Support Forum Articles File Help Startup DB Tips Service DB Hijack This! Analyzer

 

NEW HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!

If you're not finding what you're looking for please go to this forum and submit a new startup entry.

Key:

  • "Y" - Normally leave to run at start-up
  • "N" - Not required - typically infrequently used tasks that can be started manually if necessary
  • "U" - User's choice - depends whether a user deems it necessary
  • "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
  • "?" - Unknown



Startup Name Process Name Details
XCTF Device Loaderctfmond.exe"Added by the AGOBOT-FO WORM!"
Uctfmonctfmon.exe"Supports multiple languages and alternative method inputs in Windows and MS Office. The language bar is displayed alongside the System Tray if more than one keyboard layout is enabled (for switching input languages) or
Xctfmontaskmgr32*.exe [* = number]"Added by the SOWSAT.B WORM!"
Xctfmoncftmon.exe"Added by the DELIVE-A BACKDOOR! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in %Windir%"
XctfmonmIRC.dll"Added by the DELBOT-E TROJAN!"
XctfmonWinConst.exe"Added by the ASSASIN-G TROJAN!"
UCTFMonctfmon.exe"Family KeyLogger keystroke logger/monitoring program - remove unless you installed it yourself! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in a ""CTF"" sub-folder"
Xctfmonmsnmsgr.exe"Added by the BDOOR-JV BACKDOOR! Note - this is not the valid MSN Messenger (now Windows Live Messenger) utility which is located in either %ProgramFiles%\MSN Messenger or %ProgramFiles%\Windows Live\Messenger. This one is located in %System%"
XCTFMONwscript.exe /E:vbs winjpg.jpg"Added by the RUNAUTO.F WORM! Note that wscript.exe is a legitimate Microsoft file used to launch script files and shouldn't be deleted. The ""winjpg.jpg"" file is located in %System%"
XCTFMONwscript.exe /E:vbs regedit.sys"Added by the VBSAUTO-A WORM! Note that wscript.exe is a legitimate Microsoft file used to launch script files and shouldn't be deleted. The ""regedit.sys"" file is located in %System%"
XCTFMONwin.exe"Added by the VBS.RUNAUTO.G WORM!"
XCtfmonwmisys.exe"Added by the IRCBOT-ADS WORM!"
XctfmonWinUP.exe"Added by the BANKER-VV TROJAN!"
XCTFMON.CPLCTFM0N.CMD"Detected by Symantec as the SILLYFDC WORM! See here"
XCtfmon.exectfmon32.exe"CoolWebSearch Ctfmon32 parasite variant"
Xctfmon.exectfmon.exe"Added by the RAIDYS TROJAN! Note - this overwrites the legitimate ctfmon.exe process associated with alternate text inputs which is located in %System%"
Xctfmon.exemsupdate32.exe"Spy Sheriff/SpywareNO malware
Uctfmon.exectfmon.exe"Supports multiple languages and alternative method inputs in Windows and MS Office. The language bar is displayed alongside the System Tray if more than one keyboard layout is enabled (for switching input languages) or
Xctfmon.exectfmon.exe eminem.exe"Added by the BHARAT.A WORM!"
XCTFMON.EXEsvchost.exe"Added by the JUEGO-B WORM! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XCTFMON32CTFMON32.EXE"CoolWebSearch Ctfmon32 parasite variant - also detected as the CWS-E TROJAN!"
Xctfmon32[random filename].exe"Added by the RBOT-GSN WORM!"
Xctfmon32taskmgr32*.exe [* = digit]"Added by the SOWSAT.C WORM!"
Xctfmonactfmona.exe"Added by the DLOADR-BME TROJAN!"
XCTFMONSSCTFMONSS.EXE"Added by the CWS-F TROJAN!"
Xctfnnonctfmon.exe"Added by the TURKOJAN.IL BACKDOOR! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in %Windir%"
XFirewallctfmon.exe"Added by a variant of the IRCBOT BACKDOOR! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in %Windir%"
UMicrosoft CTF Loaderctfmon.exe"Supports multiple languages and alternative method inputs in Windows and MS Office. The language bar is displayed alongside the System Tray if more than one keyboard layout is enabled (for switching input languages) or
Xntuserctfmon.exe"Added by the AGENT-GSG TROJAN! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in %UserProfile%"
XUser Input ServicesCTFMON32.EXE"Added by the MANCSYN.AK TROJAN!"
XWinDLL (ctfmonm.exe)"rundll32.exe ctfmonm.exestart"
XWindows Live Messenger 8.12ctfmon.exe"Added by the LIPARK-A WORM! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in %UserProfile%"
XWindows Services M7ctfmon32.exe"Added by the AGENT.WOH TROJAN!"
XWindows svchostctfmon32.exe"Added by a variant of the SPYBOT WORM! See here"
XWinXPServicectfmon.exe"Added by a variant of the IRCBOT BACKDOOR! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in a ""ctf"" sub-folder"


DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.