Windows startup programs - Browse database

Message Board

Windows startup programs - Browse database

If you're frustrated with the time it takes your Windows 7/Vista/XP PC to boot and then it seems to be running slowly you may have too many programs running at start-up - and you have come to the right place to identify them. This is the original start-up programs (as opposed to processes/tasks) list - one of the most accurate and comprehensive. Services are not included - see below. For further information on this and how to identify and disable start-up programs please visit the Introduction page.

See here for further information on random entries - which are typically added by viruses and other malware or unwanted programs.

Last database update :- 29th Apr, 2013
31819 items listed

Alternatively, you can search the full database or use the alphabetical index on that page.

FIRST PREV ( Page 1 of 637 ) NEXT LAST

You can also manually change the page number in the address bar.

Startup Item or Name	Status	Command or Data	Description	Tested
Windows Services	X	#adobeair.exe	Detected by Sophos as Troj/VB-FHF and by Malwarebytes Anti-Malware as Backdoor.Agent.Gen	No
$sys$drv	X	$sys$drv.exe	Added by the RYKNOS TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer	No
$sys$crash	X	$sys$sonyTimer.exe	Added by the WELOMOCH TROJAN!	No
$sys$momomomochin	X	$sys$sonyTimer.exe	Added by the WELOMOCH TROJAN!	No
$sys$umaiyo	X	$sys$sonyTimer.exe	Added by the WELOMOCH TROJAN!	No
$sys$crash	X	$sys$sos$sys$.exe	Added by the WELOMOCH TROJAN!	No
$sys$momomomochin	X	$sys$sos$sys$.exe	Added by the WELOMOCH TROJAN!	No
$sys$umaiyo	X	$sys$sos$sys$.exe	Added by the WELOMOCH TROJAN!	No
$sys$crash	X	$sys$WeLoveMcCOL.exe	Added by the WELOMOCH TROJAN!	No
$sys$momomomochin	X	$sys$WeLoveMcCOL.exe	Added by the WELOMOCH TROJAN!	No
$sys$umaiyo	X	$sys$WeLoveMcCOL.exe	Added by the WELOMOCH TROJAN!	No
$sys$cmp	X	$sys$xp.exe	Added by the RYKNOS.B TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer	No
SeekmoToolbar	X	${HOOKOE_FILE}	Seekmo Search Assistant adware	No
Flash Media	X	%%%%%%^^ ^ .exe	Added by a variant of W32.IRCBot. The file is located in %System%	No
Flash Media	X	%%%%%.exe	Added by a variant of the IRCBOT BACKDOOR! See here	No
Flash Media	X	%%%.exe	Added by a variant of the IRCBOT BACKDOOR! See here	No
WINSVC	X	%AppData%winini.exe	Detected by Malwarebytes Anti-Malware as Backdoor.Messa	No
%cmpmixtitle%	?	%cmpmixstr%	Possibly related to C-Media Mixer Control panel?	No
GoogleUpdate	X	%GoogleUpdate%	Detected by McAfee as Downloader.a!bn3	No
PAV.EXE	X	%Number%	Added by the KITRO.D (or ARGEN.A) WORM! %Number% can be any number	No
(Default)	X	%ProgramFiles%:Server.exe	Detected by Malwarebytes Anti-Malware as Trojan.Agent.ADS. Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank and the target is a Windows Alternate Data Stream (ADS)	No
11	X	%System%:11.exe	Detected by Malwarebytes Anti-Malware as Trojan.Agent. Note that the target is a Windows Alternate Data Stream (ADS)	No
Winsock.exe	X	%System%:Winlogon.exe	Detected by Kaspersky as Backdoor.Win32.Poison.arnv. Note that the target is a Windows Alternate Data Stream (ADS)	No
%Temp%\delwdef2008.bat	X	%Temp%\delwdef2008.bat	WinDefender 2008 rogue privacy program - not recommended, removal instructions here	No
%TEMP%	X	%TEMP%.exe	Detected by Malwarebytes Anti-Malware as Trojan.Passwords. The file is located in %Temp%	No
102b3bcad4053f1630a0d725fba934ba	X	%TEMP%.exe	Detected by Dr.Web as Trojan.DownLoader7.25770 and by Malwarebytes Anti-Malware as Trojan.MSIL	No
GKIU	X	%TEMP%.scr	Detected by McAfee as RDN/Generic Dropper!ge and by Malwarebytes Anti-Malware as Backdoor.Agent	No
RDKI	X	%TEMP%.scr	Detected by McAfee as RDN/Generic Dropper!ge and by Malwarebytes Anti-Malware as Backdoor.Agent	No
UPDATE.EXE	X	%Windir%:Update.exe	Detected by Malwarebytes Anti-Malware as Trojan.Agent.AI. Note that the target is a Windows Alternate Data Stream (ADS)	No
winlgon	X	%Windir%:winlgon.exe	Detected by Dr.Web as Trojan.DownLoader6.47245 and by Malwarebytes Anti-Malware as Trojan.Backdoor. Note that the target is a Windows Alternate Data Stream (ADS)	No
Alternativo	X	%Windir%Updatex.exe	Detected by Dr.Web as Trojan.FakeAV.14091 and by Malwarebytes Anti-Malware as Trojan.Banker	No
SystemWideHook for Windows NT	X	%WinHook32.exe	Added by the MYDOOM.AC WORM!	No
Flash Media	X	%^% ^ %^%% ^ % ^%%^^ %^^%^%^ ^%% %^.exe	Added by a variant of W32.IRCBot. The file is located in %System%	No
Flash Media	X	%^^%^^% %^^^^ .exe	Added by a variant of W32.IRCBot. The file is located in %System%	No
3f4cf2e1c9a25e21a398573a7245692a	X	ط?an.exe	Detected by Dr.Web as Trojan.DownLoader7.3560 and by Malwarebytes Anti-Malware as Trojan.MSIL	No
Flash Media	X	% ^% ^^^ %^% %% ^ ^ %%% ^% %^ % %^^.exe	Added by a variant of the IRCBOT BACKDOOR! Note the space at the beginning of the filename	No
Flash Media	X	%% % ^^ % %% ^%^^ ^^^ % ^%% ^ ^.exe	Added by a variant of the IRCBOT BACKDOOR! See here. Note the space at the beginning of the filename	No
Regcxmarq	X	REGCXMARQ.EXE	Detected by Trend Micro as TSPY_BANCOS.DK. Note the space at the beginning of the filename	No
regedit	X	svchost.exe ccRegVfy	Added by the HOTWORD.B TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is also located in %System% but has a space at the beginning of the filename	No
Windows Auto Updater	X	WINDOWSUPDATE.EXE	Added by the SDBOT.PB WORM! Note the space at the beginning of the filename	No
Firewall	X	wmlaunch .exe	Added by the ELIPTER.A or ELIPTER.B WORMS! Note the space at the beginning of the filename	No
Flash Media	X	^ %%^%^%.exe	Added by the FLUSH.A TROJAN! Note the space at the beginning of the filename	No
alkasr	X	ÎäÒíÑ.exe	Added by the BALKART TROJAN!	No
íàïîìèíàíèå	X	íàïîìèíàíèå.txt	Detected by Malwarebytes Anti-Malware as Trojan.Agent. The file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
WINDOWS SYSTEM	X	\skybot.exe	Added by the MYTOB.JU WORM!	No
WINDOWS	X	\windows.exe	Added by the MONBOT-A TROJAN!	No
'AdwarePro'	X	'AdwarePro'.exe	AdWarePro rogue security software - not recommended	No
Control handler	X	**********.exe [ = random char]	CoolWebSearch parasite variant	No
Microsoft Windows Update XP64	X	*******.exe [ = random char]	Added by a variant of Win32/Rbot	No
soft2	X	*******.exe [ = random digit]	Added by the KARDPHISHER TROJAN!	No

FIRST PREV ( Page 1 of 637 ) NEXT LAST

You can also manually change the page number in the address bar.

Notes & Warnings

If you can help identify new entries and verify/identify those entries with a "?" status (especially hardware specific - such as laptops and motherboards) then please E-mail us (startups_at_pacs-portal_dot_co_dot_uk).

"Status" key:

"Y" - Normally leave to run at start-up
"N" - Not required or not recommended - typically infrequently used tasks that can be started manually if necessary
"U" - User's choice - depends whether a user deems it necessary
"X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
"?" - Unknown

Variables:

%System% - refers to the System folder; by default this is
- C:\Windows\System32 (7/Vista/XP)
- C:\Winnt\System32 (2K)
- C:\Windows\System (Me/9x)
%Windir% - refers to the Windows installation folder; by default this is
- C:\Windows (7/Vista/XP/Me/9x)
- C:\Winnt (2K)
%ProgramFiles% - refers to the Program Files folder; typically the path is C:\Program Files
%CommonFiles% - refers to the Common Program Files folder; typically the path is C:\Program Files\Common Files
%Root% - refers to the highest directory level on a hard drive - i.e., C:\, D:\
%UserProfile% - refers to the current user's profile folder; by default this is
- C:\Users\{user} (7/Vista)
- C:\Documents and Settings\{user} (XP/2K)
%AllUsersProfile% - refers to the common profile folder for all users; by default this is
- C:\Users\All Users (7/Vista)
- C:\Documents and Settings\All Users (XP/2K)
%AppData% - refers to the current user's Application Data folder; by default this is
- C:\Users\{user}\AppData\Roaming (7/Vista)
- C:\Documents and Settings\{user}\Application Data (XP/2K)
%CommonAppData% - refers to the common Application Data folder for all users; by default this is
- C:\ProgramData (7/Vista - Note: this directory is hidden by default)
- C:\Documents and Settings\All Users\Application Data (XP/2K)
%LocalAppData% - refers to the current user's Local Application Data folder; by default this is
- C:\Users\{user}\AppData\Local (7/Vista)
- C:\Documents and Settings\{user}\Local Settings\Application Data (XP/2K)
%MyDocuments% - refers to the current user's Documents folder; by default this is
- C:\Users\{user}\Documents (7/Vista)
- C:\Documents and Settings\{user}\My Documents (XP/2K)
%CommonDocuments% - refers to the current user's Documents folder; by default this is
- C:\Users\Public\Documents (7/Vista)
- C:\Documents and Settings\All Users\Documents (XP/2K)
%UserTemp% - refers to the current user's Temp folder; by default this is
- C:\Users\{user}\AppData\Local\Temp (7/Vista)
- C:\Documents and Settings\{user}\Local Settings\Temp (XP/2K)
%WinTemp% - refers to the Windows Temp folder; typically the path is C:\Windows\Temp
%Temp% - refers to either or both of the %UserTemp% and %WinTemp% folders where the location isn't specified, or %Root%\Temp
%Templates% - refers to the current user's Templates folder; by default this is
- C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Templates (7/Vista)
- C:\Documents and Settings\{user}\Templates (XP/2K)
%UserStartup% - refers to the current user's Startup folder; by default this is
- C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (7/Vista)
- C:\Documents and Settings\{user}\Start Menu\Programs\Startup (XP/2K)
%AllUsersStartup% - refers to the All User Startup folder; by default this is
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (7/Vista - Note: this directory is hidden by default)
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup (XP/2K)

DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. We will not be held responsible if changes you make cause a system failure.

WARNING: This is NOT a database of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a database of start-up applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at start-up. For a list of tasks/processes you should try the Process Library from Uniblue, the list at PC Pitstop or one of the many others now available. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSConfig or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.

To avoid the database becoming too large, all malware entries are only shown using the registry version which is common to all Windows versions. Otherwise there would be multiple entries for popular filenames that viruses often use - such as "svchost.exe" above for example. Multiple malware can also use the same start-up entries, in this case only those with significant differences (such as file location) are repeated in this database.

As more than 15K entries in this database related to malware you should use a quality internet security package. Which ever you choose, keep it updated and get the latest version at least every two years.

There are a number of virus and malware entried listed in this database where specific removal instructions haven't been given. If this is the case then you could try ComboFix, a program written by sUBs that can remove many different types of Trojans and Worms. See here for a tutorial on how to use the program

NOTE: A number of entries are repeated due to the way that different operating systems display startup items. For example, WinMe lists "POPROXY.EXE" as "Norton eMail Protect" in both MSCONFIG and the registry whereas WinXP lists it as "Poproxy" in MSCONFIG and "Norton eMail Protect" in the registry.

SERVICES: "Services" from the NT/2K/XP/Vista/7 operating systems are not included. We fully understand that some programs with these OS's use "Services" as an alternative to load their component parts at startup but these are handled in a different way. We recommend you try BlackViper for information on services for the relevant operating systems.

Copyright

Presentation, format & comments Copyright © 2001 - 2012 Pacman's Portal
Portions Copyright © Peter Forrest, Denny Denham, Sylvain Prevost, Tony Klein, CastleCops & Bleeping Computer
Powered by Malwarebytes
All rights reserved

Site Map

Home