Dit

NEW HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!

Page

If you're not finding what you're looking for please go to this forum and submit a new startup entry.

Key:

"Y" - Normally leave to run at start-up
"N" - Not required - typically infrequently used tasks that can be started manually if necessary
"U" - User's choice - depends whether a user deems it necessary
"X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
"?" - Unknown

	Startup Name	Process Name	Details
X		regedit.exe /s appboost.reg	"Added by the APPIX.D WORM! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run and HKCU\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank. The Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The file ""appboost.reg"" is located in %Windir%"
X	1	addit.exe	"Added by the SDBOT-RI WORM!"
X	@	regedit -s win.dll	"Added by the SEEKER.K TROJAN! Note that regedit is the the legitimate Windows Registry Editor and shouldn't be deleted. The ""win.dll"" file is located in %Windir%"
X	Additional Guard	WI[random characters].exe	"Additional Guard rogue security software - not recommended
X	ADDITIONAL Services	pkgadd.exe	"Added by a variant of the IRCBOT TROJAN!"
X	Ccao	regedit.exe	"Probably a variant of MediaTickets adware. Note - this is not the valid Windows registry editor which resides in %Windir% and will not figure in Msconfig/Startup! This version resides in a ""mduu"" subfolder
X	cof.updit	[random filename]	"Added by a variant of the SDBOT WORM!"
X	CTFMON	wscript.exe /E:vbs regedit.sys	"Added by the VBSAUTO-A WORM! Note that wscript.exe is a legitimate Microsoft file used to launch script files and shouldn't be deleted. The ""regedit.sys"" file is located in %System%"
X	Data789	Regedit.exe ....data789.tmp	Homepage hijacker
Y	Dit	dit.exe	""Drive Icon and Label Utility" - assigns drive icons and names to flash memory cards. Required
X	Dit	dit.exe	"Added by the LAZAR-A TROJAN! Note - this is located in %System%"
N	DiTask.exe	DiTask.exe	"Associated with an Eicon Networks ISDN or ADSL modem. System Tray icon which shows you the status of your lines (free
N	DJRegFix	regedit /s c:hpdjregfix.reg	"DJRegFix showed up first in WinME as a ""clever"" way to ensure that all Hewlett-Packard DeskJet printers actually worked with WinME - since most were having major problems. This ""utility"" adds the functionality and compatibility HP forgot to add in its WinME drivers"
N	Download Accelerator Manager Free Edition	dam.exe	"Download Accelerator Manager Free Edition from Tensons Corp"
X	editpad	editpad.exe	"Added by the CONSPER-B TROJAN!"
U	HostsFileMgr	winHostsEdit.exe	"AdBin from Gilmore Software Development. An easy solution to managing your Window's hosts file"
X	Internal	regedit.exe /s c[month number]	"Added by the FORTNIGHT.D TROJAN! Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The file ""c[month number]"" is located in %Windir%
Y	LXDICATS	"rundll32 [path] LXDItime.dll	_RunDLLEntry@16"
X	Microsoft Regestry Edit Manager	regedit.exe	"Added by the SHEUR.HC TROJAN! Note - this is not the valid Windows registry editor which resides in %Windir% and will not normally figure in Msconfig/Startup! This version resides in %System%"
X	Microsoft Regestry Manager	regedit32.exe	"Added by a variant of the IRCBOT.ARD WORM!"
X	Mircrosoft Technic Help	EditKey.exe	"Added by the KOLABC.AS WORM!"
X	Ms System Config	pcedit.exe	"Added by a variant of the SDBOT WORM!"
X	NeroCheck	regedit.exe	"Added by the DOOMJUICE.B WORM! Note - this is not the valid Ahead Nero CD/DVD burning program. Also
X	No Credit Card	plugin-[random].exe	Adult content pop-up dialler
X	OPQFile	regedit.exe /s ...rad03FA6.tmp	Unsavoury program that resets your homepage every time you restart - uncheck in MSCONFIG and delete it via a registry edit
U	PopUpStopperFreeEdition	PSFREE.EXE	"Panicware's Pop-Up Stopper - free limited features version"
U	PowerPanel Personal Edition User Interaction	pppeuser.exe	"CyberPower PowerPanel Personal Edition UPS Monitoring & Control Software - ""is included with CyberPower's products. This exclusive software allows control and monitoring of your UPS to provide protection for your computer system
?	PowerSet	Regedit.exe /s ...PowerSet_8100_CU.REG	"Appears to be Toshiba power management related"
X	regedit	regedit.exe	"Added by the BRID.A WORM! Note - this is not the valid Windows registry editor which resides in %Windir$ and will not figure in Msconfig/Startup! This version resides in %System%"
X	REGEDIT	Regsrv32.com	"Added by the SOUTHGHOST WORM!"
X	regedit	autoexe.exe	"Added by a variant of the RBOT WORM!"
X	regedit	svchost.exe ccRegVfy	"Added by the HOTWORD.B TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is also located in %System% but has a space at the beginning of the filename"
X	regedit	regedit.exe	"Added by the GANBATE.A WORM! Note that the legitimate Windows registry editor (regedit.exe) is located %Windir% and will not figure in Msconfig/Startup! This one is located in %Windir%\security\Database"
X	Regedit	regedits.exe	"Added by the BANCBAN-QV TROJAN!"
X	RegEdit32	RegEdit32.exe	"Added by the VOUMIT-A WORM! Note - this is not the legitimate regedit32.exe application which is always located in %System% and should not normally figure in Msconfig/Startup! This file is located in a ""mirc32"" folder"
X	Regedit32	regedit.exe	Added by an unidentified WORM or TROJAN! Note - this is not the valid Windows registry editor which resides in %Windir% and will not normally figure in Msconfig/Startup! This version resides in %System%
X	REGRUN	regeditt.exe	"Adware downloader - also detected as a variant of the LOWZONES.BW or AGENT.RD TROJANS!"
X	Secure64	Regedit32.com StartUp	"Added by the BRONTOK-CJ WORM!"
X	Service Registry NT Save	regeditnt.exe	"Added by the BANCOS-BM TROJAN!"
X	setupuser	regedit.exe setupuser.log	"Regfile in disguise - another CoolWebSearch parasite variant"
U	ShadowUser Pro Edition	ShadowUser.exe	"""StorageCraft™ ShadowUser™ provides easy to use desktop security and protection for Windows operating systems. ShadowUser is the best way to prevent unwanted changes to PCs and laptops"""
X	sp	regedit-s .... sp.dll	"Malicious javascript annoyance that changes the default search engine in IE to one of many including ""topsearcher"". See here for more and a fix"
U	SpeedItUp	SPEEDITUP.EXE	"Speed It Up - ""all in one Speed Booster designed to significantly increase the speed of your computer and boost your PC available memory"". Installs PC-Checkup and Search Defender (which is detected by DrWeb as the STARTPAGE.ORIGIN TROJAN) without permission"
U	SpeedItUpEX	SpeedItUpEx.exe	"""Speed-It-Up Extreme is designed to speed of your computer up to 3 times faster and boost your PC available memory"""
X	spp	regedit -s spp.reg	"IE search hijacker - changes the default search to h**p://www.hotsearchbox.com/ie/. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The file ""spp.reg"" is located in the root folder (ie
X	Symantec Antivirus professional	regedit.exe	"Added by a variant of the FORBOT WORM! Note - this is not the valid Windows registry editor which resides in %Windir% and will not normally figure in Msconfig/Startup! This version resides in %System%"
N	Symantec Fax Starter Edition Port	OLFSNT40.EXE	Offers a virtual printer as a fax machine. Can be run via a desktop shortcut
X	sys	regedit /s sys.reg	"Raxmus adware. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The file ""sys.reg"" is located in %Windir%"
X	sys	regedit sysdllwm.reg	"CoolWebSearch parasite variant - also detected as the FEMAD-L TROJAN!"
X	SysSearch	Regedit.exe -s pcsearch.reg	"Added by the STARTPAGE-FN TROJAN! Note that regedit.exe is a legitimate Microsoft file and shouldn't be deleted. The ""pcsearch.reg"" file is located in %Windir%"
X	SysSearch	Regedit.exe -s sysreg.reg	"Added by the STARTPA-ME TROJAN! Note that regedit.exe is a legitimate Microsoft file and shouldn't be deleted. The ""sysreg.reg"" file is located in %Windir%"
X	system	regedit -s system.dll	Homepage hijacker
X	System Efficiency Monitor	mscedit32.exe	"Added by the SDBOT.P TROJAN!"
X	System Efficiency Monitor	msedit32.exe	"Added by the STEPH-B WORM!"
X	systemr	gedit.exe	"Added by the ADCLICK-AQ TROJAN!"
X	SystemSearch	regedit.exe -s ie.reg	"Installs a Seachxl.com browser page hijack. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The file ""ie.reg"" is located in the root folder (ie
X	SystemSearch	regedit.exe -s sys.reg	"Installs a i--search.com browser page hijack. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The file ""sys.reg"" is located in %Windir%"
N	tour	regedit ..tour.reg	Edits registry values to keep the WinMe tour in Task Scheduler
N	tourpath	regedit /s [path] tour.reg	"Edits registry values to keep the Win 2000 ""tour"" in Task Scheduler"
X	Ultra Edit v5.1	ultraedit.exe	"Added by the SDBOT-RK WORM!"
X	UltraEdit	uledit.exe	"Added by the SDBOT-TO WORM!"
X	UNleaded Syn Manager	Edit.exe	"Added by the SLINNBOT.ALD BACKDOOR!"
X	win	regedit -s win.dll	"Added by the SEEKER.K TROJAN! Note that regedit is the the legitimate Windows Registry Editor and shouldn't be deleted. The ""win.dll"" file is located in %Windir%"
X	win32 regedit	msn32.exe	Added by an unidentified WORM or TROJAN!
X	Windows 32 Editor	Win32edit.exe	"Added by the WOOTBOT.GQ WORM!"
X	Windows Additional Guard	WI[random characters].exe	"Windows Additional Guard rogue security software - not recommended
X	Windows Printing Driver	gpedits.exe	"Added by the DCKEYG.A WORM!"
X	WINDOWS REGISTER EDIT	registr32.exe	Added by an unidentified WORM or TROJAN!
X	WinSP	[path] REGEDIT.EXE -s [path] sysreg.reg	"Added by the STARTPA-ME TROJAN!"
X	[random name]	r?gedit.exe	"PurityScan adware"
X	[random name]	regedit.exe	"PurityScan adware. Note - this is not the valid Windows registry editor which resides in %Windir% and will not figure in Msconfig/Startup!"

DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.