SYSINFO.ORG STARTUP LIST : 11th June 2006 (c) Paul Collins

| Status | Name/Startup Item | Command | Comments |
|---|---|---|---|
| X | | system32.exe | Added by the AGOBOT-KU WORM! Note - has a blank entry under the Startup Item/Name field |
| X | | pathex.exe | Added by the MKMOOSE-A WORM! |
| X | | svchost.exe | Added by the DELF-UX TROJAN! Note - this is not the legitimate svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder |
| X | SystemBoot | services.exe | Added by the SOBER-Q TROJAN! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a Help\Help subfolder of the Windows or Winnt folder |
| X | WinCheck | services.exe | Added by the SOBER-S WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a "ConnectionStatus\Microsoft" subfolder of the Windows or Winnt folder |
| X | Windows | services.exe | Added by the SOBER.X WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a "WinSecurity" subfolder of the Windows or Winnt folder |
| X | WinStart | services.exe | Added by the SOBER.O WORM! Note - this is not the legitimate services.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a Connection Wizard\Status subfolder of the Windows or Winnt folder |
| X | winsystem.sys | smss.exe | Added by the SOBER.K TROJAN! Note - this is not the legitimate smss.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a msagent\win32 subfolder of the Winnt or Windows folder |
| Y | !1_pgaccount | pgaccount.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. You will see one instance of pgaccount.exe for every active account on your system, and this is essential for PG to work properly |
| Y | !1_ProcessGuard_Startup | procguard.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks |
| N | !NoLoad | winrecon.exe | WinRecon - surveillance software that creates records of everything people do on a computer, i.e., spying or monitoring depending upon how you call it |
| ? | $EnterNet | Enternet.exe | Connection manager for the EnterNet ISP. You can also use RASPPOE |
| X | $sys$cmp | $sys$xp.exe | Added by the RYKNOS.B TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer |
| X | $sys$crash | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$crash | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$crash | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$drv | $sys$drv.exe | Added by the RYKNOS TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer |
| X | $sys$momomomochin | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$momomomochin | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$momomomochin | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$umaiyo | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$umaiyo | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$umaiyo | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! |
| X | $WindowsRegKey%update | IEXPLORE.EXE | Added by the RBOT-EZ WORM! Note - this is not the legitimate Internet Explorer iexplore.exe process which is always located in the Program Files\Internet Explorer folder and should not normally figure in Msconfig/Startup! This file is located in the System (9x/Me) or System32 (NT/2K/XP) folder |
| N | %cmpmixtitle% | %cmpmixstr% | Possibly related to C-Media Mixer Control panel? |
| N | %FP%012-L2TP fts.exe | fts.exe | 012.Net.il Israeli ISP software front-end |
| U | %FP%012-L2TP FWPortal.exe | FWPortal.exe | 012.Net.il Israeli ISP dial-up software |
| N | %FP%1776 Internet fts.exe | fts.exe | 1776 Internet US ISP software front-end |
| U | %FP%1776 Internet FWPortal.exe | FWPortal.exe | 1776 Internet US ISP dial-up software |
| N | %FP%Barak013 fts.exe | fts.exe | Barak013 Israeli ISP software front-end |
| U | %FP%Barak013 FWPortal.exe | FWPortal.exe | Barak013 Israeli ISP dial-up software |
| N | %FP%Friendly fts.exe | fts.exe | Friendly ISP software front-end |
| X | (*)API Machine | winSOCKS.exe | Homepage hijacker, see here (* = any digit) |
| X | (*)Run | win32API.exe | Homepage hijacker, see here (* = any digit) |
| X | (default) | [random filename].exe | Added by the BLACKMAL WORM! |
| X | (default) | rundll32.exe [path] Zykheptd.dll | Added by the HESIVE.B TROJAN! |
| X | (L4r1$$4) (4nt1) (V1ruz) | SP00Lsv32.pif | Added by the ASSIRAL.B WORM! |
| U | )Start Service | upssrv.exe | Cyber Power PowerPanelPlus software. "In the event of a power outage, PowerPanelPlus Software automatically saves and closes all open files, and then shuts down the computer system in an intelligent and orderly manner" |
| X | *JanisRuckenbrodII | janis.com | Added by the POPS WORM! |
| X | *Microsoft Update | ctxma.exe | Added by the STMU TROJAN! |
| X | *Microsoft Update | cxma.exe | Added by the STMU TROJAN! |
| X | *Microsoft Update | wstcl.exe | Added by the STMU TROJAN! |
| X | *Microsoft Update | wucxt.exe | Added by the STMU TROJAN! |
| X | *Microsoft Update | wuytc.exe | Added by the STMU TROJAN! |
| X | *MS Setup | [random filename] | Virtumondo adware, also known as the VUNDO TROJAN! |
| X | *Security Center | secctr.exe | Added by the SDBOT.BRO WORM! |
| Y | *StateMgr | statemgr.exe | Windows ME default for System Restore. Do NOT disable! |
| X | *windows update | wrauclt.exe | Added by the RBOT-QU WORM! |
| X | *windows update | wuanclt.exe | Added by the RBOT-PG WORM! |
| X | *windows update | wuaucrlt.exe | Added by the SPYBOT.HUR WORM! |
| X | *windows update | wuraclt.exe | Added by the RBOT-PO WORM! |
| X | *windows update | wurauclt.exe | Added by the RBOT-SY WORM! |
| X | *windows update | wsctl.exe | Added by the SPYBOT.PR WORM! |
| X | *windows update | wkmst.exe | Added by the SDBOT.AVD WORM! |
| X | *windows update | wscxt.exe | Added by the RBOT.AOS WORM! |
| X | *windows update | waurclt.exe | Added by a variant of the RBOT WORM! |
| X | *Windows [filename] Checker | [filename] | Added by the KEDEBE-B WORM! |
| X | *WindowsAudio | systemupd.exe | Added by the AGENT-TH WORM! |
| X | *WinLogon | [trojan path] ren time:[random number] | Added by the VUNDO TROJAN! |
| X | *winstats | winstats.exe | Added by the GARGAFX TROJAN! |
| X | *wuauclt.exe | w****.exe [* = random char] | Added by a variant of the RBOT-UG WORM! Note - * in the filename represents a random char; variants spotted: wxmct.exe, wtmsv.exe, wxmst.exe, wmsvc.exe and so on... |
| X | ,main drive Loader | wininfo.exe | Suspected malware as it appears in 3 different registry locations - see here |
| X | .mscdr | lassa.exe | Added by the WEBUS.C TROJAN! |
| X | .mscdr | lsvchost.exe | Added by the WEBUS.D TROJAN! |
| X | .mscdsr | lsvchost.exe | Added by the CR TROJAN! |
| X | .mscsbl | svhost.exe | Added by the CMQ TROJAN! |
| X | .msfupdate | msveup.exe | Added by the ALLOCUP.A WORM! |
| X | .mssecure | mssecure.exe | Added by the DDOS_BOXED.X TROJAN! |
| ? | .NET config | sysmon32.exe | ?? |
| X | .norton | rchost.exe | Added by a variant of the BOXED-A TROJAN! |
| X | .nvsvc | smss.exe | Added by the IRCBOT-FP TROJAN! Note - this is not the legitimate smss.exe process which should not normally figure in Msconfig/Startup! |
| X | .Prog | services.exe | Added by the NEVEG.B or NEVEG.C WORMS! Note - this is not the legitimate services.exe process, which should not appear in Msconfig/Startup! |
| X | .Prog | winlogon.exe | Added by the NEVEG.A WORM! Note - this is not the legitimate winlogon.exe process, which should not appear in Msconfig/Startup! |
| X | .svchost | CSRSS.EXE | Added by the WEBUS.F TROJAN! Note - this is not the legitimate csrss.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the System folder |
| X | .TEXTCONV | csrss.exe | Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process, which should not appear in Msconfig/Startup! |
| X | .TEXTCONV | lsass.exe | Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the System folder |
| X | .WMAudio | csrss.exe | Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process, which should not appear in Msconfig/Startup! |
| X | .WMAudio | lsass.exe | Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the System folder |
| N | /l:eng | N/A | Related to the Dell OEM version of the Sound Blaster Audigy 2 sound card. If this item is listed and checked in startup, the System32 Folder will appear on every startup. |