Archived from groups: microsoft.public.windowsxp.perform_maintain
I also downloaded the ie-spyad but am a little confused on how to tell if it's
there/working?? I read the text document and that didn't help me with the
confusion. I have never really messed around in anything having to do with
the registry due to the fact that I rcvd a msg one time saying basically if
you change things it could mess up your system (if you don't know what you're
doing and I didn't/don't) so since then I have been shall we say afraid to go
there and do anything....
I'm still working on the items you had in your reply to me and once again
above and beyond the call of duty....you can probably tell I don't have a
vast amt of knowledge with all this (this is my first computer). I really
appreciate though the way you explained the "doc file" scenario and also the
registry changes, I could understand that. You seem to have a lot of
knowledge/info and you explain things that a person learning is able to
understand, instead of the typical "techno jargon" that only exp people
understand. thx again for all the help.
"Bob Dietz" wrote:
> Your thanks is appreciated.
>
> Glad to hear that things are looking better for you, but don't think
> that you're done and stop now. There are still those other WinPatrol
> tabs to look at.
>
> IE Helpers
> IE Helpers are also known as BHO's (Browser Helper Objects).
> When attempting to identify items, I usually start with "Name."
> If that doesn't net decent results, I move on to "Program."
> (Actually, I paid for WinPatrol Plus and seldom resort to google.)
> If you run into something that you cannot identify,
> you'll find WinPatrol is a bit anemic here -
> BHO's cannot be disabled, they can only be deleted.
> To temporarily disable one of these items, download another free
> program called Toolbar Cop.
> http://windowsxp.mvps.org/toolbarcop.htm
>
> Scheduled Tasks
> I have yet to run into any malware that utilizes Windows task
> scheduler, so I have no special instructions. But you do want to
> know the purpose for any scheduled tasks.
>
> Services
> At minimum, you'll want to identify any non-microsoft services.
> As to the microsoft services, the WinPatrol Plus info is pretty
> light weight. Sources for info about Windows XP Services
>
> http://www.theeldergeek.com/services_guide.htm
>
> http://www.blackviper.com/WinXP/servicecfg.htm
>
> Active Tasks
> This corresponds to the Processes tab in Windows Task Manager.
> You really, really want to know about each of these items.
> The info in the Plus version of WinPatrol is fairly complete and
> is above average in quality. If you haven't paid for the plus version,
> start your investigation at http://www.answersthatwork.com and click
> on the "Task List" button. If you can't find the task listed there
> move on to google. If you can't find information there either, be
> suspicious. Click the "Info" button in WinPatrol and look at the
> full path to the executable file. Locate that executable file;
> right click on it and choose Properties. You're looking for clues.
>
> Before moving on it's worth noting that you can hold down the CTRL
> key and click on multiple "Active Tasks" and then "Kill Task" them
> all in one fell swoop. This is extremely useful when some obnoxious
> malware has started multiple different processes that keep
> re-adding startup items and restart their companion processes
> should you stop one of them.
>
> * See below for more info about processes and their associated DLLs.
>
> Cookies
> I've never felt that cookies were worth worrying about.
> WinPatrol has a cookie manager, but I don't use it and
> have no opinion.
>
> File Types
> "File type" determines what happens when you double click on
> a file with any given extension. For instance, if a file is named
> "Critical Data.doc" the ".doc" at the end is the file extension
> and information in Windows registry determines the File Type and
> what will happen. On many/most systems ".doc" is associated with
> Microsoft Word and a double click will open "Critical Data.doc"
> in Microsoft Word. If you install a new word processor ABC on
> that system, the install routine may reassociate the ".doc" file
> extension so that a double click on "Critical Data.doc" no longer
> opens it in MS Word, but rather in the newly installed ABC.
> WinPatrol alerts you when such changes are made. If you install
> and test bunches of software (like I do), that's handy.
>
> Although I don't know of any malware currently using file types
> to keep itself wedged onto systems, I think it is only a matter
> of time. Imagine that malware XYZ has been installed on your
> system. One of its files is XYZwedge and XYZwedge is the current
> association with the ".doc" file type. Each time you double click
> on a ".doc" file, XYZwedge reinserts XYZ into your startup items
> and then it Opens the ".doc" file in MS Word. Everything seems
> normal to you, except that the system seems to run slower and
> there are those @#$% pop-ups again.
>
> ****************************************************************
>
> If you don't already have them, add the following to your system's
> layered protection:
> Spyware Blaster - http://www.javacoolsoftware.com/spywareblaster.html
> IE Spyad - https://netfiles.uiuc.edu/ehowes/www/resource.htm
> An outbound firewall like Zone Alarm.
> http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp
> (The free for personal use version is at the bottom of the list.)
>
>
> ****************************************************************
>
> All your scans come up clean and all of the items on all of the
> WinPatrol tabs are accounted for and are supposed to be safe.
> But you still see a lot of pop-ups or the system still runs way too slow
> and/or there are many program crashes. What now?
>
> The technically inclined can download Process Viewer (prcview.exe)
> from http://www.xmlsp.com/pview/prcview.htm
> 1) Run Process Viewer and select "Module Usage" on the "View" menu.
> 2) Right click each module and choose "Copy Module Path."
> 3) Paste the copied path into a google search box;
> enclose it in double quotes and search.
> 4) Depending on what you found in step 3, search for just the
> file name and look for pages in the results that show the
> *.dll file in another path. eg.
> Windows KB article says that in Windows XP, abc.dll is found at
> C:\Windows\System32\abc.dll
> but the path on your system is
> C:\Windows\abc.dll
> The file on your system is spyware.
> Search google for instructions about how to remove it.
> If you can't find instructions, close the "Module Usage" window.
> Right click each process in the main Process viewer window and
> choose "Modules." Look for C:\Windows\abc.dll. Find ALL of the
> processes that use abc.dll with that full path, note the name
> of each such process. In WinPatrol, hold down the CTRL key and
> click each of those named processes. In a moment, you'll
> "Kill Task" them all at once. Before you do though, close out
> ALL other running programs! The evil malware .dll is probably
> attached to a vital system process and when you "Kill Task"
> the system will likely turn off about as fast as if you pulled
> the power cord out of the electric socket! If that happens, press
> the power button to boot the machine, otherwise reboot the machine.
> Double check that c:\windows\abc.dll is no longer a part of any
> running process.
>
> Otherwise, it's probably time to fdisk; format
> and re-install Windows from scratch.
>
> --
> Bob Dietz
>
>
> linda wrote:
> > Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
> > a lot less crowded than it did- also when I look at the task manager it now
> > shows 37 programs, (I have a few things running when it shows that amt) and
> > not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
> > on the winpatrol and had already disabled that, I thought it was funny seeing
> > 3 times, so I'm glad to know I was on the right track there. When I went
> > back to the winpatrol and disabled the DLHelper program, a minute or so later
> > I got a pop up saying that a new program was wanting to be added to the start
> > up-and it was the DLHelper I had just disabled, so I said no on the ok to add
> > to start-up. Here is what the list shows now: (pls read my add'l msg
> > after the winpatrol info)
> >
> > WinPatrol Startup Programs
> > Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
> > 2/11/2005
> >
> > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> > Browser: Microsoft® Windows® Operating System - Internet Explorer version
> > 6.00.2900.2180
> > Memory currently in use: 79%
> >
> > MSIE: Internet Explorer (6.00.2900.2180)
> >
> > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> > HKLM Default_Page_URL = http://www.emachines.com
> > HKCU Start Page = http://www.comcast.net/
> > HKLM Start Page = http://www.msn.com/
> >
> > WinLogon DefaultUserName=linda
> > WinLogon DefaultDomainName=LUCY
> > WinLogon Shell=Explorer.exe
> > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
> >
> >
> >
> > VSOCheckTask
> > mcmnhdlr.exe /checktask
> > McAfee VirusScan Command Handler
> > Version: 8, 0, 0, 0
> > Copyright © 1998-2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> > Click for Plus Info
> >
> >
> >
> > VirusScan Online
> > mcvsshld.exe
> > McAfee VirusScan ActiveShield Resource
> > Version: 8, 0, 0, 0
> > Copyright © 1998-2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> > Click for Plus Info
> >
> >
> >
> > MCAgentExe
> > mcagent.exe
> > McAfee SecurityCenter Agent
> > Version: 5, 0, 0, 0
> > Copyright © 2004 Networks Associates Technology, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> > Click for Plus Info
> >
> >
> >
> > MCUpdateExe
> > mcupdate.exe
> > McAfee SecurityCenter Update Engine
> > Version: 5, 0, 0, 0
> > Copyright © 2004 Networks Associates Technology, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> > Click for Plus Info
> >
> >
> >
> > pccguide.exe
> > pccguide.exe
> > PCCGuide
> > Version: 12.10.0
> > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> > Click for Plus Info
> >
> >
> >
> > WinPatrol
> > winpatrol.exe
> > WinPatrol System Monitor
> > Version: 8.1.2.0
> > Copyright © 1997- 2004 BillP Studios
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> > Click for Plus Info
> >
> >
> >
> > MPFExe
> > MpfTray.exe
> > McAfee Personal Firewall Tray Monitor
> > Version: 6.0.0.14
> > Copyright © 2000-2004 Networks Associates Technologies, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
> > Click for Plus Info
> >
> >
> >
> > McRegWiz
> > mcregwiz.exe /autorun
> > McRegWiz Module
> > Version: 1, 0, 0, 4
> > Copyright 2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
> > Click for Plus Info
> >
> >
> >
> > Microsoft Works Update Detection
> > WkDetect.exe
> > Microsoft® Works Update Detection
> > Version: 6.00.1828.1
> > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> > Location: * Disabled *
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Microsoft Works\WkDetect.exe
> > Click for Plus Info
> >
> >
> >
> > Yahoo! Pager
> > ypager.exe -quiet
> > Yahoo! Messenger
> > Version: 6,0,0,1750
> > Copyright 1998-2004
> > Location: * Disabled *
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> > Click for Plus Info
> >
> > I wanted to say THANK-YOU so much...not only do I appreciate you taking the
> > time to help me..and also the detailed instructions, they were easy for me to
> > follow and understand, as I said in my original msg. I'm relatively new at all
> > this so being able to follow/understand was great. I have only posted to
> > newsgroups a few times and honestly I have gotten a few responses that just
> > leave me sitting there going "HUH". Again thanks very much for your help!!!
> > Linda
> >
> >
> >
> > "Bob Dietz" wrote:
> >
> >
> >>Hi Linda,
> >>
> >>I was pretty busy yesterday. Sorry it took so long to get back to you.
> >>
> >>Before you start you might want to print this out on your printer.
> >>
> >>I see some adware/spyware listed that I would have expected Lavasoft
> >>Ad-aware to have successfully removed. Let's run through the steps that
> >>will allow Ad-Aware to do its best work.
> >>
> >>1) Start Ad-Aware.
> >>2) Click "Check for updates now." (lower right corner)
> >>3) Connect and get any available updates.
> >> Verify that your version number matches the version number
> >> of the newest available Ad-Aware.
> >>4) Once you have the latest updates installed,
> >> close Ad-Aware and any other running programs.
> >>5) To make it easier for Ad-Aware to do its job,
> >> we're going to run it in SAFE MODE.
> >> A) Restart the computer.
> >> B) While the computer is booting - before the first
> >> "Windows" screen appears, tap the F8 key.
> >> C) When the boot menu appears, choose SAFE MODE.
> >>6) Start Ad-aware.
> >>7) Click the "Start" button in the Ad-Aware window.
> >>8) Set "Select Scan Mode" to "Perform full system scan."
> >>9) Click the "Next" button to start the scan.
> >>10) When the scan finishes, click "Next."
> >>11) "Scan Results" defaults to the "Critical Objects" tab.
> >> Changing to the "Scan Summary" tab, will give you
> >> a much clearer picture of what has been found and may
> >> save you quite a few mouse clicks as well. Be sure there
> >> is a check mark beside everything you want to remove and
> >> click "Next."
> >> * No need to click the Quarantine button, Ad-aware
> >> * automatically quarantines everything it removes.
> >>
> >>When you're done, close Ad-Aware and restart the computer letting it
> >>boot normally.
> >>Open the WinPatrol window.
> >>Click the "Title" column heading so that programs are sorted by title in
> >>A-Z order.
> >>
> >>Below you'll find your report (slightly reformatted so that programs are
> >>in A-Z order by title.) Each item is followed by my comments which are
> >>marked by asterisks. Presumably Ad-Aware will already have
> >>eliminated most of the evil ad-ware/spyware. If bad items still remain,
> >>we'll use the WinPatrol report to figure out how to remove those items.
> >>If you were doing this on your own, you'd -
> >> 1) Select the executable name with your mouse.
> >> 2) Right click on the selection and choose "Copy."
> >> 3) Open a new browser window and go to http://www.google.com
> >> 4) Right click in the Google search box and choose "Paste."
> >> 5) Click on the search button.
> >>Hint: If you install the Google toolbar ( http://toolbar.google.com ),
> >>you could select the executable name, right click and choose
> >>"Google Search."
> >>
> >>Use a little caution regarding the results of your search.
> >>Some of the sites providing the information about startup items are
> >>trying too hard to sell you something. For instance at least one site
> >>shows a very conspicuous warning "Internal IP Exposed!" This is a simple
> >> scam using javascript to display your IP in your browser on your
> >>computer. Nobody can see it who isn't sitting in front of your computer
> >>display.
> >>
> >>Here are some domains that I regard as above average. Look for these in
> >>the results of your Google spyware/adware searches.
> >>
> >>AnswersThatWork.com
> >>CastleCops.com
> >>Iamnotageek.com
> >>Neuber.com
> >>Sysinfo.org
> >>WinPatrol.com
> >>
> >>This Sysinfo.org page is worth putting in your favorites -
> >>http://www.sysinfo.org/startuplist.php
> >>
> >>
> >>*****************************************************************
> >>WinPatrol Startup Programs (Edited by Bob Dietz)
> >>
> >>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> >>Browser: Microsoft® Windows® Operating System - Internet Explorer
> >>version 6.00.2900.2180
> >>Memory currently in use: 91%
> >>********************************************************************
> >>* This memory currently in use number isn't critical, but
> >>* a lower value would be better. If you have less than 256Mb of RAM,
> >>* you should think about upgrading to more memory.
> >>********************************************************************
> >>
> >>
> >>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> >>HKLM Default_Page_URL = http://www.emachines.com
> >>HKCU Start Page = http://www.emachines.com/
> >>HKLM Start Page = http://www.msn.com/
> >>
> >>WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
> >>WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
> >>WinLogon Shell=Explorer.exe
> >>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
> >>
> >>
> >>
> >>CleanUp
> >>mcappins.exe /v=3 /cleanup
> >>McAfee Application Installer
> >>Version: 5, 0, 0, 0
> >>Copyright © 2004 Networks Associates Technology, Inc.
> >>Location:
> >>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
> >>********************************************************************
> >>* This is part of McAfee
> >>* I recommend that you leave it enabled. The site -
> >>* http://startup.iamnotageek.com/srch-mcappins.exe.html
> >>* describes it as
> >>* McAfee Application Installer. (What does it do and is it required?)
> >>* FWIW The Plus version of WinPatrol what it does and why it might
> >>* be required.
> >>********************************************************************
> >>
> >>
> >>
> >>eZstub
> >>eZstub.exe
> >>eZstub Module
> >>Version: 1, 0, 0, 1
> >>Copyright 2000
> >>Location:
> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> >>Path: Command /c del C:\WINDOWS\system32\eZstub.exe
> >>********************************************************************
> >>* This is an EZula component.
> >>* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
> >>* appears to be quite recent and I could find it mentioned on any
> >>* web pages. For that reason, Ad-Aware may have trouble removing
> >>* this even in SAFE MODE!
> >>* If Ad-Aware wasn't able to remove this, try using WinPatrol to
> >>* disable it. If it won't stay disabled, let me know and we'll
> >>* follow some additional steps.
> >>********************************************************************
> >>
> >>
> >>
> >>
> >>
> >>MCAgentExe
> >>mcagent.exe
> >>McAfee SecurityCenter Agent
> >>Version: 5, 0, 0, 0
> >>Copyright © 2004 Networks Associates Technology, Inc.
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> >>********************************************************************
> >>* This is part of McAfee
> >>* I recommend that you leave it enabled.
> >>* http://startup.iamnotageek.com/srch-mcagent.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>MCUpdateExe
> >>mcupdate.exe
> >>McAfee SecurityCenter Update Engine
> >>Version: 5, 0, 0, 0
> >>Copyright © 2004 Networks Associates Technology, Inc.
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> >>********************************************************************
> >>* This is part of McAfee
> >>* I recommend that you leave it enabled.
> >>* http://startup.iamnotageek.com/srch-mcupdate.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>Microsoft Works Update Detection
> >>WkDetect.exe
> >>Microsoft® Works Update Detection
> >>Version: 6.00.1828.1
> >>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Microsoft Works\WkDetect.exe
> >>********************************************************************
> >>* This checks for updates to MS Works
> >>* Unless your computer has more memory than you know what
> >>* to do with, I'd recommend disabling this in WinPatrol.
> >>* Disabling is better than removal, because you can always
> >>* decide to turn it back on at a later date.
> >>* http://startup.iamnotageek.com/srch-wkdetect.exe.html
> >>********************************************************************
> >>
> >>
> >>msnmsgr
> >>msnmsgr.exe /background
> >>MSN Messenger
> >>Version: Version 6.2
> >>Copyright (c) Microsoft Corporation 1997-2004
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
> >>********************************************************************
> >>* Letting MSN Messenger run is a user choice.
> >>* If you aren't sure what MSN Messenger is, you're not using
> >>* it and there is no use to have it running constantly
> >>* using up precious RAM.
> >>* Later in this report, we see that Yahoo! Pager is also running.
> >>* If you're using both of these programs, you might want to
> >>* consider replacing the two of them with Trillian, which is
> >>* open source freeware and provides the services of both programs.
> >>* http://www.neuber.com/taskmanager/process/msnmsgr.exe.html
> >>********************************************************************
> >>
> >>
> >>MyWebSearch Email Plugin
> >>MWSOEMON.EXE
> >>My Web Search Email Plugin
> >>Version: 2,0,1,0
> >>Copyright © 2003-2004 MyWebSearch.com
> >>Location: Windows Startup Group
> >>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> >>********************************************************************
> >>* This is spyware.
> >>* The fact that there are four apparently identical instances
> >>* in the original report gives a little concern. I suspect
> >>* this may be the culprit with regard to the 22 instances of
> >>* rundll32.exe.
> >>* If these are still in the list after the SAFE MODE Ad-Aware scan,
> >>* try to disable them using WinPatrol.
> >>* If they refuse to stay disabled, let me know and there are other
> >>* steps we can try.
> >>* FWIW Here are some pages with more info about MyWebSearch.
> >>* http://www.mac-net.com/445088.page
> >>* http://www.iamnotageek.com/a/mwsoemon.exe.php
> >>* http://www.winpatrol.com/db/freesample/mwsoemon.html
> >>********************************************************************
> >>
> >>
> >>pccguide.exe
> >>pccguide.exe
> >>PCCGuide
> >>Version: 12.10.0
> >>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> >>********************************************************************
> >>* Part of Trend Micro's PC-cillin Anti-Virus
> >>* Do you have both PC-cillin and McAfee installed?
> >>********************************************************************
> >>
> >>
> >>
> >>Unknown Title
> >>DLHelperEXE.exe
> >>DLHelper Module
> >>Version: 6, 0, 0, 3
> >>Copyright 2001
> >>Location: Windows Startup Group
> >>Path: C:\Documents and Settings\linda\Start Menu\Programs\Startup\DLHelperEXE.exe
> >>********************************************************************
> >>* Probably part of CasinoOnNet adware.
> >>* If that's what it is, the Ad-Aware SAFE MODE scan probably
> >>* removed it. If not, try disabling it in WinPatrol.
> >>* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073208
> >>********************************************************************
> >>
> >>
> >>
> >>VirusScan Online
> >>mcvsshld.exe
> >>McAfee VirusScan ActiveShield Resource
> >>Version: 8, 0, 0, 0
> >>Copyright © 1998-2003 Networks Associates Technology, Inc
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> >>********************************************************************
> >>* Part of McAfee VirusScan On-Line
> >>* I recommend leaving it enabled.
> >>* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>VSOCheckTask
> >>mcmnhdlr.exe /checktask
> >>McAfee VirusScan Command Handler
> >>Version: 8, 0, 0, 0
> >>Copyright © 1998-2003 Networks Associates Technology, Inc
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> >>********************************************************************
> >>* Part of McAfee's SecurityCenter and Virusscan Online.
> >>* I recommend leaving it enabled.
> >>* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>Web Offer
> >>EZPOPS~1.EXE
> >>eZstub Module
> >>Version: 1, 0, 0, 1
> >>Copyright 2000
> >>Location:
> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> >>Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
> >>********************************************************************
> >>* Another component of EZula adware.
> >>* I searched for specific information about this component -
> >>* http://www.google.com/search?q=EZPOPS%7E1.EXE
> >>* the information is pretty scant which indicates
> >>* this version of EZula is pretty new and most anti-spyware/
> >>* anti-adware programs probably won't remove it.
> >>* If the SAFE MODE Ad-Aware scan fails to remove this,
> >>* try disabling it in WinPatrol.
> >>* If it won't stay disabled, let me know - there are other
> >>* approaches to this problem.
> >>********************************************************************
> >>
> >>
> >>
> >>WinPatrol
> >>winpatrol.exe
> >>WinPatrol System Monitor
> >>Version: 8.1.2.0
> >>Copyright © 1997- 2004 BillP Studios
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> >>********************************************************************
> >>* This is WinPatrol
> >>* It's safe and I recommend that you leave it in.
> >>* But you can't really know if that's good advice until
> >>* you research it.
> >>* http://www.google.com/search?q=winpatrol.exe
> >>********************************************************************
> >>
> >>
> >>
> >>Yahoo! Pager
> >>ypager.exe -quiet
> >>Yahoo! Messenger
> >>Version: 6,0,0,1750
> >>Copyright 1998-2004
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> >>********************************************************************
> >>* Yahoo! Pager is an instant messenger application like
> >>* MSN Messenger. If you aren't using these, you should disable them.
> >>* If you're only using one of them, you should disable the one
> >>* you're not using.
> >>* If you're using both of them, you should think about switching
> >>* to Trillian, an open source freeware application that can connect
> >>* to many different types of instant messaging servers.
> >>* http://startup.iamnotageek.com/srch-ypager.exe.html
> >>********************************************************************
> >>
> >>
> >>--
> >>Bob Dietz
> >>
> >>linda wrote:
> >>
> >>>Hi Bob - this is what came up....thx for your help-prior to this when I ran
> >>>the lavasoft adware/spyware there was an item that came up that said it
> >>>affected the registry and I would select the cleanup/restore/delete for it,
> >>>it would say that the task was completed but if I ran the program again it
> >>>showed exactly the same thing it said it had taken care of? thought I would
> >>>mention this in case it has anything to do with what's going on now....thx
> >>>again for helping...linda
> >>>
> >>
>
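
The module-path comparison from step 4 of the Process Viewer instructions quoted above, as an added example that is not part of the original thread: given a snapshot of which modules each process has loaded, it flags any DLL loaded from somewhere other than its documented folder and lists every process using that copy. The snapshot, the DOCUMENTED table and the function name are constructed for illustration; abc.dll is the placeholder name used in the thread.

```python
import ntpath  # Windows path rules, usable on any OS
from collections import defaultdict

# Assumption: folder each DLL is documented to live in (what you found by
# researching the file name, e.g. in a vendor KB article). Constructed data.
DOCUMENTED = {"abc.dll": r"C:\Windows\System32"}

# Constructed sample: process name -> full paths of the modules it has loaded,
# as you would copy them out of a process viewer's "Modules" list.
SNAPSHOT = {
    "explorer.exe": [r"C:\WINDOWS\system32\kernel32.dll", r"C:\Windows\abc.dll"],
    "msnmsgr.exe": [r"C:\WINDOWS\abc.dll", r"C:\WINDOWS\system32\kernel32.dll"],
    "winpatrol.exe": [r"C:\WINDOWS\System32\abc.dll"],
}


def misplaced_modules(snapshot, documented):
    """Return {loaded_path: [processes]} for DLLs loaded from an undocumented folder.

    Windows paths are case-insensitive, so everything is compared after
    ntpath.normcase() (lower case, backslashes).
    """
    want = {
        name.lower(): ntpath.normcase(folder).rstrip("\\")
        for name, folder in documented.items()
    }
    hits = defaultdict(set)
    for proc, modules in snapshot.items():
        for path in modules:
            norm = ntpath.normcase(path)
            name = ntpath.basename(norm)
            # Only names we have documentation for can be judged at all.
            if name in want and ntpath.dirname(norm) != want[name]:
                hits[norm].add(proc)
    # Sorted process lists: the full set to stop together, as the thread advises.
    return {path: sorted(procs) for path, procs in hits.items()}


if __name__ == "__main__":
    for path, procs in misplaced_modules(SNAPSHOT, DOCUMENTED).items():
        print(f"{path} loaded by: {', '.join(procs)}")
```

A mismatch is a lead to research, not proof: some applications legitimately ship their own copy of a DLL in their program folder, and 8.3 short names such as PROGRA~1 are not expanded here.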