Windows Startup Item Database

HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!

Page

Key:

"Y" - Normally leave to run at start-up
"N" - Not required - typically infrequently used tasks that can be started manually if necessary
"U" - User's choice - depends whether a user deems it necessary
"X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
"?" - Unknown

	Startup Name	Process Name	Details
X	Win32	Game.exe.vbs	"Added by the SCAFENE WORM!"
X	Win32	arsetup.exe	Added by the SPAZBOX.A TROJAN!
X	win32	winhost.exe	"Added by the BROPIA.J WORM!"
X	Win32	winnnit.exe	"Added by a variant of the SDBOT WORM!"
X	Win32	msnsrv.exe	"Added by a variant of the SDBOT WORM!"
X	Win32	sysmon.exe	"Added by the MYTOB-HQ TROJAN!"
X	Win32	zaq.exe	"Added by the RBOT-GCE WORM!"
X	Win32 Bios	Winbios.exe	"Added by the SEMAPI-A WORM!"
X	Win32 Configuration	videosd32.exe	"Added by the SDBOT.TT WORM!"
X	Win32 Configuration	dllhelp.exe	"Added by the SDBOT.UL WORM!"
X	Win32 Configuration	mplayer.exe	"Added by the FORBOT-BZ WORM!"
X	Win32 Critical File	Win32.exe	"Added by the RBOT-GUB WORM!"
X	WIN32 DDOSSER	dos.exe	"Added by the KELVIR.F WORM!"
X	Win32 Debug Manager	Win32Debug.exe	"Added by a variant of the WOOTBOT WORM!"
X	Win32 Debug Manager	microsoftupd.exe	"Added by a variant of the WOOTBOT WORM!"
X	Win32 Device Loader	Win32ldr.exe	"Added by a variant of the AGOBOT/GAOBOT WORM!"
X	Win32 Driver	svchosts.exe	"Added by the FORBOT-FD WORM!"
X	Win32 Drivers	winlogons.exe	"Added by the FORBOT-FG WORM!"
X	Win32 DRK Driver	wdrk32.exe	"Added by the WOOTBOT.CY WORM!"
X	Win32 exe file	winstr32.exe	"Added by a variant of the SPYBOT WORM!"
X	Win32 Explorer	Explorer32.exe	"StartPa-MN homepage hijacker"
X	Win32 Firewall Driver	winfw.exe	"Added by a variant of the RBOT WORM!"
X	Win32 FireWire Driver	CTHELPER32.EXE	"Added by the WOOTBOT TROJAN!"
X	Win32 FRT Driver	msfr32.exe	"Added by a variant of the FORBOT WORM!"
X	Win32 Help32 Service	win32help.exe	"Added by the DELBOT-U WORM!"
X	Win32 Info	windowsnfo.exe	"Added by a variant of the IRCBOT TROJAN!"
X	Win32 Information Service	crsrs.exe	"Added by the RINBOT.Y WORM!"
X	win32 internet server	winserver.exe	"Added by the DERMON-D TROJAN!"
X	Win32 Kernel core component	Kernel32.pif	"Added by the MOKS VIRUS!"
X	Win32 Kernel Update	win32update.exe	"Added by the PROXY-BS TROJAN!"
X	Win32 LSA Driver	lsa.exe	"Added by the FORBOT-FJ WORM!"
X	Win32 Ms Auto Updater	AutomsUPD.exe	"Added by a variant of the RBOT WORM!"
X	Win32 NDIS	Ndiswin.exe	"Added by the RBOT.AMG WORM!"
X	Win32 NDIS Driver	xpndis.exe	"Added by a variant of the RBOT WORM!"
X	Win32 NDIS Driver	Ndistcp.exe	"Added by the WOOTBOT.EU WORM!"
X	Win32 Network Driver	crss.exe	"Added by a variant of the AGOBOT/GAOBOT WORM!"
X	Win32 NT Adv Services	taskmngr.exe	"Added by the RBOT-ADE WORM!"
X	Win32 nvc	nvcva.exe	"Added by the RBOT-ABF WORM!"
X	Win32 NVIDIA Driver	MSPMSPSU.EXE	"Added by a variant of the WOOTBOT.Y WORM!"
X	win32 regedit	msn32.exe	Added by an unidentified WORM or TROJAN!
X	Win32 Rundll Loader	Rundll32.exe	"Added by the SDBOT.A TROJAN! Note - this is not to be confused with the legitimate rundll32.exe file!"
X	Win32 Secure	msconfigsvc.exe	"Added by a variant of the SDBOT WORM!"
X	Win32 Security Protocol	secure32.exe	"Added by the RBOT-ETI WORM!"
X	Win32 Security Service	crsss.exe	"Added by the DELBOT-O WORM!"
X	win32 security updates downloader	tskmngr.exe	"Added by a variant of the SDBOT WORM! See here"
X	Win32 Service	bazzi.exe	"Added by the AHKER.E WORM!"
X	Win32 Services	odbc32.exe	"Added by the SPYBOT-EK WORM!"
X	Win32 Services Config	winwkys.exe	"Added by the RBOT.BKY WORM!"
X	Win32 Services1	wuamngr1.exe	"Added by the SDBOT-PV WORM!"
X	Win32 Src Service	win32src.exe	"Added by the RBOT-SX WORM!"
X	Win32 SSL Driver	winssv.exe	"Added by the FORBOT-BH WORM!"
X	Win32 Svchosts Driver	svchosts.exe	"Added by the FORBOT-FO WORM!"
X	Win32 System Kernel	winservice.exe	"Added by the SDBOT.KIN WORM!"
X	win32 system server	winserver.exe	"Added by the DERMON-A TROJAN!"
X	Win32 System Spool	spoolsvc.exe	"Added by the SDBOT.UK WORM!"
X	Win32 Test	bleatest.exe	"Added by a variant of the RBOT WORM!"
X	Win32 Update	svchosts.exe	"Added by a variant of the SDBOT WORM!"
X	Win32 Update	dl32.exe	Added by an unidentified WORM or TROJAN!
X	win32 update service	svchostt.exe	"Added by a variant of the SDBOT WORM!"
X	Win32 USB Driver	winxpinit.exe	"Added by the SDBOT.AA TROJAN!"
X	Win32 USB Driver	mvsecn.exe	"Added by the FORBOT-BK WORM!"
X	Win32 Usb Driver	svhosint32.exe	"Added by the FORBOT-BE or FORBOT-J WORMS!"
X	Win32 Usb Driver	usb32.exe	"Added by the SDBOT-OV WORM!"
X	Win32 Usb Driver	AvpG.exe	"Added by the FORBOT-BX WORM!"
X	Win32 USB2	wins32.exe	"Added by a variant of the RBOT WORM!"
X	Win32 USB2 Driver	win32usb.exe	"Added by the SPYBOT.DHV WORM!"
X	Win32 USB2 Driver	smsc.exe	"Added by the SDBOT.FO WORM!"
X	Win32 USB2 Driver	svchosting.exe	"Added by the FORBOT.J or SDBOT.HU WORM!"
X	Win32 USB2 Driver	sys32.exe	"Added by the WOOTBOT.X WORM!"
X	Win32 USB2 Driver	sys32snd.exe	"Added by the FORBOT-AN WORM!"
X	Win32 USB2 Driver	wind32.exe	"Added by the FORBOT-AH WORM!"
X	Win32 USB2 Driver	winupdate.exe	"Added by the AGOBOT.YE WORM!"
X	Win32 USB2 Driver	updatemgr.exe	"Added by a variant of the FORBOT WORM!"
X	Win32 USB2 Driver	winsnd32.exe	"Added by a variant of the SDBOT WORM!"
X	Win32 USB2 Driver	msn.exe	"Added by the FORBOT-EX WORM!"
X	Win32 USB2 Driver	syscfg32.exe	"Added by the FORBOT-R WORM!"
X	Win32 USB2.0 Driver	386.exe	"Added by the IRCBOT.D WORM!"
X	Win32 USB2.0 Driver	rundll16.exe	"Added by the WOOTBOT.H WORM!"
X	Win32 USB2.0 Driver	w32usb2.exe	"Added by the SPYBOT.DN WORM!"
X	Win32 USB2.0 Driver	service.exe	"Added by the SDBOT-QF WORM!"
X	Win32 USB3 Driver	win32tool.exe	"Added by a variant of the RBOT WORM!"
X	Win32 Wmls Driver	winitr32.exe	"Added by the WOOTBOT.B WORM!"
X	Win32 Word Services	msword32.exe	"Added by a variant of the RBOT WORM!"
X	win32.exe	win32.exe	"Added by the STARTPAGE TROJAN!"
X	Win32.exe	Win32.exe	"Added by the AWQ.A TROJAN!"
X	Win32.Exploit.mzH	mzrun.exe	"Added by the PAINTER TROJAN!"
X	Win32.Trojan.Downloader	netstat2.exe	"Added by the PAINTER TROJAN!"
X	Win32BaseServiceMOD	Wintask.exe	"Added by the NAVIDAD WORM!"
X	win32beta	win32sys4.exe	"Added by the BANKER-DA TROJAN!"
X	win32clf	win32clf.exe	Added by an unidentified VIRUS WORM or TROJAN!
X	win32debug	win32debug.exe	"Added by the GUDEB WORM!"
X	Win32DLL	Win32DLL.vbs	"Added by the LOVELETTER (I LOVE YOU) VIRUS!"
X	Win32dll	Win32dll.exe	"Added by the BANPAES TROJAN!"
X	WIN32DS	clienttimer.exe	"Eziin adware"
X	Win32G	Kernel32.com	"Added by the ESTRELLA TROJAN!"
X	Win32G	Scandisk.com	"Added by the ESTRELLA TROJAN!"
X	win32gb	win32gb.exe	"Added by the DLUCA-F TROJAN!"
X	Win32Host Process	webemir.exe	"Added by the TURGEN -A TROJAN!"
X	win32info	win32info.exe	Adult content dialler
X	win32ini	systroy.exe	"Added by the IRC.ALADINZ.C TROJAN!"
X	WIN32io	clienttimer.exe	"Eziin adware"
X	win32Kernel	findx.exe	"Added by the BANLOA-EY TROJAN!"
X	Win32KernelStart	microsoft.exe	"Added by the DELF-EWZ TROJAN!"
X	Win32R	Server.com	"Added by the ESTRELLA TROJAN!"
X	WIn32S Java DLL	kavsvx.exe	"Added by the AGOBOT-RZ WORM!"
X	win32serv	devicer.exe	"Added by the CHECKOUT WORM! See here"
X	win32serv	servicesetup.exe	"Added by a variant of the PUSHBOT WORM! A family of worms that spread using MSN Messenger"
X	win32serv	systemdevices.exe	"Added by a variant of the PUSHBOT WORM! A family of worms that spread using MSN Messenger"
X	win32servv	load.exe	"iSearch adware"
X	win32servv	ms1.exe	"iSearch adware"
Y	WIN32SL	Win32sl.exe	"Part of Dell OpenManage Client Instrumentation - software that allows remote management application programs to access information about monitor the status of or change the state of the client computer such as shutting it down remotely. Uses the DMI and/or common information model (CIM) protocols which are systems management protocols defined by industry standards. The specific function of this is to load MIF's in order for Dell OpenManage Client to work"
X	WIN32SNDS	banc.exe	Added by an unidentified WORM or TROJAN!
X	Win32system	[random filename]	"Added by the DDV.B WORM!"
X	Win32System	win32s.exe	"Added by the MYDOOM.V WORM!"
X	Win32SystemMonitor	**.exe [ = random char]	Browser hijacker
X	Win32SysV	xin.exe	"Added by the FORBOT-EO WORM!"
X	win32us	win32us.exe	All-In-One-Telcom (adult content dialler) variant
X	win32usbd	ssrs.exe	"Added by the RBOT-RA WORM!"
X	Win32Usr	WinCab.exe	"Added by the DEDMIR-A WORM!"
X	WIN32WN	system_wc.exe	"Eziin adware"
X	win32_i lptt01	win32_i.exe	"RapidBlaster variant (in a ""win32_i"" folder in Program Files). Recommended you use RapidBlaster Killer to uninstall - see here"
X	win32_i ml097e	win32_i.exe	"RapidBlaster variant (in a ""win32_i"" folder in Program Files). Recommended you use RapidBlaster Killer to uninstall - see here"
X	Win386	Win386.exe	"Added by the GOSUSUB VIRUS!"
X	Win386	sp32.dll	Homepage hijacker. Not a dll but a regfile in disguise
X	WIN3S2SNDS	winabsmod.exe	"Added by the AGENT.DN TROJAN - known to BOClean as ""CWS/INDEX"" ""shuts down anything that wants to open and is used as a spam proxy as well"""
X	WIN3S2SNDS	winiprtx.exe	"Added by the AGENT.DN TROJAN - known to BOClean as ""CWS/INDEX"" ""shuts down anything that wants to open and is used as a spam proxy as well"""
X	Win64 Compatibility Check	load win64.drv	"CoolWebSearch parasite variant"
X	WIN95DEFVIEW	[path to file]	"Added by the DEDLER-D TROJAN!"
X	WIN95DEFVIEW	csmss.exe	"Added by the DEDLER-D TROJAN!"
X	win98 DNS	wingrd.exe	"Added by a variant of the RBOT WORM!"
X	winabc	rundll32.exe [Temp][ORIGFILENAME].DLL InstallLaunchEv	"Added by the LINEAGE-PN TROJAN! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted"
X	WinAble	winable.exe	"Added by the MATCASH.BG TROJAN!"
X	WinAC v4	klsuicbn.exe	"Added by the FORBOT-CS WORM!"
U	Winacsr	Winacsr.exe	"AceScreenSpy keystroke logger/monitoring program - remove unless you installed it yourself!"
X	winactive	WINACTIVE.EXE	"WinActive variant of the LOP.com hijacker"
X	WinActiveJ	WinActiveJ.exe	Added by the ROTARRAN VIRUS!
X	Winad Client	Winad.exe	WinAd adware by eXact Advertising
X	WinAdCnt.exe	WinAdCnt.exe	"Added by the BANKER-BU TROJAN!"
X	winadm	winadm.exe	"Browser hijacker - redirecting to Search-World.net. Related to the SMALL.AEX TROJAN!"
?	WinAgent	WinAgent.exe	"Standard Life Insurance program. Is it required at startup?"
X	Winahlp.exe	Winahlp.exe	"Added by a variant of the VAGRNOCKER TROJAN!"
X	winallap	winallap.exe	"Added by the DELF.E TROJAN!"
X	winallapu	winallapu.exe	"Added by the DELF.E TROJAN!"
X	Winamp	winamp.hta	Hijacker - re-directing to adult content sites. Note - this isn't the real Winamp
X	Winamp	winamp.exe	"Added by the AGOBOT.XI WORM! Note - this is NOT the popular Winamp media player"
X	WinAMP	winamp62.exe	"Added by the SDBOT-WN WORM!"
N	Winamp	winamp.exe	"Winamp media player. Resides in a ""Winamp"" subdirectory of the Program Files directory"
X	Winamp Agent	winamp.exe	"Added by a variant of the RBOT WORM! Note - this is NOT the popular Winamp media player. The valid filename for the Winamp Agent is ""winampa.exe"" - see here"
X	Winamp Media	qmedia.exe	"Added by the DIAZMON-A TROJAN!"
X	Winamp media player	winapa.exe	Added by an unidentified VIRUS WORM or TROJAN!
X	Winamp Media Player	winamap.exe	"Detected by PCTools as the SDBOT.ACJM BACKDOOR! See here"
X	Winamp Media Player	winamp.exe	"Added by a variant of the IRCBOT BACKDOOR! See here. Note - this is NOT the popular Winamp media player which resides in a ""Winamp"" subdirectory of %ProgramFiles%"
X	WinAmp Player	winampp.exe	"Added by the RBOT-AQI WORM! Note - this is NOT the popular Winamp media player which has a different filename"
X	Winamp Player 6	Winamp6.exe	"Added by a variant of the SPYBOT WORM!"
U	Winamp to Google Talk	winamptogoogletalk.exe	"Winamp to Google Talk available here shows your current Winamp track in your Google Talk status"
X	Winamp Update	yhn.exe	"Added by the SDBOT-ACR WORM!"
U	Winampa	WINAMPa.exe	"Loads the System Tray icon for the popular Winamp media player - see here. Can be used to mantain file associations so programs like QuickTime and RealPlayer don't take over as default player for various media types. Available via Start -> Programs. Resides in a ""Winamp"" subdirectory of the Program Files directory"
X	Winampa	winampa.exe	"Added by the AGOBOT-GS TROJAN! ! Note - this is NOT associated with the popular Winamp media player. The valid file for the Winamp Agent resides in a ""Winamp"" subdirectory of the Program Files directory whereas this file is located in the System (9x/Me) or System32 (NT/2K/XP) folder"
X	Winampa Agent	WINAMPA.EXE	"Added by a variant of the RBOT WORM! Note - this is NOT the popular Winamp media player. The valid filename for the Winamp Agent is ""winampa.exe"" - see here"
U	WinampAgent	WINAMPa.exe	"Loads the System Tray icon for the popular Winamp media player - see here. Can be used to mantain file associations so programs like QuickTime and RealPlayer don't take over as default player for various media types. Available via Start -> Programs. Resides in a ""Winamp"" subdirectory of the Program Files directory"
X	WinAmpAgent	Msexploren.exe	"Added by the BDOOR-EB BACKDOOR! Note - this is NOT the popular Winamp media player which has a"
X	WinAmpAgent	Shch.exe	"Added by the BDOOR-EB BACKDOOR! Note - this is NOT the popular Winamp media player which has a"
X	WinAmpAgent	svchst.exe	"Added by the BDOOR-EB BACKDOOR! Note - this is NOT the popular Winamp media player which has a"
X	WinAmpAgent	Winagent.exe	"Added by the BDOOR-EB BACKDOOR! Note - this is NOT the popular Winamp media player which has a"
X	WinAmpAgent	msnexploren.exe	"Added by the TACTSLAY.B TROJAN!"
X	WinAmpAgent	sdhch.exe	"Added by the TACTSLAY.B TROJAN!"
X	WinAnonymous	GDC.exe	"WinAnonymous spyware remover - not recommended see here"
X	WinAntiSpyware 2005	was5.exe	"WinAntiSpyware 2005 spyware remover - not recommended see here"
X	WinAntiSpyware 2006 Scanner	was6.exe	"WinAntiSpyware 2006 rogue spyware remover - not recommended see here"
X	WinAntiSpyware 2007	was7.exe	"WinAntiSpyware 2007 spyware remover - not recommended see here"
X	WinAntispyware2008	WinAntispyware2008.exe	"WinAntispyware2008 rogue spyware remover - not recommended see here"
X	WinAntiVirus Pro 2007	WinAV.exe	"WinAntiVirus Pro 2007 rogue anti-virus software - not recommended see here"
X	WinAntiVirusPro2006	WinAV.exe	"WinAntiVirus Pro 2006 rogue virus software - not recommended see here"
X	WinApi	winapix.exe	Added by a variant of the TIBSER.A downloader TROJAN!
X	WINAPLOGUPD	WINAPLOGUPD.EXE	"Added by the CAPSIDE-C WORM!"
X	Winapp	winpup32.exe	Produces popup ads to adult content sites
X	WinApp32	msapp.exe	"Added by the RSBOT TROJAN!"
U	WinAppLog	svchost.exe	"StingKeyLogger keystroke logger/monitoring program - remove unless you installed it yourself!"
X	WinAuth	winlogon.exe	"Hijacker also indentified as the STRTPAGE.BE TROJAN! Note - this is not the legitimate winlogon.exe process which should not appear in Msconfig/Startup and is always located in the System32 folder. This file is placed in the Windows or Winnt folder"
X	WinAvX	WinAvX.exe	"WinAntiSpyware spyware remover - not recommended see here"

DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.