Geeks To Go
Live Chat! · Help · Search · Members · Calendar
 · Terms of Use



Last Updated: February 10, 2007		 Keys
  • "Y" - Normally leave to run at start-up
  • "N" - Not required - typically infrequently used tasks that can be started manually if necessary
  • "U" - User's choice - depends whether a user deems it necessary
  • "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
  • "?" - Unknown
Name Command Status Description
system32.exe X Added by the AGOBOT-KU WORM! Note - has a blank entry under the Startup Item/Name field
pathex.exe X Added by the MKMOOSE-A WORM!
svchost.exe X Added by the DELF-UX TROJAN! Note - this is not the legitimate svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder
MSPF.EXE X Added by a variant of the SDBOT WORM!
SystemBoot services.exe X Added by the SOBER-Q TROJAN! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a Help\Help subfolder of the Windows or Winnt folder
WinCheck services.exe X Added by the SOBER-S WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a "ConnectionStatus\Microsoft" subfolder of the Windows or Winnt folder
Windows services.exe X Added by the SOBER.X WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a "WinSecurity" subfolder of the Windows or Winnt folder
WinStart services.exe X Added by the SOBER.O WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a Connection Wizard\Status subfolder of the Windows or Winnt folder
winsystem.sys smss.exe X Added by the SOBER.K TROJAN! Note - this is not the legitimate smss.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a msagent\win32 subfolder of the Winnt or Windows folder
!1_pgaccount pgaccount.exe Y DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. You will see one instant of pgaccount.exe for every active account on your system, and this is essential for PG to work properly
!1_ProcessGuard_Startup procguard.exe Y DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks
!AVG Anti-Spyware avgas.exe U Part of AVG Anti-Spyware from Grisoft
!ewido ewido.exe U Part of Ewido anti-spyware
!NoLoad winrecon.exe N WinRecon keystroke logger/monitoring program - remove unless you installed it yourself!
$EnterNet Enternet.exe ? Connection manager for the EnterNet ISP. You can also use RASPPOE
$sys$cmp $sys$xp.exe X Added by the RYKNOS.B TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer
$sys$crash $sys$sonyTimer.exe X Added by the WELOMOCH TROJAN!
$sys$crash $sys$sos$sys$.exe X Added by the WELOMOCH TROJAN!
$sys$crash $sys$WeLoveMcCOL.exe X Added by the WELOMOCH TROJAN!
$sys$drv $sys$drv.exe X Added by the RYKNOS TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer
$sys$momomomochin $sys$sonyTimer.exe X Added by the WELOMOCH TROJAN!
$sys$momomomochin $sys$sos$sys$.exe X Added by the WELOMOCH TROJAN!
$sys$momomomochin $sys$WeLoveMcCOL.exe X Added by the WELOMOCH TROJAN!
$sys$umaiyo $sys$sonyTimer.exe X Added by the WELOMOCH TROJAN!
$sys$umaiyo $sys$sos$sys$.exe X Added by the WELOMOCH TROJAN!
$sys$umaiyo $sys$WeLoveMcCOL.exe X Added by the WELOMOCH TROJAN!
$Volumouse$ volumouse.exe U Volumouse from Nirsoft. "Provides you a quick and easy way to control the sound volume on your system - simply by rolling the wheel of your wheel mouse"
$WindowsRegKey%update IEXPLORE.EXE X Added by the RBOT-EZ WORM! Note - this is not the legitimate Internet Explorer iexplore.exe process which is always located in the Program Files\Internet Explorer folder and should not normally figure in Msconfig/Startup! This file is located in the System (9x/Me) or System32 (NT/2K/XP) folder
%cmpmixtitle% %cmpmixstr% N Possibly related to C-Media Mixer Control panel?
%FP%012-L2TP fts.exe fts.exe N 012.Net.il Israeli ISP software front-end
%FP%012-L2TP FWPortal.exe FWPortal.exe U 012.Net.il Israeli ISP dial-up software
%FP%1776 Internet fts.exe fts.exe N 1776 Internet US ISP software ISP software front-end
%FP%1776 Internet FWPortal.exe FWPortal.exe U 1776 Internet US ISP dial-up software
%FP%Barak013 fts.exe fts.exe N Barak013 Israeli ISP software front-end
%FP%Barak013 FWPortal.exe FWPortal.exe U Barak013 Israeli ISP dial-up software
%FP%Friendly fts.exe fts.exe N Friendly ISP software front-end
(*)API Machine winSOCKS.exe X Homepage hijacker, see here (* = any digit)
(*)Run win32API.exe X Homepage hijacker, see here (* = any digit)
(default) [random filename].exe X Added by the BLACKMAL WORM!
(default) rundll32.exe [path] Zykheptd.dll X Added by the HESIVE.B TROJAN!
(L4r1$$4) (4nt1) (V1ruz) SP00Lsv32.pif X Added by the ASSIRAL.B WORM!
*JanisRuckenbrodII janis.com X Added by the POPS WORM!
*Microsoft Update ctxma.exe X Added by the STMU TROJAN!
*Microsoft Update cxma.exe X Added by the STMU TROJAN!
*Microsoft Update wstcl.exe X Added by the STMU TROJAN!
*Microsoft Update wucxt.exe X Added by the STMU TROJAN!
*Microsoft Update wuytc.exe X Added by the STMU TROJAN!
*MS Setup [random filename] X Virtumondo adware, also known as the VUNDO TROJAN!
*Security Center secctr.exe X Added by the SDBOT.BRO WORM!
*StateMgr statemgr.exe Y Windows ME default for System Restore. Do NOT disable!
*windows update wrauclt.exe X Added by the RBOT-QU WORM!
*windows update wuanclt.exe X Added by the RBOT-PG WORM!
*windows update wuaucrlt.exe X Added by the SPYBOT.HUR WORM!
*windows update wuraclt.exe X Added by the RBOT-PO WORM!
*windows update wurauclt.exe X Added by the RBOT-SY WORM!
*windows update wsctl.exe X Added by the SPYBOT.PR WORM!
*windows update wkmst.exe X Added by the SDBOT.AVD WORM!
*windows update wscxt.exe X Added by the RBOT.AOS WORM!
*windows update waurclt.exe X Added by a variant of the RBOT WORM!
*Windows [filename] Checker [filename] X Added by the KEDEBE-B WORM!
*WindowsAudio systemupd.exe X Added by the AGENT-TH WORM!
*WinLogon [trojan path] ren time:[random number] X Added by the VUNDO TROJAN!
*winstats winstats.exe X Added by the GARGAFX TROJAN!
*wuauclt.exe w****.exe [* = random char] X Added by a variant of the RBOT-UG WORM! Note - * in the filename represents a random char; variants spotted: wxmct.exe, wtmsv.exe, wxmst.exe, wmsvc.exe and so on...
,main drive Loader wininfo.exe X Suspected malware as it appears in 3 different registry locations - see here
.mscdr lassa.exe X Added by the WEBUS.C TROJAN!
.mscdr lsvchost.exe X Added by the WEBUS.D TROJAN!
.mscdsr lsvchost.exe X Added by the CR TROJAN!
.mscsbl svhost.exe X Added by the CMQ TROJAN!
.msfupdate msveup.exe X Added by the ALLOCUP.A WORM!
.mssecure mssecure.exe X Added by the DDOS_BOXED.X TROJAN!
.NET config sysmon32.exe ? ??
.norton rchost.exe X Added by a variant of the BOXED-A TROJAN!
.nvsvc smss.exe X Added by the IRCBOT-FP TROJAN! Note - this is not the legitimate smss.exe process which should not normally figure in Msconfig/Startup!
.nvsvcb smssb.exe X Added by the BOXED.CG TROJAN!
.Prog services.exe X Added by the NEVEG.B or NEVEG.C WORMS! Note - this is not the legitimate services.exe process, which should not appear in Msconfig/Startup!
.Prog winlogon.exe X Added by the NEVEG.A WORM! Note - this is not the legitimate winlogon.exe process, which should not appear in Msconfig/Startup!
.protected N/A X Smitfraud variant
.svchost CSRSS.EXE X Added by the WEBUS.F TROJAN! Note - this is not the legitimate csrss.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the System folder
.TEXTCONV csrss.exe X Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process, which should not appear in Msconfig/Startup!
1234567891011121314151617181920212223242526272829
303132333435363738394041424344454647484950515253545556575859
606162636465666768697071727374757677787980818283848586878889
90919293949596979899100101102103104105106107108109110111112113114115116117118119
120121122123124125126127128129130131132133134135136
This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from
LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.
Powered by "Pacman's" Startup List
StartupList Engine 1.0 by Ditto

These pages are advertising free. If you find the information here useful, donate directly to the author (PacMan) by using the PayPal button above.

©2003-2005 Geeks To Go, Inc. | All Rights Reserved | Link to Us