Go back to OlderGeeks.com's Main Page
If you're frustrated with the time it takes your Windows PC to boot and then it seems to be running slowly you may have too many programs running at start-up - and have come to the right place to identify them. This is the original startup programs (as opposed to processes/tasks) list - one of the most comprehensive and most accurate!
"Name or Startup Item" in the table below refers to how an entry is displayed in MSConfig, Windows Defender or the registry "Run" keys. "Command or Data" refers to the program the entry runs. For further information on this and how to identify and disable startup programs please visit the Startup Content page.
For further information on random startup entries please visit the Startup Info page. For the next few months and foreseeable future I'll be verifying many of the Y, U, N & ? entries via virtual machines. If you can verify/identify those entries with a "?" status (especially hardware specific - such as laptops and motherboards) then please E-mail me (address at bottom of the page) or use the new Message Board.
Last update :- 25th May, 2010
21379 items listed
If you are a regular visitor, click HERE to go straight to the list...
"Status" key:
- "Y" - Normally leave to run at start-up
- "N" - Not required or not recommended - typically infrequently used tasks that can be started manually if necessary
- "U" - User's choice - depends whether a user deems it necessary
- "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
- "?" - Unknown
Variables:
- %System% - refers to the System folder; by default this is C:\Windows\System (9x/Me), C:\Winnt\System32 (NT/2K), or C:\Windows\System32 (XP/Vista)
- %Windir% - refers to the Windows installation folder; by default this is C:\Windows (9x/Me/XP/Vista) or C:\Winnt (NT/2K)
- %UserProfile% - refers to the current user's profile folder; by default this is C:\Documents and Settings\ (NT/2K/XP) or C:\Users\ (Vista)
- %ProgramFiles% - refers to the Program Files folder; typically the path is C:\Program Files
|
|
| Name or Startup Item | Status | Command or Data | Description | Tested? |
|---|
| X | system32.exe | Added by the AGOBOT-KU WORM! Note - has a blank entry under the Startup Item/Name field | No |
| X | pathex.exe | Added by the MKMOOSE-A WORM! Note - has a blank entry under the Startup Item/Name field | No |
| X | svchost.exe | Added by the DELF-UX TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%. Note - has a blank entry under the Startup Item/Name field | No |
| X | MSPF.EXE | Added by a variant of the SDBOT WORM! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field | No |
| X | dllvirtual.exe | Added by the DADOBRA-IW TROJAN! Note - has a blank entry under the Startup Item/Name field | No |
| X | dllvirtual.dll | Added by the DADOBRA-IW TROJAN! Note - has a blank entry under the Startup Item/Name field | No |
| X | dllvirtual.js | Added by the DADOBRA-IW TROJAN! Note - has a blank entry under the Startup Item/Name field | No |
| X | ajsha5.exe | Added by the SPYBOT-NX WORM! Note - has a blank entry under the Startup Item/Name field | No |
| X | ne.exe | Added by the IRCBOT-ZL TROJAN! Note - has a blank entry under the Startup Item/Name field | No |
| X | iexpl0re.exe | Added by the RBOT-SD WORM! Note - has a blank entry under the Startup Item/Name field | No |
| X | gbpm.exe | Added by the DLOADR.ZZD WORM! Note - has a blank entry under the Startup Item/Name field | No |
| X | regedit.exe /s appboost.reg | Added by the APPIX.D WORM! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run and HKCU\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank. The Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The file "appboost.reg" is located in %Windir% | No |
| !1_pgaccount | Y | pgaccount.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. You will see one instant of pgaccount.exe for every active account on your system, and this is essential for PG to work properly | No |
| !1_ProcessGuard_Startup | Y | procguard.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks | No |
| !AVG Anti-Spyware | Y | avgas.exe | System Tray access to and notifications for AVG Anti-Spyware 7.5. This has now been superseded by AVG Anti-Virus which includes Anti-Spyware | Yes |
| !ewido | Y | ewido.exe | System Tray access to and notifications for Ewido Anti-Spyware 4.0. Ewido is now part of AVG Technologies so this has been superseded by AVG Anti-Virus which includes Anti-Spyware | Yes |
| !NoLoad | N | winrecon.exe | WinRecon keystroke logger/monitoring program - remove unless you installed it yourself! | No |
| $EnterNet | U | Enternet.exe | Connection manager for the EnterNet ISP. You can also use RASPPOE | No |
| $sys$cmp | X | $sys$xp.exe | Added by the RYKNOS.B TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer | No |
| $sys$crash | X | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! | No |
| $sys$crash | X | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! | No |
| $sys$crash | X | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! | No |
| $sys$drv | X | $sys$drv.exe | Added by the RYKNOS TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer | No |
| $sys$momomomochin | X | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! | No |
| $sys$momomomochin | X | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! | No |
| $sys$momomomochin | X | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! | No |
| $sys$umaiyo | X | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! | No |
| $sys$umaiyo | X | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! | No |
| $sys$umaiyo | X | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! | No |
| $Volumouse$ | U | volumouse.exe | Volumouse from Nirsoft. "Provides you a quick and easy way to control the sound volume on your system - simply by rolling the wheel of your wheel mouse" | No |
| $WindowsRegKey%update | X | IEXPLORE.EXE | Added by the RBOT-EZ WORM! Note - this is not the legitimate Internet Explorer (iexplore.exe) which is always located in %ProgramFiles%\Internet Explorer and should not normally figure in Msconfig/Startup! This one is located in %System% | No |
| %cmpmixtitle% | ? | %cmpmixstr% | Possibly related to C-Media Mixer Control panel? | No |
| %FP%012-L2TP fts.exe | N | fts.exe | 012.Net.il Israeli ISP software front-end | No |
| %FP%012-L2TP FWPortal.exe | U | FWPortal.exe | 012.Net.il Israeli ISP dial-up software | No |
| %FP%1776 Internet fts.exe | N | fts.exe | 1776 Internet US ISP software ISP software front-end | No |
| %FP%1776 Internet FWPortal.exe | U | FWPortal.exe | 1776 Internet US ISP dial-up software | No |
| %FP%AIRTEL fts.exe | N | fts.exe | Bharti Airtel Broadband - Indian ISP software front-end | No |
| %FP%Barak013 fts.exe | N | fts.exe | Barak013 Israeli ISP software front-end | No |
| %FP%Barak013 FWPortal.exe | U | FWPortal.exe | Barak013 Israeli ISP dial-up software | No |
| %FP%Friendly fts.exe | N | fts.exe | Friendly ISP software front-end | No |
| %Temp% | X | %Temp%\delwdef2008.bat | WinDefender 2008 rogue privacy program - not recommended, removal instructions here | No |
| %Windir%\winnl.exe | X | winnl.exe | Added by the KIDKITI TROJAN! | No |
| %Windir%\winnm.exe | X | winnm.exe | Added by the KIDKITI TROJAN! | No |
| Services.dll | X | smss.exe | Added by the SOBER-L WORM! Note - this is not the legitimate smss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\msagent\system and note the space at the beginning of the "Startup Item" field | No |
| WinCheck | X | services.exe | Added by the SOBER.V WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\ConnectionStatus\Microsoft and note the space at the beginning of the "Startup Item" field | No |
| WinData | X | services.exe | Added by the SOBER-AD WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\PoolData and note the space at the beginning of the "Startup Item" field | No |
| Windows | X | services.exe | Added by the SOBER.X WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\WinSecurity and note the space at the beginning of the "Startup Item" field | No |
| WinINet | X | services.exe | Added by the SOBER.R WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\ConnectionStatus and note the space at the beginning of the "Startup Item" field | No |
| WinStart | X | services.exe | Added by the SOBER.O WORM! Note - this is not the legitimate services.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\Connection Wizard\Status and note the space at the beginning of the "Startup Item" field | No |
| winsystem.sys | X | smss.exe | Added by the SOBER.K WORM! Note - this is not the legitimate smss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\msagent\win32 and note the space at the beginning of the "Startup Item" field | No |
|
You can download off-line HTML ZIP, EXE and EXCEL ZIP versions of this list from here.
In addition the following files are available for people developing mirrors of the site and using the information presented here (right-click and select "Save Target As..." for IE and "Save Link As..." for Firefox):
Startup XML File - Startup INI File - Startup HTML File
DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.
NOTE: This is NOT a database of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a database of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try the Process Library from Uniblue, the list at PC Pitstop or one of the many others now available. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSConfig or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.
To avoid the database becoming too large, all virus entries are only shown using the registry version which is common to all Windows versions. Otherwise there would be multiple entries for popular filenames that viruses often use - such as "svchost" above for example. Multiple viruses can also use the same startup entries, in this case only those with significant differences (such as file location) are repeated in this database.
NOTE : There are a number of virus and malware entried listed in this database where specific removal instructions haven't been given. If this is the case then you could try SDFix, a program written by AndyManchesta that can remove many different types of Trojans and Worms. See here for a tutorial on how to use the program and here for the latest ReadMe file detailing the fixes included.
IMPORTANT: A number of entries are repeated due to the way that different operating systems display startup items. For example, WinMe lists "POPROXY.EXE" as "Norton eMail Protect" in both MSCONFIG and the registry whereas WinXP lists it as "Poproxy" in MSCONFIG and "Norton eMail Protect" in the registry.
RECOMMENDATIONS:
If you're looking for a startup manager then why not try WinPatrol (by BillP Studios) or Advanced SystemCare Free (by IObit) - both include the option to search this database for a particular entry. Alternatively try Spybot - Search & Destroy (by Safer Networking Ltd) as the startup programs section (select the Advanced mode) includes descriptions from this database. You might also want to try their RunAlyzer and FileAlyzer tools.
There are an ever increasing number of rogue applications appearing these days and many of the removal guides referenced in this database use MalwareBytes Anti-Malware (which now incorporates the now discontinued RogueRemover).
As there are more than 10,000 entries in this database related to viruses, trojans, worms and other malware I recommend you use a quality internet security package. Which ever you choose, keep it updated.
Presentation, format & comments Copyright © 2001 - 2010 Paul Collins
Portions Copyright © Peter Forrest, Denny Denham, Sylvain Prevost, Tony Klein, CastleCops & Bleeping Computer
Database creation and support by Patrick Kolla
Software support by John Mayer
All rights reserved
