PCMech Forums > Windows Support > Windows Legacy Support (XP and earlier)

#1, 11-13-2005, 02:57 PM, Pseudo (Member, Edmonton, Alberta; joined Oct 2005; 32 posts)
50 processes !!

Hey guys. I was going through my process list when I realized I don't know more than half of the names and that I was running so many processes. I had Trillian, MSN, Firefox, Printkey (always running in background - handy printscreen tool) and I think an FTP program running.

Other system info...Norton Internet Security, Omega Drivers + Multires and ati-taskbar, ad-aware + ad-watch, use itunes (I think that's where the ipod helper is from).

I'll post the image of my processes. Any feedback would be appreciated. Maybe even things I don't want running or can get not to run.

http://pseudo.dynamized.com/processes.jpeg

Cheers.

Last edited by Statica; 11-13-2005 at 08:39 PM. Reason: Changed inline image to link
#2, 11-13-2005, 03:32 PM, J1978 (Member; joined Jul 2004; 422 posts)
Hi, that's quite a few... Here you can check every process to see what you can get rid of.
#3, 11-13-2005, 03:43 PM, rspassey (~ Ryan ~, Jackson TN; joined Jun 2005; 3,516 posts)
Go over to the security forum area and read the sticky on HijackThis, then proceed with downloading it and running it FOLLOWING the guidelines pointed out in the sticky. Then post up your thread here and I will take a shot at cleaning it up. I have a feeling you have some unnecessary startup programs and potential malware.
#4, 11-13-2005, 07:02 PM, Pseudo (Member, Edmonton, Alberta; joined Oct 2005; 32 posts)
Okay Ryan, I did an Ad-Aware scan and virus check. Also closed all programs before running HijackThis. Here are the log results. I hope I did everything right :S

Quote:
Logfile of HijackThis v1.99.1
Scan saved at 5:59:19 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\sm56hlpr.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Compaq_Owner\My Documents\My Received Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox?client=...en-US:official
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Radeon Omega Drivers\v2.6.75a\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
#5, 11-13-2005, 07:22 PM, rspassey (~ Ryan ~, Jackson TN; joined Jun 2005; 3,516 posts)
You will want to boot in safe mode, then search for and delete the file below, and then run HJT and have it fix the entry. It is spyware which is gathering information.

C:\WINDOWS\ALCXMNTR.EXE (find and delete this one)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE (have HJT fix this one)


This might help a little bit.

For the R1s, if the URL is your homepage, it's OK. If it is not, check it and have HijackThis fix the entry.

You can see now that you only have 33 processes running - much better than before. A lot of your processes before were directly related to Norton A/V - I am not a fan of it as it does use quite a bit of system resources, but it does a nice job at protecting a computer.

I hope that helps a bit - might not free up as many processes but I found a spyware entry.

Last edited by rspassey; 11-13-2005 at 07:24 PM.
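The triage Ryan does by eye on the log in post #4 (an O4 Run entry that names an executable with no directory, and R0/R1 browser URLs that should match the homepage the owner expects) can be automated. The script below is an added example for this thread, not HijackThis code and not something any poster wrote. It parses HijackThis-style lines with regular expressions and flags three things: O4 entries whose command is a bare filename (Windows resolves those by search order, so the log gives no provenance for what actually runs), R0/R1 URL entries whose host is not on an allowlist, and entries marked "(file missing)". The allowlist of expected hosts and the sample log are my own constructions; the sample mixes lines copied from the log above with one constructed suspicious Search Bar URL on a reserved `.invalid` domain.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for the thread; not HijackThis's own code.
Heuristics (assumed, not from the thread):
  * O4 entries whose command has no directory component are flagged
    ("bare-filename"), because the loader resolves them by search order.
  * R0/R1 browser URL entries whose host is not in EXPECTED_HOSTS are
    flagged ("unexpected-url").
  * Any line containing "(file missing)" is flagged ("missing-file").
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: the OEM redirect host and the owner's Firefox start page.
EXPECTED_HOSTS = {"ie.redirect.hp.com", "www.google.ca"}

# "O4 - HKLM\..\Run: [Name] command"  or  "O4 - Startup: file.exe" (no [Name]).
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# "R1 - HKCU\...\Main,Search Page = http://host/path"
R_RE = re.compile(r"^R[01] - (?P<key>[^=]+)= (?P<url>\S+)$")


def _command_path(cmd):
    """Return the executable part of a Run command, dropping switches like /run."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def classify(line):
    """Classify one log line: returns (verdict, detail)."""
    line = line.strip()
    if "(file missing)" in line:
        return ("missing-file", line)
    m = O4_RE.match(line)
    if m:
        path = _command_path(m.group("cmd"))
        if "\\" not in path and "/" not in path:
            return ("bare-filename", path)
        return ("ok", path)
    m = R_RE.match(line)
    if m:
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host not in EXPECTED_HOSTS:
            return ("unexpected-url", host)
        return ("ok", host)
    return ("ignored", line)


def triage(lines):
    """Group flagged details by verdict; 'ok' and 'ignored' lines are dropped."""
    findings = {}
    for line in lines:
        verdict, detail = classify(line)
        if verdict not in ("ok", "ignored"):
            findings.setdefault(verdict, []).append(detail)
    return findings


# Constructed sample: real lines from the thread's log plus one invented
# Search Bar entry pointing at a reserved .invalid host.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Startup: PowerReg Scheduler.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox?client=...en-US:official
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.constructed-example.invalid/?q=
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

if __name__ == "__main__":
    for verdict, details in triage(SAMPLE_LOG.splitlines()).items():
        print(verdict)
        for d in details:
            print("   ", d)
```

On the sample, the bare-filename bucket comes out as sm56hlpr.exe, atiptaxx.exe, ALCXMNTR.EXE and PowerReg Scheduler.exe; those are exactly the entries where the log alone cannot tell you which file on disk will be loaded, so they are the ones worth locating by hand (as Gary notes further down, with the correct spelling) before deciding whether they are a driver helper or something unwanted. A flagged host is not proof of hijacking; the allowlist only encodes what this owner said they expect, and the usual next step is to compare the entry against the homepage the user actually set.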
#6, 11-13-2005, 07:50 PM, Pseudo (Member, Edmonton, Alberta; joined Oct 2005; 32 posts)
Okay thanks, I will be booting in safe mode to do those in a second. I forgot to mention that I found this on Ad-Aware. Hopefully it is the one you detected.

Also, what virus scanner/firewall do you recommend? I use Avast on my other computer and ZoneAlarm. I have used AVG Free previous to this.

Thanks. And I'll let you know how the fix goes
#7, 11-13-2005, 07:55 PM, rspassey (~ Ryan ~, Jackson TN; joined Jun 2005; 3,516 posts)
I use a medley of AV and firewalls on my computer. For AV right now it is Avast, and the software firewall is ZoneAlarm. Both I would recommend very much. I also think some sort of router is needed - if you have one then you're good; if not, I would seriously consider thinking about it. I also recommend using SpywareBlaster; it is a great tool and I would definitely say add it to your arsenal.
Also, do you mind if I copy your HJT log onto my site, SecurePc, and leave it there for further examination? I have been known to spend over two hours on logs before, so I might be able to pick out something else. Good luck.
#8, 11-13-2005, 07:56 PM, Pseudo (Member, Edmonton, Alberta; joined Oct 2005; 32 posts)
Yeah, sure, you can archive the log. I don't believe there is anything on it that can be traced to me.
#9, 11-13-2005, 07:57 PM, rspassey (~ Ryan ~, Jackson TN; joined Jun 2005; 3,516 posts)
No, there is not.
#10, 11-13-2005, 08:14 PM, Pseudo (Member, Edmonton, Alberta; joined Oct 2005; 32 posts)
I started in safe mode and did what you instructed. However...aclxmonitor comes up again when I do another test. In windows aclxmonitor is still deleted though. Same with R1.
#11, 11-13-2005, 08:49 PM, rspassey (~ Ryan ~, Jackson TN; joined Jun 2005; 3,516 posts)
Try this.
- Enter msconfig (run > msconfig > startup)
- search the entries for ACLXMONITOR
- uncheck the box
- save settings and reboot
- rerun HJT and see if it is there

Does it now show up with "(file missing)" at the end?
#12, 11-13-2005, 08:59 PM, GaryRouth (Member, Woodland Hills, CA (suburb of Los Angeles); joined Nov 2001; 4,014 posts)
Most of your processes look pretty legitimate, though the RealTek Monitor is annoying - it's not the worst. It's apparently loading from the HKEY_Local_Machine/Software/Microsoft/Windows/CurrentVersion/Run or RunService key. You can use regedit to remove it from there if you'd like (visit a tutorial about Registry editing, though, if you haven't before).

If your CPU is a good one, it can handle a lot of work. What will slow things down is if you end up needing to use your swap file much. You can check that in Task Manager - from time to time, see how much memory is free. If you've used up most or all of what's available, a little extra from a new module might help. [Of course, make sure it matches, and doesn't exceed the maximum size module for your motherboard.]

I'm sure ryan will find anything that's not kosher with the startups.

The Coulomb Dialer is sometimes a false positive for a "Groove" player often used to play certain online games (the Nick Jr. site requires these, for example). I'll assume you've removed the entry already, which is the safe thing to do. I believe the latest Ad-Aware definitions don't falsely identify the game software anymore. [If you really had the dialer, and you have a modem in your PC, you'd have a bunch of area code 900 calls on your phone bill! - it's a porn dialer.]

Best of luck
. . . Gary

[Another good malware double-check tool that I like to recommend is Trend Micro's HouseCall - http://housecall.trendmicro.com - it does require that you allow its ActiveX control to run, but it's specific to the scan.]

LATE EDIT - just saw your latest posts:
1) be sure you spell that process correctly when searching, it's "Alcxmntr.exe" and not "ACLx..."

Last edited by GaryRouth; 11-13-2005 at 09:03 PM.
#13, 11-13-2005, 09:28 PM, glc (Forum Administrator, Staff, Premium Member, Joplin MO; joined May 2000; 37,791 posts)
alcxmntr.exe is installed alongside hardware drivers for the Realtek AC97 audio device. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.
#14, 11-13-2005, 09:32 PM, rspassey (~ Ryan ~, Jackson TN; joined Jun 2005; 3,516 posts)
glc, where did you find that? Everything I found stated that it is a monitoring program, and should be removed especially if you have had instances with other spyware.

Quote:
(ALCXMNTR.EXE)
Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers.


This is a nasty process! You should fix it and try to delete it manually!

Last edited by rspassey; 11-13-2005 at 09:35 PM.
#15, 11-13-2005, 10:04 PM, Pseudo (Member, Edmonton, Alberta; joined Oct 2005; 32 posts)
The regedit method finally got rid of it. Thanks a lot for the help, guys.