F0, F1, F2, F3 HijackThis Entries

Bleeping Computer

Welcome Guide Blogs Chat Help

RSS

Welcome Guest (Log In | Create Account)

New Member? Join for free.

Have a problem and would like to ask us for help? To learn how to ask your question Click Here!

Do you have popups or other malware infecting your computer? If so, Start Here!

Are you having trouble using this site? Then you should visit the New User Orientation Center!

BleepingComputer.com -> Startup Programs Database -> F0, F1, F2, F3 HijackThis Entries

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Other

HJT: F0, F1, F2, F3 · O4 · O20 · O21 · O22 · O23

Rootkit List

· Submit a Startup

· Top Submitters

Startup Index · Newest Entries · Mozilla Search Tools · WebMaster Site Tools · Status Key
Startup Database Forum · Computer Help Forums · How to use the Startup Database

Enter the filename or keyword you would like to search for:

Advanced Search

Pages: (3) [1] 2 3

Name	Filename	Status	Description
<not used>	Removal.vbs	X	Added by the VBS/Small-ELQ worm.
<not used>	sys.vbs	X	Added by the W32/Autorun-EL removable media worm. Please note that C:\Wndows\System32\wscript.exe is a legitimate file and should not be deleted.
<not used>	xwusuhzh.exe	X	Identified as a variant of the Troj/FakeAle-BI malware.
<not used>	csmm.exe	X	Added by the Troj/VB-DZN Trojan.
<not used>	gaqy.exe	X	Identified as a variant of the Backdoor:Win32/Tofsee.F malware.
<not used>	systemio.exe	X	Added by the W32/Autorun-DH removable media worm.
<not used>	OfficeExt.exe	X	Added by the W32/Autorun-CY removable media worm.
<not used>	boot.vbs	X	Added by the W32/Isetspy-C worm. C:\Windows\System32\wscript.exe should not be deleted as it is a legitimate file.
<not used>	%%%.exe	X	A variant of the Troj/Nymod-A malware.
<not used>	^^^^^.exe	X	A variant of the IRCBot family of worms and IRC backdoor Trojans.
<not used>	wsnpoema.exe	X	Identified as a variant of the Troj/SpyAgent-H malware.
<not used>	sbwltbxa.exe	X	Identified as a variant of the Troj/Agent-GRP variant malware.
<not used>	mtssc.exe	X	Added by the Trojan-Spy.Webmoner.FQ password-stealing and keylogging Trojan.
start	sbmntr.exe	X	Identified as a variant of the Adware/Netproject malware.
some	scit.exe	X	Identified as a variant of the Adware/Netproject malware.
<not used>	brxdoy.exe	X	A variant of the IRCBot family of worms and IRC backdoor Trojans.
<not used>	ddabc.exe	X	Added by the PE_TRATS.E-O virus.
<not used>	ok1.exe	X	Added by the Troj/Mdrop-BQM Trojan.
<not used>	msnmgnr.exe	X	A variant of the IRCBot family of worms and IRC backdoor Trojans.
<not used>	killVBS.vbs	X	Added by the VBS.Autill worm. Do not delete C:\Windows\System32\wscript.exe as it is a legitimate file.
stem%	regwiz.exe	X	Added by the Trojan-Dropper.Win32.Small.azk Trojan.
<not used>	mgmrwmrv.exe	X	Identified as a variant of the Trojan.FakeAlert malware. This malware will issue fake alerts on your computer stating you have security problems and advertising rogue programs that can supposedly fix them.
<not used>	rascal32.exe	X	Added by the W32/Otakbokep-A worm.
<not used>	rxjddnvj.exe	X	Identified as part of the Adware/UltimateCleaner rogue anti-spyware program.
<not used>	frwl.exe	X	Added by the W32/Autorun.worm.f removable media worm.
<not used>	killer.exe	X	Identified by Kaspersky Antivirus as a variant of the Virus.Win32.AutoRun.abt removable device worm.
<not used>	geedc.exe	X	Identified by Kaspersky antivirus as a variant of the Trojan-Dropper.Win32.Agent.dgo malware.
<not used>	DTMONX.EXE	?	Desktop Printer Driver from Microsoft. Anyone know what it does?
<not used>	mma.bat	X	Added by the W32/Autorun-AP removable media worm.
<not used>	mljjk.exe	?	Identified as either related to the Vundo Trojan or a variant of the TROJAN.AGENT.GEN malware.
<not used>	idaw64.exe	X	Identified as a variant of the Win32/SpamTool.Agent.NAJ malware.
<not used>	actcontroller.exe	X	Identified as a variant of the Win32/SpamTool.Agent.NAJ malware.
<not used>	WgaTrays.exe	X	Added by the W32.SillyDC worm.
<not used>	VirusRemoval.vbs	X	Browser Hijacker. Please note that C:\Windows\System32\wscript.exe is a legitimate program and should not be removed.
<not used>	awvvs.exe	X	Added by the Troj/Agent-GKQ Trojan.
<not used>	wuaucl.exe	X	Added by the W32.Vapka.A worm. W32.Vapka.A is a worm that spreads by copying itself to removable media and steals confidential information.
<not used>	VsTaskMgr.exe	X	Added by the TROJ_MULDROP.OE Trojan.
<not used>	ccEtvMgr.pif	X	Added by the W32.Roty.B@mm worm. W32.Roty.B@mm is a mass-mailing worm that also copies itself to shared folders and mapped network drives.
<not used>	commond.com	X	Added by the W32/Autorun-X removable media worm.
<not used>	winsys16_061230.dll	X	Added by the WORM_AGENT.AFFZ worm. Please note that rundll32.exe is a legitimate program.
<not used>	salo.exe	X	Added by the W32/Mabezat-A virus dropper.
<not used>	proper.exe	X	Fakealert Trojan which shows fake security alerts on your computer.
<not used>	msgsvc.exe	X	Added by the W32.Iretsim worm. W32.Iretsim is a worm that spreads by copying itself to removable drives. It also attempts to end security-related processes on the compromised computer.
<not used>	UpDateWinc.exe	X	Added by the W32.Yahack.A worm. W32.Yahack.A is a worm that spreads through mapped drives. It logs keystrokes, gathers system information, and steals Yahoo! Messenger passwords.
<not used>	crase.exe	X	Added by the W32.Debanpass worm. W32.Debanpass is a worm that copies itself to all drives. It steals confidential information and account details when users connect to a bank Web site.
<not used>	real.exe	X	Added by the W32.Snaban worm. W32.Snaban is a worm that spreads by copying itself to removable drives and network drives on the compromised computer. It also steals confidential information by logging keystrokes.
<not used>	taskmar.exe	X	Added by the TSPY_ONLINEG.GJQ spyware. This spyware steals sensitive information, such as user names and passwords, related to the game, World of Warcraft.
<not used>	themeupd.exe	X	Unidentified malware.
<not used>	themeui.exe	X	Unidentified malware.
<not used>	svchctrl.exe	X	Unidentified malware.
<not used>	svcvhost.exe	X	Unidentified malware.
<not used>	spoolsrvc.exe	X	Unidentified malware.
<not used>	shchostv.exe	X	Unidentified malware.
<not used>	MISuvstm.exe	X	Added by the Troj/Haoba-A Trojan.
<not used>	codeblocks.exe	X	Identified as a variant of the Trojan.Spambot.2424 malware.
<not used>	imgkulot.bat	X	Added by the VBS/Capiz-A worm. You can also delete the C:\Windows\System32\imgkulot.reg and C:\Windows\System32\imgkulot.vbs files that are associated with this infection.
<not used>	ntsvc32.dll	X	Identified as the Trojan-Notifier.Win32.Small.i malware.
<not used>	printer.exe	X	Malware related to and installed with different rogue anti-spyware programs including WinAntiSpyware 2006 or WinAntiSpyware 2007. This Trojan is responsible for the fake security alerts being displayed in your Windows taskbar.
<not used>	ActiveX.exe	X	Added by the W32/Rubble-C worm.
<not used>	taskmger.com	X	Added by the W32/Frawrm-A worm.
<not used>	msdun.exe	X	Identified as Trojan-Downloader.Win32.Small.ewt.
<not used>	WinSit.exe	X	Added by the W32/CoiDung-A worm.
<not used>	Other.exe	X	Added by the W32/CoiDung-A worm.
<not used>	viollice.exe	X	Added by the W32.Lecivio worm. W32.Lecivio is a worm that spreads by copying itself to all mapped drives on the compromised computer. It also downloads potentially malicious files on to the compromised computer.
<not used>	Empty.bat	X	Added by the W32.Pahatia.B worm. W32.Pahatia.B is a worm that spreads through mapped network drives and attempts to restart the computer if certain processes are running.
<not used>	corelnetwork.exe	X	Added by the Troj/Dial-DH Trojan.
<not used>	conime.exe	X	Added by the W32.Slurk.A worm. W32.Slurk.A is a worm that copies itself to all removable and shared drives, and drops other threats on to the compromised computer.
<not used>	MyComp.scr	X	Added by the W32.Odelud worm. W32.Odelud is a worm that spreads via network shares and removable media and may infect executable files.
<not used>	ctftpscr32.exe	X	Added by the Troj/Agent-FPN Trojan.
<not used>	czvhost.exe	X	Identified as Backdoor.IRC.Zapchast.
<not used>	userini.exe	X	Added by the Troj/Proxy-HP proxy Trojan.
<not used>	cchost.exe	X	Added by the Troj/Squatbot-B Trojan.
<not used>	cryptfg.exe	X	Identified as the Trojan.PWS.Zassan password-stealing Trojan.
<not used>	emirate.exe	X	Added by the W32/Brontok-DF worm. This infection also attempts to load via the Shell registry key.
<not used>	systems.dll	X	Added by the Troj/WLDrop-A Trojan.
<not used>	lsass.exe	X	Added by the WORM_SOHANAD.AM worm. This infection also downloads two files called YMWorm.exe and worm2007.exe. Once download it launches the C:\Windows\System\YMWorm.exe and C:\Windows\System\worm2007.exe programs. This infection should not be confused with the legitimate C:\Windows\System32\lsass.exe file.
<not used>	wandrv.exe	X	Added by the Troj/Bckdr-QHR backdoor Trojan.
<not used>	crclan.exe	X	Added by the W32/Rungbu-E virus. W32/Rungbu-E searches for files with a DOC extension and appends them to itself. It then deletes the original file, and copies itself to the same name but with an EXE extension.
<not used>	ODBCJET.exe	X	Added by the W32/SillyFDC-Z worm.
<not used>	msn.exe	X	Added by the W32.Eliles.A@mm worm.
<not used>	crs.exe	X	Added by the Troj/Delf-ESL Trojan.
<not used>	winsys16_070307.dll	X	Added by the Troj/Hiphop-G data stealing Trojan.
<not used>	systeminit.exe	X	Added by the W32.Solow worm. W32.Solow is a worm that attempts to spread via removable storage drives and copies itself as exe files with various names.
<not used>	sbs.exe	X	Added by the Troj/Hacksaw-A Trojan. Troj/Hacksaw-A infects a system when a U3 USB drive loaded with it is connected to to a compatible system.
<not used>	autorun.bat	X	Added by the VBS.Runauto worm. VBS.Runauto is a Visual Basic script worm that copies itself in the root folder of all drives (including removable devices) except floppy drives.
<not used>	setup_.exe	X	Added by the Troj/KGSpy-A key logging and information-stealing Trojan.
<not used>	lnks.exe	X	Added by the W32.Takeobel worm. W32.Takeobel is a worm that copies itself to mapped network drives. It also adds an .ln3 extension to any .doc files that it finds on the compromised computer.
<not used>	vrsserv.exe	X	Added by the Troj/Agent-ECW Trojan.
<not used>	blackice.exe	X	Added by the W32.Darksnow ad-clicking virus.
<not used>	winwork.exe	X	Added by the TSPY_WOWCRAFT.BL information stealing Trojan for the online game the World of Warcraft.
<not used>	dllvirtual.js	X	Added by the Troj/Dadobra-IW information stealing Trojan for online banks.
<not used>	dllvirtual.dll	X	Added by the Troj/Dadobra-IW information stealing Trojan for online banks.
<not used>	dllvirtual.exe	X	Added by the Troj/Dadobra-IW information stealing Trojan for online banks.
<not used>	mouser.exe	X	Added by the Troj/Agent-ETC Trojan.
<not used>	aExplorer.exe	X	Added by the W32/VB-CTQ virus.
<not used>	XPV6I4O.exe	X	Added by the W32/Bobandy-F mass-mailing worm.
<not used>	svichosst.exe	X	Added by the W32/Sohana-J worm. W32/Sohana-J may attempt to spread via instant messaging clients.
<not used>	wuaucll.exe	X	Added by the W32/SillyFDC-M worm.
<not used>	M5VBVM60.EXE	X	Added by the W32/Brontok-CJ worm. It is important to note that there may be a legitimate C:\Autoexec.bat. This file uses the number zero instead of the letter O.
<not used>	MVH.exe	X	Added by the W32.Falgna worm. W32.Falgna is a worm that steals system information and opens a back door on the compromised computer allowing a remote attacker to have unauthorized access.

Pages: (3) [1] 2 3

Disclaimer

It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. BleepingComputer.com will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from Uniblue Systems. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides