Support Forum Articles File Help Startup DB Tips Service DB Hijack This! Analyzer

 

NEW HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!

If you're not finding what you're looking for please go to this forum and submit a new startup entry.

Key:

  • "Y" - Normally leave to run at start-up
  • "N" - Not required - typically infrequently used tasks that can be started manually if necessary
  • "U" - User's choice - depends whether a user deems it necessary
  • "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
  • "?" - Unknown



Startup Name Process Name Details
X"Vaganza-XPloit-[User Name]"""[user name].exe"Added by the GAVGENT.A WORM!"
UADUserMonADUserMon.exe"Part of Active Disk from Iomega - allows software applications to be run directly from an Iomega Zip® disk. Required if you wish the applications to launch on insertion of a disk"
XBootsCfgwscript.exe [path] All Users.vbs"Added by the SPILTRON WORM! Note that wscript.exe is a legitimate Microsoft file used to launch script files and shouldn't be deleted"
XBootsCfgwscript.exe [path] All Users.vbe"Added by the SPILTRON WORM! Note that wscript.exe is a legitimate Microsoft file used to launch script files and shouldn't be deleted"
Xcalc"rundll32.exe [path] ntuser.dll_IWMPEvents@0"
?CBWUserCBWDial.exe"Associated with Bitware that integrates fax
XConfidentUserSRP.exeConfidentUser rogue system error and cleaning utility - not recommended
UCopernicPerUserTaskMgrCopernicPerUserTaskMgr.exeAutomatic tasking feature of Copernic Pro multi-search engine tool
XExecUserExecUser.exe"Added by a variant of the RBOT WORM!"
NFastUserfast.exeInstalls as part of Windows XP PowerToys as an option for very-fast user switching (allowing a keystoke to switch users instead of using the login screen). It is only used for the hot-key switch and yet it hogs 1.5 megs of memory in two separate processes (one run by the user & one by the system). Optional install in PowerToys
XGT15J4R49Vcpuserv.exeIdentified as a variant of the Trojan.Win32.Radi.gu malware
UHControlUserHControlUser.exeHotkeys on an ASUS Notebook. Only required if you use the additional keys
UIntel(R) Common User Interfaceigfxtray.exe"System Tray access to display settings for Intel desktop and mobile motherboard chipsets with integrated graphics. With this enabled
UIntel(R) Common User Interfacehkcmd.exe"Hot Key handler for Intel desktop and mobile motherboard chipsets with integrated graphics. With this enabled
UIntel(R) Common User Interfaceigfxpers.exe"Installed with the graphics drivers for Intel desktop and mobile motherboard chipsets with integrated graphics. It's purpose or function isn't known at present but testing with it disabled would appear to indicate it isn't required - hence the recommended ""U"" status"
XLiveUpdate[Windows username]05.exe"Added by the LINEAGE TROJAN!"
XLocal-Settings-of-[User Name][User Name].exe"Added by the GAVGENT.A WORM!"
XLogonCSRSS.EXE"Added by the BRONTOK-BH WORM! Note - this is not the legitimate csrss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in Documents and Settings\<User>\Local Settings\Application Data\WINDOWS"
XMicrosoft Logon User Interfacelogonnui.exe"Added by the RBOT-BCC WORM!"
XMicrosoft Update Loaders 2005winusers.exe"Added by the RBOT-AIQ WORM!"
XMicrosoft Update Loaders 2006winusersystem32.exe"Added by a variant of the AGOBOT/GAOBOT WORM!"
XMSN File Sharing!msnuser.exe"Added by a variant of the IRCBOT BACKDOOR! See here"
XMSN Messenger User Controlsmsmsgr.exe"Added by the KELVIR.HI WORM!"
XMsn Update Serviceuserx.exe"Added by the MYTOB.JF WORM!"
XMSN Usermymsnusr.exe"Added by the IRCBOT.AVD BACKDOOR!"
XMSN User Servermsnserver.exe"Added by a variant of the IRCBOT BACKDOOR! See here"
XMSN User Server!msnservices.exe"Added by a variant of the IRCBOT BACKDOOR! See here"
XMSN User Servicemsnsvc.exe"Added by the SLENFBOT.NS WORM!"
XMSN User Service!msnserv.exe"Added by a variant of the IRCBOT BACKDOOR! See here"
XMSN User Servicesmsnuserv.exe"Added by a variant of the IRCBOT BACKDOOR! See here"
XMSN User Svcmsnusnsvc.exe"Added by the IRCBOT.AVV BACKDOOR!"
Xmsuser32.exemsuser32.exe"Added by the ANDROV TROJAN!"
NNetline Usernetchk.exe"Netline supplies internet related products and services and this program identifies user ID and IP information. Found installed along with the Falcon 4 game
XNetLogonuserint.exe"Added by the SDBOT-BC WORM!"
?NovaPortal Single User ServiceNPSU.exe"??"
Xntuserctfmun.exe"Added by the SILLYFDC WORM!"
Xntuserntuser.exe"Added by an unidentified TROJAN! See here"
Xntuserspool.exe"Added by the DLOADER.DYA TROJAN!"
Xntuserspools.exe"Added by the AGENT-GRO TROJAN!"
Xntusersvchost.exe"Added by the POLYCRYP.DY TROJAN!"
Xntuserctfmon.exe"Added by the AGENT-GSG TROJAN! Note - this is not the legitimate ctfmon.exe process associated with alternate text inputs which is always located in %System%. This one is located in %UserProfile%"
?Palm MultiUser ConfigConfigtool.exe"MultiUser configuration for a Palm PDA device?. Is it required?"
XPCuserinity.exe"Added by the PROVIS-A TROJAN!"
Xplay oozeuser grim.exeAdded by and unidentified WORM or TROJAN!
UPowerPanel Personal Edition User Interactionpppeuser.exe"CyberPower PowerPanel Personal Edition UPS Monitoring & Control Software - ""is included with CyberPower's products. This exclusive software allows control and monitoring of your UPS to provide protection for your computer system
XRapdataerabseuser.exe"Added by the QQPASS-S TROJAN!"
NRxUserRxUser.exe"Part of Dell Resolution Assistant - ""a diagnostic program that allows you to contact Dell. When factory-installed by Dell
?screxescruser2k.exe"??"
XServiceSERVICES.EXE"Added by the BRONTOK-BH WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in Documents and Settings\<User>\Local Settings\Application Data\WINDOWS"
Xsetupuserregedit.exe setupuser.log"Regfile in disguise - another CoolWebSearch parasite variant"
UShadowUser Pro EditionShadowUser.exe"""StorageCraft™ ShadowUser™ provides easy to use desktop security and protection for Windows operating systems. ShadowUser is the best way to prevent unwanted changes to PCs and laptops"""
XShutDownWindows"Rundll32.exe UserExitWindows"
YSSC_UserPromptUsrPrmpt.exe"Part of Symantec's AntiVirus suite and comes usually with a product update
Xstartwindowskeyuserrundle2.exe"Added by the JAVAKILLER TROJAN!"
XSystem ManagerUser Documents.exe"Added by the VB.GF VIRUS!"
YTabUserWTabUserW.exeWacom pen tablet driver
XUSB Fix 1.1wuservices.exe"Added by a variant of the SDBOT WORM!"
Xuseruser32.exe"Added by the BINGHE TROJAN!"
XUser.exe"Added by the PUNYA-B WORM!"
Xuserusers.exe"Added by the AUTORUN-AMK WORM!"
XUser Debug Managerusndebug.exe"Added by a variant of the SPYBOT WORM! See here"
XUser Hostusnhost.exe"Added by a variant of the IRCBOT TROJAN! See here"
XUser Hosting Serviceusnhost.exe"Added by the IRCBOT.SN WORM!"
XUser Input ServicesCTFMON32.EXE"Added by the MANCSYN.AK TROJAN!"
UUser LoggerUsrLog.exe"UserLogger commercial surveillance software that logs keystrokes
Xuser logon[path to worm]"Added by the PAHATIA-A WORM!"
Xuser logonuser logon.exe"Added by the PAHATIA.A WORM!"
XUser Managerfcllls.exe"Added by the ZAGABAN-B TROJAN!"
XUser Messagesusrmsg.exe"Added by a variant of the IRCBOT TROJAN! See here"
XUser Messages Managerusnmsgs.exe"Added by a variant of the IRCBOT TROJAN! See here"
XUser Messenger Managerusnmsgr.exe"Added by a variant of the IRCBOT TROJAN! See here"
XUser Protectionusrprot.exe"User Protection rogue security software - not recommended
XUser Servicerusnsrvc.exe"Added by a variant of the IRCBOT TROJAN! See here"
XUser Servicesusersvc.exe"Added by the REVCUSS.A TROJAN!"
XUser Servicesusrsvc.exe"Added by the IRCBOT.SN WORM!"
XUser Sharingusrshare.exe"Added by a variant of the IRCBOT TROJAN! See here"
XUser Sharing Managerusnsharen.exe"Added by a variant of the IRCBOT TROJAN! See here"
XUser Sharing Serverusnsrv.exe"Added by a variant of the IRCBOT TROJAN! See here"
XUser Sharing Servicesusnsvc.exe"Added by a variant of the KOBOT-C WORM!"
XUser Sharing Wizardusnshare.exe"Added by the SLENFBOT.DF WORM!"
XUser23.exeDIAL.exeThis is a trojan trying to disguise itself as User32.dll
XUser32[filename]"Added by the NETTRASH TROJAN!"
Xuserdsystems.com"Added by the OUTLAW-A WORM!"
NUserFaultCheckdumprep 0 -u"Used in connection with memory dumps - you can disable these by - right clicking on My Computer
XUserfile Sharing Servusnsrv.exe"Added by a variant of the IRCBOT TROJAN! See here"
XUserfile Sharing Serverusnserv.exe"Added by a variant of the IRCBOT TROJAN!"
XUserinitlsass.exe"Added by the VIRAN-A TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Program Files%\Common Files%\System"
Xuserinitwinlogon.exe"Added by the DLOADER-TP TROJAN! Note - this is not the legitimate winlogon.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
Xuserinitsmss.exe"Added by the DLOADR-B TROJAN! Note - this is not the legitimate smss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
Xuserinitchoo_003956f4"Added by the PEED.16896 TROJAN!"
Xuserinitntos.exe"Added by the AGENT-ECU TROJAN!"
XUserinitcologsver.exe"Added by the DROPPER.DJO TROJAN!"
XUserInit StartUprpcxuisu.exe"Added by a variant of the SDBOT WORM!"
Xuserinit.exeuserinit.exe"Added by the HAXDOOR-DP TROJAN!"
Xuserint32userint32.exe"Added by an unidentified TROJAN via an Instant Message that says
XUSERINTERFACE REPORT3RM0USE.exe"Added by the MYTOB.HS WORM!"
XUserinterface Reporterfuuuucktttttt.exe"Added by the MYTOB-DK WORM!"
XUserinterface Reportersrv32.exe"ISTBar adware"
XUserSystem[filename]"CoolWebSearch Smartsearch parasite variant. Also detected as the SEARCH-A TROJAN!"
Xuserun32userun32.exe"Added by the LYDRA-B TROJAN!"
XVMware User ProcessKHATRA.exe"Added by the AUTOIT.K TROJAN!"
UVPCUserServicesVMUSrvc.exe"Part of ""DOS Virtual Machine Additions"" for Microsoft Virtual PC
XWindows Service HostingUSERINIT.exe"Added by the GOMMER-A WORM!"
XWindows Service Manageruserint32.exe"Added by the OSCABOT-C WORM!"
XWINDOWS SYSTEMdcomuser.exe"Added by the MYTOB.EO WORM!"
XWindows System Servicewnuserv.exe"Added by the SPYBOT.ANDM WORM!"
XWindows User Mode Driver Managerwdfmrg.exe"Added by the SDBOT-ZN WORM!"
XWindows User Starterwinuser32.exe"Added by the RBOT.SN WORM!"
XWindows_VXDuser32.exe"Added by the PPORT TROJAN!"
Xwinlogon_userccIsass.exe"Added by the SILLYFDC.BBT WORM!"
XWinUser32Kusr32wink.exeAdded by the HK TROJAN!
X[random name]userinit.exe"PurityScan adware. Do not confuse with the legitimate Userinit Logon Application (userinit.exe) process which is always located in %System% and should not figure in Msconfig/Startup!"
X[username] config[path to trojan]"Added by the MOSUCK-H TROJAN!"
X[various names]UserSp1.exe"Wareout - malware masquerading as a spyware and dialer remover"


DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.