Windows Startup Item Database

HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!

Page

Key:

"Y" - Normally leave to run at start-up
"N" - Not required - typically infrequently used tasks that can be started manually if necessary
"U" - User's choice - depends whether a user deems it necessary
"X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
"?" - Unknown

	Startup Name	Process Name	Details
X	Windows Media Player	mcafe32.exe	"Added by the RBOT-YO WORM!"
X	Windows Media Player	wmplayer.exe	"Added by the KELVIR.G WORM or variants! Note - this is not the valid Windows Media Player as the executeable resides is C:WindowsSystem (Win9x/Me) C:WinntSystem32 (WinNT/2K) or C:WindowsSystem32 (WinXP) rather than C:Program FilesWindows Media Player"
X	Windows Media Player	50cent.exe	"Added by a variant of the RBOT WORM!"
X	Windows Media Player	mpwe.exe	"Added by the RBOT-TT WORM!"
X	Windows Media Player	msams.exe	"Added by the RBOT.AHR WORM!"
X	Windows Media Player 3.6	wmpa36.exe	"Added by a variant of the RBOT WORM!"
X	Windows Media Player 3.6b	WMPA36B.EXE	"Added by the RBOT-VV WORM!"
X	Windows Media Player 3.6d	wmpa36d.exe	"Added by the RBOT-YA WORM!"
X	Windows Media Player 3.9	wmpa36.exe	"Added by a variant of the RBOT WORM!"
X	Windows Media Player Service	wmedia.exe	"Added by the RBOT.213504 WORM!"
X	Windows Media Player Update	[random filename]	"Added by the RBOT-ET WORM!"
N	Windows Media Powerpoint Helper	NSPPTHLP.EXE	German software (comes with some Toshiba CD writers) that helps convert Powerpoint files to ASF (Streaming Media) files. Available via Start -> Programs
X	Windows Media Server	wmserv.exe	"Added by a variant of the IRCBOT TROJAN! See here"
X	Windows Media Server!	wmserver.exe	"Added by a variant of the IRCBOT TROJAN! See here"
X	Windows media service	crvss.exe	"Added by the SDBOT.VP WORM!"
X	Windows media service	crsss.exe	"Added by the RBOT.ACY WORM!"
X	Windows media service	Sygate32.exe	"Added by the RBOT.ADE WORM!"
X	Windows media services	cvrsss.exe	"Added by the RBOT-MW WORM!"
X	Windows Media SP.2.37	[random filename]	"Added by the LEMIR.C TROJAN!"
X	Windows Media Updater	crease.exe	"Added by the RBOT-ATI WORM!"
X	Windows Media Upgrade	NeUpgrade.exe	"Added by the RBOT.BMF TROJAN!"
X	Windows Media Utility	wmediautil.exe	"Added by a variant of the SPYBOT WORM!"
X	Windows Memory Drivers	memretain.exe	"Added by a variant of the IRCBOT TROJAN!"
X	Windows Memory Manager	windowsmem.exe	"Added by a variant of the IRCBOT TROJAN! See here"
X	Windows Memory Running Services	memrun.exe	"Detected by Kaspersky as the IRCBOT.BLL TROJAN! See here"
X	Windows Memory Sharing	memoryshr.exe	"Added by a variant of the IRCBOT TROJAN!"
X	Windows Memory Sharing	memshare.exe	"Detected by Trend Micro as the IRCBRUTE.AG TROJAN! See here"
X	Windows Memory Sharing	memshr.exe	"Detected by PCTools as the IRCBOT.WCH TROJAN! See here"
X	Windows Messanger Control Center	svchosl.exe	"Added by a variant of the IRCBOT BACKDOOR! See here"
X	Windows Messanger Control Center	svhost.exe	"Added by a variant of the IRCBOT BACKDOOR! See here"
X	Windows Messanger Control Center	winlogin.exe	"Added by a variant of the IRCBOT BACKDOOR! See here"
X	Windows Messanger Control Center	winlogon.exe	"Added by a variant of the IRCBOT BACKDOOR! See here. Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
X	Windows Messanger Control Center	winsys.exe	"Added by a variant of the IRCBOT BACKDOOR! See here"
X	Windows messenger	messengers.exe	"Added by the MYTOB.EI WORM!"
X	Windows Messenger	msnsmgs.exe	"Added by the RBOT-ANJ WORM!"
X	Windows Messenger	msnmsg.exe	"Added by the SPYBOT.BV WORM!"
X	Windows Messenger Connect	wmdsvc.exe	"Detected by Trend Micro as the SLENFBOT.S WORM! See here"
X	Windows Messenger Fileshare	wivsvc.exe	"Detected by Symantec as the SILLYIM WORM! See here"
X	Windows Messenger Live MSN	winlivemsnmessenger.exe	"Added by a variant of the IRCBOT BACKDOOR!"
X	Windows Messenger Live Startup	windowslivemsn.exe	"Added by an unidentified WORM or TROJAN! See here"
X	Windows Messenger Live Startup	windowsmsnlive.exe	"Detected by Kaspersky as the DELF.DAX TROJAN! See here"
X	Windows Messenger Messenger	winmsg.exe	"Added by the VELKBOT.A WORM!"
X	Windows Messenger Panel	wbcsvc.exe	"Detected by Trend Micro as the IRCBOT.ADA TROJAN! See here"
X	Windows Messenger Service	winsmsgr.exe	"Added by the RBOT-VW WORM!"
X	Windows Messenger Service	kaspersky.exe	"Added by the MYTOB.HY WORM!"
X	Windows Messenger Share	wmssvc.exe	"Added by a variant of the IRCBOT TROJAN! See here"
X	Windows Messenger Starter	wmvsvc.exe	"Detected by Trend Micro as the SLENFBOT.T WORM! See here"
X	Windows MeTaLRoCk service	metalrock.exe	"Added by the TASTYRED TROJAN!"
X	Windows Micro Drivers	wupdates32.exe	"Added by the RBOT-AEH WORM!"
X	Windows Microsoft Service	[random filename]	"Added by the AGENT-HCD TROJAN!"
X	Windows Microsoft Services	[8 random letters].exe	"Detected by Trend Micro as the KOLAB.AW WORM! See here for an example"
X	Windows Microsoft Update	wintask32.exe	"Added by a variant of the SDBOT WORM!"
X	Windows Microsoft Verifier	winauth23.exe	"Added by a variant of the RBOT WORM!"
U	Windows Mobile Device Center	wmdc.exe	"Windows Mobile Device Center for Windows Vista. Replaces Microsoft ActiveSync and provides overall device management features for your Windows Mobile powered devices for Windows Vista"
U	Windows Mobile-based device management	wmdSync.exe	Part of Windows Mobile Device Center in Vista. Microsoft Windows Mobile Device Center enables you to set up new partnerships synchronize content and manage music pictures and video with Windows Mobile powered devices (Windows Mobile 2003 or later)
U	Windows Mobile-based device management	wmdc.exe	"Windows Mobile Device Center for Windows Vista. Replaces Microsoft ActiveSync and provides overall device management features for your Windows Mobile powered devices for Windows Vista"
X	Windows mod Verifier	Windows-mod.exe	"Added by the RBOT.DSU WORM!"
X	Windows modez Verifier	w1nz0zz0.exe	"Added by a variant of the SDBOT WORM!"
X	Windows modez Verifier	Window2.exe	"Added by a variant of the RBOT WORM!"
X	Windows modez Verifier	WindowsLogon.exe	"Added by a variant of the SDBOT WORM!"
X	Windows modez Verifier	Wwuamguard.exe	"Added by the RBOT.EZJ WORM!"
X	Windows modez Verifier	winlogom.exe	"Added by a variant of the RBOT WORM!"
X	Windows modez Verifier	Windows-.exe	"Added by the RBOT-DIO WORM!"
X	Windows modez Verifier	taskmngr.exe	"Added by a variant of the RBOT WORM!"
X	Windows modez Verifier	winl0g0z.exe	"Added by the RBOT-FNB WORM!"
X	Windows modez Verifier	wuamguard.exe	"Detected by Kaspersky as the RBOT.CYA TROJAN! See here"
X	Windows Monitor	winmon.exe	"Added by the SDBOT.VB WORM!"
X	Windows Monitor	arsetup.exe	Added by the SPAZBOX.A TROJAN!
X	Windows Monitor Services	winmonitor.exe	"Added by the RBOT-XX WORM!"
X	Windows Monitoring Service	winmon.exe	"Added by a variant of the SDBOT WORM!"
X	Windows More Choice	TopContext.exe	"ZQuest adware"
X	Windows Mouse Services	winmouse.exe	"Added by the CHECKOUT WORM! See here"
X	Windows Mouse Services	winmouse64.exe	"Detected by Trend Micro as the IRCBOT.AIA TROJAN! See here"
X	Windows Mouse Utilities	mouseutils.exe	"Added by the RBOT-ABU WORM!"
X	Windows ms Drivers	msnup32.exe	"Added by the SDBOT-AAL WORM!"
X	Windows MS Update 32	fhm.exe	"Added by the IRCBOT.GEN WORM!"
X	Windows MS Update 32	sucker.exe	"Added by the FORBOT-GJ WORM!"
X	Windows MSConfig Startup Logger	winlog.exe	"Added by the RBOT.BCU WORM!"
X	Windows MSN	MSN.msn	"Added by the TRIXCU.A WORM!"
X	Windows Msn Live Messanger	msnmsgsman.exe	"Added by a variant of the SDBOT WORM!"
X	Windows MSN Live Messanger	wmsnlive.exe	"Detected by Kaspersky as the RBOT.BMV TROJAN! See here"
X	Windows MSN Live Messanger	livemsngs.exe	"Detected by Kaspersky as the RBOT.BMV BACKDOOR! See here"
X	Windows MSN Live Messenger	winlivemsn.exe	"Added by an unidentified WORM or TROJAN! See here"
X	Windows MSN Live Messenger	winmessengerlive.exe	"Detected by Kaspersky as the IRCBOT.EAD BACKDOOR! See here"
X	Windows MSN Updates	wnd32.exe	"Added by the IRCBOT-ABA TROJAN!"
X	Windows MSN2 XP	swchost.exe	"Detected by Trend Micro as the KOLAB.AA WORM! See here"
X	Windows MSX drivers	winmsx.exe	"Added by the RBOT-AYG TROJAN!"
X	Windows Net Cfg	service.exe	"Added by a variant of the RBOT WORM!"
X	Windows NetDDe	wrmana32.exe	"Added by the MYTOB.IM WORM!"
X	Windows Nets	WinNET.exe	"Added by the RBOT-MO WORM!"
X	Windows NetStart Service	winsN2S.exe	"Added by the RBOT-ZX WORM!"
X	Windows NetStart Service2	winsN2S.exe	"Added by the RBOT-ABN WORM!"
X	Windows NetStart Service2	winsN2SD.exe	"Added by a variant of the RBOT WORM!"
X	Windows Netsystem Layer	Netsystem.exe	"Added by the RBOT.BEI WORM!"
X	Windows Network Controller	Mqguard.exe	"Added by the FORBOT-CL WORM!"
X	Windows Network Controller	WinxPupd.exe	"Added by the FORBOT-DK WORM!"
X	Windows Network Controller	winmms32.exe	"Added by the FORBOT-ED WORM!"
X	Windows Network Controller	wingmt.exe	"Added by a variant of the SDBOT WORM!"
X	Windows Network Controller	Win9x.exe	"Added by the WOOTBOT.I WORM!"
X	Windows Network Firewall	firewall.exe	"Added by the POEBOT-J WORM!"
X	Windows Network Logon	npesvc.exe	"Detected by Trend Micro as the AGENT.ERZ TROJAN! See here"
X	Windows Network Service	winvc32.exe	"Added by the RBOT.RY WORM!"
X	Windows Network Service	Msconf32.exe	"Added by a variant of the RBOT WORM!"
X	Windows Network Services	winnetwork.exe	"Added by a variant of the IRCBOT TROJAN! See here"
X	Windows Network Services	winnetwork128.exe	"Added by the CHECKOUT WORM! See here"
X	Windows Network Services	winnetwork32.exe	"Added by a variant of the IRCBOT TROJAN! See here"
X	Windows Network Services	winnetwork64.exe	"Added by a variant of the IRCBOT TROJAN! See here"
X	Windows Network Session	nspsvc.exe	"Added by a variant of the IRCBOT TROJAN! See here"
X	Windows Networking	winsys32.exe	"Added by the GAOBOT.FL WORM!"
X	Windows Networking Monitor	mdm.exe	"Added by a variant of the IRCBOT BACKDOOR! Note - this is not the legitimate Machine Debug Manager (mdm.exe) process which is always located in %ProgramFiles%Microsoft Shared. This one is located in %System%"
X	Windows Networking Monitorin	xmdmx.exe	"Added by a variant of the IRCBOT BACKDOOR! See here"
X	Windows Networking Monitoring	mdm.exe	"Added by the IRCBOT.AKZ WORM! Note - this is not the legitimate Machine Debug Manager (mdm.exe) process which is always located in %ProgramFiles%\Microsoft Shared. This one is located in %System%"
X	Windows Networks	netcog.exe	"Added by the MYTOB.FH WORM!"
X	Windows Nivedia Driver	sysMGT.exe	"Added by a variant of the RBOT WORM!"
X	Windows NNT	[path to trojan]	"Added by the RANKY.E TROJAN!"
X	Windows NT 32	ntlogin32.exe	"Added by the RANDEX.BRD WORM!"
X	Windows NT Login	ntlogin32.exe	"Added by the SDBOT.WG WORM!"
X	Windows NT Login Session Manager	WNSM.EXE	"Added by the RBOT.BIV WORM!"
X	Windows NT Logon Application	winlogon.scr	"Added by the RBOT-ALP WORM!"
X	Windows NT Service Name	winshock.exe	"Added by the RBOT-PK WORM!"
X	Windows NT Session Manager	sess.exe	"Added by a variant of the RBOT WORM!"
X	Windows NT Update Manager	WINL0G0N.exe	"Added by the AGOBOT-NU WORM! Note that those are zeroes in the filename and not capital ""o"""
X	Windows NTFS Volume Manage	[6 random letters].exe	"Detected by Kaspersky as the RBOT.EDL TROJAN! See here"
X	Windows OEM Tools	winres32.exe	"Added by the SPYBOT.FD WORM!"
X	Windows Offical Netvvorks	mywriter32.exe	"Added by a variant of the SDBOT WORM! See here"
X	Windows Office Monitor	emdm.exe	"Detected by Trend Micro as the RBOT.GJO TROJAN! See here"
X	Windows OLE Automation Server	ole32aut.vbe	"CoolWebSearch parasite variant"
X	Windows Online Updater	dllman.exe	"Added by the RBOT-TE WORM!"
X	Windows Pc	winmgr.exe	"Added by the BIBOT-A WORM!"
X	Windows PDG	winpdg.exe	"Added by the RBOT-ADW WORM!"
X	Windows Performance Monitor	wmscupd.exe	"Added by the IRCBOT_GEN WORM!"
X	Windows PNP	winpnp.exe	"Added by the RBOT-AKN WORM!"
X	Windows PNP Server	pnpsrv.exe	"Added by the MS05-039 variant of the SDBOT WORM!"
X	Windows Pool Manager	poolsc.exe	"Detected by Trend Micro as the OBOT.CH WORM! See here"
X	Windows Pool Setup	poolmc.exe	"Added by the CHECKOUT WORM! See here"
X	Windows Population Logger	winpo32.exe	"Added by the AGENT.YKR WORM!"
X	Windows Portable Device Drivers	MSKSVRVS.EXE	"Added by a TROJAN - see here"
X	Windows Portable Devices	MSKSVRTSS.EXE	"Added by the SPYBOT.APEO WORM!"
X	Windows Print Monitor Daemon	[random filename].exe	"Added by a variant of the SDBOT WORM!"
?	Windows Print Spooler	SCVHOSTS.EXE	"Suspicious due to the similarity to the valid ""svchost.exe"" file"
X	Windows Print Spooler	NavAgent32.exe	Added by an unidentified VIRUS WORM or TROJAN!
X	Windows Print Spooler	SVEHOST.EXE	"Added by the SPYBOT.H WORM!"
X	Windows Printing Driver	WinPrint.exe	"Added by a variant of the RBOT WORM!"
X	Windows Printing Driver	WinSpooler.exe	Added by an unknown malware
X	Windows Process	win_update.exe	"Added by the LASTWORD WORM!"
X	Windows Process Manager	winproc.exe	Added by an unidentified WORM or TROJAN!
X	Windows Processe Manager	mspn32.exe	"Added by a variant of the RBOT WORM!"
X	Windows Proffesional Security	WinSecure32.exe	"Added by the AGOBOT.VA WORM"
X	Windows Protected Storage	npssvc.exe	"Detected by Trend Micro as the IRCBOT.AUL TROJAN! See here"
X	Windows Protectot	boxide.exe	"Added by a variant of the WOOTBOT WORM!"
X	Windows Recavery Adware	lsass.exe	"Added by an unidentified TROJAN - see here. Note - this is not the legitimate lsass.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup!"
X	Windows Recylinder Check	zwdomsgemw.exe	"Added by the RBOT-EGJ WORM!"
X	Windows Reg Services	ffservice.exe	"Added by the DLOADER-PL or DLOADER-XM TROJANS!"
X	Windows Reg Services	dservice.exe	"Added by the PRORAT-D TROJAN!"
X	Windows Reg Services	fservice.exe	"Added by the PRORAT-D TROJAN!"
X	Windows Reg Services	ssservice.exe	"Added by the PRORAT-D TROJAN!"
X	Windows Reg Services	lncom.exe	"Added by the PRORAT-O TROJAN!"
X	Windows Reg Services	lservice.exe	"Added by the PRORAT-O TROJAN!"
X	Windows Reg Services	wservice.exe	"Added by the PRORAT-O TROJAN!"
X	WINDOWS REGISTER EDIT	registr32.exe	Added by an unidentified WORM or TROJAN!
X	Windows Register Settings	svmhost.exe	"Added by a variant of the FORBOT WORM!"
X	Windows Registers	winservicess.exe	"Added by a variant of the SDBOT WORM!"
X	Windows Registery Center	svhchosts.exe	"Added by a variant of the IRCBOT BACKDOOR! See here"
X	Windows Registry	msnmsg.exe	"Added by a variant of the RBOT WORM!"
X	Windows Registry	winhost.exe	"Added by a variant of the RBOT WORM!"
X	Windows Registry Cleaner	winclean.exe	"Added by a variant of the SPYBOT WORM!"
X	Windows Registry Control	winreg.exe	"Added by a variant of the IRCBOT TROJAN! See here"
X	Windows Registry DLL	winregdll.exe	"Detected by Trend Micro as the IRCBOT.FB TROJAN! See here"
X	Windows Registry Express Loader	regexpress.exe	"Added by the FORBOT-CJ WORM!"
X	Windows Registry Manager	tasksmanagers.exe	"Added by the MYTOB.ER WORM!"
X	Windows Registry Name	[random filename]	"Added by the RBOT-AEB WORM!"
X	Windows Registry Name	winses.exe	"Added by the RBOT-ADB WORM!"
U	Windows Registry Repair Pro	RegistryRepairPro.exe	"Registry Repair Pro. ""Scans the Windows Registry for invalid or obsolete information in the registry"""
X	Windows Registry Scan	regscan32.exe	"Added by the RBOT.KE WORM!"
X	Windows Registry Scan	timeupdate.exe	"Added by the SPYBOT.JE WORM!"
X	Windows Registry Scan	svcdll.exe	"Added by the RBOT-TP WORM!"
X	Windows Registry Scan	regscan23.exe	"Added by a variant of the RBOT WORM!"
X	Windows Registry Scan	regscan.exe	"Added by the RBOT-HA WORM!"
X	Windows Registry Scan	winmedia.exe	"Added by the SPYBOT.GK WORM!"
X	Windows Registry Security	crss.exe	"Added by a variant of the IRCBOT TROJAN!"

DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.