
Extra Processes Running on Windows XP Machine

My desktop Windows XP machine with SP2 seems to have all sorts of extra processes running. I've run Windows Defender looking for spyware and it came up empty; I've also updated my Norton and it doesn't find any viruses either. Therefore, is there some tool I can run so I can figure out which processes should be running and which shouldn't? In the list I have 50 processes running each time the machine boots up.

The biggest processes being used are:
svchost, iexplore, wuauclt, wmiprvse, MsMpEng, outlook, taskmgr, lsass, init, ccApp, etc. etc.
jamietonerCommented:
Well, the ones you listed are normal. Most are Windows processes that need to run; the others are Internet Explorer, Windows Defender, Norton and Outlook. What you need to do if you want some programs not to start with Windows is click Start -> Run -> type in msconfig -> click OK. This will bring up the System Configuration Utility. Click on Startup, then remove the check next to programs you don't want to start with Windows. Some of these may have services running also, so click the Services tab, then at the bottom click "Hide all Microsoft services" and again uncheck the ones you don't want to run. If you're not sure what a process or service is, search for it in Google and you will usually get several sites that will tell you what it is and whether it needs to run at startup or not.
Jbirk1Commented:
Get a copy of HijackThis and post your log here: http://www.merijn.org/downloads.html

Make a log and post it.  I will be able to tell you if you have anything unusual and give you a complete breakdown.
kpu8Author Commented:
OK, here is my log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:41 PM, on 5/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\LxrJD31s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\UWIN\usr\etc\ums.exe
C:\Program Files\UWIN\usr\etc\init.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\MediaGateway\MediaGateway.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\UWIN\usr\etc\inetd.exe
C:\Program Files\UWIN\usr\lib\cs\tcp\at\at.svc
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\UWIN\usr\lib\cs\tcp\at\at.svc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0yahoo&bm=yh_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Microsoft WFC Forms Designer - file://D:\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://D:\VJ98\vstudio6.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2E687AA8-B276-4910-BBFB-4E412F685379} (CWebsiteViewer Object) - http://klcitrixsam/WebsiteViewerRoot/WebsiteViewer.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/294c78de3b8899461000/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118196936187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148675224437
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://remote.klng.com/tsweb/msrdp.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://connect.kl.com/connect/cds/CGC/en/CSGProxy.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Srv32 - Unknown owner - C:\WINNT\system32\srv32.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Uwin Master (UWIN_MS) - Unknown owner - C:\Program Files\UWIN\usr\etc\ums.exe
Jbirk1Commented:
Hi, PowerReg Scheduler is some very mild spyware.  You should still remove it.

Start by checking this box "O4 - Startup: PowerReg Scheduler V3.exe"

Make sure you remove Power Reg 100% as well:
View this:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453078189

Overall, most of your processes are okay.  It appears that you have Windows stuff, Bit Defender Antispyware, Norton/Symantec stuff, some Gateway modem and media stuff indicating you probably have a Gateway computer, UWIN, and a whole lot of HP processes.  UWIN lets Windows run some Unix-type stuff, from what I can find.

I do not know what printer you have, but I do know that HP has installed a lot of stuff on your computer.  You have a LightScribe service, probably necessary for LightScribe.  It indicates you have a burner that supports LightScribe.

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

You also have a lot of Digital Imaging stuff and other HP related processes:
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

Here is more in your startup that has to do with HP

O4 - Global Startup: hpoddt01.exe.lnk = ?

I am not saying those are spyware or adware, but still it seems ridiculous that HP would have 5 processes and a service running, all of which take up resources.  You could use Add/Remove Programs to remove anything from HP and still print and use LightScribe.  There are minimal drivers available for most printers.  I just thought I should point that out.  If you want, you can tell me what HP hardware you have and I can point you to the latest drivers that are smaller and take fewer processes.  Still, none of that HP stuff is really harmful.  At most it might be annoying, like a taskbar.


CHECK THIS OUT:
O23 - Service: Srv32 - Unknown owner - C:\WINNT\system32\srv32.exe (file missing)  (VERY SUSPICIOUS)
http://www.symantec.com/avcenter/venc/data/w32.opaserv.j.worm.html

The file is apparently missing.  You may have been, or may be, infected with that virus/worm.  Just some material you should read.


Also, you have a huge load of ActiveX components installed with IE.  I would close IE and get rid of the ones you don't use:

For instance, the support.com, cwebviewer, techtools, rdxie.  Obviously leave the Genuine Advantage, Windows Update, Microsoft form designer and Visual Basic stuff.  I am just suggesting cleanup.

O16 - DPF: Microsoft WFC Forms Designer - file://D:\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://D:\VJ98\vstudio6.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2E687AA8-B276-4910-BBFB-4E412F685379} (CWebsiteViewer Object) - http://klcitrixsam/WebsiteViewerRoot/WebsiteViewer.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/294c78de3b8899461000/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118196936187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148675224437
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://remote.klng.com/tsweb/msrdp.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {EBC1356E-7D5E-44EC-831D-847882F06FE5} (Gateway Client for MetaFrame) - https://connect.kl.com/connect/cds/CGC/en/CSGProxy.cab


Let me know what you find out.  Either way, I would remove the Srv32 service at the very least, also with HijackThis.  I also suggest you read and double-check that Symantec and PowerReg page.

Justin
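As an added example (this is not code from the thread, nor part of HijackThis), the following Python script applies the same triage that jamietoner and Justin did by hand to a HijackThis log: a core Windows process name running from somewhere other than System32, an executable running out of a Temp directory, an O4 Run entry that names only a bare filename (resolved through the search path), a program dropped straight into a Startup folder, and an O23 service whose binary is missing or whose owner is unknown, like the Srv32 entry flagged above. The sample log at the bottom is abridged from the log posted in this thread, plus one constructed line (svchost.exe running from C:\WINNT) added only to exercise the path check; the severity labels and the CORE_SYSTEM_PROCS list are the example's own assumptions.

```python
"""Triage a HijackThis log for the indicators discussed in this thread.

Added example, not part of the original thread or of HijackThis itself.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: names that should only ever run from the system directory.
CORE_SYSTEM_PROCS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                     "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}

# "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
                    r"(?P<missing> \(file missing\))?$")
# "O4 - <where>: [<key>] <command>"  (the [key] part is absent for Startup folders)
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[[^\]]*\] )?(?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review" (labels are this example's own)
    line: str
    reason: str


def check_process(path: str) -> Optional[Finding]:
    """A 'Running processes' line: full path of one running executable."""
    name = ntpath.basename(path).lower()
    if name in CORE_SYSTEM_PROCS and ntpath.dirname(path).lower() not in SYSTEM32_DIRS:
        return Finding("high", path, f"{name} is a core Windows process name but is not running from System32")
    if "\\temp\\" in path.lower():
        return Finding("review", path, "executable running from a Temp directory; confirm you launched it")
    return None


def check_o4(line: str) -> Optional[Finding]:
    """Autostart entries: Run keys and Startup folders."""
    m = O4_RE.match(line)
    if not m:
        return None
    where, cmd = m.group("where"), m.group("cmd").strip()
    # A Run value without a drive-letter path is located via the search path.
    if "Run" in where and not re.match(r'^"?[A-Za-z]:\\', cmd):
        return Finding("review", line, "Run entry gives no full path; the binary is found via the search path")
    # Startup-folder shortcuts show as 'x.lnk = target'; a bare .exe was dropped there directly.
    if where.endswith("Startup") and " = " not in cmd:
        return Finding("review", line, "program placed directly in a Startup folder")
    return None


def check_o23(line: str) -> Optional[Finding]:
    """Installed services: missing binary or unknown publisher."""
    m = O23_RE.match(line)
    if not m:
        return None
    if m.group("missing"):
        return Finding("high", line, "service points at a file that does not exist; remove it and find out what registered it")
    if m.group("owner") == "Unknown owner":
        return Finding("review", line, "service binary carries no company name; verify its publisher and purpose")
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
                continue
            f = check_process(line)
        elif line.startswith("O4 - "):
            f = check_o4(line)
        elif line.startswith("O23 - "):
            f = check_o23(line)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Abridged from the log posted above; the C:\WINNT\svchost.exe line is constructed.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\svchost.exe
C:\WINNT\Explorer.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: Srv32 - Unknown owner - C:\WINNT\system32\srv32.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

Run against the sample it reports six entries: the constructed svchost.exe and the missing srv32.exe as high, and HijackThis.exe in Temp, the path-less GWMDMMSG Run value, the PowerReg Scheduler file in the Startup folder and the unattributed Lexar service as items to review. Everything else in the log passes, which matches the experts' reading above; the script only orders the checking, it does not replace knowing what each entry is.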
rindiCommented:
You should have pasted the HijackThis log into the empty space on the http://hijackthis.de site, then clicked on "analyze", and then on "Save analysis" and posted the resulting URL here. I've done that for you now.

http://hijackthis.de/logfiles/081601aeb192711e6b1764cb76d60d07.html

Apart from what has already been mentioned, you don't need the following, as these aren't necessary, and messengers can be misused by 3rd parties to compromise the system. If any of these have already been mentioned above, I apologize.

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Srv32 - Unknown owner - C:\WINNT\system32\srv32.exe (file missing)
Jbirk1Commented:
Yes, it is true that the above you mentioned can be removed.


However, the first two are Gateway software and it is not up to me to assume whether or not he wants to keep his Gateway software.

The next piece is the QuickTime background/taskbar task.  Sure, it isn't necessary, but it is harmless.

Windows messenger is common, so I didn't bother to mention it.

The Microsoft Office shortcut isn't malware either, nor is the Excel piece.

The next two items pertain to Windows messenger again.

Last but not least, O23 ... I mentioned as very suspicious and it should be removed.


Sure, these others you mention, rindi, can be removed; however, they are not spyware, nor are they slowing down his computer.

I don't want to have him completely make many, many changes to his computer.   Essentially, I would prefer he just make the needed changes and be happy with it.  If he wants to make changes, he can remove anything from HijackThis.

He can even remove every item and his computer would boot up much like a clean install of Windows.



I did not paste his log into the automatic analyzer because I am more than capable of reading it and deciding on my own.  It is all about understanding what each item does.

Justin
rindiCommented:
I don't think he is mainly looking for spyware, but rather to not have useless services running, so the system gets more responsive. To me all messengers are useless, and can even be misused to compromise a PC. The HijackThis analysis itself tells us that the Gateway software doesn't really fulfil any useful functions. QuickTime and other players don't belong in autostart either; they are often actually there to collect advertisements, which for me is the same as spam and therefore malware. The m$ Office stuff also isn't needed in startup (actually it isn't needed at all, as there is a better free alternative to Office, OpenOffice, so it is time to dump m$ Office for good, and maybe only leave Outlook on the PC!). I agree that m$ Office isn't malware, but it is too-expensive-ware. And for duplicates I had already apologized above!
Jbirk1Commented:
No hard feelings.

I agree that messengers don't belong in startup, as I don't have any in mine.  I also agree that the Messenger button in IE is useless and the Gateway software isn't really necessary to the operation of his computer.

I also agree that Microsoft Office isn't really necessary, as OpenOffice can take its place as a free solution; however, he already has Microsoft Office and I cannot be sure which features he uses.  I also cannot make the decision for him which messengers he should keep or remove, et cetera.

His best bet is to be informed of all the processes and their purpose.  That was my original intention.  I am going to highly recommend he remove the malware as well as trim back on the extras, and I gave him a breakdown of everything.  With this info, he can decide what he wants to keep and get rid of.  He should have plenty of info about what is running and what each process belongs to.
kpu8Author Commented:
Thanks to you both - huge help - I spent two nights in a row using both your suggestions and getting my system back in running order - it works much better now, and the mild spyware was causing my DSL software to not be installed - now I'm 100% up and running with a much faster response time, across the board! I really didn't know where to begin - I spend a vast amount of my time developing websites/graphics, so all this was new to me!

Jbirk1Commented:
I am glad to hear everything went well for you, and that our combined help solved your problem.

Thank you for posting your question here on Experts Exchange.  I wish you the best of luck in the future; furthermore, I hope you explore HijackThis, because it is an incredibly powerful tool, as you have seen.  It will allow you to fix the hard-to-find problems, troubleshoot processes and startup, fix browser hijacks, remove services, remove malware, and much more.  It is my favorite all-purpose tool for taking a peek at the system and cleaning up.

-Justin
rindiCommented:
You're welcome.