REQ: Help with home network - 2DoWinXp_processes_Ian.txt (1/1)

 
 
Ian Cowan
      04-21-2004, 02:35 AM
System Configuration Utility | Startup

VTTimer.exe ( not running in Asusprog)
NeroCheck.exe
Type32.exe

dumprep 0 -k

-------------------------------------------------------------
processes in Windows task manager


Packman's portal
Key:
"Y" - Normally leave to run at start-up
"N" - Not required - typically infrequently used tasks that can be started manually if necessary
"U" - User's choice - depends whether a user deems it necessary
"X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
"?" - Unknown

--------------------------------------------------------------------------------------------------
iexplore.exe ian
asusprob.exe ian
agrsmmsg.exe ian found in packman'sPortalStartups - full list ...IBM AMR modem driver...
avgcc32.exe ian found in packman'sPortalStartups - full list ...AVG anti-virus control center.
Also enables scheduled tests,
Outlook E-mail plug-in and automatic updates
agent.exe ian ...found many times, might be part of CD recording stuff
but not found as part of free agent
agent.exe not running @ 24.3.2004
avgInet.exe ian ... not found
avgserv.exe ... not found
avgw.exe ian ...Part of AVG Anti-Virus 7.0


alg.exe ... not found but in Win XP Services, sez norton firewall depends on it

ctfmon.exe ian found in packman'sPortalStartups - full list
see C:\Documents and Settings\All Users\Documents\XP_IanStuff\PackmansPortalStartups - C_tfmon..htm

U ctfmon ctfmon.exe CTFMon is involved with the language/alternative input services in Office XP.
CTFMON.exe will continue to put itself back into MSConfig when you run the Office
XP apps as long as the Text Services and Speech applets in the Control Panel are
enabled. Not required if you don't need these features. For more info on ctfmon see here.
CTFMON can be disabled from Control Panel, Text & Speech Services

X ctfmon taskmgr32#.exe Added as a result of the SOWSAT.B VIRUS! where # is a number from 0 to 9

X Ctfmon.exe ctfmon32.exe CoolWebSearch parasite related - hijacking to Slawsearch.com

ccApp.exe ian norton AV 2003
....ccApp ccApp.exe Part of Norton AntiVirus 2003. Auto-protect and E-mail check will not function without this

....X ccApp <filename> Added as a result of the OBSORB VIRUS! Note the random filename compared to the valid Norton AntiVirus entry above

ccevtmgr.exe Part of Norton AntiVirus 2003. Event manager for scheduling
weekly scans and or automatic virus updates.
Used to start automatically via CcApp and was not required as a
separate entry but a recent update changed this

ccpxysvc.exe Part of Norton's AntiVirus 2003, Internet Security and
Firewall products. E-mail proxy service - required for
E-mail scanning and the firewall


DrgToDsc.exe ian ...Part of Roxio EasyCD Creator 6.0 - places the Roxio Drag-to-Disc
icon in your system tray. "Easily drag and drop files for burning
to CD or DVD. Disc formatting and burning will happen automatically".
Not required for Roxio to work properly

explorer.exe ian ...Added as a result of the ZCREW VIRUS! Note - this is not the valid explorer.exe

...dlder.exe Advertising spyware. Considered to be one of the worst - even creating a
fake "explorer.exe" file. Can be installed via versions of "Grokster", "Lime Wire" and "KaZaA"
amongst other file-sharing utilities (see here). Reported in the past as a virus

....X Explore explore.exe Adult content dialler
X explore.exe Explore.exe Added as a result of the GRAYBIRD.G VIRUS!
U explorer explorer.exe Starts Windows Explorer. Unless this has been manually added to startups or added by another program it could be a virus such as PE_BISTRO or DVLDR or MYDOOM.C. Note that it is also not the explorer.exe task/service you'll see via CTRL+ALT+DEL
X explorer wscript.exe <filename> Sneaky way to start any VBS script. Many viruses use VBS files
X Explorer shellexpl.exe Added as a result of the GPIX and SHELDOR VIRUSES!
X explorer expl32.exe Added as a result of the RATSOU VIRUS!
X Explorer <path_to_worm> Added as a result of the AUTEX VIRUS!
X Explorer lptt01
or
Explorer ml097e explorer.exe Variant of the RapidBlaster parasite (in an "explorer" folder in Program Files). It is not recommended you manually uninstall RapidBlaster but use RapidBlaster Killer - see here. Note - this is not the valid Windows Explorer which has the same executable name
X Explorer32 Expl32.exe Added as a result of the HACKTACK VIRUS!

....explorer.exe Added as a result of the ZCREW VIRUS! Note - this is not the valid explorer.exe

...X print sharing hidden32.exe (path) explorer.exe Added as a result of the ZCREW.B VIRUS!
Note - this is not the valid Windows Explorer (explorer.exe)

....X Sustem explorer.exe Unidentified VIRUS!
....X SustemUpdate explorer.exe Unidentified VIRUS!


....X system Explorer.exe Added as a result of the GRAYBIRD VIRUS! Note - this is located
in C:\Windows\System (Win9x/Me), C:\Winnt\System32 (WinNT/2K),
or C:\Windows\System32 (WinXP) rather than the valid Windows Explorer
which is located in C:\Windows or C:\Winnt

.... X sysconfig iexplorer.exe Added as a result of the CULT.C VIRUS!. Note - iexplorer.exe is
not to be confused with Internet Explorer (iexplore.exe)

.... X WinUPD32 explorer.exe Unidentified VIRUS!

.... X system Explorer.exe Added as a result of the GRAYBIRD VIRUS! Note - this is located
in C:\Windows\System (Win9x/Me), C:\Winnt\System32 (WinNT/2K), or
C:\Windows\System32 (WinXP) rather than the valid Windows Explorer which is located in
C:\Windows or C:\Winnt

.... VSENMB.exe Malware (ie, malicious software). Also changes the system.ini Shell line to read
Shell=Explorer.exe VSENMB.exe, and it hacks the Winstart.bat as well

....X Windows explorer.exe Added as a result of an unidentified VIRUS! Note - this is
not the valid Windows Explorer (explorer.exe). It was found in the C:\Windows
directory on a WinNT machine, whereas the valid explorer.exe would be found in C:\Winnt

....X Windows Explorer <filename>.exe Added as a result of the SDBOT VIRUS! Note - this is not the valid Windows Explorer (explorer.exe) which would only be in startups if you added it manually
....X Windows Explorer Lsas.exe Added as a result of the GAOBOT.AO VIRUS! Note - this is not the valid Windows Explorer (explorer.exe) which would only be in startups if you added it manually

....X Windowz Update V2.0 Explorer.exe Added as a result of the YODO VIRUS! Note - the valid "explorer.exe" is located in C:\Windows or C:\Winnt whereas this one is located in the System32 sub-directory

....X WinUPD32 explorer.exe Unidentified VIRUS!


LSASS.exe ... X lsass lsass.exe Added as a result of the RATSU.B VIRUS!
Note - this is not the legitimate Lsass.exe system file, which should normally NOT figure in Msconfig/Startup!

nisum.exe ... Y nisserv NISSERV.EXE Norton Personal Firewall
Y Nisum NISUM.EXE Norton Personal Firewall

nopdb.exe SYSTEM ... not found
Nprotect.exe ...U NPROTECT nprotect.exe Norton Protected Recycle Bin from Norton Utilities.
Adds an extra layer of safety before you remove deleted files from the Recycled Bin.
Can be listed twice which is valid - see here

playlist.exe ... not found

rxMon.exe ... N RoxioAudioCentral RxMon.exe Part of Roxio EasyCD Creator 6.0 -
places the Roxio AudioCentral icon in your system tray.
"Includes a player, media manager, ripper, tag and sound editor -
integrated in a single application". Not required for Roxio to work properly.

SMAgent.exe SYSTEM ... not found

smss.exe ...X InteliSys smss.exe Advertisingvision adware - file is located in
C:\Windows or C:\Winnt, and not in its System32 subdirectory,
as is the case with the legitimate Smss.exe system file which would
normally NOT figure in Msconfig/Startup!

services.exe ...X Service services.exe Added as the result of the NETSKY or
NETSKY.B VIRUSES! Note - not to be confused with the valid Windows
"services.exe" which resides in C:\Windows\System (Win9x/Me),
C:\Winnt\System32 (WinNT/2K) or C:\Windows\System32 (WinXP) as this
resides in C:\Windows or C:\Winnt

spoolsv.exe system ...X load= Spoolsv.exe Added as a result of the CIADOOR.B VIRUS!
Note - "Spoolsv.exe" is located in the Windows or Winnt directory, and not
in System32, like the legitimate Spoolsv.exe system file

svchost.exe local service
svchost.exe network service
svchost.exe system
svchost.exe system

....X France svchost.exe Added as a result of the MIMAIL.L VIRUS!. This is not the valid
svchost.exe as described here


system
system idle process

taskmgr.exe ian ...
Taskmgr Taskmgr.exe System1060 homepage hi-jacker. Note - this is not a Windows file and is found in a WindowsSystem1060 directory
X Taskmgr tskmgr32.exe Homepage hi-jacker
N taskmgr.exe taskmgr.exe Windows Task Manager in Windows XP. If run from the Startup folder, the tray icon will be put to the system tray after boot. Useful to check if XP has finished running the delayed services after boot. Available via a desktop shortcut
X taskmngr lptt01
or
taskmngr ml097e taskmngr.exe Variant of the RapidBlaster parasite (in a "Taskmngr" folder in Program Files). It is not recommended you manually uninstall RapidBlaster but use RapidBlaster Killer - see here



type32.exe ian ... U Intellitype type32.exe For MS programmable keyboards.
If you disable Intellitype in Startup, any "Hot Keys" that
are changed by the user to perform functions other than default
settings, defer back to their default settings unless you have
changed them

WZQKPICK.exe ian ...N WinZip Quick Pick WZQKPICK.EXE Added with WinZip version 8.1.
"The new WinZip Quick Pick taskbar tray icon gives you instant
access to WinZip and your Zip files. Just left click the icon
to open WinZip, or right click it to instantly reopen recently
used Zip files, access your Favorite Zip Folders, open WinZip
Help, or start WinZip itself.". You can right-click and close it
- choosing to not re-load it at start-up

winlogon.exe ... X ICQ Net winlogon.exe Added as a result of the NETSKY.C or NETSKY.D or NETSKY.E or
NETSKY.K VIRUSES! - file is located in C:\Windows or C:\Winnt, and not in
its System or System32 subdirectory, as is the case with the legitimate winlogon.exe file

...X WinAuth winlogon.exe Added as a result of an unidentified VIRUS!. This is not the valid
winlogon.exe as described here

************************************************** *
csrss.exe ... not found Looks like this is the virus


ian here ***

*** 10:56 found crss in ohm... web components.... etc, trying shutting down then restarting

X CSRSS CSRSS.EXE Search page hijacker, redirecting to http://www.search-aide.com/.
Note - this is not the valid Client Server Runtime Subsystem (csrss.exe) process,
which provides text window support, shutdown, and hard-error handling

Tue Mar 09 2004 - From: "Jim" <(E-Mail Removed)>
Subject: W98 csrss.exe


Hi, according to all sources (!) I cannot have this
problem unless I am running NT or later Vers than W98. But
I am!! crss.exe is plaguing my system, and I tried using
reg cleaner but it keeps making a back up, can anyone tell
me in layman's terms how to rid my PC of this B@*&^%$£D.?
Input really appreciated, as it is causing mega issues,
thanks Jim

....
From: "mm" <(E-Mail Removed)>


>-----Original Message-----
>Hi, according to all sources (!) I cannot have this

[iansnip]
>Input really appreciated, as it is causing mega issues,
>thanks Jim
>.
>


Find the file, note its location, delete it from MS-DOS
(not DOS window).

Also check here and see if it applies to your situation:
http://www.sophos.com/virusinfo/anal...nauticala.html

mm

....
Tue Mar 09 2004
From: Alan Edwards <(E-Mail Removed)>

You don't supply enough information for me to guess.
Assuming it is a virus, what have you done about it?
What are the symptoms?
What does your anti-virus say? What does it call it?

You might try here in case this is it:
http://www.symantec.com/avcenter/ven...lbug.worm.html

....Alan

--
Alan Edwards, MS MVP W95/98 Systems
http://dts-l.org/index.html



>Hi, according to all sources (!) I cannot have this

[iansnip]
>Input really appreciated, as it is causing mega issues,
>thanks Jim


....
Tue Mar 09 08:50:04 2004

From: "william-digging a hold" <(E-Mail Removed)>

I would suggest going to www.answersthatwork.com >TASK
LIST >C > CSRSS. They describe two versions of CSRSS and
you probably have the trojan version since you cannot get
rid of it. I personally do not have a lot of faith in
Norton antivirus, but it does catch most of them. My
personal favorite is a freebie at
http://housecall.trendmicro,com.

I would look at ANSWERSTHATWORK.COM for information. Then
I would run housecall [free and good] and then I'd run
Norton if you have it. Let's go from there.
>-----Original Message-----
>Hi, according to all sources (!) I cannot have this

[iansnip]
>Input really appreciated, as it is causing mega issues,
>thanks Jim
>.
>


***
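
Added example, not part of the post above: the notes repeatedly separate a legitimate system file from an impostor by the folder it runs from, and the sketch below applies that check to startup command lines. The expected folders are the ones the notes give; the function names and the sample entries are constructed for illustration.

```python
import ntpath

# Folder, relative to the Windows root, where the notes above place the
# legitimate copy of each file ("" means the Windows root itself).
EXPECTED = {
    "explorer.exe": {""},
    "smss.exe": {"system32"},
    "services.exe": {"system", "system32"},
    "spoolsv.exe": {"system32"},
    "winlogon.exe": {"system", "system32"},
}

def image_path(command):
    """Pull the executable path out of a startup command line."""
    command = command.strip()
    if command.startswith('"'):              # quoted path, arguments may follow
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")       # unquoted: keep spaces in folder names
    return command[:end + 4] if end != -1 else command.split(" ", 1)[0]

def check_entry(command, windows_root):
    """Classify one startup command against the machine's own Windows root."""
    path = ntpath.normpath(image_path(command)).lower()   # also collapses "..\"
    folder, name = ntpath.split(path)
    root = ntpath.normpath(windows_root).lower()
    if name not in EXPECTED:
        return "not-a-system-name"
    if not folder:
        return "path-not-given"
    if folder == root:
        rel = ""
    elif folder.startswith(root + "\\"):
        rel = folder[len(root) + 1:]
    else:
        return "wrong-location"               # outside the Windows tree entirely
    return "expected-location" if rel in EXPECTED[name] else "wrong-location"

def flag_startups(entries, windows_root):
    """Return the (name, command) startup entries whose image is misplaced."""
    return [(n, c) for n, c in entries
            if check_entry(c, windows_root) == "wrong-location"]

# Constructed sample entries (not taken from a real machine).
SAMPLE = [
    ("Intellitype", r'"C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"'),
    ("Service", r"C:\WINDOWS\services.exe -serv"),
    ("system", r"C:\WINDOWS\System32\Explorer.exe"),
    ("spooler", r"C:\WINDOWS\system32\drivers\..\spoolsv.exe"),
]
```

Passing the machine's actual Windows root matters: a copy of explorer.exe in C:\Windows on a machine installed to C:\Winnt is flagged, which is the case the notes describe.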