Application Database

Application database

Startupapps.com recommends you:

Detect and remove hidden rootkits using UnHackMe Free fully functional 30-days trial.

RegRun Security Suite = 24 system utilities for protecting your computer. Try now!

I would like to say that RegRun has helped me on more than 1 occasion when it comes to spyware/adware by letting me know automatically that a piece of it got added to Windows startup. There is so much spyware/addware out there today it's hard to imagine being without RegRun. I like many other features too including the daily registry backups and file protection.

Chris Wagers

%program files%\rvp\bpc.exe
%program files%\system soap pro\soap.exe
%programfiles%\jthabckeylogger\keylogger.exe
%programfiles%\srng\srng.exe
%sysdir%\msstart.exe
%sysdir%\svrhost.exe
%system%\netda.exe
%windir%\alchem.exe
addclass.exe
addestroyer.exe
adtools.exe
advchk.exe
aimwdinstall.exe
alchem.exe
amcis2.dll
aol.exe
apuc.dll
aries.sys
ashlt.exe
ati hotkey poller
ati smart
autoreg.exe
autoup~1.exe
babeie.dll
backweb-4448364.exe
bargains.exe
bh304181.dll
bigfix.exe
bmz.exe
bootconf.exe
breg.exe
brnts6.exe
bs3.dll
c-dillacdac11ba
channelup.exe
chostsv.exe
cme.exe
cmesys.exe
cnbabe.exe
cnbarie.dll
cnform.exe
commonname.exe
compaq-rba.exe
consol32.exe
crater.sys
crrst.32.exe
csserv.exe
ct_load.exe
ctb.exe
ctbclick.exe
cteaxspl.exe
ctin10.exe
ctregrun.exe
ctsrreg.exe
dap.exe
dcppaid.exe
desrcas.dll
dlder.exe
dlgli.exe
dmiehlp.dll
dmserver.exe
drgtodsc.exe
dsa.exe
dsb.exe
eanthology_install.exe
emsw.exe
exploror.exe
ezulaboot.dll
ezulumain.exe
fhfmm.dll
fhfmm.exe
findfast.exe
findservice.exe
flt.dll
flydesk.exe
forbesdownloader.ocx
fsw.exe
fwlink.exe
gator.exe
gshp.vbs
gssomatic.exe
gstartup.lnk
hcwprn.exe
hxdl.exe
hxiul.exe
ie_32.exe
ieasst.dll
iehelper.dll
ietie.dll
internst32.exe
kazoom.exe
kb891711.exe
keyloggerpro.exe
khooker.exe
kkcomp.dll
kkcomp.exe
kvnab.dll
kvnab.exe
lexstart.exe
liqad.dll
liqad.exe
liqui.dll
liqui.exe
loader.exe
loadqm.exe
loadwc.exe
mfc42w.exe
mirarsetup.exe
mobsync.exe
mobsync.exe /logon
mosearch.exe
moz030715s.dll
mp3ad.exe
mrtalk.exe
msa32chk.dll
msckin.exe
msoffice.exe
msohtmed.exe
mstapi.exe
msview.dll
msystem.exe
mw1hel~1.exe
mwcpyrt.exe
mydail~1.exe
mywebsearch email plugin.lnk
ncmyb.dll
ndrv.exe
netdotnet.dll
netratings.exe
netsurf.exe
newdotnet3_36.dll
newdotnet6_30.dll
newsupd.exe
nin1t.exe
npnsdad.exe
npnzdad.exe
odspconfig.exe
oemreset.exe
onflow.exe
osa8.exe
osa9.exe
p_981116.exe
p2p networking.exe
pbagent.exe
pbsysie.dll
potdata.exe
powerreg scheduler v3.exe
powerreg scheduler.exe
powerreg schedulerv2.exe
ppstub.exe
quickbrowser.exe
ra32.exe
rcsync.exe
remind32.exe
rundll deskcp16.dll,quickres_rundllentry
rundll32 setupapi,installhinfsection oemsyspnp 128 oemsyspnp.inf
rundll32.exe c:\windows\newdot~1.dll,newdotnetstartup
rundll32.exe c:\winnt\system32\msiefr40.dll
rundll32.exe w3knet.dll,dllinitrun
safewin.exe
sagent.exe
savenow.exe
sentry.exe
seticon.exe
settn.dll
setupad.exe
skinkers.exe
smrtshpr.dll
sncntr.exe
sndcfg16.exe
splasha.exe
spoo1sv.exe
spywareguard.exe
ssmgr.exe
stopsignav.exe
stub.exe
supporter5.exe
svch0st.exe
sw.exe
syncroad.exe
sys32win.exe
sysai.exe
syschecks.dll
sysdiag.exe
sysdll32.exe
sysmgr32.exe
systree.exe
sysu.exe
tamset.exe
tgcmd.exe
tgdc.exe
tgfix.exe
tmpcpyis.bat
toolbar.dll
tps108.dll
tsadbot.exe
tvm.exe
updmgr.exe
updreg.exe
ussshreg.exe
vcatch.exe
vhchost.exe
viewmgr.exe
vx2.dll
webinstaller.dll
win32_i.exe
win32info.exe
win32us.exe
winamp.hta
winfavorites.exe
winnet.exe
winoko32.exe
winstart001.exe
wxprocmgr.exe
xadbrk.dll
xadbrk.exe
xclean.exe
xtcfgloader.exe
zserv.dll
zupdate.exe

USELESS

Updated weekly. Last update: April 9 2018

Improve boot up time Run a free scan to diagnose your PC and identify the system boottle necks slowing you down. Start Test

Fix Windows PC's Fast! Automated Software Repairs damaged & slow windows systems in 1 click.

Downlod Now!

Free Download

%program files%\rvp\bpc.exe

Useless.
Downloads and displays ad popups at intervals.
Remove it from startup.

%program files%\system soap pro\soap.exe

Soap.exe is part of System Soap Pro.
Soap.exe is Adware.
Installed silently without user permission.

%programfiles%\jthabckeylogger\keylogger.exe

Spyware.ABCKeylogger is a keystroke and screenshot-logging program that can be set to automatically run at Windows startup.
Can also be set up to run in silent mode, but it will still be displayed in the task manager.
A password controls access to the settings and program.
Creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\JthAbcKeylogger
so that ABCKeylogger can be uninstalled.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "ABC"="%ProgramFiles%\JthABCKeylogger\Keylogger.exe"

%programfiles%\srng\srng.exe

Spyware.2020search.
It is a search hijacker that is installed as a Browser Helper Object Toolbar in Microsoft Internet Explorer.
Certain address bar searches and unknown domain name searches will be redirected to the program's controlling servers.
It comes bundled and installs Spyware.Shopnav.

Also, it replaces Internet Explorer's Search pane with a search page at pop.popuptoast.com/9908/search/search.html.
Installs a new Internet Explorer toolbar.
Downloads Svchost.exe from www.2020search.com/9908/install.
Creates the folder, %ProgramFiles%\Dynamic Toolbar.
Registers the file, 2020search2.dll, so that it is integrated it into Internet Explorer.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Srng"="C:\Program Files\Srng\Srng.exe"

Or use RegRun Startup Optimizer to automatically remove this spyware.

%sysdir%\msstart.exe

Msstart.exe is an adware program Adware.Satbo.
Msstart.exe downloads and displays advertisements.
Related files:
%System%\Svrhost.exe
%System%\Msstart.exe
Setupad.exe
Adds the value:
"svrhost" = "%System%\Svrhost.exe"
"msstart" = "%System%\Msstart.exe"
to the Windows startup registry keys.
Removal:
Kill Msstart.exe process and remove Msstart.exe from Windows startup.

%sysdir%\svrhost.exe

Svrhost.exe is an adware program Adware.Satbo.
Svrhost.exe downloads and displays advertisements.
Related files:
%System%\Svrhost.exe
%System%\Msstart.exe
Setupad.exe
Adds the value:
"svrhost" = "%System%\Svrhost.exe"
"msstart" = "%System%\Msstart.exe"
to the Windows startup registry keys.
Removal:
Kill Svrhost.exe process and remove Svrhost.exe from Windows startup.

%system%\netda.exe

Troj/Dumaru-K is a Trojan with password stealing capabilities.
It will steal passwords related to online banking, shopping, investment and gambling.
Gathers clipboard data, passwords and confidential information from the protected storage area of Windows.
In particular WebMoney, The Bat, Total Commander and Far Manager account details are targeted.
It has the ability to log keystrokes. Also, it will attempt to gather username and password details from any window containing predefined text.
Troj/Dumaru-K will attempt to send this information to a pre-configured website as a web form or in an email to a pre-configured Russian address.
May reduce the security of Internet Explorer's content zones in an attempt to avoid alerting the user that details are being sent over the web.
The Trojan may also turn on the AutoComplete and AutoSuggest features of Internet Explorer in order to cache passwords.
This trojan will alter the HOSTS file in an attempt to deny access to certain anti-virus websites.

Manual removal:
Find the following registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: load32 = \netda.exe

%windir%\alchem.exe

This is Ad-ware component.Suggest to remove from startup.

addclass.exe

CoolWebSearch is a name given to a wide range of different browser hijackers.
Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.
Suspected to be installed by pop-ups exploiting security holes in IE.
The script may open mostly porn pop-ups if it thinks the page being viewed is porn-related.

addestroyer.exe

Adware.AdDestroyer claims to be a spyware remover.
However, it sets itself to run when you start the computer and it remains memory-resident.
When it runs, the software will periodically attempt to contact a server to download updates and instructions.
Some versions may annoy you with pop-up advertisements in Internet Explorer.
They claim that your system is at risk and that you should purchase an upgrade to AdDestroyer.

Remove it byRegRun.

adtools.exe

ADTOOLS.EXE displaysads onyour desktop.
It can be installed with various freeware programs.
Kill the process ADTOOLS.EXE, delete ADTOOLS.EXE.

advchk.exe

This program warns you when you install a new version of a Norton product and you didn't uninstall all previous versions.
But in some cases it is incorrect, for example:
when you install Norton SystemWorks (NSW), you see the message "A previous version of Norton SystemWorks was detected. You must uninstall the old version before installing the new one" or a similar message. After you uninstall the previous version of NSW and start to install NSW, you see the same message.
The installation does not proceed.
In this case you must delete following key from the system registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Advchk.exe

aimwdinstall.exe

This is tapping videogame maker of WildTangent Inc. to combine online games with instant messaging as part of a broader effort to generate revenue from its popular free chat service. It also collects and shares private information.
The games are integrated with the messaging service, so players can use the chat software to communicate with one another and to invite players to join a game.
Unlike e-mail messages, which must be opened, instant messages appear automatically on a user's computer screen.

alchem.exe

This is Ad-ware component.
Suggest to remove from startup.

amcis2.dll

Part of the Aureate Advertising spyware. Suggest to remove.

aol.exe

The aol.exe virus warning was a joke created by Ray Owens, owner of the Joke A Day website.

apuc.dll

Spyware - BargainBuddy.

http://simplythebest.net/info/spyware/ba...
First, try to uninstall Bargain Buddy via Control Panel,Add/Remove
Programs.
If you couldn't found Bargain Buddy, remove it from startup by RegRun.

aries.sys

Aries.sys is a DRM protection driver.
http://www.sysinternals.com/blog/2005/10...

ashlt.exe

Spyware.Ashlt
It is a spyware program that sends out private information.
Can be manually installed or installed as a component of another program.
Adds multiple values to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\ASHLT
Contacts a different server and sends out local gathered information.

Automatic removal: Use RegRun Startup Optimizer to remove it from startup.

ati hotkey poller

ATI Hotkey POLLER service is installed if you update to the latest ATI video card drivers. ATI Hotkey POLLER provides the ability to hot key your display settings for what ever reason you would need this feature.
Disable the service if you do not use hot keys for ATI software.
User comments: docsandman
I have a Dell Inspiron 9100 with Win XP pro. the ATI Hotkey Poller causes system sluggishness when battery operated. Disabling this service put me back to normal batter operations.

ati smart

This service is installed with the latest ATI video card drivers. It provides the ability to test your particular configuration for compatibility issues and stability issues. The location is also in the ATI display properties control panel.
After testing it is not required for all time.
Recommend: Disable

autoreg.exe

US Robotics Registration

autoup~1.exe

This is not virus.
This is adware software Envolo AutoUpdater.
It has different versions.

http://www.doxdesk.com/parasite/AproposM...

Remove it from startup by RegRun Startuip Optimizer.

babeie.dll

CommonName Toolbar spyware.
It is installed as toolbar to Internet Explorer.
CNBabe adds CNBABE.DLL to the Browser Helper Objects list.
It traces all your Internet activity.
Removal:
Choose CommonName entry in the Control Panel's Add/Remove Programs option.
If it doesn't work stop, remove from startup:
CommonName.exe, Cnbabe.exe, cnform.exe, cnbabe.dll, BabeIE.dll, and CNBarIE.dll.

backweb-4448364.exe

BackWeb is a generic, background downloading tool that software vendors can incorporate
into their product to download data (e.g. product updates) to the user's PC. Its operation
depends on the instructions given to it by the individual software vendor who bundles it.
BackWeb has been associated with numerous large companies working on a corporate level to
deliver timely information and updates. Essentially, BackWeb is a communications program whereby
a large amount of users may be contacted in an instant.

Useless.

bargains.exe

Advertising spyware.
Often installed with useful free software like Net2Phone and some versions of LimeWire.
Stop this process and remove from startup.

bh304181.dll

This is part of Kontiki software.
This is advertising spyware.
You may receive this software with other downloadable software like a
game.
http://www.extremetech.com/article2/0,3973,365073,00.asp
Kontiki software allows Gamespot or other customers to monitor the actions
of users, down to the individual PC.

You can remove it by uninstalling Kontiki software.
If it doesn't work, use RegRun Start Control->Windows Core Components
to remove Kontiki.

bigfix.exe

It is used to automatically receive and read technical support information provided by computer and software manufacturers and other technical support experts.
Also can automatically check your computer for bugs, configuration conflicts, and security holes. It is a resource hog! Please start it manually.

bmz.exe

nCase is adware from 180Solutions.
It consists of a process, msbb.exe, that runs constantly with Windows and shows advertising.

nCase is aware of the FlashTrack parasite and will disable it if it is running, to stop it showing competing adverts.
Some versions also seem to connect to the Gator web servers occasionally, for unknown reasons.
Bundled with a large range of applications, particularly file-sharing programs.
nCase are known to send e-mail to software authors asking them to include the nCase bundle.

Also installed by ActiveX drive-by downloads in adverts inserted on some free web hosting services,
and also installed by the FavoriteMan and BookedSpace parasites.

Looks for known URLs and keywords in URLs, and opens pop-up advertisements targeted at such sites.
Also opens non-targeted pop-up adverts at arbitrary times during IE usage.
Can add shortcut icons to the Start menu and Desktop if directed to by its controlling servers.
nCase can download and execute code from its controlling servers, as an update feature.

May cause an error message such as "msbb.exe file is linked to the missing export wininet.dll" on older systems without a WinInet library.
Can also cause IE to be a bit slow to start up, and some versions are reported to generate page fault errors.

Manual removal:
Navigate ro the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and delete the entry "msbb".
To delete nCase/Alert, also check for a randomly-named entry three or more letters long, pointing to a .EXE of the same name in the Windows folder.
Delete this entry and the file it points to. Alternatively, wait for the next restart and it should prompt to you reinstall or remove itself.
Restart the computer and delete the 'nCase' folder inside Program Files. Or in older versions without an 'nCase' folder, look in the System folder and delete msbb.exe.
Also delete the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb and HKEY_CURRENT_USER\Software\180solutions.

Or try to use RegRun Startup Optimizer to automatically remove this adware.

bootconf.exe

This is absolutely useless application.
It's also named IE Homepage hphijacker.
What it does:
It writes to C:\WINDOWS\HOSTS
this is changes msn.search to its IP
Delete this record from c:\windows\hosts:
1123694712 auto.search.msn.com
It creates c:\windows\defaults.css (style sheet) that contains IP.
Registry changes:
Registry key HKLM\Software\Microsoft\Internet Explorer\Search
Changed: Search, SearchAssistant, Search Page, Default_Search_URL etc.

http://boards.cexx.org/viewtopic.php?p=2...
By default (on my computer) the Search key contains two values:
CustomizeSearch="http://ie.search.msn.com/{SUB_RFC1766}/s...
SearchAssistant="http://www.searchgateway.net/search/"

Other values you may remove.

Remove it by RegRun Startup Optimizer.
Set the default setting for IE by opening Control Panel, Internet
Settings.

breg.exe

Adware.BroadcastPC.B
It is an adware program that downloads movie and advertisement clips.
Assigns the user a global user ID and tracks aggregate Internet use patterns to better target advertisements.
The advertisements are downloaded in the background and can be scheduled to run at any time, regardless of whether the computer is online or offline.

Use RegRun Startup Optimizer to remove it from the system registry.

brnts6.exe

Spyware.InTheKnow
It is a program that detects keystrokes and takes snapshots of specified programs on your computer.

When Spyware.InTheKnow runs, it performs the following actions:
Displays an introductory message.
Gives you the option of registering the product at www.itksoft.com or entering a registration key.
Allows you to type the main password. Typing this password while using any Windows program brings up the user interface.
Gives you the option to determine the interval between taking snapshots.
Gives you the choice of which programs to take snapshot of.
Gives you picture management options, including how long files are stored and the maximum storage amount.

Creates some files in %Temp%\WZS2.tmp\
Creates the files in %System%\
Creates the folder %System%\Balance, which is to used to store the keystroke and snapshot data.
Creates the folder, C:\ITKExport, which is to used to store exported reports that the Spyware generates.

Adds the subkey: grnx
to the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft
and adds some values to that subkey:

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Brnts6.exe" = "%System%\Brnts6.exe"
Next, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft
and delete the value: "Tg-DTGA3m" = "626I39vGvzVzYL26Oef"
Also, delete the key: HKEY_LOCAL_MACHINE\Software\Microsoft\grnx

bs3.dll

This is advertising spyware and you should to get rid of this
item.
Read more about it:
http://www.doxdesk.com/parasite/BookedSp...
To remove it, open RegRun Start Control, go to the Windows Core
Components tab. Open Windows Core Components Wizard.
Go to the BHO tab.
Uncheck bs3.dllb and Apply.

c-dillacdac11ba

"C-Dilla" is the name of a developer company.
The servise is used to provide software activation services and CD Key verification services for anti-piracy reasons. This technology is bundled with many products. It also increases the ammount of popups you receive on your computer.
Recommend: Disable (spyware/adware).
Leave it only if you have the games required this service.

channelup.exe

Adware-BuddyLinks application. This is not a virus or trojan.
It is an potentially unwanted program that requires users to download an installer, agreeing to the terms of the program, which includes sending a messages to all users on your AOL Instant Messenger buddy list with a link to the installer page.

This application works when visiting the www.wgutv.com or download.buddylinks.net websites.
Once this page has loaded, users are prompted to install and run a program.

The application creates some files and folders:
%Program Files%\buddylinks.net
%Program Files%\Common Files\PSD Tools

Adds the key to the system registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"PSD Tools Channel" = C:\Program Files\Common Files\PSD Tools\ChannelUp.exe

The following registry keys are also evidence that this application was run:
HKEY_CLASSES_ROOT\Interface\{00D38C81-14B3-44DE-B023-3BDC5BDE4FEC
HKEY_CLASSES_ROOT\CLSID\{FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4}

Removal Instructions:
To uninstall this application, use the ADD/REMOVE Programs Control Panel and remove the applications related to:
BuddyLinks
PSDT Messaging Integration
PSD Tools ChannelUp v1.0 (remove only)

And use RegRun Startup Optimizer to remove this adware.

chostsv.exe

PWSteal.Banpaes.C.
Is a Trojan horse that attempts to steal online banking information.

Also known as PWSteal.Banpaes, PWSteal.Banpaes.B

When PWSteal.Banpaes.C is executed, it performs the following actions:
Creates the following files:
%System%\Chostsv.exe
%System%\Mouse32.dll
%System%\Keybrd32.dll
%System%\Kuser.dll
%System%\Serv.dll
C:\Temp\Install.exe (This may not be created if the Temp folder does not exist in this location).

Adds the value:
"chostsv"="%System%\chostsv.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Logs keystrokes if the keystrokes are entered in windows that have any of the following strings in the window's title bar:
Caixa Economica Federal
Internet Banking CAIXA
BESC - Banco do Estando de Santa Catarina
Banco do Estado de Santa Catarina
Gerenciador Financeiro
Teclado Virtual
HSBC
Credicard
MasterCard
and some other.

Then, this Trojan sends the keystrokes to a predefined email address.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"chostsv"="%System%\chostsv.exe"

Or use RegRun to automatically remove this registry item.

cme.exe

Part of Gator advertising spyware.
Here is a removal instructions - http://www.pchell.com/support/gator.shtm...
Use the automatic ActiveX download/installation program if your security settings set low.

cmesys.exe

Advertising spyware. The part of the Gator (http://www.gator.com)
Warns the user about advertising features (why freeware).

cnbabe.exe

cnbarie.dll

CommonName Toolbar spyware.
It is installed as toolbar to Internet Explorer.
CNBabe adds CNBABE.DLL to the Browser Helper Objects list.
It traces all your Internet activity.
Remove from startup:
CommonName.exe, Cnbabe.exe, cnform.exe, cnbabe.dll, BabeIE.dll, and CNBarIE.dll.

Full information:
Removal:
Choose CommonName entry in the Control Panel's Add/Remove Programs option.
If it doesn't work stop its auto run but do not delete files

cnform.exe

commonname.exe

compaq-rba.exe

Compaq Message Server.
Not required, may cause conflicts with other software.
Suggest to stop it.

http://www.pacs-portal.co.uk/startup_pag...

consol32.exe

This hijacker redirects to a porn portal, where foistware like ISTBar gets stealth installed.
It opens up a site over and over every couple of minutes.
It opens up a new internet explorer page. The page it opens up redirects to a porn page.
The page that opens up has the address http://trafficex.org/trs/redirect.php?ad... of something like that.

Remove it with RegRun Startup Optimizer.

crater.sys

Crater.sys is a DRM protection driver.
http://www.sysinternals.com/blog/2005/10...

crrst.32.exe

Spyware.PCSpy
It is a spyware program that captures screenshots at a predefined interval.
These screenshots are stored in %Windir%\Temp_Ig folder.
This spyware can run in stealth mode.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Dconfig7"="%Windir%\crrst32.exe"

csserv.exe

Csserv.exe is related to GroupWise 4.1 Chinese Simplified version.
csserv.exe contents the Chinese Simplified Message Server NLM.
Manufacturer: NOVELL
http://support.novell.com/cgi-bin/search...

ct_load.exe

CyDoor advertising spyware.
Remove it from startup.

ctb.exe

The ClickTheButton is described as a price comparison service. It detects when you are visiting a known shopping site and provides sponsored links to competitor sites.
It runs as a process on startup (ctbclick.exe) and installs a number of extra DLLs.

The ClickTheButton has had "legitimate" distribution channels, but now it being silently installed with other applications (eg. some releases of KaZaA).
The ClickTheButton downloads parts of advertising pages when you visit a new web site.
When a complete advertisement has arrived, it will be displayed, usually as a pop-up or pop-under window.
ClickTheButton monitors visits of known shopping sites.

Manual removal:
Kill the 'ctbclick' process, delete 'CTB3_Shared' from the Windows directory, delete 'CTBHooks.dll' from the System directory (WINDOWS\SYSTEM or WINNT\System32).
Delete the value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ClickTheButton.
You can also remove the registry key HKLM\SOFTWARE\CTB_BrandedClient, and every class in HKEY_CLASSES_ROOT
that begins with 'CtbClient', 'CtbSession', 'CtbShopper' or 'CtbXML'.
Remove these registry items (if present):
HKEY_CLASSES_ROOT\clsid\{ab4dd0f0-38da-4f48-aafe-7de7323bb6b2}
HKEY_LOCAL_MACHINE\software\ctb_brandedclient

Use RegRun Startup Optimizer to quickly remove ClickTheButton.

ctbclick.exe

Adwertising spyware.
Brings targeted ads to your computer, after you provide initial consent for this task. May will track your browsing habits and report this info to a central ad server.
1. Stop process named the 'ctbclick' by RegRun Process Manager or by Task Manager.
2. Remove it from startup.

cteaxspl.exe

Creative Audigy EAX splash screen. Shows video splash during startup. Not required.

ctin10.exe

PWSteal.Bancos.E.
Is a Trojan horse that imitates the online interfaces of certain Brazilian banks to try to steal account information.
It is a minor variant of PWSteal.Bancos.D.
Also known as PWSteal.Bancos, PWSteal.Bancos.B, PWSteal.Bancos.C, PWSteal.Bancos.D

Copies itself as itself to the %System%\Ctin10.exe.

Adds the value:
"CTin10"="%System%\CTin10.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
so that the Trojan runs when you start Windows.

If the file C:\BancoBrasil\officeIE\officeIE.CAB exists, the Trojan will move it to C:\officeIE.CAB.

Monitors the active Internet Explorer windows, waiting for you to open a Web page that matches the characteristics of certain banking sites.
Such as:
https:/ /www2.bancobrasil.com.br/aapf/aai/principal
https:/ /bankline.itau.com.br/GRIPNET/Montamenu.exe
https:/ /internetcaixa.caixa.gov.br/NASApp/SIIBC/Login_ok.processa
https:/ /wwwss.bradesco.com.br/scripts/ib2k1.dll/LOGINCHK#top

When such a site is opened, the Trojan displays one of several login screens, which are selected according to the URL.
The information entered on these screens may then be emailed to another computer.

Manual removal:
Navigate to the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value:
"CTin10"="%System%\CTin10.exe"

ctregrun.exe

Creative Labs registration reminder. Not required.

ctsrreg.exe

Creative Sound Blaster Live registration reminder. Not required.

dap.exe

Adware.DAP - Download Accelerator Plus
It is a download accelerator product for Internet Explorer, Netscape, Mozilla, and Opera Web browsers.
Functions as a media viewer and FTP browser and allows the user to install games.
Installs a toolbar and browser helper object into the browser that tracks visited sites, downloads, search queries, etc.
Downloads ads to be displayed in your program window, your Internet Explorer toolbar, and through pop-up type advertising.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "DownloadAccelerator"="%ProgramFiles%\DAP\DAP.EXE /STARTUP"

dcppaid.exe

The purpose of DCPPaid.exe is to keep reminding the user that his
DriveCrypt Plus Pack evaluation period has expired and he should now
uninstall the software. We Did not think it fair to deny him access to his
disks, or suddenly remind him that it would be unavailable pretty soon, so
we designed this reminder program, which cannot be removed without
uninstalling DriveCrypt Plus Pack. The DCPPaid file is not spyware, and we
do not use it to communicate or store anything about the user's activities.

desrcas.dll

DESRCAS.DLL is Adware by MyWay.com
Description: MyWay Search Assistant for Dell Computers.
http://www.superadblocker.com/definition...

dlder.exe

Spyware.Dlder is the spyware program that submits user's Internet usage information to a server.
Also It submits personal information, such as an IP address, the user's Web browser, and a Global Unique Identifier (GUID).

When Spyware.Dlder was installed, it displays several characteristics that are similar to those of backdoor Trojan Horses.
When the installer of Spyware.Dlder is executed, it does the following:
Does not display information on the screen.
Creates several files and registry keys on the system.
Attempts to download an additional file.
The main file of this Spyware component is Dlder.exe, which was inserted as a hidden file in the \Windows folder.

When the installer executes this spyware, it attempts to contact the site www.2001-007.com and download a file named Explorer.exe to a hidden folder in the \Windows folder, named "Explorer" (not to be confused with the Microsoft file, Explorer.exe, in the Windows folder). It is this downloaded Explorer.exe that contains the main functionality of this spyware application.

Manual removal:
Delete this keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Dlder
HKEY_LOCAL_MACHINE\Software\games\ClickTillUWin

Use RegRun Startup Optimizer to remove this spyware.

dlgli.exe

Backweb installer.
Suspected Adware/Foistware: BackWeb Client

Backweb is a background downloading tool that software vendors can distribute with their product to download data (product updates) to the user's machines.
It's operation depends on the instructions given to it by the individual software vendor who bundles it.

But usually, users have associated it with the appearance of unwanted advertising windows.

May comes with Western Digital's Data Lifeline software.

WD Data Lifeline BackWeb Lite Installer (DLGLI.EXE)
This appears to use the BackWeb product to quietly install unknown items to your computer.
When installing Western Digital Data Lifeline, a reference to DLGLI.EXE is placed in the Windows Startup folder so that it is loaded at startup.
Similar to the Gator install stub, the software slowly downloads ("trickles") the software onto the system.

More recently, the BackWeb client was caught installing with Logitech mouse drivers for purposes unknown.
There is a popup message: "It's Wednesday! Time to update your mouse driver again!! Yah right." The installed file is Iadhide3.dll.

Also, it is installed with Kodak digital camera sync software as a software updater.

How to remove:
If you did not know who install this product, or are noticing unwanted advertisements appearing on your computer, you can try disabling or removing this product.
Backweb does not come with an uninstall option.

Use RegRun Startup Optimizer to get rid of this item.
Startup Optimizer will kill DLGLI.EXE process in memory and will remove from startup. After that you may delete its files.

dmiehlp.dll

Dmiehlp.dll is installed with Download Master, GetBar or other software.
Dmiehlp.dll is used for tracking user activity, collecting personal information.

dmserver.exe

Comet DMServer.
Adware.

Useless.
Remove it from startup.

drgtodsc.exe

DrgToDsc.exe is related to Roxio EasyCD Creator 6.0 software.
DrgToDsc.exe is used for placing the Roxio Drag-to-Disc icon in system tray.
Not required for Roxio to work properly.
Manufacturer: Roxio
www.roxio.com

dsa.exe

Spyware.DesktopSpy
This is a spyware program that captures screenshots at a predefined interval. This spyware can run in stealth mode.

The installation path is configurable, and the default path is %System%\DSA.

When the Spyware.DesktopSpy runs, it does the following:
Creates and adds the subkeys to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\KMiNT21\PersonalDesktopSpy

Adds the value: "DesktopSpy"="%System%DSA\dsa.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Saves screenshots to %System%\DSA\Images\ at a predefined interval.

Remove it from startup with RegRun Startup Optimizer.

dsb.exe

Adware.EnergyPlugin
It displays advertisements when you are browsing the Internet.
Copies itself to %Program Files%\DSB\Dsb.exe.
Creates temporary log files in %Program Files%\DSB.

Adds the value: DSB = %Program File%\DSB\DSB.exe
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Searches active windows for a Web browser and displays pop-up advertisements.

Automatic removal: Use RegRun Startup Optimizer to remove this adware from startup.

eanthology_install.exe

Advertising software.
This is software that brings ads to your computer.
Such ads may or may not be targeted, but are "injected" and/or popup, and are not
merely displayed within the form of an ad-sponsored application.

Suggest to remove it.

emsw.exe

HelpExpress adware.
Displays ad popups.
Remove it from startup.
http://www.kephyr.com/spywarescanner/lib...

exploror.exe

Troj/Delf-ON is a Trojan for the Windows platform that will create the following viral files:
Windows\exploror.exe
Windows\System\exploror.dll
Windows\System\FinDrv.dll

May also set the registry key HKCU\Software\Microsoft\Windows\Current\Version\Internet Settings\Global User Offline = 1
This trojan will log keystrokes to the file Windows\bubbes.bmp which it will then attempt to email out to a third party.
Also, it may open a backdoor listening for incoming commands from a remote user.

Manual removal:
Delete the file Windows\bubbes.bmp if it exists.
Locate the HKEY_LOCAL_MACHINE entry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and remove any reference to exploror.exe and other files.

ezulaboot.dll

TopText Scumware.
Infects your Internet Explorer.
Remove from BHO list by Windows Core Components in Start Control.

ezulumain.exe

KaZaa advertising spyware.

fhfmm.dll

AdBreak advertising spyware.
AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which highjacks your home page, search and error pages to point to AdBreak's servers.
Removal:
Stop the process fhfmm.exe and remove BHO item fhfmm.dll.

fhfmm.exe

findfast.exe

Microsoft Find Fast manager for Microsoft Office 97.
Used to indexing documents.
http://www.microsoft.com/office/ork/026/...

findservice.exe

The ActualNames software is an address bar search hijacker targeting IE and Netscape.
It also contains components to sending mail from various applications and web sites.
However, these functions are not working.

The software may or may not install with ActualNames/BrowseProxy, an ActiveX installer component, depending on how it was installed.
Bundled with KazaaMate. Also to be installed by ActiveX drive-by download from some pop-ups.
It doesn't advertising or privacy violation.
ActualNames can silently download and execute arbitrary unsigned code from its controlling server actualnames.com, as a self-updating feature.
ActualNames/BrowseProxy is also a severe security hole as it allows any web site to execute arbitrary programs.

Automatical removal:
Go to the Control Panel's Add/Remove Programs feature, choose 'AdvSearch' and click 'Remove'.
And use RegRun Startup Optimizer to remove it from startup.

Manual removal:
In the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the 'BrowseProxy' entry pointing to 'FindService.exe'.
You can also delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Olivia Corp to clean up if you like.

flt.dll

Advertising spyware - installed by some free software.
Read more details:
Remove from startup.

flydesk.exe

Advertising spyware

forbesdownloader.ocx

ForbesDownloader.ocx is a Adware Forbes.
Forbes Business News Alert is an adware that displays pop under advertisements when you are browsing. The program contact its controlling server www.forbes.com via https to retrieve advertisements.
http://www.scanspyware.net/info/Forbes.h...

fsw.exe

Adware.FreeScratchWin displays advertisements when you browse the Web.
It is a Browser Helper Object that opens pop-up windows.
May perform the following actions:
- Change the Internet Explorer home page to www.xzoomy.com
- Capture keystrokes
- Update itself in stealth mode
- Open pop-up ads
- Track your browsing habits

Use RegRun Startup Optimizer to remove this adware.

fwlink.exe

Installed if you download the Dilbert Screen Saver.
Spyware

gator.exe

Advertising spyware. Warns the user about advertising features (why freeware).

gshp.vbs

Advertising spyware.
Changes your IE home page to globalsearch.com.
Remove it from startup.

gssomatic.exe

It is a Hijacker � Toolbar.
Also known as Searchcentrix seek4free hijacker, Searchcentrix Webalize toolbar, Searchcentrix.com/Mygeek.com hijacker.
Toolbar: SearchCentrix.Mygeek.com, SearchCentrix.Seek4Free, SearchCentrix.Webalize
Likely to slow performance of Internet Explorer.

Automatic Removal:
Use RegRun Startup Optimizer to remove it from startup.

Manual Removal:
Stop these running processes with Task Manager and then delete these files:
fsgintl.exe, fsgus.exe, gssomatic.exe, pqhelper.exe, s4helper.exe, sidebar.exe, somatic.exe, spoolsvv.exe, webalize.exe, wzhelper.exe

Unregister then reboot and delete DLLs in "systemroot" with Regsvr32:
gsim.dll, barbho.dll, gsim.dll, ifhelper.dll, ifsomatic.dll, somatic.dll, webalize.dll, wzhelper.dll, barbho.dll, gsim.dll, ifhelper.dll, ifsomatic.dll, somatic.dll, webalize.dll, wzhelper.dll

Remove these sub keys
{4e7bd74f-2b8d-469e-98f7-eb6db99aa93b}
{4e7bd74f-2b8d-469e-c0fb-ef60b19da02a}
{4e7bd74f-2b8d-469e-c0fb-ef60b19dbc34}
{4e7bd74f-2b8d-469e-d1f7-eb6db99aa97d}
{4e7bd74f-2b8d-469e-d7e4-f660b597bf2a}
{4e7bd74f-2b8d-469e-dff7-ec6bf4d5fa7d}
{cd2a865b-6c0f-44f9-baa1-7cdb31e04bc8}
in the system registry keys:

HKEY_CLASSES_ROOT\clsid\
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\
HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser\
HKEY_LOCAL_MACHINE\clsid\
HKEY_LOCAL_MACHINE\software\classes\clsid\
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\

gstartup.lnk

Gator Adware component. Not required. Also remove cmesys.exe.

hcwprn.exe

hxdl.exe

HelpExpres Advertising spyware. Shows banners.
Remove by uninstalling "HelpExpress" and "Attune" under Windows' Add/Remove Programs.
After that check again and remove from startup if required.

hxiul.exe

HelpExpres Advertising spyware. Shows banners.
Remove by uninstalling "HelpExpress" and "Attune" under Windows' Add/Remove Programs.
After that check again and remove from startup if required.

ie_32.exe

Spyware.Acext is a spyware program that contacts a predefined server for tracking purposes.
This program must be manually installed or may be installed when installing another third-party program.

Performs the following actions:
Installs itself to %Windir%\ie_32.exe, by default.

Adds the value: ""="%Windir%\ie_32.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Periodically contacts the Web site, www.autoraskrutka.ru, for tracking purposes.

Remove it from startup with RegRun Startup Optimizer.

ieasst.dll

Browser (Internet Explorer) spyware.
Read details:
Run RegRun Start Control, Advanced Optimizer, BHO (browser helper
objects). Remove this item.

iehelper.dll

Advertising spyware:
VX2 Respondmiter, Blackstone Transponder
Transponder is an IE Browser Helper Object. It monitors web pages requested and data entered into forms, sends this information to its home server, and opens pop-up advertisement windows. It also has the capability to update itself and install other software.
Full info:
Removal:
Remove this item via RegRun Start Control, Windows Core Components, BHO.

ietie.dll

This is Clear Search, Inc.
http://clearsearch.com/
Useless!
Form authors:
"... We do collect limited information, which is anonymous such as your IP address, keywords
and URL errors typed in the address bar, and date and time of this event. As well, our software
reports an alive status back to the server once a day to assist in determining our coverage. ..."
Execution:
Can silently download and execute arbitrary code from its controlling server, as a
self-updating feature.
Policy:
http://www.clear-search.com/privacypolic...
More info:
Removal:
Try to uninstall it by Add/Remove Programs applet in Control Panel.
If it doesn't work remove by RegRun.

internst32.exe

Adware.StartPage.B
This adware changes the Microsoft Internet Explorer home page to a page that has links to adult content.
The Microsoft Internet Explorer home page is reset to www.selfsearch.biz every time that you start Windows.
Modifies the value to: "Start Page"="http:/ /www.selfsearch.biz"
in the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

Automatical removal: Use RegRun Startup Optimizer to remove it from the system registry.

kazoom.exe

KaZoom from Blue Haven Media
It is an add-on application to KaZaA that automatically speeds up the download process and finds the files you want more quickly than regular KaZaA searches.
Steals system resources.

kb891711.exe

KB891711.exe is an update to Microsoft Windows 98/Me.
It is not required to constantly working of the KB891711.exe process.
KB891711.exe may be executed only one time.
Suggest to remove KB891711.exe from Windows startup.
http://www.microsoft.com/technet/securit...

keyloggerpro.exe

Spyware.KeyLoggerPro
It is a commercial product that detects keystrokes and activity on your computer.
It is advertised as a parental control tool.

Copies itself to the install directory as KeyloggerPro.exe.
Offers the option to run in stealth mode.
Note: You can disable stealth mode for this program by using the following keystroke: CTRL+SHIFT+ALT+K.

Creates the registry key: HKEY_LOCAL_MACHINE\Software\ExploreAnywhere Software
Creates a log file in the root folder named Kpconfig.dat.

Creates the following registry value: "1win32cfg" = "%/KeyloggerPro.exe"
in the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Manual removal:
Delete all registry keys described above.

khooker.exe

SiS Keyboard Daemon.
System Tray utility which installed by the drivers of SiS (Silicon Integrated Systems) VGA cards. Can cause the errors at startup. It's not required.
The reference to KHooker.exe places into the Startup folder.

Some trojan finder program found KHOOKER.EXE as the trojan.
Use RegRun Startup Opimizer for removal.

kkcomp.dll

kkcomp.exe

kvnab.dll

kvnab.exe

lexstart.exe

Lexmark printer software may add Lexstart.exe in the startup folder to handle print commands that you send to the printer.This can cause dial-up networking to prompt you to dial your isp. Not required.

liqad.dll

liqad.exe

liqui.dll

liqui.exe

loader.exe

Backdoor.Ruledor.c is a part of the backdoor family of malicious programs intended for remote administration.
The victim computer can be remotely controlled and caused to execute some hacker's commands.
Backdoor.Ruledor.c can also download and install other programs unnoticed.
The program creates the directory ClearSearch in the Program Files folder and copies itself to this directory under the name loader.exe.
When the system is started, the program deletes all Browser Helper Objects (BHO) not installed by the program.

Remove it by RegRun Startup Optimizer.

loadqm.exe

This is Microsoft Messenger applet.
It's not useful. It tries to use Internet without your agreement.
Try to suspend it running.
Look at the forum:
http://sysopt.earthweb.com/forum/Forum9/...

loadwc.exe

Microsoft Load WebCheck (Loadwc.exe 17 K, webcheck.dll 269 K) manages subscriptions and user profiles for IE 4 and IE 5.

mfc42w.exe

Trojan.Win32.Trasher - trojan program.
Upon start-up, it copies itself to the Windows system directory with the MFC42W.EXE name, and registers this file in the Windows registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run MFC42Profile = MFC42W.EXE

The Trojan then "sleeps" for about three minutes, and then creates a TRASH.BIN file in the Windows directory, and then writes to this file garbage in an endless loop;
thus, decreasing hard-drive free space by filling it with useless data.

Automatic removal:
Use RegRun Startup Optimizer to remove this trojan from startup.

mirarsetup.exe

Adware.Mirar attempts to find Web pages that are related to the one being viewed.
It also displays advertisements based on the URLs and search terms while navigating the Internet.
Creates the file, %System%\WinDmy.dll.
Creates the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\RelatedPageInstall
and adds subkeys and values to them to set flags and configurations.

Use RegRun Startup Opimizer for removal.

mobsync.exe

Microsoft Mobile Synchronization Manager.
One annoying programme you will find running in W2K/XP is mobsync.exe.
This is because it is set by default to synchronise your home page at log-on.
To stop this, run the programme "Synchronise" from your "Start/Programmes/Accessories
Menu. Select setup, and uncheck the synchronisation options, then deselect the option to synchronise your home page. From explorer select Tools/Folder Options/Offline Files: deselect the "Enable Offline Files" option. When you reboot
you will find the programme is no longer running by default.
You can also remove optional components from your Windows 2000 installation that are not shown in the Add/Remove Programmes applet.

mobsync.exe /logon

mosearch.exe

Fast Search utility in Microsoft Office XP.
Uses a lot of resources. If you don't like office search, I suggest to stop its loading but do not delete execution file.

moz030715s.dll

An IE browser helper object that detects visits to known sites and redirects them
through a third-party server in order to take the affiliate fees.
WurldMedia even steals the fees from other webmasters when you use their own links.

http://www.doxdesk.com/parasite/WurldMed...
Try to uninstall it using Control Panel->Add/Remove applet.
If it doesn't use instructions on the page above.
Suggest to use RegRun Windows Core components to remove this item.

mp3ad.exe

Adware.GatorClone
It displays advertisements during Web browsing.

Adware.GatorClone performs the following actions when executed:
Creates a randomly named .dll file in the %Temp% folder and injects the file into running processes.
This .dll file will restart the adware program if the adware program is terminated.

Adds the value: =
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Contacts a remote server for advertisements and instructions, and displays pop-up ads.

Remove it by RegRun StartUp Optimizer.

mrtalk.exe

This is Media Ring Talk - voice recognition software. Allows users to give orders for computer without any keypress.
As it's a resource hog, start it manually.

msa32chk.dll

An ActiveX installer control for premium-rate phone diallers, distributed by Spanish company Matrix Technology Network SA.
Also known as Msa32chk, or LanzarDLL, after filenames used by the software.

Installed by ActiveX drive-by-download on porn pages.
It doesn't advertising or privacy violation.
Critical security issues: Any HTML page can direct the ActiveX control to download and run arbitrary, unsigned executable code from any server.

Automatical removal:
Use RegRun Startup Optimizer to remove it from the system registry.

Manual removal:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the entry called 'Dialer', which uses rundll32.exe to run msa32chk.dll.
Find the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions
and delete the subkey {03FBB191-FB50-4154-91D7-587D5E3C0000}.

You can also delete MSA32CHK.DLL from the System folder.

msckin.exe

Spyware.ClientMan is a spyware application that submits various Internet usage information to a server, including email and instant messaging details.
It also submits personal information, such as IP address, browser used, and user details retrieved from other installed applications on the system.

Periodically attempts to connect to odysseusmarketing.com.
Spyware.ClientMan must be manually installed on the system.
However, there are several known applications that have Spyware.ClientMan inside of them and that install the spyware component when the application itself is installed.

Copies the file, Msckin.exe, and registers it as a process.
Creates the following folders:
Program Files\ClientMan\new
Program Files\ClientMan\run

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete any values pertaining to "Client Man."

Also, delete the key: HKEY_CURRENT_USER\Software\CliMan

msoffice.exe

Microsoft Office Panel.

msohtmed.exe

msohtmed.exe is a part of Microsoft Office.
msohtmed.exe is used for printing HTML files.

mstapi.exe

TrojanSpy.Win32.SCKeyLog.f
This is software that dials a phone number.
Some dialers connect to local Internet Service Providers and are beneficial as configured.
Others connect to toll numbers without user awareness or permission.

msview.dll

msystem.exe

Adult content dialler.
This dialer program is installed through various Web sites, mainly with pornographic contents.
Also it may a virus.
System.exe is a Backdoor W32.Spybot.OBB.
System.exe spreads by e-mail and via network shares.
System.exe monitors user Internet activity and private information.
It sends stolen data to a hacker site
Related files:
%System%\system.exe
Adds the value:
"Windows" = "system.exe"
to the Windows startup registry keys.
Removal:
Kill system.exe process and remove system.exe from Windows startup.

mw1hel~1.exe

%PROGRAMM FILES%\MAGICW~1\MW1HEL~1.EXE is MW1HelperStartUp.
MW1HEL~1.EXE is part of MagicWaterfall screensaver.

mwcpyrt.exe

This file is included in Windows 98SE distributive.
Displays some copyright information on IBM ThinkPads.

mydail~1.exe

Adware.Horoscope displays horoscopes and advertisement.
Adds a link to "My Daily Horoscope" in the start menu.
Contacts www.mydailyhoroscope.net for content to display in Internet Explorer frames.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "MyDailyHoroscope" = "C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE"

Also, delete these keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\My Daily Horoscope
HKEY_CURRENT_USER\Software\Econfidence\
HKEY_CURRENT_ROOT\AppId\{6E0AFB50-AB22-477C-B16A-AA15593779aC}
HKEY_CURRENT_ROOT\AppId\MyDailyHoroscope.EXE
HKEY_LOCAL_MACHINE\Software\Econfidence

mywebsearch email plugin.lnk

MyWebSearch Email Plugin.lnk is a part of Fun Web Products.
It is not spyware, but it makes slow your computer down. All of the products use cookies to track usage, although they claim not to use cookies or anything else to track personally identifiable information.
http://www.pchell.com/support/mymailstam...

ncmyb.dll

ndrv.exe

Troj/PurScan-H is a downloader for an advertising-related application.
It will download configuration data from a remote location.
The data is used to display pop-up and advertisement on the infected computer.
It has the ability to download executable code from a remote location.
This trojan may then set the following registry entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NDrv = \ndrv.exe

Use RegRun Startup Optimizer to remove this trojan from your system.

netdotnet.dll

NewDotNet may be installed on your system with or without your knowledge.
The DLL component is a plugin to your Internet Explorer Browser. It needs when you use nonstandard Toplevel Domain names like .law, .club, .tech, .xxx and so on.
The catch is that nobody would see your domain unless they had the NewDotNet plugin installed on their computer.
Now that many new toplevel domain names have been approved by InterNIC, this new.net functionality is even less useful.
NewDotNet is good example of what's being referred to as Foistware.

NOTE: Foistware is software that adds hidden components to your computer. Usually it's done without your knowledge when you install some other program that would be useful to you.

This program is has been known to be installed along with KaZAa, Earthlink, @Home (ComCast), Juno, Webshots, NetZero, AudioGalaxy, Bearshare and a host of other programs.

It will also update itself without letting you know and it's unknown what new updated versions may do on your system.

It's recommended you use Add/Remove programs to remove the entire application.
(This DLL ties closely into the WinSock communication so if you just delete the DLL you'll screw up your system).

netratings.exe

Spyware.Netrat
When Spyware.Netrat is installed on the system, it tracks Internet usage and submits the tracked information to a server.
Also, the computer attempts to connect to http://premeter.opistat.com.

Must be installed on the system by executing a file or by visiting certain Web sites.
However, if this program is installed when you visit a Web site, you must agree to the installation.

Adds the value: "Premeter"="C:\Program Files\Netratings\Premeter\Netratings.exe"
or: "Premeter"="C:\Program Files\Netratings\Premeter\Nrpr.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Creates one of the following files:
C:\Program Files\Netratings\Premeter\Netratings.exe
C:\Program Files\Netratings\Premeter\Nrpr.exe

Information is not displayed on the screen when the programs are being installed,
but Spyware.Netrat adds the entry "Premeter" in the Add/Remove option in the Control Panel in Windows.

Remove it from startup with RegRun Startup Optimizer.

netsurf.exe

Netsurf.exe is Adware.
Netsurf.exe displays advertising popups on your computer.
Netsurf.exe collects information about user activity.
Installed by Optimum ISP.

newdotnet3_36.dll

newdotnet6_30.dll

newsupd.exe

Creative Labs spyware.
http://www.cexx.org/newsupd.htm

nin1t.exe

Troj/Bancos-V attempts to steal bank account details from customers of a number of Brazilian bank accounts that offer online services.
It is an information-stealing Trojan.
The Trojan logs information typed into web forms corresponding to a number of Brazillian banks that offer online services in an attempt to steal bank account details.

Manual removal:
Please, navigate to the following system registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value: NIN1T = \NIN1T.EXE

npnsdad.exe

Advertising Spyware
http://grc.com/downloaders.htm

npnzdad.exe

NetZip Download Demon - spyware.
http://grc.com/downloaders.htm

odspconfig.exe

Spyware.DsktopSurveil
Logs keystrokes, program use, and captures screenshots.
Also, can run in hidden mode.

Manual removal:
Navigate to and delete the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ODSP 6.0.2
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ODSP Host
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_ODSP_HOST
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\ODSP Host
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ODSP_HOST
Then, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "ODSPConfig"="%ProgramFiles%\ODSP\ODSPConfig.exe"

oemreset.exe

Appears when you're installing new software or drivers. It needs on OEM installations.
Not required since all the work has already been done.

onflow.exe

Onflow is a Web Advertising tool from Onflow Corporation.
http://www.answersthatwork.com/Tasklist_...

osa8.exe

Microsoft Office fast launch.

osa9.exe

Microsoft Office fast launch.

p_981116.exe

Win32 cabinet self extractor Not required.

p2p networking.exe

P2P Networking is a component that enables other applications to use Peer-to-Peer functionality.
P2P Networking is bundled with Kazaa v2.5.2 but is not required for its operation.
Changes browser settings other than homepage, without user permission.

Authors: Joltid Ltd.
Suggest to remove it.

pbagent.exe

Spyware.Probot logs keystrokes, program use, Web sites visited, and it captures screenshots.
It can do the following:
- Log keystrokes
- Run in hidden mode
- Log Web sites visited
- Capture screenshots
- Send logs by encrypted email

Automatic removal: Use RegRun Startup Optimizer.

pbsysie.dll

potdata.exe

Potdata.exe is a part of APC PowerChute Personal Edition software.
Application to send information in relation to UPS status to APC.
Useless.

powerreg scheduler v3.exe

Part of 3COM modem software.
Registration remainder. Not requred.

powerreg scheduler.exe

Part of 3COM modem software.
Registration remainder. Not requred.

powerreg schedulerv2.exe

Part of 3COM modem software.
Registration remainder. Not required.

ppstub.exe

PrecisionPop adware.
PrecisionPOP is distributed in a wide variety of free software applications.
PrecisionPOP serves advertisements to computers on which it is installed and the revenue generated from these advertisements keeps the bundled software applications free to the end user. All ads served by PrecisionPOP will be branded in the window header as being "Brought to you by PrecisionPOP."
Not required.
Use RegRun Startup Optimizer to remove it.

quickbrowser.exe

Adware.QuickBrowser is an adware component that adds search windows.
Displays an icon in the Microsoft Windows taskbar, which allows the user to perform Internet searches.
May download and execute remote files.
Creates the following files:
%Windir%\QuickBrowser.exe
%Windir%\QuickBrowserUpgrader.exe

Automatic removal: Use RegRun Startup Optimizer to remove this adware from startup.

ra32.exe

BackDoor-CAY - password stealer trojan. Also known as Backdoor.Carufax (AVP), Troj/Volver (Sophos), Win32.Reign (CA).

This trojan uses a stealth technique to circumvent certain scanning technology.
The trojan attempts to capture typed keystrokes and steal web site passwords.
Trojan do not self-replicate. It is spread manually, often under the premise that the executable is something beneficial.
Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

When run, the trojan creates a hidden directory named f~a within the WINDOWS SYSTEM directory.
Adds the value: "f~a" = C:\WINNT\System32\f~a\ra32.exe
to the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Within this directory, several files are created:
~key.log
~pass.log
~post.log
ra32.exe
usr_ext.dll (captures keystrokes and steals password)
usrvcrt.dll (captures web site username/password)

Use RegRun Startup Optimizer to remove this trojan.

rcsync.exe

PrizeSurfer is a free software that automatically enters you to win cash and prizes just for surfing the web and shopping online!
This program can show different popup windows and can go you to different site in web. This may cause a problem with your security (Trojans, worm) and privacy.
Suggest to stop it by RegRun Start Control.

remind32.exe

HP product registration program.

rundll deskcp16.dll,quickres_rundllentry

RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY is related to Display Settings icon in the System Tray.
RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY is used for allowing resolution changes on the fly in Windows 9x.

rundll32 setupapi,installhinfsection oemsyspnp 128 oemsyspnp.inf

CoolWebSearch is a name given to a wide range of different browser hijackers.
http://www.doxdesk.com/parasite/CoolWebS...
Useless.
Stop it.

rundll32.exe c:\windows\newdot~1.dll,newdotnetstartup

Advertising Spyware.
http://cexx.org/newnet.htm

rundll32.exe c:\winnt\system32\msiefr40.dll

BrowserAid is a manufacturer of various Internet Explorer toolbars, most of which seem to be
installed sneakily.
What it does?
Displays advertising popups.

http://www.doxdesk.com/parasite/BrowserA...
Suggest to remove.

rundll32.exe w3knet.dll,dllinitrun

Status: Web 3000 Spyware.

http://www.safersite.com/PestInfo/W/Web3...
Recommendation:
Stop it!

safewin.exe

PWSteal.Focosenha is a Trojan horse program that attempts to steal user names, passwords, and other information from the infected computer.
Logs keystrokes and captures background images when the address bar in Internet Explorer contains predetermined URLs.
The keystrokes are saved in:
%Windir%\MSN\LogMedia.TXT
The captured images are saved in the directory:
%Windir%\MSN\DAT
Sends LogMedia.TXT and image files stored in %Windir%\MSN\DAT to a predetermined email address.

Manual removal:
Navigate to the key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Safe"="C:\Windows\MSN\SafeWin.exe"
Navigate to and delete the key: HKEY_CURRENT_USER\SafeMode

sagent.exe

Spyware.TinySpyAgent
It is a commercial keystroke logger.
It also reports the process that keystrokes are being typed into and can be run in a silent mode.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
then delete the value: "SAGENTSERVICE"="%ProgramFiles%\TinyStone\Tiny Spy Agent\Sagent.exe -start"
Also, delete the key: HKEY_LOCAL_MACHINE\SOFTWARE\TinyStone\Tiny Spy Agent

savenow.exe

Advertising spyware.
http://www.affiliatemarketing.co.uk/dec0...

sentry.exe

IP Insight Tracking software.
Tracks geographical and connection speed data and reports it back to companies.
Useless.

seticon.exe

Installed if you have a 6-in-1 (4 Media Card slots, a floppy drive and a USB connection) card reading device.
It used to updates the icons for Media Card slots and this operation used a lot of system resources.
You can remove it by RegRun Start Control.

settn.dll

setupad.exe

Setupad.exe is an adware program Adware.Satbo.
Setupad.exe downloads and displays advertisements.
Related files:
%System%\Svrhost.exe
%System%\Msstart.exe
Setupad.exe
Adds the value:
"svrhost" = "%System%\Svrhost.exe"
"msstart" = "%System%\Msstart.exe"
to the Windows startup registry keys.
Removal:
Kill Setupad.exe process and remove Setupad.exe from Windows startup.

skinkers.exe

Howard the Weatherman desktop client from Halifax by Skinkers - marketing/messaging tool

It allows web site owners to deliver content directly to customers desktops without "getting lost" within the already cluttered email channel.

The downloadable desktop application installed by the user, marketeers are able to cement a far stronger relationship with their customers.
They can also engage with them far more frequently and effectively than through traditional methods such as email newletters.
Add hyperlinks to push people to pages and data you want them to see, e.g. breaking news or promotional offers.
Skinker content is usually, though not necessarily, delivered by eye-catching corporate logos, animated characters or icons, with their own branded dialogue windows. You have total creative flexibility � make your Skinker and all associated dialogues, characters and icons fit precisely with your corporate culture, branding and identity.

Skinkers is multimedia enabled and is used to deliver rich media such as video, images, music, copy, interactive Flash files and other applications.

http://www.skinkers.com/index.html

smrtshpr.dll

SmrtShpr.dll is a SmartShopper adware.
SmrtShpr.dll monitors user activity and sends information to a master site.

sncntr.exe

This dialer program is installed through various Web sites, mainly with adult or pornographic contents.
When it runs, it displays a window inviting you to access different sites using a premium rate telephone number.
Remove it using RegRun Startup Opimizer.

sndcfg16.exe

Worm.P2P.Krepper.c
On launch, the worm checks the victim machine for VMWare.
If it is launched under VMWare, some of the malicious functions will not be executed.

Copies itself to the Windows system directory as sndcfg16.exe.
It registers this file in the system registry to ensure this file is run each time the system is started:
[Software\Microsoft\Windows\CurrentVersion\Run] Services = sndcfg16.exe
This worm propagates via P2P networks.
If the worm detects a P2P client, it will copy itself under a random name.
The worm checks the system registry value every second.
It downloads and launches files from the Internet.
The worm also connects to a number of IRC channels to inform the author of the worm about infected machines.

You can remove it by RegRun.

splasha.exe

SPLASHA.EXE is related to Interactive Media Manager software.
Manufacturer: Microsoft Corp.
http://blogs.msdn.com/imm/

spoo1sv.exe

PWSteal.Souljet is a Trojan horse that steals system and personal information.

Copies itself to %System%\Spoo1sv.exe.
Adds the value: "spoo1sv" = "spoo1sv.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Creates the file, %System%\Soul.dll. This file is the keylogger part of the Trojan.
Searches currently running processes for Explorer.exe.
Injects Soul.dll into the process space of Explorer.exe, so that Soul.dll runs in the process context of Explorer.exe.
Soul.dll steals system information, such as the computer name and IP address.
As previously mentioned, this Trojan also logs key strokes.
It uses the Internet to send the stolen information to a predefined address.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "spoo1sv" = "spoo1sv.exe"

spywareguard.exe

Advertising Spyware.
Part of RapidBlaster software
http://www.rapidblaster.com/
Typically displays pop-ups for porn sites.
Read more about:
http://www.doxdesk.com/parasite/RapidBla...
Suggest to remove by Rapid Blaster Killer:
http://www.wilderssecurity.net/specialin...

ssmgr.exe

Spyware.007Spy is a commercial spyware program.
It logs keystrokes, Web sites visited, programs used, and files and folder activity.
It also has a screen capture logger and can be run automatically in a silent, undetectable mode.
Can use FTP and email to send all the logs to a remote server or email address.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "WinService32"="%ProgramFiles%\Sysmnt\ssmgr.exe"

stopsignav.exe

stopsignav.exe ia a part of eAcceleration Stop-Sign software.
Not required, may be run manually.

stub.exe

Kazaa/Ezula/TopText Scumware.
eZula TopText is a browser plug-in for Internet Explorer.

http://www.whirlywiryweb.com/removeezula...
Main executiojn file is stub.exe. It is located in Windows\System or in Windows\System32
Suggest to remove from startup.
1. From your Taskbar select: Start > Settings > Control Panel > Add/Remove Programs
2. In the 'Add/Remove Programs' window, locate one of the following program names: TopText HotText ContextPro, all are different names for the same program. Highlight the program name you find by clicking on it.
3. Click Add/Remove or Change/Remove to begin the uninstall process and follow it through.
4. Restart your computer.

supporter5.exe

It is a part of eScorcher anti-virus software.
Checking for updates of new virus bases each time you logon to the web.
Used to collect information about the user and therefore treated as spyware.
Not required.

svch0st.exe

Trojan.Dingsta.A is a keylogger that tries to log keystrokes that are typed in open Web browser windows.
Then, it sends the captured keystrokes to a predefined Web site.

Creates one of these files:
Windows NT/2000/XP/2003: C:\Winnt\System32\Svch0st.exe
Windows 95/98/Me: C:\Windows\System\Svch0st.exe

Adds the value: "taskmgr.exe" = "%Path%\svch0st.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Adds the value: "taskmgr.exe" = "%Path%\svch0st.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Adds the value: "taskmgr.exe" = "%Path%\svch0st.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Constantly checks the names of all the open windows.
If this Trojan finds a window whose Title Bar matches one of these names: Offline Explorer; Netscape; Microsoft Internet Explorer
it will log all the keystrokes typed inside that window.
Using a script running on the server that the Trojan contacts, it submits all the logged keystrokes to a predefined URL.

Automatic removal:
Use RegRun Startup Optimizer.

sw.exe

Spyware.SilentSpy
It is a software program that monitors all the actions on local and networked computers.

Adds the value: "SSConfig" = "SW.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Adds the subkey: "SW"
to the registry keys:
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\CurrentControlSet\Enum

Adds the value: "0" = "SW\{B7EAFDC0-A680-11D0-96d8-00AA0051E51D}\{9B365890-165F-11D0-A195-0020AFD156E4}"
to the registry key: HKEY_LOCAL_MACHINE\CurrentControlSet\Services\kmixer\Enum

Creates the following files:
C:\Silent-Spy.cnt
C:\Silent-Spy.hlp
C:\Wlp.sys
C:\Wlg.sys
C:\SW.htm
Creates the folder C:\SSS, which stores screenshots that the spyware captures.

Captures and logs the following items:
- Every window that you open and interacted with.
- All of the Web site titles and addresses that you visit.
- All the keystrokes and windows in which the keystrokes were entered.
- Periodic screen shots.

You can remove it with RegRun.

syncroad.exe

Adware.SyncroAd displays pop-up advertisements when you are browsing the Internet.
Creates the file %System%\ide21201.vxd
Adds the value: "Windows SyncroAd" = ""
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Adds the values:
"DisplayName" = "Windows SyncroAd"
"UninstallString" = " /Remove"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows SyncroAd

Remove it by RegRun StartUp Optimizer.

sys32win.exe

Spyware.ActiveKeylog records keystrokes by the user and may send this information through email.
Can be installed as part of another program, or by an installer with a user interface.

While Spyware.ActiveKeylog may be installed through an installer, the installation path is configurable, and the default is C:\Program Files\Active Key Logger.
The spyware may be configured to run in stealth mode, hiding its user interface and system tray icon.

Adds the value: "sys32sql" = "%installation path%\sys32win.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

This spyware program must be manually installed.
However, there are several known programs that have Spyware.ActiveKeylog within them and that install it as the program itself is installed.

Use RegRun Startup Optimizer to remove it from startup.

sysai.exe

AproposMedia is the part of the 'PeopleOnPage' program, an Internet Explorer sidebar which claims to show a list of other users of the current site.
Also known as POP after its program name, Envolo after the name of the updater component included in PeopleOnPage.
PeopleOnPage was bundled with Grokster around June 2003, and it installed by pop-up ActiveX drive-by download.
Opens pop-up adverts at regular intervals when Internet Explorer is in use.
When the PeopleOnPage sidebar is open, the addresses of all pages visited are sent to the controlling server with a unique tracking ID.
Includes an updater component which can silently download and execute arbitrary code form its controlling server.

Removal: Use RegRun Startup Optimizer to remove it from startup.
Amd go to the Control Panel's Add/Remove Programs feature. Select and remove 'AM Server' and 'POP'.

syschecks.dll

Spyware.SpyMyPC
Spyware.SpyMyPc is a commercial spyware program that logs keystrokes.
It can be do any of these actions:
- Log keystrokes and output them to a file located in %ProgramFiles%\Logs.
- Run in a Hidden mode in the taskbar.
- Start automatically when Windows starts, by enabling the "Run SpyMyPC when Windows Startup" option.

It creates some files, such as: %ProgramFiles%\SpyMyPC\Smpc.dll; %ProgramFiles%\SpyMyPC\Smpc32.exe; %Windir%\Smode.dll; %Windir%\Syschecks.dll and some others.
Adds the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyMyPC_is1
HKEY_CURRENT_USER\Software\Benutec\SpyMyPC

Manual removal:
Navigate to the key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "SystemCheck"="RUNDLL32.EXE syschecks.dll,SysCheckStartup"
Then, navigate to the key: HKEY_CURRENT_USER\SOFTWARE\Benutec\
and delete the subfolder: "SpyMyPC"
Also, delete the following files in %Windir% if they exist: smode.dll; smrcmd.dll; syschecks.dll

sysdiag.exe

Spyware.SpyAgent.B
It is a commercial keylogger/system-monitoring program.
It has various monitoring features such as keystroke, clipboard, event, file, chat, and Internet logging.
The logs can be emailed or sent via FTP to a remote server.
Can also be run in full silent mode with no splash screen.
It has options to create an Administrative install or as a more basic Stealth install, as well as options to create or not create an uninstaller.

Automatical removal: Use RegRun Startup Optimizer to remove it from the system registry.

sysdll32.exe

CoolWebSearch parasite related.
Redirecting to wholeworldmarket.com, most likely other domains as well.
The difficulty of removing CWS from a user's system has grown from slightly tricky in the first variant to virtually impossible for the latest few.
Some of the variants even used methods of hiding and running themselves that had never been used before in any other spyware strains.
The CWShredder tool to remove Coolwebsearch will always be up to date and is updated as fast as possible when new variants emerge.
We are pretty sure now CoolWebSearch is part of a new strain of trojans that have recently been identified that all have one thing in common: they install through the ByteVerify exploit in the MS Java VM and change the IE homepage, search page, search bar, etc.
It has also been confirmed that 'Index.dat Viewer' changes your IE search pages to superwebsearch.com, a CWS affiliate page, after installing it.
Uninstalling Index.Dat Viewer will not restore your search pages.

sysmgr32.exe

Spyware.Sa_PCSpy.b
It is a commercial spyware program that logs keystrokes, Web sites visited, programs used, and file and folder activity.
It also has a screen capture logger and can be automatically run in a silent, undetectable mode.
Adds the value: "sysmgr32"="%ProgramFiles%\SpyAnytime\sysmgr32.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Use RegRun Startup Optimizer to remove it from startup.

systree.exe

Troj/Bancban-N.
It is a password-stealing Trojan targetted at customers of a Brazilian bank.
The Trojan drops a component of itself into \SYSTRE as SYSTREE.EXE and creates the following registry entry in order to run on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Systree = SYSTREE.EXE

Please, remove it with RegRun.

sysu.exe

Adware.DynamicUpdater is an adware program that can be downloaded by Adware.Dynamic.
This adware program is installed manually or as a component of another program.

When Adware.DynamicUpdater is executed, it performs the following actions:
Adds the value:
"sysu" = "c:\progra~1\ddm\sysu.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Generates frequent pop-up advertisements.
May download an executable from the Web, possibly an update of itself.

Use RegRun Startup Optimizer to remove this adware.

tamset.exe

Spyware.TrueActive is the commercial keylogger TrueActive Monitor.
Formerly known as WinWhatWhere Investigator, TrueActive Software published this spyware.
The spyware has a comprehensive suite of system monitoring tools including, keystroke, password, instant messaging, video/screen capture, and network usage logging.
It can also operate in silent mode and can also use email to send logs to a remote observer.

Please, remove this spyware with RegRun Startuip Optimizer.

tgcmd.exe

This software is often used by ISP to collect information about your computer and to
automatically send this information to ISP and to auto update this software via Internet.
Go to Add/Remove Programs in your Control Panel and look for something like "support agent" -
these things go by several different names - and remove it.
If you couldn't find it remove it by RegRun Start Control.

tgdc.exe

TGDC Websearch
Adware, also Known as: TGDC IE Plugin Tgdc.exe shopforgood.com
A plugin for IE that someone seems to know where it came from. References in the code point to shopforgood.com

Stays resident in background, hides itself from user, show advertisments:
- Makes changes to browser settings
- Connects to the internet by itself

Manual removal:
You might try deleting it from c:\program files\tgdc\ if found there.
Remove it quickly by RegRun Terminator.

tgfix.exe

This software is often used by ISP to collect information about your computer and to automatically send this information to ISP and to auto update this software via Internet.
Go to Add/Remove Programs in your Control Panel and look for something like "support agent" - these things go by several different names - and remove it.
If you couldn't find it remove it by RegRun Start Control.

tmpcpyis.bat

You may remove this item without any problems.
It's used for clear temp files after installation.
Usually, setup program automatically removes tmpcpyis.bat after installation.

toolbar.dll

Spyware.ISearch
It isInternet Explorer Browser Helper Object and functions as a toolbar.
It is a search hijacker and also tracks user activity on a remote server at isearch.com.
Modifies the values:
"Btn_Search"="0x00000002"
"NoDriveTypeAutoRun"="0x00000091"
"SpecifyDefaultButtons"="0x00000001"
Remove Toolbar.dll from BHO list.

tps108.dll

tsadbot.exe

PKWARE Pkzip special advertisement software.

tvm.exe

It is hijacker.
Any software that resets your browser's settings to point to other sites is called the hijacker.
Hijacks may reroute your info and address requests through an unseen site, capturing that info.
Also change your home page to some other site. Error Hijackers will display a new error page when a requested URL is not found.
May cause crashes and trigger Windows XP error reporting. Likely to slow performance of Internet Explorer.

To manually remove CleverIEHooker from your computer:

Unregister these DLLs with Regsvr32, then reboot:
systemroot+\jeired.dll

Remove these registry items (if present) with RegEdit:
HKEY_CLASSES_ROOT\clsid\{707e6f76-9ffb-4920-a976-ea101271bc25}
HKEY_CLASSES_ROOT\interface\{707e6f76-9ffb-4920-a976-ea101271bc25}
HKEY_CLASSES_ROOT\typelib\{707e6f76-9ffb-4920-a976-ea101271bc25}
HKEY_LOCAL_MACHINE\software\classes\clsid\{707e6f76-9ffb-4920-a976-ea101271bc25}
HKEY_LOCAL_MACHINE\software\classes\typelib\{707e6f76-9ffb-4920-a976-ea101271bc25}

Remove these files (if present):
systemroot+\jeired.dll

Or use RegRun Startup Optimizer to automatical remove this hijacker.

updmgr.exe

This is an auto-updater that starts every time you try to connect to the internet.
Bundled with Kazaa.
Not required.

updreg.exe

Reminder to register Creative Labs SoundBlaster Live! cards. Not required.

ussshreg.exe

USSShreg.exe is the program related to ULead�s SmartSaver Pro software.
USSShreg is registration reminder. Not required.

vcatch.exe

Spyware that installs CommonSearch, UCMore, Bargain Buddy, and others.
Claims to be an anti-virus product. from the doc:
'We record and analyze the use of the service and software in order to get general, aggregate compilations of users' characteristics and uses of the Internet to potential users and commercial partners. We may use the information that we gather for statistical purposes in aggregate, anonymous form and for advertising, marketing, and other commercial activities.'

Manual Removal:

Kill these running processes with Task Manager:
programfilesdir+\commonsearch\vcatch\vcatch.exeadp.exe
vcatch.exe
vctadpi7099.exe

Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
and delete value contains 'Vcatch.exe'.
Unregister mcact.dll with Regsvr32, then reboot.

Remove these registry items (if present) with RegEdit:
HKEY_CURRENT_USER\software\commonsearch
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\vcatch
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\vcatch - the personal virus catcher
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\vcatch - the personal virus catcher
HKEY_USERS\s-1-5-21-1409082233-1390067357-1801674531-500\software\commonsearch

Remove these files (if present) with Windows Explorer:
programfilesdir+\commonsearch\vcatch\vcatch.exeadp.exe
ath.mgf; frb.mgf; install.log; license.txt; mcact.dll; snd.mgf; sub.mgf; sze.mgf; vc.txt; vcatch.exe; vcatch.lnk; vcsetupnew.reg; vctadpi7099.exe

Remove this directory (if present) with Windows Explorer: programfilesdir+\commonsearch

Use RegRun to automatically remove this spyware from the system registry.

vhchost.exe

PWSteal.Tarno.I
It is a Trojan horse that attempts to steal user names and passwords for certain Internet banking sites, by capturing screenshots and logging keystrokes.
Monitors the URL field in Internet Explorer for the following strings:
e-gold; bank; hsbc; halifax; barclays; openplan; lloyds; abbey; cahoot; nationwide; nwolb; natwest; nationet; woolwich
- Stores keystrokes and the content of the clipboard in the file, %System%\Usert\<10digits>_<8digits>.txt, where the digits are derived from the system time.
- Stores screenshots in the file, %System%\Usert\<10digits>_<8digits>.bmp, where these digits are derived from the system time.
- Using %System%\Winrr.exe, which it previously created, the Trojan creates the RAR file, %System%\Usert, which contains the keystrokes and screeenshots.
- Attempts to send the RAR file to a remote Web server.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Default System Research" = "%Windir%\vhchost.exe"

Or use RegRun Startup Optimizer to automatically remove it from startup.

viewmgr.exe

Viewpoint Manager for Viewpoint Media Player
It is spyware as bundled with AOL, AOL Instant Messenger, Netscape 7, etc.

Following developers: "Viewpoint Media Player integrates photo-realistic 3D, high-resolution 2D images, Macromedia Flash, audio, and other media formats into HTML pages through a single media host. Essentially a graphics operating system, VMP includes both an ActiveX control and a Netscape plug-in that permits its graphics and online services to be accessed through Web browsers across multiple platforms and over narrowband connections, all while requiring no special server-side software.
This technology can be used for business applications ranging from advertising and e-commerce to online customer service and training."

Viewpoint Media Player collects information about the user.
From the vendor's privacy policy: To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint.
Detected as spyware with some detection programs.

Unused files:
AxMetaStream.dll, ComponentMgr.dll, MetaStreamID.ini, MtsAxInstaller.exe, npViewpoint.dll, npViewpoint.xpt, JpegReader.dll, Mts3Reader.dll, SceneComponent.dll, SreeDMMX.dll, SWFView.dll, WaveletReader.dll

Please, remove this spyware with RegRun Startuip Optimizer.

vx2.dll

webinstaller.dll

ShopAtHomeSelect is a Winsock 2 Layered Service Provider that redirects visits to merchant sites in order to take the affiliate fees from them automatically.
Also known as Golden Retriever.
Bundled with Grokster (around the start of 2003) and iMesh 4. Also installed by the FavoriteMan parasite from May 2003.

It doesn't advertising or privacy violation.
The software can download and execute code from its controlling server, as a silent update feature.

On testing, seemed to cause browser to run quite slowly.

Removal:
There should be an entry in the Control Panel's Add/Remove Programs entry for 'ShopAtHomeSelect Agent'.
Use it to remove the software then restart the computer.

You can delete the damaged '{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}' entry inside the 'Downloaded Program Files' folder,
the 'SAHUninstall.exe' file in the 'Windows' folder and 'SahAgent.log' in the root of the C: drive to clean up if you like.

Not required.
Use RegRun Startup Opimizer for removal.

win32_i.exe

Advertising Spyware.
Typically displays pop-ups for porn sites.

http://www.doxdesk.com/parasite/RapidBla...
Remove it from startup by RegRun Startup Optimizer or
use Rapid Blaster Killer:
http://www.wilderssecurity.net/specialin...

win32info.exe

Adult content dialler.
Installed through various Web sites with pornographic contents.

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

win32us.exe

All-In-One Telcom.
Adult content dialer:
a trojan that dials toll numbers without user awareness or permission.

http://www.safersite.com/PestInfo/db/a/a...

winamp.hta

This is not the real WinAmp program. It used for redirecting you to adult content sites when you surfing the web.

winfavorites.exe

Adware.WinFavorites.B
It is a program that downloads advertisements and updates them periodically.

When executed, it creates the file C:\Program Files\WinFavorites\WinFavorites.exe.
Then adds the values:
"DisplayName"="Win Favorites"
"UninstallString"="C:\Program Files\WinFavorites\WinFavorites.exe /uninstall"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Win Favorites

Adds the value: "WinFavorites" = "C:\Program Files\WinFavorites\WinFavorites.exe1"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Attempts to download files from www.flingstone.com.

Remove it from the system registry by RegRun.

winnet.exe

CommonName Sidebar from www.commonname.com
Advertising Spyware. The uninstall program requires one to access the internet, get a validation code, and then enter this code to get the application to unload. None of this is stated upfront when installed.

winoko32.exe

Adware.EliteBar
It is installs itself as an Internet Explorer toolbar and redirects search requests.
It downloads and executes two files from searchmiracle.com, and saves them as C:\Winupdate.exe and C:\Ed.exe.
Creates multiple files in C:\WINNT\EliteBar.
Depending on the response the adware receives from the server, it may change the Internet Explorer home and search pages, add links to the Internet Explorer Favorites, or modify the system hosts file.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Sys29"="%System%\winoko32.exe"

Delete the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum
HKEY_CURRENT_USER\SOFTWARE\LQ
HKEY_CURRENT_ROOT\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA880F}
HKEY_CURRENT_ROOT\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81C3A}

winstart001.exe

IGetNet is a plug-in search addition to your IE Browser that will redirect your searching to customers of IGetNet. May disable other browser plug-ins.
Suggest to uninstall this software.

wxprocmgr.exe

TVTonic from Wavexpress.
Users can download some data included full-screen, DVD-quality video channels.
Adds advertising to the data.

xadbrk.dll

xadbrk.exe

xclean.exe

Adware.Flashtrack.B
It is an Internet Explorer Browser Helper Object, which monitors the search terms placed in Search page forms and visited Web sites.
It then displays pop-up and pop-under ads.
Adds the value: "t"="%ProgramFiles%\Xmod\xclean.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Please, remove this adware with RegRun Startuip Optimizer.

xtcfgloader.exe

Toolbar addition to your browser that supposes to enhance your searching. Will causes pop-up ads to appear on sites that don't normally support them.
Remove it from startup.

zserv.dll

ZServ is Adware from ZServ
http://www.zserv.biz/
ZServ is used for track user activity, display popup ads etc.
Delete %WinDir%\zserv.dll Browser Helper Object.

zupdate.exe

A player for 'rich media' advertising. Similar to Onflow.
It's other names are Brilliant Digital (company name), B3D Projector (application name).
Apart from being downloadable from Brilliant's own legitimate-looking site, it is also stealth-installed by newer versions of KaZaA and other free applications.
It allows sites to use annoying advertising with 3D effects, sound, and so on. However, it does not add its own advertising to other sites.
The Projector downloads new components and updates silently.
Code-signing seems to be used, to ensure only Brilliant Digital can write code to be executed by the software.
The Projector has 3D functions, which are always liable to cause problems with some graphics cards and driver versions.

Removal:
You can use 'Add/Remove Programs' for 'B3d Projector'. And delete the directory 'BDE' inside your Windows directory, and the files 'bdeinstall.exe', 'bdeinsta2.dll', 'bdefdi.dll', 'bdedata2.dll', 'bdedownloader.dll', 'bdeverify.dll', 'bdesecureinstall.exe' and 'bdesecureinstall.cab' inside your System directory.
Also use RegRun Startup Optimizer to remove it from the system registry.

Quick Links: What's new?
RSS Feed
Add to AppDatabase
Ask Experts
Join forum
Links
Articles: Virus or not? SPTD####.sys
What is mc21.tmp, mc22.tmp, mc23.tmp?
Select: Necessary
Useless
At your option
Dangerous

Downlod Now!