[SOLVED] Erianthia's computer is running slow...

[Lyte]

Howdy y'all,

Erianthia sent me a list of her running processes and I'd appreciate some feedback on what we know to be necessities vs. optionals vs. malware.

• The ones I recognize as necessary I've highlighted in GREEN. Those are process I think are keepers.

• If there is something that I don't recognize, can't define and/or think it's malware. I'm going mark it in RED. You should verify the nature of these processes!

• If the item looks okay but is optoinal it will not be colored.

Erianthia, please don't take this post as the last word on what you can turn off, delete or keep running! This it just intended to give you a jump start as to why your computer is running slow. The items in RED will require further investigation on your part. Don't turn anything off or delete anything unless you are certain of what it does.

If anyone disagrees with any of my findings please feel free to respond, state why and add a link supporting your info. This is a GOOD learning opportunity for all of us.

System Idle Process
System
SMSS.EXE - Microsoft Windows Operating System
winlogon.exe
SERVICES.EXE
lsass.exe
sychost.exe
sychost.exe
CCSETMGR.EXE - Norton Anti-Virus - Runs in the background.
CCSETMGR.EXE- Norton Anti-Virus - Runs in the background.
CCPROXY.EXE - Symantec Internet Security Suite
SNDSrvc.exe - Norton AntiVirus Scan Service
SPBBCSvc.exe - Symantec Internet Security Service
symlcsvc.exe - Norton Internet Security Suite
spoolsv.exe
AluSchedulerSvc - Symantec LiveUpdate Scheduler
NAVAPSVC.EXE - Norton AntiVirus Auto-Protect Service
NICServ.exe - Wireless Communications Helper
NPROTECT.EXE - Background Process - Symantec Internet Security Suite
regsvc.exe - "Remote Registry Service" This may be adware! Look here and here
scardsvr.exe
mstask.exe
NOPDB.EXE - Norton Utilities / Norton Systemworks
WinMgmt.exe
sychost.exe - This may be the "LEOX.B VIRUS" virus! Look here and here and here.
explorer.exe
taskmgr.exe
SymTray.exe
CCAPP.EXE -CCAPP.EXE
WFXNT40.EXE - This one does not Google.
Gcc.exe
OdHost.exe - Wireless-G Notebook Adapter Process
IEXPLORE.EXE
Cleaner.exe - Not familar with this one... could be "Zappit System Cleaner."
NCSRVCE.EXE - This one does not Google.

Now, since it looks like you may have a virus you've got another step to go. I'd recommend creating a HIJACKTHIS log and posting it over on Geeks2Go or Malware Removal. Either of these sites will be able to confirm whether or not you have a virus and they'll guide you on how to remove it! We're not doing HJT logs yet on PC101 but hopefully soon.

Keep us posted!

Lyte

[firestorm]

Did she get a HJT log(would help alot)?
The ccAPP is Norton's. It shouldn't be deleted. Norton's is a resource hog . Will do more research on this tonight. Gotta get back to work

[OulZac]

WFXNT40.EXE - is an executable which deals with the WinFax communication process. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.

NCSRVCE.EXE - relates to newer norton (2005 and up) auto scan services, this is safe.

the only ones that would concern me are: sychost.exe - this is a trojan, and needs to be cleaned ASAP!

regsvc.exe - unless you recently turned your home pc into a server, then this is another trojan, and needs to be cleaned ASAP!

Cleaner.exe - if you did not put this there, or are not the one who added it, then it could be linked to regsvc.exe to back track steps. regadless if you installed it or not, remove it if you are unsure.

First things first, shut down these process, then reboot into safe mode, run your virus scanner, if nothing comes up, reboot back into normal mode, download the hijackthis, install it, reboot back into safe mode, and run it, then post the log, and we can walk you thorugh the remove process depending on what all is infected.

[Lyte]

Quote:

Originally Posted by firestorm

Did she get a HJT log(would help alot)?
The ccAPP is Norton's. It shouldn't be deleted. Norton's is a resource hog . Will do more research on this tonight. Gotta get back to work

Very true on both counts!

I would definately run a HJT because looking at processes will NOT show you everything. Heck, even the standard HJT won't show everything but will show a lot more.

I compared her running process for Norton against mine for McAfee and it does look like Norton has much more going on in the back ground.

Lyte

[Lyte]

Quote:

Originally Posted by OulZac

1 WFXNT40.EXE.... 2. NCSRVCE.EXE ..... 3..regsvc.exe -

1. & 2. These two Googled as "Do you mean... " and then gave me another spelling for them. Why are these spelled differently??

3. Where did you read this as a virus?

[OulZac]

Quote:

Originally Posted by Lyte

1. & 2. These two Googled as "Do you mean... " and then gave me another spelling for them. Why are these spelled differently??

3. Where did you read this as a virus?

I didnt google any of them, I know what the first two are as I have them on a work computer for those things, winfax has that exe and norton 2006 has that exe.

* this was just google for this referance however* regsvc.exe is a system service in Windows Server Suite. It allows remote computers to access the local registry. Some local programs also use this service in order to edit the registry. This program is important for the stable and secure running of your computer and should not be terminated, if you are running Windows Server Suite.

Note: regsvc.exe is also a process belonging to the Ace Spy advertising program by Retina-X Studios. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.

[Lyte]

Quote:

Originally Posted by OulZac

Note: regsvc.exe is also a process belonging to the Ace Spy advertising program by Retina-X Studios. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.

Right! I was just wonder where you read it was a the virus. It's definately malware but I think it's of the spyware/adware variety. No less annoying and potentially dangerous but not a "virus" per se.

Lyte

[OulZac]

yeah, sorry, I guess I should not call them all trojans, I am just so used to dealing with trojans on linux servers that I call them all the same thing, but in this case its far less harmless.

[fmauniverse]

Hi. I think the solution is that there are too many Norton Antivirus program processes going on. You need also to cancel some other not important processes if you want to make it a bit faster without closing Norton Antivirus.

Hope this helps.

Regards.

[Lyte]

She definately needs to clean the system and then reconsider what AV she's using. If Norton was up and running when the virus came calling and got in, that's not good! Of course, sometimes people turn the AV off cuz it does take up a lot of resources.

[Erianthia]

Thanks to everyone for taking the time to look at my Task Manger and post some feedback. Thanks, Lyte, for posting it for me! I am going to work on this project tomorrow night and post results one night this week. Hopefully I'll get this tiny beast to run faster!