StartupList INI
Timestamp: 2008-10-11 17:19:30 -05:00

[]
Confirmed=X
Filename=MSPF.EXE
Description=Added by a variant of the http://vil.nai.com/vil/content/v_100454.htm SDBOT WORM! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field

Source=http://www.castlecops.com/startuplist-15264.html

[]
Confirmed=X
Filename=svchost.exe
Description=Added by the http://www.sophos.com/virusinfo/analyses/trojdelfux.html DELF-UX TROJAN! Note - this is not the legitimate http://www.liutilities.com/products/wintaskspro/processlibrary/svchost/ svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field

Source=http://www.castlecops.com/startuplist-15265.html

[]
Confirmed=X
Filename=mstdmc.exe
Description=Added by  <a href="http://www.bleepingcomputer.com/startups/mstdmc.exe-19557.html" target=_blank>Trojan-Downloader.Win32.Banload.cil</a> MALWARE! <font color=red>Note:</font> Located in \%WINDIR%\System32\ <font color=red>The startup name is empty</font> This will make sure that it's start at startup.
Source=http://www.castlecops.com/startuplist-15649.html

[]
Confirmed=X
Filename=msmapiax32.exe
Description=Identified as a variant of the  <a href="http://www.bleepingcomputer.com/startups/msmapiax32.exe-21900.html" target=_blank>Rootkit.Win32.Agent.uj</a> rootkit. <font color=red>Note:</font> Located in \%WINDIR%\System32\ <font color=red>Note:</font> Use SDFix under supervision. 
Source=http://www.castlecops.com/startuplist-16339.html

[]
Confirmed=X
Filename=msmapibx32.exe
Description=Identified as a variant of the  <a href="http://www.bleepingcomputer.com/startups/msmapiax32.exe-21900.html" target=_blank>Rootkit.Win32.Agent.uj</a> rootkit. <font color=red>Note:</font> Located in \%WINDIR%\System32\ <font color=red>Note:</font> Use SDFix under supervision.
Source=http://www.castlecops.com/startuplist-16340.html

[]
Confirmed=
Filename=
Description=Added by the W32/Sdbot-DHY,http://www.sophos.com/security/analyses/viruses-and-spyware/w32sdbotdhy.html Worm! <font color=red>Read the link, allows remote access</font> <font color=red>Note:</font> located in \%WINDIR%\ <font color=red>Note:</font> Use SDFix under supervision.
Source=http://www.castlecops.com/startuplist-17011.html

[ hamachi]
Confirmed=U
Filename=hamachi.exe
Description=Related to  <a href="https://secure.logmein.com/" target=_blank>hamachi</a> Instantly connect multiple computers in a VPN from LogMeIn Inc. <font color=red>Note:</font> Located in \%Program Files%\Hamachi\
Source=http://www.castlecops.com/startuplist-15594.html

[ Security Patch]
Confirmed=X
Filename=scmss.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32rbotzw.html" target=_blank>W32/RBOT-ZW</a> WORM! <font color=red>Read the link, keylogger/password stealing trojan(s) involved.</font>
Source=http://www.castlecops.com/startuplist-7614.html

[ WinCheck]
Confirmed=X
Filename=services.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.v@mm.html" target=_blank>W32.Sober.V</a>
 WORM!
 <font color=red> Note:</font> This worm file is found in the Windows\ConnectionStatus\Microsoft or Winnt\ConnectionStatus\Microsoft folder.
Source=http://www.castlecops.com/startuplist-12044.html

[ Windows]
Confirmed=X
Filename=services.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.x@mm.html" target=_blank>W32.Sober.X</a>
 WORM!
 <font color=red> Note:</font> This is not the legitimate Windows process services.exe (Which is always found in the System32 folder.)  This worm file is found in the Windows\WinSecurity or Winnt\WinSecurity folder.

Source=http://www.castlecops.com/startuplist-12164.html

[!1_pgaccount]
Confirmed=Y
Filename=pgaccount.exe
Description=DiamondCS  <a href="http://www.diamondcs.com.au/processguard/" target=_blank>ProcessGuard</a> security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. You will see one instant of pgaccount.exe for every active account on your system,  and this is essential for PG to work properly
Source=http://www.castlecops.com/startuplist-6352.html

[!1_ProcessGuard_Startup]
Confirmed=Y
Filename=procguard.exe
Description=DiamondCS  <a href="http://www.diamondcs.com.au/processguard/" target=_blank>ProcessGuard</a> security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks.
Source=http://www.castlecops.com/startuplist-6353.html

[!AVG Anti-Spyware]
Confirmed=U
Filename=avgas.exe
Description=Related to  <a href="http://www.grisoft.com/doc/1" target=_blank>AVG_Anti-Spyware</a> from Grisoft. <font color=red>Note:</font> Located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\
Source=http://www.castlecops.com/startuplist-13378.html

[!ewido]
Confirmed=U
Filename=ewido.exe
Description=Part of http://www.ewido.net/en/ Ewido anti-spyware

Source=http://www.castlecops.com/startuplist-12965.html

[!NoLoad]
Confirmed=U
Filename=winrecon.exe
Description= <a href="http://www.symantec.com/avcenter/venc/data/spyware.winrecon.html." target=_blank>Winrecon</a> <font color=red>Read the link, keylogger/password stealing trojan(s) involved.</font> - Commercial Keylogger
Source=http://www.castlecops.com/startuplist-1.html

[$EnterNet]
Confirmed=U
Filename=Enternet.exe
Description=Connection manager for the EnterNet ISP. You can also use <a href="http://user.cs.tu-berlin.de/~normanb/" target="_blank">RASPPOE</a>
Source=http://www.castlecops.com/startuplist-2.html

[$sys$cmp]
Confirmed=X
Filename=$sys$xp.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ryknos.b.html" target=_blank>Backdoor.Ryknos.B</a>
 TROJAN!  Note: This trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder. Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer.
 <font color=red>Read the link, rootkit type stealth involved.</font>

Source=http://www.castlecops.com/startuplist-12041.html

[$sys$crash]
Confirmed=X
Filename=$sys$WeLoveMcCOL.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/trojan.welomoch.html" target=_blank>Welomoch</a>
 TROJAN!
 <font color=red> Note:</font> This worm\trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder.
 <font color=red>Read the link, rootkit type stealth involved. SONY ROOTKIT, THANKS SONY!</font>
Source=http://www.castlecops.com/startuplist-12331.html

[$sys$crash]
Confirmed=X
Filename=$sys$sonyTimer.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/trojan.welomoch.html" target=_blank>Welomoch</a>
 TROJAN!
 <font color=red> Note:</font> This worm\trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder.
 <font color=red>Read the link, rootkit type stealth involved. SONY ROOTKIT, THANKS SONY!</font>
Source=http://www.castlecops.com/startuplist-12332.html

[$sys$crash]
Confirmed=X
Filename=$sys$sos$sys$.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/trojan.welomoch.html" target=_blank>Welomoch</a>
 TROJAN!
 <font color=red> Note:</font> This worm\trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder.
 <font color=red>Read the link, rootkit type stealth involved. SONY ROOTKIT, THANKS SONY!</font>
Source=http://www.castlecops.com/startuplist-12333.html

[$sys$drv]
Confirmed=X
Filename=$sys$drv.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ryknos.html" target=_blank>Backdoor.Ryknos</a>
 TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer.
 <font color=red>Read the link, rootkit type stealth involved.</font>

Source=http://www.castlecops.com/startuplist-12040.html

[$Volumouse$]
Confirmed=U
Filename=volumouse.exe
Description=Related to  <a href="http://www.nirsoft.net/utils/volumouse.html" target=_blank>Volumouse</a> from Nirsoft. Provides you a quick and easy way to control the sound volume on your system. <font color=red>Note:</font> Located in C:\Program Files\Volumouse\
Source=http://www.castlecops.com/startuplist-13161.html

[$WindowsRegKey%update]
Confirmed=X
Filename=IEXPLORE.EXE
Description=Added as result of a  <a href="http://www.sophos.com/virusinfo/analyses/w32rbotez.html" target=_blank>W32/Rbot-EZ</a> WORM! Note - this is not the legitimate Internet Explorer  <a href="http://www.liutilities.com/products/wintaskspro/processlibrary/iexplore" target=_blank>iexplorer.exe</a>  process, it should not appear in Msconfig/Startup unless you add it manually!
Source=http://www.castlecops.com/startuplist-5336.html

[%cmpmixtitle%]
Confirmed=?
Filename=%cmpmixstr%
Description=<font color="#FF0000">Possibly related to C-Media Mixer Control panel?</font>
Source=http://www.castlecops.com/startuplist-3.html

[%FP%012-L2TP fts.exe]
Confirmed=?
Filename=fts.exe
Description=012.Net ISP software - <font color=red>what does it do and is it required?</font>
Source=http://www.castlecops.com/startuplist-6262.html

[%FP%012-L2TP FWPortal.exe]
Confirmed=?
Filename=FWPortal.exe
Description=012.Net ISP software - <font color=red>what does it do and is it required?</font>
Source=http://www.castlecops.com/startuplist-6263.html

[%FP%1776 Internet fts.exe]
Confirmed=?
Filename=fts.exe
Description=1776 Internet ISP software - <font color=red>what does it do and is it required?</font>
Source=http://www.castlecops.com/startuplist-6265.html

[%FP%1776 Internet FWPortal.exe]
Confirmed=?
Filename=FWPortal.exe
Description=1776 Internet ISP software - <font color=red>what does it do and is it required?</font>
Source=http://www.castlecops.com/startuplist-6264.html

[%FP%AIRTEL fts.exe]
Confirmed=U
Filename=fts.exe
Description=Related to  <a href="http://www.airtel.in/level2_t12.aspx?path=1/9" target=_blank>AIRTEL-Broadband</a> Part of the Friendly technologies PPPOE DSL Driver. This is customized for use with the AIRTEL-Broadband ISP. <font color=red>Note:</font> Located in \%Program Files%\AIRTEL\AIRTEL-Broadband\
Source=http://www.castlecops.com/startuplist-15929.html

[%FP%Barak013 fts.exe]
Confirmed=?
Filename=fts.exe
Description= Barak013 ISP software - <font color=red>what does it do and is it required?</font>
Source=http://www.castlecops.com/startuplist-6260.html

[%FP%Barak013 FWPortal.exe]
Confirmed=?
Filename=FWPortal.exe
Description= Barak013 ISP software - <font color=red>what does it do and is it required?</font>
Source=http://www.castlecops.com/startuplist-6261.html

[%FP%Friendly fts.exe]
Confirmed=?
Filename=fts.exe
Description=Friendly ISP software - <font color=red>what does it do and is it required?</font>

Source=http://www.castlecops.com/startuplist-7167.html

[(*)API Machine]
Confirmed=X
Filename=winSOCKS.exe
Description=Homepage hijacker, see <a href="http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi?s=3e991177279cffff;act=ST;f=6;t=2598;hl=new" target="_blank">here</a> (* = any digit)
Source=http://www.castlecops.com/startuplist-9.html

[(*)Run]
Confirmed=X
Filename=win32API.exe
Description=Homepage hijacker, see <a href="http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi?s=3e991177279cffff;act=ST;f=6;t=2598;hl=new" target="_blank">here</a> (* = any digit)
Source=http://www.castlecops.com/startuplist-10.html

[(default)]
Confirmed=X
Filename=(random filename).exe
Description=Added as a result of the <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.html" target="_blank">BLACKMAL</a> VIRUS!
Source=http://www.castlecops.com/startuplist-14.html

[(Default)]
Confirmed=X
Filename=Systrsy.exe

Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/trojan.cdtray.html" target=_blank>Trojan.Cdtray</a>
 TROJAN!
 <font color=red>Note:</font> This trojan file is found in the Internet Explorer folder.
Source=http://www.castlecops.com/startuplist-11140.html

[(default)]
Confirmed=X
Filename=llsass.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojproxygg.html" target=_blank>TROJ/PROXY-GG</a> TROJAN!
Source=http://www.castlecops.com/startuplist-11994.html

[(Default)]
Confirmed=X
Filename=webcam.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojmonada.html" target=_blank>Troj/Monad-A</a>
 TROJAN!
 <font color=red> Note:</font> This trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder.

Source=http://www.castlecops.com/startuplist-12223.html

[(Default)]
Confirmed=X
Filename=syspol.exe
Description=Added by the  <a href="http://www.symantec.com/avcenter/venc/data/trojan.dremn.b.html" target=_blank>Dremm.b</a> TROJAN!
Source=http://www.castlecops.com/startuplist-12334.html

[(default)]
Confirmed=X
Filename=rundll32.exe (path to) Zykheptd.dll
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hesive.b.html" target=_blank>Backdoor.Hesive.B</a>
 TROJAN!
 <font color=red>Read the link, rootkit type stealth involved.</font>

Source=http://www.castlecops.com/startuplist-12663.html

[(Default)]
Confirmed=X
Filename=5640.exe
Description= <a href="http://www.sophos.com/security/analyses/trojdownldabf.html" target=_blank>Troj/DownLd-ABF</a>
Source=http://www.castlecops.com/startuplist-14640.html

[(Entry name)]
Confirmed=X
Filename=System.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojnethiefn.html" target=_blank>Troj/Nethief-N</a>
 Trojan!

Source=http://www.castlecops.com/startuplist-9301.html

[(Global Startup)]
Confirmed=X
Filename=Skunk.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32sunka.html" target=_blank>W32/Sunk-A</a>
 WORM!
<font color=red> Note:</font> This worm\trojan file is found in the Root folder. (C:\), (D:\),  (E:\) etc, etc.

Source=http://www.castlecops.com/startuplist-12346.html

[(L4r1$$4) (4nt1) (V1ruz)]
Confirmed=X
Filename=SP00Lsv32.pif
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.assiral.b@mm.html" target=_blank>ASSIRAL.B</a> WORM!
Source=http://www.castlecops.com/startuplist-7168.html

[(original file name)]
Confirmed=X
Filename=svchost.scr
Description=Added by  <a href="http://www.sophos.com/virusinfo/analyses/trojbancbancx.html" target=_blank>Troj/Bancban-CX</a> and  <a href="http://www.sophos.com/virusinfo/analyses/trojbancbanda.html" target=_blank>Troj/Bancban-DA</a> TROJANS! <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>

Source=http://www.castlecops.com/startuplist-9199.html

[(original filename)]
Confirmed=X
Filename=xphost.scr
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojbancbanhm.html" target=_blank>Troj/Bancban-HM</a> TROJAN! <font color=red>Note:</font> This trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder. <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>

Source=http://www.castlecops.com/startuplist-12129.html

[(Original Trojan Filename)]
Confirmed=X
Filename=install.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojbancbanfs.html" target=_blank>Troj/Bancban-FS</a> TROJAN! <font color=red>Note:</font> This trojan file is found in the Windows or Winnt folder. <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>

Source=http://www.castlecops.com/startuplist-11610.html

[(random 12 digit number)]
Confirmed=X
Filename=actxprxy.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-5667.html

[(random 12 digit number)]
Confirmed=X
Filename=avicap32.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-5666.html

[(random 12 digit number)]
Confirmed=X
Filename=browser8.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-5443.html

[(random 12 digit number)]
Confirmed=X
Filename=avifile5.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-5444.html

[(random 12 digit number)]
Confirmed=X
Filename=bootvid4.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-5450.html

[(random 12 digit number)]
Confirmed=X
Filename=cdmodem4.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-5653.html

[(random 12 digit number)]
Confirmed=X
Filename=acctres8.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-5654.html

[(random 12 digit number)]
Confirmed=X
Filename=autodisc.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-5966.html

[(random 12 digit number)]
Confirmed=X
Filename=cabview1.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-5967.html

[(random 12 digit number)]
Confirmed=X
Filename=atitvo32.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-5968.html

[(random 12 digit number)]
Confirmed=X
Filename=advpack1.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-6313.html

[(random 12 digit number)]
Confirmed=X
Filename=batmeter.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant


Source=http://www.castlecops.com/startuplist-6876.html

[(random 12 digit number)]
Confirmed=X
Filename=bidispl2.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant


Source=http://www.castlecops.com/startuplist-6877.html

[(random 12 digit number)]
Confirmed=X
Filename=asferror.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-7942.html

[(random 12 digit number)]
Confirmed=X
Filename=catsrvps.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-8917.html

[(random 12 digit number)]
Confirmed=X
Filename=audiosrv.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant
Source=http://www.castlecops.com/startuplist-9032.html

[(random 12 digit number)]
Confirmed=X
Filename=admparse.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant


Source=http://www.castlecops.com/startuplist-9085.html

[(random 12 digit number)]
Confirmed=X
Filename=bootvid2.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant


Source=http://www.castlecops.com/startuplist-9086.html

[(random 12 digit number)]
Confirmed=X
Filename=cmpbk321.exe
Description= <a href="http://sarc.com/avcenter/venc/data/pf/adware.iedriver.html" target=_blank>Adsrv.com/IeDriver</a> adware variant


Source=http://www.castlecops.com/startuplist-9087.html

[(Random characters)]
Confirmed=X
Filename=securewinload32x.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojoptixpn.html" target=_blank>Troj/OptixP-N</a>
 TROJAN!
 <font color=red> Note:</font> This trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder. The file system32dir2a.exe will also be found in the same folder and should be deleted.

Source=http://www.castlecops.com/startuplist-12088.html

[(random filename - format **-**-**-**-**)]
Confirmed=X
Filename=dwdsregt.exe
Description=Added by  <a href="http://sarc.com/avcenter/venc/data/adware.zenosearch.html" target=_blank>Adware.ZenoSearch</a> ADAWARE!
Source=http://www.castlecops.com/startuplist-12545.html

[(random filename - format **-**-**-**-**)]
Confirmed=X
Filename=qndsregn.exe
Description=Added by  <a href="http://www.symantec.com/avcenter/venc/data/adware.zenosearch.html" target=_blank>ZenoSearch</a> ADAWARE!
Source=http://www.castlecops.com/startuplist-12712.html

[(random filename)]
Confirmed=X
Filename=slk8x2peu.exe
Description=Added by  <a href="http://www.superadblocker.com/definition/slk8x2peu/" target=_blank>QuickLinks_Process</a> ADAWARE!
Source=http://www.castlecops.com/startuplist-12735.html

[(random name)]
Confirmed=X
Filename=iexpl0ra.exe
Description= <a href="http://si.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=TROJ_ULPM.BD" target=_blank>TROJ_ULPM.BD</a>
Source=http://www.castlecops.com/startuplist-14217.html

[(Random Name)]
Confirmed=X
Filename=csrssc.exe
Description=Identified as a variant of the  <a href="http://www.bleepingcomputer.com/startups/csrssc.exe-22097.html" target=_blank>Win32/TrojanDownloader.Small.CYF</a> malware. <font color=red>Note:</font> Located in \%Temp%\ <font color=red>Note:</font> Use SDFix under supervision.
Source=http://www.castlecops.com/startuplist-16434.html

[(Random number)]
Confirmed=X
Filename=explorer.exe
Description=Added by the Troj/Keylog-AN TROJAN! <font color=red>Note:</font> This trojan file is found in the Windows\service or Winnt\service folder, be sure to check the link for this one, It copies it's self under 9 additional file names, all in the Windows\service or Winnt\service folder. <font color=red>Keylogger/password stealing TROJAN(S) involved.</font>
Source=http://www.castlecops.com/startuplist-9297.html

[(Random number)]
Confirmed=X
Filename=explorer.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojstartpagl.html" target=_blank>Troj/Keylog-AN</a> TROJAN! <font color=red>Note:</font> This trojan file is found in the Windows\service or Winnt\service folder, be sure to check the link for this one, It copies it's self under 9 additional file names, all in the Windows\service or Winnt\service folder. <font color=red>Keylogger/password stealing TROJAN(S) involved.</font>

Source=http://www.castlecops.com/startuplist-11571.html

[(random)]
Confirmed=X
Filename=lsass.scr
Description=Added by  <a href="http://www.sophos.com/virusinfo/analyses/trojbancbancy.html" target=_blank>Troj/Bancban-CW</a> TROJAN! <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>
Source=http://www.castlecops.com/startuplist-9200.html

[(random)]
Confirmed=X
Filename=svchost.scr
Description=Added by  <a href="http://www.sophos.com/virusinfo/analyses/trojbancbancy.html" target=_blank>Troj/Bancban-CY</a> Trojan! <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>
Source=http://www.castlecops.com/startuplist-9198.html

[(Random)]
Confirmed=X
Filename=svshost.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32kelvirax.html" target=_blank>W32/Kelvir-AX</a>
 WORM!
 <font color=red> Note:</font> This worm\trojan file is found in the System\(random folder name) (95/98/ME) or System32\(random folder name) (NT/2000/XP) folder.
Source=http://www.castlecops.com/startuplist-11900.html

[(random)]
Confirmed=X
Filename=svchost.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojbancbanjc.html" target=_blank>Troj/Bancban-JC</a> TROJAN! <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>
Source=http://www.castlecops.com/startuplist-12304.html

[(Randomly chosen existing folder name)]
Confirmed=X
Filename=_cfg.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32antinnyl.html" target=_blank>W32/Antinny-L</a>
 WORM!

Source=http://www.castlecops.com/startuplist-10475.html

[(Randomly chosen existing folder name)]
Confirmed=X
Filename=_login.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32antinnyl.html" target=_blank>W32/Antinny-L</a>
 WORM!

Source=http://www.castlecops.com/startuplist-10476.html

[(Randomly chosen existing folder name)]
Confirmed=X
Filename=_start.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32antinnyl.html" target=_blank>W32/Antinny-L</a>
 WORM!

Source=http://www.castlecops.com/startuplist-10477.html

[(Randomly chosen existing folder name)]
Confirmed=X
Filename=_config.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32antinnyl.html" target=_blank>W32/Antinny-L</a>
 WORM!

Source=http://www.castlecops.com/startuplist-10478.html

[(Randomly chosen existing folder name)]
Confirmed=X
Filename=_autorun.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32antinnyl.html" target=_blank>W32/Antinny-L</a>
 WORM!

Source=http://www.castlecops.com/startuplist-10479.html

[(Randomly chosen existing folder name)]
Confirmed=X
Filename=_loader.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32antinnyl.html" target=_blank>W32/Antinny-L</a>
 WORM!

Source=http://www.castlecops.com/startuplist-10480.html

[(Randomly chosen existing folder name)]
Confirmed=X
Filename=_env.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32antinnyl.html" target=_blank>W32/Antinny-L</a>
 WORM!

Source=http://www.castlecops.com/startuplist-10481.html

[(Randomly chosen existing folder name)]
Confirmed=X
Filename=_setup.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32antinnyl.html" target=_blank>W32/Antinny-L</a>
 WORM!

Source=http://www.castlecops.com/startuplist-10482.html

[(Registry Value Name)]
Confirmed=X
Filename=roses.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32rbotaft.html" target=_blank>W32/Rbot-AFT</a> Worm! <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>

Source=http://www.castlecops.com/startuplist-9572.html

[(unknown)]
Confirmed=X
Filename=charmapnt.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojbancosdr.html" target=_blank>Troj/Bancos-DR</a> TROJAN! <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>

Source=http://www.castlecops.com/startuplist-10771.html

[(User name) config]
Confirmed=X
Filename=(Path to Trojan exe)
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojmosuckh.html" target=_blank>Troj/Mosuck-H</a>
 TROJAN!

Source=http://www.castlecops.com/startuplist-10669.html

[(various file names)]
Confirmed=X
Filename=mediaplayer32.exe
Description=Added by a variant of the  <a href="http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437" target=_blank>WIN32.RBOT</a> WORM!

Source=http://www.castlecops.com/startuplist-5759.html

[(various file names)]
Confirmed=X
Filename=bling.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32rbotni.html" target=_blank>W32/RBOT-NI</a> WORM! <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>

Source=http://www.castlecops.com/startuplist-5884.html

[(various names)]
Confirmed=X
Filename=win32snd.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32rbotdq.html" target=_blank>W32/RBOT-DQ</a> WORM!
Source=http://www.castlecops.com/startuplist-5785.html

[(various names)]
Confirmed=X
Filename=svchostss.exe
Description=Added by a variant of the  <a href="http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437" target=_blank>WIN32.RBOT</a> WORM!


Source=http://www.castlecops.com/startuplist-5938.html

[(various names)]
Confirmed=X
Filename=PasswdMon.exe
Description=Added by  <a href="http://research.sunbelt-software.com/threat_display.cfm?name=Misc.WareOut&threatid=40280&search=wareout" target=_blank>Wareout</a> Rogue Software
Source=http://www.castlecops.com/startuplist-6997.html

[(various names)]
Confirmed=X
Filename=runload32.exe
Description=Added by  <a href="http://research.sunbelt-software.com/threat_display.cfm?name=Misc.WareOut&threatid=40280&search=wareout" target=_blank>Wareout</a> Rogue Software
Source=http://www.castlecops.com/startuplist-6998.html

[)Start Service]
Confirmed=U
Filename=upssrv.exe
Description=Cyber Power  <a href="http://www.cyberpowersystems.com/" target=_blank>PowerPanelPlus</a> software. "In the event of a power outage, PowerPanelPlus Software automatically saves and closes all open files, and then shuts down the computer system in an intelligent and orderly manner."
Source=http://www.castlecops.com/startuplist-5033.html

[*]
Confirmed=X
Filename=twain_32.exe
Description=Identified as Trj/Downloader.SV by Panda. TROJAN! <font color=red>Note:</font> located in \%WINDIR%\
Source=http://www.castlecops.com/startuplist-16107.html

[******** (* = random char or digit)]
Confirmed=X
Filename=rsbmsc.exe
Description=Added by what  <a href="http://www.avira.com/" target=_blank>AntiVir</a> antivirus detects as the BDS/Agent.adt TROJAN!
Source=http://www.castlecops.com/startuplist-13988.html

[*Bandook]
Confirmed=X
Filename=msdll.exe
Description=Add a variant of the Trojan/Backdoor http://www.greatis.com/appdata/d/m/msdll.exe.htm TROJAN! <font color=red>Note:</font> Located in \%WINDIR%\System32\
Source=http://www.castlecops.com/startuplist-15955.html

[*JanisRuckenbrodII]
Confirmed=X
Filename=janis.com
Description=Added as a result of the <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.pops.html" target="_blank">POPS</a> VIRUS!
Source=http://www.castlecops.com/startuplist-15.html

[*Microsoft Update]
Confirmed=X
Filename=wucxt.exe
Description=Added by the  <a href="http://www.kephyr.com/spywarescanner/library/w32.hllw.stmu/index.phtml" target=_blank>W32.HLLW.STMU</a> TROJAN!
Source=http://www.castlecops.com/startuplist-8163.html

[*Microsoft Update]
Confirmed=X
Filename=wuytc.exe
Description=Added by the  <a href="http://www.kephyr.com/spywarescanner/library/w32.hllw.stmu/index.phtml" target=_blank>W32.HLLW.STMU</a> TROJAN!
Source=http://www.castlecops.com/startuplist-8164.html

[*Microsoft Update]
Confirmed=X
Filename=ctxma.exe
Description=Added by the  <a href="http://www.kephyr.com/spywarescanner/library/w32.hllw.stmu/index.phtml" target=_blank>W32.HLLW.STMU</a> TROJAN!
Source=http://www.castlecops.com/startuplist-8165.html

[*Microsoft Update]
Confirmed=X
Filename=wstcl.exe
Description=Added by the  <a href="http://www.kephyr.com/spywarescanner/library/w32.hllw.stmu/index.phtml" target=_blank>W32.HLLW.STMU</a> TROJAN!
Source=http://www.castlecops.com/startuplist-8166.html

[*Microsoft Update]
Confirmed=X
Filename=cxma.exe
Description=Added by the  <a href="http://www.kephyr.com/spywarescanner/library/w32.hllw.stmu/index.phtml" target=_blank>W32.HLLW.STMU</a> TROJAN!
Source=http://www.castlecops.com/startuplist-8167.html

[*microsoft update]
Confirmed=X
Filename=cxma.exe
Description=Added by the  <a href="http://www.kephyr.com/spywarescanner/library/w32.hllw.stmu/index.phtml" target=_blank>W32.HLLW.STMU</a> TROJAN
Source=http://www.castlecops.com/startuplist-9059.html

[*MS Setup]
Confirmed=X
Filename=[random file name]
Description=Virtumondo adware,  also known as the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.html" target=_blank>VUNDO</a> TROJAN!
Source=http://www.castlecops.com/startuplist-9176.html

[*MSConfig32]
Confirmed=X
Filename=aecache.exe 
Description=Detected as Trojan.Win32.Obfuscated.gp by F-secure
Source=http://www.castlecops.com/startuplist-15498.html

[*Security Center]
Confirmed=X
Filename=secctr.exe
Description=Added by the  <a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.BRO&VSect=P" target=_blank>SDBOT.BRO</a> WORM!
Source=http://www.castlecops.com/startuplist-10131.html

[*StateMgr]
Confirmed=Y
Filename=statemgr.exe
Description=Windows ME default for System Restore. Do NOT disable!
Source=http://www.castlecops.com/startuplist-16.html

[*WerKernelReporting]
Confirmed=N
Filename=WerFault.exe
Description=Related to  <a href="http://www.greatis.com/vista/Utilities/w/werfault.exe.htm" target=_blank>Windows_Error_Reporting</a> technology (WER) on Vista Computers. WER captures software crash and hang data from end-users who agree to report it. <font color=red>Note:</font> Located in \%WINDIR%\System32\
Source=http://www.castlecops.com/startuplist-16969.html

[*windows update]
Confirmed=X
Filename=wurauclt.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32rbotsy.html" target=_blank>W32/RBOT-SY</a> WORM!
Source=http://www.castlecops.com/startuplist-6993.html

[*windows update]
Confirmed=X
Filename=wsctl.exe
Description=Added by the  <a href="http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SPYBOT.PR" target=_blank>SPYBOT.PR</a> WORM!
Source=http://www.castlecops.com/startuplist-7124.html

[*windows update]
Confirmed=X
Filename=wscxt.exe
Description=Added by the  <a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.AOS&VSect=P" target=_blank>RBOT.AOS</a> WORM!
Source=http://www.castlecops.com/startuplist-7503.html

[*windows update]
Confirmed=X
Filename=wkmst.exe
Description=Added by the  <a href="http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=86536&VName=WORM_SDBOT.AVD&VSect=O" target=_blank>SDBOT.AVD</a> WORM!
Source=http://www.castlecops.com/startuplist-7628.html

[*windows update]
Confirmed=X
Filename=wuaucrlt.exe
Description=Added by the  <a href="http://www.symantec.com/avcenter/venc/data/w32.spybot.hur.html" target=_blank>SPYBOT.HUR</a> WORM! <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>

Source=http://www.castlecops.com/startuplist-7679.html

[*windows update]
Confirmed=X
Filename=waurclt.exe
Description=Added by a variant of the  <a href="http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437" target=_blank>WIN32.RBOT</a> WORM!
Source=http://www.castlecops.com/startuplist-9152.html

[*WinLogon]
Confirmed=X
Filename=[trojan path] ren time:[random number]
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.html" target=_blank>VUNDO</a> TROJAN!

Source=http://www.castlecops.com/startuplist-6327.html

[*winstats]
Confirmed=X
Filename=winstats.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/trojan.gargafx.html" target=_blank>Trojan.Gargafx</a>
  TROJAN! <font color=red>Note:</font> This trojan file (winstats.exe) is found in the Windows or Winnt folder. 
Source=http://www.castlecops.com/startuplist-11175.html

[*wuauclt.exe]
Confirmed=X
Filename=w****.exe  (* = random char)
Description=Added by a variant of the  <a href="http://www.sophos.com/virusinfo/analyses/w32rbotug.html" target=_blank>W32/RBOT-UG</a> WORM! - NOTE: * in the file name represents a random char;  variants spotted: wxmct.exe, wtmsv.exe, wxmst.exe, wmsvc.exe and so on...
Source=http://www.castlecops.com/startuplist-7697.html

[*wuauclt.exe]
Confirmed=X
Filename=wmsvc.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32rbotug.html" target=_blank>W32/RBOT-UG</a> WORM! <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>

Source=http://www.castlecops.com/startuplist-8701.html

[,main drive Loader]
Confirmed=X
Filename=wininfo.exe
Description=Suspected malware as it appears in 3 different registry locations - see http://forums.techguy.org/security/151017-no-start-menu-taskbar-w32.html here

Source=http://www.castlecops.com/startuplist-17.html

[-FreedomNeedsReboot]
Confirmed=Y
Filename=ZkRunOnceR.exe
Description=Related to  <a href="http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/05-05-2005/0003545403&EDATE=" target=_blank>Internet_Security_Suite</a> used by Internet providers to protect customers against many attacks. <font color=red>Read the article</font> <font color=red>Note:</font> Located in \%Program Files%\(Internet provider)\(Internet provider) Internet Security Suite\
Source=http://www.castlecops.com/startuplist-15422.html

[..]
Confirmed=X
Filename=ABC2007.exe
Description=Added by the  <a href="http://www.us.sophos.com/security/analyses/trojdloadrash.html" target=_blank>Troj/Dloadr-ASH</a> TROJAN! <font color=red>Note:</font> This worm\trojan is located in  C:\%WINDIR%\System32\dllcache\ (XP/WinNT/2K)
Source=http://www.castlecops.com/startuplist-13886.html

[.mscdr]
Confirmed=X
Filename=lassa.exe
Description=Added by the  <a href="http://www.symantec.com/avcenter/venc/data/trojan.webus.c.html" target=_blank>WEBUS.C</a> TROJAN!
Source=http://www.castlecops.com/startuplist-5739.html

[.mscdr]
Confirmed=X
Filename=lsvchost.exe
Description=Added by the  <a href="http://www.symantec.com/avcenter/venc/data/trojan.webus.d.html" target=_blank>WEBUS.D</a> TROJAN!
Source=http://www.castlecops.com/startuplist-6140.html

[.mscdsr]
Confirmed=X
Filename=lsvchost.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojbdoorcr.html" target=_blank>Troj/Bdoor-CR</a>
 Trojan!

Source=http://www.castlecops.com/startuplist-9255.html

[.mscsbl]
Confirmed=X
Filename=svhost.exe
Description=Added by the  <a href="http://vil.mcafeesecurity.com/vil/content/v_130850.htm" target=_blank>BACKDOOR-CMQ</a> TROJAN!
Source=http://www.castlecops.com/startuplist-7656.html

[.msfupdate]
Confirmed=X
Filename=msveup.exe
Description=Added by the  <a href="http://www.symantec.com/avcenter/venc/data/w32.allocup.a.html" target=_blank>W32.ALLOCUP.A</a> WORM!
Source=http://www.castlecops.com/startuplist-7788.html

[.mssecure]
Confirmed=X
Filename=mssecure.exe
Description=Added by the  <a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=DDOS_BOXED.X&VSect=P" target=_blank>DDOS_BOXED.X</a> TROJAN!
Source=http://www.castlecops.com/startuplist-7126.html

[.mssecure]
Confirmed=X
Filename=mssecure.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojborobotb.html" target=_blank>Troj/Borobot-B</a>
 Trojan!

Source=http://www.castlecops.com/startuplist-9493.html

[.NET config]
Confirmed=?
Filename=sysmon32.exe
Description=<font color="#FF0000">??</font>
Source=http://www.castlecops.com/startuplist-18.html

[.NET.]
Confirmed=X
Filename=msnmgnr.exe
Description=Added by a variant of the  <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2002-070818-0630-99" target=_blank>IRCBOT</a> <font color=red>Note:</font> Located in \%WINDIR%\System32\ <font color=red>Note:</font> Use SDFix under supervision.
Source=http://www.castlecops.com/startuplist-16549.html

[.norton]
Confirmed=X
Filename=rchost.exe
Description=Added by a variant of the  <a href="http://www.sophos.com/virusinfo/analyses/trojboxeda.html" target=_blank>BOXED-A</a>
 TROJAN!
Source=http://www.castlecops.com/startuplist-6944.html

[.nvsvc]
Confirmed=X
Filename=smss.exe
Description=Added by the  <a href="http://vil.nai.com/vil/content/v_138575.htm" target=_blank>BackDoor-CXT</a> TROJAN! <font color=red>Note</font>: located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System (XP/WinNT/2K) and not in it's System32 subdirectory, as is the case with the legitimate Smss.exe system file.
Source=http://www.castlecops.com/startuplist-12790.html

[.nvsvcb]
Confirmed=X
Filename=smssb.exe
Description=Added by the  <a href="http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=57167" target=_blank>Win32/Boxed.CG</a> TROJAN! <font color=red>Note:</font> This worm\trojan is located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K) <font color=red>Will attempt to disable antivirus, firewall and Windows Update software</font>
Source=http://www.castlecops.com/startuplist-13437.html

[.Prog]
Confirmed=X
Filename=services.exe
Description=Added as a result of the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.b@mm.html" target=_blank>NEVEG.B</a> or  <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.c@mm.html" target=_blank>NEVEG.C</a> WORMS! Note - this is not the valid Windows Service Controller  <a href="http://www.liutilities.com/products/wintaskspro/processlibrary/services/" target=_blank>(services.exe</a> ) process
Source=http://www.castlecops.com/startuplist-5081.html

[.Prog]
Confirmed=X
Filename=winlogon.exe
Description=Added by  <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.a@mm.html" target=_blank>NEVEG.A</a> WORM! Note - this is not the valid Windows Logon  <a href="http://www.liutilities.com/products/wintaskspro/processlibrary/winlogon/" target=_blank>winlogon.exe</a> process
Source=http://www.castlecops.com/startuplist-5082.html

[.protected]
Confirmed=X
Filename=(no name)
Description=Added by a Smithfraud infection.
Source=http://www.castlecops.com/startuplist-12976.html

[.svchost]
Confirmed=X
Filename=CSRSS.EXE
Description=Added by the  <a href="http://www.symantec.com/avcenter/venc/data/trojan.webus.f.html" target=_blank>WEBUS.F</a> TROJAN! - NOTE - this file is placed in the Winnt\System or Windows\System folder,  and should NOT be confused with the legitimate Windows Client Server Runtime Subsystem  <a href="http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/" target=_blank>csrss.exe</a> process, which provides text window support, shutdown, and hard-error handling, always located in the Winnt\System32 or Windows\System32 folder,  and which moreover should NOT figure in Msconfig/Startup!

Source=http://www.castlecops.com/startuplist-8978.html

[.TEXTCONV]
Confirmed=X
Filename=csrss.exe
Description=Added as a result of the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/trojan.webus.html" target=_blank>WEBUS</a> TROJAN! Note - this is not the valid Client Server Runtime Subsystem   <a href="http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/" target=_blank>csrss.exe</a> process, which provides text window support, shutdown, and hard-error handling
Source=http://www.castlecops.com/startuplist-4929.html

[.WMAudio]
Confirmed=X
Filename=csrss.exe
Description=Added as a result of the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/trojan.webus.html" target=_blank>WEBUS</a> TROJAN! Note - this is not the valid Client Server Runtime Subsystem  <a href="http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/" target=_blank>csrss.exe</a> process" which provides text window support, shutdown, and hard-error handling 
Source=http://www.castlecops.com/startuplist-4930.html

[.WMAudio]
Confirmed=X
Filename=lsass.exe
Description=Added as result of a  <a href="http://www.symantec.com/avcenter/venc/data/trojan.webus.b.html" target=_blank>Webus.B</a> trojan infection.  Note - this is not the legitimate  <a href="http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/" target=_blank>Lsass.exe</a> system file, which should normally NOT figure in Msconfig/Startup
Source=http://www.castlecops.com/startuplist-5483.html

[/l:eng]
Confirmed=N
Filename=N/A
Description=Related to the Dell OEM version of the Sound Blaster Audigy 2 sound card. If this item is listed and checked in startup, the System32 Folder will appear on every startup
Source=http://www.castlecops.com/startuplist-19.html

[000]
Confirmed=U
Filename=pit.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/spyware.privateeye.html" target=_blank>PrivateEye</a> SPYWARE! **Note - If you did not intentionally install this remove it.
Source=http://www.castlecops.com/startuplist-9652.html

[0006 - C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\HP Internet Connection Center]
Confirmed=N
Filename=command.com
Description=Related to  <a href="http://www.amazon.com/HP-Deskjet-950c-capacity-Parallel/dp/B00004TDKS" target=_blank>HP_Internet_Connection_Center</a> provides access to a variety of valuable offers from Internet Service Providers.
Source=http://www.castlecops.com/startuplist-15133.html

[0008 - C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\hp deskjet 990c series v3.0]
Confirmed=N
Filename=command.com
Description=Related to  <a href="http://www.amazon.com/HP-Deskjet-950c-capacity-Parallel/dp/B00004TDKS" target=_blank>HP_Internet_Connection_Center</a> provides access to a variety of valuable offers from Internet Service Providers. 
Source=http://www.castlecops.com/startuplist-15134.html

[000hpdllhos]
Confirmed=X
Filename=hpdllhost.exe
Description= <a href="http://www.spywareguide.com/product_show.php?id=853" target=_blank>LZIO.com</a> adware downloader
Source=http://www.castlecops.com/startuplist-5472.html

[000StTHK]
Confirmed=U
Filename=000StTHK.exe
Description=Toshiba Hot key functionality for the function keys (Fn-Esc, Fn-F1 (lock), Fn-F2, Fn-F3, Fn-F4, Fn-F5 (switching between laptop and CRT display output), etc...)
Source=http://www.castlecops.com/startuplist-20.html

[0050726-007-i32-1]
Confirmed=X
Filename=0050726-007-i32-1.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojbancbanec.html" target=_blank>Troj/Bancban-EC</a> TROJAN! <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>

Source=http://www.castlecops.com/startuplist-10796.html

[00DSKSVR00]
Confirmed=N
Filename=desksaver.exe
Description=Related to  <a href="http://www.softstack.com/deskshield.html" target=_blank>Advanced_Desktop_Shield</a>
Source=http://www.castlecops.com/startuplist-11927.html

[00DSKSVR01]
Confirmed=N
Filename=desksaver.exe
Description=Related to  <a href="http://www.softstack.com/deskshield.html" target=_blank>Advanced_Desktop_Shield</a>
Source=http://www.castlecops.com/startuplist-11929.html

[00ERSRRRNKY]
Confirmed=U
Filename=eraser.exe
Description=Related to  <a href="http://www.softstack.com/evterminate.html" target=_blank>Evidence_Exterminator</a> from Softstack.com Allows for complete removal of data from your hard drive. <font color=red>Note:</font> Located in \%Program Files%\Evidence Exterminator\ <font color=red>More</font>  <a href="http://www.threatexpert.com/report.aspx?uid=3c7b3986-c071-4ca5-93f0-1994e7ba44b9" target=_blank>here</a>
Source=http://www.castlecops.com/startuplist-16997.html

[00ERSRRRNKY]
Confirmed=U
Filename=erasrv.exe
Description=Related to  <a href="http://www.softstack.com/evterminate.html" target=_blank>Evidence_Exterminator</a> from Softstack.com Allows for complete removal of data from your hard drive. <font color=red>Note:</font> Located in \%Program Files%\Evidence Exterminator\ <font color=red>More</font>  <a href="http://www.threatexpert.com/report.aspx?uid=3c7b3986-c071-4ca5-93f0-1994e7ba44b9" target=_blank>here</a>
Source=http://www.castlecops.com/startuplist-16998.html

[00PCTFW]
Confirmed=Y
Filename=FirewallGUI.exe
Description=Related to  <a href="http://www.pctools.com/" target=_blank>PC_Tools</a> Firewall. <font color=red>Note:</font> Located in \%Program Files%\PC Tools Firewall Plus\
Source=http://www.castlecops.com/startuplist-15451.html

[00TCrdMain]
Confirmed=Y
Filename=TCrdMain.exe
Description=Related to  <a href="http://www.bleepingcomputer.com/startups/00TCrdMain-17106.html" target=_blank>flash_card</a> slot on the Toshiba laptop. Ending this process will disable access to the flash cards. <font color=red>Note:</font> located in %ProgramFiles%\TOSHIBA\FlashCards\
Source=http://www.castlecops.com/startuplist-14338.html

[00THotkey]
Confirmed=U
Filename=00THotKey.exe
Description=For Toshiba Satellite notebook series to use the front buttons, play, stop, next, prev.
Source=http://www.castlecops.com/startuplist-21.html

[00THotkey]
Confirmed=U
Filename=system32THotkey.exe
Description=For Toshiba Satellite notebook series to use the front buttons, play, stop, next, prev.
Source=http://www.castlecops.com/startuplist-15391.html

[0190 Warner]
Confirmed=U
Filename=WARN0190.EXE
Description=Anti-dialer  <a href="http://www.wt-rate.com/" target=_blank>program</a> (Germany)
Source=http://www.castlecops.com/startuplist-7047.html

[0900 Warner]
Confirmed=U
Filename=WARN0900.EXE
Description=Anti-dialer  <a href="http://www.wt-rate.com/" target=_blank>program</a> (Germany)
Source=http://www.castlecops.com/startuplist-7048.html

[09734482329566253820889118044258]
Confirmed=X
Filename=av2009.exe
Description=Added by the  <a href="http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009" target=_blank>Antivirus_2009</a> rogue anti-spyware program. <font color=red>Note:</font> Located in \%Program Files%\Antivirus 2009\
Source=http://www.castlecops.com/startuplist-17498.html

[0mcamcap]
Confirmed=X
Filename=0mcamcap.exe
Description=Added by  <a href="http://www.sophos.com/virusinfo/analyses/trojcosiamh.html" target=_blank>Troj/Cosiam-H</a> TROJAN!  <a href="http://fileinfo.prevx.com/QQ13c818782725-0MCA14900234/0MCAMCAP.EXE.html" target=_blank>Prevx</a> identifies it has Haxdoor <font color=red>Note</font>: located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K)
Source=http://www.castlecops.com/startuplist-12829.html

[0utlook Express]
Confirmed=X
Filename=*****.exe (where * = random char)
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32rbotcc.html" target=_blank>W32/RBOT-CC</a> WORM!
Source=http://www.castlecops.com/startuplist-7976.html

[1]
Confirmed=X
Filename=1.exe
Description=Added by the  <a href="http://www.symantec.com/avcenter/venc/data/trojan.esteems.html" target=_blank>ESTEEMS</a> TROJAN!
Source=http://www.castlecops.com/startuplist-7757.html

[1]
Confirmed=X
Filename=svchost.scr
Description=Added by  <a href="http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.x.html" target=_blank>PWSteal.Bancos.X</a> Trojan. <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>

Source=http://www.castlecops.com/startuplist-9203.html

[1]
Confirmed=X
Filename= lsass.scr
Description=Added by the  <a href="http://www.symantec.com/avcenter/venc/data/pwsteal.bancos.v.html" target=_blank>PWSteal.Bancos.V</a> TROJAN! <font color=red>Read the link, keylogger/password stealing TROJAN(S) involved.</font>

Source=http://www.castlecops.com/startuplist-9177.html

[1]
Confirmed=X
Filename=mrcmgr.exe
Description=Identified as a variant of the  <a href="http://www.bleepingcomputer.com/startups/mrcmgr.exe-23589.html" target=_blank>Trojan-Banker.Win32.Banker.rqk</a> malware. <font color=red>Note:</font> Located in \%WINDIR%\System32\ <font color=red>Note:</font> Use SDFix under supervision.
Source=http://www.castlecops.com/startuplist-17449.html

[1&1 EasyLogin]
Confirmed=U
Filename=EasyLogin.exe
Description=Related to  <a href="http://faq.1and1.com/" target=_blank>1&1_EasyLogin</a> an Internet Provider. <font color=red>Note:</font> Located in \%Program Files%\1&1\1&1 EasyLogin\
Source=http://www.castlecops.com/startuplist-16023.html

[101Clips]
Confirmed=U
Filename=101Clips.exe
Description=Related to  <a href="http://101clips.com/" target=_blank>101Clips</a> 101 is the simplest of all multi-clipboard programs. Just have it running minimized and it captures everything you cut or copy from other programs. <font color=red>Note:</font> Located in \%Program Files%\101 Clips\
Source=http://www.castlecops.com/startuplist-17215.html

[1029BB4B-16A9-4E77-AA3D-96930BD68EEC]
Confirmed=X
Filename=sysockeu.exe
Description=Added by the  <a href="http://siri.geekstogo.com/ChangeLog.php" target=_blank>SmitFraud</a> Trojan
Source=http://www.castlecops.com/startuplist-16721.html

[108Mbps Wireless LAN Adapte]
Confirmed=U
Filename=TRENDnet.exe
Description=Related to  <a href="http://www.trendnet.com/" target=_blank>TRENDnet</a> Wireless LAN Adapter. <font color=red>Note:</font> Located in \%Program Files%\TRENDnet\Model number\
Source=http://www.castlecops.com/startuplist-16948.html

[11]
Confirmed=X
Filename=faxcomdos.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/backdoor.tuimer.html" target=_blank>Tuimer</a> TROJAN!
Source=http://www.castlecops.com/startuplist-7348.html

[1111swapmgr.exe]
Confirmed=X
Filename=1111swapmgr.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojbdooric.html" target=_blank>BDOOR-IC</a> TROJAN!
Source=http://www.castlecops.com/startuplist-9009.html

[123456]
Confirmed=X
Filename=rundll32.exe shell32.dll, Control_RunDLL ...123456.cpl
Description=Added as a result of the <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.kitro.c.worm.html" target="_blank"> KITRO.C</a> (or <a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DANDI.A&VSect=T" target="_blank">DANDI.A</a>) VIRUS! 123456 can be any random 3 to 6 digit number
Source=http://www.castlecops.com/startuplist-22.html

[1234567]
Confirmed=X
Filename=svcost.exe
Description=Added by the Backdoor.Bifrose.YA family of trojan. <font color=red>Note:</font> This worm\trojan is located in  C:\%WINDIR%\System32\dllcache\ (XP/WinNT/2K)
Source=http://www.castlecops.com/startuplist-14073.html

[1234klsjdc uiar924c af]
Confirmed=X
Filename=sxgnsvuxct.exe
Description=Added by the  <a href="http://siri.geekstogo.com/ChangeLog.php" target=_blank>Smitfraud</a> Trojan
Source=http://www.castlecops.com/startuplist-17040.html

[1290A33C-85F5-4164-A1BE-7DD299D4986A]
Confirmed=U
Filename=PBKScheduler.exe
Description=Scheduler for CyberLink  <a href="http://www.cyberlink.com/multi/products/main_29_ENU.html" target=_blank>PowerBackup</a>  - archiving/backup utility
Source=http://www.castlecops.com/startuplist-12592.html

[12EE7A5E-0674-42f9-A76B-000000004D00]
Confirmed=X
Filename=rundll32.exe stlb2.dll,DllRunMain
Description= <a href="http://research.sunbelt-software.com/threat_display.cfm?name=BrowserAid&threatid=3342&search=browseraid" target=_blank>BrowserAid/BrowserPal</a> Foistware
Source=http://www.castlecops.com/startuplist-5215.html

[12Ghosts Popup-Killer]
Confirmed=U
Filename=12popup.exe
Description=<a href="http://12ghosts.com/ghosts/popup.htm" target="_blank">12Ghosts Popup-Killer</a>
Source=http://www.castlecops.com/startuplist-23.html

[12Ghosts ShowTime]
Confirmed=U
Filename=12showtime.exe
Description=Related to  <a href="http://12ghosts.com/" target=_blank>12Ghosts</a> Power Tools for Windows users. <font color=red>Note:</font> Located in \%Program Files%\12Ghosts ShowTime\
Source=http://www.castlecops.com/startuplist-15445.html

[12Ghosts Synchronize]
Confirmed=U
Filename=12sync.exe
Description=Related to  <a href="http://12ghosts.com/" target=_blank>12Ghosts</a> Power Tools for Windows users. <font color=red>Note:</font> Located in \%Program Files%\12Ghosts ShowTime\
Source=http://www.castlecops.com/startuplist-15446.html

[17779Proj2002]
Confirmed=?
Filename=N/A
Description=<font color="#FF0000">??</font>
Source=http://www.castlecops.com/startuplist-24.html

[180adsolution]
Confirmed=X
Filename=180adsolution.exe
Description=ncase  <a href="http://research.sunbelt-software.com/threat_display.cfm?name=180solutions.NCase&threatid=8869" target=_blank>adware</a>
Source=http://www.castlecops.com/startuplist-5247.html

[180ax]
Confirmed=X
Filename=180ax.exe
Description=ncase  <a href="http://research.sunbelt-software.com/threat_display.cfm?name=180solutions.NCase&threatid=8869" target=_blank>adware</a>
Source=http://www.castlecops.com/startuplist-5012.html

[180ClientStubInstall]
Confirmed=X
Filename=stubinstaller****.exe  (* = digit)
Description= <a href="http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453090677" target=_blank>180Solutions</a> adware related
Source=http://www.castlecops.com/startuplist-7944.html

[180ClientStubInstall]
Confirmed=X
Filename=******.exe (* = random digit/character)
Description= <a href="http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453090677" target=_blank>180Solutions</a> adware related
Source=http://www.castlecops.com/startuplist-9532.html

[180ClientStubInstall]
Confirmed=X
Filename=******.tmp (* = random digit/character)
Description= <a href="http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453090677" target=_blank>180Solutions</a> adware related
Source=http://www.castlecops.com/startuplist-10688.html

[1916435341.exe]
Confirmed=X
Filename=1916435341.exe
Description= <a href="http://www.sophos.com/security/analyses/trojdloadraxu.html" target=_blank>Troj/Dloadr-AXU</a>
Source=http://www.castlecops.com/startuplist-14550.html

[196_150_ni]
Confirmed=X
Filename=196_150_ni.exe
Description=Added by  <a href="http://www.superadblocker.com/1/196_150_NI.EXE-5442.html" target=_blank>WinSoftware/WinFixer.Process</a> TROJAN!
Source=http://www.castlecops.com/startuplist-12728.html

[197_150_ni_3]
Confirmed=X
Filename=197_150_ni_3.exe
Description=A  <a href="http://www.superadblocker.com/1/196_150_NI.EXE-5442.html" target=_blank>variant</a>  TROJAN!
Source=http://www.castlecops.com/startuplist-12729.html

[1:]
Confirmed=N
Filename=hpdrv.exe
Description=HP utility for monitoring when and how many recoveries have been done
Source=http://www.castlecops.com/startuplist-25.html

[1A:MacVisionTrayMonitor]
Confirmed=N
Filename=TrayMonitor.exe
Description=Comes with the MacVision program for monitoring tray icons (Note : program is by Stardock)
Source=http://www.castlecops.com/startuplist-26.html

[1A:Stardock MCP]
Confirmed=Y
Filename=mcpserver.exe
Description=Master Control Program for Stardock apps, in development. People should leave it running if they're using any of the Stardock applications
Source=http://www.castlecops.com/startuplist-27.html

[1A:Stardock TrayMonitor]
Confirmed=Y
Filename=TrayServer.exe
Description=For monitoring tray icons - if disabled icons will not be displayed in ObjectBar or DesktopX
Source=http://www.castlecops.com/startuplist-28.html

[1CmailS]
Confirmed=?
Filename=NETMAIL.EXE
Description=<font color="#FF0000">??</font>
Source=http://www.castlecops.com/startuplist-29.html

[1on1]
Confirmed=X
Filename=1on1.exe
Description=Adult content dialler
Source=http://www.castlecops.com/startuplist-30.html

[1Srv32]
Confirmed=U
Filename=SpyAgent4.exe
Description=SpyTech <a href="http://www.spytech-web.com/spyagent.shtml" target="_blank">SpyAgent</a> monitoring software. "Spy software that allows you to monitor EVERYTHING users do on your PC."
Source=http://www.castlecops.com/startuplist-31.html

[1u7]
Confirmed=X
Filename=1u7.exe
Description=Added by the  <a href="http://www.sophos.com/security/analyses/trojmurbaca.html" target=_blank>Troj/Murbac-A</a> TROJAN!
<font color=red>Note:</font> This worm\trojan is located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K)
Source=http://www.castlecops.com/startuplist-13602.html

[1Win32Cfg]
Confirmed=U
Filename=SpyBuddy.exe
Description= <a href="http://www.symantec.com/avcenter/venc/data/spyware.spybuddy.html" target=_blank>SpyBuddy</a>  monitoring software. <font color=red>Read the link, keylogger/password stealing trojan(s) involved.</font>
Source=http://www.castlecops.com/startuplist-32.html

[1Win32Cfg]
Confirmed=U
Filename=Keyloggerpro.exe
Description= <a href="http://www.symantec.com/avcenter/venc/data/spyware.keyloggerpro.html" target=_blank>Keyloggerpro</a> monitoring software. <font color=red>Read the link, keylogger/password stealing trojan(s) involved.</font>
Source=http://www.castlecops.com/startuplist-33.html

[1WinCfg32]
Confirmed=X
Filename="\WebMailSpy.exe
Description=Added by  <a href="http://securityresponse.symantec.com/avcenter/venc/data/spyware.webmailspy.html" target=_blank>WebMailSpy</a> SPYWARE!
Source=http://www.castlecops.com/startuplist-7097.html

[2020Downloader]
Confirmed=X
Filename=mssvr.exe
Description= <a href="http://research.sunbelt-software.com/threat_display.cfm?name=2020Search&threatid=13811" target=_blank>2020Search</a> Toolbar 
Source=http://www.castlecops.com/startuplist-34.html

[2177F056-0AA6-4D6C-A944-13F71F341C29]
Confirmed=X
Filename=sysokuaw.exe
Description=Added by the  <a href="http://siri.geekstogo.com/ChangeLog.php" target=_blank>SmitFraud</a> Trojan
Source=http://www.castlecops.com/startuplist-16724.html

[24Online Client]
Confirmed=U
Filename=CyberoamClient.exe
Description=Related to  <a href="http://www.elitecore.com/" target=_blank>Cyberroam</a> from Elitecore Technologies Ltd. <font color=red>Note:</font> Located in \%Program Files%\eLitecore\Cyberoam Client for 24Online\
Source=http://www.castlecops.com/startuplist-15918.html

[250]
Confirmed=X
Filename=winmgr.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojlegmirat.html" target=_blank>Troj/LegMir-AT</a> TROJAN! <font color=red>Read the link, keylogger/password stealing trojan(s) involved.</font>
Source=http://www.castlecops.com/startuplist-11028.html

[27]
Confirmed=X
Filename=slsorve.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojslsorvea.html" target=_blank>SLSORVE-A</a> TROJAN!
Source=http://www.castlecops.com/startuplist-8753.html

[27]
Confirmed=X
Filename=csrss32.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojslsorved.html" target=_blank>TROJ/SLSORVE-D</a> TROJAN!
Source=http://www.castlecops.com/startuplist-10972.html

[27]
Confirmed=X
Filename=msm32.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojslsorvee.html" target=_blank>TROJ/SLSORVE-E</a> TROJAN!
Source=http://www.castlecops.com/startuplist-11479.html

[2CF0B992-5EEB-4143-99C0-5297EF71F444]
Confirmed=X
Filename=rundll32.exe stlbdist.dll, DllRunMain
Description= <a href="http://research.sunbelt-software.com/threat_display.cfm?name=BrowserAid&threatid=3342&search=browseraid" target=_blank>BrowserAid/BrowserPal</a> Foistware
Source=http://www.castlecops.com/startuplist-4649.html

[2CF0B992-5EEB-4143-99C2-5297EF71F44B]
Confirmed=X
Filename=rundll32.exe stlbupdt.DLL, DllRunMain
Description= <a href="http://research.sunbelt-software.com/threat_display.cfm?name=BrowserAid&threatid=3342&search=browseraid" target=_blank>BrowserAid/BrowserPal</a> Foistware
Source=http://www.castlecops.com/startuplist-4650.html

[2chkdsk]
Confirmed=X
Filename=******.dll
Description= <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99" target=_blank>VirtuMonde/Vundo</a> adware variant
Source=http://www.castlecops.com/startuplist-14335.html

[2kadiras]
Confirmed=Y
Filename=2kadiras.exe
Description= <a href="http://www.alliedtelesyn.co.uk/en-gb/" target=_blank>Allied_Telesyn</a> AT series router/modem related - apparently required

Source=http://www.castlecops.com/startuplist-9149.html

[2Search]
Confirmed=X
Filename=main.exe
Description=Added by  <a href="http://www.symantec.com/avcenter/venc/data/adware.2search.html" target=_blank>Adware.2Search</a> ADAWARE! <font color=red>Note</font>: located in C:\Program Files\2search\
Source=http://www.castlecops.com/startuplist-12885.html

[2thousandbuck]
Confirmed=X
Filename=(path to file)
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ranky.l.html" target=_blank>RANKY.L</a> TROJAN!

Source=http://www.castlecops.com/startuplist-6186.html

[2wSysTray]
Confirmed=U
Filename=2portalmon.exe
Description=<a target="_blank" href="http://www.2wire.com/home/index.html">2Wire Homeportal</a> user interface
Source=http://www.castlecops.com/startuplist-35.html

[32-bit Thunking service]
Confirmed=X
Filename=thunk32.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.derdero.a@mm.html" target=_blank>W32.Derdero.A</a> WORM! 
Source=http://www.castlecops.com/startuplist-7473.html

[333]
Confirmed=X
Filename=svchost.exe
Description= <a href="http://www.sophos.com/security/analyses/trojjda.html" target=_blank>Troj/JD-A</a> <font color=red>Read the link, steals information</font>
Source=http://www.castlecops.com/startuplist-14366.html

[357AA41A-B7A8-4632-A27D-5B980B25CF43]
Confirmed=X
Filename=[path to svchost.exe]
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojsmallaq.html" target=_blank>SMALL-AQ</a> TROJAN!
Source=http://www.castlecops.com/startuplist-7169.html

[357AA41A-B7A8-4632-A27D-5B980B25CF43]
Confirmed=X
Filename=services.exe
Description=Added by  <a href="http://www.symantec.com/avcenter/venc/data/adware.fakemessage.html" target=_blank>FakeMessage/AdRotator</a> adware - NOTE - this file is placed in a Winnt\System32\Inetserv or Windows\System32\Inetsrv folder,  and should NOT be confused with the legitimate Windows  <a href="http://www.liutilities.com/products/wintaskspro/processlibrary/services/" target=_blank>services.exe</a> process,   always located in the Winnt\System32 or Windows\System32 folder,  and which moreover should NOT figure in Msconfig/Startup!

Source=http://www.castlecops.com/startuplist-11011.html

[36X Raid Configurer]
Confirmed=Y
Filename=JMRaidSetup.exe
Description=Related to  <a href="http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/ch-software-raid.html" target=_blank>Raid_Configurer</a> Disk Partitioning Setup. <font color=red>Note:</font> Located in \%WINDIR%\System32\
Source=http://www.castlecops.com/startuplist-17352.html

[388529725448]
Confirmed=X
Filename=AutomaticUpdates.exe
Description= <a href="http://www.sophos.com/security/analyses/w32sdbotden.html" target=_blank>W32/Sdbot-DEN</a> <font color=red>Read the link, allows remote access</font>
Source=http://www.castlecops.com/startuplist-14817.html

[38921398152773197389309440455459]
Confirmed=X
Filename=av2009.exe
Description=Added by the  <a href="http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009" target=_blank>Antivirus_2009</a> rogue anti-spyware program. <font color=red>Note:</font> Located in \%Program Files%\Antivirus 2009\ <font color=red>Note:</font> Use SDFix under supervision. <font color=red>Note:</font> Random numbers in the Start up name.
Source=http://www.castlecops.com/startuplist-17409.html

[3c1807pd]
Confirmed=Y
Filename=3cmlink.exe 3cpipe-3c1807pd
Description=3Com WinModem driver. See <a href="http://808hi.com/56k/winmodems.asp" target="_blank">here</a> for more WinModem information
Source=http://www.castlecops.com/startuplist-37.html

[3capplnk]
Confirmed=Y
Filename=3capplnk.exe
Description=US Robotics Modem driver
Source=http://www.castlecops.com/startuplist-38.html

[3cdminic]
Confirmed=N
Filename=3CDMINIC.EXE
Description=3Com DMI (DynamicAccess <u>D</u>esktop <u>M</u>anagement <u>I</u>nterface) Agent associated with 3Com network cards
Source=http://www.castlecops.com/startuplist-39.html

[3CM Link]
Confirmed=Y
Filename=3cmcnkw.exe
Description=Required for a US Robotics WinModem as it provides the link to Windows - won't work without it.
Source=http://www.castlecops.com/startuplist-40.html

[3Cmlink]
Confirmed=Y
Filename=3CmlinkW.exe
Description=For a US Robotics WinModem. Provides the link to Windows as the CPU does the processing on WinModems - won't work without it. See <a href="http://808hi.com/56k/winmodems.asp" target="_blank">here</a> for more WinModem information
Source=http://www.castlecops.com/startuplist-41.html

[3ComDMIAgent]
Confirmed=N
Filename=3CDMINIC.EXE
Description=3Com DMI (DynamicAccess <u>D</u>esktop <u>M</u>anagement <u>I</u>nterface) Agent associated with 3Com network cards
Source=http://www.castlecops.com/startuplist-42.html

[3D Text]
Confirmed=N
Filename=3D Text.scr
Description=Added as a result of the <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.jermy.a.html" target="_blank"> JERMY.A</a> VIRUS!
Source=http://www.castlecops.com/startuplist-44.html

[3Deep Control Panel]
Confirmed=U
Filename=3DeepCTL.EXE
Description=From <a href="http://www.colorific.com/index.htm" target="_blank">LightSurf Technologies</a> (nee E-Color) - <a href="http://www.colorific.com/d1.htm" target="_blank">3Deep</a> corrects lighting, shading and color for all your 2D and 3D games
Source=http://www.castlecops.com/startuplist-45.html

[3Dfx Acc]
Confirmed=X
Filename=GFXACC.EXE
Description=Added as a result of the <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.html" target="_blank"> GIBE</a> VIRUS!
Source=http://www.castlecops.com/startuplist-46.html

[3dfx Task Manager]
Confirmed=N
Filename=3dfxMan.exe
Description=System Tray application for 3dfx Voodoo 3/4/5 functions. Available via Start -> Programs
Source=http://www.castlecops.com/startuplist-47.html

[3dfx Tools]
Confirmed=Y
Filename=3dfxCmn.dll
Description=Updates the registry with information that can't be held for Voodoo 3/4/5 series graphics cards. Important for owners of these cards
Source=http://www.castlecops.com/startuplist-48.html

[3dfxv2ps.dll]
Confirmed=Y
Filename=3dfxv2ps.dll
Description=Updates the registry with info that can't be held for 3dfx Voodoo 2 video cards. Important for owners of these cards
Source=http://www.castlecops.com/startuplist-49.html

[3Dlabs Taskbar Display Manager]
Confirmed=?
Filename=3DLman.exe
Description=3DLabs graphics driver related. <font color="#FF0000"> System Tray access to display settings?</font>
Source=http://www.castlecops.com/startuplist-50.html

[3DLabsHelperDemon]
Confirmed=U
Filename=3dldemon.exe
Description=Directly from the programs author "It is a tiny program that is installed by the Permedia2/3 and probably other Oxygen-series cards. Normally it sits in the background doing nothing at all (sleeping on a semaphore), so it should take zero CPU time and virtually zero memory, since it will all be paged out to the hard drive." In most cases it can be safely disabled
Source=http://www.castlecops.com/startuplist-51.html

[3DMouse.EXE]
Confirmed=Y
Filename=3DMouse.EXE
Description=Dritek System Inc. 3D Mouse driver
Source=http://www.castlecops.com/startuplist-8340.html

[3d_sound]
Confirmed=X
Filename=3d_sound.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojriadosa.html" target=_blank>Troj/Riados-A</a>
 TROJAN!
 <font color=red> Note:</font> This trojan file is found in the System (95/98/ME) or System32 (NT/2000/XP) folder.

Source=http://www.castlecops.com/startuplist-12053.html

[3P_UDEC]
Confirmed=X
Filename=AntvrsInstall.exe
Description=Installer for the  <a href="http://www.bleepingcomputer.com/malware-removal/antivirus-2008" target=_blank>Antivirus_2008</a> rogue anti-spyware program. <font color=red>Note:</font> Use  <a href="http://www.malwarebytes.org/rogueremover.php" target=_blank>Malwarebytes</a> RogueRemover tool.
Source=http://www.castlecops.com/startuplist-17138.html

[3qdctl.exe]
Confirmed=U
Filename=3qdctl.exe
Description=Provided with Terratec 128i PCI and similar sound cards. Loads a sound profile at bootup, restoring volume and other audio settings to a pre-determined default. Similar to Creative Lab's AudioHQ
Source=http://www.castlecops.com/startuplist-52.html

[3ware 3DM]
Confirmed=Y
Filename=3dm.exe
Description=Monitors status of the disk array on 3ware IDE RAID controllers
Source=http://www.castlecops.com/startuplist-53.html

[4684735485910]
Confirmed=X
Filename=netdll32.exe
Description= <a href="http://www.sophos.com/security/analyses/w32sdbotdev.html" target=_blank>W32/Sdbot-DEV</a> <font color=red>Read the link, allows remote access</font>
Source=http://www.castlecops.com/startuplist-14816.html

[4da92ad5.exe]
Confirmed=X
Filename=4da92ad5.exe
Description= <a href="http://www.sophos.com/security/analyses/trojdloadrwz.html" target=_blank>Troj/Dloadr-WZ</a>
Source=http://www.castlecops.com/startuplist-14184.html

[4oD]
Confirmed=U
Filename=KHost.exe
Description= <a href="http://help.kontiki.com/enduser/search_results.jsp?node=10779&PMSearch=khost.exe" target=_blank>Kontiki_Delivery_Manager</a> - Windows-based client software that enables secure delivery of content to users' desktops
Source=http://www.castlecops.com/startuplist-14642.html

[4wd!!!]
Confirmed=X
Filename=Natal!.pif
Description=Added as a result of the <a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASERV.AI" target="_blank">OPASERV.AI</a> VIRUS!
Source=http://www.castlecops.com/startuplist-54.html

[5-1-61-96]
Confirmed=X
Filename=members-area.exe
Description=Adult content dialler
Source=http://www.castlecops.com/startuplist-55.html

[5-2-46-112]
Confirmed=X
Filename=5-2-46-112.exe
Description=Adult content pop-up dialler. Removal instructions <a href="http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF8&safe=off&threadm=1e10cd61.0203201743.78f51cfa@posting.google.com&rnum=9&prev=/groups?q=5-2-46-112.exe&hl=en&lr=&ie=UTF-8&oe=UTF8&safe=off&selm=1e10cd61.0203201743.78f51cfa@posting.google.com&rnum=9" target="_blank">here</a>
Source=http://www.castlecops.com/startuplist-56.html

[55278]
Confirmed=X
Filename=grepclient1.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojlineages.html" target=_blank>Troj/Lineage-S</a> Trojan! <font color=red>Read the link, keylogger/password stealing trojan(s) involved.</font>
Source=http://www.castlecops.com/startuplist-9595.html

[5p4m]
Confirmed=X
Filename=(Path to Trojan)
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojlitebotc.html" target=_blank>Troj/Litebot-C</a>
 TROJAN!

Source=http://www.castlecops.com/startuplist-10914.html

[666]
Confirmed=X
Filename=Ska.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojpipes.html" target=_blank>Troj/Pipes</a> TROJAN!
Source=http://www.castlecops.com/startuplist-57.html

[678]
Confirmed=X
Filename=lsas32.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojslsorvec.html" target=_blank>Troj/Slsorve-C</a>
 TROJAN!

Source=http://www.castlecops.com/startuplist-10302.html

[756349DC-6D9E-4F2A-9B24-269661F073C3]
Confirmed=X
Filename=sysoghcx.exe
Description=Added by the  <a href="http://siri.geekstogo.com/ChangeLog.php" target=_blank>SmitFraud</a> Trojan
Source=http://www.castlecops.com/startuplist-16723.html

[7f8e]
Confirmed=X
Filename=z****.exe 9idf
Description=Detected by NOD32 as Win32/TrojanDropper.Small.ALI , <font color=red>Note:</font> it creates a number of extra z****.dll files in the system32 folder
Source=http://www.castlecops.com/startuplist-13931.html

[7v3j]
Confirmed=X
Filename=z1844.exe gdtgh
Description=Added by an unidentified TROJAN! <font color=red>Note:</font> of the  <a href="http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39437" target=_blank>Win32/Rbot</a> Family. <font color=red>Note:</font> This worm\trojan is located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K) The file name is random z(Random Number).exe followed by <font color=red>gdtgh</font>
Source=http://www.castlecops.com/startuplist-13681.html

[802.11b+g USB Wireless LAN Utility]
Confirmed=U
Filename=ZDWlan.exe
Description=Related to  <a href="http://www.file.net/process/zdwlan.exe.html" target=_blank>USB_Wifi_device</a> Wireless Lan. <font color=red>Note:</font> Located in \%Program Files%\WLAN\802.11b g USB WLAN\
Source=http://www.castlecops.com/startuplist-15928.html

[802.11g Wireless Adatper]
Confirmed=U
Filename=Monitor.exe
Description=Related to wireless card (802.11) adapter/standard. System Tray icon that provides a shortcut to "Wireless Connection Status" and allows to turn WL on and off. Supplier unknown. Adapter is miss-spelled.
Source=http://www.castlecops.com/startuplist-15432.html

[85]
Confirmed=X
Filename=rundl132.exe
Description=Added by the  <a href="http://www.sophos.com/security/analyses/trojgampassl.html" target=_blank>Troj/Gampass-L</a> TROJAN! <font color=red>Note:</font> This worm\trojan is located in C:\%WINDIR%\TEMP\ <font color=red>Monitor user activity and log keystrokes. It also attempts to suppress detection alerts for an anti-virus product</font> (random key name).
Source=http://www.castlecops.com/startuplist-14251.html

[852EBF20-A95D-4F1F-B9C2-B2CD24350F3E]
Confirmed=X
Filename=sysodkcs.exe
Description=Added by the  <a href="http://siri.geekstogo.com/ChangeLog.php" target=_blank>SmitFraud</a> Trojan
Source=http://www.castlecops.com/startuplist-16722.html

[98D0CE0C16B1]
Confirmed=X
Filename=rundll32.exe D0CE0C16B1,D0CE0C16B1
Description= <a href="http://research.sunbelt-software.com/threat_display.cfm?name=BrowserAid&threatid=3342&search=browseraid" target=_blank>BrowserAid/BrowserPal</a> Foistware
Source=http://www.castlecops.com/startuplist-5622.html

[9m]
Confirmed=X
Filename=winlog0n.exe
Description= <a href="http://www.sophos.com/security/analyses/trojlegmiraqk.html" target=_blank>Troj/LegMir-AQK</a> <font color=red>Read the link, steals information</font>
Source=http://www.castlecops.com/startuplist-14326.html

[9xadiras]
Confirmed=Y
Filename=9xadiras.exe
Description= <a href="http://www.alliedtelesyn.co.uk/en-gb/" target=_blank>Allied_Telesyn</a> AT series router/modem related - apparently required

Source=http://www.castlecops.com/startuplist-9148.html

[9xHtProtect]
Confirmed=X
Filename=AVprotect9x.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.m@mm.html" target=_blank>W32.NETSKY.M</a> WORM!
Source=http://www.castlecops.com/startuplist-58.html

[;Rundll]
Confirmed=X
Filename=(random filename)
Description=Added as a result of the <a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PWSLEGMIR.E" target="_blank">PWSLEGMIR.E</a> VIRUS!
Source=http://www.castlecops.com/startuplist-59.html

[<executed file name>]
Confirmed=X
Filename=Regsrv32.com
Description=Added as a result of the <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.southghost.html" target="_blank">SOUTHGHOST</a> VIRUS!
Source=http://www.castlecops.com/startuplist-4.html

[<filename>]
Confirmed=X
Filename=App.exe
Description=Added as a result of the <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.waxpow.worm.html" target="_blank">WAXPOW</a> VIRUS! where <filename> is the executed filename
Source=http://www.castlecops.com/startuplist-5.html

[<random filename>]
Confirmed=X
Filename=wincpu.exe
Description=Added as a result of an unidentified VIRUS!
Source=http://www.castlecops.com/startuplist-7.html

[<various names>]
Confirmed=X
Filename=elf.exe
Description=Elf is a hacker program, tied to a trojan server
Source=http://www.castlecops.com/startuplist-8.html

[??QQ]
Confirmed=?
Filename=QQ.exe
Description=Related to  <a href="http://im.qq.com/" target=_blank>QQ_IM</a> program popular in China. (It's similar to MSN Messenger.) there are many add-ons created for QQ and of course, some add-ons are malware. If you didn't get his QQ from the official site, or you installed some add-ons it is suggested that you remove it and have install a fresh copy from the official Tencent Inc. site. <font color=red>Note:</font> Located in \%Program Files%\Tencent\QQ\ 
Source=http://www.castlecops.com/startuplist-17042.html

[?ekio Startups]
Confirmed=X
Filename=?nksvc32.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32agobotov.html" target=_blank>W32/AGOBOT-OV</a> WORM! <font color=red>Read the link, keylogger/password stealing trojan(s) involved.</font>
Source=http://www.castlecops.com/startuplist-8511.html

[@]
Confirmed=X
Filename=regedit -s ..win.dll
Description=Added as a result of the <a href="http://securityresponse.symantec.com/avcenter/venc/data/js.seeker.k.html" target="_blank">SEEKER.K</a> VIRUS!
Source=http://www.castlecops.com/startuplist-60.html

[@Hoc Toolbar]
Confirmed=N
Filename=AtHoc.exe
Description=One-click activated browsing toolbar used by various web-sites. See <a href="http://siliconvalley.internet.com/news/article.php/3531_479951" target="_blank">here</a> for more info
Source=http://www.castlecops.com/startuplist-61.html

[@loha]
Confirmed=N
Filename=reminder.exe
Description=Registration reminder for <a href="http://www.pcworld.com/downloads/file_description/0,fid,6581,00.asp" target="_blank">@loha@home</a> E-mail utility
Source=http://www.castlecops.com/startuplist-62.html

[@tour_ww]
Confirmed=X
Filename=@tour_ww[1].exe
Description=Adult content dialler
Source=http://www.castlecops.com/startuplist-63.html

[a]
Confirmed=X
Filename=a.exe
Description=Commercials file that registers itself in the system registry and redirects IE to a certain commercial website
Source=http://www.castlecops.com/startuplist-64.html

[a]
Confirmed=X
Filename=jesse.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32meloa.html" target=_blank>W32/Melo-A</a>
 WORM! 
 <font color=red> Note:</font> This worm file is found in the system32\drivers\etc folder.

Source=http://www.castlecops.com/startuplist-11637.html

[A New Windows Updater]
Confirmed=X
Filename=w32NTupdt.exe
Description=Added by  <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.bm@mm.html" target=_blank>W32.Mytob.BM</a> WORM!
Source=http://www.castlecops.com/startuplist-8083.html

[A Note]
Confirmed=U
Filename=A Note.exe
Description=Related to  <a href="http://a-note.sourceforge.net/" target=_blank>A_Note</a> A Note is a program that lets you create post-it like notes on your Microsoft Windows desktop. <font color=red>Note:</font> Located in \%Program Files%\A Note\
Source=http://www.castlecops.com/startuplist-16702.html

[A Verizon App]
Confirmed=U
Filename=VERIZO~1
Description=Related to  <a href="http://www22.verizon.com/" target=_blank>Verizon_Online</a> Help support/ <font color=red>Note:</font> Located in C:\PROGRA~1\VERIZO~1\HELPSU~1\
Source=http://www.castlecops.com/startuplist-13789.html

[a-squared]
Confirmed=U
Filename=a2guard.exe
Description= <a href="http://www.emsisoft.com/en/" target=_blank>a-Squared</a> antitrojan - can be run on demand,  but necessary in Startup,  if you prefer the a²  'Background Guard'  real time protection feature
Source=http://www.castlecops.com/startuplist-6624.html

[a-winpoet-service]
Confirmed=Y
Filename=winpppoverethernet.exe
Description=WinPoET is the industry's first Windows-based PPP over Ethernet client. Developed by iVasion, WinPoET is attractive to equipment providers, modem suppliers, RBOCs and ISPs. For more info read <a href="http://www.finepoint.com/products/winpoet/index.html" target="_blank">here</a>. It uses dial-up networking for new high-speed internet customers who are more familiar with analogue modems. If unchecked in MSCONFIG it reports Error 360 - Hardware Error in dial-up networking
Source=http://www.castlecops.com/startuplist-65.html

[A1000 Settings Utility]
Confirmed=U
Filename=cpqa1000.exe
Description=Compaq A1000 Print Fax All-in-One copy scan printer software. Required in the Startup in order to scan, print, copy and fax. Only required if you use these features
Source=http://www.castlecops.com/startuplist-66.html

[A4Proxy]
Confirmed=U
Filename=A4Proxy.exe
Description=<a href="http://www.findincontext.com/a4proxy/review.htm" target="_blank">Anonymity 4 Proxy</a> - local proxy server that makes you anonymous when visiting web sites
Source=http://www.castlecops.com/startuplist-67.html

[A70F6A1D-0195-42a2-934C-D8AC0F7C08EB]
Confirmed=X
Filename=rundll32.exe E6F1873B.DLL,D9EBC318C
Description= <a href="http://research.sunbelt-software.com/threat_display.cfm?name=BrowserAid&threatid=3342&search=browseraid" target=_blank>BrowserAid/BrowserPal</a> Foistware
Source=http://www.castlecops.com/startuplist-5621.html

[aa bbcc dde effgghh jj]
Confirmed=X
Filename=update.exe
Description=Added by a variant of the  <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2002-070818-0630-99" target=_blank>IRCBOT</a> <font color=red>Note:</font> Located in \%WINDIR%\System32\ <font color=red>Note:</font> Use SDFix under supervision.
Source=http://www.castlecops.com/startuplist-17079.html

[AAACLEAN]
Confirmed=?
Filename=AAACLEAN.INF
Description=<font color="#FF0000">??</font>
Source=http://www.castlecops.com/startuplist-68.html

[AAAKeyboard]
Confirmed=?
Filename=??
Description=<font color="#FF0000">??</font>
Source=http://www.castlecops.com/startuplist-69.html

[AAATraySaver]
Confirmed=N
Filename=TraySaver.exe
Description=System Tray management utility from <a href="http://www.mlin.net/" target="_blank">Mike Lin</a> which allows you to hide, show, restore icons that are lost in an Explorer crash, remove dead tray icons, minimize any window to the System Tray
Source=http://www.castlecops.com/startuplist-70.html

[AAK]
Confirmed=U
Filename=aak.exe
Description=<a href="http://www.anti-keylogger.net/" target="_blank">Advanced Anti-Keylogger</a> - "Anti-spy software to prohibit operation of any keyloggers currently in use or presently being developed anywhere"
Source=http://www.castlecops.com/startuplist-71.html

[aaLDISCN32]
Confirmed=U
Filename=LDISCN32.EXE
Description=Related to LANDesk® <a href="http://www.landesk.com/" target=_blank>_Management</a> Agent from LANDesk Software. <font color=red>Note:</font> Located in \%ROOT%\LDClient\
Source=http://www.castlecops.com/startuplist-15921.html

[aaLDTaskCompletion]
Confirmed=U
Filename=amclient.EXE
Description=Related to LANDesk® <a href="http://www.landesk.com/" target=_blank>_Management</a> Agent from LANDesk Software. <font color=red>Note:</font> Located in \%ROOT%\LDClient\
Source=http://www.castlecops.com/startuplist-15920.html

[AAMSFree702]
Confirmed=X
Filename=sys.exe
Description=Added by the BackDoor-CPC backdoor TROJAN!
Source=http://www.castlecops.com/startuplist-14720.html

[Aaou]
Confirmed=X
Filename=amee.exe
Description= <a href="http://research.sunbelt-software.com/threat_display.cfm?name=ClickSpring.PuritySCAN&threatid=10115" target=_blank>PurityScan/Clickspring</a> Adware
Source=http://www.castlecops.com/startuplist-5217.html

[Aapp]
Confirmed=X
Filename=adprot
Description= <a href="http://www.symantec.com/avcenter/venc/data/adware.adblaster.html" target=_blank>AdBlaster</a> adware
Source=http://www.castlecops.com/startuplist-8050.html

[aauclient]
Confirmed=?
Filename=ACNUpdater.exe
Description=Appears to be related to software from  <a href="http://www.accenture.com/xd/xd.asp?it=enweb&xd=index.xml" target=_blank>Accenture.com</a> - <font color=red>what does it do and is it required?</font>
Source=http://www.castlecops.com/startuplist-10274.html

[AAW]
Confirmed=N
Filename=Ad-Aware.exe
Description=Related to  <a href="http://www.lavasoftusa.com/" target=_blank>Ad-Aware_SE</a> from Lavasoft. AdAware removal tool. <font color=red>Note:</font> Located in \%Program Files%\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
Source=http://www.castlecops.com/startuplist-15646.html

[AAWTray]
Confirmed=Y
Filename=AAWTray.exe
Description=Part of Ad-aware 2007
Source=http://www.castlecops.com/startuplist-15468.html

[ab EazyScheduler]
Confirmed=?
Filename=ezsched.exe
Description=<font color="#FF0000">??</font>
Source=http://www.castlecops.com/startuplist-72.html

[abass]
Confirmed=X
Filename=abass.exe
Description=Added by a variant of the  <a href="http://www.bleepingcomputer.com/startups/abass.exe-23108.html" target=_blank>Email-Worm.Win32.Zhelatin</a> worm and IRC backdoor. <font color=red>Note:</font> located in \%WINDIR%\ <font color=red>Note:</font> Use SDFix under supervision.
Source=http://www.castlecops.com/startuplist-17091.html

[ABBYY Community Agent]
Confirmed=N
Filename=CAGENT.EXE
Description=Installed with the Optical Character Recognition (OCR) software that comes bundled with a Compaq A3000 all-in-one printer/scanner. Its function appears to be to link you to the internet in an attempt to buy the 5.0 version of the software
Source=http://www.castlecops.com/startuplist-73.html

[ABC]
Confirmed=X
Filename=keylogger.exe
Description=Monitors keystrokes so you can check if someone has typed anything while your away from your PC. Reported as spyware by <a href="http://www.spycop.com/index.html" target="_blank">SpyCop</a> in their <a href="http://www.spycop.com/faq.htm" target="_top">FAQ</a>
Source=http://www.castlecops.com/startuplist-74.html

[abcdefgh]
Confirmed=X
Filename=abcdefgh.exe
Description= <a href="http://www.securitystronghold.com/gates/spyware-adware-solutions/abcdefgh_abcdefgh.exe_solution.htm" target=_blank>DOWNLOADER.EPJ</a> TROJAN! 
Source=http://www.castlecops.com/startuplist-11641.html

[ABIT uGuru]
Confirmed=U
Filename=uGuru.exe
Description=Related to  <a href="http://www.abit-usa.com/" target=_blank>ABIT_Computer</a>  Provides quick access to several Abit motherboard utilities - such as monitoring cpu temperature, fan speeds, overclocking, flashing of BIOS
Source=http://www.castlecops.com/startuplist-12613.html

[ABITEQ]
Confirmed=N
Filename=abiteq.exe
Description=Monitoring utility for ABIT Motherboards. Displays system voltages, temperatures and fan speeds.
Source=http://www.castlecops.com/startuplist-7902.html

[Abrada WIN32]
Confirmed=X
Filename=abrada.exe
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojdermong.html" target=_blank>Troj/Dermon-G</a> TROJAN! <font color=red>Note</font>: located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K) <font color=red>Can severely compromise system security, stealth installed.</font>
Source=http://www.castlecops.com/startuplist-12733.html

[ABRegmon]
Confirmed=Y
Filename=ABregmon.exe
Description= <a href="http://www.arcabit.com/" target=_blank>ArcaVir</a> Antivirus
Source=http://www.castlecops.com/startuplist-17405.html

[Absolute Shield]
Confirmed=U
Filename=dseraser.exe
Description=Absolute Shield/Evidence Eliminator - internet history  <a href="http://www.auditmypc.com/process/dseraser.asp" target=_blank>eraser</a>
Source=http://www.castlecops.com/startuplist-75.html

[Absolute StartUp monitor]
Confirmed=U
Filename=ASMon.exe
Description=<a href="http://www.fgroupsoft.com/Absolutestartup/" target="_blank">Absolute Startup</a> - startup monitor from F-Group Software
Source=http://www.castlecops.com/startuplist-76.html

[AbsoluteShield Internet Eraser]
Confirmed=Y
Filename=cseraser.exe
Description=Related to  <a href="http://www.spyany.com/files/cseraser_exe.html" target=_blank>AbsoluteShield_Internet_Eraser</a> application. <font color=red>Note</font>: located in C:\Program Files\SysShield Tools\Internet Eraser\
Source=http://www.castlecops.com/startuplist-12857.html

[ABsr]
Confirmed=X
Filename=absr.exe
Description=Added as a result of the <a href="http://securityresponse.symantec.com/avcenter/venc/data/backdoor.autoupder.html" target="_blank">AUTOUPDER</a> VIRUS!
Source=http://www.castlecops.com/startuplist-77.html

[absr]
Confirmed=X
Filename=mwsvm.exe
Description=SeekSeek search hijacker related - See  <a href="http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW_SECTHOUGHT.A&VSect=Sn" target=_blank>here</a>
Source=http://www.castlecops.com/startuplist-78.html

[abtu]
Confirmed=X
Filename=mp3serch.exe
Description=Loads the executable for <a href="http://www.spywareinfo.com/lop.html" target="_blank">Lop.com</a>. mp3serch.exe is the final version whilst lopsearch.exe is the beta version
Source=http://www.castlecops.com/startuplist-79.html

[abtu]
Confirmed=X
Filename=lopsearch.exe
Description=Loads the executable for  <a href="http://www.spywareinfo.com/lop.html" target=_blank>LOP</a> adware -  mp3serch.exe is the final version whilst lopsearch.exe is the beta version
Source=http://www.castlecops.com/startuplist-6488.html

[AbyssWebServer]
Confirmed=U
Filename=abyssws.exe
Description=<a href="http://abyss.sourceforge.net/" target="_blank">Abyss</a> web server
Source=http://www.castlecops.com/startuplist-80.html

[Ac97Sound]
Confirmed=X
Filename=snddrv.exe
Description=Detected as Mal/SillyFDC-A by sophos
Source=http://www.castlecops.com/startuplist-14688.html

[AcBtnMgr_Xxx]
Confirmed=Y
Filename=AcBtnMgr_Xxx.exe
Description=Associated with the Lexmark Xxx (where "xx" is the model) all-in-one printer/scanner/copier. Required for correct operation
Source=http://www.castlecops.com/startuplist-81.html

[acc]
Confirmed=U
Filename=acc.exe
Description=<a href="http://www.voicecallcentral.com/#advanced_call_center" target="_blank">Advanced Call Center</a> - "full-featured yet easy-to-use answering machine software for your voice modem"
Source=http://www.castlecops.com/startuplist-82.html

[ACCDEFRAGINFO]
Confirmed=X
Filename=(path to file)
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/w32darbyo.html" target=_blank>W32/Darby-O</a> WORM!
Source=http://www.castlecops.com/startuplist-5594.html

[Accelerate]
Confirmed=U
Filename=accelerate.exe
Description=Webroot <a href="http://www.webroot.com/wb/products/accelerate/index.php" target="_blank">Accelerate</a> - allows you to optimize Windows network registry settings in order to boost surfing speeds. Leave this enabled if you find it improves your connection
Source=http://www.castlecops.com/startuplist-83.html

[Access Control App]
Confirmed=X
Filename=winsto.exe
Description=Identified as a variant of the Win32/TrojanDownloader.Small.CYF Trojan. <font color=red>Note:</font> Located in \%Temp%\
Source=http://www.castlecops.com/startuplist-16150.html

[Access Ramp Monitor]
Confirmed=N
Filename=armon32.exe
Description=Monitors your progress on the internet; hang-ups, connection speeds, internet congestion and traffic flow. It prevents some games from running also. To disable the Access Ramp Monitor (1) Open Windows Explorer (2) Open the Program Files folder (3) Open the MindSpring folder (4) Open the AccessRamp folder (5) Double-click on the ARMCfg32.exe file (6) Uncheck Enable Dialup Monitor and click OK (7) Restart the computer and try again
Source=http://www.castlecops.com/startuplist-84.html

[Access WebControl]
Confirmed=X
Filename=[path to file]
Description=Added by the  <a href="http://www.sophos.com/virusinfo/analyses/trojppdoorm.html" target=_blank>TROJ/PPDOOR-M</a> TROJAN!

Source=http://www.castlecops.com/startuplist-10296.html

[AccessManager]
Confirmed=U
Filename=AccessMgr.exe
Description=Part of SmartPipes  <a href="http://www.smartpipes.com/SecureSite.htm" target=_blank>SecureSite</a> software - "SecureSite enables rapid turnup and enhanced administration of VPNs. It automates and simplifies tasks for VPN design and policy management, access control management, and key management" 


Source=http://www.castlecops.com/startuplist-10165.html

[AccessMedia P2P Loader]
Confirmed=X
Filename=amp2pl.exe
Description=My AccessMedia toolbar related,  stealth installed!
Source=http://www.castlecops.com/startuplist-7948.html

[AccessoriesPlus]
Confirmed=U
Filename=clockplus.exe
Description="Clock Plus",  part of  <a href="http://simplypowerful.com/software/accessoriesplus.html" target=_blank>Accessories_Plus</a> allows you to select from dozens of alternatives for the Windows clock.
Source=http://www.castlecops.com/startuplist-11336.html

[AccessRamp Monitor01]
Confirmed=N
Filename=ARMon32a.exe
Description=From a visitor "Just wanted to provide you with some info on Access Ramp software installed with Verizon DSL accounts in those areas that use the Winpoet PPPoE software. The Access Ramp TSRs are installed as part of IP Insight software (can't remember the software maker). You can decline to install IP Insight during Winpoet setup, or go into Add/Remove programs uninstall IP Insight by hand if it's already installed. It really doesn't do a darn thing for you. It was intended to help DSL techs monitor QoS, but the backend part was never implemented (at least as of earlier this year). This will not affect the user's ability or inability to access their DSL service."
Source=http://www.castlecops.com/startuplist-85.html

[AccessRampLAN01]
Confirmed=N
Filename=ARUpld32.exe
Description=Version of the above for LAN connections - a history uploader. The key in turning it off is a file named ARUCfg32.exe. This file (ARUCfg32.exe) does not show up in the startup process. If you have this file, you can execute it and remove all the monitoring activities it does. Removing all the checks in all the boxes (both tabs) still calls ARUpld32.exe to start when you start the dial up. You can block it from sending info if you have Zone Alarm installed. Renaming the extension of ARUCfg32.exe to ARUCfg32.exe1 works. The ARUpld32.exe is not loaded when launching the dial up client. Written by IP Insight and also included with Earthlink Total Access 2003
Source=http://www.castlecops.com/startuplist-86.html

[AcctMgr]
Confirmed=U
Filename=AcctMgr.exe
Description=Norton™ Password Manager - part of <a href="http://www.symantec.com/sabu/sysworks/basic/" target="_blank">Norton SystemWorks 2004</a> - stores passwords and other personal information, and retrieves the data needed for email logins, shopping orders, banking, and other online activities—all from the safety of your own PC
Source=http://www.castlecops.com/startuplist-87.html

[AccuWeather.com® Desktop]
Confirmed=N
Filename=AccuWeatherDesktop.exe
Description=Desktop weather from http://home.accuweather.com/index.asp?partner=accuweather AccuWeather

Source=http://www.castlecops.com/startuplist-15336.html

[accwizz.exe]
Confirmed=X
Filename=accwizz.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.ruland.a@mm.html" target=_blank>W32.Ruland.A</a>
 WORM!

Source=http://www.castlecops.com/startuplist-11021.html

[accwizzz.exe]
Confirmed=X
Filename=accwizzz.exe
Description=Added by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.ruland.a@mm.html" target=_blank>W32.Ruland.A</a>
 WORM!

Source=http://www.castlecops.com/startuplist-11022.html

[acdllib3]
Confirmed=X
Filename=bcdlmem.exe
Description=Added by the  <a href="http://www.sophos.com/security/analyses/trojmailbotba.html" target=_blank>Troj/Mailbot-BA</a> TROJAN! <font color=red>Note:</font> This worm\trojan is located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K)
Source=http://www.castlecops.com/startuplist-13617.html

[ACDSee]
Confirmed=U
Filename=ACDSee8Pro.exe
Description=Related to  <a href="http://www.acdsee.com/" target=_blank>ACDSee</a> 8 photo software. Organize, manage, enhance, and share all your valued photo memories. <font color=red>Note:</font> Located in C:\Program Files\ACD Systems\ACDSee\8.0.Pro\
Source=http://www.castlecops.com/startuplist-13115.html

[Acecad.Wtxpload]
Confirmed=Y
Filename=Wtxpload.exe Acecad
Description=driver for an  <a href="http://www.acecad.com.tw/eng/product.htm" target=_blank>AceCad</a> USB Graphics Tablet
Source=http://www.castlecops.com/startuplist-5624.html

[AceGain LiveUpdate]
Confirmed=N
Filename=LiveUpdate.exe
Description= <a href="http://gameone.acegain.com/" target=_blank>AceGain_LiveUpdate</a> . "AceGain LiveUpdate provides a fully managed and customizable LiveUpdate platform that seamlessly integrates with a game. As soon as an update is made available, AceGain manages the alert, download and installation as well as version control and user network preferences."
Source=http://www.castlecops.com/startuplist-5580.html

[Acer ePower Management]
Confirmed=U
Filename=Acer ePower Management.exe
Description=Related to  <a href="http://global.acer.com/products/et/index.htm" target=_blank>Acer_ePower</a> Management from Acer Empowering Technology <font color=red>Note:</font> Located in C:\Acer\Empowering Technology\ePower\
Source=http://www.castlecops.com/startuplist-13152.html

[Acer ePresentation HPD]
Confirmed=U
Filename=ePresentation.exe
Description= Allows you to connect your Acer laptop to a projector.
Source=http://www.castlecops.com/startuplist-15654.html

[Acer Product Registration]
Confirmed=N
Filename=ACE1.exe
Description=Related to  <a href="http://www.acer.com.my/service/warr_register/warr_register.aspx" target=_blank>Acer_Product_Registration</a> Remove when registration is completed. <font color=red>Note:</font> Located in \%Program Files%\Acer Registration\
Source=http://www.castlecops.com/startuplist-15880.html

[Acer Tour Reminder
]
Confirmed=N
Filename=Reminder.exe
Description=Popup reminder to take the tour of your new Acer laptop.
Source=http://www.castlecops.com/startuplist-16205.html

[AcerGoto]
Confirmed=U
Filename=AcerGoto.exe
Description=Acer Computer "Goto Drive"  Cold Swap Driver -  a swappable second disk drive provides convenient backup of large files, or easy importation of data from user's previous computer.
Source=http://www.castlecops.com/startuplist-10403.html

[AcerNotebookManager]
Confirmed=U
Filename=almxptray.exe
Description=System Tray access on some Acer Notebooks to give faster access to system settings
Source=http://www.castlecops.com/startuplist-89.html

[AcerPowerkey]
Confirmed=U
Filename=Powerkey.exe
Description=PowerKey utility for Acer TravelMate notebook PCs. Allows the user to quickly switch between different power schemes by pressing Fn F3
Source=http://www.castlecops.com/startuplist-90.html

[Acess2007a]
Confirmed=X
Filename=access2007a.exe
Description=Added by  a variant of the W32/Gaobot.PQA.worm network worm and IRC backdoor.
Source=http://www.castlecops.com/startuplist-15176.html

[Aceu]
Confirmed=X
Filename=[random file name]
Description= <a href="http://research.sunbelt-software.com/threat_display.cfm?name=ClickSpring.PuritySCAN&threatid=10115" target=_blank>PurityScan/Clickspring</a> Adware
Source=http://www.castlecops.com/startuplist-10851.html

[AceUtils]
Confirmed=N
Filename=au.exe
Description=Related to Ace Utilities from  <a href="http://www.acelogix.com/aceutils.html" target=_blank>Acelogix_Software</a>
Note:  this is NOT to be confused with the au.exe used by the  <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.b@mm.html" target=_blank>BEAGLE.B</a> worm!
Source=http://www.castlecops.com/startuplist-12019.html

[acEventServ]
Confirmed=Y
Filename=acevtsrv.exe
Description=Related to  <a href="http://www.actividentity.com/" target=_blank>ActivCard</a> Gold Component of ActivCard Gold from ActivIdentity, Inc. Smart cards that function as photo ID, proximity badges for facility access and as digital identification and authentication devices. <font color=red>Note:</font> Located in \%Program Files%\ActivCard\ActivCard Gold\
Source=http://www.castlecops.com/startuplist-15395.html

[AClntUsr]
Confirmed=U
Filename=AClntUsr.exe
Description=Altiris  <a href="http://www.cdg-group.com/go.exe?prodid=299" target=_blank>AClient</a> Service Windows Tray Icon 
Source=http://www.castlecops.com/startuplist-10514.html

[Acme.PCHButton]
Confirmed=N
Filename=pchbutton.exe
Description=Used by HP Instant Support
Source=http://www.castlecops.com/startuplist-4857.html

[ACMonitor_Xxx]
Confirmed=Y
Filename=ACMonitor_Xxx.exe
Description=Associated with the Lexmark Xxx (where "xx" is the model) all-in-one printer/scanner/copier. Required for correct operation
Source=http://www.castlecops.com/startuplist-91.html

[acocash]
Confirmed=X
Filename=fastdown.exe, fastfown.exe
Description=Adult content dialler
Source=http://www.castlecops.com/startuplist-92.html

[Acombo3dmouse]
Confirmed=U
Filename=Acombo3d.exe
Description=Mouse driver - required if you use non-standard Windows driver features
Source=http://www.castlecops.com/startuplist-93.html

[Aconti]
Confirmed=X
Filename=aconti.exe
Description=Adult content dialler
Source=http://www.castlecops.com/startuplist-94.html

[acoustic]
Confirmed=U
Filename=acoustic.exe
Description=Control panel program for Philips <a href="http://www.consumer.philips.com/global/b2c/ce/catalog/product.jhtml;jsessionid=5ZTUCSVZIGCWUCRQNFJRX1YKGBUEWHAW?divId=0&groupId=PCSTUFF&catId=&subCatId=SOUNDCARDS&productId=PSC706_05" target="_blank"> Acoustic Edge</a> soundcard. Not required unless changed settings aren't retained
Source=http://www.castlecops.com/startuplist-95.html

[acpart]
Confirmed=N
Filename=agpart11.exe
Description=Program for finding trucks on-line
Source=http://www.castlecops.com/startuplist-96.html

[Acrobat]
Confirmed=X
Filename=acrmon32.exe
Description=Added by the  <a href="http://www.sophos.com/security/analyses/trojsmallect.html?_log_from=rss" target=_blank>Troj/Small-ECT</a> TROJAN! <font color=red>Note:</font> Located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K)
Source=http://www.castlecops.com/startuplist-14075.html

[Acrobat Assistant]
Confirmed=U
Filename=ACROTRAY.EXE
Description=Used to create PDF files with Acrobat Distiller. For Win9x/Me systems you can run this file manually beforehand. For WinXP systems this file must run at startup. Hence the "U" recommendation
Source=http://www.castlecops.com/startuplist-97.html

[Acrobat Assistant 8.0]
Confirmed=N
Filename=Acrotray.exe
Description=Related to  <a href="http://www.liutilities.com/products/wintaskspro/processlibrary/acrotray/" target=_blank>Acrobat_Assistant</a> a process belonging to the Adobe Acrobat Traybar Assistant which provides a shortcut to additional configuration options for Adobe products.
<font color=red>Note:</font> Located in C:\Program Files\Adobe\Acrobat 8.0\Acrobat\
Source=http://www.castlecops.com/startuplist-14983.html

[Acrobat Read]
Confirmed=X
Filename=acroup32.exe
Description= <a href="http://www.sophos.com/security/analyses/trojvanbotbq.html" target=_blank>Troj/VanBot-BQ</a> 
Source=http://www.castlecops.com/startuplist-14169.html

[ACROMOUSE]
Confirmed=U
Filename=ACROMAPP.exe
Description=Related to  <a href="http://www.acroxusa.com/" target=_blank>ACROMOUSE</a> Laser mouse control. <font color=red>Note:</font> Located in C:\Program Files\Tech\Office Program Selector\2.0\
Source=http://www.castlecops.com/startuplist-14978.html

[Acronis Popup Blocker]
Confirmed=U
Filename=Blocker.dll,Run
Description=Related to  <a href="http://www.acronis.com/" target=_blank>Acronis</a> Privacy Expert - anti-spyware and security suite.
Source=http://www.castlecops.com/startuplist-12757.html

[Acronis Scheduler Helper]
Confirmed=U
Filename=schedhlp.exe
Description=Part of http://www.acronis.com/homecomputing/products/trueimage/ Acronis True Image - backup software. Co-operates with the "schedul2.exe" service to perform backup/restore tasks correctly. Required if you want to use True Image to do some real backup/restore tasks - not if you only want to explore/mount images

Source=http://www.castlecops.com/startuplist-14947.html

[Acronis Scheduler2 Service]
Confirmed=U
Filename=schedhlp.exe
Description=Part of http://www.acronis.com/homecomputing/products/trueimage/ Acronis True Image - backup software. Co-operates with the "schedul2.exe" servuce to perform backup/restore tasks correctly. Required if you want to use TrueImage to do some real backup/restore tasks - not if you only want to explore/mount images

Source=http://www.castlecops.com/startuplist-98.html

[Acronis True Image]
Confirmed=Y
Filename=TimounterMonitor.exe
Description=Part of  <a href="http://www.acronis.com/homecomputing/products/trueimage" target=_blank>Acronis_True_Image</a>  backup software. Monitor for the backup archive explorer for moving and viewing files within an archive

Source=http://www.castlecops.com/startuplist-14821.html

[Acronis True Image Monitor]
Confirmed=N
Filename=TrueImageMonitor.exe
Description=Part of http://www.acronis.com/homecomputing/products/trueimage/ Acronis True Image - backup software. Can be disabled without affecting TrueImage

Source=http://www.castlecops.com/startuplist-7170.html

[Acronis TrueImage Monitor]
Confirmed=N
Filename=TrueImageMonitor.exe
Description=Part of http://www.acronis.com/homecomputing/products/trueimage/ Acronis True Image - backup software. Can be disabled without affecting TrueImage

Source=http://www.castlecops.com/startuplist-99.html

[AcronisTimounterMonitor]
Confirmed=U
Filename=TimounterMonitor.exe
Description=Related to  <a href="http://www.acronis.com/" target=_blank>Acronis_TrueImage</a> a backup utility by Acronis. <font color=red>Note:</font> Located in C:\Program Files\Acronis\TrueImageHome\
Source=http://www.castlecops.com/startuplist-14242.html

[AcronisTrueImage Monitor]
Confirmed=N
Filename=TrueImageMonitor.exe
Description=Part of http://www.acronis.com/homecomputing/products/trueimage/ Acronis True Image - backup software. Can be disabled without affecting TrueImage

Source=http://www.castlecops.com/startuplist-7171.html

[Act! Preloader]
Confirmed=U
Filename=Act8.exe
Description=Sage Software's http://www.act.com/products/index.cfm ACT! "enables individuals and small business customers to instantly access key contact and customer information, manage and prioritize activities, and track all contact-related communications so you can grow productive business relationships"

Source=http://www.castlecops.com/startuplist-14147.html

[Action Manager 32]
Confirmed=N
Filename=am32.exe
Description=Associated with a Plustech scanner. Small utility that runs in the background for doing fax/copy/etc. Available via Start -> Programs
Source=http://www.castlecops.com/startuplist-100.html

[ActionAgent]
Confirmed=?
Filename=actionagent.exe
Description="A COM server that runs on the client as part of the Dell OpenManage Client Instrumentation 6.x package; provides a simple method for a remote administrator to perform actions on the instrumented client". <font color="#FF0000">Is it required?</font>
Source=http://www.castlecops.com/startuplist-101.html

[Activation]
Confirmed=N
Filename=Activation.exe
Description=Part of Microsoft Money
Source=http://www.castlecops.com/startuplist-102.html

[Activboard]
Confirmed=U
Filename=MMKeybd.exe
Description=Packard Bell ActiveBoard keyboard - multimedia keyboard manager. Required if you use the additional keys and want to see the status of the Num Lock, Caps Lock, Scroll Lock keys
Source=http://www.castlecops.com/startuplist-103.html

[Active Bit Station]
Confirmed=X
Filename=abs.exe
Description=Added by the  <a href="http://www.symantec.com/avcenter/venc/data/w32.mytob.bz@mm.html" target=_blank>W32.MYTOB.BZ</a> WORM!
Source=http://www.castlecops.com/startuplist-8622.html

[Active CPU]
Confirmed=N
Filename=acpu.exe
Description=Related to  <a href="http://www.devicelock.com/freeware.html" target=_blank>Active_CPU</a> from DeviceLock, Inc. A tool that enables you to watch a graphical representation of your CPU's activity. <font color=red>Note:</font> Located in \%Program Files%\Active CPU\
Source=http://www.castlecops.com/startuplist-16760.html

[Active Desktop Calendar]
Confirmed=N
Filename=ADC.EXE
Description=XemiComputers <a target="_blank" href="http://www.xemico.com/adc/index.html">Active Desktop Calendar</a>
Source=http://www.castlecops.com/startuplist-4564.html

[Active Email Monitor]
Confirmed=U
Filename=aem25.exe
Description= <a href="http://www.vicman.net/emailmon/" target=_blank>Active_Email_Monitor</a> checks multiple accounts for email,  serves as a SPAM filter and can also protect you from harmful items that can be sent via email.

Source=http://www.castlecops.com/startuplist-10523.html

[Active shield]
Confirmed=U
Filename=Activeshield.exe
Description= <a href="http://www.securitystronghold.com/" target=_blank>Active_Shield</a> is "an heuristic screen that actively protects your computer from trojans, spyware, adware, trackware, dialers, keyloggers, and even some special kinds of viruses["

Source=http://www.castlecops.com/startuplist-6806.html

[ActiveDesktop]
Confirmed=X
Filename=systray32.exe
Description=Added as a result of the <a href="http://www.symantec.com/avcenter/venc/data/w32.hllw.daboom@mm.html" target="_blank">DABOOM</a> VIRUS!
Source=http://www.castlecops.com/startuplist-104.html

[ACTIVEDS]
Confirmed=X
Filename=ACTIVEDS.EXE
Description=Added as a result of the <a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASERV.T" target="_blank">OPASERV.T</a> VIRUS!
Source=http://www.castlecops.com/startuplist-105.html

[ActiveEyes]
Confirmed=N
Filename=ActiveEyes.exe
Description=<a href="http://www.tfi-technology.com/products.htm#ActiveEyes" target="_blank">ActiveEyes</a> from TFI Technology
Source=http://www.castlecops.com/startuplist-106.html

[ActiveKeys.********************]
Confirmed=U
Filename=akeys.exe
Description=Part of  <a href="http://softarium.com/activekeys/" target=_blank>activekeys</a>
Source=http://www.castlecops.com/startuplist-14429.html

[ActiveMenu]
Confirmed=U
Filename=ActiveMenu.exe
Description=Wild Tangent demo games that come with some HP computers. Unchecking it can prevent the games from running occasionally. Note that WildTanget's privacy policy used to state that they also collect and share individuals information but this is no longer the case
Source=http://www.castlecops.com/startuplist-107.html

[ActivePlus]
Confirmed=U
Filename=activeplus.exe
Description=<a href="http://hot.activebuddy.com/catalog/" target="_blank">Interactive Agents Plugin</a> for <a href="http://www.patchou.com/msgplus/" target="_blank">Messenger Plus!</a> (MSN Messenger add-on)
Source=http://www.castlecops.com/startuplist-108.html

[ActiveScan Antivirus]
Confirmed=X
Filename=ActiveScan.exe
Description=Added by the  <a href="http://www.sophos.com/security/analyses/w32rbotfkq.html" target=_blank>W32/Rbot-FKQ</a> WORM! <font color=red>Note:</font> This worm\trojan is located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K)
Source=http://www.castlecops.com/startuplist-13280.html

[ActiveScript32]
Confirmed=X
Filename=nod.exe
Description=Added by the  <a href="http://www.sophos.com/security/analyses/w32sohanaaj.html" target=_blank>W32/Sohana-AJ</a> WORM! <font color=red>Note:</font> Located in \%WINDIR%\System32\
Source=http://www.castlecops.com/startuplist-15694.html

[ActiveShield]
Confirmed=Y
Filename=MCVSSHLD.EXE
Description=McAfee VirusScan On-line. See also McAgentExe entry.
Source=http://www.castlecops.com/startuplist-109.html

[ActiveSpeed]
Confirmed=U
Filename=AS.exe
Description=Ascentive  <a href="http://www.barelyaverage.com/portfolio/html_emails/ascentive/activespeed_biplane/biplane_anim.html" target=_blank>ActiveSpeed</a> Internet Optimizer
Source=http://www.castlecops.com/startuplist-8934.html

[ActiveSync]
Confirmed=X
Filename=wcescom32.exe
Description= <a href="http://www.sophos.com/security/analyses/trojmancsyne.html" target=_blank>Troj/MancSyn-E</a> <font color=red>Read the link, allows remote access</font>
Source=http://www.castlecops.com/startuplist-14271.html

[ActiveWords]
Confirmed=U
Filename=AWMonitor.exe
Description=Related to  <a href="http://www.activewords.com" target=_blank>ActiveWords</a> from ActiveWord Systems, Inc. Like macro programs, ActiveWords sits in the background and watches as you type. When it recognizes that you’ve typed an ActiveWord, it takes the associated action, such as replacing your keystrokes with the text you’ve defined. <font color=red>Note</font>: located in C:\Program Files\ActiveWords\
Source=http://www.castlecops.com/startuplist-12940.html

[ActiveX Streamer]
Confirmed=X
Filename=msgfix.exe
Description=Added by the  <a href="http://ae.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_SDBOT.NQ" target=_blank>SDBOT.NQ</a> WORM!
Source=http://www.castlecops.com/startuplist-10532.html

[ActiveXUpdate]
Confirmed=X
Filename=svcss.exe
Description=Added by a variant of the  <a href="http://www.sophos.com/virusinfo/analyses/trojdedlerc.html" target=_blank>DEDLER.C</a> TROJAN!
Source=http://www.castlecops.com/startuplist-7875.html

[activity.exe]
Confirmed=X
Filename=actik.exe
Description= <a href="http://www.symantec.com/avcenter/venc/data/spyware.activitykey.html" target=_blank>ActivityKey</a>  Keystroke logger/monitoring program. <font color=red>Read the link, keylogger/password stealing trojan(s) involved.</font>
Source=http://www.castlecops.com/startuplist-8815.html

[ActivSurf]
Confirmed=N
Filename=backweb*****.exe
Description=Packard Bell ActivSurf - automatically detects an internet connection and downloads any available updates
Source=http://www.castlecops.com/startuplist-110.html

[ActMaker]
Confirmed=U
Filename=ActMaker25.exe
Description=The  <a href="http://www.789987.com/products.htm" target=_blank>ActMaker</a> mouse and keyboard toolkit can record the daily operation of your computer and reduce your workload. <font color=red>Read the link, keylogger/password stealing trojan(s) involved.</font>
Source=http://www.castlecops.com/startuplist-6340.html

[ACTray]
Confirmed=N
Filename=ACTray.exe
Description=Related to  <a href="http://www.exedb.com/actray.html" target=_blank>ThinkVantage_Access</a> Connections Status Icon. This program is not important for your system process, but should not be terminated unless suspected to be causing problems. <font color=red>Note:</font> Located in C:\Program Files\ThinkPad\ConnectUtilities\
Source=http://www.castlecops.com/startuplist-13008.html

[Actual Window Minimizer]
Confirmed=U
Filename=ActualWindowMinimizerCenter.exe
Description=Related to  <a href="http://www.actualtools.com/windowminimizer/" target=_blank>Actual_Window_Minimizer</a> allows minimizing any window to task tray notification area or to the edge of the screen. <font color=red>Note</font>: located in C:\Program Files\Actual Window Minimizer\
Source=http://www.castlecops.com/startuplist-12851.html

[ACTX1]
Confirmed=X
Filename=v1201.exe
Description=Added by  <a href="http://www.pestpatrol.com/spywarecenter/pest.aspx?id=453097395" target=_blank>Trojan-Clicker.Win32.VB.is</a>
 TROJAN! Note: This trojan has been found in System\System32 and Winnt\Windows directories. 

Source=http://www.castlecops.com/startuplist-13054.html

[ACU]
Confirmed=U
Filename=ACU.exe
Description= <a href="http://www.nus.edu.sg/winzone/atheros/" target=_blank>Atheros</a> wireless Client Utility For HP Compaq
Source=http://www.castlecops.com/startuplist-6738.html

[ACU_QSB]
Confirmed=U
Filename=ACU.exe
Description= <a href="http://www.nus.edu.sg/winzone/atheros/" target=_blank>Atheros</a> wireless Client Utility For HP Compaq
Source=http://www.castlecops.com/startuplist-11278.html

[ACWLIcon]
Confirmed=U
Filename=ACWLIcon.exe
Description=Related to IBM ThinkVantage Connectivity Solution.
Source=http://www.castlecops.com/startuplist-12721.html

[Ad Blocker]
Confirmed=U
Filename=blocker.exe
Description=<a href="http://www.cdkm.com/" target="_blank">Ad Blocker</a> - blocks popups, and also removes banners, image ads and flash ads
Source=http://www.castlecops.com/startuplist-111.html

[Ad Blocker Pro]
Confirmed=U
Filename=Ad Blocker Pro.exe
Description="Ad Away"  popup and banner remover
Source=http://www.castlecops.com/startuplist-5945.html

[Ad Muncher]
Confirmed=U
Filename=AdMunch.exe
Description=Ad  <a href="http://www.admuncher.com/" target=_blank>Muncher</a> removes adverts, pop-ups and general annoyances in your browser, file-sharing and
messenger programs. Causes conflicts with Outlook, game sites and web-building applications
Source=http://www.castlecops.com/startuplist-7172.html

[Ad Online Guide]
Confirmed=?
Filename=adonlineguide.exe
Description=<font color="#FF00