the key: HKEY_CURRENT_USER\Software\CliMan

mslogon.exe
Advertising Spyware.
Part of RapidBlaster software
http://www.rapidblaster.com/
Typically displays pop-ups for porn sites.
Read more about:
http://www.doxdesk.com/parasite/RapidBla...
Suggest to remove by Rapid Blaster Killer:
http://www.wilderssecurity.net/specialin...

msoffice.exe
Microsoft Office Panel.

mstapi.exe
TrojanSpy.Win32.SCKeyLog.f
This is software that dials a phone number.
Some dialers connect to local Internet Service Providers and are beneficial as configured.
Others connect to toll numbers without user awareness or permission.

msview.dll
Advertising spyware:
VX2 Respondmiter, Blackstone Transponder
Transponder is an IE Browser Helper Object. It monitors web pages requested and data entered into forms, sends this information to its home server, and opens pop-up advertisement windows. It also has the capability to update itself and install other software.
Full info:
http://217.115.153.73/parasite/Transpond...
Removal:
Remove this item via RegRun Start Control, Windows Core Components, BHO.

msystem.exe
Adult content dialler.
This dialer program is installed through various Web sites, mainly with pornographic contents.
Use RegRun Startup Optimizer to remove it from startup.

mwcpyrt.exe
This file is included in Windows 98SE distributive.
Displays some copyright information on IBM ThinkPads.

ndrv.exe
Troj/PurScan-H is a downloader for an advertising-related application.
It will download configuration data from a remote location.
The data is used to display pop-up and advertisement on the infected computer.
It has the ability to download executable code from a remote location.
This trojan may then set the following registry entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NDrv = \ndrv.exe

Use RegRun Startup Optimizer to remove this trojan from your system.

netdotnet.dll
NewDotNet may be installed on your system with or without your knowledge.
The DLL component is a plugin to your Internet Explorer Browser. It needs when you use nonstandard Toplevel Domain names like .law, .club, .tech, .xxx and so on.
The catch is that nobody would see your domain unless they had the NewDotNet plugin installed on their computer.
Now that many new toplevel domain names have been approved by InterNIC, this new.net functionality is even less useful.
NewDotNet is good example of what's being referred to as Foistware.

NOTE: Foistware is software that adds hidden components to your computer. Usually it's done without your knowledge when you install some other program that would be useful to you.

This program is has been known to be installed along with KaZAa, Earthlink, @Home (ComCast), Juno, Webshots, NetZero, AudioGalaxy, Bearshare and a host of other programs.

It will also update itself without letting you know and it's unknown what new updated versions may do on your system.

It's recommended you use Add/Remove programs to remove the entire application.
(This DLL ties closely into the WinSock communication so if you just delete the DLL you'll screw up your system).

netratings.exe
Spyware.Netrat
When Spyware.Netrat is installed on the system, it tracks Internet usage and submits the tracked information to a server.
Also, the computer attempts to connect to http://premeter.opistat.com.

Must be installed on the system by executing a file or by visiting certain Web sites.
However, if this program is installed when you visit a Web site, you must agree to the installation.

Adds the value: "Premeter"="C:\Program Files\Netratings\Premeter\Netratings.exe"
or: "Premeter"="C:\Program Files\Netratings\Premeter\Nrpr.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Creates one of the following files:
C:\Program Files\Netratings\Premeter\Netratings.exe
C:\Program Files\Netratings\Premeter\Nrpr.exe

Information is not displayed on the screen when the programs are being installed,
but Spyware.Netrat adds the entry "Premeter" in the Add/Remove option in the Control Panel in Windows.

Remove it from startup with RegRun Startup Optimizer.

newdotnet3_36.dll
NewDotNet may be installed on your system with or without your knowledge.
The DLL component is a plugin to your Internet Explorer Browser.
It needs when you use nonstandard Toplevel Domain names like .law, .club, .tech, .xxx and so on.
The catch is that nobody would see your domain unless they had the NewDotNet plugin installed
on their computer.
Now that many new toplevel domain names have been approved by InterNIC, this new.net
functionality is even less useful.
NewDotNet is good example of what's being referred to as Foistware.

newdotnet6_30.dll
NewDotNet may be installed on your system with or without your knowledge.
The DLL component is a plugin to your Internet Explorer Browser.
It needs when you use nonstandard Top level Domain names like .law, .club, .tech, .xxx and so
on.
The catch is that nobody would see your domain unless they had the NewDotNet plugin installed
on their computer.
Now that many new top level domain names have been approved by InterNIC, this new.net
functionality is even less useful.
Use Add/Remove applet in Control Panel.
The manual deletion may be dangerous for you.

newsupd.exe
Creative Labs spyware.
http://www.cexx.org/newsupd.htm

nin1t.exe
Troj/Bancos-V attempts to steal bank account details from customers of a number of Brazilian bank accounts that offer online services.
It is an information-stealing Trojan.
The Trojan logs information typed into web forms corresponding to a number of Brazillian banks that offer online services in an attempt to steal bank account details.

Manual removal:
Please, navigate to the following system registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value: NIN1T = \NIN1T.EXE

npnsdad.exe
Advertising Spyware
http://grc.com/downloaders.htm

npnzdad.exe
NetZip Download Demon - spyware.
http://grc.com/downloaders.htm

oemreset.exe
Appears when you're installing new software or drivers. It needs on OEM installations.
Not required since all the work has already been done.

onflow.exe
Onflow is a Web Advertising tool from Onflow Corporation.
http://www.answersthatwork.com/Tasklist_...

osa.exe
Microsoft Office fast launch.

osa8.exe
Microsoft Office fast launch.

osa9.exe
Microsoft Office fast launch.

p_981116.exe
Win32 cabinet self extractor Not required.

p2p networking.exe
P2P Networking is a component that enables other applications to use Peer-to-Peer functionality.
P2P Networking is bundled with Kazaa v2.5.2 but is not required for its operation.
Changes browser settings other than homepage, without user permission.
Read more:
http://www.pestpatrol.com/PestInfo/p/p2p...
Authors: Joltid Ltd.
Suggest to remove it.

pbsysie.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process wbeCheck.exe and remove BHO item pbsysie.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

powerreg scheduler v3.exe
Part of 3COM modem software.
Registration remainder. Not requred.

powerreg scheduler.exe
Part of 3COM modem software.
Registration remainder. Not requred.

powerreg schedulerv2.exe
Part of 3COM modem software.
Registration remainder. Not required.

ppstub.exe
PrecisionPop adware.
PrecisionPOP is distributed in a wide variety of free software applications.
PrecisionPOP serves advertisements to computers on which it is installed and the revenue generated from these advertisements keeps the bundled software applications free to the end user. All ads served by PrecisionPOP will be branded in the window header as being "Brought to you by PrecisionPOP."
Not required.
Use RegRun Startup Optimizer to remove it.

ra32.exe
BackDoor-CAY - password stealer trojan. Also known as Backdoor.Carufax (AVP), Troj/Volver (Sophos), Win32.Reign (CA).

This trojan uses a stealth technique to circumvent certain scanning technology.
The trojan attempts to capture typed keystrokes and steal web site passwords.
Trojan do not self-replicate. It is spread manually, often under the premise that the executable is something beneficial.
Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

When run, the trojan creates a hidden directory named f~a within the WINDOWS SYSTEM directory.
Adds the value: "f~a" = C:\WINNT\System32\f~a\ra32.exe
to the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Within this directory, several files are created:
~key.log
~pass.log
~post.log
ra32.exe
usr_ext.dll (captures keystrokes and steals password)
usrvcrt.dll (captures web site username/password)

Use RegRun Startup Optimizer to remove this trojan.

rcsync.exe
PrizeSurfer is a free software that automatically enters you to win cash and prizes just for surfing the web and shopping online!
This program can show different popup windows and can go you to different site in web. This may cause a problem with your security (Trojans, worm) and privacy.
Suggest to stop it by RegRun Start Control.

realsched.exe
Real Networks Scheduler which gets installed with RealOne Player.
Once installed, it runs independently of RealOne Player. It does not collect personal information or communicate with RealNetworks’ servers.
It is used to remind AutoUpdate and Message Center to perform their tasks at pre-scheduled intervals.

This Scheduler slows down boot-ups unacceptably, using up to 90% of CPU time at times. Also, it is dropping advertising shortcuts onto the desktop during idle times.
It is best if you are using other player such as WinAmp.
To remove it, you should open Real One Player, go to theTools menu, Preferences, Automatic Services.
Uncheck all automatic services.

remind32.exe
HP product registration program.

rundll32 setupapi,installhinfsection oemsyspnp 128 oemsyspnp.inf
CoolWebSearch is a name given to a wide range of different browser hijackers.
http://www.doxdesk.com/parasite/CoolWebS...
Useless.
Stop it.

rundll32.exe c:\windows\newdot~1.dll,newdotnetstartup
Advertising Spyware.
http://cexx.org/newnet.htm

rundll32.exe c:\winnt\system32\msiefr40.dll
BrowserAid is a manufacturer of various Internet Explorer toolbars, most of which seem to be
installed sneakily.
What it does?
Displays advertising popups.
Read more:
http://www.doxdesk.com/parasite/BrowserA...
Suggest to remove.

rundll32.exe w3knet.dll,dllinitrun
Status: Web 3000 Spyware.
Read more:
http://www.safersite.com/PestInfo/W/Web3...
Recommendation:
Stop it!

savenow.exe
Advertising spyware.
http://www.affiliatemarketing.co.uk/dec0...

sentry.exe
IP Insight Tracking software.
Tracks geographical and connection speed data and reports it back to companies.
Useless.

seticon.exe
Installed if you have a 6-in-1 (4 Media Card slots, a floppy drive and a USB connection) card reading device.
It used to updates the icons for Media Card slots and this operation used a lot of system resources.
You can remove it by RegRun Start Control.

settn.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process hcwprn.exe and remove BHO item settn.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

skinkers.exe
Howard the Weatherman desktop client from Halifax by Skinkers - marketing/messaging tool

It allows web site owners to deliver content directly to customers desktops without "getting lost" within the already cluttered email channel.

The downloadable desktop application installed by the user, marketeers are able to cement a far stronger relationship with their customers.
They can also engage with them far more frequently and effectively than through traditional methods such as email newletters.
Add hyperlinks to push people to pages and data you want them to see, e.g. breaking news or promotional offers.
Skinker content is usually, though not necessarily, delivered by eye-catching corporate logos, animated characters or icons, with their own branded dialogue windows. You have total creative flexibility – make your Skinker and all associated dialogues, characters and icons fit precisely with your corporate culture, branding and identity.

Skinkers is multimedia enabled and is used to deliver rich media such as video, images, music, copy, interactive Flash files and other applications.

http://www.skinkers.com/index.html

sncntr.exe
This dialer program is installed through various Web sites, mainly with adult or pornographic contents.
When it runs, it displays a window inviting you to access different sites using a premium rate telephone number.
Remove it using RegRun Startup Opimizer.

sndcfg16.exe
Worm.P2P.Krepper.c
On launch, the worm checks the victim machine for VMWare.
If it is launched under VMWare, some of the malicious functions will not be executed.

Copies itself to the Windows system directory as sndcfg16.exe.
It registers this file in the system registry to ensure this file is run each time the system is started:
[Software\Microsoft\Windows\CurrentVersion\Run] Services = sndcfg16.exe
This worm propagates via P2P networks.
If the worm detects a P2P client, it will copy itself under a random name.
The worm checks the system registry value every second.
It downloads and launches files from the Internet.
The worm also connects to a number of IRC channels to inform the author of the worm about infected machines.

You can remove it by RegRun.

spoo1sv.exe
PWSteal.Souljet is a Trojan horse that steals system and personal information.

Copies itself to %System%\Spoo1sv.exe.
Adds the value: "spoo1sv" = "spoo1sv.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Creates the file, %System%\Soul.dll. This file is the keylogger part of the Trojan.
Searches currently running processes for Explorer.exe.
Injects Soul.dll into the process space of Explorer.exe, so that Soul.dll runs in the process context of Explorer.exe.
Soul.dll steals system information, such as the computer name and IP address.
As previously mentioned, this Trojan also logs key strokes.
It uses the Internet to send the stolen information to a predefined address.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "spoo1sv" = "spoo1sv.exe"

spywareguard.exe
Advertising Spyware.
Part of RapidBlaster software
http://www.rapidblaster.com/
Typically displays pop-ups for porn sites.
Read more about:
http://www.doxdesk.com/parasite/RapidBla...
Suggest to remove by Rapid Blaster Killer:
http://www.wilderssecurity.net/specialin...

ssmgr.exe
Spyware.007Spy is a commercial spyware program.
It logs keystrokes, Web sites visited, programs used, and files and folder activity.
It also has a screen capture logger and can be run automatically in a silent, undetectable mode.
Can use FTP and email to send all the logs to a remote server or email address.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "WinService32"="%ProgramFiles%\Sysmnt\ssmgr.exe"

stub.exe
Kazaa/Ezula/TopText Scumware.
eZula TopText is a browser plug-in for Internet Explorer.
Read more:
http://www.whirlywiryweb.com/removeezula...
Main executiojn file is stub.exe. It is located in Windows\System or in Windows\System32
Suggest to remove from startup.
1. From your Taskbar select: Start > Settings > Control Panel > Add/Remove Programs
2. In the 'Add/Remove Programs' window, locate one of the following program names: TopText HotText ContextPro, all are different names for the same program. Highlight the program name you find by clicking on it.
3. Click Add/Remove or Change/Remove to begin the uninstall process and follow it through.
4. Restart your computer.

supporter5.exe
It is a part of eScorcher anti-virus software.
Checking for updates of new virus bases each time you logon to the web.
Used to collect information about the user and therefore treated as spyware.
Not required.

svch0st.exe
Trojan.Dingsta.A is a keylogger that tries to log keystrokes that are typed in open Web browser windows.
Then, it sends the captured keystrokes to a predefined Web site.

Creates one of these files:
Windows NT/2000/XP/2003: C:\Winnt\System32\Svch0st.exe
Windows 95/98/Me: C:\Windows\System\Svch0st.exe

Adds the value: "taskmgr.exe" = "%Path%\svch0st.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Adds the value: "taskmgr.exe" = "%Path%\svch0st.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Adds the value: "taskmgr.exe" = "%Path%\svch0st.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Constantly checks the names of all the open windows.
If this Trojan finds a window whose Title Bar matches one of these names: Offline Explorer; Netscape; Microsoft Internet Explorer
it will log all the keystrokes typed inside that window.
Using a script running on the server that the Trojan contacts, it submits all the logged keystrokes to a predefined URL.

Automatic removal:
Use RegRun Startup Optimizer.

sw.exe
Spyware.SilentSpy
It is a software program that monitors all the actions on local and networked computers.

Adds the value: "SSConfig" = "SW.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Adds the subkey: "SW"
to the registry keys:
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\CurrentControlSet\Enum

Adds the value: "0" = "SW\{B7EAFDC0-A680-11D0-96d8-00AA0051E51D}\{9B365890-165F-11D0-A195-0020AFD156E4}"
to the registry key: HKEY_LOCAL_MACHINE\CurrentControlSet\Services\kmixer\Enum

Creates the following files:
C:\Silent-Spy.cnt
C:\Silent-Spy.hlp
C:\Wlp.sys
C:\Wlg.sys
C:\SW.htm
Creates the folder C:\SSS, which stores screenshots that the spyware captures.

Captures and logs the following items:
- Every window that you open and interacted with.
- All of the Web site titles and addresses that you visit.
- All the keystrokes and windows in which the keystrokes were entered.
- Periodic screen shots.

You can remove it with RegRun.

sys32win.exe
Spyware.ActiveKeylog records keystrokes by the user and may send this information through email.
Can be installed as part of another program, or by an installer with a user interface.

While Spyware.ActiveKeylog may be installed through an installer, the installation path is configurable, and the default is C:\Program Files\Active Key Logger.
The spyware may be configured to run in stealth mode, hiding its user interface and system tray icon.

Adds the value: "sys32sql" = "%installation path%\sys32win.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

This spyware program must be manually installed.
However, there are several known programs that have Spyware.ActiveKeylog within them and that install it as the program itself is installed.

Use RegRun Startup Optimizer to remove it from startup.

sysai.exe
AproposMedia is the part of the 'PeopleOnPage' program, an Internet Explorer sidebar which claims to show a list of other users of the current site.
Also known as POP after its program name, Envolo after the name of the updater component included in PeopleOnPage.
PeopleOnPage was bundled with Grokster around June 2003, and it installed by pop-up ActiveX drive-by download.
Opens pop-up adverts at regular intervals when Internet Explorer is in use.
When the PeopleOnPage sidebar is open, the addresses of all pages visited are sent to the controlling server with a unique tracking ID.
Includes an updater component which can silently download and execute arbitrary code form its controlling server.

Removal: Use RegRun Startup Optimizer to remove it from startup.
Amd go to the Control Panel's Add/Remove Programs feature. Select and remove 'AM Server' and 'POP'.

syschecks.dll
Spyware.SpyMyPC
Spyware.SpyMyPc is a commercial spyware program that logs keystrokes.
It can be do any of these actions:
- Log keystrokes and output them to a file located in %ProgramFiles%\Logs.
- Run in a Hidden mode in the taskbar.
- Start automatically when Windows starts, by enabling the "Run SpyMyPC when Windows Startup" option.

It creates some files, such as: %ProgramFiles%\SpyMyPC\Smpc.dll; %ProgramFiles%\SpyMyPC\Smpc32.exe; %Windir%\Smode.dll; %Windir%\Syschecks.dll and some others.
Adds the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyMyPC_is1
HKEY_CURRENT_USER\Software\Benutec\SpyMyPC

Manual removal:
Navigate to the key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "SystemCheck"="RUNDLL32.EXE syschecks.dll,SysCheckStartup"
Then, navigate to the key: HKEY_CURRENT_USER\SOFTWARE\Benutec\
and delete the subfolder: "SpyMyPC"
Also, delete the following files in %Windir% if they exist: smode.dll; smrcmd.dll; syschecks.dll

sysdll32.exe
CoolWebSearch parasite related.
Redirecting to wholeworldmarket.com, most likely other domains as well.
The difficulty of removing CWS from a user's system has grown from slightly tricky in the first variant to virtually impossible for the latest few.
Some of the variants even used methods of hiding and running themselves that had never been used before in any other spyware strains.
The CWShredder tool to remove Coolwebsearch will always be up to date and is updated as fast as possible when new variants emerge.
We are pretty sure now CoolWebSearch is part of a new strain of trojans that have recently been identified that all have one thing in common: they install through the ByteVerify exploit in the MS Java VM and change the IE homepage, search page, search bar, etc.
It has also been confirmed that 'Index.dat Viewer' changes your IE search pages to superwebsearch.com, a CWS affiliate page, after installing it.
Uninstalling Index.Dat Viewer will not restore your search pages.

systree.exe
Troj/Bancban-N.
It is a password-stealing Trojan targetted at customers of a Brazilian bank.
The Trojan drops a component of itself into \SYSTRE as SYSTREE.EXE and creates the following registry entry in order to run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Systree = SYSTREE.EXE

Please, remove it with RegRun.

sysu.exe
Adware.DynamicUpdater is an adware program that can be downloaded by Adware.Dynamic.
This adware program is installed manually or as a component of another program.

When Adware.DynamicUpdater is executed, it performs the following actions:
Adds the value:
"sysu" = "c:\progra~1\ddm\sysu.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Generates frequent pop-up advertisements.
May download an executable from the Web, possibly an update of itself.

Use RegRun Startup Optimizer to remove this adware.

tcaudiag.exe
Diagnostic program for 3COM network card.
Not required.

tgcmd.exe
This software is often used by ISP to collect information about your computer and to
automatically send this information to ISP and to auto update this software via Internet.
Go to Add/Remove Programs in your Control Panel and look for something like "support agent" -
these things go by several different names - and remove it.
If you couldn't find it remove it by RegRun Start Control.

tgdc.exe
TGDC Websearch
Adware, also Known as: TGDC IE Plugin Tgdc.exe shopforgood.com
A plugin for IE that someone seems to know where it came from. References in the code point to shopforgood.com

Stays resident in background, hides itself from user, show advertisments:
- Makes changes to browser settings
- Connects to the internet by itself

Manual removal:
You might try deleting it from c:\program files\tgdc\ if found there.
Remove it quickly by RegRun Terminator.

tgfix.exe
This software is often used by ISP to collect information about your computer and to automatically send this information to ISP and to auto update this software via Internet.
Go to Add/Remove Programs in your Control Panel and look for something like "support agent" - these things go by several different names - and remove it.
If you couldn't find it remove it by RegRun Start Control.

tmpcpyis.bat
You may remove this item without any problems.
It's used for clear temp files after installation.
Usually, setup program automatically removes tmpcpyis.bat after installation.

tps108.dll
Advertising spyware:
VX2 Respondmiter, Blackstone Transponder
Transponder is an IE Browser Helper Object. It monitors web pages requested and data entered into forms, sends this information to its home server, and opens pop-up advertisement windows. It also has the capability to update itself and install other software.
Full info:
http://217.115.153.73/parasite/Transpond...
Removal:
Remove this item via RegRun Start Control, Windows Core Components, BHO.

tsadbot.exe
PKWARE Pkzip special advertisement software.

tvm.exe
It is hijacker.
Any software that resets your browser's settings to point to other sites is called the hijacker.
Hijacks may reroute your info and address requests through an unseen site, capturing that info.
Also change your home page to some other site. Error Hijackers will display a new error page when a requested URL is not found.
May cause crashes and trigger Windows XP error reporting. Likely to slow performance of Internet Explorer.

To manually remove CleverIEHooker from your computer:

Unregister these DLLs with Regsvr32, then reboot:
systemroot+\jeired.dll

Remove these registry items (if present) with RegEdit:
HKEY_CLASSES_ROOT\clsid\{707e6f76-9ffb-4920-a976-ea101271bc25}
HKEY_CLASSES_ROOT\interface\{707e6f76-9ffb-4920-a976-ea101271bc25}
HKEY_CLASSES_ROOT\typelib\{707e6f76-9ffb-4920-a976-ea101271bc25}
HKEY_LOCAL_MACHINE\software\classes\clsid\{707e6f76-9ffb-4920-a976-ea101271bc25}
HKEY_LOCAL_MACHINE\software\classes\typelib\{707e6f76-9ffb-4920-a976-ea101271bc25}

Remove these files (if present):
systemroot+\jeired.dll

Or use RegRun Startup Optimizer to automatical remove this hijacker.

updmgr.exe
This is an auto-updater that starts every time you try to connect to the internet.
Bundled with Kazaa.
Not required.

updreg.exe
Reminder to register Creative Labs SoundBlaster Live! cards. Not required.

vcatch.exe
Spyware that installs CommonSearch, UCMore, Bargain Buddy, and others.
Claims to be an anti-virus product. from the doc:
'We record and analyze the use of the service and software in order to get general, aggregate compilations of users' characteristics and uses of the Internet to potential users and commercial partners. We may use the information that we gather for statistical purposes in aggregate, anonymous form and for advertising, marketing, and other commercial activities.'

Manual Removal:

Kill these running processes with Task Manager:
programfilesdir+\commonsearch\vcatch\vcatch.exeadp.exe
vcatch.exe
vctadpi7099.exe

Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
and delete value contains 'Vcatch.exe'.
Unregister mcact.dll with Regsvr32, then reboot.

Remove these registry items (if present) with RegEdit:
HKEY_CURRENT_USER\software\commonsearch
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\vcatch
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\vcatch - the personal virus catcher
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\vcatch - the personal virus catcher
HKEY_USERS\s-1-5-21-1409082233-1390067357-1801674531-500\software\commonsearch

Remove these files (if present) with Windows Explorer:
programfilesdir+\commonsearch\vcatch\vcatch.exeadp.exe
ath.mgf; frb.mgf; install.log; license.txt; mcact.dll; snd.mgf; sub.mgf; sze.mgf; vc.txt; vcatch.exe; vcatch.lnk; vcsetupnew.reg; vctadpi7099.exe

Remove this directory (if present) with Windows Explorer: programfilesdir+\commonsearch


Use RegRun to automatically remove this spyware from the system registry.

vhchost.exe
PWSteal.Tarno.I
It is a Trojan horse that attempts to steal user names and passwords for certain Internet banking sites, by capturing screenshots and logging keystrokes.
Monitors the URL field in Internet Explorer for the following strings:
e-gold; bank; hsbc; halifax; barclays; openplan; lloyds; abbey; cahoot; nationwide; nwolb; natwest; nationet; woolwich
- Stores keystrokes and the content of the clipboard in the file, %System%\Usert\<10digits>_<8digits>.txt, where the digits are derived from the system time.
- Stores screenshots in the file, %System%\Usert\<10digits>_<8digits>.bmp, where these digits are derived from the system time.
- Using %System%\Winrr.exe, which it previously created, the Trojan creates the RAR file, %System%\Usert, which contains the keystrokes and screeenshots.
- Attempts to send the RAR file to a remote Web server.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Default System Research" = "%Windir%\vhchost.exe"

Or use RegRun Startup Optimizer to automatically remove it from startup.

viewmgr.exe
Viewpoint Manager for Viewpoint Media Player
It is spyware as bundled with AOL, AOL Instant Messenger, Netscape 7, etc.

Following developers: "Viewpoint Media Player integrates photo-realistic 3D, high-resolution 2D images, Macromedia Flash, audio, and other media formats into HTML pages through a single media host. Essentially a graphics operating system, VMP includes both an ActiveX control and a Netscape plug-in that permits its graphics and online services to be accessed through Web browsers across multiple platforms and over narrowband connections, all while requiring no special server-side software.
This technology can be used for business applications ranging from advertising and e-commerce to online customer service and training."

Viewpoint Media Player collects information about the user.
From the vendor's privacy policy: To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint.
Detected as spyware with some detection programs.

Unused files:
AxMetaStream.dll, ComponentMgr.dll, MetaStreamID.ini, MtsAxInstaller.exe, npViewpoint.dll, npViewpoint.xpt, JpegReader.dll, Mts3Reader.dll, SceneComponent.dll, SreeDMMX.dll, SWFView.dll, WaveletReader.dll

Please, remove this spyware with RegRun Startuip Optimizer.

vx2.dll
Advertising spyware:
VX2 Respondmiter, Blackstone Transponder
Transponder is an IE Browser Helper Object. It monitors web pages requested and data entered into forms, sends this information to its home server, and opens pop-up advertisement windows. It also has the capability to update itself and install other software.
Full info:
http://217.115.153.73/parasite/Transpond...
Removal:
Remove this item via RegRun Start Control, Windows Core Components, BHO.

webinstaller.dll
ShopAtHomeSelect is a Winsock 2 Layered Service Provider that redirects visits to merchant sites in order to take the affiliate fees from them automatically.
Also known as Golden Retriever.
Bundled with Grokster (around the start of 2003) and iMesh 4. Also installed by the FavoriteMan parasite from May 2003.

It doesn't advertising or privacy violation.
The software can download and execute code from its controlling server, as a silent update feature.

On testing, seemed to cause browser to run quite slowly.

Removal:
There should be an entry in the Control Panel's Add/Remove Programs entry for 'ShopAtHomeSelect Agent'.
Use it to remove the software then restart the computer.

You can delete the damaged '{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}' entry inside the 'Downloaded Program Files' folder,
the 'SAHUninstall.exe' file in the 'Windows' folder and 'SahAgent.log' in the root of the C: drive to clean up if you like.

Not required.
Use RegRun Startup Opimizer for removal.

win32_i.exe
Advertising Spyware.
Typically displays pop-ups for porn sites.
Read more:
http://www.doxdesk.com/parasite/RapidBla...
Remove it from startup by RegRun Startup Optimizer or
use Rapid Blaster Killer:
http://www.wilderssecurity.net/specialin...

win32info.exe
Adult content dialler.
Installed through various Web sites with pornographic contents.

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

win32us.exe
All-In-One Telcom.
Adult content dialer:
a trojan that dials toll numbers without user awareness or permission.
Read more:
http://www.safersite.com/PestInfo/db/a/a...

winamp.hta
This is not the real WinAmp program. It used for redirecting you to adult content sites when you surfing the web.

winfavorites.exe
Adware.WinFavorites.B
It is a program that downloads advertisements and updates them periodically.

When executed, it creates the file C:\Program Files\WinFavorites\WinFavorites.exe.
Then adds the values:
"DisplayName"="Win Favorites"
"UninstallString"="C:\Program Files\WinFavorites\WinFavorites.exe /uninstall"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Win Favorites

Adds the value: "WinFavorites" = "C:\Program Files\WinFavorites\WinFavorites.exe1"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Attempts to download files from www.flingstone.com.

Remove it from the system registry by RegRun.

winnet.exe
CommonName Sidebar from www.commonname.com
Advertising Spyware. The uninstall program requires one to access the internet, get a validation code, and then enter this code to get the application to unload. None of this is stated upfront when installed.

winstart001.exe
IGetNet is a plug-in search addition to your IE Browser that will redirect your searching to customers of IGetNet. May disable other browser plug-ins.
Suggest to uninstall this software.

wxprocmgr.exe
TVTonic from Wavexpress.
Users can download some data included full-screen, DVD-quality video channels.
Adds advertising to the data.

xadbrk.dll
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process xddbrk.exe and remove BHO item xadbrk.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

xadbrk.exe
AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process xddbrk.exe and remove BHO item xadbrk.dll.
Full information at:
http://217.115.153.73/parasite/AdBreak.h...

xtcfgloader.exe
Toolbar addition to your browser that supposes to enhance your searching. Will causes pop-up ads to appear on sites that don't normally support them.
Remove it from startup.

zupdate.exe
A player for 'rich media' advertising. Similar to Onflow.
It's other names are Brilliant Digital (company name), B3D Projector (application name).
Apart from being downloadable from Brilliant's own legitimate-looking site, it is also stealth-installed by newer versions of KaZaA and other free applications.
It allows sites to use annoying advertising with 3D effects, sound, and so on. However, it does not add its own advertising to other sites.
The Projector downloads new components and updates silently.
Code-signing seems to be used, to ensure only Brilliant Digital can write code to be executed by the software.
The Projector has 3D functions, which are always liable to cause problems with some graphics cards and driver versions.

Removal:
You can use 'Add/Remove Programs' for 'B3d Projector'. And delete the directory 'BDE' inside your Windows directory, and the files 'bdeinstall.exe', 'bdeinsta2.dll', 'bdefdi.dll', 'bdedata2.dll', 'bdedownloader.dll', 'bdeverify.dll', 'bdesecureinstall.exe' and 'bdesecureinstall.cab' inside your System directory.
Also use RegRun Startup Optimizer to remove it from the system registry.

Copyright © 1998-2004 Greatis Software | Privacy Policy | Recommend to a friend