Windows Startup Item Database

HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!

Page

Key:

"Y" - Normally leave to run at start-up
"N" - Not required - typically infrequently used tasks that can be started manually if necessary
"U" - User's choice - depends whether a user deems it necessary
"X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
"?" - Unknown

	Startup Name	Process Name	Details
X	List checker 32 BIT	list32.exe	"Added by the RBOT-AHO WORM!"
X	Litebot	[path to trojan]	"Added by the LITEBOT-A TROJAN!"
N	LIU	LIU.exe	"Logitech Internet Update. Used to update drivers/software for Logitech's Wingman
N	LIU	Rubicon.exe	"Logitech Internet Update. Used to update drivers/software for Logitech's Wingman
N	Live Menu	Dllcmd32.exe	"eFax Send button for eFax Messenger Plus. Available via Start -> Programs Disabling instructions available here"
N	LiveMonitor	LMonitor.exe	MSI Live Update - auto-detects and suggests the latest BIOS/Driver/Utilities information
N	LiveNote	Livenote.exe	Asus graphics card driver live update feature
X	LiveSexCams	LiveSexCams.exe	Premium rate adult content dialler
U	LiveUpdate	LiveUpdate.exe	"Web-update utility as used by various types of software - see here"
X	LiveUpdate	[Windows username]05.exe	"Added by the LINEAGE TROJAN!"
X	Livre	Dibane.bat	"Added by the BANEDI VIRUS!"
X	lk3h1	[path to file]	"Added by the MOSUCK-G TROJAN!"
?	LLMODCL2	"rundll.exe setupx.dll	InstallHinfSection ..LLMODCL2.INF"
X	llsass	llsass.exe	"Added by the PROXY-GG TROJAN! Note - this malware actually changes the default value data of the registry ""Run"" key in order to force Windows to launch it at boot. Name field may be empty"
N	LM Status	LMSTATUS.EXE	Xerox WorkCenter XE - language monitor status application
X	LMA Manager	lmamanager.exe	"Added by the TILEBOT-AD WORM!"
U	LManager	QtZgAcer.EXE	Acer Launch Manager - on Acer laptops it allows users to configure shortcut keys and to set the operating state of the WLAN module and the (optional) Bluetooth radio
U	LManager	QtZpAcer.exe	Acer Launch Manager - on Acer laptops it allows users to configure shortcut keys and to set the operating state of the WLAN module and the (optional) Bluetooth radio
U	LManager	HotkeyApp.exe	Acer Launch Manager - on Acer laptops it allows users to configure shortcut keys and to set the operating state of the WLAN module and the (optional) Bluetooth radio
U	LManager	QtaET2S.EXE	"Acer Launch Manager - on Acer laptops
X	lMAPl	lMAPl.exe	"Added by the AGOBOT-RE WORM!"
U	LMgrOSD	OSDCtrl.exe	"OSD (on-screen-display) utility - part of Acer Launch Manager. Gives you control to customize the monitor to your liking...from sound
N	LMonitor	LMonitor.exe	MSI Live Update - auto-detects and suggests the latest BIOS/Driver/Utilities information
?	lmpdpsrv	lmpdpsrv.exe	"Related to a Lexmark printer/scanner. Printer sharing server? Is it required?"
X	lmrt	lmrt.exe	Unidentified adware
N	LMSTATUS	LMSTATUS.EXE	Xerox WorkCenter XE - language monitor status application
Y	LMSXXD	LMSXXD.exe	Driver for Xerox XD series printer/copiers
X	lmu	LMU.exe	"Downloader trojan
X	lnternet Explorer	AMSNDMGR.EXE	"Added by the KWBOT.R WORM! Note that the ""l"" is a lower case ""L"" and not an upper case ""I"""
X	load	mdm.exe	"Added by the BINGHE TROJAN!"
X	load	msgsr32.exe	"Added by the SDBOT-QR WORM!"
X	load	[path to worm]	"Added by the KELVIR.AI WORM!"
X	Load	MyGame.exe	"Added by the LAMEYEAR-A WORM!"
X	load	_Kerne1.exe	"Added by the LINEAGE-AN TROJAN!"
X	load	Internat.exe	"Added by the WOWCRAFT TROJAN!"
X	load	rundll32.exe	"Added by the WOWCRAFT TROJAN!"
X	load	svhost32.exe	"Added by the WOWCRAFT TROJAN!"
X	load	svchsot.exe	"Added by the GWGHOST-O TROJAN!"
X	load	explorer.exe	"Added by the LINEAGE-OZ TROJAN! Note - the legitimate Windows Explorer (explorer.exe) is located in the Windows or Winnt folder and would not normally appear in Msconfig/Startup unless you added it manually! This one is located in the System (9x/Me) or System32 (NT/2K/XP) folder"
X	load	Kerne121.exe	"Added by the LINEAGE-ON TROJAN!"
X	load	Kerne1211.exe	"Added by the LINEAGE-DY TROJAN!"
X	Load Service	SvHost.exe	"Added by the PESIN-D WORM!"
U	LOAD WB	LOADWB.EXE	"Part of Stardock's WindowBlinds custom desktop program. "WindowBlinds is the first utility of its kind. It extends Win98/NT/2K/XP to have a fully skinnable user interface. You can change the style of title bars
X	Load-Guard	Wscript.exe LGuarg.exe.vbs	"Added by the YENO.B and YENO.C WORMS!"
X	LOAD32	Lorena.exe	"Added by the MAPSON.C WORM!"
X	load32	load32.exe	"Added by the NIBU
X	load32	l32x.exe	"Added by the DUMARU.Z or DUMARU.Y or DUMARU.AD WORM!"
X	load32	1111a.exe	"Added by the DUMARU.AH WORM!"
X	load32	swchost.exe	"Added by the TURTA.A WORM!"
X	load32	netda.exe	"Added by the NIBU.E TROJAN!"
X	load32	winldra.exe	"Added by the BACKDOOR.NIBU.J or DUMARU-BI TROJANS! Note - also known as Srv.SSA-KeyLogger by Sunbelt Software which has developed a free removal tool for this keylogger"
N	load=	adw30.exe	After Dark for Windows - screen saver program. Popular before screen savers were integrated into Win95
U	load=	asistat.exe	Status monitor for an NEC SuperScript printer
?	load=	cfgsys32.exe	"??"
U	load=	esspk.exe	"Speakerphone capability through a soundcard for an ESS modem"
Y	load=	hotkey.exe	Solo 5300 display driver for Win2K on some Gateway laptops
N	load=	HPWHRC.EXE	Loads the Status Window software for the HP Laserjet printers
?	load=	WPSLOAD.EXE	"Windows printing system that comes with the setup for Canon BJC series on the manufacturer's disk"
N	load=	vi_grm.exe	Monitor drivers for Trio2x/3x based video cards - displays control panel for quick access to display settings
?	load=	WINOSCFG.EXE	"Could it be something to do with configuring Windows on a new PC from an OEM supplier?"
Y	load=	wpshrc.exe	Required to prevent configuration errors on a Compaq LBP-660 and LBP-460 parallel port laser printers (and maybe others)
Y	load=	Bfrecv.exe	Bitware modem driver
X	load=	msater.exe	"Added by the RETSAM TROJAN!"
X	load=	shambl3r.exe	"Added by the REMABL WORM!"
X	load=	Spoolsv.exe	"Added by the CIADOOR.B TROJAN! Note - ""Spoolsv.exe"" is located in the Windows or Winnt directory
?	Load=	wtfeat.exe	"Associated with the Wintab Digitizer"
Y	load=	AICLIENT.EXE	"Asset Insight from Tangram - asset managing software. Required if an organisation is running a centrally administered asset management system"
X	load=	hint.exe	"Added by the ATAK WORM!"
X	load=	win32exec.exe	"Added by the BITTER WORM!"
X	load=	a1g.exe	"Added by the ATAK.B WORM!"
X	load=	dapdll.exe	"Added by the ATAK.E WORM!"
X	load=	svhost32.exe	"Added by the LINEAGE-AB TROJAN!"
Y	load=	01comm32.exe	"Related to Elsa CommPro (Communicate Pro) access software for Microlink modems - this software contains answering machine and fax functions
X	load=	inetinfo.exe	"Added by the PROXY-GG TROJAN!"
X	load=	Kerne14.exe	"Added by the LINEAGE-BA TROJAN!"
X	Loadab1	explorer.exe	"Added by the LINEAGE-AJ TROJAN! Note - the legitimate Windows Explorer (explorer.exe) is located in the Windows or Winnt folder and would not normally appear in Msconfig/Startup unless you added it manually! This one is located in the Program Files folder"
Y	LoadBlackD	blackd.exe	"This is the "intrusion detection system" of the BlackICE PC Protection (was Defender) firewall which loads independently of the "user interface" (BlackICE Utility)"
?	LoadBtnHnd	BtnHnd.exe	"Fujitsu LifeBook related"
X	LoadDBackUp	BcTool.exe	"Added by the GIBE WORM!"
X	loaddll	loaddll.exe	"Winvest spyware"
?	LoadDvpApi9x	DVPAPI9X.exe	"Part of Command AntiVirus for Windows 95/98/Me. Is it needed?"
X	loader	loader.exe	"Homepage hijacker
X	loader	WMPLAYER.EXE	Unknown baddie - WMPLAYER.EXE is stored in the location and uses the same name as Windows Media Player but that valid Windows program doesn't load at startup
X	loader32	Loader32.exe	Added by an unidentified TROJAN!
X	loader32	sys***.exe [*** = random digit]	"Added by the DOMCOM TROJAN!"
X	Loaders	HeIp.exe	"Added by the SDBOT-ADB WORM!"
X	loadfax	loadfax.exe	"Added by the WINFLUX-C TROJAN!"
X	LoadFonts	LoadFonts.vbs	Homepage hijacker that changes your homepage to an adult content site
X	LoadFonts	Tahoma.vbs	Homepage hijacker that changes your homepage to an adult content site
X	LoadGolfCourses	LoadGolfCourses.exe	PlayMiniGolf.com foistware - stealth installed!
X	LoadHTML	"rundll32.exe mshtmpre.dll	MShtmpre"
X	LoadingAgent	ZipLoader32.exe	"Added by the OBLIVION TROJAN! This executable is one of the most common but there are more"
X	LoadingAgent	msload32.exe	"Added by the OBLIVION TROJAN! This executable is one of the most common but there are more"
X	LoadManager	msload.exe	"Added by the OPASERV.T WORM!"
X	loadMecq0	explorer.exe	"Added by the MUMUBOY.C TROJAN! Note - the legitimate Windows Explorer (explorer.exe) is located in the Windows or Winnt folder and would not normally appear in Msconfig/Startup unless you added it manually! This one is located in the Program Files folder"
X	loadMecq3	rundll32.exe	"Added by the LEGMIR-AS TROJAN!"
X	loadMect1	explorer.exe	"Added by the LINEAGE-L TROJAN! Note - the legitimate Windows Explorer (explorer.exe) is located in the Windows or Winnt folder and would not normally appear in Msconfig/Startup unless you added it manually! This one is located in the Program Files folder"
X	loadMefs	rundll32.exe	"Added by the LEGMIR-JB TROJAN! Note - this is not the legitimate rundll32.exe process
X	loadMefs	smss32.exe	"Added by the FLOOD-EL TROJAN!"
N	LoadMSvcmm	msvcmm32.exe	"Auto-update for Movielink - internet movie rental System Tray access"
X	LoadOrderVerification	[random filename]	"Added by the TRON.A TROJAN!"
U	Loadout Manager	nost_LM.exe	"Manager for the Belkin Nostromo n50 SpeedPad game controller - see here"
X	LoadPFW	wmimgr.exe	"Added by the QEDS-B WORM!"
X	LoadPowerProfile	ASDAPI.EXE	"Added by the CABRO TROJAN! Not to be confused with the valid LoadPowerProfile entry where the command is Rundll32.exe powrprof.dll"
U	LoadPowerProfile	Rundll32.exe powrprof.dll	"Power management specifics such as monitor shut-off
X	LoadPowerProfile	Rundll.exe powerprof.dll	"Added by the LOXOSCAM TROJAN! Note - do not confuse with the valid LoadPowerProfile entry! Notice that the infected version uses ""Rundll.exe"" whereas the uninfected version uses ""Rundll32.exe"""
X	LoadPowerProfile	rundl.exe	"Added by the TOFAZZOL TROJAN! Not to be confused with the valid LoadPowerProfile entry where the command is Rundll32.exe powrprof.dll"
X	LoadPowerProfile	Rundll32.exe	"Added by the MIROOT WORM! Note - do not confuse with the valid LoadPowerProfile entry which has ""powrprof.dll"" appended to the command/data line"
X	LoadPowerScheme	rundll32.exe powerprof.dll CheckPowerProfile	"Ulubione adult content dialer"
U	LoadQM	loadqm.exe	"Installed with MSN Explorer and loads the MSN Queue Manager. Required to enable the WU AutoUpdate feature. Note that disabling this can sometimes prevent internet sharing working on Win2K Pro SP2. Reports also suggest that removing it will re-enable internet access - hence the ""users choice"" recommendation. If you have problems leave it
X	loads.exe	loads.exe	"MediaMotor adware"
X	loads.exe	medload.exe	"Medload adware"
X	loads.exe	suploads.exe	"Added by the AGENT-BZ TROJAN!"
X	LoadService	Rest In Peace	"Added by the KANGAROO-A WORM!"
X	LoadService	"Maaf	tempatmu bukan di sin"
X	LoadService	Virus	"Added by the CAGER.A WORM!"
X	LoadSIPS	"rundll32.exe [path] SIPSPI32.dll	SIPSPI32"
?	LoadWatcher	Test.exe	"Reportedly part of a webcam surveillance program that's supposed to test SMTP dialling in the event of an alert? Is this correct?"
X	LoadWatcher	watcher.exe	"Watcher spyware"
X	loadwin	winset.exe	"Added by the QQPASS-I TROJAN!"
X	loadwin	winsys.exe	"Added by the QQPASS-J TROJAN!"
X	LoadWindowsFile	[filename]	"Added by the DELF.B TROJAN! where [filename] is the infected file"
X	Local Area Network	OpenGL.exe	"Added by a variant of the RBOT WORM!"
X	Local Authority Service	lsass.exe	"Added by the AMRKTMAN-C TROJAN! Note - this is not the legitimate lsass.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder"
X	Local Internet Connection	LIC.exe	"Added by the SDBOT-YA WORM!"
X	LOCAL INTERNET WEB DRIVERS FOR WIN32	phqghume.exe	"Added by a variant of the RBOT WORM!"
X	Local Page	http://find.naupoint.com	"Naupoint browser hijacker"
X	Local runole service	srvc32.exe	"Added by the SMALL-DP TROJAN!"
X	Local Security Authority Servce	lssas.exe	"Added by the POEBOT-T WORM! Note - this is not the legitimate lsass.exe process"
X	Local Security Authority Service	lssas.exe	"Added by the POEBOT-J WORM!"
X	Local Security Authority Service	Isass.exe	"Added by the LINKBOT.M WORM!"
X	Local Service	Intenat.exe	"Added by the NUCLEAR-J TROJAN!"
X	Local-Settings-of-[User Name]	[User Name].exe	"Added by the GAVGENT.A WORM!"

DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.