If you're not finding what you're looking for please go to this forum and submit a new startup entry.

Key:

  • "Y" - Normally leave to run at start-up
  • "N" - Not required - typically infrequently used tasks that can be started manually if necessary
  • "U" - User's choice - depends whether a user deems it necessary
  • "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
  • "?" - Unknown



Status | Startup Name, Process Name | Details
U | anvshellanvshell.exe | System Tray tool for ASUS video cards. If disabled you lose all the ASUS specific video card options in Control Panel -> Display Properties -> Advanced as well as the System Tray shortcuts toolbar
N | ASUSKeyV38SHELL.EXE | System tray Icon for quickly changing video modes
U | CFi ShellToys Utility ManagerCFiShlMan.exe | Manager for CFi ShellToys from Cool Focus International Ltd - which "puts all the tools you need right where you need them - just a click away on your context menu. Right-click one or more files or folders
X | CmdShell.exeCmdShell.exe | Added by the BCKDR-QHY BACKDOOR!
X | defaultshell32.exe | Added by the BINGHE TROJAN!
X | DirectX shell driver[path to trojan] | Added by the MARKTMAN-B TROJAN!
X | Explorershellexpl.exe | Added by the SHELDOR TROJAN!
X | Explorershellexp.exe | Added by the AGENT-ZY TROJAN!
X | Hardware Shell DetectionWinHSD.exe | Added by a variant of the RBOT WORM!
? | I81SHELLI81SHELL.exe | Appears to be related to drivers for an Intel 810 graphics chipset on an ASUS motherboard
X | Installed shell32.dllOffice.exe... | Added by the LOVGATE.AO WORM!
X | Installed shell32.dllOffice.exe | Added by the LOVGATE.E WORM!
X | LSA Shell (Export Version)LSASS.exe | Added by the AHKER.K WORM and variants. Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%
X | LSA Shellulsass.exe | Added by the AUTORUN-CW WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %UserProfile%
X | LSAShelllsass.exe | Added by the DAPROSY WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%
X | LTSMSGShell32.exe | Added by the LEMIR.B TROJAN!
X | Microsoft IE Execute shellIEExec.exe | Added by the ALADINZ.N TROJAN!
X | MicrosoftShellShellcomm.exe | Added by the BANCBAN-QG TROJAN!
U | MirrorFolderShellmrfshl.exe | MirrorFolder backup software
X | nah_Shellnah_cord.exe | Added by the HANAMBOT TROJAN!
X | NvCplDaemon32anvshell32.exe | Added by the VB-XU TROJAN!
X | orderShellorder****.exe [* = random char] | Added by the DLOADR-UN TROJAN!
X | order_Shellorder_smey.exe | Added by the BANKSNIF-H TROJAN!
X | order_Shellorder_****.exe [* = random letter] | Added by the AGENT.ARO TROJAN!
X | order_Shellorder_glsw.exe | Added by the DLOADR-KO TROJAN!
X | order_Shellorder_pgum.exe | Added by the AGENT-BSQ TROJAN!
X | PTSShellPTSShell.exe | Added by the WINKO.AO WORM!
X | ravshellexpl0rer.exe | Added by the DLOADER.MAR TROJAN!
X | Ravshellexplore3.exe | Added by the PAKES.HZ TROJAN!
X | RavshellIEXPLORER.EXE | Added by the AGENT.URZ TROJAN! Note - this is not the legitimate Internet Explorer (iexplore.exe)
X | Ravshellrund1132.exe | Added by the AGENT.OKZ TROJAN!
X | Ravshellsvch0st.exe | Added by the NSPM.PU TROJAN! Notice the digit "0" in the filename rather than the lower case "O"
X | ravshell1explore.exe | Added by the DLOADER.MJF TROJAN!
X | ravshelliexpl0re.exe | Added by the NOFERE-A TROJAN! Note the number "0" in the filename
X | Secure32Shell32.com StartUp | Added by the BRONTOK-CJ WORM!
X | ShellShell32.exe | Added by the BADSECTOR TROJAN!
X | Shellray.exe | Homepage hijacker re-directing browsers to adult content websites
X | ShellTray.exe | Homepage hijacker re-directing browsers to adult content websites
X | Shellwmedia16.exe | Added by the GOLDUN TROJAN!
X | ShellOpen32.exe | Added by the SMALL-DL TROJAN!
X | ShellExplorer.exe sound_drive16.exe | Added by the GP BACKDOOR! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "sound_drive16.exe" file is located in %System%
X | Shell | Explorer.exe msmsgs.exe
X | ShellExplorer.exe svchost.exe | Added by the DOYORG BACKDOOR! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The legitimate svchost.exe process is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%
X | shellexplorer.exe | Added by the KAKKEYS TROJAN! Note - the legitimate Windows Explorer (same filename) is located in %Windir% and would not normally appear in Msconfig/Startup unless you added it manually! This one is located in %System%
X | ShellExplorer.exe iexplore.exe | Added by the KIPIS-U WORM! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The legitimate Internet Explorer (iexplore.exe) is always located in %ProgramFiles%\Internet Explorer and should not normally figure in Msconfig/Startup! This one is located in %System%\Microsoft
X | Shellibm0000*.exe [* = digit] | Added by the TORPIG-C and TORPIG-J TROJANS! Filenames spotted include ibm00001.exe
X | Shelltaskmrg.exe | Added by the BANCBAN-FT TROJAN!
X | ShellExplorer.exe winupdate.exe | Added by the AGENT-FD TROJAN! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "winupdate.exe" file is located in %System%
X | ShellExplorer.exe [path] ibm[RANDOM 5 DIGIT NUMBER].exe | Added by the ANSERIN TROJAN! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files
X | Shellsvchost.exe | Added by the GOLDSPY-B TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%
X | Shellibm00001.dll | Added by the TORPIG-Q TROJAN!
X | Shellwmedia32.exe | Added by the AGENT-BR TROJAN!
X | ShellExplorer.exe winsys32.exe | Added by the DELF.CP BACKDOOR! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "winsys32.exe" file is located in %Windir%
X | ShellWin32.dll.exe | Added by the VB.BTX TROJAN!
X | Shelltaskmam.exe | Added by the BANCBAN-OL TROJAN!
X | Shellexplorer.exe msbnc.exe | Added by the AGENT-PL BACKDOOR! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "msbnc.exe" file is located in %System%
X | ShellExplorer.exe kbdsys.exe | Added by the DAPROSY WORM! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "kbdsys.exe" file is located in %AppData%\Microsoft\Keyboard
X | Shellsmsc.exe | Added by the BANCBAN-OY TROJAN!
X | ShellExplorer.exe init32m.exe | Added by the DLSW-B TROJAN! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "init32m.exe" file is located in %System%
X | ShellExplorer.exe smssnt.exe | Added by the AGOBOT.EE TROJAN! Note - do not delete the legitimate Windows Explorer (explorer.exe) which is located in %Windir% and can be used to launch other files. The "smssnt.exe" file is located in %System%
X | Shell API32svcnet.exe | Added by the TIBICK.C WORM!
X | Shell Extensionspollsv.exe | Added by the LOVGATE.Z WORM!
X | Shell Tray WindowShellTraywnd.exe | Added by the STULTDOR-A TROJAN!
X | shell updateshellexec.exe | Added by the RBOT-ANC WORM!
X | Shell.exeShell.exe | Added by the EMERLEOX.S WORM!
X | Shell32Shell32.vbs | Added by the SCAFENE WORM!
X | shell32ntldrt.exe | Added by the JLOK-A WORM!
X | Shell32iexplore.exe | Added by the IRCBOT-AY BACKDOOR! Note - this is not the legitimate Internet Explorer (iexplore.exe) which is always located in %ProgramFiles%\Internet Explorer and should not normally figure in Msconfig/Startup! This one is located in %System%
X | Shell32explorer.exe | Added by the SDBOT-NF WORM! Note - the legitimate Windows Explorer (same filename) is located in %Windir% and would not normally appear in Msconfig/Startup unless you added it manually! This one is located in %System%
X | ShellApiSHELLMSN.EXE | Added by the NETDEV.B TROJAN!
X | Shellapi32Shellapi32.exe | Added by the NETDEVIL (or NERTE) TROJAN!
X | Shellapi32mcvsrte.exe | Added by an unidentified WORM! Note - do not confuse with the McAfee SecurityCenter file of the same name
X | shellbn[random].dll | SoftStop rogue security software - not recommended
X | shellbnshlext32.exe | Malware installed by different rogue security software including SpyKillerPro and the XP AntiVirus series
X | ShellCommand[path to file] | Added by the REMCON-A TROJAN!
X | ShelldaemonShelldaemon.exe | Added by a variant of the AGENT.ALN TROJAN!
X | ShellExShellEx.exe | Added by the ANAKHA TROJAN!
X | ShellNisca.exe | Added by the IBILL.Z TROJAN!
X | ShellOSA+++.exe | Added by the AV TROJAN!
X | ShellRunlexplore_.exe | Added by the MSNOPT-A TROJAN!
X | ShellRun32iexplore.exe | Added by the IRCBOT-AY BACKDOOR! Note - this is not the legitimate Internet Explorer (iexplore.exe) which is always located in %ProgramFiles%\Internet Explorer and should not normally figure in Msconfig/Startup! This one is located in %System%
X | Shellspllsas.exe | Added by the YALER-A TROJAN!
X | Shellsplspools.exe | Added by the PROXAGE-A TROJAN!
X | shellsystemshellsystem.exe | Added by the UPCHAN TROJAN!
X | SMSERIALWORKERSTARTshellexcon.exe | Added by the FAKEALERT-AH TROJAN! Installed with the SpyBurner spyware remover - which is not recommended
X | SOProc_RegSoAlertWxLiteNnAj | rundll32 shell32.dll ShellExec_RunDLL [path] soproc.exe
X | Time Zone Synchronizationwscript zshell.js | Added by the NETDEX-A TROJAN!
U | UBSShellUBSShell.exe | UBS (United Bank of Switzerland) banking software
? | V66SHELLV66SHELL.EXE | It looks to be part of the display driver set for ASUS V3800
X | WINehshell.exe | Added by the MYTOB-CQ WORM!
X | Windows Explorer ShellWinexec32.exe | Added by the REDIST.B WORM!
? | Windows shellwin70.exe | ??
X | Windows Shellshell.exe | Added by the MYTOB-CA WORM!
X | Windows Shelltaskgmr.exe | Added by the MYTOB.BV WORM!
X | Windows Shell Library Loaderload shell.dll | CoolWebSearch parasite variant
X | windows shellext.32mschost.exe | Added by the BLASTER.K WORM!
X | Windows Update System Shellsvhostcs32.exe | Added by the RBOT-AAZ WORM!
X | Winlogon ShellExplorer.exe svchost.exe | Added by the KIPIS.M WORM! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a "1032" sub-folder
X | winrarshellwinrarshell32.exe | Added by the SALIRA TROJAN!
X | Winshellremote.exe | Added by the MYTOB.LJ WORM!
X | winshellwindll32lib.exe | Added by the BAGLE-DM WORM!
? | WOOKITShell.exe appLaunchClientZone.shl | Related to the Wanadoo broadband ISP (now rebranded as Orange). What does it do and is it required?
X | xrt_Shellxrt_****.exe | XRT spyware
X | xrt_Shellxrt_brel.exe | Added by the AGENT.AJAT BACKDOOR!
X | [random number] | rundll32.exe shell32.dllControl_RunDLL [random number].cpl


DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.