Key to the labels that follow each log entry below:
Bad - Remove almost always
OK Most of the time - don't need to touch
Probably not needed - Safe to remove
Generally harmless - third party applications
Bad if you don't know what it is
Unknown Item - Investigate further
--------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Up To Date Version of HijackThis: You are using the latest version of HijackThis. Check www.merijn.org frequently for updates. (That automated line is itself out of date: by 2010 the 2.0.x releases of HijackThis, maintained by Trend Micro, had been out for a while, and they recognise more of the entries below than 1.99.1 does.)
Scan saved at 19:14:56, on 4-1-2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Running processes:
C:\WINDOWS\System32\smss.exe
What is it?
Session Manager SubSystem - smss.exe
What does it do?
smss.exe - This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).
Additional Reading:
Smss.exe does not resolve forward references in environment
You will not be able to end this through task manager!
More info
--------------------------------------------------------------------------------
Virus Precaution:
The smss.exe from Microsoft is located at C:\WINDOWS\System32\smss.exe. We've found several pieces of malware that run under the name smss.exe, usually from some other folder, to trick you:
Adware.Advision - Symantec Corporation
Adware.DreamAd - Symantec Corporation
Backdoor.IRC.Aladinz.O - Symantec Corporation
Backdoor.IRC.Flood.F - Symantec Corporation
W32.Dalbug.Worm - Symantec Corporation
W32.Resdoc - Symantec Corporation
C:\WINDOWS\system32\winlogon.exe
What is it?
Windows Logon Process - Winlogon.exe
What does it do?
Direct Quote from here:
This is the process responsible for managing user logon and logoff. Moreover, Winlogon is active only when the user presses CTRL+ALT+DEL, at which point it shows the security dialog box.
Search MS for more info: Link
Virus Precaution:
The original Winlogon.exe from Microsoft lives in the C:\WINDOWS\System32 directory. If you find it anywhere else then you should be suspicious for sure.
You'll want to keep an eye on this google search for any known viruses. We've been able to find only a couple of reports so far:
Troj/Madr-B @ Sophos
Netsky.D @ Trend Micro
C:\WINDOWS\system32\services.exe
services.exe is the Windows Service Control Manager. Any time a service starts or stops, it goes through services.exe, so it sees most of its action during system startup and shutdown. You can't end it from Task Manager and shouldn't try. The one case that matters is a "services.exe" running from somewhere other than C:\WINDOWS\System32: that one is not the real thing.
C:\WINDOWS\system32\lsass.exe
What is it?
Local Security Authority Subsystem Service - lsass.exe
What does it do?
lsass.exe - It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.
You will not be able to end this through task manager!
From MS
--------------------------------------------------------------------------------
The lsass.exe from Microsoft is located at C:\WINDOWS\System32\lsass.exe. A few pieces of malware have been found running under the name lsass.exe to hide from you, so check the path.
C:\WINDOWS\system32\svchost.exe
What is it?
Service Host Process - svchost.exe
What does it do?
Here's a direct quote from MS about this: (source)
Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.
Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service
To see which services each svchost.exe instance is actually hosting, use Tasklist. If you're running Windows XP Home edition then you'll have to download this file HERE (Tasklist.exe, which Microsoft only ships with XP Pro) and put it in your windows\system32 directory. If you're running XP Pro then you won't need that file since you already have it.
1.) Start --> Run --> cmd
2.) tasklist /svc > C:\ianaginfo.txt
Here's an example of what I got when I issued this command if you'd like to take a look at an example.
A Description of Svchost.exe in Windows XP:
http://support.microsoft.com/?kbid=314056
More Info
More Info
Virus Precaution:
The original file from Microsoft lives in the C:\WINDOWS\System32 directory. If you find a svchost.exe anywhere else then you should be suspicious for sure; the same goes for a svchost.exe that hosts no services at all in the tasklist /svc output, since hosting services is its only job.
You'll want to keep an eye on this google search for any known viruses.
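As an added example (not from this page or from HijackThis), here is a small Python parser for the `tasklist /svc` output produced by the step above. It groups the services under each PID so a svchost.exe instance seen in Task Manager can be resolved to what it hosts, and it applies the one check the advice above implies: the real svchost.exe always hosts at least one service, so an instance showing N/A under Services is an impostor candidate until its path and parent are checked. The tasklist output embedded below is constructed for the example (the last svchost row is the planted anomaly), and the function and variable names are mine.

```python
import re

# Constructed sample of `tasklist /svc` output as an XP Pro box prints it; it is
# not taken from the page's log. The final svchost.exe row is planted: a process
# using the svchost name but hosting no service at all.
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       376 N/A
winlogon.exe                   468 N/A
services.exe                   512 Eventlog, PlugPlay
lsass.exe                      524 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    688 DcomLaunch, TermService
svchost.exe                    756 RpcSs
svchost.exe                    864 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   dmserver, ERSvc, EventSystem, helpsvc,
                                   Schedule, wuauserv, WZCSVC
svchost.exe                    920 Dnscache
spoolsv.exe                   1120 Spooler
svchost.exe                   1644 N/A
"""

# image name (may contain spaces), PID, then the comma-separated service list
_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def _split_services(field):
    field = field.strip()
    if field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` output into a list of (image, pid, [services]).

    Long service lists wrap onto continuation lines that begin with whitespace;
    those are appended to the row above them.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and rows:
            rows[-1][2].extend(_split_services(line))
            continue
        m = _ROW.match(line)
        if m:
            rows.append((m.group("image"), int(m.group("pid")),
                         _split_services(m.group("svcs"))))
    return rows


def services_by_pid(rows):
    """Map each PID to the services it hosts, so a PID from Task Manager resolves."""
    return {pid: svcs for _, pid, svcs in rows}


def svchost_without_services(rows):
    """The only job of the real svchost.exe is to host services, so a genuine
    instance always shows at least one. A 'svchost.exe' with N/A is an impostor
    until proven otherwise: check its path (must be C:\\WINDOWS\\System32) and
    what started it."""
    return [pid for image, pid, svcs in rows
            if image.lower() == "svchost.exe" and not svcs]


if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE)
    for pid, svcs in sorted(services_by_pid(rows).items()):
        print(pid, ", ".join(svcs) or "(none)")
    print("svchost.exe instances hosting nothing:", svchost_without_services(rows))
```

Feed it the real file from step 2 (`parse_tasklist_svc(open(r"C:\ianaginfo.txt").read())`) and compare the PIDs it reports against the paths shown in Task Manager or Process Explorer; the name check and the path check together are what separate a real svchost from a copycat.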
C:\WINDOWS\System32\svchost.exe
Another svchost.exe instance; see the svchost.exe entry above. Several instances at once is normal, as long as each runs from C:\WINDOWS\System32 and hosts services in the tasklist /svc output.
C:\WINDOWS\system32\spoolsv.exe
What is it?
SPOOLer SerVice - spoolsv.exe
What does it do?
spoolsv.exe - The spooler service is responsible for managing spooled print/fax jobs
You will be able to end this through task manager!
More info
--------------------------------------------------------------------------------
Virus Precaution:
The spoolsv.exe from Microsoft is located at C:\WINDOWS\System32\spoolsv.exe. We've found several pieces of malware that run under the name spoolsv to trick you:
Backdoor.Ciadoor.B - Symantec Corporation
Hacktool.Privshell - Symantec Corporation
VBS.Masscal.Worm (vbs) - Symantec Corporation
Graybird-A @ Sophos
C:\WINDOWS\Explorer.EXE
What is it?
Windows Explorer - explorer.exe
What does it do?
explorer.exe - Below is a direct quote from Microsoft found on THIS page:
This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system.
I have found that stopping this process is needed sometimes to stop some other processes.
More Info
More Info
Virus Precaution:
The original file from Microsoft is C:\WINDOWS\explorer.exe (in the Windows folder itself, not in System32, as the process list above shows). If you find it anywhere else then you should be suspicious for sure.
You'll want to keep an eye on this google search for any known viruses. Only a couple of worms turn up under this name; most of the results are the various aliases of those same two:
Deloder-A @ Sophos
MyDoom.B @ Symantec
C:\PROGRA~1\AVGANT~1\AVG8\avgwdsvc.exe
avgwdsvc.exe - Belongs to AVG 8 Internet Security; it is the AVG WatchDog service that runs in the background (it also shows up as the avg8wd service in the O23 lines below).
C:\WINDOWS\system32\tcpsvcs.exe
What is it?
Microsoft TCP/IP Networking - tcpsvcs.exe
What does it do?
tcpsvcs.exe is a Microsoft component that hosts several of Windows' optional TCP/IP services: on XP, Simple TCP/IP Services (echo, daytime, chargen and friends) and the TCP/IP Print Server (LPD); on server editions also things like the DHCP Server. Leave the file alone, but because those services open listening ports and most home XP boxes never need them, check under Add/Remove Windows Components why they're installed if you don't use them.
Virus Precautions
There does not seem to be any major viruses or trojans associated with tcpsvcs.exe, however you can keep updated via this Google search.
C:\WINDOWS\System32\svchost.exe
Another svchost.exe instance; see the svchost.exe entry above.
C:\PROGRA~1\AVGANT~1\AVG8\avgam.exe
avgam.exe - Part of AVG 8 Internet Security, which provides real-time protection against viruses, spyware, identity theft, poisoned web pages and other malware. All three of these AVG processes run from the AVG8 program folder, which is where they belong.
C:\PROGRA~1\AVGANT~1\AVG8\avgrsx.exe
avgrsx.exe - AVG Anti-Virus Resident Shield, the on-access scanner that checks files as they are opened or downloaded.
C:\PROGRA~1\AVGANT~1\AVG8\avgnsx.exe
avgnsx.exe - Another AVG 8 Internet Security component (same product folder as above).
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
msnmsgr.exe is the main process of Windows Live Messenger (the newer MSN Messenger; not the old built-in Windows Messenger, which is msmsgs.exe). You can get more information on this file here.
Quote:
Instant message in real time, get face-to-face with webcam, send messages to your friends' cell phones, or get the latest news with MSN Alerts. It's easy to explore all the ways to stay in touch!
C:\Program Files\Windows Live\Contacts\wlcomm.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it. (The path puts it inside the Windows Live install next to Messenger, which is what you'd expect on a machine with Messenger installed.)
C:\Program Files\Internet Explorer\iexplore.exe
What is it?
Internet Explorer - iexplore.exe
What does iexplore.exe do?
This is the main executable of Microsoft's browser. This log shows IE 6, which is old and a frequent target; if you're using it, please look into Firefox, or at the very least a current IE.
Microsoft's information page.
Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of iexplore.exe is C:\Program Files\Internet Explorer\iexplore.exe. There's a LOT of malware you need to worry about if an iexplore.exe is running from any location other than that one.
search Trend Micro.
C:\Program Files\Ares\Ares.exe
Ares.exe - This is the Ares Galaxy peer-to-peer file-sharing client, not itself a worm. P2P clients are one of the commonest ways infected downloads land on a PC, and malware can borrow the Ares name, so if you didn't install it, or don't need it, uninstall it; if you keep it, scan everything it downloads before opening it.
C:\Program Files\HijackThis\HijackThis.exe
This is our favorite application for fighting against malware and other trashy application that bog systems down. Our guide to using this software can be found here. We have also taken the time to write a system to process the log files created from this application here.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
Internet Start Page / search settings
The page IE uses for its search bar. This is Microsoft's own Live Search, so it's fine. If there's a site you don't know here, clean this line!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
Same thing: IE's search page, pointing at Live Search. Fine.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com; here it's Google's Dutch site, which matches the Dutch-language entries elsewhere in this log. If there's a site you don't know here, clean this line!
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
The machine-wide Search Assistant page. Live Search again, fine. Hijackers like to point this one at their own "search" site.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
IE's built-in local (blank) page setting. Empty, about:blank, or a res:// page inside IE's own DLLs is the normal value.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
Not a start page at all: this tells IE to bypass its proxy for *.local addresses, which is the default and harmless. The thing to watch in this key is an unexpected ProxyServer line pointing at a proxy you didn't set up, since that would route all of your browsing through it.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
Not a start page either: the name of the Links folder in Favorites. "Koppelingen" is Dutch for "Links", normal on a Dutch-locale install. Harmless.
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
AcroIEhelper.ocx / AcroIEhelper.dll - Adobe Acrobat Reader http://www.adobe.com/products/acrobat/readstep2.html ("Help bij koppelingen" is the Dutch name of the Adobe PDF Reader Link Helper.)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG Antivirus\AVG8\avgssie.dll
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it. (Despite the odd "WormRadar.com" label, the DLL sits in the AVG 8 folder: it is AVG's Safe Search / LinkScanner browser helper.)
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it. (The path is the Windows Live Messenger folder; Click-to-Call is a Messenger feature.)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
Unnamed BHO
ssv.dll - Related to Sun Java software http://java.com/en/download/index.jsp (Note the old JRE 1.6.0_07: out-of-date Java was a favourite drive-by target, so update it.)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
Unnamed BHO
WindowsLiveLogin.dll - Microsoft Windows Live http://ideas.live.com/
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it. (It lives under its own Program Files\Styler folder; fine if you installed the Styler toolbar yourself, otherwise have HijackThis fix it.)
O4 - HKCU\..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
Adobe Reader Speed Launcher
"Speeds up the time it takes to load the Adobe Reader application. Your choice but not required for Adobe Reader to function properly"
O4 - HKCU\..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it. (The path is Adobe's Common Files folder; ARM is the Adobe Reader and Acrobat Manager, i.e. the updater. Harmless, and worth keeping since it is what patches Reader.)
O4 - HKCU\..\Run: [PUT2VIDQLG] C:\DOCUME~1\MARKVA~1\LOCALS~1\Temp\c.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.
This is the entry in the log to worry about, and "unknown" undersells it. Three red flags at once: a random-looking Run value name (PUT2VIDQLG), a one-letter executable (c.exe), and a launch path in the user's Temp folder (...\Local Settings\Temp). Legitimate software does not set itself to autorun from Temp; this is how droppers survive a reboot. Don't double-click it. Note the full path, have HijackThis fix the O4 line, delete c.exe from Temp (boot to Safe Mode if it's locked), then scan the whole machine, because whatever put it there may have installed more than this.
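Added example, not part of the page's own log-processing system: a Python triage pass over HijackThis log lines that mechanises the checks this page keeps repeating. It flags a core system process name (smss, winlogon, services, lsass, svchost, spoolsv, explorer) running from the wrong directory, an O4 autorun launched from a Temp folder or carrying a random-looking value name, any "(file missing)" / "(no file)" entry, and an O20 Winlogon Notify DLL loaded from outside System32. The log excerpt it runs on mixes lines from the log above with two planted lines (a svchost.exe in C:\WINDOWS and an O20 DLL in Temp); the assumed system root is C:\WINDOWS, and the heuristics, thresholds and names are mine.

```python
import re

# Sample input for this example. The O4, O9 and O20 lines are copied from the log
# above; the "C:\WINDOWS\svchost.exe" process line and the "xyzq" O20 line are
# planted so that the checks have something to catch.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
O4 - HKCU\..\Run: [PUT2VIDQLG] C:\DOCUME~1\MARKVA~1\LOCALS~1\Temp\c.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: xyzq - C:\DOCUME~1\MARKVA~1\LOCALS~1\Temp\xyzq.dll
"""

# Assumed system root for this box (the log header shows C:\WINDOWS). The
# directory, not the file name, is what separates the real binary from an impostor.
SYSTEM_ROOT = r"c:\windows"
SYSTEM32 = SYSTEM_ROOT + r"\system32"
EXPECTED_DIR = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32,
    "explorer.exe": SYSTEM_ROOT,   # explorer.exe lives in C:\WINDOWS, not System32
}

_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
_TEMP = re.compile(r"\\(temp|locals~1|local settings)\\", re.IGNORECASE)


def _norm(path):
    return path.lower().replace("%systemroot%", SYSTEM_ROOT)


def _dirname(path):
    return _norm(path).rsplit("\\", 1)[0]


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def _looks_random(name):
    """Weak signal: Run value names planted by droppers are often one bare block
    of upper-case letters and digits ("PUT2VIDQLG") rather than a product name."""
    return len(name) >= 8 and name.isalnum() and name.isupper()


def triage(log_text):
    """Return [(severity, line, reason)] for the lines a human should look at first."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            exe = _basename(line)
            expected = EXPECTED_DIR.get(exe)
            if expected and _dirname(line) != expected:
                findings.append(("high", line,
                                 f"{exe} running from {_dirname(line)}, expected {expected}"))
            continue
        if "(file missing)" in line or "(no file)" in line:
            findings.append(("fix", line, "target file is gone; let HijackThis fix the entry"))
            continue
        m = _O4.match(line)
        if m:
            from_temp = bool(_TEMP.search(m.group("path")))
            odd_name = _looks_random(m.group("name"))
            if from_temp or odd_name:
                reasons = [r for r, hit in (("autorun launched from a Temp folder", from_temp),
                                            ("random-looking value name", odd_name)) if hit]
                findings.append(("high" if from_temp else "check", line, "; ".join(reasons)))
            continue
        m = _O20.match(line)
        if m and _dirname(m.group("path")) != SYSTEM32:
            findings.append(("high", line, "Winlogon Notify DLL loaded from outside System32"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run it on a saved hijackthis.log and read the "high" findings first; the "fix" ones are housekeeping. The checks are deliberately path-based rather than name-based, because every example of malware on this page hides behind a legitimate file name and gives itself away only by where it runs from.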
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Internet Right Click Menu
Office's "Export to Microsoft Excel" right-click entry ("Exporteren naar" is Dutch). Most of the time this is clutter; leave it only if you actually use this function, otherwise for the sake of cleanliness get rid of it. A wise man once said cleanliness is next to godliness.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
Sun Java Console
Related to Sun Java
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
Sun Java Console
Related to Sun Java
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
Research
Microsoft Office related ("Onderzoek" is Dutch for "Research")
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
File Missing
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
File Missing
When a file is missing, you should always have HijackThis fix the item. These two xpnetdiag.exe entries are a known false positive of HijackThis 1.99.1, though: it doesn't expand %windir%, and on XP SP3 the file is present in C:\WINDOWS\Network Diagnostic. Fixing them only removes the Network Diagnostics button from IE, so it's harmless either way, but don't read them as a sign of infection.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
File Missing
When a file is missing, you should always have HijackThis fix the item.
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
File Missing
When a file is missing, you should always have HijackThis fix the item.
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn...l/mjss/MJSS.cab109791.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn...aireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-NL/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn...tatsPAClient.cab56907.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/m...ploadcontrol/MSNPUpld.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.../MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
Downloaded ActiveX controls (these are not BHOs)
O16 entries are ActiveX controls that IE downloaded from the web into Downloaded Program Files. What matters is the URL they came from. Everything above from messenger.zone.msn.com and gfx1.hotmail.com is Microsoft's own: the MSN Messenger games (Checkers, Solitaire Showdown, UNO, Minesweeper Flags, the game launcher and stats client; ZIntro.cab is the MSN Games installer) and the MSN / Windows Live Hotmail photo upload tool. The GoPetsWeb control comes from gopetslive.com, the GoPets online game, and is fine if the user plays it. Our database has no entry for most of these; you can click an item to request additional information about it. None of them need fixing, but any O16 that points at a site you don't recognise should be fixed.
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG Antivirus\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
Extra Protocols
O18 entries register extra URL protocol handlers (something: links) in IE. There's a few known hijackers that use this and I haven't found much good come out of it in general, but judge each one by the DLL's path. These three are accounted for: linkscanner is AVG 8's LinkScanner (avgpp.dll in the AVG8 folder), and livecall and msnim are Windows Live Messenger's own handlers (the DLL is in the Messenger folder). An O18 whose DLL lives somewhere odd, or has a random name, is the kind to fix.
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
Winlogon Notify Registry key autorun
Loads a .dll into winlogon.exe when a user logs in, so the code runs with system-level trust before the desktop even appears. Very few known *good* purposes of this (Norton Cleansweep being the headliner of good items), and it is frequently used by VERY bad hijackers. This one is AVG 8's Resident Shield starter (avgrsstx.dll, in System32, matching the avgrsx.exe process above), so leave it.
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
File Missing
When a file is missing, you should always have HijackThis fix the item. On XP SP3 this particular one is a known HijackThis 1.99.1 false positive: the tool doesn't expand %SystemRoot%, and dimsntfy.dll (Microsoft's Digital Identity Management Service notifier) is normally present in System32. Check that the file really is missing before fixing; HijackThis 2.0.x handles this entry correctly.
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
ShellServiceObjectDelayLoad Registry key autorun
HJT automatically weeds out the good ones here, so whatever is left gets flagged as bad by default. This particular one is an exception: WPDShServiceObj.dll is Microsoft's Windows Portable Device shell service object, installed with Windows Media Player 11, newer than HijackThis 1.99.1's whitelist, and sitting in System32 where it belongs. Any other O21 entry, especially one with a random DLL name, treat as bad. Consult a HJT expert before cleaning anything.
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVGANT~1\AVG8\avgwdsvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
Unknown Item
Sorry. We are not sure what these items are. If you would like, you can click on one to request additional information about it. O23 lines are installed non-Microsoft services; HijackThis prints the service name, the vendor from the file's version information and the path, and all three line up here: Lavasoft's Ad-Aware service, the AVG 8 watchdog (the avgwdsvc.exe process listed above) and Nero's backup scheduler, each in its own product folder. A service whose vendor field is blank, or whose path is a file with a random name in Temp or System32, is the kind to investigate.