If you're frustrated with the time it takes your Windows PC to boot and then it seems to be running slowly you may have too many programs running at start-up - and have come to the right place to identify them. This is the original startup programs (as opposed to processes/tasks) list - one of the most comprehensive and most accurate!
"Name or Startup Item" in the table below refers to how an entry is displayed in MSConfig, Windows Defender or the registry "Run" keys. "Command or Data" refers to the program the entry runs. For further information on this and how to identify and disable startup programs please visit the Startup Content page.
For further information on random startup entries please visit the Startup Info page. For the next few months and foreseeable future I'll be verifying many of the Y, U, N & ? entries via virtual machines. If you can verify/identify those entries with a "?" status (especially hardware specific - such as laptops and motherboards) then please E-mail me (address at bottom of the page) or use the new Message Board.
Last update :- 29th October, 2009
19979 items listed
"Status" key:
- "Y" - Normally leave to run at start-up
- "N" - Not required or not recommended - typically infrequently used tasks that can be started manually if necessary
- "U" - User's choice - depends whether a user deems it necessary
- "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
- "?" - Unknown
Variables:
- %System% - refers to the System folder; by default this is C:\Windows\System (9x/Me), C:\Winnt\System32 (NT/2K), or C:\Windows\System32 (XP/Vista)
- %Windir% - refers to the Windows installation folder; by default this is C:\Windows (9x/Me/XP/Vista) or C:\Winnt (NT/2K)
- %UserProfile% - refers to the current user's profile folder; by default this is C:\Documents and Settings\ (NT/2K/XP) or C:\Users\ (Vista)
- %ProgramFiles% - refers to the Program Files folder; typically the path is C:\Program Files
|
|
| Name or Startup Item | Status | Command or Data | Description | Tested? |
|---|
| ctfmon | X | taskmgr32*.exe [* = number] | Added by the SOWSAT.B WORM! | No |
| ctfmon | X | cftmon.exe | Added by the DELIVE-A TROJAN! Note - this file is found in C:\Windows or C:\Winnt and is not the valid MS Office file of the same name (see here) | No |
| ctfmon | X | mIRC.dll | Added by the DELBOT-E TROJAN! | No |
| ctfmon | X | WinConst.exe | Added by the ASSASIN-G TROJAN! | No |
| CTFMon | U | ctfmon.exe | Family KeyLogger keystroke logger/monitoring program - remove unless you installed it yourself! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in a "CTF" sub-folder | No |
| ctfmon | X | msnmsgr.exe | Added by the BDOOR-JV BACKDOOR! Note - this is not the valid MSN Messenger (now Windows Live Messenger) utility which is located in either %ProgramFiles%\MSN Messenger or %ProgramFiles%\Windows Live\Messenger. This one is located in %System% | No |
| CTFMON | X | wscript.exe /E:vbs winjpg.jpg | Added by the RUNAUTO.F WORM! Note that wscript.exe is a legitimate Microsoft file used to launch script files and shouldn't be deleted. The "winjpg.jpg" file is located in %System% | No |
| CTFMON | X | wscript.exe /E:vbs regedit.sys | Added by the VBSAUTO-A WORM! Note that wscript.exe is a legitimate Microsoft file used to launch script files and shouldn't be deleted. The "regedit.sys" file is located in %System% | No |
| CTFMON | X | win.exe | Added by the VBS.RUNAUTO.G WORM! | No |
| CTFMON.CPL | X | CTFM0N.CMD | Detected by Symantec as the SILLYFDC WORM! See here | No |
| Ctfmon.exe | X | ctfmon32.exe | CoolWebSearch Ctfmon32 parasite variant | No |
| ctfmon.exe | X | ctfmon.exe | Added by the RAIDYS TROJAN! Note - this should not be confused with the valid Office XP file, see here | No |
| ctfmon.exe | X | msupdate32.exe | Spy Sheriff/SpywareNO malware, also detected as the SPYHOAX-A TROJAN, pretends to be a spyware remover! - file names spotted sofar include VXH8JKDQ2.EXE, NS6281400.so, CVXH8JKDQ2.EXE, down3.exe, sefe.exe, winstall.exe, and tool2.exe | No |
| ctfmon.exe | U | ctfmon.exe | Supports multiple languages and alternative method inputs in Windows and MS Office. The language bar is displayed alongside the System Tray if more than one keyboard layout is enabled (for switching input languages) or, for example, if speech is selected as an alternative input for MS Office or Notepad. Required to support advanced text services (such as right to left text) for East Asian users. Can be disabled via Start → Control Panel → Regional and Language Options → Languages → Text Services and Input Languages → Advanced → System Configuration → Turn off advanced text services (which also turns off the language bar). See also here and here. Can also cause problems with some other programs if left enabled - see here for such an example | Yes |
| ctfmon.exe | X | ctfmon.exe eminem.exe | Added by the BHARAT.A WORM! | No |
| CTFMON.EXE | X | svchost.exe | Added by the JUEGO-B WORM! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir% | No |
| CTFMON32 | X | CTFMON32.EXE | CoolWebSearch Ctfmon32 parasite variant - also detected as the CWS-E TROJAN! | No |
| ctfmon32 | X | [random filename].exe | Added by the RBOT-GSN WORM! | No |
| ctfmon32 | X | taskmgr32*.exe [* = digit] | Added by the SOWSAT.C WORM! | No |
| ctfmona | X | ctfmona.exe | Added by the DLOADR-BME TROJAN! | No |
| CTFMONSS | X | CTFMONSS.EXE | Added by the CWS-F TROJAN! | No |
| ctfmun | X | ctfmun.exe | Added by the AGENT.ACEZ TROJAN! | No |
| ctfnnon | X | ctfmon.exe | Added by the TURKOJAN.IL BACKDOOR! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in %Windir% | No |
| ctfnom | X | rundIl32.exe | Added by the LEGMIR-AW TROJAN! | No |
| ctfnom.exe | X | SVOHOST.exe | Added by the DIGIDOR-A TROJAN! | No |
| ctfnom.exe | X | OSRSS.exe | Added by the DLOADER-UQ TROJAN! | No |
| cthelp | X | cthelp.exe | Added by the SDBOT TROJAN! | No |
| CTHELPER | U | CTHELPER.EXE | CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative's sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time so it's best left disabled unless you need it | No |
| CTHelper | X | cthelper.exe | Added by the RBOT-XB WORM! Note - do not confuse with the Creative application of the same name described here | No |
| CTime | X | [path to trojan] | Added by the HTTPDOS TROJAN! | No |
| CTin10 | X | CTin10.exe | Added by the BANCOS.E TROJAN! | No |
| CtModule | X | CtModule.exe | Added by the CLICKER-EG TROJAN! | No |
| CTMON.EXE | X | cfmon.exe | Added by the CLCKR-AN TROJAN! | No |
| CTNMRUN | U | ctnmrun.exe | Detects the Creative NOMAD jukebox/MP3 player at the time it is attached to USB and starts the needed application (Creative PlayCentre 2) that you use to copy MP3 files to and from it. This is required if you want PlayCentre 2 to take control of the NOMAD once connected | No |
| CTPDPSRV | ? | CTPDPSRV.EXE | Printer driver (in the WINDOWS\System32\spool\DRIVERS\W32\X86 folder). Is it required? | No |
| CTPerformanceUtility | N | CTPowUti.exe | Related to Creative PowerSysTrayApp. This program is a non-essential process, but should not be terminated unless suspected to be causing problems | No |
| ctpmon | X | ctpmon.exe | System Registry Cleaner - stealth installed foistware from sysregistry.com | No |
| CTRegRun | N | CTRegRun.exe | For Creative Soundblaster Live! series soundcards. Reminds you to register your card with Creative | No |
| CtrlVol | U | CtrlVol.exe | Volume control key on Acer, Fujitsu and other laptops | No |
| CTSched | ? | CTSched.exe | Creative Task Scheduler. What does it do and is it required? | No |
| CTStartup | N | CTEaxSpl.exe | Splash screen with sound on every boot up. Installed with a Sound Blaster Audigy soundcard | No |
| CTSVolFE | U | CTSVolFE.exe | Creative Labs Mixer applet for the Sound Blaster Audigy | No |
| CTSVolFE.exe | U | CTSVolFE.exe | Creative Labs Mixer applet for the Sound Blaster Audigy | No |
| CTSyncU.exe | N | CTSyncU.exe | Creative Sync Manager - synchronizes music tracks on your computer with your player | No |
| CTsysVol | U | CTSYSVOL.exe | Creative sound card volume controls | No |
| cttdpsrv | ? | cttdpsrv.exe | ?? | No |
| CTUpdate | X | ctupdclt.exe | Added by the RBOT-ABG WORM! | No |
| CTxfiHlp | N | CTXFIHLP.EXE | Added by the installation of a Creative Labs X-Fi sound card. This particular process provides the help functionality for your card
| No |
| CTXFIREG | N | CTxfiReg.exe | Creative Labs sound card driver related. It appears that it isn't required and maybe registration related | No |
| Ctykd | X | [path to file] | SMALL.SN spyware | No |
|
You can download off-line HTML ZIP, EXE and EXCEL ZIP versions of this list from here.
In addition the following files are available for people developing mirrors of the site and using the information presented here (right-click and select "Save Target As..." for IE and "Save Link As..." for Firefox):
Startup XML File - Startup INI File - Startup HTML File
DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.
NOTE: This is NOT a database of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a database of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try the Process Library from Uniblue, the list at PC Pitstop or one of the many others now available. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSConfig or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.
To avoid the database becoming too large, all virus entries are only shown using the registry version which is common to all Windows versions. Otherwise there would be multiple entries for popular filenames that viruses often use - such as "svchost" above for example. Multiple viruses can also use the same startup entries, in this case only those with significant differences (such as file location) are repeated in this database.
NOTE : There are a number of virus and malware entried listed in this database where specific removal instructions haven't been given. If this is the case then you could try SDFix, a program written by AndyManchesta that can remove many different types of Trojans and Worms. See here for a tutorial on how to use the program and here for the latest ReadMe file detailing the fixes included.
IMPORTANT: A number of entries are repeated due to the way that different operating systems display startup items. For example, WinMe lists "POPROXY.EXE" as "Norton eMail Protect" in both MSCONFIG and the registry whereas WinXP lists it as "Poproxy" in MSCONFIG and "Norton eMail Protect" in the registry.
RECOMMENDATIONS:
If you're looking for a startup manager then why not try WinPatrol (by BillP Studios) or Advanced SystemCare Free (by IObit) - both include the option to search this database for a particular entry. Alternatively try Spybot - Search & Destroy (by Safer Networking Ltd) as the startup programs section (select the Advanced mode) includes descriptions from this database. You might also want to try their RunAlyzer and FileAlyzer tools.
There are an ever increasing number of rogue applications appearing these days and many of the removal guides referenced in this database use MalwareBytes Anti-Malware (which now incorporates the now discontinued RogueRemover).
As there are more than 10,000 entries in this database related to viruses, trojans, worms and other malware I recommend you use a quality internet security package. Which ever you choose, keep it updated.
Free licenses available for Oops! Backup (by Altaro) BETA Testing - Apply online here
Presentation, format & comments Copyright © 2001 - 2009 Paul Collins
Portions Copyright © Peter Forrest, Denny Denham, Sylvain Prevost, Tony Klein, CastleCops & Bleeping Computer
Database creation and support by Patrick Kolla
Software support by John Mayer
All rights reserved