| www.solveithere.com | Start up list | | |
| Status | Name/Startup Item | Command | Comments |
| U | 0 | pit.exe | PrivateEye surveillance software. Uninstall this software unless you put it there yourself |
| N | 1:00 | hpdrv.exe | HP utility for monitoring when and how many recoveries have been done |
| X | 1 | 1.exe | Added by the ESTEEMS TROJAN! |
| X | 1 | lsass.scr | Added by the BANCOS.V TROJAN! |
| X | 1 | svchost.scr | Added by the BANCOS.X TROJAN! |
| X | 27 | csrss32.exe | Added by the SLSORVE-D TROJAN! |
| X | 27 | msm32.exe | Added by the SLSORVE-E TROJAN! |
| X | 27 | slsorve.exe | Added by the SLSORVE-A TROJAN! |
| X | 252 | winmgr.exe | Added by the LEGMIR-AT TROJAN! |
| X | 333 | svchost.exe | Added by the JD-A TROJAN! Note - this is not the legitimate svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This one is located in a "Syswm1i" directory |
| X | 666 | Ska.exe | Added by the PIPES TROJAN! |
| X | 678 | lsas32.exe | Added by the SLSORVE-B TROJAN! |
| X | 55278 | grepclient1.exe | Added by the LINEAGE-S TROJAN! |
| X | 123456 | rundll32.exe shell32.dll, Control_RunDLL ...123456.cpl | Added by the KITRO.C (or DANDI.A) WORM! 123456 can be any random 3 to 6 digit number |
| X | 456655 | explorer.exe | Added by the BIFROSE-DE TROJAN! Note - the legitimate Windows Explorer (explorer.exe) is located in the Windows or Winnt folder and would not normally appear in Msconfig/Startup unless you added it manually! This one is located in the System folder |
| Y | !1_pgaccount | pgaccount.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. You will see one instance of pgaccount.exe for every active account on your system, and this is essential for PG to work properly |
| Y | !1_ProcessGuard_Startup | procguard.exe | DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks |
| U | !AVG Anti-Spyware | avgas.exe | Part of AVG Anti-Spyware from Grisoft |
| U | !ewido | ewido.exe | Part of Ewido anti-spyware |
| N | !NoLoad | winrecon.exe | WinRecon keystroke logger/monitoring program - remove unless you installed it yourself! |
| ? | $EnterNet | Enternet.exe | Connection manager for the EnterNet ISP. You can also use RASPPOE |
| X | $sys$cmp | $sys$xp.exe | Added by the RYKNOS.B TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer |
| X | $sys$crash | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$crash | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$crash | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$drv | $sys$drv.exe | Added by the RYKNOS TROJAN! Attempts to utilize the Sony Rootkit A.K.A. SecurityRisk.First4DRM security risk to hide itself on the compromised computer |
| X | $sys$momomomochin | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$momomomochin | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$momomomochin | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$umaiyo | $sys$sonyTimer.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$umaiyo | $sys$sos$sys$.exe | Added by the WELOMOCH TROJAN! |
| X | $sys$umaiyo | $sys$WeLoveMcCOL.exe | Added by the WELOMOCH TROJAN! |
| U | $Volumouse$ | volumouse.exe | Volumouse from Nirsoft. "Provides you a quick and easy way to control the sound volume on your system - simply by rolling the wheel of your wheel mouse" |
| X | $WindowsRegKey%update | IEXPLORE.EXE | Added by the RBOT-EZ WORM! Note - this is not the legitimate Internet Explorer iexplore.exe process which is always located in the Program Files\Internet Explorer folder and should not normally figure in Msconfig/Startup! This file is located in the System (9x/Me) or System32 (NT/2K/XP) folder |
| N | %cmpmixtitle% | %cmpmixstr% | Possibly related to C-Media Mixer Control panel? |
| N | %FP%012-L2TP fts.exe | fts.exe | 012.Net.il Israeli ISP software front-end |
| U | %FP%012-L2TP FWPortal.exe | FWPortal.exe | 012.Net.il Israeli ISP dial-up software |
| N | %FP%1776 Internet fts.exe | fts.exe | 1776 Internet US ISP software front-end |
| U | %FP%1776 Internet FWPortal.exe | FWPortal.exe | 1776 Internet US ISP dial-up software |
| N | %FP%Barak013 fts.exe | fts.exe | Barak013 Israeli ISP software front-end |
| U | %FP%Barak013 FWPortal.exe | FWPortal.exe | Barak013 Israeli ISP dial-up software |
| N | %FP%Friendly fts.exe | fts.exe | Friendly ISP software front-end |
| X | (*)API Machine | winSOCKS.exe | Homepage hijacker (* = any digit) |
| X | (*)Run | win32API.exe | Homepage hijacker (* = any digit) |
| X | (default) | [random filename].exe | Added by the BLACKMAL WORM! |
| X | (default) | rundll32.exe [path] Zykheptd.dll | Added by the HESIVE.B TROJAN! |
| X | (L4r1$$4) (4nt1) (V1ruz) | SP00Lsv32.pif | Added by the ASSIRAL.B WORM! |
| X | *JanisRuckenbrodII | janis.com | Added by the POPS WORM! |
| X | *Microsoft Update | ctxma.exe | Added by the STMU TROJAN! |
| X | *Microsoft Update | cxma.exe | Added by the STMU TROJAN! |
| X | *Microsoft Update | wstcl.exe | Added by the STMU TROJAN! |
| X | *Microsoft Update | wucxt.exe | Added by the STMU TROJAN! |
| X | *Microsoft Update | wuytc.exe | Added by the STMU TROJAN! |
| X | *MS Setup | [random filename] | Virtumondo adware, also known as the VUNDO TROJAN! |
| X | *Security Center | secctr.exe | Added by the SDBOT.BRO WORM! |
| Y | *StateMgr | statemgr.exe | Windows ME default for System Restore. Do NOT disable! |
| X | *Windows [filename] Checker | [filename] | Added by the KEDEBE-B WORM! |
| X | *windows update | waurclt.exe | Added by a variant of the RBOT WORM! |
| X | *windows update | wkmst.exe | Added by the SDBOT.AVD WORM! |
| X | *windows update | wrauclt.exe | Added by the RBOT-QU WORM! |
| X | *windows update | wsctl.exe | Added by the SPYBOT.PR WORM! |
| X | *windows update | wscxt.exe | Added by the RBOT.AOS WORM! |
| X | *windows update | wuanclt.exe | Added by the RBOT-PG WORM! |
| X | *windows update | wuaucrlt.exe | Added by the SPYBOT.HUR WORM! |
| X | *windows update | wuraclt.exe | Added by the RBOT-PO WORM! |
| X | *windows update | wurauclt.exe | Added by the RBOT-SY WORM! |
| X | *WindowsAudio | systemupd.exe | Added by the AGENT-TH WORM! |
| X | *WinLogon | [trojan path] ren time:[random number] | Added by the VUNDO TROJAN! |
| X | *winstats | winstats.exe | Added by the GARGAFX TROJAN! |
| X | *wuauclt.exe | w****.exe [* = random char] | Added by a variant of the RBOT-UG WORM! Note - * in the filename represents a random char; variants spotted: wxmct.exe, wtmsv.exe, wxmst.exe, wmsvc.exe and so on... |
| X | ,main drive Loader | wininfo.exe | Suspected malware as it appears in 3 different registry locations |
| X | .. | ABC2007.exe | Added by the DLOADR-ASH TROJAN! |
| X | .mscdr | lassa.exe | Added by the WEBUS.C TROJAN! |
| X | .mscdr | lsvchost.exe | Added by the WEBUS.D TROJAN! |
| X | .mscdsr | lsvchost.exe | Added by the CR TROJAN! |
| X | .mscsbl | svhost.exe | Added by the CMQ TROJAN! |
| X | .msfupdate | msveup.exe | Added by the ALLOCUP.A WORM! |
| X | .mssecure | mssecure.exe | Added by the DDOS_BOXED.X TROJAN! |
| ? | .NET config | sysmon32.exe | ?? |
| X | .norton | rchost.exe | Added by a variant of the BOXED-A TROJAN! |
| X | .nvsvc | smss.exe | Added by the IRCBOT-FP TROJAN! Note - this is not the legitimate smss.exe process which should not normally figure in Msconfig/Startup! |
| X | .nvsvcb | smssb.exe | Added by the BOXED.CG TROJAN! |
| X | .Prog | services.exe | Added by the NEVEG.B or NEVEG.C WORMS! Note - this is not the legitimate services.exe process, which should not appear in Msconfig/Startup! |
| X | .Prog | winlogon.exe | Added by the NEVEG.A WORM! Note - this is not the legitimate winlogon.exe process, which should not appear in Msconfig/Startup! |
| X | .protected | N/A | Smitfraud variant |
| X | .svchost | CSRSS.EXE | Added by the WEBUS.F TROJAN! Note - this is not the legitimate csrss.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the System folder |
| X | .TEXTCONV | csrss.exe | Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process, which should not appear in Msconfig/Startup! |
| X | .TEXTCONV | lsass.exe | Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the System folder |
| X | .WMAudio | csrss.exe | Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process, which should not appear in Msconfig/Startup! |
| X | .WMAudio | lsass.exe | Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the System folder |
| N | /l:eng | N/A | Related to the Dell OEM version of the Sound Blaster Audigy 2 sound card. If this item is listed and checked in startup, the System32 Folder will appear on every startup. A patch is available - filename R75304.EXE - that fixes the issue. You can find that file at support.dell.com by typing that name in the 'Search' box available there. It addresses the root of the problem in Creative's software and corrects it. Unfortunately there is no direct link to the file, but it's easily available using the search function |
| X | ;Rundll | [filename] | Added by the PWSLEGMIR.E TROJAN! |
| X | ?ekio Startups | ?nksvc32.exe | Added by the AGOBOT-OV WORM where ? is a random character |
| X | @ | regedit -s ..win.dll | Added by the SEEKER.K TROJAN! |
| N | @Hoc Toolbar | AtHoc.exe | One-click activated browsing toolbar used by various web-sites |
| N | @loha | reminder.exe | Registration reminder for @loha@home E-mail utility |
| X | @tour_ww | @tour_ww[1].exe | Adult content dialler |
| X | [3-4 random letters] | nslookup.exe | PurityScan/Clickspring adware. Not to be confused with the legitimate nslookup.exe which is found in the System32 folder |
| X | [3-4 random letters]Srv32 | [path to file] | Added by the BANCSADE-A TROJAN! |
| X | [decimal number] | [path to worm] | Added by the OPOSSUM-A WORM! The decimal number can be anything, eg, 0.12345678 |
| X | [default] | DrWatson32.exe | Added by the DREMN TROJAN! |
| X | [Entry name] | System.exe | Added by the NETHIEF-N TROJAN! |
| X | [Ephemeral 2.5] by TreeHugger, | [path to worm] | Added by the LEMOOR-C WORM! |
| X | [Ephemeral 2.x] by TreeHugger, | [path to worm] | Added by the LEMOOR.A WORM! where "x" represents 3 or 4 |
| X | [executed file name] | App.exe | Added by the WAXPOW WORM! |
| X | [executed file name] | Regsrv32.com | Added by the SOUTHGHOST WORM! |
| X | [filename] | svchost.scr | Added by the BANKER-CC TROJAN! |
| X | [original filename] | svchost.scr | Added by the BANCBAN-CX TROJAN! |
| X | [original filename] | xphost.scr | Added by the BANCBAN-HM TROJAN! |
| X | [random 12 digit number] | admparse.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | advpack1.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | asferror.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | atitvo32.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | audiosrv.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | autodisc.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | avifile5.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | batmeter.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | bidispl2.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | bootvid2.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | bootvid4.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | browser8.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | cabview1.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | catsrvps.exe | Adsrv.com/IeDriver adware variant |
| X | [random 12 digit number] | cmpbk321.exe | Adsrv.com/IeDriver adware variant |
| X | [random characters] | rsbmsc.exe | Detected by AntiVir antivirus as the BDS/Agent.adt TROJAN! |
| X | [random characters] | securewinload32x.exe | Added by the OPTIXP-N TROJAN! Note - this trojan file is found in the System (9x/Me) or System32 (NT/2K/XP) folder. The file system32dir2a.exe will also be found in the same folder and should be deleted |
| X | [random filename] | slk8x2peu.exe | QuickLinks adware |
| X | [random name] | ??anregw.exe | PurityScan/Clickspring adware |
| X | [random name] | ??chost.exe | PurityScan/Clickspring adware |
| X | [random name] | ??erinit.exe | PurityScan/Clickspring adware |
| X | [random name] | ??ool32.exe | PurityScan/Clickspring adware |
| X | [random name] | ??oolsv.exe | PurityScan/Clickspring adware |
| X | [random name] | ??plorer.exe | PurityScan/Clickspring adware |
| X | [random name] | ??rss.exe | PurityScan/Clickspring adware |
| X | [random name] | ??rvices.exe | PurityScan/Clickspring adware |
| X | [random name] | ??xplore.exe | PurityScan/Clickspring adware |
| X | [random name] | ?hkdsk.exe | PurityScan/Clickspring adware |
| X | [random name] | ?hkntfs.exe | PurityScan/Clickspring adware |
| X | [random name] | ?ti2evxx.exe | PurityScan/Clickspring adware |
| X | [random name] | ?ttrib.exe | PurityScan/Clickspring adware |
| X | [random name] | [random name].dll | SearchNet adware |
| X | [random name] | charmapnt.exe | Added by the BANCOS-DR TROJAN! |
| X | [random name] | chkdsk.exe | PurityScan/Clickspring adware. Unlike this file, the legitimate Windows chkdsk.exe will in Windows XP/2K/NT always be located in the Winnt\System32 or Windows\System32 folder, and ought moreover NOT to figure among the startups! |
| X | [random name] | CXTPLS_LOADER.EXE | AproposMedia adware |
| X | [random name] | d?dplay.exe | PurityScan/Clickspring adware |
| X | [random name] | d?xplore.exe | PurityScan/Clickspring adware |
| X | [random name] | dvdplay.exe | PurityScan/Clickspring adware |
| X | [random name] | iexpl0ra.exe | Added by the ULPM.BD TROJAN! |
| X | [random name] | j?vaw.exe | PurityScan/Clickspring adware |
| X | [random name] | l?ass.exe | PurityScan/Clickspring adware |
| X | [random name] | l?gonui.exe | PurityScan/Clickspring adware |
| X | [random name] | m?config.exe | PurityScan/Clickspring adware |
| X | [random name] | m?dtc.exe | PurityScan/Clickspring adware |
| X | [random name] | m?iexec.exe | PurityScan/Clickspring adware |
| X | [random name] | n?lookup.exe | PurityScan/Clickspring adware |
| X | [random name] | n?pdb.exe | PurityScan/Clickspring adware |
| X | [random name] | n?tdde.exe | PurityScan/Clickspring adware |
| X | [random name] | n?tepad.exe | PurityScan/Clickspring adware |
| X | [random name] | ping.exe | PurityScan/Clickspring adware. Note - do not confuse with the Microsoft utility of the same name |
| X | [random name] | r?gedit.exe | PurityScan/Clickspring adware |
| X | [random name] | r?gsvr32.exe | PurityScan/Clickspring adware |
| X | [random name] | r?ndll.exe | PurityScan/Clickspring adware |
| X | [random name] | r?ndll32.exe | PurityScan/Clickspring adware |
| X | [random name] | rundl13a.exe | Added by the GAMPASS-L TROJAN! |
| X | [random name] | scanregw.exe | PurityScan/Clickspring adware |
| X | [random name] | se?vices.exe | PurityScan/Clickspring adware |
| X | [random name] | Servere.exe | Added by the LEGMIR-AQM TROJAN! |
| X | [random name] | spoolsv.exe | PurityScan/Clickspring adware. Do not confuse with the legitimate Microsoft Printer Spooler Service (spoolsv.exe) |
| X | [random name] | svchost.exe | Added by the BANCBAN-JC TROJAN! Note - this is not the legitimate svchost.exe process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in a "config" subfolder of the Winnt or Windows folder |
| X | [random name] | Svchosts.exe | Added by the SDBOT.N TROJAN! |
| X | [random name] | t?skmgr.exe | PurityScan/Clickspring adware |
| X | [random name] | w?aclt.exe | PurityScan/Clickspring adware |
| X | [random name] | w?auboot.exe | PurityScan/Clickspring adware |
| X | [random name] | w?auclt.exe | PurityScan/Clickspring adware |
| X | [random name] | w?crtupd.exe | PurityScan/Clickspring adware |
| X | [random name] | w?nlogon.exe | PurityScan/Clickspring adware |
| X | [random name] | w?nspool.exe | PurityScan/Clickspring adware |
| X | [random name] | w?nword.exe | PurityScan/Clickspring adware |
| X | [random name] | w?wexec.exe | PurityScan/Clickspring adware |
| X | [random name] | wincpu.exe | Added by an unidentified VIRUS, WORM or TROJAN! |
| X | [random name] | wuauboot.exe | PurityScan/Clickspring adware. Note - do not confuse with the legitimate wuauboot.exe file, which should not figure in Msconfig/Startup! |
| X | [random name] | wucrtupd.exe | PurityScan/Clickspring adware. Do not confuse with the legitimate Windows Critical Update Notification (wucrtupd.exe) |
| X | [random names] | eee2.exe | MediaMotor adware |
| X | [random number] | explorer.exe | Added by the KEYLOG-AN TROJAN! Note - the legitimate Windows Explorer (explorer.exe) is located in the Windows or Winnt folder and would not normally appear in Msconfig/Startup unless you added it manually! This one copies itself under 9 additional file names in the System (9x/Me) or System32 (NT/2K/XP) folder |
| X | [random] | lsass.scr | Added by the BANCBAN-CW TROJAN! |
| X | [random] | svchost.scr | Added by the BANCBAN-CY TROJAN! |
| X | [Randomly chosen existing folder name] | _autorun.exe | Added by the ANTINNY-L WORM! |
| X | [Randomly chosen existing folder name] | _cfg.exe | Added by the ANTINNY-L WORM! |
| X | [Randomly chosen existing folder name] | _config.exe | Added by the ANTINNY-L WORM! |
| X | [Randomly chosen existing folder name] | _env.exe | Added by the ANTINNY-L WORM! |
| X | [Randomly chosen existing folder name] | _loader.exe | Added by the ANTINNY-L WORM! |
| X | [Randomly chosen existing folder name] | _login.exe | Added by the ANTINNY-L WORM! |
| X | [Randomly chosen existing folder name] | _setup.exe | Added by the ANTINNY-L WORM! |
| X | [Randomly chosen existing folder name] | _start.exe | Added by the ANTINNY-L WORM! |
| X | [trojan filename] | Install.exe | Added by the BANCBAN-FS TROJAN! |
| X | [trojan name] | svchost.exe | Added by the BANCBAN-CL TROJAN! Note - this is not the legitimate svchost.exe process which should not normally figure in Msconfig/Startup! |
| X | [username] config | [path to trojan] | Added by the MOSUCK-H TROJAN! |
| X | [various filenames] | qtsks.exe | Added by the WEBDOR.Y TROJAN |
| X | [various names] | _ctcp.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | 10010.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | 321102.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | 34763.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | 80d0.exe | MediaMotor adware |
| X | [various names] | ABCXYZ.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | abrek.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | ActionScr.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | AliceSD.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | AppMasterCenter.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | atl_helper.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | ATLIEHELPER.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | avpmondll.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | awinrar.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | backd.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | backorif.exe | Added by a NTROOTKIT TROJAN variant! |
| X | [various names] | backorif.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | barint.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | bhoserv.exe | Added by a NTROOTKIT TROJAN variant! |
| X | [various names] | bhoserv.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | bingo9.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | bling.exe | Added by the RBOT-NI WORM! |
| X | [various names] | bnui.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | Bogobot.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | borlandg.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | BoundRec.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | br0ken.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | Brong32.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | clamav.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | cmon14.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | cnftips.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | control64.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | corrida.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | crsrs.exe | Added by the FORBOT-AK WORM! |
| X | [various names] | CToolBar.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | DCC_send.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | defect08.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | dePloy.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | Dest068.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | dialer423.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | diskserv.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | driver32.exe | Added by a variant of the SDBOT WORM! |
| X | [various names] | driver64.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | dstart2.exe | Adware - recognized by Kaspersky antivirus as Trojan-Downloader.Small.alw |
| X | [various names] | DTOURS.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | elf.exe | Elf is a hacker program, tied to a trojan server |
| X | [various names] | ERTYDF.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | ExchangeMaster.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | EXE32EXE.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | exe81.exe | MediaMotor adware |
| X | [various names] | exe82.exe | MediaMotor adware |
| X | [various names] | expoler.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | FLKPT.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | forces_elite.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | ftbar.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | gabber.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | hyandex.exe | Added by a NTROOTKIT TROJAN variant! |
| X | [various names] | hyandex.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | iehelper.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | iesetupdll.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | init32.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | InpriseMon.exe | Wareout - malware masquerading as a spyware and dialer remover |
| X | [various names] | install2.exe | |