Support Forum Articles File Help Startup DB Tips Service DB Hijack This! Analyzer

 

NEW HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!

If you're not finding what you're looking for please go to this forum and submit a new startup entry.

Key:

  • "Y" - Normally leave to run at start-up
  • "N" - Not required - typically infrequently used tasks that can be started manually if necessary
  • "U" - User's choice - depends whether a user deems it necessary
  • "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
  • "?" - Unknown



Startup Name Process Name Details
X(Default)llsass.exe"Added by the PROXY-GG TROJAN! Note - this malware actually changes the value data of the ""(Default)"" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank"
X.TEXTCONVlsass.exe"Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which should not normally figure in Msconfig/Startup!"
X.WMAudiolsass.exe"Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which should not normally figure in Msconfig/Startup!"
X1lsass.scr"Added by the BANCOS.V TROJAN!"
XAASSKK2LSASS.EXE"Added by the SILLYFDC.BDB WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %AppData%"
XBuildLabslsass.exe"Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which should not normally figure in Msconfig/Startup!"
XccpAppslsass.exe"Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which should not normally figure in Msconfig/Startup!"
XDarKNesS LsasSLsasS23.exeAdded by an unidentified WORM or TROJAN!
XFriendlyTypelsass.exe"Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which should not normally figure in Msconfig/Startup!"
XGeneric Host Processlsassw.exe"Added by the AGOBOT-N WORM!"
Xilassslsass.exe"Added by the INJECT-GZ TROJAN! Note - the legitimate lsass.exe process should not normally figure in Msconfig/Startup!"
Xinternetlsass.exe"Added by the DSPY-A TROJAN! Note - this is not the legitimate lsass.exe process which should not normally figure in Msconfig/Startup!"
XKeyboardlsass.exe"Added by the AGENT.US WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %CommonAppData%\Fearghus"
XLexmark_X79-55lsasss.exe"Added by the ZONEBAC TROJAN!"
XLocal Authority Servicelsass.exe"Added by the MARKTMAN-C TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XLogServicelsass.exe"Added by the BDOOR-IU BACKDOOR! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XLSA ServiceLSASS.exe"Added by the AHKER.G WORM! Note - this is not the legitimate lsass.exe process
XLSA Shell (Export Version)LSASS.exe"Added by the AHKER.K WORM and variants. Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XLSA Shellulsass.exe"Added by the AUTORUN-CW WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %UserProfile%"
XLSAShelllsass.exe"Added by the DAPROSY WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
Xlsasslsass.exe"Added by the RATSOU.B TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\Debug\UserMode"
Xlsassstart.bat"Added by the ZCREW TROJAN!"
Xlsass[path to lsass.exe]"Added by the ALADINZ.F TROJAN! Note - this is not the legitimate lasss.exe process which should NOT appear in Msconfig/Startup!"
Xlsasslsasrv.exe"Added by the MYDOOM.AG or MYDOOM.AS or MYDOOM.AU WORMS!"
XLsasswoekd.exeAdded by an unidentified WORM or TROJAN!
Xlsasselite***32.exe"EliteBar adware"
XLsassLsass.exe"Added by the ALCOP-B WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XLsassLsass.exe"Added by the VOUMIT-A WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Root%\mirc32"
XLsasSSygate.exe"Added by the SDBOT.BCA WORM!"
XLsasskavmm.exe"Added by an unidentified WORM or TROJAN! NOTE - do NOT confuse with the legitimate Kaspersky antivirus module as described here. Contrary to this impostor
XLsassLSASS.EXE"Added by the PUNYA-B WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %AppData%"
XLSASS 32ISASS32.pif"Added by the ASSIRAL-C WORM!"
XLsass 32 Managerlsass32.exe"Added by the SDBOT.EOG WORM!"
Xlsass 32-biTlsass32.exe"Added by the RBOT.QGC WORM!"
XLSASS Authoritylshosts32.exe"Added by the SDBOT-UY TROJAN!"
XLSASS Authoritylsvhosts.exe"Added by the SDBOT.BCE WORM!"
XLSASS DaemonLSASSd.exe"Added by a variant of the AGOBOT/GAOBOT WORM!"
Xlsass servicelsass2.exe"Added by a variant of the AGOBOT/GAOBOT WORM!"
Xlsass16lsass16.exe"Added by the BANKER-BXX TROJAN!"
Xlsass2k Updatelsass2k.exe"Added by a variant of the RBOT WORM!"
XLSASS32Isass32.exe"Added by the KELVIR.M WORM!"
Xlsass32lsass32.exe"Added by the LYDRA-B TROJAN!"
Xlsass64BiT.exelsass64BiT.exe"Added by the FORBOT-CK WORM!"
Xlsassiglsassig.exe"Added by the BANCOS-EC TROJAN!"
Xlsassslsasss.exe"Added by the GEEKMY-A TROJAN!"
Xlsasss.exelsasss.exe"Added by the SASSER.E WORM!"
XMicrosoftlsass.ppf"Added by the RBOT-GAA WORM!"
XMicrosoft Authority Servicelsass.exe"Added by the KALEL-D WORM! Note - this is not the legitimate lsass.exe process
XMicrosoft Lsass CenterIsass.exe"Added by a variant of the SDBOT WORM!"
XMicrosoft Lsass Centertelecomes.exe"Added by a variant of the RBOT WORM! See here"
XMicrosoft Lsass Managerlsass.exe"Added by a variant of the SDBOT WORM! Note - this is not the legitimate lsass.exe process
XMicrosoft Lsass Servicewintcp32.exe"Added by a variant of the IRCBOT TROJAN!"
XMicrosoft LSASS386 Protocolscvhost32.exe"Added by a variant of the SPYBOT WORM!"
XMicrosoft Server Applacationslsasss.exe"Added by the RBOT-AQQ WORM!"
XMicrosoft Update Machinelsasse.exe"Added by the RBOT-DI WORM!"
XMicrosoft UPDATER32lsass.exe"Added by the RANDEX.AR WORM! Note - this is not the legitimate Lsass.exe system file should normally NOT figure in Msconfig/Startup!"
XMicrosoft UPDATER32LSASS32.EXE"Added by the RANDEX.AR WORM!"
XMicrosofts Updateslsasss.exe"Added by the RBOT-AEX WORM!"
XMicrosoftSourceSafelsass.exe"Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which should not normally figure in Msconfig/Startup!"
XMS lsass Startuplsass135.exe"Added by the RBOT.WM WORM!"
XMS Security Authority Servicelsass.exe"Added by the KALEL-B WORM! Note - this is not the legitimate lsass.exe process
XMSNlsass32.exe"Added by a variant of the IRCBOT BACKDOOR! See here"
XMsnmsgr.exelsass.exe"Added by the DWNLDR-GWE TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in the root directory (i.e. C:\ or D:\)"
Xmsupdater25lsasser.exe"Added by the RBOT-ATS WORM!"
XNDIS Adapterlsass2.exe"Added by the WOOTBOT.CW WORM!"
XNortonAntivirusLSASS.exe"Added by the PEXMOR WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\Temp"
XNviDiaGTlsass.exe"Added by the AUTORUN-DV WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ~A~m~B~u~R~a~D~u~L~ subfolder"
XProglsass.exe"Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which should not normally figure in Msconfig/Startup!"
XRegDoneExlsass.exe"Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process which should not normally figure in Msconfig/Startup!"
XRsWinlsass.exe"Added by the DELCANTI-B TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""12053"" subfolder"
XRsWinlsass.exe"Added by the SILLY.BR WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""4350"" subfolder"
XRTHDBPLlsass.exe"Added by the ROUTROBOT WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %AppData%\SystemProc"
XRunnerlsass.exe [trojan filename]"Added by the DROWSY-B TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XRunnerlsass.exe"Added by the ADCLICK-AG TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XServices Controllerlsassa.exeAdded by the CIADOOR.122 VIRUS!
XServicesLoadlsass.exe"Added by the DEARIS-A TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XSondBlasterlsass.exe"Added by the PROSTI.AA BACKDOOR! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\Media"
Xsystemlsasse.exe"Added by the RBOT-YL WORM!"
Xsystemlsass.exe"Added by the SATILOLER.B TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %ProgramFiles%\Common Files\System"
XSystem Analyzerlsass32.exe"Added by the SDBOT.CNI WORM!"
XSystem HandlerLSASS.EXE"Added by the NIMOS WORM! Note - this is not the legitimate lsass.exe process
XSystem Kernellsass.exe"Added by the VBBOT-G TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XSystem Monitoringlsass.exe"Added by the BRONTOK-BS WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in Documents and Settings\<User>\Local Settings\Application Data\WINDOWS"
XSystem Processlsass.exe"Added by the ADCLICK-AG TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XSystem32lsasss.exe"Added by the RBOT-XW WORM!"
XTaskLSASS.EXE"Added by the PUNYA-A WORM! Note - this is not the legitimate lsass.exe process
XToPLSASS.exe"Added by the WOWCRAFT.C TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XTraybarlsass.exe"Added by the MYDOOM.L WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XUpdatelsass.exe"Added by the ADCLICK-AG TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XUserinitlsass.exe"Added by the VIRAN-A TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Program Files%\Common Files%\System"
XViSulaBaCislsass.exe"Added by the AUTORUN.DIB WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ~A~m~B~u~R~a~D~u~L~� subfolder"
XWinDLL (slsass.exe)"rundll32.exe slsass.exestart"
XWindows Authority Servicelsass.exe"Added by the KALEL-E WORM! Note - this is not the legitimate lsass.exe process which should not normally figure in Msconfig/Startup!"
XWindows auto updateLSASS.exe"Added by the AHKER.G WORM! Note - this is not the legitimate lsass.exe process
XWindows Recavery Adwarelsass.exe"Added by an unidentified TROJAN - see here. Note - this is not the legitimate lsass.exe process
XWindows Security Authority Servicelsass.exe"Added by the KALEL-A WORM! Note - this is not the legitimate lsass.exe process
XWindows Security Policylsass32.exe"Added by the AGOBOT-CR WORM!"
XWindows Svchost Authorityslsass.exe"Added by the RBOT-UA WORM!"
XWindows System32 Driverclsass32.exe"Added by the SDBOT-AGG WORM!"
XWindows Taskmanagerlsassx.exe"Added by the KELVIR.E WORM!"
XWindows Updateslsassx.exe"Added by a variant of the SDBOT WORM!"
XWindowsFirewalllsass.exe"Messenger Blocker rogue security software - not recommended. Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %ProgramFiles%\Common Files\System"
XWindowsUpdatelsassslsasss.exe"Added by a variant of the AGENT-HZ TROJAN!"
XWindows_LowLevel_Security_Corelsass.exe"Added by the PADMIN-A TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\Repair"
XWinExecLsass.exe"Added by the CRUTLE-B WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XWinlogonLsass.exe"Added by the ALCOP-B WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%"
XWinLsassservicec.exe"Added by the SCANE WORM!"
XWinLsass[path to trojan]"Added by the SCANE WORM!"
XWinXPServicelsass.exe"Added by the ZAPCHAS-AS TROJAN! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in a ""Lavan"" subfolder"
Xwlsasswlsass.exe"Added by the RANKY.CY TROJAN!"
XZincgrubIncLsass.exe"Added by the VOUMIT-A WORM! Note - this is not the legitimate lsass.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Root%\mirc32"
X[random]lsass.scr"Added by the BANCBAN-CW TROJAN!"


DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.