
 

Bad - Remove almost always
OK Most of the time - don't need to touch
Probably not needed - Safe to remove
Generally harmless - third party applications
Bad if you don't know what it is
Unknown Item - Investigate further

Logfile of Trend Micro HijackThis v2.0.4
Up To Date Version of HijackThis
You are using the latest version of HijackThis. Check www.merijn.org frequently for updates.

Scan saved at 12:54:28 PM, on 11/9/2011
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.17103)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
Smss.exe
What is it?
Session Manager SubSystem - smss.exe

What does it do?
smss.exe - This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

Additional Reading:
Smss.exe does not resolve forward references in environment

You will not be able to end this through task manager!

More info



Virus Precaution:

The smss.exe which is from Microsoft is located at c:\windows\System32\smss.exe. We've been able to find several viruses that run as smss to trick you.

Adware.Advision - Symantec Corporation
Adware.DreamAd - Symantec Corporation
Backdoor.IRC.Aladinz.O - Symantec Corporation
Backdoor.IRC.Flood.F - Symantec Corporation
W32.Dalbug.Worm - Symantec Corporation
W32.Resdoc - Symantec Corporation

C:\WINDOWS\system32\winlogon.exe
Winlogon.exe
What is it?
Windows Logon Process - Winlogon.exe

What does it do?
Direct Quote from here:
This is the process responsible for managing user logon and logoff. Moreover, Winlogon is active only when the user presses CTRL+ALT+DEL, at which point it shows the security dialog box.

Search MS for more info: Link

Virus Precaution:
The original Winlogon.exe from Microsoft gets placed in the C:\WINDOWS\System32 directory. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. We've been able to find only 1 report of a virus so far.

Troj/Madr-B @ Sophos
Netsky.D @ Trend Micro

C:\WINDOWS\system32\services.exe
services.exe
services.exe is a part of Windows that manages the processes. Anytime a service starts or stops it is through services.exe. During system startup and shutdown is when this process sees most of its action. You should never end this process unless it is running outside of your windows system folder.

C:\WINDOWS\system32\lsass.exe
lsass.exe
What is it?
Local Security Authentication Server - lsass.exe

What does it do?
lsass.exe - It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

You will not be able to end this through task manager!

From MS



The lsass.exe which is from Microsoft is located at c:\windows\System32\lsass.exe. There are a few viruses that have been found to run as lsass.exe to hide from you.

C:\WINDOWS\system32\svchost.exe
Svchost.exe

What is it?
Service Host Process - svchost.exe

What does it do?

Here's a direct quote from MS about this: (source)
Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

If you're running Windows XP Home edition then you'll have to download this file HERE and put it in your windows/system32 directory. If you're running XP Pro then you won't need that file since you already have it.

1.) Start --> Run --> cmd
2.) Tasklist /svc >C:ianaginfo.txt

Here's an example of what I got when I issued this command if you'd like to take a look at an example.

A Description of Svchost.exe in Windows XP:
http://support.microsoft.com/?kbid=314056

Virus Precaution:
The original file from Microsoft is placed in the C:\WINDOWS\System32 directory. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses.


C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
smc.exe

What is it?
Sygate Firewall - smc.exe

What does it do?
smc.exe - This is the firewall process that protects you from internet based attacks. I personally have not used this firewall since I use Zone Alarm.

Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of smc.exe is C:PROGRAMASSYGATESPFSMC.EXE




C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
ccSvcHst.exe
We Don't know! Please post a comment with information about this file

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe
Spoolsv.exe
What is it?
SPOOLer SerVice - spoolsv.exe

What does it do?
spoolsv.exe - The spooler service is responsible for managing spooled print/fax jobs

You will be able to end this through task manager!

More info



Virus Precaution:
The spoolsv.exe which is from Microsoft is located at c:\windows\System32\spoolsv.exe. We've been able to find several viruses that run as spoolsv to trick you.

Backdoor.Ciadoor.B - Symantec Corporation
Hacktool.Privshell - Symantec Corporation
VBS.Masscal.Worm (vbs) - Symantec Corporation
Graybird-A @ Sophos

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\SBAS\Scanner\Bin\bmagent.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\SBAS\Scanner\Bin\harvester.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Symantec\SBAS\Scanner\Bin\bmserver.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\system32\Dfssvc.exe
dfssvc.exe
All of us paranoid people keep a very close eye on what processes are running in the background. I already took a look at

Alg.exe
csrss.exe
Dfssvc.exe
dwwin.exe
internat.exe
lsass.exe
msdtc.exe
smss.exe
spoolsv.exe
svchost.exe

Today I'm hoping to explain to you guys what dfssvc is.

What is it?
Distributed File System

What does it do?
Microsoft Distributed File System does for servers and shares what file systems do for hard disks. File systems provide uniform named access to collections of sectors on disks; Dfs provides a uniform naming convention and mapping for collections of servers, shares, and files. Thus, Dfs makes it possible to organize file servers and their shares into a logical hierarchy, making it considerably easier for a large corporation to manage and use its information resources. In addition, Dfs is not limited to a single file protocol and can support the mapping of servers, shares, and files, regardless of the file client being used, provided that the client supports the native server and share.

You CAN end this process through task manager!

Quoted From:
Additional Reading

Virus Precaution:
The dfssvc.exe which is from Microsoft is located in the c:\windows\System32 folder. We've been unable to find any threats that run as dfssvc to trick you.

C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
DLSDBNT.EXE
We Don't know! Please post a comment with information about this file

C:\WINDOWS\System32\dns.exe
dns.exe

What is it?

dns.exe is associated with the Microsoft Windows DNS application.

What does it do?

A DNS or "domain name service" provides a database to link domain names to IP addresses and MAC addresses across the internet so that routers and internetworking hardware can connect the dots from point a to point b.

More info:


C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe
jqs.exe
jqs.exe - Java Quick Starter, which is basically used to improve the startup time of Java applets and applications.

C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
sqlservr.exe
sqlservr.exe is Microsoft's SQL Server. SQL Server 2000 exceeds dependability requirements and provides innovative capabilities that increase employee effectiveness, integrate heterogeneous IT ecosystems, and maximize capital and operating budgets. SQL Server 2000 provides the enterprise data management platform your organization needs to adapt quickly in a fast-changing environment. More information can be found here.

c:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
sqlservr.exe
sqlservr.exe is Microsoft's SQL Server. SQL Server 2000 exceeds dependability requirements and provides innovative capabilities that increase employee effectiveness, integrate heterogeneous IT ecosystems, and maximize capital and operating budgets. SQL Server 2000 provides the enterprise data management platform your organization needs to adapt quickly in a fast-changing environment. More information can be found here.

C:\mysql\bin\mysqld-nt.exe
mysqld-nt.exe
mysqld-nt.exe is the MySQL Daemon. This is a must have for any web developer's dev box. If you're not a programmer you really shouldn't have this on ;0 Also stop the service if you're not using the databases since this can hog quite a bit of RAM.

C:\Program Files\NetTime\NeTmSvNT.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\system32\ntfrs.exe
ntfrs.exe

What is it?

ntfrs.exe is associated with the Windows system file "NT file replicating service".

What does it do?

Used to keep files synchronised between multiple servers for several reasons.

More info:

Needed for server related stuff.


C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Enexity\bin\Wrapper.exe
wrapper.exe
wrapper.exe is a part of the Maya accounting program and provides a help service to aid troubleshooting. This program is known to be implemented in version 5.0 and later and is a non-essential process to the running of the system, but should not be terminated unless suspected to be causing problems.

C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
sqlagent.exe
sqlagent.exe - This process is from Microsoft SQL agent, this is used to get rid of scheduled jobs.

C:\Program Files\Enexity\java\bin\java.exe
java.exe

What is it?
Possibly One of Symantecs top threats currently - W32.Mydoom.M@mm - Java.exe

What does it do?
W32.Mydoom.M@mm is a mass-mailing worm that drops and executes a backdoor, detected as Backdoor.Zincite.A , that listens on TCP port 1034. The worm uses its own SMTP engine to send itself to email addresses it finds on the infected computer.

Removal:
Symantec has the full dirt ( Here )


C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
sqlwriter.exe
We Don't know! Please post a comment with information about this file

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
rtvscan.exe

What is it?
Real Time Virus scan (Symantec Security) - rtvscan.exe


What does it do?
Symantec Internet Security Suite takes Norton AV to another level and scans files as they enter your system instead of the usual scan right after they hit your system. You should not end this process if you have it running.

Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of this file is C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe




C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\lserver.exe
lserver.exe
lserver.exe - This is from Microsoft Windows Server, it takes care of terminal server licensing, for a secure system this is important.

C:\Program Files\Symantec\SBAS\ControlCenter\Tomcat\jakarta-tomcat-4.1.27\bin\tomcat.exe
tomcat.exe
We Don't know! Please post a comment with information about this file

C:\WINDOWS\System32\wins.exe
wins.exe
wins.exe - This is the predecessor to the current DNS service; it offers computer name resolution services for your LAN. Only terminate when not in use.

C:\WINDOWS\system32\tcpsvcs.exe
tcpsvcs.exe

What is it?

Microsoft TCP/IP Networking - tcpsvcs.exe

What does it do?

tcpsvcs.exe is an essential service for Windows systems using the TCP/IP protocol, and is required to run such components as DHCP and network printing. It is a very important file and should not be tampered with.

Virus Precautions

There does not seem to be any major viruses or trojans associated with tcpsvcs.exe, however you can keep updated via this Google search.


C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
DLPWDNT.EXE
We Don't know! Please post a comment with information about this file

C:\Program Files\Exchsrvr\bin\exmgmt.exe
exmgmt.exe
exmgmt.exe - This is from Microsoft Exchange Console, this allows configuration of this e-mail server product, this is non essential only terminate if causing problems.

C:\Program Files\Exchsrvr\bin\mad.exe
mad.exe
mad.exe - This process deals with important Microsoft Exchange functions, for example it loads DLLs and logs messaging. For a secure system do not remove.

C:\WINDOWS\system32\mqsvc.exe
mqsvc.exe

What is it?

mqsvc.exe is the executable file of the Microsoft message queuing service.

What does it do?

Microsoft Message Queueing (MSQS) provides guaranteed message delivery, efficient routing, security, and priority-based messaging. It can be used to implement solutions for both asynchronous and synchronous messaging scenarios.

More info:

Everything you ever wanted to know about MSQS can be found at microsoft.com: http://www.microsoft.com/windows2000/technologies/communications/msmq/default.asp


C:\Program Files\Exchsrvr\bin\store.exe
store.exe
store.exe - This is with Outlook Exchange from Microsoft, this allows RAM memory for Microsoft Exchange for optimization purposes, this may cause problems on some servers.

C:\Program Files\Exchsrvr\bin\emsmta.exe
emsmta.exe
emsmta.exe - This is related to Microsoft Exchange Message Transfer Agent, for a smooth running server do not remove.

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\rdpclip.exe
rdpclip.exe
rdpclip.exe - This is for file copy; it offers a function for the terminal services server that allows copying and pasting between server and client. For a secure computer this is important.

C:\WINDOWS\Explorer.EXE
explorer.exe

What is it?
Windows Explorer - explorer.exe

What does it do?
explorer.exe - Below is a direct quote from Microsoft found on THIS page:

This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system.

I have found that stopping this process is needed sometimes to stop some other processes.

More Info
More Info

Virus Precaution:
The original file from Microsoft gets placed at C:\WINDOWS\System32\explorer.exe. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. There's only one unique virus found through this search. All of the results are the various names of this single virus.

Deloder-A @ Sophos
MyDoom.B @ Symantec


C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
smcgui.exe
smcgui.exe is a part of one of the Symantec scanning programs. I've found many reports of it just using a LOT of CPU resources. I couldn't figure out exactly what it did but it's a part of a Symantec scanning system so we're flagging it as safe.

C:\Program Files\NetTime\NetTime.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Common Files\Java\Java Update\jusched.exe
jusched.exe

What is it?
Java Update Scheduler - jusched.exe

What does it do?
jusched.exe - This is Sun's Java automatic update utility. If you would like to disable this scheduler then go to your control panel and click on the Java module. Then go to the updates tab and uncheck "check for updates automatically".

Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of jusched.exe is C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe. Obviously j2re1.4.2_04 is the version number. At this time my search shows nothing that you need to worry about.


C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccApp.exe
What Is It?
Norton Security - ccApp.exe
What Does it Do?
ccapp.exe - This is one of MANY processes that are used by Norton Security (AV + Net Security) If its under the appropriate directory you'll have nothing to worry about. If you're experiencing slowdowns you'll want to upgrade your hard drive and/or your RAM. Norton is a resource hog.
This process is referred to as Common Client App which is also used by auto protect and email checking.

Virus Precautions:
The normal location of ccapp.exe is: C:\Program Files\Common Files\Symantec Shared\ccapp.exe

C:\Program Files\SC-Print2005\Msgsrv.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\system32\ctfmon.exe
ctfmon.exe
What is it?
Language bar AKA Alternative User Input Services - ctfmon.exe

What does it do?
ctfmon.exe - it's an ever annoying helper tool that comes rather unexpectedly at times and liked by nearly nobody.

Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.

Loads of information can be found on microsoft's site here.

Unless you're using anything in that list above you'll want to stop this file from loading!

How do I get rid of it?
There's been a number of threads in our forum as well as others about this. A typical thread can be found here.

control panel --> regional and language options --> languages tab --> details button --> language bar button

Virus Precaution:
Just like so many of the other files I've written about so far, ctfmon.exe is located in the c:\windows\System32\ctfmon.exe. At the time of this writing there isn't any spyware, viruses or anything like that masking itself as this file. If you find any info on one then please let me know!

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
sqlmangr.exe
sqlmangr.exe SQL Server Service Manager - provides tray access to SQL server, the server agent and MSDTC. Available via Start -> Programs

C:\Program Files\Common Files\Java\Java Update\jucheck.exe
jucheck.exe
jucheck.exe - This is produced by Sun; it checks for Java updates.

C:\WINDOWS\system32\inetsrv\inetinfo.exe
inetinfo.exe

What is it?
IIS Debugger Tool- inetinfo.exe

What does it do?
inetinfo.exe - This is a vital system process for anybody running an IIS based server. If you're having a problem with this process crashing then Microsoft has a patch for you here.

Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of this file is C:\WINDOWS\SYSTEM32\INETSRV\inetinfo.exe


C:\WINDOWS\System32\svchost.exe
Svchost.exe

What is it?
Service Host Process - svchost.exe

What does it do?

Here's a direct quote from MS about this: (source)
Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionSvchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

HKEY_LOCAL_MACHINESystemCurrentControlSetServicesService

If you're running Windows XP Home edition then you'll have to download this file HERE and put it in your windows/system32 directory. If you're running XP Pro then you won't need that file since you already have it.

1.) Start --> Run --> cmd
2.) Tasklist /svc >C:ianaginfo.txt

Here's an example of what I got when I issued this command if you'd like to take a look at an example.

A Description of Svchost.exe in Windows XP:
http://support.microsoft.com/?kbid=314056

More Info
More Info

Virus Precaution:
The original file from Microsoft is located in the C:\WINDOWS\System32 directory. If you find it anywhere else, then you should be suspicious for sure.

You'll want to keep an eye on this Google search for any known viruses.


C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

c:\windows\system32\inetsrv\w3wp.exe
w3wp.exe
w3wp.exe - This process is related to the application pool in IIS. It usually allocates large amounts of resources and should not be terminated.

C:\Program Files\Misys Homecare\Server\MHCServer.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Misys Homecare\Service Manager\Misys.Homecare.ServiceManager.Service.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Misys Homecare\Event Manager\Misys.Homecare.EventManager.RuntimeHostApplication.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Misys Homecare\Accounting\Allscripts.Homecare.Accounting.ServiceHost.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\Misys Homecare\Server\Templates\ASM_WH.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\AhsayOBM\bin\SystemTray.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\AhsayOBM\bin\Scheduler.exe
scheduler.exe
scheduler.exe - This is from Leader Technologies. It reminds a person to register a product and is non-essential.

C:\Program Files\AhsayOBM\jvm\bin\bschJW.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\AhsayOBM\aua\bin\Aua.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\AhsayOBM\aua\jvm\bin\auaJW.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\AhsayOBM\jvm\bin\bJW.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\Program Files\AhsayOBM\jvm\bin\bJW.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\System32\vssvc.exe
vssvc.exe
vssvc.exe - This is from the Shadow Copy Service, implemented in Windows XP and onwards. It allows modified files to be backed up automatically by the system. For a secure system, do not remove it.

C:\WINDOWS\System32\svchost.exe

c:\windows\system32\inetsrv\w3wp.exe
w3wp.exe
w3wp.exe - This process is related to the application pool in IIS. It usually allocates large amounts of resources and should not be terminated.

c:\windows\system32\inetsrv\w3wp.exe
w3wp.exe
w3wp.exe - This process is related to the application pool in IIS. It usually allocates large amounts of resources and should not be terminated.

C:\Program Files\Symantec\SBAS\Scanner\Bin\conduit.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\Explorer.EXE
explorer.exe

What is it?
Windows Explorer - explorer.exe

What does it do?
explorer.exe - Below is a direct quote from Microsoft found on THIS page:

This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system.

I have found that stopping this process is needed sometimes to stop some other processes.

More Info
More Info

Virus Precaution:
The original file from Microsoft gets placed at C:\WINDOWS\System32\explorer.exe. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this Google search for any known viruses. There's only one unique virus found through this search. All of the results are the various names of this single virus.

Deloder-A @ Sophos
MyDoom.B @ Symantec


C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
DLPSP.EXE
We Don't know! Please post a comment with information about this file

C:\Program Files\Common Files\Java\Java Update\jusched.exe
jusched.exe

What is it?
Java Update Scheduler - jusched.exe

What does it do?
jusched.exe - This is Sun's Java automatic update utility. If you would like to disable this scheduler, go to your Control Panel and click on the Java module. Then go to the Updates tab and uncheck "check for updates automatically".

Virus Precautions:
You'll want to keep an eye on this Google search for any known viruses. The normal location of jusched.exe is
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe. Obviously j2re1.4.2_04 is the version number. At this time my search shows nothing that you need to worry about.


C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccApp.exe
What Is It?
Norton Security - ccApp.exe

What Does it Do?
ccapp.exe - This is one of MANY processes that are used by Norton Security (AV + Net Security). If it's under the appropriate directory you'll have nothing to worry about. If you're experiencing slowdowns you'll want to upgrade your hard drive and/or your RAM. Norton is a resource hog.
This process is referred to as Common Client App, which is also used by auto protect and email checking.

Virus Precautions:
The normal location of ccapp.exe is: C:\Program Files\Common Files\Symantec Shared\ccapp.exe

C:\WINDOWS\system32\ctfmon.exe
ctfmon.exe
What is it?
Language bar AKA Alternative User Input Services - ctfmon.exe

What does it do?
ctfmon.exe - It's an ever-annoying helper tool that comes rather unexpectedly at times and is liked by nearly nobody.

Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.

Loads of information can be found on Microsoft's site here.

Unless you're using anything in that list above you'll want to stop this file from loading!

How do I get rid of it?
There have been a number of threads in our forum as well as others about this. A typical thread can be found here.

Control Panel --> Regional and Language Options --> Languages tab --> Details button --> Language Bar button

Virus Precaution:
Just like so many of the other files I've written about so far, ctfmon.exe is located at c:\windows\System32\ctfmon.exe. At the time of this writing there isn't any spyware, viruses or anything like that masking itself as this file. If you find any info on one then please let me know!

C:\Program Files\Common Files\Java\Java Update\jucheck.exe
jucheck.exe
jucheck.exe - This is produced by Sun; it checks for Java updates.

C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
What is it?
Internet Explorer - iexplore.exe


What does iexplore.exe do?
This is the main executable of the browser brought to you by Microsoft. If you're using this then please look into Firefox. This browser is a security hazard.

Microsoft's information page.

Virus Precautions:
You'll want to keep an eye on this Google search for any known viruses. The normal location of iexplore.exe is C:\Program Files\Internet Explorer\iexplore.exe. There are a LOT of bugs you need to worry about if the exe is running in any location other than that one.


search Trend Micro.

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
SASCore.exe
We Don't know! Please post a comment with information about this file

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
SUPERAntiSpyware.exe
We Don't know! Please post a comment with information about this file

C:\WINDOWS\system32\msiexec.exe
MsiExec.exe
MsiExec.exe is the executable for the windows installer. This should only be running while you are running an installer. If this is still running after the installer has completed it should be safe to end this process.

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
HijackThis.exe
This is our favorite application for fighting against malware and other trashy applications that bog systems down. Our guide to using this software can be found here. We have also taken the time to write a system to process the log files created from this application here.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
Internet Start Page
This is where you go when you first open IE. It should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
AcroIEhelper.ocx AcroIEhelper.dll - Adobe Acrobat reader http://www.adobe.com/products/acrobat/readstep2.html

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
Unnamed BHO
jp2ssv.dll is the Java browser plugin. Without this you won't be able to run Java in your browser.

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
Unnamed BHO
jqs_plugin.dll - Java IE Quickstart, one of the MANY browser plugins related to Java.

O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
DLPSP
Dell laser printer status monitor

O4 - HKLM\..\Run: [NetTime] C:\Program Files\NetTime\NetTime.exe
NetTime
"From a visitor - "This is the executable for NetTime. It is started from the registry when you check the box to start at startup. NetTime allows you to synchronize your computers' clock with a server on your local net or the internet using any of several protocols

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
Adobe Reader Speed Launcher
Speeds up the time it takes to load the Adobe Reader PDF document reader. "The Speed Launcher quickly opens and closes all of the files that Acrobat or Adobe Reader will use when the application starts. Opening and closing the files allows your virus protection software to check these programs and add them to its list of safe files" - see here. Not required for Adobe Reader to function properly.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
SunJavaUpdateSched
Checks with Sun's Java updates site to see if newer Java versions are available. Either visit the Java download page or click on Start → Control Panel → Java → Update → Update Now.

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccApp
Part of earlier versions of Norton AntiVirus - Auto-protect and E-mail check will not function without this.

O4 - HKLM\..\Run: [OBSystemTray] "C:\Program Files\AhsayOBM\bin\SystemTray.exe"
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [SC-Print2005 Msgsrv] C:\Program Files\SC-Print2005\Msgsrv.exe /NSC-Print2005 /S
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
MsmqIntCert
Microsoft Message Queue Server - Internal Certificate - see here for more info and here for a potential problem. Is it required?

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
Malwarebytes' Anti-Malware
System tray access to and realtime protection agent for the registered version of MalwareBytes' Anti-Malware - which is "considered to be the next step in the detection and removal of malware. In our product we have compiled a number of new technologies that are designed to quickly detect

O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
SUPERAntiSpyware
SUPERAntiSpyware - spyware

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10x_ActiveX.exe -update activex
FlashPlayerUpdate
Flash player update should be found in a place like this: \%WINDIR%\%System%\macromed\flash\

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
tscuninstall
removes really old versions of terminal server client software.

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
tscuninstall
removes really old versions of terminal server client software.

O4 - HKUS\S-1-5-18\..\Run: [OBSystemTray] "C:\Program Files\AhsayOBM\bin\SystemTray.exe" (User 'SYSTEM')
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
tscuninstall
removes really old versions of terminal server client software.

O4 - HKUS\.DEFAULT\..\Run: [OBSystemTray] "C:\Program Files\AhsayOBM\bin\SystemTray.exe" (User 'Default user')
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
tscuninstall
removes really old versions of terminal server client software.

O4 - Startup: Server Management.lnk = ?


O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe


O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe


O15 - ESC Trusted Zone: http://runonce.msn.com
Trusted Zone
Do you really trust this site? If you don't really trust this site, make sure you have HJT fix this line.

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181139791234
Unnamed BHO
http://v5.windowsupdate.microsoft.com

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181141716140
muweb_site.cab
Microsoft Windows Update more here

O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = menardchd.org
Internet Settings
These may not be bad if your internet connection is set manually

O17 - HKLM\Software\..\Telephony: DomainName = menardchd.org
Internet Settings
These may not be bad if your internet connection is set manually

O17 - HKLM\System\CCS\Services\Tcpip\..\{D0146C98-778A-4FDA-8A63-76E77305C42F}: NameServer = 192.168.171.12
Internet Settings
These may not be bad if your internet connection is set manually

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = menardchd.org
Internet Settings
These may not be bad if your internet connection is set manually

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
AppInit_DLLs Registry value autorun
Very few known *good* purposes of this. Norton Cleansweep being the headliner of good items
Loads a .dll into memory when a user logs in. Frequently used by VERY bad hijackers.

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
SharedTaskScheduler Registry key autorun
Only a CWS variant has been known to use this. Consult a HJT expert before cleaning anything.

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
SharedTaskScheduler Registry key autorun
Only a CWS variant has been known to use this. Consult a HJT expert before cleaning anything.

O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Allscripts Homecare Accrual Accounting (AHC_AccountingService) - Allscripts Healthcare Solutions, Inc. - C:\Program Files\Misys Homecare\Accounting\Allscripts.Homecare.Accounting.ServiceHost.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Symantec Embedded Database (ASANYs_sem5) - iAnywhere Solutions, Inc. - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Brightmail Agent (BMIAGENTSVC) - Symantec Corporation - C:\Program Files\Symantec\SBAS\Scanner\Bin\bmagent.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Brightmail Conduit (BMICONDUITSVC) - Symantec Corporation - C:\Program Files\Symantec\SBAS\Scanner\Bin\conduit.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Brightmail SMTP Harvester (BMIHARVESTERSVC) - Symantec Corporation - C:\Program Files\Symantec\SBAS\Scanner\Bin\harvester.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Brightmail Server (BMISERVERSVC) - Symantec Corporation - C:\Program Files\Symantec\SBAS\Scanner\Bin\bmserver.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Symantec Event Manager

Symantec LiveUpdate service used for auto-updating Symantec products in the background. Commonly in \%Program Files%\Common Files\Symantec Shared\


O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Symantec Settings Manager

Norton/Symantec settings manager. There have been a couple of known problem files using this startup name. Check the folder this file is running from.


O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
InstallDriver Table Manager
Related to Macrovision Corporation.

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
Java Quick Starter

Sun's Java tool to cut down the load time of your Java apps. Found in \%Program Files%\Java\jre6\bin\


O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
LiveUpdate
Related to Norton Internet Security suite and provides up to date antivirus data for your Norton Anti

O23 - Service: Allscripts Homecare ACE (MHC_EventManager) - Allscripts Healthcare Solutions, Inc. - C:\Program Files\Misys Homecare\Event Manager\Misys.Homecare.EventManager.RuntimeHostApplication.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Allscripts Homecare Server (MHC_Server) - Allscripts Healthcare Solutions, Inc. - C:\Program Files\Misys Homecare\Server\MHCServer.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Allscripts Homecare Service Manager (MHC_ServiceManager) - Allscripts Healthcare Solutions, Inc. - C:\Program Files\Misys Homecare\Service Manager\Misys.Homecare.ServiceManager.Service.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
mr2kserv
Dell Open Management software installs this service http://www.anti-spy.info/process/mr2kserv.exe.ht

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
MySql
belongs to MySQL Daemon. It is a service that handles the access to MySQL databases

O23 - Service: NetTime (NetTimeSvc) - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: AutoUpdateAgent (Ahsay Online Backup Manager) (OBAutoUpdate) - Unknown owner - C:\Program Files\AhsayOBM\aua\bin\Aua.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Online Backup Scheduler (Ahsay Online Backup Manager) (OBScheduler) - Unknown owner - C:\Program Files\AhsayOBM\bin\Scheduler.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: RssUVNC - UltraVNC - C:\Program Files\Enexity\bin\SLinkSW\rssuvnc.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: RssVNC Server (RssVNC) - RealVNC Ltd. - C:\Program Files\Enexity\bin\SLinkSW\rssvnc.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Symantec Endpoint Protection Manager (semsrv) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Enexity SecureLink Gatekeeper (slinksc) - Unknown owner - C:\Program Files\Enexity\bin\Wrapper.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O23 - Service: Tomcat - Alexandria Software Consulting - C:\Program Files\Symantec\SBAS\ControlCenter\Tomcat\jakarta-tomcat-4.1.27\bin\tomcat.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.