| Status | Autorun name | Command | Description |
| X | shell | explorer.exe | Added by the KAKKEYS TROJAN! Note - the legitimate Windows Explorer (same filename) is located in %Windir% and would not normally appear in Msconfig/Startup unless you added it manually! This one is located in %System% |
| X | Shell | Explorer.exe iexplore.exe | Added by the KIPIS-U WORM! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The legitimate Internet Explorer (iexplore.exe) is always located in %ProgramFiles%\Internet Explorer and should not normally figure in Msconfig/Startup! This one is located in %System%\Microsoft |
| X | Shell | ibm0000*.exe [* = digit] | Added by the TORPIG-C and TORPIG-J TROJANS! Filenames spotted include ibm00001.exe, ibm00002.exe, ibm00005.exe and so on |
| X | Shell | taskmrg.exe | Added by the BANCBAN-FT TROJAN! |
| X | Shell | Explorer.exe winupdate.exe | Added by the AGENT-FD TROJAN! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "winupdate.exe" file is located in %System% |
| X | Shell | Explorer.exe [path] ibm[RANDOM 5 DIGIT NUMBER].exe | Added by the ANSERIN TROJAN! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files |
| X | Shell | svchost.exe | Added by the GOLDSPY-B TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir% |
| X | Shell | ibm00001.dll | Added by the TORPIG-Q TROJAN! |
| X | Shell | wmedia32.exe | Added by the AGENT-BR TROJAN! |
| X | Shell | Explorer.exe winsys32.exe | Added by the DELF.CP BACKDOOR! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "winsys32.exe" file is located in %Windir% |
| X | Shell | Win32.dll.exe | Added by the VB.BTX TROJAN! |
| X | Shell | taskmam.exe | Added by the BANCBAN-OL TROJAN! |
| X | Shell | explorer.exe msbnc.exe | Added by the AGENT-PL BACKDOOR! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "msbnc.exe" file is located in %System% |
| X | Shell | Explorer.exe kbdsys.exe | Added by the DAPROSY WORM! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "kbdsys.exe" file is located in %AppData%\Microsoft\Keyboard |
| X | Shell | smsc.exe | Added by the BANCBAN-OY TROJAN! |
| X | Shell | Explorer.exe init32m.exe | Added by the DLSW-B TROJAN! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "init32m.exe" file is located in %System% |
| X | Shell | Explorer.exe smssnt.exe | Added by the AGOBOT.EE TROJAN! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "smssnt.exe" file is located in %System% |
| X | Shell API32 | svcnet.exe | Added by the TIBICK.C WORM! |
| X | Shell Extension | spollsv.exe | Added by the LOVGATE.Z WORM! |
| X | Shell Tray Window | ShellTraywnd.exe | Added by the STULTDOR-A TROJAN! |
| X | shell update | shellexec.exe | Added by the RBOT-ANC WORM! |
| X | Shell.exe | Shell.exe | Added by the EMERLEOX.S WORM! |
| X | Shell32 | Shell32.vbs | Added by the SCAFENE WORM! |
| X | shell32 | ntldrt.exe | Added by the JLOK-A WORM! |
| X | Shell32 | iexplore.exe | Added by the IRCBOT-AY BACKDOOR! Note - this is not the legitimate Internet Explorer (iexplore.exe) which is always located in %ProgramFiles%\Internet Explorer and should not normally figure in Msconfig/Startup! This one is located in %System% |
| X | Shell32 | explorer.exe | Added by the SDBOT-NF WORM! Note - the legitimate Windows Explorer (same filename) is located in %Windir% and would not normally appear in Msconfig/Startup unless you added it manually! This one is located in %System% |
| X | ShellApi | SHELLMSN.EXE | Added by the NETDEV.B BACKDOOR! |
| X | Shellapi32 | Shellapi32.exe | Added by the NETDEVIL (or NERTE) TROJAN! |
| X | Shellapi32 | mcvsrte.exe | Added by an unidentified WORM! Note - do not confuse with the McAfee SecurityCenter file of the same name |
| X | shellbn | [random].dll | SoftStop rogue security software - not recommended |
| X | shellbn | shlext32.exe | Malware installed by different rogue security software including SpyKillerPro and the XP AntiVirus series |
| X | ShellCommand | [path to file] | Added by the REMCON-A TROJAN! |
| X | Shelldaemon | Shelldaemon.exe | Added by a variant of the AGENT.ALN TROJAN! |
| X | ShellEx | ShellEx.exe | Added by the ANAKHA TROJAN! |
| X | ShellN | isca.exe | Added by the IBILL.Z TROJAN! |
| X | ShellOS | A+++.exe | Added by the AV TROJAN! |
| X | ShellRun | lexplore_.exe | Added by the MSNOPT-A TROJAN! |
| X | ShellRun32 | iexplore.exe | Added by the IRCBOT-AY BACKDOOR! Note - this is not the legitimate Internet Explorer (iexplore.exe) which is always located in %ProgramFiles%\Internet Explorer and should not normally figure in Msconfig/Startup! This one is located in %System% |
| X | Shellspl | lsas.exe | Added by the YALER-A TROJAN! |
| X | Shellspl | spools.exe | Added by the PROXAGE-A TROJAN! |
| X | shellsystem | shellsystem.exe | Added by the UPCHAN TROJAN! |
| X | shhost | shhost.exe | Added by the AGENT.CE BACKDOOR! |
| N | shicoxp | shicoxp.exe | Installed with the drivers for multi card readers of various brands. To differentiate between the various card slots on multi slot readers the shicoxp.exe file assigns and loads unique drive icons for the various card slots that are displayed in Windows Explorer |
| X | Shield Security | shield.exe | Added by the RIZO.A TROJAN! |
| X | Shield32 Security | shield32.exe | Added by the RIZO.A TROJAN! |
| X | ShieldSafeness | ShieldSafeness.exe | ShieldSafeness rogue security software - not recommended, removal instructions here. A member of the WiniGuard family |
| X | Shine | Shine.exe | Added by the HAPPYLOW (or NISHE-A) VIRUS! |
| ? | SHINITV | shinitv.exe | ?? |
| X | Shmgrate.exe | ibot4.exe | Added by the GASTER TROJAN! |
| N | ShockmachineReminder | SmReminder.exe | "Shockmachine is a stand-alone application that lets users collect Macromedia Shockwave and Flash titles and play them offline". Could be a registration reminder for the trial version |
| X | Shockwave | csrss.exe | Added by the SNDOG WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir% |
| N | Shockwave Init | SWINIT.EXE | Part of Macromedia Shockwave. Controls the Shockwave Remote Control Panel. The Remote Control can be activated manually from the Start Menu by locating and selecting Shockwave and then Shockwave Remote under Programs |
| X | Shockwave Support | FlashPlayer.exe | Added by the DELF-DRA WORM! |
| X | shoket | svchs0t.exe | Added by the WOWPWS-E TROJAN! |
| N | ShopSafe | ShopSafe.exe | Created by Orbiscom for MNBA (now Bank of America) - ShopSafe creates a temporary card number each time you make an online purchase |
| N | ShortKeys 99 | SHORTKEY.EXE | ShortKeys from Insight Software Solutions - allows you to program keys with text strings |
| U | ShortKeys Lite | shklite.exe | ShortKeys Lite from Insight Software Solutions, Inc. A macro utility to automate a task that you perform repeatedly or on a regular basis |
| Y | sHotKey | sHotKey.exe | Special function key manager for Chicony keyboards - see here |
| N | Shotty | Shotty.exe | Shotty by Thomas Baumann - "is an application to take pictures from your computers screen (called screenshots) or from one application only. Unlike other applications that does this Shotty provides various other features that are useful to modify the taken screenshot" |
| N | Shotty - Tiny but impressive screenshot utility | Shotty.exe | Shotty by Thomas Baumann - "is an application to take pictures from your computers screen (called screenshots) or from one application only. Unlike other applications that does this Shotty provides various other features that are useful to modify the taken screenshot" |
| X | Showbehind | SHOWBEHIND.EXE | Advertisement display which can be stopped here |
| X | ShowFF | ShowFF.exe | FFToolBar adware toolbar |
| ? | ShowIcon_Justrams_USB Product Driver v2.12r012 | shwicon.exe | Related to Just Rams USB product driver. Is it required? |
| U | ShowIcon_PNY_PNY Attaché | shwicon.exe | PNY Attaché USB flash memory stick System Tray icon - shows when the device is plugged in |
| ? | ShowIcon_SmartDisk Corporation_USB Card Reader v1.14e051 | shwicon.exe | Card reader for memory cards from digital cameras. Is it required? |
| U | ShowLOMControl | [strange symbol] | Note that there is a strange symbol in the command field and in logs it's shown as "O4 - HKLM\..\Run: [ShowLOMControl] [strange symbol]". Additional registry information for the entry is "Reg_DWORD 0x00000001 (1)". It means Show "LAN on Motherboard" Control. On systems where you can install an external LAN interface, it will warn you that you already have a built-in LAN interface. Appears to be a feature on certain Dell systems |
| X | Showme | Ruden.vbs | Added by the HANDLE-A VIRUS! |
| U | ShowWnd | ShowWnd.exe | Found on Gateway computers (and maybe others) - see here. "Showwnd is included with the Chicony keyboard software and is used by the software to stop the keyboard driver's taskbar entry from reappearing. It is not necessary to remove the keyboard software, however if you wish it can be removed through Add or Remove Programs" |
| U | SHPC32 | SHPC32.exe | Port monitor for Lexmark printers on a USB connection. Ties in with the Printer Control Program. Features like cancelling a print are unavailable if disabled |
| U | SHS | SHS.exe | "Rogers Self Help Software is a free suite of tools and utilities for your computer that keeps your system running properly, and makes your Hi-Speed Internet experience smooth and trouble-free" |
| Y | ShStatEXE | SHSTAT.EXE | Part of McAfee's VirusScan Enterprise corporate anti-virus and anti-spyware security tool |
| U | Shutdownaware | shutdownaware.exe | Loaded by the SWEEX 6-in-1 Media Card Reader to properly manage the reader while it is connected to your system |
| U | ShutDownPro | ShutDownPro.exe | ShutDownPro - shutdown, reboot, logoff your System with one mouse click |
| X | ShutDownWindows | Rundll32.exe User,ExitWindows | Added by the VB-HE TROJAN! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted |
| X | ShutdownWithoutLjiasvt.exe | [path to trojan] | Added by the BIFROSE.F BACKDOOR! |
| X | shv | antit.exe | Added by the AGENT-JKU TROJAN! |
| N | Si Meter | SIMETER.EXE | Si Meter - keep track of things like CPU activity, network activity and speed, hard-drive activity, hard-drive space, system memory, running processes, or just date and time |
| X | si91e44b | rundll32.exe si91e44b.dll, EnableRunDLL32 | LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The "si91e44b.dll" file is found in %System% |
| U | SIA2006 | SIA2006.exe | Part of Steganos Internet Anonym privacy software |
| U | SIAPRO6 | sia.exe | Steganos Internet Anonym privacy software |
| X | sibawerix | tomup.exe | Added by the SDBOT.AVB WORM! |
| X | SichererAntivirus | pgs.exe | SichererAntivirus, German rogue security software - not recommended. A member of the AVSystemCare family |
| X | SichererSchutz | pgs.exe | SichererSchutz, German rogue security software - not recommended. A member of the AVSystemCare family |
| X | SicherheitsTool | SysRep.exe | SicherheitsTool, Dutch rogue system error and cleaning utility - not recommended. A member of the ErrClean family |
| X | Sicom | Sicom.exe | Added by the NETLIP WORM! |
| U | SideACT! | SideACT.exe | To-Do list add-on for the Sage ACT! contact manager |
| U | Sidebar | Sidebar.exe | Windows Sidebar is a pane on the side of the Microsoft Windows Vista desktop where you can keep your gadgets organized and always available. In Windows 7 this feature is known as Desktop Gadgets and each gadget can be placed anywhere on the desktop. If the file isn't located in %ProgramFiles%\Windows Sidebar or you're using other versions of Windows it could be part of the Searchcentrix hijacker |
| N | SIDEBAR | dsidebar.exe | "Desktop Sidebar provides you with instant access to the information you most desire by grabbing data from your PC and the internet. The result is a dynamic visual display you configure and control" |
| X | SideGreen | SideGreen.exe | SideGreen adware. File located in %Program Files%\SideGreen |
| X | SideTab | SideTab.exe | SideTab adware |
| N | SideWinderTrayV4 | SWTrayV4.exe | MS SideWinder game controller system tray icon. This is specific to version 4 of the software. Available via Start -> Programs |
| ? | SIECACST | siecacst.exe | Related to a Siemens card reader. Is it required? |
| U | SightSpeed | SightSpeed.exe | SightSpeed Video Chat - "lets you connect with all your friends and family easily. Make video calls, phone calls, and send video mails and text messages to everyone in your network, anywhere in the world" |
| N | SigmaTel Audio | setup.exe | Sigmatel audio driver |
| N | SigmaTel StacMon | stacmon.exe | Installed with the drivers for a SigmaTel C-Major Audio card (on a Dell Inspiron 600m PC for example). Appears as though it can be disabled with no ill effects |
| N | SigmatelSysTrayApp | stsystra.exe | System tray program for the Sigmatel Audio sound card. Often found on Dell computers |
| N | SigmatelSysTrayApp | sttray.exe | System tray program for the Sigmatel Audio sound card. Often found on Dell computers |
| U | SigX | sigx.exe | SigX is a "dynamic signature image generated based on whatever data your computer sends it though our SigX program. It can display your current Mp3, current OS, Free Ram, your current time and more" |
| U | SigXC | SigX.exe | SigX is a "dynamic signature image generated based on whatever data your computer sends it though our SigX program. It can display your current Mp3, current OS, Free Ram, your current time and more" |
| X | SilentSoftech | [worm filename] | Added by the SILLYFDC-BL WORM! |
