Windows Startup Item Database

HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!

Page

Key:

"Y" - Normally leave to run at start-up
"N" - Not required - typically infrequently used tasks that can be started manually if necessary
"U" - User's choice - depends whether a user deems it necessary
"X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
"?" - Unknown

	Startup Name	Process Name	Details
N	RtlMon.exe	RtlMon.exe	Monitor for RealTek network card
Y	RTMonitor	RTMonitor.exe	"Cheyenne (now eTrust) antivirus"
X	rtos	rtos.exe	IRC trojan
?	RTStartMute	N/A	"??"
Y	rtvscn95	RTVSCN95.EXE	Real-time virus scanner component of Norton Anti-Virus Corporate Edition
U	RtWLan	RtWLan.exe	"Configuration utility for the Netgear WG111 54 Mbps Wireless USB 2.0 Adapter that ""provides wireless access to your desktop or notebook PC through the computer's USB port"""
X	Ruby13	Ruby13.exe	"Added by the MEXER.E WORM!"
X	Ruby14	Ruby14.exe	"Added by the FIGHTRUB-A WORM!"
X	ruin	system32.exe	"Added by the DELF-JM TROJAN!"
U	RuLaunch	RuLaunch.exe	"Instant Updater for McAfee's VirusScan
X	run	Autoexec.com	"Added by the HOLCAS.A WORM!"
X	run	inetinfo.exe	"Added by the BINGHE TROJAN!"
X	Run	help.exe	"Identified as the DELF.LF by Ewido Security Suite"
X	run	[path] rundll32.exe rsrc.dll	"Browser hijacker of Chinese origin
X	Run Msn Messenger	msnmgr.exe	"Added by the AGOBOT.HA WORM!"
X	Run MSupdt32	wscript MSupdt32.vbs	"Added by the CASER WORM!"
U	Run POPFile in background	perl.exe	"POPFile - E-mail spam blocker"
U	Run POPFile in background	wperl.exe	"POPFile - E-mail spam blocker"
X	Run Services as Application	localsvc.exe	"Added by the DLOADER-NY TROJAN!"
X	Run Services as Application	netsvc.exe	"Added by the DLOADER-NY TROJAN!"
X	Run Services as Application	spoolsvc.exe	"Added by the DLOADER-NY TROJAN!"
X	Run Services as Application	svcadmin.exe	"Added by the DLOADER-NY TROJAN!"
X	Run Services as Application	svcman.exe	"Added by the DLOADER-NY TROJAN!"
X	Run Services as Application	svcrun.exe	"Added by the DLOADER-NY TROJAN!"
X	Run Services as Application	tcpsvc.exe	"Added by the DLOADER-NY TROJAN!"
X	Run Services as Application	websvc.exe	"Added by the DLOADER-NY TROJAN!"
U	Run StartupMonitor	StartupMonitor.exe	"Mike Lin's StartupMonitor
X	Run TaskMrg	csrss.exe	"Added by the LDPINCH-W TROJAN! Note - this is not the legitimate csrss.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Windows folder"
X	run windows	servic.bat	"Added by the REBOOT-AP TROJAN!"
X	Run XP Service Pack	xpservicepack.exe	"Added by the SDBOT.AQA WORM!"
X	Run05	rundll_32.exe	"Added by the BANCOS-DT TROJAN!"
X	run32dll	WINClock.exe	"Added by an unidentified VIRUS
X	run32dll	task32.exe	"Added by an unidentified VIRUS
X	Run32dll	ocxdll.exe	"Added by an unidentified VIRUS
N	run=	cmmpu.exe	MIDI emulator driver for the integrated sound chip by C-Media based on the CMI-8330 chip set normally found in cheap motherboards. Also installed as part of the software for a Guillemot Maxi Muse sound card (PCI)
N	run=	hpfsched	HPFSCHED is a small TSR that will remind you to clean the cartridges in your DeskJet from time to time in order to keep print quality high. It can be removed from the run line in win.ini if you do not want that feature
N	run=	lxdboxcp.exe	Lexmark DOS-Printing Control Program for the Lexmark 2050. Only required if you need to print from DOS
N	run=	pcfix2k.exe	pcfix2k splash screen
X	run=	ptlseq.cpl	"PhoenixNet BIOS adware. See here"
U	run=	ramsys.exe	"Advanced Startup Manager from Rays Lab"
?	run=	wallflip.exe	"Desktop wallpaper changer?"
X	run=	svcinit.exe	"CoolWebSearch parasite variant"
X	run=	fntldr.exe	"CoolWebSearch Tapicfg parasite variant"
Y	run=	smsrun16.exe	"Microsoft Systems Management Server (SMS) related - program that reads SMSRUN16.INI on clients running Win 3.1
?	run=	win.ini	"??"
X	run=	RAVMOND.exe	"Added by a variant of the LOVGATE WORM!"
X	run=	real.exe	"Added by a variant of the LOVGATE WORM!"
X	run=	dec25.exe	"Added by the ATAK.F WORM!"
?	run=	LXBTppls.exe	"Reportedly part of Lexmark printer software - what does it do and is it required?"
N	run=	fmedia.exe	FMedia FaxWorks related - can be run manually
Y	run=	wswpd.exe	"Used with some models of Panasonic
X	run=	cyxid98.exe	Unidentified malware
X	run=	info32.exe	"CoolWebSearch Tapicfg parasite variant"
X	run=	mouse_configurator.win	"Added by the GAGGLE.E WORM!"
X	run=	RegistryReminder.exe	"Added by the APSTROJAN.OB TROJAN!"
X	run=	sec5dec.exe	"Added by the ATAK.G WORM!"
X	run=	wmplayer.exe	"CoolWebSearch Smartsearch parasite variant"
X	run=	Autoexec.com	"Added by the HOLCAS.A WORM!"
X	run=	htmlsync.exe	Searchforfree.info browser hijacker
X	run=	msoffice.exe	"Added by the ADWARELOADER TROJAN! Note - do not confuse with the legitimate Microsoft Office file
X	run=	DRDOOM.EXE	"Added by the SEMAPI-A WORM!"
X	run=	svhost.exe	"Added by the ADMINCASH.B TROJAN!"
X	run=	dllreg.exe	"Added by the DUMARU-L TROJAN!"
X	run=	mdm.exe	"Added by the PROXY-GG TROJAN!"
X	run=	Celine.scr	"Added by the CELINE-A TROJAN!"
X	run=	services.exe	"Added by the KREPPER-N TROJAN! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a ""inet10066"" subfolder of the Windows or Winnt folder"
U	RunAlert	AService.exe	"MSI MOtherboard PC Alert III - MSI motherboard monitoring software. Only required if you "overclock" your system"
N	runAP	runAP.exe	"Not required but what is it?"
X	runapp	icqchk.exe	"Added by the BOMKA TROJAN!"
X	Runapp32	Runapp32.exe	"Added by the NEODURK TROJAN!"
Y	RunCA	InvokeSvc3.exe	Wireless-G USB Wireless Network Adapter related - would appear to be required
X	Rund11	Rund11.EXE	"Added by the MARIO-C WORM!"
X	rund1132	rund1132.exe	"Added by the DOPBOT-A WORM!"
X	Rund1132.exe	Rund1132.exe	"Added by the STARTPA-HS TROJAN!"
X	Rund1l32	Winfi1e32.exe	"Added by the MERTIAN WORM!"
X	Rundil32	runlli32.exe	"Added by the QQPASS-U TROJAN!"
X	Rundil32	Updadv.exe	"Added by the QQPASS-N TROJAN!"
X	rundl332	math.exe ...pluged.exe	"Added by the DOOMJUICE WORM!"
X	rundli32	rundli32.exe	"Added by the LADE WORM!"
X	RunDLL	"rundll32.exe bridge.dll	Load"
X	Rundll	Rundll~.exe	"Added by the DELF-KT TROJAN!"
X	Rundll	"rundll32.exe [random file name].dll ""taskmon"""	"Added by the MYTOB.IG WORM!"
X	RunDll	RunDll.exe	"Added by the QQPASS-AH TROJAN! Note - this is NOT the Windows system file of the same name as described here"
X	rundll***	die.exe [path] mdll.exe	"Added by the SUMTAX TROJAN! where *** is 134
X	rundll***	die.exe [path] secure.bat	"Added by the SUMTAX TROJAN! where *** is 134
X	rundll***	die.exe [path] secure.exe	"Added by the SUMTAX TROJAN! where *** is 134
X	rundll***	die.exe [path] ttg.exe	"Added by the SUMTAX TROJAN! where *** is 134
X	Rundll16	Rundll16.exe	"Added by a number of VIRUSES
X	Rundll32	Rundll32.exe	"Added by the DVLDR TROJAN! Note - this is not the valid ""Rundll32.exe"" as it's in the WindowsFonts directory"
N	RUNDLL32	"RUNDLL32.EXE NvQtwk	NvCplDaemon"
N	RunDLL32	"RunDLL32.exe NvMCTray.dll	NvTaskbarInit"
U	rundll32	Rundll32.exe Wf2kcpl.dll DllLoadDefaultSettings	Loads default settings for Leadtek Winfast graphics cards
X	RunDLL32	winupdate.exe	"Added by an unidentified TROJAN! - possibly a BMBOT variant"
X	Rundll32	Windows.exe	"Added by the QQPASS.E TROJAN!"
U	Rundll32	"Rundll32.exe ptipbm.dll	SetWriteBack"
X	rundll32	[path to worm]	"Added by the AUTEX WORM!"
?	rundll32	"rundll32.exe ptipbmf.dll	SetWriteCacheMode"
X	rundll32	rundll32.exe	"Added by the SANKER WORM! Note that the valid ""rundll32.exe"" resides in C:WindowsSystem32 wheras this version resides in C:Windows"
X	rundll32	csrss.exe	"Added by the GUTTA TROJAN! Note - this is not the legitimate csrss.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Windows folder"
U	rundll32	"RunDLL32.exe irprops.cpl	BluetoothAuthenticationAgent"
X	RUNDLL32	rundl32.exe	"Added by the DEMOTRY-A WORM!"
X	rundll32	rundll32.exe	"Added by the AGENT-EZ TROJAN! Note - the real rundll32.exe resides in the System (9x/Me) or System32 (NT/2K/XP) folder whereas this file is found in a ""SHELLEXT"" subfolder"
X	Rundll32	RUNDDLL32.EXE	Added by the STARTPAGE.AXH TROJAN!
N	Rundll32 cmicnfg	"Rundll32 cmicnfg.cpl	CMICtrlWnd"
?	Rundll32 P17	"Rundll32 P17.dll	P17Helper"
X	Rundll32.exe	Proyecto1.exe	"Added by the GRUEL WORM!"
X	Rundll32.exe	Root.exe	"Added by the GRUEL WORM!"
X	Rundll32_7	"rundll32.exe MSIEFR40.DLL	DllRunServer"
X	Rundll32_8	"rundll32.exe inetp60.dll	DllRunServer"
X	Rundll32_8	"rundll32.exe 1.dll	DllRunServer"
X	rundll64	[path to worm]	"Added by the AUTEX WORM!"
X	RundllSvr	Rundll.exe	"Added by the HUAYU WORM! Note - this is NOT the Windows system file of the same name as described here"
X	Rundllsystem32	Rundllsystem32.exe	"Added by the NETDEVIL.B TROJAN!"
X	Rundnm	Rundnm.exe	"Added by the DELF-HA TROJAN!"
X	RUNGogoTools	LaunchAdware.exe	"GoGoTools adware"
X	RUNGogoTools	GoGoLaunch.exe	"GoGoTools adware"
X	RUNHYPER	hyperx.exe	"PurityScan/Clickspring adware"
X	runing	win.exe	"Added by the DELF-LC TROJAN!"
X	RUNLOAD	l0ad.exe	"PurityScan/Clickspring adware"
X	RUNLOUD	loud.exe	"PurityScan/Clickspring adware"
U	Runmarc8mManager	marc8m95.exe	"MARC Sound System Manager for the Marc 8 MIDI sound card - allows for easy adjustment of the settings"
X	Runner	lsass.exe [trojan filename]	"Added by the DROWSY-B TROJAN! Note - this is not the legitimate lsass.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located the Winnt or Windows folder"
X	Runner	csrss.exe	"Added by the ADCLICK-AG TROJAN! Note - this is not the legitimate csrss.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder"
X	Runner	lsass.exe	"Added by the ADCLICK-AG TROJAN! Note - this is not the legitimate lsass.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder"
X	Runner	svchost.exe	"Added by the ADCLICK-AG TROJAN! Note - this is not the legitimate svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder"
U	RunOnce	RUNONCE.EXE	Part of MS Data Access Components - only required if you use these
X	RunOnceEx	sms.exe	"Identified as the DELF.LF by Ewido Security Suite"
X	RunProg	Server.exe	"Added by the OPTIX.04.A TROJAN!"
X	RunProg	wini.exe	"Added by the OPTIX.04.D TROJAN!"
X	runreper	viewer.exe	"Added by the REPER.A VIRUS!"
X	runs	run.exe	"Added by the RBOT-BWF WORM!"
X	RunSearvices	tread.exe	"Identified as the DELF.LF by Ewido Security Suite"
X	RunServices	runsvc32.exe	"Added by the AGOBOT.QJ WORM!"

DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.