Win XP - Task Manager

newboy_3

Hi

When I open up the task manager, I have, in the region of 40+ processes running. Do I need to have all these running ?

What progs do I def need to have running?

Just thought it might speed up my pc a tad.

Thanks

Newboy

T4i

I think XP SP2 has about 19 processes running with no additional software installed.

You most likely have lots of software starting up on XP boot, programs you prolly dont use everytime you switch p.c on.

Best thing to do is download hijackthis and post a log of you system. This will tell us what processes you have running.

This is my list so you can compare


The additional software I have there is:-
Nvidia Graphics Driver (nvsvc32.exe)
Kerio Firewall (kp****.exe)
Opera Browser (opera.exe)
Brother Printer/Scanner (brsvc01a.exe)
Spyware Doctor Help (sdhelp.exe)

HTH

Andy_Davies

40+ processes running sound as little on the large side but it depends on what software you've installed and what you've got running.

First question is do you run anti-virus software, and when did you last do a spyware scan?

Easiest way to find out what's what is to type them into Google, as there are plenty of sites out there that will tell you what each one is. I'd do this by creating a text file of the processes and cutting and pasting from that.

To create the text file:

1. Open a command prompt by pressing the windows key and R at the same time

2. Then type: tasklist > \tasks.txt and press enter

3. Open the text file by typing notepad \tasks.txt and press enter

You've then got details of all the processes running and can either search for them in Google or list them here and someone will look at them.

Mine looks like:

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 20 K
System 4 Console 0 32 K
smss.exe 580 Console 0 40 K
csrss.exe 644 Console 0 2,240 K
winlogon.exe 668 Console 0 3,736 K
services.exe 712 Console 0 1,444 K
lsass.exe 724 Console 0 2,608 K
svchost.exe 912 Console 0 1,188 K
svchost.exe 1024 Console 0 8,676 K
svchost.exe 1168 Console 0 632 K
svchost.exe 1200 Console 0 1,656 K
spoolsv.exe 1320 Console 0 644 K
defwatch.exe 1468 Console 0 40 K
rtvscan.exe 1512 Console 0 1,912 K
cmd.exe 1664 Console 0 44 K
explorer.exe 1680 Console 0 5,532 K
atiptaxx.exe 1388 Console 0 808 K
vptray.exe 1360 Console 0 1,088 K
OUTLOOK.EXE 2036 Console 0 12,156 K
iexplore.exe 188 Console 0 16,844 K
msnmsgr.exe 640 Console 0 18,836 K
ctfmon.exe 1748 Console 0 1,616 K
taskmgr.exe 1520 Console 0 1,656 K
GreatNews.exe 1368 Console 0 32,616 K
WINWORD.EXE 2764 Console 0 5,956 K
firefox.exe 2828 Console 0 78,956 K
cmd.exe 456 Console 0 1,348 K
wmiprvse.exe 2376 Console 0 3,908 K
tasklist.exe 452 Console 0 2,932 K

(excuse the bad formatting)

albertross_2

you can download and post your hijack log here for a quick analysis:

http://www.hijackthis.de/

newboy_3

Hi Guys

Sorry for the delay in responding. I think this is what you were after.

(couldn't do the windows + R thing. When I did that it came back with..' windows coul not find, blah blah, blah').


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\KService\KService.exe
C:\Program Files\Inverse IP InSight\BT\ARMon32a.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\Stuart\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.moneysavingexpert.com/forumdisplay.html?f=5
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btinternet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btinternet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Internet
O2 - BHO: CeresObj Class - !!00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - !!06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [emogxz] c:\windows\system32\emogxz.exe
O4 - HKLM\..\Run: [Dimension4] F:\D4.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
O16 - DPF: !!17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: !!1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/bt/yregucfg.cab
O16 - DPF: !!31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: !!4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: !!56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0585f4186af83ca92919/netzip/RdxIE601.cab
O16 - DPF: !!6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137957540609
O16 - DPF: !!71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - http://register.btinternet.com/templates/btmailcontrol013.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba851.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\!!2C4390BF-A5A8-4288-AB9A-4755B6C29CF5}: NameServer = 194.74.65.69 194.72.9.34
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Inverse IP InSight Client (BT) (InverseLaunchIPI_BT) - Inverse Network Technology - C:\Program Files\Inverse IP InSight\BT\LaunchIPI.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Hope this means something to you, but also hope it doesn't expose me to anything.

Use Norton antivirus. Not sure if that checks for spyware, but i haven't run a spyware check.

Thanks 'n' rgds

newboy

thewizard

you've got alot of unnecessary programs running

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"

You can stop them

Dont know about any of the others but never stop anything that has symantec or ccApp.exe in it, as this is part of your Norton AV

Rex_Mundi

thewizard wrote:

you've got alot of unnecessary programs running

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Stopping this may prevent you being notified of updates
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
If you use messenger, why would you stop this?
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
This belongs to Nero Back It Up. Stopping it may stop your backups. This is very ill advised!!!

You can stop them

Dont know about any of the others but never stop anything that has symantec or ccApp.exe in it, as this is part of your Norton AV

Hijackthis is a VERY powerful program. If you delete, or stop the wrong program, you could muck your system up completely.

I don't know how someone can advise you to stop certain applications without first asking if you use the program associated with them. You could end up with bad advice!

Chippy_Minton

O2 - BHO: CeresObj Class - !!00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll (file missing)

ceres.dll "is a module belonging to Ceres Abetterinternet Spyware". Luckily for you the file is missing so it can't load as a BHO (Browser Helper Object). Google for remove ceres.dll and remove the other files associated with it (e.g. possibly buddy.exe).

O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe

farmmext.exe "is a process associated with the Transponder parasite. It monitors your online activities and opens pop-ups based on it. This process should be removed to protect your personal privacy." Again, Google for remove farmmext.exe.

O4 - HKLM\..\Run: [emogxz] c:\windows\system32\emogxz.exe

looks suspicious, but Google couldn't find anything on it.

wolfman

Ones I would question would be:

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\KService\KService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - HKLM\..\Run: [emogxz] c:\windows\system32\emogxz.exe
O4 - HKLM\..\Run: [Dimension4] F:\D4.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

You especially don't need things like QuickTime running at startup. I don't bother with automatic updaters myself, I do it manually every so often. I find they bog the system down.

pchelpman

There is a mix of very good advice here. Particularly about NOT changing anything with HJT unless someone who know what they are talking about recommends it.

First thing, newboy, your HJT log is incomplete.The headers are missing. They will look something like this ...

Logfile of HijackThis v1.99.1
Scan saved at 17:11:41, on 02/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

As your computer is somewhat infected with malware you should go through everything in the first 4 posts to this thread first THEN post a new HJT log so we can see how it looks afterwards.

http://forums.moneysavingexpert.com/showthread.html?t=133269

newboy_3

Here are the headers you were asking after. I have just completed another scan, but haven't changed anything yet.


Logfile of HijackThis v1.99.1
Scan saved at 12:55:44, on 07/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Someone was telling me that I could stop programmes running on start up, but cant remember the steps he told me. Something to do with commend prompt and putrting startup in there. That would list all programmes , and would be able to disable from there??

I'll have a go at what you have suggested in the meantime.

Many thanks to all.

Newboy