| Status | Autorun name | Command | Description |
| X | _mzu_stonedrv3 | _mzu_stonedrv3.exe | Added by the DWNLDR-FTB TROJAN! |
| X | _mzu_stonedrv7 | _mzu_stonedrv7.exe | Added by a variant of the DWNLDR-FTB TROJAN! |
| X | _mzu_stonedrv8 | _mzu_stonedrv8.exe | Added by the DOWNLOADER-MZU TROJAN! |
| X | _ntrdlhost | _Ntrdlhost.exe | Added by the DLOADER-JV TROJAN! |
| X | _ntrRescueService | _ntrrs.exe | Added by the DLOADER-JV TROJAN! |
| X | _pnd_Panda Antivirus | _pnd_*****.exe [* = random char/digit] | Added by the AGENT.NAK TROJAN! |
| X | _rx | rundll32.exe | Added by the LINEAG-B TROJAN!! Note - this is not the legitimate rundll32.exe process, which is found in %Windir% (98/ME) or %System% (NT/2K/XP). This one is located in %Windir%\command |
| X | _Services.dll | smss.exe | Added by the SOBER-L WORM! Note - this is not the legitimate smss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\msagent\system |
| X | _Setv | Setv.com | Added by the BESAM WORM! |
| X | _svchost.con | svchost.com | Added by the ERKEZ.C WORM! |
| X | _System_Run | _svchost_.exe | Added by the LINEAGE-Z TROJAN! |
| X | _SystemBoot | services.exe | Added by the SOBER-Q TROJAN! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\Help\Help |
| X | _SystemDriver | csrss.exe | Added by the ASCETIC.B TROJAN! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\addins\explorer |
| X | _tdiserv_ | _tdicli_.exe | Added by the TDISERV.A WORM! |
| U | _winadm | winadm.exe | Parents Friend - "Log any activity and protect programs with a password. Further more you can lock the pc any hour in the week you want with the main password. You can also give users allowed programs in their program-lists and you can limit the maximal daily hours and maximal weekly hours user spend on the PC" |
| X | _WinCheck | services.exe | Added by the SOBER.V WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\ConnectionStatus\Microsoft |
| X | _WinData | services.exe | Added by the SOBER-AD WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\PoolData |
| X | _Windows | services.exe | Added by the SOBER.X WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %windir%\WinSecurity |
| X | _WinINet | services.exe | Added by the SOBER.R WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\ConnectionStatus |
| X | _WinMain | winexec.exe | Added by the DLOADER-XX TROJAN! |
| X | _WinStart | services.exe | Added by the SOBER.O WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\Connection Wizard\Status |
| X | _winsystem.sys | smss.exe | Added by the SOBER.K WORM! Note - this is not the legitimate smss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\msagent\win32 |
| X | _x-Finder | _x-Finder.exe | Disconnects and redials an ISP modem to an adult content site |
| X | {**-**-**-**-**} | dwdsregt.exe | ZenoSearch adware variant where ** are random characters |
| X | {**-**-**-**-**} | omdsregk.exe | ZenoSearch adware variant where ** are random characters |
| X | {**-**-**-**-**} | mrdsregp.exe | ZenoSearch adware variant where ** are random characters |
| X | {**-**-**-**-**} | rwwnw64d.exe | ZenoSearch adware variant where ** are random characters |
| U | {0228e555-4f9c-4e35-a3ec-b109a192b4c2} | gnotify.exe | Google Gmail Notifier. Alerts you when you have new Gmail messages |
| X | {05CD0D77-4947-4a56-94FA-0DF0DC644D7B} | sysqyzwud.exe | Added by the FAKEALERT-AM TROJAN! |
| U | {1290A33C-85F5-4164-A1BE-7DD299D4986A} | PBKScheduler.exe | Part of the PowerBackup archiving/backup utility from CyberLink. The entry is present if you have any backup jobs scheduled |
| X | {12EE7A5E-0674-42f9-A76B-000000004D00} | rundll32.exe stlb2.dll, DllRunMain | BrowserAid adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The "stlb2.dll" file is located in %System% |
| X | {157627A6-2A10-4aa1-B97F-90B8DC6F24AC} | sysqkmwfedz.exe | Added by the FAKEALERT-AH TROJAN! |
| X | {1C-CC-C5-54-ZN} | dwdsregt.exe | ZenoSearch adware |
| X | {29123221-3AF8-488c-85DE-6B3EC59E8074} | netmedia.exe | NetMedia adware |
| X | {2C70168B-97CE-4f31-B85D-1FEC5002721D} | sysxhtcwbse.exe | Added by the FAKEALERT-AM TROJAN! |
| X | {2C70168B-97CE-4f31-B85D-1FEC5002721D} | sxpgknrwva.exe | Added by the FAKEALERT-AM TROJAN! |
| X | {2C70168B-97CE-4f31-B85D-1FEC5002721D} | sysavxjgdu.exe | Added by the FAKEALERT-AM TROJAN! |
| X | {2C70168B-97CE-4f31-B85D-1FEC5002721D} | sysawpbkvnq.exe | Added by the FAKEALERT-AH TROJAN! |
| X | {2CF0B992-5EEB-4143-99C0-5297EF71F444} | rundll32.exe stlbdist.dll,DllRunMain | BrowserAid/BrowserPal foistware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The "stlbdist.dll" file is found in %System% |
| X | {2CF0B992-5EEB-4143-99C2-5297EF71F44B} | rundll32.exe stlbupdt.DLL,DllRunMain | BrowserAid adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The "stlbupdt.dll" file is found in %System% |
| X | {357AA41A-B7A8-4632-A27D-5B980B25CF43} | [path to svchost.exe] | Added by the SMALL-AQ TROJAN! |
| X | {357AA41A-B7A8-4632-A27D-5B980B25CF43} | services.exe | FakeMessage/AdRotator adware. Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in an "Inetsrv" subfolder |
| X | {357AA41A-B7A8-4632-A27D-5B980B25CF43} | [path to trojan] | Added by the SMALL-EP TROJAN! |
| X | {42562052-EE17-4197-82C7-91CB2E4B0666} | sysrswva.exe | Added by the FAKEALERT-AH TROJAN! |
| X | {48DBCECD-61F9-DBB6-AB03-49E1901B80A7} | ichu.exe | Added by the MDROP-CZM TROJAN! |
| X | {52-28-8E-E8-ZN} | thinksnet.exe | Zeno Think-Adz adware |
| X | {5DB71FAB-32CB-CC58-E728-DB563FE51494} | egoxs.exe | Added by the ZBOT-AIN TROJAN! |
| X | {78B578D7-BCE1-4d83-9CD4-195BC34D8CB3} | sxjecknqhu.exe | Added by the FAKEALERT-AM TROJAN! |
| X | {78B578D7-BCE1-4d83-9CD4-195BC34D8CB3} | syspyukrazv.exe | Added by the FAKEALERT-AH TROJAN! |
| X | {78B578D7-BCE1-4d83-9CD4-195BC34D8CB3} | syssfzvakqg.exe | Added by the FAKEALERT-AM TROJAN! |
| X | {7DD4A7AC-A3F1-4495-884A-7947C5B89108} | sysahbecjh.exe | Added by the FAKEALERT-AM TROJAN! |
| U | {914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29} | XPlay.exe | Xplay 3 from Mediafour Corporation - "expands what you can do with any iPod, including the iPhone and iTouch, and a Windows computer." If not used regularily start manually before connecting the iPod/iTouch |
| X | {9754B85A-3B34-4969-BE1F-CD03227E9470} | syszweuas.exe | Added by the FAKEALERT-AM TROJAN! |
| X | {9754B85A-3B34-4969-BE1F-CD03227E9470} | sysatjsicj.exe | Added by the FAKEALERT-AM TROJAN! |
| X | {A4C928E8-0ABA-4fd3-83DF-23BE54ADF9A4} | sxnwhbvrzc.exe | Added by the FAKEALERT-AM TROJAN! |
| X | {A4C928E8-0ABA-4fd3-83DF-23BE54ADF9A4} | sysqrnxstju.exe | Added by the FAKEALERT-AM TROJAN! |
| X | {AF13D6C2-E926-01EF-06C8-326F092AAF9D} | oxadw.exe | Added by the MDROP-CVA TROJAN! |
| X | {B081DB1F-4EE6-4021-9DD4-8B300F0D636D} | syssngbeh.exe | Added by the FAKEALERT-AH TROJAN! |
| U | {B179023B-6238-4499-8F26-CD73E9D90E0A} | MacDrive.exe | MacDrive 7 from Mediafour Corporation - "enables anyone using Windows Vista, XP, and 2003 Server to seamlessly access Mac disks (HFS/HFS+) of all types, including CDs, DVDs, hard drives, floppy, Zip, Jaz, and more!" |
| X | {B3B48B54-C0EC-4705-8EE8-1981AEF656A7} | sysjcyrq.exe | Added by the FAKEALERT-AH TROJAN! |
| X | {B7-7D-D0-08-ZN} | dwdsregt.exe | Added by the AGENT-GBC TROJAN! |
| X | {BAAA759D-56F0-428c-B8DA-827EA3B08C2C} | sysawechod.exe | Added by the FAKEALERT-AH TROJAN! |
| X | {BB87203E-EBAD-7A2C-8F8F-FF9626E7B87B} | aconi.exe | Added by the AGENT-OZR TROJAN! |
| X | {C0FB7D08-056E-1033-0501-03020730002c} | Update.exe | Added by the AGENT-EOG TROJAN! |
| X | {C2220120-1C24-4a79-BA7A-DDCBFC209DB3} | sysfbdgv.exe | Added by the FAKEALERT-AM TROJAN! |
| X | {C599792D-C6D9-461d-93CA-B48BFF8E37B1} | sysfdyev.exe | Added by the FAKEALERT-AM TROJAN! |
| X | {D792EEBE-2C75-4EAA-09C3-AD660894D8F6} | aqlyi.exe | Added by the MDROP-CWR TROJAN! |
| X | {DD651081-A909-45ad-BD71-2335B0ADE043} | sysutrnez.exe | Added by the FAKEALERT-AH TROJAN! |
| X | {DD651081-A909-45ad-BD71-2335B0ADE043} | sysabmpmfr.exe | Added by the FAKEALERT-AH TROJAN! |
| X | {DD651081-A909-45ad-BD71-2335B0ADE043} | sysnxcphmgy.exe | Added by the FAKEALERT-AH TROJAN! |
| X | {E4785213-3EFE-4c26-A9B4-332440E31F6F} | sysrxmfdksp.exe | Added by the FAKEALERT-AH TROJAN! |
| X | {F758F78B-0885-490e-AA3C-4A38D28B0240} | sxpjbwvahn.exe | Added by the FAKEALERT-AM TROJAN! |
| X | {F758F78B-0885-490e-AA3C-4A38D28B0240} | sysyeabdgfp.exe | Added by the FAKEALERT-AM TROJAN! |
| N | µTorrent | uTorrent.exe | µTorrent - file sharing client for Windows sporting a very small footprint from BitTorrent, Inc. Designed to use as little cpu, memory and space as possible while offering all the functionality expected from advanced clients. For more information about the protocol see here. As µTorrent is a peer-to-peer (P2P) file-sharing client used to distribute large amounts of data between multiple users make sure you have good, up-to-date virus protection and check any downloads |
| N | µTorrent | bittorrent.exe | BitTorrent file sharing client - from BitTorrent, Inc. For more information about the protocol see here. As BitTorrent is a peer-to-peer (P2P) file-sharing client used to distribute large amounts of data between multiple users make sure you have good, up-to-date virus protection and check any downloads. Version 6.1 of BitTorrent is displayed as µTorrent in both Vista MSConfig & Windows Defender |
| X | 0 | 0.exe | Added by the AGENT-IO MALWARE! |
| X | 0_AVD32 | xzboot.exe | Added by the AGENT-IWI TROJAN! |
| U | 000 | pit.exe | PrivateEye surveillance software. Uninstall this software unless you put it there yourself |
| X | 000hpdllhos | hpdllhost.exe | LZIO.com adware downloader |
| U | 000StTHK | 000StTHK.exe | Toshiba Hot key functionality for the function keys (Fn-Esc, Fn-F1 (lock), Fn-F2, Fn-F3, Fn-F4, Fn-F5 (switching between laptop and CRT display output), etc...) |
| X | 0050726-007-i32-1 | 0050726-007-i32-1.exe | Added by the BANCBAN-EC TROJAN! |
| X | 007-Anti-Spyware.exe | 007-Anti-Spyware.exe | 007 Anti-Spyware rogue security software - not recommended |
| ? | 00DSKSVR00 | desksaver.exe saskda | Part of Advanced Desktop Shield, Easy Desktop Keeper, 1st Desktop Guard and Desktop Layout Keeper (and maybe others) - which give you the ability to save, restore, manage and lock your desktop layout that includes files and folders located on your desktop, placement of desktop icons, desired wallpaper and screen saver. The exact purpose of this startup entry is unknown at present |
| U | 00DSKSVR01 | desksaver.exe tray | System Tray access to Advanced Desktop Shield, Easy Desktop Keeper, 1st Desktop Guard and Desktop Layout Keeper (and maybe others) - which give you the ability to save, restore, manage and lock your desktop layout that includes files and folders located on your desktop, placement of desktop icons, desired wallpaper and screen saver. Disabling via the program's own options will leave this startup entry but it will not run - "desksaver.exe" does however run as it's also used as a service |
| U | 00ERSRRRNKY | eraser.exe | Part of Evidence Exterminator, 1st Evidence Remover and Evidence Destructor (and maybe others) - the same file for the same version being used by all programs. Security tools that ensure your security and privacy by destroying all hidden activity information on demand, according to a schedule or on each boot/shutdown. This entry provides System Tray access to the main program for on demand cleaning and is required if any automatic cleaning has been scheduled. Located in %ProgramFiles%\Evidence Exterminator, %ProgramFiles%\1st Evidence Remover, %ProgramFiles%\Evidence Destructor or maybe others |
| ? | 00notify33 | NetBrowser.exe | Part of Best Network Security, 1st Network Admin and Corporate Network Security (and maybe others) - network-based password-protected security software that lets you impose access restrictions to all your PC workstations you have in your corporate network to stop users from tampering with them. The exact purpose of this startup entry is unknown at present |
| Y | 00PCTFW | FirewallGUI.exe | System Tray access to PC Tools Firewall Plus from PC Tools - which "is a powerful personal firewall for Windows that protects your computer from intruders and controls the network traffic in and out of your PC" |
| ? | 00saskda | newlock.exe saskda | Part of Access Manager, 1st Security Agent, Security Administrator and PC Security Tweaker (and maybe others) - which let you control which users are allowed to access your PC and the level of access each user may have. You can choose to tweak access to lots of Control Panel applet functions, including Display, Network, Passwords, Printers, System, Add/Remove Programs, etc. The exact purpose of this startup entry is unknown at present but it appears to be related to the "Screen Lock" feature |
| Y | 00TCrdMain | TCrdMain.exe | Related to the flash card slot on a Toshiba laptop. Ending this process will disable access to the flash cards |
| U | 00THotkey | 00THotKey.exe | For Toshiba Satellite notebook series to use the front buttons, play, stop, next, prev. |
| U | 00THotkey | system32THotkey.exe | For Toshiba Satellite notebook series to use the front buttons, play, stop, next, prev |
| U | 0190 Warner | WARN0190.EXE | German anti-dialer - see here |
| U | 0900 Warner | WARN0900.EXE | German anti-dialer - see here |
| X | 0CF48.exe | 0CF48.exe | SecureDefense rogue security software - not recommended, removal instructions here |
| X | 0mcamcap | 0mcamcap.exe | Added by the COSIAM-H TROJAN! |
| X | 0utlook Express | *****.exe [* = random char] | Added by a variant of the RBOT WORM! Note the first letter is actually the digit "0" and not a capital "o" |
| X | 1 | 1.exe | Added by the ESTEEMS TROJAN! |
| X | 1 | lsass.scr | Added by the BANCOS.V TROJAN! |
| X | 1 | svchost.scr | Added by the BANCOS.X TROJAN! |
| X | 1 | mrcmgr.exe | Added by the BANKER.RQK TROJAN! |