| Status | Autorun name | Command | Description |
| --- | --- | --- | --- |
| X | *windows update | wurauclt.exe | Added by the RBOT-SY WORM! |
| X | *windows update | wsctl.exe | Added by the SPYBOT.PR WORM! |
| X | *windows update | wkmst.exe | Added by the SDBOT.AVD WORM! |
| X | *windows update | wscxt.exe | Added by the RBOT.AOS WORM! |
| X | *windows update | waurclt.exe | Added by a variant of the RBOT WORM! |
| X | *windows update | wuaruclt.exe | Added by the RBOT-TF WORM! |
| X | *windows update | wruaclt.exe | Added by the RBOT-QP BACKDOOR! |
| X | *windows update | wruauclt.exe | Added by the RBOT-SF WORM! |
| X | *windows update | wuacrlt.exe | Added by the RBOT-QI WORM! |
| X | *windows update | wuruclt.exe | Added by the RBOT-TA WORM! |
| X | *WindowsAudio | systemupd.exe | Added by the AGENT-TH WORM! |
| X | *WinLogon | [trojan path] ren time:[random number] | Added by the VUNDO TROJAN! |
| X | *winsocks | msnmess.exe | Added by the PWS-ABU TROJAN! |
| X | *winstats | winstats.exe | Added by the GARGAFX TROJAN! |
| X | *wmstu | wmstu.exe | Added by the RBOT-TV WORM! |
| X | *wuauclt.exe | w****.exe [* = random char] | Added by a variant of the RBOT-UG WORM! Note - * in the filename represents a random char; variants spotted: wxmct.exe, wtmsv.exe, wxmst.exe, wmsvc.exe and so on... |
| X | *zggjmyd | zggjmyd.exe | Added by the AFCORE.O BACKDOOR! |
| X | ,main drive Loader | wininfo.exe | Suspected malware as it appears in 3 different registry locations - see here |
| X | -=+(L4r1$$4)+=-(4nt1)-=+(V1ru$)=-+ | ISASS.exe | Added by the ASSIRAL.B WORM! |
| Y | -FreedomNeedsReboot | ZkRunOnceR.exe | Part of internet security suites sourced by Radialpoint for ISP customers such as Virgin Media, AT&T, Bell Canada, TELUS Corporation and Verizon Online. The exact purpose is unknown at this time and it shows no ill effects if disabled, but as the purpose is unknown and it's security related it should be left enabled |
| X | .. | ABC2007.exe | Added by the DLOADR-ASH TROJAN! |
| X | .mscdr | lassa.exe | Added by the WEBUS.C TROJAN! |
| X | .mscdr | lsvchost.exe | Added by the WEBUS.D TROJAN! |
| X | .mscdsr | lsvchost.exe | Added by the BDOOR-CR BACKDOOR! |
| X | .mscsbl | svhost.exe | Added by the CMQ TROJAN! |
| X | .mscsbl | SVCHOST.EXE | Added by the BOROBOT-A TROJAN! Note - this is not the legitimate svchost.exe process which should NOT appear in Msconfig/Startup! |
| X | .msfupdate | msveup.exe | Added by the ALLOCUP.A WORM! |
| X | .mssecure | mssecure.exe | Added by the DDOS_BOXED.X TROJAN! |
| ? | .NET config | sysmon32.exe | ?? |
| X | .Net Recovery | rundll32.exe dotnetfx.dll,repair | Added by the DELEZIUM VIRUS! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The "winsys16_070813.dll" file is found in %System% |
| X | .NET. | msnmgnr.exe | Added by the DELF.AYF WORM! |
| X | .norton | rchost.exe | Added by the BOXED-H TROJAN! |
| X | .nvsvc | smss.exe | Added by the IRCBOT-FP TROJAN! Note - this is not the legitimate smss.exe process which should not normally figure in Msconfig/Startup! |
| X | .nvsvcb | smssb.exe | Added by the BOXED.CG TROJAN! |
| X | .Prog | services.exe | Added by the NEVEG.B or NEVEG.C WORMS! Note - this is not the legitimate services.exe process, which should not appear in Msconfig/Startup! |
| X | .Prog | winlogon.exe | Added by the NEVEG.A WORM! Note - this is not the legitimate winlogon.exe process, which should not appear in Msconfig/Startup! |
| X | .protected | N/A | Smitfraud variant |
| X | .service | winlgon.exe | Added by the BDOOR-BX BACKDOOR! |
| X | .svchost | CSRSS.EXE | Added by the WEBUS.F TROJAN! Note - this worm replaces the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! |
| X | .TEXTCONV | csrss.exe | Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process which should not normally figure in Msconfig/Startup! |
| X | .TEXTCONV | lsass.exe | Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which should not normally figure in Msconfig/Startup! |
| X | .WMAudio | csrss.exe | Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process which should not normally figure in Msconfig/Startup! |
| X | .WMAudio | lsass.exe | Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which should not normally figure in Msconfig/Startup! |
| N | /l:eng | N/A | Related to the Dell OEM version of the Sound Blaster Audigy 2 sound card. If this item is listed and checked in startup, the System32 Folder will appear on every startup. A patch is available - filename R75304.EXE - that fixes the issue. You can find that file at support.dell.com by typing that name in the 'Search' box available there. It addresses the root of the problem in Creative's software and corrects it. Unfortunately there is no direct link to the file, but it's easily available using the search function |
| N | /s | N/A | Related to the Dell OEM version of the Sound Blaster Audigy 2 sound card. If this item is listed and checked in startup, the System32 Folder will appear on every startup. A patch is available - filename R75304.EXE - that fixes the issue. You can find that file at support.dell.com by typing that name in the 'Search' box available there. It addresses the root of the problem in Creative's software and corrects it. Unfortunately there is no direct link to the file, but it's easily available using the search function |
| X | ;Rundll | [filename] | Added by the PWSLEGMIR.E TROJAN! |
| X | ?ekio Startups | ?nksvc32.exe | Added by the AGOBOT-OV WORM where ? is a random character |
| X | @ | regedit -s win.dll | Added by the SEEKER.K TROJAN! Note that regedit is the legitimate Windows Registry Editor and shouldn't be deleted. The "win.dll" file is located in %Windir% |
| X | @ | RUNDLL.EXE | Added by the SPYBOT-DN WORM! Note - this is NOT the Win9x/Me system file of the same name as described here |
| X | @ | sysload.exe | Added by the DELF-EL TROJAN! |
| X | @ | iexpl0res.exe | Added by the RBOT.AEX WORM! |
| X | @ | wincms.exe | Added by the RBOT.CBR WORM! |
| X | @ | winsys32.exe | Added by the DELF.CP BACKDOOR! Note that the entry under the Startup Item/Name field may be blank |
| U | @BackupScheduler | OnlineBackup.exe | Web-based file sharing and file storage for backup protection from SwapDrive, Inc - now acquired by Symantec and rebranded and released as Norton Online Backup |
| N | @Hoc Toolbar | AtHoc.exe | One-click activated browsing toolbar used by various web-sites. See here for more info |
| N | @loha | reminder.exe | Registration reminder for @loha@home E-mail utility |
| Y | @OnlineArmor GUI | oaui.exe | System Tray access to and main user interface for the Online Armor range of security tools from Tall Emu Pty Ltd. The free version incorporates a firewall, limited startup manager, tamper protection and keylogger detection whilst paid versions add features such as a mail/web shield, phishing filter and anti-malware |
| X | @tour_ww | @tour_ww[1].exe | Adult content dialler |
| X | [12 random characters] | avifile5.exe | IeDriver adware variant |
| X | [12 random characters] | bootvid4.exe | IeDriver adware variant |
| X | [12 random characters] | browser8.exe | IeDriver adware variant |
| X | [12 random characters] | atitvo32.exe | IeDriver adware variant |
| X | [12 random characters] | autodisc.exe | IeDriver adware variant |
| X | [12 random characters] | cabview1.exe | IeDriver adware variant |
| X | [12 random characters] | advpack1.exe | IeDriver adware variant |
| X | [12 random characters] | batmeter.exe | IeDriver adware variant |
| X | [12 random characters] | bidispl2.exe | IeDriver adware variant |
| X | [12 random characters] | asferror.exe | IeDriver adware variant |
| X | [12 random characters] | catsrvps.exe | IeDriver adware variant |
| X | [12 random characters] | admparse.exe | IeDriver adware variant |
| X | [12 random characters] | audiosrv.exe | IeDriver adware variant |
| X | [12 random characters] | bootvid2.exe | IeDriver adware variant |
| X | [12 random characters] | cmpbk321.exe | IeDriver adware variant |
| X | [12 random characters] | ADPTIF67.exe | IeDriver adware variant |
| X | [12 random characters] | asycfilt.exe | IeDriver adware variant |
| X | [12 random characters] | ati2dvag.exe | IeDriver adware variant |
| X | [12 random characters] | atl91036.exe | IeDriver adware variant |
| X | [12 random characters] | blackbox.exe | IeDriver adware variant |
| X | [12 random characters] | browser5.exe | IeDriver adware variant |
| X | [12 random characters] | bthserv1.exe | IeDriver adware variant |
| X | [12 random characters] | camocx28.exe | IeDriver adware variant |
| X | [12 random characters] | CAMOCX74.exe | IeDriver adware variant |
| X | [12 random characters] | capesnpn.exe | IeDriver adware variant |
| X | [14 random numbers] | mradll.exe | Green AV rogue security software - not recommended, removal instructions here. The most common entry has the number 37465982736455 |
| X | [14 random numbers] | rwg.exe | Green AV rogue security software - not recommended, removal instructions here. The most common entry has the number 03874569874596 |
| X | [3 random char]srv32 | [3 random char]srv.exe | Added by the BANCOS.N TROJAN! |
| X | [3-4 random letters] | nslookup.exe | PurityScan adware. Not to be confused with the legitimate nslookup.exe which is found in the System32 folder |
| X | [3-4 random letters]Srv32 | [path to file] | Added by the BANCSADE-A TROJAN! |
| X | [32 random hex numbers] | tsc.exe | Total Security rogue security software - not recommended, removal instructions here |
| X | [32 random hex numbers] | badware-protector.exe | Badware Protector rogue security software - not recommended, removal instructions here |
| X | [32 random numbers] | av2009.exe | AntiVirus 2009 rogue security software - not recommended, removal instructions here |
| X | [32 random numbers] | av360.exe | Antivirus 360 rogue security software - not recommended, removal instructions here |
| X | [32 random numbers] | AVS.exe | Antivirus Sentry rogue security software - not recommended, removal instructions here |
| X | [32 random numbers] | xpa.exe | XP Antivirus rogue security software - not recommended |
| X | [32 random numbers] | total.exe | Total Antivirus rogue security software - not recommended, removal instructions here |
| X | [decimal number] | [path to worm] | Added by the OPOSSUM-A WORM! The decimal number can be anything, eg, 0.12345678 |
| X | [default] | DrWatson32.exe | Added by the DREMN TROJAN! |
| X | [empty] | system32.exe | Added by the AGOBOT-KU WORM! Note - has a blank entry under the Startup Item/Name field |
| X | [empty] | pathex.exe | Added by the MKMOOSE-A WORM! Note - has a blank entry under the Startup Item/Name field |
| X | [empty] | svchost.exe | Added by the DELF-UX TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%. Note - has a blank entry under the Startup Item/Name field |