F0, F1, F2, F3 HijackThis Entries

bleepingcomputer.com

Welcome Guest (Log In | Create Account)

New Member? Join for free.

BleepingComputer.com -> Startup Programs Database -> F0, F1, F2, F3 HijackThis Entries

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Other

HJT: F0, F1, F2, F3 · O4 · O20 · O21 · O22 · O23

Rootkit List · Submit a Startup · Top Submitters

Startup Index · Newest Entries · Mozilla Search Tools · WebMaster Site Tools · Status Key
Startup Database Forum · How to use the Startup Database

Enter the filename or keyword you would like to search for:

Advanced Search

Pages: (4) 1 [2] 3 4

Name	Filename	Status	Description
<not used>	frwl.exe	X	Added by the W32/Autorun.worm.f removable media worm.
<not used>	killer.exe	X	Identified by Kaspersky Antivirus as a variant of the Virus.Win32.AutoRun.abt removable device worm.
<not used>	geedc.exe	X	Identified by Kaspersky antivirus as a variant of the Trojan-Dropper.Win32.Agent.dgo malware.
<not used>	DTMONX.EXE	?	Desktop Printer Driver from Microsoft. Anyone know what it does?
<not used>	mma.bat	X	Added by the W32/Autorun-AP removable media worm.
<not used>	mljjk.exe	?	Identified as either related to the Vundo Trojan or a variant of the TROJAN.AGENT.GEN malware.
<not used>	idaw64.exe	X	Identified as a variant of the Win32/SpamTool.Agent.NAJ malware.
<not used>	actcontroller.exe	X	Identified as a variant of the Win32/SpamTool.Agent.NAJ malware.
<not used>	WgaTrays.exe	X	Added by the W32.SillyDC worm.
<not used>	VirusRemoval.vbs	X	Browser Hijacker. Please note that C:\Windows\System32\wscript.exe is a legitimate program and should not be removed.
<not used>	awvvs.exe	X	Added by the Troj/Agent-GKQ Trojan.
<not used>	wuaucl.exe	X	Added by the W32.Vapka.A worm. W32.Vapka.A is a worm that spreads by copying itself to removable media and steals confidential information.
<not used>	VsTaskMgr.exe	X	Added by the TROJ_MULDROP.OE Trojan.
<not used>	ccEtvMgr.pif	X	Added by the W32.Roty.B@mm worm. W32.Roty.B@mm is a mass-mailing worm that also copies itself to shared folders and mapped network drives.
<not used>	commond.com	X	Added by the W32/Autorun-X removable media worm.
<not used>	winsys16_061230.dll	X	Added by the WORM_AGENT.AFFZ worm. Please note that rundll32.exe is a legitimate program.
<not used>	salo.exe	X	Added by the W32/Mabezat-A virus dropper.
<not used>	proper.exe	X	Fakealert Trojan which shows fake security alerts on your computer.
<not used>	msgsvc.exe	X	Added by the W32.Iretsim worm. W32.Iretsim is a worm that spreads by copying itself to removable drives. It also attempts to end security-related processes on the compromised computer.
<not used>	UpDateWinc.exe	X	Added by the W32.Yahack.A worm. W32.Yahack.A is a worm that spreads through mapped drives. It logs keystrokes, gathers system information, and steals Yahoo! Messenger passwords.
<not used>	crase.exe	X	Added by the W32.Debanpass worm. W32.Debanpass is a worm that copies itself to all drives. It steals confidential information and account details when users connect to a bank Web site.
<not used>	real.exe	X	Added by the W32.Snaban worm. W32.Snaban is a worm that spreads by copying itself to removable drives and network drives on the compromised computer. It also steals confidential information by logging keystrokes.
<not used>	taskmar.exe	X	Added by the TSPY_ONLINEG.GJQ spyware. This spyware steals sensitive information, such as user names and passwords, related to the game, World of Warcraft.
<not used>	themeupd.exe	X	Unidentified malware.
<not used>	themeui.exe	X	Unidentified malware.
<not used>	svchctrl.exe	X	Unidentified malware.
<not used>	svcvhost.exe	X	Unidentified malware.
<not used>	spoolsrvc.exe	X	Unidentified malware.
<not used>	shchostv.exe	X	Unidentified malware.
<not used>	MISuvstm.exe	X	Added by the Troj/Haoba-A Trojan.
<not used>	codeblocks.exe	X	Identified as a variant of the Trojan.Spambot.2424 malware.
<not used>	imgkulot.bat	X	Added by the VBS/Capiz-A worm. You can also delete the C:\Windows\System32\imgkulot.reg and C:\Windows\System32\imgkulot.vbs files that are associated with this infection.
<not used>	ntsvc32.dll	X	Identified as the Trojan-Notifier.Win32.Small.i malware.
<not used>	printer.exe	X	Malware related to and installed with different rogue anti-spyware programs including WinAntiSpyware 2006 or WinAntiSpyware 2007. This Trojan is responsible for the fake security alerts being displayed in your Windows taskbar.
<not used>	ActiveX.exe	X	Added by the W32/Rubble-C worm.
<not used>	taskmger.com	X	Added by the W32/Frawrm-A worm.
<not used>	msdun.exe	X	Identified as Trojan-Downloader.Win32.Small.ewt.
<not used>	WinSit.exe	X	Added by the W32/CoiDung-A worm.
<not used>	Other.exe	X	Added by the W32/CoiDung-A worm.
<not used>	viollice.exe	X	Added by the W32.Lecivio worm. W32.Lecivio is a worm that spreads by copying itself to all mapped drives on the compromised computer. It also downloads potentially malicious files on to the compromised computer.
<not used>	Empty.bat	X	Added by the W32.Pahatia.B worm. W32.Pahatia.B is a worm that spreads through mapped network drives and attempts to restart the computer if certain processes are running.
<not used>	corelnetwork.exe	X	Added by the Troj/Dial-DH Trojan.
<not used>	conime.exe	X	Added by the W32.Slurk.A worm. W32.Slurk.A is a worm that copies itself to all removable and shared drives, and drops other threats on to the compromised computer.
<not used>	MyComp.scr	X	Added by the W32.Odelud worm. W32.Odelud is a worm that spreads via network shares and removable media and may infect executable files.
<not used>	ctftpscr32.exe	X	Added by the Troj/Agent-FPN Trojan.
<not used>	czvhost.exe	X	Identified as Backdoor.IRC.Zapchast.
<not used>	userini.exe	X	Added by the Troj/Proxy-HP proxy Trojan.
<not used>	cchost.exe	X	Added by the Troj/Squatbot-B Trojan.
<not used>	cryptfg.exe	X	Identified as the Trojan.PWS.Zassan password-stealing Trojan.
<not used>	emirate.exe	X	Added by the W32/Brontok-DF worm. This infection also attempts to load via the Shell registry key.
<not used>	systems.dll	X	Added by the Troj/WLDrop-A Trojan.
<not used>	lsass.exe	X	Added by the WORM_SOHANAD.AM worm. This infection also downloads two files called YMWorm.exe and worm2007.exe. Once download it launches the C:\Windows\System\YMWorm.exe and C:\Windows\System\worm2007.exe programs. This infection should not be confused with the legitimate C:\Windows\System32\lsass.exe file.
<not used>	wandrv.exe	X	Added by the Troj/Bckdr-QHR backdoor Trojan.
<not used>	crclan.exe	X	Added by the W32/Rungbu-E virus. W32/Rungbu-E searches for files with a DOC extension and appends them to itself. It then deletes the original file, and copies itself to the same name but with an EXE extension.
<not used>	ODBCJET.exe	X	Added by the W32/SillyFDC-Z worm.
<not used>	msn.exe	X	Added by the W32.Eliles.A@mm worm.
<not used>	crs.exe	X	Added by the Troj/Delf-ESL Trojan.
<not used>	winsys16_070307.dll	X	Added by the Troj/Hiphop-G data stealing Trojan.
<not used>	systeminit.exe	X	Added by the W32.Solow worm. W32.Solow is a worm that attempts to spread via removable storage drives and copies itself as exe files with various names.
<not used>	sbs.exe	X	Added by the Troj/Hacksaw-A Trojan. Troj/Hacksaw-A infects a system when a U3 USB drive loaded with it is connected to to a compatible system.
<not used>	autorun.bat	X	Added by the VBS.Runauto worm. VBS.Runauto is a Visual Basic script worm that copies itself in the root folder of all drives (including removable devices) except floppy drives.
<not used>	setup_.exe	X	Added by the Troj/KGSpy-A key logging and information-stealing Trojan.
<not used>	lnks.exe	X	Added by the W32.Takeobel worm. W32.Takeobel is a worm that copies itself to mapped network drives. It also adds an .ln3 extension to any .doc files that it finds on the compromised computer.
<not used>	vrsserv.exe	X	Added by the Troj/Agent-ECW Trojan.
<not used>	blackice.exe	X	Added by the W32.Darksnow ad-clicking virus.
<not used>	winwork.exe	X	Added by the TSPY_WOWCRAFT.BL information stealing Trojan for the online game the World of Warcraft.
<not used>	dllvirtual.js	X	Added by the Troj/Dadobra-IW information stealing Trojan for online banks.
<not used>	dllvirtual.dll	X	Added by the Troj/Dadobra-IW information stealing Trojan for online banks.
<not used>	dllvirtual.exe	X	Added by the Troj/Dadobra-IW information stealing Trojan for online banks.
<not used>	mouser.exe	X	Added by the Troj/Agent-ETC Trojan.
<not used>	aExplorer.exe	X	Added by the W32/VB-CTQ virus.
<not used>	XPV6I4O.exe	X	Added by the W32/Bobandy-F mass-mailing worm.
<not used>	svichosst.exe	X	Added by the W32/Sohana-J worm. W32/Sohana-J may attempt to spread via instant messaging clients.
<not used>	wuaucll.exe	X	Added by the W32/SillyFDC-M worm.
<not used>	M5VBVM60.EXE	X	Added by the W32/Brontok-CJ worm. It is important to note that there may be a legitimate C:\Autoexec.bat. This file uses the number zero instead of the letter O.
<not used>	MVH.exe	X	Added by the W32.Falgna worm. W32.Falgna is a worm that steals system information and opens a back door on the compromised computer allowing a remote attacker to have unauthorized access.
<not used>	MVS.exe	X	Added by the W32.Falgna worm. W32.Falgna is a worm that steals system information and opens a back door on the compromised computer allowing a remote attacker to have unauthorized access.
<not used>	eventsry.exe	X	Added by the Troj/Bckdr-PVP backdoor Trojan.
<not used>	macromedialan.exe	X	Added by the Troj/Small-DNX Trojan.
<not used>	taliban.exe	X	Added by the W32.Jhad worm. W32.Jhad is a worm that spreads through mapped network drives.
<not used>	msn.com	X	Added by the Troj/Agent-DIH downloader Trojan.
<not used>	msvce.exe	X	Added by the Troj/Bckdr-PQP backdoor Trojan.
<not used>	exploer.exe	X	Added by the Troj/Agent-DQT Trojan. This infection should not be confused with the legitimate C:\Windows\explorer.exe file.
<not used>	msvce32.exe	X	Added by the Troj/Bckdr-PNP backdoor Trojan.
<not used>	lhtefx.exe	X	Added by the Troj/QQRob-AAU backdoor Trojan.
<not used>	ciscoutility.exe	X	Added by the Troj/Small-DIV Trojan.
<not used>	Ble'e.exe	X	Added by the W32/Todnab-A worm. This infection should not be confused with the legitimate C:\Windows\System32\lsass.exe file.
<not used>	Blaut.exe	X	Added by the W32/Todnab-A worm. This infection should not be confused with the legitimate C:\Windows\System32\lsass.exe file.
<not used>	lodctr32.exe	X	Added by the Troj/VB-CRJ Trojan.
<not used>	adodbc.exe	X	Added by the Troj/Agent-DLX Trojan.
<not used>	jjakarta.exe	X	Added by the Troj/VB-CRT Trojan.
<not used>	MSGSRV16.COM	X	Added by the W32/Burmec-A worm.
<not used>	jfeee.exe	X	Added by the DoDoor adware.
<not used>	myqq_.exe	X	Added by the Troj/QQPass-AIS Trojan rootkit.
<not used>	hejoice.exe	X	Added by the Troj/Prosti-DE Trojan.
<not used>	fuckkb.exe	X	Added by the Troj/Lineag-AAY password-stealing Trojan for the online game Lineage.
<not used>	ExeRun.exe	X	Added by the W32.Floopy.A virus. W32.Floopy.A is a virus that deletes system files.
<not used>	winhe1p.exe	X	Added by the Troj/Agent-DFT Trojan.
<not used>	spooll.exe	X	Added by the Troj/Banker-DIO Internet banking Trojan. When selected banking websites are accessed, the Trojan will monitor user activity and send the stolen details to remote email addresses.
<not used>	vmmdiag32.exe	X	Added by the Troj/Goldun-DS Trojan. Troj/Goldun-DS monitors browser activity in an attempt to steal passwords when users browse to certain websites, including www.e-gold.com. The Trojan may attempt to modify browser settings in order to force users to re-type passwords.

Pages: (4) 1 [2] 3 4

Disclaimer

It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. BleepingComputer.com will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.