Bad - Remove almost always
OK Most of the time - don't need to touch
Probably not needed - Safe to remove
Generally harmless - third party applications
Bad if you don't know what it is
Unknown Item - Investigate further

Logfile of HijackThis v1.99.1
Up To Date Version of HijackThis
You are using the latest version of HijackThis. Check www.merijn.org frequently for updates.

Scan saved at 6:49:54 PM, on 5/18/06
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
kernel32.dll

What is it?

kernel32.dll is a very important Windows system file.

What does it do?

Kernel32.dll is considered the core of the Windows operating system. It handles memory addressing, input/output, interrupts, etc.

More info:

There are a few common error popups that list kernel32.dll as the culprit. Search Microsoft's knowledge base at support.microsoft.com for more about kernel errors and patches to fix them.

Keep an eye on this Google search (http://www.google.com/search?hl=en&lr=&q=KERNEL32.DLL+%2Bvirus+%2Bspyware+%2Badware). Watch for kernel32.dll with viruses, spyware and adware.


C:\WINDOWS\SYSTEM\MSGSRV32.EXE
MSGSRV32.EXE
MSGSRV32.EXE is a part of Windows 9x/Me. This is a 32-bit message server. For more information on its function and why it's needed, see here.

C:\WINDOWS\SYSTEM\SPOOL32.EXE
SPOOL32.EXE
SPOOL32.EXE is your Windows printer spool handler and is important for a stable Windows OS.

C:\WINDOWS\SYSTEM\MPREXE.EXE
MPREXE.EXE
MPREXE.EXE is a part of Windows 9x/Me which allows the computer to use multiple network protocols and/or multiple network interface cards. This should always be a background process and shouldn't be ended.

C:\WINDOWS\SYSTEM\STIMON.EXE
STIMON.EXE
STIMON.EXE is a windows process that provides extra functionality when you plug in a scanner, digital camera or some type of video/image hardware.

It is called Still Image Monitor and you can read more about it here. Quote:
Still Image Monitor (Stimon.exe) is a tool that is installed by Windows Millennium Edition (Me) and Windows 98 when a Universal Serial Bus (USB) scanning device is successfully enumerated. Stimon.exe is configured to start automatically during the Windows startup process, and is loaded from the following registry key:

C:\WINDOWS\SYSTEM\MDM.EXE
mdm.exe

What is it?
Machine Debug Manager - mdm.exe

What does it do?
mdm.exe - Below is a direct quote from Microsoft found on THIS page:

The Machine Debug Manager, Mdm.exe, is a program that is installed with the Microsoft Script Editor to provide support for program debugging. The Microsoft Script Editor is included with Microsoft Office 2000, and also can be obtained from the Microsoft Windows Update Web site.

The Machine Debug Manager runs as a service and is loaded when your computer starts. If you do not use your computer for debugging purposes, you can safely turn off the Machine Debug Manager.

This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system.

Unless you're a code monkey doing some debugging turn this sucker off!


Virus Precaution:
The original file from Microsoft gets placed at C:\WINDOWS\System32\mdm.exe. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. At this time I have not found ANY viruses that run themselves using this filename. All of the results currently affect this file in some way, but do not actually run as this filename.


C:\WINDOWS\SYSTEM\MSTASK.EXE
mstask.exe
What is it?
MS Task scheduler - mstask.exe

What does it do?
mstask.exe - Gives you the ability to schedule tasks to be run on certain days and times. I use it to automate as many tasks as I possibly can.

Virus Precaution:
When googling I was able to find

W32/Opaserv -H
W32.Myparty@mm

The mstask.exe which is from Microsoft is located at c:\windows\System32\mstask.exe. If you find it anywhere else then you should be suspicious for sure.

C:\WINDOWS\SYSTEM\SSDPSRV.EXE
ssdpsrv.exe

What is it?

SSDPSRV.EXE is related to services for network plug and play functionality known as Simple Service Discovery Protocol (SSDP) and General Event Notification Architecture (GENA).

What does it do?

Starts up a web server on port 5000

More info:

Found here (http://startup.iamnotageek.com/srch-ssdpsrv.exe.html) in our startup db.


C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
CSINJECT.EXE
CSINJECT.EXE - This process is from Norton CleanSweep and is mandatory for the correct functioning of this product. It monitors your system's local configuration file to find changes made by programs. This is non-essential; only terminate it if it is causing problems.

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
KB891711.EXE
KB891711.EXE - This process was installed mainly in Windows 98. It is a Windows security update process that keeps your computer safe from internet-bound threats; this is important for a secure computer.

C:\WINDOWS\SYSTEM\mmtask.tsk
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
STMGR.EXE
STMGR.EXE - Microsoft PC state manager

C:\WINDOWS\TASKMON.EXE
taskmon.exe
taskmon.exe - The Task Monitor checks the disk-access patterns of programs when they are started and stores this information in log files in the Applog folder. Task Monitor also records the number of times you use a program. The Disk Defragmenter tool uses this information to optimize your hard disk so that programs that you use frequently are loaded faster. Not required - but can be useful. Note: for Norton Anti-Virus 2002 users, loading TaskMonitor will typically solve many, if not most, of those annoying IE scripting errors (per Symantec's Knowledgebase)

C:\WINDOWS\SYSTEM\SYSTRAY.EXE
systray.exe

What is it?

Your PC's system tray - Systray.exe

What does it do?

Systray.exe is the Windows service which handles your system tray - the collection of icons found typically at the bottom right hand of your screen. MS also describe it as:

Systray.exe is a tool for system taskbar notifications. The taskbar provides a location for programs and hardware devices to display icons. For example, if your computer supports advanced power management (APM), a Battery Meter icon can appear on the taskbar.

Virus Precautions

Systray.exe is legitimately found in C:\WINDOWS\SYSTEM32, but has been known to host viruses and trojans, and being the popular file that it is, it has also been passed off by many viruses and trojans in different folders. Some of these include:

32.Ghotex.A - Symantec
Backdoor.IRC.Aladinz.P - Symantec
Backdoor.IRC.Mutebot - Symantec
IRC/Flood.av - Network Associates
W32.HLLP.Systemp - Symantec

In any case, this Google search should keep you up to date on any virus found to reside in systray.exe or create its own phony systray.exe.

How can you tell if your systray.exe is infected outside of a virus scanner? It is said that under Windows 2000 and XP systray.exe should NOT be displayed in your list of processes in the Task Manager. If you find systray.exe in your Task Manager, chances are you have an infection.


C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
lwbwheel.exe
Mouse driver - required if you use non-standard Windows driver features

C:\WINDOWS\POWERS.EXE
PowerS.exe
PowerS.exe - This is from the University of Ottawa; it is part of the Biomech Planar motion analysis system for power analysis and graphing. This is non-essential; only terminate it if it is causing problems.

C:\PROGRAM FILES\HP CD-DVD\UMBRELLA\DVDTRAY.EXE
DVDTray.exe
HP CD/DVD Tray icon installed with the DVD writer software. Periodically checks for new drive firmware
Required: No

C:\WINDOWS\SYSTEM\WMIEXE.EXE
wmiexe.exe

What is it?
Windows Management Instrumentation - wmiexe.exe

What does it do?
wmiexe.exe - Here's a direct quote from MS about this: (source)
Effective management of PC and server systems in an enterprise network benefits from well-instrumented computer software and hardware, which allow system components to be monitored and controlled, both locally and remotely. Microsoft is committed to simplifying instrumentation of hardware and software under Microsoft® Windows® operating systems. Microsoft is also committed to providing consistent access to this instrumentation for both Windows-based management systems and legacy management systems that are hosted in other environments.

In Win98/NT/2000 this is a separate process, whereas in XP it is a part of svchost.


Virus Precaution:
The original wmiexe.exe from Microsoft is located at C:\WINDOWS\System32\wmiexe.exe. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. At this time I have not found ANY viruses that run themselves using this filename. All of the results currently affect this file in some way, but do not actually run as this filename.


C:\WINDOWS\PCTVOICE.EXE
PCTVOICE.EXE
PCTVOICE.EXE - This process is a background task installed with the PCTEL modem; for a secure computer, do not remove.

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
realsched.exe
What is it?
Real Player Scheduler - realsched.exe


What does it do?

realsched.exe - The Real Player automatic update utility. It has no real functional purpose. I would certainly stop this from running on startup.

Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of realsched.exe is C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\CFG32.EXE
cfg32.exe
We Don't know! Please post a comment with information about this file

C:\WINDOWS\PBOBXG.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
RoboTaskBarIcon.exe
Roboform - password manager and web form filler. Will work without this startup entry, as the "active" component is an integrated Internet Explorer browser plugin More information can be found here.

Quote:
Save and Remember Online Passwords
Every other site these days forces you to create a UserID and Password combination. RoboForm saves the day by saving the online passwords (AutoSave dialog) and then filling login forms from the saved data (AutoFill dialog).


C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
acrotray.exe

What is it?
Adobe Acrobat Distiller - acrotray.exe

What does it do?
While printing large files to the PDF format this process may consume large chunks of your CPU. Do not end this process if you're printing something to PDF.

Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of this file is C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe


C:\WINDOWS\GKFFX.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\PROGRAM FILES\WLAN\802.11B+G USB WLAN\ZDWLAN.EXE
ZDWlan.exe
Wireless network utility, please comment about this file and what all it does.

C:\WINDOWS\GKFFX.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\GKFFX.EXE
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

C:\WINDOWS\CFG32A.EXE
cfg32a.exe
We Don't know! Please post a comment with information about this file

C:\WINDOWS\SYSTEM\DDHELP.EXE
DDHELP.EXE
DDHELP.EXE is a part of DirectX. This is DirectDraw Helper. You should leave this process as is if you like your video and audio :)

C:\WINDOWS\EXPLORER.EXE
explorer.exe

What is it?
Windows Explorer - explorer.exe

What does it do?
explorer.exe - Below is a direct quote from Microsoft found on THIS page:

This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system.

I have found that stopping this process is needed sometimes to stop some other processes.


Virus Precaution:
The original file from Microsoft gets placed at C:\WINDOWS\System32\explorer.exe. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. There's only one unique virus found through this search. All of the results are the various names of this single virus.

Deloder-A @ Sophos
MyDoom.B @ Symantec


C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
HijackThis.exe
This is our favorite application for fighting against malware and other trashy applications that bog systems down. Our guide to using this software can be found here. We have also taken the time to write a system to process the log files created from this application here.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/
Internet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
Internet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

R3 - Default URLSearchHook is missing
Default Search Page
When using the search toolbar this is your default search. Should be either yahoo, msn or google cause all others suck

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
Unnamed BHO
Ycomp*_*_*_*.dll yt.dll - Yahoo Companion http://companion.yahoo.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
AcroIEhelper.ocx AcroIEhelper.dll - Adobe Acrobat reader http://www.adobe.com/products/acrobat/readstep2.html

O2 - BHO: (no name) - SOFTWARE - (no file)
File Missing
When a file is missing, you should always have HijackThis fix the item.

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
SDhelper.dll - SpyBot Search&Destroy http://www.safer-networking.org/index.php

O2 - BHO: Distributed Transaction Coordinator Class - {E9DC6D60-BBD5-4FEE-88CF-82B5E267ED27} - C:\WINDOWS\SYSTEM\MSDTC32.DLL
msdtc32.dll - Microsoft Distributed Transaction Coordinator Extension - see here http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/BookofSP1/8fcbafc0-26ff-4091-9dfd-e029d5a1af7d.mspx

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
Unnamed BHO
RoboForm.dll - RoboForm http://www.roboform.com/

O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\CFG32O.DLL
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\CFG32R.DLL
cfg32r.dll - BookedSpace http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453076996 adware variant

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
ScanRegistry
"Added by the NERTE TROJAN! Not to be confused with the real ScanRegistry - which is a vital Windows file. This version has the executable as nsrvnt.exe not scanregw.exe"

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
TaskMonitor
"The Task Monitor checks the disk-access patterns of programs when they are started and stores this information in log files in the Applog folder. Task Monitor also records the number of times you use a program. The Disk Defragmenter tool uses this information to optimize your hard disk so that programs that you use frequently are loaded faster. Not required - but can be useful. Note: for Norton Anti-Virus 2002 users

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
PCHealth
This is a "scheduler" and does not turn off PC Health. For more information refer here

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
SystemTray
"For Win9x/Me - System Tray Services. Provides the Volume Control

O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
Microsoft Webserver
Personal web server program which enables you to create and host a web server from your computer. Not required for most people

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
LWBMOUSE
Mouse driver - required if you use non-standard Windows driver features

O4 - HKLM\..\Run: [PowerS] "C:\WINDOWS\PowerS.exe"
PowerS
"ProlinkTest for either their AGP graphics card or TV/FM capture card. Is it required?"

O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
DVDBitSet
DVD+RW Drive/Disc Compatibility Setting. Installed with HP DVD+RW drives to enhance compatibility with existing readers. You can also set a DVD+RW default drive write mode which is always used

O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
DVDTray
HP CD/DVD Tray icon installed with the DVD writer software. Periodically checks for new drive firmware

O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
PV92TRAY
"PCtel HSP V.92 modem configuration utility"

O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
PCTVOICE
"The program PCTVoice is used by the modem to interface with your computer and also used for some V.80 functions for Video Conferencing. if you uncheck it

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LoadPowerProfile
"Added by the CABRO TROJAN! Not to be confused with the valid LoadPowerProfile entry where the command is Rundll32.exe powrprof.dll"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
TkBellExe
"Application Scheduler installed along with RealOne Player. Once installed

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
RegShave
"Part of the USB driver for your Fuji digital cameras - used when uninstalling the USB drivers

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
QuickTime Task
System Tray access to Apple's "Quick Time" viewer from version 5 onwards

O4 - HKLM\..\Run: [defender] C:\\DEFENDER19A.exe
defender
"DollarRevenue adware"

O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
Configuration Manager
"Added by the SDBOT TROJAN!"

O4 - HKLM\..\Run: [prssxe] C:\WINDOWS\pbobxg.exe reg_run
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [SpywareBot] C:\PROGRAM FILES\SPYWAREBOT\SpywareBot.exe -boot
SpywareBot
"SpywareBot spyware remover - not recommended

O4 - HKLM\..\Run: [sys0232731474] C:\WINDOWS\sys0232731474.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [ms0473147432] C:\WINDOWS\ms0473147432.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [win320747432731] C:\WINDOWS\win320747432731.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [sys0874327314] C:\WINDOWS\sys0874327314.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [sys0143273147] C:\WINDOWS\sys0143273147.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [win320874327314] C:\WINDOWS\win320874327314.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.5\THGUARD.EXE"
THGuard
"Resident memory scanning for TrojanHunter"

O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
StillImageMonitor
"Stimon.exe enables a USB still-image device (such as a scanner) to initiate data transfer to a program. For example

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
Machine Debug Manager
Used by developers for debugging and is a component of several MS products including Office and Visual Studio. Those who have encountered it have unchecked it with no degradation in performance. It may cause your computer to "hang" if you have Visual Studio installed and this disabled because it appears to take over error handling - hence the U recommendation. For this entry it loads under the "RunServices" key in Me (located in C:\WINDOWS\SYSTEM). It also loads a service in XP/Vista (located in %ProgramFiles%\Common Files\Microsoft Shared\VS7Debug)

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LoadPowerProfile
"Added by the CABRO TROJAN! Not to be confused with the valid LoadPowerProfile entry where the command is Rundll32.exe powrprof.dll"

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
SchedulingAgent
"MS Scheduling Agent in Win98/Me/2K - displayed as a box with a stopwatch in the System Tray that is only needed if you have regular scheduled disk defragmenting

O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
SSDPSRV
"Simple Service Discovery Protocol (SSDP) and General Event Notification Architecture (GENA) services for network plug and play functionality. Starts up a web server on port 5000. Used by Universal Plug and Play (for network device discovery). To remove this program

O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
CSINJECT.EXE
Part of Quarterdeck/Norton CleanSweep. "Csinject must be loaded in order for Smart Sweep to automatically monitor installations and properly track registry changes"

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
*StateMgr
Windows ME default for System Restore. Do NOT disable!

O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
KB891711
"Installed by the Windows KB891711 critical update

O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
SpybotSnD
"Main program part of the popular Spybot - Search & Destroy spyware removal tool from Safer Networking Limited. A number of other options are available if this runs at start up (enabled under Mode → Advanced : Settings → Settings → Automation → System Start) - including autocheck

O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE" "+b1"
AAW
"Ad-Aware SE Personal from Lavasoft - popular spyware/adware removal tool. Now superseded by Ad-Aware 2008 Free"

O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
uoltray
Netzero free ISP software - not required

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
RoboForm
"Roboform - password manager and web form filler. Will work without this startup entry

O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
RealPlayer
System Tray icon for RealPlayer. If you subsequently start RealPlayer manually it adds itself back to the start-up list. You can stop this from happening by right-clicking on the tray icon and disabling StartCenter via Preferences

O4 - HKCU\..\Run: [loyty] C:\WINDOWS\pbobxg.exe reg_run
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE


O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe


O4 - Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe


O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe


O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe


O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe


O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe


O4 - Startup: 802.11b+g USB Wireless LAN Utility.lnk = C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe


O4 - Startup: iiace.exe


O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Internet Explorer Restrictions
Spybot uses this to lock your homepage. Otherwise ask your administrator. If you're the administrator and you don't know what this is go ahead and clear it.

O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
Internet Right Click Menu
Most of the time this is garbage; leave it only if you actually use this function. Otherwise, for the sake of cleanliness, get rid of this sucker. A wise man once said cleanliness is next to godliness.

O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
Internet Right Click Menu
Most of the time this is garbage; leave it only if you actually use this function. Otherwise, for the sake of cleanliness, get rid of this sucker. A wise man once said cleanliness is next to godliness.

O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Internet Right Click Menu
Most of the time this is garbage; leave it only if you actually use this function. Otherwise, for the sake of cleanliness, get rid of this sucker. A wise man once said cleanliness is next to godliness.

O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
Internet Right Click Menu
Most of the time this is garbage; leave it only if you actually use this function. Otherwise, for the sake of cleanliness, get rid of this sucker. A wise man once said cleanliness is next to godliness.

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
Windows Messenger
Related to Microsoft's Windows Messenger.

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
Windows Messenger
Related to Microsoft's Windows Messenger.

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
Real.com
Related to Real Player

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
Sun Java Console
Related to Sun Java

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
Sun Java Console
Related to Sun Java

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
RoboForm
Related to Roboform Password Manager and Web Form Filler that completely automates password entering and form filling. Note: file is found under the C:\Program Files\Siber Systems\AI RoboForm folder.

O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
RoboForm
Related to Roboform Password Manager and Web Form Filler that completely automates password entering and form filling. Note: file is found under the C:\Program Files\Siber Systems\AI RoboForm folder.

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
Compila
Related to Roboform. Note: file is located under C:\Programmi\Siber Systems\AI RoboForm

O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
Compila
Related to Roboform. Note: file is located under C:\Programmi\Siber Systems\AI RoboForm

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Save Forms
Related to Roboform Password Manager and Web Form Filler that completely automates password entering and form filling. Note: file is found under the C:\Program Files\Siber Systems\AI RoboForm folder.

O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Save Forms
Related to Roboform Password Manager and Web Form Filler that completely automates password entering and form filling. Note: file is found under the C:\Program Files\Siber Systems\AI RoboForm folder.

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
IE Plugins
Adds support for additional file types such as PDF files

O16 - DPF: {F104576A-91BA-40AD-91DE-2C20801339AB} - http://www.search-climbers.net/download/Keywords.cab
Keywords001.dll - "KeyWords" parasite

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_02) -
i586.cab
Sun Microsystems Java_Software

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
Unnamed BHO
http://java.sun.com/j2se

O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://nnrmls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
Unnamed BHO
http://www.microsoft.com/genuine/downloads/WhyValidate.aspx?FamilyID=b446ae53-3759-40cf-80d5-cde4bbe07999&displaylang=en

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
Unnamed BHO
asinst.cab - Panda AV related