Support Forum Articles File Help Startup DB Tips Service DB Hijack This! Analyzer

 

NEW HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!

If you're not finding what you're looking for please go to this forum and submit a new startup entry.

Key:

  • "Y" - Normally leave to run at start-up
  • "N" - Not required - typically infrequently used tasks that can be started manually if necessary
  • "U" - User's choice - depends whether a user deems it necessary
  • "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
  • "?" - Unknown



Startup Name Process Name Details
X(Default)media_driver.exe"Added by the TUPEG VIRUS! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)Shania.vbs"Added by the SHANIA BACKDOOR! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)NOTEPAD.exe"Added by the RUSTY WORM! Note - not to be confused with the valid Windows ""NOTEPAD"" text editor! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)[random filename].exe"Added by the BLACKMAL WORM! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run and HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)twunk_32.exe"Added by the BLACKMAL.C WORM! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)winhelp.exe"Added by the BLACKMAL.C WORM! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)spolsvr2.exe"Added by the EVILSOCK.10 TROJAN! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)winbas12.exe"Adware
X(Default)Systrsy.exe"Added by the CDTRAY TROJAN! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)llsass.exe"Added by the PROXY-GG TROJAN! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)syspol.exe"Added by the DREMN-B TROJAN! Note - this malware actually changes the value data of the ""(Default)"" key in HKCU\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(default)winlog.exe"Added by the RBOT-CVY WORM! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run and HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(default)"rundll32.exe [path to DLL file]Do98Work"
X(Default)winligom.exe"Added by the RBOT-GAI WORM! Note - this malware actually changes the value data of the ""(Default)"" key in HKCU\Run
X(Default)5640.exe"Added by the DOWNLD-ABF TROJAN! Note - this malware actually changes the value data of the ""(Default)"" key in HKCU\Run
X(Default)QQUpdate.exe"Added by the QUADRULE.A WORM! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)Mcafee.exe"Added by the AGENT.AY TROJAN! Note - this is not a valid McAfee program and is located in %System%. This malware actually changes the value data of the ""(Default)"" key in HKCU\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)fada.exe"Added by the VB.HEI TROJAN! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run
X(Default)Default.exe"Added by the AUTORUN.BUK WORM! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\RunOnce & HKCU\RunOnce in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)KEYBOARD.exe"Added by the AUTORUN.BUK WORM! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)msarti.com"Added by the SILLYFDC.CJ WORM! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\..\Policies\Explorer\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)msnupdate.exe"Added by the RBOT-GWT BACKDOOR! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run & HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X(Default)xtreme.exe"Added by the DROPR-CZ TROJAN! Note - this malware actually changes the value data of the ""(Default)"" key in HKLMRun in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
XA5118r_default32142.pif"Added by the BRONTOK-AK WORM and variants!"
UAFAFilterwindefault.exe"AFAFilter - internet filter software"
UChikkaDefaultChikkaLauncher.exe"Chikka PC text messanger and IM client"
XConfiguration DefaultWuxat.exe"Added by the SPYBOT-CA WORM!"
XDefaultexplore.vbs"Added by the ALLEM WORM!"
XDefaultmtask.vbe"Added by the ALLEM WORM!"
Xdefaultshell32.exe"Added by the BINGHE TROJAN!"
XDefault_default.pif"Added by the RUBBLE-C WORM!"
Udefaultmskbw.exe"PC Surveillance PRO surveillance software. Uninstall this software unless you put it there yourself"
UDefault ManagerDefMgr.exe"Part of MSN Toolbar from version 4.* onwards (renamed ""Bing Bar"" from version 5.* onwards) which includes the Bing search engine. Via Start → All Programs → Microsoft Default Manager you can elect to keep Bing as the default search engine and set it to notify you of any changes to your browsers default settings. Not required if you choose not to use Bing"
XDefault System Researchvhchost.exe"Added by the TARNO.I TROJAN!"
XDefault web browserIexpIore.exe"Added by the OBLIVION.B TROJAN! Note - do not confuse "IexpIore.exe" with "iexplore.exe" (Internet Explorer)
XDefaultConfigurationdefaultconfh.exe"Added by the AGOBOT-JC WORM!"
XDefault_Page_URLhttp://find.naupoint.com"Naupoint browser hijacker"
XDefault_Search_URLhttp://find.naupoint.com"Naupoint browser hijacker"
?DevconDefaultDBREADREG"Appears to be related to older Creative Soundblaster soundcards"
XGraphics_default.pif"Added by the AUTOSKY WORM!"
UMicrosoft Default ManagerDefMgr.exe"Part of MSN Toolbar from version 4.* onwards (renamed ""Bing Bar"" from version 5.* onwards) which includes the Bing search engine. Via Start → All Programs → Microsoft Default Manager you can elect to keep Bing as the default search engine and set it to notify you of any changes to your browsers default settings. Not required if you choose not to use Bing"
?SetDefaultMIDIMIDIDef.exe"Related to a Soundblaster Audigy soundcards. What does it do and is it required?"
YSetDefaultPrintercloaker.exeUsed by HP and Compaq computers to hide the windows of programs passed as arguments to it
XWindows Default Configurationsvchost.exe"Added by the DLOADER-U TROJAN! Note - this is not the legitimate svchost.exe process which should not normally figure in Msconfig/Startup!"
XWindows Default Serverwfdmgrsp.exe"Added by the IRCBOT.BCX BACKDOOR!"
XWindows Default Serverwinampa.exe"Added by the IRCBOT.AUN WORM! Note - this is NOT associated with the popular Winamp media player. The valid file for the Winamp Agent resides in a ""Winamp"" subdirectory of the Program Files directory"
UWinfast2KLoadDefault"rundll32.exe wf2kcpl.dllDllLoadDefaultSettings"
X[default]DrWatson32.exe"Added by the DREMN TROJAN!"
X[random characters]_default[random].pif"Added by the BRONTOK-AI WORM and variants!"


DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.