| Name | Filename | Status | Description |
|---|---|---|---|
| Mouse Hardware Sync | mousehs.exe | X | Added by the Troj/Bdoor-HU backdoor trojan. |
| ProjectX | ProjectX.exe | X | Added by the W32/Cisum-A worm. |
| GridIron XLR8 | xlr8d.exe | Y | Added by GridIron™ XLR8. Description: For software developers with computationally intensive applications, GridIron XLR8 is a technology that enables the parallel processing of software applications on multiple CPUs. |
| Windows 32 Rescue | win32resc.exe | X | Added by the W32/Forbot-EU worm. When started, this infection connects to an IRC server where it waits for remote commands to execute. This startup entry refers to the NT service that it creates. |
| NGate service | tage32.sys | X | Added by the Troj/Haxdoor-R rootkit. This infection hides certain processes, files, and registry keys on your computer. It is usually installed in conjunction with other malware. |
| Logical Disk Manager Provider | spool.exe | X | Added by the Troj/Agent-DA trojan. |
| MSCoolServ | mscolsrv.exe | X | Added by the Troj/RaHack-A trojan. |
| Handling the loading of the MAPI API | MAPI32.EXE | X | Added by the W32/Codbot-C backdoor. When started, this infection connects to a remote IRC server where it waits for commands. This infection is also known to steal passwords, so if you are infected with it, you should immediately change your passwords. |
| Loads files to memory for later outputing over the endpoint | LSPOOL.EXE | X | Added by the W32/Codbot-B backdoor. When started, this infection connects to an IRC server where it waits for commands to execute. |
| Task Scheduler | unknown | X | Added by Troj/PcClient-R as a display name used when it overwrites the existing service named Service. |
| msdirectx | msdirectx.sys | X | Added by the W32/Sdbot-XP, W32/Sdbot-XQ, and W32/Sdbot-XR worms as a new service. They will use the same display name, and exploit IRC channels. |
| Network Host Controller | MSRSDN32.DLL | X | Added by the W32/Kassbot-B worm. |
| iesprt | IESPRT.SYS | X | Added by the Troj/Goldun-G password-stealing trojan. If you have this infection, you should change all your passwords. |
| Service Control Application | system.exe | X | Added by the worm. This worm spreads via the LSASS exploit. |
| Event Monitor | msgfix.exe | X | Added by W32/Sdbot-DY. When started, this infection connects to a remote IRC server where it waits for commands to execute. |
| Application Provier | MST.EXE | X | Added by the W32/Forbot-DX worm. |
| Network Monitoring Service | NETMON.EXE | X | Added by the W32/Codbot-A backdoor. |
| sdkupdate22 | SDK0mCORE.exe | X | Added by the W32/Forbot-DT network worm. When started, this infection connects to an IRC server where it waits for remote commands. |
| Performance Logs and Alerts | smlogsvc.exe | N | This is a Microsoft service that collects performance data from various applications running on a Windows computer. This service should be set to manual as it will start and stop as needed. |
| DLL Enhancer Drive | lsass.exe | X | Added by the Troj/Bdoor-CGM backdoor trojan. |
| zzzzDeMe | zzzx*.exe | X | Added by the Troj/Socksrv-A backdoor trojan. |
| Symantec Client Security Loader | DHCP.DLL | X | Added by the Troj/DllLoad-B trojan DLL loader. DHCP.DLL is a file that tells the service what malicious DLL to load. |
| Internet Protocol | MSCTRL32OCX.EXE | X | Added by the Troj/Bdoor-BK backdoor trojan. |
| MediaSource | MSCTRL32OCX.EXE | X | Added by the Troj/Bdoor-BK backdoor trojan. |
| mserv.exe | mserv.exe | X | Added by the Troj/KillProc-E trojan. This program is used to terminate security-related software so that it cannot run on your computer. |
| rdriv | rdriv.sys | X | A rootkit bundled with various infections in order to hide them. |
| iTunesMusic | iTunesMusic.exe | X | Added by the W32.Spybot.NLX worm. This worm utilizes the rdriv.sys rootkit to hide itself. |
| sqlsrvd | _sqlexec.exe | X | Possible new variant of W32.Spybot.NLX. This infection has rootkit capabilities, so it is possible that you have further files that cannot be seen. |
| MS SQL Server Moniter | _sqlsrvd.exe | X | Possible new variant of W32.Spybot.NLX. This infection has rootkit capabilities, so it is possible that you have further files that cannot be seen. |
| msdirectx | msdirectx.sys | X | This infection hijacks Internet Explorer to redirect to search-area.com. For more information, see Troj/Malche-A. |
| KeBoot | Boot32.sys | X | Added by the HaxDoor.B rootkit/backdoor Trojan. This service is installed as a system driver and is part of the rootkit functionality of this infection. |
| KeSDM | Sdmapi.sys | X | Added by the HaxDoor.B rootkit/backdoor Trojan. This service is installed as a system driver and is part of the rootkit functionality of this infection. |
| VIRTwin | VDMT16.SYS | X | Added by the Troj/Haxdoor-CN rootkit infection. This file is installed as a system driver and is used to hide processes, files, and registry keys from being seen. |
| SCNDmem | WINLOW.SYS | X | Added by the Troj/Haxdoor-CN rootkit infection. This file is installed as a system driver and is used to hide processes, files, and registry keys from being seen. |
| Flash Memory tool | FLASHMGR.EXE | X | Added by the Troj/Riler-F backdoor trojan. |
| MemDRV | vdnt32.sys | X | Part of the Troj/Haxdoor-AE rootkit. This is installed as a system driver service, so it will not be seen in the services.msc control panel. |
| LMMngr | memlow.sys | X | Part of the Troj/Haxdoor-AE rootkit. This is installed as a system driver service, so it will not be seen in the services.msc control panel. |
| Ulead Sservice System Files | ulcdrsf.exe | X | Added by the W32/Codbot-S network worm and backdoor trojan. |
| cfg | cfg.exe | X | Added by the W32/Bdoor-ZAR backdoor worm. |
| Windows_Help_Server | lasas.exe | X | Added by the Troj/Delf-JQ trojan downloader. This infection also logs your keystrokes. |
| System Startup Service | svcproc.exe | X | This infection is identified as Trojan.Win32.Stervis.b. It is usually bundled with nail.exe, an Abetterinternet adware variant. It is notoriously difficult to remove and is usually bundled with other malware that is hard to remove as well. One method that we have found that is able to remove this infection and the other malware bundled with it is the ewido security suite, which you can download and try for free. |
| EthernetService | tcpcheck.exe | X | Added by the Troj/Vbbot-B trojan, which installs a service called EthernetService and also uses that display name. |
| zzzxSYSTEM_32 | zzzxt2ve.exe | X | Added by the W32/Oddbot-D worm. |
| Windows Security Update | secupd.exe | X | Added by the Troj/Sepuc-B trojan, which installs a service with both the service name and the display name being Windows Security Update. |
| Microsoft Java Virtual Machine | msjavarxp.exe | X | Added by W32/Forbot-DL, using the service name Norton Anti-hacker. |
| wmon | jusched.exe | X | Added by the W32/Agobot-OW worm/IRC backdoor trojan, using a new service name called wsaconfig. |
| Microsoft Windows Registry Updater | wreg.exe | X | Added by the W32/Forbot-DN worm/IRC backdoor trojan, which creates a new service called wreg. |
| eProxy | [random] | X | Added as a new service by the Troj/Daemoni-AL trojan, using a display name of Microsoft Security Subsystem Provider. |
| Smart Card Client | SCardClnt.exe | X | Added as a new service by the W32/Codbot-K worm/IRC backdoor, using SCardClnt as a service name. |
| servisec | servisec.exe | X | Added as a new service by the Troj/Xrat-B trojan, using the same display name. |
| svhost System | svhost.exe | X | Added as a new service by the Troj/Xrat-A trojan, using a service name of svhost. |
| SmartLinkService | slserv.exe | U | Associated with the SmartLink modem and used to show a tray icon that gives connection information. |
| Netropa NHK Server | Nhksrv.exe | N | This program is installed on certain Dell and Compaq computers. It is used to disable any configured hotkeys while the screensaver is running. |
| Ulead Systems | ULCDRSvr.exe | X | Added by W32/Codbot-H as a service, with a display name of Ulead Systems System Files on Windows NT/2000/XP versions. |
| Win32SysV | xin.exe | X | Added by W32/Forbot-EO, using both a registry run key and a service to start up. |
| updater | wisvc.exe | X | Added by Troj/Orse-A, which also creates a service using the same name, with a display name of Windows update Service. |
| pnpsvc | svchost.exe -k netsvcs | X | Added by Troj/StartPa-FP as a new service, using "Plug and Play svc service" as a display name. |
| SCVHOST | SCVHOST | X | Added by the Troj/Feutel-D trojan as a new service, using the same name as a display name. |
| RAT X Control | xflash.exe | X | Added by Troj/Bdoor-CPE. |
| arsch | nets.exe | X | Added by W32/Forbot-EL; its display name is "Indexing Provider". |
| Network Devices Controller | [unknown filename] | X | Added by the Backdoor.Alnica backdoor. Listens on port 6667 awaiting a remote connection. |
| Rio MSC Manager | RioMSC.exe | U | Used by the RIO MP3 player to organize and copy music to your MP3 player. |
| Compuware Distributed Analyzer Service | NCS.exe | Y | Added as part of the Compuware DevPartner Studio. |
| Compuware Distributed Analyzer Service | DASVCNT.exe | Y | Added as part of the Compuware DevPartner Studio. |
| ArcGIS License Manager | lmgrd.exe | Y | Part of the Macrovision FLEXlm software. This software is installed as part of the licensing of the ArcGIS software. |
| Atheros Configuration Service | acs.exe | Y | Part of the Atheros 802.11b/g WiFi connectivity driver. |
| BrSplService | brsvc01a.exe | Y | This file is an integral part of the Brother printer driver. Disabling this service will disable communication between your computer and the printer. |
| Brother Popup Suspend service for Resource manager | Brmfrmps.exe | ? | Related to the Brother printer software. Is this necessary to run automatically? |
| SecuROM User Access Service (V7) | UAService7.exe | Y | Used by virtual CD programs like Alcohol to access CD images protected by SecuROM. |
| wtaskbarmngr | taskbarmngr.exe | X | Added by W32/Rbot-ZO as a new service with a display name of Windows Taskbar Manager. |
| Gray_Pigeon_Server | G_Server.exe | X | Added as a new service by the Troj/Feutel-C trojan. |
| ACCRA | Mocih.exe | X | Added as a new service by the Troj/Chimo-B trojan, with a display name of Trace network connections. |
| winmdgr | winsvcmgr.exe | X | Added as a new service by the W32/Sdbot-WQ worm/IRC backdoor, using a display name of Microsoft Service Manager. |
| Symantec AntiVirus Client | rtvscan.exe | Y | This is the real-time component of the Symantec antivirus protection program. This program should not be disabled, as you will no longer have real-time virus protection. |
| AOL TopSpeed Monitor | aoltsmon.exe | Y | This program is used by AOL's web acceleration technology which supposedly helps to make web browsing faster. This is most important for those users who still access AOL via dial-up. |
| McAfee.com VirusScan Online Realtime Engine | mcvsrte.exe | Y | Associated with McAfee's Internet Security suite. This is the real-time scanning engine and should not be disabled! |
| McAfee SecurityCenter Update Manager | mcupdmgr.exe | Y | Associated with McAfee's Internet Security suite. May control the updating of the program. |
| McAfee.com McShield | mcshield.exe | Y | Associated with McAfee's Internet Security suite. |
| StyleXPService | StyleXPService.exe | Y | "How sleek is your desktop? Style XP unleashes the full potential of your Windows XP desktop by allowing you to download and install XP themes." |
| DameWare NT Utilities 2.6 | DNTUS26.EXE | U | DameWare NT Utilities program that allows remote access and control of a computer. This is a common program for hackers to install on a computer, so if it is installed and you did not install it, it should be removed. |
| NetBackup Client Service | bpinetd.exe | Y | The NetBackup backup client. |
| Apache Tomcat | tomcat5.exe | Y | This is the Apache Tomcat JSP/Java web services server. If this server is running on your computer, then you should know about it. |
| Steganos Live Encryption Engine (Version 401) [Service] | SLEE401.exe | Y | This is part of the Steganos Security Suite and is involved in handling real-time encryption. |
| OfficeScanNT RealTime Scan | ntrtscan.exe | Y | Part of the Trend Micro OfficeScan product. Should not be disabled. |
| Apache | apache.exe | Y | This is the Apache Web Server. If this is running on your machine, you should know about it. |
| MySql | mysqld-nt.exe | Y | The open source MySQL database for Windows XP/NT/2000/2003. This can be installed as a standalone product or bundled with other products such as EasyPHP. May be installed in different directories than the one shown here. Typically, if this is installed, you should know it's installed. |
| MySql | mysqld.exe | Y | The open source MySQL database for Windows 95/98/ME. This can be installed as a standalone product or bundled with other products such as EasyPHP. May be installed in different directories than the one shown here. Typically, if this is installed, you should know it's installed. |
| avast! Web Scanner | Ashwebsv.exe | Y | Avast! antivirus |
| kavsvc | kavsvc.exe | Y | Kaspersky antivirus |
| NDIS TCP Layer Transport Device | servenxpp.exe | X | This service is added by the W32/Forbot-GP worm using this file; its display name is NDIS Adapter. |
| Restoreds | windrives.exe | X | A new service added by the W32/Agobot-RB worm/IRC backdoor; its display name is Systems Backups. |
| Kern32 | telcmd.exe | X | A new service added by the Troj/Agent-CP trojan, with a display name of Manageer Network Connections. |
| Hardware Clock Driver | HWCLOCK.EXE | X | Added by the W32/Hwbot-A worm/IRC backdoor as a new service; its service name is Hwclock. |
| Webservice | svchost.exe | X | Added as a new service by the Troj/Feutel-B trojan, using the same display name. |
| Event Locator | ctst.exe | X | Added as a service by the W32/Forbot-DJ worm. |
| LMMng | mewlow.sys | X | The Troj/Haxdoor-Q trojan/backdoor creates this file and a service with a service name of mewlow. |
| MemDRV | vdnt32.sys | X | |
| memlow | vtd_16.exe | X | The Troj/Haxdoor-AE trojan sets up this service name; its display name is LMMngr. |
| ISEXEng | angelex.exe | X | This file is associated with adware. It is known to download and install other spyware and adware onto your computer. This service should definitely be stopped and disabled. |
| ZESOFT | zeta.exe | X | This file is associated with adware. It is known to download and install other spyware and adware onto your computer. This service should definitely be stopped and disabled. |