Free Download Powerdvd Se Dvd Decoder Xp Free

19.07.2019

Index

Introduction

Database

Detailed Entries

Updates

Concise List

HJT Forums

Rogues

Message Board

Free Download Powerdvd Se Dvd Decoder Xp Free Download

Oct 11, 2017. An Overview of Cyberlink PowerDVD; How to Download and Install Cyberlink PowerDVD; Update to the latest version of Cyberlink PowerDVD. Supports H.265/HEVC video codec and ALAC (Apple lossless) audio playback. Once you are in the Cyberlink website, click on Download Free Update.

Windows startup programs - Database search

If you're frustrated with the time it takes your Windows 10/8/7/Vista/XP PC to boot and then it seems to be running slowly you may have too many programs running at start-up - and you have come to the right place to identify them. This is the original start-up programs (as opposed to processes/tasks) list - one of the most accurate and comprehensive. Services are not included - see below. For further information on this and how to identify and disable start-up programs please visit the Introduction page.

See here for further information on random entries - which are typically added by viruses and other malware or unwanted programs.

Last database update :- 28th June, 2019
53684 listed

You can search for any of the following terms to find and display entries in the start-up programs database but the minimum search is 3 characters and you must click on the 'Search' button. Results are sorted by the Startup Item/Name field.

From Windows 10/8 Task Manager (CTRL+SHIFT+ESC → Startup): Name, Command (Note - right-click on any column heading and ensure 'Command' is ticked)
From MSConfig (Start → Run → msconfig → Startup): Startup Item, Command
From Registry Editor (Start → Run → regedit): Name, Data
From SysInternals free AutoRuns utility: AutoRun Entry, Filename from 'Image Path'
From Windows Defender for XP/Vista (Tools → Software Explorer): Display Name, Filename
O4 entries from HijackThis or similar logging utilities: Text highlighted here - [this text] or here - 'Startup: this text.lnk', Filename
Any other text

Alternatively, you can browse the full database (without the search facility) over a number of pages or you can use the alphabetical index below to list the entries for that letter by the Command/Data field, but the results may take longer to appear due to the number of them:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

NOTE: Searching for common words (i.e. 'the' or 'where') will mean the results take longer to appear due to the number of them.

Please click on the Search buttonSilent wav file for 1 second download chromebook.

2448 results found for R

Startup Item or Name	Status	Command or Data	Description	Tested
Google Chrome	X	r.exe	Detected by Malwarebytes as Trojan.Agent.CHR. The file is located in %AppData%Gooogle Chrome	No
L	X	R.exe	Detected by Malwarebytes as Rogue.TechSupportScam. The file is located in %ProgramFiles%Power Update - removal instructions here	No
Microsofht	X	r.vbs	Detected by Malwarebytes as Spyware.Agent.E. The file is located in %CommonAppData%MICRO	No
update	X	r00t.exe	Detected by Sophos as W32/Rbot-ACO	No
AdobeMaster	X	r32nt.exe	Detected by Kaspersky as Trojan.Win32.Agent.dple and by Malwarebytes as Backdoor.Agent.E. The file is located in %Windir%Driver Cachei386	No
MSFTP Service Config	X	r3grun.exe	Detected by Trend Micro as WORM_RBOT.CVI	No
Fellowes Proxy	U	r3proxy.exe	Installed with Fellowes EasyPoint mouse software. Not necessary for normal functioning of Fellowes mice but it is necessary to use the extended features of all Fellowes mice	No
Java234	X	R8YRU5VA86.exe	Detected by Dr.Web as Trojan.Inject.51371	No
f~a	X	ra32.exe	Detected by McAfee as BackDoor-CAY	No
[random]	X	RA4W VPN.exe	Detected by Malwarebytes as Backdoor.Agent.RV. The file is located in %AppData%Microsoft	No
RA4WVPN	X	RA4W VPN.exe	Detected by McAfee as RDN/Generic BackDoor!bbm and by Malwarebytes as Backdoor.Agent.RV	No
WebExRemoteAccessAgent	U	raagtapp.exe	Related to Web Meetings from WebEx Communications, Inc. Share and present online with anyone, anywhere	No
RabbitWannaHome	X	rabbit.exe	Detected by Symantec as W32.Mimail.S@mm	No
Rabo Session Monitor	Y	RaboSessionMon.exe	Related to RaboBank electronic banking software	No
Rapdatae	X	rabseuser.exe	Detected by Sophos as Troj/QQPass-S	No
Racl	X	RaclSvc.exe	Detected by McAfee as Generic.tfr and by Malwarebytes as Adware.K.RightClick	No
Ralink Wireless Utility	N	RaConfig2500.exe	RaLink (now MediaTek) wireless LAN configuration utility	No
RaConfig2500	N	RaConfig2500.exe	RaLink (now MediaTek) wireless LAN configuration utility	No
RaConfig2500.EXE	N	RaConfig2500.exe	RaLink (now MediaTek) wireless LAN configuration utility	No
RacTary.exe	X	RacTary.exe	Detected by Sophos as W32/MoFei-Y	No
Radar	X	Radar.exe	Detected by McAfee as RDN/Generic Dropper!tx and by Malwarebytes as Trojan.Agent.STI	No
RadarSync	N	RadarSync.exe	RadarSync utility included with some DFI motherboards (such as the DFI LanParty Ultra) which checks for BIOS and driver updates periodically	No
RadBoot	U	RadBoot.exe	RadLinker - tweaker/linker for ATI Radeon based graphics cards. It allows you easy access to per game settings	No
Catalyst	X	RadDriver.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %Temp%	No
Intel Radeon Corp	X	radeon.cpl	Detected by McAfee as RDN/Generic Downloader.x!lg and by Malwarebytes as Trojan.Banker.Gen	No
Intel Radeon32 Corp	X	radeon.cpl	Detected by McAfee as RDN/Generic Downloader.x!lg and by Malwarebytes as Trojan.Banker.Gen	No
RadialpointServicepoint.exe	Y	RadialpointServicepoint.exe	Servicepoint tool installed when you install internet security suitea sourced by Radialpoint. Apart from downloading the suite installation files, the exact purpose is unknown at this time but it may be used to source critical updates and alerts so should therefore be left enabled	No
Radio Manager	U	Radio Manager.exe	Part of the MSI System Control Manager graphical utility for some of their laptops - enables/disables the Wi-Fi and Bluetooth modules	No
Radio online	U	radio online.exe	Radio Online by Nend Software - 'is very nice Radio/TV/MP3/WMA player with many options. Everything works with an icon in your systray (right bottom icon next to your clock)'	No
Radio365Agent	U	Radio365TrayAgent.exe	Radio365 - create playlists and broadcast live straight from your PC!	No
RDSound	X	RadioFM.exe	Detected by McAfee as Generic.tfr!q and by Malwarebytes as Trojan.Banker	No
Radio	X	Radiologue.exe	Detected by Malwarebytes as Backdoor.Imminent.E. The file is located in %AppData%Radio	No
ProjetoUnico	X	radlab.exe	Detected by Dr.Web as Trojan.PWS.Banker1.11528 and by Malwarebytes as Spyware.Banker	No
newageishere	X	radnewage.exe newradage.tnt	Detected by Malwarebytes as Trojan.Agent.PrxySvrRST. Both files are located in %Root%newcpuspeed	No
Microsoft	X	radnom.exe	Detected by Sophos as W32/Rbot-GHO and by Malwarebytes as Trojan.Agent.MSGen	No
Chrome	X	rads.exe	Detected by Malwarebytes as Backdoor.Agent.E. The file is located in %UserTemp%	No
WINDOWSUPDSX32	X	rafyvyhy.exe	Detected by McAfee as RDN/Generic.dx!czt and by Malwarebytes as Trojan.Agent.RNS	No
Windows Update	X	rage.exe	Detected by Malwarebytes as Backdoor.Eragbot. The file is located in %CommonFiles%System	No
OrigRage128Tweaker	U	RAGE128TWEAK.EXE	Third party tweaker for ATI Rage 128 Video cards	No
RagesCamera	X	Ragesn.exe	Detected by Trend Micro as WORM_SDBOT.AHJ	No
LogMeIn GUI	U	ragui.exe	LogMeIn remote access and management software which allows you to connect to a computer or device at any time, from anywhere there is an Internet connection and configure, monitor, diagnose and support multiple remote computers	No
RemotelyAnywhere GUI	U	ragui.exe	RemotelyAnywhere by LogMeIn, Inc - 'Experience fast, secure system administration from anywhere. RemotelyAnywhere offers industry-leading security and performance for remote administration'	No
Desktop Authority GUI	U	ragui.exe	Desktop Authority by Quest Software (was ScriptLogic) - remote access and management software which allows you to 'proactively target, secure, manage and support desktops from a central location.' No longer available	No
System RAID Manager	X	raid64.exe	Detected by Sophos as Troj/Agent-NNZ	No
RaidCall	N	raidcall.exe	'RaidCall is a free, elegant and simple tool that allows you to instantly communicate with groups of people. It brings together elements of instant messaging, group communication and voice chat into a professional group communication software'	No
raidhost	X	raidhost.exe	Detected by Sophos as Troj/Agent-LID and by Malwarebytes as Trojan.Agent	No
HighPoint ATA RAID Management Software	Y	raidman.exe	HighPoint RAID management - hard disk striping/mirroring utility for increased performance and reliability. See here for more information on RAID	No
VIA RAID TOOL	U	raid_tool.exe	VIA V-RAID Tool - hard disk striping/mirroring utility for increased performance and reliability	No
VIARaidUtl	U	raid_tool.exe	VIA V-RAID Tool - hard disk striping/mirroring utility for increased performance and reliability	No
RaidTool	U	raid_tool.exe	VIA V-RAID Tool - hard disk striping/mirroring utility for increased performance and reliability	No
Rainlendar	U	Rainlendar.exe	Rainlendar is a customizable calendar that displays the current month	No
Rainlendar2	U	Rainlendar2.exe	Rainlendar is a customizable calendar that displays the current month	No
Vista Rainbar	U	Rainmeter.exe	Vista Rainbar - Vista Sidebar clone for the Rainmeter desktop customization tool	No
Rainmeter	N	Rainmeter.exe	'Rainmeter is the best known and most popular desktop customization program for Windows. Enhance your Windows computer at home or work with skins; handy, compact applets that float freely on your desktop. Rainmeter skins provide you with useful information at a glance'	No
SlipStream	Y	raketa-core.exe	Raketa Krstarice customized core module for Slipstream - internet acceleration through compression/decompression techniques, intelligent cacheing on the server side, and real-time conversion of large/high-bandwidth images to less bulky pix	No
Raketa Krstarice	Y	raketa.exe	Raketa Krstarice customized user interface for Slipstream - internet acceleration through compression/decompression techniques, intelligent cacheing on the server side, and real-time conversion of large/high-bandwidth images to less bulky pix	No
Bron-Spizaetus	X	RakyatKelaparan.exe	Detected by Sophos as W32/Brontok-J and by Malwarebytes as Worm.Brontok	No
Msn Service	X	raloded.exe	Detected by Sophos as W32/Mytob-DY	No
RAMASST	U	RAMASST.exe	Optionally installed with some DVD drives (LG, Panasonic, etc). Disables Windows XP's CD-burning abilities because they cause some incompatibilities. It does not affect your ability to burn CDs. If you do not have this program running, you may have some compatibility issues with burnt DVDs	No
RamBooster	U	Rambooster.exe	RamBooster memory manager	No
RAMBooster.Net	U	RAMBooster.exe	RAM Booster .Net is 'a smart memory management program that will keep your computer (PC) running better, faster, and longer'	No
RAMConnectionChecker	?	RAMConnChecker.exe	Part of Remote Access Manager (RAM) for Nortel Networks - which 'combines an intuitive, user-friendly remote access interface for dialup, cable, LAN, wireless, and DSL users with state-of-the-art phonebook, dialing, and seamless software distribution and update capabilities'. Is it required?	No
RAMGINAConnWatch	?	RAMConnWatcher.exe	Part of Remote Access Manager (RAM) for Nortel Networks - which 'combines an intuitive, user-friendly remote access interface for dialup, cable, LAN, wireless, and DSL users with state-of-the-art phonebook, dialing, and seamless software distribution and update capabilities'. Is it required?	No
RAMDef	U	ramdef.exe	Ram Def memory manager - monitors and defragments your system RAM to improve reliability and speed. No longer supported or available from the author	No
Realtek.exe	X	ramden.exe	Detected by Malwarebytes as Trojan.Agent.FF. The file is located in %Windir% - see here	No
RamIdle	U	ramidle.exe	RAM Idle memory manager from TweakNow which is also included in the PowerPack	No
RAMpage	U	RAMpage.exe RAMpageConfig.exe	Small Windows utility that displays the amount of available memory in an icon in the System Tray. It can also free memory by double clicking the tray icon, or by setting a threshold that activates the program automatically, or by having it run automatically when an application exits. RAMpage is free, and open source	No
RAMRush	U	RAMRush.exe	RAMRush by FTweak Inc - 'is a free memory management and optimization tool. It can efficiently optimize memory usages of your Windows system, free up physical RAM and make your system work better'	Yes
ftweak_RAMRush	U	RAMRush.exe	RAMRush by FTweak Inc - 'is a free memory management and optimization tool. It can efficiently optimize memory usages of your Windows system, free up physical RAM and make your system work better'	Yes
run=	U	ramsys.exe	Advanced Startup Manager from Rays Lab	No
RAM Idle Professional	U	RAM_XP.exe	RAM Idle memory manager from TweakNow which is also included in the PowerPack	No
WindowsUpdateHost	X	Random.exe	Detected by Dr.Web as Trojan.DownLoader6.33883 and by Malwarebytes as Backdoor.Agent.E.Generic	No
xxxjoker	X	random.exe	Detected by Malwarebytes as Backdoor.SpyNet. The file is located in %ProgramFiles%[folder]	No
RandomBars	X	RandomBars.exe	Detected by Malwarebytes as Trojan.Proxy. The file is located in %CommonFiles%RandomBars	No
Service Noits	X	ranga.exe	Detected by Sophos as Mal/Boom-A	No
rant	X	rant.exe	Detected by Sophos as W32/Rbot-ZB	No
raome	X	raome.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %UserProfile%	No
RapApp	Y	RAPAPP.EXE	Application protection component of older software from IBM Security Solutions (formerly Internet Security Systems or ISS) such as the BlackICE firewall. Informs you of any modifications to programs, files or folders and detecting unknown programs trying to launch. Runs as a service on an NT based OS (such as Windows 10/8/7/Vista/XP)	No
Ati Main	X	rapems.exe	Detected by Malwarebytes as Password.Stealer. The file is located in %System%	No
Rapid Antivirus	X	Rapid Antivirus.exe	Rapid Antivirus rogue security software - not recommended, removal instructions here. Detected by Malwarebytes as Rogue.RapidAntiVirus. The file is located in %ProgramFiles%Rapid Antivirus	No
RapidCheck	U	RapidCheck.exe	RapidCheck periodically checks for available free accounts at rapidshare.de. A notification will pop up in the system tray when a free acount is detected then will take you to the account registration page. Note - this entry loads from the Windows Startup folder and the file is located in %ProgramFiles%RapidCheck	N/A
RapidCheck	U	RapidCheck.exe	RapidCheck periodically checks for available free accounts at rapidshare.de. A notification will pop up in the system tray when a free acount is detected then will take you to the account registration page. Note - this entry loads from the HKCURun registry key and the file is located in %ProgramFiles%RapidCheck	N/A
RapidMediaConverterApp	U	RapidMediaConverterApp.exe	Detected by Malwarebytes as PUP.Optional.RapidMediaConverter. Note - this entry loads from the Windows Startup folder and the file is located in %ProgramFiles%RapidMediaConverter. If bundled with another installer or not installed by choice then remove it	No
RapportService	X	RapportService.exe	Detected by Malwarebytes as Trojan.Agent.FS. Note - this is not a legitimate Trusteer Rapport entry and the file is located in %AppData%Fusion[4 digits]	No
RaptorDefence	X	RaptorDefence.exe	RaptorDefence rogue security software - not recommended, removal instructions here	No
Raptr	N	raptrstub.exe	'Raptr makes PC gaming fast, beautiful, and hassle-free'	No
raqkesibxici	X	raqkesibxici.exe	Detected by McAfee as Downloader.a!dcl and by Malwarebytes as Trojan.Agent.US	No
WINRAR UPDATE	X	rar.exe	Detected by McAfee as RDN/Generic.grp!gy and by Malwarebytes as Trojan.Agent.MNR	No
Rarupdate	X	rarupdates.exe	Detected by Symantec as Backdoor.Optix. The file is located in %System%	No
Macromedia Critical Updater	X	rarww.exe	Added by a variant of Backdoor:Win32/Rbot. The file is located in %System%	No
cifxljac	X	rasctrnm6.exe	Detected by Malwarebytes as Adware.SanctionedMedia. The file is located in %System%	No
rasctrs	X	rasctrs.exe	Hijacker, also detected as the ADWAHECK TROJAN!	No
RasMan.exe	X	RasMan.exe	Detected by Sophos as Troj/Feutel-H	No
rasman	X	rasman32.exe	Detected by Sophos as Troj/Bckdr-QGN	No
Remote Access Service Manager	X	rasmngr.exe	Detected by Trend Micro as WORM_AGOBOT.KU	No
RasCon Remote Access Service Manager	X	rasmngr.exe	Detected by Trend Micro as WORM_SPYBOT.EM	No
Microsoft DirectX	X	rasmngr.exe	Detected by Trend Micro as WORM_SDBOT.AU	No
Raspberry	X	Raspberry.exe	Detected by Malwarebytes as Trojan.MSIL. The file is located in %AppData%	No
0L0FRM3NMFGI04+CLW	X	rasphone.exe	Detected by McAfee as RDN/Generic BackDoor!yo and by Malwarebytes as Backdoor.Agent.E	No
RASTA xRAT	X	RASTA.exe	Detected by Malwarebytes as Trojan.Agent.RAS. The file is located in %AppData%RASTA	No
FlashUpdate	X	RasTls.exe	Detected by Dr.Web as Trojan.Inject1.32054	No
java	X	rat.exe	Detected by McAfee as RDN/Generic Dropper!sr and by Malwarebytes as Backdoor.Agent.DCE	No
Ratio Faker	X	RatioFakerSetup.exe	Detected by McAfee as RDN/Generic.bfr and by Malwarebytes as Trojan.Agent.RSF	No
aRato	X	Rato.vbs	Detected by Sophos as VBS/Rabfu-A	No
Rato	X	Ratoii.vbs	Detected by Sophos as VBS/Rabfu-A	No
RemoteAgent	Y	RAUAgent.exe	Part of an older version of the Trend Micro OfficeScan business anti-malware suite	No
Ralink Wireless Utility	U	RaUI.exe	Wireless configuration utility for RaLink (now MediaTek) based products	No
Tenda Wireless Utility	U	RaUI.exe	Wireless configuration utility for Tenda networking products based upon RaLink (now MediaTek) chipsets	No
Airlink101 Wireless Monitor	U	RaUI.exe	Wireless configuration utility for AirLink 101 networking products based upon RaLink (now MediaTek) chipsets	No
Rosewill Wireless Utility	U	RaUI.exe	Wireless configuration utility for Rosewill networking products based upon RaLink (now MediaTek) chipsets	No
ASUS_Utility	U	RaUI.exe	Wireless configuration utility for ASUS laptops using RaLink (now MediaTek) chipsets	No
Wireless Utility	U	RaUI.exe	Wireless configuration utility for networking products based upon RaLink (now MediaTek) chipsets	No
802.11g MIMO Wireless Utility	U	RaUI.exe	Wireless configuration utility for RaLink (now MediaTek) 802.11g MIMO based products	No
Edimax Wireless Utility	U	RaUI.exe	Wireless configuration utility for Edimax networking products based upon RaLink (now MediaTek) chipsets	No
rauoza	X	rauoza.exe	Detected by Malwarebytes as Trojan.Downloader. The file is located in %UserProfile%	No
UpDate	X	RAuth.exe	Detected by Sophos as Troj/Dloader-UL	No
UpData	X	Rauth.exe	Detected by Dr.Web as BackDoor.IRC.YulihuBot.42 and by Malwarebytes as Backdoor.IRCBot.E	No
Realtek Audio HD	X	RAV64.exe	Detected by Malwarebytes as Trojan.Dropper. The file is located in %AppData%	No
Microsoft Autorun9	X	Ravasktao.exe	Detected by Symantec as W32.Ogleon.A	No
Realtek HD Audio Process Sys Local	X	RAVBg6.exe	Detected by Malwarebytes as Trojan.Agent.RTL. Note that this is not a valid Realtek process and the file is located in %AppData% - see here	No
HD Audio Background Process	?	RAVBg64.exe	Installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. The exact purpose is unknown at present	Yes
RtHDVBg	?	RAVBg64.exe	Installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. The exact purpose is unknown at present	Yes
RtHDVBg_Dolby	?	RAVBg64.exe	Installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. The exact purpose is unknown at present although the name suggests it's related to support for the Dolby surround sound system	No
RtHDVBg_DTS	?	RAVBg64.exe	Installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. The exact purpose is unknown at present although the name suggests it's related to support for the DTS (acquired by Tessera and now called Xperi) surround sound system	No
RtHDVBg_MAXX6	?	RAVBg64.exe	Installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. The exact purpose is unknown at present	No
RtHDVBg_PushButton	?	RAVBg64.exe	Installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. The exact purpose is unknown at present	Yes
RtHDVBg_SRSSA	?	RAVBg64.exe	Installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. The exact purpose is unknown at present	No
Realtek HD Audio Process sys	X	RAVBg64m.exe	Detected by Malwarebytes as Backdoor.Bot. The file is located in %AppData%	No
Realtek HD Audio Driver	X	RAVCpl32.exe	Detected by Malwarebytes as RiskWare.Agent.E. The file is located in %CommonAppData%RealtekAudioHDA	No
Realtek HD Audio Manager	X	RAVCpl32.exe	Detected by Malwarebytes as RiskWare.Agent.E. The file is located in %CommonAppData%RealtekAudioHDA - see here	No
Realtek HD Audio Manager	U	RAVCpl64.exe	Realtek HD Audio Manager, installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. Provides a default (but optional) System Tray icon which allows you to manage audio device settings and gives you access to the Sound Manager and other multimedia functions. You will also receive notifications when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged in it may not be detected and therefore may not work	No
RAVCpl64	X	RAVCpl64.exe	Detected by Dr.Web as Trojan.DownLoader9.10954. Note - do not confuse this with the legitimate 64-bit Realtek HD Audio Manager which has the same filename and is normally located in %ProgramFiles%RealtekAudioHDA. This one is located in %AppData%	No
HD Audio Control Panel	U	RAVCpl64.exe	Realtek HD Audio Manager, installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. Provides a default (but optional) System Tray icon which allows you to manage audio device settings and gives you access to the Sound Manager and other multimedia functions. You will also receive notifications when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged in it may not be detected and therefore may not work	No
RtHDVBg	X	RAVCpl64.exe	Detected by Sophos as Troj/Buzus-HB. Note - do not confuse this with the legitimate 64-bit Realtek HD Audio Manager which has the same filename and is normally located in %ProgramFiles%RealtekAudioHDA. This one is located in %AppData%Microsoft	No
RtHDVCpl	U	RAVCpl64.exe	Realtek HD Audio Manager, installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. Provides a default (but optional) System Tray icon which allows you to manage audio device settings and gives you access to the Sound Manager and other multimedia functions. You will also receive notifications when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged in it may not be detected and therefore may not work	No
RTHDVCPL32	X	RAVCplscv.exe	Detected by Dr.Web as Trojan.DownLoader12.59419 and by Malwarebytes as Backdoor.Farfli	No
RAVEN_VLZS.EXE	X	RAVEN_VLZS.EXE	Related to the DownloadReceiver parasite which was a component used by eAcceleration (Acceleration Software International Corporation) to download and install their Webcelerator software. Archived version of Andrew Clover's original description	No
RavMon	Y	RavMon.exe	Rising antivirus	No
run	X	RAVMOND.exe	Detected by Sophos as W32/Lovgate-F. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'run' value data to include the file 'RAVMOND.exe' (which is located in %System%)	No
RavAv	X	RavMonE.exe	Detected by Sophos as W32/RJump-F	No
Rapdata	X	ravsecs.exe	Detected by Sophos as Troj/QQPass-V	No
RavUptpe	X	ravsesur.exe	Detected by Sophos as Troj/QQPass-T	No
Rapdatybs	X	ravseteyns.exe	Detected by Sophos as Troj/PWS-ACP	No
Update.exe	X	ravseuper.exe	Detected by Sophos as Troj/QQPass-P	No
QuickyTranslator	U	RavSoft.GoogleTranslator.exe	Detected by Malwarebytes as PUP.Optional.QuickyTranslator.PrxySvrRST. The file is located in %Windir%Quicky TranslatorQuicky Translator. If bundled with another installer or not installed by choice then remove it, removal instructions here	No
Raptelnet	X	ravspeger.exe	Detected by Sophos as Troj/QQPass-AA	No
Raptelt	X	ravspegtl.exe	Detected by Sophos as Troj/QQPass-AB	No
RavStub	Y	ravstub.exe	Rising antivirus	No
RavTask	Y	RavTask.exe	Rising antivirus	No
RavTimer	Y	RavTimer.exe	Rising antivirus	No
RAV8Tray	Y	ravtray8.exe	RAV Antivirus Desktop by GeCAD Software - acquired by Microsoft in 2003	No
QWJUZZUS	X	RavzWUHO.exe	Detected by McAfee as RDN/Spybot.bfr!h and by Malwarebytes as Trojan.Agent.RNS	No
rav_finder.exe	X	rav_finder.exe	Detected by McAfee as Generic Dropper and by Malwarebytes as PasswordStealer.Tibia. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
rav_temp.exe	?	rav_temp.exe	The file is located in %Temp%EACDownload	No
raxeapuncepe	X	raxeapuncepe.exe	Detected by McAfee as RDN/Generic Downloader.x!kc and by Malwarebytes as Trojan.Agent.US	No
raxlufpyvyxu	X	raxlufpyvyxu.exe	Detected by Sophos as Troj/Cutwail-AE and by Malwarebytes as Trojan.Agent.US	No
Shell	X	ray.exe	Homepage hijacker re-directing browsers to adult content websites	No
Razer Anansi Driver	U	RazerAnansiSysTray.exe	Razer Anansi gaming keyboard driver - required if you use the additional features and programmed keys/macros	No
RazerGameBooster	N	RazerGameBooster.exe	Razer Game Booster by Razer Inc - 'Maximizes your system performance to give you higher frames per second, by automatically shutting off unnecessary processes and applications when you're gaming, and resuming them when you're done'	No
Tarantula	U	razerhid.exe	Razer Tarantula gaming keyboard driver - required if you use the additional features and programmed keys/macros	No
Habu	U	razerhid.exe	Microsoft Habu (by Razer) gaming mouse driver - required if you use the additional features and programmed keys/macros	No
Salmosa	U	razerhid.exe	Razer Salmosa gaming mouse driver - required if you use the additional features and programmed keys/macros	No
razer	U	razerhid.exe	Razer gaming mouse/keyboard driver - required if you use the additional features and programmed keys/macros	No
Lycosa	U	razerhid.exe	Razer Lycosa gaming keyboard driver - required if you use the additional features and programmed keys/macros	No
Abyssus	U	razerhid.exe	Razer Abyssus gaming mouse driver - required if you use the additional features and programmed keys/macros	No
Copperhead	U	razerhid.exe	Razer Copperhead gaming mouse driver - required if you use the additional features and programmed keys/macros	No
Krait	U	razerhid.exe	Razer Krait gaming mouse driver - required if you use the additional features and programmed keys/macros	No
Reclusa	U	razerhid.exe	Microsoft Reclusa (by Razer) gaming keyboard driver - required if you use the additional features and programmed keys/macros	No
Arctosa	U	razerhid.exe	Razer Arctosa gaming keyboard driver - required if you use the additional features and programmed keys/macros	No
Jomantha	U	razerhid.exe	Belkin n52te (powered by Razer) gaming keypad driver - required if you use the additional features and programmed keys/macros	No
HP Gaming Keyboard	U	razerhid.exe	HP VoodooDNA Gaming Keyboard (powered by Razer) driver - required if you use the additional features and programmed keys/macros	No
Diamondback	U	razerhid.exe	Razer Diamondback 3G gaming mouse driver - required if you use the additional features and programmed keys/macros	No
DeathAdder	U	razerhid.exe	Razer DeathAdder gaming mouse driver - required if you use the additional features and programmed keys/macros	No
DeathAdderBlackEdition	U	razerhid.exe	Razer DeathAdderBlackEdition gaming mouse driver - required if you use the additional features and programmed keys/macros	No
Lachesis	U	razerhid.exe	Razer Lachesis gaming mouse driver - required if you use the additional features and programmed keys/macros	No
Razer Imperator Driver	U	RazerImperatorSysTray.exe	Razer Imperator gaming mouse driver - required if you use the additional features and programmed keys/macros	No
Razer Imperator Driver	U	RazerImperatorTray.exe	Razer Imperator gaming mouse driver - required if you use the additional features and programmed keys/macros	No
Razer Mamba Elite Driver	U	RazerMambaSysTray.exe	Razer Mamba gaming mouse driver - required if you use the additional features and programmed keys/macros	No
Razer Naga Driver	U	RazerNagaSysTray.exe	Razer Naga gaming mouse driver - required if you use the additional features and programmed keys/macros	No
Razer Nostromo Driver	U	RazerNostromoSysTray.exe	Razer Nostromo gaming controller driver - required if you use the additional features and programmed keys/macros	No
Razer StarcraftII Driver	U	RazerStarCraftIISysTray.exe	Razer StarCraft II gaming peripherals driver - required if you use the additional features and programmed keys/macros	No
Razer Mamba Driver	U	RazerTray.exe	Razer Mamba gaming mouse driver - required if you use the additional features and programmed keys/macros	No
Razer TRON Driver	U	RazerTRONSysTray.exe	Razer TRON gaming mouse driver - required if you use the additional features and programmed keys/macros	No
RazeSpyware	X	RazeSpyware.exe	RazeSpyware rogue spyware remover - not recommended	No
RazeSpyware Monitor	X	RazeSpyware_monitor.exe	RazeSpyware rogue spyware remover - not recommended	No
razor.exe	X	razor.exe	Detected by Sophos as W32/SillyFDC-AY	No
RamBooster2	X	rb.exe	Detected by Symantec as Backdoor.Akak	No
RapidBlaster	X	rb32.exe	RapidBlaster parasite. A dedicated 'RapidBlaster Killer' removal tool used to be available but quality anti-malware tools will now remove it	No
rb32 lptt01	X	rb32.exe	RapidBlaster variant (in a 'RapidBlaster' or 'rb32' folder in Program Files). A dedicated 'RapidBlaster Killer' removal tool used to be available but quality anti-malware tools will now remove it	No
rb32 ml097e	X	rb32.exe	RapidBlaster variant (in a 'RapidBlaster' folder in Program Files). A dedicated 'RapidBlaster Killer' removal tool used to be available but quality anti-malware tools will now remove it	No
RBAH3ANDANYV.exe	X	RBAH3ANDANYV.exe	Detected by McAfee as RDN/Generic.bfr!ho and by Malwarebytes as Trojan.Downloader.MDO	No
LOCKDOWN	X	rbDyvEH.exe	Detected by Sophos as Troj/GBot-I	No
rbenh lptt01	X	rbenh.exe	RapidBlaster variant (in a 'RBEnhance' folder in Program Files). A dedicated 'RapidBlaster Killer' removal tool used to be available but quality anti-malware tools will now remove it	No
rbnynkctv	X	rbnynkctv.exe	Detected by Sophos as Troj/Agent-GPA	No
sl4 rules	X	rbot32.exe	Detected by Sophos as W32/Sdbot-QC	No
Microsoft	X	rbssetup.exe	Detected by Malwarebytes as Trojan.Agent.E.Generic. The file is located in %AppData%Windows	No
MicrosoftUpdate	X	RBuilder.exe	Detected by Sophos as Troj/Dloadr-BMV and by Malwarebytes as Trojan.Agent.MUGen	No
rc4test.exe	X	rc4test.exe	Detected by Malwarebytes as Backdoor.Agent. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
RCA Detective	N	RCADetective.exe	RCA Detective works with various RCA MP3 players and is used to connect to player to the user's PC through a USB connection	No
ElsaCapiCtl	Y	Rcapi.exe	Assumed to stand for Remote Common Application Programming Interface (RCAPI), this was installed with an Elsa Microlink ISDN modem. If it is not there you can not bring up the dialog box which is sometimes needed to reset the modem	No
Windows Servce Agent	X	rcccgtwv.exe	Detected by Kaspersky as Backdoor.Win32.Rbot.bll and by Malwarebytes as Trojan.Agent. The file is located in %System%	No
Xenocode	X	RCE.exe	Detected by Malwarebytes as Trojan.MSIL. The file is located in %UserTemp%WinApp	No
Win343Plugin	X	RCE.exe	Detected by Dr.Web as Trojan.Inject1.31572 and by Malwarebytes as Trojan.Agent.E	No
PacManStable	X	RCE.exe	Detected by Dr.Web as Trojan.MulDrop5.8591 and by Malwarebytes as Trojan.Agent.PC	No
Soot	?	rcea.exe	The file is located in %Windir%Application Data	No
Ring Central Fax	U	rcenterrll.exe	Only needed if you want a PC to answer faxes automatically	No
Rcf Driver	X	rcf.exe	Detected by Symantec as W32.Randex.BLD	No
Registry Cleaner Scheduler	U	RCHelper.exe	CleanMyPC Registry Cleaner can clean your Windows registry, tune up your PC and keep it in peak performance! Detected by Malwarebytes as PUP.Optional.CleanMyPC. The file is located in %ProgramFiles%CleanMyPCRegistry Cleaner. If bundled with another installer or not installed by choice then remove it, removal instructions here	No
RegClean Expert Scheduler	U	RCHelper.exe	'Registry Clean Expert scans the Windows registry and finds incorrect or obsolete information in the registry. By fixing these obsolete information in Windows registry, your system will run faster and error free'. Detected by Malwarebytes as PUP.Optional.CleanMyPC. The file is located in %ProgramFiles%Registry Clean Expert. If bundled with another installer or not installed by choice then remove it	No
.norton	X	rchost.exe	Detected by Sophos as Troj/Boxed-H	No
RCHotKey	U	RCHotKey.exe	Part of RingCentral Call Controller™ which 'turns your PC into your personal business command center. It brings you real time control of your calls, and immediate access to faxing, your account, Microsoft Outlook® contacts, and many powerful business efficiency tools'	No
rciaviast.vbs	X	rciaviast.vbs	Detected by Malwarebytes as Trojan.Agent.E. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
RotateImage	?	RCIMGDIR.exe	Part of the Ricoh integrated webcam driver. What does it do and is it required?	No
rcimlby.exe	X	rcimlby.exe	Detected by Sophos as W32/Sdbot-DHK	No
LTCISI	X	rckit.exe	Detected by Sophos as W32/IRCBot-YJ	No
Inters Configuration Loader	X	RCL0ADERS.exe	Detected by Sophos as W32/Sdbot-KX	No
RCleanMain	X	RCleanT.exe	Detected by Malwarebytes as Rogue.Agent.K. The file is located in %ProgramFiles%RClean	No
RemoteCenter	U	RcMan.exe	Remote control for the Creative MediaSource player/organizer - plays back music in DVD-Audio, MP3, WMA, WAV and other media formats	No
Registry Crawler	U	rcrawler.exe	Registry Crawler by 4Developers LLC 'enables system administrators, developers and other power users to quickly find and configure Registry settings. The software provides a powerful search engine that allows us to find Registry information based on a search criteria. The results are displayed in a list allowing us to access any key found with a single mouse click'	No
rCron	X	rcron.exe	PageOn1 - Switch dialer and hijacker variant, see here	No
ANSII Rkit	X	rcs.exe	Detected by Malwarebytes as Trojan.Agent.CD. The file is located in %AppData% - see here	No
RCScheduleCheck	U	RCSCHED.EXE	Scheduler for Recovery Commander by Avanquest (was VCOM) - which 'can restore your non-booting system back to normal. It only takes a few minutes to get your system back up and running'	No
RegClean Expert Scheduler	U	RCScheduler.exe	'Registry Clean Expert scans the Windows registry and finds incorrect or obsolete information in the registry. By fixing these obsolete information in Windows registry, your system will run faster and error free'. Detected by Malwarebytes as PUP.Optional.CleanMyPC. The file is located in %ProgramFiles%Registry Clean Expert. If bundled with another installer or not installed by choice then remove it	No
RCSync	X	RCSync.exe	PrizeSurfer parasite - 'free software that automatically enters you to win cash and prizes just for surfing the web and shopping online!' Detected by Symantec as Adware.RCPrograms. The file is located in %ProgramFiles%RCPrograms	No
BuzMe	U	RCUI.exe	Display client for the old BuzMe internet call waiting service by RingCentral which intercepted telephone calls like an answering machine and played the voice message on your PC and was only required when you were on-line via a dial-up modem	No
Pagoo	N	RCUI.exe	Display client for an older version of Pagoo by RingCentral - which 'is a VoIP, cloud-based virtual PBX system that enables you to stay connected anytime, anywhere.' This version intercepted telephone calls like an answering machine and played the voice message on your PC and was only required when you were on-line via a dial-up modem	No
svchost	X	rcv.exe	Detected by Malwarebytes as Backdoor.Bot.E. The file is located in %AppData%	No
rcwinHyper	U	rcwinHyper.exe	Allows you to select a word or phrase within a document, application, web-page, etc and search for it within an older version the 'Le Grand Robert & Collins' French/English dictionary from Le Robert. See here for more information	No
rCwYoAkw.exe	X	rCwYoAkw.exe	Detected by Malwarebytes as Backdoor.Bot. The file is located in %UserProfile%SiEgcgUQ	No
Stask	X	rcxsafwv.exe	Detected by Dr.Web as Trojan.AVKill.33413	No
WGdDR8N7QV	X	rd92olL.exe.lnk	Detected by Sophos as Troj/MSILInj-BF and by Malwarebytes as Backdoor.Agent.RND	No
rD9b0UL	X	rD9b0UL.exe	Detected by McAfee as RDN/Generic BackDoor!ti and by Malwarebytes as Backdoor.Agent.DCE	No
RDAgent	X	RDAgent.exe	RegDefense rogue registry cleaner - not recommended	No
RDClient	U	RDCLIENT.EXE	Remote Disconnection Utility from Twiga. Used for connecting and disconnecting dial up connections on a network - only needed if there is a shared internet connection	No
Real Desktop	Y	rdesc.exe	Real Desktop by Schillergames 'replaces the ordinary Windows desktop by using a 3D user interface, wherein the current configuration of the Windows desktop remains unchanged'	No
RDFNSAgent	U	RDFNSAgent.exe	RegDefense by Xionix Inc 'will Scan,Repair, and help you Effectively Manage your Registry just moments after downloading.' Detected by Malwarebytes as PUP.Optional.RegDefense. The file is located in %ProgramFiles%RegDefense. If bundled with another installer or not installed by choice then remove it	No
RDFNSListener	U	RDFNSListener.exe	RegDefense by Xionix Inc 'will Scan,Repair, and help you Effectively Manage your Registry just moments after downloading.' Detected by Malwarebytes as PUP.Optional.RegDefense. The file is located in %ProgramFiles%RegDefense. If bundled with another installer or not installed by choice then remove it	No
sxwiutqj	X	rdkablgr.exe	Detected by Malwarebytes as Trojan.Weelsof. The file is located in %LocalAppData%	No
RDListener	X	RDListener.exe	RegDefense rogue registry cleaner - not recommended	No
rdmh.exe	X	rdmh.exe	Detected by Malwarebytes as Trojan.Autoit. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts, see here	No
rdmh.exe	X	rdmh.exe	Detected by Malwarebytes as Trojan.Autoit. Note - this entry loads from HKLMRun and HKCURun and the file is located in %UserTemp%, see here	No
rdmouw	X	rdmouw.exe	Detected by Dr.Web as Trojan.DownLoader7.32785 and by Malwarebytes as Trojan.Agent.Gen	No
RDM+ Control Panel	U	rdmpserv_cpanel.exe	Remote Desktop for Mobiles - 'Access remotely your computer even through NAT and Firewall from mobile. You can send and receive emails, edit word documents, surf web, manage files and folders and do hundreds of other things that you usually do sitting in front of your home or office computer'	No
ucquwf	X	rdpclipi.exe	Detected by Dr.Web as Trojan.DownLoader8.37095	No
RDPlatinum v5	X	RDPlatinumv5.exe	Registry Defender Platinum rogue registry cleaner - not recommended, removal instructions here	No
RAMDrive	U	RDTask.exe	Virtual Hard Drive Pro from Farstone - 'takes a portion of your system memory and creates a RAM disk drive, which functions like a physical hard drive, only with much better access rates.' No longer available	No
RE.exe	U	RE.exe	RegistryEasy registry cleaner - regarded by Symantec as a potentially unwanted application, see here	No
RealP1ayer	X	rea1p1ayer.exe	Detected by Symantec as Trojan.Rplay.A. Note that the name has a number '1' in place of the second lower case 'L'. The filename has a number '1' in place of both lower case 'L'	No
vmware	X	read.exe	Detected by Dr.Web as Trojan.DownLoader8.17512 and by Malwarebytes as Trojan.Agent.VM	No
WinReader	X	read.exe	Detected by Sophos as W32/Delbot-V	No
Microsoftz turn Control	X	read.pif	Detected by Sophos as W32/Rbot-AFS	No
User32	X	Read101.exe	Detected by Symantec as Backdoor.Cyn	No
AcrobatReader	X	reader.exe	Detected by Malwarebytes as Backdoor.SpyNet. The file is located in %AppData%Acrobat	No
1	X	reader.exe	Detected by Sophos as Troj/EncPk-AF and by Malwarebytes as Trojan.Downloader. The file is located in %LocalAppData%MicrosoftUpdate (10/8/7/Vista) or %UserProfile%Local SettingsMicrosoftUpdate (XP)	No
1	X	reader.exe	Detected by Dr.Web as Trojan.DownLoader10.6410 and by Malwarebytes as Trojan.Dropper. The file is located in %LocalAppData%Minerd (10/8/7/Vista) or %UserProfile%Local SettingsMinerd (XP)	No
Windows Update Securyt	X	Reader.exe	Detected by Malwarebytes as Trojan.Injector.AI. The file is located in %LocalAppData%[random] - see examples here and here	No
AdobeReader	X	Reader.exe	Detected by McAfee as RDN/Generic.dx!dgx and by Malwarebytes as Trojan.Agent.ADBGen	No
Windows Update System	X	reader.exe	Detected by Sophos as W32/SillyFDC-GB and by Malwarebytes as Trojan.Agent.WUGen	No
winstep	X	reader.exe	Detected by Sophos as Troj/Autoit-PC	No
Reader	X	Reader.exe	Detected by Malwarebytes as Trojan.Banker.ADB. The file is located in %AppData%Adobe - see here	No
Aadobe Reader	X	reader32.exe	Detected by Malwarebytes as Trojan.Agent.E. The file is located in %AppData%	No
Reader Application Helper	U	readerapphelper.exe	Helper for Sony Reader for PC - which 'is an all-new application that provides an easier, friendlier, and improved experience to existing Reader Library customers, and provides all of the same functionality as Reader Library with some new features.' Reader Library was formally eBook Library and is a 'one-stop application for browsing, downloading, managing, and reading your favorite titles. Its integrated eBook Store features thousands of eBook titles including a wide variety of new releases, bestsellers, and your favorite classics'	No
readericon10	?	readericon10.exe	Related to a multimedia card reader - possibly based upon an Alcor Micro chipset. What does it do and is it required?	No
readericon	U	readericon45G.exe	Tray icon to set various configuration settings for Sunkist (and maybe other) media card readers	No
Mobipocket Reader Notifications	U	readernotify.exe	Part of Mobipocket Reader - 'Store all your eBooks, eNews & self-published eDocs on your PC. Download eBooks in Mobi format from your favorite ebookstores to read on your smartphone, PDA, laptop or on your desktop PC'	No
Adobe Updater	X	readerr_sl.exe	Detected by Trend Micro as TROJ_UTOTI.JP and by Malwarebytes as Trojan.Agent	No
Adobe Reader Speed Launchers	X	Readers_sl.exe	Detected by Trend Micro as TROJ_BUZUS.BFQ. The file is located in %AppData%	No
Reader_sl	X	reader_s.bat	Detected by McAfee as Generic.dx!tls and by Malwarebytes as Backdoor.Bot	No
reader_s	X	reader_s.exe	Detected by Sophos as Troj/Agent-IUT	No
Lancement rapide d'Adobe Reader	N	reader_sl.exe	Speeds up the time it takes to load the free Adobe Reader PDF file viewer. 'The Speed Launcher quickly opens and closes all of the files that Acrobat or Adobe Reader will use when the application starts. Opening and closing the files allows your virus protection software to check these programs and add them to its list of safe files'. Not required for Adobe Reader to function properly. French version	No
Adobe Acrobat	N	Reader_sl.exe	Speeds up the time it takes to load the free Adobe Reader PDF file viewer. 'The Speed Launcher quickly opens and closes all of the files that Acrobat or Adobe Reader will use when the application starts. Opening and closing the files allows your virus protection software to check these programs and add them to its list of safe files'. Not required for Adobe Reader to function properly	Yes
AdobeReader	X	reader_sl.exe	Detected by McAfee as Generic Downloader.x!g2y and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate Adobe file which is normally located in a sub-directory of %ProgramFiles%Adobe. This one is located in %AppData%MicrosoftWindows	No
Adobe Reader Speed Launch	N	reader_sl.exe	Speeds up the time it takes to load older versions of the free Adobe Reader PDF file viewer. 'The Speed Launcher quickly opens and closes all of the files that Acrobat or Adobe Reader will use when the application starts. Opening and closing the files allows your virus protection software to check these programs and add them to its list of safe files'. Not required for Adobe Reader to function properly	Yes
Adobe Reader Speed Launch	X	reader_sl.exe	Detected by Kaspersky as Trojan.Win32.Scar.cezj. Note - this is not the legitimate Adobe entry with the same startup name and filename which is normally located in a sub-directory of %ProgramFiles%Adobe. This one is located in %UserTemp%	No
Adobe Reader Speed Launcher	X	Reader_sl.exe	Detected by Malwarebytes as Trojan.Agent.JVGen. Note - this is not the legitimate Adobe entry with the same startup name and filename which is normally located in a sub-directory of %ProgramFiles%Adobe. This one is located in %AppData%SunJavaDeploymentSystemCache6.0# - where # represents one or more digits	No
Adobe Reader Speed Launcher	N	Reader_sl.exe	Speeds up the time it takes to load the free Adobe Reader PDF file viewer. 'The Speed Launcher quickly opens and closes all of the files that Acrobat or Adobe Reader will use when the application starts. Opening and closing the files allows your virus protection software to check these programs and add them to its list of safe files'. Not required for Adobe Reader to function properly	Yes
Adobe Reader Speed Launcher	X	Reader_sl.exe	Detected by McAfee as RDN/Generic.hra and by Malwarebytes as Trojan.Agent.CMA. Note - this is not the legitimate Adobe entry with the same startup name and filename which is normally located in a sub-directory of %ProgramFiles%Adobe. This one is located in %ProgramFiles%Microsoft OfficeOFFICE111033BOTSTYLE	No
Adobe Reader Speed Launcher	X	reader_sl.exe	Detected by Sophos as Troj/VB-EUV and by Malwarebytes as Worm.Prolaco.Gen. Note - this is not the legitimate Adobe entry with the same startup name and filename which is normally located in a sub-directory of %ProgramFiles%Adobe. This one is located in %Windir%	No
Adobe System Incorporated	X	Reader_sl.exe	Detected by McAfee as RDN/Ransom!dk and by Malwarebytes as Backdoor.Agent.ADBGen. Note - this is not the legitimate Adobe file which is normally located in a sub-directory of %ProgramFiles%Adobe. This one is located in %Temp%Adobe	No
Reader_sl	N	Reader_sl.exe	Speeds up the time it takes to load the free Adobe Reader PDF file viewer. 'The Speed Launcher quickly opens and closes all of the files that Acrobat or Adobe Reader will use when the application starts. Opening and closing the files allows your virus protection software to check these programs and add them to its list of safe files'. Not required for Adobe Reader to function properly	Yes
Adobe Acrobat	N	READER~1.EXE	Speeds up the time it takes to load older versions of the free Adobe Reader PDF file viewer. 'The Speed Launcher quickly opens and closes all of the files that Acrobat or Adobe Reader will use when the application starts. Opening and closing the files allows your virus protection software to check these programs and add them to its list of safe files'. Not required for Adobe Reader to function properly	Yes
Adobe Reader Speed Launch	N	READER~1.EXE	Speeds up the time it takes to load older versions of the free Adobe Reader PDF file viewer. 'The Speed Launcher quickly opens and closes all of the files that Acrobat or Adobe Reader will use when the application starts. Opening and closing the files allows your virus protection software to check these programs and add them to its list of safe files'. Not required for Adobe Reader to function properly	Yes
Application Restart #1	U	readLM.exe	TOSHIBA Password Utility - 'adds additional password security to your Toshiba computer. After registering a user password, you will be required to input it when booting the computer or starting the Password Utility'	No
1.TPUReg	U	readLM.exe	TOSHIBA Password Utility - 'adds additional password security to your Toshiba computer. After registering a user password, you will be required to input it when booting the computer or starting the Password Utility'	No
winlogin	X	ReadMe.exe	Detected by Symantec as W32.SillyFDC.BBT	No
Dynamic Application	X	Readme.exe	Detected by Malwarebytes as Trojan.Crypt.E. The file is located in %Windir%	No
Firewall config	X	ReadMe.exe	Detected by Symantec as W32.SillyFDC.BBT	No
gouday.exe	X	readme.exe	Detected by Symantec as W32.Beagle.C@mm	No
Internet Explorer update	X	readme.exe	Detected by Dr.Web as Trojan.Siggen5.43546 and by Malwarebytes as Backdoor.Agent.E	No
army logo	U	readmename.exe	Torrent101 potentially unwanted torrent client application that installs a Browser Helper Object and displays advertisements	No
DevconDefaultDB	?	READREG	Appears to be related to older Creative Soundblaster soundcards	No
ReadyComm	U	ReadyComm.exe	Lenovo ReadyComm which is pre-installed on various Lenovo PCs to aid in configuring and managing wired and wireless network connectivity	No
ReadyComm5	U	ReadyComm.exe	Lenovo ReadyComm which is pre-installed on various Lenovo PCs to aid in configuring and managing wired and wireless network connectivity	No
ReadyNAS Remote	U	ReadyNASRemote.exe	Netgear ReadyNAS Remote - which 'lets you access your storage system anywhere you have Internet access. With ReadyNAS Remote, you can drag and drop files between your ReadyNAS system and your computer or smartphone as though they were on the same LAN'	No
Real Internet Player	X	REAIPLAY.EXE	Added by a variant of W32.Spybot.Worm. The file is located in %System%	No
atidriver	X	reaIplayer.exe	Detected by Sophos as WarPigs-E. Note the upper case 'i' early in the filename, rather than a lower case 'L'	No
reakizwunkyx	X	reakizwunkyx.exe	Detected by Dr.Web as Trojan.DownLoader10.5065 and by Malwarebytes as Trojan.Agent.US	No
Real Desktop	Y	Real Desktop.exe	Real Desktop desktop enhancement by Schillergames	No
real scheduler.hta	X	real scheduler.hta	Detected by Symantec as Trojan.Ceegar. Note - this is not associated with the popular RealPlayer media player and the file is located in %AllUsersStartup% and its presence there ensures it runs when Windows starts	No
Real-Tens	X	Real-Tens.exe	DownloadWare adware	No
Run	X	real.exe	Detected by Trend Micro as WORM_LOVGATE.E	No
windows update	X	real.exe	Detected by Sophos as Troj/LegMir-AU	No
AudioPlug	X	real.exe	Detected by Malwarebytes as Trojan.Downloader.Gen. The file is located in %AppData%	No
RealAudio.exe	X	RealAudio.exe	Detected by Symantec as Trojan.Ceegar. Note - this is not associated with the popular RealPlayer media player and the file is located in %AllUsersStartup% and its presence there ensures it runs when Windows starts	No
Realaudio Player	X	realaudio32.exe	Detected by Trend Micro as WORM_AGOBOT.AFR	No
RealAV.exe	X	RealAV.exe	Real Antivirus rogue security suite - not recommended, removal instructions here	No
realcleaner main	X	realcleaneru.exe	RealCleaner rogue security software - not recommended, removal instructions here	No
RealDownload	N	REALDOWNLOAD.EXE	RealPlayer download manager	No
realEDU	X	realedu1.exe	Detected by Malwarebytes as Spyware.Imminent.E. The file is located in %AppData%Edu.Internet	No
Load	X	realest.exe	Detected by Malwarebytes as Spyware.Agent.E. The file is located in %LocalAppData%MicrosoftWindows	No
Windows Pc Driver	X	Realhost.exe	Detected by Symantec as Backdoor.Esion	No
REAL	N	realjbox.exe	Real Jukebox - MP3 and music files player	No
Realtime Monitor	Y	realmon.exe	Real-time scanner part of the now discontinued eTrust Antivirus/InoculateIT version 6 virus scanners from CA	No
eTrust Realtime Monitor	X	realmon.exe	Detected by Trend Micro as TROJ_LAZAR.B. Note - this is not the legitimate CA eTrust Antivirus file of the same name which is located in %ProgramFiles%CAeTrustAntivirus. This one is located in %System%	No
Real One Player	X	realone.exe	Detected by Trend Micro as WORM_RBOT.APE	No
MsgCenterExe	N	RealOneMessageCenter.exe	Related to RealPlayer by RealNetworks - has no effect if disabled	No
RealP1ayer	X	realp1ayer.exe	Detected by Symantec as Trojan.Rplay.A. Note that both the name and filename have a number '1' in place of the second lower case 'L'	No
RealDownload	N	RealPlay.exe	RealPlayer download manager	No
realplay	N	realplay.exe	System Tray icon for RealPlayer. If you subsequently start RealPlayer manually it adds itself back to the start-up list. You can stop this from happening by right-clicking on the tray icon and disabling StartCenter via Preferences	No
realplay lptt01	X	realplay.exe	RapidBlaster variant (in a 'realPlay' folder in Program Files). A dedicated 'RapidBlaster Killer' removal tool used to be available but quality anti-malware tools will now remove it. Note that the legitimate RealPlayer is located in %ProgramFiles%RealRealPlayer	No
realplay ml097e	X	realplay.exe	RapidBlaster variant (in a 'realPlay' folder in Program Files). A dedicated 'RapidBlaster Killer' removal tool used to be available but quality anti-malware tools will now remove it. Note that the legitimate RealPlayer is located in %ProgramFiles%RealRealPlayer	No
RealPlayer	N	realplay.exe	System Tray icon for RealPlayer. If you subsequently start RealPlayer manually it adds itself back to the start-up list. You can stop this from happening by right-clicking on the tray icon and disabling StartCenter via Preferences	No
Realplayer One	X	realplay.exe	Detected by Sophos as W32/Rbot-NK. Note that the legitimate RealPlayer is located in %ProgramFiles%RealRealPlayer whereas this one is located in %System%	No
Realplayer Video	X	RealPlay.exe	Added by a variant of Backdoor:Win32/Rbot. Note that the legitimate RealPlayer is located in %ProgramFiles%RealRealPlayer whereas this one is located in %System%	No
RealTray	N	RealPlay.exe	System Tray icon for RealPlayer. If you subsequently start RealPlayer manually it adds itself back to the start-up list. You can stop this from happening by right-clicking on the tray icon and disabling StartCenter via Preferences	No
KEY NAME REAL	X	realplay.exe	Detected by McAfee as PWS-Zbot.gen.asg and by Malwarebytes as Backdoor.Agent.KNRGen. Note that the legitimate RealPlayer is located in %ProgramFiles%RealRealPlayer whereas this one is located in %AppData%FolderName@OFF@	No
Realplayer.exe	X	Realplayer.exe	Detected by Trend Micro as TROJ_DELF.CNV. The file is located in %System%	No
WindowsMediaPlayer	X	RealPlayer.exe	Detected by Malwarebytes as Backdoor.Agent.WMGen. The file is located in %System%Real	No
Policies	X	RealPlayer.exe	Detected by Malwarebytes as Backdoor.Agent.PGen. The file is located in %System%Real	No
Windows SYSTEM32	X	Realplayer.exe	Detected by Trend Micro as WORM_SPYBOT.ZH	No
Real Media Player	X	realplayer2.exe	Added by a variant of Backdoor:Win32/Rbot. The file is located in %System%	No
Realplear.exe	X	Realplear.exe	Detected by Dr.Web as Trojan.Fsysna.6491 and by Malwarebytes as Trojan.Agent.E. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
MS Real Player	X	RealPlyr.exe	Detected by Trend Micro as WORM_RBOT.MR	No
Realpopup	?	Realpopup.exe	RealPopup - 'Replaces old winpopup with a full featured freeware tool which remains stable and simple as its predecessor'	No
Realplayer Codec Support	X	realsched.exe	Detected by Sophos as W32/Agobot-AAD. Note - this is not the legitimate RealOne Player (realsched.exe) application of the same name which is normally located in %CommonFiles%RealUpdate_OB. This one is located in %System%	No
realsched	N	realsched.exe	Application Scheduler installed along with RealOne Player. Runs independently of RealOne Player, to remind AutoUpdate and Message Center to perform their tasks at pre-scheduled intervals. If it can't be disabled try deleting or renaming realsched.exe and then delete the entry in the registry	No
TkBell.Exe	N	realsched.exe	Application Scheduler installed along with RealOne Player. Once installed, it runs independently of RealOne Player. See here for more information, including how to disable it. Also see evntsvc and Realsched. Note that eventsvc.exe no longer appears to be in a newer version. To disable 'tkbell.exe' in the new version (1) Start RealOne Player (2) Tools → Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK	No
TkBellExe	N	realsched.exe	Application Scheduler installed along with RealOne Player. Once installed, it runs independently of RealOne Player. See here for more information, including how to disable it. Also see evntsvc and Realsched. Note that eventsvc.exe no longer appears to be in a newer version. To disable 'tkbell.exe' in the new version (1) Start RealOne Player (2) Tools → Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK	No
WinHelp	X	realsched.exe	Detected by Sophos as W32/Lovgate-F and by Malwarebytes as Worm.Email. Note - this is not the legitimate RealOne Player (realsched.exe) application of the same name which is normally located in %CommonFiles%RealUpdate_OB. This one is located in %System%	No
gcasServ	X	realsched.exe	Added by a variant of Win32.Tactslay. The file is located in %Windir%. Note - this is not the legitimate RealOne Player (realsched.exe) application of the same name	No
realtpsk	X	realsched.exe	Chinese originated adware. Detected by Panda as NewWeb. Note - this is not the legitimate RealOne Player (realsched.exe) application of the same name and this file is located in %System%	No
MSService_v1.0	X	realsched.exe	EHU adware. Note - this is not the legitimate RealOne Player (realsched.exe) application of the same name which is normally located in %CommonFiles%RealUpdate_OB. This one is located in %System% or %Temp%	No
Protocol Ethernet	X	realsound.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %CommonAppData%Realtek Drivers	No
Protocol Ethernet	X	realsound.exe	Detected by Sophos as Troj/Agent-AOYI and by Malwarebytes as Trojan.Agent. The file is located in %Root%Realtek Drivers	No
Protocol Ethernet	X	realsound64.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %CommonAppData%Realtek Drivers	No
RealSPEED	U	RealSPEED.Exe	RealSPEED - tweaking utility to speed-up your internet connection	No
audiodriver	X	realtec.exe	Detected by McAfee as Generic.grp!bv and by Malwarebytes as Trojan.Fakealert	No
Realtech	X	Realtech.exe	Detected by McAfee as RDN/Generic.dx!c2f and by Malwarebytes as Backdoor.Agent.E. The file is located in %AppData%Realtech	No
Realtech	X	Realtech.exe	Detected by Malwarebytes as Backdoor.Agent.E. The file is located in %Windir%Realtech	No
INTELTECHNOLIGY	X	Realtech.exe	Detected by McAfee as RDN/Generic.dx!c2t and by Malwarebytes as Backdoor.Messa.E	No
Realtek HD ??? ???	X	realteck.exe	Detected by Dr.Web as Trojan.Siggen6.23737 and by Malwarebytes as Trojan.FakeVer.RLD	No
Emulation Audio Controller	X	Realtek Audio System Emulator.exe	Detected by Dr.Web as Trojan.DownLoader23.46576 and by Malwarebytes as Trojan.Agent.E	No
Klassbat	X	Realtek HD audio.exe	Detected by Malwarebytes as Trojan.Agent.E. The file is located in %CommonAppData%sysbat	No
Realtek A-350 Adapter	X	realtek-a350.exe	Detected by Dr.Web as Trojan.PWS.Siggen.35890 and by Malwarebytes as Backdoor.MSIL.P	No
Google	X	Realtek.exe	Detected by Malwarebytes as Trojan.Agent.IRT. The file is located in %System%install	No
Realtek	X	Realtek.exe	Detected by Malwarebytes as Backdoor.Bot. The file is located in %AppData%Realtek	No
Realtek	X	Realtek.exe	Detected by Malwarebytes as Backdoor.Xtrat. Note that this is not a valid Realtek process and the file is located in %Windir%Realtek	No
Realtek HD Audio	X	Realtek.exe	Detected by Kaspersky as Trojan.Win32.Buzus.ckyb. Note that this is not a valid Realtek process and the file is located in %System%	No
java	X	Realtek.exe	Detected by Malwarebytes as Trojan.Agent.IRT. The file is located in %System%install	No
Realtek_Audio	X	Realtek.exe	Detected by Kaspersky as Backdoor.Win32.VanBot.oc. Note that this is not a valid Realtek process and the file is located in %System%	No
Policies	X	Realtek.exe	Detected by Malwarebytes as Backdoor.Agent.PGen. The file is located in %System%install	No
load	X	Realtek.exe	Detected by Malwarebytes as Trojan.Agent.SC. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'load' value data to include the file 'Realtek.exe' (which is located in %AppData%RealtekAudio)	No
audiodriver	X	realtek.exe	Detected by McAfee as RDN/Generic Downloader.x and by Malwarebytes as Trojan.Agent.MNRGen	No
RealtekAudio	X	RealtekAudio.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %ProgramFiles%Mozilla Firefox - see here	No
Policies	X	RealtekAudio.exe	Detected by Malwarebytes as Backdoor.Agent.PGen. The file is located in %ProgramFiles%Mozilla Firefox - see here	No
Realtek HD Audio Driver x64	X	RealtekAudiox64.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %CommonAppData%QW - see here	No
load	X	RealtekHDAudioManager.exe	Detected by Malwarebytes as Trojan.Injector. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'load' value data to include the file 'RealtekHDAudioManager.exe' (which is located in %AppData%RealtekHDAudioManager)	No
Realtek HD Panel	X	RealtekHDpnl.lnk	Detected by Dr.Web as Win32.HLLW.Autoruner2.5437 and by Malwarebytes as Worm.AutoRun.E	No
Windows Network Service	X	Realteks.exe	Detected by Sophos as W32/Rbot-GTG	No
svchost	X	RealtekSound.exe	Detected by Kaspersky as Trojan.Win32.Llac.ciq and by Malwarebytes as Backdoor.Agent.PGen. The file is located in %System%Microsoft	No
RealtekSound	X	RealTekSound.exe	Detected by Dr.Web as Win32.HLLW.Autoruner1.11767. The file is located in %AppData%Dir	No
RealtekSound	X	RealtekSound.exe	Detected by Kaspersky as Backdoor.Win32.Bifrose.dmif. The file is located in %ProgramFiles%RealtekSound	No
RealtekSound	X	RealtekSound.exe	Detected by Kaspersky as Trojan-PSW.Win32.Rebnip.w. The file is located in %System%Config	No
RealtekSound	X	RealtekSound.exe	Detected by Kaspersky as Trojan.Win32.Llac.ciq. The file is located in %System%Microsoft	No
RealtekSound	X	RealtekSound.exe	Detected by Kaspersky as Backdoor.Win32.Poison.bigi. The file is located in %System%windows	No
Policies	X	RealtekSound.exe	Detected by Kaspersky as Backdoor.Win32.Bifrose.dmif and by Malwarebytes as Backdoor.Agent.PGen. The file is located in %ProgramFiles%RealtekSound	No
Policies	X	RealtekSound.exe	Detected by Kaspersky as Trojan-PSW.Win32.Rebnip.w and by Malwarebytes as Backdoor.Agent.PGen. The file is located in %System%Config	No
DeviceDrivers	X	Realtelk.exe	Detected by Dr.Web as Trojan.DownLoader9.22109 and by Malwarebytes as Trojan.Agent.E	No
Univers	X	Realtim.exe	Detected by Dr.Web as Trojan.PWS.Siggen1.893 and by Malwarebytes as Trojan.Agent.UN	No
PCDRealtime	X	realtime.exe	Real time monitoring for PC Doctor Online anti-virus - not recommended, see here	No
eTrust	X	RealTimeMon.exe	Detected by Sophos as Troj/Delf-EPG	No
RealUpdater	X	realupd.exe	Detected by Symantec as Trojan.Mitglieder.I and by Malwarebytes as Trojan.Passwords	No
Real player updater	X	realupd.exe	Detected by McAfee as Parlay	No
RealPlayerUpdater	X	realupd32.exe	Detected by Sophos as Troj/Lohav-T	No
updatereal	X	realupdate.exe	Chinese originated adware	No
RealVaccineMain	X	RealVaccine.exe	RealVaccine rogue security software - not recommended, removal instructions here	No
Real Windows Value	X	RealWin.exe.exe	Detected by Malwarebytes as Trojan.MSIL. The file is located in %AppData%Real Windows Folder	No
REAnti.exe	X	REAnti.exe	REAnti rogue security software - not recommended, removal instructions here. A member of the AntiAID family. Detected by Malwarebytes as Rogue.REAnti	No
Reasen-protection.exe	X	Reasen-protection.exe	Detected by Malwarebytes as Worm.Jenxcus.AI. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts - see here	No
Reasen-protection.exe	X	Reasen-protection.exe	Detected by Malwarebytes as Worm.Jenxcus.AI. Note - this entry loads from HKCURun and HKCURunOnce and the file is located in %UserTemp%, see here	No
RebateInformer	U	RebateInf.exe	RebateInformer notifies you of available rebates and discounts when you search and browse the Web.' Detected by Malwarebytes as PUP.Optional.RebateInformer. The file is located in %ProgramFiles%RebateInformer. If bundled with another installer or not installed by choice then remove it	No
RebateNation0	X	RebateNation0.exe	RebateNation adware	No
RebateInformer	U	REBATE~1.EXE	RebateInformer notifies you of available rebates and discounts when you search and browse the Web.' Detected by Malwarebytes as PUP.Optional.RebateInformer. The file is located in %ProgramFiles%RebateInformer. If bundled with another installer or not installed by choice then remove it	No
Update	X	Rebel Botnet.exe	Detected by Dr.Web as Trojan.DownLoader11.25405 and by Malwarebytes as Backdoor.Agent.E	No
System Reboot	X	rebootsys.exe	Detected by Sophos as W32/Rbot-WU	No
Diesel	X	Recalculate.exe	Detected by Symantec as Trojan.Lazar	No
netservices	X	recall.exe	Detected by Trend Micro as WORM_WOOTBOT.D	No
msae	X	receipt.com	Detected by Malwarebytes as Trojan.Downloader.E. The file is located in %LocalAppData%MicrosoftWindows	No
WindowsApplication1	X	receipt69.exe	Detected by Malwarebytes as Trojan.Agent.WAGen. The file is located in %UserTemp% - see here	No
Sysinternals	X	receita.exe	Detected by Dr.Web as Trojan.AVKill.30210 and by Malwarebytes as Trojan.Banker	No
Sysinternals2	X	receita.exe	Detected by Dr.Web as Trojan.AVKill.31081 and by Malwarebytes as Trojan.Banker	No
NETGEARDigitalEntertainer	U	receiver.exe	Part of Netgear's Digital Entertainer digital media player series which enable you to 'view photos, listen to music and Internet radio, watch videos you download, watch live TV from a TV Tuner in a PC, or YouTube videos direct from the Internet'	No
NETGEARNeoTV	U	receiver.exe	Part of Netgear's NeoTV streaming media player series - with which 'your TV can be Internet enabled to access a huge selection of online streaming channels without a computer'	No
Recguard	X	recguard.exe	Detected by Trend Micro as TROJ_LAZAR.B. Note - this is not the legitimate HP recovery partition utility with the same filename which is located in %Windir%SMINST. This one is located in %ProgramFiles%HP	No
Recguard	Y	recguard.exe	On HP computers, Recguard prevents the deletion or corruption of the WinXP Recovery Partition. Without it enabled, it is possible to knock that completely out and force the customer to send the PC back to HP for a re-image, possibly at the customer's expense	No
winldr	X	Rechnung.pdf.exe	Detected by McAfee as Downloader-ACS	No
HKLM	X	rechost.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. The file is located in %Root%directoryGateIntalsDirs	No
HKCU	X	rechost.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. The file is located in %Root%directoryGateIntalsDirs	No
Policies	X	rechost.exe	Detected by Malwarebytes as Backdoor.Agent.PGen. The file is located in %Root%directoryGateIntalsDirs	No
MsConfig	X	reciclaje.exe	Detected by Malwarebytes as Worm.AutoRun. The file is located in %Root% - see here	No
IBM RecordNow!	N	RecordNow.exe	IBM customized version of the RecordNow! CD-writing utility from Sonic Solutions	Yes
RecordNow	N	RecordNow.exe	RecordNow! CD-writing utility from Sonic Solutions	Yes
Recordpad	N	recordpad.exe	RecordPad by NCH Software is 'ideal for recording voice and other audio to add to digital presentations, creating an audio book, or for simply recording a message'	No
gpresult.exe	X	recover.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %AppData%AdobeAcrobat10.0JSCache	No
mmsys	?	recover.exe	The file is located in %Root%	No
RecoverFromReboo	N	RecoverFromReboot.exe	Part of a DSL installer package from SBC (probably SBC/Yahoo DSL). If the installation is botched, this entry may be left in the registry	No
RecoverFromReboot	N	RecoverFromReboot.exe	Part of a DSL installer package from SBC (probably SBC/Yahoo DSL). If the installation is botched, this entry may be left in the registry	No
recovery.bmp	X	recovery.bmp	Detected by Malwarebytes as Trojan.Agent.E. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
run	X	recovery.exe	Detected by Malwarebytes as Trojan.Agent.E. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'run' value data to include the file 'recovery.exe' (which is located in %System%)	No
IERecovery	X	Recovery.exe	Detected by Malwarebytes as Trojan.Agent.IEC. Note - this is not a legitimate Internet Explorer process and the file is located in %AppData%MicrosoftInternet ExplorerRecovery - see here	No
Windows Recovery Console	X	recovery.exe	Detected by Trend Micro as WORM_RANSOM.FD	No
userinfo	X	recovery.txt	Detected by Malwarebytes as Ransom.Rapid.E. The file is located in %AppData%	No
startEREO	X	Recoveyng.exe	Detected by Malwarebytes as Trojan.Agent.NC. The file is located in %AppData%	No
RecoverFromReboo	N	RECOVE~1.EXE	Part of a DSL installer package from SBC (probably SBC/Yahoo DSL). If the installation is botched, this entry may be left in the registry	No
Manage Recovry Cleaner	X	recovre.exe	Detected by McAfee as RDN/Generic.dx!cst and by Malwarebytes as Backdoor.Agent.E	No
Policies	X	recovre.exe	Detected by McAfee as RDN/Generic.dx!cst and by Malwarebytes as Backdoor.Agent.PGen	No
Microsoft Recovery Manage System Cleaner	X	recovre.exe	Detected by McAfee as RDN/Generic.dx!cst and by Malwarebytes as Backdoor.Agent.E	No
Internet	X	recruit.exe	Detected by Sophos as W32/Rbot-AJG	No
RecShe	N	RecSche.exe	Recording scheduler for WatchTV Capture Card (TV Tuner card)	No
mysvcig38	X	recsl.exe	Added by a variant of W32/Rbot-FOU	No
real-con	X	recstart.exe	Detected by Malwarebytes as Adware.Korad. The file is located in %AppData%real-con	No
Time jugs	X	Rect Bike.exe	Memini adware	No
Recycle	X	Recycle.exe	Detected by Kaspersky as Trojan.Win32.Scar.bthf. The file is located in %System%	No
CurrentVersion	X	recyclebin.exe	Detected by Sophos as W32/AutoRun-AZX and by Malwarebytes as Worm.AutoRun.Gen	No
ftweak_recyclebinex	U	RecycleBinEx.exe	RecycleBinEx by FTweak Inc - 'a powerful and easy to use recycle bin manager for Windows Operating System. It extends and enhances the Windows recycle bin, and let you use many extra features in it'	Yes
RecycleBinEx	U	RecycleBinEx.exe	RecycleBinEx by FTweak Inc - 'a powerful and easy to use recycle bin manager for Windows Operating System. It extends and enhances the Windows recycle bin, and let you use many extra features in it'	Yes
Recycler DO NOT MODIFY	X	recyclecl.exe	Detected by Trend Micro as WORM_RBOT.DDA and by Malwarebytes as Backdoor.Bot	No
Clip	X	Recycled.exe	Detected by Sophos as W32/GlueBot-A and by Malwarebytes as Trojan.Agent	No
dll	X	Recycled.exe	Detected by Sophos as W32/Setrox-B	No
Recycle Bin Handler	X	recycler.exe	Detected by Sophos as Troj/Shuckbot-A	No
Papelera	X	recycler.exe	Detected by Malwarebytes as Trojan.Qhost. The file is located in %Recycled%	No
Recycler	X	RECYCLER.lnk	Detected by Trend Micro as WORM_WEBMONER.JC and by Malwarebytes as Spyware.PasswordStealer	No
Recycler.NT.exe	X	Recycler.NT.exe	Detected by Malwarebytes as Trojan.SpyEyes. The file is located in %Root%Recycler.NT	No
recyclerr	X	recyclerr.exe	Detected by McAfee as RDN/Generic Downloader.x!kq and by Malwarebytes as Backdoor.Agent	No
rec_**_#	U	rec_**_#.exe	Detected by Malwarebytes as PUP.Optional.Recover - where represents a 2 letter country code (ie, us, ca, jp, pl) and # represents one or more digits. The file is located in %ProgramFiles%rec__#. If bundled with another installer or not installed by choice then remove it	No
HKLM	X	red.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. The file is located in %UserTemp%	No
HKCU	X	red.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. The file is located in %UserTemp%	No
Policies	X	red.exe	Detected by Malwarebytes as Backdoor.Agent.PGen. The file is located in %UserTemp%	No
LantronixRedirector	?	red32.exe	Related to either the Secure Com Port Redirector or Com Port Redirector from Latronix. What does it do and is it required?	No
RedBull.exe	X	RedBull.exe	Detected by McAfee as RDN/Generic.bfr!fg and by Malwarebytes as Backdoor.Messa.E	No
Rede	X	Rede.exe	Detected by BitDefender as Win32.Rede.A@mm	No
RedeWiFi.exe Nacional	X	RedeWiFi.exe	Detected by Kaspersky as Trojan-Downloader.Win32.Agent.eird and by Malwarebytes as Trojan.Agent. The file is located in %CommonAppData%Wireless	No
Red Flag	N	redflag.exe	PMS prediction program with modes for guys and girls - no longer available	No
Red Gate	X	RedGate.exe	Detected by Malwarebytes as Trojan.Clicker. The file is located in %AppData%	No
Bol IM	N	RediffMessenger.exe	Rediff Bol instant messenger	No
redirect	X	redirect*.exe	Dotcomtoolbar/Linksummary hijacker installer - where * is a random digit	No
Facebook	X	Redox.exe	Detected by McAfee as Generic.dx and by Malwarebytes as Backdoor.Agent.DCE	No
red_bul_red_label_[digits].exe	X	red_bul_red_label_[digits].exe	Detected by Malwarebytes as Backdoor.Agent.E. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts - see an example here	No
#krn	X	ree#.exe	Detected by Malwarebytes as Trojan.Banker - where # represents a digit. The file is located in %Root%drivers - see examples here and here	No
Reek 32 Server	X	reek32.exe	Detected by Symantec as W32.Randex.gen	No
roen	X	reepn.exe	Detected by McAfee as RDN/Generic.bfr!ep and by Malwarebytes as Backdoor.Agent.DCE	No
Referee	U	referee.exe	MediaComm's monitor for file association changes. Stop rogue programs from screwing your settings either on installation or whenever they run	No
Macrium Reflect	Y	ReflectUI.exe	Pre-loads the user interface for Macrium Reflect by Paramount Software UK Ltd in the background - which is 'a complete disaster recovery solution for your home and office' providing disk imaging, file backup and disk cloning. Note - 'ReflectUI.exe' will load at startup anyway whether this entry is left enabled or not - hence the 'Y' status	No
Macrium Reflect UI Watcher	Y	ReflectUI.exe	Pre-loads the user interface for Macrium Reflect by Paramount Software UK Ltd in the background - which is 'a complete disaster recovery solution for your home and office' providing disk imaging, file backup and disk cloning. Note - 'ReflectUI.exe' will load at startup anyway whether this entry is left enabled or not - hence the 'Y' status	No
Reflect UI	Y	ReflectUI.exe	Pre-loads the user interface for Macrium Reflect by Paramount Software UK Ltd in the background - which is 'a complete disaster recovery solution for your home and office' providing disk imaging, file backup and disk cloning. Note - 'ReflectUI.exe' will load at startup anyway whether this entry is left enabled or not - hence the 'Y' status	No
Reflex Vision	U	ReflexVision.exe	Reflex Vision from Increment Software. 'A background application for Windows XP that makes switching windows faster and easier'	No
Refresh	N	Refresh.exe	(Iomega) Refresh - loads the Iomega (now LenovoEMC) desktop icons at startup	No
Reg Tool	X	Reg Tool.exe	RegTool rogue registry cleaner - not recommended, removal instructions here	No
Reg	X	Reg.hta	Passon homepage hi-jacker	No
REG1	X	REG1.exe	Detected by McAfee as Generic BackDoor and by Malwarebytes as Backdoor.Agent.E	No
Microsoft System Firewall 2006.2	X	reg32.exe	Added by a variant of W32/Sdbot.worm	No
Ereg	N	reg32.exe	EReg is a software registration tool incorporated on products such as those by Broderbund, Connectix, Hewlett-Packard, The Learning Company, and Sierra. Needless to say you don't need it	No
reg32	X	reg32.exe	Detected by Symantec as Trojan.Noupdate.B	No
Reg32	X	Reg32.exe	Hijacker - redirecting to only-virgins.com	No
Reg32	X	reg33.exe	CoolWebSearch parasite variant - also detected as the STARTPA-M TROJAN!	No
adober	X	RegAsm.exe	Detected by Malwarebytes as Trojan.Injector. Note - this entry either replaces or loads the legitimate 'RegAsm.exe' process which is located in %Windir%Microsoft.NETFrameworkv4.0.30319. Which is the case is unknown at this time	No
load	X	RegAsm.exe	Detected by Malwarebytes as Trojan.Agent.TskLnk. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'load' value data to include the file 'RegAsm.exe' (which is located in %AppData%)	No
load	X	RegAsm.exe	Detected by Malwarebytes as Trojan.Agent.MC. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'load' value data to include the file 'RegAsm.exe' (which is located in %AppData%MicrosoftConf)	No
RegAsm	X	RegAsm.exe	Detected by Malwarebytes as Trojan.Agent.SU. Note - this entry loads from the Windows Startup folder and the file is located in %CommonAppData%RegAsm	No
Regasm.exe	X	Regasm.exe	Detected by Sophos as Troj/MSIL-DDU and by Malwarebytes as Spyware.Agent.E. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
Explore	X	RegCheck.exe	Detected by Malwarebytes as Backdoor.Agent.DC. The file is located in %Windir%SystemEntry	No
FileSystemOptions	U	regCheck.vbs	Detected by Malwarebytes as PUP.Optional.NetFilter. The file is located in %LocalAppData%FileSystemOptions. If bundled with another installer or not installed by choice then remove it	No
FileSystemOptions#	U	regCheck.vbs	Detected by Malwarebytes as PUP.Optional.NetFilter - where # represents a digit. The file is located in %LocalAppData%FileSystemOptions. If bundled with another installer or not installed by choice then remove it	No
AML Registry Cleaner	U	regclean.exe	AML Free Registry Cleaner by AML Software - 'will safely clean and repair Windows Registry problems with a few clicks and enable you to enjoy a cleaner and more efficient PC.' Detected by Malwarebytes as PUP.Optional.AMLRegistryCleaner. The file is located in %ProgramFiles%AML ProductsRegistry Cleaner. If bundled with another installer or not installed by choice then remove it, removal instructions here	No
Registry Cleaner	X	Regclean.exe	Registry Cleaner misleading security software - not recommended, see here	No
RegClean	X	RegClean.exe	RegClean rogue registry cleaner - not recommended	No
Windows Host Process Cleaner	X	regcleaner.exe	Detected by Dr.Web as Trojan.DownLoader7.31726	No
RegClean Expert Scheduler	U	RegCleanExpert.exe	'Registry Clean Expert scans the Windows registry and finds incorrect or obsolete information in the registry. By fixing these obsolete information in Windows registry, your system will run faster and error free'. Detected by Malwarebytes as PUP.Optional.CleanMyPC. The file is located in %ProgramFiles%Registry Clean Expert. If bundled with another installer or not installed by choice then remove it	No
RDReminder	U	RegCleanPro.exe	RegClean Pro registry cleaner by Systweak Software. Detected by Malwarebytes as PUP.Optional.RegCleanPro. The file is located in %ProgramFiles%RegClean Pro or %ProgramFiles%RCP. If bundled with another installer or not installed by choice then remove it	No
Card Monitor	N	REGCNT09.exe	For the USB connection on a Panasonic PV-DV701 Digital Camcorder	No
CSHRZZ	X	reGcoD.exe	Detected by McAfee as RDN/Generic BackDoor!tj and by Malwarebytes as Backdoor.Messa.E	No
SAClient	N	RegCon.exe	ComCast, Insight, Mediacom & BresnanOnLine (and maybe others) BBClient - monitors system and network-delivered services for availability. Your current network status is displayed on a color-coded web page in near-real time. When problems are detected, you're immediately notified by e-mail, pager, or text messaging	No
regcore##	X	regcore.exe	Detected by Malwarebytes as Trojan.Agent.LNK.Generic - where # represents a digit. Note - this entry loads from the Windows Startup folder and the file is located in %AppData%Sys32	No
RegCompres	X	REGCPM32.EXE	Detected by Sophos as Troj/Dasmin-Fam	No
Regcxdinaf	X	REGCXDINAF.EXE	Detected by Sophos as Troj/Bancos-BW	No
Regcxn	X	Regcxn.exe	Detected by Sophos as Troj/Coiboa-D	No
RegDefend	U	regdefend.exe	RegDefend from Ghost Security - 'is a kernel based registry protection system, designed to use as few resources as possible. Instead of polling the registry looking for changes, RegDefend intercepts the changes before they occur. RegDefend comes installed to protect registry autostarts and some special registry keys, custom rules can also be added.' No longer supported	No
Registro do Windows	X	regdit.exe	Detected by McAfee as Generic PWS.y and by Malwarebytes as Trojan.Banker.WS. Note - this is not the valid Windows registry editor which resides in %Windir%. This one is located in %System%	No
process	X	regdllhelper.exe	Detected by McAfee as W32/Induc!no	No
Registry Driver	X	regdrv.exe	Detected by Trend Micro as TROJ_DELF.TAK and by Malwarebytes as Trojan.Downloader.Generic. The file is located in %AppData%	No
Registry Driver	X	regdrv.exe	Detected by Malwarebytes as Trojan.Downloader.Generic. The file is located in %Windir%registration	No
Optim1	X	regdtopt.exe	Detected by Symantec as Trojan.Ramvicrype and by Malwarebytes as Trojan.Agent	No
Optim2	X	regdtopt.exe	Detected by Symantec as Trojan.Ramvicrype and by Malwarebytes as Trojan.Agent	No
Optim3	X	regdtopt.exe	Detected by Symantec as Trojan.Ramvicrype and by Malwarebytes as Trojan.Agent	No
Optim4	X	regdtopt.exe	Detected by Symantec as Trojan.Ramvicrype and by Malwarebytes as Trojan.Agent	No
regdv	X	regdv.exe	Detected by McAfee as Generic.dx and by Malwarebytes as Backdoor.Agent.Gen	No
RegEasy.exe	X	RegEasy.exe	RegistryEasy bogus registry cleaning utility - not recommended, see here and here	No
sys	X	regedit -s [path to sysdllwm.reg]	CoolWebSearch parasite variant. Detected by Sophos as Troj/Femad-L. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted	No
sp	X	regedit -s [path] sp.dll	Malicious javascript annoyance that changes the default search engine in IE to one of many including 'topsearcher'. See here for more and a fix. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'sp.dll' is located in %Windir%	No
spp	X	regedit -s [path] spp.reg	IE search hijacker - changes the default search to h**p://www.hotsearchbox.com/ie/. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'spp.reg' file is located in %Root%	No
@	X	regedit -s [path] win.dll	Detected by Symantec as JS.Seeker.K. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'win.dll' file is located in %Windir%	No
win	X	regedit -s [path] win.dll	Detected by Symantec as JS.Seeker.K. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'win.dll' file is located in %Windir%	No
DJRegFix	N	regedit /s [path] djregfix.reg	DJRegFix showed up first in WinME as a 'clever' way to ensure that all Hewlett-Packard DeskJet printers actually worked with WinME - since most were having major problems. This 'utility' adds the functionality and compatibility HP forgot to add in its WinME drivers. The 'djregfix.reg' file is located in %Root%hp	No
REG	X	regedit /s [path] my.reg	Detected by McAfee as RDN/Generic.bfr!fg and by Malwarebytes as Trojan.StartPage. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'my.reg' file is located in %System%	No
sys	X	regedit /s [path] sys.reg	Detected by Symantec as Adware.Raxums. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'sys.reg' file is located in %Windir%	No
tourpath	N	regedit /s [path] tour.reg	Edits registry values to keep the Win 2000 'tour' in Task Scheduler. The 'tour.reg' file is located in %Windir%	No
regedit	X	regedit.exe	Detected by Symantec as W32.Brid.A@mm. Note - this is not the legitimate Windows registry editor (regedit.exe) which is located in %Windir%. This one is located in %System%	No
regedit	X	regedit.exe	Detected by Symantec as W32.Ganbate.A. Note - this is not the legitimate Windows registry editor (regedit.exe) which is located in %Windir%. This one is located in %Windir%securityDatabase	No
regedit.exe	X	regedit.exe	Detected by Malwarebytes as Trojan.Agent.E. Note - this is not the legitimate Windows registry editor (regedit.exe) which is located in %Windir%. This one is located in %AppData%[random]	No
regedit.exe	X	regedit.exe	Detected by Malwarebytes as Trojan.Injector.MSIL. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts and it is not the legitimate Windows registry editor (regedit.exe) which is located in %Windir%	No
Regedit32	X	regedit.exe	Detected by Sophos as Troj/Mdrop-CMO and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate Windows registry editor (regedit.exe) which is located in %Windir%. This one is located in %System%	No
[3-4 random letters]	X	regedit.exe	Detected by Symantec as Adware.PurityScan - also see the archived version of Andrew Clover's page. Note - this is not the valid Windows registry editor which resides in %Windir%	No
NeroCheck	X	regedit.exe	Detected by Symantec as W32.HLLW.Doomjuice.B. Note - this is not the valid Ahead Nero CD/DVD burning program. Also, this is not the legitimate Windows registry editor (regedit.exe) which is located in %Windir%. This one is located in %System%	No
Ccao	X	regedit.exe	Probably a variant of MediaTickets adware. Note - this is not the valid Windows registry editor which resides in %Windir%. This version resides in a 'mduu' sub-folder, which may change	No
Symantec Antivirus professional	X	regedit.exe	Added by a variant of W32/Forbot-Gen. The file is located in %System%	No
load	X	regedit.exe	Detected by Malwarebytes as Trojan.Injector.MSIL. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'load' value data to include the file 'regedit.exe' (which is located in %AppData%Windows and is not the legitimate Windows registry editor (regedit.exe) which is located in %Windir%)	No
Microsoft Host	X	Regedit.exe	Detected by Microsoft as TrojanDownloader:MSIL/Kilim.A and by Malwarebytes as Trojan.Agent.MH. Note - this is not the legitimate Windows registry editor (regedit.exe) which is located in %Windir%. This one is located in %System%001	No
Microsoft Regestry Edit Manager	X	regedit.exe	Detected by Microsoft as Worm:Win32/Slenfbot.IT. Note - this is not the legitimate Windows registry editor (regedit.exe) which is located in %Windir%. This one is located in %System%	No
SystemSearch	X	regedit.exe -s [path] ie.reg	Installs a Seachxl.com browser page hijack. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'ie.reg' file is located in %Root%	No
SysSearch	X	Regedit.exe -s [path] pcsearch.reg	Detected by McAfee as StartPage-FN. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'pcsearch.reg' file is located in %Windir%	No
SystemSearch	X	regedit.exe -s [path] sys.reg	Installs a i--search.com browser page hijack. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'sys.reg' file is located in %Windir%	No
SysSearch	X	Regedit.exe -s [path] sysreg.reg	Detected by Sophos as Troj/StartPa-ME. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'sysreg.reg' file is located in %Windir%	No
(Default)	X	regedit.exe /s [path] appboost.reg	Detected by Symantec as W32.Appix.D.Worm. Note - this malware actually changes the value data of the '(Default)' key in HKLMRun and HKCURunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank. The Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'appboost.reg' file is located in %Windir%	No
Internal	X	regedit.exe /s [path] c[month number]	Detected by Symantec as JS.Fortnight.D. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'c[month number]' file is located in %Windir%	No
data789	X	regedit.exe /s [path] data789.tmp	Homepage hijacker. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'data789.tmp' file is located in %Windir%	No
PowerSet	?	Regedit.exe /s [path] PowerSet_8100_CU.REG	Appears to be Toshiba power management related. The 'PowerSet_8100_CU.REG' file is located in %Windir%	No
setupuser	X	regedit.exe /s [path] setupuser.log	Regfile in disguise - another CoolWebSearch parasite variant. Note that the Windows registry editor (regedit.exe) is a legitimate Microsoft file located in %Windir% and shouldn't be deleted. The 'setupuser.log' file is located in %Windir%	No
start	X	regedit.lnk	Detected by Sophos as Troj/DLOADR-DKH	No
Secure64	X	Regedit32.com StartUp	Detected by Sophos as W32/Brontok-CJ and by Malwarebytes as Worm.Brontok	No
RegEdit32	X	RegEdit32.exe	Detected by Sophos as W32/Voumit-A and by Malwarebytes as Trojan.Agent. The file is located in %Root%mirc32	No
regedit32	X	regedit32.exe	Detected by Dr.Web as Trojan.Siggen4.26128 and by Malwarebytes as Trojan.Agent. The file is located in %WIndir%	No
Microsoft Regestry Manager	X	regedit32.exe	Added by a variant of the IRCBOT.ARD WORM!	No
Service Registry NT Save	X	regeditnt.exe	Detected by Sophos as Troj/Bancos-BM	No
Regedit	X	regedits.exe	Detected by Sophos as Troj/Bancban-QV	No
tsx	X	regedlt.exe	Detected by Sophos as W32/Sdbot-KA. Note the lower case 'L' in place of the lower case 'I' in the command	No
NOD32 FiX	X	regedt32.exe	NodFix cannot be recommended and is given an (X) status because we do not and will not support Cracks or Warez. Do not delete the regedt32.exe as it is a legitimate Windows application. NodFix interferes with the default settings of the NOD32 AV application allowing users to bypass its free use period and changes the default update server allowing to update NOD32 without password. Note - to avoid interfering with the NOD32 application original settings no full cleanup can be provided	No
Windows Registry Express Loader	X	regexpress.exe	Detected by Sophos as W32/Forbot-CJ	No
regFreeze	X	regfreeze.exe	RegFreeze rogue spyware remover - not recommended, removal instructions here. The file is located in %ProgramFiles%RegFreeze	No
O7P88QAR90EAUU1OD5JRUH3UMBQP219385	X	reggnadi.exe	Detected by McAfee as RDN/Generic.dx and by Malwarebytes as Backdoor.Agent.E	No
reghost	X	reghost.exe	SpyPal surveillance software. Uninstall this software unless you put it there yourself	No
/AMFfunoK3CyHfgD	X	regini.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %AppData%MozillaFirefoxProfileseagmsx8v.defaultweavechanges	No
Registry Integrity Checker	X	regintmon.exe	Added by a variant of WORM_AGOBOT.GEN. The file is located in %System%	No
Register MediaRing Talk	N	register.exe	Registration reminder for MediaRing Talk (now S-unno)	No
Winregister	X	Register.exe	Detected by McAfee as RDN/Generic.bfr!ft and by Malwarebytes as Trojan.Agent.WNA	No
palmOne Registration	N	register.exe	Registration reminder for PalmOne PDAs (personal digital assistants) - a former incarnation of Palm, Inc who were eventually acquired by HP in 2010	No
RegisterKey	X	RegisterKey.exe	Detected by Malwarebytes as Spyware.Remcos. The file is located in %LocalAppData%	No
RegisterKey.exe	X	RegisterKey.exe	Detected by Malwarebytes as Spyware.Remcos. The file is located in %LocalAppData%	No
WINDOWS REGISTER EDIT	X	registr32.exe	Added by an unidentified WORM or TROJAN!	No
WordPerfect Office 1215	N	Registration.exe	Corel WordPerfect Office 12 registration wizard	No
CorelDRAW Graphics Suite 11b	N	Registration.exe	Registration wizard for version 11b of the CorelDRAW® Graphics Suite design software	No
Microsoft® Windows® Operating System	X	Registry.exe	Detected by McAfee as Generic BackDoor and by Malwarebytes as Backdoor.Agent	No
Registry Services	X	Registry.exe	Detected by Symantec as Downloader.Cile	No
BORLAND	X	registry.exe	Detected by McAfee as RDN/Generic BackDoor and by Malwarebytes as Backdoor.Agent.DCE	No
RegistryMonitor	X	registry.pif	Detected by Symantec as Adware.Affilred	No
Registry Services	X	Registry32.exe	Detected by Symantec as Backdoor.Lithium	No
Microsoft Regestry Manager	X	registry32.exe	Detected by Trend Micro as WORM_IRCBOT.ARD	No
Reg32	X	Registry32.exe	Detected by Symantec as Backdoor.Crazynet and by Malwarebytes as Backdoor.Agent.RGGen	No
RegistryBooster	U	RegistryBooster.exe	RegistryBooster (now superseded by RegistryCleanerKit) registry optimizer utility from Uniblue Systems Limited - which will 'clean, repair and optimize your system.' Detected by Malwarebytes as PUP.Optional.Uniblue. The file is located in %ProgramFiles%UniblueRegistryBooster. If bundled with another installer or not installed by choice then remove it	Yes
Uniblue Registry Booster	U	RegistryBooster.exe	RegistryBooster (now superseded by RegistryCleanerKit) registry optimizer utility from Uniblue Systems Limited - which will 'clean, repair and optimize your system.' Detected by Malwarebytes as PUP.Optional.Uniblue. The file is located in %ProgramFiles%UniblueRegistryBooster. If bundled with another installer or not installed by choice then remove it	Yes
Uniblue RegistryBooster 2	U	RegistryBooster.exe	RegistryBooster (now superseded by RegistryCleanerKit) registry optimizer utility from Uniblue Systems Limited - which will 'clean, repair and optimize your system.' Detected by Malwarebytes as PUP.Optional.Uniblue. The file is located in %ProgramFiles%UniblueRegistryBooster 2. If bundled with another installer or not installed by choice then remove it	Yes
Uniblue RegistryBooster 2009	U	RegistryBooster.exe	RegistryBooster (now superseded by RegistryCleanerKit) registry optimizer utility from Uniblue Systems Limited - which will 'clean, repair and optimize your system.' Detected by Malwarebytes as PUP.Optional.Uniblue. The file is located in %ProgramFiles%UniblueRegistryBooster. If bundled with another installer or not installed by choice then remove it	Yes
RegistryCleanFixMFC	X	registrycleanfix.exe	RegistryCleanFix rogue registry cleaner - not recommended	No
RegistryClever	X	RegistryClever.exe	RegistryClever rogue registry cleaner - not recommended, removal instructions here	No
TrayScan	X	RegistryCleverTray.exe	RegistryClever rogue registry cleaner - not recommended, removal instructions here	No
PDF Converter Registry Controller	?	RegistryController.exe	Part of the PDF creating/editing utilities from Nuance (was ScanSoft), often bundled with printers	No
PDF3 Registry Controller	?	RegistryController.exe	Part of the PDF creating/editing utilities from Nuance (was ScanSoft), often bundled with printers	No
PDF4 Registry Controller	?	RegistryController.exe	Part of the PDF creating/editing utilities from Nuance (was ScanSoft), often bundled with printers	No
PDF5 Registry Controller	?	RegistryController.exe	Part of the PDF creating/editing utilities from Nuance (was ScanSoft), often bundled with printers	Yes
PDF6 Registry Controller	?	RegistryController.exe	Part of the PDF creating/editing utilities from Nuance (was ScanSoft), often bundled with printers	No
PDF7 Registry Controller	?	RegistryController.exe	Part of the PDF creating/editing utilities from Nuance (was ScanSoft), often bundled with printers	No
PDF8 Registry Controller	?	RegistryController.exe	Part of the PDF creating/editing utilities from Nuance (was ScanSoft), often bundled with printers	No
REGISTRYCONTROLLER.EXE	?	RegistryController.exe	Part of the PDF creating/editing utilities from Nuance (was ScanSoft), often bundled with printers	No
Nuance PDF Products	?	RegistryController.exe	Part of the PDF creating/editing utilities from Nuance (was ScanSoft), often bundled with printers	No
RegistryDoctor2008	X	registrydoctor.exe	RegistryDoctor2008 rogue registry cleaner - not recommended, removal instructions here	No
RegistryDoktorFrNET	X	RegistryDoktor.exe	Detected by Malwarebytes as Rogue.RegistryDoctor. The file is located in %ProgramFiles%Registry Doktor [version]	No
RegistryFix.exe	X	registryfix.exe	RegistryFix rogue registry cleaner - not recommended, removal instructions here. The homepage for the tool has a poor reputation	No
RegistryGreat.exe	X	RegistryGreat.exe	Registry Great rogue registry cleaner - not recommended	No
Registry Helper	N	RegistryHelper.Exe	Registry Helper by SafeApp Software, LLC - 'is easy-to-use software that scans, identifies, and deletes the detected Invalid Entries in your computer's registry'	No
Microsoft	X	RegistryKey.exe	Detected by Malwarebytes as Trojan.Agent.E.Generic. The file is located in %AppData%Microsoft	No
Register Manager	X	RegistryManage.exe	Detected by Trend Micro as WORM_SDBOT.AYH	No
registrymeccanicrak.exe	X	registrymeccanicrak.exe	Detected by Dr.Web as Trojan.DownLoader10.45703 and by Malwarebytes as Trojan.Downloader.E	No
run=	X	RegistryReminder.exe	Detected by McAfee as APStrojan.ob	No
Registry Repair	U	RegistryRepair.exe	Older version of Glarysoft Registry Repair - 'A perfect solution allows you to safely scan, clean, and repair registry problems.' Version 5.* onwards doesn't include a startup entry	No
Registry Repair Doctor	X	RegistryRepair.exe	Registry Repair Doctor registry cleaner by Malware Sweeper. No longer available and not recommended as Malwarebytes detects Malware Sweeper itself as Rogue.MalwareSweeper. The file is located in %ProgramFiles%Registry Repair Doctor	No
Windows Registry Repair Pro	U	RegistryRepairPro.exe	Registry Repair Pro. 'Scans the Windows Registry for invalid or obsolete information in the registry'	No
Registry Reviver	U	RegistryReviver.exe	Registry Reviver from ReviverSoft - is 'a utility program designed to scan your computer for registry errors and fix them, to better optimize your computer's performance and stability. It is the perfect tool to perform maintenance and optimize the Windows Registry.' Detected by Malwarebytes as PUP.Optional.RegistryReviver. The file is located in %ProgramFiles%ReviversoftRegistry Reviver. If bundled with another installer or not installed by choice then remove it	No
Registry Services	X	RegistryServiceBackup.vbs	Detected by Dr.Web as Win32.HLLW.Autoruner1.57255	No
Network Services	X	RegistryServiceBackup.vbs	Detected by Dr.Web as Trojan.Siggen3.61466 and by Malwarebytes as Trojan.Agent	No
RegistrySmart	X	RegistrySmart.exe	Detected by Malwarebytes as Rogue.RegistrySmart. The file is located in %ProgramFiles%RegistrySmart	No
Regman	X	RegistrySweeperPro.exe	RegistrySweeper rogue registry cleaner - not recommended	No
REGIST~1	U	REGIST~1.EXE	Part of the OCR software TextBridge Pro 9.0 (and possibly earlier versions). Typically used with imaging devices such as scanners and digital cameras for creating text documents from images. This item will probably be displayed twice and will re-instate itself whenever you start the main program so leave it - once started it frees the memory it used. Its purpose and an explanation of how to correct a problem it creates for 'Send To' can be found here. Note that you don't have to uninstall TextBridge for this fix to work and the program works fine afterwards. Not used on later versions of the software - hence the 'U' recommendation	No
RegisterDropHandler	U	REGIST~1.EXE	Part of the OCR software TextBridge Pro 9.0 (and possibly earlier versions). Typically used with imaging devices such as scanners and digital cameras for creating text documents from images. This item will probably be displayed twice and will re-instate itself whenever you start the main program so leave it - once started it frees the memory it used. Its purpose and an explanation of how to correct a problem it creates for 'Send To' can be found here. Note that you don't have to uninstall TextBridge for this fix to work and the program works fine afterwards. Not used on later versions of the software - hence the 'U' recommendation	No
Mircrosoft Technic Help	X	RegKey.exe	Added by a variant of W32.Spybot.Worm. The file is located in %System% - see here	No
RegKillTray	N	RegKillTray.exe	Elaborate Bytes' now discontinued DVD Region Killer utility enables you to play DVD titles made for different regions on your PC, without the hassle to switch the region	Yes
DVD Region Killer	N	RegKillTray.exe	Elaborate Bytes' now discontinued DVD Region Killer utility enables you to play DVD titles made for different regions on your PC, without the hassle to switch the region	Yes
CheckScan32	X	regload16.exe	Detected by Trend Micro as WORM_AEBOT.K	No
Registry Loader	X	regloadr.exe	Detected by Symantec as W32.HLLW.Gaobot.AO	No
Regmonitor	X	regmaping.exe	Detected by Symantec as W32.Beagle.DO@mm	No
Registry Mechanic	N	RegMech.exe	Part of Registry Mechanic from PC Tools by Symantec (now discontinued) - which 'is an advanced registry cleaner for Windows that can safely clean, repair and optimize your registry in a few simple mouse clicks!' This entry is created when Registry Mechanic is installed on XP and loads the System Tray icon and runs a registry scan at startup - if either are enabled. Run manually at regular intervals	Yes
RegistryMechanic	N	RegMech.exe	Part of Registry Mechanic from PC Tools by Symantec (now discontinued) - which 'is an advanced registry cleaner for Windows that can safely clean, repair and optimize your registry in a few simple mouse clicks!' This entry is created when Registry Mechanic is installed on XP and loads the System Tray icon and runs a registry scan at startup - if either are enabled. Run manually at regular intervals	Yes
RegMech	N	RegMech.exe	Part of Registry Mechanic from PC Tools by Symantec (now discontinued) - which 'is an advanced registry cleaner for Windows that can safely clean, repair and optimize your registry in a few simple mouse clicks!' This entry is created when Registry Mechanic is installed on XP and loads the System Tray icon and runs a registry scan at startup - if either are enabled. Run manually at regular intervals	Yes
Registry Monitor	X	regmon.exe	Detected by Sophos as Troj/Bckdr-QKH	No
CheckRegDefragOnce	Y	regopt.exe	Registry Defragger and Optimizer part of an older version of the Advanced System Optimizer utility suite by Systweak Software	No
wininet.dll	X	regperf.exe	Detected by Symantec as Trojan.Zlob	No
RegPowerClean	X	RegPowerClean.exe	Registry Power Cleaner rogue registry cleaner - not recommended	No
AUTOPROP	N	REGPROP.EXE WMPADDIN.DLL	Both the files are in the MS OfficeBotsFP_WMP directory. Apparently, it registers the FrontPage WiMP extension	No
RegProt	Y	Regprot.exe	RegistryProt from DiamondCS - protects the system registry against changes	No
Registry Protector	X	regprotect.exe	Detected by Trend Micro as WORM_ARIVER.A	No
Regptmens	X	Regptmens.exe	Detected by Sophos as Troj/Bancos-ED	No
Registry Checker	X	Regrun.exe	Detected by Symantec as Backdoor.Sdbot	No
Windows Services Agant	X	regs32.exe	Detected by Sophos as W32/Sdbot-DIK	No
Windows Registry Scan	X	regscan.exe	Detected by Sophos as W32/Rbot-HA and by Malwarebytes as Trojan.Downloader	No
RegScan	X	Regscan.exe	Detected by Sophos as Troj/Clicker-DV and by Malwarebytes as Trojan.Downloader. The file is located in %System%	No
RegScan	X	Regscan.exe	Detected by Symantec as Backdoor.Talex. The file is located in %Windir%	No
Windows Registry Scan	X	regscan23.exe	Added by a variant of Backdoor:Win32/Rbot. The file is located in %System%	No
Windows Registry Scan	X	regscan32.exe	Detected by Trend Micro as WORM_RBOT.KE	No
Regscan	X	regscanr.exe	Detected by Sophos as Troj/Optix-SE	No
Server Registry	X	regscr32.exe	Detected by Sophos as Troj/Bifrose-ZB	No
Windows Update Service	X	regscv.exe	Detected by Sophos as W32/Agobot-AM	No
WindowsUpdateR	X	regserv.exe	Detected by Malwarebytes as Backdoor.IRCBot.Gen. The file is located in %System%	No
Registry Server	X	regserv.exe	Added by a variant of W32.IRCBot. The file is located in %System% - see here	No
Windows Registry Services	X	regserv.exe	Detected by Microsoft as Worm:Win32/Slenfbot.BB	No
RegServer	?	regserve.exe	Related to XGI Technology's Volari graphics cards. What does it do and is it required?	No
RSListener	U	RegServeRSListener.exe	RegServe by Xionix Inc 'makes managing your computers registry easy by automatically scanning your computer for corrupt or damaged registry files.' Detected by Malwarebytes as PUP.Optional.RegDefense. The file is located in %ProgramFiles%RegServe. If bundled with another installer or not installed by choice then remove it	No
regservices.exe	X	regservices.exe	Added by an unidentified VIRUS, WORM or TROJAN!	No
REGSERVO	U	REGSERVO.exe	REGSERVO is the one program you need when you have to fix a damaged or corrupted registry with confidence and safety. Detected by Malwarebytes as PUP.Optional.REGServo. The file is located in %ProgramFiles%REGSERVO. If bundled with another installer or not installed by choice then remove it	No
RegShave	N	regshave.exe	Part of the USB driver for your Fuji digital cameras - used when uninstalling the USB drivers, erasing all entries from the registry. Only required BEFORE attempting to uninstall the Fuji software or the uninstall may not work correctly	No
Norton Anti-Virus	X	RegShellEx.com	Detected by Malwarebytes as Backdoor.Agent.E. The file is located in %System%	No
System Profile	X	regsrv.exe	Detected by Trend Micro as BKDR_OPTIX.12B	No
regsrv.exe	X	regsrv.exe	Detected by Malwarebytes as PasswordStealer.Agent. The file is located in %System%	No
REGEDIT	X	Regsrv32.com	Detected by Symantec as W32.HLLW.Southghost	No
[executed file name]	X	Regsrv32.com	Detected by Symantec as W32.HLLW.Southghost	No
Microsoft DLL Registration	X	regsrv32.exe	Detected by Trend Micro as TROJ_VICENOR.AE and by Malwarebytes as Backdoor.Agent.MDR	No
Windows Primary Login	X	regsrv32.exe	Detected by Microsoft as Worm:Win32/Pushbot and by Malwarebytes as Backdoor.Agent. The file is located in %AppData%O-858454-6314-2-64	No
Registry Server	X	regsrv32.exe	Detected by Sophos as W32/Rbot-GM	No
Server Registry	X	regsrv32.exe	Detected by Sophos as Troj/VB-EJD	No
Reg Service	X	REGSRV32.EXE	Detected by Trend Micro as WORM_RBOT.ZW	No
Microsoft DLL Registaation	X	regsrv33.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %AppData%	No
Microsoft DLL Registrations	X	regsrv34.exe	Detected by Malwarebytes as Trojan.Agent.AQM. The file is located in %AppData%	No
Microsoft DLL Registration	X	regsrv64.exe	Detected by Sophos as Troj/VBKrypt-AL and by Malwarebytes as Backdoor.Agent.MDR	No
RegSrv64D	X	RegSrv64D.exE	Detected by Trend Micro as WORM_WINKO.AO	No
HControlUser	X	RegSrvc.exe	Detected by Dr.Web as Trojan.MulDrop4.3133	No
regsrvc	X	regsrvc.exe	Detected by Sophos as Troj/Stoped-A	No
Windows Update	X	RegSrvc32.exe	Detected by Dr.Web as Trojan.DownLoader8.703 and by Malwarebytes as Worm.Inject	No
Regsv	X	regsv.exe	Search hijacker - redirecting to scheo.com	No
Regsvc	X	regsv.exe	Added by unidentified malware. The file is located in %Windir%system	No
Registry Service	X	regsvc.exe	Detected by Sophos as Troj/IRCBot-ZM	No
MS Security	X	RegSvc.exe	Detected by McAfee as RDN/Generic.dx!dcq and by Malwarebytes as Backdoor.Agent.IMN	No
Task Commander	X	regsvc32.exe	Detected by Sophos as W32/Agobot-RX	No
MSRegSvc	X	regsvc32.exe	Homepage hijacker that changes your homepage to an adult content site	No
regsvc32	X	regsvc32.exe	Homepage hijacker that changes your homepage to an adult content site	No
Generic Service Process	X	regsvc32.exe	Detected by Symantec as W32.Gaobot.UJ and by Malwarebytes as Backdoor.IRCBot.Gen	No
regsvcdll	U	regsvcdll.exe	Power Spy surveillance software. Uninstall this software unless you put it there yourself	No
NetWire	X	RegSvcs.exe	Detected by Sophos as Troj/Malit-AE and by Malwarebytes as Backdoor.Agent.E. Note - this entry either replaces or loads the legitimate 'RegSvcs.exe' process which is located in %Windir%Microsoft.NETFrameworkv2.0.50727. Which is the case is unknown at this time	No
NetWire	X	RegSvcs.exe	Detected by Sophos as Troj/Agent-AFXD and by Malwarebytes as Backdoor.Agent.E. Note - this entry either replaces or loads the legitimate 'RegSvcs.exe' process which is located in %Windir%Microsoft.NETFrameworkv4.0.30319. Which is the case is unknown at this time	No
AudioCodec	X	RegSvcs.exe	Detected by Dr.Web as Trojan.PWS.Siggen1.4248 and by Malwarebytes as Trojan.Agent. Note - this entry either replaces or loads the legitimate 'RegSvcs.exe' process which is located in %Windir%Microsoft.NETFrameworkv4.0.30319. Which is the case is unknown at this time	No
RegSvcs.exe	X	RegSvcs.exe	Detected by Malwarebytes as Trojan.Agent. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
RegSvcsNET	X	RegSvcsNET.exe	Detected by Dr.Web as Trojan.DownLoader11.29025 and by Malwarebytes as Backdoor.Agent.DCE	No
Registry Serv	X	regsvr.exe	Detected by Malwarebytes as Backdoor.Bot. The file is located in %System%	No
Msn Messsenger	X	regsvr.exe	Detected by Sophos as Troj/Agent-GXM and by Malwarebytes as Trojan.IMWorm	No
Yahoo Messengger	X	regsvr.exe	Detected by Symantec as W32.Imaut.CN and by Malwarebytes as Backdoor.Bot	No
DHCP Server	X	regsvr.exe	Detected by Sophos as W32/Rbot-PR and by Malwarebytes as Backdoor.Bot	No
regsvr	X	regsvr.exe	Detected by Sophos as Troj/WebMoney-G and by Malwarebytes as Backdoor.Bot	No
Windows Registry Service	X	regsvr16.exe	Detected by McAfee as RDN/Generic.grp!d and by Malwarebytes as Backdoor.Agent	No
#VMGCLIENT	X	regsvr32 /s #VMGCLIENT.jpg	Detected by Malwarebytes as Trojan.Banker.VMG - where # represents a digit. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The '#VMGCLIENT.jpg' file is located in %AppData% - see examples here	No
evx	X	regsvr32 /s evx.r3x	Detected by Sophos as Troj/Agent-ZIY and by Malwarebytes as Trojan.Banker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'evx.r3x' file is located in %AppData%	No
Kazaa Download Accelerator Updater (required)	X	regsvr32 /s kdp[random].dll	SafeguardProtect/Veevo hijacker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'KDP[random].dll' file is located in %System%	No
MsmqIntCert	?	regsvr32 /s mqrt.dll	Microsoft Message Queue Server - Internal Certificate - see here for more info and here for a potential problem. Is it required?	No
mshtmll	X	regsvr32 /s mshtmll.dll	Detected by ThreatTrack Security as Trojan-Downloader.Win32.Delf.bas. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'mshtmll.dll' file is located in %System%	No
Popup Defence Updater	X	regsvr32 /s PDF[random].dll	SafeguardProtect/Veevo hijacker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'pdf[random].dll' file is located in %System%	No
SafeGuard Popup Updater (required)	X	regsvr32 /s PDF[random].dll	SafeguardProtect/Veevo hijacker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'PDF[random].dll' file is located in %System%	No
SafeGuard Popup Blocker Updater	X	regsvr32 /s sfg[random].dll	SafeguardProtect/Veevo hijacker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'sfg[random].dll' file is located in %System%	No
SafeGuard Popup Blocker Updater (required)	X	regsvr32 /s sfg[random].dll	SafeguardProtect/Veevo hijacker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'sfg[random].dll' file is located in %System%	No
SafeGuard Popup Updater (required)	X	regsvr32 /s sfg[random].dll	SafeguardProtect/Veevo hijacker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'sfg[random].dll' file is located in %System%	No
PCShield	X	regsvr32 /s sfg_[random].dll	SafeguardProtect/Veevo hijacker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'sfg_[random].dll' file is located in %System%	No
ssl	X	regsvr32 /s ssheay.dll	Detected by Malwarebytes as Trojan.Agent. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'ssheay.dll' file is located in %AppData%openssl	No
Popup Blocker Updater	X	regsvr32 /s veev[random].dll	SafeguardProtect/Veevo hijacker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'veev[random].dll' file is located in %System%	No
MSN	X	regsvr32 /s Winetwork.dll	Detected by McAfee as Downloader.a!oq and by Malwarebytes as Trojan.Agent. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'Winetwork.dll' file is located in %Root%	No
dmn	X	regsvr32 /s [filename].jpg	Detected by Malwarebytes as Trojan.Banker.EME. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The '[filename].jpg' file is located in %AppData% - see an example here	No
Vmlist	X	regsvr32 /s [path] apphelps.dll	Detected by Total Defense as Win32/Almanahe.A. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'apphelps.dll' file is located in %Windir%AppPatch	No
ygh	X	regsvr32 /s [UserName].jpg	Detected by Malwarebytes as Trojan.Banker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The '[UserName].jpg' file is located in %AppData%	No
[UserName]	X	regsvr32 /s [username].jpg	Detected by Malwarebytes as Trojan.Banker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The '[username].jpg' file is located in %AppData%	No
dw1	X	regsvr32 /s [UserName].jpg	Detected by Malwarebytes as Trojan.Banker. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The '[UserName].jpg' file is located in %AppData%	No
uninstal	X	regsvr32 image.dll	CoolWebSearch parasite variant. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'image.dll' file is located in %System%	No
dispraisers	X	regsvr32 [path] ctfmonm.dll	Detected by Symantec as Infostealer.Rodagose. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'ctfmonm.dll' file is located in %Windir%	No
WINUP	X	regsvr32 [path] [filename].dll	Detected by Malwarebytes as Trojan.Agent.WNUGen. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The '[filename].dll' file is located in %Temp%	No
wuauclt	X	regsvr32 [path] [filename].dll	Detected by Malwarebytes as Trojan.Downloader. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The DLL file is located in %AppData%Microsoftwuauclt - see an example here	No
Windows Desktop Update	X	regsvr32.exe	Detected by McAfee as RDN/Ransom and by Malwarebytes as Backdoor.Agent.DC. Note - this is not the legitimate regsvr32.exe process, which is located in %System%. This one is located in %LocalAppData%Google	No
Generic Service Process	X	regsvr32.exe	Detected by Sophos as W32/Agobot-JU and by Malwarebytes as Backdoor.IRCBot.Gen	No
WU4_RegSvr	?	regsvr32.exe /s AUHOOK.DLL	Related to Windows AutoUpdate on WinME (and maybe others). Loads via HKLMRunOnce and the 'AUHOOK.DLL' file is located in %System%. See here for more information	No
FSCBoss.exe	N	regsvr32.exe /s FSCBoss.exe	Free Store Club shop online software	No
SchedulerManagement	X	Regsvr32.exe /s NPDateControl.dll	Detected by Malwarebytes as Trojan.Agent. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'NPDateControl.dll' file is located in %CommonAppData%{7414692D-4FF3-3F37-E9D3-8FB92EA723DD}	No
DelayHandlers	X	regsvr32.exe /s NPLoadRegistry.dll	Detected by Malwarebytes as Trojan.Agent. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'NPLoadRegistry.dll' file is located in %CommonAppData%{C565A1F1-A0C5-DEB6-76C4-DC251A3C1A98}	No
AssociationStart	X	Regsvr32.exe /s NPShellApp.dll	Detected by Malwarebytes as Trojan.Agent. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'NPShellApp.dll' file is located in %CommonAppData%{C743D427-453E-A4D6-0A2F-BF565720C267}	No
Olqlarv	X	regsvr32.exe /s Olqlarv.dll	Detected by Malwarebytes as Trojan.Chrome.INJ. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'Olqlarv.dll' file is located in %LocalAppData%VirtualStore	No
supdate2.dll	X	regsvr32.exe /s supdate2.dll	Detected by Sophos as Troj/Zlob-VL. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'supdate2.dll' file is located in %System%	No
WU2_RegSvr	?	regsvr32.exe /s WUAUPD98.DLL	Related to Windows AutoUpdate on WinME (and maybe others). Loads via HKLMRunOnce and the 'WUAUPD98.DLL' file is located in %System%. See here for more information	No
[6 characters]	X	regsvr32.exe /s [6 characters].dat	Detected by Malwarebytes as Trojan.Agent.RNSGen. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The file is located in %CommonAppData% - see an example here	No
CryptoUpdate	X	regsvr32.exe /s [path to file]	Detected by Dr.Web as Trojan.DownLoader12.46475 and by Malwarebytes as Trojan.Ransom.CryptoWall. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted, see examples here and here	No
REGSCRLIB	X	regsvr32.exe /s [path] scrrun.dll	Detected by McAfee as MultiDropper-SG. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'scrrun.dll' file is located in %System%	No
sukuwdoa	X	regsvr32.exe /s [path] sukuwdoa.dat	Detected by Malwarebytes as Trojan.FakeMS. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'sukuwdoa.dat' file is located in %CommonAppData%	No
WinResSync	X	regsvr32.exe /s [path] [filename].rs	Detected by Malwarebytes as Trojan.Agent.TPL. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. See an example here	No
WinResSync	U	regsvr32.exe /s [path] {GUID}.rs	Detected by Malwarebytes as PUP.Optional.WinResSync.Generic. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The file is located in %AppData%MicrosoftProtect. If bundled with another installer or not installed by choice then remove it, removal instructions here	No
apnhzm	X	regsvr32.exe apnhzm.dat	Detected by Malwarebytes as Trojan.Ransom.Gen. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'apnhzm.dat' file is located in %CommonAppData%	No
RegBar	U	regsvr32.exe bocaitoolbar.dll	BocaiToolbar adware. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'bocaitoolbar.dll' file is located in %ProgramFiles%blogmark	No
AsioReg	U	regsvr32.exe ctasio.dll	ASIO (Audio Stream In/Out) drivers for the SoundBlaster Audigy 2 series soundcards - for recording and home project studios. Required if you use this functionality	No
AsioThk32Reg	U	regsvr32.exe ctasio.dll	ASIO (Audio Stream In/Out) drivers for the SoundBlaster Audigy 2 series soundcards - for recording and home project studios. Required if you use this functionality	No
mfhsornwnduy	X	regsvr32.exe gisyflngpshcvuakv.dll	Pro AntiSpyware 2009 rogue spyware remover - not recommended, removal instructions here. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'gisyflngpshcvuakv.dll' file is located in %System%	No
Ir41_32.ax	U	regsvr32.exe Ir41_32.ax	Intel® Indeo® video 4.4 Decompression Filter related. The 'Ir41_32.ax' file is located in %System%	No
kvern16.dll	X	regsvr32.exe kvern16.dll	DailyWinner adware. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'kvern16.dll' file is located in %System%	No
Oppics Update	U	regsvr32.exe PMFileReader.dll	Detected by Malwarebytes as PUP.Optional.Acronet. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'PMFileReader.dll' file is located in %LocalAppData%Oppics. If bundled with another installer or not installed by choice then remove it	No
rmoc3260.dll OCX	U	regsvr32.exe rmoc3260.dll	A module that contains COM components for media playback used by both RealPlayer and Windows Media Player - see here. The 'rmoc3260.dll' file is located in %System%	No
vern16.dll	X	regsvr32.exe vernn16.dll	DailyWinner adware. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'vernn16.dll' file is located in %System%	No
Oppics	U	regsvr32.exe [filename].dll	Detected by Malwarebytes as PUP.Optional.Acronet. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The '[filename].dll' file is located in %LocalAppData%Oppics. If bundled with another installer or not installed by choice then remove it	No
AproQaytu	X	regsvr32.exe [path] AproQaytu.dat	Detected by Malwarebytes as Trojan.Agent.PP. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'AproQaytu.dat' file is located in %CommonAppData%AproQaytu	No
Register SeqChk	?	regsvr32.exe [path] csseqchk.dll	The file is located in %System%	No
MSSecurity	X	regsvr32.exe [path] dump21cb.dll	Detected by Symantec as Trojan.Denpur and by Malwarebytes as Trojan.InfoStealer.DLL. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'dump21cb.dll' file is located in %CommonAppData%	No
EmdaNzagi	X	regsvr32.exe [path] EmdaNzagi.dat	Detected by Malwarebytes as Trojan.Ransom.ED. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'EmdaNzagi.dat' file is located in %CommonAppData%	No
ErziZsom	X	regsvr32.exe [path] ErziZsom.dat	Detected by Malwarebytes as Trojan.Tepfer.FA. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'ErziZsom.dat' file is located in %CommonAppData%ErziZsom	No
IvyiFyey	X	regsvr32.exe [path] IvyiFyey.dat	Detected by Malwarebytes as Trojan.Tepfer.FA. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'IvyiFyey.dat' file is located in %CommonAppData%IvyiFyey	No
GosiJuwv	X	regsvr32.exe [path] NoneLmalu.srq	Detected by Malwarebytes as Trojan.FakeMS. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'NoneLmalu.srq' file is located in %CommonAppData%GosiJuwv	No
OmcadEyura	X	regsvr32.exe [path] OmcadEyura.dat	Detected by Malwarebytes as Trojan.Ransom.Gen. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'OmcadEyura.dat' file is located in %CommonAppData%	No
owphelkg	X	regsvr32.exe [path] owphelkg.dat	Detected by Malwarebytes as Trojan.Ransom.Gend. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'owphelkg.dat' file is located in %CommonAppData%	No
Uzmmmedia	X	regsvr32.exe [path] rqhsebbx.dll	Detected by Malwarebytes as Trojan.Boaxxe. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'rqhsebbx.dll' file is located in %LocalAppData%URBmedia	No
ttbuoyik	X	regsvr32.exe [path] ttbuoyik.dat	Detected by Malwarebytes as Trojan.Ransom.Gend. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'ttbuoyik.dat' file is located in %CommonAppData%	No
UjorIpuji	X	regsvr32.exe [path] UjorIpuji.dat	Detected by Malwarebytes as Trojan.Ransom.Gen. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'UjorIpuji.dat' file is located in %CommonAppData%	No
ypkalq	X	regsvr32.exe [path] ypkalq.dat	Detected by Malwarebytes as Trojan.Ransom.Gend. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The 'ypkalq.dat' file is located in %CommonAppData%	No
[UserName]#	X	REGSVR32.EXE [path] [UserName]#.jpg	Detected by Malwarebytes as Trojan.Banker - where # represents a digit. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The '[UserName]#.jpg' file is located in %AppData%	No
xhehjnnlqercber	X	regsvr32.exe [random name].dll	MxliveMedia adware. Note that regsvr32.exe is a legitimate Microsoft file used to register and unregister OLE controls and shouldn't be deleted. The random DLL file is located in %System%	No
Compatibility Service Process	X	regsvs.exe	Detected by Symantec as W32.Gaobot.YN	No
regsync	X	regsync.exe	Detected by Symantec as Spyware.SafeSurfing	No
Registry System	X	Regsys.exe	Added by a variant of W32.IRCBot. The file is located in %System% - see here	No
Reg_WFT	X	Regsysw.com	Detected by Symantec as W32.Wilsef	No
Reg_WFT	X	Regsysw.exe	Detected by Trend Micro as WORM_WILSEF.A	No
RegTask	U	RegTask.exe	RegTask by Time Pioneer Limited 'implements the use of a high performing algorithm that of which will immediately find all inconsistencies with the registry, as well as provide the user a list of everything causing errors. From there, you are able to select which errors should be repaired.' Detected by Malwarebytes as PUP.Optional.RegTask. The file is located in %ProgramFiles%RegTask. If bundled with another installer or not installed by choice then remove it	No
Registration-INSDVD	N	RegTool.exe	Registration reminder for Pinnacle Instant CD/DVD burning and authoring software from Pinnacle Systems	No
Registration-InstantCopy	N	RegTool.exe	Registration reminder for Pinnacle InstantCopy burning software from Pinnacle Systems	No
Registration-Liquid Edition	N	RegTool.exe	Registration reminder for Pinnacle Liquid professional video editing software from Pinnacle Systems. It became Avid Liquid with the acquisition of Pinnacle Systems by Avid Technology, Inc but has since reached End of Life	No
Registration-PCTV	N	RegTool.exe	Registration reminder for the Pinnacle PCTV solution for watching and recording TV on a desktop/laptop from Pinnacle Systems (which became Avid Technology and then Corel). The Pinnacle PCTV product line was sold to Hauppauge Digital	No
Registration-PCTV Deluxe	N	RegTool.exe	Registration reminder for the Pinnacle PCTV solution for watching and recording TV on a desktop/laptop from Pinnacle Systems (which became Avid Technology and then Corel). The Pinnacle PCTV product line was sold to Hauppauge Digital	No
Registration-PCTV Sat	N	RegTool.exe	Registration reminder for the Pinnacle PCTV solution for watching and recording TV on a desktop/laptop from Pinnacle Systems (which became Avid Technology and then Corel). The Pinnacle PCTV product line was sold to Hauppauge Digital	No
Registration-Pinnacle Edition 5	N	RegTool.exe	Registration reminder for Pinnacle Edition realtime DV editing and authoring solution from Pinnacle Systems	No
Registration-Pinnacle Express	N	RegTool.exe	Registration reminder for Pinnacle Express DVD authoring software from Pinnacle Systems	No
Registration-Pinnacle Expression	N	RegTool.exe	Registration reminder for Pinnacle Expression DVD authoring software from Pinnacle Systems	No
Registration-Pinnacle Systems DV500	N	RegTool.exe	Registration reminder for Pinnacle DVD500 realtime DV editing solution from Pinnacle Systems	No
Registration-Studio 7	N	RegTool.exe	Registration reminder for Pinnacle Studio 7 home video editing software from Pinnacle Systems	No
Registration-Studio 7 SE	N	RegTool.exe	Registration reminder for Pinnacle Studio 7 SE home video editing software from Pinnacle Systems	No
Registration-Studio 8	N	RegTool.exe	Registration reminder for Pinnacle Studio 8 home video editing software from Pinnacle Systems	No
Registration-Studio 8 SE	N	RegTool.exe	Registration reminder for Pinnacle Studio 8 SE home video editing software from Pinnacle Systems	No
MicrosoftCorp	X	regtray.exe	Detected by Kaspersky as Backdoor.Win32.Poison.ahnw and by Malwarebytes as Trojan.Agent.MSGen. The file is located in %System%	No
MicrosoftNAPC	X	regtray.exe	Detected by Kaspersky as Backdoor.Win32.Poison.ahnw and by Malwarebytes as Backdoor.Bot. The file is located in %System%	No
RegTweak	U	RegTwk.exe	Rage3d Tweak - ATI Radeon tweaker which allows access to registry tweak options, custom display modes, refresh rates and overclocking all through an easy to use interface	No
nvida_driver	X	regupdate.exe	Detected by McAfee as RDN/Generic.bfr and by Malwarebytes as Backdoor.Agent.DCE	No
RegUse	U	RegUse.exe	RegUse registry utility by Honlyn Limited - 'Ready to End PC Errors? Make it Quick. Make it Easy. Scan The Registry, Correct The Errors, and Pump Up The System Speed. Registry faults cause your computer to run slower. Registry faults generate Windows error messages.' Detected by Trend Micro as PUA_REGUSE and by Malwarebytes as PUP.Optional.RegUse. The file is located in %ProgramFiles%RegUse. If bundled with another installer or not installed by choice then remove it	No
regValue.exe	X	regValue.exe	Detected by Dr.Web as Win32.HLLW.Autoruner2.4540. Note - the file is located in %AllUsersStartup% and its presence there ensures it runs when Windows starts	No
RegVer	X	REGVER.EXE	Detected by Trend Micro as BKDR_LATINUS.16	No
RegVfy32	X	Regverif32.exe	Detected by Symantec as W32.Sygyp.A@mm	No
load	X	regview.exe	Detected by Malwarebytes as Trojan.Regview. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'load' value data to include the file 'regview.exe' (which is located in %Root%{$####-####-####-####-####$} - where # represents a digit), see examples here and here	No
Windows Registry Viewer	X	regview.exe -rundll32 /SYSTEM32 taskmgr.exe	Detected by Malwarebytes as Trojan.Regview. The file is located in %Root%{$####-####-####-####-####$} - where # represents a digit, see examples here and here. Note - do not delete the legitimate taskmgr.exe process which is always located in %System%	No
regWink	X	regWink.exe	Detected by Dr.Web as Trojan.MulDrop5.34020 and by Malwarebytes as Trojan.Agent.E. Note - this entry loads from the Windows Startup folder and the file is located in %Root%NVIDIADisplayDriver	No
RegWiz.vbs	X	RegWiz.vbs	Detected by McAfee as Generic Dropper and by Malwarebytes as Trojan.Agent.VBS. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
RegWork	U	RegWork.exe	RegWork history cleaner by Honlyn Limited - 'helps you make your computer more effective by allowing you to delete unneeded temporary internet files, delete cookies & much more.' Detected by Symantec as PUA.RegWork and by Malwarebytes as PUP.Optional.RegWork. The file is located in %ProgramFiles%RegWork. If bundled with another installer or not installed by choice then remove it	No
rejestr	X	rejestr.exe	Detected by Dr.Web as Trojan.DownLoader4.633	No
Kinofilmoff.Net	X	Reklamer.exe	Detected by Sophos as Troj/Agent-NGX and by Malwarebytes as Trojan.InfoStealer	No
Launcher	N	relaunch.exe	Audio Applications Launcher for the Philips Rythmic Edge soundcard (the Philips Rhythmic Edge is the same as the Thunderbird PCI soundcard - see TBtray)	No
Reload	X	reload.exe	Detected by Symantec as Trojan.Lazar	No
reload	X	reload.vbs	Detected by McAfee as VBS/Loveletter.as	No
Memory relocation service	X	reloc32.exe	Detected by Symantec as W32.Relfeer	No
MacromediaFlesh	X	RelockSystem.exe	Detected by Malwarebytes as Trojan.Banker.E. The file is located in %AppData%RelockSystem	No
TheCooler	X	relooc'exe.sys	Detected by Dr.Web as Trojan.DownLoader11.5838 and by Malwarebytes as Trojan.Downloader.E	No
SystemProvider	X	reloocsys.com	Detected by Dr.Web as Trojan.DownLoader11.10508 and by Malwarebytes as Trojan.Agent.SP. The file is located in %System%	No
SystemProvider	X	reloocsys.com	Detected by Dr.Web as Trojan.DownLoader11.34135 and by Malwarebytes as Trojan.Agent.SP. The file is located in %Temp%	No
TheCooler	X	reloocsys.exe	Detected by Dr.Web as Trojan.DownLoader11.14877 and by Malwarebytes as Trojan.Downloader.E	No
browser	X	remcos.exe	Detected by Malwarebytes as Spyware.KeyLogger. The file is located in %AppData%remcos	No
RemHelp	N	Remhelp.exe	BT Voyager ADSL Modem Help related	No
BReader	N	remin.exe	Birthday Reminder 5.0 - as the name implies	No
Scanner Reminder	?	remind.exe	Part of older versions of the range of internet security products from Quick Heal - including Total Security, Internet Security and AntiVirus. Also included by vendors who use the Quick Heal engine such as Omniquad and iQon. What does it do and is it required?	No
reminder-ScanSoft Product Registration	N	REMIND32.EXE	Registration reminder for ScanSoft products such as PaperPort, OmniPage & TextBridge	No
reminder-ScanSoft Produkt Registrierung	N	REMIND32.EXE	Registration reminder for ScanSoft products such as PaperPort, OmniPage & TextBridge	No
Pinnacle Systems - Studio Family	N	Remind32.exe	Registration reminder for the Pinnacle PCTV solution for watching and recording TV on a desktop/laptop from Pinnacle Systems (which became Avid Technology and then Corel). The Pinnacle PCTV product line was sold to Hauppauge Digital	No
Hewlett-Packard Recorder	N	Remind32.exe	HP multifunction registration	No
Corel Registration	N	Remind32.exe	Registration reminder for Corel products	No
Reminder-cpqXXXXX	N	remind32.exe	Compaq printer registration reminder - where X represents a digit	No
Reminder-hpcXXXXX	N	remind32.exe	HP CD-Writer Plus registration reminder - where X represents a digit. The file is located in %ProgramFiles%CD-Writer PlusE-Reg	No
Reminder-hpcXXXXX	N	remind32.exe	HP DeskJet printer registration reminder - where X represents a digit. The file is located in %ProgramFiles%HP DeskJet [Model] Seriesereg	No
Reminder-hpcXXXXX	N	Remind32.exe	HP C series digital camera registration reminder - where X represents a digit. The file is located in %ProgramFiles%HP PhotoSmartC[model] CameraRegistration	No
Reminder-hpcXXXXX	N	Remind32.exe	HP digital camera registration reminder - where X represents a digit. The file is located in %ProgramFiles%HP PhotoSmartDigital CameraREGISTER	No
Reminder-iqiXXXXX	N	REMIND32.EXE	HP digital camera registration reminder - where X represents a digit. The file is located in %ProgramFiles%HP PhotoSmartDigital CameraREGISTER	No
PC Pitstop Diskmd3 Reminder	U	Reminder-Diskmd3.exe	Registration reminder for the Disk MD disk defragmenter utility from PC Pitstop LLC - which is detected by Malwarebytes as PUP.Optional.DiskMD. The file is located in %ProgramFiles%PCPitstopDiskMD3. If bundled with another installer or not installed by choice then remove it	Yes
PitFrame Module	U	Reminder-Diskmd3.exe	Registration reminder for the Disk MD disk defragmenter utility from PC Pitstop LLC - which is detected by Malwarebytes as PUP.Optional.DiskMD. The file is located in %ProgramFiles%PCPitstopDiskMD3. If bundled with another installer or not installed by choice then remove it. This is the 7/Vista MSConfig and Windows Defender entry	Yes
Reminder-Diskmd3	U	Reminder-Diskmd3.exe	Registration reminder for the Disk MD disk defragmenter utility from PC Pitstop LLC - which is detected by Malwarebytes as PUP.Optional.DiskMD. The file is located in %ProgramFiles%PCPitstopDiskMD3. If bundled with another installer or not installed by choice then remove it	Yes
PC Pitstop Optimize Reminder	U	Reminder-Optimize3.exe	Registration reminder for the Optimize system optimization utility from PC Pitstop LLC - which is detected by Malwarebytes as PUP.Optional.PCPOptimize. The file is located in %ProgramFiles%PCPitstopOptimize3. If bundled with another installer or not installed by choice then remove it	Yes
PitFrame Module	U	Reminder-Optimize3.exe	Registration reminder for the Optimize system optimization utility from PC Pitstop LLC - which is detected by Malwarebytes as PUP.Optional.PCPOptimize. The file is located in %ProgramFiles%PCPitstopOptimize3. If bundled with another installer or not installed by choice then remove it. This is the 7/Vista MSConfig and Windows Defender entry from an earlier release	Yes
Reminder-Optimize3	U	Reminder-Optimize3.exe	Registration reminder for the Optimize system optimization utility from PC Pitstop LLC - which is detected by Malwarebytes as PUP.Optional.PCPOptimize. The file is located in %ProgramFiles%PCPitstopOptimize3. If bundled with another installer or not installed by choice then remove it	Yes
PC Matic	N	Reminder-PCMatic.exe	Registration reminder for the PC Matic utility suite from PC Pitstop LLC - which 'provides the best protection against modern threats by utilizing a white list that allows only trusted applications to run and blocking the polymorphic viruses that escape most security products today'	Yes
PC Pitstop PC Matic Reminder	N	Reminder-PCMatic.exe	Registration reminder for the PC Matic utility suite from PC Pitstop LLC - which 'provides the best protection against modern threats by utilizing a white list that allows only trusted applications to run and blocking the polymorphic viruses that escape most security products today'	Yes
Reminder-PCMatic	N	Reminder-PCMatic.exe	Registration reminder for the PC Matic utility suite from PC Pitstop LLC - which 'provides the best protection against modern threats by utilizing a white list that allows only trusted applications to run and blocking the polymorphic viruses that escape most security products today'	Yes
MedionReminder	?	Reminder.exe	Part of PowerRecover protection and recovery software from CyberLink. What does it do and is it required?	No
Vinade Reminder	U	Reminder.exe	Vinade Reminder from Vinade Solutions Inc - 'With this easy to use reminder tool you can send your reminder to your screen, cell phone, pager, or email. It has a very user friendly interface with an easy to use wizard for creating your reminders'	No
PC Pitstop Disk MD	N	Reminder.exe	Registration reminder for Disk MD 2.0 - a disk defragmenter utility from PC Pitstop LLC. Now superseded by Disk MD 3.0 (which is detected by Malwarebytes as PUP.Optional.DiskMD). This is the 7/Vista MSConfig and Windows Defender entry	Yes
PC Pitstop Optimize Reminder	N	Reminder.exe	Registration reminder for Optimize 2.0 - a system optimization utility from PC Pitstop LLC. Now superseded by Optimize 3.0 (which is detected by Malwarebytes as PUP.Optional.PCPOptimize)	Yes
Kana Reminder	N	Reminder.exe	Kana Reminder is a program which can be used to set a reminder to be triggered at a specified time	No
PitFrame Module	N	Reminder.exe	Registration reminder for Optimize 2.0 - a system optimization utility from PC Pitstop LLC. Now superseded by Optimize 3.0 (which is detected by Malwarebytes as PUP.Optional.PCPOptimize). This is the 7/Vista MSConfig and Windows Defender entry	Yes
CreateCD_Reminder	N	reminder.exe	Reminder to create system recovery CD/DVDs on a Sony Vaio laptop or desktop	No
PCPitstop Disk MD Registration Reminder	N	Reminder.exe	Registration reminder for Disk MD 2.0 - a disk defragmenter utility from PC Pitstop LLC. Now superseded by Disk MD 3.0 (which is detected by Malwarebytes as PUP.Optional.DiskMD)	Yes
PCPitstop Registration Reminder	N	Reminder.exe	Registration reminder for the Exterminate antimalware package from PC Pitstop LLC. Now superseded by PC Matic	No
Acer Tour Reminder	N	Reminder.exe	Popup reminder to run Acer Tour - which comes pre-installed with various Acer laptops and provides an interactive tour of the new PC, covering installed features, programs and usage guides	No
Reminder	N	reminder.exe	From MS Money - reminds you of your bills. Located in %ProgramFiles%Microsoft MoneySystem	No
Reminder	N	Reminder.exe	Registration reminder for Disk MD 2.0 - a disk defragmenter utility from PC Pitstop LLC. Now superseded by Disk MD 3.0 (which is detected by Malwarebytes as PUP.Optional.DiskMD). Located in %ProgramFiles%PCPitstopDisk MD	Yes
Reminder	N	Reminder.exe	Registration reminder for Optimize 2.0 - a system optimization utility from PC Pitstop LLC. Now superseded by Optimize 3.0 (which is detected by Malwarebytes as PUP.Optional.PCPOptimize). Located in %ProgramFiles%PCPitstopOptimize2	Yes
Reminder	X	Reminder.exe	Registration reminder for the Secure Expert Cleaner rogue privacy program - not recommended, removal instructions here. Detected by Malwarebytes as Rogue.SecureExpertCleaner. Located in %ProgramFiles%SecureExpertCleaner	No
Reminder	N	Reminder.exe	Toshiba RDC Reminder. Located in %ProgramFiles%TOSHIBAReminder	No
Reminder	N	Reminder.exe	Backup recovery reminder from Dixons Store group. Located in %ProgramFiles%TTGReminder	No
Reminder	N	Reminder.exe	Popup reminder to run Acer Tour - which comes pre-installed with various Acer laptops and provides an interactive tour of the new PC, covering installed features, programs and usage guides. The file is located in %Root%AcerAcerTour	No
Reminder_MUI	?	Reminder_MUI.exe	File properties show it's by The TechGuys - a PC support service found in Currys, PC Wolrd and Dixons in the UK. What does it do and is it required?	No
RemindMe	U	RemindMe.exe	Remind-Me - calendar software	No
Remind_XP	N	Remind_XP.exe	HP-specific program that reminds users to create System Recovery CDs. Once they use the Recovery CD Creator (Start → PC Help & Tools → Recovery CD Creator) to make the recovery CDs the entry will remove itself from the startup list	No
Reminder	N	Remind_XP.exe	HP-specific program that reminds users to create System Recovery CDs. Once they use the Recovery CD Creator (Start → PC Help & Tools → Recovery CD Creator) to make the recovery CDs the entry will remove itself from the startup list	No
FM	X	Remittance Copy.exe	Detected by Malwarebytes as Backdoor.Agent.DC. The file is located in %AppData%	No
backup	X	Remold.exe	Detected by Malwarebytes as Trojan.Banker.LDR. The file is located in %LocalAppData%	No
remote master	U	remote master.exe	Required if you want your ASUS Remote control to work at all. Available via Start → Programs	No
java	X	remote.cmd	Detected by Sophos as Troj/Banker-EHG	No
hotdlll	X	remote.cmd	Detected by Sophos as Troj/Banker-EHG and by Malwarebytes as Trojan.Banker.ASD	No
Remote	U	Remote.exe	Remote Control driver for LifeView internal and external TV products from Animation Technologies Inc. Typically located in %ProgramFile%LifeView TVR or %ProgramFile%TVR	No
Remote	U	remote.exe	Watchdog surveillance software. Uninstall this software unless you put it there yourself. Located in %Windir%Wdc	No
Winshell	X	remote.exe	Detected by Trend Micro as WORM_MYTOB.LJ and by Malwarebytes as Trojan.Agent.WS	No
TvrRemote	U	Remote.exe	Remote Control driver for LifeView internal and external TV products	No
Remote_Agent	N	RemoteAgent.exe	Cyberlink Power VCR II 3.0 is a TV tuner recording utility. If you want to schedule recordings you'll need this, otherwise can be disabled	No
Remote Computer	X	RemoteComputer.exe	Detected by Kaspersky as Trojan.Win32.Scar.bkar and by Malwarebytes as Backdoor.Bot. The file is located in %System%	No
Sistray32	X	remotehost.pif	Detected by Symantec as W32.Holcas.A@mm	No
PCTVRemote	U	remoterm.exe	Controls the remote control on some Pinnacle Systems TV tuners (now owned by Corel)	No
PCTVUSB2Remote	U	remoterm.exe	Controls the remote control on some Pinnacle Systems TV tuners (now owned by Corel)	No
RemoveCpl	N	RemoveCpl.exe	Related to a Belkin 54Mbps Wireless Utility Control Panel applet	No
Removed.exe	X	Removed.exe	GatorCheat - adware downloader	No
RemoveIT Pro [version]	U	removeit.exe	RemoveIT Pro by InCode Solutions - 'Locates & Removes many new Spyware, Malware, Virus, Worms, Trojans and Adware that other popular AV program missed!' Detected by Malwarebytes as PUP.Optional.RemoveITPro. The file is located in %ProgramFiles%InCode SolutionsRemoveIT Pro [version]. If bundled with another installer or not installed by choice then remove it, removal instructions here	No
zonealarm	X	removeme.exe	Detected by Sophos as W32/Forbot-BG	No
Spyware remover	X	Remove_spyware.exe	Unidentified - but not known to belong to any known spyware remover and strongly suspected to be malware related. The file is located in %Windir%	No
Windows Update 32	X	rempss.exe	Detected by Sophos as W32/Forbot-FW	No
Agente	?	Remupd.exe	Part of an older version of the Panda Security range of internet security products. Is this an update reminder (guess because of the name), virus definition update reminder or something similar?	No
renameme	X	renameme.exe	Detected by Malwarebytes as Backdoor.Agent.Gen. The file is located in %AppData%	No
Shell	X	Renova.exe	Detected by Dr.Web as Trojan.StartPage.49467 and by Malwarebytes as Worm.Renova	No
Reon Kadena	X	Reon Kadena.exe	Detected by Dr.Web as Trojan.Peflog.767 and by Malwarebytes as Trojan.Agent.RK	No
MSN Messenger	X	REOSMSNGR.EXE	Added by a variant of W32.Spybot.Worm. The file is located in %System%	No
reouv	X	reouv.exe	Detected by Sophos as W32/SillyFDC-FX	No
reoxmae.vbs	X	reoxmae.vbs	Detected by Malwarebytes as Trojan.Script. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
Repair Registry Pro	X	RepairRegistryPro.exe	Repair Registry Pro rogue registry cleaner - not recommended, removal instructions here	No
System Restore Data	X	repcale.exe beird.exe	Detected by Trend Micro as WORM_RANDON.AN	No
LAsIAf32	X	RePEAtLD.exe	Detected by Symantec as W32.HLLW.Repeatld	No
repl	X	repl.exe	Detected by Trend Micro as TROJ_YABE.CD	No
Replay Center	U	ReplayRadio.exe	Replay Radio - 'makes it easy to automatically record your favorite radio shows, so you can listen wherever and whenever you like'	No
replay_telecorder_skype	N	replay_telecorder_skype.exe	Replay Telecorder from Applian Technologies for the Skype VOIP software - which allows you to 'record phone calls, video chats, conference calls, voice mail - anything that you can see or hear within Skype'	No
Realplear	X	RepLeay.exe	Detected by Dr.Web as Trojan.Fsysna.6491 and by Malwarebytes as Trojan.Agent.E	No
RepliGo Assistant	U	RepliGoMon.exe	Cerience RepliGo software - 'any document you have on your PC can be transferred to your mobile device'	No
HKLMRun, Windows Configure report.exe	X	report.exe	Detected by Dr.Web as Trojan.Siggen3.28491	No
[random hex numbers]	X	report.exe	Detected by Symantec as Trojan.Tatanarg	No
Remote Registry Service	X	repsvc.exe	Detected by Kaspersky as Backdoor.Win32.IRCBot.ock and by Malwarebytes as Backdoor.IRCBot.RSGen. The file is located in %Windir%	No
requester	X	requester.*.exe	Added by a variant of Trojan.Muquest - where * represents one of more digits. The file is located in %System%	No
Requester	X	requester.11.exe	Detected by Symantec as Trojan.Muquest	No
requests02.exe	X	requests02.exe	Detected by Dr.Web as Trojan.DownLoader10.40794 and by Malwarebytes as Trojan.Downloader.E. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
Windows applicaton	X	Requirement 1.exe	Detected by Sophos as Troj/Agent-WKW and by Malwarebytes as Trojan.Agent	No
rer.bat	X	rer.bat	Detected by Malwarebytes as Trojan.PasswordStealer. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
svc	X	rernea.exe	Detected by Malwarebytes as Trojan.Downloader. The file is located in %System%	No
Intel(M)	X	res.exe	Detected by Dr.Web as Trojan.Siggen5.23631 and by Malwarebytes as Backdoor.Agent.ITN	No
RESUPDATE	X	res.exe	Detected by McAfee as Trojan-FEXE and by Malwarebytes as Backdoor.Agent.RS	No
*resbootdev.exe	X	resbootdev.exe	Detected by Sophos as Troj/Agent-TTQ	No
*rescatacct.exe	X	rescatacct.exe	Detected by Sophos as Troj/FakeAV-EQX	No
ResChanger2004	U	ResChanger2004.exe	EVGA graphic card utility providing easy access to display settings	No
RescueMe	X	rescueme.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %UserProfile%My UserPrograms	No
Research Soft	U	Research Soft.exe	Detected by Malwarebytes as PUP.Optional.ResearchSoft. The file is located in %ProgramFiles%Marketing Research AssociationResearch Soft. If bundled with another installer or not installed by choice then remove it	No
reserv	X	reserv.exe	Detected by Malwarebytes as Backdoor.Agent.E. The file is located in %AppData%reserved	No
Timer Recording Manager	U	ReserveModule.exe	Timed recordings for Sony Giga Pocket - which 'is a software application installed on select Sony Vaio desktops that allows you to watch and record television programs on your computer'	No
AdsOff Startup	U	reset.exe	AdsOff by InterCan Tech - 'works with your web browser to automatically remove Internet advertising from web pages and accelerate web browsing up to 200%.' No longer supported	No
TrialReseter	X	resetTrial.exe	Detected by Malwarebytes as Trojan.Backdoor. The file is located in %AppData%Adobe	No
Picture Package VCD Maker	U	Residence.exe	Sony 'Picture Package®' software for their range of Digital Handycam video cameras. Used to connect the camcorder via USB and allows the user to burn the content directly to a CD	No
ResizeEnableRunner	U	ResizeEnableRunner.exe	ResizeEnable by Digi Tallis 'lets you turn usually non-resizeable windows into resizeable windows. Most windows will respond correctly, but some may not!'	No
Java Updater 12.02.3	X	resman.exe	Detected by McAfee as RDN/Generic.bfr and by Malwarebytes as Trojan.Agent.JV	No
load	X	resman.exe	Detected by McAfee as RDN/Generic.bfr and by Malwarebytes as Trojan.Agent.JV. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'load' value data to include the file 'resman.exe' (which is located in %Temp%)	No
Java Updater	X	resman.exe	Detected by McAfee as RDN/Generic.bfr and by Malwarebytes as Backdoor.Agent.JVGen	No
Remote Event System	X	resmsvc.exe	Detected by Dr.Web as BackDoor.IRC.Suicide.107	No
Repil	X	resp.exe	Detected by Malwarebytes as Trojan.Agent.E. The file is located in %AppData%ModeK - see here	No
RESpyWare.exe	X	RESpyWare.exe	RESpyWare rogue security software - not recommended, removal instructions here. The file is located in %ProgramFiles%RESpyWare SoftwareRESpyWare. A member of the AntiAID family	No
LoadService	X	Rest In Peace	Detected by Sophos as W32/Kangaroo-A	No
AdobeMedia	X	Restart Service.exe	Detected by Malwarebytes as Trojan.Agent.RST. The file is located in %Temp%AppLaunch	No
restart	X	restart.exe	Detected by Malwarebytes as Trojan.Agent.RSTGen. The file is located in %AppData%	No
Data LifeGuard	?	Restart.exe	Part of the Data LifeGuard diagnostic tools for Western Digital's series of hard drives	No
Windows Firewall Test3	X	restbot	Detected by Malwarebytes as Backdoor.Bot. The file is located in %UserTemp%	No
Restore	X	restore.exe	Antispyware Shield Pro rogue security software - not recommended, removal instructions here	No
SvcManager	X	restore3.exe	Detected by Sophos as Troj/Agent-DSS	No
crash0001	X	restorecrashwin32.bat	Detected by Sophos as Troj/Agent-ZC	No
RestoreDesktop	U	RestoreDesktop.exe	Restore Desktop by Softwarium - 'is a Windows Context Menu addition that automatically saves and restores the icons' positions on the Windows desktop after a resolution change.' No longer available	No
restorer32_a	X	restorer32_a.exe	Detected by Kaspersky as Trojan-Downloader.Win32.Agent.cqqb and by Malwarebytes as Trojan.FakeAlert. Note - this malware creates two entries, one loaded from HKLMRun with the file located in %System% and one loaded from HKCURun with the file located in %UserProfile%	No
restorer64_a	X	restorer64_a.exe	Detected by Sophos as Troj/Dldr-BY and by Malwarebytes as Trojan.FakeAlert	No
restory	X	restory.exe	Detected by Symantec as Trojan.Retsam	No
SUBDIR	X	restrict.exe	Detected by McAfee as RDN/Generic.bfr and by Malwarebytes as Trojan.Agent.SBD	No
resagnt	X	restun.exe	Adware downloader. Detected by Panda as Downloader.ALQ	No
CPDONOAFCMKFGIE	X	result.exe	Detected by McAfee as RDN/Generic BackDoor and by Malwarebytes as Backdoor.IRCBot.E	No
KLKPJAGMOLKAKPO	X	result.exe	Detected by McAfee as RDN/Generic.bfr and by Malwarebytes as Trojan.Agent.EXFR	No
ResultsHubBar	U	ResultsHubBar.exe	Detected by Malwarebytes as PUP.Optional.ResultsHub. Note - this entry loads from the Windows Startup folder and the file is located in %CommonAppData%Results Hub. If bundled with another installer or not installed by choice then remove it, removal instructions here	No
ResumeFixClocks	U	resumefix.exe	Part of the RadeonTweaker utility for overclocking ATI Radeon graphics cards	No
Registry Service	X	resvs.exe	Detected by Sophos as W32/Delbot-I	No
Mania Win Restore	N	RESWIN.EXE	Pinball Mania for Windows from 21st Century Entertainment LTD (1995). Runs briefly at start-up then terminates	No
Systam13	X	resx.exe	Added by a variant of W32.IRCBot. The file is located in %System% - see here	No
runner1	X	retadpu.exe	Detected by Trend Micro as TROJ_AGENT.SLZ	No
runner1	X	retadpu[random digits].exe	Detected by Trend Micro as TROJ_SMALL.CTV and by Malwarebytes as Trojan.Agent	No
RetailProUpdate	X	RetailProUpdate.exe	Detected by Malwarebytes as Trojan.InfoStealer.RTP. The file is located in %AppData%Installed - see here	No
Wings Server	U	RetailServer.exe	Multi-user retail version of Wings Accounting software from Wings Infonet Ltd	No
Wings	U	RetailSingleUser.exe	Single-user retail version of Wings Accounting software from Wings Infonet Ltd	No
retime	X	retime.exe	Detected by Symantec as Trojan.Gipma	No
RetrieverScheduler	U	retrieverscheduler.exe	80-20 Retriever from 80-20 - '80-20 Retriever is a powerful personal search tool that encompasses email folders, archived email, and local or network file systems, giving users one point of fast, accurate search for all personal information'. Real-time scheduler - shortcut available	No
RetroExpress	U	RetroExpress.exe	Retrospect Express backup and recovery software from Retrospect, Inc (was Dantz) - included with some removable drives from Iomega, Western Digital, Maxtor (Seagate) and maybe others	No
UPOFRLNV	X	reukdeof.exe	Detected by McAfee as Generic.dx	No
RevCode-****	X	RevCode-****.exe	Detected by Malwarebytes as Trojan.Agent.Generic - where * represents a character. The file is located in %AppData%	No
revealing_dc	X	revealingdc.exe	Detected by Symantec as Adware.Revealing	No
revealing_st	X	revealingst.exe	Detected by Symantec as Adware.Revealing	No
revealing_u	X	revealingu.exe	Detected by Symantec as Adware.Revealing	No
kmmsoft	X	revo.exe	Detected by Sophos as W32/Autorun-QR and by Malwarebytes as Spyware.OnlineGames	No
revo	X	revo.exe	Detected by Trend Micro as WORM_ONLINEG.AFU and by Malwarebytes as Spyware.OnlineGames	No
RevoTaskbarApp	U	RevoTask.exe	Control Panel for the M-Audio Revolution 7.1 sound card. The sound card will function without it - but changes to speaker setup and sound modification (Bass/Treble etc) will not be available	No
Revo Uninstaller	U	revouninstaller.exe	Revo Uninstaller by VS Revo Group Ltd. - 'helps you to uninstall software and remove unwanted programs installed on your computer easily!'	No
rex.vbs	X	rex.vbs	Detected by Malwarebytes as Backdoor.NanoCore. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
RexSyMon	N	rexsymon.exe	Intellisync for REX synchronization software for the now discontinued Intel/Xircom REX 6000 ultra-thin PDA - for sharing information between the PDA and PC	No
rezoqaraxeab	X	rezoqaraxeab.exe	Detected by Sophos as Troj/Cutwail-AH and by Malwarebytes as Trojan.Ransom.Gen	No
RFAgent	U	rfagent.exe	Registry First Aid by KsL Software - scans the Windows registry for orphan file/folder references, finds these files or folders on your drives that may have been moved from their initial locations, and then corrects your registry entries to match the located files or folders	No
Registry First Aid	U	rfagent32.exe	Registry First Aid by KsL Software - scans the Windows registry for orphan file/folder references, finds these files or folders on your drives that may have been moved from their initial locations, and then corrects your registry entries to match the located files or folders	No
Registry First Aid Agent	U	rfagent32.exe	Registry First Aid by KsL Software - scans the Windows registry for orphan file/folder references, finds these files or folders on your drives that may have been moved from their initial locations, and then corrects your registry entries to match the located files or folders	No
rfagent	U	rfagent32.exe	Registry First Aid by KsL Software - scans the Windows registry for orphan file/folder references, finds these files or folders on your drives that may have been moved from their initial locations, and then corrects your registry entries to match the located files or folders	Yes
Registry First Aid	U	rfagent64.exe	Registry First Aid - scans the Windows registry for orphan file/folder references, finds these files or folders on your drives that may have been moved from their initial locations, and then corrects your registry entries to match the located files or folders	No
Registry First Aid Agent	U	rfagent64.exe	Registry First Aid - scans the Windows registry for orphan file/folder references, finds these files or folders on your drives that may have been moved from their initial locations, and then corrects your registry entries to match the located files or folders	No
rfagent	U	rfagent64.exe	Registry First Aid - scans the Windows registry for orphan file/folder references, finds these files or folders on your drives that may have been moved from their initial locations, and then corrects your registry entries to match the located files or folders	No
RadioController	?	RfBtnHelper.exe	Part of Acer Launch Manager (by Dritek System Inc.). Controls the wireless on/off button?	No
RFCILHKT	X	RFCILHKT.exe	Detected by Sophos as Troj/Agent-RGM	No
Windows-TCP-IP	X	rfkampig.exe	Detected by Symantec as Trojan.Gipma	No
Rocket Live! Central 2	N	RFLVCentral2.exe	Custom version of Creative Live! Central 2 webcam bundled software for the Rocketfish HD Webcam series (by Creative), which allows the user to get more out of their webcam experience. 'The Media Show and Desktop Share features enhance your sharing experiences with friends and family while the audio and visual effects spice up your chats with voice and backdrop changes'	No
RegiFast	X	RFManager.exe	RegiFast adware	No
RFnSQSbf.exe	X	RFnSQSbf.exe	Detected by Malwarebytes as Trojan.Agent.RV. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
Reality Fusion GameCam SE	N	RFTRay.exe	Reality Fusion GameCam Video Interaction Technology Software that comes with the Logitech QuickCam PC video camera and other USB cameras. It's only an icon that appears on your System Tray	No
rfw	Y	Rfw.exe	Rising firewall	No
RfwMain	Y	rfwmain.exe	Rising firewall	No
Rg2catbd	X	Rg2catbd.exe	Added by a variant of the BANLOAD family of TROJANS!	No
Windows ASN Service	X	rge.exe	Detected by Sophos as W32/Rbot-AOK	No
Rgoogle	X	RGoogle.exe	Detected by Malwarebytes as Trojan.Agent.GGL. The file is located in %CommonAppData%Google	No
RGSC	N	RGSCLauncher.exe	Launcher related to the Rockstar Games Social Club	No
rgstryedtr	X	rgstryedtr.exe	Detected by Malwarebytes as Trojan.Agent.E. The file is located in %Windir%	No
RGZCDHTN	X	RGZCDHTN.exe	SafeSearch adware	No
RH	U	rh32.exe	EuroFonts - adds Euro symbols to pre-Euro computers	No
Rhex	X	Rhex.exe	Detected by Dr.Web as Trojan.MulDrop5.7212 and by Malwarebytes as Trojan.Agent.RHE	No
default drivers checker	X	rhgpv.exe	Detected by McAfee as Generic.dx and by Malwarebytes as Trojan.Agent	No
RhinoBlocker	U	RhinoBlocker.exe	RhinoBlocker - pop-up stopper	No
Microsoft IT Update	X	Rhost32.exe	Detected by Kaspersky as Net-Worm.Win32.Kolabc.bza and by Malwarebytes as Trojan.Agent. The file is located in %System%	No
MTI0CVXC05FY	X	RHPAJQMS.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %AppData%	No
RHPTray	N	RHPTray.exe	System tray access to Red Hot Pawn - online chess	No
XtraRichi	U	Richi_Skype_Com.exe	Richi MP3 Ringback Tones extension for the Skype VOIP software - which adds MP3 ringtones and answering machine capabilities	No
richtx64.exe	X	richtx64.exe	Detected by Trend Micro as TROJ_ALUREON.AVM and by Malwarebytes as Trojan.Agent	No
richup	X	richup.exe	Detected by Symantec as Spyware.SafeSurfing	No
amputate	U	rickshaws.exe	Detected by Malwarebytes as PUP.Optional.DotDo.PrxySvrRST. The file is located in %ProgramFiles%umm. If bundled with another installer or not installed by choice then remove it, removal instructions here	No
heaton	U	rickshaws.exe	Detected by Malwarebytes as PUP.Optional.DotDo. Note - this entry loads from the Windows Startup folder and the file is located in %ProgramFiles%umm. If bundled with another installer or not installed by choice then remove it, removal instructions here	No
micrometer	U	rickshaws.exe	Detected by Malwarebytes as PUP.Optional.DotDo.PrxySvrRST. The file is located in %ProgramFiles%umm. If bundled with another installer or not installed by choice then remove it, removal instructions here	No
varmints	U	rickshaws.exe	Detected by Malwarebytes as PUP.Optional.DotDo.PrxySvrRST. The file is located in %ProgramFiles%umm. If bundled with another installer or not installed by choice then remove it, removal instructions here	No
ens	U	rickshaws.exe	Detected by Malwarebytes as PUP.Optional.DotDo.PrxySvrRST. The file is located in %ProgramFiles%umm. If bundled with another installer or not installed by choice then remove it, removal instructions here	No
finish	U	rickshaws.exe	Detected by Malwarebytes as PUP.Optional.DotDo.PrxySvrRST. The file is located in %ProgramFiles%umm. If bundled with another installer or not installed by choice then remove it, removal instructions here	No
RidSpywareShield	U	RidSpywareShield.exe	Real-time protection for Rid Spyware by Crawler, LLC - 'Free real-time protection that effectively removes spyware, adware, trojans, keyloggers, home page hijackers and other malware threats from your computer.' Detected as a potentially unwanted program or adware by some vendors - see here. The file is located in %ProgramFiles%Rid Spyware. If bundled with another installer or not installed by choice then remove it	No
RidSpywareUpdater	U	RidSpywareUpdate.exe	Updater for Rid Spyware by Crawler, LLC - 'Free real-time protection that effectively removes spyware, adware, trojans, keyloggers, home page hijackers and other malware threats from your computer.' Detected as a potentially unwanted program or adware by some vendors - see here. The file is located in %ProgramFiles%Rid Spyware. If bundled with another installer or not installed by choice then remove it	No
rieysha	X	rieysha.exe	Added by unidentified malware. The file is located in %Windir%	No
Right Backup_startup	U	RightBackup.exe	Right Backup online backup utility by Systweak Software. Detected by Malwarebytes as PUP.Optional.SysTweak. The file is located in %ProgramFiles%Right Backup. If bundled with another installer or not installed by choice then remove it	No
riheqgoquguq	X	riheqgoquguq.exe	Detected by McAfee as RDN/Generic Downloader.x!is and by Malwarebytes as Trojan.Agent.US	No
rihobtomocte	X	rihobtomocte.exe	Detected by Dr.Web as Trojan.DownLoader9.61675 and by Malwarebytes as Trojan.Agent.US	No
BlackBerryAutoUpdate	N	RIMAutoUpdate.exe	Automatic updates for BlackBerry smartphones, provided by Research In Motion. Run manually when required	No
RIMBBLaunchAgent.exe	U	RIMBBLaunchAgent.exe	Research In Motion USB driver agent used when backing up a Blackberry smart phone	No
RIMDeviceManager	U	RIMDeviceManager.exe	Device Manager for BlackBerry smartphones, provided by Research In Motion	No
RinGxnfk	X	ringxnfk.exe	Detected by Malwarebytes as Trojan.Inject. The file is located in %LocalAppData%jcytnkvw	No
ringxnfk.exe	X	ringxnfk.exe	Detected by Malwarebytes as Trojan.Inject. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
Random Interface Network Manager	X	rinsv.exe	Detected by Sophos as W32/Delbot-L	No
[4 or more characters]	X	rinti.exe	Detected by Malwarebytes as Trojan.Vonteera. The file is located in %AppData%[4 or more characters]	No
Riorad Manager	N	riomgr.exe	Riorad Explorer by Red Chair Software - which 'is hands-down the most advanced Windows software companion for your Rio MP3 player.' No longer supported	No
Riorad SB-Riot Manager	N	riomgr.exe	Part of Riorad Explorer by Red Chair Software - which 'is hands-down the most advanced Windows software companion for your Rio MP3 player.' No longer supported	No
rIOphosIs	X	rIOPHosIs.vBS	Detected by Symantec as W97M.Riosys	No
RIOTBOT	X	RIOTBOT.exe	Detected by Dr.Web as Trojan.Inject.29686 and by Malwarebytes as Backdoor.Bot.E	No
RiotResponse	X	RiotResponse.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %AppData%Microsoft - see here	No
RiotResponse.exe	X	RiotResponse.exe	Detected by Malwarebytes as Trojan.Agent. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
rious	X	rious.exe	Detected by Malwarebytes as Worm.SFDC. The file is located in %UserProfile% - see here	No
RIP 2007 Clock	U	RIP 2007 Clock.exe	Clock gadget included with the Rest In Peace theme for MyColors from Stardock Corporation	No
WindowsUpdate	X	rip.exe	Detected by Sophos as Troj/Fareit-DVM and by Malwarebytes as Backdoor.IRCBot.Gen	No
ripelannari	X	ripelannari.exe	Detected by McAfee as RDN/Generic Downloader.x!mr and by Malwarebytes as Trojan.Agent.TMP	No
riqotosori	X	riqotosori.exe	Detected by McAfee as RDN/Generic Downloader.x!lw and by Malwarebytes as Trojan.Agent.US	No
riuom	X	riuom.exe	Detected by Malwarebytes as Trojan.Downloader. The file is located in %UserProfile% - see here	No
RivaTuner	U	RivaTuner.exe	RivaTuner is a tweaking utility for NVIDIA (and to a lesser extent AMD/ATI) chipset based graphics cards. This startup entry is for XP and can appear twice - with registry key names of 'RivaTuner' and 'RivaTunerStartupDaemon' respectively. The former minimizes it to the System Tray and is primarily required only if you want to use the 'Launcher' or monitoring options. The latter applies overclocking changes to clocks and memory (for example) at startup and then exits. See the FAQ for more information	Yes
RivaTuner Application	U	RivaTuner.exe	RivaTuner is a tweaking utility for NVIDIA (and to a lesser extent AMD/ATI) chipset based graphics cards. This startup entry is for XP and can appear twice - with registry key names of 'RivaTuner' and 'RivaTunerStartupDaemon' respectively. The former minimizes it to the System Tray and is primarily required only if you want to use the 'Launcher' or monitoring options. The latter applies overclocking changes to clocks and memory (for example) at startup and then exits. See the FAQ for more information	Yes
RivaTunerStartupDaemon	U	RivaTuner.exe	Part of RivaTuner - a tweaking utility for NVIDIA (and to a lesser extent AMD/ATI) chipset based graphics cards. This entry is for XP and applies overclocking changes to clocks and memory (for example) at startup and then exits. See the FAQ for more information	Yes
RivaTuner	U	RivaTunerWrapper.exe	RivaTuner is a tweaking utility for NVIDIA (and to a lesser extent AMD/ATI) chipset based graphics cards. This startup entry is for Windows 10/8/7/Vista and can appear twice - with registry key names of 'RivaTuner' and 'RivaTunerStartupDaemon' respectively. Both load the main application (RivaTuner.exe). The former minimizes it to the System Tray and is primarily required only if you want to use the 'Launcher' or monitoring options. The latter applies overclocking changes to clocks and memory (for example) at startup and then exits. See the FAQ for more information	Yes
RivaTunerStartupDaemon	U	RivaTunerWrapper.exe	Part of RivaTuner - a tweaking utility for NVIDIA (and to a lesser extent AMD/ATI) chipset based graphics cards. This entry is for Windows 10/8/7/Vista and loads the main application (RivaTuner.exe) to apply overclocking changes to clocks and memory (for example) at startup and then exits. See the FAQ for more information	Yes
RivaTunerWrapper Application	U	RivaTunerWrapper.exe	RivaTuner is a tweaking utility for NVIDIA (and to a lesser extent AMD/ATI) chipset based graphics cards. This startup entry is for Windows 10/8/7/Vista and can appear twice - with registry key names of 'RivaTuner' and 'RivaTunerStartupDaemon' respectively. Both load the main application (RivaTuner.exe). The former minimizes it to the System Tray and is primarily required only if you want to use the 'Launcher' or monitoring options. The latter applies overclocking changes to clocks and memory (for example) at startup and then exits. See the FAQ for more information	Yes
miaul	U	RJFC.exe	Detected by Malwarebytes as PUP.Optional.Vonteera. The file is located in %AppData%miaul. If bundled with another installer or not installed by choice then remove it	No
rjfeud	X	rjfeud.exe	Detected by Malwarebytes as Trojan.Downloader. The file is located in %UserProfile%	No
Chrome Browser	X	rjmynangs.exe	Detected by Malwarebytes as Trojan.PWS.Zbot.AI. Note - this is not the legitimate Google Chrome browser and the file is located in %CommonFiles%Chrome Browser0	No
rjuIB55IgyTB.exe	X	rjuIB55IgyTB.exe	Detected by Dr.Web as Trojan.DownLoader8.22321 and by Malwarebytes as Trojan.MSIL. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
OSS	X	rk.exe	MarketScore/Netsetter/Relevant Knowledge parasite	No
rkahskri.exe	X	rkahskri.exe	Detected by Malwarebytes as Backdoor.Bot. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
WindowsRegKey update	X	rkbuouoxfl.exe	Detected by Sophos as W32/Rbot-OO	No
rkfree	U	rkfree.exe	Revealer Keylogger Free keystroke logger/monitoring program - remove unless you installed it yourself!	No
65438761234587528	X	rkgnd.exe	ANG AntiVirus 09 rogue security software - not recommended, removal instructions here	No
RK Launcher	U	RKLauncher.exe	RK Launcher by RaduKing - 'is a free application that will allow the user to have a visually pleasing bar at the side of the screen that is used to quickly launch shortcuts'	No
rlPympjVAQQ.exe	X	rlPympjVAQQ.exe	Detected by Sophos as Mal/FakeAV-IK	No
OSS	X	rlvknlg.exe	MarketScore/Netsetter/Relevant Knowledge parasite	No
RelevantKnowledge	U	rlvknlg.exe	Detected by Malwarebytes as PUP.Adware.RelevantKnowledge. The file is located in %ProgramFiles%relevantknowledge	No
MicrosoftUpdate	X	RLvPxQO.exe	Detected by Malwarebytes as Trojan.Agent.MUGen. The file is located in %AppData%	No
Micro	X	RLvPxQO.exe	Detected by Malwarebytes as Trojan.Zapchast. The file is located in %AppData%	No
JAVA	X	RLvPxQO.exe	Detected by Malwarebytes as Trojan.Zapchast. The file is located in %AppData%	No
perelsi	X	RLvPxQO.exe	Detected by Malwarebytes as Trojan.Zapchast. The file is located in %AppData%	No
cssrs	X	RLvPxQO.exe	Detected by Malwarebytes as Trojan.Zapchast. The file is located in %AppData%	No
Security	X	RLvPxQO.exe	Detected by Malwarebytes as Trojan.Zapchast. The file is located in %AppData%	No
Crhome	X	RLvPxQO.exe	Detected by Malwarebytes as Trojan.Zapchast. The file is located in %AppData%	No
Remote Storage Access	X	rmasvc.exe	Detected by Microsoft as Worm:Win32/Slenfbot.KC	No
Windows Terminal Manager	X	rmbsvc.exe	Added by a variant of W32.IRCBot. The file is located in %System%	No
RMClock	U	RMClock.exe	'RightMark CPU Clock Utility (RMClock) is a small GUI application designed for real-time CPU frequency, throttling and load level monitoring and on-the-fly adjustment of the CPU performance level on supported CPU models via processor's power management model-specific registers (MSRs)'	No
RightMark CPU Clock Utility	U	RMClock.exe	'RightMark CPU Clock Utility (RMClock) is a small GUI application designed for real-time CPU frequency, throttling and load level monitoring and on-the-fly adjustment of the CPU performance level on supported CPU models via processor's power management model-specific registers (MSRs)'	No
rmctrl	U	rmctrl.exe	Remote Control background application for Cyberlink's PowerDVD version 4 and above. Enables you to use a remote control with your DVD drive if your drive came with one. Not required if you don't have a remote control, or don't wish to use one	No
RemoteControl	U	rmctrl.exe	Remote Control background application for Cyberlink's PowerDVD version 4 and above. Enables you to use a remote control with your DVD drive if your drive came with one. Not required if you don't have a remote control, or don't wish to use one	No
Supports RAS Connections	X	rmdynvq.exe	Detected by Malwarebytes as Backdoor.IRCBot. The file is located in %System%	No
Taskman	X	rmhzb.exe	Detected by Trend Micro as WORM_PALEVO.AH and by Malwarebytes as Worm.Palevo. Note - this entry adds a HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon 'Taskman' entry which loads the file 'rmhzb.exe' (which is located in %AppData%)	No
Windows Service Agccnt	X	rmizjgz.exe	Detected by Sophos as W32/Sdbot-DIM	No
RMremote	?	RmRemote.exe	Remote control driver for the mow discontinued REALmagic Xcard and Hollywood+ hardware-accelerated MPEG decoder cards from Sigma Designs	No
MicrosoftUpdate	X	rmsm.exe	Detected by Symantec as W32.Barten@mm and by Malwarebytes as Trojan.Agent.MUGen	No
Extender Resource Monitor	N	RMSysTry.exe	Related to Windows Media Center from Microsoft. Reports system resource utilization after you add your first Media Center extender.	No
Desktop Maestro Vista Tray	N	RMTray.exe	Part of Desktop Maestro from PC Tools by Symantec (now discontinued) - which 'combines the features of our award winning products, Registry Mechanic and Privacy Guardian to ensure that you have the range of tools at your fingertips to ensure optimal system performance, stability and user privacy'. This entry is created when Desktop Maestro is installed on Vista and loads the System Tray icon (deskmech.exe) on runs a registry scan at startup - if either are enabled. Run manually at regular intervals	Yes
DesktopMaestro	N	RMTray.exe	Part of Desktop Maestro from PC Tools by Symantec (now discontinued) - which 'combines the features of our award winning products, Registry Mechanic and Privacy Guardian to ensure that you have the range of tools at your fingertips to ensure optimal system performance, stability and user privacy'. This entry is created when Desktop Maestro is installed on Vista and loads the System Tray icon (deskmech.exe) on runs a registry scan at startup - if either are enabled. Run manually at regular intervals	Yes
Registry Mechanic Vista Tray	N	RMTray.exe	Part of Registry Mechanic from PC Tools by Symantec (now discontinued) - which 'is an advanced registry cleaner for Windows that can safely clean, repair and optimize your registry in a few simple mouse clicks!' This entry is created when Registry Mechanic is installed on Vista and loads the System Tray icon (RegMech.exe) and runs a registry scan at startup - if either are enabled. Run manually at regular intervals	Yes
RegistryMechanic	N	RMTray.exe	Part of Registry Mechanic from PC Tools by Symantec (now discontinued) - which 'is an advanced registry cleaner for Windows that can safely clean, repair and optimize your registry in a few simple mouse clicks!' This entry is created when Registry Mechanic is installed on Vista and loads the System Tray icon (RegMech.exe) and runs a registry scan at startup - if either are enabled. Run manually at regular intervals	Yes
DialUp Network Application	X	Rnaap.exe	Added by a variant of W32/Sdbot.worm. The file is located in %System%	No
Remote Access	U	rnaapp.exe	Dial-up networking application - not normally found in the startup locations. It runs when you connect to the net via this method (ie, analogue 56K modem) and terminates after the connection is closed	No
RealPlayer Ath Check	X	rnathchk.exe	Detected by Symantec as W32.Mytob.AG@mm	No
rncsys32.exe	X	rncsys32.exe	Detected by Malwarebytes as Trojan.Agent. Note - the file is located in %AllUsersStartup% and/or %UserStartup% and its presence there ensures it runs when Windows starts	No
RandomDriver	X	rnd.exe	Detected by Malwarebytes as Trojan.PasswordStealer. The file is located in %AppData%random	No
Microsoft Setup Initializazion	X	rnd.exe	Detected by Dr.Web as BackDoor.IRC.Sdbot.16814 and by Malwarebytes as Backdoor.Bot	No
file laoder configuration	X	rnd32.exe	Detected by Trend Micro as WORM_RBOT.BQJ	No
rndll.exe	X	rndll.exe	Detected by Sophos as Troj/DwnLdr-KQF. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
Firevall Administrating	X	rndll.exe	Detected by Sophos as W32/Pushbot-B and by Malwarebytes as Backdoor.Bot	No
RunDLL Service	X	rndll.exe	Detected by Malwarebytes as Backdoor.Agent.WF. The file is located in %AppData% - see here	No
rndll2	?	rndll2.exe	Suspect as the file is located in %ProgramFiles%Internet Explorer	No
Run DLL	X	rndll32.exe	Detected by Sophos as Troj/Ircbrut-H	No
rnds	X	rnds92.exe	Detected by Dr.Web as Trojan.DownLoader10.4725 and by Malwarebytes as Trojan.Downloader.E	No
randomseed	X	rndseed.exe	Detected by Dr.Web as Trojan.Siggen5.44559 and by Malwarebytes as Trojan.Banker	No
setupdata	X	rnll32.exe	Detected by Sophos as Troj/QQPass-AG	No
Kgjg	X	rnnypbw.exe	Detected by ThreatTrack Security as QuickLinks/Forethought adware. The file is located in %System%	No
Zonesoft Cleaner	X	rnsys.exe	Added by a variant of W32/Sdbot.worm. The file is located in %System%	No
rnwabmig	X	rnwabmig.exe	Detected by Sophos as Troj/Agent-LMI	No
xibquxs	X	rnxntup.exe	Added by a variant of Infostealer.Orcu.B. The file is located in %Windir%	No
xmnfuruwk	X	rnxntup.exe	Detected by Symantec as Infostealer.Orcu.B	No
hhtnsn	X	rnxntup.exe	Added by a variant of Infostealer.Orcu.B. The file is located in %Windir%	No
sjduwiwx	X	rnxntup.exe	Added by a variant of Infostealer.Orcu.B. The file is located in %Windir%	No
BeebBeebIamASheep	X	RoamingBeebBeebIamASheep.exe	Detected by Malwarebytes as Spyware.Agent.E. The file is located in %AppData%	No
Le Petit Robert V3 Hyperappel	U	RobertHA.exe	Allows you to select a word or phrase within a document, application, web-page, etc and search for it within the 'Le Petit Robert' French dictionary from Le Robert. See here for more information	No
load	X	RobloxAppLanucher.exe	Detected by Malwarebytes as Backdoor.NanoCore.E. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'load' value data to include the file 'RobloxAppLanucher.exe' (which is located in %AppData%)	No
Explorer	X	RobloxPlayerBeta.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %AppData%RobloxFiles	No
robmob	X	robmob.exerobmob.exeminer.exe	Detected by Malwarebytes as Trojan.MSIL. The file is located in %AppData%robmob	No
robmob	X	robmob.exerobmobslaves.exe	Detected by Malwarebytes as Trojan.MSIL. The file is located in %AppData%robmob	No
RoboForm	N	RoboFormWatcher.exe	Roboform password manager - 'securely stores your passwords on your computer and automatically logs you into online accounts'	No
RoboFormWatcher	N	RoboFormWatcher.exe	Roboform password manager - 'securely stores your passwords on your computer and automatically logs you into online accounts'	No
RoboForm	N	RoboTaskBarIcon.exe	Roboform password manager - 'securely stores your passwords on your computer and automatically logs you into online accounts'	No
robqaddubuzy	X	robqaddubuzy.exe	Detected by Malwarebytes as Trojan.Agent.US. The file is located in %UserProfile% - see here	No
Roccat Talk	U	Roccat Talk.exe	System Tray access to and notifications for the ROCCAT Talk utility for their gaming hardware which 'lets your compatible ROCCAT gaming devices joins forces for amazing features that will enhance your performance in game'	No
ROCCAT Swarm.	U	ROCCAT_Swarm_Monitor.exe	System Tray access to and notifications for the ROCCAT Swarm utility for their gaming hardware which 'represents a powerful ecosystem where computers, peripherals and mobile devices are brought together in unison for a completely unique experience'	No
Adobe	X	Rock.exe	Detected by McAfee as RDN/Generic.sb!l and by Malwarebytes as Trojan.Agent.FLA	No
RocketDock	U	RocketDock.exe	'RocketDock is a smoothly animated, alpha blended application launcher. It provides a nice clean interface to drop shortcuts on for easy access and organization'	Yes
RocketDock.exe	U	RocketDock.exe	'RocketDock is a smoothly animated, alpha blended application launcher. It provides a nice clean interface to drop shortcuts on for easy access and organization'	Yes
Rocket.Time	U	RocketTime.exe	Rocket.Time - time synchronization software from Rocket Software	No
RockMelt Update	N	RockMeltUpdate.exe	Automatic updates for the RockMelt browser (now acquired by Yahoo!) - which 'is providing a fundamentally better Web experience by re-imagining the browser around how you use the internet today'	No
ROC_roc_dec12	Y	ROC_roc_dec12.exe	Part of AVG Secure Search which 'alerts you before you visit dangerous webpages to make sure your identity, personal information, and computer are protected'	No
ROC_ROC_NT	Y	ROC_ROC_NT.exe	Part of AVG Secure Search which 'alerts you before you visit dangerous webpages to make sure your identity, personal information, and computer are protected'	No
ROC_roc_ssl_v12	Y	ROC_roc_ssl_v12.exe	Part of AVG Secure Search which 'alerts you before you visit dangerous webpages to make sure your identity, personal information, and computer are protected'	No
RogersAgent	U	rogersagent.exe	'Rogers Self Help Software is a free suite of tools and utilities for your computer that keeps your system running properly, and makes your Hi-Speed Internet experience smooth and trouble-free'	No
RogersServicepointAgent.exe	Y	RogersServicepointAgent.exe	Rogers Servicepoint Agent tool installed when you choose to install their Online Protection internet security suite - sourced by Radialpoint. Apart from downloading the suite installation files, the exact purpose is unknown at this time but it may be used to source critical updates and alerts so should therefore be left enabled	No
Malwarebytes' RogueRemover PRO	Y	RogueRemoverPRO.exe	Part of Malwarebytes RogueRemover PRO - the realtime 'RogueMonitor will alert you before you download a rogue application keeping you safe and secure before trouble occurs'. Now discontinued and the functionality is included in Malwarebytes	Yes
RogueMonitor	Y	RogueRemoverPRO.exe	Part of Malwarebytes RogueRemover PRO - the realtime 'RogueMonitor will alert you before you download a rogue application keeping you safe and secure before trouble occurs'. Now discontinued and the functionality is included in Malwarebytes	Yes
RogueRemoverPRO	Y	RogueRemoverPRO.exe	Part of Malwarebytes RogueRemover PRO - the realtime 'RogueMonitor will alert you before you download a rogue application keeping you safe and secure before trouble occurs'. Now discontinued and the functionality is included in Malwarebytes	Yes
VZZNLF	X	ROkHfl.exe	Detected by McAfee as RDN/Generic BackDoor!ua and by Malwarebytes as Backdoor.Agent.DCE	No
RollModel	X	roll.exe	Detected by Malwarebytes as Backdoor.Agent.DCEGen. The file is located in %System%MSDCSC	No
Rollback	U	RollbackTray.exe	RollBack Rx system restore utility by Horizon Data Sys	No
rolypopv3	X	rolypops.exe	Detected by Trend Micro as TROJ_FAKR.BC	No
Romantic-Devil.R.exe	X	Romantic-Devil.R.exe	Detected by Dr.Web as Trojan.StartPage.44997. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
ROM	X	ROMServer.exe	Detected by Dr.Web as Trojan.DownLoader4.57028. Note - this is not the legitimate process for LiteManager Pro which is normally located in %ProgramFiles%LiteManager Pro - Server. This one is located in %Windir%ROM	No
Adobe Update Manager	X	ROMServer.exe	Detected by Symantec as Trojan.Ratopak	No
GlitchInstrumentation	X	Ron.exe	Detected by Symantec as Trojan.Smackup and by Malwarebytes as Trojan.Agent	No
Ronda	X	Ronda.exe	Detected by Malwarebytes as Backdoor.Fynloski. The file is located in %AppData%	No
rundll32	X	rookie.vbs	Detected by Sophos as VBS/Rookie-A	No
DevicePath	X	Root.exe	Detected by Trend Micro as WORM_GRUEL.G	No
Rundll32	X	Root.exe	Detected by Trend Micro as WORM_GRUEL.G	No
MediaPath	X	Root.exe	Detected by Trend Micro as WORM_GRUEL.G	No
Reproductor Media Video	X	root12.exe	Detected by McAfee as RDN/Generic.bfr!hu and by Malwarebytes as Trojan.Agent.HWI	No
Windows Root Account	X	Root32.exe	Detected by Symantec as Backdoor.Lithium	No
Root System Service	X	rootsvc32.exe	Detected by Sophos as W32/Autorun-BGZ and by Malwarebytes as Worm.Kolab	No
testss	X	roro.exe	Detected by Malwarebytes as Trojan.Agent.E.Generic. The file is located in %Windir%	No
Registry Value Name	X	roses.exe	Detected by Sophos as W32/Rbot-AFT	No
RosTika	X	RosTika.exe	Detected by Sophos as W32/Brontok-BU	No
rothisacqixr	X	rothisacqixr.exe	Detected by McAfee as RDN/Generic.tfr!ef and by Malwarebytes as Trojan.Agent.US	No
rotzipzegsac	X	rotzipzegsac.exe	Detected by McAfee as RDN/Generic Dropper!vd and by Malwarebytes as Trojan.Agent.US	No
ROUTD	?	ROUTD.exe	The file is located in %Windir%. What does it do and is it required?	No
help.exe	X	route.exe	Detected by Dr.Web as Trojan.DownLoader10.3417 and by Malwarebytes as Trojan.Agent.IDGen	No
Router	X	Router.exe	Detected by Kaspersky as Trojan-Downloader.Win32.Agent.gdi. The file is located in %ProgramFiles%Router	No
Microsoft Router Manager	X	router.exe	Detected by Malwarebytes as Backdoor.Bot	No
CryptLoad	N	RouterClient.exe	CryptLoad download manager	No
Easy CD Creator	N	RoxAssist.exe	Roxio Assistant is designed to correct engine initialization errors in Easy CD & DVD Creator 6. If the engine does not initialize, the applications in Easy CD & DVD Creator will not recognize your recorder. After running this program you should receive the message 'Engine initialized successfully with full recorder support'. If this doesn't happen you may have to add support for newer drives using Roxio Updater, check for product updates and even re-install the software. See this thread for more information	Yes
RoxAssist	N	RoxAssist.exe	Roxio Assistant is designed to correct engine initialization errors in Easy CD & DVD Creator 6. If the engine does not initialize, the applications in Easy CD & DVD Creator will not recognize your recorder. After running this program you should receive the message 'Engine initialized successfully with full recorder support'. If this doesn't happen you may have to add support for newer drives using Roxio Updater, check for product updates and even re-install the software. See this thread for more information	Yes
RoxAssistant	N	RoxAssist.exe	Roxio Assistant is designed to correct engine initialization errors in Easy CD & DVD Creator 6. If the engine does not initialize, the applications in Easy CD & DVD Creator will not recognize your recorder. After running this program you should receive the message 'Engine initialized successfully with full recorder support'. If this doesn't happen you may have to add support for newer drives using Roxio Updater, check for product updates and even re-install the software. See this thread for more information	Yes
Desktop Disc Tool	N	RoxioBurnLauncher.exe	Background process installed with Roxio Creator multimedia suites. Monitors your optical drive and launches the main Roxio Burn (Roxio Burn.exe) desktop tool when blank media or media containing data is inserted	Yes
Roxio Burn	N	RoxioBurnLauncher.exe	Background process installed with Roxio Creator multimedia suites. Monitors your optical drive and launches the main Roxio Burn (Roxio Burn.exe) desktop tool when blank media or media containing data is inserted	Yes
RoxioBurnLauncher	N	RoxioBurnLauncher.exe	Background process installed with Roxio Creator multimedia suites. Monitors your optical drive and launches the main Roxio Burn (Roxio Burn.exe) desktop tool when blank media or media containing data is inserted	Yes
RoxWatchTray	N	RoxWatchTray.exe	System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Easy Media Creator 8 multimedia suite. All of these options are available from the Media Manager utility. The 'Watched Folders' feature monitors specified locations for new pictures, songs and videos being added and makes them available to the Media Manager - if you have 512MB of memory or less available it's recommended you also disable the associated 'Roxio Hard Drive Watcher (RoxWatch)' service as well as the combination has been known to use significant amount of memory and cause other problems	No
RoxWatchTray	N	RoxWatchTray10.exe	System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Easy Media Creator 10 multimedia suite. All of these options are available from the Media Manager utility. The 'Watched Folders' feature monitors specified locations for new pictures, songs and videos being added and makes them available to the Media Manager - if you have 512MB of memory or less available it's recommended you also disable the associated 'Roxio Hard Drive Watcher 10 (RoxWatch10)' service as well as the combination has been known to use significant amount of memory and cause other problems	No
RoxWatchTray10	N	RoxWatchTray10.exe	System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Easy Media Creator 10 multimedia suite. All of these options are available from the Media Manager utility. The 'Watched Folders' feature monitors specified locations for new pictures, songs and videos being added and makes them available to the Media Manager - if you have 512MB of memory or less available it's recommended you also disable the associated 'Roxio Hard Drive Watcher 10 (RoxWatch10)' service as well as the combination has been known to use significant amount of memory and cause other problems	No
RoxWatchTray	N	RoxWatchTray11.exe	System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Easy Media Creator 2009 multimedia suite. All of these options are available from the Media Manager utility. The 'Watched Folders' feature monitors specified locations for new pictures, songs and videos being added and makes them available to the Media Manager - if you have 512MB of memory or less available it's recommended you also disable the associated 'Roxio Hard Drive Watcher 11 (RoxWatch11)' service as well as the combination has been known to use significant amount of memory and cause other problems	No
RoxWatchTray11	N	RoxWatchTray11.exe	System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Easy Media Creator 2009 multimedia suite. All of these options are available from the Media Manager utility. The 'Watched Folders' feature monitors specified locations for new pictures, songs and videos being added and makes them available to the Media Manager - if you have 512MB of memory or less available it's recommended you also disable the associated 'Roxio Hard Drive Watcher 11 (RoxWatch11)' service as well as the combination has been known to use significant amount of memory and cause other problems	No
RoxWatchTray	N	RoxWatchTray12.exe	System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Creator multimedia suite. All of these options are available from the Media Manager utility. The 'Watched Folders' feature monitors specified locations for new pictures, songs and videos being added and makes them available to the Media Manager - if you have 512MB of memory or less available it's recommended you also disable the associated 'Roxio Hard Drive Watcher 12 (RoxWatch12)' service as well as the combination has been known to use significant amount of memory and cause other problems	No
RoxWatchTray12	N	RoxWatchTray12.exe	System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Creator multimedia suite. All of these options are available from the Media Manager utility. The 'Watched Folders' feature monitors specified locations for new pictures, songs and videos being added and makes them available to the Media Manager - if you have 512MB of memory or less available it's recommended you also disable the associated 'Roxio Hard Drive Watcher 12 (RoxWatch12)' service as well as the combination has been known to use significant amount of memory and cause other problems	No
RoxWatchTray	N	RoxWatchTray12OEM.exe	On the full version of the product this provides System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Creator multimedia suite - see the entry for RoxWatchTray (RoxWatchTray12.exe). This is the OEM version installed by various PC manufacturers (also known as Roxio Creator Starter) and these features are not available without an upgrade. Also disable the associated 'Roxio Hard Drive Watcher 12 (RoxWatch12)' service as well	Yes
RoxWatchTray12OEM	N	RoxWatchTray12OEM.exe	On the full version of the product this provides System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Creator multimedia suite - see the entry for RoxWatchTray (RoxWatchTray12.exe). This is the OEM version installed by various PC manufacturers (also known as Roxio Creator Starter) and these features are not available without an upgrade. Also disable the associated 'Roxio Hard Drive Watcher 12 (RoxWatch12)' service as well	Yes
CommonSDK	N	RoxWatchTray12OEM.exe	On the full version of the product this provides System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Creator multimedia suite - see the entry for RoxWatchTray (RoxWatchTray12.exe). This is the OEM version installed by various PC manufacturers (also known as Roxio Creator Starter) and these features are not available without an upgrade. Also disable the associated 'Roxio Hard Drive Watcher 12 (RoxWatch12)' service as well	Yes
RoxWatchTray	N	RoxWatchTray13.exe	System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Creator multimedia suite. All of these options are available from the Media Manager utility. The 'Watched Folders' feature monitors specified locations for new pictures, songs and videos being added and makes them available to the Media Manager - if you have 512MB of memory or less available it's recommended you also disable the associated 'Roxio Hard Drive Watcher 13 (RoxWatch13)' service as well as the combination has been known to use significant amount of memory and cause other problems	No
RoxWatchTray13	N	RoxWatchTray13.exe	System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Creator multimedia suite. All of these options are available from the Media Manager utility. The 'Watched Folders' feature monitors specified locations for new pictures, songs and videos being added and makes them available to the Media Manager - if you have 512MB of memory or less available it's recommended you also disable the associated 'Roxio Hard Drive Watcher 13 (RoxWatch13)' service as well as the combination has been known to use significant amount of memory and cause other problems	No
RoxWatchTray	N	RoxWatchTray9.exe	System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Easy Media Creator 9 multimedia suite. All of these options are available from the Media Manager utility. The 'Watched Folders' feature monitors specified locations for new pictures, songs and videos being added and makes them available to the Media Manager - if you have 512MB of memory or less available it's recommended you also disable the associated 'Roxio Hard Drive Watcher 9 (RoxWatch9)' service as well as the combination has been known to use significant amount of memory and cause other problems	Yes
RoxWatchTray9	N	RoxWatchTray9.exe	System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Easy Media Creator 9 multimedia suite. All of these options are available from the Media Manager utility. The 'Watched Folders' feature monitors specified locations for new pictures, songs and videos being added and makes them available to the Media Manager - if you have 512MB of memory or less available it's recommended you also disable the associated 'Roxio Hard Drive Watcher 9 (RoxWatch9)' service as well as the combination has been known to use significant amount of memory and cause other problems	Yes
CommonSDK	N	RoxWatchTray9.exe	System Tray access to managing the 'Watched Folders', 'LiveShares' and 'MediaSpace' features of the Roxio Easy Media Creator 9 multimedia suite. All of these options are available from the Media Manager utility. The 'Watched Folders' feature monitors specified locations for new pictures, songs and videos being added and makes them available to the Media Manager - if you have 512MB of memory or less available it's recommended you also disable the associated 'Roxio Hard Drive Watcher 9 (RoxWatch9)' service as well as the combination has been known to use significant amount of memory and cause other problems	Yes
startkey	X	royale.exe	Detected by Malwarebytes as Backdoor.Bot. The file is located in %System%	No
RP32	U	rp32.exe	Unicenter Remote Control (was Remotely Possible) from Enterprise International for remote control and access to Win9x/NT systems	No
Remote Procedure Call For Windows 32bit.	X	rpc.exe	Detected by Sophos as W32/Rbot-MD and by Malwarebytes as Worm.AutoRun	No
RPC Drivers	X	rpcall.exe	Detected by Trend Micro as WORM_SDBOT.FLY	No
WindowsHive	X	rpcc.exe	Detected by Sophos as Troj/Dlena-A	No
rpcc	X	rpcc.exe	Detected by Sophos as Troj/Spammit-E	No
rpcda Win32	X	rpcda.exe	Detected by Sophos as W32/Rbot-AEE	No
Config Loader	X	rpcfix.exe	Detected by Sophos as W32/Agobot-R	No
Generic Host Process for Win32 Service	X	rpchost.exe	Detected by Symantec as W32.IRCBot.DCN	No
RocketPipe	X	rpclient.exe	Detected by Dr.Web as Trojan.Click2.43527	No
Sysmon	X	rpcmon.exe	Detected by Symantec as W32.Randex.ATX	No
mobsfmon	X	RpcPperf.exe	Detected by Malwarebytes as Ransom.FileCryptor. The file is located in %AppData%diskPING	No
Microsoft Distributed COM Services	X	rpcss.exe	Detected by Dr.Web as Win32.HLLW.Autoruner1.10634 and by Malwarebytes as Worm.AutoRun	No
RPC System Service	X	rpcss.exe	Detected by Malwarebytes as Trojan.Logger.NR. Note - this should not be confused with the legitimate Remote Procedure Call (RPC) service which uses the svchost.exe process to load RpcSs.dll and the file is located in %System%	No
System Setup	X	rpcxcmod.exe	Added by an unidentified WORM or TROJAN!	No
MSVsmt	X	rpcxctx.exe	Added by an unidentified WORM or TROJAN!	No
Rpcx Intelligent Security	X	rpcxis.exe	Detected by Trend Micro as WORM_AGOBOT.ACN	No
WSAConfiguration	X	rpcxmn32.exe	Detected by Trend Micro as WORM_AGOBOT.ABG	No
Social Security Agency	X	rpcxsocsa.exe	Added by a variant of Backdoor:Win32/Rbot. The file is located in %System%	No
Microsoft Windows Key	X	rpcxsys.exe	Detected by Trend Micro as WORM_AGOBOT.AAK and by Malwarebytes as Trojan.MWF.Gen	No
UserInit StartUp	X	rpcxuisu.exe	Added by a variant of W32/Sdbot.worm. The file is located in %System%	No
Microsoft Windows Secure Server	X	rpcxWindows.exe	Detected by Sophos as W32/Rbot-LL and by Malwarebytes as Trojan.MWF.Gen	No
RpcxWindows Extensions	X	rpcxwinex.exe	Detected by Trend Micro as WORM_RBOT.ACP	No
Microsoft Windows Secure Update	X	rpcxwinupdt.exe	Detected by Malwarebytes as Trojan.MWF.Gen. The file is located in %System%	No
windowsupdate	X	RPC[RANDOM CHARACTERS].exe	Detected by Symantec as W32.IRCBot.B and by Malwarebytes as Backdoor.IRCBot.Gen	No
RpdcServ	X	RpdcServ.exe	Detected by Malwarebytes as Backdoor.Agent.DC. The file is located in %AppData%Subset	No
rpga	X	rpgchk.exe	Detected by McAfee as Generic.tfr	No
RapidGet	X	RPGManager.exe	Detected by McAfee as Generic.tfr	No
Remote Access Monitor	X	rpgsvc.exe	Added by a variant of W32.IRCBot. The file is located in %System% - see here	No
RPMKickstart	U	RPMKickstart.exe	Part of the GIGABYTE Smart 6 utilities suite. 'Smart Recovery allows users to easily roll-back system settings to a previous known working status. Users can simple select the day, week or month without prior setup of a backup time flag'	No
rpmvpqbfvfjhgtecquj	X	rpmvpqbfvfjhgtecquj.exe	Detected by Dr.Web as Trojan.DownLoader6.36532	No
TELUS eProtect	Y	Rps.exe	Main program for the TELUS eProtect internet security suite for TELUS ISP customers - sourced by Radialpoint	No
Gestionnaire de sécurité Sympatico	Y	Rps.exe	Main program for the Bell Security Manager internet security suite for Bell Canada ISP customers - sourced by Radialpoint	No
Verizon Internet Security Suite	Y	Rps.exe	Main program for the Verizon Internet Security Suite for Verizon ISP customers - sourced by Radialpoint	No
Services de sécurité Vidéotron	Y	Rps.exe	Main program for the Vidéotron Security Services internet security suite for Vidéotron ISP customers - sourced by Radialpoint	No
Aliant Security Services	Y	Rps.exe	Main program for the Aliant Security Services internet security suite for Bell Aliant ISP customers - sourced by Radialpoint	No
Pcguard	Y	Rps.exe	Main program for the PC Guard internet security package for Virgin Media ISP customers - sourced by Radialpoint. Now superseded by Virgin Media Security - which is also sourced by Radialpoint	Yes
ntl Netguard	Y	RPS.exe	Main program for the ntl Netguard internet security package for NTL ISP customers - sourced by Radialpoint. Now superseded by Virgin Media Security - which is also sourced by Radialpoint	No
Sympatico Security Manager	Y	Rps.exe	Main program for the Sympatico Security Manager internet security suite for Bell Canada ISP customers - sourced by Radialpoint	No
AT&T Internet Security Suite	Y	Rps.exe	Main program for the AT&T Internet Security Suite for AT&T ISP customers - sourced by Radialpoint	No
Rps	Y	Rps.exe	Main program for internet security suites sourced by Radialpoint for ISP customers such as Virgin Media, AT&T, Bell Canada, TELUS Corporation and Verizon Online	Yes
Security Manager	Y	Rps.exe	Main program for the Bell Security Manager internet security suite for Bell ISP customers - sourced by Radialpoint	No
Freedom	Y	Rps.exe	Main program for internet security suites by Radialpoint. Radialpoint also source online security services for ISP customers such as Virgin Media, AT&T, Bell Canada, TELUS Corporation and Verizon Online	No
Radialpoint Security Services	Y	Rps.exe	Main program for internet security suites by Radialpoint. Radialpoint also source online security services for ISP customers such as Virgin Media, AT&T, Bell Canada, TELUS Corporation and Verizon Online	No
Centinela ONO	Y	Rps.exe	Main program for the Centinela ONO Security Services internet security suite for ONO ISP customers - sourced by Radialpoint	No
windows update system	X	rpsrun.exe	Detected by McAfee as RDN/Generic Downloader.x and by Malwarebytes as Trojan.Agent.WUGen	No
RPSP	U	Rpsserv32.exe	Red Pill Spy surveillance software. Uninstall this software unless you put it there yourself	No
RealPlayer Cloud Service UI	N	rpsystray.exe	System Tray access to RealPlayer Cloud (now RealTimes) - which 'is ideal for uploading and organizing your favorite movies on the cloud. Using your free account, you can view them from any device, share them, download them if necessary as well as discovering the latest trends'	No
RealPlayer Cloud Service UI	N	rpsystray.exe	User Interface for RealPlayer Cloud by RealNetworks, Inc. - which 'is an easy way to move, watch, and share your videos and ensures it will properly play on TV, smartphones, and tablet. RealPlayer Cloud enables you to move, watch and share your videos'	No
RealTimes	N	rpsystray.exe	System Tray access to RealTimes - which 'brings your memories to life by automatically and instantly creating video montages called RealTimes Stories from your entire digital photo and video collection. You can customize these RealTimes Stories with your own music, titles and effects, and share them with friends and family either privately or through social media'	No
rqjupd32.exe	X	rqjupd32.exe	Detected by Malwarebytes as Trojan.PasswordStealer. Note - the file is located in %AllUsersStartup% and/or %UserStartup% and its presence there ensures it runs when Windows starts	No
msnmsgr	X	rr.exe	Detected by McAfee as Generic Dropper and by Malwarebytes as Backdoor.Agent	No
ReleaseRAM	U	RRAM.exe	'Release RAM allows your computer to run faster and uses your computer's RAM more efficiently'	No
WinProtect	X	rrdxecxxvtv.exe	Detected by Dr.Web as Trojan.DownLoader6.29094. The file is located in %ProgramFiles%	No
RRE Start	X	RRE.exe	Detected by Dr.Web as Trojan.Siggen2.46206 and by Malwarebytes as Trojan.Agent.Gen	No
Windows Update	X	rrgw3nec.qmq.$$$$$$$$$	Detected by McAfee as RDN/Generic PWS.y!ut and by Malwarebytes as Backdoor.Agent.E	No
Startup	X	rrining.exe	Detected by Dr.Web as Trojan.DownLoader9.9849 and by Malwarebytes as Trojan.MSIL.RN	No
RRMedic	X	rrmedic.exe	Troubleshooting utility for the RoadRunner cable internet service. Not required and you are advised to completely uninstall it. Provides a lot of false alarms and gets a lot of people panicking about there internet connection	No
Windows LoL Layer	X	rrntsbq.exe	Detected by Kaspersky as Backdoor.Win32.Bifrose.dpoa and by Malwarebytes as Backdoor.Bot. The file is located in %System%	No
Rapid Restore	U	rrpcsb.exe	XPoint 'Rapid Restore PC' - 'a Managed Recovery solution that enables IT Administrators to protect the corporate image, while offloading personal data backup and recovery chores to the end user'	No
AdobeReaderPro	X	rruxdkf.exe	Detected by Kaspersky as Backdoor.Win32.Rbot.adf and by Malwarebytes as Backdoor.Bot. The file is located in %System%	No
load	X	rs.exe	Detected by Malwarebytes as Trojan.Redlonam. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'load' value data to include the file 'rs.exe' (which is located in %AppData%FolderN)	No
rs32net	X	rs32net.exe	Detected by Sophos as Troj/Agent-IFH	No
arjtqhalyp	X	rsacir.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %System%	No
RSAgent	U	RSAgent.exe	RegServe by Xionix Inc 'makes managing your computers registry easy by automatically scanning your computer for corrupt or damaged registry files.' Detected by Malwarebytes as PUP.Optional.RegDefense. The file is located in %ProgramFiles%RegServe. If bundled with another installer or not installed by choice then remove it	No
[8 hex numbers]	X	rsbmsc.exe	Detected by Avira as BDS/Agent.adt. The file is located in %System%	No
Rsbot293.exe	X	Rsbot293.exe	Detected by Malwarebytes as Trojan.MSIL.Bladabindi. The file is located in %AppData%Microsoft	No
Rscmpt	U	Rscmpt.exe	Required on the GeFroce 64 meg MX card to show the full 64 meg memory and appears to be a software memory emulator running under the Win2K - see here. High CPU useage results - hence the U status	No
RandomScreen	U	RSD.exe	RandomScreen Deluxe by angGoGo Software - 'is a powerful, easy to use utility for managing your screensavers and desktop wallpaper. You can run randomly your all screensavers or show favorite picture or flash in screensaver, change desktop wallpaper, play mp3 in screensaver background'	No
(Default)	X	rsddoser.exe	Detected by Microsoft as PWS:MSIL/Petun.A. Note - this malware actually changes the value data of the '(Default)' key in HKLMRun and HKCURun in order to force Windows to launch it at boot. The name field in MSConfig may be blank	No
Red Swoosh EDN Client	U	RSEDNClient.exe	Red Swoosh distributed networking software - a desktop client that enables users to download and stream files from each other, rather than from webservers. Now superseded by the Akamai NetSession Interface download manager which is used by companies such as Adobe and Corel to download and install their online products. Required for the download to start and complete but once finished it can be disabled and re-instated at a later date if needed	No
(Default)	X	RSEpicbot2007.exe	Detected by Malwarebytes as Trojan.Clicker. Note - this malware actually changes the value data of the '(Default)' key in HKCURun in order to force Windows to launch it at boot. The name field in MSConfig may be blank and the file is located in %AppData%MicrosoftWindowsStart MenuPrograms (10/8/7/Vista) or %UserProfile%Start MenuPrograms (XP)	No
Microsoft Server	X	rserv.exe	Detected by Trend Micro as WORM_AGOBOT.AVS	No
Synchronization Manager	X	rservers.exe	Detected by Sophos as W32/Forbot-FM	No
syste34	X	rsg.exe	Detected by Malwarebytes as Backdoor.Remcos. The file is located in %ProgramFiles%esrtsts	No
rsmb	X	rsmb.exe	Detected by Sophos as W32/Stration-H	No
rsmb32	X	rsmb32.exe	Detected by Symantec as W32.Stration.AV@mm	No
Randsoft Harmony '98	U	rsMenu.exe	Randsoft Harmony '98 (superseded by Enterprise Harmony 99) for CASIO - synchronization software for use with Microsoft® Outlook 97/98/2000	No
rsMenu	U	rsMenu.exe	Enterprise Harmony 99 for CASIO - synchronization software for use with Microsoft® Outlook 97/98/2000. Formally Randsoft Harmony '98	No
Enterprise Harmony	U	rsMenu.exe	Enterprise Harmony 99 for CASIO - synchronization software for use with Microsoft® Outlook 97/98/2000	No
Enterprise Harmony '99	U	rsMenu.exe	Enterprise Harmony 99 for CASIO - synchronization software for use with Microsoft® Outlook 97/98/2000	No
rsn32.exe	X	rsn32.exe	Detected by Malwarebytes as Trojan.Agent.TMGen. The file is located in %Temp%	No
defrag.exe	X	rsnotify.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %AppData%pe explorer	No
Resource Meter	N	rsrcmtr.exe	Windows Resource Meter. Available via Start → Programs. You may want this enabled if your PC is suffering from crashes and want to know potential causes	No
RSRCMTZ	?	RSRCMTZ.exe	The file is located in %Windir%. What does it do and is it required?	No
VgaDriver	X	RsrVga32.exe	Detected by Sophos as Troj/Keylog-AH	No
rsrvmon.exe	X	rsrvmon.exe	Detected by Kaspersky as Trojan-Clicker.Win32.Agent.ny. The file is located in %System%drivers	No
RssReader	U	RssReader.exe	RssReader - a free RSS reader able to display any RSS and Atom news feed (XML)	No
WinFix service	X	rsswjzgp.exe	Detected by Sophos as W32/Rbot-FAE	No
Random Interface Network	X	rst.exe	Detected by Sophos as W32/Delbot-P	No
Alcohol120	X	rst.exe	Detected by Dr.Web as Trojan.Siggen5.37516 and by Malwarebytes as Trojan.Agent.E	No
SCISound	X	rstray.exe	Detected by Trend Micro as TSPY_KEYLOGGE.LQ and by Malwarebytes as Trojan.Keylogger.OL	No
*Restore	Y	rstrui.exe	Part of Windows System Restore and added as a RunOnce registry entry. Leave alone	No
SystemRestore	X	rstrui_w.exe	Detected by Malwarebytes as Backdoor.Bot. The file is located in %Windir%	No
HKLM	X	RSUp.exe	Detected by McAfee as RDN/Generic.bfr!hx and by Malwarebytes as Backdoor.HMCPol.Gen	No
HKCU	X	RSUp.exe	Detected by McAfee as RDN/Generic.bfr!hx and by Malwarebytes as Backdoor.HMCPol.Gen	No
Network Administration Service	X	rsvc32.exe	Detected by Trend Micro as WORM_RBOT.ABH	No
MSN UPDATER	X	RSVC32.EXE	Detected by Sophos as W32/Rbot-HW	No
rsvp	X	rsvp.exe /waitservice	Detected by Microsoft as TrojanDownloader:Win32/Horst.Q. Note - this is not the legitimate rsvp.exe which is always located in %System%. This one is located in either %Windir%, %Windir%System, %Temp%, %AppData%, %AppData%Microsoft or %System%drivers	No
Remote Access Domain	X	rswsvc.exe	Detected by Microsoft as Worm:Win32/Slenfbot.FP	No
rtasks	X	rtasks.exe	Part of rogue software including members of the AVSystemCare security suite family (see here for examples), WinAntiVirus Pro 2006 and WinAntiVirus Pro 2007	No
rtcdll	U	rtcdll.exe	RTCDLL is 'Real Time Communication' and is associated with Windows Messenger (the IM application, not messenger service). It is only necessary if you use Windows Messenger. Most people use MSN Messenger instead, so it is not required in those cases	No
RtDCpl	N	RtDCpl.exe	Control Panel applet installed with the 32-bit drivers for on-board Realtek HD audio	No
RtHDVCpl	N	RtDCpl.exe	Control Panel applet installed with the 32-bit drivers for on-board Realtek HD audio	No
RtHDVCpl	U	RtDCpl64.exe	Control Panel applet installed with the 64-bit drivers for on-board Realtek HD audio	No
startkey	X	rtfmsv.exe	Detected by Sophos as Troj/Edepol-C and by Malwarebytes as Backdoor.Bot	No
RtsFT	U	RTFTrack.exe	Related to webcams based upon Realtek camera controllers	No
NET	X	RTHDCPL.EX	Detected by Malwarebytes as Backdoor.Agent.DEM. The file is located in %AppData%Media	No
WIN	X	RTHDCPL.EX	Detected by Malwarebytes as Backdoor.Agent.DEM. The file is located in %AppData%Media	No
Realtek HD Audio Sound Effect Manager	U	RTHDCPL.EXE	Realtek HD Audio Control Panel, installed with the XP/2K drivers for on-board Realtek HD audio codecs. Provides a default (but optional) System Tray icon which allows you to manage audio device settings and gives you access to the Sound Manager and other multimedia functions. You will also receive notifications when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged it it may not be detected and therefore may not work	Yes
Realtek HD Audio Sound Effect Manager	X	Rthdcpl.exe	Detected by Malwarebytes as Trojan.Agent.FI. Note the space at the beginning and end of the 'Startup Item' field and this is not the legitimate Realtek file of the same name which is normally located in %System%. This one is located in %MyDocuments%Realtek	No
RTHDCPL	U	RTHDCPL.EXE	Realtek HD Audio Control Panel, installed with the XP/2K drivers for on-board Realtek HD audio codecs. Provides a default (but optional) System Tray icon which allows you to manage audio device settings and gives you access to the Sound Manager and other multimedia functions. You will also receive notifications when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged it it may not be detected and therefore may not work	Yes
HD Audio Background Process	?	RtHDVBg.exe	Installed with the 32-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. The exact purpose is unknown at present	No
RtHDVBg	?	RtHDVBg.exe	Installed with the 32-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. The exact purpose is unknown at present	No
RtHDVBg_Dolby	?	RtHDVBg.exe	Installed with the 32-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. The exact purpose is unknown at present	No
Realtek HD Audio Manager	U	RtHDVCpl.exe	Realtek HD Audio Manager, installed with the 32-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. Provides a default (but optional) System Tray icon which allows you to manage audio device settings and gives you access to the Sound Manager and other multimedia functions. You will also receive notifications when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged in it may not be detected and therefore may not work	Yes
Realtek Semiconductor	X	RtHDVCpl.exe	Detected by Sophos as Troj/FakeAV-FYI and by Malwarebytes as Worm.Dorkbot. Note that this is the valid Realtek HD Audio Manager process which has the same filename and is located in %ProgramFiles%RealtekAudioHDA. This one is located in %Windir%	No
Wnd32	X	RtHDVCpl.exe	Detected by Malwarebytes as Worm.AutoRun.WNGen. Note that this is not the valid Realtek HD Audio Manager process which has the same filename and is located in %ProgramFiles%RealtekAudioHDA. This one is located in %ProgramFiles%Wnd32	No
DB Audio Control Panel	X	RtHDVCpl.exe	Detected by Dr.Web as Trojan.Inject1.4872 and by Malwarebytes as Worm.Dorkbot. Note that this is the valid Realtek HD Audio Manager process which has the same filename and is located in %ProgramFiles%RealtekAudioHDA. This one is located in %AppData%	No
HD Audio Control Panel	U	RtHDVCpl.exe	Realtek HD Audio Manager, installed with the 32-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. Provides a default (but optional) System Tray icon which allows you to manage audio device settings and gives you access to the Sound Manager and other multimedia functions. You will also receive notifications when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged in it may not be detected and therefore may not work	Yes
RtHDVCpl	U	RtHDVCpl.exe	Realtek HD Audio Manager, installed with the 32-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. Provides a default (but optional) System Tray icon which allows you to manage audio device settings and gives you access to the Sound Manager and other multimedia functions. You will also receive notifications when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged in it may not be detected and therefore may not work	Yes
RtI2SBgProc	U	RtI2SBgProc64.exe	Installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek I2S audio codecs. The exact purpose is unknown at present	No
Realtek HD Audio Universal Service	U	RtkAudUService64.exe	Support service installed with the 64-bit drivers for on-board Realtek HD audio chipsets	Yes
RtkAudUService	U	RtkAudUService64.exe	Support service installed with the 64-bit drivers for on-board Realtek HD audio chipsets	Yes
msMGR	X	rtkmsg.exe	Detected by Sophos as W32/Sdbot-BPY	No
Realtek Audio Settings	X	RtkNGUI.exe	Detected by Malwarebytes as Trojan.InfoStealer.AI. Note - this is not the legitimate Realtek process which has the same filename and is normally located in %ProgramFiles%RealtekAudioHDA. This one is located in %ProgramFiles%Realtek	No
Realtek Audio Task	X	RtkNGUI.exe	Detected by Malwarebytes as Trojan.InfoStealer.AI. Note - this is not the legitimate Realtek process which has the same filename and is normally located in %ProgramFiles%RealtekAudioHDA. This one is located in %ProgramFiles%Realtek	No
Realtek HD Audio	X	RtkNGui.exe	Detected by Malwarebytes as Backdoor.Agent. Note - this is not the legitimate Realtek process which has the same filename and is normally located in %ProgramFiles%RealtekAudioHDA. This one is located in %AppData%	No
Realtek HD Audio Manager	U	RtkNGUI.exe	Realtek HD Audio Manager, installed with the 32-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. Manages audio device settings and gives you notifications (if enabled) when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged in it may not be detected and therefore may not work	No
RTHDVCPL	U	RtkNGUI.exe	Realtek HD Audio Manager, installed with the 32-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. Manages audio device settings and gives you notifications (if enabled) when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged in it may not be detected and therefore may not work	No
RtkNGUI	U	RtkNGUI.exe	Realtek HD Audio Manager, installed with the 32-bit 10/8/7/Vista drivers for on-board Realtek I2S audio codecs. Manages audio device settings and gives you notifications (if enabled) when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged in it may not be detected and therefore may not work	No
Realtek HD Audio Manager	U	RtkNGUI64.exe	Realtek HD Audio Manager, installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. Manages audio device settings and gives you notifications (if enabled) when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged in it may not be detected and therefore may not work	Yes
RTHDVCPL	U	RtkNGUI64.exe	Realtek HD Audio Manager, installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek HD audio codecs. Manages audio device settings and gives you notifications (if enabled) when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged in it may not be detected and therefore may not work	Yes
RtkNGUI	U	RtkNGUI64.exe	Realtek HD Audio Manager, installed with the 64-bit 10/8/7/Vista drivers for on-board Realtek I2S audio codecs. Manages audio device settings and gives you notifications (if enabled) when devices are plugged into and removed from the jacks (such as headphones and a microphone). In some cases, if this is not running when such a device is plugged in it may not be detected and therefore may not work	No
rtl.exe	X	rtl.exe	Detected by Sophos as Troj/Tiotua-J	No
MicroUpdate	X	RtlAudio.exe	Detected by Malwarebytes as Backdoor.Agent.DCEGen. The file is located in %AppData%MSDCSC	No
RtlAudio	X	RtlAudio.exe	Detected by Sophos as Troj/GrayBir-U	No
FF4NJ6C2IIND	X	RTLCPL.exe	Detected by McAfee as PWS-Zbot.gen.zy and by Malwarebytes as Backdoor.Agent	No
00401C6XX500	X	RTLCPL.exe	Detected by McAfee as PWS-Zbot.gen.zy and by Malwarebytes as Backdoor.Agent	No
4M6002Y7G4C2	X	RTLCPL.exe	Detected by McAfee as PWS-Zbot.gen.zy and by Malwarebytes as Backdoor.Agent	No
[various names]	X	RtlFindVal.exe	Fake startup entry created by the Wareout rogue spyware and dialer remover - not recommended, removal instructions here. Archived version of Andrew Clover's original page	No
RtlMon.exe	N	RtlMon.exe	Monitor for a RealTek network card	No
RtlUpd64	X	RtlUpd64.exe	Detected by Malwarebytes as Trojan.MSIL. The file is located in %AppData%Acrobat	No
WG111v2 Smart Wizard Wireless Setting	U	RtlWake.exe	Netgear WG111 54 Mbps Wireless-G USB Adapter configuration utility	No
RTMonitor	Y	RTMONI~1.exe	Real-time monitor for Cheyenne AntiVirus - acquired by CA and no longer available	No
rtos	X	rtos.exe	IRC trojan	No
java checksys	X	rtpmp.exe	Detected by Dr.Web as Trojan.Siggen2.44523 and by Malwarebytes as Trojan.Agent	No
Microsoft Runtime Process for Win32 Services	X	rtproc32.exe	Detected by Dr.Web as BackDoor.Pablos.135 and by Malwarebytes as Trojan.Agent	No
Remote Terminal Task	X	rtsbsvc.exe	Detected by Microsoft as Worm:Win32/Slenfbot.LJ	No
RtsCM	U	RTSCM.EXE	Camera manager installed with the 32-bit drivers for webcams based upon Realtek camera controllers	No
RtsCM	U	RTSCM64.EXE	Camera manager installed with the 64-bit drivers for webcams based upon Realtek camera controllers	No
ertyuop	X	rttrwq.exe	Detected by Sophos as W32/AutoRun-APA and by Malwarebytes as Spyware.OnlineGames	No
Media SDK	X	RTTT.EXE.exe	Detected by Malwarebytes as Backdoor.Agent.SDK.Generic. The file is located in %AppData%RTTTT	No
Microsoft	X	rtvcscan.exe	Detected by Sophos as W32/Rbot-GGU and by Malwarebytes as Trojan.Agent.MSGen	No
RtkOSD	?	RtVOsd.exe	Installed with the 32-bit 8/7/Vista drivers for on-board Realtek HD audio codecs. The exact purpose is unknown at present but based upon the filename it may be used to provide on-screen volume level changes	No
RtvOsd	X	RtvOsd.exe	Detected by Malwarebytes as Trojan.Agent. Note - this is not the legitimate Realtek HD audio driver file which is normally located in %ProgramFiles%RealtekAudioOSD - this one is located in %AppData%Microsoft	No
RtkOSD	?	RtVOsd64.exe	Installed with the 64-bit 8/7/Vista drivers for on-board Realtek HD audio codecs. The exact purpose is unknown at present but based upon the filename it may be used to provide on-screen volume level changes	No
rtvscn95	Y	rtvscn95.exe	Real-time virus scanner component of Norton Anti-Virus Corporate Edition	No
AirLive WL1600USB Wireless Lan Utility	U	RtWLan.exe	Air Live WL1600USB Wireless USB Adapter configuration utility (based upon a Realtek chipset)	No
AirLive WL-1700USB Wireless Lan Utility	U	RtWLan.exe	Air Live WL-1700USB Long Distance Wireless USB Adapter configuration utility (based upon a Realtek chipset)	No
AirLive WL-5480USB WLAN USB Utility	U	RtWLan.exe	Air Live WL-5480USB Wireless USB Adapter configuration utility (based upon a Realtek chipset)	No
Micronet SP907GK Wireless Network Utility	U	RtWLan.exe	Micronet SP907GK Wireless LAN USB Adapter configuration utility (based upon a Realtek chipset)	No
Micronet Wireless Network Utility	U	RtWLan.exe	Micronet wireless network configuration utility (based upon a Realtek chipset)	No
TP-LINK Wireless Utility	U	RtWLan.exe	TP-LINK Wireless configuration utility (based upon a Realtek chipset)	No
REALTEK RTL8185 Wireless LAN Utility	U	RtWLan.exe	wireless LAN configuration utility for Realtek RTL8185 chipsets built in to some computers	No
REALTEK RTL8187 Wireless LAN Utility	U	RtWLan.exe	wireless LAN configuration utility for Realtek RTL8187 chipsets built in to some computers	No
REALTEK RTL8187SE Wireless LAN Utility	U	RtWLan.exe	wireless LAN configuration utility for Realtek RTL8187SE chipsets built in to some computers	No
AWUS036H Wireless LAN Utility	U	RtWLan.exe	Alfa AWUS036H Wireless LAN USB adapter configuration utility (based upon a Realtek chipset)	No
Edimax 11n USB Wireless LAN Utility	U	RtWLan.exe	Edimax Wireless USB Adapter configuration utility (based upon a Realtek chipset)	No
RtWLan	U	RtWLan.exe	Netgear WG111 54 Mbps Wireless-G USB Adapter configuration utility (based upon a Realtek chipset)	No
Quicktlme	X	ru.exe	QuickPage - Switch dialer and hijacker variant, see here. Also detected by Sophos as Dial/Switch-A	No
RubeL	X	RubeL.exe	Detected by Sophos as Troj/Ruby-B	No
LIU	N	RUBICON.EXE	Logitech Internet Update. Used to update drivers/software for Logitech's Wingman, QuickCam, etc devices. Reports claim it doesn't work very well and you can manually update the files anyway	No
rubotodezru	X	rubotodezru.exe	Detected by McAfee as RDN/Generic.hra!ca and by Malwarebytes as Trojan.Agent.US	No
Ruby13	X	Ruby13.exe	Detected by Symantec as W32.Mexer.E@mm	No
Ruby14	X	RUBY14.EXE	Detected by Sophos as W32/Fightrub-A	No
rubymeafarca	X	rubymeafarca.exe	Detected by Malwarebytes as Trojan.Agent.US. The file is located in %UserProfile%	No
rudaranbiru	X	rudaranbiru.exe	Detected by McAfee as RDN/Generic Dropper!va and by Malwarebytes as Trojan.Agent.US	No
Showme	X	Ruden.vbs	Detected by Sophos as WM97/Handle-A	No
69rp	X	ruhxqzap.exe	Detected by Malwarebytes as Trojan.Backdoor.BHI. The file is located in %System%	No
RuLaunch	U	RuLaunch.exe	Instant Updater for McAfee's VirusScan, Internet Security, Quick Clean, Uninstaller and Firewall products. In the case of VirusScan leave it enabled unless you update manually on a regular basis	No
McAfee.InstantUpdate.Monitor	U	RuLaunch.exe	Instant Updater for McAfee's VirusScan, Internet Security, Quick Clean, Uninstaller and Firewall products. In the case of VirusScan leave it enabled unless you update manually on a regular basis	No
IniciarProgramas	X	run.bat	Detected by McAfee as RDN/Sdbot.bfr and by Malwarebytes as Trojan.Server	No
Windows applicaton	X	Run.exe	Detected by Dr.Web as Trojan.DownLoader6.24602 and by Malwarebytes as Trojan.Agent	No
COC	U	run.exe	GIGABYTE Cloud OC 'is an entirely new application that allows you to overclock your system via LAN, wireless LAN or Bluetooth with any Internet browser capable device'	No
svchost	X	run.exe	Detected by Dr.Web as Trojan.Inject1.20907 and by Malwarebytes as Trojan.Agent	No
cfhack	X	run.exe	Detected by McAfee as RDN/Generic.bfr!ft and by Malwarebytes as Trojan.Agent.CFH	No
repacks	X	run.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %UserTemp%repack	No
runs	X	run.exe	Detected by Sophos as W32/Rbot-BWF	No
run.exe	X	run.exe	Detected by Malwarebytes as Backdoor.Agent.RNGen. The file is located in %Temp% - see here	No
Google Update	X	run.exe	Detected by Malwarebytes as Trojan.BitCoinMiner.E. The file is located in %Root%Programfles	No
Windows	X	run.exe	Detected by Symantec as W32.Spybot.OFN	No
ICOOL	U	run.exe	GIGABYTE i-Cool utility allows users to reduce heat generated by CPU through reducing the CPU clock speed and enabling CPU fan to run slower and quieter'	No
scvhost	X	run.exe	Detected by Malwarebytes as Backdoor.SpyRat. The file is located in %UserTemp%cp32	No
SDBOK	U	run.exe	Part of the GIGABYTE Smart 6 utilities suite. 'Smart DualBIOS not only allows double protection for the motherboard with two physical BIOS ROMs, it also includes a new feature that can record important passwords and dates'	No
sc	U	run.exe	All-In-One_SPY stealth monitoring software - allows monitoring and recording of all actions performed on a computer. It records all keystrokes, remembers addresses of Internet pages visited, and maintains a log file listing all applicationsrun on the computer. It can create screenshots and record sounds from the computer's microphone to a sound file	No
ADOBE	X	Run.exe	Detected by McAfee as RDN/Generic BackDoor and by Malwarebytes as Trojan.Agent.ADBE	No
GEST	U	run.exe	Dynamic energy management utility installed with GIGABYTE motherboards	No
360	X	run.vbs	Detected by McAfee as Generic.dx!bbpb	No
cg	U	run.vbs	Detected by Malwarebytes as PUP.BitCoinMiner and associated with Bitcoin. Note - this entry loads from the Windows Startup folder and the file is located in %AppData%cg. Remove unless you installed it yourself	No
RUN32	X	run32 .exe	Detected by McAfee as Generic.bfr	No
run32	X	run32.exe	Detected by Malwarebytes as Worm.AutoIT. The file is located in %AppData%	No
RUN32	X	Run32.exe	Detected by Kaspersky as Trojan.Win32.Scar.cnvw and by Malwarebytes as Worm.AutoIT. The file is located in %ProgramFiles%	No
Run32.dll	X	Run32.exe	Detected by Sophos as Troj/VB-FLO and by Malwarebytes as Trojan.Agent.ST	No
run32.exe	X	run32.exe	Detected by Malwarebytes as Backdoor.Agent. The file is located in %Temp%	No
Windows Executable	X	run32.exe	Detected by Malwarebytes as Backdoor.Agent. The file is located in %System%	No
system	X	run32.exe	Detected by Malwarebytes as Trojan.AutoIt. The file is located in %Temp%	No
RunDll	X	run32.exe	Detected by Dr.Web as Trojan.DownLoader5.29969 and by Malwarebytes as Backdoor.Messa	No
System	X	run322.exe	Detected by Symantec as Backdoor.Lanfilt	No
Microsoft Office Starter	X	run32925.exe	Detected by McAfee as RDN/Generic.tfr!eg and by Malwarebytes as Trojan.Agent.OFC	No
Microsoft	X	run32dil.exe	Detected by Malwarebytes as Trojan.Agent.E.Generic. The file is located in %AppData%JAVA - see here	No
klp	U	run32dll.exe	PAL PC Spy - key recorder and screen capture utility which controls and monitors everything that happens on your pc and online	No
run32	X	run32dll.exe	Detected by Sophos as W32/Sdbot-CWB and by Malwarebytes as Worm.AutoIT	No
run32dll	X	run32dll.exe	Detected by Dr.Web as Trojan.DownLoader10.26893 and by Malwarebytes as Trojan.Agent. The file is located in %AppData%	No
run32dll	X	run32dll.exe	Detected by McAfee as RDN/Generic BackDoor!vl and by Malwarebytes as Backdoor.Agent.DCEGen. The file is located in %System%MSDCSCF6Rn0VQ9mhpn	No
run32dll	X	run32dll.exe	Detected by McAfee as RDN/Generic Dropper!tu and by Malwarebytes as Backdoor.Agent.RDL. The file is located in %Temp%JAVA	No
run32dll.exe	X	run32dll.exe	Detected by McAfee as Generic.bfr!eb and by Malwarebytes as Trojan.Agent	No
WindowsComponent	X	Run32dll.exe	Detected by McAfee as RDN/Generic.bfr!he and by Malwarebytes as Backdoor.Agent.E	No
winstro	X	RUN32DLL.exe	Detected by Symantec as Backdoor.FTP_Ana	No
Run32	X	run33.exe	Detected by Sophos as Troj/StartPa-BT and by Malwarebytes as Worm.AutoIT	No
adsmini	X	runadsmini.exe	Detected by Dr.Web as Trojan.DownLoader7.20916 and by Malwarebytes as Trojan.DownLoader.Gen	No
Introduction-Registration	N	RUNALL.EXE	For Compaq PC's. Should only run on first use for PC Introduction and Compaq registration	No
runAP.exe	N	runAP.exe	Not required but what is it?	No
runAPI68	X	runAPI35.exe	Detected by Dr.Web as Trojan.Inject.57495 and by Malwarebytes as Backdoor.Agent	No
runAPI78	X	runAPI47.exe	Detected by Sophos as Troj/Mdrop-DRE and by Malwarebytes as Backdoor.Agent	No
runAPI82	X	runAPI57.exe	Detected by McAfee as RDN/Generic BackDoor!uz and by Malwarebytes as Backdoor.Agent	No
runAPI83	X	runAPI68.exe	Detected by McAfee as Generic.bfr!ei and by Malwarebytes as Backdoor.Agent	No
runAPI35	X	runAPI82.exe	Detected by Sophos as Mal/MsilDyn-C and by Malwarebytes as Backdoor.Agent	No
runAPI35	X	runAPI92.exe	Detected by Dr.Web as Trojan.Siggen3.5133 and by Malwarebytes as Backdoor.Agent	No
Microsoft Dll	X	runapidll.exe	Detected by Sophos as W32/Rbot-GRG	No
Runapp32	X	Runapp32.exe	Detected by Symantec as Backdoor.Neodurk	No
jyoryOu1u3CDhOVgYarH	X	runas.exe	Detected by Malwarebytes as Trojan.Ransom.IS. The file is located in %AppData%AdobeFlash PlayerAssetCache	No
WinPersistence	X	runas.exe	Detected by McAfee as Downloader.a!yz and by Malwarebytes as Trojan.Agent	No
SystemRun	X	runas.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %Windir% - see here	No
BackupSoft	U	RunBackupSoft.exe	Backup software by Dura Micro, Inc for Toshiba (and possibly others) external hard drives	No
TrustedAntivirus	X	runbst.exe	TrustedAntivirus rogue security software - not recommended. A member of the AVSystemCare family	No
AlfaAntivirus	X	runbst.exe	Detected by Malwarebytes as Rogue.AlfaAntiVirus. The file is located in %ProgramFiles%AlfaAntivirus	No
atf.exe	X	runbst.exe	Part of the TrustedAntivirus rogue security software - not recommended. A member of the AVSystemCare family	No
Taskbell.exe	X	Rund1.exe	Detected by Symantec as Trojan.Yipid	No
Rund11	X	Rund11.EXE	Detected by Sophos as W32/Mario-C. Notice the digit '1' used in both the startup entry and filename, rather than a lower case 'L'	No
Avptask	X	rund1132.exe	Detected by Trend Micro as TROJ_AGENT.PKZ	No
Ravshell	X	rund1132.exe	Detected by Trend Micro as TROJ_AGENT.OKZ	No
ravtask	X	rund1132.exe	Detected by Trend Micro as TROJ_DLOADER.IYT	No
rund1132	X	rund1132.exe	Detected by Sophos as W32/Dopbot-A and by Malwarebytes as Virus.Sality	No
Rund1132.exe	X	Rund1132.exe	Detected by Sophos as Troj/StartPa-HS and by Malwarebytes as Virus.Sality	No
sys001	X	rund1132.exe	Detected by Sophos as Troj/Small-DLD	No
Tencent QQ	X	Rund1132.exe qq.dll,Rundll32	Detected by Symantec as Trojan.PWS.QQPass.F	No
Remote Registry Service	X	rundat.exe	Detected by Dr.Web as BackDoor.IRC.Sdbot.18633 and by Malwarebytes as Backdoor.IRCBot.RSGen	No
runddlfile	X	runddl.exe	Detected by Trend Micro as TROJ_DELF.D	No
Local Service	X	runddl32.exe	Detected by Trend Micro as WORM_RBOT.ACJ and by Malwarebytes as Backdoor.Agent	No
SysDeskqqfx	X	Runddll32.exe	Detected by Symantec as Infostealer.Changgame and by Malwarebytes as Backdoor.Agent.SD	No
Rundll32	X	RUNDDLL32.EXE	Detected by Malwarebytes as Trojan.Downloader. The file is located in %System%	No
Windows AutomaticUpdater	X	runddls.exe	Added by a variant of Backdoor:Win32/Rbot. The file is located in %System%	No
Windows Explorer	X	RundII.exe	Detected by Trend Micro as WORM_WOOTBOT.BX	No
filename process	X	Rundil16.exe	Detected by Symantec as W32.Gaobot.ZX	No
ctfnom	X	rundIl32.exe	Detected by Sophos as Troj/LegMir-AW and by Malwarebytes as Backdoor.Agent. Note that the letter after the 'd' in the filename is an upper case 'i'	No
LoadPowerProfile	X	rundl.exe	Detected by Symantec as W32.Tofazzol. Not to be confused with the valid LoadPowerProfile entry where the command is Rundll32.exe powrprof.dll	No
RUN DLL	X	rundl1.exe	Detected by McAfee as Downloader-MX and by Malwarebytes as Trojan.Downloader.MH	No
PowerPrifile	X	rundl132 [path] kernel.dll,PowerProfileEnable	Detected by Symantec as W32.Inmota.Worm	No
ryy	X	rundl132.exe	Detected by Sophos as Troj/PWS-ANA and by Malwarebytes as Worm.Viking	No
load	X	rundl132.exe	Detected by Sophos as W32/Looked-CK	No
[random]	X	rundl13a.exe	Detected by Sophos as Troj/Gampass-L	No
NvCpl	X	rundl32.exe	Detected by Sophos as W32/Agobot-TO. Note - the valid version of this entry has the command line as 'rundll32.exe NvCpl.dll,NvStartup'	No
run32	X	rundl32.exe	Detected by Dr.Web as Trojan.Click2.53699 and by Malwarebytes as Worm.AutoIT	No
Windows Live	X	rundl32.exe	Detected by McAfee as RDN/Generic.bfr!he and by Malwarebytes as Backdoor.Agent.WL	No
RUNDLL32	X	rundl32.exe	Detected by Sophos as W32/Demotry-A	No
rundl35.exe	X	rundl35.exe	Detected by Malwarebytes as Trojan.Downloader.RDL.Generic. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
startwindowskeyuser	X	rundle2.exe	Detected by Symantec as W32.JavaKiller.Trojan	No
rundle32.exe	X	rundle32.exe	Detected by Malwarebytes as Trojan.Downloader.RDL.Generic. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
LTM2	X	RundlI.exe	Detected by Trend Micro as TROJ_MULTIDRP.BG and by Malwarebytes as Backdoor.Litmus	No
Windows TM	X	rundlI32.exe	Detected by Microsoft as Backdoor:Win32/Rbot.EL	No
rundli32	X	rundli32.exe	Detected by Symantec as W32.Lade	No
Windows Network Controller	X	rundlI32.exe	Detected by Trend Micro as WORM_SPYBOT.AIX and by Malwarebytes as Backdoor.Bot. Note the upper case 'i' after the lower case 'L' in the filename	No
rundll 32	X	rundll 32.exe	Detected by Malwarebytes as Trojan.Agent.E. The file is located in %AppData%	No
Captcha7	X	rundll captcha.dll	Detected by Trend Micro as TROJ_TINY.WRE	No
Taskbar Display Controls	N	RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY	Only appears in MSCONFIG if you have a Display Settings icon in the System Tray allowing resolution changes on the fly. Can also be disabled under Control Panel → Display → Settings → Advanced → General. Also appears if you have Win95 with the QuickRes 'Powertoy' installed	No
DNE Binding Watchdog	Y	rundll dnes.dll,DnDneCheckBindings	Deterministic NDIS Extender (DNE) is an NDIS-compliant module which appears to be a network device driver to all protocol stacks and a protocol driver to all network device drivers. Part of Gilat Communications internet satellite systems. Required if you have this system. Also installed by Winproxy - a proxy program for sharing internet connections through one computer. Required if you want it to work	No
DNE DUN Watchdog	Y	rundll dnes.dll,DnDneCheckDUN13	Deterministic NDIS Extender (DNE) is an NDIS-compliant module which appears to be a network device driver to all protocol stacks and a protocol driver to all network device drivers. Part of Gilat Communications internet satellite systems. Required if you have this system. Also installed by Winproxy - a proxy program for sharing internet connections through one computer. Required if you want it to work	No
Hotfix-KB5504305	X	rundll##.exe	Detected by Malwarebytes as Trojan.Agent - where # represents a digit. The file is located in %System% - see examples here and here	No
IE Per-User Initialization utility	X	rundll.exe	Detected by Dr.Web as Trojan.DownLoader10.28761 and by Malwarebytes as Backdoor.Agent.Gen. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %LocalAppData%	No
@	X	RUNDLL.EXE	Detected by Sophos as W32/Spybot-DN. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%	No
RundllSvr	X	Rundll.exe	Detected by Symantec as W32.Huayu. Note - this is NOT the WinMe/9x system file of the same name as described here	No
Google Chrome	X	rundll.exe	Detected by Malwarebytes as Spyware.Password.MSIL. Note - this is not a legitimate Google Chrome browser entry and the file is not the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %UserTemp%	No
(Default)	X	rundll.exe	Detected by Dr.Web as Win32.HLLW.Autoruner2.5761 and by Malwarebytes as PUP.HackTool.ACGen. Note - this entry actually changes the value data of the '(Default)' key in HKCURun in order to force Windows to launch it at boot. The name field in MSConfig may be blank and the file is located in %Temp%. If bundled with another installer or not installed by choice then remove it	No
myur	X	rundll.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %Temp%	No
run	X	rundll.exe	Detected by Malwarebytes as Trojan.Agent.E. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'run' value data to include the file 'rundll.exe' (which is located in %Root%Fsize)	No
wingl	X	rundll.exe	Detected by Malwarebytes as Backdoor.Agent.E. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%Winlg32	No
HKLM	X	Rundll.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. The file is located in %Windir%Win32	No
MSTray	X	rundll.exe	Detected by Sophos as Troj/Bamer-C. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%	No
Skype	X	rundll.exe	Detected by Malwarebytes as Backdoor.SpyNet. The file is located in %System%AppsWindows	No
SystemVolume	X	rundll.exe	Detected by Malwarebytes as Trojan.Agent.E. The file is located in %Root%Fsize	No
Microsoft Service	X	rundll.exe	Detected by Sophos as W32/Popo-A and by Malwarebytes as Backdoor.Rbot. Note - this is not the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%	No
Windows Upate	X	rundll.exe	Detected by Symantec as Trojan.Hako. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here	No
Windows Config	X	RUNDLL.EXE	Detected by Sophos as W32/Spybot-DX. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%	No
HKCU	X	Rundll.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. The file is located in %Windir%Win32	No
Windows32	X	rundll.exe	Detected by Sophos as W32/Agobot-LK and by Malwarebytes as Backdoor.Messa. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%	No
RegistryConfig	X	rundll.exe	Detected by Sophos as W32/Agobot-KN. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%	No
Policies	X	Rundll.exe	Detected by Malwarebytes as Backdoor.Agent.PGen. The file is located in %Windir%Win32	No
recover.bmp.exe	X	Rundll.exe	Detected by Sophos as Troj/AnaFTP-01. Note - this is NOT the WinMe/9x system file of the same name as described here	No
load	X	rundll.exe	Detected by Dr.Web as Trojan.DownLoader10.28761. Note - this entry modifies the legitimate HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows 'load' value data to include the file 'rundll.exe' (which is located in %LocalAppData% and is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here)	No
rundll	X	rundll.exe	Detected by McAfee as RDN/Generic.bfr and by Malwarebytes as Trojan.Agent. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %Root%$AVG	No
RunDll	X	RunDll.exe	Detected by Sophos as Troj/QQPass-AH and by Malwarebytes as Trojan.Agent. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%	No
RunDLL Kernel File Core	X	rundll.exe	Added by a variant of Backdoor:Win32/Rbot. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%Com	No
rundll.exe	X	rundll.exe	Detected by McAfee as RDN/Generic.bfr and by Malwarebytes as Backdoor.Agent.E. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %LocalAppData%	No
winapp	X	rundll.exe	Detected by Malwarebytes as Backdoor.Agent.E. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %AppData%Resources	No
WindowsStore	X	rundll.exe	Detected by Malwarebytes as Backdoor.SpyNet. The file is located in %System%AppsWindows	No
Microsoft	X	rundll.exe	Detected by Sophos as W32/Rbot-GSJ and by Malwarebytes as Trojan.Agent.MSGen. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%	No
Windows Firevall Control C	X	rundll.exe	Detected by Microsoft as Backdoor:Win32/Gaertob.A and by Malwarebytes as Trojan.Agent. Note - this is NOT the WinMe/9x system file of the same name as described here	No
Windows Firevall Control Center	X	rundll.exe	Detected by Trend Micro as WORM_BUZUS.BBU and by Malwarebytes as Trojan.Agent. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%	No
Genuie	X	rundll.exe	Detected by Malwarebytes as Trojan.Agent.GNE. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%	No
Win32 USB Driver	X	rundll.exe	Detected by Sophos as W32/Forbot-BN. Note - this is NOT the WinMe/9x system file of the same name which is located in %Windir% as described here. This one is located in %System%	No
WEBCHECK	X	Rundll.exe	Detected by McAfee as RDN/Generic.dx and by Malwarebytes as Backdoor.Agent.AND	No
LoadPowerProfile	X	Rundll.exe powerprof.dll	Detected by Symantec as Backdoor.LoxoScam. Note - do not confuse with the valid LoadPowerProfile entry! Note that the infected version uses 'Rundll.exe' whereas the uninfected version uses 'Rundll32.exe'	No
AAACLEAN	?	rundll.exe setupx.dll,InstallHinfSection [path] AAACLEAN.INF	The 'AAACLEAN.INF' file is located in %Windir%INF	No
clnwall	?	rundll.exe setupx.dll,InstallHinfSection [path] delwall.inf	The 'delwall.inf' file is located in %Windir%inf	No
AAAKeyboard	?	rundll.exe setupx.dll,InstallHinfSection [path] KBDCLEAN.INF	The 'KBDCLEAN.INF' file is located in %Windir%INF	No
LLMODCL2	?	rundll.exe setupx.dll,InstallHinfSection [path] LLMODCL2.INF	The 'LLMODCL2.INF' file is located in %Windir%INF	No
LLMODCL3	?	rundll.exe setupx.dll,InstallHinfSection [path] LLMODCL2.INF	The 'LLMODCL2.INF' file is located in %Windir%INF	No
ZIBMACC	U	rundll.exe setupx.dll,InstallHinfSection [path] ZIBMACC.INF	ZIBMACC.INF is an IBM file that is only loaded and installed under a recovery operation. The file is a support file for IBM access to the system if needed. You may delete this file. This is as from IBM Technical Support (USA - 800-887-7435)	No
Sound	X	rundll1.exe	Detected by Dr.Web as Trojan.DownLoader8.12938 and by Malwarebytes as Trojan.Agent	No
Windows Running DLL Service	X	rundll128.exe	Added by a variant of W32.IRCBot. The file is located in %System%	No
Regro	X	rundll132.exe	Detected by Symantec as Infostealer.Okarag	No
Win32 USB2.0 Driver	X	rundll16.exe	Detected by Trend Micro as WORM_WOOTBOT.H and by Malwarebytes as Backdoor.Bot	No
svchost	X	rundll16.exe	Detected by Sophos as Troj/StartPa-PB and by Malwarebytes as Backdoor.Bot.E	No
Windows DLL Loader	X	RUNDLL16.EXE	Detected by Trend Micro as BKDR_DOMWIS.A and by Malwarebytes as Trojan.Downloader	No
SYSTEM	X	RUNDLL16.exe	Detected by Sophos as Troj/Delf-EW	No
RDLL	X	RunDll16.exe	Detected by Symantec as Backdoor.Sdbot.F	No
Rundll16	X	Rundll16.exe	Added by multiple malware. The file is located in %Windir%	No
rundll32	X	rundll16.exe	Detected by McAfee as Generic BackDoor and by Malwarebytes as Backdoor.Agent.RDL	No
ttool	X	rundll22.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %Windir%	No
Microsoft Update Module	X	rundll24.exe	Detected by Sophos as W32/Rbot-PS and by Malwarebytes as Backdoor.Bot	No
Host-process Windows (Rundll3.exe)	X	rundll3.exe	Detected by Avira as TR.Crypt.XPACK.lybuk and by Malwarebytes as Trojan.Agent.SF	No
rundll32	X	rundll32	Detected by Malwarebytes as Trojan.Backdoor. The file is located in %System%	No
rundll32	X	rundll32 .exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %AppData% - see here	No
rundll32	X	rundll32 .exe	Detected by Sophos as W32/Ainslot-Q and by Malwarebytes as Trojan.Agent. The file is located in %UserTemp%	No
AME_CSA	N	rundll32 amecsa.cpl,RUN_DLL	Loads ADSL modem Control Panel applet	No
Arucer	X	rundll32 Arucer.dll,Arucer	Provides support for the Energizer UsbCharger (Energizer UsbCharger.exe) utility that detects and shows the charging status for the Energizer® Duo USB/mains battery charger. Note - it appears that the product has now been withdrawn from the Energizer product line-up after it was discovered that this file contains the ARUGIZER TROJAN	No
Arucer Dynamic Link Library	X	rundll32 Arucer.dll,Arucer	Provides support for the Energizer UsbCharger (Energizer UsbCharger.exe) utility that detects and shows the charging status for the Energizer® Duo USB/mains battery charger. Note - it appears that the product has now been withdrawn from the Energizer product line-up after it was discovered that this file contains the ARUGIZER TROJAN	No
AudCtrl	?	RunDll32 AudCtrl.dll,RCMonitor	Audio control panel? The 'AudCtrl.dll' file is located in %System%	No
AUNPS2	X	RUNDLL32 AUNPS2.dll,_Run@16	AUNPS adware	No
AxFilter	?	Rundll32 AXFILTER.dll,Rundll32	The 'AXFILTER.dll' file is located in %System%	No
C6501Sound	N	RunDll32 c6501.cpl,CMICtrlWnd	System tray control panel for C-Media CM6501 based soundcards - often included on popular motherboards with in-built audio	No
Cmaudio	N	Rundll32 cmicnfg.cpl,CMICtrlWnd	System Tray control panel for C-Media based soundcards - often included on popular motherboards with in-built audio	No
Rundll32 cmicnfg	N	Rundll32 cmicnfg.cpl,CMICtrlWnd	System Tray control panel for C-Media based soundcards - often included on popular motherboards with in-built audio	No
CmPCIaudio	N	RunDll32 CMICNFG3.CPL,CMICtrlWnd	System Tray control panel for C-Media based PCI soundcards	No
gfxtray	X	rundll32 ctccw32.dll,findwnd	Detected by Kaspersky as Backdoor.Win32.Agent.aou. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ctccw32.dll' is located in %System%	No
MBMon	U	Rundll32 CTMBHA.DLL,MBMon	Creative Filter AudioControlMB Module - installed with the Creative Audigy line of sound cards and processors. Can be disabled without causing a problem	No
SoundFusion	?	RunDll32 cwaprops.cpl,CrystalControlWnd	Control Panel entry for a Terratec soundcard based upon a Cirrus Logic 'SoundFusion' DSP. Does it need to run at start-up every time?	No
SoundFusion	?	rundll32 cwcprops.cpl,CrystalControlWnd	Control Panel entry for the Terratec DMX Xfire 1024 soundcard based upon a Cirrus Logic 'SoundFusion' DSP. Does it need to run at start-up every time?	No
autoupdate	X	rundll32 DATADX.DLL,SHStart	Added by a variant of Adware:Win32/Qoologic. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'DATADX.DLL' file is located in %System%	No
RunDll32 essprops	Y	RunDll32 essprops.cpl,TaskbarIconWnd	Associated with a audio drivers from ESS Technology	No
GsiFinal	?	rundll32 gspndll.dll,postInstall final	USB DSL modem related. What does it do and is it required?	No
Bluetooth HCI Monitor	?	RunDll32 HCIMNTR.DLL,RunCheckHCIMode	Related to the Bluetooth short-range wireless communications technology. What does it do and is it required?	No
SoundFusion	?	rundll32 hercplgs.cpl,BootEntryPoint	Control Panel entry for Hercules Fortissimo soundcards based upon a Cirrus Logic 'SoundFusion' DSP. Does it need to run at start-up every time?	No
xkstartup	?	RunDll32 InstZ82.dll,SetUsbPrinterPort	On a system with a Lexmark printer	No
ControlPanel	X	rundll32 internat.dll,LoadKeyboardProfile	CoolWebSearch parasite variant	No
jx_Key	U	Rundll32 JXKey.dll,Rundll32Main	Boolospy keystroke logger/monitoring program - remove unless you installed it yourself!	No
kernctl32	X	rundll32 kctl32.dll,initialize	Added by the AGENT.AT TROJAN!	No
WinXPLoad	U	Rundll32 LoadDll, LoadExe WinXPLoad.exe	Compaq hotkey related - required if you use the hotkeys	No
MMhid	U	rundll32 mmhid.dll,StartMmHid	Human Interface Device Server for Win98 which is required only if you are using USB Audio Devices you can disable via Msconfig. Typical examples are USB multimedia keyboards with volume control and web-ready keyboards. For example - loaded by default with MS DSS80 Speakers because they have Volume, Mute and Bass controls on the speaker. Some users may experience problems disabling this - if this is the case then re-enable it. Equivalent to Hidserv in XP/Me/2K/98SE	No
NVCLOCK	?	rundll32 nvclock.dll,fnNvclock	Overclocking utility for NVIDIA based graphics cards?	No
offsettings.DLL	?	RunDLL32 offsettings.DLL,DriveMap	Part of Starfield Technologies Workspace Desktop (owned by GoDaddy). 'The tool promotes its use as an extension of the GoDaddy web interface, allowing users added functionality, such as drag-and-dropping media files into their GoDaddy web based email client, desktop notification, and others'	No
P17Helper	U	Rundll32 P17.dll,P17Helper	ASIO (Audio Stream In/Out) drivers for the SoundBlaster Audigy 2 series soundcards - for recording and home project studios. Required if you use this functionality	No
RSS	X	rundll32 RSSToolbar.dll,DllRunMain	'Related Sites' toolbar - SearchAndClick hijacker variant	No
SbUsb AudCtrl	U	RunDll32 sbusbdll.dll,RCMonitor	Control for Soundblaster MP3 external (USB) sound card	No
SysPnP	X	rundll32 setupapi, InstallHinfSection [varies] oemsyspnp.inf	CoolWebSearch PnP parasite variant	No
keymgrldr	X	rundll32 setupapi, InstallHinfSection.. keymgr3.inf	CoolWebSearch Oemsyspnp parasite variant	No
SOProc_RegSoAlertWxLiteNnAj	X	rundll32 shell32.dll,ShellExec_RunDLL [path] soproc.exe	SoftwareOnline Intelligent Downloader - 'Bundle engine to enable download of end user approved third party applications and reporting of installs for billing purposes only'. Said to monitor user's browsing habits and display pop-up ads	No
P17Helper	?	Rundll32 SPIRun.dll,RunDLLEntry	Related to Creative audio products. What does it do and is it required?	No
SPIRun	?	Rundll32 SPIRun.dll,RunDLLEntry	Related to Creative audio products. What does it do and is it required?	No
SRFirstRun	?	rundll32 srclient.dll,CreateFirstRunRp	Created by execution of the Windows XP sr.inf file, which installs the Windows XP System Restore feature, needed for example when installing System Restore into Windows Server 2003. Does this indeed need to run at every bootup?	No
autoupdate	X	rundll32 SUPDATE.DLL,SHStart	Added by a variant of Adware:Win32/Qoologic. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'SUPDATE.DLL' file is located in %System%	No
Tweak UI	X	RunDLL32 tweakUI.dll,TWEAKUI /tweakmeup	Detected by Symantec as Backdoor.Subwoofer. Note - the real Tweak UI entry for this is 'rundll32.exe tweakui.cpl,tweakmeup'. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
sp	X	rundll32 [path to DLL],DllInstall	Detected by Sophos as Troj/Ablank-W and Troj/Ablank-Z	No
actx16gt	X	rundll32 [path to trojan]	Detected by Malwarebytes as Trojan.Inject. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
InboxAce	U	rundll32 [path] 1gbar.dll	InboxAce toolbar - powered by the Ask Partner Network toolbars by IAC Applications (was Mindspark). Detected by Malwarebytes as PUP.Optional.MindSpark. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '1gbar.dll' file is located in %ProgramFiles%InboxAce_1gbar.bin - where represents a number or letter. If bundled with another installer or not installed by choice then remove it.	No
SmileyCentral	U	rundll32 [path] 1vbar.dll	Smiley Central toolbar (now replaced by Motitags) - powered by the Ask Partner Network toolbars by IAC Applications (was Mindspark). Detected by Malwarebytes as PUP.Optional.MindSpark. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '1vbar.dll' file is located in %ProgramFiles%SmileyCentral_1vbar.bin - where represents a number or letter. If bundled with another installer or not installed by choice then remove it.	No
PackageTracer	U	rundll32 [path] 69bar.dll	PackageTracer toolbar - powered by the Ask Partner Network toolbars by IAC Applications (was Mindspark). Detected by Malwarebytes as PUP.Optional.MindSpark. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '69bar.dll' file is located in %ProgramFiles%PackageTracer_69bar.bin - where represents a number or letter. If bundled with another installer or not installed by choice then remove it.	No
PhenomenaTracker	U	rundll32 [path] 76bar.dll	PhenomenaTracker toolbar (now retired) - powered by the Ask Partner Network toolbars by IAC Applications (was Mindspark). Detected by Malwarebytes as PUP.Optional.MindSpark. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '76bar.dll' file is located in %ProgramFiles%PhenomenaTracker_76bar.bin - where represents a number or letter. If bundled with another installer or not installed by choice then remove it.	No
9d3b	X	rundll32 [path] 9d3b.dll	Detected by Quick Heal as TrojanDropper.Agent.zac. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '9d3b.dll' is located in %Windir%Downloaded Program Files	No
API-GSVC	X	rundll32 [path] adprtext.dll,DllRegisterServer	Detected by Malwarebytes as Trojan.Agent.E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'adprtext.dll' file is located in %AppData%cmdisvc6 - see here	No
anshgey	X	rundll32 [path] anshgey.dll	Detected by Sophos as Troj/Symmi-H and by Malwarebytes as Trojan.Agent.PRX. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'anshgey.dll' file is located in %LocalAppData%	No
awxDTools	U	rundll32 [path] awxDTools.dll,awxRegisterDll	Windows shell extension for Daemon Tools which extends the context-menu of supported image files (i.e.: .cue, .iso, *.ccd ..)	No
BrowseIgnite	U	rundll32 [path] biapp.dll	'Browse Ignite is a free browser plug-in that connects you with more information so you can dive into ideas you see while browsing the internet.' Detected by Malwarebytes as PUP.Optional.BrowseIgnite. The 'biapp.dll' file is located in %CommonFiles%System1044. If bundled with another installer or not installed by choice then remove it	No
Identities	X	rundll32 [path] btmbnzxtq.dll	Detected by Dr.Web as Trojan.AVKill.31004. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'btmbnzxtq.dll' file is located in %LocalAppData%VMwareIdentities	No
mscfs	U	RUNDLL32 [path] cfsys.dll,cfs	AllSum adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'cfsys.dll' file is located in %System%msibm	No
accw0866	X	rundll32 [path] cmdl_950.dll,DllRegisterServer	Detected by Malwarebytes as Trojan.Ursnif. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'cmdl_950.dll' file is located in %System%	No
babeie	X	rundll32 [path] CNBabe.dll,DllStartup	CommonName/Toolbar search hijacker - see the archived version of Andrew Clover's page. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'CNBabe.dll' file is located in %ProgramFiles%CommonNameToolbar	No
MultiCore	X	Rundll32 [path] core.dll,DllStartUP	Detected by Malwarebytes as RiskWare.Agent.E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'core.dll' file is located in %AppData%BCNXMR - see here	No
DirectX 11	X	rundll32 [path] d3dx11_31.dll,includes_func_runnded	Detected by Malwarebytes as Trojan.Agent.E.Generic. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'd3dx11_31.dll' file is located in %UserTemp%	No
exe2stub	X	rundll32 [path] ddesexnt.dll	Detected by Malwarebytes as Backdoor.Papras. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ddesexnt.dll' file is located in %System%	No
expastub	X	rundll32 [path] debuexnt.dll	Detected by Malwarebytes as Backdoor.Papras. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'debuexnt.dll' file is located in %System%	No
expagent	X	rundll32 [path] debumsg.dll	Detected by Malwarebytes as Trojan.Agent.NR. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'debumsg.dll' file is located in %System%	No
expaator	X	rundll32 [path] debusdtc.dll	Detected by Malwarebytes as Backdoor.Papras. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'debusdtc.dll' file is located in %System%	No
expadctr	X	rundll32 [path] debusync.dll	Detected by Malwarebytes as Backdoor.Papras. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'debusync.dll' file is located in %System%	No
DLBTCATS	Y	rundll32 [path] DLBTtime.dll,_RunDLLEntry@16	Resolves a timing problem where a Dell service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
DLBUCATS	Y	rundll32 [path] DLBUtime.dll,_RunDLLEntry@16	Resolves a timing problem where a Dell service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
DLBXCATS	Y	rundll32 [path] DLBXtime.dll,_RunDLLEntry@16	Resolves a timing problem where a Dell service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
DLCCCATS	Y	rundll32 [path] DLCCtime.dll,_RunDLLEntry@16	Resolves a timing problem where a Dell service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll). If you use the 964 printer, Dell recommends leaving dlcctime.dll in place as it fixes compatibility issues on some Dell systems. If you receive an error message on system startup that reads: 'Error in C:WINDOWSSystem32spooldriversW32x863DLCCtime.dll Missing entry: RunDLLEntry' Dell offers help here	No
DLCDCATS	Y	rundll32 [path] DLCDtime.dll,_RunDLLEntry@16	Resolves a timing problem where a Dell service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
DLCFCATS	Y	rundll32 [path] DLCFtime.dll,_RunDLLEntry@16	Resolves a timing problem where a Dell service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
DLCGCATS	Y	rundll32 [path] DLCGtime.dll,_RunDLLEntry@16	Resolves a timing problem where a Dell service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
DLCICATS	Y	rundll32 [path] DLCItime.dll,_RunDLLEntry@16	Resolves a timing problem where a Dell service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
DLCJCATS	Y	rundll32 [path] DLCJtime.dll,_RunDLLEntry@16	Resolves a timing problem where a Dell service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
DLCQCATS	Y	rundll32 [path] DLCQtime.dll,_RunDLLEntry@16	Resolves a timing problem where a Dell service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
DLCXCATS	Y	rundll32 [path] DLCXtime.dll,_RunDLLEntry@16	Resolves a timing problem where a Dell service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
drvupd	X	rundll32 [path] drvupd.inf	Installs a 'searchforge.com' hijack. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'drvupd.inf' file is located in %Windir%	No
PopularScreensaversWallpaper	X	rundll32 [path] F3SCRCTR.DLL,LES	MyWebSearch parasite - see here. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'F3SCRCTR.DLL' file is located in %ProgramFiles%MyWebSearchbar.bin - where represents a number or letter	No
fgatvmt	X	rundll32 [path] fgatvmt.dll,fgatvmt	Detected by Sophos as Troj/HkMain-CT and by Malwarebytes as Trojan.Rundll.BNT. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'fgatvmt.dll' file is located in %LocalAppData%	No
sta	X	rundll32 [path] fjzkp.dll	Detected by Sophos as Troj/Mdrop-CSP. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'fjzkp.dll' file is located in %System%	No
Adobe	X	rundll32 [path] fnswk.dll	Detected by Sophos as Troj/Mdrop-EZN and by Malwarebytes as Trojan.Tracur.ED. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'fnswk.dll' file is located in %LocalAppData%AdobeAdobe	No
RunDll32	X	RunDll32 [path] GbpSv.dll,EnableLUA	Detected by McAfee as PWS-Banker!gzz and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'GbpSv.dll' file is located in %System%	No
WeatherBlink	U	rundll32 [path] gcbar.dll	WeatherBlink toolbar - powered by the Ask Partner Network toolbars by IAC Applications (was Mindspark). Detected by Malwarebytes as PUP.Optional.MindSpark. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'gcbar.dll' file is located in %ProgramFiles%WeatherBlinkbar.bin - where represents a number or letter. If bundled with another installer or not installed by choice then remove it.	No
gieymum	X	rundll32 [path] gieymum.dll	Detected by Sophos as Troj/HkMain-DA. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'gieymum.dll' file is located in %LocalAppData%	No
Martin Prikryl	X	rundll32 [path] hcckwgrr.dll	Detected by Dr.Web as Trojan.MulDrop4.38009 and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'hcckwgrr.dll' file is located in %LocalAppData%Martin Prikryl	No
kiopulo	X	rundll32 [path] kiopulo.dll,kiopulo	Detected by Dr.Web as Trojan.DownLoader6.45475 and by Malwarebytes as Trojan.Winlogon. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'kiopulo.dll' file is located in %LocalAppData%	No
klierpa	X	rundll32 [path] klierpa.dll	Detected by Malwarebytes as Trojan.Graftor. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'klierpa.dll' file is located in %LocalAppData%	No
kpueraf	X	rundll32 [path] kpueraf.dll	Detected by Dr.Web as Trojan.DownLoader7.591 and by Malwarebytes as Trojan.Symmi. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'kpueraf.dll' file is located in %LocalAppData%	No
lozzide	X	rundll32 [path] lozzide.dll,lozzide	Detected by Dr.Web as Trojan.DownLoader12.16114 and by Malwarebytes as Trojan.Rundll.BNT. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'lozzide.dll' file is located in %LocalAppData%	No
LXBSCATS	Y	rundll32 [path] LXBStime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXBTCATS	Y	rundll32 [path] LXBTtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXBUCATS	Y	rundll32 [path] LXBUtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXBXCATS	Y	rundll32 [path] LXBXtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXBYCATS	Y	rundll32 [path] LXBYtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXCCCATS	Y	rundll32 [path] LXCCtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXCDCATS	Y	rundll32 [path] LXCDtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXCECATS	Y	rundll32 [path] LXCEtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXCFCATS	Y	rundll32 [path] LXCFtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXCGCATS	Y	rundll32 [path] LXCGtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXCICATS	Y	rundll32 [path] LXCItime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXCJCATS	Y	rundll32 [path] LXCJtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXCQCATS	Y	rundll32 [path] LXCQtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXCRCATS	Y	rundll32 [path] LXCRtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXCTCATS	Y	rundll32 [path] LXCTtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXCYCATS	Y	rundll32 [path] LXCYtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXDBCATS	Y	rundll32 [path] LXDBtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXDCCATS	Y	rundll32 [path] LXDCtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details	No
LXDDCATS	Y	rundll32 [path] LXDDtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXDICATS	Y	rundll32 [path] LXDItime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
LXDJCATS	Y	rundll32 [path] LXDJtime.dll,_RunDLLEntry@16	Resolves a timing problem where the Lexmark Communications service tries to communicate with the printer but Windows is too busy - by either delaying the start of the service or restarting if the service failed to load. See here for more details on a similar Lexmark DLL entry (LXDCtime.dll)	No
MyWebSearch Plugin	U	rundll32 [path] M3PLUGIN.DLL,UPF	MyWebSearch toolbar by IAC Applications (was Mindspark). Detected by Malwarebytes as PUP.Optional.MindSpark. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'M3PLUGIN.DLL' file is located in %ProgramFiles%MyWebSearchbar.bin - where represents a number or letter. If bundled with another installer or not installed by choice then remove it	No
bipro	X	rundll32 [path] mmduch.dll	Detected by Sophos as Troj/Mdrop-CVM and by Malwarebytes as Trojan.Agent.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'mmduch.dll' file is located in %Windir%$NtUninstallMTF1011$	No
mnigfiu	X	rundll32 [path] mnigfiu.dll	Detected by McAfee as RDN/Generic BackDoor!td and by Malwarebytes as Trojan.Proxyagent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'mnigfiu.dll' file is located in %LocalAppData%	No
MSHTTPS Loader	X	rundll32 [path] mshttps.dll	Detected by Dr.Web as Trojan.Siggen6.4988. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'mshttps.dll' file is located in %AppData%	No
ncgekyc	X	rundll32 [path] ncgekyc.dll,ncgekyc	Detected by Sophos as Troj/HkMain-CT and by Malwarebytes as Trojan.Rundll.BNT. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ncgekyc.dll' file is located in %LocalAppData%	No
ndmsi	X	rundll32 [path] ndmsi.dll	Detected by Malwarebytes as Trojan.Medfos. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ndmsi.dll' file is located in %AppData%	No
New.net Startup	X	rundll32 [path] NewDotNet.dll,ClientStartup	Detected by Microsoft as Adware:Win32/NewDotNet. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
New.net Startup	X	rundll32 [path] NEWDOT~1.dll,ClientStartup	Detected by Microsoft as Adware:Win32/NewDotNet. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
New.net Startup	X	rundll32 [path] NEWDOT~1.dll,NewDotNetStartup	Detected by Microsoft as Adware:Win32/NewDotNet. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
New.net Startup	X	rundll32 [path] NEWDOT~2.dll,ClientStartup	Detected by Microsoft as Adware:Win32/NewDotNet. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
New.net Startup	X	rundll32 [path] NEWDOT~2.dll,NewDotNetStartup	Detected by Microsoft as Adware:Win32/NewDotNet. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
NetManage LaunchNow Init	?	RunDLL32 [path] nmgoinn.dll,VerifyStartMenu	NetManage business software related (now part of Micro Focus). The 'nmgoinn.dll' file is located in %ProgramFiles%NetManagecommon	No
nscsr	X	rundll32 [path] nscsr.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'nscsr.dll' file is located in %AppData%	No
Vmware	X	rundll32 [path] oewzzbry.dll	Detected by Dr.Web as Trojan.AVKill.31003. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'oewzzbry.dll' file is located in %LocalAppData%MozillaVMware	No
P17RunE	?	RunDll32 [path] P17RunE.dll,RunDLLEntry	Related to drivers for the Creative Sound Blaster Audigy & Audigy 2 soundcards. What does it do and is it required?	No
peokyur	X	rundll32 [path] peokyur.dll	Detected by McAfee as RDN/Generic Dropper and by Malwarebytes as Trojan.Ghixa. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'peokyur.dll' file is located in %LocalAppData%	No
MYQDBBL	X	rundll32 [path] pgnfled.b	Detected by McAfee as Generic.IL. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'pgnfled.b' file is located in %AppData%MicrosoftProtect	No
primnog	X	rundll32 [path] primnog.dll	Detected by Dr.Web as Trojan.DownLoader6.55143 and by Malwarebytes as Trojan.Dropper. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'primnog.dll' file is located in %LocalAppData%	No
prituus	X	rundll32 [path] prituus.dll	Detected by Dr.Web as Trojan.DownLoader7.13863 and by Malwarebytes as Trojan.Notify. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'prituus.dll' file is located in %LocalAppData%	No
psdsr	X	rundll32 [path] psdsr.dll	Detected by Dr.Web as Trojan.DownLoader6.42724. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'psdsr.dll' file is located in %AppData%	No
PWRMGRTR	Y	rundll32 [path] PWRMGRTR.DLL,PwrMgrBkGndMonitor	Background power monitor for IBM ThinkPad laptops. Leave it alone to ensure proper power management functions	No
BMMGAG	U	RunDll32 [path] pwrmonit.dll,StartPwrMonitor	Part of the Battery MaxiMiser and Power Management Features set for some IBM/Lenovo Thinkpad notebooks. This entry displays the battery gauge icon in the Taskbar (not the System Tray). Provides shortcuts to the proprietary power saving settings and to a battery information window	Yes
pwrmonit	U	RunDll32 [path] pwrmonit.dll,StartPwrMonitor	Part of the Battery MaxiMiser and Power Management Features set for some IBM/Lenovo Thinkpad notebooks. This entry displays the battery gauge icon in the Taskbar (not the System Tray). Provides shortcuts to the proprietary power saving settings and to a battery information window	Yes
Tesco.net	N	rundll32 [path] RyDial.dll,QuickStart	Tesco.net dial-up ISP software - not required	No
ntlfreedom	N	rundll32 [path] RyDial.dll,QuickStart	NTL Freedom dial-up ISP software - no longer in use	No
Creative SB Monitoring Utility	U	RunDll32 [path] sbavmon.dll,SBAVMonitor	Creative SB AVStream Monitoring Utility - part of the driver providing support for Creative Sound Blaster audio products. The 'sbavmon.dll' file is located in %System%	No
SurfBuddy	X	rundll32 [path] sbuddy.dll	SurfBuddy adware - not to be confused with the legitimate SurfBuddy application by SurfApps!. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
UEWUQWE	X	rundll32 [path] seivtb.sf	Detected by McAfee as Generic.IL. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'seivtb.sf' file is located in %AppData%MicrosoftProtect	No
Update	X	rundll32 [path] Sophosup.dll	Detected by Sophos as Troj/Hiloti-CY. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'Sophosup.dll' file is located in %AppData%SophosSophosUpdate	No
sydpasq	X	rundll32 [path] sydpasq.dll	Detected by Malwarebytes as Trojan.Rundll.BNT. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'sydpasq.dll' file is located in %LocalAppData%	No
TmProvider	X	rundll32 [path] TMPprovider###.dll	Detected by Malwarebytes as Backdoor.Havex. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'TMPprovider###.dll' file is located in %System%, where # represents a digit - see examples here and here	No
uvjsfua	X	rundll32 [path] uvjsfua.dll	Detected by Sophos as Troj/HkMain-DA. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'uvjsfua.dll' file is located in %LocalAppData%	No
uvjshua	X	rundll32 [path] uvjshua.dll	Detected by Sophos as Troj/HkMain-DA and by Malwarebytes as Trojan.Rundll.BNT. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'uvjshua.dll' file is located in %LocalAppData%	No
WebSpecials	X	rundll32 [path] webspec.dll	WebSpecials adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
SystemWin	X	rundll32 [path] win.dll,run	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'win.dll' file is located in %LocalAppData%	No
SystemWin2	X	rundll32 [path] win2.dll,run	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'win2.dll' file is located in %LocalAppData%	No
Microsoft	X	rundll32 [path] windrv.dat	Detected by Dr.Web as Trojan.KillProc.12029 and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
winupdate	X	rundll32 [path] winnew.dll,run	Detected by McAfee as PWS-Banker!gz3 and by Malwarebytes as Spyware.PasswordStealer. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'winnew.dll' file is located in %LocalAppData%	No
xbbhywa	X	rundll32 [path] xbbhywa.dll,xbbhywa	Detected by Sophos as Mal/Zbot-TN and by Malwarebytes as Trojan.Rundll.BNT. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'xbbhywa.dll' file is located in %LocalAppData%	No
ctfmon	X	rundll32 [path] [filename]	Detected by Malwarebytes as Trojan.Agent.E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The file is located in %UserTemp%	No
TcpIpCfg	X	Rundll32 [path] [filename].dll	Detected by Malwarebytes as Trojan.Downloader.MTH. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The DLL file is located in %AppData% - see examples here and here	No
KB[6 numbers]	X	rundll32 [path] [filename].dll	Detected by Malwarebytes as Backdoor.Agent.KB. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The DLL file is located in %AppData%Microsoft - see an example here	No
Intel Update	X	rundll32 [path] [filename].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AA and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[filename].dll' file is located in %AppData%	No
AppleProfileProfile	X	rundll32 [path] [filename].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AA and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[filename].dll' file is located in %AppData%	No
Update	X	rundll32 [path] [filename].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AA and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[filename].dll' file is located in %AppData%	No
ODBC Update	X	rundll32 [path] [filename].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AA and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[filename].dll' file is located in %AppData%	No
MicrosoftVerifierPolicy	X	rundll32 [path] [filename].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AA and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[filename].dll' file is located in %AppData%	No
MicrosoftBackupVerifier	X	rundll32 [path] [filename].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AA and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[filename].dll' file is located in %AppData%	No
Local Update	X	rundll32 [path] [filename].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AA and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[filename].dll' file is located in %AppData%	No
JavaNotifierProfile	X	rundll32 [path] [filename].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AA and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[filename].dll' file is located in %AppData%	No
DisplayProfilePolicy	X	rundll32 [path] [filename].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AA and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[filename].dll' file is located in %AppData%	No
Adobe Update	X	rundll32 [path] [filename].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AA and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[filename].dll' file is located in %AppData%	No
Netscape Update	X	rundll32 [path] [filename].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AA and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[filename].dll' file is located in %AppData%	No
System Photo Imager	X	RunDll32 [path] [random].dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The DLL file is located in %Windir%[folder] - see examples here and here	No
JavaStart	X	rundll32 [path] [random].ilk	Detected by Malwarebytes as Trojan.Banker. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].ilk' file is located in %AppData%MicrosoftWindows[folder]	No
Image	X	rundll32 [path] [trojan filename],Install	Detected by Trend Micro as TROJ_WINSHOW.Y	No
System32	X	rundll32-.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %AppData%	No
NT security	X	rundll32.com	Detected by Sophos as W32/Rbot-AJC	No
Atalho	X	rundll32.cpl	Detected by Malwarebytes as Trojan.Banker. Note - this entry loads from the Windows Startup folder and the file is located in %UserProfile%MicrosoftWindowsUpdate	No
Windows Firewall Cpl	X	rundll32.cpl	Detected by Malwarebytes as Trojan.Banker.CPL. The file is located in %UserProfile%MicrosoftWindowsUpdate	No
Microsoft Update	X	rundll32.dll	Detected by Malwarebytes as Backdoor.Bot. The file is located in %System%	No
wwnotify	X	rundll32.dll [random].tmp NotifierInit	Detected by Symantec as Trojan.Cridex. The '[random].tmp' file is located in %CommonAppData%	No
RunDLL32.exe	X	RunDLL32.exe	Detected by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Root%ProgramData	No
Rundll32.exe	X	Rundll32.exe	Detected by Malwarebytes as Trojan.Downloader.RDL.Generic. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
LTT2	X	rundll32.exe	Detected by Sophos as Troj/Lineage-BI	No
rundll32.exe	X	rundll32.exe	Detected by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %UserTemp%	No
RealNetwork	X	rundll32.exe	Detected by Malwarebytes as Trojan.Agent.RDL. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %UserTemp%	No
Loadhg	X	rundll32.exe	Detected by Sophos as Troj/Lineag-ABX. Note - this entry either replaces or loads the legitimate rundll32.exe process, which is located in %System% (NT/2K/XP). Which is the case is unknown at this time	No
loadMecq3	X	rundll32.exe	Detected by Sophos as Troj/LegMir-AS and by Malwarebytes as Password.Stealer.E. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Root%	No
Windows Audio Driver	X	rundll32.exe	Detected by Dr.Web as Trojan.DownLoader6.32520. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%	No
loadMect2	X	rundll32.exe	Detected by Malwarebytes as Password.Stealer.E. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %ProgramFiles%	No
loadMefs	X	rundll32.exe	Detected by Sophos as Troj/LegMir-JB. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%inf	No
Microsoft (R) Windows DLL Loader	X	rundll32.exe	Detected by Symantec as Backdoor.Ranky.W. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%dll	No
_rx	X	rundll32.exe	Detected by Sophos as Troj/Lineag-AB. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%command	No
Default Key	X	rundll32.exe	Detected by Malwarebytes as Backdoor.Agent.E. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %LocalAppData%Default Folder	No
LoadPowerProfile	X	Rundll32.exe	Detected by Symantec as W32.Miroot.Worm. Note - do not confuse with the valid LoadPowerProfile entry which has 'powrprof.dll' appended to the command/data line	No
Adobe32 ARM	X	rundll32.exe	Detected by Kaspersky as Trojan.Win32.Swisyn.arlt. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %WinDir%Adobe32 ARM	No
SunJavaUpdateSched	X	rundll32.exe	Detected by Malwarebytes as Backdoor.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%	No
(Default)	X	rundll32.exe	Detected by Malwarebytes as Backdoor.Agent. Note - this malware actually changes the value data of the '(Default)' key in HKCURun in order to force Windows to launch it at boot and the name field in MSConfig may be blank. Also, this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT) - this one is located in %AppData%	No
Host-process Windows (Rundll32.exe)	X	rundll32.exe	Detected by Dr.Web as Trojan.DownLoader6.51189 and by Malwarebytes as Trojan.Agent.SF. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%	No
HKLM	X	rundll32.exe	Detected by McAfee as Generic.bfr!cc and by Malwarebytes as Backdoor.HMCPol.Gen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Root%dirinstallrundll32.exeinstallrundll32.exe	No
Host-process Windows (Rundll32.exe)	X	rundll32.exe	Detected by Dr.Web as Trojan.DownLoader6.47266 and by Malwarebytes as Trojan.Agent.SF. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%System32	No
HKLM	X	rundll32.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %System%install	No
HKLM	X	rundll32.exe	Detected by Kaspersky as Backdoor.Win32.Bifrose.dumi and by Malwarebytes as Backdoor.HMCPol.Gen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%install	No
HKLM	X	rundll32.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%systenm	No
Windows Host Process	X	rundll32.exe	Detected by McAfee as RDN/Generic.bfr and by Malwarebytes as Trojan.Agent.WHPGen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %LocalAppData%FlashContainer	No
Windows Host Process	X	rundll32.exe	Detected by Malwarebytes as Trojan.Agent.WHPGen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %UserTemp%	No
Win Update Service	X	Rundll32.exe	Detected by Dr.Web as Trojan.DownLoader9.44506 and by Malwarebytes as Trojan.Agent.E. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%Mango	No
runSoundAPI	X	rundll32.exe	Detected by Dr.Web as Trojan.DownLoader7.2525. Note - this is not the legitimate rundll32.exe process, which is located in %System% (8/7/Vista/XP/2K/NT). This one is located in %Windir% - which would be the correct location for WinMe/98	No
Windows DLL Loader	X	rundll32.exe	Detected by Sophos as W32/Whipser-B. Note - this entry replaces the legitimate rundll32.exe process, which is located in %System% (10/8/7/Vista/XP/2K/NT)	No
ca84c702-c758-4421-974e-b02662e76d7c_6	X	rundll32.exe	Antimalware Defender rogue security software - not recommended, removal instructions here! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
zt	X	rundll32.exe	Detected by Sophos as Troj/Lineag-ABA. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%Intel	No
HKCU	X	rundll32.exe	Detected by McAfee as Generic.bfr!cc and by Malwarebytes as Backdoor.HMCPol.Gen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Root%dirinstallrundll32.exeinstallrundll32.exe	No
Windows System	X	rundll32.exe	Detected by Malwarebytes as Backdoor.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%	No
HKCU	X	rundll32.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %System%install	No
Microsoft Updater	X	rundll32.exe	Detected by Malwarebytes as Backdoor.Bot. Note - this entry either replaces or loads the legitimate rundll32.exe process, which is always located in %System%. Which is the case is unknown at this time	No
HKCU	X	rundll32.exe	Detected by Kaspersky as Backdoor.Win32.Bifrose.dumi and by Malwarebytes as Backdoor.HMCPol.Gen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%install	No
HKCU	X	rundll32.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%systenm	No
NET Framework	X	Rundll32.exe	Detected by McAfee as RDN/Ransom and by Malwarebytes as Backdoor.Agent.DC. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%Microsoft	No
rx	X	rundll32.exe	Detected by Sophos as Troj/Lineage-BP. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%	No
Microsoft Setup Initializazion	X	rundll32.exe	Detected by Symantec as W32.Randex.gen and by Malwarebytes as Backdoor.Bot. Note that this entry loads or modifies the file rundll32.exe, which is otherwise a legitimate Microsoft file used to launch DLL file types	No
rzt	X	rundll32.exe	Detected by Trend Micro as TSPY_LINEAGE.BDP and by Malwarebytes as Trojan.Agent.TZ. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%Intel	No
Tray	X	rundll32.exe	Detected by Sophos as Troj/Lineag-ADR. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%command	No
Policies	X	rundll32.exe	Detected by McAfee as Generic.bfr!cc and by Malwarebytes as Backdoor.Agent.PGen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Root%dirinstallrundll32.exeinstallrundll32.exe	No
Policies	X	rundll32.exe	Detected by Malwarebytes as Backdoor.Agent.PGen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %System%install	No
Policies	X	rundll32.exe	Detected by Kaspersky as Backdoor.Win32.Bifrose.dumi and by Malwarebytes as Backdoor.Agent.PGen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%install	No
Policies	X	rundll32.exe	Detected by Malwarebytes as Backdoor.Agent.PGen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%systenm	No
WindowsRundll	X	rundll32.exe	Detected by Malwarebytes as Backdoor.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%Microsoft	No
FPbLOnFBUU	X	rundll32.exe	Detected by Dr.Web as Trojan.Siggen2.55304 and by Malwarebytes as Trojan.Agent.RDL. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Temp%	No
load	X	rundll32.exe	Detected by Symantec as Infostealer.Wowcraft. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %ProgramFiles%	No
whitehouse	X	rundll32.exe	Detected by Malwarebytes as Trojan.Banker.E. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %UserTemp%	No
Rr2	X	rundll32.exe	Detected by Sophos as Troj/Lineag-ADI. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%addins	No
Ljx	X	rundll32.exe	Detected by Sophos as Troj/Lineag-ABD. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%inf	No
Rhg	X	rundll32.exe	Detected by Sophos as Troj/Lineag-BIT. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%inf	No
Windows Explorer	X	rundll32.exe	Detected by Malwarebytes as Backdoor.Bot. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%	No
rro	X	rundll32.exe	Detected by Sophos as Troj/Lineag-AAE and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %ProgramFiles%Microsoft	No
Regrx	X	rundll32.exe	Detected by Sophos as Troj/Wayic-A and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%	No
Rundll21	X	Rundll32.exe	Detected by Sophos as Troj/VB-GKW and by Malwarebytes as Backdoor.Agent.DCEGen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %System%MSDCSC	No
Windows Update	X	rundll32.exe	Detected by Symantec as W32.Addnu. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %LocalAppData%Microsoft	No
SysWy	X	rundll32.exe	Detected by Sophos as Troj/Lineage-JH. Note - this entry either replaces or loads the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT)	No
sys	X	rundll32.exe	Detected by Sophos as Troj/Lineage-G. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%Intel	No
adobeupdater	X	rundll32.exe	Detected by Malwarebytes as Trojan.VBAgent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%# # - where # represents a digit, see examples here and here	No
microsoft	X	rundll32.exe	Detected by McAfee as Generic.mfr and by Malwarebytes as Trojan.Agent.MSGen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %System%microsoft	No
TaskMan	X	Rundll32.exe	Detected by Symantec as Backdoor.Dvldr and by Malwarebytes as Trojan.Agent.Gen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%Fonts	No
rundll32	X	rundll32.exe	Detected by Malwarebytes as Backdoor.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%	No
rundll32	X	rundll32.exe	Detected by McAfee as RDN/Generic BackDoor!tp and by Malwarebytes as Backdoor.Agent.RDL. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%FolderName	No
Rundll32	X	Rundll32.exe	Detected by McAfee as RDN/Generic.bfr and by Malwarebytes as Backdoor.Agent.DCEGen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %CommonAppData%MicrosoftWindowsStart MenuMSDCSC (10/8/7/Vista) or %AllUsersProfile%Start MenuMSDCSC (XP)	No
rundll32	X	rundll32.exe	Detected by Malwarebytes as Trojan.MSIL. The file is located in %LocalAppData%	No
Rundll32	X	Rundll32.exe	Detected by Malwarebytes as Trojan.Backdoor.VB. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Root%	No
rundll32	X	rundll32.exe	Detected by Malwarebytes as Trojan.Logger.VB. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Root%config	No
rundll32	X	rundll32.exe	Detected by Sophos as Troj/Agent-EZ. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %System%SHELLEXT	No
Win32 Rundll Loader	X	Rundll32.exe	Detected by Trend Micro as BKDR_SDBOT.A. Note - this is not to be confused with the legitimate rundll32.exe file!	No
rundll32	X	rundll32.exe	Detected by McAfee as Generic.dx and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Temp%	No
rundll32	X	rundll32.exe	Detected by McAfee as RDN/Generic BackDoor!wt and by Malwarebytes as Backdoor.Agent.DCE. Not - this is not legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Temp%JAVA	No
Microsoft Update 32	X	rundll32.exe	Detected by Kaspersky as Backdoor.Win32.Rbot.aie and by Malwarebytes as Backdoor.Bot. Note - this malware modifies the legitimate rundll32.exe process which is always located in %System% and is used to launch DLL file types	No
rundll32	X	rundll32.exe	Detected by McAfee as RDN/Generic BackDoor and by Malwarebytes as Backdoor.Agent.DCEGen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Temp%MSDCSC	No
rundll32	X	rundll32.exe	Detected by McAfee as Generic Downloader.x. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir% and loads from HKLMpoliciesExplorerRun	No
rundll32	X	rundll32.exe	Detected by Symantec as W32.HLLW.Sanker. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir% and loads from HKLMRun	No
RUNDLL32	X	RUNDLL32.EXE	Detected by Dr.Web as Trojan.Siggen5.4677. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%inf	No
rundll32	X	rundll32.exe	Detected by McAfee as Generic BackDoor.xa and by Malwarebytes as Backdoor.Agent.DCEGen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%MSDCSC	No
Microsoft Update checker	X	rundll32.exe	Detected by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir% - see here	No
.NET Framework	X	rundll32.exe	Detected by Dr.Web as Trojan.KillProc.30638 and by Malwarebytes as Trojan.Agent.NF. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %AppData%Microsoft	No
SQLBrowser	X	rundll32.exe	Detected by Malwarebytes as Backdoor.Bot.E. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Temp%	No
RKrx	X	rundll32.exe	Detected by Sophos as Troj/Lineag-ADA. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%down	No
RKrx	X	rundll32.exe	Added by a variant of Troj/Lineag-ADA. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %Windir%inf	No
zhtngyzTdd	X	rundll32.exe	Detected by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). This one is located in %UserTemp%	No
InfoData	X	rundll32.exe *******.dll,realset [ = random char]	Added by the VUNDO TROJAN! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The random DLL file is located in %System%	No
Rundll32_8	X	rundll32.exe 1.dll,DllRunServer	Detected by Symantec as Adware.BrowserAid. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '1.dll' file is located in %Root%	No
ctfmon.exe	X	rundll32.exe 2i0g.dat	Detected by Sophos as Troj/Ransom-TI and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
VoodooBanshee	U	rundll32.exe 3DBBps.dll,BansheeLoadSettings	Loads the configuration settings for a 3dfx Voodoo Banshee chipset based graphics card. If you change some of the settings from default you probably need this - otherwise maybe not	No
3dfx Tools	Y	rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot	Updates the registry with information that can't be held for Voodoo 3/4/5 series graphics cards. Important for owners of these cards	No
ctfmon.exe	X	rundll32.exe 4nie2.dat	Detected by Sophos as Troj/Reveton-CR and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
56a10a26-dc02-40f3-a4da-8fa92d06b357_33	X	rundll32.exe 56a10a26-dc02-40f3-a4da-8fa92d06b357_33.avi	Security Defender rogue security software - not recommended, removal instructions here. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '56a10a26-dc02-40f3-a4da-8fa92d06b357_33.avi' file is located in %CommonAppData%	No
ctfmon.exe	X	rundll32.exe 6zlh6z.dat	Detected by Sophos as Troj/Ransom-RT and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
ctfmon.exe	X	rundll32.exe 8codfo.dat	Detected by Sophos as Troj/Agent-ABQP and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
ctfmon.exe	X	rundll32.exe 9wwil.dat	Detected by Sophos as Troj/Ransom-QV and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
ctfmon32.exe	X	rundll32.exe a9jmr.dat	Detected by Malwarebytes as Trojan.Agent.Gen. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
ctfmon.exe	X	rundll32.exe adoj1.dat	Detected by Sophos as Troj/Reveton-CS and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
delsubmit	X	rundll32.exe advpack.dll,DelNodeRunDLL32 submit.exe	CoolWebSearch parasite variant	No
wextract_cleanup#	Y	rundll32.exe advpack.dll,DelNodeRunDLL32 [path] IXP00#.TMP	Used to clean up temporary or cab files created by installer software for a wide variety of software - where # represents a digit. It normally loads via the HKLMRunOnce key and should disappear after a system restart	No
WinDLL (algs.exe)	X	rundll32.exe algs.exe,start	Detected by Kaspersky as Backdoor.Win32.Akbot.e and by Malwarebytes as Backdoor.Bot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'algs.exe' file is located in %System%	No
KB926239	Y	rundll32.exe apphelp.dll,ShimFlushCache	Microsoft KB926239 fix. Windows Media Player 10 may close unexpectedly on a Windows XP-based computer	No
WinDLL (asdfsa.exe)	X	rundll32.exe asdfsa.exe,start	Detected by Trend Micro as WORM_SDBOT.GAV. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'asdfsa.exe' file is located in %System%	No
PostSetupCheck	X	Rundll32.exe atgban.dll	TrafficSol adware variant. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'atgban.dll' file is located in %System%	No
UpdateHook	?	rundll32.exe AUHKNEW.DLL,RenameDll	The 'AUHKNEW.DLL' file is located in %System%	No
ctfmon.exe	X	rundll32.exe awibdo.dat	Detected by Dr.Web as Trojan.DownLoader8.31997 and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
ctfmon32.exe	X	rundll32.exe ba90.dat	Live Security Professional rogue security software - not recommended, removal instructions here. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
BCMHal	U	rundll32.exe bcmhal9x.dll,bcinit	BlasterControl for Creative video cards - controls for desktop settings, monitor configuration, colour adjustments and performance tuning. May be needed to retain settings	No
WinDLL (bee.dll)	X	rundll32.exe bee.dll,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'bee.dll' file is located in %System%	No
WinDLL (bix.exe)	X	rundll32.exe bix.exe,start	Detected by Kaspersky as Net-Worm.Win32.Kolab.ol. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'bix.exe' file is located in %System%	No
Systems Restart	X	Rundll32.exe boln.dll,DllRegisterServer	Detected by Symantec as Trojan.StartPage.J. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
ctfmon.exe	X	rundll32.exe bri47.dat	Detected by Sophos as Troj/Reveton-CM and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
BluetoothAuthenticationAgent	U	rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent	If your system has Bluetooth (either integrated or via an adapter) and use's Microsoft's support software/drivers, this entry is required in order to successfully 'pair' your system with a Bluetooth device (such as a mobile phone, PDA, headset) using this wireless protocol (via a PIN)	Yes
rundll32	U	rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent	If your system has Bluetooth (either integrated or via an adapter) and use's Microsoft's support software/drivers, this entry is required in order to successfully 'pair' your system with a Bluetooth device (such as a mobile phone, PDA, headset) using this wireless protocol (via a PIN)	Yes
Intel PROSetWireless Bluetooth	U	rundll32.exe btmshell.dll,TrayApp	Provides support for Bluetooth short-range wireless products from Intel. If you don't use any Bluetooth devices (such as mice, keyboards, headsets and phones) with your PC you can disable this	Yes
BTMTrayAgent	U	rundll32.exe btmshell.dll,TrayApp	Provides support for Bluetooth short-range wireless products from Intel and Motorola (and maybe others). If you don't use any Bluetooth devices (such as mice, keyboards, headsets and phones) with your PC you can disable this	Yes
Intel PROSetWireless Bluetooth	U	rundll32.exe btmshellex.dll,TrayApp	Provides support for Bluetooth short-range wireless products from Intel (and maybe others). If you don't use any Bluetooth devices (such as mice, keyboards, headsets and phones) with your PC you can disable this	Yes
Intel(R) Wireless Bluetooth(R)	U	rundll32.exe btmshellex.dll,TrayApp	Provides support for Bluetooth short-range wireless products from Intel (and maybe others). If you don't use any Bluetooth devices (such as mice, keyboards, headsets and phones) with your PC you can disable this	Yes
Btmshellex	U	rundll32.exe btmshellex.dll,TrayApp	Provides support for Bluetooth short-range wireless products from Intel (and maybe others). If you don't use any Bluetooth devices (such as mice, keyboards, headsets and phones) with your PC you can disable this	Yes
BTMTrayAgent	U	rundll32.exe btmshellex.dll,TrayApp	Provides support for Bluetooth short-range wireless products from Intel (and maybe others). If you don't use any Bluetooth devices (such as mice, keyboards, headsets and phones) with your PC you can disable this	Yes
ca84c702-c758-4421-974e-b02662e76d7c_6	X	rundll32.exe ca84c702-c758-4421-974e-b02662e76d7c_6.avi	Antimalware Defender rogue security software - not recommended, removal instructions here. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ca84c702-c758-4421-974e-b02662e76d7c_6.avi' file is located in %System% and %AppData%	No
WildTangent CDA	?	RUNDLL32.exe cdaEngine0400.dll,cdaEngineMain	Part of the WildTangent on-line games system. What does it do and is it required?	No
ExFilter	X	Rundll32.exe cdnspie.dll,ExecFilter	CNav adware installed with HyperSnap Installer. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'cdnspie.dll' file is located in %ProgramFiles%CNNICCdn	No
RegistryCheck	X	rundll32.exe chkreg.dll,CheckRegistry	Ulubione adult content dialer. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
PostSetupCheck	X	Rundll32.exe cpmsky.dll	TrafficSol adware variant. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'cpmsky.dll' file is located in %System%	No
CrazyTalk Serve	N	rundll32.exe CrazyTalk.dll,DIIServeMediaFile	CrazyTalk from Reallusion - 'the worlds only facial animation tool that gives you the power to create talking animated images from a single photograph, complete with emotions.' Can apparently be installed without your knowledge as well as being a legitimate download in it's own right from sites such as TUCOWS	No
WinDLL (csmss.exe)	X	rundll32.exe CSMSS.EXE,start	Detected by Trend Micro as WORM_AKBOT.U. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'CSMSS.EXE' file is located in %System%	No
WinDLL (ctfmonm.exe)	X	rundll32.exe ctfmonm.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ctfmonm.exe' file is located in %System%	No
Control	X	rundll32.exe ctrlpan.dll,Restore ControlPanel	CoolWebSearch Msconfd parasite variant	No
WinDLL (dasada.exe)	X	rundll32.exe dasada.exe,start	Added by a variant of Backdoor.Sdbot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'dasda.exe' file is located in %System%	No
WinDLL (dasda.com)	X	rundll32.exe dasda.com,start	Detected by Trend Micro as WORM_SDBOT.GAV. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'dasda.com' file is located in %System%	No
DeadAIM	N	rundll32.exe DeadAIM.ocm,ExportedCheckODLs	DeadAIM - feature enhancing product for AOL's Instant Messenger program. No longer available	No
WinDLL (diem.exe)	X	rundll32.exe diem.exe,start	Detected by Trend Micro as WORM_AKBOT.E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'diem.exe' file is located in %System%	No
WinDLL (dlfksdld.exe)	X	rundll32.exe dlfksdld.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'dlfksdld.exe' file is located in %System%	No
.Net Recovery	X	rundll32.exe dotnetfx.dll,repair	Detected by Symantec as W32.Delezium and by Malwarebytes as Spyware.OnlineGames. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'dotnetfx.dll' file is located in %System%	No
drkly16j	U	rundll32.exe drkly16j.dll,ServiceCheck	KidsWatch Time Control parental control software	No
MSDrive	X	rundll32.exe drv[random].dll,startup	Added by a variant of Trojan:Win32/Adialer.OP! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'drv[random].dll' file is located in %System%	No
CTDrive	X	rundll32.exe drv[random].dll,startup	Added by a variant of Trojan:Win32/Adialer.OP! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'drv[random].dll' file is located in %System%	No
MSDisp32	X	rundll32.exe drv[random].dll,startup	Added by a variant of Trojan:Win32/Adialer.OP! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'drv[random].dll' file is located in %System%	No
A70F6A1D-0195-42a2-934C-D8AC0F7C08EB	X	rundll32.exe E6F1873B.dll, D9EBC318C	Detected by Symantec as Adware.BrowserAid. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'E6F1873B.DLL' file is located in %System%	No
Encrypted Disk Auto Mount	Y	rundll32.exe edshell.dll,MountAll	'Paragon Encrypted Disk is a set of system drivers, plug-ins, wizards and utilities to store your data in an encrypted form but use these data in a common way as if they are not encrypted'	No
Microsoft® Windows® Operating System	N	RunDLL32.exe ehuihlp.dll,BootMediaCenter	Starts Windows Media Center every time Vista (Home Premium or Ultimate) or Windows 7 (Home Premium, Professional or Ultimate) boots. Disable by unchecking the 'Start Windows Media Center when Windows Starts' option via Windows Media Center → Tasks → Settings → General → Startup and Window Behaviour	Yes
Windows Media Center	N	RunDLL32.exe ehuihlp.dll,BootMediaCenter	Starts Windows Media Center every time Vista (Home Premium or Ultimate) or Windows 7 (Home Premium, Professional or Ultimate) boots. Disable by unchecking the 'Start Windows Media Center when Windows Starts' option via Windows Media Center → Tasks → Settings → General → Startup and Window Behaviour	Yes
ctfmon.exe	X	rundll32.exe f4e1.dat	Detected by Sophos as Troj/Reveton-CP and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
ctfmon.exe	X	rundll32.exe fjmqe.dat	Detected by Sophos as Troj/Reveton-CL and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
fstsvc	X	rundll32.exe fstsvc.dll,start	Detected by Sophos as W32/Akbot-AA. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'fstsvc.dll' file is located in %System%	No
ftutil2	U	rundll32.exe ftutil2.dll,SetWriteCacheMode	Related to Promise Technology's FastTrak SX4030/4060 PCI ATA Raid 5 controller (and possibly others)	No
wupipenimi	X	Rundll32.exe fumitoga.dll,s	Detected by Microsoft as Trojan:Win32/Vundo.JC.dll. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'fumitoga.dll' file is located in %System%	No
Gddlib	X	rundll32.exe gddlib.dll,start	Detected by Trend Micro as WORM_AKBOT.EG. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'gddlib.dll' file is located in %System%	No
postSetupCheck	X	Rundll32.exe gzmrt.dll	TrafficSol adware variant. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'gzmrt.dll' file is located in %System%	No
HBService	X	Rundll32.exe HBmhly.dll,StartService	Added by the ONLINEGAMES.SKNV TROJAN! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'HBmhly.dll' file is located in %System%	No
he3bbcff	X	rundll32.exe he3bbcff.dll,EnableRunDLL32	LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'he3bbcff.dll' file is located in %System%	No
he3e3fc4	X	rundll32.exe he3e3fc4.dll,EnableRunDLL32	LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'he3e3fc4.dll' file is located in %System%	No
wupipenimi	X	Rundll32.exe hupojoyu.dll,s	Detected by Microsoft as Trojan:Win32/Vundo.JC.dll. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'hupojoyu.dll' file is located in %System%	No
icdd7ee6	X	rundll32.exe icdd7ee6.dll,EnableRunDLL32	LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'icdd7ee6.dll' file is located in %System%	No
icddefff	X	rundll32.exe icddefff.dll,EnableRunDLL32	LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'icddefff.dll' file is located in %System%	No
ICSDCLT	U	rundll32.exe Icsdclt.dll,ICSClient	Internet Connection Sharing allows more than one computer to simultaneously access the internet with a single connection. Also required when networking two machines	No
iel2cde8	X	rundll32.exe iel2cde8.dll,EnableRunDLL32	LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'iel2cde8.dll' file is located in %System%	No
ielcaabe	X	rundll32.exe ielcaabe.dll,EnableRunDLL32	LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ielcaabe.dll' file is located in %System%	No
winnets	X	rundll32.exe initrealtek.dll	Detected by Dr.Web as Trojan.Siggen6.833 and by Malwarebytes as Backdoor.Agent.IRGen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'initrealtek.dll' file is located in %System%	No
BluetoothAuthenticationAgent	U	rundll32.exe irprops.cpl,BluetoothAuthenticationAgent	If your system has Bluetooth (either integrated or via an adapter) and use's Microsoft's support software/drivers, this entry is required in order to successfully 'pair' your system with a Bluetooth device (such as a mobile phone, PDA, headset) using this wireless protocol (via a PIN). Should you get the error message, 'Rundll irprops.cpl missing entry Bluetooth authentication agent', click here for more information	Yes
rundll32	U	rundll32.exe irprops.cpl,BluetoothAuthenticationAgent	If your system has Bluetooth (either integrated or via an adapter) and use's Microsoft's support software/drivers, this entry is required in order to successfully 'pair' your system with a Bluetooth device (such as a mobile phone, PDA, headset) using this wireless protocol (via a PIN). Should you get the error message, 'Rundll irprops.cpl missing entry Bluetooth authentication agent', click here for more information	Yes
iSecurity applet	X	rundll32.exe iSecurity.cpl,SecurityMonitor	Detected by Malwarebytes as Rogue.ISecurity. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'iSecurity.cpl' file is located in %System%	No
WinDLL (jbi32.dll)	X	rundll32.exe jbi32.dll,start	Detected by Trend Micro as WORM_AKBOT.E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'jbi32.dll' file is located in %System%	No
wupipenimi	X	Rundll32.exe jinorije.dll,s	Detected by Microsoft as Trojan:Win32/Vundo.JC.dll. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'jinorije.dll' file is located in %System%	No
jmudkve.dll	X	rundll32.exe jmudkve.dll,mzrwkwf	Detected by Sophos as Troj/Agent-DJD. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'jmudkve.dll' file is located in %System%	No
DisableKeybaord	X	Rundll32.exe Keyboard,Disable	Detected by Sophos as Troj/VB-HE. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
kw3eef76	X	rundll32.exe kw3eef76.dll,EnableRunDLL32	LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'kw3eef76.dll' file is located in %System%	No
WinDLL (lcass.exe)	X	rundll32.exe lcass.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'lcass.exe' file is located in %System%	No
LHTTSENG	N	rundll32.exe lhttseng.inf,RemoveCabinet	Left over after installation of the British English version of the Lernout & Hauspie Text To Speech (TTS) Engine	No
li01f948	X	rundll32.exe li01f948.dll,EnableRunDLL32	LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'li01f948.dll' file is located in %System%	No
LibGLTime	X	Rundll32.exe LibGLTime.dll	Detected by Sophos as Troj/Sefnit-B. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'LibGLTime.dll' file is located in %LocalAppData%SystemMapPlay	No
libtec	X	rundll32.exe libtec.dll,start	Detected by Sophos as W32/Akbot-AI. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'libtec.dll' file is located in %System%	No
ltssvc	X	rundll32.exe ltssvc.dll,start	Detected by Sophos as W32/Akbot-AG. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ltssvc.dll' file is located in %System%	No
wupipenimi	X	Rundll32.exe luyenofe.dll,s	Detected by Microsoft as Trojan:Win32/Vundo.JC.dll. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'luyenofe.dll' file is located in %System%	No
MigrationVendorSetupCaller	Y	rundll32.exe migrate.dll,CallVendorSetupDlls	Used by applications when upgrading to a newer OS so that the application runs smoothly - see here. This entry is no longer needed when migration is complete and all is running smoothly on the new OS	No
LicCtrl	Y	rundll32.exe MMFS.DLL,Service	Part of the eLicense Copy Protection scheme employed by some software and games. If it is not running the eLicense wrapper is unable to extract and execute the program. The 'MMFS.DLL' file is located in %Windir%	No
MMSystem	X	rundll32.exe mmsystem.dll,RunDll32	Detected by Sophos as W32/Funner-A. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'mmsystem.dll' file is located in %System%	No
DisableMouse	X	Rundll32.exe Mouse,Disable	Detected by Sophos as Troj/VB-HE. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
TakeMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
GetitAll	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
MainDownloads	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
ContentDownload	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
GetMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
GetTheMusic	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
DesktopUpdate	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
DownloadLegalMusic	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
DownloadMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
DownloadsAndMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
SearchMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
YourMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
LosMejoresMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
LotsOfGames	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
LotsOfJokes	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
MoreContent	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
ChansonsMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
CoolDownloads	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
CoolMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
ScreenSaverPlus	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
GreatDownloads	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
NiceDownloads	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
NiceMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
TheBestMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
ThemeMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
NewDownloads	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
NewMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
EntraOcio	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
DescargaBromas	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
FastDownloads	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
ConnectAndDownload	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
NumberOneMP3	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
FreeMP3download	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
MP3Collection	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
MP3download	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
MP3files	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
MP3freeDownload	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
MP3freeDownloads	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
MP3nice	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
MP3Themes	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
MP3ToTheMax	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
UtilitiesAndSoftware	X	rundll32.exe MSA64CHK.dll,DllMostrar	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA64CHK.dll' file is located in %System%	No
Desktop	X	rundll32.exe msconfd.dll,Restore ControlPanel	Detected by Symantec as Trojan.Bookmarker and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'msconfd.dll' file is located in %System%	No
Mass storage check registry	N	rundll32.exe MSDServ.dll,check registry	Used with a USB based smartmedia card reader	No
CheckMsgPlus	U	Rundll32.exe MsgPlusH.dll,VerifyInstallation	Auto-update feature for MSN Messenger Plus - a 3rd party extension to MSN Messenger	No
Rundll32_7	X	rundll32.exe msiefr40.dll,DllRunServer	Detected by Symantec as Adware.BrowserAid. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'msiefr40.dll' file is located in %System%	No
R	X	rundll32.exe msprt.dll	Chinese originated browser hijacker - redirecting to 4199.com Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
WinDLL (mysnlive.exe)	X	rundll32.exe mysnlive.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'mysnlive.exe' file is located in %System%	No
notepad	X	rundll32.exe notepad.dll,_IWMPEvents@0	Detected by Microsoft as Trojan:Win32/Opachki.A and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'notepad.dll' file is located in %System%	No
notepad	X	rundll32.exe notepad.dll,_NtLoad@0	Detected by Sophos as Troj/Agent-NJZ and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'notepad.dll' file is located in %System%	No
notepad	X	rundll32.exe ntload.dll,_IWMPEvents@0	Detected by Microsoft as Trojan:Win32/Opachki.A and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ntload.dll' file is located in %UserProfile%	No
NvCpl	U	RUNDLL32.EXE NvCpl.dll,NvStartup	If you use a utility (such as RivaTuner) to overclock any of the default display settings (system clock, memory clock, etc) for NVIDIA based graphics chipsets and want to apply these new settings at startup then this entry will maintain these. Leaving this entry enabled doesn't appear to have an impact on startup time. Not required if you use default settings and if you disable this entry you may also have to disable the associated 'NVIDIA Display Driver Service' or 'NVIDIA Driver Helper Service'. Included with drivers since late 2002	Yes
NvCplDaemon	U	RUNDLL32.EXE NvCpl.dll,NvStartup	If you use a utility (such as RivaTuner) to overclock any of the default display settings (system clock, memory clock, etc) for NVIDIA based graphics chipsets and want to apply these new settings at startup then this entry will maintain these. Leaving this entry enabled doesn't appear to have an impact on startup time. Not required if you use default settings and if you disable this entry you may also have to disable the associated 'NVIDIA Display Driver Service' or 'NVIDIA Driver Helper Service'. Included with drivers since late 2002	Yes
NVIDIA Compatible Windows Vista Display driver, Version *	U	RUNDLL32.EXE NvCpl.dll,NvStartup	If you use a utility (such as RivaTuner) to overclock any of the default display settings (system clock, memory clock, etc) for NVIDIA based graphics chipsets and want to apply these new settings at startup then this entry will maintain these. Leaving this entry enabled doesn't appear to have an impact on startup time. Not required if you use default settings and if you disable this entry you may also have to disable the associated 'NVIDIA Display Driver Service' or 'NVIDIA Driver Helper Service'. Included with drivers since late 2002	Yes
NVIDIA Compatible Windows7 Display driver, Version *	U	RUNDLL32.EXE NvCpl.dll,NvStartup	If you use a utility (such as RivaTuner) to overclock any of the default display settings (system clock, memory clock, etc) for NVIDIA based graphics chipsets and want to apply these new settings at startup then this entry will maintain these. Leaving this entry enabled doesn't appear to have an impact on startup time. Not required if you use default settings and if you disable this entry you may also have to disable the associated 'NVIDIA Display Driver Service' or 'NVIDIA Driver Helper Service'. Included with drivers since late 2002	Yes
NVHotkey	U	rundll32.exe nvHotkey.dll	Enables the use of 'hot keys' for changing setting on NVIDIA graphics	No
NVIEW	U	rundll32.exe nview.dll,nViewLoadHook	Part of NVIDIA's NVIEW Display Management Software - included in drivers for consumer and professional graphics products. In earlier drivers this entry enables the Desktop Manager and makes it's features such as multiple desktops and hot keys available to the user. Available via Control Panel → NVIDIA nView Desktop Manager	Yes
rundll32	U	rundll32.exe nview.dll,nViewLoadHook	Part of NVIDIA's NVIEW Display Management Software - included in drivers for consumer and professional graphics products. In earlier drivers this entry enables the Desktop Manager and makes it's features such as multiple desktops and hot keys available to the user. Available via Control Panel → NVIDIA nView Desktop Manager	Yes
NvRegisterMCTray	Y	RUNDLL32.EXE NVMCTRAY.DLL,NvMCRegisterApp NvCpl.dll	Registers the NVIDIA Control Panel (NvCpl.dll) via the NVIDIA Media Center Library (NVMCTRAY.DLL) on the first reboot only after the installation of NVIDIA graphics drivers on Win Me/XP. Added with NVIDIA graphics drivers since GeForce/ION Driver - Release 186. Both files are located in %System%	Yes
NvRegisterMCTrayNview	Y	RUNDLL32.EXE NVMCTRAY.DLL,NvMCRegisterApp nView.dll	Registers the NVIDIA Nview Desktop Manager (nView.dll) via the NVIDIA Media Center Library (NVMCTRAY.DLL) on the first reboot only after the installation of NVIDIA graphics drivers on Win Me/XP. Added with NVIDIA graphics drivers since GeForce/ION Driver - Release 186. Both files are located in %System%	Yes
NVIDIA Media Center Library	U	RunDLL32.exe NvMCTray.dll,NvTaskbarInit	Installed with display drivers for NVIDIA based graphics cards since late 2002, this entry allows the System Tray icon to be displayed - which gives access to (amongst others) the display settings (such as Antialiasing, Rotation and Colour) and the Desktop Manager (nView). If you don't change display settings very often then this is not required and settings can be changed manually via display properties. No tray icon option is available in Vista. May be required for some 3D applications to recognize your card correctly - such as the game 'Everquest'	Yes
NVMCTRAY	U	RunDLL32.exe NvMCTray.dll,NvTaskbarInit	Installed with display drivers for NVIDIA based graphics cards since late 2002, this entry allows the System Tray icon to be displayed - which gives access to (amongst others) the display settings (such as Antialiasing, Rotation and Colour) and the Desktop Manager (nView). If you don't change display settings very often then this is not required and settings can be changed manually via display properties. No tray icon option is available in Vista. May be required for some 3D applications to recognize your card correctly - such as the game 'Everquest'	Yes
NvMediaCenter	U	RunDLL32.exe NvMCTray.dll,NvTaskbarInit	Installed with display drivers for NVIDIA based graphics cards since late 2002, this entry allows the System Tray icon to be displayed - which gives access to (amongst others) the display settings (such as Antialiasing, Rotation and Colour) and the Desktop Manager (nView). If you don't change display settings very often then this is not required and settings can be changed manually via display properties. No tray icon option is available in Vista. May be required for some 3D applications to recognize your card correctly - such as the game 'Everquest'	Yes
RunDLL32	U	RunDLL32.exe NvMCTray.dll,NvTaskbarInit	Installed with display drivers for NVIDIA based graphics cards since late 2002, this entry allows the System Tray icon to be displayed - which gives access to (amongst others) the display settings (such as Antialiasing, Rotation and Colour) and the Desktop Manager (nView). If you don't change display settings very often then this is not required and settings can be changed manually via display properties. No tray icon option is available in Vista. May be required for some 3D applications to recognize your card correctly - such as the game 'Everquest'	Yes
NvCplDaemon	U	RUNDLL32.EXE NvQTwk,NvCplDaemon	Installed with display drivers for NVIDIA based graphics cards prior to late 2002, this entry allows the System Tray icon to be displayed - which gives access to (amongst others) the display settings (such as Antialiasing, OpenGL, Direct3D and colour) and Desktop Manager (nView). If you don't change display settings very often then this is not required and settings can be changed manually via display properties	Yes
RUNDLL32	U	RUNDLL32.EXE NvQTwk,NvCplDaemon	Installed with display drivers for NVIDIA based graphics cards prior to late 2002, this entry allows the System Tray icon to be displayed - which gives access to (amongst others) the display settings (such as Antialiasing, OpenGL, Direct3D and colour) and Desktop Manager (nView). If you don't change display settings very often then this is not required and settings can be changed manually via display properties	Yes
NvColorInit	?	rundll32.exe NVQTWK.DLL,NvColorInit	Associated with Nvidia based graphics cards. Initializes color settings?	No
NVidia QuickTweak	N	rundll32.exe NVQTWK.DLL,NvTaskbarInit	System Tray icon used to manage settings for NVIDIA based graphics cards. May be required for some 3D applications to recognize your card correctly - such as the game 'Everquest'. Otherwise, settings can be changed manually via Display Properties	No
NVQuickTweak	N	rundll32.exe NVQTWK.DLL,NvTaskbarInit	System Tray icon used to manage settings for NVIDIA based graphics cards. May be required for some 3D applications to recognize your card correctly - such as the game 'Everquest'. Otherwise, settings can be changed manually via Display Properties	No
NvInitialize	N	rundll32.exe NVQTWK.DLL,NvXTInit	Thought to enable the clock frequency option on NVIDIA control panels. You can overclock without leaving this enabled	No
NVIDIA Capture Server Proxy	U	rundll32.exe nvspcap.dll,ShadowPlayOnSystemStart	ShadowPlay records the up to the last 20 minutes of your gameplay. Just pulled off an amazing stunt? Hit a hotkey and the game video will be saved to disk. Or, use the manual mode to capture video for as long as you like.' Part of the NVIDIA GeForce Experience companion application for their range of GeForce graphics cards. 64-bit version	No
NVIDIA GeForce Experience	U	rundll32.exe nvspcap.dll,ShadowPlayOnSystemStart	ShadowPlay records the up to the last 20 minutes of your gameplay. Just pulled off an amazing stunt? Hit a hotkey and the game video will be saved to disk. Or, use the manual mode to capture video for as long as you like.' Part of the NVIDIA GeForce Experience companion application for their range of GeForce graphics cards. 64-bit version	No
ShadowPlay	U	rundll32.exe nvspcap.dll,ShadowPlayOnSystemStart	ShadowPlay records the up to the last 20 minutes of your gameplay. Just pulled off an amazing stunt? Hit a hotkey and the game video will be saved to disk. Or, use the manual mode to capture video for as long as you like.' Part of the NVIDIA GeForce Experience companion application for their range of GeForce graphics cards. 64-bit version	No
NVIDIA Capture Server Proxy	U	rundll32.exe nvspcap64.dll,ShadowPlayOnSystemStart	ShadowPlay records the up to the last 20 minutes of your gameplay. Just pulled off an amazing stunt? Hit a hotkey and the game video will be saved to disk. Or, use the manual mode to capture video for as long as you like.' Part of the NVIDIA GeForce Experience companion application for their range of GeForce graphics cards. 64-bit version	Yes
NVIDIA GeForce Experience	U	rundll32.exe nvspcap64.dll,ShadowPlayOnSystemStart	ShadowPlay records the up to the last 20 minutes of your gameplay. Just pulled off an amazing stunt? Hit a hotkey and the game video will be saved to disk. Or, use the manual mode to capture video for as long as you like.' Part of the NVIDIA GeForce Experience companion application for their range of GeForce graphics cards. 64-bit version	Yes
ShadowPlay	U	rundll32.exe nvspcap64.dll,ShadowPlayOnSystemStart	ShadowPlay records the up to the last 20 minutes of your gameplay. Just pulled off an amazing stunt? Hit a hotkey and the game video will be saved to disk. Or, use the manual mode to capture video for as long as you like.' Part of the NVIDIA GeForce Experience companion application for their range of GeForce graphics cards. 64-bit version	Yes
NVIDIA Driver Helper Service, Version *	U	RUNDLL32.EXE nvsvc.dll,nvsvcStart	Initially installed with Vista display drivers for NVIDIA based graphics cards. This entry replaced the 'NVIDIA Display Driver Service' or 'NVIDIA Driver Helper Service' in XP - which was used in part to maintain overclocked display settings. In a GeForce 8800GT test system this isn't the case. Disabling it caused no ill effects but it's exact purpose isn't known - hence the 'U' recommendation	Yes
NvSvc	U	RUNDLL32.EXE nvsvc.dll,nvsvcStart	Initially installed with Vista display drivers for NVIDIA based graphics cards. This entry replaced the 'NVIDIA Display Driver Service' or 'NVIDIA Driver Helper Service' in XP - which was used in part to maintain overclocked display settings. In a GeForce 8800GT test system this isn't the case. Disabling it caused no ill effects but it's exact purpose isn't known - hence the 'U' recommendation	Yes
NVRotateSysTray	U	rundll32.exe nvsysrot.dll,Enable	System Tray access to quickly rotate the display for NVIDIA graphics cards - part of the nView desktop management software	No
nxgsvc	X	rundll32.exe nxgsvc.dll,start	Detected by Trend Micro as WORM_AKBOT.BA. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'nxgsvc.dll' file is located in %System%	No
nxosys	X	rundll32.exe nxosys.dll,start	Detected by Trend Micro as WORM_AKBOT.BD. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'nxosys.dll' file is located in %System%	No
OfotoNow USB Detection	N	Rundll32.exe OFUSBS.dll,WatchForConnection OfotoNow	Autodetects when a digital camera is attached to a USB port and launches the OfotoNow imaging software (now Kodak Gallery. Available via Start → All Programs	No
Microsoft® Windows® Operating System	N	rundll32.exe oobefldr.dll,ShowWelcomeCenter	Shows the Welcome Center every time you boot into Windows Vista - which 'pulls all the tasks you'll most likely want to complete when you set up your computer into a single location'	Yes
WindowsWelcomeCenter	N	rundll32.exe oobefldr.dll,ShowWelcomeCenter	Shows the Welcome Center every time you boot into Windows Vista - which 'pulls all the tasks you'll most likely want to complete when you set up your computer into a single location'	Yes
PD0620 STISvc	?	RunDLL32.exe P0620Pin.dll,RunDLL32EP 513	Related to the Creative WebCam Instant. The 'P0620Pin.dll' file description is 'Installation Plug-In'. What does it do and is it required?	No
PD0630 STISvc	?	RunDLL32.exe P0630Pin.dll,RunDLL32EP 513	Related to the Creative WebCam Live!. The 'P0630Pin.dll' file description is 'Installation Plug-In'. What does it do and is it required?	No
PD0870 STISvc	?	RunDLL32.exe P0870Pin.dll,RunDLL32EP 513	Related to the Creative WebCam Live! Motion. The 'P0870Pin.dll' file description is 'Installation Plug-In'. What does it do and is it required?	No
USB2Check	N	RUNDLL32.EXE PCLECoInst.dll,CheckUSBController	Related to products from Pinnacle Systems. CoInstaller - you can execute the USB2.0 interface check program (Usb2Check.exe file) to check if your system is a USB2.0 enabled system	No
LoadPowerScheme	X	rundll32.exe powerprof.dll CheckPowerProfile	Ulubione adult content dialer. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
LoadPowerProfile	U	Rundll32.exe powrprof.dll	Power management specifics such as monitor shut-off, system standby, etc. Associated with power management and is listed twice - see here. Loads your selected power scheme. May not be required - depends upon whether you modify the default Control Panel → Power Options settings	No
wupipenimi	X	Rundll32.exe poyimimu.dll,s	Detected by Microsoft as Trojan:Win32/Vundo.JC.dll. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'poyimimu.dll' file is located in %System%	No
WinDLL (ProsFix.exe)	X	rundll32.exe ProsFix.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ProsFix.exe' file is located in %System%	No
PtiuPbmd	U	Rundll32.exe ptipbm.dll,SetWriteBack	Installed with the miniport drivers for Promise hard drive controllers in both RAID and non-RAID installations. Tells the drivers that the connected Drives should use the 'Write Back' Caching. You can disable this if you don't want to use 'Write Back' Caching or if you have not connected any driver to your Promise Controller	No
Rundll32	U	Rundll32.exe ptipbm.dll,SetWriteBack	Installed with the miniport drivers for Promise hard drive controllers in both RAID and non-RAID installations. Tells the drivers that the connected Drives should use the 'Write Back' Caching. You can disable this if you don't want to use 'Write Back' Caching or if you have not connected any driver to your Promise Controller	No
Ptipbmf	?	rundll32.exe ptipbmf.dll,SetWriteCacheMode	Installed with the miniport drivers for Promise hard drive controllers in both RAID and non-RAID installations. May be necessary in order to maintain preferences applied to the RAID array connected to the Promise controller	No
SetCacheMode	?	rundll32.exe ptipbmf.dll,SetWriteCacheMode	Installed with the miniport drivers for Promise hard drive controllers in both RAID and non-RAID installations. May be necessary in order to maintain preferences applied to the RAID array connected to the Promise controller	No
rundll32	?	rundll32.exe ptipbmf.dll,SetWriteCacheMode	Installed with the miniport drivers for Promise hard drive controllers in both RAID and non-RAID installations. May be necessary in order to maintain preferences applied to the RAID array connected to the Promise controller	No
PTRGMYGK	X	rundll32.exe ptmg1v.dll,DllRunMain	Added by an unidentified TROJAN, WORM or other malware! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
WinDLL (qwex.dll)	X	rundll32.exe qwex.dll,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'qwex.dll' file is located in %System%	No
ctfmon.exe	X	rundll32.exe qwiddo.dat	Detected by Sophos as Troj/Reveton-CQ and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
readdb40	X	rundll32.exe readdb40.dll,EnableRunDLL32	LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'readdb40.dll' file is located in %System%	No
WinDLL (redyLive.exe)	X	rundll32.exe redyLive.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'redyLive.exe' file is located in %System%	No
Module Call initialize	X	RUNDLL32.EXE reg.dll,ondll_reg	Detected by Symantec as W32.HLLW.Lovgate.C@mm. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'reg.dll' file is located in %System%	No
Remote Procedure Call Locator	X	RUNDLL32.EXE reg678.dll ondll_reg	Detected by Trend Micro as WORM_LOVGATE.F. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
LoadHTML	X	rundll32.exe regsvr32.exe,MShtmpre	MatrixSearch adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
govurarope	X	Rundll32.exe retasevo.dll,s	Detected by Sophos as Troj/BHO-HG. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'retasevo.dll' file is located in %System%	No
ctfmon.exe	X	rundll32.exe riwli.dat	Detected by Sophos as Mal/Ransom-AJ and by Malwarebytes as Trojan.Agent. Note - this is not the legitimate rundll32.exe process, which is located in %Windir% (Me/98) or %System% (10/8/7/Vista/XP/2K/NT). Both files are located in %CommonAppData%	No
run	X	rundll32.exe rsrc.dll	Chinese originated browser hijacker - redirecting to 4199.com Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
Savsvc	X	rundll32.exe savsvc.dll,start	Detected by Trend Micro as WORM_AKBOT.BE. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'savsvc.dll' file is located in %System%	No
WinDLL (scvhost32.dll)	X	rundll32.exe scvhost32.dll,start	Detected by Trend Micro as WORM_AKBOT.M. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'scvhost32.dll' file is located in %System%	No
Compaq Computer Security	?	Rundll32.exe SECURE32.CPL,Service	The 'SECURE32.CPL' file is located in %ProgramFiles%COMPAQSECURI~1	No
APPLEMODE	X	RunDLL32.exe Shell32.DLL,Control_RunDLL appleService.cpl	Detected by McAfee as RDN/Generic.bfr!hw and by Malwarebytes as Trojan.Banker.CPL. Note that rundll32.exe and shell32.dll are legitimate Microsoft files and shouldn't be deleted. The 'appleService.cpl' file is located in %Windir%	No
Shell	X	rundll32.exe shell32.dll,Control_RunDLL dat[random hex number].tmp	Detected by Symantec as W32.Wowinzi.A and by Malwarebytes as Trojan.Agent. Note that rundll32.exe and shell32.dll are legitimate Microsoft files and shouldn't be deleted. The 'dat[random hex number].tmp' file is located in %Temp%	No
InitRealtek	X	rundll32.exe shell32.dll,Control_RunDLL initrealtek.dll	Detected by Dr.Web as Trojan.Siggen4.38925 and by Malwarebytes as Backdoor.Agent.IRGen. Note that rundll32.exe and shell32.dll are legitimate Microsoft files and shouldn't be deleted	No
Network	X	rundll32.exe shell32.dll,Control_RunDLL network.cpl	Detected by Dr.Web as Trojan.DownLoader7.2129 and by Malwarebytes as Trojan.Agent. Note that rundll32.exe and shell32.dll are legitimate Microsoft files and shouldn't be deleted. The 'network.cpl' file is located in %System%	No
monitor	X	RunDLL32.exe Shell32.DLL,Control_RunDLL ServicoWindows.cpl	Detected by Malwarebytes as Trojan.Banker.Gen. Note that rundll32.exe and shell32.dll are legitimate Microsoft files and shouldn't be deleted. The 'ServicoWindows.cpl' file is located in %Windir%	No
teste	X	RunDLL32.exe Shell32.DLL,Control_RunDLL ServicoWindows.cpl	Detected by Sophos as Troj/Agent-AGLF and by Malwarebytes as Trojan.Banker.Gen. Note that rundll32.exe and shell32.dll are legitimate Microsoft files and shouldn't be deleted	No
FwdDevice	X	rundll32.exe shell32.dll,Control_RunDLL [path] NewDir.cpl	Detected by Malwarebytes as Trojan.Banker.CPL. Note - this entry uses the legitimate rundll32.exe file located in %Windir%SysWOW64 (rather than the one located in %System%) and the legitimate 'shell32.dll' (also located in %Windir%SysWOW64) to load the 'NewDir.cpl' file - which is located in %ProgramFiles%New_Docs	No
[random number]	X	rundll32.exe shell32.dll,Control_RunDLL [random number].cpl	Detected by Symantec as W32.Kitro.C.Worm and by Trend Micro as WORM_DANDI.A. Note that rundll32.exe and shell32.dll are legitimate Microsoft files and shouldn't be deleted. The '[random number].cpl' file is located in %Windir%	No
Java Platform SE Auto Updater	X	Rundll32.exe shell32.dll,ShellExec_RunDLL [path] msdtc.exe	Detected by Malwarebytes as Backdoor.Bot.E.Generic. Note that rundll32.exe and shell32.dll are legitimate Microsoft files and shouldn't be deleted. Also, this is not the legitimate Distributed Transaction Coordinator (MSDTC) service which has the same filename and is located in %System% as this one is located in %AppData%Oracle	No
IntelPowerAgent#	X	rundll32.exe shell32.dll,ShellExec_RunDLL [path] [random].exe	Detected by Malwarebytes as Trojan.Agent - where # represents one or more digits. Note that rundll32.exe and shell32.dll are legitimate Microsoft files and shouldn't be deleted. The '[random].exe' file is located in %CommonAppData%	No
si91e44b	X	rundll32.exe si91e44b.dll,EnableRunDLL32	LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'si91e44b.dll' file is located in %System%	No
LoadSIPS	X	rundll32.exe SIPSPI32.dll,SIPSPI32	123Mania adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'SIPSPI32.dll' file is located in the System folder	No
wupipenimi	X	Rundll32.exe siremase.dll,s	Detected by Microsoft as Trojan:Win32/Vundo.JC.dll. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'siremase.dll' file is located in %System%	No
SiSPower	Y	Rundll32.exe SiSPower.dll,ModeAgent	Power scheme manager for Silicon Integrated Systems (SiS) based mobile chipsets	Yes
WinDLL (slmss.exe)	X	rundll32.exe slmss.exe,start	Detected by Trend Micro as WORM_AKBOT.AW. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'slmss.exe' file is located in %System%	No
WinDLL (slsass.exe)	X	rundll32.exe slsass.exe,start	Detected by Kaspersky as Backdoor.Win32.Akbot.e. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'slsass.exe' file is located in %System%	No
WinDLL (smaprnter.exe)	X	rundll32.exe smaprnter.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'smaprnter.exe' file is located in %System%	No
Samsung MJC-900 Series Monitor	U	RUNDLL32.EXE SMMASHLL.DLL,AutoUpdatePnPValue	Samsung MJC-900 Series multi-function printer monitor - monitors ink levels, paper present and other parameters	No
WinDLL (smms.exe)	X	rundll32.exe smms.exe,start	Detected by Kaspersky as Backdoor.Win32.Akbot.e Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'smms.exe' file is located in %System%	No
Systems Restart	X	Rundll32.exe snim.dll,DllRegisterServer	Detected by Symantec as Trojan.StartPage.I. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
spa_start	X	Rundll32.exe sprt_ads.dll	Superiorads adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'sprt_ads.dll' file is located in %System%	No
sre	X	rundll32.exe sre.dll,Register	CoolWebSearch parasite variant - also detected by Kaspersky as the AGENT.FC TROJAN!	No
WinDll (sslms.exe)	X	rundll32.exe sslms.exe,start	Detected by Sophos as W32/Akbot-AS. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'sslms.exe' file is located in %System%	No
WinDLL (start0s.exe)	X	rundll32.exe start0s.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'start0s.exe' file is located in %System%	No
WinDLL (steam.dll)	X	rundll32.exe steam.dll,start	Detected by Trend Micro as WORM_AKBOT.M. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'steam.dll' file is located in %System%	No
WIAWizardMenu	N	RUNDLL32.EXE sti_ci.dll,WiaCreateWizardMenu	Still Image Class Installer - installed with a webcam	No
{12EE7A5E-0674-42f9-A76B-000000004D00}	X	rundll32.exe stlb2.dll, DllRunMain	Detected by Symantec as Adware.BrowserAid. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'stlb2.dll' file is located in %System%	No
{2CF0B992-5EEB-4143-99C2-5297EF71F44B}	X	rundll32.exe stlbupdt.DLL,DllRunMain	Detected by Symantec as Adware.BrowserAid. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'stlbupdt.dll' file is located in %System%	No
stlbupdt	X	rundll32.exe stlbupdt.DLL,DllRunMain	Detected by Symantec as Adware.BrowserAid. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'stlbupdt.dll' file is located in %System%	No
AdslTaskBar	Y	rundll32.exe stmctrl.dll,TaskBar	ISP software, initializes DSL modem	No
supdate2.dll	X	rundll32.exe supdate2.dll,Run	Detected by Sophos as Troj/Zlob-VL. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'supdate2.dll' file is located in %System%	No
WinDLL (svc.exe)	X	rundll32.exe svc.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'svc.exe' file is located in %System%	No
WinDLL (svchost.dll)	X	rundll32.exe svchost.dll,start	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'svchost.dll' file is located in %System%	No
System Check	U	Rundll32.exe SysDll32.dll,SystemCheck	XPCSpy Pro keystroke logger/monitoring program - remove unless you installed it yourself! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
SystemHelp	X	rundll32.exe SystemHper.dll,Install	Detected by Kaspersky as Trojan-GameThief.Win32.WOW.cnz. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'SystemHper.dll' file is located in %System%	No
WinDLL (sysx32.dll)	X	rundll32.exe sysx32.dll,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'sysx32.dll' file is located in %System%	No
wupipenimi	X	Rundll32.exe tamuyiko.dll,s	Detected by Microsoft as Trojan:Win32/Vundo.JC.dll. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'tamuyiko.dll' file is located in %System%	No
Tcsvc	X	rundll32.exe tcsvc.dll,start	Detected by Trend Micro as BKDR_AGENT.BCL. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'tcsvc.dll' file is located in %System%	No
WinDLL (tepmlayer.exe)	X	rundll32.exe tepmlayer.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'tepmlayer.exe' file is located in %System%	No
WinDLL (tmp.exe)	X	rundll32.exe tmp.exe,start	Detected by Kaspersky as Net-Worm.Win32.Kolab.l. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'tmp.exe' file is located in %System%	No
WinDLL (tock24.dll)	X	rundll32.exe tock24.dll,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'tock24.dll' file is located in %System%	No
WinDLL (tqurity.exe)	X	rundll32.exe tqurity.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'tqurity.exe' file is located in %System%	No
transys	X	rundll32.exe transys.dll,start	Detected by Sophos as W32/Akbot-AE. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'transys.dll' file is located in %System%	No
wupipenimi	X	Rundll32.exe tuduriro.dll,s	Detected by Microsoft as Trojan:Win32/Vundo.JC.dll. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'tuduriro.dll' file is located in %System%	No
Tweak UI	U	RUNDLL32.EXE TWEAKUI.CPL,TweakLogon	Automatically logs you on if you have Microsoft's Tweak UI 'powertoy' for Win9x/Me/2k installed. This version can also be installed in WinXP but isn't recommended - see here	No
Tweak UI 1.33 deutsch	U	RUNDLL32.EXE TWEAKUI.CPL,TweakLogon	Automatically logs you on if you have Microsoft's Tweak UI 'powertoy' for Win9x/Me/2k installed - German version. This version can also be installed in WinXP but isn't recommended - see here	No
Tweak UI	U	RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp	Restores settings that can't be retained if you have Microsoft's Tweak UI 'powertoy' for Win9x/Me/2k installed. This version can also be installed in WinXP but isn't recommended - see here	No
Tweak UI 1.33 deutsch	U	RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp	Restores settings that can't be retained if you have Microsoft's Tweak UI 'powertoy' for Win9x/Me/2k installed - German version. This version can also be installed in WinXP but isn't recommended - see here	No
UCmore XP - The Search Accelerator	U	rundll32.exe UCMTSAIE.dll,DllShowTB	UCmore toolbar - search accelerator	No
uhvjsul.dll	X	rundll32.exe uhvjsul.dll,mrpmvyf	Detected by Total Defense as Busky G. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'uhvjsul.dll' file is located in %System%	No
RunOnceBabyReboot	X	rundll32.exe url.dll,FileProtocolHandler [url]	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'url.dll' file is also a legitimate file located in %System% - see examples here and here	No
ShutDownWindows	X	Rundll32.exe User,ExitWindows	Detected by Sophos as Troj/VB-HE. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
utasvc	X	rundll32.exe utasvc.dll,start	Detected by Sophos as W32/Akbot-AB. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'utasvc.dll' file is located in %System%	No
VF0060 STISvc	?	RunDLL32.exe V0060Pin.dll,RunDLL32EP 513	Related to the Creative WebCam Live! Ultra. The 'V0060Pin.dll' file description is 'Installation Plug-In'. What does it do and is it required?	No
VF0070 STISvc	?	RunDLL32.exe V0070Pin.dll,RunDLL32EP 513	Related to the Creative WebCam Live! Ultra for Notebooks. The 'V0070Pin.dll' file description is 'Installation Plug-In'. What does it do and is it required?	No
V128IITV	?	Rundll32.exe v128iitv.dll,STBTV_SwitchTo640x480	Loads drivers for some STB graphics cards. May be used for such a card with a TV out option to change the resolution to 640 x 480?	No
V128IID	Y	Rundll32.exe v128iitw.dll,STB_InitTweak	Loads drivers for some STB graphics cards such as the STB nVIDIA TNT 16MB. Required if you don't want to experience lock-ups or error messages	No
WinDLL (v4mon.dll)	X	rundll32.exe v4mon.dll,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'v4mon.dll' file is located in %System%	No
wupipenimi	X	Rundll32.exe vafefudo.dll,s	Detected by Microsoft as Trojan:Win32/Vundo.JC.dll. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'vafefudo.dll' file is located in %System%	No
WinDLL (vdm32.dll)	X	rundll32.exe vdm32.dll,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'vdm32.dll' file is located in %System%	No
WinDLL (vxd32.dll)	X	rundll32.exe vxd32.dll,start	Detected by Trend Micro as WORM_AKBOT.R. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'vxd32.dll' file is located in %System%	No
WinDLL (wchshield.exe)	X	rundll32.exe wchshield.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wchshield.exe' file is located in %System%	No
Startwd	X	rundll32.exe wd081025.dll,Hook	Detected by Kaspersky as Trojan-Banker.Win32.Agent.de. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wd081025.dll' file is located in %System%	No
Winfast2KLoadDefault	U	rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings	Loads default settings for Leadtek Winfast graphics cards	Yes
WinFast_Gamma	U	Rundll32.exe wfcpl.dll,DllLoadGammaRampSettings	Loads if you change the gamma settings on Leadtek WinFast graphics cards	No
WinFast_Taskbar	U	rundll32.exe wftask.dll,WFDllLoadDefaultSettings	Loads default settings for Leadtek WinFast graphics cards	No
WinDLL (wimimi.exe)	X	rundll32.exe wimimi.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wimimi.exe' file is located in %System%	No
mscheck	X	rundll32.exe wincheck071008.dll mymain	Detected by Trend Micro as TROJ_AGENT.ADXI. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wincheck071008.dll' file is located in %System%	No
wincls	X	rundll32.exe wincls.dll,start	Detected by Sophos as W32/Akbot-AR. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wincls.dll' file is located in %System%	No
WinDLL (windns32.dll)	X	rundll32.exe windns32.dll,start	Detected by Kaspersky as Backdoor.Win32.Akbot.e Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'windns32.dll' file is located in %System%	No
WinDLL (wingatey32.exe)	X	rundll32.exe wingatey32.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wingatey32.exe' file is located in %System%	No
Userinit	X	rundll32.exe winsys16_070813.dll	Detected by Sophos as W32/AutoRun-C and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'winsys16_070813.dll' file is located in %System%	No
WinDLL (wintcp.exe)	X	rundll32.exe wintcp.exe,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wintcp.exe' file is located in %System%	No
WinDLL (wintmp.exe)	X	rundll32.exe wintmp.exe,start	Detected by Kaspersky as Backdoor.Win32.Akbot.e. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wintmp.exe' file is located in %System%	No
wm41a398	X	rundll32.exe wm41a398.dll,EnableRunDLL32	LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wm41a398.dll' file is located in %System%	No
wmcbaaca	X	rundll32.exe wmcbaaca.dll,EnableRunDLL32	LZIO.com adware downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wmcbaaca.dll' file is located in %System%	No
wrclib	X	rundll32.exe wrclib.dll,start	Detected by Sophos as W32/Akbot-AH. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wrclib.dll' file is located in %System%	No
WinDLL (Wseclayer.exe)	X	rundll32.exe Wseclayer.exe,start	Detected by Kaspersky as Backdoor.Win32.Akbot.e. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'Wseclayer.exe' file is located in %System%	No
WinDLL (wsync32.dll)	X	rundll32.exe wsync32.dll,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wsync32.dll' file is located in %System%	No
wtzlank.dll	X	rundll32.exe wtzlank.dll,qttwuwc	DisableKey adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wtzlank.dll' file is located in %System%	No
Windows Update Svc	X	rundll32.exe xpupdate.dll	Contra-Virus rogue security software - not recommended, removal instructions here. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'xpupdate.dll' file is located in %System%	No
WinDLL (xvd32.dll)	X	rundll32.exe xvd32.dll,start	Added by a variant of W32.IRCBot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'xvd32.dll' file is located in %System%	No
wupipenimi	X	Rundll32.exe yidurufo.dll,s	Detected by Microsoft as Trojan:Win32/Vundo.JC.dll. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'yidurufo.dll' file is located in %System%	No
YaAutoRepair	?	rundll32.exe yrepair.dll,Rundll32	Appears to be related to software from Yahoo China. What does it do and is it required?	No
zsmscc	X	rundll32.exe zsmscc071001.dll mymain	Detected by Trend Micro as TROJ_GENETIK.KQ. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'zsmscc071001.dll' file is located in %System%	No
NvCplWow64	X	Rundll32.exe [filename]	Detected by Malwarebytes as Trojan.Agent. Note - this entry uses the legitimate rundll32.exe file located in %Windir%SysWOW64 (rather than the one located in %System%) to load the target file - which is located in %AppData%Microsoft Corporation	No
(default)	X	rundll32.exe [path to DLL file],Do98Work	Detected by Symantec as Backdoor.Hesive.B. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. Note - this malware actually changes the value data of the '(Default)' key in HKCURun, HKLMRun and HKLMRunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank	No
WinTray	X	rundll32.exe [path to DLL],CssFormat	Detected by Malwarebytes as Trojan.Banker. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
CryptoUpdate	X	rundll32.exe [path to file]	Detected by Malwarebytes as Trojan.Ransom.CryptoWall. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted, see an example here	No
wdvcnx	X	rundll32.exe [path to trojan]	Detected by Kaspersky as Trojan-GameThief.Win32.OnLineGames.xegt. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
dnheds	X	rundll32.exe [path to trojan]	Detected by Kaspersky as Trojan-GameThief.Win32.OnLineGames.xfck Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
Configuring	X	rundll32.exe [path to [filename].cpl]	Detected by Malwarebytes as Password.Stealer.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
ipv4	X	rundll32.exe [path to [random].dll],CallWindows	Detected by Malwarebytes as Trojan.Qhost. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
NvCplDaemonTool	X	rundll32.exe [path] adload4C.dll,_IWMPEvents	Detected by Sophos as Troj/Agent-QXD and by Malwarebytes as Trojan.Agent.WIMP. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'adload4C.dll' file is located in %System%	No
AgerePadClock	X	rundll32.exe [path] AgerePadClock.dll	Detected by Symantec as Trojan.Sefnit. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'AgerePadClock.dll' file is located in %AppData%acxmapdb	No
altsi	X	rundll32.exe [path] altsi.dll,PixelMap	Detected by Malwarebytes as Spyware.Password. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'altsi.dll' file is located in %AppData%	No
Windows rundll32 updater	X	Rundll32.exe [path] Amti.dll	Detected by Symantec as W32.Amtian. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'Amti.dll' file is located in %Windir%Amti	No
apanli	X	rundll32.exe [path] apanli.dll	Detected by Malwarebytes as Trojan.Dropper. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'apanli.dll' file is located in %AppData%	No
apcat	X	rundll32.exe [path] apcat.dll	Detected by Malwarebytes as Trojan.RedirRdll2.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'apcat.dll' file is located in %AppData%	No
APISupport	U	Rundll32.exe [path] APISupport.dll	Detected by Malwarebytes as PUP.Optional.Conduit. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'APISupport.dll' file is located in %LocalAppData%ConduitAPISupport. If bundled with another installer or not installed by choice then remove it	No
APISupport	U	Rundll32.exe [path] APISupport.dll	Detected by Malwarebytes as PUP.Optional.Conduit. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'APISupport.dll' file is located in %LocalAppData%TBAPISupport. If bundled with another installer or not installed by choice then remove it	No
ApplePolicyBackup	X	rundll32.exe [path] ApplePolicyBackup.dll	Detected by Sophos as Troj/Mdrop-DUQ. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ApplePolicyBackup.dll' file is located in %AppData%	No
AW TrayIcon	X	RunDll32.exe [path] arcadeweb32.dll, RunTrayIcon	Detected by Malwarebytes as PUP.Optional.ArcadeWeb. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'arcadeweb32.dll' file is located in %ProgramFiles%ArcadeWeb. If bundled with another installer or not installed by choice then remove it	No
TrayIcRun	U	RunDll32.exe [path] arcadeweb32.dll, RunTrayIcon	Detected by Malwarebytes as PUP.Optional.ArcadeWeb. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'arcadeweb32.dll' file is located in %ProgramFiles%ArcadeWeb. If bundled with another installer or not installed by choice then remove it	No
ASK	U	rundll32.exe [path] ASK.dll rdl	Stealth Keylogger keystroke logger/monitoring program - remove unless you installed it yourself! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
CognizanceTS	U	rundll32.exe [path] AsTsVcc.dll,RegisterModule	Cognizance Corp Identity And Access Management suite for corporate VPN connections. Enable if you use the VPN software	No
autochk	X	rundll32.exe [path] autochk.dll,_IWMPEvents@16	Detected by Symantec as Trojan.Opachki and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'autochk.dll' file is located in %System%	No
BackgroundContainer	U	Rundll32.exe [path] BackgroundContainer.dll	Detected by Malwarebytes as PUP.Optional.Conduit. Note - this entry uses the legitimate rundll32.exe file located in %Windir%SysWOW64 (rather than the one located in %System%) to load the 'BackgroundContainer.dll' file which is located in %LocalAppData%ConduitBackgroundContainer. If bundled with another installer or not installed by choice then remove it	No
BatInfEx	U	rundll32.exe [path] BatInfEx.dll,BMMAutonomicMonitor	Part of the Battery MaxiMiser and Power Management Features set for some IBM/Lenovo Thinkpad notebooks. This entry is needed for the battery information and monitoring program as well as the Battery Maximizer Wizard	Yes
BMMMONWND	U	rundll32.exe [path] BatInfEx.dll,BMMAutonomicMonitor	Part of the Battery MaxiMiser and Power Management Features set for some IBM/Lenovo Thinkpad notebooks. This entry is needed for the battery information and monitoring program as well as the Battery Maximizer Wizard	Yes
BatLogEx	U	rundll32.exe [path] BatLogEx.DLL,StartBattLog	Part of the Battery MaxiMiser and Power Management Features set for some IBM/Lenovo Thinkpad notebooks. This entry logs changes in battery conditions such as charging, discharging, life, etc	Yes
BLOG	U	rundll32.exe [path] BatLogEx.DLL,StartBattLog	Part of the Battery MaxiMiser and Power Management Features set for some IBM/Lenovo Thinkpad notebooks. This entry logs changes in battery conditions such as charging, discharging, life, etc	Yes
BIE	X	Rundll32.exe [path] BDPlugin.dll,Rundll32	BDplugin parasite. Detected by McAfee as Adware-BDSearch. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted and the 'BDPlugin.dll' file is located in %Windir%Downloaded Program Files	No
Systems Restart	X	Rundll32.exe [path] beem.dll, DllRegisterServer	Browser hijacker - the file serves to register a dll implemented as a browser plugin. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'beem.dll' file is located in %System%	No
Acronis Popup Blocker	U	RunDll32.exe [path] Blocker.dll,Run	Part of Acronis Privacy Expert - anti-spyware and security suite	No
msav	?	rundll32.exe [path] bnnhjx.dll	Related to Bitrix security products	No
msav	X	rundll32.exe [path] bqoyaft.dll	Detected by Malwarebytes as Trojan.FakeAlert. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'bqoyaft.dll' file is located in %AppData%Bitrix Security	No
brauns	X	rundll32.exe [path] brauns.dll,StrToUintW	Detected by Malwarebytes as Trojan.Midhos. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'brauns.dll' file is located in %AppData%	No
RunDLL	X	rundll32.exe [path] Bridge.dll,Load	Detected by Symantec as Adware.WinFavorites. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'Bridge.dll' file is located in %System%	No
BookedSpace	X	RunDLL32.EXE [path] bs2.dll,DllRun	BookedSpace parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'bs2.dll' file is located in %Windir%	No
Bsx3	X	RunDLL32.EXE [path] bs3.dll,DllRun	BookedSpace parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'bs3.dll' file is located in %Windir%	No
BluetoothManager	X	rundll32.exe [path] bstack.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'bstack.dll' file is located in %AppData%Microsoft	No
bxsx5	X	RunDLL32.EXE [path] bsx5.dll,DllRun	BookedSpace parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'bsx5.dll' file is located in %Windir%	No
BluetoothS	X	rundll32.exe [path] BtvStack.dll,BTHF_Register	Detected by Trend Micro as TROJ_REDYMS.BTWN and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'BtvStack.dll' file is located in %AppData%	No
bxxs5	X	RunDLL32.EXE [path] bxxs5.dll,dllrun	BookedSpace parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'bxxs5.dll' file is located in %Windir%	No
calc	X	rundll32.exe [path] calc.dll,_IWMPEvents@0	Detected by McAfee as Opachki.a and by Malwarebytes as Trojan.Downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'calc.dll' file is located in %System%	No
cfgmgr51	X	RunDLL32.EXE [path] cfgmgr51.dll,DllRun	BookedSpace parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'cfgmgr51.dll' file is located in %Windir%	No
cfgmgr52	X	RunDLL32.EXE [path] cfgmgr52.dll,DllRun	BookedSpace parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'cfgmgr52.dll' file is located in %Windir%	No
Cm106Sound	N	RunDll32.exe [path] cm106.dll,CMICtrlWnd	Installed with USB soundcard products based upon the C-Media CM106 integrated single chip USB audio solution. The 'cm106.dll' file is located in %System%	No
Cm112Sound	N	RunDll32.exe [path] cm112.dll,CMICtrlWnd	Installed with USB soundcard products based upon the C-Media CM112 integrated single chip USB audio solution. The 'cm112.dll' file is located in %System%	No
cesmain.dll	X	Rundll32.exe [path] cmail.dll,Rundll32	CnsMin (Chinese Keywords) hijacker related. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'cmail.dll' file is located in %ProgramFiles%3721Ces	No
Cmaudio8788	U	RunDll32.exe [path] cmicnfgp.cpl,CMICtrlWnd	Installed with soundcard products based upon the C-Media Oxygen HD-CMI8788-PCI 8-channel HD sound processor. The 'cmicnfgp.cpl' file is located in %System%	No
Zenet	X	rundll32.exe [path] CNBabe.dll,DllStartup	CommonName/Zenet search hijacker - see the archived version of Andrew Clover's page. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'CNBabe.dll' file is located in %ProgramFiles%CommonNameToolbar	No
CnsMin	X	Rundll32.exe [path] CNSMIN.dll,Rundll32	CnsMin (Chinese Keywords) hijacker related. Detected by Malwarebytes as Adware.CnsMin. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
cobvcs	X	rundll32.exe [path] cobvcs.dll	Detected by Malwarebytes as Trojan.RedirRdll2.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'cobvcs.dll' file is located in %AppData%	No
CPU Watcher	X	rundll32.exe [path] cpu.dll,load	Detected by Sophos as Troj/Dloader-LO. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'cpu.dll' file is located in %Windir%	No
csfmg	X	rundll32.exe [path] csfmg.dll	Detected by Sophos as Troj/Mdrop-EAU. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'csfmg.dll' file is located in %UserTemp%	No
snp2uvc	N	rundll32.exe [path] csnp2uvc.dll,ResetCIDS	Installation utility for a Sonix webcam	No
98D0CE0C16B1	X	rundll32.exe [path] D0CE0C16B1,D0CE0C16B1	BrowserAid foistware variant. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
dabrun	X	rundll32.exe [path] dabapi.dll,Rundll32	Detected by ThreatTrack Security as SinaUpdateCenter adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'dabapi.dll' file is located in %System%	No
DfrgCommonSnap	X	rundll32.exe [path] DfrgCommonSnap.dll,tapinet64	Detected by McAfee as Generic.tfr!j. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'DfrgCommonSnap.dll' file is located in %LocalAppData%DRMUserARM	No
DiagnosticsService	X	rundll32.exe [path] DiagnosticsService.dll	Detected by Symantec as Infostealer.Mysayad and by Malwarebytes as Spyware.InfoStealer.FK. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'DiagnosticsService.dll' file is located in %AppData%Client	No
Doctor	X	rundll32.exe [path] Doctor.dll	Detected by Dr.Web as Trojan.Siggen6.4967 and by Malwarebytes as Spyware.OnlineGames.E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'Doctor.dll' file is located in %Temp%	No
dordi	X	rundll32.exe [path] dordi.dll,Init	Detected by Malwarebytes as Trojan.Dropper. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'dordi.dll' file is located in %AppData%	No
Netscape	X	Rundll32.exe [path] drjgudct.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'drjgudct.dll' file is located in %LocalAppData%Netscape	No
Dsdcmsoon	X	rundll32.exe [path] Dsdcmsoon.dll,Setting	Detected by Malwarebytes as Trojan.Agent.DSD. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'Dsdcmsoon.dll' file is located in %AppData%Programs - see here	No
Desktop Cleanup Wizard	X	rundll32.exe [path] dskclean.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'dskclean.dll' file is located in %LocalAppData%Desktop Cleanup Wizard - see here	No
Acronis Toolbar Helper	X	rundll32.exe [path] dskclean.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'dskclean.dll' file is located in %LocalAppData%Desktop Cleanup Wizard - see here	No
Desktop Cleanup Wizard	X	rundll32.exe [path] dskclnwiz.dll	Detected by Malwarebytes as Rogue.DiskCleanUp. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'dskclnwiz.dll' file is located in %AppData% - see here	No
Eapobjmon	X	rundll32.exe [path] Eapobjmon.dll,WdMapSnap d3dGLCres	Detected by Sophos as Troj/DwnLdr-ITR. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'Eapobjmon.dll' file is located in %AppData%SystemMapTray	No
NvCplDaemonTool	X	rundll32.exe [path] EBLOAD~1.DLL_IWMPEvents	Detected by Sophos as Mal/Sinowal-N and by Malwarebytes as Trojan.Agent.WIMP. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'EBLOAD~1.DLL' file is located in %System%	No
EFI Job Monitor	U	rundll32.exe [path] efjm.dll,run	Ricoh Imagio Printer/Scanner driver status monitor	No
instant Access	X	rundll32.exe [path] EGACCESS4_***.dll,InstantAccess	Dialer.InstantAccess premium rate adult content dialer variant - where **** represents digits. Detected by Malwarebytes as Adware.EGDAccess. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
Instant Access	X	rundll32.exe [path] EGCOMLIB_****.dll,InstantAccess	Dialer.InstantAccess premium rate adult content dialer variant - where **** represents digits. Detected by Malwarebytes as Adware.EGDAccess. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
Instant Access	X	rundll32.exe [path] EGCOMSERVICE_****.dll,InstantAccess	Dialer.InstantAccess premium rate adult content dialer variant - where **** represents digits. Detected by Malwarebytes as Adware.EGDAccess. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
Instant Access	X	rundll32.exe [path] EGDACCESS_****.dll,InstantAccess	Dialer.InstantAccess premium rate adult content dialer variant - where **** represents digits. Detected by Malwarebytes as Adware.EGDAccess. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
Instant Access	X	rundll32.exe [path] EGDHTML_****.dll,InstantAccess	Dialer.InstantAccess premium rate adult content dialer variant - where **** represents digits. Detected by Malwarebytes as Adware.EGDAccess. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
Instant Access	X	rundll32.exe [path] eg_auth_****.dll,InstantAccess	Dialer.InstantAccess premium rate adult content dialer variant - where **** represents digits. Detected by Malwarebytes as Adware.EGDAccess. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
NTRedirect	U	rundll32.exe [path] enhancedNT.dll	Detected by Malwarebytes as PUP.Optional.BabSolution. Note - this entry uses the legitimate rundll32.exe file located in %Windir%SysWOW64 (rather than the one located in %System%) to load the 'enhancedNT.dll' file which is located in %AppData%BabSolutionShared. If bundled with another installer or not installed by choice then remove it	No
final	X	rundll32.exe [path] final.dat	Detected by Dr.Web as Trojan.PWS.Panda.4574 and by Malwarebytes as Trojan.Agent.FN. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'final.dat' file is located in %Temp%	No
NvCplDaemonTool	X	rundll32.exe [path] fload33.dll_IWMPEvents	Detected by Malwarebytes as Trojan.Agent.WIMP. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'fload33.dll' file is located in %UserProfile%	No
fpsfx	X	rundll32.exe [path] fpsfx.dll	Detected by Malwarebytes as Spyware.Password. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'fpsfx.dll' file is located in %AppData%	No
fvceg	X	rundll32.exe [path] fvceg.dll	Detected by Malwarebytes as Trojan.RedirRdll2.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'fvceg.dll' file is located in %AppData%	No
fxapimm	X	rundll32.exe [path] fxapimm.dll	Detected by Sophos as Troj/Mdrop-DKE. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'fxapimm.dll' file is located in %LocalAppData%appMaindb	No
CPM[random]	X	rundll32.exe [path] gimujewa.dll,a	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'gimujewa.dll' file is located in %System%	No
[random]	X	rundll32.exe [path] graphic_dispatcher.ico	Detected by Malwarebytes as RiskWare.Agent.E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'graphic_dispatcher.ico' file is located in %System%	No
gretmp	X	rundll32.exe [path] gretmp.dll	Detected by Malwarebytes as Trojan.RedirRdll2.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'gretmp.dll' file is located in %AppData%	No
Inoyikotadoqev	X	rundll32.exe [path] gv2scotl.dll	Detected by Dr.Web as Trojan.MulDrop4.26089. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'gv2scotl.dll' file is located in %Windir%	No
hid_start	X	Rundll32.exe [path] gzmrotate.dll	AdRotator/IconAds adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'gzmrotate.dll' file is located in %System%	No
RichMedia	X	rundll32.exe [path] hbcast.dll,WaitWindows	Henbang adware variant. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
RichMedia	X	Rundll32.exe [path] HBHelper.dll	HenBang adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'HBHelper.dll' file is located in %ProgramFiles%hbclient	No
helper.dll	X	rundll32.exe [path] helper.dll	CnsMin (Chinese Keywords) hijacker related. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'helper.dll' file is located in %ProgramFiles%3721	No
Disker	X	rundll32.exe [path] HIMYM.DLL	Detected by Dr.Web as Trojan.DownLoader4.63430 and by Malwarebytes as Trojan.Onlinegames. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'HIMYM.DLL' file is located in %Temp%	No
XL3OWZ6XGA_4940	X	rundll32.exe [path] house.jpg	Detected by Malwarebytes as Trojan.Banker.JPG. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'house.jpg' file is located in %UserTemp% - see here	No
IKL	U	rundll32.exe [path] IKL.dll	IKL surveillance software. Uninstall this software unless you put it there yourself	No
Egiciwuvubom	X	rundll32.exe [path] ilscac.dll	Detected by Sophos as Troj/Hiloti-CS. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ilscac.dll' file is located in %Windir%	No
Msn	X	rundll32.exe [path] ilss32.dll,network	Detected by Sophos as Troj/Banlo-E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ilss32.dll' file is located in %System%	No
Rundll32_8	X	rundll32.exe [path] inetp60.dll,DllRunServer	BrowserAid foistware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'inetp60.dll' file is located in %System%	No
Configuring	X	rundll32.exe [path] iqqbtc2ql.dll	Detected by Malwarebytes as Trojan.PWS. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'iqqbtc2ql.dll' file is located in %ProgramFiles%Windows NT	No
IWL	U	rundll32.exe [path] IWL.dll	IKL surveillance software. Uninstall this software unless you put it there yourself	No
*J7PugHy	X	rundll32.exe [path] IZsROY7X.-MP	Detected by Trend Micro as WORM_MORCUT.A. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'IZsROY7X.-MP' file is located in %LocalAppData%jlc3V7we (10/8/7/Vista) or %UserProfile%Local Settingsjlc3V7we (XP)	No
JSIModule	X	rundll32.exe [path] jsi.dll	Detected by McAfee as Generic PUP.z and by Malwarebytes as Adware.Zugo. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'jsi.dll' file is located in %ProgramFiles%Secret Crush Revealer	No
Junimong	U	rundll32.exe [path] Junimong.dll	Detected by Malwarebytes as PUP.Optional.Junimong. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'Junimong.dll' file is located in %LocalAppData%JunimongBin. If bundled with another installer or not installed by choice then remove it	No
Egiciwuvubom	X	rundll32.exe [path] kbinph.dll	Detected by Sophos as Troj/Hiloti-CL. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'kbinph.dll' file is located in %Windir%	No
KEI	U	rundll32.exe [path] KEI.dll	IKL surveillance software. Uninstall this software unless you put it there yourself	No
lpc	X	rundll32.exe [path] kwbn45.dll	Detected by Symantec as Trojan.Banksun and by Malwarebytes as Trojan.Ambler. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'kwbn45.dll' file is located in %AppData%Sun	No
[8 characters]	X	rundll32.exe [path] laa.dll	Detected by Malwarebytes as Spyware.Banker. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'laa.dll' file is located in %AppData%	No
Userinit	X	rundll32.exe [path] labconf32.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'labconf32.dll' file is located in %System%TerraSoft	No
Logitech Download Assistant	N	rundll32.exe [path] LogiLDA.dll,LogiFetch	Part of the Logitech SetPoint control software for their range of wired and wireless keyboards and pointing devices (mice, trackballs, etc). Downloads the latest updates if you have automatic updates configured	Yes
lpsps	X	rundll32.exe [path] lpsps.dll	Detected by Malwarebytes as Trojan.RedirRdll2.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'lpsps.dll' file is located in %AppData%	No
lstrmn	X	rundll32.exe [path] lstrmn.dll,lstrmn	Detected by Malwarebytes as Trojan.Agent.PrxySvrRST. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'lstrmn.dll' file is located in %LocalAppData%	No
M3000Mnt	U	Rundll32.exe [path] M3000Rmv.dll ,WinMainRmv /StartStillMnt	Bison Electronics Inc webcam driver, used on notebooks from a number of manufacturers including Acer, Asus, Lenovo & Samsung	No
manec	X	rundll32.exe [path] manec.dll	Detected by Malwarebytes as Trojan.Agent.DKY. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'manec.dll' file is located in %AppData%	No
Egiciwuvubom	X	rundll32.exe [path] marpapv.dll	Detected by Sophos as Troj/Hiloti-BV. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'marpapv.dll' file is located in %Windir%	No
tsiVideo	X	rundll32.exe [path] mdi064.dll,runme	Detected by Sophos as Troj/Agent-AFIB and by Malwarebytes as PUP.BitcoinMiner. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'mdi064.dll' file is located in %UserTemp%	No
mgpad	X	rundll32.exe [path] mgpad.dll	Detected by Sophos as Troj/DwnLdr-JUT. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'mgpad.dll' file is located in %UserTemp%	No
MicrosoftOnlineOnline	X	rundll32.exe [path] MicrosoftOnlineOnline.dll	Detected by Sophos as CXmal/Tracur-C. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MicrosoftOnlineOnline.dll' file is located in %CommonAppData%	No
Minecraft.jar	X	rundll32.exe [path] Minecraft.jar	Detected by Dr.Web as Trojan.Siggen5.43944 and by Malwarebytes as Trojan.Agent.MC. Note - this entry loads from the Windows Startup folder. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'Minecraft.jar' file is located in %Temp%RarSFX0	No
mmcbrowse97	X	rundll32.exe [path] mmcbrowse97.dll	Detected by Malwarebytes as Trojan.Downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'mmcbrowse97.dll' file is located in %LocalAppData%mmcbrowse97	No
mpapr	X	rundll32.exe [path] mpapr.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'mpapr.dll' file is located in %AppData%	No
Disker	X	rundll32.exe [path] MS2011Helper.DLL	Detected by Dr.Web as Trojan.DownLoader2.64512 and by Malwarebytes as Trojan.Onlinegames. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MS2011Helper.DLL' file is located in %Temp%	No
Dialer	X	rundll32.exe [path] MSA32CHK.dll,Reg	Matrix parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSA32CHK.dll' file is located in %System%	No
Display Card Driver	X	rundll32.exe [path] msdap.dll	Detected by Symantec as Backdoor.Mudsy and by Malwarebytes as Backdoor.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'msdap.dll' file is located in %System%	No
ysolss	X	RUNDLL32.EXE [path] msdheuzg.dll	Detected by Malwarebytes as Spyware.OnlineGames. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'msdheuzg.dll' file is located in %System%	No
Egiciwuvubom	X	rundll32.exe [path] msftrelg.dll	Detected by Sophos as Troj/Agent-TEN. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'msftrelg.dll' file is located in %Windir%	No
MSNGS	X	Rundll32.exe [path] msmsgs.txt	Detected by Trend Micro as TROJ_MURLO.CF and by Malwarebytes as Trojan.Banker. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'msmsgs.txt' file is located in %Windir%	No
msPathTime	X	rundll32.exe [path] msPathTime.dll	Detected by Malwarebytes as IPH.Trojan.Blueinit. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'msPathTime.dll' file is located in %AppData%mfcGLCtrl	No
Protected Storage	X	RUNDLL32.EXE [path] MSSIGN30.DLL ondll_reg	Detected by Sophos as W32/Lovgate-F. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSSIGN30.DLL' file is located in %System%	No
VFW Encoder/Decoder Settings	X	RUNDLL32.exe [path] MSSIGN30.DLL ondll_reg	Detected by Sophos as W32/Lovgate-F. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'MSSIGN30.DLL' file is located in %System%	No
MSxmlHpr	X	RUNDLL32.EXE [path] msxm192z.dll,w	Detected by Symantec as Infostealer.Wowcraft. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'msxm192z.dll' is located in %System%	No
muryne	X	rundll32.exe [path] muryne.dll	Detected by Malwarebytes as Trojan.Midhos. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'muryne.dll' file is located in %AppData%	No
Netscape	X	Rundll32.exe [path] mxtfrulf.dll	Detected by McAfee as Generic.dx and by Malwarebytes as Backdoor.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'mxtfrulf.dll' file is located in %LocalAppData%Netscape	No
zsmscc	X	rundll32.exe [path] mycc071208.dll mymain	Detected by Kaspersky as Trojan-Downloader.Win32.Agent.fzk. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'mycc071208.dll' file is located in %System%	No
NAVUpd	X	rundll32.exe [path] navupd.dll,Startup	Detected by Symantec as Infostealer.Navu. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'navupd.dll' file is located in %Windir%	No
NextLive	U	rundll32.exe [path] nengine.dll	Detected by Malwarebytes as PUP.Optional.NextLive. If bundled with another installer or not installed by choice then remove it. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'nengine.dll' file is located in %AppData%newnext.me	No
update	X	rundll32.exe [path] netupdate.dll	Detected by Malwarebytes as Trojan.Agent.E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'netupdate.dll' file is located in %Temp%	No
BelNotify	U	rundll32.exe [path] NPBelv32.dll,RunDll32_BelNotify	BelNotify from Belarc, Inc - 'proactively tells the end-user about specials, tech tips, updates, and upgrades, and more, all based on their installed software, hardware and specified preferences'	No
RFX_auto_upgrade	N	rundll32.exe [path] npvpg005.dll,auto_upg_check	Auto-upgrade for the RichFX player browser plugin	No
NTRedirect	U	rundll32.exe [path] NTRedirect.dll	Detected by Malwarebytes as PUP.Optional.BabSolution. Note - this entry uses the legitimate rundll32.exe file located in %Windir%SysWOW64 (rather than the one located in %System%) to load the 'NTRedirect.dll' file is located in %AppData%BabSolutionShared. If bundled with another installer or not installed by choice then remove it	No
calc	X	rundll32.exe [path] ntuser.dll,_IWMPEvents@0	Detected by McAfee as Opachki.a and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ntuser.dll' file is located in %UserProfile%	No
odbcMouseSvcs	X	rundll32.exe [path] odbcMouseSvcs.dll,winEventlib	Detected by Sophos as Troj/Sefnit-J. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'odbcMouseSvcs.dll' file is located in %LocalAppData%mfcobjPlay	No
oo4	X	RunDLL32.EXE [path] oo4.dll,DllRun	BookedSpace parasite. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'oo4.dll' file is located in %Windir%	No
Instant Access	X	rundll32.exe [path] p2esocks_****.dll,InstantAccess	Dialer.InstantAccess premium rate adult content dialer variant - where **** represents digits. Detected by Malwarebytes as Adware.EGDAccess. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
Windows Performance Monitor	X	rundll32.exe [path] PerformanceMonitor.dll,DllInstall	Detected by Malwarebytes as Backdoor.Bot.E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'PerformanceMonitor.dll' file is located in %LocalAppData%MicrosoftPerformanceMonitor	No
autochk	X	rundll32.exe [path] protect.dll,_IWMPEvents@16	Detected by Symantec as Trojan.Opachki and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'protect.dll' file is located in %UserProfile%	No
Microsoft system protection service	U	rundll32.exe [path] protecthost.dll,DllInstall	Detected by Malwarebytes as PUP.Optional.ProtectHost. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'protecthost.dll' file is located in %LocalAppData%MicrosoftProtect. If bundled with another installer or not installed by choice then remove it	No
psext	X	rundll32.exe [path] psext.dll	Detected by Malwarebytes as Trojan.RedirRdll2.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'psext.dll' file is located in %AppData%	No
pump64	X	rundll32.exe [path] pump64.dll,pump64	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'pump64.dll' file is located in %LocalAppData%	No
ForceShow	X	rundll32.exe [path] QaBar.dll,ForceShowBar	AdultLinks.QBar parasite related! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'QaBar.dll' file is located in %System%	No
qescam	X	rundll32.exe [path] qescam.dll	Detected by Malwarebytes as Trojan.RedirRdll2.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'qescam.dll' file is located in %AppData%	No
qkoszvd.dll	X	rundll32.exe qkoszvd.dll,jwezubg	Detected by Sophos as Troj/Dloadr-AVD. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'qkoszvd.dll' file is located in %System%	No
NvCplDaemonTool	X	rundll32.exe [path] qloadAC.dll,_IWMPEvents	Detected by Sophos as Troj/Sinowal-AS and by Malwarebytes as Trojan.Agent.WIMP. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'qloadAC.dll' file is located in %System% and %UserProfile%	No
rerap	X	rundll32.exe [path] rerap.dll	Detected by Dr.Web as Trojan.DownLoader7.16415. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'rerap.dll' file is located in %AppData%	No
rfdvng	X	rundll32.exe [path] rfdvng.dll	Detected by Dr.Web as Trojan.DownLoader7.10023 and by Malwarebytes as Trojan.Medfos. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'rfdvng.dll' file is located in %AppData%	No
logonUiInit	X	Rundll32.exe [path] rgtndz.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'rgtndz.dll' file is located in %System%	No
rmdrfje.dll	X	rundll32.exe rmdrfje.dll,[random characters]	Detected by Sophos as Troj/Dloadr-ANM. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'rmdrfje.dll' file is located in %Windir%	No
Video Library	X	rundll32.exe [path] Rpcqt.dll,Sets	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'Rpcqt.dll' file is located in %Temp%	No
RSA[9 or more digits]	X	rundll32.exe [path] RSA[9 or more digits].dll	Detected by Malwarebytes as Trojan.Agent.E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'RSA[9 or more digits].dll' file is located in %AppData%MicrosoftCryptoRSA	No
saSyncMgr	X	rundll32.exe [path] sasync.dll,SyncWait	Browser hijacker - redirecting to Searchant.com. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'sasync.dll' file is located in %System%	No
sbasc	X	rundll32.exe [path] sbasc.dll	Detected by Malwarebytes as Trojan.RedirRdll2.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'sbasc.dll' file is located in %AppData%	No
HEPER	X	RUNDLL32.EXE [path] ScanerHelper.dll	Detected by Microsoft as PWS:Win32/OnLineGames.GL. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ScanerHelper.dll' file is located in %System%	No
HEPER	X	RUNDLL32.EXE [path] ScanerHelper.dll	Detected by Malwarebytes as Trojan.PWS.WoW. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ScanerHelper.dll' file is located in %UserTemp%	No
setoc	X	rundll32.exe [path] setoc.dll	Detected by Malwarebytes as Trojan.RedirRdll2.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'setoc.dll' file is located in %AppData%	No
smft463P	X	rundll32.exe [path] smft463P.dll,HoonBoom	Detected by Malwarebytes as Trojan.Injector.Cn. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'smft463P.dll' file is located in %Root%AuGzZk	No
smx4pnp	X	rundll32.exe [path] smx4pnp.dll	Detected by Trend Micro as TROJ_SASFIS.VR. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'smx4pnp.dll' file is located in %UserProfile%Microsoft	No
sbafoberebe	X	rundll32.exe [path] sntsrbdm.dll	Detected by McAfee as RDN/Generic Downloader.x!jw. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'sntsrbdm.dll' file is located in %Windir%	No
Song	U	rundll32.exe [path] Song.dll	Detected by Malwarebytes as PUP.Optional.Song. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'Song.dll' file is located in %LocalAppData%SongBin. If bundled with another installer or not installed by choice then remove it	No
spa_start	X	Rundll32.exe [path] spads.dll	IconAds adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'spads.dll' file is located in %System%	No
srePostpone	?	rundll32.exe [path] srescan.dll,DoSpecialAction	Related to the ZoneAlarm Antispy scanner	No
StopSignSsFwMon	U	Rundll32.exe [path] ssfwmon.dll,VerifyStatus	eAcceleration Stop-Sign security software related - previously not recommended (see here). It has now been delisted, so make sure you have the latest version - hence the 'U' recommendation	No
vegas	X	rundll32.exe [path] sshnas.dll,DllWork	Detected by Malwarebytes as Trojan.FakeAlert. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'sshnas.dll' file is located in %System% or %UserTemp%	No
LosAlamos	X	rundll32.exe [path] sshnas21.dll	Detected by Malwarebytes as Trojan.FakeAlert. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'sshnas21.dll' file is located in %System%	No
Canaveral	X	rundll32.exe [path] sshnas21.dll,BackupReadW	Detected by Malwarebytes as Trojan.Downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'sshnas21.dll' file is located in %System% or %UserTemp%	No
Metropolis	X	rundll32.exe [path] sshnas21.dll,GetHandle	Detected by Malwarebytes as Trojan.FakeAlert. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'sshnas21.dll' file is located in %System% or %UserTemp%	No
byywttsys	X	rundll32.exe [path] ssrstu.dll	Detected by Malwarebytes as Trojan.Dropper. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ssrstu.dll' file is located in %System%	No
gedcbbsys	X	rundll32.exe [path] ssrstu.dll	Detected by Malwarebytes as Trojan.Dropper. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ssrstu.dll' file is located in %System%	No
StopSignSsSsMon	U	Rundll32.exe [path] ssssmon.dll,VerifyStatus	eAcceleration Stop-Sign security software related - previously not recommended (see here). It has now been delisted, so make sure you have the latest version - hence the 'U' recommendation	No
StopSignSsTsMon	U	Rundll32.exe [path] sstsmon.dll,VerifyStatus	eAcceleration Stop-Sign security software related - previously not recommended (see here). It has now been delisted, so make sure you have the latest version - hence the 'U' recommendation	No
stipc	X	rundll32.exe [path] stipc.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'stipc.dll' file is located in %AppData%	No
{2CF0B992-5EEB-4143-99C0-5297EF71F444}	X	rundll32.exe [path] stlbdist.dll,DllRunMain	BrowserAid foistware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'stlbdist.dll' file is located in %System%	No
StopSignStatus	U	Rundll32.exe [path] stopsinfo.dll,VerifyStatus	Installer for eAcceleration Stop-Sign security software - previously not recommended (see here). It has now been delisted, so make sure you have the latest version - hence the 'U' recommendation	No
[random]	?	rundll32.exe [path] streamci,StreamingDeviceSetup	Used by multiple devices for initial installations. Should only run once and the file is located in %System%	No
strFree	X	rundll32.exe [path] strFree.dll	Detected by Sophos as Troj/Mdrop-DRG. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'strFree.dll' file is located in %UserProfile%Microsoft	No
SdScans**	X	rundll32.exe [path] stup_tmp.#32,Ini	Detected by Panda as the Sdscan.A - where * represents a random upper case letter. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'stup_tmp.#32' file is located in %Windir%	No
SWL	U	rundll32.exe [path] SWL.dll rdl	StealthWeblog surveillance software. Uninstall this software unless you put it there yourself! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
Sysmppcvppp	X	rundll32.exe [path] SysTdSvr.dll	Detected by Kaspersky as AdWare.Win32.NewWeb.x. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'SysTdSvr.dll' file is located in %System%	No
systemdrea	X	rundll32.exe [path] systemdrea.dll	Detected by Sophos as Troj/Agent-RKB. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'systemdrea.dll' file is located in %UserProfile%Microsoft	No
SystemKey	U	rundll32.exe [path] SystemKey.dll rdl	Stealth Keylogger keystroke logger/monitoring program - remove unless you installed it yourself! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
SystemMessenger	X	rundll32.exe [path] SystemMessenger.dll	Stealth Chat Monitor spyware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
SystemWeb	U	rundll32.exe [path] SystemWeb.dll rdl	StealthWeblog surveillance software. Uninstall this software unless you put it there yourself! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
IE Menu Extension toolbar	X	rundll32.exe [path] tbextn.dll DllShowTB	IEMenuExt trackware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
Games toolbar	X	rundll32.exe [path] tbGame.dll DllShowTB	Topconverting.com/180Search 'Games Toolbar' adware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
TBHostSupport	U	Rundll32.exe [path] TBHostSupport.dll	Detected by Malwarebytes as PUP.Optional.Conduit. Note - this entry uses the legitimate rundll32.exe file located in %Windir%SysWOW64 (rather than the one located in %System%) to load the file 'TBHostSupport.dll' which is located in %LocalAppData%TBHostSupport. If bundled with another installer or not installed by choice then remove it	No
ConduitFloatingPlugin_[random]	U	Rundll32.exe [path] TBVerifier.dll	Detected by Malwarebytes as PUP.Optional.Conduit. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'TBVerifier.dll' file is located in %AppData%ValueAppsCH. If bundled with another installer or not installed by choice then remove it	No
tdirv	X	rundll32.exe [path] tdirv.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'tdirv.dll' file is located in %AppData%	No
Windows Theft Protection	X	rundll32.exe [path] TheftProtection.dll,DllInstall	Detected by Malwarebytes as Trojan.Agent.THF. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'TheftProtection.dll' file is located in %LocalAppData%MicrosoftPerformanceTheftProtection	No
PowerMgr	X	Rundll32.exe [path] tmp*.tmp,Init	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'tmp.tmp' file is located in %UserTemp% - where represents anything	No
Authentic-ID Toolbar	Y	rundll32.exe [path] ToolbarATL.dll,LoadTrayIcon	Authentic-ID Toolbar - website authentication utility. Warns you when a site is recognized for phishing or isn't authentic, for example	No
tsiVideo	X	rundll32.exe [path] tsiVi032.dll,startme	Detected by Sophos as Troj/Agent-AEWO and by Malwarebytes as PUP.BitcoinMiner. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'tsiVi032.dll' file is located in %UserTemp%	No
IDAVLab	X	Rundll32.exe [path] ueqfjttz.dll	Detected by Malwarebytes as Trojan.Reveton. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'ueqfjttz.dll' file is located in %LocalAppData%IDAVLab	No
Wallpaper	X	rundll32.exe [path] undersystem.dll,net	Detected by McAfee as FakeAV-M.bfr!c and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'undersystem.dll' file is located in %UserProfile%	No
Rundll32	X	Rundll32.exe [path] unicode2.nls	Detected by Dr.Web as Trojan.Siggen4.39246 and by Malwarebytes as Trojan.Backdoor. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'unicode2.nls' file is located in %AppData%MicrosoftWindows	No
ppap	X	rundll32.exe [path] update.dll	Detected by Malwarebytes as Trojan.Agent.UD. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'update.dll' file is located in %UserTemp%	No
DustApps	U	rundll32.exe [path] updater.dll	Detected by Malwarebytes as PUP.Optional.DustApps. Note - this entry uses the legitimate rundll32.exe file located in %Windir%SysWOW64 (rather than the one located in %System%) to load the 'updater.dll' file which is located in %LocalAppData%DustApps. If bundled with another installer or not installed by choice then remove it	No
Egiciwuvubom	X	rundll32.exe [path] upesvt.dll	Detected by Sophos as Troj/Agent-TEO. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'upesvt.dll' file is located in %Windir%	No
upnits	X	rundll32.exe [path] upnits.dll	Detected by Malwarebytes as Trojan.RedirRdll2.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'upnits.dll' file is located in %AppData%	No
V3smx4pnp	X	rundll32.exe [path] V3smx4pnp.dll	Detected by Symantec as Trojan.Smaxin. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'V3smx4pnp.dll' file is located in %UserProfile%Microsoft	No
vdAHBMyiRUZlHK	X	rundll32.exe [path] vdAHBMyiRUZlHK.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'vdAHBMyiRUZlHK.dll' file is located in %UserTemp%vdAHBMyiRUZlHK	No
VMwareTiay	X	rundll32.exe [path] Vmware76406.dat,xx	Detected by Malwarebytes as Spyware.OnlineGames. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'Vmware76406.dat' file is located in %UserTemp% - see here	No
VolunteerJoint	X	rundll32.exe [path] VolunteerJoint.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'VolunteerJoint.dll' file is located in %LocalAppData%	No
cmds	X	rundll32.exe [path] vtsqn.dll	Detected by Malwarebytes as Malware.Trace. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'vtsqn.dll' file is located in %UserTemp%	No
W3KNetwork	X	rundll32.exe [path] w3knet.dll,dllinitrun	Detected by McAfee as Adware-Web3000. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
wehloi	X	rundll32.exe [path] wehloi.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wehloi.dll' file is located in %AppData%	No
WinHacker	N	rundll32.exe [path] wh95.dll,HackMe	WinHacker tweaking utility by Wedge Software. There are far better tweakers and, unlike WinHacker, most are free	No
WinHacker 95	N	rundll32.exe [path] wh95.dll,HackMe	WinHacker tweaking utility by Wedge Software. There are far better tweakers and, unlike WinHacker, most are free	No
wilsg	X	rundll32.exe [path] wilsg.dll,ARawDecodeInit	Detected by Dr.Web as Trojan.DownLoader8.18141. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wilsg.dll' file is located in %AppData%	No
wilsg	X	rundll32.exe [path] wilsg.dll,New	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wilsg.dll' file is located in %AppData%	No
wilsg	X	rundll32.exe [path] wilsg.dll,SetScissorRect	Detected by Dr.Web as Trojan.DownLoader8.15853. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wilsg.dll' file is located in %AppData%	No
Spooler de Impressão	X	rundll32.exe [path] windll.dll	Detected by McAfee as Generic Downloader.x!gfd and by Malwarebytes as Trojan.Banker. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'windll.dll' file is located in %Windir%netaps	No
WindosSysDrivers	X	rundll32.exe [path] WindosSysDrivers.dll	Detected by Sophos as Troj/PWS-BOB. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'AgerePadClock.dll' file is located in %UserProfile%Microsoft	No
WindowsNetsDll	X	rundll32.exe [path] WindowsNetsDll.dll	Detected by Sophos as Troj/Mdrop-DEK. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'WindowsNetsDll.dll' file is located in %UserProfile%Microsoft	No
WinFlyer32.dll	X	rundll32.exe [path] WinFlyer32.dll	Detected by Trend Micro as TROJ_AGENT.NFD. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'WinFlyer32.dll' file is located in %System%	No
winhelp	X	rundll32.exe [path] winhelp.dll,get	Detected by Sophos as Troj/Mdrop-DCW and by Malwarebytes as Worm.Email. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'winhelp.dll' file is located in %System%	No
winshell32	X	rundll32.exe [path to winshell32.cpl]	Detected by Dr.Web as Trojan.PWS.Banker1.7375 and by Malwarebytes as Trojan.Banker. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
winshell32	X	rundll32.exe [path] winshell32.dll	Detected by Kaspersky as Trojan-Downloader.Win32.Agent.drhh. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'winshell32.dll' file is located in %Windir%	No
Spooler de Impressão	X	rundll32.exe [path] winsys.dll	Detected by Malwarebytes as Trojan.Banker. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'windll.dll' file is located in %Windir%ocxlist	No
wmdnte	X	rundll32.exe [path] wmdnte.dll	Detected by Malwarebytes as Trojan.Medfos. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wmdnte.dll' file is located in %AppData%	No
THXAudio	X	rundll32.exe [path] wmshlp.dll	Detected by Dr.Web as Trojan.DownLoader6.40916 and by Malwarebytes as Trojan.Proxy. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wmshlp.dll' file is located in %CommonAppData%MSICRD	No
TactXCI	X	rundll32.exe [path] wmshlp.dll	Detected by Symantec as Infostealer.Proxydown and by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wmshlp.dll' file is located in %AppData%MicrosoftCommonFiles	No
NvCplDaemonTool	X	rundll32.exe [path] wtload08.dll,_IWMPEvents	Detected by Sophos as Troj/Sinowa-Gen and by Malwarebytes as Trojan.Agent.WIMP. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wtload08.dll' file is located in %System% and %UserProfile%	No
byvtroaudio	X	rundll32.exe [path] wvtsrs.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wvtsrs.dll' file is located in %System%	No
gebawtaudio	X	rundll32.exe [path] wvtsrs.dll	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'wvtsrs.dll' file is located in %System%	No
Systems Restart	X	Rundll32.exe [path] zolk.dll,DllRegisterServer	Added by a variant of Trojan.StartPage. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'zolk.dll' file is located in %System%	No
lpc	X	rundll32.exe [path] zxvd32.dll	Detected by Symantec as Trojan.Banksun and by Malwarebytes as Trojan.Ambler. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The 'zxvd32.dll' file is located in %AppData%Sun	No
svchost64	X	rundll32.exe [path] [12 hex numbers].dll	Detected by Malwarebytes as Trojan.Downloader. Note - this entry loads from the Windows Startup folder and rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The DLL file is located in %Temp%	No
Windows Time	X	rundll32.exe [path] [12 random letters].dll,EntryPoint	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[12 random letters].dll' file is located in %CommonAppData%	No
Taskhost	X	rundll32.exe [path] [32 hex characters].dll	Detected by Malwarebytes as Adware.Agent.CLK. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[32 hex characters].dll' file is located in %CommonAppData%WindowsMsg	No
Network	X	rundll32.exe [path] [dropped DLL]	Detected by Symantec as Trojan.Cyxorp - where the DLL file is located in %UserProfile% and is one of the following: dlllibrary.dll, inilibrary.dll, internetmodule.dll, profileuser.dll or sys32config.dll. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
v3configure	X	rundll32.exe [path] [filename]	Detected by Symantec as Infostealer.Bankeiya.B and by Malwarebytes as Trojan.Agent.E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The file is located in %UserTemp%	No
winabc	X	rundll32.exe [path] [filename].dll,InstallLaunchEv	Detected by Sophos as Troj/Lineage-PN. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The [filename].dll file is located in %UserTemp%	No
dseg	X	rundll32.exe [path] [filename].dll,IsXMLNS	Detected by Malwarebytes as Adware.KorAd. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The file is located in %UserTemp%[random]	No
Disker	X	rundll32.exe [path] [name].DLL	Detected by Dr.Web as Trojan.PWS.Wow.2045 and by Malwarebytes as Trojan.Onlinegames. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The DLL file is typically found in %Temp%	No
Egiciwuvubom	X	rundll32.exe [path] [random name].dll	Detected by Sophos as W32/AutoRun-BHY. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The DLL file is located in %Windir%	No
MemoryManager	X	rundll32.exe [path] [random name].dll	Detected by Microsoft as Win32/Vundo. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
GPLv3	X	rundll32.exe [path] [random name].dll	Detected by Microsoft as Win32/Vundo. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
SLDT	X	rundll32.exe [path] [random].cpl	Detected by Microsoft as TrojanDownloader:Win32/Bebeber.A and by Malwarebytes as Spyware.Password. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].cpl' file is located in %Temp%	No
winupdt	X	RUNDLL32.EXE [path] [random].dll	Detected by Kaspersky as Email-Worm.Win32.Mabutu.a and by Malwarebytes as Trojan.Downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %Windir%	No
MicrosoftCheckApp	X	rundll32.exe [path] [random].DLL	Detected by Malwarebytes as Trojan.Agent.VER. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
Pwulinubesida	X	rundll32.exe [path] [random].dll	Detected by Malwarebytes as Trojan.Agent.HL. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The DLL file is located in %Windir%	No
mlkkhesys	X	rundll32.exe [path] [random].dll	Detected by Sophos as Troj/Mdrop-CPA. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %System%	No
NVIDIASpace	X	rundll32.exe [path] [random].dll	Detected by Malwarebytes as Trojan.Agent.RNSE. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. See examples here and here	No
WindowsService	X	rundll32.exe [path] [random].dll	Detected by Sophos as Troj/Vundo-X and by Malwarebytes as Trojan.Agent.WSGen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The DLL file is located in %Windir%	No
JavaSoft	X	rundll32.exe [path] [random].dll	Detected by Malwarebytes as Trojan.Agent.JSGen. Note - this entry loads from HKCURun and rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The DLL file is located in %LocalAppData%JavaSoft - see examples here and here	No
mcexecwin	X	rundll32.exe [path] [random].dll, RestoreWindows	Detected by Malwarebytes as Trojan.Agent. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %Temp%	No
uPc+MV0N[random]	X	rundll32.exe [path] [random].dll, SystemServer	Detected by Malwarebytes as Trojan.Downloader.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %System% - see examples here and here	No
Google	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Apple	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Profile	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Update	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Policy	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Directx	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Verifier	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Java	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Manager	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Windows	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Mouse	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Tray	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Keyboard	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Display	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Backup	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Service	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Intel	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Microsoft	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.Agent.E.Generic. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Notifier	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Microsoft as Trojan:Win32/Tracur.AK and by Malwarebytes as Trojan.SHarpro. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %AppData%[folder name][folder name]	No
Adobe	X	rundll32.exe [path] [random].dll,DllRegisterServer	Detected by Malwarebytes as Trojan.Agent.HPLGen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' file is located in %LocalAppData%AppleAdobe - see examples here and here	No
webadhhh	X	rundll32.exe [path] [random].hta	Detected by Malwarebytes as Trojan.PMovie. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].hta' file is located in %CommonAppData%adhhh	No
[UserName]-PC	X	rundll32.exe [path] [UserName]-PC.dll	Detected by Malwarebytes as Trojan.Banker. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[UserName]-PC.dll' file is located in %AppData%	No
jhdfhasdfhkjasd	X	rundll32.exe [path] [UserName]-PC.dll	Detected by Malwarebytes as Trojan.Banker.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[UserName]-PC.dll' file is located in %AppData%	No
[Word1 Word2]	U	rundll32.exe [path] [Word1Word2].dll	Detected by Malwarebytes as PUP.Optional.CrossAd.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[Word1Word2].dll' file is located in %LocalAppData%[Word1 Word2]Bin. If bundled with another installer or not installed by choice then remove it	No
[Word1 Word2]	U	rundll32.exe [path] [Word1Word2].dll	Detected by Malwarebytes as PUP.Optional.CrossAd.Gen. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[Word1Word2].dll' file is located in %LocalAppData%[Word1 Word2]xBin. If bundled with another installer or not installed by choice then remove it	No
hivew	X	rundll32.exe [random digits]don.dll,Set1	Detected by Malwarebytes as Trojan.Downloader. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random digits]don.dll' file is located in %UserTemp% - see examples here and here	No
winupd	X	RUNDLL32.EXE [random value].dll,_mainRD	Detected by Symantec as W32.Mota.A. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The random DLL file is located in %Windir%	No
EvtMgr	X	rundll32.exe [random]	Detected by Malwarebytes as Backdoor.Farfli.E. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The file is located in %Root%[5 or 6 characters]	No
MSServer	X	Rundll32.exe [random].dll,#1	Added by unidentified malware. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The file is typically found in either %System% or the %UserTemp% folder	No
Remote System Protection	X	rundll32.exe [random].dll,HUI_proc	Detected by Microsoft as Trojan:Win32/Ertfor.B. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random].dll' is located in %System%	No
MSSMSGS	X	rundll32.exe [random].rom	Detected by Malwarebytes as Backdoor.Bot. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted	No
yahoo!	X	rundll32.exe [random]don.dll,Set	Detected by Trend Micro as TROJ_AGENT.HOZZ. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The '[random]don.dll' file is located in %UserTemp%	No
Rundll	X	rundll32.exe [worm filename].dll	Detected by Trend Micro as WORM_MYTOB.IG. Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. The random DLL file is located in %System%	No
KU0RGXBVFK	X	rundll32.exe.lnk	Detected by McAfee as RDN/Generic BackDoor!uk and by Malwarebytes as Backdoor.Agent.REL	No
IntelUpdate	X	rundll32.lnk	Detected by Dr.Web as Trojan.DownLoader8.50757 and by Malwarebytes as Trojan.Agent. Note that the target of the 'rundll32.lnk' file is 'Rundll32.exe' and both files are located in %Root%ProgramDataIntelIntelUpdate	No
Adobe Reader Update	X	rundll32.lnk	Detected by Dr.Web as Trojan.DownLoader9.42788 and by Malwarebytes as Trojan.Downloader.MI	No
Windows Security Assistant	X	rundll32.vbe	CoolWebSearch Alfasearch parasite variant - also detected as the STARTPA-U TROJAN!	No
rundll32	X	rundll32.vbs	Detected by Dr.Web as Trojan.Siggen3.50353	No
stlbdist	X	rundll32exe stlbdist.dll,DllRunMain	Hijacker pointing to www.searchandclick.com	No
rundll32s.exe	X	rundll32s.exe	Detected by Malwarebytes as Trojan.Dropper.MSIL. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
rundll33.exe	X	rundll33.exe	Detected by Malwarebytes as Trojan.Downloader.RDL.Generic. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
xccinit	X	rundll33.exe [path] xccdf16_090131a.dll	Detected by Sophos as Troj/Buzus-AD and by Malwarebytes as Spyware.OnlineGames. Note - the 'rundll33.exe' file is located in %System%inf and the 'xccdf16_090131a.dll' file is located in %Windir%	No
xccinit	X	rundll33.exe [path] xccdf16_090305a.dll	Detected by Sophos as Troj/Buzus-AF and by Malwarebytes as Spyware.OnlineGames. Note - the 'rundll33.exe' file is located in %System%inf and the 'xccdf16_090305a.dll' file is located in %Windir%	No
Rundll64	X	Rundll64	Detected by McAfee as RDN/Generic.bfr and by Malwarebytes as Backdoor.Agent.DC	No
Microsoft Install Shield Services	X	rundll64	Detected by Sophos as W32/Rbot-FSH	No
MSConfigs	X	RUNDLL64.dll.vbs	Detected by Sophos as W32/Wekode-B and by Malwarebytes as Spyware.OnlineGames	No
Microsoft® Windows® Operating System	X	rundll64.exe	Detected by Dr.Web as Trojan.Siggen2.22967 and by Malwarebytes as Backdoor.Agent	No
Adobe Reader	X	rundll64.exe	Detected by Malwarebytes as Trojan.Agent.E.Generic. The file is located in %AppData%System32	No
AdobeReaderU	X	rundll64.exe	Detected by McAfee as RDN/Generic Downloader.x and by Malwarebytes as Backdoor.Agent.E	No
Windows Running DLL Service	X	rundll64.exe	Detected by Microsoft as Worm:Win32/Slenfbot.HV	No
rundll32	X	rundll64.exe	Detected by Trend Micro as TROJ_DELF.BKC	No
Mircrosoft Windows Config DLL	X	rundllc32b.exe	Detected by Sophos as W32/Rbot-ZY	No
rundlle33.exe	X	rundlle33.exe	Detected by Malwarebytes as Backdoor.Agent.RDL. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
rundlll.exe	X	rundlll.exe	Detected by Dr.Web as Trojan.Siggen2.24214 and by Malwarebytes as Trojan.Downloader. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
PowerManagement	X	Rundlll.exe	Detected by Symantec as Backdoor.Surdux	No
rundlll32	X	rundlll32.exe	Detected by McAfee as RDN/Generic BackDoor!yb and by Malwarebytes as Backdoor.Agent.E	No
RundllQQ32	X	RundllQQ32.exe	Detected by Malwarebytes as Trojan.Backdoor. The file is located in %Windir%inf	No
rundlls.exe	X	rundlls.exe	Detected by Malwarebytes as Backdoor.Bot. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
Rundlls	X	Rundllsr.exe	Detected by McAfee as RDN/Generic PWS.y!zp and by Malwarebytes as Backdoor.Agent.E	No
Rundllsystem32	X	Rundllsystem32.exe	Detected by Trend Micro as BKDR_NETDEVIL.B	No
Run05	X	rundll_32.exe	Detected by Sophos as Troj/Bancos-DT	No
Rundll	X	Rundll~.exe	Detected by Sophos as W32/Delf-KT	No
RUNDNB	X	Rundnb.exe	Detected by Sophos as Dial/Dialer-C	No
RUNDNM	X	Rundnm.exe	Detected by Sophos as Troj/Delf-HA	No
MICROSOFTSECURITYUPDATEAGENT	X	rundrv32.exe	Detected by McAfee as RDN/Spybot.bfr!d and by Malwarebytes as Backdoor.Messa	No
AdobeManager	X	rundtl.exe	Detected by Malwarebytes as Adware.SmartBrowser. The file is located in %AppData%Adobe	No
Microsoftf DDEs ContDLL	X	rune.pif	Detected by Sophos as W32/Rbot-AGF	No
Runescape BOT.exe	X	Runescape BOT.exe	Detected by Dr.Web as Trojan.PWS.Siggen.27369	No
system32	X	runescape.exe	Detected by Sophos as Mal/Agent-XB and by Malwarebytes as Backdoor.Agent	No
bs_stealth	X	RunescapeDdoserV1_03.exe	Detected by Malwarebytes as Backdoor.Agent.BSGen. The file is located in %AppData% - see here	No
fc	X	runfc.exe	Detected by Symantec as W32.Campurf@mm	No
rundll	X	runhostdl.exe	Detected by Dr.Web as Trojan.DownLoader4.33064 and by Malwarebytes as Trojan.Agent	No
runhosts	X	runhosts.exe	Detected by Dr.Web as Trojan.DownLoader25.50651 and by Malwarebytes as Trojan.BitCoinMiner	No
AdobeReader	X	runhosts.exe	Detected by Dr.Web as Trojan.DownLoader25.50651 and by Malwarebytes as Trojan.BitCoinMiner	No
[random hex numbers]	X	RuniDlll.exe	Detected by Malwarebytes as Backdoor.Agent.TPL. The file is located in %Templates%Microsoft - see an example here	No
Java Runtime Value	X	runjava.exe	Detected by Sophos as W32/Rbot-DDJ	No
Lenovo Dynamic Brightness System	U	runldbs.exe	On supported Lenovo desktops (with compatible monitors) this protects your eyes by automatically adjusting screen brightness based on surrounding light conditions	No
Lenovo Eye Distance System	U	RunLEDS.exe	On supported Lenovo desktops (with compatible monitors) this alerts you if you are too close to the screen	No
AdobeManager	X	runlld.exe	Detected by Malwarebytes as Adware.SmartBrowser. The file is located in %AppData%MicrosoftWindows	No
sdsr	X	runlli32.exe	Detected by Sophos as Troj/QQPass-U	No
Rnudll32	X	runlli32.exe	Detected by Sophos as Troj/QQPass-U	No
Regexit	X	runlli32.exe	Detected by Sophos as Troj/QQPass-U	No
Rundil32	X	runlli32.exe	Detected by Sophos as Troj/QQPass-U	No
Rundli32	X	runlli32.exe	Detected by Sophos as Troj/QQPass-U	No
chope	X	runlli32.exe	Detected by Sophos as Troj/QQPass-U	No
HKEYok	X	runlli32.exe	Detected by Sophos as Troj/QQPass-U	No
[various names]	X	runload32.exe	Fake startup entry created by the Wareout rogue spyware and dialer remover - not recommended, removal instructions here. Archived version of Andrew Clover's original page	No
Microsoftf DDEs ContrDL	X	runm.pif	Detected by Sophos as W32/Rbot-AFQ	No
update	X	runme.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %UserTemp%update	No
Open2Enter	X	runme.exe	First2Enter - Switch dialer and hijacker variant, see here	No
gitthub	X	runme.exe	Detected by Malwarebytes as Trojan.BitCoinMiner. The file is located in %UserTemp%gitthub	No
NumLock	X	runme.exe	Detected by Sophos as W32/Delf-IO	No
Open2Enter	X	runme2.exe	First2Enter - Switch dialer and hijacker variant, see here	No
KODAK Software Updater	N	runner.exe	Software updater for Kodak products - automatically detects an internet connection and downloads any available updates	No
runnit	X	runnit.exe	Detected by McAfee as RDN/Generic PWS.y!b2g and by Malwarebytes as Trojan.Agent.TPLGen	No
OLEDb Service	X	runoledb32.exe	Added by the SPYRE.B TROJAN!	No
RunOnce	U	RUNONCE.EXE	Part of MS Data Access Components - only required if you use these	No
mdac_runonce	N	runonce.exe	Associated with MS Data Access Components (MDAC). Sometimes left over after installation - not required. NOTE :- don't delete 'runonce.exe'.	No
Runonce	X	runouce.exe	Detected by Sophos as W32/Chir-B	No
Paperport	N	runppdrv.exe	Loads the drivers associated with monitoring scanner status associated with PaperPort software. Can be a resource hog	No
PCDrProfiler	U	RunProfiler.exe	Part of PC Doctor software installed for some machines. Disabling or enabling it is down to your preference	No
zxcd	X	runr.exe	Detected by Dr.Web as Trojan.DownLoader6.46754 and by Malwarebytes as Trojan.Yoddos	No
Microsoftf DDos Contr0l	X	runs.pif	Detected by Sophos as W32/Rbot-AMH	No
Micosoft Data Core	X	runservice.exe	Detected by Trend Micro as WORM_IRCBOT.BK	No
LicCtrl	Y	runservice.exe	Part of the eLicense Copy Protection scheme employed by some software and games. If it is not running the eLicense wrapper is unable to extract and execute the program. Runs as a service on an NT based OS (such as Windows 10/8/7/Vista/XP)	No
Audiosysstems	X	runservices.exe	Detected by McAfee as RDN/Generic BackDoor!ua and by Malwarebytes as Backdoor.Messa.E	No
infoSiw	U	RunSI.exe	Detected by Malwarebytes as PUP.Optional.InfoSIW. The file is located in %AppData%infoSiw. If bundled with another installer or not installed by choice then remove it	No
runsql	X	runsql.exe	Detected by Malwarebytes as Backdoor.Bot. The file is located in %Windir% - see here	No
Srv32 spool service	X	runsrv32.exe	Topantispyware adware	No
Adware.Srv32	X	runsrv32.exe	Detected by Trend Micro as TROJ_RENOS.AV	No
runsvc	X	runsvc.exe	Detected by Sophos as Troj/Small-CF	No
RunServices	X	runsvc32.exe	Detected by Trend Micro as WORM_AGOBOT.QJ	No
Windows Network Component	X	runsvhost32.exe	Detected by Malwarebytes as Backdoor.PWin.Gen. The file is located in %CommonFiles%	No
runsvn32.exe	X	runsvn32.exe	Detected by McAfee as Generic.dc and by Malwarebytes as Trojan.StartPage	No
RunSysd32	U	RunSysd32.exe	DesktopShield2000 by Stéphane Groleau. Locks the desktop at bootup so that users cannot bypass the Windows screensaver password. Only essential if using the program and is an optional setting. It can be disabled from within	No
HKLM	X	runsystem4.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. The file is located in %Windir%install	No
HKCU	X	runsystem4.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. The file is located in %Windir%install	No
Policies	X	runsystem4.exe	Detected by Malwarebytes as Backdoor.Agent.PGen. The file is located in %Windir%install	No
HKLM	X	RunSystemDLL.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. The file is located in %Windir%win62 - see here	No
HKCU	X	RunSystemDLL.exe	Detected by Malwarebytes as Backdoor.HMCPol.Gen. The file is located in %Windir%win62 - see here	No
Policies	X	RunSystemDLL.exe	Detected by Malwarebytes as Backdoor.Agent.PGen. The file is located in %Windir%win62 - see here	No
setupa	X	runt32.exe	Detected by Sophos as Troj/QQPass-K	No
SystemCheck	X	Runtime.exe	Detected by McAfee as Generic.dx and by Malwarebytes as Trojan.Agent	No
Runtime	X	Runtime.exe	Detected by Malwarebytes as Trojan.Agent.SFR. The file is located in %AppData%sysfiles - see here	No
runtime	X	runtime.exe	Detected by McAfee as Generic.dx and by Malwarebytes as Trojan.Agent.CFR	No
Runtime.exe	X	Runtime.exe	Detected by McAfee as Generic PWS.y and by Malwarebytes as Backdoor.Agent.RNT. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
Runtime.exe	X	Runtime.exe	Detected by McAfee as Generic PWS.y and by Malwarebytes as Backdoor.Agent.RNTGen. Note - this entry loads from HKCURun and the file is located in %UserStartup%	No
runtime.exe	X	runtime.exe	Added by a variant of the Tibs malware	No
XML Bootrecovery	X	runtime.exe	Detected by Dr.Web as Trojan.Siggen5.6169	No
smrtdrv	X	runtime.exe	Detected by Sophos as W32/Agobot-MN	No
RunTime	X	RunTime1.exe.lnk	Detected by McAfee as Generic BackDoor and by Malwarebytes as Backdoor.Agent.DCE	No
RuntimeBroker	X	RuntimeBroker.exe	Detected by Malwarebytes as Trojan.Agent.FDGI.Generic. The file is located in %Root%[6 digits]	No
Idleservice	X	runtimes.exe	Detected by Malwarebytes as Backdoor.Agent.IMN. The file is located in %AppData%Icey	No
WINDOWS-FIREWALL	X	runtll3d2.exe	Detected by McAfee as RDN/Generic.tfr!dm and by Malwarebytes as Backdoor.Messa.E	No
RunTray	U	RunTray.exe	Detected by Malwarebytes as HackTool.DDoS. The file is located in %System%	No
MozillaManager	X	runudp.exe	Detected by McAfee as Generic.dx!dl and by Malwarebytes as Trojan.Agent	No
runwin32	X	runwin32.exe	Detected by Sophos as Troj/ESearch-A	No
Windosupdate manager	X	runwin32.exe	Detected by Kaspersky as Backdoor.Win32.SdBot.nns. The file is located in %System%	No
preload	N	RUNXMLPL.exe	Software found on Acer computers from Wistron. Information suggests it maps keyboard buttons to operating system functions	No
Open2Enter	X	run_21.exe	First2Enter - Switch dialer and hijacker variant, see here	No
Classes	X	run_21.exe	First2Enter - Switch dialer and hijacker variant, see here	No
ScrSav	U	run_Acer.exe	Pre-installed screensaver on various Acer laptops that displays an animated Acer logo	No
Run_cd	X	Run_cd.exe	Detected by Trend Micro as BKDR_GHOST.23	No
run_ctrl.exe	X	run_ctrl.exe	Detected by Dr.Web as Trojan.DownLoader11.24925 and by Malwarebytes as Trojan.Downloader.E. Note - the file is located in %UserStartup% and its presence there ensures it runs when Windows starts	No
MSTask	X	run_dll.exe	Yuupsearch adware	No
Rambler Update RunOnce	U	rupdate_standalone.exe	Detected by Malwarebytes as PUP.Optional.Rambler. The file is located in %LocalAppData%RamblerRamblerUpdater. If bundled with another installer or not installed by choice then remove it	No
Rupsw32	U	Rupsw32.exe	MegaTec Rups, UPS monitoring software - monitor and control DB9 UPS running on either Windows & Novell NetWare (with RUPS 2000) or Unix (with RUPS for Unix / Plus) operating systems	No
RUSB3MON	U	rusb3mon.exe	Supports USB 3.0 ports based upon the Renesas (was NEC) range of controllers on both system motherboards and external disk drives. Disabling it didn't seem to have any ill effects on USB 3.0 transfer speeds but it may be required to support power management features	No
NAV	X	RuxDLL32.exe	Detected by Symantec as W32.Mapson.D.Worm	No
Remote Access Adapter	X	rvasvc.exe	Added by a variant of W32.IRCBot. The file is located in %System%	No
RVCHOST.EXE	X	Rvchost.exe	Detected by Sophos as Troj/Delf-AC	No
AdobeReaderPro	X	rvdjlefr.exe	Detected by Sophos as W32/Rbot-CQZ and by Malwarebytes as Backdoor.Bot	No
Yahoo Messengger	X	RVHIOST.exe	Detected by Sophos as W32/Sohana-AC and by Malwarebytes as Backdoor.Bot	No
Wizard Install	X	Rvhoot.exe	Detected by Malwarebytes as Trojan.Banker.WZ. The file is located in %AppData%Wizard Install	No
Yahoo Messengger	X	RVHOST.exe	Detected by Sophos as W32/SillyFDC-G and by Malwarebytes as Backdoor.Bot	No
Windows LoL Layer	X	rvinfjz.exe	Detected by Kaspersky as Net-Worm.Win32.Kolab.fxx and by Malwarebytes as Backdoor.Bot. The file is located in %System%	No
CoreDrive	X	rvsplasmatic.exe	Detected by McAfee as RDN/Generic BackDoor!zq and by Malwarebytes as Backdoor.Agent.DCGen	No
updmgr	X	rvupdmgr.exe	KeenVal adware	No
Rwdoikdngudtnbmv.exe	X	Rwdoikdngudtnbmv.exe	Detected by McAfee as RDN/Ransom!ee and by Malwarebytes as Backdoor.IRCBot.E	No
[14 random numbers]	X	rwg.exe	Green AV rogue security software - not recommended, removal instructions here. The most common entry has the number 03874569874596	No
rwo	X	rwo.exe	Detected by Malwarebytes as Trojan.Agent.Kkore. The file is located in %Windir%	No
Remote Access Tool	X	rwosvc.exe	Added by a variant of W32.IRCBot. The file is located in %System% - see here	No
WNSI	X	rwsa.exe	Detected by Symantec as Adware.PurityScan - also see the archived version of Andrew Clover's page. The file is located in %System%	No
Ussi	X	rwsa.exe	Detected by Symantec as Adware.PurityScan - also see the archived version of Andrew Clover's page	No
{----**}	X	rwwnw64d.exe	ZenoSearch adware variant where ** are random characters	No
DW_Start	X	rwwnw64d.exe	ZenoSearch adware variant	No
Microsoft Update Machine	X	rxhost.exe	Detected by Trend Micro as WORM_RBOT.FC and by Malwarebytes as Backdoor.Bot	No
RoxioAudioCentral	N	RxMon.exe	Part of Roxio EasyCD Creator 6.0 - places the Roxio AudioCentral icon in you system tray. 'Includes a player, media manager, ripper, tag and sound editor - integrated in a single application'. Not required for Roxio to work properly.	No
RxMon	N	rxmon9x.exe	Part of the Dell Resolution Assistant (RA) - 'a diagnostic program that allows you to contact Dell. When it was factory-installed by Dell, it allowed you to perform hardware and software diagnostics that provided alerts to potential problems and enabled real-time communication with Dell RA techs. Now, you can use RA only to contact Dell by e-mail'	No
RxUser	N	RxUser.exe	Part of the Dell Resolution Assistant (RA) - 'a diagnostic program that allows you to contact Dell. When it was factory-installed by Dell, it allowed you to perform hardware and software diagnostics that provided alerts to potential problems and enabled real-time communication with Dell RA techs. Now, you can use RA only to contact Dell by e-mail'	No
Microsoft Update Machine	X	rxxhost.exe	Detected by Trend Micro as WORM_RBOT.EP and by Malwarebytes as Backdoor.Bot	No
Microsoft Update DLL	X	rxxhost.exe	Detected by Malwarebytes as Backdoor.Bot. The file is located in %System%	No
rybhutpecimi	X	rybhutpecimi.exe	Detected by McAfee as RDN/Generic Downloader.x!hz and by Malwarebytes as Trojan.Agent.US	No
rydanmxe.exe	X	rydanmxe.exe	Detected by Sophos as Troj/Dloadr-AZZ	No
ryiixhp	X	ryiixhp.exe	Detected by Sophos as Troj/IRCBot-ABR	No
rymmytgocagn	X	rymmytgocagn.exe	Detected by Malwarebytes as Trojan.Agent.US. The file is located in %UserProfile%	No
rymuxhuxxick	X	rymuxhuxxick.exe	Detected by Malwarebytes as Trojan.MSIL.HS. The file is located in %UserProfile%	No
rypdubcifobf	X	rypdubcifobf.exe	Detected by McAfee as PWS-Zbot-FAQD!3F27B68103E9 and by Malwarebytes as Trojan.Agent.US	No
rysvizqopyni	X	rysvizqopyni.exe	Detected by Malwarebytes as Trojan.Agent.US. The file is located in %UserProfile% - see here	No
Rytcuyyuvnfwmnwh.exe	X	Rytcuyyuvnfwmnwh.exe	Detected by Malwarebytes as Trojan.FakeAdobe. The file is located in %AppData%	No
SB13mini	X	RYZO32.EXE	Detected by Sophos as W32/Spybot-EJ	No
rz.scr	X	rz.scr	Detected by Sophos as W32/SillyFDC-AY	No
windowsproesssecure	X	RZNwB.exe	Detected by Dr.Web as Trojan.DownLoader10.28932 and by Malwarebytes as Trojan.Agent.E	No
Winds Sersc Agts	X	rzrzncrtz.exe	Detected by Sophos as W32/Rbot-GTV	No
Razer Synapse	U	RzSynapse.exe	Razer Synapse - 'is a groundbreaking application that instantly stores your custom settings and Razer add-ons online in the cloud and lets you retrieve them at will from any location. It completely eliminates the painstaking reconfiguration process and lets you spend more time dominating the competition'	No
Windows Services	X	rzzrpzbyt.exe	Detected by Malwarebytes as Backdoor.Agent.Gen. The file is located in %CommonFiles%Windows0	No
Windows Device Installer	X	rzzvwcjiy.exe	Detected by Malwarebytes as Trojan.Agent. The file is located in %CommonFiles%Windows Device Installer.{GUID}	No
Microsoft	X	r_server.exe	Detected by Dr.Web as Trojan.Siggen5.19909 and by Malwarebytes as Trojan.Agent.MSGen. The file is located in %System%	No
R_server	Y	r_server.exe	Radmin - remote admistrator server. Note - the file is located in %ProgramFiles%Radmin	No
Microsoft	X	r_server.exe	Detected by Dr.Web as Trojan.Siggen5.19909 and by Malwarebytes as Trojan.Agent.MSGen. The file is located in %Windir%	No
r_server	X	r_server.exe	Detected by Sophos as Troj/HacDef-DR. Note - do not confuse with the valid Radmin file with the same name which is located in %ProgramFiles%Radmin. This one is located in %System%	No
Microsoft	X	r_server.exe	Detected by Dr.Web as Trojan.Siggen5.19909 and by Malwarebytes as Trojan.Agent.MSGen. The file is located in %Windir%Windows	No

Notes & Warnings

If you can help identify new entries and verify/identify those entries with a '?' status (especially hardware specific - such as laptops and motherboards) then please E-mail us (startups_at_pacs-portal_dot_co_dot_uk).

'Status' key:

'Y' - Normally leave to run at start-up
'N' - Not required or not recommended - typically infrequently used tasks that can be started manually if necessary
'U' - user's choice - depends whether a user deems it necessary
'X' - Definitely not required - typically viruses, spyware, adware and 'resource hogs'
'?' - Unknown

Variables:

%System% - refers to the System folder; by default this is
- C:WindowsSystem32 (10/8/7/Vista/XP)
- C:WindowsSysWOW64 (64-bit 10/8/7/Vista)
- C:WinntSystem32 (2K)
- C:WindowsSystem (Me/9x)
%Windir% - refers to the Windows installation folder; by default this is
- C:Windows (10/8/7/Vista/XP/Me/9x)
- C:Winnt (2K)
%ProgramFiles% - refers to the Program Files folder; typically the path is C:Program Files or C:Program Files (x86)
%CommonFiles% - refers to the Common Program Files folder; typically the path is C:Program FilesCommon Files
%Root% - refers to the highest directory level on a hard drive - i.e., C:, D:
%UserProfile% - refers to the current user's profile folder; by default this is
- C:Users{user} (10/8/7/Vista)
- C:Documents and Settings{user} (XP/2K)
%AllUsersProfile% - refers to the common profile folder for all users; by default this is
- C:ProgramData (10/8/7/Vista - Note: this directory is hidden by default)
- C:Documents and SettingsAll Users (XP/2K)
%AppData% - refers to the current user's Application Data folder; by default this is
- C:Users{user}AppDataRoaming (10/8/7/Vista)
- C:Documents and Settings{user}Application Data (XP/2K)
%CommonAppData% - refers to the common Application Data folder for all users; by default this is
- C:ProgramData (10/8/7/Vista - Note: this directory is hidden by default)
- C:Documents and SettingsAll UsersApplication Data (XP/2K)
%LocalAppData% - refers to the current user's Local Application Data folder; by default this is
- C:Users{user}AppDataLocal (10/8/7/Vista)
- C:Documents and Settings{user}Local SettingsApplication Data (XP/2K)
%MyDocuments% - refers to the current user's Documents folder; by default this is
- C:Users{user}Documents (10/8/7/Vista)
- C:Documents and Settings{user}My Documents (XP/2K)
%CommonDocuments% - refers to the common Documents folder; by default this is
- C:UsersPublicPublic Documents (10/8/7/Vista - Note: the real path is C:UsersPublicDocuments)
- C:Documents and SettingsAll UsersDocuments (XP/2K)
%Favorites% - refers to the current user's Favorites folder; by default this is
- C:Users{user}Favorites (10/8/7/Vista)
- C:Documents and Settings{user}Favorites (XP/2K)
%CommonFavorites% - refers to the common Favorites folder; by default this is
- C:UsersPublicFavorites (10/8/7/Vista)
- C:Documents and SettingsAll UsersFavorites (XP/2K)
%MyMusic% - refers to the current user's Music folder; by default this is
- C:Users{user}Music (10/8/7/Vista)
- C:Documents and Settings{user}My DocumentsMy Music (XP/2K)
%CommonMusic% - refers to the common Music folder; by default this is
- C:UsersPublicPublic Music (10/8/7/Vista - Note: the real path is C:UsersPublicMusic)
- C:Documents and SettingsAll UsersDocumentsMy Music (XP/2K)
%MyPictures% - refers to the current user's Pictures folder; by default this is
- C:Users{user}Pictures (10/8/7/Vista)
- C:Documents and Settings{user}My DocumentsMy Pictures (XP/2K)
%CommonPictures% - refers to the common Pictures folder; by default this is
- C:UsersPublicPublic Pictures (10/8/7/Vista - Note: the real path is C:UsersPublicPictures)
- C:Documents and SettingsAll UsersDocumentsMy Pictures (XP/2K)
%UserTemp% - refers to the current user's Temp folder; by default this is
- C:Users{user}AppDataLocalTemp (10/8/7/Vista)
- C:Documents and Settings{user}Local SettingsTemp (XP/2K)
%WinTemp% - refers to the Windows Temp folder; typically the path is C:WindowsTemp
%Temp% - refers to either or both of the %UserTemp% and %WinTemp% folders where the location isn't specified, or %Root%Temp
%Templates% - refers to the current user's Templates folder; by default this is
- C:Users{user}AppDataRoamingMicrosoftWindowsTemplates (10/8/7/Vista)
- C:Documents and Settings{user}Templates (XP/2K)
%UserStartup% - refers to the current user's Startup folder; by default this is
- C:Users{user}AppDataRoamingMicrosoftWindowsStart MenuProgramsStartup (10/8/7/Vista)
- C:Documents and Settings{user}Start MenuProgramsStartup (XP/2K)
%AllUsersStartup% - refers to the All User Startup folder; by default this is
- C:ProgramDataMicrosoftWindowsStart MenuProgramsStartup (10/8/7/Vista - Note: this directory is hidden by default)
- C:Documents and SettingsAll UsersStart MenuProgramsStartup (XP/2K)
%Cookies% - refers to the Cookies folder; by default this is (hidden by default)
- C:Users{user}AppDataRoamingMicrosoftWindowsCookies (10/8/7/Vista)
- C:Documents and Settings{user}Cookies (XP/2K)
%Desktop% - refers to the users desktop folder; by default this is
- C:Users{user}Desktop (10/8/7/Vista)
- C:Documents and Settings{user}Desktop (XP/2K)
%Recycled% - refers to the Recyled Bin; by default this is
- %Root%$RECYCLE.BIN (10/8/7/Vista)
- %Root%RECYCLER (XP)
%FilePath% - refers to any folder location

DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. We will not be held responsible if changes you make cause a system failure.

WARNING: This is NOT a list of tasks/processes taken from the Task Manager (CTRL+SHIFT+ESC) 'Processes' tab. This displays some startup programs AND other background tasks and 'Services'. These pages are concerned with startup programs from the common startup locations shown above ONLY. Please do not submit entries collected from this method as they will not be used. For a list of tasks/processes you should try the list at PC Pitstop, the Process Library from Uniblue or one of the many others now available.

Therefore, before ending a task/process via CTRL+SHIFT+ESC just because it has an 'X' recommendation, please check whether it's in the registry or common startup locations first. An example would be 'svchost.exe' - which doesn't appear in either under normal conditions but does via CTRL+SHIFT+ESC. If in doubt, don't do anything.

To avoid the database becoming too large, all malware entries are only shown using the registry version which is common to all Windows versions. Otherwise there would be multiple entries for popular filenames that viruses often use - such as 'svchost.exe' above for example. Multiple malware can also use the same start-up entries, in this case only those with significant differences (such as file location) are repeated in this database.

As more than 25K entries in this database related to malware you should use a quality internet security package. Which ever you choose, keep it updated and get the latest version at least every two years.

There are a number of virus and malware entries listed in this database where specific removal instructions haven't been given. If this is the case then you could try ComboFix, a program written by sUBs that can remove many different types of Trojans and Worms. See here for a tutorial on how to use the program.

NOTE: A number of entries are repeated due to the way that different operating systems display startup items. For example, WinMe lists 'POPROXY.EXE' as 'Norton eMail Protect' in both MSCONFIG and the registry whereas WinXP lists it as 'Poproxy' in MSCONFIG and 'Norton eMail Protect' in the registry.

SERVICES: 'Services' from the Windows 8/7/Vista/XP/2K/NT operating systems are not included. We fully understand that some programs with these OS's use 'Services' as an alternative to load their component parts at startup but these are handled in a different way. We recommend you try BlackViper for information on services for the relevant operating systems.

Copyright

Presentation, format & comments Copyright © 2001 - 2019 Pacman's Portal
Portions Copyright © Peter Forrest, Denny Denham, Sylvain Prevost, Tony Klein, CastleCops & Bleeping Computer
Powered by Malwarebytes
All rights reserved

Site Map

Home

The Download Now link will download a small installer file to your desktop. Remain online and double-click the installer to proceed with the actual download.

CyberLink PowerDVD can not only process traditional DVDs and Blu-ray, but it also supports digital video formats such as MKV, H.264, 3D , and even 4k. This new build, version 15, also supports online video from providers like YouTube and Vimeo, or you can upload your own on CyberLink Cloud. The suite, although pricey, offers a home-theater experience for those who consume a lot of media on the go.

Pros

Optimized media: CyberLink PowerDVD's TrueTheater Smart Enhancement can automatically optimize your video and audio quality. Skin tones appear more lifelike, and movies' black levels are richer, thanks to customized adjustments in hue and saturation from TrueTheater Color. Video noise reduction removes the haziness effect of compression found in many online videos, delivering a more vibrant picture. Video enhancement works on movies under 2,048 pixels x 1,152 pixels, making it compatible with most FullHD sources.

Auto-tune your audio: TrueTheater Sound applies smart tweaks to give your audio a boost. The enhancements bring a deeper bass level, immersive ambient sound, better vocals, and captivating surround-sound effects. The optimization is more noticeable on audio headsets but can improve audio quality on standard speakers, too.

The Swiss Army Knife player: PowerDVD 15 can process a large amount of video, audio, and image formats. Using your hardware memory, the player churns out 4k video without stutter. PowerDVD also allows you to view high frame-rate videos (from 120 frames per second, up to 240 fps), like those made by the new iPhone 6 or GoPro without Apple iMovie. We appreciate the direct NAS playback and DLNA support.

Watch longer using less power: PowerDVD performs admirably without wasting system resources. Better power consumption means longer battery life for your devices.

A DVR for online streams: Download YouTube or Vimeo movies to watch offline at your convenience. Hear a song that you like? PowerDVD can rip audio tracks for later listening. CyberLink Cloud allows you to store videos, sync music, make playlists, and stream them directly wherever you are. TrueTheater enhancements are also available for online videos.

Cons

Buying a ticket to your own show: With so many free options out there, it can be hard to justify paying for a media player. Cineastes will want to pony up for the premium version, as PowerDVD greatly enhances your entertainment when hardware is limited to your laptop and a mobile device. PowerDVD Standard is pretty minimal, missing many important features like Blu-Ray playback. It's more cost-effective to splurge for the Pro or even Ultra option.

Free Download Powerdvd Se Dvd Decoder Xp Free Download

Bare-bones Web search: PowerDVD may support YouTube and Vimeo, but search functionality leaves much to be desired. Keywords bring up video thumbnails without information, like dates and view counts. Unless you already know which video you would like to view, copying and pasting direct URLs from the services' respective Web searches was the best way to get to your content on PowerDVD. CyberLink also allows you to log in to your accounts, but managing them still requires a browser.

Bottom Line

If you're in the market for a more sophisticated video watching experience, PowerDVD delivers. With its Smart Enhancement and TrueTheater technology, CyberLink delivers a cinematic experience without the expensive hardware.

CyberLink PowerDVD Preview

A Dress Of White Silk Richard Matheson Pdf Printer

Ping Golf Club Serial Number Check

Comments are closed.