Bad - Remove almost always
OK Most of the time - don't need to touch
Probably not needed - Safe to remove
Generally harmless - third party applications
Bad if you don't know what it is
Unknown Item - Investigate further

Logfile of Trend Micro HijackThis v2.0.4
Up To Date Version of HijackThis
You are using the latest version of HijackThis. Check www.merijn.org frequently for updates.

Scan saved at 9:10:38 AM, on 03-10-11
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
Smss.exe
What is it?
Session Manager SubSystem - smss.exe

What does it do?
smss.exe - This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

Additional Reading:
Smss.exe does not resolve forward references in environment

You will not be able to end this through task manager!

Virus Precaution:

The smss.exe which is from Microsoft is located at C:\WINDOWS\System32\smss.exe. We've been able to find several viruses that run as smss to trick you.

Adware.Advision - Symantec Corporation
Adware.DreamAd - Symantec Corporation
Backdoor.IRC.Aladinz.O - Symantec Corporation
Backdoor.IRC.Flood.F - Symantec Corporation
W32.Dalbug.Worm - Symantec Corporation
W32.Resdoc - Symantec Corporation

C:\WINDOWS\system32\winlogon.exe
Winlogon.exe
What is it?
Windows Logon Process - Winlogon.exe

What does it do?
Direct quote:
This is the process responsible for managing user logon and logoff. Moreover, Winlogon is active only when the user presses CTRL+ALT+DEL, at which point it shows the security dialog box.

Virus Precaution:
The original Winlogon.exe from Microsoft gets placed in the C:\WINDOWS\System32 directory. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. We've been able to find only 1 report of a virus so far.

Troj/Madr-B @ Sophos
Netsky.D @ Trend Micro

C:\WINDOWS\system32\services.exe
services.exe
services.exe is a part of Windows that manages the processes. Anytime a service starts or stops it is through services.exe. During system startup and shutdown is when this process sees most of its action. You should never end this process unless it is running outside of your windows system folder.

C:\WINDOWS\system32\lsass.exe
lsass.exe
What is it?
Local Security Authentication Server - lsass.exe

What does it do?
lsass.exe - It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

You will not be able to end this through task manager!

The lsass.exe which is from Microsoft is located at C:\WINDOWS\System32\lsass.exe. There are a few viruses that have been found to run as lsass.exe to hide from you.

C:\WINDOWS\system32\svchost.exe
Svchost.exe

What is it?
Service Host Process - svchost.exe

What does it do?

Here's a direct quote from Microsoft about this:
Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

If you're running Windows XP Home edition then you'll have to download this file HERE and put it in your windows\system32 directory. If you're running XP Pro then you won't need that file since you already have it.

1.) Start --> Run --> cmd
2.) Tasklist /svc >C:\ianaginfo.txt

Here's an example of what I got when I issued this command, if you'd like to take a look.

A Description of Svchost.exe in Windows XP:
http://support.microsoft.com/?kbid=314056

Virus Precaution:
The original file from Microsoft gets placed in the C:\WINDOWS\System32 directory. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses.


C:\WINDOWS\system32\svchost.exe
Svchost.exe
Service Host Process - svchost.exe. This is another instance of the same host process; see the first svchost.exe entry above for the full description and virus precaution.


C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
smc.exe

What is it?
Sygate Firewall - smc.exe

What does it do?
smc.exe - This is the firewall process that protects you from internet based attacks. I personally have not used this firewall since I use Zone Alarm.

Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of smc.exe is C:\PROGRAMAS\SYGATE\SPF\SMC.EXE


C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
ccSvcHst.exe
We Don't know! Please post a comment with information about this file

C:\Program Files\Fortinet\FortiClient\scheduler.exe
scheduler.exe
scheduler.exe - This is from Leader Technologies; it reminds a person to register a product and is non-essential.

C:\Program Files\Fortinet\FortiClient\FCDBLog.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Fortinet\FortiClient\fcappdb.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Fortinet\FortiClient\FortiProxy.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\system32\spoolsv.exe
Spoolsv.exe
What is it?
SPOOLer SerVice - spoolsv.exe

What does it do?
spoolsv.exe - The spooler service is responsible for managing spooled print/fax jobs

You will be able to end this through task manager!

Virus Precaution:
The spoolsv.exe which is from Microsoft is located at C:\WINDOWS\System32\spoolsv.exe. We've been able to find several viruses that run as spoolsv to trick you.

Backdoor.Ciadoor.B - Symantec Corporation
Hacktool.Privshell - Symantec Corporation
VBS.Masscal.Worm (vbs) - Symantec Corporation
Graybird-A @ Sophos

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\system32\dllhost.exe
DLLhost.exe

What is it?
DCOM DLL Host Process - dllhost.exe

What does it do?
dllhost.exe - DCOM DLL host process supports DLL-based COM objects and is used by many Windows programs. .NET Runtime and IIS are probably the two most common applications that use this process.

What's DCOM? "A wire protocol that enables software components to communicate directly over a network"

Virus Precaution:
The original file from Microsoft is placed at C:\WINDOWS\System32\dllhost.exe. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. There's only one unique virus found through this search. All of the results are the various names of this single virus.

Nachia-A @ Sophos


C:\WINDOWS\system32\Dfssvc.exe
dfssvc.exe
All of us paranoid people keep a very close eye on what processes are running in the background. I already took a look at

Alg.exe
csrss.exe
Dfssvc.exe
dwwin.exe
internat.exe
lsass.exe
msdtc.exe
smss.exe
spoolsv.exe
svchost.exe

Today I'm hoping to explain to you guys what dfssvc is.

What is it?
Distributed File System

What does it do?
Microsoft Distributed File System does for servers and shares what file systems do for hard disks. File systems provide uniform named access to collections of sectors on disks; Dfs provides a uniform naming convention and mapping for collections of servers, shares, and files. Thus, Dfs makes it possible to organize file servers and their shares into a logical hierarchy, making it considerably easier for a large corporation to manage and use its information resources. In addition, Dfs is not limited to a single file protocol and can support the mapping of servers, shares, and files, regardless of the file client being used, provided that the client supports the native server and share.

You CAN end this process through task manager!

Virus Precaution:
The dfssvc.exe which is from Microsoft is located in the C:\WINDOWS\System32 folder. We've been unable to find any threats that run as dfssvc to trick you.

C:\WINDOWS\system32\tcpsvcs.exe
tcpsvcs.exe

What is it?

Microsoft TCP/IP Networking - tcpsvcs.exe

What does it do?

tcpsvcs.exe is an essential service for Windows systems using the TCP/IP protocol, and is required to run such components as DHCP and network printing. It is a very important file and should not be tampered with.

Virus Precautions

There does not seem to be any major viruses or trojans associated with tcpsvcs.exe, however you can keep updated via this Google search.


C:\WINDOWS\System32\dns.exe
dns.exe

What is it?

dns.exe is associated with the microsoft windows DNS application.

What does it do?

A DNS or "domain name service" provides a database to link domain names to IP addresses and MAC addresses across the internet so that routers and internetworking hardware can connect the dots from point a to point b.


C:\WINDOWS\System32\svchost.exe
Svchost.exe
Service Host Process - svchost.exe. This is another instance of the same host process; see the first svchost.exe entry above for the full description and virus precaution.


C:\Program Files\FolderSize\FolderSizeSvc.exe
FolderSizeSvc.exe
We Don't know! Please post a comment with information about this file

C:\WINDOWS\System32\ismserv.exe
ismserv.exe

What is it?

ismserv.exe is associated with the Intersite Messaging Windows Server application.

What does it do?

Allows users to send messages between two servers supporting ismserv.


C:\Program Files\Java\jre6\bin\jqs.exe
jqs.exe
jqs.exe - Java Quick Starter which is basically used to increase the startup time of Java applets and applications.

C:\Program Files\Symantec\LiveUpdate Administrator\pgsql\bin\pg_ctl.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\LiveUpdate Administrator\tomcat\bin\tomcat5.exe
tomcat5.exe
We Don't know! Please post a comment with information about this file

C:\Program Files\Symantec\LiveUpdate Administrator\pgsql\bin\postgres.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\MDaemon\APP\MDAEMON.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\LiveUpdate Administrator\pgsql\bin\postgres.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\LiveUpdate Administrator\pgsql\bin\postgres.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\system32\ntfrs.exe
ntfrs.exe

What is it?

ntfrs.exe is associated with a windows system file "NT file replicating service"

What does it do?

Used to keep files synchronised between multiple servers for several reasons.

More info:

Needed for server-related tasks.


C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN\WSSADMIN.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN\SPWRITER.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
sqlwriter.exe
We Don't know! Please post a comment with information about this file

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
rtvscan.exe

What is it?
Real Time Virus scan (Symantec Security) - rtvscan.exe


What does it do?
Symantec Internet Security Suite takes Norton AV to another level and scans files as they enter your system instead of the usual scan right after they hit your system. You should not end this process if you have it running.

Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of this file is C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


C:\MDaemon\APP\CFEngine.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\MDaemon\WebAdmin\WebAdmin.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\RealVNC\VNC4\WinVNC4.exe
WinVNC4.exe
WinVNC4.exe is a part of WinVNC which is a remote desktop type application.

C:\WINDOWS\System32\svchost.exe
Svchost.exe
Service Host Process - svchost.exe. This is another instance of the same host process; see the first svchost.exe entry above for the full description and virus precaution.


C:\WINDOWS\System32\svchost.exe
Svchost.exe
Service Host Process - svchost.exe. This is another instance of the same host process; see the first svchost.exe entry above for the full description and virus precaution.


C:\WINDOWS\system32\CNAB4RPK.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\MDaemon\SpamAssassin\MDSpamD.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\LiveUpdate Administrator\pgsql\bin\postgres.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\Explorer.EXE
explorer.exe

What is it?
Windows Explorer - explorer.exe

What does it do?
explorer.exe - Below is a direct quote from Microsoft found on THIS page:

This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system.

I have found that stopping this process is needed sometimes to stop some other processes.

Virus Precaution:
The original file from Microsoft gets placed at C:\WINDOWS\System32\explorer.exe. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. There's only one unique virus found through this search. All of the results are the various names of this single virus.

Deloder-A @ Sophos
MyDoom.B @ Symantec


C:\Program Files\Symantec\LiveUpdate Administrator\pgsql\bin\postgres.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccApp.exe
What Is It?
Norton Security - ccApp.exe
What Does it Do?
ccapp.exe - This is one of MANY processes that are used by Norton Security (AV + Net Security). If it's under the appropriate directory you'll have nothing to worry about. If you're experiencing slowdowns you'll want to upgrade your hard drive and/or your RAM. Norton is a resource hog.
This process is referred to as Common Client App which is also used by auto protect and email checking.

Virus Precautions:
The normal location of ccapp.exe is: C:\Program Files\Common Files\Symantec Shared\ccapp.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe
UnlockerAssistant.exe
UnlockerAssistant.exe is part of Unlocker, a program that is fantastic for removing files that give you various error messages when you try to delete them. This app will close a file that is being used by other applications, so you do have to be careful when you use it.

Sadly this free program can install some crap you don't want if you are not paying attention during the install process.

C:\WINDOWS\system32\ctfmon.exe
ctfmon.exe
What is it?
Language bar AKA Alternative User Input Services - ctfmon.exe

What does it do?
ctfmon.exe - it's an ever-annoying helper tool that pops up rather unexpectedly at times and is liked by nearly nobody.

Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.

Loads of information can be found on microsoft's site here.

Unless you're using anything in that list above you'll want to stop this file from loading!

How do I get rid of it?
There's been a number of threads in our forum as well as others about this. A typical thread can be found here.

control panel --> regional and language options --> languages tab --> details button --> language bar button

Virus Precaution:
Just like so many of the other files I've written about so far, ctfmon.exe is located at C:\WINDOWS\System32\ctfmon.exe. At the time of this writing there isn't any spyware, viruses or anything like that masking itself as this file. If you find any info on one then please let me know!

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
smcgui.exe
smcgui.exe is a part of one of the Symantec scanning programs. I've found many reports of it using a LOT of CPU resources. I couldn't figure out exactly what it does, but it's a part of a Symantec scanning system so we're flagging it as safe.

C:\Program Files\IPMsg\ipmsg.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Fortinet\FortiClient\FortiTray.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Fortinet\FortiClient\fmon.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\LiveUpdate Administrator\pgsql\bin\postgres.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\LiveUpdate Administrator\pgsql\bin\postgres.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\system32\inetsrv\inetinfo.exe
inetinfo.exe

What is it?
IIS Debugger Tool - inetinfo.exe

What does it do?
inetinfo.exe - This is a vital system process for anybody running an IIS based server. If you're having a problem with this process crashing then Microsoft has a patch for you here.

Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of this file is C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe


C:\WINDOWS\System32\svchost.exe
Svchost.exe
Service Host Process - svchost.exe. This is another instance of the same host process; see the first svchost.exe entry above for the full description and virus precaution.


c:\windows\system32\inetsrv\w3wp.exe
w3wp.exe
w3wp.exe - This is an IIS worker process serving an application pool; it often uses large amounts of resources and should not be terminated.

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\LiveUpdate Administrator\pgsql\bin\postgres.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\LiveUpdate Administrator\pgsql\bin\postgres.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

c:\windows\system32\inetsrv\w3wp.exe
w3wp.exe
w3wp.exe - This is an IIS worker process serving an application pool; it often uses large amounts of resources and should not be terminated.

C:\Program Files\Fortinet\FortiClient\av_task.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Documents and Settings\Administrator.MANJUSHREEINDIA\Desktop\HijackThis.exe
HijackThis.exe
This is our favorite application for fighting against malware and other trashy applications that bog systems down. Our guide to using this software can be found here. We have also taken the time to write a system to process the log files created from this application here.

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\symdelta.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\bin\Xdelta\Xdelta3.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Fortinet\FortiClient\av_task.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com; if there's a site you don't know here, clean this line!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com; if there's a site you don't know here, clean this line!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com; if there's a site you don't know here, clean this line!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com; if there's a site you don't know here, clean this line!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com; if there's a site you don't know here, clean this line!

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com; if there's a site you don't know here, clean this line!

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.3:808
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com; if there's a site you don't know here, clean this line!

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
Unnamed BHO
jp2ssv.dll is the Java browser plug-in. Without it you won't be able to run Java in your browser.

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
Unnamed BHO
jqs_plugin.dll - Java IE Quick Starter, one of the MANY browser plug-ins related to Java.

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccApp
"Part of earlier versions of Norton AntiVirus - Auto-protect and E-mail check will not function without this"

O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
UnlockerAssistant
"Related to the Unlocker utility, used to unlock files when the OS reports the file is being used by another person or program"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
Ctfmon.exe
"CoolWebSearch Ctfmon32 parasite variant"

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
tscuninstall
removes really old versions of terminal server client software.

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
tscuninstall
removes really old versions of terminal server client software.

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
tscuninstall
removes really old versions of terminal server client software.

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
tscuninstall
removes really old versions of terminal server client software.

O4 - S-1-5-18 Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe (User 'SYSTEM')


O4 - .DEFAULT Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe (User 'Default user')


O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe


O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
Internet Right Click Menu
Most of the time this is garbage; leave it only if you actually use this function. Otherwise, for the sake of cleanliness, get rid of this sucker. A wise man once said "Cleanliness is next to godliness".

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
Research
Microsoft Office related

O15 - ESC Trusted Zone: http://runonce.msn.com
Trusted Zone
Do you really trust this site? If you don't, make sure you have HJT fix this line.

O15 - ESC Trusted Zone: http://*.mtl2dc
Trusted Zone
Do you really trust this site? If you don't, make sure you have HJT fix this line.

O15 - ESC Trusted Zone: http://*.windowsupdate.com
Trusted Zone
Do you really trust this site? If you don't, make sure you have HJT fix this line.

O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
Trusted Zone
Do you really trust this site? If you don't, make sure you have HJT fix this line.

O16 - DPF: {4DF118B4-5498-4EEA-9277-9EBC94B38114} (STWViewerWeb Class) - http://192.168.0.10:4000/STWWebViewer.cab
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O16 - DPF: {C8A6B632-C1ED-4B65-B479-C953FB91BCA2} (STWWebSearchDvr Class) - http://192.168.0.10:4000/StwWebSearchDvr.cab
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = manjushreeindia.com
Internet Settings
These may not be bad if your internet connection is set manually

O17 - HKLM\Software\..\Telephony: DomainName = manjushreeindia.com
Internet Settings
These may not be bad if your internet connection is set manually

O17 - HKLM\System\CCS\Services\Tcpip\..\{A56CD92C-11A8-46C9-9DBD-4B7F9F784FEC}: NameServer = 192.168.0.50,192.168.0.171,125.22.47.125,4.2.2.2
Internet Settings
These may not be bad if your internet connection is set manually

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = manjushreeindia.com
Internet Settings
These may not be bad if your internet connection is set manually

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = manjushreeindia.com
Internet Settings
These may not be bad if your internet connection is set manually

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
AppInit_DLLs Registry value autorun
Very few known *good* uses of this; Norton CleanSweep is the headliner of the good items.
Loads a .dll into memory when a user logs in. Frequently used by VERY bad hijackers.

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
SharedTaskScheduler Registry key autorun
Only a CWS variant has been known to use this. Consult a HJT expert before cleaning anything.

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
SharedTaskScheduler Registry key autorun
Only a CWS variant has been known to use this. Consult a HJT expert before cleaning anything.

O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Symantec Embedded Database (ASANYs_sem5) - iAnywhere Solutions, Inc. - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Symantec Event Manager

Symantec LiveUpdate service, used for auto-updating Symantec products in the background. Commonly in %Program Files%\Common Files\Symantec Shared\


O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Symantec Settings Manager

Norton/Symantec settings manager. There have been a couple of known problem files using this startup name. Check the folder this file is running from.


O23 - Service: FortiClient Lite Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Program Files\Fortinet\FortiClient\scheduler.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
InstallDriver Table Manager
Related to Macrovision Corporation.

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
Java Quick Starter

Sun's Java tool to cut down the load time of your Java apps. Found in %Program Files%\Java\jre6\bin\


O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
LiveUpdate
Related to the Norton Internet Security suite; provides up-to-date antivirus data for your Norton Anti

O23 - Service: LUA PostgreSQL - PostgreSQL Global Development Group - C:/Program Files/Symantec/LiveUpdate Administrator/pgsql/bin/pg_ctl.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: LUA Apache Tomcat (LUATomcat) - Apache Software Foundation - C:\Program Files\Symantec\LiveUpdate Administrator\tomcat\bin\tomcat5.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Symantec Endpoint Protection Manager (semsrv) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: ManageEngine ServiceDesk Plus (servicedesk) - Unknown owner - C:\AdventNet\ME\ServiceDesk\bin\wrapper.exe (file missing)
File Missing
When a file is missing, you should always have HijackThis fix the item.

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: WebAdmin - Alt-N Technologies, Ltd. - C:\MDaemon\WebAdmin\WebAdmin.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.