Key:
- "Y" - Normally leave to run at start-up
- "N" - Not required or not recommended - typically infrequently used tasks that can be started manually if necessary
- "U" - User's choice - depends whether a user deems it necessary
- "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
- "?" - Unknown
Variables:
- %System% - refers to the System folder; by default this is C:\Windows\System (9x/Me), C:\Winnt\System32 (NT/2K), or C:\Windows\System32 (XP/Vista)
- %Windir% - refers to the Windows installation folder; by default this is C:\Windows (9x/Me/XP/Vista) or C:\Winnt (NT/2K)
- %UserProfile% - refers to the current user's profile folder; by default this is C:\Documents and Settings\ (NT/2K/XP) or C:\Users\ (Vista)
- %ProgramFiles% - refers to the Program Files folder; typically the path is C:\Program Files
The original startups (as opposed to processes/tasks) list. Maybe not the most comprehensive but still one of the best and most accurate!
NOTE : There are a number of virus and malware entried listed in this database where specific removal instructions haven't been given. If this is the case then you could try SDFix, a program written by AndyManchesta that can remove many different types of Trojans and Worms. See here for a tutorial on how to use the program and here for the latest ReadMe file detailing the fixes included.
Last update :- 22nd December, 2008
17654 items listed.
The current update only corrects a few errors found after the Dec 13th, where the wrong entries were changed. The offline versions have also been updated. Apologies for any incovenience caused. |
|
| Name or Startup Item | Status | Command or Data | Description |
|---|
| X | system32.exe | Added by the AGOBOT-KU WORM! Note - has a blank entry under the Startup Item/Name field |
| X | pathex.exe | Added by the MKMOOSE-A WORM! Note - has a blank entry under the Startup Item/Name field |
| X | svchost.exe | Added by the DELF-UX TROJAN! Note - this is not the legitimate svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field |
| X | MSPF.EXE | Added by a variant of the SDBOT WORM! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field |
| X | dllvirtual.exe | Added by the DADOBRA-IW TROJAN! Note - has a blank entry under the Startup Item/Name field |
| X | dllvirtual.dll | Added by the DADOBRA-IW TROJAN! Note - has a blank entry under the Startup Item/Name field |
| X | dllvirtual.js | Added by the DADOBRA-IW TROJAN! Note - has a blank entry under the Startup Item/Name field |
| X | ajsha5.exe | Added by the SPYBOT-NX WORM! Note - has a blank entry under the Startup Item/Name field |
| X | ne.exe | Added by the IRCBOT-ZL TROJAN! |
| SystemBoot | X | services.exe | Added by the SOBER-Q TROJAN! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a Help\Help subfolder of the Windows or Winnt folder |
| WinCheck | X | services.exe | Added by the SOBER-S WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a "ConnectionStatus\Microsoft" subfolder of the Windows or Winnt folder |
| Windows | X | services.exe | Added by the SOBER.X WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a "WinSecurity" subfolder of the Windows or Winnt folder |
| WinStart | X | services.exe | Added by the SOBER.O WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a Connection Wizard\Status subfolder of the Windows or Winnt folder |
| winsystem.sys | X | smss.exe | Added by the SOBER.K TROJAN! Note - this is not the legitimate smss.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a msagent\win32 subfolder of the Winnt or Windows folder |
| !1_pgaccount | Y | pgaccount.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. You will see one instant of pgaccount.exe for every active account on your system, and this is essential for PG to work properly |
| !1_ProcessGuard_Startup | Y | procguard.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks |
| !AVG Anti-Spyware | U | avgas.exe | Part of AVG Anti-Spyware from Grisoft |
| !ewido | U | ewido.exe | Part of Ewido anti-spyware |
| !NoLoad | N | winrecon.exe | WinRecon keystroke logger/monitoring program - remove unless you installed it yourself! |
| $EnterNet | ? | Enternet.exe | Connection manager for the EnterNet ISP. You can also use RASPPOE |
| $sys$cmp | X | $sys$xp.exe | Added by the RYKNOS.B TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer |
| $sys$crash | X | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! |
| $sys$crash | X | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! |
| $sys$crash | X | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! |
| $sys$drv | X | $sys$drv.exe | Added by the RYKNOS TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer |
| $sys$momomomochin | X | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! |
| $sys$momomomochin | X | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! |
| $sys$momomomochin | X | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! |
| $sys$umaiyo | X | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! |
| $sys$umaiyo | X | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! |
| $sys$umaiyo | X | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! |
| $Volumouse$ | U | volumouse.exe | Volumouse from Nirsoft. "Provides you a quick and easy way to control the sound volume on your system - simply by rolling the wheel of your wheel mouse" |
| $WindowsRegKey%update | X | IEXPLORE.EXE | Added by the RBOT-EZ WORM! Note - this is not the legitimate Internet Explorer (iexplore.exe) which is always located in %ProgramFiles%\Internet Explorer and should not normally figure in Msconfig/Startup! This one is located in %System% |
| %cmpmixtitle% | N | %cmpmixstr% | Possibly related to C-Media Mixer Control panel? |
| %FP%012-L2TP fts.exe | N | fts.exe | 012.Net.il Israeli ISP software front-end |
| %FP%012-L2TP FWPortal.exe | U | FWPortal.exe | 012.Net.il Israeli ISP dial-up software |
| %FP%1776 Internet fts.exe | N | fts.exe | 1776 Internet US ISP software ISP software front-end |
| %FP%1776 Internet FWPortal.exe | U | FWPortal.exe | 1776 Internet US ISP dial-up software |
| %FP%AIRTEL fts.exe | N | fts.exe | Bharti Airtel Broadband - Indian ISP software front-end |
| %FP%Barak013 fts.exe | N | fts.exe | Barak013 Israeli ISP software front-end |
| %FP%Barak013 FWPortal.exe | U | FWPortal.exe | Barak013 Israeli ISP dial-up software |
| %FP%Friendly fts.exe | N | fts.exe | Friendly ISP software front-end |
| \NvCpTDaemon | X | wuauqmr.exe | Added by the CULT-B WORM! |
| µTorrent | U | utorrent.exe | µTorrent - BitTorrent client for Windows sporting a very small footprint. It was designed to use as little cpu, memory and space as possible while offering all the functionality expected from advanced clients |
| (*)API Machine | X | winSOCKS.exe | Homepage hijacker, see here (* = any digit) |
| (*)Run | X | win32API.exe | Homepage hijacker, see here (* = any digit) |
| (Default) | X | media_driver.exe | Added by the TUPEG VIRUS! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank |
| (Default) | X | Shania.vbs | Added by the SHANIA BACKDOOR! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank |
| (Default) | X | NOTEPAD.exe | Added by the RUSTY WORM! Note - not to be confused with the valid Windows "NOTEPAD" text editor! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank |
| (Default) | X | [random filename].exe | Added by the BLACKMAL WORM! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run and HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank |
|
You can download off-line HTML ZIP, EXE and EXCEL ZIP versions of this list from here.
In addition the following files are available for people developing mirrors of the site and using the information presented here (right-click and select "Save Target As..." for IE and "Save Link As..." for Firefox):
Startup XML File - Startup INI File - Startup HTML File
DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.
NOTE: This is NOT a database of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a database of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try the Process Library from Uniblue, the list at PC Pitstop or one of the many others now available. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSConfig or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.
To avoid the database becoming too large, all virus entries are only shown using the registry version which is common to all Windows versions. Otnerwise there would be multiple entries for popular filenames that viruses often use - such as "svchost" above for example. Multiple viruses can also use the same startup entries, in this case only those with significant differences (such as file location) are repeated in this database.
IMPORTANT: A number of entries are repeated due to the way that different operating systems display startup items. For example, WinMe lists "POPROXY.EXE" as "Norton eMail Protect" in both MSCONFIG and the registry whereas WinXP lists it as "Poproxy" in MSCONFIG and "Norton eMail Protect" in the registry.
RECOMMENDATION: If you're looking for a startup manager then why not try Advanced SystemCare PRO (by IObit - formerly Advanced WindowsCare Professional) which "provides an always-on, automated, all-in-one PC Healthcare Service with anti-spyware, privacy protection, performance tune-ups, and system cleaning capabilities." It includes a startup manager (select Utilities → Admin Tools → Startup Manager) and the "Online search" option brings you to this database.
As there are more than 10,000 entries in this database related to viruses, trojans, worms and other malware I recommend you use a quality internet security package. Which ever you choose, keep it updated and renew any subscriptions.
For further information on how to identify and disable startup programs please visit the Startup Content page.
For further information on random startup entries and spyware please visit the Startup Info page.
Presentation, format & comments Copyright © 2001 - 2008 Paul Collins
Portions Copyright © Peter Forrest, Denny Denham, Sylvain Prevost, Tony Klein, CastleCops & Bleeping Computer
Database creation and support by Patrick Kolla
Software support by John Mayer
All rights reserved