# What do these processes do?



## cliffracer (Jan 28, 2010)

I have been having security issues for a while, and when I went into Task Manager today I found some things that got my attention. I don't know what processes should or shouldn't run, so I will list them all:

AvastUI.exe 764k avast! Antivirus
csrss.exe (no user) 956k (no description) -this worried me because of the user and descriptions being blank
dwm.exe 21,636k Desktop Window Manager
ehmsas.exe 1,032k Media Center Media Status Aggregator Service
ehtray.exe 328k Media Center Tray Applet
explorer.exe 17,064k Windows Explorer
FlashUtil10d.exe 1,368k Adobe Flash Player 
hkcmd.exe 548k hkcmd Module
iexplore.exe 7,488k Internet Explorer
iexplore.exe 39,709k Internet Explorer -this worried me because I only had one window and one tab open in IE; I've also seen 3 before
igfxpers.exe 292k persistence Module
igfxsrvc.exe 1,956k igfxsrvc Module
igfxtray.exe 288k igfxTray Module
jusched.exe 292k Java(TM) Update Scheduler
mfpmp.exe 4,016k Media Foundation Protected Pipeline EXE
RthDVCpl.exe 664k HD Audio Control Panel
sm56hlpr.exe 360k SM56 Modem Helper
taskeng.exe 2,964k Task Scheduler Engine
taskmgr.exe 2,092k Windows Task Manager
winlogon.exe (no user) 932k (no description) -no user or description again
wmplayer.exe 8,572k Windows Media Player
wmpnscfg.exe 628k Windows Media Player Network Sharing Service Configuration Application

The only programs I was using at the time were IE, Windows Media Player, and Task Manager, and avast is always running in the background I guess. Thanks in advance for the help.


----------



## canivari (Jan 28, 2010)

cliffracer said:


> I have been having security issues for a while, and when I went into Task Manager today I found some things that got my attention. I don't know what processes should or shouldn't run, so I will list them all:
> 
> AvastUI.exe 764k avast! Antivirus
> csrss.exe (no user) 956k (no description) -this worried me because of the user and descriptions being blank
> ...



The reason a few tasks are not showing any user in Task Manager is that there is an issue with your Windows or your user account. The best way to deal with it is usually a format. But before thinking about that, you could try creating a new user account, logging on to it, and checking whether winlogon.exe and csrss.exe are showing any user; if not, do a format.

Hope that helps.


----------



## gamblingman (Jan 29, 2010)

*or consider this, maybe not*

You appear to have a malicious object on your computer.

Please read:

http://www.computerforum.com/131398-important-please-read-before-posting.html


----------



## sarus86 (Jan 29, 2010)

gamblingman, how can you tell that he has malicious objects on his computer? From looking at his list of processes I don't see anything malicious, but I'm not an expert at all.


----------



## cliffracer (Jan 29, 2010)

Thanks for the suggestion, canivari. gamblingman, I did post a Malwarebytes and HijackThis log in another thread, and when I didn't receive any more responses in that thread, I figured I was clean. But then I saw what I thought were suspicious processes running in Task Manager, so I made this thread. The ones in particular that got my attention were the no user/description ones, the extra Internet Explorer(s), ehmsas.exe (Media Center Media Status Aggregator Service, whatever that means), igfxpers.exe (persistence Module), igfxsrvc.exe (igfxsrvc Module), igfxtray.exe (igfxTray Module), and probably most of all mfpmp.exe (Media Foundation Protected Pipeline EXE) and wmpnscfg.exe (Windows Media Player Network Sharing Service Configuration Application). Does anyone know what those are used for?


----------



## gamblingman (Jan 29, 2010)

*To destroy the alien monster ship*

Well, there is one thing that caught my attention. We can tell for sure if you're infected if you post the necessary logs. But nothing can be done without more information.

csrss.exe is the one that caught my attention. There are very few applications that use this actual designation. That .exe is usually related to a malicious object that is a: trojan/virus/back-door.

Once we see more information from the HJT log and the Malwarebytes log, then we can determine the next step.


----------



## donadoni (Jan 29, 2010)

csrss is a legitimate file on Vista & 7 at least.

It can contain a virus but I would bet it's clean.
All your other processes seem fine.

Boot into safe mode and do a scan with Malwarebytes to make sure your system is clean.


----------



## TFT (Jan 30, 2010)

Only if "csrss.exe" exists outside of the "System32 folder" is it likely to be a threat. If not then it is a valid system file.

iexplore.exe can exist many times irrespective of how many windows or tabs are open.

As said, you seem to have an issue with your User Account.


----------
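The location rule TFT describes, written out as a check. This is an added example, not part of any post in the thread; the table of expected folders assumes a default install under `C:\Windows`, and `check_process`, `report` and `SAMPLE` are hypothetical names. A process whose path cannot be read is reported as unknown rather than bad.

```python
import ntpath

# Expected image directories for Windows processes named in this thread.
# Assumption: a default install under C:\Windows.
EXPECTED_DIRS = {
    "csrss.exe": r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "dwm.exe": r"C:\Windows\System32",
    "taskeng.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}


def _norm(path):
    """Collapse '..' segments and fold case, since Windows paths ignore case."""
    return ntpath.normcase(ntpath.normpath(path))


def check_process(name, image_path):
    """Classify one process as 'ok', 'suspicious', 'unknown' or 'not-tracked'."""
    expected = EXPECTED_DIRS.get(name.lower())
    if expected is None:
        return "not-tracked"      # name is not in the table above
    if not image_path:
        return "unknown"          # path unreadable: re-check from an elevated tool
    if _norm(ntpath.dirname(image_path)) == _norm(expected):
        return "ok"
    return "suspicious"           # system process name running from another folder


# Sample input: the first three paths appear in the HijackThis log on this page;
# the last two entries are constructed for illustration.
SAMPLE = [
    ("Dwm.exe", r"C:\Windows\system32\Dwm.exe"),
    ("Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ("taskeng.exe", r"C:\Windows\system32\taskeng.exe"),
    ("csrss.exe", None),
    ("csrss.exe", r"C:\Users\Public\csrss.exe"),
]


def report(processes):
    """Return (name, path, verdict) for every process in the list."""
    return [(n, p, check_process(n, p)) for n, p in processes]


if __name__ == "__main__":
    for name, path, verdict in report(SAMPLE):
        print(f"{verdict:12} {name:14} {path}")
```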



## cliffracer (Feb 2, 2010)

Alright folks here are the logs.


----------



## gamblingman (Feb 2, 2010)

*on the next*

I don't know about everyone else, but I won't open a file from someone I don't know. I mean no offense to you. It's just that I don't like to take chances, and I am willing to bet that others would agree. Instead, would you mind posting the logs in a reply post?


----------



## cliffracer (Feb 2, 2010)

welp sorry about that lol



*malwarebytes:*

Malwarebytes' Anti-Malware 1.44
Database version: 3631
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

2/1/2010 9:26:26 PM
mbam-log-2010-02-01 (21-26-26).txt

Scan type: Quick Scan
Objects scanned: 96413
Time elapsed: 4 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


*hijackthis:*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:03 PM, on 2/1/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wikipedia.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 4699 bytes


----------



## cliffracer (Feb 4, 2010)

bump.


----------



## G25r8cer (Feb 4, 2010)

Your logs are clean. What problems exactly are you having?

Rerun HijackThis and put a check next to each of these and click "fix":

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)


----------
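A small parser for the HijackThis log format shown in this thread, as an added example that is not part of any post. It lists the entries whose target HijackThis itself marked `(no file)` or `(file missing)`, such as the Symantec service entry G25r8cer quotes. The sample lines are copied from the log above; `orphaned_entries` and the other names are hypothetical.

```python
import re

# HijackThis section codes that appear in the sample below.
KINDS = {"R3": "URL search hook", "O2": "browser helper object",
         "O4": "autostart entry", "O23": "service"}

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
ORPHAN = re.compile(r"\s*\((?:no file|file missing)\)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def orphaned_entries(log_text):
    """Return (code, kind, reference) for entries whose target file is absent.

    The reference is the missing file's path when the log gives one,
    otherwise the CLSID that the entry is registered under.
    """
    found = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or not ORPHAN.search(m["body"]):
            continue
        # The last " - " separated field holds the path plus the marker.
        last = ORPHAN.sub("", m["body"].rsplit(" - ", 1)[-1]).strip()
        clsid = CLSID.search(m["body"])
        ref = last or (clsid.group(0) if clsid else "")
        found.append((m["code"], KINDS.get(m["code"], "other"), ref))
    return found


# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

if __name__ == "__main__":
    for code, kind, ref in orphaned_entries(SAMPLE_LOG):
        print(f"{code:4} {kind:22} {ref}")
```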

