|
|
Startup Name
| Process Name
| Details |
| X | .svchost | CSRSS.EXE | "Added by the WEBUS.F TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | .TEXTCONV | csrss.exe | "Added by the WEBUS TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | .WMAudio | csrss.exe | "Added by the WEBUS TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | AdRotator.Application | [path to csrss.exe] | "Added by the SMALL-AQ TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | ASP.NET State Service | csrss.exe | "Added by the DLOADER-QI TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| U | AtiSound | csrss.exe | "WinSpy surveillance software. Uninstall this software unless you put it there yourself. Note - this is not the same file as the csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""ComRoot"" subfolder" |
| X | AVManager | csrss.exe | "Added by the AUTORUN-DV WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ~A~m~B~u~R~a~D~u~L~ subfolder" |
| X | BagleAV | csrss.exe | "Added by the NETSKY.AB WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | BuildLabs | csrss.exe | "Added by the WEBUS TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | ccpApps | csrss.exe | "Added by the WEBUS TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | ClickTheButton | csrss.exe | "ClickTheButton adware. Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""drivers"" subfolder" |
| X | Console de Gerenciamento Microsoft | csrss.exe | "Unidentified malware! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""Level4"" subfolder" |
| X | Console de Gerenciamento Microsoft | csrss.exe | "Added by the BANCBAN-ET TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""Central de Segurança"" subfolder" |
| X | CSRSS | CSRSS.EXE | "Search page hijacker redirecting to h**p://www.search-aide.com/. Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | Csrss | csrss.exe | "Added by the CHOD WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a random subfolder" |
| X | csrss | csrss.exe | "Added by the KEYLOG-AQ KEYLOGGER! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | csrss | csrss.exe | "Added by the CHODE-J WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a random subfolder" |
| U | csrss | csrss.exe | "BeyondKeylog surveillance software. Uninstall this software unless you put it there yourself. Note - this is not the same file as the csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %ProgramFiles%\Supremtec" |
| X | Csrss | CSRSS.EXE | "Added by the PUNYA-B WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS" |
| X | csrss.exe | csrss.exe | "Added by the DALBUG WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | csrssLevel4 | csrss.exe | "Unidentified malware! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""Level4"" subfolder" |
| X | DIECOX | csrss.exe | "Added by a variant of the ATM.GEN TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | Explorer.exe | csrss.exe | "Added by the JUEGO-B WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %AppData%\Microsoft" |
| X | FiendlyType | csrss.exe | "Added by the WEBUS TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | FirewallActivies | csrss.exe | "Added by the BANKER-AQ TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""3041"" subfolder" |
| X | KernellApps | csrss.exe | "Added by the BANCBAN-AC TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""System"" subfolder" |
| X | Key Logger | csrss.exe | "Added by the BUCHON.A WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in the root folder (ie C:\)" |
| X | Krnlcheck | csrss.exe | "Added by the BOTNACHALA TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | Logon | CSRSS.EXE | "Added by the BRONTOK-BH WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in Documents and Settings\<User>\Local Settings\Application Data\WINDOWS" |
| X | Logonrepclient1 | CSRSS.EXE | "Added by the BRONTOK-BT WORM and variants! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in Documents and Settings\<User>\Local Settings\Application Data\WINDOWS" |
| X | Logonsara | csrss.exe | "Added by the BRONTOK-BS WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in Documents and Settings\<User>\Local Settings\Application Data\WINDOWS" |
| X | Microsoft SourceSafe | csrss.exe | "Added by the WEBUS TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | Microsoft Windows CSRSS | csrss.exe | "Added by the KALEL-A WORM! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | Microsoft Windows Update Client | csrss.exe | "Added by the KEBEDE-G WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\Systems32" |
| X | Microsoft Word Profissional | csrss.exe | "Added by the BANCBAN-DB TROJAN! Note - this is not the legitimate csrss.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a ""s1613"" subfolder" |
| X | Microsoft Word Profissional | csrss.exe | "Added by the BANKER-DJ TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""protect"" subfolder" |
| X | Microsoft Word Profissional | csrss.exe | "Added by the BANKER-DP TROJAN! ! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""JavaVM"" subfolder" |
| X | Norton Protect Activies | csrss.exe | "Added by the BANKER-CZ TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""D5133"" subfolder" |
| X | NTDLM | csrss.exe | "Added by the HALE TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""Qossrv"" subfolder" |
| X | Prog | csrss.exe | "Added by the WEBUS TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | RegDone Ex | csrss.exe | "Added by the WEBUS TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | RegWrite | csrss.exe | "Added by the SOKACAPS TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\Media" |
| X | RPCserv32g | CSRSS.EXE | "Added by the BOBAX.AD WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | rundll32 | csrss.exe | "Added by the GUTTA TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | Runner | csrss.exe | "Added by the ADCLICK-AG TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | Runtime Process | Csrss.exe | "Added by the CIADOOR-J BACKDOOR! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | Runtime Server Subsystem | csrss.exe | "Added by the IRCBOT-XV WORM!" |
| X | SernellApp.pcx | csrss.exe | "Added by the BANCBAN-BJ TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""D5133"" subfolder" |
| X | Services | csrss.exe | "Added by a variant of the RANKY.U TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup!" |
| X | Shockwave | csrss.exe | "Added by the SNDOG WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | smss.exe | csrss.exe | "Added by the DALBUG WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | State Service | csrss.exe | "Added by the DADOBRA-CP TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | System | csrss.exe | "Added by the LDPINCH.E TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | System Process | csrss.exe | "Added by the ADCLICK-AG TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | SystemDriver | csrss.exe | "Added by the ASCETIC.B TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\addins\explorer" |
| X | SYSTEMSars32 | csrss.exe | "Added by the AHLEM.A WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | TaskMrg | csrss.exe | "Added by the LDPINCH-W TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | Update | csrss.exe | "Added by the ADCLICK-AG TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | Update | csrss.exe | "Added by the MEHEERWAR TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""winupdate"" subfolder" |
| X | UpDaTer | csrss.exe | "Detected by Kaspersky as the AUTORUN.DIB WORM! See here. Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ~A~m~B~u~R~a~D~u~L~� subfolder" |
| X | Windows 2004 | csrss.exe | "Added by the BANKER-DY TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %ProgramFiles%\Windows 2004\Tools" |
| X | Windows Client Service 32 | csrss.exe | "Added by the RBOT-ALB WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a drivers\winsdriver subfolder" |
| X | Windows Explorer SP2 | csrss.exe | "Added by the BANKER-DM TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""JavaBeans"" subfolder" |
| X | Windows Update | csrss.exe | "Added by the BANKER-HM TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%" |
| X | Windowsupdate Service | csrss.exe | "Added by the BABA-B WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in the root folder (ie C:\)" |
| X | WinUpdateAdministrator | CSRSS.EXE | "Added by the PUNYA-A WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in C:\Application Data\WINDOWS" |
| U | WinUpdateProtection | csrss.exe | "EmployeeWatch is a commercial surveillance software program designed to monitor user activity on a computer. Note - this is not the same file as the csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a subfolder of C:\windowsupdate\ufp" |
| X | WinXP | csrss.exe | "Added by the BANCOS-AG TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %ProgramFiles%\WinXP\Tools" |
| X | WinXP-98 | CSRSS.exe | "Added by the BANKER-DS TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %ProgramFiles%\WinXP-98\Tools" |
| U | ZoneUpdate | csrss.exe | "WinSpy surveillance software. Uninstall this software unless you put it there yourself. Note - this is not the same file as the csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""ComRoot"" subfolder" |
| X | _SystemDriver | csrss.exe | "Added by the ASCETIC.B TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\addins\explorer" |
