| Status | Name/Startup Item | Command | Comments |
|---|---|---|---|
| X | | system32.exe | Added by the AGOBOT-KU WORM! Note - has a blank entry under the Startup Item/Name field |
| Y | !1_pgaccount | pgaccount.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. You will see one instance of pgaccount.exe for every active account on your system, and this is essential for PG to work properly |
| Y | !1_ProcessGuard_Startup | procguard.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks |
| N | !NoLoad | winrecon.exe | WinRecon - surveillance software that creates records of everything people do on a computer, i.e., spying or monitoring, depending on what you call it |
| ? | $EnterNet | Enternet.exe | Connection manager for the EnterNet ISP. You can also use RASPPOE |
| X | $WindowsRegKey%update | IEXPLORE.EXE | Added by the RBOT-EZ WORM! Note - this is not the legitimate Internet Explorer (iexplore.exe) process, which should not appear in Msconfig/Startup unless you add it manually! |
| N | %cmpmixtitle% | %cmpmixstr% | Possibly related to C-Media Mixer Control panel? |
| ? | %FP%012-L2TP fts.exe | fts.exe | 012.Net ISP software - what does it do and is it required? |
| ? | %FP%012-L2TP FWPortal.exe | FWPortal.exe | 012.Net ISP software - what does it do and is it required? |
| ? | %FP%1776 Internet fts.exe | fts.exe | 1776 Internet ISP software - what does it do and is it required? |
| ? | %FP%1776 Internet FWPortal.exe | FWPortal.exe | 1776 Internet ISP software - what does it do and is it required? |
| ? | %FP%Barak013 fts.exe | fts.exe | Barak013 ISP software - what does it do and is it required? |
| ? | %FP%Barak013 FWPortal.exe | FWPortal.exe | Barak013 ISP software - what does it do and is it required? |
| ? | %FP%Friendly fts.exe | fts.exe | Friendly ISP software - what does it do and is it required? |
| X | (*)API Machine | winSOCKS.exe | Homepage hijacker, see here (* = any digit) |
| X | (*)Run | win32API.exe | Homepage hijacker, see here (* = any digit) |
| X | (Default) | media_driver.exe | Added by the TUPEG VIRUS! |
| X | (Default) | Shania.vbs | Added by the SHANIA TROJAN! |
| X | (Default) | NOTEPAD.exe | Added by the RUSTY WORM! Note - not to be confused with the valid Windows "NOTEPAD" text editor |
| X | (default) | [random filename].exe | Added by the BLACKMAL WORM! |
| X | (default) | twunk_32.exe | Added by the BLACKMAL.C WORM! |
| X | (default) | winhelp.exe | Added by the BLACKMAL.C WORM! |
| X | (L4r1$$4) (4nt1) (V1ruz) | SP00Lsv32.pif | Added by the ASSIRAL.B WORM! |
| X | *JanisRuckenbrodII | janis.com | Added by the POPS WORM! |
| Y | *StateMgr | statemgr.exe | Windows ME default for System Restore. Do NOT disable! |
| X | *windows update | wrauclt.exe | Added by the RBOT-QU WORM! |
| X | *windows update | wuanclt.exe | Added by the RBOT-PG WORM! |
| X | *windows update | wuaucrlt.exe | Added by the SPYBOT.HUR WORM! |
| X | *windows update | wuraclt.exe | Added by the RBOT-PO WORM! |
| X | *windows update | wurauclt.exe | Added by the RBOT-SY WORM! |
| X | *windows update | wsctl.exe | Added by the SPYBOT.PR WORM! |
| X | *WinLogon | [trojan path] ren time:[random number] | Added by the VUNDO TROJAN! |
| X | ,main drive Loader | wininfo.exe | Suspected malware as it appears in 3 different registry locations - see here |
| X | .mscdr | lassa.exe | Added by the WEBUS.C TROJAN! |
| X | .mscdr | lsvchost.exe | Added by the WEBUS.D TROJAN! |
| X | .mssecure | mssecure.exe | Added by the DDOS_BOXED.X TROJAN! |
| ? | .NET config | sysmon32.exe | ?? |
| X | .norton | rchost.exe | Added by a variant of the BOXED-A TROJAN! |
| X | .Prog | services.exe | Added by the NEVEG.B or NEVEG.C WORMS! Note - this is not the legitimate services.exe process, which should not appear in Msconfig/Startup! |
| X | .Prog | winlogon.exe | Added by the NEVEG.A WORM! Note - this is not the legitimate winlogon.exe process, which should not appear in Msconfig/Startup! |
| X | .TEXTCONV | csrss.exe | Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process, which should not appear in Msconfig/Startup! |
| X | .TEXTCONV | lsass.exe | Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process, which should not appear in Msconfig/Startup! |
| X | .WMAudio | csrss.exe | Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process, which should not appear in Msconfig/Startup! |
| X | .WMAudio | lsass.exe | Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process, which should not appear in Msconfig/Startup! |
| N | /l:eng | N/A | Related to the Dell OEM version of the Sound Blaster Audigy 2 sound card. If this item is listed and checked in startup, the System32 Folder will appear on every startup. A patch is available - filename R75304.EXE - that fixes the issue. You can find that file at support.dell.com by typing that name in the 'Search' box available there. It addresses the root of the problem in Creative's software and corrects it. Unfortunately there is no direct link to the file, but it's easily available using the search function |
| X | 000hpdllhos | hpdllhost.exe | LZIO.com adware downloader |
| U | 000StTHK | 000StTHK.exe | Toshiba Hot key functionality for the function keys (Fn-Esc, Fn-F1 (lock), Fn-F2, Fn-F3, Fn-F4, Fn-F5 (switching between laptop and CRT display output), etc...) |
| U | 00THotkey | 00THotKey.exe | For Toshiba Satellite notebook series to use the front buttons, play, stop, next, prev. |
| U | 0190 Warner | WARN0190.EXE | Anti-dialer program (Germany) |
| U | 0900 Warner | WARN0900.EXE | Anti-dialer program (Germany) |
| X | 123456 | rundll32.exe shell32.dll, Control_RunDLL ...123456.cpl | Added by the KITRO.C (or DANDI.A) WORM! 123456 can be any random 3 to 6 digit number |
| U | 12Ghosts Popup-Killer | 12popup.exe | 12Ghosts Popup-Killer |
| ? | 17779Proj2002 | N/A | ?? |
| X | 180adsolution | 180adsolution.exe | 180Solutions/N-Case adware variant |
| X | 180ax | 180ax.exe | 180Solutions/N-Case adware variant |
| N | 1: | hpdrv.exe | HP utility for monitoring when and how many recoveries have been done |
| N | 1A:MacVisionTrayMonitor | TrayMonitor.exe | Comes with the MacVision program for monitoring tray icons (Note: program is by Stardock) |
| Y | 1A:Stardock MCP | mcpserver.exe | Master Control Program for Stardock apps, in development. People should leave it running if they're using any of the Stardock applications |
| Y | 1A:Stardock TrayMonitor | TrayServer.exe | For monitoring tray icons - if disabled icons will not be displayed in ObjectBar or DesktopX |
| ? | 1CmailS | NETMAIL.EXE | ?? |
| X | 1on1 | 1on1.exe | Adult content dialler |
| U | 1Srv32 | SpyAgent4.exe | SpyTech SpyAgent monitoring software. "Spy software that allows you to monitor EVERYTHING users do on your PC." |
| U | 1Win32Cfg | SpyBuddy.exe | SpyBuddy monitoring software |
| U | 1Win32Cfg | Keyloggerpro.exe | KeyloggerPro - monitoring software |
| X | 1WinCfg32 | WebMailSpy.exe | WebMailSpy spyware |
| X | 2020Downloader | mssvr.exe | 2020Search Toolbar related. Reported to be auto-installed |
| X | 2thousandbuck | [path to file] | Added by the RANKY.L TROJAN! |
| U | 2wSysTray | 2portalmon.exe | 2Wire Homeportal user interface |
| X | 32-bit Thunking service | thunk32.exe | Added by the DERDERO.A WORM! |
| ? | 39ELTFH25Z8SKF | Ezg1q5.exe | Seems to be associated with software by Resplendence SP ? |
| Y | 3c1807pd | 3cmlink.exe 3cpipe-3c1807pd | 3Com WinModem driver. See here for more WinModem information |
| Y | 3capplnk | 3capplnk.exe | US Robotics Modem driver |
| N | 3cdminic | 3CDMINIC.EXE | 3Com DMI (DynamicAccess Desktop Management Interface) Agent associated with 3Com network cards |
| ? | 3CM Link | 3cmcnkw.exe | ?? |
| Y | 3Cmlink | 3CmlinkW.exe | For a US Robotics WinModem. Provides the link to Windows as the CPU does the processing on WinModems - won't work without it. See here for more WinModem information |
| N | 3ComDMIAgent | 3CDMINIC.EXE | 3Com DMI (DynamicAccess Desktop Management Interface) Agent associated with 3Com network cards |
| Y | 3cpipe-USRpdA | USRmlnkA.exe | Modem driver files from US Robotics |
| X | 3D Text | 3D Text.scr | Added by the JERMY.A WORM! |
| U | 3Deep Control Panel | 3DeepCTL.EXE | From LightSurf Technologies (nee E-Color) - 3Deep corrects lighting, shading and color for all your 2D and 3D games |
| X | 3Dfx Acc | GFXACC.EXE | Added by the GIBE WORM! |
| N | 3dfx Task Manager | 3dfxMan.exe | System Tray application for 3dfx Voodoo 3/4/5 functions. Available via Start -> Programs |
| Y | 3dfx Tools | 3dfxCmn.dll | Updates the registry with information that can't be held for Voodoo 3/4/5 series graphics cards. Important for owners of these cards |
| Y | 3dfxv2ps.dll | 3dfxv2ps.dll | Updates the registry with info that can't be held for 3dfx Voodoo 2 video cards. Important for owners of these cards |
| ? | 3Dlabs Taskbar Display Manager | 3DLman.exe | 3DLabs graphics driver related. System Tray access to display settings? |
| U | 3DLabsHelperDemon | 3dldemon.exe | Directly from the program's author "It is a tiny program that is installed by the Permedia2/3 and probably other Oxygen-series cards. Normally it sits in the background doing nothing at all (sleeping on a semaphore), so it should take zero CPU time and virtually zero memory, since it will all be paged out to the hard drive." In most cases it can be safely disabled |
| U | 3qdctl.exe | 3qdctl.exe | Provided with Terratec 128i PCI and similar sound cards. Loads a sound profile at bootup, restoring volume and other audio settings to a pre-determined default. Similar to Creative Labs' AudioHQ |
| Y | 3ware 3DM | 3dm.exe | Monitors status of the disk array on 3ware IDE RAID controllers |
| X | 4wd!!! | Natal!.pif | Added by the OPASERV.AI WORM! |
| X | 5-1-61-96 | members-area.exe | Adult content dialler |
| X | 5-2-46-112 | 5-2-46-112.exe | Adult content pop-up dialler. Removal instructions here |
| X | 666 | Ska.exe | Added by the PIPES TROJAN! |
| X | 9xHtProtect | AVprotect9x.exe | Added by the NETSKY.M WORM! |
| X | ;Rundll | [filename] | Added by the PWSLEGMIR.E TROJAN! |
| X | @ | regedit -s ..win.dll | Added by the SEEKER.K TROJAN! |
| N | @Hoc Toolbar | AtHoc.exe | One-click activated browsing toolbar used by various web-sites. See here for more info |
| N | @loha | reminder.exe | Registration reminder for @loha@home E-mail utility |
| X | @tour_ww | @tour_ww[1].exe | Adult content dialler |
| X | a | a.exe | Commercials file that registers itself in the system registry and redirects IE to a certain commercial website |
| U | a-squared | a2guard.exe | a-Squared antitrojan - can be run on demand but necessary in Startup if you prefer the a² 'Background Guard' real time protection feature |
| Y | a-winpoet-service | winpppoverethernet.exe | WinPoET is the industry's first Windows-based PPP over Ethernet client. Developed by iVasion, WinPoET is attractive to equipment providers, modem suppliers, RBOCs and ISPs. For more info read here. It uses dial-up networking for new high-speed internet customers who are more familiar with analogue modems. If unchecked in MSCONFIG it reports Error 360 - Hardware Error in dial-up networking |
| U | A1000 Settings Utility | cpqa1000.exe | Compaq A1000 Print Fax All-in-One copy scan printer software. Required in the Startup in order to scan, print, copy and fax. Only required if you use these features |
| U | A4Proxy | A4Proxy.exe | Anonymity 4 Proxy - local proxy server that makes you anonymous when visiting web sites |
| ? | AAACLEAN | AAACLEAN.INF | ?? |
| ? | AAAKeyboard | ?? | ?? |
| N | AAATraySaver | TraySaver.exe | System Tray management utility from Mike Lin which allows you to hide, show, restore icons that are lost in an Explorer crash, remove dead tray icons, minimize any window to the System Tray |
| U | AAK | aak.exe | Advanced Anti-Keylogger - "Anti-spy software to prohibit operation of any keyloggers currently in use or presently being developed anywhere" |
| X | Aaou | amee.exe | PurityScan/Clickspring adware |
| ? | ab EazyScheduler | ezsched.exe | ?? |
| N | ABBYY Community Agent | CAGENT.EXE | Installed with the Optical Character Recognition (OCR) software that comes bundled with a Compaq A3000 all-in-one printer/scanner. Its function appears to be to link you to the internet in an attempt to buy the 5.0 version of the software |
| X | ABC | keylogger.exe | Monitors keystrokes so you can check if someone has typed anything while you're away from your PC. Reported as spyware by SpyCop in their FAQ |
| U | ABIT uGuru | uGuru.exe | Provides quick access to several Abit motherboard utilities - such as monitoring cpu temperature, fan speeds, overclocking, flashing of BIOS |
| U | Absolute Shield | dseraser.exe | Absolute Shield/Evidence Eliminator - internet history eraser |
| U | Absolute StartUp monitor | ASMon.exe | Absolute Startup - startup monitor from F-Group Software |
| X | ABsr | absr.exe | Added by the AUTOUPDER TROJAN! |
| X | absr | mwsvm.exe | SeekSeek search hijacker related - as seen here |
| X | abtu | mp3serch.exe | Loads the executable for Lop.com. mp3serch.exe is the final version |
| X | abtu | lopsearch.exe | Loads the executable for Lop.com. lopsearch.exe is the beta version |
| U | AbyssWebServer | abyssws.exe | Abyss web server |
| Y | AcBtnMgr_Xxx | AcBtnMgr_Xxx.exe | Associated with the Lexmark Xxx (where "xx" is the model) all-in-one printer/scanner/copier. Required for correct operation |
| U | acc | acc.exe | Advanced Call Center - "full-featured yet easy-to-use answering machine software for your voice modem" |
| X | ACCDEFRAGINFO | [path to worm] | Added by the DARBY-O WORM! |
| U | Accelerate | accelerate.exe | Webroot Accelerate - allows you to optimize Windows network registry settings in order to boost surfing speeds. Leave this enabled if you find it improves your connection |
| N | Access Ramp Monitor | armon32.exe | Monitors your progress on the internet; hang-ups, connection speeds, internet congestion and traffic flow. It prevents some games from running also. To disable the Access Ramp Monitor (1) Open Windows Explorer (2) Open the Program Files folder (3) Open the MindSpring folder (4) Open the AccessRamp folder (5) Double-click on the ARMCfg32.exe file (6) Uncheck Enable Dialup Monitor and click OK (7) Restart the computer and try again |
| N | AccessRamp Monitor01 | ARMon32a.exe | From a visitor "Just wanted to provide you with some info on Access Ramp software installed with Verizon DSL accounts in those areas that use the Winpoet PPPoE software. The Access Ramp TSRs are installed as part of IP Insight software (can't remember the software maker). You can decline to install IP Insight during Winpoet setup, or go into Add/Remove programs uninstall IP Insight by hand if it's already installed. It really doesn't do a darn thing for you. It was intended to help DSL techs monitor QoS, but the backend part was never implemented (at least as of earlier this year). This will not affect the user's ability or inability to access their DSL service." |
| N | AccessRampLAN01 | ARUpld32.exe | Version of the AccessRamp Monitor01 entry for LAN connections - a history uploader. The key in turning it off is a file named ARUCfg32.exe. This file (ARUCfg32.exe) does not show up in the startup process. If you have this file, you can execute it and remove all the monitoring activities it does. Removing all the checks in all the boxes (both tabs) still calls ARUpld32.exe to start when you start the dial up. You can block it from sending info if you have Zone Alarm installed. Renaming the extension of ARUCfg32.exe to ARUCfg32.exe1 works. The ARUpld32.exe is not loaded when launching the dial up client. Written by IP Insight and also included with Earthlink Total Access 2003 |
| U | AcctMgr | AcctMgr.exe | Norton™ Password Manager - part of Norton SystemWorks 2004 - stores passwords and other personal information, and retrieves the data needed for email logins, shopping orders, banking, and other online activities—all from the safety of your own PC |
| N | AccuWeather.com® Desktop | ?? | Desktop weather from AccuWeather.com |
| ? | Ace bows | Ace bows.exe | ?? |
| N | AceGain LiveUpdate | LiveUpdate.exe | AceGain_LiveUpdate. "AceGain LiveUpdate provides a fully managed and customizable LiveUpdate platform that seamlessly integrates with a game. As soon as an update is made available, AceGain manages the alert, download and installation as well as version control and user network preferences." |
| U | AcerNotebookManager | almxptray.exe | System Tray access on some Acer Notebooks to give faster access to system settings |
| U | AcerPowerkey | Powerkey.exe | PowerKey utility for Acer TravelMate notebook PCs. Allows the user to quickly switch between different power schemes by pressing Fn+F3 |
| N | Acme.PCHButton | pchbutton.exe | Used by HP Instant Support |
| Y | ACMonitor_Xxx | ACMonitor_Xxx.exe | Associated with the Lexmark Xxx (where "xx" is the model) all-in-one printer/scanner/copier. Required for correct operation |
| X | acocash | fastdown.exe | Adult content dialler |
| U | Acombo3dmouse | Acombo3d.exe | Mouse driver - required if you use non-standard Windows driver features |
| X | Aconti | aconti.exe | Adult content dialler |
| U | acoustic | acoustic.exe | Control panel program for Philips Acoustic Edge soundcard. Not required unless changed settings aren't retained |
| N | acpart | agpart11.exe | Program for finding trucks on-line |
| U | Acrobat Assistant *.* | ACROTRAY.EXE | Used to create PDF files with Acrobat Distiller. For Win9x/Me systems you can run this file manually beforehand. For WinXP systems this file must run at startup. Hence the "U" recommendation. *.* represents the version |
| U | Acronis Scheduler2 Service | schedhlp.exe | Part of Acronis True Image - backup software. Co-operates with the "schedul2.exe" service to perform backup/restore tasks correctly. Required if you want to use TrueImage to do some real backup/restore tasks - not if you only want to explore/mount images |
| N | Acronis TrueImage Monitor | TrueImageMonitor.exe | Part of Acronis True Image - backup software. Can be disabled without affecting TrueImage |
| N | AcronisTrueImage Monitor | TrueImageMonitor.exe | Part of Acronis True Image - backup software. Can be disabled without affecting TrueImage |
| N | Acronis True Image Monitor | TrueImageMonitor.exe | Part of Acronis True Image - backup software. Can be disabled without affecting TrueImage |
| N | Action Manager 32 | am32.exe | Associated with a Plustech scanner. Small utility that runs in the background for doing fax/copy/etc. Available via Start -> Programs |
| ? | ActionAgent | actionagent.exe | "A COM server that runs on the client as part of the Dell OpenManage Client Instrumentation 6.x package; provides a simple method for a remote administrator to perform actions on the instrumented client". Is it required? |
| N | Activation | Activation.exe | Part of Microsoft Money |
| U | Activboard | MMKeybd.exe | Packard Bell ActiveBoard keyboard - multimedia keyboard manager. Required if you use the additional keys and want to see the status of the Num Lock, Caps Lock, Scroll Lock keys |
| U | Active shield | Activeshield.exe | Active Shield is "an heuristic screen that actively protects your computer from trojans, spyware, adware, trackware, dialers, keyloggers, and even some special kinds of viruses" |
| X | ActiveDesktop | systray32.exe | Added by the DABOOM WORM! |
| X | ACTIVEDS | ACTIVEDS.EXE | Added by the OPASERV.T WORM! |
| N | ActiveEyes | ActiveEyes.exe | ActiveEyes from TFI Technology |
| U | ActiveMenu | ActiveMenu.exe | WildTangent games that come with some HP computers. Unchecking it can prevent the games from running occasionally. Note that WildTangent's privacy policy used to state that they also collect and share individuals' information but this is no longer the case |
| U | ActivePlus | activeplus.exe | Interactive Agents Plugin for Messenger Plus! (MSN Messenger add-on) |
| Y | ActiveShield | MCVSSHLD.EXE | McAfee VirusScan On-line. See also the McAgentExe entry |
| N | ActivSurf | backweb*****.exe | Packard Bell ActivSurf - automatically detects an internet connection and downloads any available updates |
| U | ActMaker | ActMak25.exe | "ActMaker mouse and keyboard toolkit can record the daily operation of your computer and reduce your workload. You don't need to do any coding, nor are you required to know a lot about the computer" |
| U | ACU | ACU.exe | Atheros wireless Client Utility For HP Compaq |
| U | Ad Blocker | blocker.exe | Ad Blocker - blocks popups, and also removes banners, image ads and flash ads |
| U | Ad Blocker Pro | Ad Blocker Pro.exe | Ad Away popup and banner remover |
| U | Ad Muncher | AdMunch.exe | Ad Muncher removes adverts, pop-ups and general annoyances in your browser, file-sharing and messenger programs. Causes conflicts with Outlook, game sites and web-building applications |
| ? | Ad Online Guide | adonlineguide.exe | ?? |
| N | Ad-aware | Ad-aware.exe | Ad-aware from Lavasoft. Checks your PC for "Spyware" which reports back your internet activities to "base". Available via Start -> Programs |
| U | Ad-Muncher | ADMUNCH.EXE | Ad Muncher removes adverts, pop-ups and general annoyances in your browser, file-sharing and messenger programs. Causes conflicts with Outlook, game sites and web-building applications |
| U | Ad-watch | Ad-watch.exe | Part of Lavasoft Ad-aware Plus - realtime spyware-monitor watching your memory and registry for spyware that tries to install or change your system |
| U | AD2KClient | AD2KClient.exe | Executable for Active Disk from Iomega disk - allows software applications to be run directly from an Iomega Zip® disk. Required if you wish the applications to launch on insertion of a disk |
| N | Adaptec DirectCD | Directcd.exe | DirectCD primarily allows you to drag and drop files onto a suitably formatted CD-RW disc. Unless you use this on a frequent basis it isn't required and is available via Start -> Programs. Start the program before inserting a DirectCD formatted CD-RW in the drive. A re-boot is recommended if you close Adaptec DirectCD before re-opening it again later |