| Status | Autorun name | Command | Description |
|---|---|---|---|
| X | CS Update | copy /Y [path] ActivationManager.dll.upd [path] ActivationManager.dll | Added by an unidentified malware |
| N | CS4ServiceManager | CS4ServiceManager.exe | Part of both stand-alone Adobe CS4 products (such as Photoshop and Dreamweaver) and suites, CS4 Service Manager supports online services such as Adobe Drive. Whilst testing, it would appear that this entry can be safely disabled as it will be loaded when required but if you experience problems try re-enabling it |
| N | CS5ServiceManager | CS5ServiceManager.exe | Part of both stand-alone Adobe CS5 products (such as Photoshop and Dreamweaver) and suites, CS5 Service Manager supports online services. Whilst testing, it would appear that this entry can be safely disabled as it will be loaded when required but if you experience problems try re-enabling it |
| N | csaRem | spqmdmui.exe | Compaq modem country selection |
| Y | CSAV_CheckViruses | vchk.exe | Command Antivirus related |
| U | csc | csc.exe | Command line compiler for Microsoft C#; it gets installed with the .NET SDK |
| X | cscripts | cscripts.exe | Added by the BDOOR-AAP BACKDOOR! |
| X | CSCRS Value | cscrs.exe | Added by the RBOT-AAA WORM! |
| X | CSCRS Value Check | MsPMSPSd.exe | Added by a variant of the SDBOT WORM! |
| X | Csec | cs.exe | Cyber Security rogue security software - not recommended, removal instructions here |
| N | csecwiz | csecwiz.exe | Setup wizard for the Client Security Software for IBM/Lenovo notebooks. This entry only runs once, after the software has been installed and the notebook rebooted for the first time. If the wizard isn't completed a shortcut is available via the Start menu until it is |
| X | cserv32 | cserv32.exe | Added by the STRATION.EC WORM! |
| X | CsimPlayer | CsimPlayer.exe | Added by the KOOBFACE-AD WORM! |
| U | CSINJECT.EXE | CSINJECT.EXE | Part of Quarterdeck/Norton CleanSweep. "Csinject must be loaded in order for Smart Sweep to automatically monitor installations and properly track registry changes" |
| X | csm Win Updates | csm.exe | Added by the ZOTOB.B WORM! |
| X | CSNetManagerXp | isass.exe | Added by the HIDER-O TROJAN! |
| Y | CSO.exe | CSO.exe | ONO Service Center tool installed when you choose to install their internet security suite - sourced by Radialpoint. Apart from downloading the suite installation files, the exact purpose is unknown at this time but it may be used to source critical updates and alerts so should therefore be left enabled |
| X | csoftok | softok.exe | Added by the QQPASS.G TROJAN! |
| X | csos | csos.exe | Added by the SDBOT-DFE WORM! |
| X | csr | csrrs.exe | Added by the RBOT-CKM WORM! |
| X | csrcs | csrcs.exe | Added by the AGENT-HUA TROJAN! |
| X | csrrs | csrrs.exe | Added by the INEUDOK.A TROJAN! |
| X | csrs | csrs.exe | Added by the GAOBOT.GEN!POLY WORM! |
| X | csrsc | csrsc.exe | Added by the SILLYDC WORM! |
| X | Csrss | CSRSS.EXE | Added by the PUNYA-B WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS |
| X | csrss | ssms.exe | Added by an unidentified malware |
| X | CSRSS | CSRSS.EXE | Search page hijacker, redirecting to h**p://www.search-aide.com/. Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! |
| X | Csrss | csrss.exe | Added by the CHOD WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a random subfolder |
| X | csrss | csrss.exe | Added by the KEYLOG-AQ KEYLOGGER! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir% |
| X | csrss | csrss.exe | Added by the CHODE-J WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a random subfolder |
| X | csrss | msmsgs.exe | Added by the CHODE-J BACKDOOR! Note - this malware uses MSN Messenger (which is located in %Program Files%\Messenger) in the background to propagate itself |
| X | csrss | nwiz.exe | Added by the CHODE-J WORM! |
| U | csrss | csrss.exe | BeyondKeylog surveillance software. Uninstall this software unless you put it there yourself. Note - this is not the same file as the csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %ProgramFiles%\Supremtec |
| X | Csrss Host | csrhost.exe | Added by the IRCBOT.BIZ WORM! |
| X | CSRSS Loader | csrsss.exe | Added by the AGOBOT.TX WORM! |
| X | csrss.exe | csrss.exe | Added by the DALBUG WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir% |
| X | csrssLevel4 | csrss.exe | Unidentified malware! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a "Level4" subfolder |
| X | CSRSSU | CSRSSU.exe | CoolWebSearch parasite variant - hijacking to Slawsearch.com. Also detected as the CWS-E TROJAN! |
| X | CSRSSW | CSRSSW.EXE | Added by the CWS-F TROJAN! |
| X | CSRSWIN | [trojan filename] | Added by the WINSHELL.50 TROJAN! |
| X | CSRSX | [trojan filename] | Added by the WINSHELL.50.B TROJAN! |
| X | csrvss | csrvss.exe | Added by a variant of the SDBOT TROJAN! |
| U | CSS Server | CSSServer.exe | ComSpySysSvr surveillance software. Uninstall this software unless you put it there yourself |
| U | CSS_Central | CSS_1631.EXE | CSS Communication Agent (95 Host) from Command Software Systems (now Authentium). "CSS Central™ provides administrators with a powerfully proactive tool to effectively manage and maintain the anti-virus strategy from a centralized console" |
| N | cssauth | cssauth.exe | Part of Thinkvantage Client Security Solution for Lenovo ThinkPad notebooks and ThinkCentre desktops. Once configured via the associated setup screens this loads via winlogon.exe (and loads the password manager) and therefore disabling this entry has no effect |
| N | cssauthe | cssauthe.exe | Part of Thinkvantage Client Security Solution for IBM/Lenovo ThinkPad notebooks and ThinkCentre desktops. Once configured via the associated setup screens this loads via winlogon.exe (and loads the password manager) and therefore disabling this entry has no effect |
| Y | CSScheduleCheck | SCHWIZEX.EXE | Part of ConfigSafe - lets you identify changes to the registry, INI files, System asset files, system hardware, network connections, and operating system versions - provides a restore function. This part takes a snapshot of your system following a healthy re-boot |
| X | cssrs | cssrs.exe | Added by the BANCBAN-DW TROJAN! |
| X | cssrss.exe | cssrss.exe | Malware installed by different rogue security software including SpyKillerPro |
| X | csss | Csss.exe | Added by the BALICK TROJAN! |
| U | CstlFaxTray | FaxTray.Exe | System Tray access to OpenText Fax Appliance, FaxPress (formerly Castelle FaxPress) - which "offers a combined hardware and software faxing solution, providing every possible computer-based, network fax option" |
| X | CSV10P1 | CSP001.exe | ClearSearch adware |
| X | CSV10P70 | CSv10P070.exe | ClearSearch adware |
| X | CSV7P26 | CSV7P26.exe | ClearSearch adware |
| X | CSV7P70 | CSV7P070.exe | ClearSearch adware |
| X | CSV7P91 | CSV7P91.exe | ClearSearch adware |
| U | csvdea | csvdea.exe | SpyArsenalLog surveillance software. Uninstall this software unless you put it there yourself |
| X | csvhost.exe | csvhost.exe | Added by the CIMUZ-BD TROJAN! |
| Y | ct | ct.exe | ct.exe is a file for the HP Learning Adventure software; if you use this software it is required to run it |
| X | CT Control Settings | CTSVCCD.EXE | Added by the RBOT-YS WORM! |
| U | CTAPR2 | CTAPR2.exe | Console Launcher for the Creative Sound Blaster X-Fi series |
| N | CTAVTray | CTAvTray.exe | For Creative Soundblaster Live! series soundcards. Plays the EAX animation on start-up and adds a System Tray icon for it. Available via AudioHQ |
| U | CTCheck | CTCheck.exe | Associated with the ZEN range of MP3 players from Creative Technology Ltd. A visitor recommended the "U" status but what does it do? |
| U | CTCMonitor | CTCMonitor.exe | Click-to-Convert - document-to-HTML or doc-to-PDF converter. Only required if you are going to use the File -> Print method of using Click-to-Convert. If converting directly from MS Office, it is not required |
| X | CTDrive | rundll32.exe drvmod.dll,startup | Added by a variant of the OP DIALER! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The "drvmod.dll" file is found in %System% |
| N | CTDVDDet | CTDVDDet.exe | Auto-detect and play a DVD when using a Creative Soundblaster Audigy2 soundcard. Uses about 2.2 MB of memory. Disable it by heading to the MediaSource DVD Audio Player, selecting Tools, then unchecking the Auto Start box. It should not start up automatically again |
| X | CTF Device Loader | ctfmond.exe | Added by the AGOBOT-FO WORM! |
| X | ctf.exe | ctf.exe | Added by a variant of the BIFROSE TROJAN! |
| X | ctflog manager | ctflog.exe | Added by the DONBOMB.A TROJAN! |
| X | CTFM0N.exe | CTFM0N.exe | Added by the STARTPAGE.P TROJAN! Notice the digit "0" in both columns rather than the upper case "o" |
| X | ctfmen | cssrs.exe | Added by the STARTP-DC TROJAN! |
| X | ctfmgr | ctfmgr.exe | Added by the PWS-ATU TROJAN! |
| X | ctfmom | ctfnom.exe | Added by the BCKDR-QTA BACKDOOR! |
| U | ctfmon | ctfmon.exe | Supports multiple languages and alternative method inputs in Windows and MS Office. The language bar is displayed alongside the System Tray if more than one keyboard layout is enabled (for switching input languages) or, for example, if speech is selected as an alternative input for MS Office or Notepad. Required to support advanced text services (such as right to left text) for East Asian users. Can be disabled via Start → Control Panel → Regional and Language Options → Languages → Text Services and Input Languages → Details → Advanced → System Configuration → Turn off advanced text services (which also turns off the language bar). See also here and here. Can also cause problems with some other programs if left enabled - see here for such an example |
| X | ctfmon | taskmgr32*.exe [* = number] | Added by the SOWSAT.B WORM! |
| X | ctfmon | cftmon.exe | Added by the DELIVE-A BACKDOOR! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in %Windir% |
| X | ctfmon | mIRC.dll | Added by the DELBOT-E TROJAN! |
| X | ctfmon | WinConst.exe | Added by the ASSASIN-G TROJAN! |
| U | CTFMon | ctfmon.exe | Family KeyLogger keystroke logger/monitoring program - remove unless you installed it yourself! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in a "CTF" sub-folder |
| X | ctfmon | msnmsgr.exe | Added by the BDOOR-JV BACKDOOR! Note - this is not the valid MSN Messenger (now Windows Live Messenger) utility which is located in either %ProgramFiles%\MSN Messenger or %ProgramFiles%\Windows Live\Messenger. This one is located in %System% |
| X | CTFMON | wscript.exe /E:vbs winjpg.jpg | Added by the RUNAUTO.F WORM! Note that wscript.exe is a legitimate Microsoft file used to launch script files and shouldn't be deleted. The "winjpg.jpg" file is located in %System% |
| X | CTFMON | wscript.exe /E:vbs regedit.sys | Added by the VBSAUTO-A WORM! Note that wscript.exe is a legitimate Microsoft file used to launch script files and shouldn't be deleted. The "regedit.sys" file is located in %System% |
| X | CTFMON | win.exe | Added by the VBS.RUNAUTO.G WORM! |
| X | Ctfmon | wmisys.exe | Added by the IRCBOT-ADS WORM! |
| X | ctfmon | WinUP.exe | Added by the BANKER-VV TROJAN! |
| X | ctfmon | ctfmon.exe | Added by the AUTORUN-G WORM! Note - this is not the legitimate ctfmon.exe process associated with alternate language and method inputs which is always located in %System%. This one is located in a "1046" sub-folder |
| X | ctfmon | svhost.exe | Added by the BACKDR-EL BACKDOOR! |
| X | CTFMON.CPL | CTFM0N.CMD | Detected by Symantec as the SILLYFDC WORM! See here |
| X | Ctfmon.exe | ctfmon32.exe | CoolWebSearch Ctfmon32 parasite variant |
| X | ctfmon.exe | ctfmon.exe | Added by the RAIDYS TROJAN! Note - this overwrites the legitimate ctfmon.exe process associated with alternate text inputs which is located in %System% |
| X | ctfmon.exe | msupdate32.exe | Spy Sheriff/SpywareNO malware, also detected as the SPYHOAX-A TROJAN, pretends to be a spyware remover! - file names spotted so far include VXH8JKDQ2.EXE, NS6281400.so, CVXH8JKDQ2.EXE, down3.exe, sefe.exe, winstall.exe, and tool2.exe |
| U | ctfmon.exe | ctfmon.exe | Supports multiple languages and alternative method inputs in Windows and MS Office. The language bar is displayed alongside the System Tray if more than one keyboard layout is enabled (for switching input languages) or, for example, if speech is selected as an alternative input for MS Office or Notepad. Required to support advanced text services (such as right to left text) for East Asian users. Can be disabled via Start → Control Panel → Regional and Language Options → Languages → Text Services and Input Languages → Details → Advanced → System Configuration → Turn off advanced text services (which also turns off the language bar). See also here and here. Can also cause problems with some other programs if left enabled - see here for such an example |
| X | ctfmon.exe | ctfmon.exe eminem.exe | Added by the BHARAT.A WORM! |
| X | CTFMON.EXE | svchost.exe | Added by the JUEGO-B WORM! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir% |
| X | ctfmon.exe | CTFM0N.EXE | Added by the AUTORUN-AYX WORM! Notice the digit "0" in the filename rather than the upper case "o" |
| U | ctfmon.exe | ctfmon.exe | TotalSpy keystroke logger/monitoring program - remove unless you installed it yourself! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in %ProgramFiles%\TS Trial |
| X | CTFMON.EXE | ctfmon.exe | Added by the VBSP-A WORM! Note - this is not the legitimate ctfmon.exe process associated with alternate language and method inputs which is always located in %System%. This one is located in a "1126" sub-folder |
| X | CTFMON32 | CTFMON32.EXE | CoolWebSearch Ctfmon32 parasite variant - also detected as the CWS-E TROJAN! |
| X | ctfmon32 | [random filename].exe | Added by the RBOT-GSN WORM! |
| X | ctfmon32 | taskmgr32*.exe [* = digit] | Added by the SOWSAT.C WORM! |