Have you tried running your scans in "Safe Mode"?
is related to SpywareGuard.
khalmnpr.exe is related to your Logitech mouse software.
hpotdd01.exe is related to HP Multimedia products.
hpohmr08.exe is related to drivers for the HP OfficeJet printer.
AGRSMMSG.exe is related to IBM AMR modem driver.
wdfmgr.exe is related to Microsoft Windows Media Player 10 and above.
aawservice.exe is related to Ad-Aware 2007 Service.
msiexec.exe belongs to the Windows Installer Component and is used to install new programs that use Windows Installer package files.
csrss.exe is the user-mode portion of the Win32 subsystem (Win32.sys is the kernel-mode portion) and the main executable for the Microsoft Client/Server Runtime Server Subsystem. It is responsible for managing most graphical commands in Windows, console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.
lsass.exe is the Local Security Authentication Server which verifies the validity of user logons to your computer and generates the process responsible for authenticating users for the Winlogon service.
mdm.exe is Microsoft's Machine Debug Manager program which is included in Microsoft Visual Studio .NET, Microsoft Office 2007, Microsoft Office 2003, and a Microsoft Office XP post-Service Pack 3 release to provide support for program debugging.
wuauclt.exe is the Windows Automatic Updates application which checks the Microsoft Windows Update website for updates to be installed.
sms.exe is added by the Troj/Dloader-KR TROJAN unless this is a spelling error.
smss.exe is the session manager subsystem process which is responsible for starting the user session.
Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load.
It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimise the running of the various services.
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE
Each Svchost.exe session can contain a grouping of services; therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process IDs (PIDs) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PIDs must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time. To investigate these processes, see "How to determine what services are running under a Svchost.exe process".
Anytime you come across a suspicious file, search the name using Google or the following links:
BC's File Database
BC's Startup Programs Database
File Research Center
ThreatExpert Malware Search
If no search results are found, you are given the option to "Submit a New Sample".
Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, select Properties and examine the General and Version tabs.
You can download and use Process Explorer or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select Properties, you will see more details about the file.
Anytime you come across a suspicious file for which you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.
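
The location and spelling checks described in the post above, as an added example that is not part of the original post: a Python check that flags system-named processes running outside their expected folder, and near-miss names such as sms.exe. The expected folder (a default C:\Windows install), the function names and the sample listing are assumptions constructed for illustration.

```python
import ntpath

# Expected folder for the Windows system processes named in the post.
# Assumption: Windows is installed in C:\Windows (compared case-insensitively).
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIRS = {name: SYSTEM32 for name in (
    "csrss.exe", "lsass.exe", "smss.exe", "svchost.exe", "wuauclt.exe", "msiexec.exe")}

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names such as sms.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return (verdict, detail) for one full process image path."""
    # normpath collapses "..", so a path cannot merely look like System32.
    norm = ntpath.normpath(image_path).lower()
    folder, name = ntpath.split(norm)
    if name in EXPECTED_DIRS:
        if folder == EXPECTED_DIRS[name]:
            return ("expected", name)
        return ("wrong-location", f"{name} should run from {EXPECTED_DIRS[name]}")
    for known in EXPECTED_DIRS:
        if edit_distance(name, known) == 1:
            return ("lookalike-name", f"{name} resembles {known}")
    return ("unknown", name)  # not a tracked system name: research it by name

# Constructed sample listing (hypothetical paths, not from the original post).
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\WINDOWS\system32\sms.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\lsass.exe",
    r"C:\WINDOWS\System32\..\system32\csrss.exe",
    r"C:\Program Files\Logitech\MouseWare\system\khalmnpr.exe",
]

def review(paths):
    """Classify every path and keep the path next to its verdict."""
    return [(p, *classify(p)) for p in paths]

if __name__ == "__main__":
    for path, verdict, detail in review(SAMPLE):
        print(f"{verdict:15} {detail:50} {path}")
```

An "expected" verdict only means the name and folder match; the file's properties and a scan of the file itself are still needed to confirm it.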