| Name | Filename | Status | Description |
|---|---|---|---|
| cfg | cfg.exe | X | Added by the W32/Bdoor-ZAR backdoor worm. |
| Windows_Help_Server | lasas.exe | X | Added by the Troj/Delf-JQ trojan downloader. This infection also logs your keystrokes. |
| System Startup Service | svcproc.exe | X | This infection is identified as Trojan.Win32.Stervis.b. It is usually bundled with nail.exe, an Abetterinternet adware variant. It is notoriously difficult to remove and is usually bundled with other malware that is hard to remove as well. One method we have found that is able to remove this infection and the other malware bundled with it is the ewido security suite, which you can download and try for free. |
| EthernetService | tcpcheck.exe | X | Added by the Troj/Vbbot-B trojan, which installs a service called EthernetService and also uses that display name. |
| zzzxSYSTEM_32 | zzzxt2ve.exe | X | Added by the W32/Oddbot-D worm. |
| Windows Security Update | secupd.exe | X | Added by the Troj/Sepuc-B trojan, which installs a service with both the service name and display name being Windows Security Update. |
| Microsoft Java Virtual Machine | msjavarxp.exe | X | Added by W32/Forbot-DL, using the service name Norton Anti-hacker. |
| wmon | jusched.exe | X | Added by the W32/Agobot-OW worm/IRC backdoor trojan, using a new service name called wsaconfig. |
| Microsoft Windows Registry Updater | wreg.exe | X | Added by the W32/Forbot-DN worm/IRC backdoor trojan, which creates a new service called wreg. |
| eProxy | [random] | X | Added as a new service by the Troj/Daemoni-AL trojan, using a display name of Microsoft Security Subsystem Provider. |
| Smart Card Client | SCardClnt.exe | X | Added as a new service by the W32/Codbot-K worm/IRC backdoor, using SCardClnt as a service name. |
| servisec | servisec.exe | X | Added as a new service by the Troj/Xrat-B trojan, using the same name as its display name. |
| svhost System | svhost.exe | X | Added as a new service by the Troj/Xrat-A trojan, using a service name of svhost. |
| SmartLinkService | slserv.exe | U | Associated with the SmartLink modem; used to show a tray icon that gives connection information. |
| Netropa NHK Server | Nhksrv.exe | N | This program is installed on certain Dell and Compaq computers. It is used to disable any configured hotkeys while the screensaver is running. |
| Ulead Systems | ULCDRSvr.exe | X | Added by W32/Codbot-H as a service, with a display name of Ulead Systems System Files on Windows NT/2000/XP versions. |
| Win32SysV | xin.exe | X | Added by W32/Forbot-EO, which uses both a registry Run key and a service to start up. |
| updater | wisvc.exe | X | Added by Troj/Orse-A, which also creates a service using the same name, with a display name of Windows update Service. |
| pnpsvc | svchost.exe -k netsvcs | X | Added by Troj/StartPa-FP as a new service, using "Plug and Play svc service" as a display name. |
| SCVHOST | SCVHOST | X | Added by the Troj/Feutel-D trojan as a new service, using the same name as its display name. |
| RAT X Control | xflash.exe | X | |
| arsch | nets.exe | X | Added by W32/Forbot-EL; its display name is "Indexing Provider". |
| Network Devices Controller | [unknown filename] | X | Added by the Backdoor.Alnica backdoor. Listens on port 6667 awaiting a remote connection. |
| Rio MSC Manager | RioMSC.exe | U | Used by the RIO MP3 player to organize and copy music to your MP3 player. |
| Compuware Distributed Analyzer Service | NCS.exe | Y | |
| Compuware Distributed Analyzer Service | DASVCNT.exe | Y | |
| ArcGIS License Manager | lmgrd.exe | Y | Part of the Macrovision FLEXlm software. This software is installed as part of the licensing of the ArcGIS software. |
| Atheros Configuration Service | acs.exe | Y | Part of the Atheros 802.11b/g WiFi connectivity driver. |
| BrSplService | brsvc01a.exe | Y | This file is an integral part of the Brother printer driver. Disabling this service will disable communication between your computer and the printer. |
| Brother Popup Suspend service for Resource manager | Brmfrmps.exe | ? | Related to the Brother printer software. Is this necessary to run automatically? |
| SecuROM User Access Service (V7) | UAService7.exe | Y | Used by virtual CD programs like Alcohol to access CD images protected by SecuROM. |
| wtaskbarmngr | taskbarmngr.exe | X | Added by W32/Rbot-ZO as a new service with a display name of Windows Taskbar Manager. |
| Gray_Pigeon_Server | G_Server.exe | X | Added as a new service by the Troj/Feutel-C trojan. |
| ACCRA | Mocih.exe | X | Added as a new service by the Troj/Chimo-B trojan, with a display name of Trace network connections. |
| winmdgr | winsvcmgr.exe | X | Added as a new service by the W32/Sdbot-WQ worm/IRC backdoor; it uses a display name of Microsoft Service Manager. |
| Symantec AntiVirus Client | rtvscan.exe | Y | This is the real-time component of the Symantec antivirus protection program. This program should not be disabled, as you will no longer have real-time virus protection. |
| AOL TopSpeed Monitor | aoltsmon.exe | Y | This program is used by AOL's web acceleration technology, which supposedly helps to make web browsing faster. This is most important for those users who still access AOL via dial-up. |
| McAfee.com VirusScan Online Realtime Engine | mcvsrte.exe | Y | Associated with McAfee's Internet Security suite. This is the real-time scanning engine and should not be disabled! |
| McAfee SecurityCenter Update Manager | mcupdmgr.exe | Y | Associated with McAfee's Internet Security suite. May control the updating of the program. |
| McAfee.com McShield | mcshield.exe | Y | Associated with McAfee's Internet Security suite. |
| StyleXPService | StyleXPService.exe | Y | "How sleek is your desktop? Style XP unleashes the full potential of your Windows XP desktop by allowing you to download and install XP themes." |
| DameWare NT Utilities 2.6 | DNTUS26.EXE | U | DameWare NT Utilities program that allows remote access and control of a computer. This is a common program for hackers to install on a computer, so if it is installed and you did not install it, it should be removed. |
| NetBackup Client Service | bpinetd.exe | Y | The NetBackup backup client. |
| Apache Tomcat | tomcat5.exe | Y | This is the Apache Tomcat JSP/Java web service. If this server is running on your computer, then you should know about it. |
| Steganos Live Encryption Engine (Version 401) [Service] | SLEE401.exe | Y | This is part of the Steganos Security Suite and is involved in handling real-time encryption. |
| OfficeScanNT RealTime Scan | ntrtscan.exe | Y | Part of the Trend Micro OfficeScan product. Should not be disabled. |
| Apache | apache.exe | Y | This is the Apache Web Server. If this is running on your machine, you should know about it. |
| MySql | mysqld-nt.exe | Y | The open source MySQL database for Windows XP/NT/2000/2003. This can be installed as a standalone product or bundled with other products such as EasyPHP. May be installed in different directories than the one shown here. Typically, if this is installed, you should know it's installed. |
| MySql | mysqld.exe | Y | The open source MySQL database for Windows 95/98/ME. This can be installed as a standalone product or bundled with other products such as EasyPHP. May be installed in different directories than the one shown here. Typically, if this is installed, you should know it's installed. |
| avast! Web Scanner | Ashwebsv.exe | Y | |
| kavsvc | kavsvc.exe | Y | |
| NDIS TCP Layer Transport Device | servenxpp.exe | X | The service is added by the W32/Forbot-GP worm using this file; its display name is NDIS Adapter. |
| Restoreds | windrives.exe | X | A new service added by the W32/Agobot-RB worm/IRC backdoor; its display name is Systems Backups. |
| Kern32 | telcmd.exe | X | A new service added by the Troj/Agent-CP trojan, with a display name of Manageer Network Connections. |
| Hardware Clock Driver | HWCLOCK.EXE | X | Added by the W32/Hwbot-A worm/IRC backdoor as a new service; its service name is Hwclock. |
| Webservice | svchost.exe | X | Added as a new service by the Troj/Feutel-B trojan, using the same display name. |
| Event Locator | ctst.exe | X | Added as a service by the W32/Forbot-DJ worm. |
| LMMng | mewlow.sys | X | The Troj/Haxdoor-Q trojan/backdoor creates this file and a service with a service name of mewlow. |
| MemDRV | vdnt32.sys | X | |
| memlow | vtd_16.exe | X | The Troj/Haxdoor-AE trojan sets up this service name; its display name is LMMngr. |
| ISEXEng | angelex.exe | X | This file is associated with adware. It is known to download and install other spyware and adware onto your computer. This service should definitely be stopped and disabled. |
| ZESOFT | zeta.exe | X | This file is associated with adware. It is known to download and install other spyware and adware onto your computer. This service should definitely be stopped and disabled. |
| Ulead Burning Helper | ULCDRSvr.exe | Y | This program is part of the Ulead DVD Workshop, and may be bundled with other products from this company. It should be left alone in order to guarantee the stable operation of these products. |
| SymWMI Service | SymWSC.exe | Y | Installed by Norton Internet Security Center. This program is essential to the operation of that product when it is installed on your computer. Disabling this service may affect Internet access. |
| Sony SPTI Service | Sptisrv.exe | N | Legitimate service from Sony. Possibly for video on demand from Sony Pictures Television International (SPTI). |
| PACSPTISVR | Pacsptisvr.exe | ? | Legitimate Sony service. Its purpose is unknown. |
| Norton AntiVirus Auto Protect Service | navapsvc.exe | Y | This service is used by Norton Antivirus to run in the background, detect files that are infected with malware, and stop them from running. This is an essential service and should not be stopped. |
| LexBce Server | LEXBCES.EXE | Y | This is installed by Lexmark printers, and some Dell printers which are made by Lexmark, to configure the onboard network print server. Disabling this service will prevent the print spooler service from starting, which effectively disables printing on your computer. This can be fixed by removing the LexBceS dependency. To remove the dependency, use the following command and then start the print spooler service: `sc config spooler depend= RPCSS` Note: the space after `depend=` is necessary. |
| Crypkey License | crypserv.exe | Y | Used by certain software as copy protection. This should be left running, otherwise the program that utilizes it may not work. |
| Symantec Password Validation Service | ccPwdSvc.exe | Y | Used by Symantec products 2003/2004, possibly to allow certain users Internet access. |
| Offices | msnmgd32.exe | X | |
| RVS CAPI | rvs_cent.exe | ? | RVCS_CENT is used by certain Internet Providers in Germany for ISDN and DSL connections. |
| Win32 | sys32.exe | X | A service created by W32/Forbot-FX with a display name of "System Net". It allows remote attack via IRC channel, deletion of files, modification of data and termination of processes. |
| Windows ExplorerTM | servinfo.exe | X | A service initiated by W32/Forbot-EN, with a display name of "Windows Server Information" on NT systems. |
| msiishlp | MSIISHLP.EXE | X | A service added by the Troj/Bdoor-GML trojan/backdoor; its display name is "Microsoft IIS helper". |
| Wut Nigga | syswork.exe | X | A service created by W32/Forbot-FZ and bearing the display name of Working System Analyzer. |
| Connection Reset | webadmin.exe | X | A new service set by W32/Forbot-FY with a display name of "Website Administrator Info". |
| Distributed Link Tracking Extensions | kernel32dll.exe | X | Added by the W32/Myfip-I worm, also with a service display name of "Distributed Link Tracking Extensions". |
| WLTRYSVC | WLTRYSVC.EXE | Y | Part of the Broadcom Corporation Wireless Network Tray Applet, which allows you to change and see settings for the hardware. |
| IEXPLORER-Drivers | windns.exe | X | A service created by the W32/Forbot-EP worm, and run using the display name of "Windows Domain Name Drivers". |
| DirectX DLL Register Support Service | DXDLLSVC.EXE | X | Added by W32/Codbot-I, a worm/IRC backdoor trojan. |
| Working System Analyzer | syswork.exe | X | This is an SDBot variant infection. These types of infections are backdoor trojans. It also creates Run registry entries to start this file. |
| RPC+ Service Provider | rpcss_pl.exe | X | This is an unknown malware. This malware makes the legitimate RPCSS service depend on it, so that if you shut it down your computer will become unstable. To remove the dependency on the RPCSS service, click on Start, then Run, type cmd and press Enter. Then type the following in the cmd prompt: `sc config rpcss depend= ""` Note: there must be a space after `depend=`. Note 2: to remove this file you must killbox %system%\rpcss_pl.exe |
| Activating the notepad common used library | [unknown] | X | Added by W32/Codbot-G, a worm/backdoor. |
| Workstation Manager | wm.exe | Y | Part of the Novell Windows client. Found in the C:\Program Files\Novell\ZENworks folder. |
| spkrmon | spkrmon.exe | ? | SoundMAX SpeakerMonitor service. |
| Novell ZfD Remote Management | ZenRem32.exe | Y | Part of the Novell Windows client. It has a service name of Remote Management Agent and is found in the C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent folder. |
| Novell ZfD Wake on LAN Status Agent | WolSerNT.exe | Y | Part of the Novell Windows Client. The service name is Prometheus Wake-On-LAN Status Agent. It is found in the C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent folder. |
| Novell Application Launcher | nalntsrv.exe | Y | Part of the Novell client for Windows. Found in the C:\Program Files\Novell\ZENworks folder. |
| Client Update Service for Novell | cusrvc.exe | Y | Part of the Novell Client for Windows and is used to keep the client up to date. It has a service name of cusrvc and is found in the Windows system folder. |
| Sub Connections | shmyga.exe | X | Added by an unknown Trojan Downloader. It installs itself as a service with a service name of Pro. Shmyga.exe is located in the Windows system folder. When executed, it downloads zalupen.exe from a website, which then copies two files, serve.exe and serve.dll, to the Windows system folder and starts serve.exe. Serve.exe listens on port 80 and UDP port 53 and appears to be a backdoor. |
| Working Network Connections | hicom.exe | X | Added by the Trojan.Chimo.A Trojan. This file is installed as a service with the service name TY164. The file is found in the Windows system folder. |
| Alerter | alrsvc.dll | Y | This service is used to notify selected computers and users of alerts from programs. This service is started by svchost.exe. |
| Adobe LM Service | Adobelmsvc.exe | Y | This is Adobe's license management service, which is used to make sure you are not using a pirated copy of their software. It does this by examining the hardware on your computer and asking you to reregister if this changes. This cannot be disabled, as it will re-enable when you use one of their products. |
| Wireless Zero Daemon | wzdsvc.exe | X | Added by the W32/Codbot-E worm. This service loads in safe mode to make it more difficult to remove. |
| Remote Packet Capture Protocol v.0 (experimental) | rpcapd.exe | Y | Service name is rpcapd. "WinPcap is an open source library for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.6.2)." |
| iPod Service | iPodService.exe | N | This service is used by iTunes for using your iPod. If you do not use iTunes, you can disable this service. |
| ATI Smart | ati2sgag.exe | Y | This Windows service is used at system boot up to check for system compatibility and stability issues for ATI video cards. Also responsible for setting the AGP settings the video card will use. Unless this is causing a problem, we recommend you leave this set as automatic. |
| Symantec Core LC | symlcsvc.exe | Y | Part of Norton AntiVirus 2004. What does it do? |
| Symantec Network Drivers Service | SNDSRVC.EXE | U | Part of Norton Personal Firewall and Norton Internet Security. Sndsrvc.exe is the module controlling the send scan for outbound email if the option is selected to integrate into the mail client. It is not necessary if you do not scan outbound email. |