| X | NeuerSchild | pgs.exe | "NeuerSchild |
| X | ntldr | ntldr.exe | "Browser hijacker re-directing to search-control.com. In addition to the registry changes found by HijackThis it also creates the following system files: %System%\ntldr.exe |
| X | NvCplD | m2gr32.exe | """Switch"" premium rate adult content dialler variant"
|
| X | NvCplD | ntcpl.exe | """Switch"" premium rate adult content dialler variant"
|
| U | NvCplDaemon | "RUNDLL32.EXE NvQTwk | NvCplDaemon" |
| U | NvCplDaemon | "RUNDLL32.EXE NvCpl.dll | NvStartup" |
| X | NvCplDaemon | msmsgrs.exe | "Added by the DLOADER-YI TROJAN!"
|
| X | NvCplDaemon | Xplorer.exe | "Added by the ORBINA-A WORM!"
|
| X | NvCplDaemon32 | anvshell32.exe | "Added by the VB-XU TROJAN!"
|
| X | NvCplDeamon | nvdisp.exe | "Added by the PEEPVIE-I TROJAN!"
|
| X | NvCplDmn | NAVSVC.EXE | "Added by an unidentified VIRUS |
| X | NvXplDeamon | xstyles.exe | Added by the SMALL.AJ VIRUS!
|
| X | oddworldz.exe | oddworldz.exe | "Added by the MULTIDR-EG TROJAN!"
|
| X | OpenGL Drivers | 0penGLD.exe | "Added by the YIMP-A WORM!"
|
| X | PCShield | regsvr32 sfg_****.dll [* = random char] | "SafeguardProtect/Veevo hijacker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The random DLL file is found in %System%"
|
| X | PCTotalDefender | pgs.exe | "PCTotalDefender rogue security software - not recommended. A member of the AVSystemCare family"
|
| ? | PreloadApp | hphprld.exe | "HP PhotoSmart printers related. What does it do and is it required?"
|
| X | ProtectSoldier | ProtectSoldier.exe | "ProtectSoldier rogue security software - not recommended |
| X | ProtocolDiskChk | ssrms.exe | "Added by the BDOOR-ML BACKDOOR!"
|
| X | ProtocolDiskChk | svcvlw32.exe | "Added by the STINX-Y TROJAN!"
|
| N | QuikShield | qkshield.exe | "QuikShield popup blocker - reportedly stealth installed |
| N | RealDownload | RealPlay.exe | Download manager. Available via Start -> Programs
|
| X | RealDownload Express | npnzdad.exe | Advertising spyware
|
| X | RNBc Test | bvldv32.exe | "Added by the RBOT-AJF WORM!"
|
| X | run= | fntldr.exe | "CoolWebSearch Tapicfg parasite variant"
|
| U | Safeworld | Freedom.exe | SafeWorld Internet Security - now no longer available
|
| X | SaveSoldier | SaveSoldier.exe | "SaveSoldier rogue security software - not recommended |
| X | ScrSvrOld | [worm filename] | "Added by the OPASERV WORM!"
|
| X | SecuritySoldier | SecuritySoldier.exe | "SecuritySoldier rogue security software - not recommended |
| N | setup | hphprld.exe ....setup.exe | HP DeskJet Setup - printers function normally without it
|
| X | shell32 | ntldrt.exe | "Added by the JLOK-A WORM!"
|
| X | Shelldaemon | Shelldaemon.exe | Added by a variant of the AGENT.ALN TROJAN!
|
| X | Shield Security | shield.exe | "Added by the RIZO.A TROJAN!"
|
| X | Shield32 Security | shield32.exe | "Added by the RIZO.A TROJAN!"
|
| X | ShieldSafeness | ShieldSafeness.exe | "ShieldSafeness rogue security software - not recommended |
| X | SoftSoldier | SoftSoldier.exe | "SoftSoldier rogue security software - not recommended |
| X | SoftStronghold | SoftStronghold.exe | "SoftStronghold rogue security software - not recommended |
| U | Speaking Clock Deluxe | SpClDlx.exe | "Speaking Clock Deluxe - turns your computer into a speaking clock with several languages. It can also keep track of up to 50 alarms that can be set to a time and a date |
| X | spysoldier | spysoldier.exe | "SpySoldier rogue spyware remover - not recommended |
| U | SpyWare Shield | Shield.exe | "Acronis Privacy Expert Spyware Shield prevents spyware and other suspicious programs from being installed on PCs"
|
| Y | SpywareTerminator | SpywareTerminatorShield.exe | "Spyware Terminator's real-time protection. Initially not recommended due to false positives but the later versions have since improved - see here"
|
| X | Srv32Old | [worm filename].PIF | "Added by the OPASERV.J WORM!"
|
| X | SSLDyn | SSLDyn.exE | "FRETHOG.MM spyware"
|
| N | Streamload Downloader | SlDB.exe | "Downloader for MediaMax (was Streamload) - ""gives you a private and secure place to upload |
| X | syncman | wuaucldt.exe | "Added by the NAMSYS-A TROJAN!"
|
| X | sysclx | ntldrt.exe | "Added by the JLOK-A WORM!"
|
| X | sysldtray | ld02.exe | "Added by the KOOBFACE.BG WORM!"
|
| X | sysldtray | ld03.exe | "Added by the KOOBFACE.CA WORM!"
|
| X | sysldtray | ld11.exe | "Added by the KOOBFACE.JG WORM!"
|
| X | sysLDtray | ld08.exe | "Added by the AGENT-JSV TROJAN!"
|
| X | sysldtray | ld09.exe | "Added by the AGENT-KFI TROJAN!"
|
| X | sysldtray | ld10.exe | "Added by the FAKEAV-UD TROJAN!"
|
| X | sysldtray | ld12.exe | "Added by the KOOBFACE.V WORM!"
|
| X | sysldtray | ld01.exe | "Added by the KOOBFACE.I WORM!"
|
| X | sysldtray | ld15.exe | "Added by the AGENT-LNH TROJAN!"
|
| X | sysldtray | ld04.exe | "Added by the KOOBFACE WORM!"
|
| X | sysldtray | ld06.exe | "Added by the KOOBFACE WORM!"
|
| X | sysldtray | ld07.exe | "Added by the KOOBFACE WORM!"
|
| X | sysldtray | ld14.exe | "Added by the VIRUT.CE VIRUS!"
|
| X | sysldtray | ld16.exe | "Added by the AGENT-MMO TROJAN!"
|
| X | SystemLoader | sysldr32.exe | "Added by the DOWNLDR-NS TROJAN!"
|
| U | TPP Auto Loader | Tppaldr.exe | "Installed with DataStor's (and some other manufacturers) USB 2.0 based external DVD |
| U | Tray Folder | Tray Folder.exe | "Tray Folder by Titlebar Software - creates a hidden folder that is only normally accessible by double-clicking on a System Tray icon that shows the current date. You can also hide files and other folders in that hidden folder. The originator's website is no longer available but you can still download it here"
|
| U | TrayFolder | Tray Folder.exe | "Tray Folder by Titlebar Software - creates a hidden folder that is only normally accessible by double-clicking on a System Tray icon that shows the current date. You can also hide files and other folders in that hidden folder. The originator's website is no longer available but you can still download it here"
|
| X | Trojan Guarder Gold Version | Trojan Guarder.exe | "TrojanGuarder rogue security software - not recommended"
|
| U | TrojanShield | Init.exe | "TrojanShield"
|
| U | TrojanShield Protector | Port.exe | "TrojanShield anti-hacker/anti-trojan software"
|
| X | TrustSoldier | TrustSoldier.exe | "TrustSoldier rogue security software - not recommended |
| X | ttool | essldev.exe | "Added by the AGENT-LWB TROJAN!"
|
| Y | umxldra | umxldra.exe | "User mode executive module DLL loader - part of Tiny Personal Firewall V4"
|
| Y | UMXLDRW | UMXLDRW.exe | "Tiny Personal Firewall (pre V4)"
|
| X | unldr16 | unldr16.exe | "Added by a variant of the CRYPTER.C TROJAN!"
|
| X | unldr32 | unldr32.exe | "Added by a variant of the CRYPTER.C TROJAN!"
|
| U | V.92 Modem On Hold | Ltmoh.exe | Modem On Hold utility - manages incoming/outgoing voice calls on a single phone line while being connected to the internet
|
| U | Virtual Dimension | VirtualDimension.exe | "Virtual Dimension by Typz - ""a free |
| U | VirtualDimension.exe | VirtualDimension.exe | "Virtual Dimension by Typz - ""a free |
| N | VirtualDrive | VDTask.exe | "VirtualDrive from Farstone - virtual CD/DVD drive emulator. Available via Start → Programs"
|
| X | Virus Shield 2009 | VShield.exe | "Virus Shield 2009 rogue security software - not recommended |
| Y | VirusScan Online | mcvsshld.exe | "ActiveShield - background scanner for older versions of McAfee VirusScan and the now obsolete McAfee VirusScan Online which scans files in the background as and when they are accessed |
| N | vTPass | vtpassld.exe | "Part of vTrails - a live media delivery solution. vTPass is the driver enabling the system to work. If unavailable via Start -> Programs |
| U | WashAndGo - Cleanup of old Backupfiles | checker.exe | "WashAndGo - temp file cleaner"
|
| N | WebCallDirect | WebCallDirect.exe | "WebCallDirect - free internet telephony utility using the VoIP (Voice over Internet Protocol). Call online friends for free and regular phones either for free (limited use) or low rates. One of a number provided by Betamax - the others generally have different rate plans. Similar to the more popular Skype"
|
| N | Webposition Gold 2 | wpsche~1.exe | "Scheduler for Web Position Gold - utility to help optimize the position of web-sites in search engines"
|
| X | WebSpyShield | WebSpyShield.exe | "WebSpyShield rogue security software - not recommended"
|
| X | WildFlics | WildFlics.exe | "Direct-B premium rate adult content dialler"
|
| ? | WildTangent CDA | "RUNDLL32.exe cdaEngine0400.dll | cdaEngineMain" |
| U | WildTangent Web Driver updater | wcmdmgrl.exe | "Web Driver delivery system for WildTangent on-line games. Periodically checks for updates - can be disabled within the programs control panel. Note that WildTanget's privacy policy used to state that they also collect and share individuals information but this is no longer the case"
|
| N | Wildwire Monitor | WWMon.exe | This places a status icon on the taskbar for the DSL WildWire Tiger Modem. This is also a shortcut to the diagnostics utility for the DSL modem
|
| X | Win Patch | ntldr.exe | "Added by the SDBOT-GS WORM!"
|
| X | Win32 Device Loader | Win32ldr.exe | "Added by a variant of the AGOBOT/GAOBOT WORM!"
|
| X | WinDLL (dlfksdld.exe) | "rundll32.exe dlfksdld.exe | start" |
| X | WinDLL (wchshield.exe) | "rundll32.exe wchshield.exe | start" |
| X | Windowfdgfds DLL fgfdg Verifier | Windowsdldfglcheckkk.exe | "Added by the RBOT.CSP WORM!"
|
| X | Windows applications server | SysShield.exe | "Added by the unregistered version of Personal Anti Malware rogue security software - not recommended |
| X | Windows Automatic Updates | dvldr.exe | "Added by the RBOT.MF WORM!"
|
| X | Windows Explorer Update Build 1142 | EXPLORER32.EXE | "Added by the KaZaA based KWBOT or KWBOT.Y WORMS!"
|
| X | Windows Login Folder | winzep.exe | "Added by the AGOBOT-TZ WORM!"
|
| X | WINDOWSflashbrg | sqldata1.exe | "Added by a variant of the AGENT-IC TROJAN!"
|
| N | WindowsWelcomeCenter | "rundll32.exe oobefldr.dll | ShowWelcomeCenter" |
| X | WiniShield | WiniShield.exe | "WiniShield rogue security software - not recommended |
| X | winldr | [path to file] | "Added by the VIDLO-P TROJAN!"
|
| X | winldr | Rechnung.pdf.exe | "Added by the ACS TROJAN!"
|
| X | WorldAntiSpy | worldantispy.exe | "WorldAntiSpy rogue spyware remover - not recommended |
| U | WorldTime.exe | WorldTime.exe | "Part of AnyTime Organizer Deluxe from Individual Software Inc - ""Check the time anywhere in the world and know when to communicate. Place up to twelve clocks on your desktop"""
|
| X | Wsecurity | ldanw32.exe | "Added by the AGENT-BUC TROJAN!"
|
| U | WSEP Status+Configuration | controldGUI.exe | "User interface for the WatchGuard Security Event Processor (WSEP) Status/Configuration dialog box associated with the Firebox series of security products from Watchguard"
|
| U | xbtl | bootldr.exe | "Active Keylogger keystroke logger/monitoring program - remove unless you installed it yourself!"
|
| X | XPShield | XP-Shield.exe | "XP-Shield rogue security software - not recommended |
| X | [Randomly chosen existing folder name] | _autorun.exe | "Added by the ANTINNY-L WORM!"
|
| X | [Randomly chosen existing folder name] | _cfg.exe | "Added by the ANTINNY-L WORM!"
|
| X | [Randomly chosen existing folder name] | _config.exe | "Added by the ANTINNY-L WORM!"
|
| X | [Randomly chosen existing folder name] | _env.exe | "Added by the ANTINNY-L WORM!"
|
| X | [Randomly chosen existing folder name] | _loader.exe | "Added by the ANTINNY-L WORM!"
|
| X | [Randomly chosen existing folder name] | _login.exe | "Added by the ANTINNY-L WORM!"
|
| X | [Randomly chosen existing folder name] | _setup.exe | "Added by the ANTINNY-L WORM!"
|
| X | [Randomly chosen existing folder name] | _start.exe | "Added by the ANTINNY-L WORM!"
|
