programs running in task manager

Archived from groups: microsoft.public.windowsxp.perform_maintain

- I had Task Manager up; when I clicked on Processes it showed 57 were running.
The only things I had up were "My Documents", the Task Manager, and one
internet page. When looking at the processes it showed that rundll32.exe was
listed 22 times, all under my name. Fairly new at this so don't know, but
thought this looked weird. Has other things running, i.e. system, local
service etc. Can someone tell me why that program would be running so much?
Thx (p.s.) I tried looking up rundll32.exe in the Help and Support section
but nothing listed?? What does this program do?? Thx again
--
linda

  1. Archived from groups: microsoft.public.windowsxp.perform_maintain

    Linda

    Are you using Home Edition or Professional? What Tasks are listed on the
    Application tab of Task Manager?

    --


    Hope this helps.

    Gerry
    ~~~~~~~~~~~~~~~~~~~~~~~~
    FCA

    Using invalid email address

    Stourport, Worcs, England
    Enquire, plan and execute.
    ~~~~~~~~~~~~~~~~~~~~~~~~
    Please tell the newsgroup how any
    suggested solution worked for you.

    http://dts-l.org/goodpost.htm

    ~~~~~~~~~~~~~~~~~~~~~~~~


    "linda" <linda@discussions.microsoft.com> wrote in message
    news:92305404-448C-4628-AE40-0AD46A7DDC2F@microsoft.com...
    >
    > - I had task manager up, when i clicked on process it showed 57 were
    > running,
    > the only thing i had up was "my documents" and the task manager, and
    > one
    > internet page, when looking at the process it show that rundll32.exe
    > was
    > listed 22 times, all under my name, fairly new at this so dont know
    > but
    > thought this looked weird, has other things running, i.e. system,local
    > service etc, can someone tell me why that progam would be running so
    > much?
    > thx (p.s.) i tried looking up rundll32.exe in the help and support
    > section
    > but nothing listed ?? what does this program do?? thx again
    > --
    > linda
    >
    > linda
  2. Archived from groups: microsoft.public.windowsxp.perform_maintain

    Spyware/Virus Removal and Prevention:
    http://www.fixyourwindows.com/windowsxpsolutions.htm
    (Links to online virus scans on the same page)

    How to optimize Windows XP, 2000, ME
    for the best performance (Step-by-step Visual Guide):
    http://www.fixyourwindows.com/optimizewindows.htm

    Good Luck!
    ---
    How to successfully install Windows XP Service Pack 2:
    http://www.fixyourwindows.com/winxpsp2install.htm


    "linda" wrote:

    >
    > - I had task manager up, when i clicked on process it showed 57 were running,
    > the only thing i had up was "my documents" and the task manager, and one
    > internet page, when looking at the process it show that rundll32.exe was
    > listed 22 times, all under my name, fairly new at this so dont know but
    > thought this looked weird, has other things running, i.e. system,local
    > service etc, can someone tell me why that progam would be running so much?
    > thx (p.s.) i tried looking up rundll32.exe in the help and support section
    > but nothing listed ?? what does this program do?? thx again
    > --
    > linda
    >
    > linda
  3. Archived from groups: microsoft.public.windowsxp.perform_maintain

    rundll32.exe shell32.dll, Control_RunDLL ...123456.cpl Added by the KITRO.C
    (or DANDI.A) WORM! 123456 can be any random 3 to 6 digit number

    "linda" wrote:

    >
    > - I had task manager up, when i clicked on process it showed 57 were running,
    > the only thing i had up was "my documents" and the task manager, and one
    > internet page, when looking at the process it show that rundll32.exe was
    > listed 22 times, all under my name, fairly new at this so dont know but
    > thought this looked weird, has other things running, i.e. system,local
    > service etc, can someone tell me why that progam would be running so much?
    > thx (p.s.) i tried looking up rundll32.exe in the help and support section
    > but nothing listed ?? what does this program do?? thx again
    > --
    > linda
    >
    > linda
  4. Archived from groups: microsoft.public.windowsxp.perform_maintain

    adds "(random filename)"="rundll32 %SYSTEM% (random filename).dll,Init 1"
    (random digits).exe = (random digits).exe - 8 random digits, example: OR
    77231997.exe = 77231997.exe. Winpup.exe adult content downloader
    AGENT.B - adds "(1-5 random characters)"="RUNDLL32 %System%\(DLL
    filename).dll,StreamingDeviceSetup

    "linda" wrote:

    >
    > - I had task manager up, when i clicked on process it showed 57 were running,
    > the only thing i had up was "my documents" and the task manager, and one
    > internet page, when looking at the process it show that rundll32.exe was
    > listed 22 times, all under my name, fairly new at this so dont know but
    > thought this looked weird, has other things running, i.e. system,local
    > service etc, can someone tell me why that progam would be running so much?
    > thx (p.s.) i tried looking up rundll32.exe in the help and support section
    > but nothing listed ?? what does this program do?? thx again
    > --
    > linda
    >
    > linda
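
Replies 3 and 4 describe rundll32 command-line patterns; once the command line of each rundll32.exe instance is known, they can be checked mechanically. The Python below is an added example, not part of the original thread: the function names and the sample command lines are constructed for illustration, and the rules encode only the patterns those two replies quote.

```python
import re
from collections import Counter

# rundll32 command line: rundll32[.exe] <dll>,<export> [arguments]
# The DLL path may be quoted and the comma may be followed by a space.
RUNDLL_RE = re.compile(
    r'''^\s*"?(?:[^"]*[\\/])?rundll32(?:\.exe)?"?\s+   # host program
        (?:"(?P<qdll>[^"]+)"|(?P<dll>[^,]+?))\s*,\s*   # DLL path
        (?P<export>[^\s,]+)                            # exported function
        (?:\s+(?P<args>.*))?$''',
    re.IGNORECASE | re.VERBOSE,
)


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def parse_rundll32(cmdline):
    """Split a rundll32 command line into DLL, export and arguments."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return {
        "dll": (m.group("qdll") or m.group("dll")).strip(),
        "export": m.group("export"),
        "args": (m.group("args") or "").strip(),
    }


def classify(cmdline):
    """Compare one command line with the patterns quoted in replies 3 and 4."""
    p = parse_rundll32(cmdline)
    if p is None:
        return "not-rundll32"
    export = p["export"].lower()
    # Reply 3: shell32.dll,Control_RunDLL loading a .cpl named with 3 to 6 digits.
    if (basename(p["dll"]) == "shell32.dll" and export == "control_rundll"
            and re.fullmatch(r"\d{3,6}\.cpl", basename(p["args"]))):
        return "reply 3 pattern: KITRO.C / DANDI.A"
    # Reply 4: "<dll>,Init 1" and "<dll>,StreamingDeviceSetup".
    if export == "init" and p["args"] == "1":
        return "reply 4 pattern: Init 1"
    if export == "streamingdevicesetup":
        return "reply 4 pattern: AGENT.B"
    return "no match"


def summarize(cmdlines):
    """Count verdicts over a list of rundll32 command lines."""
    return Counter(classify(c) for c in cmdlines)


# Constructed sample command lines (not taken from the thread).
SAMPLE = [
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'rundll32.exe shell32.dll, Control_RunDLL C:\WINDOWS\system32\48213.cpl',
    r'C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\abcde.dll,Init 1',
    r'RUNDLL32 C:\WINDOWS\system32\qxv.dll,StreamingDeviceSetup',
    r'rundll32.exe "C:\Program Files\Example\helper.dll",Start /quiet',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "<-", line)
```

A "no match" verdict only means the command line fits none of the patterns quoted in this thread.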
  5. Archived from groups: microsoft.public.windowsxp.perform_maintain

    Some info on
    http://www.answersthatwork.com/Tasklist_pages/tasklist_r.htm
    re: rundll32.exe

    Perhaps an online security/virus check
    Symantec
    http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym
    Trend Micro House Call:
    http://housecall.trendmicro.com/
    Panda ActiveScan;
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    McAfee FreeScan:
    http://us.mcafee.com/root/mfs/default.asp
    Kaspersky Labs On-line Virus Checker:
    http://www.kaspersky.com/remoteviruschk.html
    BitDefender Online Scan:
    http://www.bitdefender.com/scan/licence.php

    Free anti virus programs
    http://www.grisoft.com/us/us_dwnl7.php
    http://www.avast.com/eng/avast_4_home.html


    linda wrote:
    > - I had task manager up, when i clicked on process it showed 57 were
    > running, the only thing i had up was "my documents" and the task
    > manager, and one internet page, when looking at the process it show
    > that rundll32.exe was listed 22 times, all under my name, fairly new
    > at this so dont know but thought this looked weird, has other things
    > running, i.e. system,local service etc, can someone tell me why that
    > progam would be running so much? thx (p.s.) i tried looking up
    > rundll32.exe in the help and support section but nothing listed ??
    > what does this program do?? thx again
  6. Archived from groups: microsoft.public.windowsxp.perform_maintain

    I am using Home Edition. I also have McAfee on my system and have the Trend
    Micro downloaded; the PC-cillin has been monitoring my system. As far as
    what tasks are listed - newsgroups is listed and I just checked my Hotmail so
    that program is listed, that's it? That rundll is still listed a lot??

    "Gerry Cornell" wrote:

    > Linda
    >
    > Are you using Home Edition or Professional? What Tasks are listed on the
    > Application tab of Task Manager?
    >
    > --
    >
    >
    > Hope this helps.
    >
    > Gerry
    > ~~~~~~~~~~~~~~~~~~~~~~~~
    > FCA
    >
    > Using invalid email address
    >
    > Stourport, Worcs, England
    > Enquire, plan and execute.
    > ~~~~~~~~~~~~~~~~~~~~~~~~
    > Please tell the newsgroup how any
    > suggested solution worked for you.
    >
    > http://dts-l.org/goodpost.htm
    >
    > ~~~~~~~~~~~~~~~~~~~~~~~~
    >
    >
    > "linda" <linda@discussions.microsoft.com> wrote in message
    > news:92305404-448C-4628-AE40-0AD46A7DDC2F@microsoft.com...
    > >
    > > - I had task manager up, when i clicked on process it showed 57 were
    > > running,
    > > the only thing i had up was "my documents" and the task manager, and
    > > one
    > > internet page, when looking at the process it show that rundll32.exe
    > > was
    > > listed 22 times, all under my name, fairly new at this so dont know
    > > but
    > > thought this looked weird, has other things running, i.e. system,local
    > > service etc, can someone tell me why that progam would be running so
    > > much?
    > > thx (p.s.) i tried looking up rundll32.exe in the help and support
    > > section
    > > but nothing listed ?? what does this program do?? thx again
    > > --
    > > linda
    > >
    > > linda
    >
    >
  7. Archived from groups: microsoft.public.windowsxp.perform_maintain

    linda wrote:
    >
    > - I had task manager up, when i clicked on process it showed 57 were running,
    > the only thing i had up was "my documents" and the task manager, and one
    > internet page, when looking at the process it show that rundll32.exe was
    > listed 22 times, all under my name, fairly new at this so dont know but
    > thought this looked weird, has other things running, i.e. system,local
    > service etc, can someone tell me why that progam would be running so much?
    > thx (p.s.) i tried looking up rundll32.exe in the help and support section
    > but nothing listed ?? what does this program do?? thx again

    Twenty two instances of rundll32.exe is excessive.
    As others have already suggested, this likely indicates some sort of
    malware (virus, worm, trojan or spyware/adware run amok.)

    If your antivirus/antispyware isn't cleaning this up for you, you'll
    have to clean it up manually. One way to start this manual cleanup would
    be to download and run WinPatrol. http://www.winpatrol.com

    Once you have WinPatrol installed, double click on its icon in the
    system tray (looks like a Scotty dog.) WinPatrol's main window will open
    with the Startup Programs tab selected. Click the Report button in the
    lower right corner and your browser will open with a report of the
    programs being started each time Windows boots. Select everything in
    that report and paste it into your reply to this post and I'll help you
    with it.

    --
    Bob Dietz
  8. Archived from groups: microsoft.public.windowsxp.perform_maintain

    Linda

    Are your anti-virus definitions up to date? Run a full anti-virus scan.
    It is a distinct possibility that you have a virus:

    There is a virus named W32/Legemer.Worm but there is little information
    in the McAfee database on it. Symantec call the virus W32.Miroot.Worm
    and this page gives information:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.miroot.worm.html

    --


    Hope this helps.

    Gerry


    "linda" <linda@discussions.microsoft.com> wrote in message
    news:EACB696C-7988-43F4-95C9-992B862FD006@microsoft.com...
    >i am using home edition, i also have mcaff on my system and have the
    >trend
    > mico d ownloaded the pc - illian has been monitoring my system, as far
    > as
    > what tasks are listed - newgroups is listed and i just checked my
    > hotmail so
    > that program is listed, thats it? that rundll is still listed alot??
    >
    > "Gerry Cornell" wrote:
    >
    >> Linda
    >>
    >> Are you using Home Edition or Professional? What Tasks are listed on
    >> the
    >> Application tab of Task Manager?
    >>
    >> --
    >>
    >>
    >> Hope this helps.
    >>
    >> Gerry
    >> ~~~~~~~~~~~~~~~~~~~~~~~~
    >> FCA
    >>
    >> Using invalid email address
    >>
    >> Stourport, Worcs, England
    >> Enquire, plan and execute.
    >> ~~~~~~~~~~~~~~~~~~~~~~~~
    >> Please tell the newsgroup how any
    >> suggested solution worked for you.
    >>
    >> http://dts-l.org/goodpost.htm
    >>
    >> ~~~~~~~~~~~~~~~~~~~~~~~~
    >>
    >>
    >> "linda" <linda@discussions.microsoft.com> wrote in message
    >> news:92305404-448C-4628-AE40-0AD46A7DDC2F@microsoft.com...
    >> >
    >> > - I had task manager up, when i clicked on process it showed 57
    >> > were
    >> > running,
    >> > the only thing i had up was "my documents" and the task manager,
    >> > and
    >> > one
    >> > internet page, when looking at the process it show that
    >> > rundll32.exe
    >> > was
    >> > listed 22 times, all under my name, fairly new at this so dont know
    >> > but
    >> > thought this looked weird, has other things running, i.e.
    >> > system,local
    >> > service etc, can someone tell me why that progam would be running
    >> > so
    >> > much?
    >> > thx (p.s.) i tried looking up rundll32.exe in the help and support
    >> > section
    >> > but nothing listed ?? what does this program do?? thx again
    >> > --
    >> > linda
    >> >
    >> > linda
    >>
    >>
  9. Archived from groups: microsoft.public.windowsxp.perform_maintain

    Hi Bob - thx for your offer. I have the program installed and I brought up the
    startup programs from the mail WinPatrol. I have about 19 things
    listed... but ? is how do I copy those to you? The only option I see is to
    select an item and then it says to press Info. I tried to cut/paste but that
    didn't work... (told you I was new at this :). Can u help? Thx, linda

    "Bob Dietz" wrote:

    > linda wrote:
    > >
    > > - I had task manager up, when i clicked on process it showed 57 were running,
    > > the only thing i had up was "my documents" and the task manager, and one
    > > internet page, when looking at the process it show that rundll32.exe was
    > > listed 22 times, all under my name, fairly new at this so dont know but
    > > thought this looked weird, has other things running, i.e. system,local
    > > service etc, can someone tell me why that progam would be running so much?
    > > thx (p.s.) i tried looking up rundll32.exe in the help and support section
    > > but nothing listed ?? what does this program do?? thx again
    >
    > Twenty two instances of rundll32.exe is excessive.
    > As others have already suggested, this likely indicates some sort of
    > malware (virus, worm, trojan or spyware/adware run amok.)
    >
    > If your antivirus/antispyware isn't cleaning this up for you, you'll
    > have to clean it up manually. One way to start this manual cleanup would
    > be to download and run WinPatrol. http://www.winpatrol.com
    >
    > Once you have WinPatrol installed, double click on it's icon in the
    > system tray (looks like a Scotty dog.) WinPatrol's main window will open
    > with the Startup Programs tab selected. Click the Report button in the
    > lower right corner and your browser will open with a report of the
    > programs being started each time windows boots. Select everything in
    > that report and paste it into your reply to this post and I'll help you
    > with it.
    >
    > --
    > Bob Dietz
    >
  10. Archived from groups: microsoft.public.windowsxp.perform_maintain

    1) Open WinPatrol.
    2) Click on the Report button in the bottom right corner of the window.
    3) After a moment, Internet Explorer (or your default browser) will open
    with a report. Click on a blank part of that page and press the CTRL
    and C keys at the same time.
    4) Start a reply to this message, then press CTRL and V keys at the
    same time to paste the report into the message.

    --
    Bob Dietz

    linda wrote:
    > hi bob-thx for your offer, i have the program installed and i brought up the
    > start up programs from the mail win patrol. i have about 19 things
    > listed...but ? is how do i copy those to you, the only option i see is to
    > select an item and then it says to press info, i tried to cut/paste but that
    > didnt work......(told you i was new at this :). can u help? thx linda
    >
    > "Bob Dietz" wrote:
    >
    >
    >>linda wrote:
    >>
    >>>
    >>>- I had task manager up, when i clicked on process it showed 57 were running,
    >>>the only thing i had up was "my documents" and the task manager, and one
    >>>internet page, when looking at the process it show that rundll32.exe was
    >>>listed 22 times, all under my name, fairly new at this so dont know but
    >>>thought this looked weird, has other things running, i.e. system,local
    >>>service etc, can someone tell me why that progam would be running so much?
    >>>thx (p.s.) i tried looking up rundll32.exe in the help and support section
    >>>but nothing listed ?? what does this program do?? thx again
    >>
    >>Twenty two instances of rundll32.exe is excessive.
    >>As others have already suggested, this likely indicates some sort of
    >>malware (virus, worm, trojan or spyware/adware run amok.)
    >>
    >>If your antivirus/antispyware isn't cleaning this up for you, you'll
    >>have to clean it up manually. One way to start this manual cleanup would
    >>be to download and run WinPatrol. http://www.winpatrol.com
    >>
    >>Once you have WinPatrol installed, double click on it's icon in the
    >>system tray (looks like a Scotty dog.) WinPatrol's main window will open
    >>with the Startup Programs tab selected. Click the Report button in the
    >>lower right corner and your browser will open with a report of the
    >>programs being started each time windows boots. Select everything in
    >>that report and paste it into your reply to this post and I'll help you
    >>with it.
    >>
    >>--
    >>Bob Dietz
    >>
  11. Archived from groups: microsoft.public.windowsxp.perform_maintain

    Oops. I left out a step in my previous post.

    1) Open WinPatrol.
    2) Click on the Report button in the bottom right corner of the window.
    3) After a moment, Internet Explorer (or your default browser) will open
    with a report. Click on a blank part of that page and press the CTRL
    and A keys at the same time to select everything.
    4) Press the CTRL and C keys at the same time to copy everything to
    the clipboard.
    5) Start a reply to this message, then press CTRL and V keys at the
    same time to paste the report into the message.

    --
    Bob Dietz

    linda wrote:
    > hi bob-thx for your offer, i have the program installed and i brought up the
    > start up programs from the mail win patrol. i have about 19 things
    > listed...but ? is how do i copy those to you, the only option i see is to
    > select an item and then it says to press info, i tried to cut/paste but that
    > didnt work......(told you i was new at this :). can u help? thx linda
    >
    > "Bob Dietz" wrote:
    >
    >
    >>linda wrote:
    >>
    >>>
    >>>- I had task manager up, when i clicked on process it showed 57 were running,
    >>>the only thing i had up was "my documents" and the task manager, and one
    >>>internet page, when looking at the process it show that rundll32.exe was
    >>>listed 22 times, all under my name, fairly new at this so dont know but
    >>>thought this looked weird, has other things running, i.e. system,local
    >>>service etc, can someone tell me why that progam would be running so much?
    >>>thx (p.s.) i tried looking up rundll32.exe in the help and support section
    >>>but nothing listed ?? what does this program do?? thx again
    >>
    >>Twenty two instances of rundll32.exe is excessive.
    >>As others have already suggested, this likely indicates some sort of
    >>malware (virus, worm, trojan or spyware/adware run amok.)
    >>
    >>If your antivirus/antispyware isn't cleaning this up for you, you'll
    >>have to clean it up manually. One way to start this manual cleanup would
    >>be to download and run WinPatrol. http://www.winpatrol.com
    >>
    >>Once you have WinPatrol installed, double click on it's icon in the
    >>system tray (looks like a Scotty dog.) WinPatrol's main window will open
    >>with the Startup Programs tab selected. Click the Report button in the
    >>lower right corner and your browser will open with a report of the
    >>programs being started each time windows boots. Select everything in
    >>that report and paste it into your reply to this post and I'll help you
    >>with it.
    >>
    >>--
    >>Bob Dietz
    >>
  12. Archived from groups: microsoft.public.windowsxp.perform_maintain

    Hi Bob - this is what came up... thx for your help. Prior to this, when I ran
    the Lavasoft adware/spyware there was an item that came up that said it
    affected the registry, and I would select the cleanup/restore/delete for it.
    It would say that the task was completed, but if I ran the program again it
    showed exactly the same thing it said it had taken care of? Thought I would
    mention this in case it has anything to do with what's going on now... thx
    again for helping... linda

    WinPatrol Startup Programs
    Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 11:17:08 AM, on
    2/08/2005

    Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    Browser: Microsoft® Windows® Operating System - Internet Explorer version
    6.00.2900.2180
    Memory currently in use: 91%

    MSIE: Internet Explorer (6.00.2900.2180)

    HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    HKLM Default_Page_URL = http://www.emachines.com
    HKCU Start Page = http://www.emachines.com/
    HKLM Start Page = http://www.msn.com/

    WinLogon DefaultUserName=linda
    WinLogon DefaultDomainName=LUCY
    WinLogon Shell=Explorer.exe
    WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,


    VSOCheckTask
    mcmnhdlr.exe /checktask
    McAfee VirusScan Command Handler
    Version: 8, 0, 0, 0
    Copyright © 1998-2003 Networks Associates Technology, Inc
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    Click for Plus Info


    VirusScan Online
    mcvsshld.exe
    McAfee VirusScan ActiveShield Resource
    Version: 8, 0, 0, 0
    Copyright © 1998-2003 Networks Associates Technology, Inc
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    Click for Plus Info


    MCAgentExe
    mcagent.exe
    McAfee SecurityCenter Agent
    Version: 5, 0, 0, 0
    Copyright © 2004 Networks Associates Technology, Inc.
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    Click for Plus Info


    MCUpdateExe
    mcupdate.exe
    McAfee SecurityCenter Update Engine
    Version: 5, 0, 0, 0
    Copyright © 2004 Networks Associates Technology, Inc.
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    Click for Plus Info


    pccguide.exe
    pccguide.exe
    PCCGuide
    Version: 12.10.0
    Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    Click for Plus Info


    MyWebSearch Email Plugin
    MWSOEMON.EXE
    My Web Search Email Plugin
    Version: 2,0,1,0
    Copyright © 2003-2004 MyWebSearch.com
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    Click for Plus Info


    CleanUp
    mcappins.exe /v=3 /cleanup
    McAfee Application Installer
    Version: 5, 0, 0, 0
    Copyright © 2004 Networks Associates Technology, Inc.
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    Click for Plus Info


    WinPatrol
    winpatrol.exe
    WinPatrol System Monitor
    Version: 8.1.2.0
    Copyright © 1997- 2004 BillP Studios
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    Click for Plus Info


    msnmsgr
    msnmsgr.exe /background
    MSN Messenger
    Version: Version 6.2
    Copyright (c) Microsoft Corporation 1997-2004
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
    Click for Plus Info


    Yahoo! Pager
    ypager.exe -quiet
    Yahoo! Messenger
    Version: 6,0,0,1750
    Copyright 1998-2004
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    Click for Plus Info


    Microsoft Works Update Detection
    WkDetect.exe
    Microsoft® Works Update Detection
    Version: 6.00.1828.1
    Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\Microsoft Works\WkDetect.exe
    Click for Plus Info


    MyWebSearch Email Plugin
    MWSOEMON.EXE
    My Web Search Email Plugin
    Version: 2,0,1,0
    Copyright © 2003-2004 MyWebSearch.com
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    Click for Plus Info


    eZstub
    eZstub.exe
    eZstub Module
    Version: 1, 0, 0, 1
    Copyright 2000
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Path: Command /c del C:\WINDOWS\system32\eZstub.exe
    Click for Plus Info


    Web Offer
    EZPOPS~1.EXE
    eZstub Module
    Version: 1, 0, 0, 1
    Copyright 2000
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
    Click for Plus Info


    MyWebSearch Email Plugin
    MWSOEMON.EXE
    My Web Search Email Plugin
    Version: 2,0,1,0
    Copyright © 2003-2004 MyWebSearch.com
    Location: Windows Startup Group
    Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    Click for Plus Info


    Unknown Title
    DLHelperEXE.exe
    DLHelper Module
    Version: 6, 0, 0, 3
    Copyright 2001
    Location: Windows Startup Group
    Path: C:\Documents and Settings\linda\Start
    Menu\Programs\Startup\DLHelperEXE.exe
    Click for Plus Info


    MyWebSearch Email Plugin
    MWSOEMON.EXE
    My Web Search Email Plugin
    Version: 2,0,1,0
    Copyright © 2003-2004 MyWebSearch.com
    Location: Windows Startup Group
    Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    Click for Plus Info


    "linda" wrote:

    > hi bob-thx for your offer, i have the program installed and i brought up the
    > start up programs from the mail win patrol. i have about 19 things
    > listed...but ? is how do i copy those to you, the only option i see is to
    > select an item and then it says to press info, i tried to cut/paste but that
    > didnt work......(told you i was new at this :). can u help? thx linda
    >
    > "Bob Dietz" wrote:
    >
    > > linda wrote:
    > > >
    > > > - I had task manager up, when i clicked on process it showed 57 were running,
    > > > the only thing i had up was "my documents" and the task manager, and one
    > > > internet page, when looking at the process it show that rundll32.exe was
    > > > listed 22 times, all under my name, fairly new at this so dont know but
    > > > thought this looked weird, has other things running, i.e. system,local
    > > > service etc, can someone tell me why that progam would be running so much?
    > > > thx (p.s.) i tried looking up rundll32.exe in the help and support section
    > > > but nothing listed ?? what does this program do?? thx again
    > >
    > > Twenty two instances of rundll32.exe is excessive.
    > > As others have already suggested, this likely indicates some sort of
    > > malware (virus, worm, trojan or spyware/adware run amok.)
    > >
    > > If your antivirus/antispyware isn't cleaning this up for you, you'll
    > > have to clean it up manually. One way to start this manual cleanup would
    > > be to download and run WinPatrol. http://www.winpatrol.com
    > >
    > > Once you have WinPatrol installed, double click on it's icon in the
    > > system tray (looks like a Scotty dog.) WinPatrol's main window will open
    > > with the Startup Programs tab selected. Click the Report button in the
    > > lower right corner and your browser will open with a report of the
    > > programs being started each time windows boots. Select everything in
    > > that report and paste it into your reply to this post and I'll help you
    > > with it.
    > >
    > > --
    > > Bob Dietz
    > >
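
The startup report in reply 12 has a regular layout (title, command, description, then Version, Copyright, Location and Path lines, closed by "Click for Plus Info"), so it can be parsed and reviewed in bulk. The Python below is an added example, not part of the thread and not WinPatrol's own code; the embedded text is an excerpt of the posted report, and the checks in `triage` are assumptions chosen for this example, not an authoritative rule set.

```python
import re
from collections import defaultdict

# Excerpt of the report posted above: one header line and five of its entries.
REPORT = r"""
WinPatrol Startup Programs

WinPatrol
winpatrol.exe
WinPatrol System Monitor
Version: 8.1.2.0
Copyright © 1997- 2004 BillP Studios
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
Click for Plus Info

MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Version: 2,0,1,0
Copyright © 2003-2004 MyWebSearch.com
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Click for Plus Info

eZstub
eZstub.exe
eZstub Module
Version: 1, 0, 0, 1
Copyright 2000
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Path: Command /c del C:\WINDOWS\system32\eZstub.exe
Click for Plus Info

MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Version: 2,0,1,0
Copyright © 2003-2004 MyWebSearch.com
Location: Windows Startup Group
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Click for Plus Info

Unknown Title
DLHelperEXE.exe
DLHelper Module
Version: 6, 0, 0, 3
Copyright 2001
Location: Windows Startup Group
Path: C:\Documents and Settings\linda\Start
Menu\Programs\Startup\DLHelperEXE.exe
Click for Plus Info
"""


def parse_report(text):
    """Return one dict per startup entry; header blocks are skipped."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 4 or lines[-1] != "Click for Plus Info":
            continue  # report header, not a startup entry
        entry = {"title": lines[0], "command": lines[1], "location": "", "path": ""}
        key = None
        for ln in lines[2:-1]:
            m = re.match(r"(Version|Location|Path):\s*(.*)", ln)
            if m:
                key = m.group(1).lower()
                entry[key] = m.group(2)
            elif ln.startswith("Copyright"):
                key = None
            elif key in ("location", "path"):
                # Value wrapped by the mail client; assume the break was at a space.
                entry[key] = (entry[key] + " " + ln).strip()
        entries.append(entry)
    return entries


def triage(entries):
    """Return {program: [reasons]}; the checks are assumptions of this example."""
    findings = defaultdict(list)
    locations = defaultdict(set)
    for e in entries:
        prog = e["command"].split()[0].lower()
        locations[prog].add(e["location"])
        if e["title"] == "Unknown Title":
            findings[prog].append("no title")
        if e["location"].endswith("RunOnce") and re.search(r"/c\s+del\s", e["path"], re.I):
            findings[prog].append("RunOnce entry is a del command")
        if "\\startup\\" in e["path"].lower():
            findings[prog].append("executable stored in the Startup folder")
    for prog, locs in locations.items():
        if len(locs) > 1:
            findings[prog].append("registered in %d autostart locations" % len(locs))
    return dict(findings)
```
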
  13. Archived from groups: microsoft.public.windowsxp.perform_maintain

    Linda

    "DLHelperEXE.exe". Research suggests this is either spyware (Downloader
    for Microgaming/casino) or a Download helper distributed with some
    software that allows the software installation to redirect download
    locations. In which case it is not required once the installation is
    finished. If you right click the file and select Properties what
    information is provided?

    --


    Hope this helps.

    Gerry


    "linda" <linda@discussions.microsoft.com> wrote in message
    news:6B36F447-5491-4C6B-97F4-54ED26A4FC95@microsoft.com...
    > Hi Bob - this is what came up....thx for your help-prior to this when
    > i ran
    > the lavasoft adware/spyware there was an item that came up that said
    > if
    > affected the registry and i would select the cleanup/restore/delete
    > for it,
    > it would say that the task was completed but if i ran the progam again
    > it
    > showed exactly the same thing it said it had taken care of? thought i
    > would
    > mention this in case it has anything to do with what's going on
    > now....thx
    > again for helping...linda
    >
    > WinPatrol Startup Programs
    > Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 11:17:08 AM, on
    > 2/08/2005
    >
    > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    > Browser: Microsoft® Windows® Operating System - Internet Explorer
    > version
    > 6.00.2900.2180
    > Memory currently in use: 91%
    >
    > MSIE: Internet Explorer (6.00.2900.2180)
    >
    > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    > HKLM Default_Page_URL = http://www.emachines.com
    > HKCU Start Page = http://www.emachines.com/
    > HKLM Start Page = http://www.msn.com/
    >
    > WinLogon DefaultUserName=linda
    > WinLogon DefaultDomainName=LUCY
    > WinLogon Shell=Explorer.exe
    > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    >
    >
    >
    > VSOCheckTask
    > mcmnhdlr.exe /checktask
    > McAfee VirusScan Command Handler
    > Version: 8, 0, 0, 0
    > Copyright © 1998-2003 Networks Associates Technology, Inc
    > Location:
    > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    > Click for Plus Info
    >
    >
    >
    > VirusScan Online
    > mcvsshld.exe
    > McAfee VirusScan ActiveShield Resource
    > Version: 8, 0, 0, 0
    > Copyright © 1998-2003 Networks Associates Technology, Inc
    > Location:
    > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    > Click for Plus Info
    >
    >
    >
    > MCAgentExe
    > mcagent.exe
    > McAfee SecurityCenter Agent
    > Version: 5, 0, 0, 0
    > Copyright © 2004 Networks Associates Technology, Inc.
    > Location:
    > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    > Click for Plus Info
    >
    >
    >
    > MCUpdateExe
    > mcupdate.exe
    > McAfee SecurityCenter Update Engine
    > Version: 5, 0, 0, 0
    > Copyright © 2004 Networks Associates Technology, Inc.
    > Location:
    > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    > Click for Plus Info
    >
    >
    >
    > pccguide.exe
    > pccguide.exe
    > PCCGuide
    > Version: 12.10.0
    > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    > Location:
    > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    > Click for Plus Info
    >
    >
    >
    > MyWebSearch Email Plugin
    > MWSOEMON.EXE
    > My Web Search Email Plugin
    > Version: 2,0,1,0
    > Copyright © 2003-2004 MyWebSearch.com
    > Location:
    > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    > Click for Plus Info
    >
    >
    >
    > CleanUp
    > mcappins.exe /v=3 /cleanup
    > McAfee Application Installer
    > Version: 5, 0, 0, 0
    > Copyright © 2004 Networks Associates Technology, Inc.
    > Location:
    > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    > Click for Plus Info
    >
    >
    >
    > WinPatrol
    > winpatrol.exe
    > WinPatrol System Monitor
    > Version: 8.1.2.0
    > Copyright © 1997- 2004 BillP Studios
    > Location:
    > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    > Click for Plus Info
    >
    >
    >
    > msnmsgr
    > msnmsgr.exe /background
    > MSN Messenger
    > Version: Version 6.2
    > Copyright (c) Microsoft Corporation 1997-2004
    > Location:
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
    > Click for Plus Info
    >
    >
    >
    > Yahoo! Pager
    > ypager.exe -quiet
    > Yahoo! Messenger
    > Version: 6,0,0,1750
    > Copyright 1998-2004
    > Location:
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    > Click for Plus Info
    >
    >
    >
    > Microsoft Works Update Detection
    > WkDetect.exe
    > Microsoft® Works Update Detection
    > Version: 6.00.1828.1
    > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    > Location:
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\Microsoft Works\WkDetect.exe
    > Click for Plus Info
    >
    >
    >
    > MyWebSearch Email Plugin
    > MWSOEMON.EXE
    > My Web Search Email Plugin
    > Version: 2,0,1,0
    > Copyright © 2003-2004 MyWebSearch.com
    > Location:
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    > Click for Plus Info
    >
    >
    >
    > eZstub
    > eZstub.exe
    > eZstub Module
    > Version: 1, 0, 0, 1
    > Copyright 2000
    > Location:
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    > Path: Command /c del C:\WINDOWS\system32\eZstub.exe
    > Click for Plus Info
    >
    >
    >
    > Web Offer
    > EZPOPS~1.EXE
    > eZstub Module
    > Version: 1, 0, 0, 1
    > Copyright 2000
    > Location:
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    > Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
    > Click for Plus Info
    >
    >
    >
    > MyWebSearch Email Plugin
    > MWSOEMON.EXE
    > My Web Search Email Plugin
    > Version: 2,0,1,0
    > Copyright © 2003-2004 MyWebSearch.com
    > Location: Windows Startup Group
    > Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    > Click for Plus Info
    >
    >
    >
    > Unknown Title
    > DLHelperEXE.exe
    > DLHelper Module
    > Version: 6, 0, 0, 3
    > Copyright 2001
    > Location: Windows Startup Group
    > Path: C:\Documents and Settings\linda\Start
    > Menu\Programs\Startup\Tis item is
    > Click for Plus Info
    >
    >
    >
    > MyWebSearch Email Plugin
    > MWSOEMON.EXE
    > My Web Search Email Plugin
    > Version: 2,0,1,0
    > Copyright © 2003-2004 MyWebSearch.com
    > Location: Windows Startup Group
    > Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    > Click for Plus Info
    >
    >
    >
    >
    >
    > "linda" wrote:
    >
    >> hi bob-thx for your offer, i have the program installed and i brought
    >> up the
    >> start up programs from the mail win patrol. i have about 19 things
    >> listed...but ? is how do i copy those to you, the only option i see
    >> is to
    >> select an item and then it says to press info, i tried to cut/paste
    >> but that
    >> didnt work......(told you i was new at this :). can u help? thx linda
    >>
    >> "Bob Dietz" wrote:
    >>
    >> > linda wrote:
    >> > >
    >> > > - I had task manager up, when i clicked on process it showed 57
    >> > > were running,
    >> > > the only thing i had up was "my documents" and the task manager,
    >> > > and one
    >> > > internet page, when looking at the process it show that
    >> > > rundll32.exe was
    >> > > listed 22 times, all under my name, fairly new at this so dont
    >> > > know but
    >> > > thought this looked weird, has other things running, i.e.
    >> > > system,local
    >> > > service etc, can someone tell me why that program would be running
    >> > > so much?
    >> > > thx (p.s.) i tried looking up rundll32.exe in the help and
    >> > > support section
    >> > > but nothing listed ?? what does this program do?? thx again
    >> >
    >> > Twenty two instances of rundll32.exe is excessive.
    >> > As others have already suggested, this likely indicates some sort
    >> > of
    >> > malware (virus, worm, trojan or spyware/adware run amok.)
    >> >
    >> > If your antivirus/antispyware isn't cleaning this up for you,
    >> > you'll
    >> > have to clean it up manually. One way to start this manual cleanup
    >> > would
    >> > be to download and run WinPatrol. http://www.winpatrol.com
    >> >
    >> > Once you have WinPatrol installed, double click on its icon in the
    >> > system tray (looks like a Scotty dog.) WinPatrol's main window will
    >> > open
    >> > with the Startup Programs tab selected. Click the Report button in
    >> > the
    >> > lower right corner and your browser will open with a report of the
    >> > programs being started each time windows boots. Select everything
    >> > in
    >> > that report and paste it into your reply to this post and I'll help
    >> > you
    >> > with it.
    >> >
    >> > --
    >> > Bob Dietz
    >> >
  14. Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

    Hi Linda,

    I was pretty busy yesterday. Sorry it took so long to get back to you.

    Before you start you might want to print this out on your printer.

    I see some adware/spyware listed that I would have expected Lavasoft
    Ad-aware to have successfully removed. Let's run through the steps that
    will allow Ad-Aware to do its best work.

    1) Start Ad-Aware.
    2) Click "Check for updates now." (lower right corner)
    3) Connect and get any available updates.
       Verify that your version number matches the version number
       of the newest available Ad-Aware.
    4) Once you have the latest updates installed,
       close Ad-Aware and any other running programs.
    5) To make it easier for Ad-Aware to do its job,
       we're going to run it in SAFE MODE.
       A) Restart the computer.
       B) While the computer is booting - before the first
          "Windows" screen appears, tap the F8 key.
       C) When the boot menu appears, choose SAFE MODE.
    6) Start Ad-aware.
    7) Click the "Start" button in the Ad-Aware window.
    8) Set "Select Scan Mode" to "Perform full system scan."
    9) Click the "Next" button to start the scan.
    10) When the scan finishes, click "Next."
    11) "Scan Results" defaults to the "Critical Objects" tab.
        Changing to the "Scan Summary" tab will give you
        a much clearer picture of what has been found and may
        save you quite a few mouse clicks as well. Be sure there
        is a check mark beside everything you want to remove and
        click "Next."
        * No need to click the Quarantine button, Ad-aware
        * automatically quarantines everything it removes.

    When you're done, close Ad-Aware and restart the computer letting it
    boot normally.
    Open the WinPatrol window.
    Click the "Title" column heading so that programs are sorted by title in
    A-Z order.

    Below you'll find your report (slightly reformatted so that programs are
    in A-Z order by title.) Each item is followed by my comments which are
    marked by asterisks. Presumably Ad-Aware will already have
    eliminated most of the evil ad-ware/spyware. If bad items still remain,
    we'll use the WinPatrol report to figure out how to remove those items.
    If you were doing this on your own, you'd -
    1) Select the executable name with your mouse.
    2) Right click on the selection and choose "Copy."
    3) Open a new browser window and go to http://www.google.com
    4) Right click in the Google search box and choose "Paste."
    5) Click on the search button.
    Hint: If you install the Google toolbar ( http://toolbar.google.com ),
    you could select the executable name, right click and choose
    "Google Search."

    Use a little caution regarding the results of your search.
    Some of the sites providing the information about startup items are
    trying too hard to sell you something. For instance at least one site
    shows a very conspicuous warning "Internal IP Exposed!" This is a simple
    scam using javascript to display your IP in your browser on your
    computer. Nobody can see it who isn't sitting in front of your computer
    display.

    Here are some domains that I regard as above average. Look for these in
    the results of your Google spyware/adware searches.

    AnswersThatWork.com
    CastleCops.com
    Iamnotageek.com
    Neuber.com
    Sysinfo.org
    WinPatrol.com

    This Sysinfo.org page is worth putting in your favorites -
    http://www.sysinfo.org/startuplist.php


    *****************************************************************
    WinPatrol Startup Programs (Edited by Bob Dietz)

    Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    Browser: Microsoft® Windows® Operating System - Internet Explorer
    version 6.00.2900.2180
    Memory currently in use: 91%
    ********************************************************************
    * This memory currently in use number isn't critical, but
    * a lower value would be better. If you have less than 256Mb of RAM,
    * you should think about upgrading to more memory.
    ********************************************************************


    HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    HKLM Default_Page_URL = http://www.emachines.com
    HKCU Start Page = http://www.emachines.com/
    HKLM Start Page = http://www.msn.com/

    WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
    WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
    WinLogon Shell=Explorer.exe
    WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,


    CleanUp
    mcappins.exe /v=3 /cleanup
    McAfee Application Installer
    Version: 5, 0, 0, 0
    Copyright © 2004 Networks Associates Technology, Inc.
    Location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    ********************************************************************
    * This is part of McAfee
    * I recommend that you leave it enabled. The site -
    * http://startup.iamnotageek.com/srch-mcappins.exe.html
    * describes it as
    * McAfee Application Installer. (What does it do and is it required?)
    * FWIW The Plus version of WinPatrol what it does and why it might
    * be required.
    ********************************************************************


    eZstub
    eZstub.exe
    eZstub Module
    Version: 1, 0, 0, 1
    Copyright 2000
    Location:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Path: Command /c del C:\WINDOWS\system32\eZstub.exe
    ********************************************************************
    * This is an EZula component.
    * The other EZula component in this list - Web Offers - EZPOPS~1.EXE
    * appears to be quite recent and I could find it mentioned on any
    * web pages. For that reason, Ad-Aware may have trouble removing
    * this even in SAFE MODE!
    * If Ad-Aware wasn't able to remove this, try using WinPatrol to
    * disable it. If it won't stay disabled, let me know and we'll
    * follow some additional steps.
    ********************************************************************


    MCAgentExe
    mcagent.exe
    McAfee SecurityCenter Agent
    Version: 5, 0, 0, 0
    Copyright © 2004 Networks Associates Technology, Inc.
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    ********************************************************************
    * This is part of McAfee
    * I recommend that you leave it enabled.
    * http://startup.iamnotageek.com/srch-mcagent.exe.html
    ********************************************************************


    MCUpdateExe
    mcupdate.exe
    McAfee SecurityCenter Update Engine
    Version: 5, 0, 0, 0
    Copyright © 2004 Networks Associates Technology, Inc.
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    ********************************************************************
    * This is part of McAfee
    * I recommend that you leave it enabled.
    * http://startup.iamnotageek.com/srch-mcupdate.exe.html
    ********************************************************************


    Microsoft Works Update Detection
    WkDetect.exe
    Microsoft® Works Update Detection
    Version: 6.00.1828.1
    Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\Microsoft Works\WkDetect.exe
    ********************************************************************
    * This checks for updates to MS Works
    * Unless your computer has more memory than you know what
    * to do with, I'd recommend disabling this in WinPatrol.
    * Disabling is better than removal, because you can always
    * decide to turn it back on at a later date.
    * http://startup.iamnotageek.com/srch-wkdetect.exe.html
    ********************************************************************


    msnmsgr
    msnmsgr.exe /background
    MSN Messenger
    Version: Version 6.2
    Copyright (c) Microsoft Corporation 1997-2004
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
    ********************************************************************
    * Letting MSN Messenger run is a user choice.
    * If you aren't sure what MSN Messenger is, you're not using
    * it and there is no use to have it running constantly
    * using up precious RAM.
    * Later in this report, we see that Yahoo! Pager is also running.
    * If you're using both of these programs, you might want to
    * consider replacing the two of them with Trillian, which is
    * open source freeware and provides the services of both programs.
    * http://www.neuber.com/taskmanager/process/msnmsgr.exe.html
    ********************************************************************


    MyWebSearch Email Plugin
    MWSOEMON.EXE
    My Web Search Email Plugin
    Version: 2,0,1,0
    Copyright © 2003-2004 MyWebSearch.com
    Location: Windows Startup Group
    Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    ********************************************************************
    * This is spyware.
    * The fact that there are four apparently identical instances
    * in the original report gives a little concern. I suspect
    * this may be the culprit with regard to the 22 instances of
    * rundll32.exe.
    * If these are still in the list after the SAFE MODE Ad-Aware scan,
    * try to disable them using WinPatrol.
    * If they refuse to stay disabled, let me know and there are other
    * steps we can try.
    * FWIW Here are some pages with more info about MyWebSearch.
    * http://www.mac-net.com/445088.page
    * http://www.iamnotageek.com/a/mwsoemon.exe.php
    * http://www.winpatrol.com/db/freesample/mwsoemon.html
    ********************************************************************


    pccguide.exe
    pccguide.exe
    PCCGuide
    Version: 12.10.0
    Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    ********************************************************************
    * Part of Trend Micro's PC-cillin Anti-Virus
    * Do you have both PC-cillin and McAfee installed?
    ********************************************************************


    Unknown Title
    DLHelperEXE.exe
    DLHelper Module
    Version: 6, 0, 0, 3
    Copyright 2001
    Location: Windows Startup Group
    Path: C:\Documents and Settings\linda\Start
    Menu\Programs\Startup\DLHelperEXE.exe
    ********************************************************************
    * Probably part of CasinoOnNet adware.
    * If that's what it is, the Ad-Aware SAFE MODE scan probably
    * removed it. If not, try disabling it in WinPatrol.
    * http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073208
    ********************************************************************


    VirusScan Online
    mcvsshld.exe
    McAfee VirusScan ActiveShield Resource
    Version: 8, 0, 0, 0
    Copyright © 1998-2003 Networks Associates Technology, Inc
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    ********************************************************************
    * Part of McAfee VirusScan On-Line
    * I recommend leaving it enabled.
    * http://startup.iamnotageek.com/srch-mcvsshld.exe.html
    ********************************************************************


    VSOCheckTask
    mcmnhdlr.exe /checktask
    McAfee VirusScan Command Handler
    Version: 8, 0, 0, 0
    Copyright © 1998-2003 Networks Associates Technology, Inc
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    ********************************************************************
    * Part of McAfee's SecurityCenter and Virusscan Online.
    * I recommend leaving it enabled.
    * http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
    ********************************************************************


    Web Offer
    EZPOPS~1.EXE
    eZstub Module
    Version: 1, 0, 0, 1
    Copyright 2000
    Location:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
    ********************************************************************
    * Another component of EZula adware.
    * I searched for specific information about this component -
    * http://www.google.com/search?q=EZPOPS%7E1.EXE
    * the information is pretty scant which indicates
    * this version of EZula is pretty new and most anti-spyware/
    * anti-adware programs probably won't remove it.
    * If the SAFE MODE Ad-Aware scan fails to remove this,
    * try disabling it in WinPatrol.
    * If it won't stay disabled, let me know - there are other
    * approaches to this problem.
    ********************************************************************


    WinPatrol
    winpatrol.exe
    WinPatrol System Monitor
    Version: 8.1.2.0
    Copyright © 1997- 2004 BillP Studios
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    ********************************************************************
    * This is WinPatrol
    * It's safe and I recommend that you leave it in.
    * But you can't really know if that's good advice until
    * you research it.
    * http://www.google.com/search?q=winpatrol.exe
    ********************************************************************


    Yahoo! Pager
    ypager.exe -quiet
    Yahoo! Messenger
    Version: 6,0,0,1750
    Copyright 1998-2004
    Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    ********************************************************************
    * Yahoo! Pager is an instant messenger application like
    * MSN Messenger. If you aren't using these, you should disable them.
    * If you're only using one of them, you should disable the one
    * you're not using.
    * If you're using both of them, you should think about switching
    * to Trillian, an open source freeware application that can connect
    * to many different types of instant messaging servers.
    * http://startup.iamnotageek.com/srch-ypager.exe.html
    ********************************************************************


    --
    Bob Dietz

    linda wrote:
    > Hi Bob - this is what came up....thx for your help-prior to this when i ran
    > the lavasoft adware/spyware there was an item that came up that said it
    > affected the registry and i would select the cleanup/restore/delete for it,
    > it would say that the task was completed but if i ran the program again it
    > showed exactly the same thing it said it had taken care of? thought i would
    > mention this in case it has anything to do with what's going on now....thx
    > again for helping...linda
    >
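The review in the post above compares startup entries by hand. The following is an added example (not part of the original posts and not WinPatrol's own code) that parses the report layout seen in this thread, lists executables registered in more than one startup location, and diffs a before and after report. The function names and the abbreviated sample reports are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed samples, abbreviated from the two reports posted in this thread.
BEFORE = r"""WinPatrol Startup Programs
Platform: Windows XP Home Edition Service Pack 2 (Build 2600)

Yahoo! Pager
ypager.exe -quiet
Yahoo! Messenger
Version: 6,0,0,1750
Copyright 1998-2004
Location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Click for Plus Info

MyWebSearch Email Plugin
MWSOEMON.EXE
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Click for Plus Info

MyWebSearch Email Plugin
MWSOEMON.EXE
Location: Windows Startup Group
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Click for Plus Info

Unknown Title
DLHelperEXE.exe
Location: Windows Startup Group
Path: C:\Documents and Settings\linda\Start
Menu\Programs\Startup\DLHelperEXE.exe
Click for Plus Info
"""

AFTER = r"""MPFExe
MpfTray.exe
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
Click for Plus Info

Yahoo! Pager
ypager.exe -quiet
Location: * Disabled *
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Click for Plus Info
"""

def parse_report(text):
    """Parse WinPatrol 'Startup Programs' report text into a list of entry dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):  # entries are blank-line separated
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not any(ln.startswith("Path:") for ln in lines):
            continue  # header block (Platform, WinLogon, ...), not a startup entry
        e = {"title": lines[0], "command": lines[1], "location": "", "path": ""}
        field = None
        for ln in lines[2:]:
            if ln == "Click for Plus Info":
                break
            m = re.match(r"(Location|Path):\s*(.*)", ln)
            if m:
                field = m.group(1).lower()
                e[field] = m.group(2)
            elif field:
                # Wrapped continuation; joined with a space (assumption that fits the wraps here).
                e[field] = (e[field] + " " + ln).strip()
        e["disabled"] = "* Disabled *" in e["location"]
        e["location"] = e["location"].replace("* Disabled *", "").strip()
        e["exe"] = e["command"].split()[0].lower()
        entries.append(e)
    return entries

def multi_registered(entries):
    """Executables registered for startup in more than one place."""
    seen = defaultdict(list)
    for e in entries:
        seen[e["exe"]].append(e["location"])
    return {exe: locs for exe, locs in seen.items() if len(locs) > 1}

def diff_reports(before, after):
    """Compare two parsed reports by executable name."""
    b = {e["exe"]: e for e in before}
    a = {e["exe"]: e for e in after}
    return {
        "removed": sorted(b.keys() - a.keys()),
        "added": sorted(a.keys() - b.keys()),
        "newly_disabled": sorted(x for x in a.keys() & b.keys()
                                 if a[x]["disabled"] and not b[x]["disabled"]),
    }

if __name__ == "__main__":
    before, after = parse_report(BEFORE), parse_report(AFTER)
    print(multi_registered(before), diff_reports(before, after))
```

An entry that shows up again under "added" after it was disabled or removed is the case to look at first, since it means something is re-registering it.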
  15. Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

    Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
    a lot less crowded than it did- also when I look at the task manager it now
    shows 37 programs, (I have a few things running when it shows that amt) and
    not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
    on the winpatrol and had already disabled that, I thought it was funny seeing
    3 times, so I'm glad to know I was on the right track there. When I went
    back to the winpatrol and disabled the DLHelper program, a minute or so later
    I got a pop up saying that a new program was wanting to be added to the start
    up-and it was the DLHelper I had just disabled, so I said no on the ok to add
    to start-up. Here is what the list shows now: (pls read my add'l msg
    after the winpatrol info)

    WinPatrol Startup Programs
    Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
    2/11/2005

    Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    Browser: Microsoft® Windows® Operating System - Internet Explorer version
    6.00.2900.2180
    Memory currently in use: 79%

    MSIE: Internet Explorer (6.00.2900.2180)

    HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    HKLM Default_Page_URL = http://www.emachines.com
    HKCU Start Page = http://www.comcast.net/
    HKLM Start Page = http://www.msn.com/

    WinLogon DefaultUserName=linda
    WinLogon DefaultDomainName=LUCY
    WinLogon Shell=Explorer.exe
    WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,


    VSOCheckTask
    mcmnhdlr.exe /checktask
    McAfee VirusScan Command Handler
    Version: 8, 0, 0, 0
    Copyright © 1998-2003 Networks Associates Technology, Inc
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    Click for Plus Info


    VirusScan Online
    mcvsshld.exe
    McAfee VirusScan ActiveShield Resource
    Version: 8, 0, 0, 0
    Copyright © 1998-2003 Networks Associates Technology, Inc
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    Click for Plus Info


    MCAgentExe
    mcagent.exe
    McAfee SecurityCenter Agent
    Version: 5, 0, 0, 0
    Copyright © 2004 Networks Associates Technology, Inc.
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    Click for Plus Info


    MCUpdateExe
    mcupdate.exe
    McAfee SecurityCenter Update Engine
    Version: 5, 0, 0, 0
    Copyright © 2004 Networks Associates Technology, Inc.
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    Click for Plus Info


    pccguide.exe
    pccguide.exe
    PCCGuide
    Version: 12.10.0
    Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    Click for Plus Info


    WinPatrol
    winpatrol.exe
    WinPatrol System Monitor
    Version: 8.1.2.0
    Copyright © 1997- 2004 BillP Studios
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    Click for Plus Info


    MPFExe
    MpfTray.exe
    McAfee Personal Firewall Tray Monitor
    Version: 6.0.0.14
    Copyright © 2000-2004 Networks Associates Technologies, Inc.
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
    Click for Plus Info


    McRegWiz
    mcregwiz.exe /autorun
    McRegWiz Module
    Version: 1, 0, 0, 4
    Copyright 2003 Networks Associates Technology, Inc
    Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    Click for Plus Info


    Microsoft Works Update Detection
    WkDetect.exe
    Microsoft® Works Update Detection
    Version: 6.00.1828.1
    Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    Location: * Disabled *
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\Microsoft Works\WkDetect.exe
    Click for Plus Info


    Yahoo! Pager
    ypager.exe -quiet
    Yahoo! Messenger
    Version: 6,0,0,1750
    Copyright 1998-2004
    Location: * Disabled *
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    Click for Plus Info

    I wanted to say THANK-YOU so much...not only do i appreciate you taking the
    time to help me..and also the detailed instructions, they were easy for me to
    follow and understand, as I said in my original msg. I'm relatively new at all
    this so being able to follow/understand was great. I have only posted to
    newsgroups a few times and honestly I have gotten a few responses that just
    leave me sitting there going "HUH". Again thanks very much for your help!!!
    Linda


    "Bob Dietz" wrote:

    > Hi Linda,
    >
    > I was pretty busy yesterday. Sorry it took so long to get back to you
    >
    > Before you start you might want to print this out on your printer.
    >
    > I see some adware/spyware listed that I would have expected Lavasoft
    > Ad-aware to have successfully removed. Let's run through the steps that
    > will allow Ad-Aware to do its best work.
    >
    > 1) Start Ad-Aware.
    > 2) Click "Check for updates now." (lower right corner)
    > 3) Connect and get any available updates.
    > Verify that your version number matches the version number
    > of the newest available Ad-Aware.
    > 4) Once you have the latest updates installed,
    > close Ad-Aware and any other running programs.
    > 5) To make it easier for Ad-Aware to do its job,
    > we're going to run it in SAFE MODE.
    > A) Restart the computer.
    > B) While the computer is booting - before the first
    > "Windows" screen appears, tap the F8 key.
    > C) When the boot menu appears, choose SAFE MODE.
    > 6) Start Ad-aware.
    > 7) Click the "Start" button in the Ad-Aware window.
    > 8) Set "Select Scan Mode" to "Perform full system scan."
    > 9) Click the "Next" button to start the scan.
    > 10) When the scan finishes, click "Next."
    > 11) "Scan Results" defaults to the "Critical Objects" tab.
    > Changing to the "Scan Summary" tab, will give you
    > a much clearer picture of what has been found and may
    > save you quite a few mouse clicks as well. Be sure there
    > is a check mark beside everything you want to remove and
    > click "Next."
    > * No need to click the Quarantine button, Ad-aware
    > * automatically quarantines everything it removes.
    >
    > When you're done, close Ad-Aware and restart the computer letting it
    > boot normally.
    > Open the WinPatrol window.
    > Click the "Title" column heading so that programs are sorted by title in
    > A-Z order.
    >
    > Below you'll find your report (slightly reformatted so that programs are
    > in A-Z order by title.) Each item is followed by my comments which are
    > marked by asterisks. Presumably Ad-Aware will already have
    > eliminated most of the evil ad-ware/spyware. If bad items still remain,
    > we'll use the WinPatrol report to figure out how to remove those items.
    > If you were doing this on your own, you'd -
    > 1) Select the executable name with your mouse.
    > 2) Right click on the selection and choose "Copy."
    > 3) Open a new browser window and go to http://www.google.com
    > 4) Right click in the Google search box and choose "Paste."
    > 5) Click on the search button.
    > Hint: If you install the Google toolbar ( http://toolbar.google.com ),
    > you could select the executable name, right click and choose
    > "Google Search."
    >
    > Use a little caution regarding the results of your search.
    > Some of the sites providing the information about startup items are
    > trying too hard to sell you something. For instance at least one site
    > shows a very conspicuous warning "Internal IP Exposed!" This is a simple
    > scam using javascript to display your IP in your browser on your
    > computer. Nobody can see it who isn't sitting in front of your computer
    > display.
    >
    > Here are some domains that I regard as above average. Look for these in
    > the results of your Google spyware/adware searches.
    >
    > AnswersThatWork.com
    > CastleCops.com
    > Iamnotageek.com
    > Neuber.com
    > Sysinfo.org
    > WinPatrol.com
    >
    > This Sysinfo.org page is worth putting in your favorites -
    > http://www.sysinfo.org/startuplist.php
    >
    >
    > *****************************************************************
    > WinPatrol Startup Programs (Edited by Bob Dietz)
    >
    > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    > Browser: Microsoft® Windows® Operating System - Internet Explorer
    > version 6.00.2900.2180
    > Memory currently in use: 91%
    > ********************************************************************
    > * This memory currently in use number isn't critical, but
    > * a lower value would be better. If you have less than 256Mb of RAM,
    > * you should think about upgrading to more memory.
    > ********************************************************************
    >
    >
    > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    > HKLM Default_Page_URL = http://www.emachines.com
    > HKCU Start Page = http://www.emachines.com/
    > HKLM Start Page = http://www.msn.com/
    >
    > WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
    > WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
    > WinLogon Shell=Explorer.exe
    > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    >
    >
    >
    > CleanUp
    > mcappins.exe /v=3 /cleanup
    > McAfee Application Installer
    > Version: 5, 0, 0, 0
    > Copyright © 2004 Networks Associates Technology, Inc.
    > Location:
    > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    > ********************************************************************
    > * This is part of McAfee
    > * I recommended that you leave it enabled. The site -
    > * http://startup.iamnotageek.com/srch-mcappins.exe.html
    > * describes it as
    > * McAfee Application Installer. (What does it do and is it required?)
    > * FWIW The Plus version of WinPatrol what it does and why it might
    > * be required.
    > ********************************************************************
    >
    >
    >
    > eZstub
    > eZstub.exe
    > eZstub Module
    > Version: 1, 0, 0, 1
    > Copyright 2000
    > Location:
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    > Path: Command /c del C:\WINDOWS\system32\eZstub.exe
    > ********************************************************************
    > * This is an EZula component.
    > * The other EZula component in this list - Web Offers - EZPOPS~1.EXE
    > * appears to be quite recent and I could find it mentioned on any
    > * web pages. For that reason, Ad-Aware may have trouble removing
    > * this even in SAFE MODE!
    > * If Ad-Aware wasn't able to remove this, try using WinPatrol to
    > * disable it. If it won't stay disabled, let me know and we'll
    > * follow some additional steps.
    > ********************************************************************
    >
    >
    >
    >
    >
    > MCAgentExe
    > mcagent.exe
    > McAfee SecurityCenter Agent
    > Version: 5, 0, 0, 0
    > Copyright © 2004 Networks Associates Technology, Inc.
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    > ********************************************************************
    > * This is part of McAfee
    > * I recommended that you leave it enabled.
    > * http://startup.iamnotageek.com/srch-mcagent.exe.html
    > ********************************************************************
    >
    >
    >
    > MCUpdateExe
    > mcupdate.exe
    > McAfee SecurityCenter Update Engine
    > Version: 5, 0, 0, 0
    > Copyright © 2004 Networks Associates Technology, Inc.
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    > ********************************************************************
    > * This is part of McAfee
    > * I recommended that you leave it enabled.
    > * http://startup.iamnotageek.com/srch-mcupdate.exe.html
    > ********************************************************************
    >
    >
    >
    > Microsoft Works Update Detection
    > WkDetect.exe
    > Microsoft® Works Update Detection
    > Version: 6.00.1828.1
    > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    > Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\Microsoft Works\WkDetect.exe
    > ********************************************************************
    > * This checks for updates to MS Works
    > * Unless your computer has more memory than you know what
    > * to do with, I'd recommend disabling this in WinPatrol.
    > * Disabling is better than removal, because you can always
    > * decide to turn it back on at a later date.
    > * http://startup.iamnotageek.com/srch-wkdetect.exe.html
    > ********************************************************************
    >
    >
    > msnmsgr
    > msnmsgr.exe /background
    > MSN Messenger
    > Version: Version 6.2
    > Copyright (c) Microsoft Corporation 1997-2004
    > Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
    > ********************************************************************
    > * Letting MSN Messenger run is a user choice.
    > * If you aren't sure what MSN Messenger is, you're not using
    > * it and there is no use to have it running constantly
    > * using up precious RAM.
    > * Later in this report, we see that Yahoo! Pager is also running.
    > * If you're using both of these programs, you might want to
    > * consider replacing the two of them with Trillian, which is
    > * open source freeware and provides the services of both programs.
    > * http://www.neuber.com/taskmanager/process/msnmsgr.exe.html
    > ********************************************************************
    >
    >
    > MyWebSearch Email Plugin
    > MWSOEMON.EXE
    > My Web Search Email Plugin
    > Version: 2,0,1,0
    > Copyright © 2003-2004 MyWebSearch.com
    > Location: Windows Startup Group
    > Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    > ********************************************************************
    > * This is spyware.
    > * The fact that there are four apparently identical instances
    > * in the original report gives a little concern. I suspect
    > * this may be the culprit with regard to the 22 instances of
    > * rundll32.exe.
    > * If these are still in the list after the SAFE MODE Ad-Aware scan,
    > * try to disable them using WinPatrol.
    > * If they refuse to stay disabled, let me know and there are other
    > * steps we can try.
    > * FWIW Here are some pages with more info about MyWebSearch.
    > * http://www.mac-net.com/445088.page
    > * http://www.iamnotageek.com/a/mwsoemon.exe.php
    > * http://www.winpatrol.com/db/freesample/mwsoemon.html
    > ********************************************************************
    >
    >
    > pccguide.exe
    > pccguide.exe
    > PCCGuide
    > Version: 12.10.0
    > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    > ********************************************************************
    > * Part of Trend Micro's PC-cillin Anti-Virus
    > * Do you have both PC-cillin and McAfee installed?
    > ********************************************************************
    >
    >
    >
    > Unknown Title
    > DLHelperEXE.exe
    > DLHelper Module
    > Version: 6, 0, 0, 3
    > Copyright 2001
    > Location: Windows Startup Group
    > Path: C:\Documents and Settings\linda\Start
    > Menu\Programs\Startup\DLHelperEXE.exe
    > ********************************************************************
    > * Probably part of CasinoOnNet adware.
    > * If that's what it is, the Ad-Aware SAFE MODE scan probably
    > * removed it. If not, try disabling it in WinPatrol.
    > * http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073208
    > ********************************************************************
    >
    >
    >
    > VirusScan Online
    > mcvsshld.exe
    > McAfee VirusScan ActiveShield Resource
    > Version: 8, 0, 0, 0
    > Copyright © 1998-2003 Networks Associates Technology, Inc
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    > ********************************************************************
    > * Part of McAfee VirusScan On-Line
    > * I recommend leaving it enabled.
    > * http://startup.iamnotageek.com/srch-mcvsshld.exe.html
    > ********************************************************************
    >
    >
    >
    > VSOCheckTask
    > mcmnhdlr.exe /checktask
    > McAfee VirusScan Command Handler
    > Version: 8, 0, 0, 0
    > Copyright © 1998-2003 Networks Associates Technology, Inc
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    > ********************************************************************
    > * Part of McAfee's SecurityCenter and Virusscan Online.
    > * I recommend leaving it enabled.
    > * http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
    > ********************************************************************
    >
    >
    >
    > Web Offer
    > EZPOPS~1.EXE
    > eZstub Module
    > Version: 1, 0, 0, 1
    > Copyright 2000
    > Location:
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    > Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
    > ********************************************************************
    > * Another component of EZula adware.
    > * I search for specific information about this component -
    > * http://www.google.com/search?q=EZPOPS%7E1.EXE
    > * the information is pretty scant which indicates
    > * this version of EZula is pretty new and most anti-spyware/
    > * anti-adware programs probably won't remove it.
    > * If the SAFE MODE Ad-Aware scan fails to remove this,
    > * try disabling it in WinPatrol.
    > * If it won't stay disabled, let me know - there are other
    > * approaches to this problem.
    > ********************************************************************
    >
    >
    >
    > WinPatrol
    > winpatrol.exe
    > WinPatrol System Monitor
    > Version: 8.1.2.0
    > Copyright © 1997- 2004 BillP Studios
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    > ********************************************************************
    > * This is WinPatrol
    > * It's safe and I recommend that you leave it in.
    > * But you can't really know if that's good advice until
    > * you research it.
    > * http://www.google.com/search?q=winpatrol.exe
    > ********************************************************************
    >
    >
    >
    > Yahoo! Pager
    > ypager.exe -quiet
    > Yahoo! Messenger
    > Version: 6,0,0,1750
    > Copyright 1998-2004
    > Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    > ********************************************************************
    > * Yahoo! Pager is an instant messenger application like
    > * MSN Messenger. If you aren't using these, you should disable them.
    > * If you're only using one of them, you should disable the one
    > * you're not using.
    > * If you're using both of them, you should think about switching
    > * to Trillian, an open source freeware application that can connect
    > * to many different types of instant messaging servers.
    > * http://startup.iamnotageek.com/srch-ypager.exe.html
    > ********************************************************************
    >
    >
    > --
    > Bob Dietz
    >
    > linda wrote:
    > > Hi Bob - this is what came up....thx for your help-prior to this when i ran
    > > the lavasoft adware/spyware there was an item that came up that said it
    > > affected the registry and i would select the cleanup/restore/delete for it,
    > > it would say that the task was completed but if i ran the program again it
    > > showed exactly the same thing it said it had taken care of? thought i would
    > > mention this in case it has anything to do with what's going on now....thx
    > > again for helping...linda
    > >
    >
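
The startup-report review walked through in the quoted message above, as an added example that is not part of the thread or of WinPatrol: a parser for the report layout shown on this page, with four research hints (repeat listings, Startup folder, RunOnce, "Unknown Title") that are assumptions drawn from what the reviewer singles out, not detection logic. The sample report is constructed from entries quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample: entries copied from the WinPatrol report quoted in the
# thread, at mixed quote depths; MWSOEMON.EXE is listed twice on purpose.
SAMPLE_REPORT = r"""
> Yahoo! Pager
> ypager.exe -quiet
> Yahoo! Messenger
> Version: 6,0,0,1750
> Copyright 1998-2004
> Location: * Disabled *
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> Click for Plus Info
>
> > MyWebSearch Email Plugin
> > MWSOEMON.EXE
> > My Web Search Email Plugin
> > Version: 2,0,1,0
> > Copyright © 2003-2004 MyWebSearch.com
> > Location: Windows Startup Group
> > Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> > * This is spyware.
> >
> > MyWebSearch Email Plugin
> > MWSOEMON.EXE
> > My Web Search Email Plugin
> > Version: 2,0,1,0
> > Copyright © 2003-2004 MyWebSearch.com
> > Location: Windows Startup Group
> > Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> >
> > Unknown Title
> > DLHelperEXE.exe
> > DLHelper Module
> > Version: 6, 0, 0, 3
> > Copyright 2001
> > Location: Windows Startup Group
> > Path: C:\Documents and Settings\linda\Start
> > Menu\Programs\Startup\DLHelperEXE.exe
> >
> > Web Offer
> > EZPOPS~1.EXE
> > eZstub Module
> > Version: 1, 0, 0, 1
> > Copyright 2000
> > Location:
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> > Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
"""

QUOTE = re.compile(r"^\s*(?:>\s?)*")            # any depth of "> " reply quoting
FIELD = re.compile(r"(Version|Copyright|Location|Path)\b:?\s*(.*)")

def _parse_block(lines):
    head, fields, last = [], {}, None
    for line in lines:
        m = FIELD.match(line)
        if m:
            last = m.group(1).lower()
            fields[last] = m.group(2)
        elif last:                               # wrapped Location:/Path: value
            fields[last] = (fields[last] + " " + line).strip()
        else:
            head.append(line)                    # title, command, description
    if len(head) < 2 or "location" not in fields or "path" not in fields:
        return None                              # header or prose, not an entry
    loc = fields["location"]
    return {"title": head[0], "exe": head[1].split()[0].lower(),
            "disabled": "* Disabled *" in loc,
            "location": loc.replace("* Disabled *", "").strip(),
            "path": fields["path"]}

def parse_report(text):
    """Return one dict per startup entry in a (possibly quoted) report."""
    lines = [QUOTE.sub("", raw).strip() for raw in text.splitlines()]
    lines = [ln for ln in lines if not ln.startswith("*") and ln != "Click for Plus Info"]
    blocks = re.split(r"\n{2,}", "\n".join(lines).strip())
    parsed = (_parse_block(b.splitlines()) for b in blocks if b)
    return [e for e in parsed if e]

def triage(entries):
    """Map executable -> reasons to research it (hints, not verdicts)."""
    counts = Counter(e["exe"] for e in entries)
    rules = [  # assumptions drawn from what the thread's reviewer singles out
        ("listed more than once", lambda e: counts[e["exe"]] > 1),
        ("starts from the Startup folder",
         lambda e: e["location"] == "Windows Startup Group"),
        ("RunOnce entry", lambda e: e["location"].lower().endswith("\\runonce")),
        ("no title reported", lambda e: e["title"] == "Unknown Title"),
    ]
    found = {e["exe"]: [label for label, hit in rules if hit(e)] for e in entries}
    return {exe: notes for exe, notes in found.items() if notes}

if __name__ == "__main__":
    for exe, notes in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{exe}: {', '.join(notes)}")
```

Each flagged name is a starting point for the look-it-up step described in the thread, not a removal list.
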
  16. Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

    Hi Bob- I also wanted to let you know that the reason I'm showing both McAff
    and Trend Micro is that when I went to their site to do a "house call"
    (friend of mine had recomm it) it would not scan, so I downloaded the free
    trial version and it will be expiring in about a week...I like the way the
    program runs, would you recommend? and.....last thing, i did put that sysinfo
    in my favorites and have been going in and looking around...thx
    again.....bye...linda

    "linda" wrote:

    > Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
    > a lot less crowded than it did- also when I look at the task manager it now
    > shows 37 programs, (I have a few things running when it shows that amt) and
    > not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
    > on the winpatrol and had already disabled that, I thought it was funny seeing
    > 3 times, so I'm glad to know I was on the right track there. When I went
    > back to the winpatrol and disable the DLHelper program, a minute or so later
    > I got a pop up saying that a new program was wanting to be added to the start
    > up-and it was the DLHelper I had just disabled, so I said no on the ok to add
    > to start-up. Here's is what the list shows now: (pls read my add'l msg
    > after the winpatrol info)
    >
    > WinPatrol Startup Programs
    > Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
    > 2/11/2005
    >
    > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    > Browser: Microsoft® Windows® Operating System - Internet Explorer version
    > 6.00.2900.2180
    > Memory currently in use: 79%
    >
    > MSIE: Internet Explorer (6.00.2900.2180)
    >
    > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    > HKLM Default_Page_URL = http://www.emachines.com
    > HKCU Start Page = http://www.comcast.net/
    > HKLM Start Page = http://www.msn.com/
    >
    > WinLogon DefaultUserName=linda
    > WinLogon DefaultDomainName=LUCY
    > WinLogon Shell=Explorer.exe
    > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    >
    >
    >
    > VSOCheckTask
    > mcmnhdlr.exe /checktask
    > McAfee VirusScan Command Handler
    > Version: 8, 0, 0, 0
    > Copyright © 1998-2003 Networks Associates Technology, Inc
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    > Click for Plus Info
    >
    >
    >
    > VirusScan Online
    > mcvsshld.exe
    > McAfee VirusScan ActiveShield Resource
    > Version: 8, 0, 0, 0
    > Copyright © 1998-2003 Networks Associates Technology, Inc
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    > Click for Plus Info
    >
    >
    >
    > MCAgentExe
    > mcagent.exe
    > McAfee SecurityCenter Agent
    > Version: 5, 0, 0, 0
    > Copyright © 2004 Networks Associates Technology, Inc.
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    > Click for Plus Info
    >
    >
    >
    > MCUpdateExe
    > mcupdate.exe
    > McAfee SecurityCenter Update Engine
    > Version: 5, 0, 0, 0
    > Copyright © 2004 Networks Associates Technology, Inc.
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    > Click for Plus Info
    >
    >
    >
    > pccguide.exe
    > pccguide.exe
    > PCCGuide
    > Version: 12.10.0
    > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    > Click for Plus Info
    >
    >
    >
    > WinPatrol
    > winpatrol.exe
    > WinPatrol System Monitor
    > Version: 8.1.2.0
    > Copyright © 1997- 2004 BillP Studios
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    > Click for Plus Info
    >
    >
    >
    > MPFExe
    > MpfTray.exe
    > McAfee Personal Firewall Tray Monitor
    > Version: 6.0.0.14
    > Copyright © 2000-2004 Networks Associates Technologies, Inc.
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
    > Click for Plus Info
    >
    >
    >
    > McRegWiz
    > mcregwiz.exe /autorun
    > McRegWiz Module
    > Version: 1, 0, 0, 4
    > Copyright 2003 Networks Associates Technology, Inc
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    > Click for Plus Info
    >
    >
    >
    > Microsoft Works Update Detection
    > WkDetect.exe
    > Microsoft® Works Update Detection
    > Version: 6.00.1828.1
    > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    > Location: * Disabled *
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\Microsoft Works\WkDetect.exe
    > Click for Plus Info
    >
    >
    >
    > Yahoo! Pager
    > ypager.exe -quiet
    > Yahoo! Messenger
    > Version: 6,0,0,1750
    > Copyright 1998-2004
    > Location: * Disabled *
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    > Click for Plus Info
    >
    > I wanted to say THANK-YOU so much...not only do i appreciate you taking the
    > time to help me..and also the detail instructions, they were easy for me to
    > follow and understand, as I said in my original msg. I'm relatively new at all
    > this so being able to follow/understand was great. I have only posted to
    > newsgroups a few times and honestly I have gotten a few responses that just
    > leave me sitting there going "HUH". Again thanks very much for your help!!!
    > Linda
    >
    >
    >
    > "Bob Dietz" wrote:
    >
    > > Hi Linda,
    > >
    > > I was pretty busy yesterday. Sorry it took so long to get back to you
    > >
    > > Before you start you might want to print this out on your printer.
    > >
    > > I see some adware/spyware listed that I would have expected Lavasoft
    > > Ad-aware to have successfully removed. Let's run through the steps that
    > > will allow Ad-Aware to do its best work.
    > >
    > > 1) Start Ad-Aware.
    > > 2) Click "Check for updates now." (lower right corner)
    > > 3) Connect and get any available updates.
    > > Verify that your version number matches the version number
    > > of the newest available Ad-Aware.
    > > 4) Once you have the latest updates installed,
    > > close Ad-Aware and any other running programs.
    > > 5) To make it easier for Ad-Aware to do its job,
    > > we're going to run it in SAFE MODE.
    > > A) Restart the computer.
    > > B) While the computer is booting - before the first
    > > "Windows" screen appears, tap the F8 key.
    > > C) When the boot menu appears, choose SAFE MODE.
    > > 6) Start Ad-aware.
    > > 7) Click the "Start" button in the Ad-Aware window.
    > > 8) Set "Select Scan Mode" to "Perform full system scan."
    > > 9) Click the "Next" button to start the scan.
    > > 10) When the scan finishes, click "Next."
    > > 11) "Scan Results" defaults to the "Critical Objects" tab.
    > > Changing to the "Scan Summary" tab, will give you
    > > a much clearer picture of what has been found and may
    > > save you quite a few mouse clicks as well. Be sure there
    > > is a check mark beside everything you want to remove and
    > > click "Next."
    > > * No need to click the Quarantine button, Ad-aware
    > > * automatically quarantines everything it removes.
    > >
    > > When you're done, close Ad-Aware and restart the computer letting it
    > > boot normally.
    > > Open the WinPatrol window.
    > > Click the "Title" column heading so that programs are sorted by title in
    > > A-Z order.
    > >
    > > Below you'll find your report (slightly reformatted so that programs are
    > > in A-Z order by title.) Each item is followed by my comments which are
    > > marked by asterisks. Presumably Ad-Aware will already have
    > > eliminated most of the evil ad-ware/spyware. If bad items still remain,
    > > we'll use the WinPatrol report to figure out how to remove those items.
    > > If you were doing this on your own, you'd -
    > > 1) Select the executable name with your mouse.
    > > 2) Right click on the selection and choose "Copy."
    > > 3) Open a new browser window and go to http://www.google.com
    > > 4) Right click in the Google search box and choose "Paste."
    > > 5) Click on the search button.
    > > Hint: If you install the Google toolbar ( http://toolbar.google.com ),
    > > you could select the executable name, right click and choose
    > > "Google Search."
    > >
    > > Use a little caution regarding the results of your search.
    > > Some of the sites providing the information about startup items are
    > > trying too hard to sell you something. For instance at least one site
    > > shows a very conspicuous warning "Internal IP Exposed!" This is a simple
    > > scam using javascript to display your IP in your browser on your
    > > computer. Nobody can see it who isn't sitting in front of your computer
    > > display.
    > >
    > > Here are some domains that I regard as above average. Look for these in
    > > the result of your Google spyware/adware searches.
    > >
    > > AnswersThatWork.com
    > > CastleCops.com
    > > Iamnotageek.com
    > > Neuber.com
    > > Sysinfo.org
    > > WinPatrol.com
    > >
    > > This Sysinfo.org page is worth putting in your favorites -
    > > http://www.sysinfo.org/startuplist.php
    > >
    > >
    > > *****************************************************************
    > > WinPatrol Startup Programs (Edited by Bob Dietz)
    > >
    > > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    > > Browser: Microsoft® Windows® Operating System - Internet Explorer
    > > version 6.00.2900.2180
    > > Memory currently in use: 91%
    > > ********************************************************************
    > > * This memory currently in use number isn't critical, but
    > > * a lower value would be better. If you have less than 256Mb of RAM,
    > > * you should think about upgrading to more memory.
    > > ********************************************************************
    > >
    > >
    > > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    > > HKLM Default_Page_URL = http://www.emachines.com
    > > HKCU Start Page = http://www.emachines.com/
    > > HKLM Start Page = http://www.msn.com/
    > >
    > > WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
    > > WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
    > > WinLogon Shell=Explorer.exe
    > > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    > >
    > >
    > >
    > > CleanUp
    > > mcappins.exe /v=3 /cleanup
    > > McAfee Application Installer
    > > Version: 5, 0, 0, 0
    > > Copyright © 2004 Networks Associates Technology, Inc.
    > > Location:
    > > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    > > ********************************************************************
    > > * This is part of McAfee
    > > * I recommended that you leave it enabled. The site -
    > > * http://startup.iamnotageek.com/srch-mcappins.exe.html
    > > * describes it as
    > > * McAfee Application Installer. (What does it do and is it required?)
    > > * FWIW The Plus version of WinPatrol what it does and why it might
    > > * be required.
    > > ********************************************************************
    > >
    > >
    > >
    > > eZstub
    > > eZstub.exe
    > > eZstub Module
    > > Version: 1, 0, 0, 1
    > > Copyright 2000
    > > Location:
    > > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    > > Path: Command /c del C:\WINDOWS\system32\eZstub.exe
    > > ********************************************************************
    > > * This is an EZula component.
    > > * The other EZula component in this list - Web Offers - EZPOPS~1.EXE
    > > * appears to be quite recent and I could find it mentioned on any
    > > * web pages. For that reason, Ad-Aware may have trouble removing
    > > * this even in SAFE MODE!
    > > * If Ad-Aware wasn't able to remove this, try using WinPatrol to
    > > * disable it. If it won't stay disabled, let me know and we'll
    > > * follow some additional steps.
    > > ********************************************************************
    > >
    > >
    > >
    > >
    > >
    > > MCAgentExe
    > > mcagent.exe
    > > McAfee SecurityCenter Agent
    > > Version: 5, 0, 0, 0
    > > Copyright © 2004 Networks Associates Technology, Inc.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    > > ********************************************************************
    > > * This is part of McAfee
    > > * I recommended that you leave it enabled.
    > > * http://startup.iamnotageek.com/srch-mcagent.exe.html
    > > ********************************************************************
    > >
    > >
    > >
    > > MCUpdateExe
    > > mcupdate.exe
    > > McAfee SecurityCenter Update Engine
    > > Version: 5, 0, 0, 0
    > > Copyright © 2004 Networks Associates Technology, Inc.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    > > ********************************************************************
    > > * This is part of McAfee
    > > * I recommended that you leave it enabled.
    > > * http://startup.iamnotageek.com/srch-mcupdate.exe.html
    > > ********************************************************************
    > >
    > >
    > >
    > > Microsoft Works Update Detection
    > > WkDetect.exe
    > > Microsoft® Works Update Detection
    > > Version: 6.00.1828.1
    > > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    > > Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\Microsoft Works\WkDetect.exe
    > > ********************************************************************
    > > * This checks for updates to MS Works
    > > * Unless your computer has more memory than you know what
    > > * to do with, I'd recommend disabling this in WinPatrol.
    > > * Disabling is better than removal, because you can always
    > > * decide to turn it back on at a later date.
    > > * http://startup.iamnotageek.com/srch-wkdetect.exe.html
    > > ********************************************************************
    > >
    > >
    > > msnmsgr
    > > msnmsgr.exe /background
    > > MSN Messenger
    > > Version: Version 6.2
    > > Copyright (c) Microsoft Corporation 1997-2004
    > > Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
    > > ********************************************************************
    > > * Letting MSN Messenger run is a user choice.
    > > * If you aren't sure what MSN Messenger is, you're not using
    > > * it and there is no use to have it running constantly
    > > * using up precious RAM.
    > > * Later in this report, we see that Yahoo! Pager is also running.
    > > * If you're using both of these programs, you might want to
    > > * consider replacing the two of them with Trillian, which is
    > > * open source freeware and provides the services of both programs.
    > > * http://www.neuber.com/taskmanager/process/msnmsgr.exe.html
    > > ********************************************************************
    > >
    > >
    > > MyWebSearch Email Plugin
    > > MWSOEMON.EXE
    > > My Web Search Email Plugin
    > > Version: 2,0,1,0
    > > Copyright © 2003-2004 MyWebSearch.com
    > > Location: Windows Startup Group
    > > Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    > > ********************************************************************
    > > * This is spyware.
    > > * The fact that there are four apparently identical instances
    > > * in the original report gives a little concern. I suspect
    > > * this may be the culprit with regard to the 22 instances of
    > > * rundll32.exe.
    > > * If these are still in the list after the SAFE MODE Ad-Aware scan,
    > > * try to disable them using WinPatrol.
    > > * If they refuse to stay disabled, let me know and there are other
    > > * steps we can try.
    > > * FWIW Here are some pages with more info about MyWebSearch.
    > > * http://www.mac-net.com/445088.page
    > > * http://www.iamnotageek.com/a/mwsoemon.exe.php
    > > * http://www.winpatrol.com/db/freesample/mwsoemon.html
    > > ********************************************************************
    > >
    > >
    > > pccguide.exe
    > > pccguide.exe
    > > PCCGuide
    > > Version: 12.10.0
    > > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    > > ********************************************************************
    > > * Part of Trend Micro's PC-cillin Anti-Virus
    > > * Do you have both PC-cillin and McAfee installed?
    > > ********************************************************************
    > >
    > >
    > >
    > > Unknown Title
    > > DLHelperEXE.exe
    > > DLHelper Module
    > > Version: 6, 0, 0, 3
    > > Copyright 2001
    > > Location: Windows Startup Group
    > > Path: C:\Documents and Settings\linda\Start
    > > Menu\Programs\Startup\DLHelperEXE.exe
    > > ********************************************************************
    > > * Probably part of CasinoOnNet adware.
    > > * If that's what it is, the Ad-Aware SAFE MODE scan probably
    > > * removed it. If not, try disabling it in WinPatrol.
    > > * http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073208
    > > ********************************************************************
    > >
    > >
    > >
    > > VirusScan Online
    > > mcvsshld.exe
    > > McAfee VirusScan ActiveShield Resource
    > > Version: 8, 0, 0, 0
    > > Copyright © 1998-2003 Networks Associates Technology, Inc
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    > > ********************************************************************
    > > * Part of McAfee VirusScan On-Line
    > > * I recommend leaving it enabled.
    > > * http://startup.iamnotageek.com/srch-mcvsshld.exe.html
    > > ********************************************************************
    > >
    > >
    > >
    > > VSOCheckTask
    > > mcmnhdlr.exe /checktask
    > > McAfee VirusScan Command Handler
    > > Version: 8, 0, 0, 0
    > > Copyright © 1998-2003 Networks Associates Technology, Inc
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    > > ********************************************************************
    > > * Part of McAfee's SecurityCenter and Virusscan Online.
    > > * I recommend leaving it enabled.
    > > * http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
    > > ********************************************************************
    > >
    > >
    > >
    > > Web Offer
    > > EZPOPS~1.EXE
    > > eZstub Module
    > > Version: 1, 0, 0, 1
    > > Copyright 2000
    > > Location:
    > > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    > > Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
    > > ********************************************************************
    > > * Another component of EZula adware.
    > > * I searched for specific information about this component -
    > > * http://www.google.com/search?q=EZPOPS%7E1.EXE
    > > * the information is pretty scant which indicates
    > > * this version of EZula is pretty new and most anti-spyware/
    > > * anti-adware programs probably won't remove it.
    > > * If the SAFE MODE Ad-Aware scan fails to remove this,
    > > * try disabling it in WinPatrol.
    > > * If it won't stay disabled, let me know - there are other
    > > * approaches to this problem.
    > > ********************************************************************
    > >
    > >
    > >
    > > WinPatrol
    > > winpatrol.exe
    > > WinPatrol System Monitor
    > > Version: 8.1.2.0
    > > Copyright © 1997- 2004 BillP Studios
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    > > ********************************************************************
    > > * This is WinPatrol
    > > * It's safe and I recommend that you leave it in.
    > > * But you can't really know if that's good advice until
    > > * you research it.
    > > * http://www.google.com/search?q=winpatrol.exe
    > > ********************************************************************
    > >
    > >
    > >
    > > Yahoo! Pager
    > > ypager.exe -quiet
    > > Yahoo! Messenger
    > > Version: 6,0,0,1750
    > > Copyright 1998-2004
    > > Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    > > ********************************************************************
    > > * Yahoo! Pager is an instant messenger application like
    > > * MSN Messenger. If you aren't using these, you should disable them.
    > > * If you're only using one of them, you should disable the one
    > > * you're not using.
    > > * If you're using both of them, you should think about switching
    > > * to Trillian, an open source freeware application that can connect
    > > * to many different types of instant messaging servers.
    > > * http://startup.iamnotageek.com/srch-ypager.exe.html
    > > ********************************************************************
    > >
    > >
    > > --
    > > Bob Dietz
    > >
    > > linda wrote:
    > > > Hi Bob - this is what came up....thx for your help-prior to this when i ran
    > > > the lavasoft adware/spyware there was an item that came up that said if
    > > > affected the registry and i would select the cleanup/restore/delete for it,
    > > > it would say that the task was completed but if i ran the progam again it
    > > > showed exactly the same thing it said it had taken care of? thought i would
    > > > mention this in case it has anything to do with what's going on now....thx
    > > > again for helping...linda
    > > >
    > >
  17. Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

    Your thanks is appreciated. :)

    Glad to hear that things are looking better for you, but don't think
    that you're done and stop now. There are still those other WinPatrol
    tabs to look at.

    IE Helpers
    IE Helpers are also known as BHO's (Browser Helper Objects).
    When attempting to identify items, I usually start with "Name."
    If that doesn't net decent results, I move on to "Program."
    (Actually, I paid for WinPatrol Plus and seldom resort to google.)
    If you run into something that you cannot identify,
    you'll find WinPatrol is a bit anemic here -
    BHO's cannot be disabled, they can only be deleted.
    To temporarily disable one of these items, download another free
    program called Toolbar Cop. http://windowsxp.mvps.org/toolbarcop.htm

    Scheduled Tasks
    I have yet to run into any malware that utilizes Windows Task
    Scheduler, so I have no special instructions. But you do want to
    know the purpose for any scheduled tasks.

    Services
    At minimum, you'll want to identify any non-Microsoft services.
    As to the Microsoft services, the WinPatrol Plus info is pretty
    lightweight. Sources for info about Windows XP Services:
    http://www.theeldergeek.com/services_guide.htm
    http://www.blackviper.com/WinXP/servicecfg.htm

    Active Tasks
    This corresponds to the Processes tab in Windows Task Manager.
    You really, really want to know about each of these items.
    The info in the Plus version of WinPatrol is fairly complete and
    is above average in quality. If you haven't paid for the plus version,
    start your investigation at http://www.answersthatwork.com and click
    on the "Task List" button. If you can't find the task listed there
    move on to google. If you can't find information there either, be
    suspicious. Click the "Info" button in WinPatrol and look at the
    full path to the executable file. Locate that executable file;
    right click on it and choose Properties. You're looking for clues.

    Before moving on it's worth noting that you can hold down the CTRL
    key and click on multiple "Active Tasks" and then "Kill Task" them
    all in one fell swoop. This is extremely useful when some obnoxious
    malware has started multiple different processes that keep
    re-adding startup items and restart their companion processes
    should you stop one of them.

    * See below for more info about processes and their associated DLLs.

    Cookies
    I've never felt that cookies were worth worrying about.
    WinPatrol has a cookie manager, but I don't use it and
    have no opinion.

    File Types
    "File type" determines what happens when you double click on
    a file with any given extension. For instance, if a file is named
    "Critical Data.doc" the ".doc" at the end is the file extension
    and information in Windows registry determines the File Type and
    what will happen. On many/most systems ".doc" is associated with
    Microsoft Word and a double click will open "Critical Data.doc"
    in Microsoft Word. If you install a new word processor ABC on
    that system, the install routine may reassociate the ".doc" file
    extension so that a double click on "Critical Data.doc" no longer
    opens it in MS Word, but rather in the newly installed ABC.
    WinPatrol alerts you when such changes are made. If you install
    and test bunches of software (like I do), that's handy.

    Although I don't know of any malware currently using file types
    to keep itself wedged onto systems, I think it is only a matter
    of time. Imagine that malware XYZ has been installed on your
    system. One of its files is XYZwedge and XYZwedge is the current
    association with the ".doc" file type. Each time you double click
    on a ".doc" file, XYZwedge reinserts XYZ into your startup items
    and then it Opens the ".doc" file in MS Word. Everything seems
    normal to you, except that the system seems to run slower and
    there are those @#$% pop-ups again.

    ****************************************************************

    If you don't already have them, add the following to your system's
    layered protection:
    Spyware Blaster - http://www.javacoolsoftware.com/spywareblaster.html
    IE Spyad - https://netfiles.uiuc.edu/ehowes/www/resource.htm
    An outbound firewall like Zone Alarm.
    http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp
    (The free for personal use version is at the bottom of the list.)


    ****************************************************************

    All your scans come up clean and all of the items on all of the
    WinPatrol tabs are accounted for and are supposed to be safe.
    But you still see a lot of pop-ups or the system still runs way too slow
    and/or there are many program crashes. What now?

    The technically inclined can download Process Viewer (prcview.exe)
    from http://www.xmlsp.com/pview/prcview.htm
    1) Run Process Viewer and select "Module Usage" on the "View" menu.
    2) Right click each module and choose "Copy Module Path."
    3) Paste the copied path into a google search box;
    enclose it in double quotes and search.
    4) Depending on what you found in step 3, search for just the
    file name and look for pages in the results that show the
    *.dll file in another path. eg.
    Windows KB article says that in Windows XP, abc.dll is found at
    C:\Windows\System32\abc.dll
    but the path on your system is
    C:\Windows\abc.dll
    The file on your system is spyware.
    Search google for instructions about how to remove it.
    If you can't find instructions, close the "Module Usage" window.
    Right click each process in the main Process viewer window and
    choose "Modules." Look for C:\Windows\abc.dll. Find ALL of the
    processes that use abc.dll with that full path, note the name
    of each such process. In WinPatrol, hold down the CTRL key and
    click each of those named processes. In a moment, you'll
    "Kill Task" them all at once. Before you do though, close out
    ALL other running programs! The evil malware .dll is probably
    attached to a vital system process and when you "Kill Task"
    the system will likely turn off about as fast as if you pulled
    the power cord out of the electric socket! If that happens, press
    the power button to boot the machine, otherwise reboot the machine.
    Double check that c:\windows\abc.dll is no longer a part of any
    running process.

    Otherwise, it's probably time to fdisk; format
    and re-install Windows from scratch. :(

    --
    Bob Dietz


    linda wrote:
    > Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
    > a lot less crowded than it did- also when I look at the task manager it now
    > shows 37 programs, (I have a few things running when it shows that amt) and
    > not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
    > on the winpatrol and had already disabled that, I thought it was funny seeing
    > 3 times, so I'm glad to know I was on the right track there. When I went
    > back to the winpatrol and disable the DLHelper program, a minute or so later
    > I got a pop up saying that a new program was wanting to be added to the start
    > up-and it was the DLHelper I had just disabled, so I said no on the ok to add
    > to start-up. Here is what the list shows now: (pls read my add'l msg
    > after the winpatrol info)
    >
    > WinPatrol Startup Programs
    > Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
    > 2/11/2005
    >
    > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    > Browser: Microsoft® Windows® Operating System - Internet Explorer version
    > 6.00.2900.2180
    > Memory currently in use: 79%
    >
    > MSIE: Internet Explorer (6.00.2900.2180)
    >
    > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    > HKLM Default_Page_URL = http://www.emachines.com
    > HKCU Start Page = http://www.comcast.net/
    > HKLM Start Page = http://www.msn.com/
    >
    > WinLogon DefaultUserName=linda
    > WinLogon DefaultDomainName=LUCY
    > WinLogon Shell=Explorer.exe
    > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    >
    >
    >
    > VSOCheckTask
    > mcmnhdlr.exe /checktask
    > McAfee VirusScan Command Handler
    > Version: 8, 0, 0, 0
    > Copyright © 1998-2003 Networks Associates Technology, Inc
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    > Click for Plus Info
    >
    >
    >
    > VirusScan Online
    > mcvsshld.exe
    > McAfee VirusScan ActiveShield Resource
    > Version: 8, 0, 0, 0
    > Copyright © 1998-2003 Networks Associates Technology, Inc
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    > Click for Plus Info
    >
    >
    >
    > MCAgentExe
    > mcagent.exe
    > McAfee SecurityCenter Agent
    > Version: 5, 0, 0, 0
    > Copyright © 2004 Networks Associates Technology, Inc.
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    > Click for Plus Info
    >
    >
    >
    > MCUpdateExe
    > mcupdate.exe
    > McAfee SecurityCenter Update Engine
    > Version: 5, 0, 0, 0
    > Copyright © 2004 Networks Associates Technology, Inc.
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    > Click for Plus Info
    >
    >
    >
    > pccguide.exe
    > pccguide.exe
    > PCCGuide
    > Version: 12.10.0
    > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    > Click for Plus Info
    >
    >
    >
    > WinPatrol
    > winpatrol.exe
    > WinPatrol System Monitor
    > Version: 8.1.2.0
    > Copyright © 1997- 2004 BillP Studios
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    > Click for Plus Info
    >
    >
    >
    > MPFExe
    > MpfTray.exe
    > McAfee Personal Firewall Tray Monitor
    > Version: 6.0.0.14
    > Copyright © 2000-2004 Networks Associates Technologies, Inc.
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
    > Click for Plus Info
    >
    >
    >
    > McRegWiz
    > mcregwiz.exe /autorun
    > McRegWiz Module
    > Version: 1, 0, 0, 4
    > Copyright 2003 Networks Associates Technology, Inc
    > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    > Click for Plus Info
    >
    >
    >
    > Microsoft Works Update Detection
    > WkDetect.exe
    > Microsoft® Works Update Detection
    > Version: 6.00.1828.1
    > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    > Location: * Disabled *
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\Microsoft Works\WkDetect.exe
    > Click for Plus Info
    >
    >
    >
    > Yahoo! Pager
    > ypager.exe -quiet
    > Yahoo! Messenger
    > Version: 6,0,0,1750
    > Copyright 1998-2004
    > Location: * Disabled *
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    > Click for Plus Info
    >
    > I wanted to say THANK-YOU so much...not only do I appreciate you taking the
    > time to help me..and also the detailed instructions, they were easy for me to
    > follow and understand, as I said in my original msg. I'm relatively new at all
    > this so being able to follow/understand was great. I have only posted to
    > newsgroups a few times and honestly I have gotten a few responses that just
    > leave me sitting there going "HUH". Again thanks very much for your help!!!
    > Linda
    >
    >
    >
    > "Bob Dietz" wrote:
    >
    >
    >>Hi Linda,
    >>
    >>I was pretty busy yesterday. Sorry it took so long to get back to you
    >>
    >>Before you start you might want to print this out on your printer.
    >>
    >>I see some adware/spyware listed that I would have expected Lavasoft
    >>Ad-aware to have successfully removed. Let's run through the steps that
    >>will allow Ad-Aware to do its best work.
    >>
    >>1) Start Ad-Aware.
    >>2) Click "Check for updates now." (lower right corner)
    >>3) Connect and get any available updates.
    >> Verify that your version number matches the version number
    >> of the newest available Ad-Aware.
    >>4) Once you have the latest updates installed,
    >> close Ad-Aware and any other running programs.
    >>5) To make it easier for Ad-Aware to do its job,
    >> we're going to run it in SAFE MODE.
    >> A) Restart the computer.
    >> B) While the computer is booting - before the first
    >> "Windows" screen appears, tap the F8 key.
    >> C) When the boot menu appears, choose SAFE MODE.
    >>6) Start Ad-aware.
    >>7) Click the "Start" button in the Ad-Aware window.
    >>8) Set "Select Scan Mode" to "Perform full system scan."
    >>9) Click the "Next" button to start the scan.
    >>10) When the scan finishes, click "Next."
    >>11) "Scan Results" defaults to the "Critical Objects" tab.
    >> Changing to the "Scan Summary" tab, will give you
    >> a much clearer picture of what has been found and may
    >> save you quite a few mouse clicks as well. Be sure there
    >> is a check mark beside everything you want to remove and
    >> click "Next."
    >> * No need to click the Quarantine button, Ad-aware
    >> * automatically quarantines everything it removes.
    >>
    >>When you're done, close Ad-Aware and restart the computer letting it
    >>boot normally.
    >>Open the WinPatrol window.
    >>Click the "Title" column heading so that programs are sorted by title in
    >>A-Z order.
    >>
    >>Below you'll find your report (slightly reformatted so that programs are
    >>in A-Z order by title.) Each item is followed by my comments which are
    >>marked by asterisks. Presumably Ad-Aware will already have
    >>eliminated most of the evil ad-ware/spyware. If bad items still remain,
    >>we'll use the WinPatrol report to figure out how to remove those items.
    >>If you were doing this on your own, you'd -
    >> 1) Select the executable name with your mouse.
    >> 2) Right click on the selection and choose "Copy."
    >> 3) Open a new browser window and go to http://www.google.com
    >> 4) Right click in the Google search box and choose "Paste."
    >> 5) Click on the search button.
    >>Hint: If you install the Google toolbar ( http://toolbar.google.com ),
    >>you could select the executable name, right click and choose
    >>"Google Search."
    >>
    >>Use a little caution regarding the results of your search.
    >>Some of the sites providing the information about startup items are
    >>trying too hard to sell you something. For instance at least one site
    >>shows a very conspicuous warning "Internal IP Exposed!" This is a simple
    >> scam using javascript to display your IP in your browser on your
    >>computer. Nobody can see it who isn't sitting in front of your computer
    >>display.
    >>
    >>Here are some domains that I regard as above average. Look for these in
    >>the results of your Google spyware/adware searches.
    >>
    >>AnswersThatWork.com
    >>CastleCops.com
    >>Iamnotageek.com
    >>Neuber.com
    >>Sysinfo.org
    >>WinPatrol.com
    >>
    >>This Sysinfo.org page is worth putting in your favorites -
    >>http://www.sysinfo.org/startuplist.php
    >>
    >>
    >>*****************************************************************
    >>WinPatrol Startup Programs (Edited by Bob Dietz)
    >>
    >>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    >>Browser: Microsoft® Windows® Operating System - Internet Explorer
    >>version 6.00.2900.2180
    >>Memory currently in use: 91%
    >>********************************************************************
    >>* This memory currently in use number isn't critical, but
    >>* a lower value would be better. If you have less than 256Mb of RAM,
    >>* you should think about upgrading to more memory.
    >>********************************************************************
    >>
    >>
    >>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    >>HKLM Default_Page_URL = http://www.emachines.com
    >>HKCU Start Page = http://www.emachines.com/
    >>HKLM Start Page = http://www.msn.com/
    >>
    >>WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
    >>WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
    >>WinLogon Shell=Explorer.exe
    >>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    >>
    >>
    >>
    >>CleanUp
    >>mcappins.exe /v=3 /cleanup
    >>McAfee Application Installer
    >>Version: 5, 0, 0, 0
    >>Copyright © 2004 Networks Associates Technology, Inc.
    >>Location:
    >>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    >>********************************************************************
    >>* This is part of McAfee
    >>* I recommended that you leave it enabled. The site -
    >>* http://startup.iamnotageek.com/srch-mcappins.exe.html
    >>* describes it as
    >>* McAfee Application Installer. (What does it do and is it required?)
    >>* FWIW The Plus version of WinPatrol what it does and why it might
    >>* be required.
    >>********************************************************************
    >>
    >>
    >>
    >>eZstub
    >>eZstub.exe
    >>eZstub Module
    >>Version: 1, 0, 0, 1
    >>Copyright 2000
    >>Location:
    >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    >>Path: Command /c del C:\WINDOWS\system32\eZstub.exe
    >>********************************************************************
    >>* This is an EZula component.
    >>* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
    >>* appears to be quite recent and I could find it mentioned on any
    >>* web pages. For that reason, Ad-Aware may have trouble removing
    >>* this even in SAFE MODE!
    >>* If Ad-Aware wasn't able to remove this, try using WinPatrol to
    >>* disable it. If it won't stay disabled, let me know and we'll
    >>* follow some additional steps.
    >>********************************************************************
    >>
    >>
    >>
    >>
    >>
    >>MCAgentExe
    >>mcagent.exe
    >>McAfee SecurityCenter Agent
    >>Version: 5, 0, 0, 0
    >>Copyright © 2004 Networks Associates Technology, Inc.
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    >>********************************************************************
    >>* This is part of McAfee
    >>* I recommended that you leave it enabled.
    >>* http://startup.iamnotageek.com/srch-mcagent.exe.html
    >>********************************************************************
    >>
    >>
    >>
    >>MCUpdateExe
    >>mcupdate.exe
    >>McAfee SecurityCenter Update Engine
    >>Version: 5, 0, 0, 0
    >>Copyright © 2004 Networks Associates Technology, Inc.
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    >>********************************************************************
    >>* This is part of McAfee
    >>* I recommended that you leave it enabled.
    >>* http://startup.iamnotageek.com/srch-mcupdate.exe.html
    >>********************************************************************
    >>
    >>
    >>
    >>Microsoft Works Update Detection
    >>WkDetect.exe
    >>Microsoft® Works Update Detection
    >>Version: 6.00.1828.1
    >>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\Program Files\Microsoft Works\WkDetect.exe
    >>********************************************************************
    >>* This checks for updates to MS Works
    >>* Unless your computer has more memory than you know what
    >>* to do with, I'd recommend disabling this in WinPatrol.
    >>* Disabling is better than removal, because you can always
    >>* decide to turn it back on at a later date.
    >>* http://startup.iamnotageek.com/srch-wkdetect.exe.html
    >>********************************************************************
    >>
    >>
    >>msnmsgr
    >>msnmsgr.exe /background
    >>MSN Messenger
    >>Version: Version 6.2
    >>Copyright (c) Microsoft Corporation 1997-2004
    >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
    >>********************************************************************
    >>* Letting MSN Messenger run is a user choice.
    >>* If you aren't sure what MSN Messenger is, you're not using
    >>* it and there is no use to have it running constantly
    >>* using up precious RAM.
    >>* Later in this report, we see that Yahoo! Pager is also running.
    >>* If you're using both of these programs, you might want to
    >>* consider replacing the two of them with Trillian, which is
    >>* open source freeware and provides the services of both programs.
    >>* http://www.neuber.com/taskmanager/process/msnmsgr.exe.html
    >>********************************************************************
    >>
    >>
    >>MyWebSearch Email Plugin
    >>MWSOEMON.EXE
    >>My Web Search Email Plugin
    >>Version: 2,0,1,0
    >>Copyright © 2003-2004 MyWebSearch.com
    >>Location: Windows Startup Group
    >>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    >>********************************************************************
    >>* This is spyware.
    >>* The fact that there are four apparently identical instances
    >>* in the original report gives a little concern. I suspect
    >>* this may be the culprit with regard to the 22 instances of
    >>* rundll32.exe.
    >>* If these are still in the list after the SAFE MODE Ad-Aware scan,
    >>* try to disable them using WinPatrol.
    >>* If they refuse to stay disabled, let me know and there are other
    >>* steps we can try.
    >>* FWIW Here are some pages with more info about MyWebSearch.
    >>* http://www.mac-net.com/445088.page
    >>* http://www.iamnotageek.com/a/mwsoemon.exe.php
    >>* http://www.winpatrol.com/db/freesample/mwsoemon.html
    >>********************************************************************
    >>
    >>
    >>pccguide.exe
    >>pccguide.exe
    >>PCCGuide
    >>Version: 12.10.0
    >>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    >>********************************************************************
    >>* Part of Trend Micro's PC-cillin Anti-Virus
    >>* Do you have both PC-cillin and McAfee installed?
    >>********************************************************************
    >>
    >>
    >>
    >>Unknown Title
    >>DLHelperEXE.exe
    >>DLHelper Module
    >>Version: 6, 0, 0, 3
    >>Copyright 2001
    >>Location: Windows Startup Group
    >>Path: C:\Documents and Settings\linda\Start
    >>Menu\Programs\Startup\DLHelperEXE.exe
    >>********************************************************************
    >>* Probably part of CasinoOnNet adware.
    >>* If that's what it is, the Ad-Aware SAFE MODE scan probably
    >>* removed it. If not, try disabling it in WinPatrol.
    >>* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073208
    >>********************************************************************
    >>
    >>
    >>
    >>VirusScan Online
    >>mcvsshld.exe
    >>McAfee VirusScan ActiveShield Resource
    >>Version: 8, 0, 0, 0
    >>Copyright © 1998-2003 Networks Associates Technology, Inc
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    >>********************************************************************
    >>* Part of McAfee VirusScan On-Line
    >>* I recommend leaving it enabled.
    >>* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
    >>********************************************************************
    >>
    >>
    >>
    >>VSOCheckTask
    >>mcmnhdlr.exe /checktask
    >>McAfee VirusScan Command Handler
    >>Version: 8, 0, 0, 0
    >>Copyright © 1998-2003 Networks Associates Technology, Inc
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    >>********************************************************************
    >>* Part of McAfee's SecurityCenter and Virusscan Online.
    >>* I recommend leaving it enabled.
    >>* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
    >>********************************************************************
    >>
    >>
    >>
    >>Web Offer
    >>EZPOPS~1.EXE
    >>eZstub Module
    >>Version: 1, 0, 0, 1
    >>Copyright 2000
    >>Location:
    >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    >>Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
    >>********************************************************************
    >>* Another component of EZula adware.
    >>* I searched for specific information about this component -
    >>* http://www.google.com/search?q=EZPOPS%7E1.EXE
    >>* the information is pretty scant which indicates
    >>* this version of EZula is pretty new and most anti-spyware/
    >>* anti-adware programs probably won't remove it.
    >>* If the SAFE MODE Ad-Aware scan fails to remove this,
    >>* try disabling it in WinPatrol.
    >>* If it won't stay disabled, let me know - there are other
    >>* approaches to this problem.
    >>********************************************************************
    >>
    >>
    >>
    >>WinPatrol
    >>winpatrol.exe
    >>WinPatrol System Monitor
    >>Version: 8.1.2.0
    >>Copyright © 1997- 2004 BillP Studios
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    >>********************************************************************
    >>* This is WinPatrol
    >>* It's safe and I recommend that you leave it in.
    >>* But you can't really know if that's good advice until
    >>* you research it.
    >>* http://www.google.com/search?q=winpatrol.exe
    >>********************************************************************
    >>
    >>
    >>
    >>Yahoo! Pager
    >>ypager.exe -quiet
    >>Yahoo! Messenger
    >>Version: 6,0,0,1750
    >>Copyright 1998-2004
    >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    >>********************************************************************
    >>* Yahoo! Pager is an instant messenger application like
    >>* MSN Messenger. If you aren't using these, you should disable them.
    >>* If you're only using one of them, you should disable the one
    >>* you're not using.
    >>* If you're using both of them, you should think about switching
    >>* to Trillian, an open source freeware application that can connect
    >>* to many different types of instant messaging servers.
    >>* http://startup.iamnotageek.com/srch-ypager.exe.html
    >>********************************************************************
    >>
    >>
    >>--
    >>Bob Dietz
    >>
    >>linda wrote:
    >>
    >>>Hi Bob - this is what came up....thx for your help-prior to this when i ran
    >>>the lavasoft adware/spyware there was an item that came up that said it
    >>>affected the registry and i would select the cleanup/restore/delete for it,
    >>>it would say that the task was completed but if i ran the program again it
    >>>showed exactly the same thing it said it had taken care of? thought i would
    >>>mention this in case it has anything to do with what's going on now....thx
    >>>again for helping...linda
    >>>
    >>
  18. Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

    Everyone needs to run an anti-virus program.
    The anti-virus program should be set to scan ALL NEW FILES - no matter
    what the file extension is. It should also scan in-bound email.
    It should be able to update its definitions daily.
    You should be able to (and you should) schedule a full system scan once
    a week.
    Other than that I'm close to agnostic about choice of anti-virus.

    For personal use, I like the free versions of Avast and AVG.
    I prefer AVG's ui (easier for newbies). I prefer Avast's more extensive
    configuration options.

    --
    Bob Dietz

    linda wrote:
    > Hi Bob- I also wanted to let you know that the reason Im showing both McAff
    > and Trend Micro is that when I went to their site to do a "house call"
    > (friend of mine had recomm it) it would not scan, so I downloaded the free
    > trial version and it will be expiring in about a week...I like the way the
    > program runs, would you recommend? and.....last thing, i did put that sysinfo
    > in my favorites and have been going in and looking around...thx
    > again.....bye...linda
    >
    > "linda" wrote:
    >
    >
    >>Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
    >>a lot less crowded than it did- also when I look at the task manager it now
    >>shows 37 programs, (I have a few things running when it shows that amt) and
    >>not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
    >>on the winpatrol and had already disabled that, I thought it was funny seeing
    >>3 times, so I'm glad to know I was on the right track there. When I went
    >>back to the winpatrol and disable the DLHelper program, a minute or so later
    >>I got a pop up saying that a new program was wanting to be added to the start
    >>up-and it was the DLHelper I had just disabled, so I said no on the ok to add
    >>to start-up. Here's what the list shows now: (pls read my add'l msg
    >>after the winpatrol info)
    >>
    >>WinPatrol Startup Programs
    >>Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
    >>2/11/2005
    >>
    >>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    >>Browser: Microsoft® Windows® Operating System - Internet Explorer version
    >>6.00.2900.2180
    >>Memory currently in use: 79%
    >>
    >>MSIE: Internet Explorer (6.00.2900.2180)
    >>
    >>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    >>HKLM Default_Page_URL = http://www.emachines.com
    >>HKCU Start Page = http://www.comcast.net/
    >>HKLM Start Page = http://www.msn.com/
    >>
    >>WinLogon DefaultUserName=linda
    >>WinLogon DefaultDomainName=LUCY
    >>WinLogon Shell=Explorer.exe
    >>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    >>
    >>
    >>
    >>VSOCheckTask
    >>mcmnhdlr.exe /checktask
    >>McAfee VirusScan Command Handler
    >>Version: 8, 0, 0, 0
    >>Copyright © 1998-2003 Networks Associates Technology, Inc
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    >>Click for Plus Info
    >>
    >>
    >>
    >>VirusScan Online
    >>mcvsshld.exe
    >>McAfee VirusScan ActiveShield Resource
    >>Version: 8, 0, 0, 0
    >>Copyright © 1998-2003 Networks Associates Technology, Inc
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    >>Click for Plus Info
    >>
    >>
    >>
    >>MCAgentExe
    >>mcagent.exe
    >>McAfee SecurityCenter Agent
    >>Version: 5, 0, 0, 0
    >>Copyright © 2004 Networks Associates Technology, Inc.
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    >>Click for Plus Info
    >>
    >>
    >>
    >>MCUpdateExe
    >>mcupdate.exe
    >>McAfee SecurityCenter Update Engine
    >>Version: 5, 0, 0, 0
    >>Copyright © 2004 Networks Associates Technology, Inc.
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    >>Click for Plus Info
    >>
    >>
    >>
    >>pccguide.exe
    >>pccguide.exe
    >>PCCGuide
    >>Version: 12.10.0
    >>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    >>Click for Plus Info
    >>
    >>
    >>
    >>WinPatrol
    >>winpatrol.exe
    >>WinPatrol System Monitor
    >>Version: 8.1.2.0
    >>Copyright © 1997- 2004 BillP Studios
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    >>Click for Plus Info
    >>
    >>
    >>
    >>MPFExe
    >>MpfTray.exe
    >>McAfee Personal Firewall Tray Monitor
    >>Version: 6.0.0.14
    >>Copyright © 2000-2004 Networks Associates Technologies, Inc.
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
    >>Click for Plus Info
    >>
    >>
    >>
    >>McRegWiz
    >>mcregwiz.exe /autorun
    >>McRegWiz Module
    >>Version: 1, 0, 0, 4
    >>Copyright 2003 Networks Associates Technology, Inc
    >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    >>Click for Plus Info
    >>
    >>
    >>
    >>Microsoft Works Update Detection
    >>WkDetect.exe
    >>Microsoft® Works Update Detection
    >>Version: 6.00.1828.1
    >>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    >>Location: * Disabled *
    >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\Program Files\Microsoft Works\WkDetect.exe
    >>Click for Plus Info
    >>
    >>
    >>
    >>Yahoo! Pager
    >>ypager.exe -quiet
    >>Yahoo! Messenger
    >>Version: 6,0,0,1750
    >>Copyright 1998-2004
    >>Location: * Disabled *
    >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    >>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    >>Click for Plus Info
    >>
    >>I wanted to say THANK-YOU so much...not only do i appreciate you taking the
    >>time to help me..and also the detail instructions,they were easy for me to
    >>follow and understand, as I said in my original msg. Im relatively new at all
    >>this so being able to follow/understand was great. I have only posted to
    >>newsgroups a few times and honestly I have gotten a few responses that just
    >>leave me sitting there going "HUH". Again thanks very much for your help!!!
    >>Linda
    >>
    >>
    >>
    >>"Bob Dietz" wrote:
    >>
    >>
    >>>Hi Linda,
    >>>
    >>>I was pretty busy yesterday. Sorry it took so long to get back to you.
    >>>
    >>>Before you start you might want to print this out on your printer.
    >>>
    >>>I see some adware/spyware listed that I would have expected Lavasoft
    >>>Ad-aware to have successfully removed. Let's run through the steps that
    >>>will allow Ad-Aware to do its best work.
    >>>
    >>>1) Start Ad-Aware.
    >>>2) Click "Check for updates now." (lower right corner)
    >>>3) Connect and get any available updates.
    >>> Verify that your version number matches the version number
    >>> of the newest available Ad-Aware.
    >>>4) Once you have the latest updates installed,
    >>> close Ad-Aware and any other running programs.
    >>>5) To make it easier for Ad-Aware to do its job,
    >>> we're going to run it in SAFE MODE.
    >>> A) Restart the computer.
    >>> B) While the computer is booting - before the first
    >>> "Windows" screen appears, tap the F8 key.
    >>> C) When the boot menu appears, choose SAFE MODE.
    >>>6) Start Ad-aware.
    >>>7) Click the "Start" button in the Ad-Aware window.
    >>>8) Set "Select Scan Mode" to "Perform full system scan."
    >>>9) Click the "Next" button to start the scan.
    >>>10) When the scan finishes, click "Next."
    >>>11) "Scan Results" defaults to the "Critical Objects" tab.
    >>> Changing to the "Scan Summary" tab, will give you
    >>> a much clearer picture of what has been found and may
    >>> save you quite a few mouse clicks as well. Be sure there
    >>> is a check mark beside everything you want to remove and
    >>> click "Next."
    >>> * No need to click the Quarantine button, Ad-aware
    >>> * automatically quarantines everything it removes.
    >>>
    >>>When you're done, close Ad-Aware and restart the computer letting it
    >>>boot normally.
    >>>Open the WinPatrol window.
    >>>Click the "Title" column heading so that programs are sorted by title in
    >>>A-Z order.
    >>>
    >>>Below you'll find your report (slightly reformatted so that programs are
    >>>in A-Z order by title.) Each item is followed by my comments which are
    >>>marked by asterisks. Presumably Ad-Aware will already have
    >>>eliminated most of the evil ad-ware/spyware. If bad items still remain,
    >>>we'll use the WinPatrol report to figure out how to remove those items.
    >>>If you were doing this on your own, you'd -
    >>> 1) Select the executable name with your mouse.
    >>> 2) Right click on the selection and choose "Copy."
    >>> 3) Open a new browser window and go to http://www.google.com
    >>> 4) Right click in the Google search box and choose "Paste."
    >>> 5) Click on the search button.
    >>>Hint: If you install the Google toolbar ( http://toolbar.google.com ),
    >>>you could select the executable name, right click and choose
    >>>"Google Search."
    >>>
    >>>Use a little caution regarding the results of your search.
    >>>Some of the sites providing the information about startup items are
    >>>trying too hard to sell you something. For instance at least one site
    >>>shows a very conspicuous warning "Internal IP Exposed!" This is a simple
    >>> scam using javascript to display your IP in your browser on your
    >>>computer. Nobody can see it who isn't sitting in front of your computer
    >>>display.
    >>>
    >>>Here are some domains that I regard as above average. Look for these in
    >>>the results of your Google spyware/adware searches.
    >>>
    >>>AnswersThatWork.com
    >>>CastleCops.com
    >>>Iamnotageek.com
    >>>Neuber.com
    >>>Sysinfo.org
    >>>WinPatrol.com
    >>>
    >>>This Sysinfo.org page is worth putting in your favorites -
    >>>http://www.sysinfo.org/startuplist.php
    >>>
    >>>
    >>>*****************************************************************
    >>>WinPatrol Startup Programs (Edited by Bob Dietz)
    >>>
    >>>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    >>>Browser: Microsoft® Windows® Operating System - Internet Explorer
    >>>version 6.00.2900.2180
    >>>Memory currently in use: 91%
    >>>********************************************************************
    >>>* This memory currently in use number isn't critical, but
    >>>* a lower value would be better. If you have less than 256Mb of RAM,
    >>>* you should think about upgrading to more memory.
    >>>********************************************************************
    >>>
    >>>
    >>>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    >>>HKLM Default_Page_URL = http://www.emachines.com
    >>>HKCU Start Page = http://www.emachines.com/
    >>>HKLM Start Page = http://www.msn.com/
    >>>
    >>>WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
    >>>WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
    >>>WinLogon Shell=Explorer.exe
    >>>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    >>>
    >>>
    >>>
    >>>CleanUp
    >>>mcappins.exe /v=3 /cleanup
    >>>McAfee Application Installer
    >>>Version: 5, 0, 0, 0
    >>>Copyright © 2004 Networks Associates Technology, Inc.
    >>>Location:
    >>>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>>Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    >>>********************************************************************
    >>>* This is part of McAfee
    >>>* I recommended that you leave it enabled. The site -
    >>>* http://startup.iamnotageek.com/srch-mcappins.exe.html
    >>>* describes it as
    >>>* McAfee Application Installer. (What does it do and is it required?)
    >>>* FWIW The Plus version of WinPatrol what it does and why it might
    >>>* be required.
    >>>********************************************************************
    >>>
    >>>
    >>>
    >>>eZstub
    >>>eZstub.exe
    >>>eZstub Module
    >>>Version: 1, 0, 0, 1
    >>>Copyright 2000
    >>>Location:
    >>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    >>>Path: Command /c del C:\WINDOWS\system32\eZstub.exe
    >>>********************************************************************
    >>>* This is an EZula component.
    >>>* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
    >>>* appears to be quite recent and I could find it mentioned on any
    >>>* web pages. For that reason, Ad-Aware may have trouble removing
    >>>* this even in SAFE MODE!
    >>>* If Ad-Aware wasn't able to remove this, try using WinPatrol to
    >>>* disable it. If it won't stay disabled, let me know and we'll
    >>>* follow some additional steps.
    >>>********************************************************************
    >>>
    >>>
    >>>
    >>>
    >>>
    >>>MCAgentExe
    >>>mcagent.exe
    >>>McAfee SecurityCenter Agent
    >>>Version: 5, 0, 0, 0
    >>>Copyright © 2004 Networks Associates Technology, Inc.
    >>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    >>>********************************************************************
    >>>* This is part of McAfee
    >>>* I recommended that you leave it enabled.
    >>>* http://startup.iamnotageek.com/srch-mcagent.exe.html
    >>>********************************************************************
    >>>
    >>>
    >>>
    >>>MCUpdateExe
    >>>mcupdate.exe
    >>>McAfee SecurityCenter Update Engine
    >>>Version: 5, 0, 0, 0
    >>>Copyright © 2004 Networks Associates Technology, Inc.
    >>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    >>>********************************************************************
    >>>* This is part of McAfee
    >>>* I recommended that you leave it enabled.
    >>>* http://startup.iamnotageek.com/srch-mcupdate.exe.html
    >>>********************************************************************
    >>>
    >>>
    >>>
    >>>Microsoft Works Update Detection
    >>>WkDetect.exe
    >>>Microsoft® Works Update Detection
    >>>Version: 6.00.1828.1
    >>>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    >>>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    >>>Path: C:\Program Files\Microsoft Works\WkDetect.exe
    >>>********************************************************************
    >>>* This checks for updates to MS Works
    >>>* Unless your computer has more memory than you know what
    >>>* to do with, I'd recommend disabling this in WinPatrol.
    >>>* Disabling is better than removal, because you can always
    >>>* decide to turn it back on at a later date.
    >>>* http://startup.iamnotageek.com/srch-wkdetect.exe.html
    >>>********************************************************************
    >>>
    >>>
    >>>msnmsgr
    >>>msnmsgr.exe /background
    >>>MSN Messenger
    >>>Version: Version 6.2
    >>>Copyright (c) Microsoft Corporation 1997-2004
    >>>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    >>>Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
    >>>********************************************************************
    >>>* Letting MSN Messenger run is a user choice.
    >>>* If you aren't sure what MSN Messenger is, you're not using
    >>>* it and there is no use to have it running constantly
    >>>* using up precious RAM.
    >>>* Later in this report, we see that Yahoo! Pager is also running.
    >>>* If you're using both of these programs, you might want to
    >>>* consider replacing the two of them with Trillian, which is
    >>>* open source freeware and provides the services of both programs.
    >>>* http://www.neuber.com/taskmanager/process/msnmsgr.exe.html
    >>>********************************************************************
    >>>
    >>>
    >>>MyWebSearch Email Plugin
    >>>MWSOEMON.EXE
    >>>My Web Search Email Plugin
    >>>Version: 2,0,1,0
    >>>Copyright © 2003-2004 MyWebSearch.com
    >>>Location: Windows Startup Group
    >>>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    >>>********************************************************************
    >>>* This is spyware.
    >>>* The fact that there are four apparently identical instances
    >>>* in the original report gives a little concern. I suspect
    >>>* this may be the culprit with regard to the 22 instances of
    >>>* rundll32.exe.
    >>>* If these are still in the list after the SAFE MODE Ad-Aware scan,
    >>>* try to disable them using WinPatrol.
    >>>* If they refuse to stay disabled, let me know and there are other
    >>>* steps we can try.
    >>>* FWIW Here are some pages with more info about MyWebSearch.
    >>>* http://www.mac-net.com/445088.page
    >>>* http://www.iamnotageek.com/a/mwsoemon.exe.php
    >>>* http://www.winpatrol.com/db/freesample/mwsoemon.html
    >>>********************************************************************
    >>>
    >>>
    >>>pccguide.exe
    >>>pccguide.exe
    >>>PCCGuide
    >>>Version: 12.10.0
    >>>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    >>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    >>>********************************************************************
    >>>* Part of Trend Micro's PC-cillin Anti-Virus
    >>>* Do you have both PC-cillin and McAfee installed?
    >>>********************************************************************
    >>>
    >>>
    >>>
    >>>Unknown Title
    >>>DLHelperEXE.exe
    >>>DLHelper Module
    >>>Version: 6, 0, 0, 3
    >>>Copyright 2001
    >>>Location: Windows Startup Group
    >>>Path: C:\Documents and Settings\linda\Start
    >>>Menu\Programs\Startup\DLHelperEXE.exe
    >>>********************************************************************
    >>>* Probably part of CasinoOnNet adware.
    >>>* If that's what it is, the Ad-Aware SAFE MODE scan probably
    >>>* removed it. If not, try disabling it in WinPatrol.
    >>>* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073208
    >>>********************************************************************
    >>>
    >>>
    >>>
    >>>VirusScan Online
    >>>mcvsshld.exe
    >>>McAfee VirusScan ActiveShield Resource
    >>>Version: 8, 0, 0, 0
    >>>Copyright © 1998-2003 Networks Associates Technology, Inc
    >>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    >>>********************************************************************
    >>>* Part of McAfee VirusScan On-Line
    >>>* I recommend leaving it enabled.
    >>>* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
    >>>********************************************************************
    >>>
    >>>
    >>>
    >>>VSOCheckTask
    >>>mcmnhdlr.exe /checktask
    >>>McAfee VirusScan Command Handler
    >>>Version: 8, 0, 0, 0
    >>>Copyright © 1998-2003 Networks Associates Technology, Inc
    >>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    >>>********************************************************************
    >>>* Part of McAfee's SecurityCenter and Virusscan Online.
    >>>* I recommend leaving it enabled.
    >>>* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
    >>>********************************************************************
    >>>
    >>>
    >>>
    >>>Web Offer
    >>>EZPOPS~1.EXE
    >>>eZstub Module
    >>>Version: 1, 0, 0, 1
    >>>Copyright 2000
    >>>Location:
    >>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    >>>Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
    >>>********************************************************************
    >>>* Another component of EZula adware.
    >>>* I searched for specific information about this component -
    >>>* http://www.google.com/search?q=EZPOPS%7E1.EXE
    >>>* the information is pretty scant which indicates
    >>>* this version of EZula is pretty new and most anti-spyware/
    >>>* anti-adware programs probably won't remove it.
    >>>* If the SAFE MODE Ad-Aware scan fails to remove this,
    >>>* try disabling it in WinPatrol.
    >>>* If it won't stay disabled, let me know - there are other
    >>>* approaches to this problem.
    >>>********************************************************************
    >>>
    >>>
    >>>
    >>>WinPatrol
    >>>winpatrol.exe
    >>>WinPatrol System Monitor
    >>>Version: 8.1.2.0
    >>>Copyright © 1997- 2004 BillP Studios
    >>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    >>>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    >>>********************************************************************
    >>>* This is WinPatrol
    >>>* It's safe and I recommend that you leave it in.
    >>>* But you can't really know if that's good advice until
    >>>* you research it.
    >>>* http://www.google.com/search?q=winpatrol.exe
    >>>********************************************************************
    >>>
    >>>
    >>>
    >>>Yahoo! Pager
    >>>ypager.exe -quiet
    >>>Yahoo! Messenger
    >>>Version: 6,0,0,1750
    >>>Copyright 1998-2004
    >>>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    >>>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    >>>********************************************************************
    >>>* Yahoo! Pager is an instant messenger application like
    >>>* MSN Messenger. If you aren't using these, you should disable them.
    >>>* If you're only using one of them, you should disable the one
    >>>* you're not using.
    >>>* If you're using both of them, you should think about switching
    >>>* to Trillian, an open source freeware application that can connect
    >>>* to many different types of instant messaging servers.
    >>>* http://startup.iamnotageek.com/srch-ypager.exe.html
    >>>********************************************************************
    >>>
    >>>
    >>>--
    >>>Bob Dietz
    >>>
    >>>linda wrote:
    >>>
    >>>>Hi Bob - this is what came up....thx for your help-prior to this when i ran
    >>>>the lavasoft adware/spyware there was an item that came up that said it
    >>>>affected the registry and i would select the cleanup/restore/delete for it,
    >>>>it would say that the task was completed but if i ran the program again it
    >>>>showed exactly the same thing it said it had taken care of? thought i would
    >>>>mention this in case it has anything to do with what's going on now....thx
    >>>>again for helping...linda
    >>>>
    >>>
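Added example, not part of the original posts: the "before" report Bob annotated and the "after" report linda posted can be compared mechanically. This Python script parses the WinPatrol startup-report layout quoted above and lists what was removed, added, newly disabled, or listed more than once; the sample reports are abridged from the thread (the second MWSOEMON entry is constructed), and the function names are this example's own.

```python
import re
from collections import Counter

# Abridged from the annotated "before" report quoted in the thread; the second
# MWSOEMON entry is constructed to mirror the repeats the posters describe.
BEFORE = r"""
>>>eZstub
>>>eZstub.exe
>>>eZstub Module
>>>Version: 1, 0, 0, 1
>>>Location:
>>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
>>>Path: Command /c del C:\WINDOWS\system32\eZstub.exe
>>>* This is an EZula component.
>>>
>>>MyWebSearch Email Plugin
>>>MWSOEMON.EXE
>>>My Web Search Email Plugin
>>>Version: 2,0,1,0
>>>Location: Windows Startup Group
>>>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
>>>
>>>MyWebSearch Email Plugin
>>>MWSOEMON.EXE
>>>My Web Search Email Plugin
>>>Version: 2,0,1,0
>>>Location: Windows Startup Group
>>>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
>>>
>>>Yahoo! Pager
>>>ypager.exe -quiet
>>>Yahoo! Messenger
>>>Version: 6,0,0,1750
>>>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>>>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""

# Abridged from the "after" report posted once the cleanup was done.
AFTER = r"""
>>Yahoo! Pager
>>ypager.exe -quiet
>>Yahoo! Messenger
>>Version: 6,0,0,1750
>>Location: * Disabled *
>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
>>Click for Plus Info
>>
>>MPFExe
>>MpfTray.exe
>>McAfee Personal Firewall Tray Monitor
>>Version: 6.0.0.14
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
"""

def parse_report(text):
    """Parse a WinPatrol 'Startup Programs' report into a list of entries."""
    # Drop mail quote markers first so that '>>' lines become blank separators.
    text = "\n".join(re.sub(r"^[>\s]+", "", ln).rstrip() for ln in text.splitlines())
    entries = []
    for block in re.split(r"\n{2,}", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or not any(ln.startswith("Path:") for ln in lines):
            continue  # report header or IE/WinLogon settings, not a startup entry
        fields, current = {}, None
        for ln in lines[2:]:
            m = re.match(r"(Version|Location|Path):\s*(.*)", ln)
            if m:
                current, fields[m.group(1)] = m.group(1), m.group(2)
            elif ln.startswith("*") or ln == "Click for Plus Info":
                current = None  # reviewer annotation or UI text ends the entry
            elif current in ("Location", "Path"):
                fields[current] = (fields[current] + " " + ln).strip()  # wrapped value
        location = fields.get("Location", "")
        entries.append({
            "title": lines[0],
            "exe": lines[1].split()[0].lower(),
            "disabled": "* Disabled *" in location,
            "location": location.replace("* Disabled *", "").strip(),
            "path": fields.get("Path", ""),
        })
    return entries

def diff_reports(before, after):
    """Compare two parsed reports, keyed by executable name."""
    b = {e["exe"]: e for e in before}
    a = {e["exe"]: e for e in after}
    return {
        "removed": sorted(b.keys() - a.keys()),
        "added": sorted(a.keys() - b.keys()),
        "newly_disabled": sorted(k for k in b.keys() & a.keys()
                                 if a[k]["disabled"] and not b[k]["disabled"]),
        "duplicates": {k: n for k, n in Counter(e["exe"] for e in before).items() if n > 1},
    }

if __name__ == "__main__":
    for kind, value in diff_reports(parse_report(BEFORE), parse_report(AFTER)).items():
        print(f"{kind}: {value}")
```

Entries are matched by executable name only, so an item that comes back under the same name from a different folder shows up only if the "path" field is compared as well.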
  19. Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

    hi bob-just looked and saw your msg, didn't want u to think i was ignoring :)
    been busy and will try and look at it all tonight or tomorrow, since i just
    scanned over it....want to be able to give it full attention.....linda

    "Bob Dietz" wrote:

    > Your thanks is appreciated. :)
    >
    > Glad to hear that things are looking better for you, but don't think
    > that you're done and stop now. There are still those other WinPatrol
    > tabs to look at.
    >
    > IE Helpers
    > IE Helpers are also known as BHO's (Browser Helper Objects).
    > When attempting to identify items, I usually start with "Name."
    > If that doesn't net decent results, I move on to "Program."
    > (Actually, I paid for WinPatrol Plus and seldom resort to google.)
    > If you run into something that you cannot identify,
    > you'll find WinPatrol is a bit anemic here -
    > BHO's cannot be disabled, they can only be deleted.
    > To temporarily disable one of these items, download another free
    > program called Toolbar Cop. http://windowsxp.mvps.org/toolbarcop.htm
    >
    > Scheduled Tasks
    > I have yet to run into any malware that utilizes Windows task
    > scheduler, so I have no special instructions. But you do want to
    > know the purpose for any scheduled tasks.
    >
    > Services
    > At minimum, you'll want to identify any non-microsoft services.
    > As to the microsoft services, the WinPatrol Plus info is pretty
    > light weight. Sources for info about Windows XP Services
    > http://www.theeldergeek.com/services_guide.htm
    > http://www.blackviper.com/WinXP/servicecfg.htm
    >
    > Active Tasks
    > This corresponds to the Processes tab in Windows Task Manager.
    > You really, really want to know about each of these items.
    > The info in the Plus version of WinPatrol is fairly complete and
    > is above average in quality. If you haven't paid for the plus version,
    > start your investigation at http://www.answersthatwork.com and click
    > on the "Task List" button. If you can't find the task listed there
    > move on to google. If you can't find information there either, be
    > suspicious. Click the "Info" button in WinPatrol and look at the
    > full path to the executable file. Locate that executable file;
    > right click on it and choose Properties. You're looking for clues.
    >
    > Before moving on it's worth noting that you can hold down the CTRL
    > key and click on multiple "Active Tasks" and then "Kill Task" them
    > all in one fell swoop. This is extremely useful when some obnoxious
    > malware has started multiple different processes that keep
    > re-adding startup items and restart their companion processes
    > should you stop one of them.
    >
    > * See below for more info about processes and their associated DLLs.
    >
    > Cookies
    > I've never felt that cookies were worth worrying about.
    > WinPatrol has a cookie manager, but I don't use it and
    > have no opinion.
    >
    > File Types
    > "File type" determines what happens when you double click on
    > a file with any given extension. For instance, if a file is named
    > "Critical Data.doc" the ".doc" at the end is the file extension
    > and information in Windows registry determines the File Type and
    > what will happen. On many/most systems ".doc" is associated with
    > Microsoft Word and a double click will open "Critical Data.doc"
    > in Microsoft Word. If you install a new word processor ABC on
    > that system, the install routine may reassociate the ".doc" file
    > extension so that a double click on "Critical Data.doc" no longer
    > opens it in MS Word, but rather in the newly installed ABC.
    > WinPatrol alerts you when such changes are made. If you install
    > and test bunches of software (like I do), that's handy.
    >
    > Although I don't know of any malware currently using file types
    > to keep itself wedged onto systems, I think it is only a matter
    > of time. Imagine that malware XYZ has been installed on your
    > system. One of its files is XYZwedge and XYZwedge is the current
    > association with the ".doc" file type. Each time you double click
    > on a ".doc" file, XYZwedge reinserts XYZ into your startup items
    > and then it Opens the ".doc" file in MS Word. Everything seems
    > normal to you, except that the system seems to run slower and
    > there are those @#$% pop-ups again.
    >
    > ****************************************************************
    >
    > If you don't already have them, add the following to your system's
    > layered protection:
    > Spyware Blaster - http://www.javacoolsoftware.com/spywareblaster.html
    > IE Spyad - https://netfiles.uiuc.edu/ehowes/www/resource.htm
    > An outbound firewall like Zone Alarm.
    > http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp
    > (The free for personal use version is at the bottom of the list.)
    >
    >
    > ****************************************************************
    >
    > All your scans come up clean and all of the items on all of the
    > WinPatrol tabs are accounted for and are supposed to be safe.
    > But you still see a lot of pop-ups or the system still runs way too slow
    > and/or there are many program crashes. What now?
    >
    > The technically inclined can download Process Viewer (prcview.exe)
    > from http://www.xmlsp.com/pview/prcview.htm
    > 1) Run Process Viewer and select "Module Usage" on the "View" menu.
    > 2) Right click each module and choose "Copy Module Path."
    > 3) Paste the copied path into a google search box;
    > enclose it in double quotes and search.
    > 4) Depending on what you found in step 3, search for just the
    > file name and look for pages in the results that show the
    > *.dll file in another path. eg.
    > Windows KB article says that in Windows XP, abc.dll is found at
    > C:\Windows\System32\abc.dll
    > but the path on your system is
    > C:\Windows\abc.dll
    > The file on your system is spyware.
    > Search google for instructions about how to remove it.
    > If you can't find instructions, close the "Module Usage" window.
    > Right click each process in the main Process viewer window and
    > choose "Modules." Look for C:\Windows\abc.dll. Find ALL of the
    > processes that use abc.dll with that full path, note the name
    > of each such process. In WinPatrol, hold down the CTRL key and
    > click each of those named processes. In a moment, you'll
    > "Kill Task" them all at once. Before you do though, close out
    > ALL other running programs! The evil malware .dll is probably
    > attached to a vital system process and when you "Kill Task"
    > the system will likely turn off about as fast as if you pulled
    > the power cord out of the electric socket! If that happens, press
    > the power button to boot the machine, otherwise reboot the machine.
    > Double check that c:\windows\abc.dll is no longer a part of any
    > running process.
    >
    > Otherwise, it's probably time to fdisk; format
    > and re-install Windows from scratch. :(
    >
    > --
    > Bob Dietz
    >
    >
    > linda wrote:
    > > Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
    > > a lot less crowded than it did- also when I look at the task manager it now
    > > shows 37 programs, (I have a few things running when it shows that amt) and
    > > not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
    > > on the winpatrol and had already disabled that, I thought it was funny seeing
    > > 3 times, so I'm glad to know I was on the right track there. When I went
    > > back to the winpatrol and disable the DLHelper program, a minute or so later
    > > I got a pop up saying that a new program was wanting to be added to the start
    > > up-and it was the DLHelper I had just disabled, so I said no on the ok to add
    > > to start-up. Here is what the list shows now: (pls read my add'l msg
    > > after the winpatrol info)
    > >
    > > WinPatrol Startup Programs
    > > Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
    > > 2/11/2005
    > >
    > > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    > > Browser: Microsoft® Windows® Operating System - Internet Explorer version
    > > 6.00.2900.2180
    > > Memory currently in use: 79%
    > >
    > > MSIE: Internet Explorer (6.00.2900.2180)
    > >
    > > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    > > HKLM Default_Page_URL = http://www.emachines.com
    > > HKCU Start Page = http://www.comcast.net/
    > > HKLM Start Page = http://www.msn.com/
    > >
    > > WinLogon DefaultUserName=linda
    > > WinLogon DefaultDomainName=LUCY
    > > WinLogon Shell=Explorer.exe
    > > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    > >
    > >
    > >
    > > VSOCheckTask
    > > mcmnhdlr.exe /checktask
    > > McAfee VirusScan Command Handler
    > > Version: 8, 0, 0, 0
    > > Copyright © 1998-2003 Networks Associates Technology, Inc
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    > > Click for Plus Info
    > >
    > >
    > >
    > > VirusScan Online
    > > mcvsshld.exe
    > > McAfee VirusScan ActiveShield Resource
    > > Version: 8, 0, 0, 0
    > > Copyright © 1998-2003 Networks Associates Technology, Inc
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > MCAgentExe
    > > mcagent.exe
    > > McAfee SecurityCenter Agent
    > > Version: 5, 0, 0, 0
    > > Copyright © 2004 Networks Associates Technology, Inc.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > MCUpdateExe
    > > mcupdate.exe
    > > McAfee SecurityCenter Update Engine
    > > Version: 5, 0, 0, 0
    > > Copyright © 2004 Networks Associates Technology, Inc.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > pccguide.exe
    > > pccguide.exe
    > > PCCGuide
    > > Version: 12.10.0
    > > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > WinPatrol
    > > winpatrol.exe
    > > WinPatrol System Monitor
    > > Version: 8.1.2.0
    > > Copyright © 1997- 2004 BillP Studios
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > MPFExe
    > > MpfTray.exe
    > > McAfee Personal Firewall Tray Monitor
    > > Version: 6.0.0.14
    > > Copyright © 2000-2004 Networks Associates Technologies, Inc.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > McRegWiz
    > > mcregwiz.exe /autorun
    > > McRegWiz Module
    > > Version: 1, 0, 0, 4
    > > Copyright 2003 Networks Associates Technology, Inc
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    > > Click for Plus Info
    > >
    > >
    > >
    > > Microsoft Works Update Detection
    > > WkDetect.exe
    > > Microsoft® Works Update Detection
    > > Version: 6.00.1828.1
    > > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    > > Location: * Disabled *
    > > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\Microsoft Works\WkDetect.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > Yahoo! Pager
    > > ypager.exe -quiet
    > > Yahoo! Messenger
    > > Version: 6,0,0,1750
    > > Copyright 1998-2004
    > > Location: * Disabled *
    > > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    > > Click for Plus Info
    > >
    > > I wanted to say THANK-YOU so much...not only do i appreciate you taking the
    > > time to help me..and also the detailed instructions,they were easy for me to
    > > follow and understand, as I said in my original msg. I'm relatively new at all
    > > this so being able to follow/understand was great. I have only posted to
    > > newsgroups a few times and honestly I have gotten a few responses that just
    > > leave me sitting there going "HUH". Again thanks very much for your help!!!
    > > Linda
    > >
    > >
    > >
    > > "Bob Dietz" wrote:
    > >
    > >
    > >>Hi Linda,
    > >>
    > >>I was pretty busy yesterday. Sorry it took so long to get back to you
    > >>
    > >>Before you start you might want to print this out on your printer.
    > >>
    > >>I see some adware/spyware listed that I would have expected Lavasoft
    > >>Ad-aware to have successfully removed. Let's run through the steps that
    > >>will allow Ad-Aware to do its best work.
    > >>
    > >>1) Start Ad-Aware.
    > >>2) Click "Check for updates now." (lower right corner)
    > >>3) Connect and get any available updates.
    > >> Verify that your version number matches the version number
    > >> of the newest available Ad-Aware.
    > >>4) Once you have the latest updates installed,
    > >> close Ad-Aware and any other running programs.
    > >>5) To make it easier for Ad-Aware to do its job,
    > >> we're going to run it in SAFE MODE.
    > >> A) Restart the computer.
    > >> B) While the computer is booting - before the first
    > >> "Windows" screen appears, tap the F8 key.
    > >> C) When the boot menu appears, choose SAFE MODE.
    > >>6) Start Ad-aware.
    > >>7) Click the "Start" button in the Ad-Aware window.
    > >>8) Set "Select Scan Mode" to "Perform full system scan."
    > >>9) Click the "Next" button to start the scan.
    > >>10) When the scan finishes, click "Next."
    > >>11) "Scan Results" defaults to the "Critical Objects" tab.
    > >> Changing to the "Scan Summary" tab, will give you
    > >> a much clearer picture of what has been found and may
    > >> save you quite a few mouse clicks as well. Be sure there
    > >> is a check mark beside everything you want to remove and
    > >> click "Next."
    > >> * No need to click the Quarantine button, Ad-aware
    > >> * automatically quarantines everything it removes.
    > >>
    > >>When you're done, close Ad-Aware and restart the computer letting it
    > >>boot normally.
    > >>Open the WinPatrol window.
    > >>Click the "Title" column heading so that programs are sorted by title in
    > >>A-Z order.
    > >>
    > >>Below you'll find your report (slightly reformatted so that programs are
    > >>in A-Z order by title.) Each item is followed by my comments which are
    > >>marked by asterisks. Presumably Ad-Aware will already have
    > >>eliminated most of the evil ad-ware/spyware. If bad items still remain,
    > >>we'll use the WinPatrol report to figure out how to remove those items.
    > >>If you were doing this on your own, you'd -
    > >> 1) Select the executable name with your mouse.
    > >> 2) Right click on the selection and choose "Copy."
    > >> 3) Open a new browser window and go to http://www.google.com
    > >> 4) Right click in the Google search box and choose "Paste."
    > >> 5) Click on the search button.
    > >>Hint: If you install the Google toolbar ( http://toolbar.google.com ),
    > >>you could select the executable name, right click and choose
    > >>"Google Search."
    > >>
    > >>Use a little caution regarding the results of your search.
    > >>Some of the sites providing the information about startup items are
    > >>trying too hard to sell you something. For instance at least one site
    > >>shows a very conspicuous warning "Internal IP Exposed!" This is a simple
    > >> scam using javascript to display your IP in your browser on your
    > >>computer. Nobody can see it who isn't sitting in front of your computer
    > >>display.
    > >>
    > >>Here are some domains that I regard as above average. Look for these in
    > >>the results of your Google spyware/adware searches.
    > >>
    > >>AnswersThatWork.com
    > >>CastleCops.com
    > >>Iamnotageek.com
    > >>Neuber.com
    > >>Sysinfo.org
    > >>WinPatrol.com
    > >>
    > >>This Sysinfo.org page is worth putting in your favorites -
    > >>http://www.sysinfo.org/startuplist.php
    > >>
    > >>
    > >>*****************************************************************
    > >>WinPatrol Startup Programs (Edited by Bob Dietz)
    > >>
    > >>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    > >>Browser: Microsoft® Windows® Operating System - Internet Explorer
    > >>version 6.00.2900.2180
    > >>Memory currently in use: 91%
    > >>********************************************************************
    > >>* This memory currently in use number isn't critical, but
    > >>* a lower value would be better. If you have less than 256Mb of RAM,
    > >>* you should think about upgrading to more memory.
    > >>********************************************************************
    > >>
    > >>
    > >>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    > >>HKLM Default_Page_URL = http://www.emachines.com
    > >>HKCU Start Page = http://www.emachines.com/
    > >>HKLM Start Page = http://www.msn.com/
    > >>
    > >>WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
    > >>WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
    > >>WinLogon Shell=Explorer.exe
    > >>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    > >>
    > >>
    > >>
    > >>CleanUp
    > >>mcappins.exe /v=3 /cleanup
    > >>McAfee Application Installer
    > >>Version: 5, 0, 0, 0
    > >>Copyright © 2004 Networks Associates Technology, Inc.
    > >>Location:
    > >>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    > >>********************************************************************
    > >>* This is part of McAfee
    > >>* I recommend that you leave it enabled. The site -
    > >>* http://startup.iamnotageek.com/srch-mcappins.exe.html
    > >>* describes it as
    > >>* McAfee Application Installer. (What does it do and is it required?)
    > >>* FWIW The Plus version of WinPatrol what it does and why it might
    > >>* be required.
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>eZstub
    > >>eZstub.exe
    > >>eZstub Module
    > >>Version: 1, 0, 0, 1
    > >>Copyright 2000
    > >>Location:
    > >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    > >>Path: Command /c del C:\WINDOWS\system32\eZstub.exe
    > >>********************************************************************
    > >>* This is an EZula component.
    > >>* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
    > >>* appears to be quite recent and I could find it mentioned on any
    > >>* web pages. For that reason, Ad-Aware may have trouble removing
    > >>* this even in SAFE MODE!
    > >>* If Ad-Aware wasn't able to remove this, try using WinPatrol to
    > >>* disable it. If it won't stay disabled, let me know and we'll
    > >>* follow some additional steps.
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>
    > >>
    > >>MCAgentExe
    > >>mcagent.exe
    > >>McAfee SecurityCenter Agent
    > >>Version: 5, 0, 0, 0
    > >>Copyright © 2004 Networks Associates Technology, Inc.
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    > >>********************************************************************
    > >>* This is part of McAfee
    > >>* I recommend that you leave it enabled.
    > >>* http://startup.iamnotageek.com/srch-mcagent.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>MCUpdateExe
    > >>mcupdate.exe
    > >>McAfee SecurityCenter Update Engine
    > >>Version: 5, 0, 0, 0
    > >>Copyright © 2004 Networks Associates Technology, Inc.
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    > >>********************************************************************
    > >>* This is part of McAfee
    > >>* I recommend that you leave it enabled.
    > >>* http://startup.iamnotageek.com/srch-mcupdate.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>Microsoft Works Update Detection
    > >>WkDetect.exe
    > >>Microsoft® Works Update Detection
    > >>Version: 6.00.1828.1
    > >>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    > >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\Microsoft Works\WkDetect.exe
    > >>********************************************************************
    > >>* This checks for updates to MS Works
    > >>* Unless your computer has more memory than you know what
    > >>* to do with, I'd recommend disabling this in WinPatrol.
    > >>* Disabling is better than removal, because you can always
    > >>* decide to turn it back on at a later date.
    > >>* http://startup.iamnotageek.com/srch-wkdetect.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>msnmsgr
    > >>msnmsgr.exe /background
    > >>MSN Messenger
    > >>Version: Version 6.2
    > >>Copyright (c) Microsoft Corporation 1997-2004
    > >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
    > >>********************************************************************
    > >>* Letting MSN Messenger run is a user choice.
    > >>* If you aren't sure what MSN Messenger is, you're not using
    > >>* it and there is no use to have it running constantly
    > >>* using up precious RAM.
    > >>* Later in this report, we see that Yahoo! Pager is also running.
    > >>* If you're using both of these programs, you might want to
    > >>* consider replacing the two of them with Trillian, which is
    > >>* open source freeware and provides the services of both programs.
    > >>* http://www.neuber.com/taskmanager/process/msnmsgr.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>MyWebSearch Email Plugin
    > >>MWSOEMON.EXE
    > >>My Web Search Email Plugin
    > >>Version: 2,0,1,0
    > >>Copyright © 2003-2004 MyWebSearch.com
    > >>Location: Windows Startup Group
    > >>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    > >>********************************************************************
    > >>* This is spyware.
    > >>* The fact that there are four apparently identical instances
    > >>* in the original report gives a little concern. I suspect
    > >>* this may be the culprit with regard to the 22 instances of
    > >>* rundll32.exe.
    > >>* If these are still in the list after the SAFE MODE Ad-Aware scan,
    > >>* try to disable them using WinPatrol.
    > >>* If they refuse to stay disabled, let me know and there are other
    > >>* steps we can try.
    > >>* FWIW Here are some pages with more info about MyWebSearch.
    > >>* http://www.mac-net.com/445088.page
    > >>* http://www.iamnotageek.com/a/mwsoemon.exe.php
    > >>* http://www.winpatrol.com/db/freesample/mwsoemon.html
    > >>********************************************************************
    > >>
    > >>
    > >>pccguide.exe
    > >>pccguide.exe
    > >>PCCGuide
    > >>Version: 12.10.0
    > >>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    > >>********************************************************************
    > >>* Part of Trend Micro's PC-cillin Anti-Virus
    > >>* Do you have both PC-cillin and McAfee installed?
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>Unknown Title
    > >>DLHelperEXE.exe
    > >>DLHelper Module
    > >>Version: 6, 0, 0, 3
    > >>Copyright 2001
    > >>Location: Windows Startup Group
    > >>Path: C:\Documents and Settings\linda\Start
    > >>Menu\Programs\Startup\DLHelperEXE.exe
    > >>********************************************************************
    > >>* Probably part of CasinoOnNet adware.
    > >>* If that's what it is, the Ad-Aware SAFE MODE scan probably
    > >>* removed it. If not, try disabling it in WinPatrol.
    > >>* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073208
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>VirusScan Online
    > >>mcvsshld.exe
    > >>McAfee VirusScan ActiveShield Resource
    > >>Version: 8, 0, 0, 0
    > >>Copyright © 1998-2003 Networks Associates Technology, Inc
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    > >>********************************************************************
    > >>* Part of McAfee VirusScan On-Line
    > >>* I recommend leaving it enabled.
    > >>* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>VSOCheckTask
    > >>mcmnhdlr.exe /checktask
    > >>McAfee VirusScan Command Handler
    > >>Version: 8, 0, 0, 0
    > >>Copyright © 1998-2003 Networks Associates Technology, Inc
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    > >>********************************************************************
    > >>* Part of McAfee's SecurityCenter and Virusscan Online.
    > >>* I recommend leaving it enabled.
    > >>* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>Web Offer
    > >>EZPOPS~1.EXE
    > >>eZstub Module
    > >>Version: 1, 0, 0, 1
    > >>Copyright 2000
    > >>Location:
    > >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    > >>Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
    > >>********************************************************************
    > >>* Another component of EZula adware.
    > >>* I searched for specific information about this component -
    > >>* http://www.google.com/search?q=EZPOPS%7E1.EXE
    > >>* the information is pretty scant which indicates
    > >>* this version of EZula is pretty new and most anti-spyware/
    > >>* anti-adware programs probably won't remove it.
    > >>* If the SAFE MODE Ad-Aware scan fails to remove this,
    > >>* try disabling it in WinPatrol.
    > >>* If it won't stay disabled, let me know - there are other
    > >>* approaches to this problem.
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>WinPatrol
    > >>winpatrol.exe
    > >>WinPatrol System Monitor
    > >>Version: 8.1.2.0
    > >>Copyright © 1997- 2004 BillP Studios
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    > >>********************************************************************
    > >>* This is WinPatrol
    > >>* It's safe and I recommend that you leave it in.
    > >>* But you can't really know if that's good advice until
    > >>* you research it.
    > >>* http://www.google.com/search?q=winpatrol.exe
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>Yahoo! Pager
    > >>ypager.exe -quiet
    > >>Yahoo! Messenger
    > >>Version: 6,0,0,1750
    > >>Copyright 1998-2004
    > >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    > >>********************************************************************
    > >>* Yahoo! Pager is an instant messenger application like
    > >>* MSN Messenger. If you aren't using these, you should disable them.
    > >>* If you're only using one of them, you should disable the one
    > >>* you're not using.
    > >>* If you're using both of them, you should think about switching
    > >>* to Trillian, an open source freeware application that can connect
    > >>* to many different types of instant messaging servers.
    > >>* http://startup.iamnotageek.com/srch-ypager.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>--
    > >>Bob Dietz
    > >>
    > >>linda wrote:
    > >>
    > >>>Hi Bob - this is what came up....thx for your help-prior to this when i ran
    > >>>the lavasoft adware/spyware there was an item that came up that said if
    > >>>affected the registry and i would select the cleanup/restore/delete for it,
    > >>>it would say that the task was completed but if i ran the progam again it
    > >>>showed exactly the same thing it said it had taken care of? thought i would
    > >>>mention this in case it has anything to do with what's going on now....thx
    > >>>again for helping...linda
    > >>>
    > >>
    >
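The module-path check described in the quoted steps above (a DLL that Windows keeps in C:\Windows\System32 turning up loaded from another folder, then finding every process that uses it), as an added PowerShell example that is not part of the original posts. It assumes PowerShell 3.0 or later, and treating SysWOW64 and WinSxS as expected locations is an assumption made here; run it elevated so more processes can be inspected.

```powershell
# Added example (not from the thread): flag loaded DLLs whose file name also
# exists in System32 but whose on-disk path is somewhere else, then list
# every process that has each such DLL loaded.

$winDir   = $env:SystemRoot
$system32 = Join-Path $winDir 'System32'

# Folders a System32-named DLL is normally loaded from (assumption of this example).
$expectedRoots = @(
    $system32,
    (Join-Path $winDir 'SysWOW64'),
    (Join-Path $winDir 'WinSxS')
) | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() + '\' }

# Index of DLL file names present in System32, keyed in lower case.
$known = @{}
Get-ChildItem -Path $system32 -Filter *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { $known[$_.Name.ToLowerInvariant()] = $true }

# Walk every process we are allowed to inspect and collect mismatches.
$hits = @(
    foreach ($proc in Get-Process) {
        $modules = $null
        try { $modules = $proc.Modules } catch { }   # protected processes deny access
        if (-not $modules) { continue }

        foreach ($m in $modules) {
            if (-not $m.FileName) { continue }
            $path = $m.FileName.ToLowerInvariant()
            $name = [System.IO.Path]::GetFileName($path)

            # Only names that also exist in System32 are of interest here.
            if (-not $known.ContainsKey($name)) { continue }

            $inExpected = $false
            foreach ($root in $expectedRoots) {
                if ($path.StartsWith($root)) { $inExpected = $true; break }
            }
            if (-not $inExpected) {
                [pscustomobject]@{
                    Module  = $m.FileName
                    Process = $proc.ProcessName
                    Id      = $proc.Id
                }
            }
        }
    }
)

if ($hits.Count -eq 0) {
    'No System32-named DLLs are loaded from unexpected folders.'
}
else {
    # One row per suspicious path, with its signature state and all users of it.
    $hits | Group-Object Module | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Name
        [pscustomobject]@{
            Module    = $_.Name
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            Processes = ($_.Group |
                ForEach-Object { "$($_.Process) ($($_.Id))" } |
                Sort-Object -Unique) -join ', '
        }
    } | Format-List
}
```

A hit is a lead to research, not a verdict: applications sometimes ship their own copy of a DLL that also exists in System32, so look at the signature status and the folder before acting on it.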
  20. Archived from groups: microsoft.public.windowsxp.perform_maintain

    hi bob - i started going through your instructions, i have a couple things i
    wanted to ask you. you mentioned that under the services tab...that i will
    want to identify microsoft items, what do i do if i find other items? also i
    downloaded the items you had listed (the ones that weren't downloads i saved
    the pages in my favorites) the first one i went to install "the toolbar cop"
    i saved it to my desktop then scanned for any viruses, when i went to open
    the zip file i rcvd the msg that it was a .exe file and did i really want to
    open well i clicked yes i did, right after that my mcafee popped up and said
    it was a suspicious script and what did i want to do? well i wasn't sure so i
    stopped it. i don't know much about the "suspicious script" msgs and have only
    rcvd a few of them and not knowing i always have stopped them..
    continued in next msg......


    "Bob Dietz" wrote:

    > Your thanks is appreciated. :)
    >
    > Glad to hear that things are looking better for you, but don't think
    > that you're done and stop now. There are still those other WinPatrol
    > tabs to look at.
    >
    > IE Helpers
    > IE Helpers are also known as BHO's (Browser Helper Objects).
    > When attempting to identify items, I usually start with "Name."
    > If that doesn't net decent results, I move on to "Program."
    > (Actually, I paid for WinPatrol Plus and seldom resort to google.)
    > If you run into something that you cannot identify,
    > you'll find WinPatrol is a bit anemic here -
    > BHO's cannot be disabled, they can only be deleted.
    > To temporarily disable one of these items, download another free
    > program called Toolbar Cop. http://windowsxp.mvps.org/toolbarcop.htm
    >
    > Scheduled Tasks
    > I have yet to run into any malware that utilizes Windows task
    > scheduler, so I have no special instructions. But you do want to
    > know the purpose for any scheduled tasks.
    >
    > Services
    > At minimum, you'll want to identify any non-microsoft services.
    > As to the microsoft services, the WinPatrol Plus info is pretty
    > light weight. Sources for info about Windows XP Services
    > http://www.theeldergeek.com/services_guide.htm
    > http://www.blackviper.com/WinXP/servicecfg.htm
    >
    > Active Tasks
    > This corresponds to the Processes tab in Windows Task Manager.
    > You really, really want to know about each of these items.
    > The info in the Plus version of WinPatrol is fairly complete and
    > is above average in quality. If you haven't paid for the plus version,
    > start your investigation at http://www.answersthatwork.com and click
    > on the "Task List" button. If you can't find the task listed there
    > move on to google. If you can't find information there either, be
    > suspicious. Click the "Info" button in WinPatrol and look at the
    > full path to the executable file. Locate that executable file;
    > right click on it and choose Properties. You're looking for clues.
    >
    > Before moving on it's worth noting that you can hold down the CTRL
    > key and click on multiple "Active Tasks" and then "Kill Task" them
    > all in one fell swoop. This is extremely useful when some obnoxious
    > malware has started multiple different processes that keep
    > re-adding startup items and restart their companion processes
    > should you stop one of them.
    >
    > * See below for more info about processes and their associated DLLs.
    >
    > Cookies
    > I've never felt that cookies were worth worrying about.
    > WinPatrol has a cookie manager, but I don't use it and
    > have no opinion.
    >
    > File Types
    > "File type" determines what happens when you double click on
    > a file with any given extension. For instance, if a file is named
    > "Critical Data.doc" the ".doc" at the end is the file extension
    > and information in Windows registry determines the File Type and
    > what will happen. On many/most systems ".doc" is associated with
    > Microsoft Word and a double click will open "Critical Data.doc"
    > in Microsoft Word. If you install a new word processor ABC on
    > that system, the install routine may reassociate the ".doc" file
    > extension so that a double click on "Critical Data.doc" no longer
    > opens it in MS Word, but rather in the newly installed ABC.
    > WinPatrol alerts you when such changes are made. If you install
    > and test bunches of software (like I do), that's handy.
    >
    > Although I don't know of any malware currently using file types
    > to keep itself wedged onto systems, I think it is only a matter
    > of time. Imagine that malware XYZ has been installed on your
    > system. One of its files is XYZwedge and XYZwedge is the current
    > association with the ".doc" file type. Each time you double click
    > on a ".doc" file, XYZwedge reinserts XYZ into your startup items
    > and then it Opens the ".doc" file in MS Word. Everything seems
    > normal to you, except that the system seems to run slower and
    > there are those @#$% pop-ups again.
    >
    > ****************************************************************
    >
    > If you don't already have them, add the following to your system's
    > layered protection:
    > Spyware Blaster - http://www.javacoolsoftware.com/spywareblaster.html
    > IE Spyad - https://netfiles.uiuc.edu/ehowes/www/resource.htm
    > An outbound firewall like Zone Alarm.
    > http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp
    > (The free for personal use version is at the bottom of the list.)
    >
    >
    > ****************************************************************
    >
    > All your scans come up clean and all of the items on all of the
    > WinPatrol tabs are accounted for and are supposed to be safe.
    > But you still see a lot of pop-ups or the system still runs way too slow
    > and/or there are many program crashes. What now?
    >
    > The technically inclined can download Process Viewer (prcview.exe)
    > from http://www.xmlsp.com/pview/prcview.htm
    > 1) Run Process Viewer and select "Module Useage" on the "View" menu.
    > 2) Right click each module and choose "Copy Module Path."
    > 3) Paste the copied path into a google search box;
    > enclose it in double quotes and search.
    > 4) Depending on what you found in step 3, search for just the
    > file name and look for pages in the results that show the
    > *.dll file in another path. eg.
    > Windows KB article says that in Windows XP, abc.dll is found at
    > C:\Windows\System32\abc.dll
    > but the path on your system is
    > C:\Windows\abc.dll
    > The file on your system is spyware.
    > Search google for instructions about how to remove it.
    > If you can't find instructions, close the "Module Useage" window.
    > Right click each process in the main Process viewer window and
    > choose "Modules." Look for C:\Windows\abc.dll. Find ALL of the
    > processes that use abc.dll with that full path, note the name
    > of each such process. In WinPatrol, hold down the CTRL key and
    > click each of those named processes. In a moment, you'll
    > "Kill Task" them all at once. Before you do though, close out
    > ALL other running programs! The evil malware .dll is probably
    > attached to a vital system process and when you "Kill Task"
    > the system will likely turn off about as fast as if you pulled
    > the power cord out of the electric socket! If that happens, press
    > the power button to boot the machine, otherwise reboot the machine.
    > Double check that c:\windows\abc.dll is no longer a part of any
    > running process.
    >
    > Otherwise, it's probably time to fdisk; format
    > and re-install Windows from scratch. :(
    >
    > --
    > Bob Dietz
    >
    >
    > linda wrote:
    > > Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
    > > a lot less crowded than it did- also when I look at the task manager it now
    > > shows 37 programs, (I have a few things running when it shows that amt) and
    > > not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
    > > on the winpatrol and had already disabled that, I thought it was funny seeing
    > > 3 times, so I'm glad to know I was on the right track there. When I went
    > > back to the winpatrol and disable the DLHelper program, a minute or so later
    > > I got a pop up saying that a new program was wanting to be added to the start
    > > up-and it was the DLHelper I had just disabled, so I said no on the ok to add
    > > to start-up. Here is what the list shows now: (pls read my add'l msg
    > > after the winpatrol info)
    > >
    > > WinPatrol Startup Programs
    > > Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
    > > 2/11/2005
    > >
    > > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    > > Browser: Microsoft® Windows® Operating System - Internet Explorer version
    > > 6.00.2900.2180
    > > Memory currently in use: 79%
    > >
    > > MSIE: Internet Explorer (6.00.2900.2180)
    > >
    > > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    > > HKLM Default_Page_URL = http://www.emachines.com
    > > HKCU Start Page = http://www.comcast.net/
    > > HKLM Start Page = http://www.msn.com/
    > >
    > > WinLogon DefaultUserName=linda
    > > WinLogon DefaultDomainName=LUCY
    > > WinLogon Shell=Explorer.exe
    > > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    > >
    > >
    > >
    > > VSOCheckTask
    > > mcmnhdlr.exe /checktask
    > > McAfee VirusScan Command Handler
    > > Version: 8, 0, 0, 0
    > > Copyright © 1998-2003 Networks Associates Technology, Inc
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    > > Click for Plus Info
    > >
    > >
    > >
    > > VirusScan Online
    > > mcvsshld.exe
    > > McAfee VirusScan ActiveShield Resource
    > > Version: 8, 0, 0, 0
    > > Copyright © 1998-2003 Networks Associates Technology, Inc
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > MCAgentExe
    > > mcagent.exe
    > > McAfee SecurityCenter Agent
    > > Version: 5, 0, 0, 0
    > > Copyright © 2004 Networks Associates Technology, Inc.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > MCUpdateExe
    > > mcupdate.exe
    > > McAfee SecurityCenter Update Engine
    > > Version: 5, 0, 0, 0
    > > Copyright © 2004 Networks Associates Technology, Inc.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > pccguide.exe
    > > pccguide.exe
    > > PCCGuide
    > > Version: 12.10.0
    > > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > WinPatrol
    > > winpatrol.exe
    > > WinPatrol System Monitor
    > > Version: 8.1.2.0
    > > Copyright © 1997- 2004 BillP Studios
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > MPFExe
    > > MpfTray.exe
    > > McAfee Personal Firewall Tray Monitor
    > > Version: 6.0.0.14
    > > Copyright © 2000-2004 Networks Associates Technologies, Inc.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > McRegWiz
    > > mcregwiz.exe /autorun
    > > McRegWiz Module
    > > Version: 1, 0, 0, 4
    > > Copyright 2003 Networks Associates Technology, Inc
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    > > Click for Plus Info
    > >
    > >
    > >
    > > Microsoft Works Update Detection
    > > WkDetect.exe
    > > Microsoft® Works Update Detection
    > > Version: 6.00.1828.1
    > > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    > > Location: * Disabled *
    > > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\Microsoft Works\WkDetect.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > Yahoo! Pager
    > > ypager.exe -quiet
    > > Yahoo! Messenger
    > > Version: 6,0,0,1750
    > > Copyright 1998-2004
    > > Location: * Disabled *
    > > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    > > Click for Plus Info
    > >
    > > I wanted to say THANK-YOU so much...not only do i appreciate you taking the
    > > time to help me..and also the detail instructions,they were easy for me to
    > > follow and understand, as I said in my original msg. I'm relatively new at all
    > > this so being able to follow/understand was great. I have only posted to
    > > newsgroups a few times and honestly I have gotten a few responses that just
    > > leave me sitting there going "HUH". Again thanks very much for your help!!!
    > > Linda
    > >
    > >
    > >
    > > "Bob Dietz" wrote:
    > >
    > >
    > >>Hi Linda,
    > >>
    > >>I was pretty busy yesterday. Sorry it took so long to get back to you
    > >>
    > >>Before you start you might want to print this out on your printer.
    > >>
    > >>I see some adware/spyware listed that I would have expected Lavasoft
    > >>Ad-aware to have successfully removed. Let's run through the steps that
    > >>will allow Ad-Aware to do its best work.
    > >>
    > >>1) Start Ad-Aware.
    > >>2) Click "Check for updates now." (lower right corner)
    > >>3) Connect and get any available updates.
    > >> Verify that your version number matches the version number
    > >> of the newest available Ad-Aware.
    > >>4) Once you have the latest updates installed,
    > >> close Ad-Aware and any other running programs.
    > >>5) To make it easier for Ad-Aware to do its job,
    > >> we're going to run it in SAFE MODE.
    > >> A) Restart the computer.
    > >> B) While the computer is booting - before the first
    > >> "Windows" screen appears, tap the F8 key.
    > >> C) When the boot menu appears, choose SAFE MODE.
    > >>6) Start Ad-aware.
    > >>7) Click the "Start" button in the Ad-Aware window.
    > >>8) Set "Select Scan Mode" to "Perform full system scan."
    > >>9) Click the "Next" button to start the scan.
    > >>10) When the scan finishes, click "Next."
    > >>11) "Scan Results" defaults to the "Critical Objects" tab.
    > >> Changing to the "Scan Summary" tab, will give you
    > >> a much clearer picture of what has been found and may
    > >> save you quite a few mouse clicks as well. Be sure there
    > >> is a check mark beside everything you want to remove and
    > >> click "Next."
    > >> * No need to click the Quarantine button, Ad-aware
    > >> * automatically quarantines everything it removes.
    > >>
    > >>When you're done, close Ad-Aware and restart the computer letting it
    > >>boot normally.
    > >>Open the WinPatrol window.
    > >>Click the "Title" column heading so that programs are sorted by title in
    > >>A-Z order.
    > >>
    > >>Below you'll find your report (slightly reformatted so that programs are
    > >>in A-Z order by title.) Each item is followed by my comments which are
    > >>marked by asterisks. Presumably Ad-Aware will already have
    > >>eliminated most of the evil ad-ware/spyware. If bad items still remain,
    > >>we'll use the WinPatrol report to figure out how to remove those items.
    > >>If you were doing this on your own, you'd -
    > >> 1) Select the executable name with your mouse.
    > >> 2) Right click on the selection and choose "Copy."
    > >> 3) Open a new browser window and go to http://www.google.com
    > >> 4) Right click in the Google search box and choose "Paste."
    > >> 5) Click on the search button.
    > >>Hint: If you install the Google toolbar ( http://toolbar.google.com ),
    > >>you could select the executable name, right click and choose
    > >>"Google Search."
    > >>
    > >>Use a little caution regarding the results of your search.
    > >>Some of the sites providing the information about startup items are
    > >>trying too hard to sell you something. For instance at least one site
    > >>shows a very conspicuous warning "Internal IP Exposed!" This is a simple
    > >> scam using javascript to display your IP in your browser on your
    > >>computer. Nobody can see it who isn't sitting in front of your computer
    > >>display.
    > >>
    > >>Here are some domains that I regard as above average. Look for these in
    > >>the results of your Google spyware/adware searches.
    > >>
    > >>AnswersThatWork.com
    > >>CastleCops.com
    > >>Iamnotageek.com
    > >>Neuber.com
    > >>Sysinfo.org
    > >>WinPatrol.com
    > >>
    > >>This Sysinfo.org page is worth putting in your favorites -
    > >>http://www.sysinfo.org/startuplist.php
    > >>
    > >>
    > >>*****************************************************************
    > >>WinPatrol Startup Programs (Edited by Bob Dietz)
    > >>
    > >>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    > >>Browser: Microsoft® Windows® Operating System - Internet Explorer
    > >>version 6.00.2900.2180
    > >>Memory currently in use: 91%
    > >>********************************************************************
    > >>* This memory currently in use number isn't critical, but
    > >>* a lower value would be better. If you have less than 256Mb of RAM,
    > >>* you should think about upgrading to more memory.
    > >>********************************************************************
    > >>
    > >>
    > >>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    > >>HKLM Default_Page_URL = http://www.emachines.com
    > >>HKCU Start Page = http://www.emachines.com/
    > >>HKLM Start Page = http://www.msn.com/
    > >>
    > >>WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
    > >>WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
    > >>WinLogon Shell=Explorer.exe
    > >>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    > >>
    > >>
    > >>
    > >>CleanUp
    > >>mcappins.exe /v=3 /cleanup
    > >>McAfee Application Installer
    > >>Version: 5, 0, 0, 0
    > >>Copyright © 2004 Networks Associates Technology, Inc.
    > >>Location:
    > >>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    > >>********************************************************************
    > >>* This is part of McAfee
    > >>* I recommended that you leave it enabled. The site -
    > >>* http://startup.iamnotageek.com/srch-mcappins.exe.html
    > >>* describes it as
    > >>* McAfee Application Installer. (What does it do and is it required?)
    > >>* FWIW The Plus version of WinPatrol what it does and why it might
    > >>* be required.
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>eZstub
    > >>eZstub.exe
    > >>eZstub Module
    > >>Version: 1, 0, 0, 1
    > >>Copyright 2000
    > >>Location:
    > >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    > >>Path: Command /c del C:\WINDOWS\system32\eZstub.exe
    > >>********************************************************************
    > >>* This is an EZula component.
    > >>* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
    > >>* appears to be quite recent and I could find it mentioned on any
    > >>* web pages. For that reason, Ad-Aware may have trouble removing
    > >>* this even in SAFE MODE!
    > >>* If Ad-Aware wasn't able to remove this, try using WinPatrol to
    > >>* disable it. If it won't stay disabled, let me know and we'll
    > >>* follow some additional steps.
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>
    > >>
    > >>MCAgentExe
    > >>mcagent.exe
    > >>McAfee SecurityCenter Agent
    > >>Version: 5, 0, 0, 0
    > >>Copyright © 2004 Networks Associates Technology, Inc.
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    > >>********************************************************************
    > >>* This is part of McAfee
    > >>* I recommended that you leave it enabled.
    > >>* http://startup.iamnotageek.com/srch-mcagent.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>MCUpdateExe
    > >>mcupdate.exe
    > >>McAfee SecurityCenter Update Engine
    > >>Version: 5, 0, 0, 0
    > >>Copyright © 2004 Networks Associates Technology, Inc.
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    > >>********************************************************************
    > >>* This is part of McAfee
    > >>* I recommended that you leave it enabled.
    > >>* http://startup.iamnotageek.com/srch-mcupdate.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>Microsoft Works Update Detection
    > >>WkDetect.exe
    > >>Microsoft® Works Update Detection
    > >>Version: 6.00.1828.1
    > >>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    > >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\Microsoft Works\WkDetect.exe
    > >>********************************************************************
    > >>* This checks for updates to MS Works
    > >>* Unless your computer has more memory than you know what
    > >>* to do with, I'd recommend disabling this in WinPatrol.
    > >>* Disabling is better than removal, because you can always
    > >>* decide to turn it back on at a later date.
    > >>* http://startup.iamnotageek.com/srch-wkdetect.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>msnmsgr
    > >>msnmsgr.exe /background
    > >>MSN Messenger
    > >>Version: Version 6.2
    > >>Copyright (c) Microsoft Corporation 1997-2004
    > >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
    > >>********************************************************************
    > >>* Letting MSN Messenger run is a user choice.
    > >>* If you aren't sure what MSN Messenger is, you're not using
    > >>* it and there is no use to have it running constantly
    > >>* using up precious RAM.
    > >>* Later in this report, we see that Yahoo! Pager is also running.
    > >>* If you're using both of these programs, you might want to
    > >>* consider replacing the two of them with Trillian, which is
    > >>* open source freeware and provides the services of both programs.
    > >>* http://www.neuber.com/taskmanager/process/msnmsgr.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>MyWebSearch Email Plugin
    > >>MWSOEMON.EXE
    > >>My Web Search Email Plugin
    > >>Version: 2,0,1,0
    > >>Copyright © 2003-2004 MyWebSearch.com
    > >>Location: Windows Startup Group
    > >>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    > >>********************************************************************
    > >>* This is spyware.
    > >>* The fact that there are four apparently identical instances
    > >>* in the original report gives a little concern. I suspect
    > >>* this may be the culprit with regard to the 22 instances of
    > >>* rundll32.exe.
    > >>* If these are still in the list after the SAFE MODE Ad-Aware scan,
    > >>* try to disable them using WinPatrol.
    > >>* If they refuse to stay disabled, let me know and there are other
    > >>* steps we can try.
    > >>* FWIW Here are some pages with more info about MyWebSearch.
    > >>* http://www.mac-net.com/445088.page
    > >>* http://www.iamnotageek.com/a/mwsoemon.exe.php
    > >>* http://www.winpatrol.com/db/freesample/mwsoemon.html
    > >>********************************************************************
    > >>
    > >>
    > >>pccguide.exe
    > >>pccguide.exe
    > >>PCCGuide
    > >>Version: 12.10.0
    > >>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    > >>********************************************************************
    > >>* Part of Trend Micro's PC-cillin Anti-Virus
    > >>* Do you have both PC-cillin and McAfee installed?
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>Unknown Title
    > >>DLHelperEXE.exe
    > >>DLHelper Module
    > >>Version: 6, 0, 0, 3
    > >>Copyright 2001
    > >>Location: Windows Startup Group
    > >>Path: C:\Documents and Settings\linda\Start
    > >>Menu\Programs\Startup\DLHelperEXE.exe
    > >>********************************************************************
    > >>* Probably part of CasinoOnNet adware.
    > >>* If that's what it is, the Ad-Aware SAFE MODE scan probably
    > >>* removed it. If not, try disabling it in WinPatrol.
    > >>* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073208
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>VirusScan Online
    > >>mcvsshld.exe
    > >>McAfee VirusScan ActiveShield Resource
    > >>Version: 8, 0, 0, 0
    > >>Copyright © 1998-2003 Networks Associates Technology, Inc
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    > >>********************************************************************
    > >>* Part of McAfee VirusScan On-Line
    > >>* I recommend leaving it enabled.
    > >>* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>VSOCheckTask
    > >>mcmnhdlr.exe /checktask
    > >>McAfee VirusScan Command Handler
    > >>Version: 8, 0, 0, 0
    > >>Copyright © 1998-2003 Networks Associates Technology, Inc
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    > >>********************************************************************
    > >>* Part of McAfee's SecurityCenter and Virusscan Online.
    > >>* I recommend leaving it enabled.
    > >>* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>Web Offer
    > >>EZPOPS~1.EXE
    > >>eZstub Module
    > >>Version: 1, 0, 0, 1
    > >>Copyright 2000
    > >>Location:
    > >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    > >>Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
    > >>********************************************************************
    > >>* Another component of EZula adware.
    > >>* I searched for specific information about this component -
    > >>* http://www.google.com/search?q=EZPOPS%7E1.EXE
    > >>* the information is pretty scant which indicates
    > >>* this version of EZula is pretty new and most anti-spyware/
    > >>* anti-adware programs probably won't remove it.
    > >>* If the SAFE MODE Ad-Aware scan fails to remove this,
    > >>* try disabling it in WinPatrol.
    > >>* If it won't stay disabled, let me know - there are other
    > >>* approaches to this problem.
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>WinPatrol
    > >>winpatrol.exe
    > >>WinPatrol System Monitor
    > >>Version: 8.1.2.0
    > >>Copyright © 1997- 2004 BillP Studios
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    > >>********************************************************************
    > >>* This is WinPatrol
    > >>* It's safe and I recommend that you leave it in.
    > >>* But you can't really know if that's good advice until
    > >>* you research it.
    > >>* http://www.google.com/search?q=winpatrol.exe
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>Yahoo! Pager
    > >>ypager.exe -quiet
    > >>Yahoo! Messenger
    > >>Version: 6,0,0,1750
    > >>Copyright 1998-2004
    > >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    > >>********************************************************************
    > >>* Yahoo! Pager is an instant messenger application like
    > >>* MSN Messenger. If you aren't using these, you should disable them.
    > >>* If you're only using one of them, you should disable the one
    > >>* you're not using.
    > >>* If you're using both of them, you should think about switching
    > >>* to Trillian, an open source freeware application that can connect
    > >>* to many different types of instant messaging servers.
    > >>* http://startup.iamnotageek.com/srch-ypager.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>--
    > >>Bob Dietz
    > >>
    > >>linda wrote:
    > >>
    > >>>Hi Bob - this is what came up....thx for your help-prior to this when i ran
    > >>>the lavasoft adware/spyware there was an item that came up that said if
    > >>>affected the registry and i would select the cleanup/restore/delete for it,
    > >>>it would say that the task was completed but if i ran the progam again it
    > >>>showed exactly the same thing it said it had taken care of? thought i would
    > >>>mention this in case it has anything to do with what's going on now....thx
    > >>>again for helping...linda
    > >>>
    > >>
    >
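The module-path check in steps 1 to 4 of the quoted instructions can be scripted on a current Windows system. The PowerShell below is an added example, not part of the thread and not code from WinPatrol or Process Viewer; the function names, parameters and sample records are hypothetical. It assumes PowerShell 3.0 or later and treats a DLL as out of place when it is loaded from outside System32/SysWOW64 while a file of the same name is known to live there.

```powershell
# Added example, not from the original thread. Requires PowerShell 3.0 or later.

function Get-LoadedModule {
    # One record per (process, loaded module) on the live system. Processes that
    # refuse access are skipped, so run elevated for fuller coverage.
    foreach ($proc in Get-Process) {
        try   { $modules = @($proc.Modules) }
        catch { continue }
        foreach ($m in $modules) {
            if ($m.FileName) {
                [pscustomobject]@{ Process = $proc.ProcessName; Id = $proc.Id; Path = $m.FileName }
            }
        }
    }
}

function Find-MisplacedModule {
    # Report DLLs loaded from outside $ExpectedDir although a file of the same name
    # belongs in $ExpectedDir, together with every process that has the odd copy loaded.
    param(
        [Parameter(Mandatory = $true)] [object[]] $Record,
        [string[]] $ExpectedDir = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
        [string[]] $SkipUnder   = @("$env:SystemRoot\WinSxS\"),   # side-by-side assemblies
        [string[]] $KnownName   = @()    # optional baseline of names; otherwise the disk is probed
    )

    # Windows paths are case-insensitive, so group on the lower-cased full path.
    foreach ($group in ($Record | Group-Object { $_.Path.ToLowerInvariant() })) {
        $path = $group.Group[0].Path
        $dir  = [System.IO.Path]::GetDirectoryName($path)
        $name = [System.IO.Path]::GetFileName($path)

        if ([System.IO.Path]::GetExtension($name) -ne '.dll') { continue }
        if ($ExpectedDir -contains $dir)                       { continue }
        if ($SkipUnder | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }) {
            continue
        }

        # Is a file with this name expected in one of the system directories?
        $expectedAt = @($ExpectedDir |
            ForEach-Object { [System.IO.Path]::Combine($_, $name) } |
            Where-Object   { ($KnownName -contains $name) -or (Test-Path -LiteralPath $_) })
        if ($expectedAt.Count -eq 0) { continue }

        [pscustomobject]@{
            Module     = $name
            LoadedFrom = $path
            ExpectedAt = $expectedAt -join '; '
            Processes  = @($group.Group |
                ForEach-Object { '{0} (PID {1})' -f $_.Process, $_.Id } |
                Sort-Object -Unique)
        }
    }
}

# Constructed sample standing in for Get-LoadedModule output.
# abc.dll is the placeholder name used in the thread; PIDs and process list are made up.
$sample = @(
    [pscustomobject]@{ Process = 'explorer'; Id = 1480; Path = 'C:\Windows\abc.dll' }
    [pscustomobject]@{ Process = 'iexplore'; Id = 2312; Path = 'C:\WINDOWS\abc.dll' }
    [pscustomobject]@{ Process = 'notepad';  Id = 3020; Path = 'C:\Windows\System32\abc.dll' }
    [pscustomobject]@{ Process = 'notepad';  Id = 3020; Path = 'C:\Program Files\Example\helper.dll' }
)

Find-MisplacedModule -Record $sample -ExpectedDir 'C:\Windows\System32' -KnownName 'abc.dll' |
    Format-List

# Live system:
#   Find-MisplacedModule -Record (Get-LoadedModule) | Format-List
```

Each row is a lead to research by full path, as in step 3, before anything is stopped or deleted; applications that ship their own copy of a system DLL will also show up here.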
  21. Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

    I also downloaded the ie-spyad but am a little confused on how to tell if it's
    there/working?? I read the text document and that didn't help me on the
    confusion? I have never really messed around in anything having to do with
    the registry due to the fact that I rcvd a msg one time saying basically if
    you change things it could mess up your system (if you don't know what you're
    doing, and I didn't/don't) so since then I have been, shall we say, afraid to go
    there and do anything....

    I'm still working on the items you had in your reply to me and once again
    above and beyond the call of duty....you can probably tell I don't have a
    vast amt of knowledge with all this (this is my first computer). I really
    appreciate though the way you explained the "doc file" scenario and also the
    registry changes, I could understand that, you seem to have a lot of
    knowledge/info and you explain things that a person learning is able to
    understand, instead of the typical "techno jargon" that only exp people
    understand. Thx again for all the help.


    "Bob Dietz" wrote:

    > Your thanks is appreciated. :)
    >
    > Glad to hear that things are looking better for you, but don't think
    > that you're done and stop now. There are still those other WinPatrol
    > tabs to look at.
    >
    > IE Helpers
    > IE Helpers are also known as BHO's (Browser Helper Objects).
    > When attempting to identify items, I usually start with "Name."
    > If that doesn't net decent results, I move on to "Program."
    > (Actually, I paid for WinPatrol Plus and seldom resort to google.)
    > If you run into something that you cannot identify,
    > you'll find WinPatrol is a bit anemic here -
    > BHO's cannot be disabled, they can only be deleted.
    > To temporarily disable one of these items, download another free
    > program called Toolbar Cop. http://windowsxp.mvps.org/toolbarcop.htm
    >
    > Scheduled Tasks
    > I have yet to run into any malware that utilizes Windows Task
    > Scheduler, so I have no special instructions. But you do want to
    > know the purpose for any scheduled tasks.
    >
    > Services
    > At minimum, you'll want to identify any non-Microsoft services.
    > As to the Microsoft services, the WinPatrol Plus info is pretty
    > light weight. Sources for info about Windows XP Services
    > http://www.theeldergeek.com/services_guide.htm
    > http://www.blackviper.com/WinXP/servicecfg.htm
    >
    > Active Tasks
    > This corresponds to the Processes tab in Windows Task Manager.
    > You really, really want to know about each of these items.
    > The info in the Plus version of WinPatrol is fairly complete and
    > is above average in quality. If you haven't paid for the plus version,
    > start your investigation at http://www.answersthatwork.com and click
    > on the "Task List" button. If you can't find the task listed there
    > move on to google. If you can't find information there either, be
    > suspicious. Click the "Info" button in WinPatrol and look at the
    > full path to the executable file. Locate that executable file;
    > right click on it and choose Properties. You're looking for clues.
    >
    > Before moving on it's worth noting that you can hold down the CTRL
    > key and click on multiple "Active Tasks" and then "Kill Task" them
    > all in one fell swoop. This is extremely useful when some obnoxious
    > malware has started multiple different processes that keep
    > re-adding startup items and restart their companion processes
    > should you stop one of them.
    >
    > * See below for more info about processes and their associated DLLs.
    >
    > Cookies
    > I've never felt that cookies were worth worrying about.
    > WinPatrol has a cookie manager, but I don't use it and
    > have no opinion.
    >
    > File Types
    > "File type" determines what happens when you double click on
    > a file with any given extension. For instance, if a file is named
    > "Critical Data.doc" the ".doc" at the end is the file extension
    > and information in Windows registry determines the File Type and
    > what will happen. On many/most systems ".doc" is associated with
    > Microsoft Word and a double click will open "Critical Data.doc"
    > in Microsoft Word. If you install a new word processor ABC on
    > that system, the install routine may reassociate the ".doc" file
    > extension so that a double click on "Critical Data.doc" no longer
    > opens it in MS Word, but rather in the newly installed ABC.
    > WinPatrol alerts you when such changes are made. If you install
    > and test bunches of software (like I do), that's handy.
    >
    > Although I don't know of any malware currently using file types
    > to keep itself wedged onto systems, I think it is only a matter
    > of time. Imagine that malware XYZ has been installed on your
    > system. One of its files is XYZwedge and XYZwedge is the current
    > association with the ".doc" file type. Each time you double click
    > on a ".doc" file, XYZwedge reinserts XYZ into your startup items
    > and then it Opens the ".doc" file in MS Word. Everything seems
    > normal to you, except that the system seems to run slower and
    > there are those @#$% pop-ups again.
    >
    > ****************************************************************
    >
    > If you don't already have them, add the following to your system's
    > layered protection:
    > Spyware Blaster - http://www.javacoolsoftware.com/spywareblaster.html
    > IE Spyad - https://netfiles.uiuc.edu/ehowes/www/resource.htm
    > An outbound firewall like Zone Alarm.
    > http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp
    > (The free for personal use version is at the bottom of the list.)
    >
    >
    > ****************************************************************
    >
    > All your scans come up clean and all of the items on all of the
    > WinPatrol tabs are accounted for and are supposed to be safe.
    > But you still see a lot of pop-ups or the system still runs way too slow
    > and/or there are many program crashes. What now?
    >
    > The technically inclined can download Process Viewer (prcview.exe)
    > from http://www.xmlsp.com/pview/prcview.htm
    > 1) Run Process Viewer and select "Module Useage" on the "View" menu.
    > 2) Right click each module and choose "Copy Module Path."
    > 3) Paste the copied path into a google search box;
    > enclose it in double quotes and search.
    > 4) Depending on what you found in step 3, search for just the
    > file name and look for pages in the results that show the
    > *.dll file in another path. eg.
    > Windows KB article says that in Windows XP, abc.dll is found at
    > C:\Windows\System32\abc.dll
    > but the path on your system is
    > C:\Windows\abc.dll
    > The file on your system is spyware.
    > Search google for instructions about how to remove it.
    > If you can't find instructions, close the "Module Useage" window.
    > Right click each process in the main Process viewer window and
    > choose "Modules." Look for C:\Windows\abc.dll. Find ALL of the
    > processes that use abc.dll with that full path, note the name
    > of each such process. In WinPatrol, hold down the CTRL key and
    > click each of those named processes. In a moment, you'll
    > "Kill Task" them all at once. Before you do though, close out
    > ALL other running programs! The evil malware .dll is probably
    > attached to a vital system process and when you "Kill Task"
    > the system will likely turn off about as fast as if you pulled
    > the power cord out of the electric socket! If that happens, press
    > the power button to boot the machine, otherwise reboot the machine.
    > Double check that c:\windows\abc.dll is no longer a part of any
    > running process.
    >
    > Otherwise, it's probably time to fdisk; format
    > and re-install Windows from scratch. :(
    >
    > --
    > Bob Dietz
    >
    >
    > linda wrote:
    > > Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
    > > a lot less crowded than it did- also when I look at the task manager it now
    > > shows 37 programs, (I have a few things running when it shows that amt) and
    > > not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
    > > on the winpatrol and had already disabled that, I thought it was funny seeing
    > > 3 times, so I'm glad to know I was on the right track there. When I went
    > > back to the winpatrol and disable the DLHelper program, a minute or so later
    > > I got a pop up saying that a new program was wanting to be added to the start
    > > up-and it was the DLHelper I had just disabled, so I said no on the ok to add
    > > to start-up. Here is what the list shows now: (pls read my add'l msg
    > > after the winpatrol info)
    > >
    > > WinPatrol Startup Programs
    > > Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
    > > 2/11/2005
    > >
    > > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    > > Browser: Microsoft® Windows® Operating System - Internet Explorer version
    > > 6.00.2900.2180
    > > Memory currently in use: 79%
    > >
    > > MSIE: Internet Explorer (6.00.2900.2180)
    > >
    > > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    > > HKLM Default_Page_URL = http://www.emachines.com
    > > HKCU Start Page = http://www.comcast.net/
    > > HKLM Start Page = http://www.msn.com/
    > >
    > > WinLogon DefaultUserName=linda
    > > WinLogon DefaultDomainName=LUCY
    > > WinLogon Shell=Explorer.exe
    > > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    > >
    > >
    > >
    > > VSOCheckTask
    > > mcmnhdlr.exe /checktask
    > > McAfee VirusScan Command Handler
    > > Version: 8, 0, 0, 0
    > > Copyright © 1998-2003 Networks Associates Technology, Inc
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    > > Click for Plus Info
    > >
    > >
    > >
    > > VirusScan Online
    > > mcvsshld.exe
    > > McAfee VirusScan ActiveShield Resource
    > > Version: 8, 0, 0, 0
    > > Copyright © 1998-2003 Networks Associates Technology, Inc
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > MCAgentExe
    > > mcagent.exe
    > > McAfee SecurityCenter Agent
    > > Version: 5, 0, 0, 0
    > > Copyright © 2004 Networks Associates Technology, Inc.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > MCUpdateExe
    > > mcupdate.exe
    > > McAfee SecurityCenter Update Engine
    > > Version: 5, 0, 0, 0
    > > Copyright © 2004 Networks Associates Technology, Inc.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > pccguide.exe
    > > pccguide.exe
    > > PCCGuide
    > > Version: 12.10.0
    > > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > WinPatrol
    > > winpatrol.exe
    > > WinPatrol System Monitor
    > > Version: 8.1.2.0
    > > Copyright © 1997- 2004 BillP Studios
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > MPFExe
    > > MpfTray.exe
    > > McAfee Personal Firewall Tray Monitor
    > > Version: 6.0.0.14
    > > Copyright © 2000-2004 Networks Associates Technologies, Inc.
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > McRegWiz
    > > mcregwiz.exe /autorun
    > > McRegWiz Module
    > > Version: 1, 0, 0, 4
    > > Copyright 2003 Networks Associates Technology, Inc
    > > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    > > Click for Plus Info
    > >
    > >
    > >
    > > Microsoft Works Update Detection
    > > WkDetect.exe
    > > Microsoft® Works Update Detection
    > > Version: 6.00.1828.1
    > > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    > > Location: * Disabled *
    > > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\Microsoft Works\WkDetect.exe
    > > Click for Plus Info
    > >
    > >
    > >
    > > Yahoo! Pager
    > > ypager.exe -quiet
    > > Yahoo! Messenger
    > > Version: 6,0,0,1750
    > > Copyright 1998-2004
    > > Location: * Disabled *
    > > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    > > Click for Plus Info
    > >
    > > I wanted to say THANK-YOU so much...not only do i appreciate you taking the
    > > time to help me..and also the detail instructions,they were easy for me to
    > > follow and understand, as I said in my original msg. I'm relatively new at all
    > > this so being able to follow/understand was great. I have only posted to
    > > newsgroups a few times and honestly I have gotten a few responses that just
    > > leave me sitting there going "HUH". Again thanks very much for your help!!!
    > > Linda
    > >
    > >
    > >
    > > "Bob Dietz" wrote:
    > >
    > >
    > >>Hi Linda,
    > >>
    > >>I was pretty busy yesterday. Sorry it took so long to get back to you
    > >>
    > >>Before you start you might want to print this out on your printer.
    > >>
    > >>I see some adware/spyware listed that I would have expected Lavasoft
    > >>Ad-aware to have successfully removed. Let's run through the steps that
    > >>will allow Ad-Aware to do its best work.
    > >>
    > >>1) Start Ad-Aware.
    > >>2) Click "Check for updates now." (lower right corner)
    > >>3) Connect and get any available updates.
    > >> Verify that your version number matches the version number
    > >> of the newest available Ad-Aware.
    > >>4) Once you have the latest updates installed,
    > >> close Ad-Aware and any other running programs.
    > >>5) To make it easier for Ad-Aware to do its job,
    > >> we're going to run it in SAFE MODE.
    > >> A) Restart the computer.
    > >> B) While the computer is booting - before the first
    > >> "Windows" screen appears, tap the F8 key.
    > >> C) When the boot menu appears, choose SAFE MODE.
    > >>6) Start Ad-aware.
    > >>7) Click the "Start" button in the Ad-Aware window.
    > >>8) Set "Select Scan Mode" to "Perform full system scan."
    > >>9) Click the "Next" button to start the scan.
    > >>10) When the scan finishes, click "Next."
    > >>11) "Scan Results" defaults to the "Critical Objects" tab.
    > >> Changing to the "Scan Summary" tab, will give you
    > >> a much clearer picture of what has been found and may
    > >> save you quite a few mouse clicks as well. Be sure there
    > >> is a check mark beside everything you want to remove and
    > >> click "Next."
    > >> * No need to click the Quarantine button, Ad-aware
    > >> * automatically quarantines everything it removes.
    > >>
    > >>When you're done, close Ad-Aware and restart the computer letting it
    > >>boot normally.
    > >>Open the WinPatrol window.
    > >>Click the "Title" column heading so that programs are sorted by title in
    > >>A-Z order.
    > >>
    > >>Below you'll find your report (slightly reformatted so that programs are
    > >>in A-Z order by title.) Each item is followed by my comments which are
    > >>marked by asterisks. Presumably Ad-Aware will already have
    > >>eliminated most of the evil ad-ware/spyware. If bad items still remain,
    > >>we'll use the WinPatrol report to figure out how to remove those items.
    > >>If you were doing this on your own, you'd -
    > >> 1) Select the executable name with your mouse.
    > >> 2) Right click on the selection and choose "Copy."
    > >> 3) Open a new browser window and go to http://www.google.com
    > >> 4) Right click in the Google search box and choose "Paste."
    > >> 5) Click on the search button.
    > >>Hint: If you install the Google toolbar ( http://toolbar.google.com ),
    > >>you could select the executable name, right click and choose
    > >>"Google Search."
    > >>
    > >>Use a little caution regarding the results of your search.
    > >>Some of the sites providing the information about startup items are
    > >>trying too hard to sell you something. For instance at least one site
    > >>shows a very conspicuous warning "Internal IP Exposed!" This is a simple
    > >> scam using javascript to display your IP in your browser on your
    > >>computer. Nobody can see it who isn't sitting in front of your computer
    > >>display.
    > >>
    > >>Here are some domains that I regard as above average. Look for these in
    > >>the results of your Google spyware/adware searches.
    > >>
    > >>AnswersThatWork.com
    > >>CastleCops.com
    > >>Iamnotageek.com
    > >>Neuber.com
    > >>Sysinfo.org
    > >>WinPatrol.com
    > >>
    > >>This Sysinfo.org page is worth putting in your favorites -
    > >>http://www.sysinfo.org/startuplist.php
    > >>
    > >>
    > >>*****************************************************************
    > >>WinPatrol Startup Programs (Edited by Bob Dietz)
    > >>
    > >>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
    > >>Browser: Microsoft® Windows® Operating System - Internet Explorer
    > >>version 6.00.2900.2180
    > >>Memory currently in use: 91%
    > >>********************************************************************
    > >>* This memory currently in use number isn't critical, but
    > >>* a lower value would be better. If you have less than 256Mb of RAM,
    > >>* you should think about upgrading to more memory.
    > >>********************************************************************
    > >>
    > >>
    > >>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
    > >>HKLM Default_Page_URL = http://www.emachines.com
    > >>HKCU Start Page = http://www.emachines.com/
    > >>HKLM Start Page = http://www.msn.com/
    > >>
    > >>WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
    > >>WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
    > >>WinLogon Shell=Explorer.exe
    > >>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
    > >>
    > >>
    > >>
    > >>CleanUp
    > >>mcappins.exe /v=3 /cleanup
    > >>McAfee Application Installer
    > >>Version: 5, 0, 0, 0
    > >>Copyright © 2004 Networks Associates Technology, Inc.
    > >>Location:
    > >>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    > >>********************************************************************
    > >>* This is part of McAfee
    > >>* I recommended that you leave it enabled. The site -
    > >>* http://startup.iamnotageek.com/srch-mcappins.exe.html
    > >>* describes it as
    > >>* McAfee Application Installer. (What does it do and is it required?)
    > >>* FWIW The Plus version of WinPatrol what it does and why it might
    > >>* be required.
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>eZstub
    > >>eZstub.exe
    > >>eZstub Module
    > >>Version: 1, 0, 0, 1
    > >>Copyright 2000
    > >>Location:
    > >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    > >>Path: Command /c del C:\WINDOWS\system32\eZstub.exe
    > >>********************************************************************
    > >>* This is an EZula component.
    > >>* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
    > >>* appears to be quite recent and I could find it mentioned on any
    > >>* web pages. For that reason, Ad-Aware may have trouble removing
    > >>* this even in SAFE MODE!
    > >>* If Ad-Aware wasn't able to remove this, try using WinPatrol to
    > >>* disable it. If it won't stay disabled, let me know and we'll
    > >>* follow some additional steps.
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>
    > >>
    > >>MCAgentExe
    > >>mcagent.exe
    > >>McAfee SecurityCenter Agent
    > >>Version: 5, 0, 0, 0
    > >>Copyright © 2004 Networks Associates Technology, Inc.
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
    > >>********************************************************************
    > >>* This is part of McAfee
    > >>* I recommended that you leave it enabled.
    > >>* http://startup.iamnotageek.com/srch-mcagent.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>MCUpdateExe
    > >>mcupdate.exe
    > >>McAfee SecurityCenter Update Engine
    > >>Version: 5, 0, 0, 0
    > >>Copyright © 2004 Networks Associates Technology, Inc.
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
    > >>********************************************************************
    > >>* This is part of McAfee
    > >>* I recommended that you leave it enabled.
    > >>* http://startup.iamnotageek.com/srch-mcupdate.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>Microsoft Works Update Detection
    > >>WkDetect.exe
    > >>Microsoft® Works Update Detection
    > >>Version: 6.00.1828.1
    > >>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
    > >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\Microsoft Works\WkDetect.exe
    > >>********************************************************************
    > >>* This checks for updates to MS Works
    > >>* Unless your computer has more memory than you know what
    > >>* to do with, I'd recommend disabling this in WinPatrol.
    > >>* Disabling is better than removal, because you can always
    > >>* decide to turn it back on at a later date.
    > >>* http://startup.iamnotageek.com/srch-wkdetect.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>msnmsgr
    > >>msnmsgr.exe /background
    > >>MSN Messenger
    > >>Version: Version 6.2
    > >>Copyright (c) Microsoft Corporation 1997-2004
    > >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
    > >>********************************************************************
    > >>* Letting MSN Messenger run is a user choice.
    > >>* If you aren't sure what MSN Messenger is, you're not using
    > >>* it and there is no use to have it running constantly
    > >>* using up precious RAM.
    > >>* Later in this report, we see that Yahoo! Pager is also running.
    > >>* If you're using both of these programs, you might want to
    > >>* consider replacing the two of them with Trillian, which is
    > >>* open source freeware and provides the services of both programs.
    > >>* http://www.neuber.com/taskmanager/process/msnmsgr.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>MyWebSearch Email Plugin
    > >>MWSOEMON.EXE
    > >>My Web Search Email Plugin
    > >>Version: 2,0,1,0
    > >>Copyright © 2003-2004 MyWebSearch.com
    > >>Location: Windows Startup Group
    > >>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    > >>********************************************************************
    > >>* This is spyware.
    > >>* The fact that there are four apparently identical instances
    > >>* in the original report gives a little concern. I suspect
    > >>* this may be the culprit with regard to the 22 instances of
    > >>* rundll32.exe.
    > >>* If these are still in the list after the SAFE MODE Ad-Aware scan,
    > >>* try to disable them using WinPatrol.
    > >>* If they refuse to stay disabled, let me know and there are other
    > >>* steps we can try.
    > >>* FWIW Here are some pages with more info about MyWebSearch.
    > >>* http://www.mac-net.com/445088.page
    > >>* http://www.iamnotageek.com/a/mwsoemon.exe.php
    > >>* http://www.winpatrol.com/db/freesample/mwsoemon.html
    > >>********************************************************************
    > >>
    > >>
    > >>pccguide.exe
    > >>pccguide.exe
    > >>PCCGuide
    > >>Version: 12.10.0
    > >>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
    > >>********************************************************************
    > >>* Part of Trend Micro's PC-cillin Anti-Virus
    > >>* Do you have both PC-cillin and McAfee installed?
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>Unknown Title
    > >>DLHelperEXE.exe
    > >>DLHelper Module
    > >>Version: 6, 0, 0, 3
    > >>Copyright 2001
    > >>Location: Windows Startup Group
    > >>Path: C:\Documents and Settings\linda\Start
    > >>Menu\Programs\Startup\DLHelperEXE.exe
    > >>********************************************************************
    > >>* Probably part of CasinoOnNet adware.
    > >>* If that's what it is, the Ad-Aware SAFE MODE scan probably
    > >>* removed it. If not, try disabling it in WinPatrol.
    > >>* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073208
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>VirusScan Online
    > >>mcvsshld.exe
    > >>McAfee VirusScan ActiveShield Resource
    > >>Version: 8, 0, 0, 0
    > >>Copyright © 1998-2003 Networks Associates Technology, Inc
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
    > >>********************************************************************
    > >>* Part of McAfee VirusScan On-Line
    > >>* I recommend leaving it enabled.
    > >>* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>VSOCheckTask
    > >>mcmnhdlr.exe /checktask
    > >>McAfee VirusScan Command Handler
    > >>Version: 8, 0, 0, 0
    > >>Copyright © 1998-2003 Networks Associates Technology, Inc
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
    > >>********************************************************************
    > >>* Part of McAfee's SecurityCenter and Virusscan Online.
    > >>* I recommend leaving it enabled.
    > >>* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>Web Offer
    > >>EZPOPS~1.EXE
    > >>eZstub Module
    > >>Version: 1, 0, 0, 1
    > >>Copyright 2000
    > >>Location:
    > >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    > >>Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
    > >>********************************************************************
    > >>* Another component of EZula adware.
    > >>* I searched for specific information about this component -
    > >>* http://www.google.com/search?q=EZPOPS%7E1.EXE
    > >>* the information is pretty scant which indicates
    > >>* this version of EZula is pretty new and most anti-spyware/
    > >>* anti-adware programs probably won't remove it.
    > >>* If the SAFE MODE Ad-Aware scan fails to remove this,
    > >>* try disabling it in WinPatrol.
    > >>* If it won't stay disabled, let me know - there are other
    > >>* approaches to this problem.
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>WinPatrol
    > >>winpatrol.exe
    > >>WinPatrol System Monitor
    > >>Version: 8.1.2.0
    > >>Copyright © 1997- 2004 BillP Studios
    > >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    > >>********************************************************************
    > >>* This is WinPatrol
    > >>* It's safe and I recommend that you leave it in.
    > >>* But you can't really know if that's good advice until
    > >>* you research it.
    > >>* http://www.google.com/search?q=winpatrol.exe
    > >>********************************************************************
    > >>
    > >>
    > >>
    > >>Yahoo! Pager
    > >>ypager.exe -quiet
    > >>Yahoo! Messenger
    > >>Version: 6,0,0,1750
    > >>Copyright 1998-2004
    > >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    > >>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    > >>********************************************************************
    > >>* Yahoo! Pager is an instant messenger application like
    > >>* MSN Messenger. If you aren't using these, you should disable them.
    > >>* If you're only using one of them, you should disable the one
    > >>* you're not using.
    > >>* If you're using both of them, you should think about switching
    > >>* to Trillian, an open source freeware application that can connect
    > >>* to many different types of instant messaging servers.
    > >>* http://startup.iamnotageek.com/srch-ypager.exe.html
    > >>********************************************************************
    > >>
    > >>
    > >>--
    > >>Bob Dietz
    > >>
    > >>linda wrote:
    > >>
    > >>>Hi Bob - this is what came up....thx for your help-prior to this when i ran
    > >>>the lavasoft adware/spyware there was an item that came up that said it
    > >>>affected the registry and i would select the cleanup/restore/delete for it,
    > >>>it would say that the task was completed but if i ran the program again it
    > >>>showed exactly the same thing it said it had taken care of? thought i would
    > >>>mention this in case it has anything to do with what's going on now....thx
    > >>>again for helping...linda
    > >>>
    > >>
    >
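The manual review of the WinPatrol startup report walked through above can be run mechanically. This added example is not part of the thread: `parse_report` and `triage` are hypothetical names, the sample report is constructed in the layout quoted in the thread, and only the duplicate check mirrors the reply's concern about identical instances; the other checks are assumptions that mark entries for a closer look, not verdicts.

```python
import re
from collections import Counter
# Constructed sample in the WinPatrol report layout quoted in the thread.
SAMPLE_REPORT = r"""
MCAgentExe
mcagent.exe
McAfee SecurityCenter Agent
Version: 5, 0, 0, 0
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\Program Files\McAfee.com\Agent\mcagent.exe

Web Offer
EZPOPS~1.EXE
eZstub Module
Location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE

Unknown Title
DLHelperEXE.exe
DLHelper Module
Location: Windows Startup Group
Path: C:\Documents and Settings\linda\Start
Menu\Programs\Startup\DLHelperEXE.exe

MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Location: Windows Startup Group
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Location: Windows Startup Group
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
"""

def parse_report(text):
    """Split a WinPatrol startup report into one dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        if not any(ln.startswith("Path:") for ln in lines):
            continue  # report header or free text, not a startup entry
        e = {"title": lines[0], "exe": lines[1].split()[0].lower(), "location": "", "path": ""}
        field = None  # description/Version/Copyright lines come first and are skipped
        for ln in lines[2:]:
            if ln.startswith("Location:"):
                field, ln = "location", ln[len("Location:"):]
            elif ln.startswith("Path:"):
                field, ln = "path", ln[len("Path:"):]
            if field:  # wrapped lines continue the current field
                e[field] = (e[field] + " " + ln.strip()).strip()
        entries.append(e)
    return entries

def triage(entries):
    """Flag entries for review; the heuristics are this example's assumptions."""
    counts = Counter(e["exe"] for e in entries)
    findings = {}
    for e in entries:
        loc, reasons = e["location"].lower(), []
        if loc.endswith("runonce") and e["path"].lower().startswith("command /c del"):
            reasons.append("RunOnce entry that deletes a file at next logon")
        if "startup group" in loc:
            reasons.append("launched from the Startup folder")
        if e["title"].lower() == "unknown title":
            reasons.append("no product title")
        if counts[e["exe"]] > 1:
            reasons.append(f"listed {counts[e['exe']]} times")
        if reasons:
            findings[e["exe"]] = reasons
    return findings
```

Each flagged executable name is then looked up individually, as the reply recommends, before anything is disabled.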