| Name or Startup Item | Status | Command or Data | Description |
|---|---|---|---|
| | X | system32.exe | Added by the AGOBOT-KU WORM! Note - has a blank entry under the Startup Item/Name field |
| | X | pathex.exe | Added by the MKMOOSE-A WORM! Note - has a blank entry under the Startup Item/Name field |
| | X | svchost.exe | Added by the DELF-UX TROJAN! Note - this is not the legitimate svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field |
| | X | MSPF.EXE | Added by a variant of the SDBOT WORM! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field |
| | X | dllvirtual.exe | Added by the DADOBRA-IW TROJAN! Note - has a blank entry under the Startup Item/Name field |
| | X | dllvirtual.dll | Added by the DADOBRA-IW TROJAN! Note - has a blank entry under the Startup Item/Name field |
| | X | dllvirtual.js | Added by the DADOBRA-IW TROJAN! Note - has a blank entry under the Startup Item/Name field |
| | X | ajsha5.exe | Added by the SPYBOT-NX WORM! Note - has a blank entry under the Startup Item/Name field |
| | X | ne.exe | Added by the IRCBOT-ZL TROJAN! |
| SystemBoot | X | services.exe | Added by the SOBER-Q TROJAN! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a Help\Help subfolder of the Windows or Winnt folder |
| WinCheck | X | services.exe | Added by the SOBER-S WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a "ConnectionStatus\Microsoft" subfolder of the Windows or Winnt folder |
| Windows | X | services.exe | Added by the SOBER.X WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a "WinSecurity" subfolder of the Windows or Winnt folder |
| WinStart | X | services.exe | Added by the SOBER.O WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a Connection Wizard\Status subfolder of the Windows or Winnt folder |
| winsystem.sys | X | smss.exe | Added by the SOBER.K TROJAN! Note - this is not the legitimate smss.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a msagent\win32 subfolder of the Winnt or Windows folder |
| !1_pgaccount | Y | pgaccount.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. You will see one instance of pgaccount.exe for every active account on your system, and this is essential for PG to work properly |
| !1_ProcessGuard_Startup | Y | procguard.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks |
| !AVG Anti-Spyware | U | avgas.exe | Part of AVG Anti-Spyware from Grisoft |
| !ewido | U | ewido.exe | Part of Ewido anti-spyware |
| !NoLoad | N | winrecon.exe | WinRecon keystroke logger/monitoring program - remove unless you installed it yourself! |
| $EnterNet | ? | Enternet.exe | Connection manager for the EnterNet ISP. You can also use RASPPOE |
| $sys$cmp | X | $sys$xp.exe | Added by the RYKNOS.B TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer |
| $sys$crash | X | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! |
| $sys$crash | X | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! |
| $sys$crash | X | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! |
| $sys$drv | X | $sys$drv.exe | Added by the RYKNOS TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer |
| $sys$momomomochin | X | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! |
| $sys$momomomochin | X | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! |
| $sys$momomomochin | X | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! |
| $sys$umaiyo | X | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! |
| $sys$umaiyo | X | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! |
| $sys$umaiyo | X | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! |
| $Volumouse$ | U | volumouse.exe | Volumouse from Nirsoft. "Provides you a quick and easy way to control the sound volume on your system - simply by rolling the wheel of your wheel mouse" |
| $WindowsRegKey%update | X | IEXPLORE.EXE | Added by the RBOT-EZ WORM! Note - this is not the legitimate Internet Explorer iexplore.exe process which is always located in the Program Files\Internet Explorer folder and should not normally figure in Msconfig/Startup! This file is located in the System (9x/Me) or System32 (NT/2K/XP) folder |
| %cmpmixtitle% | N | %cmpmixstr% | Possibly related to C-Media Mixer Control panel? |
| %FP%012-L2TP fts.exe | N | fts.exe | 012.Net.il Israeli ISP software front-end |
| %FP%012-L2TP FWPortal.exe | U | FWPortal.exe | 012.Net.il Israeli ISP dial-up software |
| %FP%1776 Internet fts.exe | N | fts.exe | 1776 Internet US ISP software front-end |
| %FP%1776 Internet FWPortal.exe | U | FWPortal.exe | 1776 Internet US ISP dial-up software |
| %FP%AIRTEL fts.exe | N | fts.exe | Bharti Airtel Broadband - Indian ISP software front-end |
| %FP%Barak013 fts.exe | N | fts.exe | Barak013 Israeli ISP software front-end |
| %FP%Barak013 FWPortal.exe | U | FWPortal.exe | Barak013 Israeli ISP dial-up software |
| %FP%Friendly fts.exe | N | fts.exe | Friendly ISP software front-end |
| µTorrent | U | utorrent.exe | µTorrent - BitTorrent client for Windows sporting a very small footprint. It was designed to use as little cpu, memory and space as possible while offering all the functionality expected from advanced clients |
| (*)API Machine | X | winSOCKS.exe | Homepage hijacker, see here (* = any digit) |
| (*)Run | X | win32API.exe | Homepage hijacker, see here (* = any digit) |
| (default) | X | [random filename].exe | Added by the BLACKMAL WORM! Note - this malware actually changes the default value data of the registry "Run" key in order to force Windows to launch it at boot. Name field may be empty |
| (default) | X | rundll32.exe [path to DLL file], Do98Work | Added by the HESIVE.B TROJAN! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted |
| (Default) | X | 5640.exe | Added by the DOWNLD-ABF TROJAN! |
| (L4r1$$4) (4nt1) (V1ruz) | X | SP00Lsv32.pif | Added by the ASSIRAL.B WORM! |
| *Bandook | X | msdll.exe | Added by an unidentified TROJAN - see here |