How to Repair Exe Processes
An exe file is the main executable application file for a program. Exe files are most commonly used by the Windows operating systems, but they are also used by other, less common systems such as DOS, OS/2, and OpenVMS. This guide looks predominantly at exe processes as they relate to the Windows operating system and to applications installed on computers running this platform.
An executable file can be used in a number of different circumstances. The Windows Operating System itself uses a large number of executable files in order to complete various tasks. These legitimate executable files are essential for the smooth running of your computer and should be left to run in the majority of cases. In order to run an application, users typically need to double-click an executable file, or a link to an executable file. Once clicked, the executable file will then be run according to the user's settings and the application itself.
Exe files can also be called by other applications and may contain entire applications or sections of an application. Some executable files may only contain certain elements of a program but are usually required for the full and effective running of that application. Disabling or removing these executable files will not usually affect the running of your system or the operating system on your computer, but it may prevent the proper running of the appropriate software.
Malicious software, such as spyware, also usually requires an executable process to run on your system. Finding executable processes belonging to malware and preventing the process from running can help to prevent or minimize the damage that the software was intended to do. It is necessary to fully research the process in order to ensure that you are not deleting a legitimate Windows process. Many malicious processes are named in order to closely match those of genuine Windows processes in order to deter you from removing them.
Viewing the active processes on your computer is a simple task and can be done by using the Windows Task Manager that is included with your operating system. Holding down Ctrl and Alt and pressing Delete will display the Task Manager, and by clicking the Processes tab it is possible to view a full list of the processes running on your machine. This also enables users to disable or end any processes that they do not require.
You should always research a process before deciding whether or not to end it. Genuine processes can sometimes cause errors, for reasons that we will look at later in this guide, and there may be a preferred route to take other than simply ending the process. The research of these files can be done online using third party websites.
Occasionally, genuine Windows executables can become corrupt or damaged. This can lead to software and system errors and may require the closing down of an application. In the more severe cases this may require the ending of a process through Task Manager. Other executable files, while genuine, can cause a serious drain on your system resources because they require a large percentage of your processor power.
The last sections of this guide contain a list of the most common executable processes. As well as a guide to more than 40 malicious processes that are commonly found on users' systems, there is also a list of 10 genuine Windows processes. This is obviously not a full list of all potential exe files, but it is a good place to start and contains some of the most common processes that you are likely to find on your computer.
The advice we give regarding how you should deal with problems related to exe processes consists of general guidelines only. Each process and each problem will typically have its own solution and, as such, it is absolutely imperative that you research each particular process before taking any action. Of course, we've provided a guide to the best way to research the processes active on your system in order to help with this too.
Viewing Active Processes
Most computers have a minimum of ten to twenty processes running, even while they are lying idle. Many of these processes belong to the Operating System but some belong to applications and software that are being used at the time. Each user on the computer will typically have a number of their own processes that are unique to their logon as well. Printing, connecting to the Internet, and other tasks will open resources, and if you use any software that runs when you start your PC, the main executable processes belonging to these applications will be running whenever you are logged on at your computer.
If you are experiencing problems with any specific applications, or if your system is performing slower than normal, then your active process list is a good place to start looking. The active process list displays all executable files and processes that are currently running on your computer. As well as the name of the process the following information is also displayed in Windows Task Manager by default:
User Name: As well as System, Local Service, and Network Service, this may also display the name of a user that is logged on at your PC. This gives information regarding the origin of the process that is running.
CPU: Active processes that are being used require a certain amount of your CPU processing power in order to run. The figure displayed in the CPU column is a percentage and should hopefully not total anywhere near 100%, excluding the System Idle Process. The System Idle Process shows the total amount of CPU processing power that is currently unused.
Mem Usage: Measured in kilobytes, this is the total amount of memory that a process is using. The more processes that are running and active with a greater total memory usage, the slower the performance of your PC is likely to be. Applications are likely to show a figure running into the thousands or even tens of thousands, while the majority of system processes have a minimal memory usage in order that they do not hog your system resources.
There is a list of other fields that can also be added to this display, should you require them. For the most part, though, the fields listed above are the most important. Should you wish to add or remove any columns from the Task Manager process viewer then simply click on the View menu at the top of Task Manager window and click Select Columns... to bring up a list. Remove ticks from check boxes if you do not wish to display a particular column, or add a tick if you want to enable that column.
There are two more areas of interest in the Task Manager that you may require. The first is the checkbox titled Show processes from all users. By default this tick box is disabled, but once enabled it will populate the list of processes with those belonging to all users on your computer. If you are the only person that uses your computer and you only use one screen name then this tick box is essentially irrelevant.
In order to end an unnecessary process you should first highlight the process name by selecting it from the list at the top of the screen. Once you have done this click on the End Process button at the bottom right of the screen. Always be sure that you are ending the correct process, because if you accidentally or incorrectly close a system process you may need to restart your machine and you may lose any unsaved work.
As well as the simple but relatively effective Task Manager process list, there is a more advanced process handler available for the Windows Operating System. It can be freely downloaded from the following URL: http://download.sysinternals.com/Files/ProcessExplorer.zip
The Process Explorer is a powerful tool that enables users to really get to grips with the processes that are running on their computer and gives an unusual insight into the way that certain applications are run on your computer. There are basically two panes within the Process Explorer window. The top pane will always show a list of active processes, with similar information as displayed in the Windows Task Manager.
Where Process Explorer differs from Task Manager is in the bottom pane. Depending on the mode you have selected, different data will be displayed. Handle mode displays the handles that the selected process has opened while DLL mode displays the DLLs that the process has opened. If you are attempting to determine the legitimacy of a process this can be important information that will help to determine whether or not a process is spyware or malware, or whether it is a genuine process that should be left to run on your system.
When attempting to track down rootkits and other more deviant and covert forms of spyware, utilities like Process Explorer can help make the difference between an infected computer and one that has been fully cleansed. Rootkits are notoriously difficult to find, even for some antispyware packages, but manual searching is an option, albeit a time consuming one.
Perhaps one of the areas where both of these utilities fail to impress is in the viewing of processes that are scheduled to run at a routine time, or those that run on startup whenever you log on to your PC. This information, though, can also be vital in tracking down malware on your computer and helping to determine whether a process should be left resident on your computer or disabled as soon as possible.
Third party software applications are available for this very purpose. Spyware almost always adds a registry entry to your computer in order that it is run when you log on to your computer. By doing this, it is possible for the malicious application to record data from your computer as soon as you are active, and then establish an Internet connection and forward the information freely to a remote server.
Third party process viewers can identify those processes that are set to run on startup. Armed with this information you can research the processes and establish which applications are responsible for them. This, in turn, will help you make the right decision about whether to disable a process on your system. With some shopping around it is also possible to find software that identifies new processes and new autostart entries within the registry. If a new entry is identified without your knowledge of having added any new software, then it is likely that the software added is a malicious program of some sort.
Whether you choose to use Windows Task Manager, Process Explorer, or a third party application to view the processes that are running on your machine, it is possible to find virus-ridden applications and malware applications that currently reside on your computer. While this shouldn't be used as a substitute for good security software, it can help with the manual removal of some of the more difficult problems. It can also help to improve your system performance by identifying needless processes that run when you start your computer and those that are using more than their usual share of your CPU and memory.
Once you have a list of all the processes currently active on your system, the next step is to research them. This is a vital step. Executable processes are used by a huge range of different applications and programs including the Windows operating system itself. This means that removing or ending the wrong process could result in the closing down of your computer. Any unsaved work open at the time will be lost without the chance to save it first.
On the other hand, though, spyware and malware applications also require the running of one or more executable processes. In this case, it is usually desirable to end the exe file before the malware can do any more harm than it may have already done. Some malware will deliver its payload as soon as it is run, but other programs may instead download further applications over a period of time.
Even if you are looking at a genuine, and usually non-harmful process, it may be that the process is running incorrectly. Sometimes, otherwise mundane processes can continue running even when they are not required and this will obviously lead to a drain in your system resources such as CPU usage and memory. With the proper research you can determine whether it is safe to end a process without fear of losing necessary functions or features. It may be possible that the process causing a drain on your system is not really required to run on startup, or may only be needed when you are using a specific application. In these cases, it is usually safe to end them without worry.
The first step in any exe file research is to gather as much information as you can from your computer. If you are only using the Task Manager to view the processes running on your computer this can be time consuming, if it is possible at all. Often, to determine whether you are running a genuine process or one that is meant to look genuine, you will need to know the exact location of the file that is associated with the executable. Task Manager cannot display this information, but good third party software does.
At least note the name of the process and, where possible, the path. Record the CPU usage, so that you can check to some extent whether the process is performing as it should. Also make a note of the total memory usage; this will be handy when you are researching the file and trying to ascertain whether you have the genuine process or a spyware equivalent running on your machine.
The Internet is the largest and most influential resource in the world. Websites exist that list thousands upon thousands of processes and the details that pertain to these processes. Many of these process databases are constantly updated so that you have the latest information to hand. These databases are sometimes maintained by the publishers or authors of antispyware or other security software and, as such, they may also include recommended steps to take with these files.
Your security software is also another good port of call. If you believe that a process running on your system belongs to a spyware application then the most sensible step to take is to first run your antispyware software. If you have been infected with any malware then your security software should pick up on it, in the majority of cases. This will usually identify files that are infected or belong to malware programs, but by checking the details of the particular infection you will also usually be provided with the names and paths (location on your computer) where the file and process will be located.
Some process viewing applications also link directly to a process database that is regularly maintained online. When a process is discovered or added on your machine the software should also display the details of that file in order that you can make a judgment on whether the process and associated file are valid or they should be removed.
And so to probably the real reason you are reading this guide: ending processes. Before you go ahead and end a process there are several factors you must have already considered. We can't stress enough that ending the wrong process can cause serious problems that can be difficult to recover from. On the other hand, leaving a process running that is an integral part of a malware application could be even more damaging.
Always do your research: find out as much information as you can from as many different sources as you feel you need to. Scour the Internet, use your security software, and check what information you have on your computer. This information is absolutely vital to deciding whether or not you need to end an active process.
Remember that some malicious processes use names that are similar to genuine ones in order to remain resident on your computer. Some processes are also used by more than one application; this is especially true of processes belonging to the Operating System. A print process can be called by a number of different applications, and ending or removing this process may make it impossible to print from any application, not just a single one.
Carefully check the name of the process you are searching for. A common method to closely replicate names is to use numbers in place of letters. For example, winw0rd.exe is highly likely to be a malicious process that is named after the genuine winword.exe process so take care and pay close attention to the name. Where possible look at the location of the file that the process relates to. Genuine program executables should typically be found in the relevant program folder, while the exe files that belong to your Operating System should be found in your system folders.
Is it causing problems? If a process is causing problems then, regardless of whether it is a genuine exe file or not, you will need to take some sort of action. Genuine files that are draining resources need to be looked into as much as those that seem to belong to spyware or another malware application. If, in your Task Manager, you notice that a process is using an extraordinarily large amount of your CPU resource or has a seemingly large memory usage, then see what action, if any, can be taken.
It may be that a running application genuinely requires large CPU usage, but this is sometimes a good indicator that things have gone awry somewhere along the line. Memory usage is less indicative of a problem but the information can be used to verify whether an exe file is genuine or not.
If your antispyware or other security application identifies a problem and indicates a running process as being a part of that problem, then the decision should be relatively cut and dried, although some cursory research may still be a good idea to make fully sure that you take the appropriate action.
Using AntiSpyware software to start with is generally a good idea. This should give a good grounding to start any more research you want to do. It will provide you with the name of the particular malware that is installed on your computer and enable you to research this as well as the process you are concerned about. By comparing the information you should be able to put together the best action plan to resolve your problem.
If you are struggling in any way with a genuine process then the first thing to try is to see if there are any software updates. If the software package does not include its own updater, or you cannot access this feature, then visit the vendor's or publisher's website. Look for the latest patches and releases, and also consult the knowledgebase or forum, because if a similar problem has been reported by other users then you might find the problem has already been resolved for you.
Download and install the latest Windows updates. Again, if other users have reported similar problems and the problem is Windows related then there may be a patch included in one of the many updates that Windows releases. The Windows Operating System is set by default to look for the latest downloads, updates, and upgrades so take advantage of this feature. You should certainly have installed the very latest security pack for the particular version of Windows you are using.
If a process does belong to a genuine application but is not required for the safe and regular running of that application then, by all means, end the process. This can save you unnecessarily using the resources available to you on your computer and can improve your system performance significantly. A common example of an unnecessary process running on a computer is when an application is set to run on startup, even though it is not frequently used. Similarly, some components of applications are not always required to run on startup. These can provide a good way to streamline your startup process and speed up the operating efficiency of your system in general.
We've already mentioned malicious processes on a number of occasions within the pages of this guide. This is because it is one of the more common reasons for people to look for information related to the processes that they have running on their system. Even the less damaging spyware or adware applications that install on your computer will typically use up a degree of your CPU and memory because they will run one or more processes whenever your computer is turned on.
Malware falls into several categories, and each has its own payload and method of delivery. Some can be extremely damaging, including those that forward your personal information to a remote server or to a third party, while others are slightly less damaging and serve up advertisements according to the websites you visit. All have one thing in common, though: they use up system resources, and because of the potential threat they pose it is important that you remove them.
Malware: this is a generic term that literally means MALicious softWARE. It includes adware, spyware, keyloggers, and much more. Security packages that go by the term antispyware are actually usually antimalware applications, because they will detect and remove all types of malware, giving you greater protection against Internet-borne threats.
Spyware: spyware is software that is used to spy on you. Commonly, it will monitor your Internet browsing activities and report them back to a remote server or to an unauthorized third party in order that they can use this information. Spyware may also record usernames and passwords that you enter while visiting certain websites, such as your bank website, so it is potentially very dangerous to leave spyware on your system.
Adware: advertising software is commonly described as being the least threatening of the malware applications. In one sense, this is true. At its most basic, adware is used to routinely generate and display advertisements on your desktop, although most adware applications are more involved than this. Many will monitor the sites you visit and display advertisements that are relevant to this topic. A lot of free software is accompanied by adware, and removing the adware may make the software unusable according to the terms of the usage agreement.
These are just some of the types of malware you may come across during your search for executable processes. Certainly, we have listed processes later in the guide that pertain to each of these types and more. As well as those listed there are also keyloggers that log all keystrokes you make on your computer, screen capture software that takes a snapshot image of your screen, dialers that dial premium rate phone numbers from your phone connection, and downloaders that are used to download more malware to your computer.
Malware authors are becoming more and more advanced in their techniques. When creating a malware application one of the main features is that the application is not immediately detected. This ensures that it can deliver its payload before it is detected and removed. One of the most common methods of preventing detection is to give the files and processes similar names to those of genuine files and processes, especially those belonging to your operating system. By doing this, a malware creator knows that you will be less inclined to disable or remove the process for fear of it being the genuine one.
While some malware authors will use the exact same process name as a genuine one, others attempt to camouflage a process by giving it a distinctly similar name. Replacing certain letters with numbers is a common practice. Explorer.exe may instead appear as expl0rer.exe. They may appear similar but one is a genuine process while the other belongs to a malicious application.
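The two name checks the guide describes, in the research section above and here (a name that is one digit-for-letter swap away from a genuine process, and a genuine name running from a folder it should not be in), can be automated. This is an added example, not code from the guide; the table of known executables and their folders, the digit substitutions, and the similarity threshold are assumptions, and the process snapshot is constructed.

```python
import ntpath
from difflib import SequenceMatcher

# Genuine executables and where they normally live. Assumed, illustrative
# table for this example; a real check would use a maintained process database.
SYSTEM_EXES = {               # must sit in exactly this folder
    "explorer.exe": r"C:\Windows",
    "csrss.exe": r"C:\Windows\System32",
    "svchost.exe": r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "lsass.exe": r"C:\Windows\System32",
}
APP_EXES = {                  # may sit anywhere below this folder
    "winword.exe": r"C:\Program Files",
}

# Digits commonly swapped in for the letters they resemble (assumed list).
DIGIT_FOR_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(name):
    """Lower-case the name and undo digit-for-letter substitutions."""
    return name.lower().translate(DIGIT_FOR_LETTER)


def closest_known(name):
    """Best-matching genuine name and a 0..1 similarity score."""
    target = normalize(name)
    best, score = None, 0.0
    for known in list(SYSTEM_EXES) + list(APP_EXES):
        s = SequenceMatcher(None, target, known).ratio()
        if s > score:
            best, score = known, s
    return best, score


def assess(name, path, threshold=0.85):
    """Return 'genuine', 'wrong-location', 'lookalike' or 'unknown'."""
    lname = name.lower()
    folder = ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))
    if lname in SYSTEM_EXES:
        # Same name as a system process but outside its folder: the exact-name
        # trick the guide warns about.
        expected = ntpath.normcase(SYSTEM_EXES[lname])
        return "genuine" if folder == expected else "wrong-location"
    if lname in APP_EXES:
        root = ntpath.normcase(APP_EXES[lname])
        inside = folder == root or folder.startswith(root + "\\")
        return "genuine" if inside else "wrong-location"
    # Unknown name: flag it if it is a near copy of a genuine one.
    known, score = closest_known(name)
    if known is not None and score >= threshold:
        return "lookalike"
    return "unknown"


def review(snapshot):
    """Map each (name, path) in a process snapshot to its verdict."""
    return {name: assess(name, path) for name, path in snapshot}


# Constructed snapshot standing in for a Task Manager / Process Explorer listing.
SNAPSHOT = [
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("expl0rer.exe", r"C:\Windows\expl0rer.exe"),
    ("csrss.exe", r"C:\Windows\System32\csrss.exe"),
    ("crss.exe", r"C:\Windows\System32\crss.exe"),
    ("winw0rd.exe", r"C:\Program Files\Microsoft Office\winw0rd.exe"),
    ("svchost.exe", r"C:\Users\Public\svchost.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for name, verdict in review(SNAPSHOT).items():
        print(f"{name:<14} {verdict}")
```

A "lookalike" or "wrong-location" verdict is a prompt to research the file, not proof of infection; names not in the table come back as "unknown" and still need the manual checks the guide describes.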
It is always recommended that any malware or malicious process be removed from your system. The most effective method of doing this is to use antispyware or other security software. This helps to ensure that all components of the infection are fully removed from your computer. While manual removal is often possible, it can take a lot of work within and around the system files and registry of your Operating System. Unless you know your way around these areas of your computer and are confident that you are disabling the proper processes it is best left to automated software instead.
Always ensure that you are disabling the appropriate process. Ending a process that belongs to the Operating System may lead to an inoperable system and the loss of any unsaved work. With that said, however, and bearing in mind the damage that malware can potentially cause, you should remove any processes that are determined to be malicious before they can damage your system or forward your personal information to a third party.
Problems With Legitimate Processes
Even legitimate processes can cause problems. Primarily, this is because files and exe files in particular can become corrupt over time. The installation of other applications, the deletion and addition of files, and other common activities can lead to errors that mean certain exe files become problematic for you and your system.
We mentioned earlier in this guide that Task Manager can be used effectively to view the processes that are running on your computer. It can also be used to display the total resources each process is currently using. Commonly, if you are experiencing problems with a slow running system or software, then the answer can usually be found in the shape of one or more processes that are using up all of the CPU. These are called system resource hogs because they hog your system resources.
System resource hogs may not be dangerous in the sense that malware can steal personal data, but they can cause serious problems with your system and with the software on that system. At the very least they will cause your system to slow down. This, in turn, can cause pagination errors with the Windows Operating System and may result in the seemingly inexplicable closing down of your system and the loss of any unsaved data.
The obvious solution to this problem is to close down any processes that are using a large percentage of your CPU usage. However, in practice, this may not be the best option because you could be closing down an important process that is required for the proper running of the Windows operating system or an application you are currently running on your computer.
Instead you should attempt to find the application that is responsible for the process and see if any updates are available for the software. Download the latest Windows updates as well as any updates that are available for the software concerned. Patches are often included in these updates that can help to resolve many issues that might be causing problems.
Another problem that some users have experienced is that they are unable to close down certain processes that are running on their machine. This problem is not specific to any single application, but it can prevent you from closing your machine down and may even render the application useless until the problem is resolved fully.
This can be a sign that you have been infected with a virus or malware program. You should update your antispyware and antivirus applications and scan your system while in Safe Mode. Resolve any problems that are found and then check whether the process is still resident on your computer. If it is, then you may require the use of a third party process viewing application, because these usually include a feature that ends processes, even those that will not normally close.
Some executable files are required by a number of applications, but in these cases it is common for each program to use the same executable process. This means that your system is not drained through having a number of the same exe files running at the same time unnecessarily. However, there is one executable file in particular that is likely to exist in multiple instances on your system.
The svchost.exe process is a genuine Windows process that, when you first start your computer, will check for services that it needs to load. The services required are grouped together, with each group using its own instance of svchost.exe, hence the multiple versions of the process that may be running on your PC. It is strongly recommended that you do not remove any of these processes unless they are known to be causing any problems and, even then, you should attempt to restart your computer before ending the process.
Below is a list of more than 40 of the most common malware related processes. This is based on how common the associated infection is according to various online sources, including the ParetoLogic spyware center. If you find any of these processes running on your system then it is more than likely that you have been infected and you should attempt to clean your system immediately in order to remove the threat as soon as possible.
arena.exe is the main process for the deletemp3 worm. As the name would suggest, the payload for the deletemp3 worm is to locate and remove any and all mp3 files from the infected computer. It will also disable Task Manager and even the viewing of Explorer, essentially preventing you from being able to delete the process. A registry entry is added in order that it will run whenever you start your computer.
The removal of arena.exe and all other components of this file deleting worm is highly advised. Because of the registry changes that the worm makes, manual deletion can prove difficult. Sufferers are strongly urged to update their security software and use these applications to effectively and safely remove all components of the infection.
bbvorwgry.exe is part of a spam mailer application. Strictly speaking this is a Potentially Unwanted Program (PUP) rather than any form of malware because there are apparently legitimate uses for the application. However, if you have not installed or agreed to any mailing applications being installed on your computer then you are urged to remove this and all other processes belonging to the spam mailer program.
The removal of PUPs is usually done by using the Windows Add or Remove Programs utility. Open the Control Panel on your computer and click the Add or Remove Programs link. Once the list has populated with all the software on your system, look for the spam mailer application and click Remove.
There are several known instances of the command.exe process making it potentially more difficult to advise on the appropriate action to take. If your PC is running Windows 95, 98, or ME, then this process could be genuine because it belongs to the DOS prompt feature within these operating systems. In these cases you should not remove the process unless it is causing problems, even though the process is not believed to be essential to the proper running of your system.
The adtomi advertising program also uses a process named command.exe. Adtomi records certain information about your browsing habits. It then forwards this information back to a remote server, and also serves advertisements on your desktop based on the results.
Command.exe may also be a component of the Buddy Trojan, which is used to enable hackers and third parties to gain back-door access to your system. Using this access they can steal information, delete files, and alter settings. In these last two cases it is strongly advised that you disable the process.
To determine whether the command.exe process on your system is valid or not we recommend using ParetoLogic antispyware software. Download the latest updates and then perform a full scan of your system. This will identify any infections currently resident on your computer and will offer a means to remedy the problem.
crss.exe is the running process for the Agobot worm. Like many worms, Agobot spreads via email. The email will typically include an alluring or appealing subject line in the hope that you will open the attachment. The attachment includes an SMTP engine so that the worm can then harvest email addresses from your computer and forward a copy of itself to all of these email addresses.
Potentially, the Agobot worm can be used to access your system and retrieve highly personal data from your computer. As such, it is considered a security risk and needs to be acted on immediately. Download the latest updates to your security software, scan, and remove any infections that are found.
This file name is an attempt to copy the genuine csrss.exe (note the extra s in the valid process name). This is done in the hope that you will not disable or end the process, believing that it is the genuine Windows operating system process.
dc.exe is a process that belongs to a downloader worm. This worm typically spreads via chat rooms and chat applications and, once it has infected your computer, it will then attempt to download further applications and pieces of code to your computer. This is a security risk because it can lead to a number of other malware applications downloading onto your system that can, in turn, cause more damage.
The most effective way to prevent downloaders from being able to contact remote servers and downloading more files is to use a firewall. A firewall blocks all unwanted Internet traffic, both incoming and outgoing, making it impossible for applications like downloaders to deliver their payload effectively. In order to remove the downloader itself, though, you will require either antispyware or antivirus software.
dfe1.exe is an active process belonging to an application called WinFixer. This PUP is considered to be rogue security software. WinFixer can install covertly on your machine without warning and without requiring consent. It will then claim to scan your system and display a list of false positives. It will encourage, or pester, the user to purchase the software in order to clean the files that it has found.
Also known as Error Safe, this application can usually be removed easily from infected computers simply by using the Windows Add or Remove Programs utility. It is recommended that users remove this program from their computer as soon as possible in order to prevent any further infection and to ensure that they do not accidentally or inadvertently click to purchase the product.
EastAV.exe is a process belonging to a mass mailer worm. Once installed on an infected computer the worm will search for email addresses throughout the system and then send a copy of itself to all the email addresses it finds. The best way to avoid being infected with this kind of worm is to be vigilant when opening suspicious-looking emails and always ensure that your security software is up to date and enabled to run.
As with many applications of this type, EastAV.exe is set to run on startup thanks to the addition of a registry entry. The worm is also used to perform denial of service attacks against a number of different websites. If you discover that you have been infected and the EastAV.exe file is on your system then you should use updated security software to scan your computer and remove any infections that it finds. Disabling the EastAV.exe process will only stop the worm until you next restart your computer.
This process is added by a Trojan that uses a similar name to a genuine process in the hope that you will not disable it. The genuine process name is explorer.exe, which should not be removed. However, this version that uses a numerical 0 in place of an alphabetical o should be disabled and you should attempt to remove the Trojan before it can do its damage to your computer.
As with all Trojans, expl0rer.exe is downloaded onto your computer in disguise. It will have either come packaged with another application, or you will have downloaded it having been led to believe it was a genuine and useful application. This downloader Trojan will first install itself in the registry of your computer, making it difficult to locate and ensuring that it runs whenever you start your computer, and it will then attempt to download further code from the Internet onto your computer. Removal using antispyware or antivirus software is strongly recommended.
The fontview.exe process belongs to a remote access Trojan and once installed on your system it can cause serious damage to you and your computer. Remote access Trojans enable hackers to gain access to your computer, and with this access they can then steal usernames, passwords, and personal information. This includes but is not at all limited to bank account details, personal details, and log on details for financial websites.
As well as providing access to third parties, the fontview.exe Trojan can cause a system failure by removing or irreparably damaging the CMOS of your computer. Install the latest updates for your ParetoLogic security software and perform a deep scan to find any threats that have installed on your computer.
This process belongs to a hijacker worm, commonly known as the Vispat worm. Propagating by email, it infects a user's computer once they click to open the harmful attachment. Once infected, it will then hijack the browser home page and even lower the security settings in Internet Explorer. It is not uncommon for this worm to be accompanied by other threats, often downloaded by a downloader infection.
Infected users are strongly urged to remove this from their system by using antivirus software. By doing so, it is possible to determine whether any other infections are resident on the system. If they are then the software can be used to remove all potentially harmful programs and help restore the system to a fully working and secure state.
The Israz mass mailing worm drops a copy of the fun.exe file and process on infected computers. This mass mailing worm, once installed, will send a copy of itself to all contacts found in your Windows contact book. Though relatively harmless to the individual infected computer, it can cause problems with email servers, and potentially slow your system or make your Internet connection basically useless. Recipients may also become distressed about receiving infected messages from you, which could cause problems with any business contacts you might have.
Initially, this mass mailer is spread through the KaZaA file sharing network and, once it has infected a computer, it will download a copy of itself into the KaZaA downloads folder as well as emailing itself to all of your contacts. There are some minor browser hijacking elements to the worm as well, because it will redirect all .url files to point to specific pages.
If you have a copy of the FVProtect.exe file in your Windows folder and an active process with the same name then you have been infected with the Netsky.P worm. The Netsky family of worms is one of the longest running families and each reincarnation includes something new to be avoided or a new method of evading detection by security software. Netsky.P is a mass mailing worm spread by email as an attachment and also through a number of the more popular file sharing networks.
Once installed, it will locate the download folders for any file sharing networks you use and then copy itself into these folders using an alluring name. Other users of the file sharing network will then see this file and download it believing it to be a genuine file. Once they download and open it, though, they will also become infected. Removal is considered easy using antivirus software with the latest download of the definitions database.
hidn2.exe is installed by a mass mailing worm that also uses a rootkit in a bid to remain undetected on your computer. As such, it can be very difficult to locate and remove manually, with preference being given to the use of automated security software. The worm is spread by email, and once installed it uses its own SMTP engine to further propagate to email addresses it can find on your system. As well as emailing itself to your contacts, this mass mailer will also attempt to lower the security settings on your PC leaving you open to further infection from other online threats.
The file can be found in its own folder, usually named hidn and found in the Application Data subfolder of your system folder. On installation a registry entry is also added so that the worm runs whenever you start your computer. Users that have been infected with this worm and have hidn2.exe running on their system should use antispyware or antivirus software in order to treat the infection properly and quickly.
As part of the BagleDL Trojan, hldrrr.exe is an active process that is set to run whenever you start your computer. This is done by the addition of a registry entry, meaning that the hldrrr.exe process is always running on your PC. It also means that manually ending the process will only work until you next turn on your computer, when the autostart registry entry will once again start the process running.
As well as installing within the registry and potentially slowing down your system, this Trojan can be used to download further code and applications over the Internet. In doing so it poses even further risk to your computer, because it will typically be used to automatically download malware and viruses. Antispyware software should be used to locate all components of the BagleDL Trojan and users should remove the threat as soon as they find it.
The internt.exe name is used by at least two separate malware programs as a process name and file name. The name is designed to resemble the word Internet in the hope that users will be less likely to want to disable the process from running on their machine. As with virtually all malware, the process is set to run on startup so that it runs as soon as you log on to your computer. Ending the process will only work until you next start the computer, because the registry entry will still exist and the process will simply be restarted.
The Peeper Trojan is one of the malware applications that is known to use the internt.exe process. This Trojan provides hackers with backdoor access to your system, enabling them to delete and edit files and settings, and remove personal information that you have stored on your computer. The Carufax Trojan, another threat that uses this process, works in a similar manner to provide the same kind of access. These threats are detected by most antivirus and antispyware packages, and can be removed quickly and safely using this software.
isass.exe is a process that is most commonly dropped by the Optix Pro Trojan. This Trojan is particularly dangerous and often effective because it combines backdoor access for hackers with the ability to disable firewalls and other security software applications. In order to disable the security software on an infected computer it looks for the registry entries that start your antivirus, antispyware, and firewall applications and then removes these so that you do not receive the live protection that you require.
The Optix Pro Trojan is one in a relatively long line of Optix Trojans, and many have these same functions. If you believe that you have become infected, either through a manual scan of your system or because you notice the isass.exe process running on your system, then you should manually use your installed security software to remove this threat immediately. A backdoor for hackers is a very dangerous program that enables third parties to gain access to your files, folders, system settings, and personal information.
jammer2nd.exe is the main active process for the Netsky-Z worm. As well as being a mass mailer worm, Netsky-Z also offers a backdoor so that third parties can upload further code to your machine. Specifically, and especially for those with firewall protection, Netsky-Z uses port 665 to listen for communication from a remote server. Over this connection, it is possible for the worm to download further code to your computer.
Netsky-Z installs the jammer2nd.exe file within the Windows directory of your computer. A registry entry is also added in order that the process is run whenever you start your computer. Manually disabling the process through Task Manager or a third party process viewer will only solve the problem until you next restart your computer, when the registry entry will once again call the process to run.
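Several of the entries above (EastAV.exe, hldrrr.exe, internt.exe, jammer2nd.exe) make the same point: the process comes back after a reboot because a Run key in the registry restarts it, so the autostart entry has to be found, not just the process. The following is an added example, not code from the original article, showing how to triage the Run keys from a registry export (the `.reg` format that regedit's Export function produces). The export text, its value names and its paths are constructed for illustration and are not real indicators; the folder list it flags is a heuristic, not a verdict.

```python
"""Triage Run-key autostart entries from a registry export.

Added example; not code from the original article. REG_EXPORT is a constructed
.reg file in the format regedit produces; the value names and paths in it are
illustrative, not real indicators.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed export of the two per-machine and per-user Run keys.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAgent"="C:\\Program Files\\Example\\agent.exe"
"hidn2"="C:\\Windows\\Application Data\\hidn\\hidn2.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"update"="\"C:\\Windows\\Temp\\update.exe\" /quiet"
'''

# "name"="data" lines; both sides may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# First token ending in .exe, quoted or not, ignoring trailing switches.
IMAGE_RE = re.compile(r'^"?(.*?\.exe)"?', re.IGNORECASE)
# Folders that legitimate autostart programs rarely run from (heuristic).
RISKY_DIRS = {"temp", "tmp", "application data", "appdata", "local settings"}


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash makes the next character literal."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_run_keys(reg_text: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, image path) for every value under a Run key."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(r"\run"):
            continue
        name, data = _unescape(m.group(1)), _unescape(m.group(2))
        img = IMAGE_RE.match(data)
        if img:
            entries.append((key, name, img.group(1)))
    return entries


def suspicious_autoruns(reg_text: str) -> list[tuple[str, str, str, str]]:
    """Entries whose image lives in a temp or profile-data folder, with the
    folder name(s) that triggered the flag."""
    flagged = []
    for key, name, image in parse_run_keys(reg_text):
        parts = [p.lower() for p in PureWindowsPath(image).parent.parts]
        hits = [p for p in parts if p in RISKY_DIRS]
        if hits:
            flagged.append((key, name, image, ", ".join(hits)))
    return flagged


if __name__ == "__main__":
    for key, name, image, why in suspicious_autoruns(REG_EXPORT):
        print(f"{key}\n    {name} -> {image}   [{why}]")
```

The flagged list is a review queue: the article's own advice still applies, which is to let updated security software remove the file and its registry entries together, because deleting the value while the file remains (or the reverse) leaves the infection half in place.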
As a component of the Crutle-B worm, the msfck.exe file shows that your computer has been infected and attention to the problem is needed right away to prevent damage to your system. Worms typically spread by email, chat, or file sharing programs. Crutle-B specifically uses the popular KaZaA file sharing network in order to propagate to as many computers as possible.
Once your computer is infected, the Crutle-B worm will create a folder and add a number of infected files with appealing names. These files are then set to be shared within the KaZaA file sharing client, in the hope that other users will attempt to download the infected files. This is the only payload that the Crutle-B worm is designed to deliver. With no malicious payload it may be tempting to leave this threat, but users are advised against doing this and should use their antispyware or antivirus software in order to remove it.
mswin32.exe is just one possible file name that is used by the Spybot worm. Because the worm installs itself on your system as a service process, it is impossible to close the program through the Windows Close Program function in Windows 95, 98, and ME. Once installed and once it has added registry entries to ensure that the worm starts every time you log on to your computer, it will then create a folder named kazaabackupfiles and ensure that this folder is shared through the KaZaA file sharing network. This is how the worm propagates to other users' computers.
The Spybot worm, using the mswin32.exe process, will then open an Internet chat channel through a remote server. This provides a third party with the capability to execute files, browse your system, steal personal information, and retrieve system information, as well as perform attacks on other computers and networks. This is definitely an undesirable program and one that should be removed as soon as possible.
The ntos.exe process is the main process for a virus called ntos, also referred to as InfoStealer. It is spread as an attachment within a spoof email claiming to be from a Dutch bank. This email provides an attachment that supposedly should be opened to gain further information. On opening the attachment the following will happen. It will check for the existence of certain firewall applications on your system, and collect certain items of information regarding your operating system: whether you have the latest service packs downloaded and installed from Windows, and what language setting your system uses.
The size of the ntos.exe file will differ because, as part of its delivery procedure, it will add or remove information from the main file in order that it is a different size in different instances. It then creates a folder that is protected and hidden, and saves the information it has collected about your computer, and the configuration data of the Trojan itself. After adding registry entries so that the ntos.exe process is run whenever you start Windows, it will then add code of a malicious nature to winlogon.exe and svchost.exe that will be running on your computer. It also adds further registry entries to prevent the deletion of the main process and other associated registry entries.
Cookies will be deleted from Internet Explorer so that infected users will need to enter their passwords and usernames again on banking and other financial sites. After stealing saved passwords and storing details regarding the passwords as well as stealing other personal data it will then attempt to gain control of your network and forward this information back to a remote server.
This is a particularly malicious and potentially dangerous threat. The author has gone to great extremes to make it nearly impossible to detect and, even once detected, difficult to remove from infected computers. Fortunately, since its release at the end of 2006 most antivirus and antispyware applications, including XoftSpy from ParetoLogic, have details of this Trojan's signature and, as such, have the ability to prevent it from being installed or remove it if it has already been installed.
The IRCBot, also known as Agent.aox, is an IRC virus. This means that it is usually spread using Internet Chat channels on your computer. Once installed on your computer, it can open a chat channel to a remote server and download further code to your computer giving it the potential to lead to a huge variety of different problems and infections. As such, its immediate removal is strongly recommended, in order to prevent any other threats from being downloaded and to prevent hackers or other unauthorized third parties from gaining access to your system and the information you have on that system.
By using the most effective antispyware software, such as ParetoLogic AntiSpyware, you can be assured that you catch all potential threats, even those that install within the registry of your computer. Once a threat is installed in the registry it is much more difficult to detect and remove so extra care should be taken to prevent applications behaving in this way.
We strongly urge users to think twice before installing any form of spyware or scumware. Optimize.exe will hijack search and home pages and store certain information about your browsing habits. Also be aware that another version of optimize.exe is a premium rate dialer that will connect to the Internet using a premium rate adult content phone number and remain connected, often without your knowledge or consent. Removal, in either case, is strongly advised.
Pmmon.exe and pmsngr.exe
If you have the pmmon.exe or the pmsngr.exe process running on your computer then you have more than likely contracted the Media-Codec.Process Trojan. A Trojan is a program that claims to have a valid purpose, but typically does very little except harm your computer in some way. Different Trojans operate in different ways and have different methods of propagating and different payloads.
Because pmmon.exe is a part of a Trojan it is strongly recommended that you remove this process and all other components of the Media-Codec.Process Trojan. Some Trojans have the capability of downloading more malicious or harmful code to your computer so there is a very real chance that this Trojan and process are not traveling alone. By using antispyware software to scan your system and clean infected files you can be sure that you have removed all of the threats that currently reside on your computer.
The Peeper Trojan adds progmon.exe as its main active process and, as such, this is an undesirable process to have running on your PC in the same vein that the Peeper Trojan is an undesirable application to have running on your PC. The Peeper Trojan is predominantly a backdoor Trojan. A backdoor Trojan literally gives a degree of access to your system that a hacker can exploit to his or her own ends.
This is considered a high risk application because a hacker that gains access to your computer could potentially steal personal information, browse and edit your system and security settings, and essentially take control of your PC. We strongly urge any user that has been infected with the Peeper Trojan and therefore has progmon.exe running as an active process to use antispyware software to fully and cleanly remove it.
rundll16.exe is an active process that belongs to the Domwis Trojan. A Trojan is installed on your system often under the misguided belief that it is a genuine application with a useful purpose. However, once installed it will attempt to perform malicious actions on your computer. In the case of the Domwis Trojan, which is known as a backdoor Trojan, it presents the author or distributor of the software with a means to gain access to your system.
The Domwis Trojan is, in comparison to other backdoor applications, relatively primitive but that doesn't mean that it is harmless. Rather than giving complete access to a hacker, Domwis is able to delete, open, or download files and code from a remote server. Of course, this does mean that it can be used to download further malicious code to your system, which can in turn perpetrate more harmful actions.
The Domwis Trojan should be removed immediately to prevent further infection of your computer but because it has the capacity to download more threats to your computer it is strongly advised that it be removed automatically using antispyware software rather than manually. Manual deletion can prove difficult, anyway, because the Trojan adds several registry entries to ensure that it is run whenever you start your PC.
There are two known cases of the scanregw.exe process being installed on computers. One is a genuine and essential process that belongs to the Windows Operating System while the other is a malicious application that needs removing. The malware application uses the same name as a genuine process in order that you are less likely to end the active process.
Scanregw.exe, as part of the Windows Operating System, runs whenever you start your PC. On execution it will check the registry to determine if any errors can be found. If errors are found then they are reported to the user, who is also prompted to restart Windows at the last known good configuration. If this process is disabled and the file removed then an infected computer will not be subject to this check.
The Stator worm also uses an active process that goes by the name of scanregw.exe in order to dupe the user into leaving the process running and the file in place. The Stator worm propagates via email and is a mass mailing worm. Once installed on your computer, the worm will then rename certain programs and files within your system in order that it can effectively spread.
The scvhost.exe process is a prime example of malicious applications using close imitations of genuine process names in an attempt to remain undetected on your system. The genuine process name, in this case, is svchost.exe, of which there may be several running on your system at any time. As part of the Agobot worm, this process is partially responsible for opening backdoor access to your system from where third party hackers can control your system, steal personal information, and perform other undesirable and damaging actions.
The Agobot worm is potentially dangerous to have installed on your system and, as such, it is important that you download the latest updates to your antispyware software and run a full system scan. Ideally you should always have the proactive protection that good antispyware offers enabled. This may prevent the installing of applications like Agobot in the first place.
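The crss.exe, expl0rer.exe, isass.exe and scvhost.exe entries all rely on the same trick: a name one character away from, or a digit-for-letter swap of, a genuine Windows process. The check below is an added example, not code from the original article, that flags such names automatically in a process listing. It catches two patterns: a single insertion, deletion, substitution or adjacent transposition (crss vs csrss, scvhost vs svchost), and homoglyph substitution (0 for o, i or 1 for l, 5 for s). The allow-list of genuine names and the sample process list are constructed for illustration; a real baseline would carry the full set of system processes for the Windows version in use.

```python
"""Flag process names that imitate genuine Windows process names.

Added example; not code from the original article. GENUINE is a short,
constructed allow-list, not a complete inventory of Windows processes.
"""
from __future__ import annotations

# Constructed baseline of genuine process names (assumption: the reader keeps a
# fuller list for their own Windows version).
GENUINE = {"csrss.exe", "svchost.exe", "lsass.exe", "explorer.exe",
           "winlogon.exe", "services.exe"}

# Character swaps used to fake a familiar name: digit 0 for letter o,
# digit 1 or letter i for letter l, digit 5 for letter s.
NORMALIZE = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s"})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: counts single-character insertions,
    deletions, substitutions and adjacent transpositions, so that
    crss/csrss = 1 and scvhost/svchost = 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(name: str) -> str | None:
    """Return why `name` looks like an imitation, or None if it is either a
    known-genuine name or not close to one."""
    lowered = name.lower()
    if lowered in GENUINE:
        return None
    stem = lowered[:-4] if lowered.endswith(".exe") else lowered
    for good in sorted(GENUINE):
        good_stem = good[:-4]
        if stem.translate(NORMALIZE) == good_stem.translate(NORMALIZE):
            return f"homoglyph imitation of {good}"
        if osa_distance(stem, good_stem) == 1:
            return f"one edit away from {good}"
    return None


def triage(process_names: list[str]) -> dict[str, str]:
    """Map each suspicious name in a process listing to the reason it was flagged."""
    return {n: reason for n in process_names if (reason := classify(n))}


# Constructed sample process list: genuine names mixed with the imitations the
# article describes.
SAMPLE_PROCESSES = ["csrss.exe", "crss.exe", "svchost.exe", "scvhost.exe",
                    "expl0rer.exe", "isass.exe", "notepad.exe"]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_PROCESSES).items():
        print(f"{name:14} {why}")
```

A hit means "look closer", not "malware": the article's advice to research the process and confirm with a scan still applies, and the check says nothing about an impostor that reuses a genuine name exactly, which is what the location check for userinit.exe later in this article is for.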
The Imcontactspam worm is quite unique in its method of propagation. It is included within a fake e-card that is forwarded to users via email. When the e-card is opened, the worm is installed on the computer so that it can begin to deliver its payload. Once installed it will locate all MSN messenger contacts on your system and forward itself to those contacts.
The email includes a fake link that is allegedly to download the latest Adobe software, but in fact installs the worm on to the system of the recipient, where it will once again begin this process to garner yet more victims. Removal using antispyware is strongly recommended.
There are two possible reasons for having the startdrv.exe process installed on your computer. One is a genuine and useful file published by Microsoft while the other belongs to a Trojan Downloader that is entirely undesirable and needs removing from your system as soon as possible.
While startdrv.exe is not a necessary Windows core file, it is included in many Compaq systems and is designed to run on startup. This genuine file is usually located within the Program Files of your computer and is safe to leave running unless it is known to be causing problems on your computer.
If the startdrv.exe file is located in the temp folder of your computer, or any folder other than the Program Files folder then it is likely a part of a Downloader. Downloaders are used to communicate with remote servers, and download and install malicious code and applications. Use antispyware to rid your system of this infection.
This process is part of the CoiDung worm that spreads through chat programs onto Windows based computers. After installing itself on your computer, it will establish a registry entry that means it will run every time you start the Windows operating system and it will then proceed to download malicious code and applications from the Internet on to your computer. This is an undesirable application and needs to be removed from your system quickly in order to prevent further infection. It is recommended that you do this using antispyware in order to check that no further malware or other malicious code was installed on your computer.
Taskbar.exe is known to be used by two programs. While neither is essential to the proper running of your system, one is a genuine file that can safely be left to run on your computer in the majority of cases. The other, however, is the Frethem.L virus, which is definitely an undesirable application to have running on your system.
Sapphire graphics card users will probably find that taskbar.exe is a part of the Redline RegTweak software that is included with many of these graphics cards. While this is not an essential Windows component, it is a safe process to have running on your system.
The other known case of the taskbar.exe process is as part of the Frethem.L worm. This self replicating virus spreads by collecting emails from popular email clients installed on infected computers and then forwarding itself as an attachment to those email addresses. The Frethem.L worm does not have any other malicious payload and exists only to propagate from one machine to another.
Update.exe is one of the most common process names going. It has its genuine uses as well as its undesirable uses and determining whether or not you have a genuine instance of the file and process on your computer will help you to determine whether or not you should leave the process to run.
Spyware Doctor uses a process called update.exe when it is looking for updates for its software and database. In this case, the file should be left in order that the Spyware Doctor software can continue to run effectively on your computer. Spyware Doctor is an Internet security program designed to protect users against Internet borne spyware threats.
The exedrop downloader also uses a process with the name update.exe. This malware has no purpose other than to download further malicious code to your system, providing further threats that you should attempt to avoid at all costs. In this case, update.exe is a highly undesirable process to have running on your system.
Run your antispyware application in order to determine whether your copy of update.exe is the genuine, useful one or whether it belongs to the exedrop downloader described above. If your antispyware software finds any infections then clean or remove the files that it lists.
There are two possible versions of updater.exe that you might have running on your computer. Both are undesirable malware applications that should be removed from your system in order to ensure the integrity of your information, your system, and your computer.
Updater.exe may be a component of the Agobot worm, which is a self propagating worm that spreads via email attachment from an infected computer to other computers. It is primarily a backdoor application, so it grants access to your computer via a backdoor that hackers can use to steal information, alter settings, and much more.
Yet another version of updater.exe is known to collect certain pieces of information about your browsing habits in order to forward it back to a remote server for advertising purposes. Both these instances of updater.exe should be protected against and, if your system has already been infected, then you should use antispyware software in order to clean the infection.
Depending on the location of the userinit.exe file, you may have been infected with the Coban2k Trojan. However, userinit.exe is also a genuine and critical component of the Windows Operating System. Determining where the file associated with this process is located will help determine whether you have been infected or not.
The genuine version of userinit.exe that belongs to the Windows Operating System can be found in the system32 folder of your computer and this file and process should be left on your system to run as and when it needs to. However, if you have a version of userinit.exe that is located within the Windows folder, then this is the malicious version attempting to pass itself off as the genuine one and it should be removed using antispyware software.
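The userinit.exe and startdrv.exe entries both turn on where the file lives rather than what it is called. The following is an added example, not code from the original article, that encodes those two location rules and applies them to a constructed process listing of (name, image path) pairs. The rule table is built from the article's descriptions only (userinit.exe under system32, the Compaq startdrv.exe under Program Files) and the VendorTools subfolder in the sample is a placeholder.

```python
"""Check whether a dual-use process name is running from its expected folder.

Added example; not code from the original article. EXPECTED_ROOT and the
sample rows are constructed from the article's descriptions and are not a
complete rule set.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Where the genuine copy of each name lives, per the article: userinit.exe in
# system32, the Compaq startdrv.exe somewhere under Program Files. Anything
# else (the Windows folder itself, a temp folder) is the impostor.
EXPECTED_ROOT = {
    "userinit.exe": r"C:\Windows\System32",
    "startdrv.exe": r"C:\Program Files",
}


def is_under(image_path: str, root: str) -> bool:
    """True if image_path's directory is root or a subfolder of it.
    The comparison is case-insensitive, as Windows paths are."""
    parent = [p.lower() for p in PureWindowsPath(image_path).parent.parts]
    wanted = [p.lower() for p in PureWindowsPath(root).parts]
    return parent[:len(wanted)] == wanted


def check_location(name: str, image_path: str) -> str:
    """Verdict for one process: expected, unexpected, or no rule for this name."""
    root = EXPECTED_ROOT.get(name.lower())
    if root is None:
        return "no location rule"
    if is_under(image_path, root):
        return "expected location"
    return f"unexpected location (genuine copy lives under {root})"


def misplaced(rows: list[tuple[str, str]]) -> list[str]:
    """Return the image paths whose location contradicts the rule for that name."""
    return [path for name, path in rows
            if check_location(name, path).startswith("unexpected")]


# Constructed process listing: (process name, full path of the running image).
# "VendorTools" is a placeholder subfolder, not a real product directory.
SAMPLE_ROWS = [
    ("userinit.exe", r"C:\Windows\System32\userinit.exe"),
    ("userinit.exe", r"C:\WINDOWS\userinit.exe"),
    ("startdrv.exe", r"C:\Program Files\VendorTools\startdrv.exe"),
    ("startdrv.exe", r"C:\Windows\Temp\startdrv.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for name, path in SAMPLE_ROWS:
        print(f"{path:48} {check_location(name, path)}")
```

Location is a necessary condition, not a sufficient one: a dropper that writes into system32 passes this check, so the right-place result should be backed by the scan the article recommends, or by a signature or hash comparison against a known-good copy, before the file is trusted.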
This process belongs to an adware application known as WinFixer. This program is found on many different systems and under several different guises but if the uwfx5.exe process is running on your system then you have been infected. This process monitors your browsing habits and Internet activity and then reports this information back to a remote server. It will also display popup advertisements on your desktop that are related to the type of sites that you have visited. It is advised that you remove this application using antispyware software to ensure that you get all components and remove them cleanly and properly.
This process belongs to the Spam Mailer application. This Potentially Unwanted Program, or PUP for short, may have its genuine uses but if you have not agreed to its installation onto your system then you should attempt to remove it to prevent your system from being used to send spam email. If you are believed to be sending spam then you may find that your emails fail to be delivered, even to genuine contacts, because your IP address has been listed as a known source of spam.
Spam Mailer is sometimes installed as a prerequisite for using free or discount software and, in this case, the removal of the Spam Mailer will mean that you will also need to stop using and uninstall this other software from your system. However, we do recommend that unless you have a genuine use for the Spam Mailer application that you remove it from your system.
wfdmgr.exe is a process that is known to belong to the Mytob-C backdoor worm. As a worm it propagates automatically using its own SMTP server. It collects email addresses from your system and then sends itself as an attachment to the contacts that it found while scouring your system. Because Mytob-C is also a backdoor application it can be used to give hackers and other unauthorized third parties access to your computer, in order that they can steal personal information, alter system settings, and much more. Use antispyware to remove this application and all of its components from your computer.
win.exe is an extremely popular process name with malware creators and authors, it would seem. Having a process named win.exe running on your system means that you may have been infected by any of the Myfip.AB worm, SDBot.AK worm, SDBot.QI worm, DelfLC Trojan, PODrop-C Trojan, Rbot-FTO worm, or the Dloader-AP Trojan.
Between these programs it is possible that hackers may have backdoor access to your system, more spyware and other malware could be downloaded to your computer, and further infections could be installed without your knowledge. It is also possible that personal information could be stored and forwarded to a remote server. If you have been infected by any of the worm viruses mentioned then it is likely that other people that feature within your contacts address book will also be infected with the same virus, worm, or Trojan. Immediate removal using antispyware software is highly recommended.
A process named win32.exe on your PC may mean an infection by either the Startpage Trojan or the Ratega virus. There may be other programs that use this file name, some of them possibly genuine, but most will be spyware or another form of malware that needs immediate action.
The Startpage Trojan is a browser hijacker: it changes your home page without your consent and makes it very difficult to change it back or to set a new one. Ratega is also a Trojan, but this one opens a backdoor so that attackers or automated scripts can get into your system, steal personal information, alter settings, and add or delete files and applications.
Run an antispyware scan of your entire system, including the Windows registry, to find every infection. The registry matters because the autostart entries there are what let these and other Trojans restart the next time you turn your computer on; scanning it as well stops them from coming back. ParetoLogic antispyware includes a deep scan that covers the system folders and the Windows registry, so that every place an infection can hide is checked and cleaned.
WinAVX.exe is part of a relatively new threat known as Dropper Payload. Some antispyware products may not yet have the definitions or signatures needed to detect and clean the infected files, but this is a malicious program that needs to be removed as soon as possible. The winavx.exe process first adds registry entries so that it starts whenever you boot your PC, and then modifies the hosts file, alters various browser settings, and changes your home page.
ParetoLogic AntiSpyware draws on one of the largest signature and definition databases in the industry. It is constantly updated with the latest threats, such as winavx.exe, and gives users an effective way to eliminate threats as soon as they are discovered on an infected computer.
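The two persistence points mentioned above, the Run keys in the registry and the hosts file, can be inspected by hand before or after an antispyware scan. The PowerShell script below is an added example written for this article; it is not code from the original page or from any product named here. It lists every autostart entry under the standard Run and RunOnce keys, resolves each entry to its image file, checks whether that file exists and carries a valid Authenticode signature, and then prints every active (non-comment) line of the hosts file. The choice of registry keys and the "suspicious" heuristic are assumptions; a clean default Windows hosts file contains only comment lines, so every active line the script prints deserves a look.

```powershell
# Added example (not from the original article): enumerate autostart entries
# and hosts-file overrides, the two persistence mechanisms described above.
# Assumption: the standard Run/RunOnce keys are enough for a first look;
# services, scheduled tasks and other autostart locations are out of scope here.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every Get-ItemProperty result
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable out of a command line such as
#   "C:\Program Files\App\app.exe" /silent   or   C:\Temp\x.exe -k
function Get-ImagePath([string]$CommandLine) {
    $image = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] } else { ($CommandLine.Trim() -split '\s+')[0] }
    $image = [Environment]::ExpandEnvironmentVariables($image)
    # A bare name such as rundll32.exe is looked up on the PATH
    if (-not [IO.Path]::IsPathRooted($image)) {
        $found = Get-Command -Name $image -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { $image = $found.Source }
    }
    return $image
}

function Get-RunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $image  = Get-ImagePath ([string]$prop.Value)
            $exists = Test-Path -LiteralPath $image -PathType Leaf
            $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'Missing' }
            # Heuristic (assumption): an autostart image that is missing, unsigned,
            # or living under the user profile or a temp folder is worth a closer
            # look. It is a prompt to investigate, not proof of infection.
            $inUserDir = ($image -like "$env:USERPROFILE\*") -or ($image -like "$env:TEMP\*")
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Image      = $image
                Signature  = $status
                Suspicious = (-not $exists) -or ($status -ne 'Valid') -or $inUserDir
            }
        }
    }
}

function Get-HostsOverrides {
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content -LiteralPath $hostsPath) {
        $text = ($line -split '#')[0].Trim()      # strip comments
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        [pscustomobject]@{
            Address = $parts[0]
            Names   = ($parts | Select-Object -Skip 1) -join ' '
        }
    }
}

Get-RunEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-HostsOverrides | Format-Table -AutoSize
```

Run it from an elevated prompt so that the HKLM keys and the hosts file are readable. A hosts entry that points a security vendor's or update server's host name at 127.0.0.1 is the classic sign of the kind of tampering described for winavx.exe; a signed autostart entry under Program Files is usually benign, while an unsigned one under a temp folder is the first thing to research.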
Windows uses a process called winlogon.exe to manage logging users on and off. When the winlogon.exe file is found in the System32 folder (%SystemRoot%\System32) it is a genuine process that the operating system requires.
However, if you have an instance of winlogon.exe that runs from anywhere other than that folder, the likelihood is that you have picked up one of the many Trojans and other malicious applications that borrow this process name. We strongly urge you to run a spyware scan of your system to determine whether the winlogon.exe process on your computer is genuine.
The winsit.exe process belongs to the CoiDung worm. This worm is predominantly a downloader and can pull further malware and other threats onto your computer, so it is important to run antispyware software to detect and remove it as soon as possible. Doing so should prevent further infection, and using antispyware rather than attempting a manual removal ensures that anything the worm has already downloaded is cleaned up as well.
This process is a mass-mailing worm that tries to fool users into believing it is related to the popular file compression utility WinZip. Once installed it creates a registry entry so that it starts whenever you boot your computer, then propagates by collecting email addresses from your system and using its own SMTP engine to send itself to each of them.
Removal using antispyware software is strongly recommended. Using antispyware like XoftSpy that performs a deep scan of your registry and system folders can ensure that you remove all traces of this unwanted application from your system.
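Every mass-mailing worm described on this page (Mytob-C, the WinZip impostor above, and Sober.X later on) shares one observable trait: an ordinary-looking program on the machine opens outbound connections to mail servers on TCP port 25, and to many different hosts at once, because it delivers itself directly rather than through your mail provider. The PowerShell script below is an added example for this article, not code from the original page. It lists established connections to mail ports grouped by the owning process, counts the distinct remote hosts per process, and flags anything that is not in a short list of expected mail clients. Get-NetTCPConnection requires Windows 8 or Server 2012 or later; the port list, the expected-client list and the host-count threshold are assumptions.

```powershell
# Added example (not from the original article): find processes talking to
# mail servers. A worm with its own SMTP engine connects to port 25 on many
# different hosts; a real mail client talks to one or two servers.
# Assumptions: ports 25/465/587 cover the relevant traffic, and the names in
# $ExpectedMailClients are the only programs that should be doing this.
$MailPorts           = 25, 465, 587
$ExpectedMailClients = 'outlook.exe', 'thunderbird.exe'
$ManyHostsThreshold  = 3   # distinct remote hosts before a process is called a mailer

function Get-MailTalkers {
    # Index running processes by PID so each connection can be named.
    $byPid = @{}
    foreach ($p in Get-CimInstance Win32_Process) { $byPid[[int]$p.ProcessId] = $p }

    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
             Where-Object { $MailPorts -contains $_.RemotePort }

    foreach ($group in ($conns | Group-Object -Property OwningProcess)) {
        $ownerPid = [int]$group.Name
        $proc     = $byPid[$ownerPid]
        $name     = if ($proc) { $proc.Name.ToLowerInvariant() } else { '<exited>' }
        $hosts    = @($group.Group | ForEach-Object { $_.RemoteAddress } | Sort-Object -Unique)
        $verdict  = if ($ExpectedMailClients -contains $name) { 'expected mail client' }
                    elseif ($hosts.Count -ge $ManyHostsThreshold) { 'LIKELY MASS MAILER' }
                    else { 'unexpected, investigate' }
        [pscustomobject]@{
            PID         = $ownerPid
            Process     = $name
            Path        = if ($proc) { $proc.ExecutablePath } else { $null }
            RemoteHosts = $hosts.Count
            Sample      = ($hosts | Select-Object -First 3) -join ', '
            Verdict     = $verdict
        }
    }
}

Get-MailTalkers | Sort-Object RemoteHosts -Descending | Format-Table -AutoSize
```

Run it while the machine is idle and no mail client is open: anything that still shows up is either a legitimate background mailer you recognise or the process to hand to your antispyware tool. The process path is included because the worms on this page hide behind familiar names, so the location tells you more than the name does.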
Above we discussed processes belonging to some of the more potent threats that can reach your machine from the Internet. Below is a list of some of the more common Windows executable processes that, in most cases, should be left running so that your system keeps performing properly. Remember, however, that some malicious applications use similar or even identical process names in order to remain undetected and resident on your system. Take extra care before attempting to remove any process that may be a critical component of the Windows operating system.
The Session Manager Subsystem, smss.exe, handles the sessions on your computer and is a critical component of the Windows operating system. The genuine version of this process must not be disabled, because that will stop your system from operating properly.
smss.exe is also known as a component of a backdoor Trojan that can give an attacker access to your system and to your personal information. The genuine file lives in the System32 folder. To determine whether you are running the genuine process or the Trojan, use ParetoLogic AntiSpyware to scan your system for potential threats.
csrss.exe is another process that could be either an essential Windows component or a backdoor Trojan. The genuine Windows component is the Client/Server Runtime Subsystem, the user-mode side of the Win32 subsystem; among other things it handles console windows and part of the bookkeeping for creating and shutting down processes and threads. It is required for a Windows system to run and should be left alone.
It is also possible that csrss.exe is part of a backdoor Trojan used to steal information, alter system settings, install more malicious code, and more. Run an antispyware scan to determine which version is running on your computer.
The genuine services.exe process always runs from the System32 folder (%SystemRoot%\System32). A copy that runs from any other folder is not the Windows process; one threat known to use this name is the Sober.X worm.
The genuine process is the Service Control Manager, which starts and stops Windows services. It is an essential component of the operating system and is required in order to use your computer at all.
Sober.X is a mass-mailing worm that collects email addresses from infected computers and then, using its own SMTP engine, tries to propagate to those addresses. It also lowers the security settings of any infected computer, leaving it more vulnerable to other infections.
In Windows, lsass.exe is the Local Security Authority Subsystem Service, responsible for enforcing the local security policy and handling user logons. A number of malicious applications also use this process name, however, so take care, in the shape of antispyware software, to make sure that you are looking at the genuine version.
At least two malicious applications use lsass.exe as a process name. One is a backdoor Trojan that lets a third party into your system; the other is a downloader that keeps pulling more malware onto your computer until it is removed.
svchost.exe is a process that belongs to the Microsoft operating system. Unlike most processes, it normally runs as several instances at once, and this does not indicate a problem. svchost.exe is a generic host for services that are implemented as DLLs rather than as stand-alone executables. Those services are grouped, and each group runs inside its own svchost.exe instance, which is why several copies appear at the same time.
Alongside the genuine instances, your system may also be infected, because a number of threats use a process with this name. Use antispyware to scan your system and find out whether you have any infections.
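Because several svchost.exe instances are normal, the useful question is not how many there are but what each one is doing. A genuine instance is started by services.exe, runs from System32, and hosts at least one registered service from the group named by its -k argument; a malicious process merely borrowing the name fails one or more of those tests. The script below is an added example written for this article, not code from the original page. It maps every svchost.exe instance to the services it hosts and reports any instance that hosts nothing, was not started by services.exe, or runs from the wrong place. Run it elevated; otherwise the command lines and image paths of system processes are not readable.

```powershell
# Added example (not from the original article): show which services each
# svchost.exe instance hosts, and flag instances that host nothing, were not
# started by services.exe, or do not run from System32.
function Get-SvchostReport {
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    # Running services keyed by the PID that hosts them (stopped services report PID 0).
    $svcByPid = @{}
    foreach ($s in Get-CimInstance Win32_Service) {
        if ($s.ProcessId -eq 0) { continue }
        $key = [int]$s.ProcessId
        if (-not $svcByPid.ContainsKey($key)) { $svcByPid[$key] = @() }
        $svcByPid[$key] += $s.Name
    }

    $genuinePath = "$env:SystemRoot\System32\svchost.exe"
    foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $ownPid     = [int]$p.ProcessId
        # Caveat: a parent PID is stale if the parent exited and the PID was reused.
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<gone>' }
        $hosted     = if ($svcByPid.ContainsKey($ownPid)) { $svcByPid[$ownPid] } else { @() }
        # The -k argument names the service group this instance was started for.
        $group      = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '' }

        $problems = @()
        if ($parentName -ine 'services.exe') { $problems += "parent is $parentName" }
        if ($p.ExecutablePath -and ($p.ExecutablePath -ine $genuinePath)) { $problems += 'not in System32' }
        if ($hosted.Count -eq 0) { $problems += 'hosts no service' }

        [pscustomobject]@{
            PID      = $ownPid
            Group    = $group
            Parent   = $parentName
            Services = ($hosted -join ', ')
            Verdict  = if ($problems) { $problems -join '; ' } else { 'ok' }
        }
    }
}

Get-SvchostReport | Sort-Object Verdict | Format-Table -AutoSize -Wrap
```

A single instance reported as "hosts no service" can be transient (a service that is still starting or has just stopped), so re-run before acting on it; an instance whose parent is anything but services.exe, or whose path is outside System32, is the one to investigate.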
As with many genuine process names, alg.exe could be a critical component of your Windows operating system or a component of a worm, spyware, or virus. Locating the file, or scanning your system with good antispyware software, will tell you which is the case.
The genuine alg.exe is the Application Layer Gateway Service. It provides support for protocol plug-ins used by Internet Connection Sharing and the Windows Firewall, which let protocols such as FTP work through a firewall or a shared connection. If you use those features the process is necessary, and in that case the file is located in the System32 folder of your computer.
If the alg.exe file is located anywhere else on your computer then it is highly likely that you have been infected with a malicious program.
This process actually belongs to Windows Media Player. It is not a critical component of the operating system, but it is required to work around certain compatibility issues with the media player. If you use Media Player you should leave this process running; otherwise it is safe to disable or remove it.
This is one of the main processes on your computer: explorer.exe, which provides Windows Explorer, including your desktop, taskbar, and the other parts of the shell. Unlike most of the processes above, the genuine file lives in the Windows folder itself (%SystemRoot%\explorer.exe), not in System32. If the file is located anywhere else it is likely to be a virus or spyware. Users should also look out for a number of malicious processes whose names closely resemble this one.
This process belongs to the Windows operating system, although it is not critical to the running of your machine. It is the Command Prompt, the command-line interpreter of your PC, and the process may be active even when no Command Prompt window is open, because batch files and other programs launch it in the background.
This process is an important part of the Windows operating system. It should be left running unaltered, because it is responsible for loading the necessary DLLs and running the code they contain on behalf of other components. Disabling or removing it can cause serious errors on your system.
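The rule repeated throughout the list above is that the genuine copy of a core process runs from one known folder (System32 for smss, csrss, winlogon, services, lsass, svchost and alg; the Windows folder for explorer) and that malware hides behind identical or near-identical names. The PowerShell script below is an added example written for this article, not code from the original page. For every running process whose name is in the core list it checks the image path against the expected location and verifies the Authenticode signature; for every other process it computes an edit distance to the core names and reports near-misses such as scvhost.exe or lsas.exe. The expected-path table and the distance threshold are assumptions; run the script elevated so that the image paths of system processes are readable.

```powershell
# Added example (not from the original article): verify core Windows processes
# by location and signature, and flag look-alike names.
# Assumption: these are the default install paths on a standard installation.
$Expected = @{
    'smss.exe'     = "$env:SystemRoot\System32\smss.exe"
    'csrss.exe'    = "$env:SystemRoot\System32\csrss.exe"
    'winlogon.exe' = "$env:SystemRoot\System32\winlogon.exe"
    'services.exe' = "$env:SystemRoot\System32\services.exe"
    'lsass.exe'    = "$env:SystemRoot\System32\lsass.exe"
    'svchost.exe'  = "$env:SystemRoot\System32\svchost.exe"
    'alg.exe'      = "$env:SystemRoot\System32\alg.exe"
    'explorer.exe' = "$env:SystemRoot\explorer.exe"
}
# Distance 1 catches one dropped, added, swapped or transposed character.
# Raising it to 2 catches more but also flags legitimate names such as
# sihost.exe against svchost.exe.
$LookalikeDistance = 1

# Edit distance with adjacent transpositions counted as one edit, so that
# scvhost.exe is one step from svchost.exe rather than two.
function Get-EditDistance([string]$First, [string]$Second) {
    $x = $First.ToLowerInvariant(); $y = $Second.ToLowerInvariant()
    $prev2 = $null
    $prev  = @(0..($y.Length))
    for ($i = 1; $i -le $x.Length; $i++) {
        $cur = @(0) * ($y.Length + 1); $cur[0] = $i
        for ($j = 1; $j -le $y.Length; $j++) {
            $cost = if ($x[$i - 1] -eq $y[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
            if ($i -gt 1 -and $j -gt 1 -and $x[$i - 1] -eq $y[$j - 2] -and $x[$i - 2] -eq $y[$j - 1]) {
                $cur[$j] = [Math]::Min($cur[$j], $prev2[$j - 2] + 1)
            }
        }
        $prev2 = $prev; $prev = $cur
    }
    return $prev[$y.Length]
}

function Test-CoreProcesses {
    foreach ($p in Get-CimInstance Win32_Process) {
        $name = $p.Name.ToLowerInvariant()
        if ($Expected.ContainsKey($name)) {
            $path = $p.ExecutablePath
            $verdict = if (-not $path) { 'path unreadable (run elevated)' }
                       elseif ($path -ine $Expected[$name]) { 'WRONG LOCATION' }
                       else {
                           # Windows binaries are mostly catalog-signed; on Windows 8 and
                           # later Get-AuthenticodeSignature reports those as Valid too.
                           $sig = Get-AuthenticodeSignature -FilePath $path
                           if ($sig.Status -ne 'Valid') { 'BAD OR MISSING SIGNATURE' }
                           elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { 'SIGNED BY SOMEONE ELSE' }
                           else { 'ok' }
                       }
            [pscustomobject]@{ PID = $p.ProcessId; Name = $name; Path = $path; Verdict = $verdict }
        } else {
            # Not a core name: is it a near-miss of one?
            foreach ($core in $Expected.Keys) {
                $d = Get-EditDistance $name $core
                if ($d -le $LookalikeDistance) {
                    [pscustomobject]@{ PID = $p.ProcessId; Name = $name; Path = $p.ExecutablePath; Verdict = "LOOKALIKE of $core (distance $d)" }
                    break
                }
            }
        }
    }
}

Test-CoreProcesses | Sort-Object Verdict | Format-Table -AutoSize
```

A "WRONG LOCATION" or "LOOKALIKE" result is exactly the case the list above warns about and is the process to research before ending it; an "ok" result means the name, the folder and the Microsoft signature all agree, which is as much as a file-based check can establish. Task Manager shows the same process names but not, by default, the image path or the signer, which is why the check is worth scripting.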