Digit Technology Discussion Forum > Portables, Peripherals and Electronics > QnA (read only)
Old 27-11-2004, 06:03 AM   #1 (permalink)
Right Off the Assembly Line
 
Join Date: Nov 2004
Location: Peep out of ur monitor!
Posts: 6
Default Great Problem


I run Windows XP Professional on a 1.7 GHz Pentium 4 processor with 256 MB RAM and a 40 GB HDD. These are the processes that run in the background on my computer:
SVCHOST.EXE - LOCAL SERVICE
System Idle Process - SYSTEM
System - SYSTEM
SMSS.EXE - SYSTEM
CSRSS.EXE - SYSTEM
WINLOGON.EXE - SYSTEM
SERVICES.EXE - SYSTEM
LSASS.EXE - SYSTEM
SVCHOST.EXE - SYSTEM
SVCHOST.EXE - SYSTEM
SPOOLV.EXE - SYSTEM
INETINFO.EXE - SYSTEM

1) Is there any process in the above list which can be ended after the computer is switched on, so that I can free more RAM?

2) LSASS.EXE is a code for the Sasser Trojan Virus. It runs among my other system processes. I tried the Sasser Removal Tool from Symantec, but it said my PC is not infected by it. Is my PC really not infected? Or was the virus able to hide from the glitches of the tool?

3) Is there any other process in the above list which you suspect is a Trojan virus or worm process? If yes, please tell me about it and how to get rid of it.

Please do help.
__________________
I am the old sonuchandrakar of this forum, but with a new ID, forever. Check out [url]http://www.zonearea.com[/url]
Nighthawk is offline  
Old 27-11-2004, 07:14 AM   #2 (permalink)
Alpha Geek
 
NikhilVerma's Avatar
 
Join Date: May 2004
Location: India
Posts: 930
Default

2) lsass.exe is not a virus dude.

Post your HijackThis log file for a better assessment of the problem 8)
NikhilVerma is offline  
Old 27-11-2004, 08:56 AM   #3 (permalink)
Broken In
 
Join Date: Oct 2004
Location: Nagpur
Posts: 149
Default

m8, inetinfo.exe is the service for IIS Server - I think none of the personal home users need IIS Server.
Also go to the Run command and enter "c:\WINDOWS\system32\services.msc" to start the Services management console; in it, check which services are really required by you and disable the services you really don't require. Hey, but be sure about what you are disabling, coz it can even cause your system to malfunction.
__________________
"I was born INTELLIGENT
But EDUCATION ruined me!!!!"

AMD 64 3200+ (Winchester), MSI RS480M2-IL, 512*2 DDR400 Hynix, Seagate 80 GB SATA, LG E700SH, i-benz with Intex PS (400 W)
technoteen is offline  
Old 27-11-2004, 01:17 PM   #4 (permalink)
Right Off the Assembly Line
 
Join Date: Nov 2004
Location: Peep out of ur monitor!
Posts: 6
Default

Hey Nikhil ......... how do I post my HijackThis log file?
BTW Thanx for the help.
Nighthawk is offline  
Old 27-11-2004, 01:27 PM   #5 (permalink)
In The Zone
 
Join Date: Feb 2004
Location: Chennai
Posts: 300
Default

INETINFO.EXE - SYSTEM

This is only for IIS 5.0! which functions under the inetpub dir. You can end this process. I don't think these stuffs wud bring ur RAM down.

Coz these are the basic files that need to be running. My better advice wud be: Upgrade to 256 MB RAM! So that u can have some fun.

And I had 128 MB till 1 month back. Now 128 + 512 MB Ram Rocks !
__________________
Vande Mataram - Two words that became a Fiery War Cry and Electrified the nation towards Freedom. A mantra that instills a sense of Pride and belonging.
go4inet is offline  
Old 27-11-2004, 04:30 PM   #6 (permalink)
Coming back to life ..
 
it_waaznt_me's Avatar
 
Join Date: Nov 2003
Location: A bit closer to heaven
Posts: 1,997
Default

Please post your HijackThis logfile for a better assessment of your problem.
__________________
Sleight of hand and twist of fate...
On a bed of nails she makes me wait...
And I wait without you ...
With or without you ..
----
Batty = Too Busy Now !!!
it_waaznt_me is offline  
Old 27-11-2004, 05:34 PM   #7 (permalink)
Alpha Geek
 
mariner's Avatar
 
Join Date: Dec 2003
Location: mumbai
Posts: 522
Default

visit www.blackviper.com to get in-depth knowledge of the processes running in the background.

even dexy has written about it in the TA forums. u can download the text file from there too.

visit www.softpedia.com for downloading "hijackthis".

lastly, as vinay said, upgrade ur ram if possible.
mariner is offline  
Old 27-11-2004, 06:30 PM   #8 (permalink)
Wise Old Owl
 
alib_i's Avatar
 
Join Date: Jun 2004
Location: omnipresent
Posts: 1,191
Default

you cannot stop all the svchosts ... (services hosts exe file)
but instead you need to stop a few unnecessary services ..
go to start->run->services.msc
look for services which are of no use ...
if u dont know which to stop and which not to .. then look up in the forum ..
you'll see a few posts related to this ..
__________________
What I've felt, What I've known; Never shined through in what I've shown
Never free, Never me; So I dub thee unforgiven
-Metallica
alib_i is offline  
Old 28-11-2004, 05:28 AM   #9 (permalink)
Right Off the Assembly Line
 
Join Date: Nov 2004
Location: Peep out of ur monitor!
Posts: 6
Default

Here is my HijackThis scan result:

Logfile of HijackThis v1.98.2
Scan saved at 5:27:48 AM, on 11/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Softwares\Norman\Nvc\Bin\Zanda.exe
D:\SOFTWARES\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\SOFTWARES\NORMAN\Nvc\BIN\NYMSE.EXE
D:\SOFTWARES\NORMAN\Nvc\BIN\NIP.EXE
D:\SOFTWARES\NORMAN\Nvc\BIN\nvcoas.exe
D:\SOFTWARES\NORMAN\Nvc\BIN\nipsvc.exe
D:\SOFTWARES\NORMAN\Nvc\BIN\NJEEVES.EXE
D:\SOFTWARES\NORMAN\Nvc\BIN\NVCSCHED.EXE
D:\SOFTWARES\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
D:\Softwares\Mozila\firefox.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
D:\Softwares\Messenger\YPager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Suraj Chandrakar\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Norman ZANDA] D:\SOFTWARES\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://D:\Softwares\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://D:\Softwares\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://D:\Softwares\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://D:\Softwares\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\SOFTWA~1\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\SOFTWA~1\MESSEN~1\YPAGER.EXE
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA806B07-DF40-402D-AD60-BAAD9073DD58}: NameServer = 202.144.96.4 202.144.50.4
__________________
I am the old sonuchandrakar of this forum, but with a new ID, forever. Check out [url]http://www.zonearea.com[/url]
Nighthawk is offline  
Old 28-11-2004, 03:56 PM   #10 (permalink)
Coming back to life ..
 
it_waaznt_me's Avatar
 
Join Date: Nov 2003
Location: A bit closer to heaven
Posts: 1,997
Default

Quote:
Originally Posted by Nighthawk
Platform: Windows XP (WinNT 5.01.2600) <-- Install SP2 as soon as possible
Your logfile is clean except for :
Quote:
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
it_waaznt_me is offline  
Old 30-11-2004, 12:44 PM   #11 (permalink)
nipun_the_gr8
Guest
 
Posts: n/a
Default

This is mine :

Logfile of HijackThis v1.98.2
Scan saved at 12:43:50 PM, on 11/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Cursor XP\CursorXP.exe
C:\Program Files\Desktop Architect\datray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\NIPUNN\My Documents\Setups\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediffmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Nipun's Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\Cursor XP\CursorXP.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1CDCB38-DFC1-4F27-9ECD-2D4B5249FB15}: NameServer = 202.138.97.193 202.138.96.2
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - (no file)

Plz tell me if there is any problem.........
 
Old 30-11-2004, 07:59 PM   #12 (permalink)
Alpha Geek
 
Join Date: May 2004
Location: Mumbai
Posts: 525
Default

Phew!
That's huge...
amitsaudy is offline  
Old 30-11-2004, 08:03 PM   #13 (permalink)
In The Zone
 
Join Date: Feb 2004
Location: Chennai
Posts: 300
Default

Hmm... if everyone starts showing their hijack, this is gonna turn into a SPAM thread!
go4inet is offline  
Old 01-12-2004, 12:26 AM   #14 (permalink)
Coming back to life ..
 
it_waaznt_me's Avatar
 
Join Date: Nov 2003
Location: A bit closer to heaven
Posts: 1,997
Default

Quote:
Originally Posted by nipun_the_gr8
C:\Program Files\Desktop Architect\datray.exe
<-- How come this is running...??? Desktop Architect was meant for theming in Win9X only, and not in Win XP. You should uninstall it, as MS had themselves put it under the not-supported programs list....


Put a checkmark next to these entries and click on Fix Checked ..
Quote:
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - (no file)
it_waaznt_me is offline  
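The review done by eye in posts #10 and #14 (pick out the entries whose target is "(no file)", and look at the autostart entries) as a script. This is an added example, not part of the thread; the sample log is a constructed excerpt of the lines posted above, and the function name Get-HjtFindings is my own.

```powershell
# Constructed sample: an excerpt of the HijackThis entries posted in this thread
$SampleLog = @'
Logfile of HijackThis v1.98.2
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Desktop Architect\datray.exe

O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA806B07-DF40-402D-AD60-BAAD9073DD58}: NameServer = 202.144.96.4 202.144.50.4
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - (no file)
'@

function Get-HjtFindings {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Every HijackThis entry has the shape "<section code> - <entry>";
        # header lines and the running-process paths do not, and are skipped.
        if ($line -match '^(R\d|O\d+) - (.*)$') {
            $code   = $Matches[1]
            $entry  = $Matches[2]
            $reason = $null
            if ($entry -like '*(no file)') {
                # Orphaned registry entry: the CLSID points at a file that is gone.
                # These are the entries the replies marked for "Fix Checked".
                $reason = 'dangling reference, safe to fix'
            } elseif ($code -eq 'O4') {
                # Autostart entries get a manual look: post #14 flagged one because the
                # program (Desktop Architect) is unsupported on XP, not because it is malware.
                $reason = 'autostart entry, review whether the program is still wanted'
            }
            if ($reason) {
                [pscustomobject]@{ Code = $code; Entry = $entry; Reason = $reason }
            }
        }
    }
}

$lines = $SampleLog -split "`r?`n"
Get-HjtFindings -Lines $lines | Format-Table -AutoSize -Wrap

# The other check post #10 made: the Platform line names no service pack.
$platform = $lines | Where-Object { $_ -like 'Platform:*' }
if ($platform -and $platform -notmatch '\bSP\d\b') {
    Write-Warning "$platform -> no service pack reported; install SP2"
}
```

On the sample above the table lists the O4 entry and the three "(no file)" entries (two O9, one O21), and the O17 NameServer line is left alone, matching "Your logfile is clean except for" in post #10.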
Old 01-12-2004, 05:23 PM   #15 (permalink)
nipun_the_gr8
Guest
 
Posts: n/a
Default

Well...........
I use it to make the desktop icon text background transparent & to outline the icon text with black...........
Is there any other way I can do dat without usin' Desktop Architect?
 
Old 02-12-2004, 01:05 AM   #16 (permalink)
I'm back!
 
Join Date: May 2004
Location: Mumbai, Maharashtra
Posts: 65
Default Solutions for NightHawk and Nipun

nipun_the_gr8 wrote:
Well...........
I use it to make the desktop icon text background transparent & to outline the icon text with black...........
Is there any other way I can do dat without usin' Desktop Architect?


Your HijackThis log file shows that you are running Windows XP.
So, the good news for you Nipun is that there's no need for you to run Desktop Architect to have transparent backgrounds for your icons on your desktop anymore.

Here's how you can have that same effect in Win XP:

1. Right-Click on "My Computer" and Select "Properties".
(TIP: You may just hit Windows Key + Pause/Break)

2. Click on the "Advanced" Tab.

3. Click on "Settings" under "Performance".

4. Under "Visual Effects" check the option "Use drop shadows for icon labels on the desktop".
(2nd Last Option)


NightHawk wrote:
1) Is there any process in the above list which can be ended after the computer is switched on, so that I can free more RAM?


INETINFO.EXE - SYSTEM
NightHawk, if you are NOT running a webserver off your PC with a properly configured firewall, THEN technically speaking every time you get online you are highly vulnerable to being hacked by hackers or some other automated exploit scripts looking for victims worldwide at random.

And yes, running IIS (Internet Information Server) does tax your RAM!!
So, here's how you can stop it from starting up automatically at boot-up.

1. Open Command Prompt (cmd.exe) and Run: "net stop iisadmin"

2. If it prompts you that some other services are dependent, press 'y' to confirm the operation.
(The other two services dependent on IIS are "SMTP" service and "WWW Publishing". These are not critical to your system, so you can safely terminate them along with the "iisadmin")

3. Now, Click on "Start" > "Run" and Run "services.msc".

4. Now find "IIS Admin", "Simple Mail Transfer Protocol" and "World Wide Web Publishing".

5. Double-Click and Set "Startup type" for "IIS Admin" to "Disabled" and for the other two to "Manual".

6. Restart your system to find that INETINFO.EXE is gone!!
__________________
Little Knowledge is Dangerous but a lot of Ignorance is just as Bad!
Minimalistix is offline  
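The six steps above as one script, added here as an example and not part of Minimalistix's post. It assumes an elevated PowerShell session on a current Windows (PowerShell did not exist on XP in 2004; there the net stop / services.msc steps as written are the way), and uses the short service names IISADMIN, W3SVC and SMTPSVC that stand behind the display names "IIS Admin", "World Wide Web Publishing" and "Simple Mail Transfer Protocol".

```powershell
# Startup types exactly as step 5 sets them: IIS Admin -> Disabled, the two dependents -> Manual
$Plan = @(
    @{ Name = 'IISADMIN'; StartupType = 'Disabled' }
    @{ Name = 'W3SVC';    StartupType = 'Manual'   }
    @{ Name = 'SMTPSVC';  StartupType = 'Manual'   }
)

function Disable-LocalIis {
    param([hashtable[]]$Services)
    foreach ($svc in $Services) {
        $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
        if (-not $s) {
            # IIS is an optional component; on most home machines it is simply absent
            Write-Host "$($svc.Name): not installed, nothing to do"
            continue
        }
        if ($s.Status -ne 'Stopped') {
            # -Force also stops dependent services, the same as answering 'y' to
            # "net stop iisadmin" in step 2; IISADMIN comes first in $Plan for that reason
            Stop-Service -Name $svc.Name -Force
        }
        Set-Service -Name $svc.Name -StartupType $svc.StartupType
        $after = Get-Service -Name $svc.Name
        Write-Host "$($svc.Name): $($after.Status), startup type set to $($svc.StartupType)"
    }
}

Disable-LocalIis -Services $Plan

# Step 6 without waiting for the reboot: inetinfo.exe should no longer be running
if (Get-Process -Name inetinfo -ErrorAction SilentlyContinue) {
    Write-Warning 'inetinfo.exe is still running; reboot and check again'
} else {
    Write-Host 'inetinfo.exe is gone'
}
```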
 
