Greatis Startup Application Database - Dangerous

The Application Database suggests you which Windows startup programs are usefual and which are bad.
The recommended tool for quickly removing the useless programs is RegRun Startup Optimizer.
www.startupapps.com

Purchase RegRun Suite

Download RegRun Suite

RegRun > Greatis Startup Application Database > Dangerous > S

s.exe
s3msong.exe
saddam.exe
sahagent.exe
salope trojan.exe
sample1.exe
sample2.exe
save.exe
scam32.exe
scandiskc.exe
scandiskvr.exe
scandiskwr.exe
scanirc.exe
scanregw..exe
scanrev.exe
scchost.exe
scfg.exe
scfg216.exe
schedagnt.exe
scheduler.exe
schost.exe
scmx32.exe
scrsvr.exe
scvhost.exe
sear1.exe
searchurl.exe
seclypseserver1.exe
seclypseserver2.exe
secretservice_14.exe
secretservice_client.exe
secretservice_installer.exe
secsrvrc.exe
secure2.bat
securitychk.exe
securpatch.exe
seicho-no-ie.exe
self extract.exe
serv.exe
server(beta).exe
server_setup.exe
server06041.exe
server1.2.exe
server1.3.exe
server1.4.exe
server1.5.exe
server1.53.exe
server14.exe
serverc.exe
servers.exe
service.exe
service5.exe
services.exe
servicess.exe
servidor.exe
servidor2.exe
sesam102.exe
sesamectrl.exe
sesamesys.exe
seti@home_twk.exe
seti_patch.exe
setup_.exe
setup30.exe
setuptrojan.exe
sex.exe
sexec.exe
sexxxymovie.mpeg.exe
sg.scr
shadow.exe
shadowrem.exe
shareall.exe
sheep.exe
shel.exe
shell.exe
shell32.exe
shell32.vbs
shit heep.exe
shlhmp.exe
shockrave.exe
sickboy.exe
silencer.exe
silver.exe
sistem.exe
ska.exe
skd.exe
skynetave.exe
slave.exe
slmss.exe
slserv32.exe
sm tgui.exe
smallserver.exe
smile.exe
smileys.exe
sndloader.exe
sndvol.exe
snipernet 21.exe
snipernet.exe
sochost.exe
sockets.exe
sockets23.exe
softwar.exe
softwarst.exe
soundv.exe
south park.exe
sp.dll
sp_client.exe
spirit1.2.exe
spoler.exe
spoof.exe
spool64.exe
spoolos.exe
spoolsc.exe
spoolserv.exe
spoolsrv.exe
spy.exe
spyserv1.exe
spyserver.exe
srng.exe
srv.exe
srv167.exe
srver.exe
srvreg.exe
ssetup.exe
ssfs.exe
ssfsfull.exe
ssftpsvr.exe
ssiwg.exe
sstrojg.exe
st5unst.exe
stat.exe
status.exe
stcloader.exe
stealthxp.exe
studio54.exe
stukst.exe
subseven.exe
subzero.exe
sucatreg.exe
svchos1.exe
svchost.com
svchost32.exe
svchsst.exe
svdhost32.exe
svhost.exe
svhst.exe
swcaller2.exe
swchost.exe
swizard.exe
symav.exe
syphillis.exe
sys.exe
sys_alert.exe
sys01.exe
sysbat.exe
syscfg32.exe
syscheck.exe
syschk.exe
syscpy.exe
sysdll.exe
sysdrv.exe
sysexplor.exe
sysexplr.exe
syshelp.exe
sysid.exe
sysinfo.exe
sysload32.exe
sysman32.exe
sysmcm.exe
sysmgr.exe
sysmon.exe
sysmonxp.exe
sysmsg332.exe
sysprot.exe
sysreg.exe
sysrnj.exe
sysset.exe
syst.exe
systask32l.exe
system!.exe
system.exe
system.sys
system32.exe
system32driver32.exe
system32ex.exe
system7.bat
systemcfg.exe
systemconf98i.exe
systemio.exe
systempatch.exe
systemtr.exe
systrey.exe
systrj.exe
syswindow.exe
sysz.exe
szchost.exe

s.exe

Worm / Mail trojan
Uses several different names to name the attachement, which can be mailed by either Netscape Mail, MS Outlook or MSOutlook Express.

s3msong.exe

Worm / File virus
Alters Win.ini. "Between midnight and 2.00am on Wednesdays the worm attempts to display an animated graphic of Adolf Hitler shooting himself in the head." (Sophos)

saddam.exe

Worm / Mail trojan
Uses several different names to name the attachement, which can be mailed by either Netscape Mail, MS Outlook or MSOutlook Express.

sahagent.exe

Spyware.
It redirects users its advertising sites in order to take the
affiliate fees.
Read more:
http://www.pestpatrol.com/PestInfo/s/sah...
We suggest you do not delete SahAgent.exe and its files.
In Control Panel's Add/Remove Programs, find 'ShopAtHomeSelect Agent'.
Use it to remove the software. Reboot.
Once you have uninstalled via Add/Remove programs, you can delete the
damaged '{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}' entry inside your
'Downloaded Program Files' folder, the 'SAHUninstall.exe' file in the 'Windows'
folder and 'SahAgent.log' in the root of the C: drive to clean up.

salope trojan.exe

Remote Access / Steals passwords
The client also drops a server! The hacker could choose to log passwords only or all text written. One of the functions is to kill antivirus software.

sample1.exe

Remote Access / Keylogger

sample2.exe

Remote Access / Keylogger

save.exe

Advertising Spyware. Stealth advertising components that are installed
by some "shareware" products (and sometimes, legitimately purchased
commercial software) and may collect personal information from your
computer. These "adbots" are usually tied to a dodgy shareware program
you have installed.
Looks like you have installed this software with music player.
Try to stop it.
More info:
http://www.cexx.org/adware.htm

scam32.exe

Status: this is trojan W32/SirCam
Read more details:
http://vil.mcafee.com/dispVirus.asp?viru...
Recommendation: kill it.

scandiskc.exe

Remote Access / ICQ trojan
Alters Win.ini.

scandiskvr.exe

Remote Access / ICQ trojan
Alters Win.ini.

scandiskwr.exe

Remote Access / ICQ trojan
Alters Win.ini.

scanirc.exe

Remote Access / Steals passwords
The client also drops a server! The hacker could choose to log passwords only or all text written. One of the functions is to kill antivirus software.

scanregw..exe

Remote Access
Alters Win.ini and System.ini.

scanrev.exe

Destructive trojan
Formats the hard drive.

scchost.exe

W32.HLLW.Donk is a worm that spreads through network shares, opening numerous TCP ports in the process.
Also has backdoor capabilities that give a hacker access to infected computer.
Also Known as Backdoor.SdBot.gen

Copies itself as %System%\Scchost.exe.

Adds the registry value: "Services Host"="Scchost.exe"
to the registry keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

If the filename of the worm is not scchost.exe, the program will kill itself and start scchost.exe as a service.

Attempts to spread using the following file shares:
Administrator
Guest
Owner

If a connection is made, the worm copies itself to the following folders:
Winnt\Profiles\All Users\Start Menu\Programs\Startup
Windows\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup

Connects to a specific IRC server and joins a specific channel to accept instructions from the hacker:
Flooding a specified host
Downloading a file from the hacker
Executing a file

Use RegRun Startup Optimizer to remove it from startup.

scfg.exe

Steals passwords
Gets the Dial Up Networking passwords via e-mail.

scfg216.exe

Steals passwords
Gets the Dial Up Networking passwords via e-mail.

schedagnt.exe

Steals passwords

scheduler.exe

W32/Agobot-LQ is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server.
May attempt to terminate anti-virus and other security-related processes.
May search for shared folders on the internet with weak passwords and copy itself into them.
A text file named HOSTS in C:\\drivers\etc\ may be created or overwritten with a list of anti-virus and other security-related websites, each bound to the IP loopback address of 127.0.0.1 which would effectively prevent access to these sites.

You can remove it with RegRun Startup Optimizer.

schost.exe

Gaobot Trojan.
Spreads in local network via open shares.
Also it uses DCOM RPC vulnerability (135,445 ports) and WebDav vulnerability (port 80).
Allows to control the victim computer by IRC.
Terminates well known antiviral software.
Removal:
install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set the strong passwords for network shares.
Use RegRun "Terminate" feature to erase the virus body files.
They are located in Windows\System32 folder.
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe

Free removal tool:
http://securityresponse.symantec.com/avc...

scmx32.exe

I-Worm.Sircam virus.
Kill it!

scrsvr.exe

Opaserv dangerous trojan. Alters registry Run and win.ini under Windows 9X.
Kill it!

scvhost.exe

sear1.exe

Advertising Spyware.
1. End process WINSERVS.
2. Remove it from startup.

searchurl.exe

Worm / File virus
Alters Win.ini. "Between midnight and 2.00am on Wednesdays the worm attempts to display an animated graphic of Adolf Hitler shooting himself in the head." (Sophos)

seclypseserver1.exe

FTP server

seclypseserver2.exe

FTP server

secretservice_14.exe

Remote Access

secretservice_client.exe

Remote Access

secretservice_installer.exe

Remote Access

secsrvrc.exe

Troj/SCKeyLog-G is spyware which runs background processes and allows activity to be monitored on remote systems.
Also, includes detection for the following components: VPASPScanner.exe; CGIScanner.exe; PHPScanner.exe
which represent a monitoring tool that captures users' activity, saves it to an encrypted logfile and periodically sends it to the hacker.
When executed the main component extracts a main executable and a dll file to the Windows system32 folder, installs a background service, changes the system registry and sends the notification email to the remote address.
Sets the value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "secsrvrc"=C:\\WINDOWS\\System32\\secsrvrc.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ win_spool2 ="C:\\WINDOWS\\System32\\win_spool2.exe"

Use RegRun Startup Optimizer to remove this spyware.

secure2.bat

Backdoor.IRC.Zcrew.C is a backdoor Trojan horse that may allow for the remote control of an infected system through IRC and FTP.
Allows unauthorized access to the infected machine.

When Backdoor.IRC.Zcrew.C is executed, it performs the following actions:
Creates the following files in the %System%\instsrv folder:
001.config; Configure; COPYING; cygregex.dll; cygwin1.dll; firedaemon.exe; foxdg.exe; hideapp.exe; ident.exe; inst.bat; iroffer.cron; KILL.EXE;
lrs.reg; Makefile.config; mybot.ignl; mybot.ignl.bkup; mybot.ignl.tmp; new.txt; README; rn.bat; secure1.bat; secure2.bat; startsecure.bat; test.bat; WHATSNEW

Creates the following nonmalicious files in the folder, %System%\instsrv\src:
admin.c; dccchat.c; defines.h; display.c; globals.h; headers.h; iroffer.c; iroffer.cron; misc.c; plugins.c; transfer.c; upload.c; utilities.c

Starts foxdg.exe, which is the Iroffer application, as a service process.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
amd delete the value: "Bat"="C:\winnt\system32\instsrv\secure2.bat"

Also you must delete the nonmalicious files:
Navigate to the %System%\instsrv and %System%\instsrv\src folders and delete any files.

securitychk.exe

W32.IRCBot.F is a backdoor Trojan horse that connects to an IRC server and waits for commands from an attacker.
Allows unauthorized remote access to an infected computer.
Deletes the shares from local drives.
Connects to the IRC server tehr8x.spbx.net using TCP port 6667.

Joins a predefined channel, using a random nickname, and waits for commands from the IRC server.
These commands can allow the attacker to:
- Manage the installation of the Trojan
- Control the IRC client on a compromised computer
- Update the installed Trojan
- Send the Trojan to other IRC channels
- Download and execute files
- Perform Denial of Service (DoS) attacks against a target, which the hacker defines
- Uninstall itself completely by removing the relevant registry entries
- Go to Web sites
- Copy itself to shared folders on other computers
- Steal license keys for predefined games
- Terminate processes

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

securpatch.exe

Remote Access / IRC trojan

seicho-no-ie.exe

Remote Access / Worm / Virus / Trojan dropper / Mail trojan / Downloading trojan
It tries to destroy up to eight different antivirus programs and makes it impossible to mail the AV company or visit its Web-site. Wsock32.dll is patched by the trojan. Whenever the user sends a mail, the trojan will mail another one to the same recipient with an attachment only. May be updated from the Internet.

self extract.exe

Remote Access / Steals passwords
The client also drops a server! The hacker could choose to log passwords only or all text written. One of the functions is to kill antivirus software.

serv.exe

Distributed DoS tool
Is able to connect to three computers and send 65000 bytes ICMP floods.

server(beta).exe

Remote Access / Steals passwords
Also has a function called ""Burn Monitor"". This option constantly resets the Screenresolution.

Remote Access / FTP server / CQ trojan
InCommand can bind (join or wrap) its server to any other .exe file, and can also add extra legth to it to avoid searches on specific file length. It uses selfinstalling plug-ins to add features to the trojan and can thousands of icons stored inside the EditServer file.

Remote Access / IP scanner
The trojan displays a fake message stating ""This file was corrupted"".

serverc.exe

Remote Access / AOL trojan

W32.HLLW.Gaobot.AG is a minor variant of W32.HLLW.Gaobot.AE.
It attempts to spread to network shares that have weak passwords and allows attackers to access an infected computer through an IRC channel.

Opens a randomly chosen TCP port to connect to the attacker.
Connects to a predefined IRC channel, using its own IRC client, and listens for the special commands from the attacker.
When the worm runs, it allows the attacker to remotely control a compromised computer, allowing him/her to perform any of the following actions:
1. Manage the installation of the worm
2. Dynamically update the installed worm
3. Download and execute files
4. Steal a compromised system's information
5. Send the worm to other IRC users
6. Add accounts for the hacker

Sends data to TCP port 135, which exploits the DCOM RPC vulnerability, or sends data to TCP port 445 to exploit the RPC locator vulnerability.

Probes administrative shares using the following user/password combinations, in addition to the user names found on the remote computer, as the NetUserEnum() API determined.

Also, peforms the following actions:
1. After accessing vulnerable computers, the worm copies and executes itself on the new computers.
2. Steals CD keys of the different games.
3. Inventories the active processes and, if it is the name of the firewall and antivirus process the worm attempts to terminate it.
4. Attemps to kill all the running processes that other worms have dropped.
5. Can perform the following types of Denial of Service (DoS) attacks: Ping flood, TCP SYN flood, UDP flood.

This worm adds the value:
"MS Security Hotfix"="service5.exe"
to these registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Use RegRun Startup Optimizer to automatically remove it from startup.

services.exe

Worm / Remote Access / IRC trojan / Destructive trojan / DoS tool
Takes mail adresses from HTML files in the Temporary Internet Files folder. It also connects to the password protected IRC channel #xtcdan, is able to send files to it and receive instructions from users on that channel. It is also updated through the Internet. The mail and the attached file claims to be coming from the antivirus company AVX. It may also destroy files on the infected computer.

servicess.exe

servidor.exe

Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.

servidor2.exe

Remote Access
Alters Win.ini.

sesam102.exe

Steals passwords
Sesame stands for "Stealth Email SMTP Autosender Module".

sesamectrl.exe

Steals passwords
Sesame stands for "Stealth Email SMTP Autosender Module".

sesamesys.exe

Steals passwords
Sesame stands for "Stealth Email SMTP Autosender Module".

seti@home_twk.exe

Worm / Mail trojan
The worm�s .exe file is distributed in a compressed format and is using one of twenty names randomly. Hermes contacts "http://www.seznam.cz", but there is nothing there. It also tris to register, but fails to do so beacause of a bug. It propagates twice to all addresses in Outlook. In several versions th code is packed using UPX.

seti_patch.exe

setup_.exe

Worm / Mail trojan / Virus dropper / Network trojan
Alters Win.ini. The worm also spreads to shared discs in a local network. Every month the worm drops five viruses on different days: Bolzano, CIH_15, Links, Winsk and Bee_Aoc.

setup30.exe

I-Worm.Atirus is a Win32 worm that spreads by sending itself via e-mail to the recipients in a victim's Outlook Address book.
Then, the worm suspends for 5 minutes, then launches one of its payloads depending on system time.
After executing the payload, the worm checks whether the following registry value is present:
HKLM\Software\Microsoft\Windows\CurrentVersion Install=1
If the value doesn't exist, the worm tries to send itself to the senders of messages that exist in MAPI default client's folders.
The subject of the message sent is "New antivirus tool", and the message also contains the attachment "Antivirus.exe" that is the virus itself,
and also contains in the body: Hey, checkout this new antivirus tool which checks your system for viruses

Use RegRun Startup Optimizer to quickly remove this virus.

setuptrojan.exe

Hidden C: share / Hacking tool
Creates a hidden share on drive C:

sex.exe

I-Worm.Sexer is the Internet worm especially for Russian users.
Spreading via the Internet as an email attachment.

Infected email message has the following characteristics:
From: nicky@yahoo
Subject: look for this pretty!))
Attachement: sex.exe

When the file sex.exe is executed, it does the following:

Shows the message (in white background): (in Russian)
German Sterlingov:
For Moskow without Urjuchja.

Copies itself to the root directory of disk c:.
Adds the value: "Win2Drv = sex.exe" to the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Creates the file sex.bmp in c:\ and installs it as the wallpaper.
Makes changes in win.ini:

[Desktop]
Wallpaper=C:\SEX.BMP

Searches the key: Software\Microsoft\WAB\WAB4\Wab File Name in the system registry
and sends itself to every mail address found in Windows Address Book uses pre-defined connection to SMTP server.

Use RegRun Startup Optimizer to automatically remove it from startup.

sexec.exe

Remote Access

sexxxymovie.mpeg.exe

Remote Access / Hacking tool / ICQ trojan
Alters Win.ini and System.ini. Generates several .exe-files with randomly choosen names. The only real change in this version is that the server was recompiled.

sg.scr

SheepGoat trojan
Copies to C:\WINDOWS\SYSTEM\SG.scr
[Win.ini]
run=C:\WINDOWS\SYSTEM\SG.scr

shadow.exe

Shadow Phyre
Remote Access / IRC trojan

shadowrem.exe

Shadow Phyre
Remote Access / IRC trojan

shareall.exe

Share All Your Knowledge
Hidden C: share / FTP server / Network trojan
Turns on filesharing on all drives and creates a hidden share on all of them.

sheep.exe

Remote Access / Trojan dropper
Installs Evil BO. Trojanized version of the small joke program "Sheep.exe" with cute little sheeps running over the desktop.

shel.exe

Trojan PSW Gip
Stop its process and remove from startup.

shell.exe

Dangerous Juegos Worm.
Alters win.ini paramter Run.
Each 31 day it will delete :\*.bat c:\*.ini
c:\windows\*.ini c:\windows\*.dll c:\windows\*.exe.
Stop process and remove it from startup.
Delete all founded shell.exe. Check your floppy disks too.

shell32.exe

Remote Access

shell32.vbs

VBS.Nevesc virus
It spreads via IRC channels.
Executes
C:windows\shell32.vbs
or
C:\Program Files\Internet Explorer\Plugins\command32.exe.vbs
Kill it.

shit heep.exe

Name: Shit Heep
Remote Access

shlhmp.exe

Destructive trojan
Overwrites all the files with the sentence "This file cracked by CoKeBoTtLe98".

shockrave.exe

Name: Shockrave
Remote Access (?)

sickboy.exe

Trojan program:WebMoney Wmpatch.
Remove DBOLE.EXE, SICKBOY.EXE, SYSMAN32.EXE from startup and from your hard disk.

silencer.exe

Name: Silencer
Remote Access / Steals passwords / Virus dropper
Is supposed to be the same trojan as Priority.. Among other things it drops the Pingpong virus.

silver.exe

Worm / IRC trojan / Mail trojan
Silver tries to terminate active antivirus software and delete files belonging to them.

sistem.exe

Steals passwords
At first Ring0 came as an attached file to Winsock Version Checker. When it�s active and the computer is connected to the Internet, the trojan searches for proxyservers and tries to send the collected information to an FTP server in Russia.

ska.exe

Worm / Mail trojan
Alters WSock32.dll. Disguised as picture with fireworks and the message ""Happy New Year 1999!". ; "Replaces your current winsock in order to attach the trojan to outgoing email."

skd.exe

Name: SkyDance
Remote Access
Among the information this trojans steals is a copy of all registrysettings.

skynetave.exe

Worm W32.Sasser.D.
W32.Sasser.D can only execute on Windows XP systems. The worm can exploit a vulnerable (unpatched) Windows 2000 machine remotely and copy itself to that machine. However, it will exit before running any code. In such cases, this worm will produce the following error:
The procedure entry point IcmpSendEcho could not be located in the dynamic link library iphlpapi.dll.

Block TCP ports 5554, 9995, and 445 at the perimeter firewall and install the appropriate Microsoft patch (MS04-011) to prevent the remote exploitation of the vulnerability.
This threat is written in C++ and is packed with PECompact.

Removal: install the patch, remove from startup by RegRun Startup Optimizer.

slave.exe

This is a remote access utility.
See more on
http://www.remote-anything.com/ra_featur...

slmss.exe

This is IE home page hijacker.
It changes your IE home page and redirects you to porn sites or to
another sites.
Recommend to remove it by RegRun Startup Optimizer.
Simply run RegRun Start Control, launch Optimizer feature (tick icon.)
First, Optimizer kills apps in memory, after that it removes them from
startup.
Also check Advanced Optimizer tabs to remove unwanted BHO and Shell
items.
Read more details:
http://www.pestpatrol.com/PestInfo/f/fre...

slserv32.exe

W32/Rbot-KO is a worm of the Rbot family which attempts to spread to remote network shares.
Contains backdoor Trojan functionality allowing unauthorised remote access to the infected computer via IRC channels.
It spreads to network shares with weak passwords.
It also spreads by scanning for and exploiting various vulnerabilities such as RPC/DCOM, LSASS, SUB7 etc.
To avoid detection the worm will terminate various AntiVirus and security related processes.

Copies itself to the Windows system folder as slserv32.exe and creates entries in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = <%SYSTEM%>\slserv32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Service = <%SYSTEM%>\slserv32.exe
and HKCU\Software\Microsoft\OLE\Windows Service = \slserv32.exe

You can remove it with RegRun.

sm tgui.exe

ServeMe
FTP server

smallserver.exe

Remote Access / Eavesdropper

smile.exe

I-Worm.Smilex
It spreads through the e-mail in attachment files. This worm have size about 75KB and written with Visual Basic.
It contains the following lines:
Smile Internet Explorer CD_Open

When the worm is activated it copyes itself to C:\WINDOWS\Start Menu\Programs\StartUp\Smile.exe and in C:\Poems.exe.
It deletes the following files in Windows folder:
Defrag.exe
Tuneup.exe
Regedit.exe
and C:\Program Files\Internet Explorer\Iexplore.exe

Then deletes .LNK files in C:\Windows\Desktop.
Deletes Norton Antivirus folders:
C:\Program Files\Symantec Shared
C:\Program Files\Norton AntiVirus\v32scan.dll
C:\Program Files\Norton AntiVirus\Navtask.dll
C:\Program Files\Norton AntiVirus\Navtasks.dll
c:\program files\common files\Symantec Shared\scriptblocking
And copyes itself in their place with their names.

Also this worm deletes the Media Player: C:\Program Files\Windows Media Player\wmplayer.exe
And creates empty folder "Ok" on drive A:.

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

smileys.exe

Steals passwords / Keylogger
Smileys.exe is a version where trojan is disguised as a game that runs during the first time the trojan is installed.

sndloader.exe

W32/Agobot-BV is an IRC backdoor Trojan and network worm.
It spreads to computers on the local network protected by weak passwords.

Copies itself to the Windows system folder as sndloader.exe and creates the registry entries to run itself automatically on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Sound Loader = sndloader.exe

On NT based versions of Windows the worm creates a new service named "Sound Loader" with the startup property set to automatic, so that the service starts automatically each time Windows is started.

Each time W32/Agobot-BV is run it attempts to connect to a remote IRC server and join a specific channel.
W32/Agobot-BV then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
W32/Agobot-BV attempts to terminate and disable various security-related programs and attempts to prevent its own process from being deleted.

Use RegRun Startup Optimizer to remove it from startup.

sndvol.exe

Autodialing trojan
It randomly connects to three Bulgarian Web- sites: http://www.btc.bg/, http://www.infotel.bg/, and http://ns.infotel.bg/.

Remote Access / Destructive trojan (?)

sockets23.exe

Remote Access / ICQ trojan
Sockets des Troie is French for Trojan Sockets and was one of the very first Remote Access trojans being published.

softwar.exe

Remote Access / Keylogger

softwarst.exe

Remote Access / Keylogger

soundv.exe

Distributed DoS tool
Alters System.ini (on Windows 95 and 98). Is installed in several different places in the Autostart section. Mre.dll is added tothe Drivers section in System.ini. The trojan usually spreads as a mail attachement disguised as a zip file.

south park.exe

Worm / Mail trojan

sp.dll

I'm sorry, but I think you are infected.
Search for sp.dll and try to view this file in the notepad.
If this is the text file you are infected.
Read more:
http://66.34.160.192/spywareinfo/peter.h...
Recommendation: kill it if you are infected.

sp_client.exe

Remote Access

spirit1.2.exe

Remote Access / Steals passwords
Also has a function called ""Burn Monitor"". This option constantly resets the Screenresolution.

spoler.exe

W32.Randex.J is a network-aware worm.

This worm will receive instructions from an IRC channel on a specific IRC server.
One of these commands will start it to spread across the network.

There are some remote instructions from IRC server:
ntscan: Performs the scan of a specific computer with weak administrator passwords and copies itself to these machines.
cdkey: Collects cd keys of many popular games and sends them back to the IRC channel.
sysinfo: Retrieves the infected machine's information, such as CPU speed, memory, and so on.

Copies itself to computers that have weak administrator passwords, as \\\c$\winnt\system32\spolds.exe
Attempts to spread itself in the network, randomly generated IP addresses.

To remove this worm please delete the value:
"helpmanager" = %System%\spoler.exe
in the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Or use the Greatis RegRun Security Suite to perform this operation automatically.

spoof.exe

Trojan dropper
A fake spoofer. Installs Deep Throat 2 server.

spool64.exe

Name: Shtirlitz
Steals passwords

spoolos.exe

Added as a result of the Torvel worm!

W32.HLLW.Torvel@mm is a worm that spreads itself through Microsoft Outlook, Outlook Express, and through file-sharing networks.

It adds the value:
"Service Host" = "%windir%\spoolos.exe"
to the registry key:
KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Copies itself to the default sharing folder of the KaZaA file-sharing program. The file names of the copies contain the strings, such as:
ACDSee32 v2.41, Adobe Encore DVD 1.0, BearShare Pro v4.0.1 etc.

Emails itself to addresses in the Microsoft Outlook address book.

The email messages have the following characteristics:

Subject: The subject is composed of combinations of the following text strings: Hi, Hello, FW: RE: Undeliverable mail-- , and other.

Message Body: Hello, You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023. It's important that you apply the fix now since
we estimate the Buffer Overflow is at a Critical Level. Sincerely Yours The Security Team

Attachment: The attachment can have any of these file names:
document.pif
thank_you.pif
her_details.pif
funny_guy.pif
wicked_screensaver.scr
movie0045.pif
torvil.pif
Q723523_W9X_WXP_x86_EN.exe

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

spoolsc.exe

W32/Agobot-HY is a backdoor Trojan for the Windows platform.
It allows a malicious user remote access to an infected computer.
Aliases: Backdoor.Agobot.gen, W32/Gaobot.worm.gen.d, W32.HLLW.Gaobot.gen

In order to run automatically when Windows starts up W32/Agobot-HY creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WSConfiguration = spoolsc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WSConfiguration = spoolsc.exe.

Remove it from startup by RegRun Startup Optimizer.

spoolserv.exe

W32.Dinfor.Worm is a worm that spreads across network shares.
It exploits weak passwords and uses the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-039) to create user accounts on remote computers.
Joins an IRC channel and waits for commands from a remote attacker.
The attacker can:
Retrieve information about the infected host, such as the operating system version and the computer's hardware
Upload and download files
Execute files
Use the computer to perform Denial of Service (DoS) attacks on other computers

Copies itself as the following files:
%System%\Spoolserv.exe
%System%\Cmst32.exe
%System%\Smshost.exe
%System%\Svhost32.exe.

Attempts to delete the following files:
X:\Program Files\Norton AntiVirus\navapsvc.exe
X:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE

Use RegRun Startup Optimizer to remove this worm.
And manually changes some values in the system registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
set the DWORD value:
"restrictanonymous" = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Set the value:
"EnableDCOM" = "Y"

spoolsrv.exe

Steals passwords
Gets the Dial Up Networking passwords via e-mail.

spy.exe

Remote Access / Keylogger
Alters Win.ini. Is been disguised as a Y2K system updater.

spyserv1.exe

Keylogger
Logs all keys typed on the server computer.

spyserver.exe

Steals passwords / Remote Access / Downloading trojan
Tries to send information to IP address 202.103.106.189. A remote user is able to compress the files before downloading them.

srng.exe

Browser Hijacker.
Also called ShopNav. This application is a search hijacker implemented
as an Internet Explorer Browser Helper Object, with an auto update
feature, runs at startup. The application tracks and hijacks the following:
Address bar searches, the Search explorer bar, unknown domains, and,
in some variants, non-www server names entered into the address bar
without the preceding 'http://' will be sent to Srng controlling
server www.srng.net, that redirects to a search service at
apps.webservicehost.com.
Read more:
http://www.liutilities.com/products/wint...
Remove it from startup.

srv.exe

Remote Access
Alters Win.ini and System.ini.

Trojan program.
Remove it from startup.

ssetup.exe

Remote Access / Keylogger / IRC trojan
Doly is hidden in several different programs: in Memory Manager, in an Interactive Game, and in a Downloading program. The trojan also starts using Windows Startup Directory.

ssfs.exe

Senna Spy FTP server.
Works on Windows. This trojan allow you full access by FTP Client: CuteFTP, AceFTP or Directly by WebBrowser.

ssfsfull.exe

Senna Spy FTP server.
Works on Windows. This trojan allow you full access by FTP Client: CuteFTP, AceFTP or Directly by WebBrowser.

ssftpsvr.exe

Senna Spy FTP server.
Works on Windows. This trojan allow you full access by FTP Client: CuteFTP, AceFTP or Directly by WebBrowser.

ssiwg.exe

Senna Spy Worm Generator
Worm generator
Generates new worm VBS files. Makes it very easy for anyone who wants to create a worm, which through its complexity in every VBS file, can not be easily detected by any of the well known antivirus programs.

sstrojg.exe

Senna Spy Trojan Generator
Trojan constructor / Remote Access
Has the ability to kill Firewall and Antivirus software from Memory.

st5unst.exe

Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.

stat.exe

Remote Access / ICQ trojan / IRC trojan

status.exe

Kool Status spyware.
Remove it from startup.
Read more:
http://www.pestpatrol.com/pestinfo%5Ck%5...

stcloader.exe

stealthxp.exe

Trojan Trojan.Clicker.NetBuie.b.
Kill it!

studio54.exe

Remote Access

stukst.exe

Keylogger / Remote Access

subseven.exe

subzero.exe

Remote Access / DoS tool / Steals passwords / Keylogger / ICQ trojan / AIM trojan / MSN trojan
One of the features of this trojan is Live Talk.

sucatreg.exe

W32/Magistr-A Virus.
Read details at:
http://www.sophos.com/virusinfo/analyses...
You may remove it from startup but you should know that this virus
infects executable files.
You should check your computer by antiviral software.

svchos1.exe

AGOBOT.R VIRUS
This malware works as a worm and a backdoor too.

As a backdoor, it connects to an IRC server and listens for remote commands.
It executes these commands on the infected machine, thus providing hackers to take a control over infected systems.
This malware does not propagate unless it is commanded to do so.

It may also receive commands that allows it to scan for target systems with the following properties:

1. Weak share passwords.
This malware scans for systems with weak logon and passwords from a buildin list.
2. Vulnerability to the RPC DCOM Buffer Overflow.
To scan for unpatched vulnerable systems, this malware attempts to connect to port 135 of target systems, which is the vulnerable port relative to this security hole.
3. Vulnerability to the Locator Service Buffer Overflow.
To scan for vulnerable systems, this malware attempts to connect to port 445.
4. It copies itself into vulnerable systems and then executes the copy.
It copies and executes itself on systems found with the security weaknesses. It opens port 22227 on the local system to transfer its copies to vulnerable machines.

This malware allows hackers to do the following:
- Execute a specific file
- Open a file
- Retrieve system information such as operating system version
- Change or generate a random nickname to be used by the malware on IRC
- Download and/or execute a file from the Internet via FTP or HTTP
- Update the malware from a remote site via FTP or HTTP

This malware runs on Windows NT, 2000, and XP. Users of affected systems are strongly advised to refer to the cited Microsoft pages for patches.

To disable this backdoor use the Greatis RegRun Security Suite to remove the "svchos1.exe" from the startup section in the system registry.

svchost.com

W32/Rbot-EU. Also known as Backdoor.Rbot.gen
It is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.
It spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Rbot-EU moves itself to the Windows system folder as SVCHOST.EXE and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services host = svchost.com
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Services host = svchost.com
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Services host = svchost.com

The worm will also attempt to terminate security related processes as well as processes related to the W32/Blaster family of worms.

Use RegRun Startup Opimizer for removal.

svchost32.exe

Mimail.i spreads through the Internet in the infected file attachment paypal.asp.scr.
Infected email messages include the following content:
- Sender address: donotreply@paypal.com
- Subject: YOUR PAYPAL.COM ACCOUNT EXPIRES
- Body Text:
Dear PayPal member,
PayPal would like to inform you about some important information regarding your PayPal account... e.t.c. ...Thank you for using PayPal.
- Attachement: paypal.asp.scr

Upon being launched the Mimail.i worm displays a dialogue window asking the computer user to supply PayPal credit card data.
Any data entered is then kept in the file named ppinfo.sys, which is then sent to the worm's author.
Mimail.i creates two files in the C: root directory - pp.gif and pp.hta. These files are used to display the dialogue window requesting PayPal credit card information.
The worm creates the following files in the Windows directory: zp3891.tmp; ee98af.tmp; el388.tmp
To mail out infected messages, this worm uses its own SMTP engine.
To detect email addresses to target, the worm searches for address strings contained in files located in the Shell Folders and Program Files directories.

svchsst.exe

W32/Rbot-DH is an IRC backdoor Trojan with spreading capability.
Copies itself into the Windows system folder as svchsst.exe or with a random name.

Sets the following registry entries to run itself automatically when Windows starts up:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft IT Update
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft IT Update
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft IT Update

W32/Rbot-DH logs onto a predefined IRC server and waits for backdoor commands.
When receives the appropriate backdoor command W32/Rbot-DH will attempt to spread to other computers.

Automatic removal: Use RegRun Startuip Optimizer to remove this worm.

svdhost32.exe

W32.Gaobot.ZW is a minor variant of W32.Gaobot.SY.
This worm attempts to spread through network shares with weak passwords.
It also allows attackers to access an infected computer using a predetermined IRC channel.
Disables other worms by deleting their files, associated registry values, and by terminating their processes.
Steals the Windows product ID and CD keys from some video games.
Attempts to terminate processes related with some antivirus software.

The worm uses multiple vulnerabilities to spread, including:
- The Microsoft Messenger Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-043).
- The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445.
The worm specifically targets Windows 2000 machines using this exploit.
- The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
- The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061), using UDP port 1434.
Sending itself to the backdoor ports that the Beagle and Mydoom families of worms open.

Copies itself as %System%\svdhost32.exe.

Adds the value: "Hotfix Updat"="svdhost32.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Deletes the values: "Ssate.exe"; "rate.exe"; "d3dupdate.exe"; "TaskMon"; "Explorer"
from the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Terminates the following processes: irun4.exe; i11r54n4.exe; winsys.exe; bbeagle.exe; taskmon.exe
Deletes the following files: %System%\irun4.exe; %System%\i11r54n4.exe; %System%\winsys.exe; %System%\bbeagle.exe; %System%\taskmon.exe
Deletes the service, upnphost.
Adds the following lines to the %System%\drivers\etc\hosts file, so that any attempts to connect to some antivirus Web sites fail.

Remove it automatically from startup by RegRun Startup Optimizer.

svhost.exe

W32.Mydoom.I@mm is a mass-mailing worm that arrives as an attachment.
The worm is similar in functionality to W32.Mydoom.A@mm.

Creates the following files:
%System%\svhost.exe (A copy of the worm).
%Temp%\Message (This file contains random data and is displayed using Notepad.exe).

Deletes the value: "TaskMon"
from the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
which is the registry value that W32.Mydoom.A@mm adds.

Collects the email addresses from the files with different extensions.
Attempts to send email messages using its own SMTP engine.
The attachment may have either one or two file extensions.
If it has two, the first extension will be one of the following: .htm; .txt; .doc
The second extension, or the only extension if there is only one, will be one of the following: .pif; .scr; .exe; .cmd; .bat; .zip
(This is a .zip file that contains a copy of the worm.)

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "SVHOST"="%System%\svhost.exe"

svhst.exe

W32.Gaobot.YC is a variant of W32.HLLW.Gaobot.gen that attempts to spread to network shares and allows access to an infected computer through an IRC channel.
The worm uses multiple vulnerabilities to spread.
Allows unauthorized remote access.
Steals CD keys of several popular computer games.
Ends processes belonging to antivirus and firewall software.
Accounts with weak passwords; systems not patched against the DCOM RPC vulnerability or the RPC locator vulnerability.

Copies itself as %System%\svhst.exe.

Adds the value: "Configuration Loader" = "svhst.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Connects to a predefined IRC channel, using its own IRC client, and listens for the commands from an attacker.
Copies itself to any systems it compromised using the previously mentioned exploits.
Drops Backdoor.Gaobot to the compromised network shares, and then executes it.

Attempts to kill some processes associated with other worms:
dllhost.exe; msblast.exe; mspatch.exe; penis32.exe; tftpd.exe; winhlpp32.exe; winppr32.exe

Listens on randomly calculated ports (within the range of 1000, and one from above 10000) and waits for other computers to download the worm.

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

swcaller2.exe

Trojan program.
Look at the for more information:
http://groups.google.com/groups?q=SWCALL...
Recommendation: Try to suspend auto run.

swchost.exe

swizard.exe

Remote Access / Keylogger

symav.exe

W32.Netsky.U@mm is a mass-mailing worm and a variant of W32.Netsky.S@mm.
Also Known As: W32/Netsky.u@MM, W32/Netsky-U, WORM_NETSKY.U, Win32.Netsky.U

This worm also contains backdoor functionality and if the computer's system date is between April 14, 2004 to April 23, 2004,
the worm will attempt a DoS attack against the following Web sites:
www.cracks.am; www.emule.de; www.kazaa.com; www.freemule.net; www.keygen.us

Scans drives C through Z (excluding the CD-ROM drives) and retrieves the email addresses from the files with the predefined extensions.
Uses its own SMTP engine to send itself to all the email addresses that it finds.
The Subject and Attachment name vary. The attachment has a .pif file extension.

Copies itself as %Windir%\SymAV.exe.
Creates a mutex, "SyncMutex_USUkUyUnUeUtUU," to allow only one instance of the worm to execute.
Creates the file, %Windir%\fuck_you_bagle.txt, which is a MIME-encoded copy of the worm's executable.

Adds the value: "SymAV"="%Windir%\SymAV.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Listens on port 6789. If an attacker sends an executable file to an infected computer,
the worm will save it as an executable file with a random file name, and then execute the file.

You can use RegRun to remove this worm from the system registry.

syphillis.exe

Remote Access / ICQ trojan
Works on Windows 95 and 98, together with ICQ. Also uses Telnet as client. The Zip-file password = xc4an.

sys.exe

sys_alert.exe

Advertising spyware.
Remove it from startup by RegRun Start Control.

sys01.exe

Remote Access / Mail bomber / Keylogger

sysbat.exe

Backdoor.Palukka is a backdoor Trojan horse that can give a hacker access to the computer.
It is controlled by the hacker using IRC channels.
This particular backdoor Trojan provides a great deal of control over a compromised computer,
including file system access and the ability to use the compromised computer in a distributed Denial of Service attack.

When Backdoor.Palukka is run, it creates a copy of itself as \%Windows%\Sysbat.exe.

It may also add a value that refers to Sysbat.exe to one or more of the following registry keys to make sure this file is run on startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

If the Trojan was run and a hacker executed files on the computer, it may be difficult to determine exactly what was done, even after the Trojan was removed.

syscfg32.exe

Worm.P2P.Lolol.
Shares via Kazaa network.
Stop thsi process and remove from startup.

syscheck.exe

Worm / Remote Access / Destructive trojan / Mail trojan
Takes advantage of addresses in Windows Address Book and Outlook. Usually doesn�t work well because of a very buggy code. On the 4th of every month, Autoexec.bat is written over by a trojan, destroying some files and opens a backdoor to the infected computer.

syschk.exe

W32.Galil.F@mm is a mass-mailing worm that uses its own SMTP engine or Microsoft Outlook to spread.
It harvests email addresses from the files in the current user's Temporary Internet Files folder, Yahoo Messenger, Microsoft Outlook address book, as well as the files whose extensions are .asf, .avi, .doc, .jpg, .mdb, .mpe, .mpeg, .mpg, .pps, .ram, .rar, or .xls.

The worm may spoof the "From" field. The email message has a randomly selected subject line, which may also be the attachment name. The attachment has a .bhx, .exe, .hqx, .mim, .uu , .uue, or .xxe extension. The message body is also different.

When it runs, it does the following:
Displays a fake message.
May create a folder, %Windir%\Sys32s, and copy itself as %Windir%\Sys32s\ZaCker.exe with attributes set to Read-only, Hidden, and System.
Copies itself as %System%\MizZabbat32.exe.

May create the following files:
%System%\Syschk.exe: (With attributes may set to Read-only, Hidden, and System. This is the worm's propagation component.) 29,183 bytes
%System%\Smtp.Ocx: (An SMTP library. This file is not viral by itself.) 25,736 bytes
%System%\Runhelp.cab: (Which contains a file runhelp.inf. This file is not viral by itself.) 6,323 bytes
%Windir%\Sys32s\Runhelp.cab: (With attributes set to Read-only, Hidden, and System.) 6,323 bytes
%Windir%\Web\Folder.htt: (With attributes is set to Hidden and Archive.) 15,483 bytes

Manual removal.
Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"SystemChecker"="%System%\Syschk.exe"

Navigate to the key:
HKEY_CURRENT_USER
and delete the value
"Cya"

Use RegRun Startup Optimizer to automatically clean your system.

syscpy.exe

Backdoor.Hogle is a proxy SMTP server that may be used as an anonymous spam relay.
It also listens on TCP port 3355 for incoming connections.

Copies itself as %System%\Syscpy.exe.
Adds the value:
"Syscpy"="%System%\syscpy.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Gets the IP address of the computer on which it is running, and then queries spamcop.net and www.abuse.net for this address.
If the address is found on a "spam blacklist," which one of these services maintains, the Trojan will exit.

Sends a message containing the current IP address to a certain Web site.
Opens a connection on TCP port 3355, waiting for incoming connections.
When a connection is made, the Trojan accepts incoming messages, and relays them to another SMTP server on port 25.

Manual removal:
Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"Syscpy"="%System%\syscpy.exe"

Remove this worm by RegRun Startup Optimizer.

sysdll.exe

Remote Access

sysdrv.exe

Worm / Downloading trojan
Hidden in a simple music and graphics program. Updates itself from the Web using plug-ins. It checks Windows Address Book and sends itself to every mail address found.

sysexplor.exe

Remote Access
Includes the LookItUp-tool to test a server host for infection.

sysexplr.exe

Status: This is a dangerous trojan.
Read more:
http://www.windowsitsecurity.com/Panda/I...

Recommendation:
Stop its running and delete SYSEXPLR.EXE and KERNEL32.EXE.

syshelp.exe

Lovgate worm (also known as Supnot)
Worm copies have the following names:
rpcsrv.exe, syshelp.exe, winrpc.exe, WinGate.exe, WinRpcsrv.exe
Installs backdoor program to your computer for remote control.
Remove it from startup.

sysid.exe

Worm / Mail trojan
The worm is packed by the Aspack PE EXE compression utility. It leaves a hidden copy of itself in Windows memory. Mail addresses picked randomly from the address book.

sysinfo.exe

W32.HLLW.Gaobot.FQ is a variant of W32.HLLW.Gaobot.BF.
It attempts to spread to network shares that have weak passwords and allows attackers to access an infected computer through an IRC channel.

Copies itself as %System%\Sysinfo.exe and %System%\Winhlpp32.exe.

Adds the value:
"Configuration Loader"="%System%\sysinfo.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Performs Distributed Denial of Service (DDoS) attacks against targeted systems. The IP addresses of the targets are randomly calculated.
Steals the CD keys/Product ID, ends some processes associated with antivirus and firewall software, attemps to kill some processes associated with other worms.
Listens on randomly calculated ports, and waits for other computers to download the worm.

Remove it from startup by using RegRun Startup Optimizer.

sysload32.exe

I-Worm.Mimail.g is a variant of I.Worm.Mimail.e.
This worm spreads via the Internet being attached to infected emails.
Infected mails contain the following:
Sender's address: john@recipient domain
Message header: don't be late!
Message body: Will meet tonight as we agreed, because on Wednesday I don't think I'll make it, so don't be late. And yes, by the way here is the file you asked for. It's all written there. See you.
Attachment: readnow.zip
The attached file contains the worm under the name 'readnow.doc.scr'
This version of the worm does not contain the function which enables it to steal E-Gold users' information.
The worm carries out a DoS attack on the site mysupersales.com in the same way that I-Worm Mimail.c does.

Manual removal:
Please, go to the key in the system registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "SystemLoad32" = "%windir\sysload32.exe"

sysman32.exe

Trojan program: Greetyah.
Greetyah downloads a file from the internet and sets an auto-run key in the system registry in order to establish automatic starts.
Remove it from startup.

sysmcm.exe

Worm / Downloading trojan
Hidden in a simple music and graphics program. Updates itself from the Web using plug-ins. It checks Windows Address Book and sends itself to every mail address found.

sysmgr.exe

W32/Sdbot-OO is an IRC backdoor that can spread via network shares protected by weak passwords.
The worm copies itself to the file sysmgr.exe and cool.exe in the Windows System folder and adds the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft System Checkup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NT Logging Service
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft System Checkup

W32/Sdbot-OO connects to an IRC server specified by the author and joins a channel from which it will receive further commands.
These commands can start any of the following actions:
- HTTP server
- sock4 proxy server
- UDP, SYN or PING flooding
- TCP redirection
- download files
- execute arbitrary commands
- spread via weakly-protected network shares

It may also attempt to terminate the security related processes.

Use RegRun Startup Optimizer to remove it from startup.

sysmon.exe

Worm.Win32.Bizex
This worm uses the Internet instant messaging system ICQ to spread via the Internet.
The worm sends ICQ users a message with a URL, which is linked to a file which contains procedures to automatically download
and execute the malicious component of the worm on the victim computer.

On connecting to the site http://www.jokeworld.xxx/xxx.html (x here is used to replace certain characters) the CHM-exploit-a is used.
The result of this is that a specially constructed CHM file is automatically executed on the victim computer.
This file contains another file contains TrojanDropper, a type of Trojan written in script language.
This Trojan extracts a file named WinUpdate.exe from itself to a range of system directories.
WinUpdate.exe is a Trojan program of the TrojanDownloader group, which downloads the main component of the worm from a remote site,
and writes it to the temporary directory under the name aptgetupd.exe.

Adds the value: "sysmon" = %system%\sysmon\sysmon.exe
to registry key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

Steals information relating to a range of financial services, such as Acceso a Banca por Internet, Accueil Bred.fr > Espace Bred.fr, American Express UK - Personal, etc.
It also steals data transmitted by HTTPS, relating to accounts of a variety of mail services such as Yahoo, etc.
All stolen information is sent by FTP to a remote server: www.ustrading.info
The worm extracts a number of .dll files from itself and installs them in the Windows system directory: java32.dll, javaext.dll, icq_socket.dll, ICQ2003Decrypt.dll

Remove it from startup with RegRun Startup Optimizer.

sysmonxp.exe