
programs running in task manager

February 4, 2005 12:39:01 AM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

- I had Task Manager up; when I clicked on Processes it showed 57 were running.
The only things I had up were "My Documents", the Task Manager, and one
internet page. When looking at the processes it showed that rundll32.exe was
listed 22 times, all under my name. Fairly new at this so don't know, but
thought this looked weird. It has other things running, i.e. system, local
service etc. Can someone tell me why that program would be running so much?
Thx. (P.S.) I tried looking up rundll32.exe in the Help and Support section
but nothing is listed. What does this program do? Thx again
--
linda

linda
Anonymous
February 4, 2005 1:21:35 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

Linda

Are you using Home Edition or Professional? What Tasks are listed on the
Application tab of Task Manager?

--


Hope this helps.

Gerry
~~~~~~~~~~~~~~~~~~~~~~~~
FCA

Using invalid email address

Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~
Please tell the newsgroup how any
suggested solution worked for you.

http://dts-l.org/goodpost.htm

~~~~~~~~~~~~~~~~~~~~~~~~


"linda" <linda@discussions.microsoft.com> wrote in message
news:92305404-448C-4628-AE40-0AD46A7DDC2F@microsoft.com...
>
> - I had task manager up, when i clicked on process it showed 57 were
> running,
> the only thing i had up was "my documents" and the task manager, and
> one
> internet page, when looking at the process it show that rundll32.exe
> was
> listed 22 times, all under my name, fairly new at this so dont know
> but
> thought this looked weird, has other things running, i.e. system,local
> service etc, can someone tell me why that progam would be running so
> much?
> thx (p.s.) i tried looking up rundll32.exe in the help and support
> section
> but nothing listed ?? what does this program do?? thx again
> --
> linda
>
> linda
Anonymous
February 4, 2005 3:05:04 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

Spyware/Virus Removal and Prevention:
http://www.fixyourwindows.com/windowsxpsolutions.htm
(Links to online virus scans on the same page)

How to optimize Windows XP, 2000, ME
for the best performance (Step-by-step Visual Guide):
http://www.fixyourwindows.com/optimizewindows.htm

Good Luck!
---
How to successfully install Windows XP Service Pack 2:
http://www.fixyourwindows.com/winxpsp2install.htm



"linda" wrote:

>
> - I had task manager up, when i clicked on process it showed 57 were running,
> the only thing i had up was "my documents" and the task manager, and one
> internet page, when looking at the process it show that rundll32.exe was
> listed 22 times, all under my name, fairly new at this so dont know but
> thought this looked weird, has other things running, i.e. system,local
> service etc, can someone tell me why that progam would be running so much?
> thx (p.s.) i tried looking up rundll32.exe in the help and support section
> but nothing listed ?? what does this program do?? thx again
> --
> linda
>
> linda
Anonymous
February 4, 2005 9:27:01 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

rundll32.exe shell32.dll, Control_RunDLL ...123456.cpl Added by the KITRO.C
(or DANDI.A) WORM! 123456 can be any random 3 to 6 digit number

"linda" wrote:

>
> - I had task manager up, when i clicked on process it showed 57 were running,
> the only thing i had up was "my documents" and the task manager, and one
> internet page, when looking at the process it show that rundll32.exe was
> listed 22 times, all under my name, fairly new at this so dont know but
> thought this looked weird, has other things running, i.e. system,local
> service etc, can someone tell me why that progam would be running so much?
> thx (p.s.) i tried looking up rundll32.exe in the help and support section
> but nothing listed ?? what does this program do?? thx again
> --
> linda
>
> linda
Anonymous
February 4, 2005 9:39:03 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

adds "(random filename)"="rundll32 %SYSTEM% (random filename).dll,Init 1"
(random digits).exe = (random digits).exe - 8 random digits, example: OR
77231997.exe = 77231997.exe. Winpup.exe adult content downloader
AGENT.B - adds "(1-5 random characters)"="RUNDLL32 %System%\(DLL
filename).dll,StreamingDeviceSetup

"linda" wrote:

>
> - I had task manager up, when i clicked on process it showed 57 were running,
> the only thing i had up was "my documents" and the task manager, and one
> internet page, when looking at the process it show that rundll32.exe was
> listed 22 times, all under my name, fairly new at this so dont know but
> thought this looked weird, has other things running, i.e. system,local
> service etc, can someone tell me why that progam would be running so much?
> thx (p.s.) i tried looking up rundll32.exe in the help and support section
> but nothing listed ?? what does this program do?? thx again
> --
> linda
>
> linda
Anonymous
February 4, 2005 11:02:14 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

Some info on
http://www.answersthatwork.com/Tasklist_pages/tasklist_...
re: rundll32.exe

Perhaps an online security/virus check
Symantec
http://security.norton.com/sscv6/default.asp?langid=ie&...
Trend Micro House Call:
http://housecall.trendmicro.com/
Panda ActiveScan;
http://www.pandasoftware.com/activescan/com/activescan_...
McAfee FreeScan:
http://us.mcafee.com/root/mfs/default.asp
Kaspersky Labs On-line Virus Checker:
http://www.kaspersky.com/remoteviruschk.html
BitDefender Online Scan:
http://www.bitdefender.com/scan/licence.php

Free anti virus programs
http://www.grisoft.com/us/us_dwnl7.php
http://www.avast.com/eng/avast_4_home.html



linda wrote:
> - I had task manager up, when i clicked on process it showed 57 were
> running, the only thing i had up was "my documents" and the task
> manager, and one internet page, when looking at the process it show
> that rundll32.exe was listed 22 times, all under my name, fairly new
> at this so dont know but thought this looked weird, has other things
> running, i.e. system,local service etc, can someone tell me why that
> progam would be running so much? thx (p.s.) i tried looking up
> rundll32.exe in the help and support section but nothing listed ??
> what does this program do?? thx again
February 6, 2005 12:19:02 AM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

I am using Home Edition. I also have McAfee on my system and have the Trend
Micro downloaded; the PC-cillin has been monitoring my system. As far as
what tasks are listed - newsgroups is listed and I just checked my Hotmail so
that program is listed, that's it? That rundll is still listed a lot??

"Gerry Cornell" wrote:

> Linda
>
> Are you using Home Edition or Professional? What Tasks are listed on the
> Application tab of Task Manager?
>
> --
>
>
> Hope this helps.
>
> Gerry
> ~~~~~~~~~~~~~~~~~~~~~~~~
> FCA
>
> Using invalid email address
>
> Stourport, Worcs, England
> Enquire, plan and execute.
> ~~~~~~~~~~~~~~~~~~~~~~~~
> Please tell the newsgroup how any
> suggested solution worked for you.
>
> http://dts-l.org/goodpost.htm
>
> ~~~~~~~~~~~~~~~~~~~~~~~~
>
>
> "linda" <linda@discussions.microsoft.com> wrote in message
> news:92305404-448C-4628-AE40-0AD46A7DDC2F@microsoft.com...
> >
> > - I had task manager up, when i clicked on process it showed 57 were
> > running,
> > the only thing i had up was "my documents" and the task manager, and
> > one
> > internet page, when looking at the process it show that rundll32.exe
> > was
> > listed 22 times, all under my name, fairly new at this so dont know
> > but
> > thought this looked weird, has other things running, i.e. system,local
> > service etc, can someone tell me why that progam would be running so
> > much?
> > thx (p.s.) i tried looking up rundll32.exe in the help and support
> > section
> > but nothing listed ?? what does this program do?? thx again
> > --
> > linda
> >
> > linda
>
>
Anonymous
February 6, 2005 12:00:20 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

linda wrote:
>
> - I had task manager up, when i clicked on process it showed 57 were running,
> the only thing i had up was "my documents" and the task manager, and one
> internet page, when looking at the process it show that rundll32.exe was
> listed 22 times, all under my name, fairly new at this so dont know but
> thought this looked weird, has other things running, i.e. system,local
> service etc, can someone tell me why that progam would be running so much?
> thx (p.s.) i tried looking up rundll32.exe in the help and support section
> but nothing listed ?? what does this program do?? thx again

Twenty two instances of rundll32.exe is excessive.
As others have already suggested, this likely indicates some sort of
malware (virus, worm, trojan or spyware/adware run amok.)

If your antivirus/antispyware isn't cleaning this up for you, you'll
have to clean it up manually. One way to start this manual cleanup would
be to download and run WinPatrol. http://www.winpatrol.com

Once you have WinPatrol installed, double click on its icon in the
system tray (looks like a Scotty dog.) WinPatrol's main window will open
with the Startup Programs tab selected. Click the Report button in the
lower right corner and your browser will open with a report of the
programs being started each time Windows boots. Select everything in
that report and paste it into your reply to this post and I'll help you
with it.

--
Bob Dietz
Anonymous
February 6, 2005 1:53:44 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

Linda

Are your anti-virus definitions up to date? Run a full anti-virus scan.
It is a distinct possibility that you have a virus:

There is a virus named W32/Legemer.Worm but there is little information
in the McAfee database on it. Symantec call the virus W32.Miroot.Worm
and this page gives information:

http://securityresponse.symantec.com/avcenter/venc/data...

--


Hope this helps.

Gerry
~~~~~~~~~~~~~~~~~~~~~~~~
FCA

Using invalid email address

Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~
Please tell the newsgroup how any
suggested solution worked for you.

http://dts-l.org/goodpost.htm

~~~~~~~~~~~~~~~~~~~~~~~~




"linda" <linda@discussions.microsoft.com> wrote in message
news:EACB696C-7988-43F4-95C9-992B862FD006@microsoft.com...
>i am using home edition, i also have mcaff on my system and have the
>trend
> mico d ownloaded the pc - illian has been monitoring my system, as far
> as
> what tasks are listed - newgroups is listed and i just checked my
> hotmail so
> that program is listed, thats it? that rundll is still listed alot??
>
> "Gerry Cornell" wrote:
>
>> Linda
>>
>> Are you using Home Edition or Professional? What Tasks are listed on
>> the
>> Application tab of Task Manager?
>>
>> --
>>
>>
>> Hope this helps.
>>
>> Gerry
>> ~~~~~~~~~~~~~~~~~~~~~~~~
>> FCA
>>
>> Using invalid email address
>>
>> Stourport, Worcs, England
>> Enquire, plan and execute.
>> ~~~~~~~~~~~~~~~~~~~~~~~~
>> Please tell the newsgroup how any
>> suggested solution worked for you.
>>
>> http://dts-l.org/goodpost.htm
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~
>>
>>
>> "linda" <linda@discussions.microsoft.com> wrote in message
>> news:92305404-448C-4628-AE40-0AD46A7DDC2F@microsoft.com...
>> >
>> > - I had task manager up, when i clicked on process it showed 57
>> > were
>> > running,
>> > the only thing i had up was "my documents" and the task manager,
>> > and
>> > one
>> > internet page, when looking at the process it show that
>> > rundll32.exe
>> > was
>> > listed 22 times, all under my name, fairly new at this so dont know
>> > but
>> > thought this looked weird, has other things running, i.e.
>> > system,local
>> > service etc, can someone tell me why that progam would be running
>> > so
>> > much?
>> > thx (p.s.) i tried looking up rundll32.exe in the help and support
>> > section
>> > but nothing listed ?? what does this program do?? thx again
>> > --
>> > linda
>> >
>> > linda
>>
>>
February 7, 2005 5:05:06 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

Hi Bob - thx for your offer. I have the program installed and I brought up the
startup programs from the mail win patrol. I have about 19 things
listed...but ? is how do I copy those to you; the only option I see is to
select an item and then it says to press Info. I tried to cut/paste but that
didn't work......(told you I was new at this :) . Can u help? Thx linda

"Bob Dietz" wrote:

> linda wrote:
> >
> > - I had task manager up, when i clicked on process it showed 57 were running,
> > the only thing i had up was "my documents" and the task manager, and one
> > internet page, when looking at the process it show that rundll32.exe was
> > listed 22 times, all under my name, fairly new at this so dont know but
> > thought this looked weird, has other things running, i.e. system,local
> > service etc, can someone tell me why that progam would be running so much?
> > thx (p.s.) i tried looking up rundll32.exe in the help and support section
> > but nothing listed ?? what does this program do?? thx again
>
> Twenty two instances of rundll32.exe is excessive.
> As others have already suggested, this likely indicates some sort of
> malware (virus, worm, trojan or spyware/adware run amok.)
>
> If your antivirus/antispyware isn't cleaning this up for you, you'll
> have to clean it up manually. One way to start this manual cleanup would
> be to download and run WinPatrol. http://www.winpatrol.com
>
> Once you have WinPatrol installed, double click on it's icon in the
> system tray (looks like a Scotty dog.) WinPatrol's main window will open
> with the Startup Programs tab selected. Click the Report button in the
> lower right corner and your browser will open with a report of the
> programs being started each time windows boots. Select everything in
> that report and paste it into your reply to this post and I'll help you
> with it.
>
> --
> Bob Dietz
>
Anonymous
February 7, 2005 9:22:25 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

1) Open WinPatrol.
2) Click on the Report button in the bottom right corner of the window.
3) After a moment, Internet Explorer (or your default browser) will open
with a report. Click on a blank part of that page and press the CTRL
and C keys at the same time.
4) Start a reply to this message, then press CTRL and V keys at the
same time to paste the report into the message.

--
Bob Dietz

linda wrote:
> hi bob-thx for your offer, i have the program installed and i brought up the
> start up programs from the mail win patrol. i have about 19 things
> listed...but ? is how do i copy those to you, the only option i see is to
> select an item and then it says to press info, i tried to cut/paste but that
> didnt work......(told you i was new at this :) . can u help? thx linda
>
> "Bob Dietz" wrote:
>
>
>>linda wrote:
>>
>>>
>>>- I had task manager up, when i clicked on process it showed 57 were running,
>>>the only thing i had up was "my documents" and the task manager, and one
>>>internet page, when looking at the process it show that rundll32.exe was
>>>listed 22 times, all under my name, fairly new at this so dont know but
>>>thought this looked weird, has other things running, i.e. system,local
>>>service etc, can someone tell me why that progam would be running so much?
>>>thx (p.s.) i tried looking up rundll32.exe in the help and support section
>>>but nothing listed ?? what does this program do?? thx again
>>
>>Twenty two instances of rundll32.exe is excessive.
>>As others have already suggested, this likely indicates some sort of
>>malware (virus, worm, trojan or spyware/adware run amok.)
>>
>>If your antivirus/antispyware isn't cleaning this up for you, you'll
>>have to clean it up manually. One way to start this manual cleanup would
>>be to download and run WinPatrol. http://www.winpatrol.com
>>
>>Once you have WinPatrol installed, double click on it's icon in the
>>system tray (looks like a Scotty dog.) WinPatrol's main window will open
>>with the Startup Programs tab selected. Click the Report button in the
>>lower right corner and your browser will open with a report of the
>>programs being started each time windows boots. Select everything in
>>that report and paste it into your reply to this post and I'll help you
>>with it.
>>
>>--
>>Bob Dietz
>>
Anonymous
February 7, 2005 10:09:27 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

Oops. I left out a step in my previous post.

1) Open WinPatrol.
2) Click on the Report button in the bottom right corner of the window.
3) After a moment, Internet Explorer (or your default browser) will open
with a report. Click on a blank part of that page and press the CTRL
and A keys at the same time to select everything.
4) Press the CTRL and C keys at the same time to copy everything to
the clipboard.
5) Start a reply to this message, then press CTRL and V keys at the
same time to paste the report into the message.

--
Bob Dietz

linda wrote:
> hi bob-thx for your offer, i have the program installed and i brought up the
> start up programs from the mail win patrol. i have about 19 things
> listed...but ? is how do i copy those to you, the only option i see is to
> select an item and then it says to press info, i tried to cut/paste but that
> didnt work......(told you i was new at this :) . can u help? thx linda
>
> "Bob Dietz" wrote:
>
>
>>linda wrote:
>>
>>>
>>>- I had task manager up, when i clicked on process it showed 57 were running,
>>>the only thing i had up was "my documents" and the task manager, and one
>>>internet page, when looking at the process it show that rundll32.exe was
>>>listed 22 times, all under my name, fairly new at this so dont know but
>>>thought this looked weird, has other things running, i.e. system,local
>>>service etc, can someone tell me why that progam would be running so much?
>>>thx (p.s.) i tried looking up rundll32.exe in the help and support section
>>>but nothing listed ?? what does this program do?? thx again
>>
>>Twenty two instances of rundll32.exe is excessive.
>>As others have already suggested, this likely indicates some sort of
>>malware (virus, worm, trojan or spyware/adware run amok.)
>>
>>If your antivirus/antispyware isn't cleaning this up for you, you'll
>>have to clean it up manually. One way to start this manual cleanup would
>>be to download and run WinPatrol. http://www.winpatrol.com
>>
>>Once you have WinPatrol installed, double click on it's icon in the
>>system tray (looks like a Scotty dog.) WinPatrol's main window will open
>>with the Startup Programs tab selected. Click the Report button in the
>>lower right corner and your browser will open with a report of the
>>programs being started each time windows boots. Select everything in
>>that report and paste it into your reply to this post and I'll help you
>>with it.
>>
>>--
>>Bob Dietz
>>
February 8, 2005 2:25:04 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

Hi Bob - this is what came up....thx for your help. Prior to this, when I ran
the Lavasoft adware/spyware there was an item that came up that said it
affected the registry, and I would select the cleanup/restore/delete for it.
It would say that the task was completed, but if I ran the program again it
showed exactly the same thing it said it had taken care of? Thought I would
mention this in case it has anything to do with what's going on now....thx
again for helping...linda

WinPatrol Startup Programs
Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 11:17:08 AM, on
2/08/2005

Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
Browser: Microsoft® Windows® Operating System - Internet Explorer version
6.00.2900.2180
Memory currently in use: 91%

MSIE: Internet Explorer (6.00.2900.2180)

HKCU Window Title = Microsoft Internet Explorer provided by Comcast
HKLM Default_Page_URL = http://www.emachines.com
HKCU Start Page = http://www.emachines.com/
HKLM Start Page = http://www.msn.com/

WinLogon DefaultUserName=linda
WinLogon DefaultDomainName=LUCY
WinLogon Shell=Explorer.exe
WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,



VSOCheckTask
mcmnhdlr.exe /checktask
McAfee VirusScan Command Handler
Version: 8, 0, 0, 0
Copyright © 1998-2003 Networks Associates Technology, Inc
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
Click for Plus Info



VirusScan Online
mcvsshld.exe
McAfee VirusScan ActiveShield Resource
Version: 8, 0, 0, 0
Copyright © 1998-2003 Networks Associates Technology, Inc
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
Click for Plus Info



MCAgentExe
mcagent.exe
McAfee SecurityCenter Agent
Version: 5, 0, 0, 0
Copyright © 2004 Networks Associates Technology, Inc.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
Click for Plus Info



MCUpdateExe
mcupdate.exe
McAfee SecurityCenter Update Engine
Version: 5, 0, 0, 0
Copyright © 2004 Networks Associates Technology, Inc.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
Click for Plus Info



pccguide.exe
pccguide.exe
PCCGuide
Version: 12.10.0
Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
Click for Plus Info



MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Version: 2,0,1,0
Copyright © 2003-2004 MyWebSearch.com
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Click for Plus Info



CleanUp
mcappins.exe /v=3 /cleanup
McAfee Application Installer
Version: 5, 0, 0, 0
Copyright © 2004 Networks Associates Technology, Inc.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
Click for Plus Info



WinPatrol
winpatrol.exe
WinPatrol System Monitor
Version: 8.1.2.0
Copyright © 1997- 2004 BillP Studios
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
Click for Plus Info



msnmsgr
msnmsgr.exe /background
MSN Messenger
Version: Version 6.2
Copyright (c) Microsoft Corporation 1997-2004
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
Click for Plus Info



Yahoo! Pager
ypager.exe -quiet
Yahoo! Messenger
Version: 6,0,0,1750
Copyright 1998-2004
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Click for Plus Info



Microsoft Works Update Detection
WkDetect.exe
Microsoft® Works Update Detection
Version: 6.00.1828.1
Copyright © Microsoft Corporation 1987-2000. All rights reserved.
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Microsoft Works\WkDetect.exe
Click for Plus Info



MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Version: 2,0,1,0
Copyright © 2003-2004 MyWebSearch.com
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Click for Plus Info



eZstub
eZstub.exe
eZstub Module
Version: 1, 0, 0, 1
Copyright 2000
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Path: Command /c del C:\WINDOWS\system32\eZstub.exe
Click for Plus Info



Web Offer
EZPOPS~1.EXE
eZstub Module
Version: 1, 0, 0, 1
Copyright 2000
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
Click for Plus Info



MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Version: 2,0,1,0
Copyright © 2003-2004 MyWebSearch.com
Location: Windows Startup Group
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Click for Plus Info



Unknown Title
DLHelperEXE.exe
DLHelper Module
Version: 6, 0, 0, 3
Copyright 2001
Location: Windows Startup Group
Path: C:\Documents and Settings\linda\Start Menu\Programs\Startup\DLHelperEXE.exe
Click for Plus Info



MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Version: 2,0,1,0
Copyright © 2003-2004 MyWebSearch.com
Location: Windows Startup Group
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Click for Plus Info





"linda" wrote:

> hi bob-thx for your offer, i have the program installed and i brought up the
> start up programs from the mail win patrol. i have about 19 things
> listed...but ? is how do i copy those to you, the only option i see is to
> select an item and then it says to press info, i tried to cut/paste but that
> didnt work......(told you i was new at this :) . can u help? thx linda
>
> "Bob Dietz" wrote:
>
> > linda wrote:
> > >
> > > - I had task manager up, when i clicked on process it showed 57 were running,
> > > the only thing i had up was "my documents" and the task manager, and one
> > > internet page, when looking at the process it show that rundll32.exe was
> > > listed 22 times, all under my name, fairly new at this so dont know but
> > > thought this looked weird, has other things running, i.e. system,local
> > > service etc, can someone tell me why that progam would be running so much?
> > > thx (p.s.) i tried looking up rundll32.exe in the help and support section
> > > but nothing listed ?? what does this program do?? thx again
> >
> > Twenty two instances of rundll32.exe is excessive.
> > As others have already suggested, this likely indicates some sort of
> > malware (virus, worm, trojan or spyware/adware run amok.)
> >
> > If your antivirus/antispyware isn't cleaning this up for you, you'll
> > have to clean it up manually. One way to start this manual cleanup would
> > be to download and run WinPatrol. http://www.winpatrol.com
> >
> > Once you have WinPatrol installed, double click on it's icon in the
> > system tray (looks like a Scotty dog.) WinPatrol's main window will open
> > with the Startup Programs tab selected. Click the Report button in the
> > lower right corner and your browser will open with a report of the
> > programs being started each time windows boots. Select everything in
> > that report and paste it into your reply to this post and I'll help you
> > with it.
> >
> > --
> > Bob Dietz
> >
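
A way to triage a startup report like the one posted above, as an added example that is not part of the thread or of WinPatrol: it parses the report's text layout and marks entries for review using the patterns the replies mention (rundll32 loaders, digits-only file names) plus repeated registrations and RunOnce deletions. The field layout is taken from the pasted report; the rule names and the last sample entry are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the WinPatrol report posted in the thread.
# Entries 1-4 are abridged from that report; entry 5 is constructed to show the
# "rundll32 ... Control_RunDLL <digits>.cpl" pattern an earlier reply describes.
SAMPLE_REPORT = r"""
MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Version: 2,0,1,0
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Click for Plus Info

MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Location: Windows Startup Group
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Click for Plus Info

eZstub
eZstub.exe
eZstub Module
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Path: Command /c del C:\WINDOWS\system32\eZstub.exe
Click for Plus Info

Unknown Title
DLHelperEXE.exe
DLHelper Module
Location: Windows Startup Group
Path: C:\Documents and Settings\linda\Start
Menu\Programs\Startup\DLHelperEXE.exe
Click for Plus Info

Constructed entry
rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\system32\123456.cpl
(no description)
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\system32\123456.cpl
Click for Plus Info
"""

FIELD = re.compile(r"^(Version|Copyright|Location|Path):\s*(.*)$")
RUNDLL = re.compile(r"\brundll32(?:\.exe)?\s+(.+?\.(?:dll|cpl))\s*,\s*(\w+)", re.I)
NUMERIC_NAME = re.compile(r"(?:^|\\)\d{3,8}\.(?:exe|cpl)\b", re.I)
SELF_DELETE = re.compile(r"\b(?:command|cmd)(?:\.com|\.exe)?\s+/c\s+del\b", re.I)


def parse_report(text):
    """Split the report on its per-entry footer and collect each entry's fields."""
    entries = []
    for block in text.split("Click for Plus Info"):
        header, fields, key = [], {}, None
        for line in (raw.strip() for raw in block.splitlines()):
            if not line:
                continue
            m = FIELD.match(line)
            if m:
                key = m.group(1)
                fields[key] = m.group(2)
            elif key:
                # Continuation of a value wrapped by the mail client; assumes
                # the wrap happened at a space, as in "Start / Menu" above.
                fields[key] = (fields[key] + " " + line).strip()
            else:
                header.append(line)
        if len(header) >= 2 and "Path" in fields:
            entries.append({"title": header[0], "command": header[1],
                            "location": fields.get("Location", ""),
                            "path": fields["Path"]})
    return entries


def triage(entries):
    """Return (executable, rule, detail) review items; none of them is a verdict."""
    findings, locations = [], defaultdict(set)
    for e in entries:
        exe = e["command"].split()[0].lower()
        locations[exe].add(e["location"])
        m = RUNDLL.search(e["path"])
        if m:  # rundll32 has legitimate uses; the DLL and export need checking
            findings.append((exe, "rundll32-loader", f"{m.group(1)} -> {m.group(2)}"))
        if NUMERIC_NAME.search(e["path"]):
            findings.append((exe, "digits-only-name", e["path"]))
        if "RunOnce" in e["location"] and SELF_DELETE.search(e["path"]):
            findings.append((exe, "runonce-delete", e["path"]))
        if e["title"] == "Unknown Title":
            findings.append((exe, "no-title", e["path"]))
    for exe, locs in sorted(locations.items()):
        if len(locs) > 1:
            findings.append((exe, "multi-location", "; ".join(sorted(locs))))
    return findings


if __name__ == "__main__":
    for item in triage(parse_report(SAMPLE_REPORT)):
        print(" | ".join(item))
```

Each item is a prompt to look up the file and its publisher, in the same way the replies ask about DLHelperEXE.exe; the rules do not classify anything as malware on their own.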
Anonymous
February 8, 2005 11:54:02 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

Linda

"DLHelperEXE.exe". Research suggests this is either spyware (Downloader
for Microgaming/casino) or a download helper distributed with some
software that allows the software installation to redirect download
locations, in which case it is not required once the installation is
finished. If you right click the file and select Properties what
information is provided?

--


Hope this helps.

Gerry
~~~~~~~~~~~~~~~~~~~~~~~~
FCA

Using invalid email address

Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~
Please tell the newsgroup how any
suggested solution worked for you.

http://dts-l.org/goodpost.htm

~~~~~~~~~~~~~~~~~~~~~~~~




"linda" <linda@discussions.microsoft.com> wrote in message
news:6B36F447-5491-4C6B-97F4-54ED26A4FC95@microsoft.com...
> Hi Bob - this is what came up....thx for your help-prior to this when
> i ran
> the lavasoft adware/spyware there was an item that came up that said
> if
> affected the registry and i would select the cleanup/restore/delete
> for it,
> it would say that the task was completed but if i ran the progam again
> it
> showed exactly the same thing it said it had taken care of? thought i
> would
> mention this in case it has anything to do with what's going on
> now....thx
> again for helping...linda
>
> WinPatrol Startup Programs
> Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 11:17:08 AM, on
> 2/08/2005
>
> Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> Browser: Microsoft® Windows® Operating System - Internet Explorer
> version
> 6.00.2900.2180
> Memory currently in use: 91%
>
> MSIE: Internet Explorer (6.00.2900.2180)
>
> HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> HKLM Default_Page_URL = http://www.emachines.com
> HKCU Start Page = http://www.emachines.com/
> HKLM Start Page = http://www.msn.com/
>
> WinLogon DefaultUserName=linda
> WinLogon DefaultDomainName=LUCY
> WinLogon Shell=Explorer.exe
> WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
>
>
>
> VSOCheckTask
> mcmnhdlr.exe /checktask
> McAfee VirusScan Command Handler
> Version: 8, 0, 0, 0
> Copyright © 1998-2003 Networks Associates Technology, Inc
> Location:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> Click for Plus Info
>
>
>
> VirusScan Online
> mcvsshld.exe
> McAfee VirusScan ActiveShield Resource
> Version: 8, 0, 0, 0
> Copyright © 1998-2003 Networks Associates Technology, Inc
> Location:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> Click for Plus Info
>
>
>
> MCAgentExe
> mcagent.exe
> McAfee SecurityCenter Agent
> Version: 5, 0, 0, 0
> Copyright © 2004 Networks Associates Technology, Inc.
> Location:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> Click for Plus Info
>
>
>
> MCUpdateExe
> mcupdate.exe
> McAfee SecurityCenter Update Engine
> Version: 5, 0, 0, 0
> Copyright © 2004 Networks Associates Technology, Inc.
> Location:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> Click for Plus Info
>
>
>
> pccguide.exe
> pccguide.exe
> PCCGuide
> Version: 12.10.0
> Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> Location:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> Click for Plus Info
>
>
>
> MyWebSearch Email Plugin
> MWSOEMON.EXE
> My Web Search Email Plugin
> Version: 2,0,1,0
> Copyright © 2003-2004 MyWebSearch.com
> Location:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> Click for Plus Info
>
>
>
> CleanUp
> mcappins.exe /v=3 /cleanup
> McAfee Application Installer
> Version: 5, 0, 0, 0
> Copyright © 2004 Networks Associates Technology, Inc.
> Location:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
> Click for Plus Info
>
>
>
> WinPatrol
> winpatrol.exe
> WinPatrol System Monitor
> Version: 8.1.2.0
> Copyright © 1997- 2004 BillP Studios
> Location:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> Click for Plus Info
>
>
>
> msnmsgr
> msnmsgr.exe /background
> MSN Messenger
> Version: Version 6.2
> Copyright (c) Microsoft Corporation 1997-2004
> Location:
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
> Click for Plus Info
>
>
>
> Yahoo! Pager
> ypager.exe -quiet
> Yahoo! Messenger
> Version: 6,0,0,1750
> Copyright 1998-2004
> Location:
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> Click for Plus Info
>
>
>
> Microsoft Works Update Detection
> WkDetect.exe
> Microsoft® Works Update Detection
> Version: 6.00.1828.1
> Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> Location:
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Microsoft Works\WkDetect.exe
> Click for Plus Info
>
>
>
> MyWebSearch Email Plugin
> MWSOEMON.EXE
> My Web Search Email Plugin
> Version: 2,0,1,0
> Copyright © 2003-2004 MyWebSearch.com
> Location:
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> Click for Plus Info
>
>
>
> eZstub
> eZstub.exe
> eZstub Module
> Version: 1, 0, 0, 1
> Copyright 2000
> Location:
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> Path: Command /c del C:\WINDOWS\system32\eZstub.exe
> Click for Plus Info
>
>
>
> Web Offer
> EZPOPS~1.EXE
> eZstub Module
> Version: 1, 0, 0, 1
> Copyright 2000
> Location:
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
> Click for Plus Info
>
>
>
> MyWebSearch Email Plugin
> MWSOEMON.EXE
> My Web Search Email Plugin
> Version: 2,0,1,0
> Copyright © 2003-2004 MyWebSearch.com
> Location: Windows Startup Group
> Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> Click for Plus Info
>
>
>
> Unknown Title
> DLHelperEXE.exe
> DLHelper Module
> Version: 6, 0, 0, 3
> Copyright 2001
> Location: Windows Startup Group
> Path: C:\Documents and Settings\linda\Start
> Menu\Programs\Startup\Tis item is
> Click for Plus Info
>
>
>
> MyWebSearch Email Plugin
> MWSOEMON.EXE
> My Web Search Email Plugin
> Version: 2,0,1,0
> Copyright © 2003-2004 MyWebSearch.com
> Location: Windows Startup Group
> Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> Click for Plus Info
>
>
>
>
>
> "linda" wrote:
>
>> hi bob-thx for your offer, i have the program installed and i brought up the
>> start up programs from the mail win patrol. i have about 19 things
>> listed...but ? is how do i copy those to you, the only option i see is to
>> select an item and then it says to press info, i tried to cut/paste but that
>> didn't work......(told you i was new at this :) . can u help? thx linda
>>
>> "Bob Dietz" wrote:
>>
>> > linda wrote:
>> > >
>> > > - I had task manager up, when i clicked on process it showed 57 were running,
>> > > the only thing i had up was "my documents" and the task manager, and one
>> > > internet page, when looking at the process it show that rundll32.exe was
>> > > listed 22 times, all under my name, fairly new at this so don't know but
>> > > thought this looked weird, has other things running, i.e. system,local
>> > > service etc, can someone tell me why that program would be running so much?
>> > > thx (p.s.) i tried looking up rundll32.exe in the help and support section
>> > > but nothing listed ?? what does this program do?? thx again
>> >
>> > Twenty two instances of rundll32.exe is excessive.
>> > As others have already suggested, this likely indicates some sort of
>> > malware (virus, worm, trojan or spyware/adware run amok.)
>> >
>> > If your antivirus/antispyware isn't cleaning this up for you, you'll
>> > have to clean it up manually. One way to start this manual cleanup would
>> > be to download and run WinPatrol. http://www.winpatrol.com
>> >
>> > Once you have WinPatrol installed, double click on its icon in the
>> > system tray (looks like a Scotty dog.) WinPatrol's main window will open
>> > with the Startup Programs tab selected. Click the Report button in the
>> > lower right corner and your browser will open with a report of the
>> > programs being started each time windows boots. Select everything in
>> > that report and paste it into your reply to this post and I'll help you
>> > with it.
>> >
>> > --
>> > Bob Dietz
>> >
Anonymous
February 10, 2005 8:18:26 PM

Hi Linda,

I was pretty busy yesterday. Sorry it took so long to get back to you.

Before you start you might want to print this out on your printer.

I see some adware/spyware listed that I would have expected Lavasoft
Ad-aware to have successfully removed. Let's run through the steps that
will allow Ad-Aware to do its best work.

1) Start Ad-Aware.
2) Click "Check for updates now." (lower right corner)
3) Connect and get any available updates.
   Verify that your version number matches the version number
   of the newest available Ad-Aware.
4) Once you have the latest updates installed,
   close Ad-Aware and any other running programs.
5) To make it easier for Ad-Aware to do its job,
   we're going to run it in SAFE MODE.
   A) Restart the computer.
   B) While the computer is booting - before the first
      "Windows" screen appears, tap the F8 key.
   C) When the boot menu appears, choose SAFE MODE.
6) Start Ad-aware.
7) Click the "Start" button in the Ad-Aware window.
8) Set "Select Scan Mode" to "Perform full system scan."
9) Click the "Next" button to start the scan.
10) When the scan finishes, click "Next."
11) "Scan Results" defaults to the "Critical Objects" tab.
    Changing to the "Scan Summary" tab, will give you
    a much clearer picture of what has been found and may
    save you quite a few mouse clicks as well. Be sure there
    is a check mark beside everything you want to remove and
    click "Next."
    * No need to click the Quarantine button, Ad-aware
    * automatically quarantines everything it removes.

When you're done, close Ad-Aware and restart the computer letting it
boot normally.
Open the WinPatrol window.
Click the "Title" column heading so that programs are sorted by title in
A-Z order.

Below you'll find your report (slightly reformatted so that programs are
in A-Z order by title.) Each item is followed by my comments which are
marked by asterisks. Presumably Ad-Aware will already have
eliminated most of the evil ad-ware/spyware. If bad items still remain,
we'll use the WinPatrol report to figure out how to remove those items.
If you were doing this on your own, you'd -
1) Select the executable name with your mouse.
2) Right click on the selection and choose "Copy."
3) Open a new browser window and go to http://www.google.com
4) Right click in the Google search box and choose "Paste."
5) Click on the search button.
Hint: If you install the Google toolbar ( http://toolbar.google.com ),
      you could select the executable name, right click and choose
      "Google Search."

Use a little caution regarding the results of your search.
Some of the sites providing the information about startup items are
trying too hard to sell you something. For instance at least one site
shows a very conspicuous warning "Internal IP Exposed!" This is a simple
scam using javascript to display your IP in your browser on your
computer. Nobody can see it who isn't sitting in front of your computer
display.

Here are some domains that I regard as above average. Look for these in
the results of your Google spyware/adware searches.

AnswersThatWork.com
CastleCops.com
Iamnotageek.com
Neuber.com
Sysinfo.org
WinPatrol.com

This Sysinfo.org page is worth putting in your favorites -
http://www.sysinfo.org/startuplist.php


*****************************************************************
WinPatrol Startup Programs (Edited by Bob Dietz)

Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
Browser: Microsoft® Windows® Operating System - Internet Explorer
version 6.00.2900.2180
Memory currently in use: 91%
********************************************************************
* This memory currently in use number isn't critical, but
* a lower value would be better. If you have less than 256Mb of RAM,
* you should think about upgrading to more memory.
********************************************************************


HKCU Window Title = Microsoft Internet Explorer provided by Comcast
HKLM Default_Page_URL = http://www.emachines.com
HKCU Start Page = http://www.emachines.com/
HKLM Start Page = http://www.msn.com/

WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
WinLogon Shell=Explorer.exe
WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,



CleanUp
mcappins.exe /v=3 /cleanup
McAfee Application Installer
Version: 5, 0, 0, 0
Copyright © 2004 Networks Associates Technology, Inc.
Location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
********************************************************************
* This is part of McAfee
* I recommended that you leave it enabled. The site -
* http://startup.iamnotageek.com/srch-mcappins.exe.html
* describes it as
* McAfee Application Installer. (What does it do and is it required?)
* FWIW The Plus version of WinPatrol what it does and why it might
* be required.
********************************************************************



eZstub
eZstub.exe
eZstub Module
Version: 1, 0, 0, 1
Copyright 2000
Location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Path: Command /c del C:\WINDOWS\system32\eZstub.exe
********************************************************************
* This is an EZula component.
* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
* appears to be quite recent and I could find it mentioned on any
* web pages. For that reason, Ad-Aware may have trouble removing
* this even in SAFE MODE!
* If Ad-Aware wasn't able to remove this, try using WinPatrol to
* disable it. If it won't stay disabled, let me know and we'll
* follow some additional steps.
********************************************************************





MCAgentExe
mcagent.exe
McAfee SecurityCenter Agent
Version: 5, 0, 0, 0
Copyright © 2004 Networks Associates Technology, Inc.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
********************************************************************
* This is part of McAfee
* I recommended that you leave it enabled.
* http://startup.iamnotageek.com/srch-mcagent.exe.html
********************************************************************



MCUpdateExe
mcupdate.exe
McAfee SecurityCenter Update Engine
Version: 5, 0, 0, 0
Copyright © 2004 Networks Associates Technology, Inc.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
********************************************************************
* This is part of McAfee
* I recommended that you leave it enabled.
* http://startup.iamnotageek.com/srch-mcupdate.exe.html
********************************************************************



Microsoft Works Update Detection
WkDetect.exe
Microsoft® Works Update Detection
Version: 6.00.1828.1
Copyright © Microsoft Corporation 1987-2000. All rights reserved.
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Microsoft Works\WkDetect.exe
********************************************************************
* This checks for updates to MS Works
* Unless your computer has more memory than you know what
* to do with, I'd recommend disabling this in WinPatrol.
* Disabling is better than removal, because you can always
* decide to turn it back on at a later date.
* http://startup.iamnotageek.com/srch-wkdetect.exe.html
********************************************************************


msnmsgr
msnmsgr.exe /background
MSN Messenger
Version: Version 6.2
Copyright (c) Microsoft Corporation 1997-2004
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
********************************************************************
* Letting MSN Messenger run is a user choice.
* If you aren't sure what MSN Messenger is, you're not using
* it and there is no use to have it running constantly
* using up precious RAM.
* Later in this report, we see that Yahoo! Pager is also running.
* If you're using both of these programs, you might want to
* consider replacing the two of them with Trillian, which is
* open source freeware and provides the services of both programs.
* http://www.neuber.com/taskmanager/process/msnmsgr.exe.h...
********************************************************************


MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Version: 2,0,1,0
Copyright © 2003-2004 MyWebSearch.com
Location: Windows Startup Group
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
********************************************************************
* This is spyware.
* The fact that there are four apparently identical instances
* in the original report gives a little concern. I suspect
* this may be the culprit with regard to the 22 instances of
* rundll32.exe.
* If these are still in the list after the SAFE MODE Ad-Aware scan,
* try to disable them using WinPatrol.
* If they refuse to stay disabled, let me know and there are other
* steps we can try.
* FWIW Here are some pages with more info about MyWebSearch.
* http://www.mac-net.com/445088.page
* http://www.iamnotageek.com/a/mwsoemon.exe.php
* http://www.winpatrol.com/db/freesample/mwsoemon.html
********************************************************************


pccguide.exe
pccguide.exe
PCCGuide
Version: 12.10.0
Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
********************************************************************
* Part of Trend Micro's PC-cillin Anti-Virus
* Do you have both PC-cillin and McAfee installed?
********************************************************************



Unknown Title
DLHelperEXE.exe
DLHelper Module
Version: 6, 0, 0, 3
Copyright 2001
Location: Windows Startup Group
Path: C:\Documents and Settings\linda\Start Menu\Programs\Startup\DLHelperEXE.exe
********************************************************************
* Probably part of CasinoOnNet adware.
* If that's what it is, the Ad-Aware SAFE MODE scan probably
* removed it. If not, try disabling it in WinPatrol.
* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=45...
********************************************************************



VirusScan Online
mcvsshld.exe
McAfee VirusScan ActiveShield Resource
Version: 8, 0, 0, 0
Copyright © 1998-2003 Networks Associates Technology, Inc
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
********************************************************************
* Part of McAfee VirusScan On-Line
* I recommend leaving it enabled.
* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
********************************************************************



VSOCheckTask
mcmnhdlr.exe /checktask
McAfee VirusScan Command Handler
Version: 8, 0, 0, 0
Copyright © 1998-2003 Networks Associates Technology, Inc
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
********************************************************************
* Part of McAfee's SecurityCenter and Virusscan Online.
* I recommend leaving it enabled.
* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
********************************************************************



Web Offer
EZPOPS~1.EXE
eZstub Module
Version: 1, 0, 0, 1
Copyright 2000
Location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
********************************************************************
* Another component of EZula adware.
* I searched for specific information about this component -
* http://www.google.com/search?q=EZPOPS%7E1.EXE
* the information is pretty scant which indicates
* this version of EZula is pretty new and most anti-spyware/
* anti-adware programs probably won't remove it.
* If the SAFE MODE Ad-Aware scan fails to remove this,
* try disabling it in WinPatrol.
* If it won't stay disabled, let me know - there are other
* approaches to this problem.
********************************************************************



WinPatrol
winpatrol.exe
WinPatrol System Monitor
Version: 8.1.2.0
Copyright © 1997- 2004 BillP Studios
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
********************************************************************
* This is WinPatrol
* It's safe and I recommend that you leave it in.
* But you can't really know if that's good advice until
* you research it.
* http://www.google.com/search?q=winpatrol.exe
********************************************************************



Yahoo! Pager
ypager.exe -quiet
Yahoo! Messenger
Version: 6,0,0,1750
Copyright 1998-2004
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
********************************************************************
* Yahoo! Pager is an instant messenger application like
* MSN Messenger. If you aren't using these, you should disable them.
* If you're only using one of them, you should disable the one
* you're not using.
* If you're using both of them, you should think about switching
* to Trillian, an open source freeware application that can connect
* to many different types of instant messaging servers.
* http://startup.iamnotageek.com/srch-ypager.exe.html
********************************************************************


--
Bob Dietz

linda wrote:
> Hi Bob - this is what came up....thx for your help-prior to this when i ran
> the lavasoft adware/spyware there was an item that came up that said it
> affected the registry and i would select the cleanup/restore/delete for it,
> it would say that the task was completed but if i ran the program again it
> showed exactly the same thing it said it had taken care of? thought i would
> mention this in case it has anything to do with what's going on now....thx
> again for helping...linda
>
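
Bob's review above goes through the WinPatrol startup report entry by entry, noting where each program is registered and that one executable shows up several times. As an added example (not part of the original posts, and not WinPatrol's own code), this Python script parses a pasted report in that layout and groups entries by executable and startup location; the function names and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the WinPatrol report pasted in this thread.
# One entry is ">"-quoted and two are line-wrapped, as happens in newsgroup posts.
SAMPLE_REPORT = r"""
MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Version: 2,0,1,0
Location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Click for Plus Info

> MyWebSearch Email Plugin
> MWSOEMON.EXE
> My Web Search Email Plugin
> Location: Windows Startup Group
> Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
>
eZstub
eZstub.exe
eZstub Module
Location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Path: Command /c del C:\WINDOWS\system32\eZstub.exe

Unknown Title
DLHelperEXE.exe
DLHelper Module
Location: Windows Startup Group
Path: C:\Documents and Settings\linda\Start
Menu\Programs\Startup\DLHelperEXE.exe

Yahoo! Pager
ypager.exe -quiet
Yahoo! Messenger
Location: * Disabled *
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""

SKIP = ("Version:", "Copyright", "Click for Plus Info", "*")


def classify_location(location):
    """Map a report 'Location:' value to (short kind, disabled flag)."""
    disabled = "* Disabled *" in location
    location = location.replace("* Disabled *", "").strip()
    m = re.match(r"HKEY_(LOCAL_MACHINE|CURRENT_USER)\\.*\\(Run\w*)$", location)
    if m:
        hive = "HKLM" if m.group(1) == "LOCAL_MACHINE" else "HKCU"
        return hive + "\\" + m.group(2), disabled
    if location == "Windows Startup Group":
        return "Startup folder", disabled
    return location, disabled


def parse_report(text):
    """Return one dict per startup entry found in a pasted report."""
    lines = [re.sub(r"^(?:>\s?)+", "", ln).rstrip() for ln in text.splitlines()]
    entries = []
    for block in re.split(r"\n\s*\n", "\n".join(lines).strip()):
        rows = [r.strip() for r in block.splitlines() if r.strip()]
        if len(rows) < 3 or not any(r.startswith("Path:") for r in rows):
            continue  # report header, prose or signature, not a startup entry
        fields, current = {"Location:": "", "Path:": ""}, None
        for row in rows[2:]:
            label = next((k for k in fields if row.startswith(k)), None)
            if label:
                current, fields[label] = label, row[len(label):].strip()
            elif row.startswith(SKIP):
                current = None
            elif current:  # continuation of a wrapped Location or Path value
                fields[current] = (fields[current] + " " + row).strip()
        kind, disabled = classify_location(fields["Location:"])
        entries.append({"title": rows[0], "exe": rows[1].split()[0].lower(),
                        "kind": kind, "disabled": disabled, "path": fields["Path:"]})
    return entries


def triage(entries):
    """Group entries by executable and list the ones worth a closer look."""
    by_exe = defaultdict(list)
    for e in entries:
        by_exe[e["exe"]].append(e["kind"])
    return {
        "duplicates": {exe: k for exe, k in by_exe.items() if len(k) > 1},
        "runonce": sorted(e["exe"] for e in entries if e["kind"].endswith("RunOnce")),
        "startup_folder": sorted({e["exe"] for e in entries if e["kind"] == "Startup folder"}),
        "disabled": sorted(e["exe"] for e in entries if e["disabled"]),
    }


if __name__ == "__main__":
    for heading, found in triage(parse_report(SAMPLE_REPORT)).items():
        print(heading, "->", found)
```
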
February 11, 2005 11:05:02 PM

Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
a lot less crowded than it did- also when I look at the task manager it now
shows 37 programs, (I have a few things running when it shows that amt) and
not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
on the winpatrol and had already disabled that, I thought it was funny seeing
3 times, so I'm glad to know I was on the right track there. When I went
back to the winpatrol and disabled the DLHelper program, a minute or so later
I got a pop up saying that a new program was wanting to be added to the start
up-and it was the DLHelper I had just disabled, so I said no on the ok to add
to start-up. Here is what the list shows now: (pls read my add'l msg
after the winpatrol info)

WinPatrol Startup Programs
Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
2/11/2005

Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
Browser: Microsoft® Windows® Operating System - Internet Explorer version
6.00.2900.2180
Memory currently in use: 79%

MSIE: Internet Explorer (6.00.2900.2180)

HKCU Window Title = Microsoft Internet Explorer provided by Comcast
HKLM Default_Page_URL = http://www.emachines.com
HKCU Start Page = http://www.comcast.net/
HKLM Start Page = http://www.msn.com/

WinLogon DefaultUserName=linda
WinLogon DefaultDomainName=LUCY
WinLogon Shell=Explorer.exe
WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,



VSOCheckTask
mcmnhdlr.exe /checktask
McAfee VirusScan Command Handler
Version: 8, 0, 0, 0
Copyright © 1998-2003 Networks Associates Technology, Inc
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
Click for Plus Info



VirusScan Online
mcvsshld.exe
McAfee VirusScan ActiveShield Resource
Version: 8, 0, 0, 0
Copyright © 1998-2003 Networks Associates Technology, Inc
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
Click for Plus Info



MCAgentExe
mcagent.exe
McAfee SecurityCenter Agent
Version: 5, 0, 0, 0
Copyright © 2004 Networks Associates Technology, Inc.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
Click for Plus Info



MCUpdateExe
mcupdate.exe
McAfee SecurityCenter Update Engine
Version: 5, 0, 0, 0
Copyright © 2004 Networks Associates Technology, Inc.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
Click for Plus Info



pccguide.exe
pccguide.exe
PCCGuide
Version: 12.10.0
Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
Click for Plus Info



WinPatrol
winpatrol.exe
WinPatrol System Monitor
Version: 8.1.2.0
Copyright © 1997- 2004 BillP Studios
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
Click for Plus Info



MPFExe
MpfTray.exe
McAfee Personal Firewall Tray Monitor
Version: 6.0.0.14
Copyright © 2000-2004 Networks Associates Technologies, Inc.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
Click for Plus Info



McRegWiz
mcregwiz.exe /autorun
McRegWiz Module
Version: 1, 0, 0, 4
Copyright 2003 Networks Associates Technology, Inc
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
Click for Plus Info



Microsoft Works Update Detection
WkDetect.exe
Microsoft® Works Update Detection
Version: 6.00.1828.1
Copyright © Microsoft Corporation 1987-2000. All rights reserved.
Location: * Disabled *
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Microsoft Works\WkDetect.exe
Click for Plus Info



Yahoo! Pager
ypager.exe -quiet
Yahoo! Messenger
Version: 6,0,0,1750
Copyright 1998-2004
Location: * Disabled *
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Click for Plus Info

I wanted to say THANK-YOU so much...not only do i appreciate you taking the
time to help me..and also the detailed instructions, they were easy for me to
follow and understand, as I said in my original msg. I'm relatively new at all
this so being able to follow/understand was great. I have only posted to
newsgroups a few times and honestly I have gotten a few responses that just
leave me sitting there going "HUH". Again thanks very much for your help!!!
Linda



"Bob Dietz" wrote:

> Hi Linda,
>
> I was pretty busy yesterday. Sorry it took so long to get back to you.
>
> Before you start you might want to print this out on your printer.
>
> I see some adware/spyware listed that I would have expected Lavasoft
> Ad-aware to have successfully removed. Let's run through the steps that
> will allow Ad-Aware to do its best work.
>
> 1) Start Ad-Aware.
> 2) Click "Check for updates now." (lower right corner)
> 3) Connect and get any available updates.
>    Verify that your version number matches the version number
>    of the newest available Ad-Aware.
> 4) Once you have the latest updates installed,
>    close Ad-Aware and any other running programs.
> 5) To make it easier for Ad-Aware to do its job,
>    we're going to run it in SAFE MODE.
>    A) Restart the computer.
>    B) While the computer is booting - before the first
>       "Windows" screen appears, tap the F8 key.
>    C) When the boot menu appears, choose SAFE MODE.
> 6) Start Ad-aware.
> 7) Click the "Start" button in the Ad-Aware window.
> 8) Set "Select Scan Mode" to "Perform full system scan."
> 9) Click the "Next" button to start the scan.
> 10) When the scan finishes, click "Next."
> 11) "Scan Results" defaults to the "Critical Objects" tab.
>     Changing to the "Scan Summary" tab, will give you
>     a much clearer picture of what has been found and may
>     save you quite a few mouse clicks as well. Be sure there
>     is a check mark beside everything you want to remove and
>     click "Next."
>     * No need to click the Quarantine button, Ad-aware
>     * automatically quarantines everything it removes.
>
> When you're done, close Ad-Aware and restart the computer letting it
> boot normally.
> Open the WinPatrol window.
> Click the "Title" column heading so that programs are sorted by title in
> A-Z order.
>
> Below you'll find your report (slightly reformatted so that programs are
> in A-Z order by title.) Each item is followed by my comments which are
> marked by asterisks. Presumably Ad-Aware will already have
> eliminated most of the evil ad-ware/spyware. If bad items still remain,
> we'll use the WinPatrol report to figure out how to remove those items.
> If you were doing this on your own, you'd -
> 1) Select the executable name with your mouse.
> 2) Right click on the selection and choose "Copy."
> 3) Open a new browser window and go to http://www.google.com
> 4) Right click in the Google search box and choose "Paste."
> 5) Click on the search button.
> Hint: If you install the Google toolbar ( http://toolbar.google.com ),
>       you could select the executable name, right click and choose
>       "Google Search."
>
> Use a little caution regarding the results of your search.
> Some of the sites providing the information about startup items are
> trying too hard to sell you something. For instance at least one site
> shows a very conspicuous warning "Internal IP Exposed!" This is a simple
> scam using javascript to display your IP in your browser on your
> computer. Nobody can see it who isn't sitting in front of your computer
> display.
>
> Here are some domains that I regard as above average. Look for these in
> the results of your Google spyware/adware searches.
>
> AnswersThatWork.com
> CastleCops.com
> Iamnotageek.com
> Neuber.com
> Sysinfo.org
> WinPatrol.com
>
> This Sysinfo.org page is worth putting in your favorites -
> http://www.sysinfo.org/startuplist.php
>
>
> *****************************************************************
> WinPatrol Startup Programs (Edited by Bob Dietz)
>
> Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> Browser: Microsoft® Windows® Operating System - Internet Explorer
> version 6.00.2900.2180
> Memory currently in use: 91%
> ********************************************************************
> * This memory currently in use number isn't critical, but
> * a lower value would be better. If you have less than 256Mb of RAM,
> * you should think about upgrading to more memory.
> ********************************************************************
>
>
> HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> HKLM Default_Page_URL = http://www.emachines.com
> HKCU Start Page = http://www.emachines.com/
> HKLM Start Page = http://www.msn.com/
>
> WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
> WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
> WinLogon Shell=Explorer.exe
> WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
>
>
>
> CleanUp
> mcappins.exe /v=3 /cleanup
> McAfee Application Installer
> Version: 5, 0, 0, 0
> Copyright © 2004 Networks Associates Technology, Inc.
> Location:
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
> ********************************************************************
> * This is part of McAfee
> * I recommended that you leave it enabled. The site -
> * http://startup.iamnotageek.com/srch-mcappins.exe.html
> * describes it as
> * McAfee Application Installer. (What does it do and is it required?)
> * FWIW The Plus version of WinPatrol what it does and why it might
> * be required.
> ********************************************************************
>
>
>
> eZstub
> eZstub.exe
> eZstub Module
> Version: 1, 0, 0, 1
> Copyright 2000
> Location:
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> Path: Command /c del C:\WINDOWS\system32\eZstub.exe
> ********************************************************************
> * This is an EZula component.
> * The other EZula component in this list - Web Offers - EZPOPS~1.EXE
> * appears to be quite recent and I could find it mentioned on any
> * web pages. For that reason, Ad-Aware may have trouble removing
> * this even in SAFE MODE!
> * If Ad-Aware wasn't able to remove this, try using WinPatrol to
> * disable it. If it won't stay disabled, let me know and we'll
> * follow some additional steps.
> ********************************************************************
>
>
>
>
>
> MCAgentExe
> mcagent.exe
> McAfee SecurityCenter Agent
> Version: 5, 0, 0, 0
> Copyright © 2004 Networks Associates Technology, Inc.
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> ********************************************************************
> * This is part of McAfee
> * I recommended that you leave it enabled.
> * http://startup.iamnotageek.com/srch-mcagent.exe.html
> ********************************************************************
>
>
>
> MCUpdateExe
> mcupdate.exe
> McAfee SecurityCenter Update Engine
> Version: 5, 0, 0, 0
> Copyright © 2004 Networks Associates Technology, Inc.
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> ********************************************************************
> * This is part of McAfee
> * I recommended that you leave it enabled.
> * http://startup.iamnotageek.com/srch-mcupdate.exe.html
> ********************************************************************
>
>
>
> Microsoft Works Update Detection
> WkDetect.exe
> Microsoft® Works Update Detection
> Version: 6.00.1828.1
> Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Microsoft Works\WkDetect.exe
> ********************************************************************
> * This checks for updates to MS Works
> * Unless your computer has more memory than you know what
> * to do with, I'd recommend disabling this in WinPatrol.
> * Disabling is better than removal, because you can always
> * decide to turn it back on at a later date.
> * http://startup.iamnotageek.com/srch-wkdetect.exe.html
> ********************************************************************
>
>
> msnmsgr
> msnmsgr.exe /background
> MSN Messenger
> Version: Version 6.2
> Copyright (c) Microsoft Corporation 1997-2004
> Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
> ********************************************************************
> * Letting MSN Messenger run is a user choice.
> * If you aren't sure what MSN Messenger is, you're not using
> * it and there is no use to have it running constantly
> * using up precious RAM.
> * Later in this report, we see that Yahoo! Pager is also running.
> * If you're using both of these programs, you might want to
> * consider replacing the two of them with Trillian, which is
> * open source freeware and provides the services of both programs.
> * http://www.neuber.com/taskmanager/process/msnmsgr.exe.h...
> ********************************************************************
>
>
> MyWebSearch Email Plugin
> MWSOEMON.EXE
> My Web Search Email Plugin
> Version: 2,0,1,0
> Copyright © 2003-2004 MyWebSearch.com
> Location: Windows Startup Group
> Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> ********************************************************************
> * This is spyware.
> * The fact that there are four apparently identical instances
> * in the original report gives a little concern. I suspect
> * this may be the culprit with regard to the 22 instances of
> * rundll32.exe.
> * If these are still in the list after the SAFE MODE Ad-Aware scan,
> * try to disable them using WinPatrol.
> * If they refuse to stay disabled, let me know and there are other
> * steps we can try.
> * FWIW Here are some pages with more info about MyWebSearch.
> * http://www.mac-net.com/445088.page
> * http://www.iamnotageek.com/a/mwsoemon.exe.php
> * http://www.winpatrol.com/db/freesample/mwsoemon.html
> ********************************************************************
>
>
> pccguide.exe
> pccguide.exe
> PCCGuide
> Version: 12.10.0
> Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> ********************************************************************
> * Part of Trend Micro's PC-Cillan Anti-Virus
> * Do you have both PC-Cillan and McAfee installed?
> ********************************************************************
>
>
>
> Unknown Title
> DLHelperEXE.exe
> DLHelper Module
> Version: 6, 0, 0, 3
> Copyright 2001
> Location: Windows Startup Group
> Path: C:\Documents and Settings\linda\Start
> Menu\Programs\Startup\DLHelperEXE.exe
> ********************************************************************
> * Probably part of CasinoOnNet adware.
> * If that's what it is, the Ad-Aware SAFE MODE scan probably
> * removed it. If not, try disabling it in WinPatrol.
> * http://www3.ca.com/securityadvisor/pest/pest.aspx?id=45...
> ********************************************************************
>
>
>
> VirusScan Online
> mcvsshld.exe
> McAfee VirusScan ActiveShield Resource
> Version: 8, 0, 0, 0
> Copyright © 1998-2003 Networks Associates Technology, Inc
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> ********************************************************************
> * Part of McAfee VirusScan On-Line
> * I recommend leaving it enabled.
> * http://startup.iamnotageek.com/srch-mcvsshld.exe.html
> ********************************************************************
>
>
>
> VSOCheckTask
> mcmnhdlr.exe /checktask
> McAfee VirusScan Command Handler
> Version: 8, 0, 0, 0
> Copyright © 1998-2003 Networks Associates Technology, Inc
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> ********************************************************************
> * Part of McAfee's SecurityCenter and Virusscan Online.
> * I recommend leaving it enabled.
> * http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
> ********************************************************************
>
>
>
> Web Offer
> EZPOPS~1.EXE
> eZstub Module
> Version: 1, 0, 0, 1
> Copyright 2000
> Location:
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
> ********************************************************************
> * Another component of EZula adware.
> * I search for specific information about this component -
> * http://www.google.com/search?q=EZPOPS%7E1.EXE
> * the information is pretty scant which indicates
> * this version of EZula is pretty new and most anti-spyware/
> * anti-adware programs probably won't remove it.
> * If the SAFE MODE Ad-Aware scan fails to remove this,
> * try disabling it in WinPatrol.
> * If it won't stay disabled, let me know - there are other
> * approaches to this problem.
> ********************************************************************
>
>
>
> WinPatrol
> winpatrol.exe
> WinPatrol System Monitor
> Version: 8.1.2.0
> Copyright © 1997- 2004 BillP Studios
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> ********************************************************************
> * This is WinPatrol
> * It's safe and I recommend that you leave it in.
> * But you can't really know if that's good advice until
> * you research it.
> * http://www.google.com/search?q=winpatrol.exe
> ********************************************************************
>
>
>
> Yahoo! Pager
> ypager.exe -quiet
> Yahoo! Messenger
> Version: 6,0,0,1750
> Copyright 1998-2004
> Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> ********************************************************************
> * Yahoo! Pager is an instant messenger application like
> * MSN Messenger. If you aren't using these, you should disable them.
> * If you're only using one of them, you should disable the one
> * you're not using.
> * If you're using both of them, you should think about switching
> * to Trillian, an open source freeware application that can connect
> * to many different types of instant messaging servers.
> * http://startup.iamnotageek.com/srch-ypager.exe.html
> ********************************************************************
>
>
> --
> Bob Dietz
>
> linda wrote:
> > Hi Bob - this is what came up....thx for your help-prior to this when i ran
> > the lavasoft adware/spyware there was an item that came up that said if
> > affected the registry and i would select the cleanup/restore/delete for it,
> > it would say that the task was completed but if i ran the progam again it
> > showed exactly the same thing it said it had taken care of? thought i would
> > mention this in case it has anything to do with what's going on now....thx
> > again for helping...linda
> >
>
February 12, 2005 12:45:02 PM

Hi Bob- I also wanted to let you know that the reason I'm showing both McAff
and Trend Micro is that when I went to their site to do a "house call"
(friend of mine had recomm it) it would not scan, so I downloaded the free
trial version and it will be expiring in about a week...I like the way the
program runs, would you recommend? and.....last thing, I did put that sysinfo
in my favorites and have been going in and looking around...thx
again.....bye...linda

"linda" wrote:

> Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
> a lot less crowded than it did- also when I look at the task manager it now
> shows 37 programs, (I have a few things running when it shows that amt) and
> not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
> on the winpatrol and had already disabled that, I thought it was funny seeing
> 3 times, so I'm glad to know I was on the right track there. When I went
> back to the winpatrol and disable the DLHelper program, a minute or so later
> I got a pop up saying that a new program was wanting to be added to the start
> up-and it was the DLHelper I had just disabled, so I said no on the ok to add
> to start-up. Here's is what the list shows now: (pls read my add'l msg
> after the winpatrol info)
>
> WinPatrol Startup Programs
> Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
> 2/11/2005
>
> Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> Browser: Microsoft® Windows® Operating System - Internet Explorer version
> 6.00.2900.2180
> Memory currently in use: 79%
>
> MSIE: Internet Explorer (6.00.2900.2180)
>
> HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> HKLM Default_Page_URL = http://www.emachines.com
> HKCU Start Page = http://www.comcast.net/
> HKLM Start Page = http://www.msn.com/
>
> WinLogon DefaultUserName=linda
> WinLogon DefaultDomainName=LUCY
> WinLogon Shell=Explorer.exe
> WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
>
>
>
> VSOCheckTask
> mcmnhdlr.exe /checktask
> McAfee VirusScan Command Handler
> Version: 8, 0, 0, 0
> Copyright © 1998-2003 Networks Associates Technology, Inc
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> Click for Plus Info
>
>
>
> VirusScan Online
> mcvsshld.exe
> McAfee VirusScan ActiveShield Resource
> Version: 8, 0, 0, 0
> Copyright © 1998-2003 Networks Associates Technology, Inc
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> Click for Plus Info
>
>
>
> MCAgentExe
> mcagent.exe
> McAfee SecurityCenter Agent
> Version: 5, 0, 0, 0
> Copyright © 2004 Networks Associates Technology, Inc.
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> Click for Plus Info
>
>
>
> MCUpdateExe
> mcupdate.exe
> McAfee SecurityCenter Update Engine
> Version: 5, 0, 0, 0
> Copyright © 2004 Networks Associates Technology, Inc.
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> Click for Plus Info
>
>
>
> pccguide.exe
> pccguide.exe
> PCCGuide
> Version: 12.10.0
> Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> Click for Plus Info
>
>
>
> WinPatrol
> winpatrol.exe
> WinPatrol System Monitor
> Version: 8.1.2.0
> Copyright © 1997- 2004 BillP Studios
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> Click for Plus Info
>
>
>
> MPFExe
> MpfTray.exe
> McAfee Personal Firewall Tray Monitor
> Version: 6.0.0.14
> Copyright © 2000-2004 Networks Associates Technologies, Inc.
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
> Click for Plus Info
>
>
>
> McRegWiz
> mcregwiz.exe /autorun
> McRegWiz Module
> Version: 1, 0, 0, 4
> Copyright 2003 Networks Associates Technology, Inc
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
> Click for Plus Info
>
>
>
> Microsoft Works Update Detection
> WkDetect.exe
> Microsoft® Works Update Detection
> Version: 6.00.1828.1
> Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> Location: * Disabled *
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Microsoft Works\WkDetect.exe
> Click for Plus Info
>
>
>
> Yahoo! Pager
> ypager.exe -quiet
> Yahoo! Messenger
> Version: 6,0,0,1750
> Copyright 1998-2004
> Location: * Disabled *
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> Click for Plus Info
>
> I wanted to say THANK-YOU so much...not only do I appreciate you taking the
> time to help me..and also the detailed instructions, they were easy for me to
> follow and understand, as I said in my original msg. I'm relatively new at all
> this so being able to follow/understand was great. I have only posted to
> newsgroups a few times and honestly I have gotten a few responses that just
> leave me sitting there going "HUH". Again thanks very much for your help!!!
> Linda
>
>
>
> "Bob Dietz" wrote:
>
> > Hi Linda,
> >
> > I was pretty busy yesterday. Sorry it took so long to get back to you
> >
> > Before you start you might want to print this out on your printer.
> >
> > I see some adware/spyware listed that I would have expected Lavasoft
> > Ad-aware to have successfully removed. Let's run through the steps that
> > will allow Ad-Aware to do its best work.
> >
> > 1) Start Ad-Aware.
> > 2) Click "Check for updates now." (lower right corner)
> > 3) Connect and get any available updates.
> > Verify that your version number matches the version number
> > of the newest available Ad-Aware.
> > 4) Once you have the latest updates installed,
> > close Ad-Aware and any other running programs.
> > 5) To make it easier for Ad-Aware to do its job,
> > we're going to run it in SAFE MODE.
> > A) Restart the computer.
> > B) While the computer is booting - before the first
> > "Windows" screen appears, tap the F8 key.
> > C) When the boot menu appears, choose SAFE MODE.
> > 6) Start Ad-aware.
> > 7) Click the "Start" button in the Ad-Aware window.
> > 8) Set "Select Scan Mode" to "Perform full system scan."
> > 9) Click the "Next" button to start the scan.
> > 10) When the scan finishes, click "Next."
> > 11) "Scan Results" defaults to the "Critical Objects" tab.
> > Changing to the "Scan Summary" tab, will give you
> > a much clearer picture of what has been found and may
> > save you quite a few mouse clicks as well. Be sure there
> > is a check mark beside everything you want to remove and
> > click "Next."
> > * No need to click the Quarantine button, Ad-aware
> > * automatically quarantines everything it removes.
> >
> > When you're done, close Ad-Aware and restart the computer letting it
> > boot normally.
> > Open the WinPatrol window.
> > Click the "Title" column heading so that programs are sorted by title in
> > A-Z order.
> >
> > Below you'll find your report (slightly reformatted so that programs are
> > in A-Z order by title.) Each item is followed by my comments which are
> > marked by asterisks. Presumably Ad-Aware will already have
> > eliminated most of the evil ad-ware/spyware. If bad items still remain,
> > we'll use the WinPatrol report to figure out how to remove those items.
> > If you were doing this on your own, you'd -
> > 1) Select the executable name with your mouse.
> > 2) Right click on the selection and choose "Copy."
> > 3) Open a new browser window and go to http://www.google.com
> > 4) Right click in the Google search box and choose "Paste."
> > 5) Click on the search button.
> > Hint: If you install the Google toolbar ( http://toolbar.google.com ),
> > you could select the executable name, right click and choose
> > "Google Search."
> >
> > Use a little caution regarding the results of your search.
> > Some of the sites providing the information about startup items are
> > trying too hard to sell you something. For instance at least one site
> > shows a very conspicuous warning "Internal IP Exposed!" This is a simple
> > scam using javascript to display your IP in your browser on your
> > computer. Nobody can see it who isn't sitting in front of your computer
> > display.
> >
> > Here are some domains that I regard as above average. Look for these in
> > the result of your Google spyware/adware searches.
> >
> > AnswersThatWork.com
> > CastleCops.com
> > Iamnotageek.com
> > Neuber.com
> > Sysinfo.org
> > WinPatrol.com
> >
> > This Sysinfo.org page is worth putting in your favorites -
> > http://www.sysinfo.org/startuplist.php
> >
> >
> > *****************************************************************
> > WinPatrol Startup Programs (Edited by Bob Dietz)
> >
> > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> > Browser: Microsoft® Windows® Operating System - Internet Explorer
> > version 6.00.2900.2180
> > Memory currently in use: 91%
> > ********************************************************************
> > * This memory currently in use number isn't critical, but
> > * a lower value would be better. If you have less than 256Mb of RAM,
> > * you should think about upgrading to more memory.
> > ********************************************************************
> >
> >
> > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> > HKLM Default_Page_URL = http://www.emachines.com
> > HKCU Start Page = http://www.emachines.com/
> > HKLM Start Page = http://www.msn.com/
> >
> > WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
> > WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
> > WinLogon Shell=Explorer.exe
> > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
> >
> >
> >
> > CleanUp
> > mcappins.exe /v=3 /cleanup
> > McAfee Application Installer
> > Version: 5, 0, 0, 0
> > Copyright © 2004 Networks Associates Technology, Inc.
> > Location:
> > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
> > ********************************************************************
> > * This is part of McAfee
> > * I recommended that you leave it enabled. The site -
> > * http://startup.iamnotageek.com/srch-mcappins.exe.html
> > * describes it as
> > * McAfee Application Installer. (What does it do and is it required?)
> > * FWIW The Plus version of WinPatrol what it does and why it might
> > * be required.
> > ********************************************************************
> >
> >
> >
> > eZstub
> > eZstub.exe
> > eZstub Module
> > Version: 1, 0, 0, 1
> > Copyright 2000
> > Location:
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> > Path: Command /c del C:\WINDOWS\system32\eZstub.exe
> > ********************************************************************
> > * This is an EZula component.
> > * The other EZula component in this list - Web Offers - EZPOPS~1.EXE
> > * appears to be quite recent and I could find it mentioned on any
> > * web pages. For that reason, Ad-Aware may have trouble removing
> > * this even in SAFE MODE!
> > * If Ad-Aware wasn't able to remove this, try using WinPatrol to
> > * disable it. If it won't stay disabled, let me know and we'll
> > * follow some additional steps.
> > ********************************************************************
> >
> >
> >
> >
> >
> > MCAgentExe
> > mcagent.exe
> > McAfee SecurityCenter Agent
> > Version: 5, 0, 0, 0
> > Copyright © 2004 Networks Associates Technology, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> > ********************************************************************
> > * This is part of McAfee
> > * I recommended that you leave it enabled.
> > * http://startup.iamnotageek.com/srch-mcagent.exe.html
> > ********************************************************************
> >
> >
> >
> > MCUpdateExe
> > mcupdate.exe
> > McAfee SecurityCenter Update Engine
> > Version: 5, 0, 0, 0
> > Copyright © 2004 Networks Associates Technology, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> > ********************************************************************
> > * This is part of McAfee
> > * I recommended that you leave it enabled.
> > * http://startup.iamnotageek.com/srch-mcupdate.exe.html
> > ********************************************************************
> >
> >
> >
> > Microsoft Works Update Detection
> > WkDetect.exe
> > Microsoft® Works Update Detection
> > Version: 6.00.1828.1
> > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> > Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Microsoft Works\WkDetect.exe
> > ********************************************************************
> > * This checks for updates to MS Works
> > * Unless your computer has more memory than you know what
> > * to do with, I'd recommend disabling this in WinPatrol.
> > * Disabling is better than removal, because you can always
> > * decide to turn it back on at a later date.
> > * http://startup.iamnotageek.com/srch-wkdetect.exe.html
> > ********************************************************************
> >
> >
> > msnmsgr
> > msnmsgr.exe /background
> > MSN Messenger
> > Version: Version 6.2
> > Copyright (c) Microsoft Corporation 1997-2004
> > Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
> > ********************************************************************
> > * Letting MSN Messenger run is a user choice.
> > * If you aren't sure what MSN Messenger is, you're not using
> > * it and there is no use to have it running constantly
> > * using up precious RAM.
> > * Later in this report, we see that Yahoo! Pager is also running.
> > * If you're using both of these programs, you might want to
> > * consider replacing the two of them with Trillian, which is
> > * open source freeware and provides the services of both programs.
> > * http://www.neuber.com/taskmanager/process/msnmsgr.exe.h...
> > ********************************************************************
> >
> >
> > MyWebSearch Email Plugin
> > MWSOEMON.EXE
> > My Web Search Email Plugin
> > Version: 2,0,1,0
> > Copyright © 2003-2004 MyWebSearch.com
> > Location: Windows Startup Group
> > Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> > ********************************************************************
> > * This is spyware.
> > * The fact that there are four apparently identical instances
> > * in the original report gives a little concern. I suspect
> > * this may be the culprit with regard to the 22 instances of
> > * rundll32.exe.
> > * If these are still in the list after the SAFE MODE Ad-Aware scan,
> > * try to disable them using WinPatrol.
> > * If they refuse to stay disabled, let me know and there are other
> > * steps we can try.
> > * FWIW Here are some pages with more info about MyWebSearch.
> > * http://www.mac-net.com/445088.page
> > * http://www.iamnotageek.com/a/mwsoemon.exe.php
> > * http://www.winpatrol.com/db/freesample/mwsoemon.html
> > ********************************************************************
> >
> >
> > pccguide.exe
> > pccguide.exe
> > PCCGuide
> > Version: 12.10.0
> > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> > ********************************************************************
> > * Part of Trend Micro's PC-Cillan Anti-Virus
> > * Do you have both PC-Cillan and McAfee installed?
> > ********************************************************************
> >
> >
> >
> > Unknown Title
> > DLHelperEXE.exe
> > DLHelper Module
> > Version: 6, 0, 0, 3
> > Copyright 2001
> > Location: Windows Startup Group
> > Path: C:\Documents and Settings\linda\Start
> > Menu\Programs\Startup\DLHelperEXE.exe
> > ********************************************************************
> > * Probably part of CasinoOnNet adware.
> > * If that's what it is, the Ad-Aware SAFE MODE scan probably
> > * removed it. If not, try disabling it in WinPatrol.
> > * http://www3.ca.com/securityadvisor/pest/pest.aspx?id=45...
> > ********************************************************************
> >
> >
> >
> > VirusScan Online
> > mcvsshld.exe
> > McAfee VirusScan ActiveShield Resource
> > Version: 8, 0, 0, 0
> > Copyright © 1998-2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> > ********************************************************************
> > * Part of McAfee VirusScan On-Line
> > * I recommend leaving it enabled.
> > * http://startup.iamnotageek.com/srch-mcvsshld.exe.html
> > ********************************************************************
> >
> >
> >
> > VSOCheckTask
> > mcmnhdlr.exe /checktask
> > McAfee VirusScan Command Handler
> > Version: 8, 0, 0, 0
> > Copyright © 1998-2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> > ********************************************************************
> > * Part of McAfee's SecurityCenter and Virusscan Online.
> > * I recommend leaving it enabled.
> > * http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
> > ********************************************************************
> >
> >
> >
> > Web Offer
> > EZPOPS~1.EXE
> > eZstub Module
> > Version: 1, 0, 0, 1
> > Copyright 2000
> > Location:
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> > Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
> > ********************************************************************
> > * Another component of EZula adware.
> > * I search for specific information about this component -
> > * http://www.google.com/search?q=EZPOPS%7E1.EXE
> > * the information is pretty scant which indicates
> > * this version of EZula is pretty new and most anti-spyware/
> > * anti-adware programs probably won't remove it.
> > * If the SAFE MODE Ad-Aware scan fails to remove this,
> > * try disabling it in WinPatrol.
> > * If it won't stay disabled, let me know - there are other
> > * approaches to this problem.
> > ********************************************************************
> >
> >
> >
> > WinPatrol
> > winpatrol.exe
> > WinPatrol System Monitor
> > Version: 8.1.2.0
> > Copyright © 1997- 2004 BillP Studios
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> > ********************************************************************
> > * This is WinPatrol
> > * It's safe and I recommend that you leave it in.
> > * But you can't really know if that's good advice until
> > * you research it.
> > * http://www.google.com/search?q=winpatrol.exe
> > ********************************************************************
> >
> >
> >
> > Yahoo! Pager
> > ypager.exe -quiet
> > Yahoo! Messenger
> > Version: 6,0,0,1750
> > Copyright 1998-2004
> > Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> > ********************************************************************
> > * Yahoo! Pager is an instant messenger application like
> > * MSN Messenger. If you aren't using these, you should disable them.
> > * If you're only using one of them, you should disable the one
> > * you're not using.
> > * If you're using both of them, you should think about switching
> > * to Trillian, an open source freeware application that can connect
> > * to many different types of instant messaging servers.
> > * http://startup.iamnotageek.com/srch-ypager.exe.html
> > ********************************************************************
> >
> >
> > --
> > Bob Dietz
> >
> > linda wrote:
> > > Hi Bob - this is what came up....thx for your help-prior to this when i ran
> > > the lavasoft adware/spyware there was an item that came up that said if
> > > affected the registry and i would select the cleanup/restore/delete for it,
> > > it would say that the task was completed but if i ran the progam again it
> > > showed exactly the same thing it said it had taken care of? thought i would
> > > mention this in case it has anything to do with what's going on now....thx
> > > again for helping...linda
> > >
> >
Anonymous
February 12, 2005 2:59:46 PM

Your thanks is appreciated. :) 

Glad to hear that things are looking better for you, but don't think
that you're done and stop now. There are still those other WinPatrol
tabs to look at.

IE Helpers
IE Helpers are also known as BHOs (Browser Helper Objects).
When attempting to identify items, I usually start with "Name."
If that doesn't net decent results, I move on to "Program."
(Actually, I paid for WinPatrol Plus and seldom resort to google.)
If you run into something that you cannot identify,
you'll find WinPatrol is a bit anemic here -
BHOs cannot be disabled, they can only be deleted.
To temporarily disable one of these items, download another free
program called Toolbar Cop. http://windowsxp.mvps.org/toolbarcop.htm

Scheduled Tasks
I have yet to run into any malware that utilizes Windows Task
Scheduler, so I have no special instructions. But you do want to
know the purpose for any scheduled tasks.

Services
At minimum, you'll want to identify any non-Microsoft services.
As to the Microsoft services, the WinPatrol Plus info is pretty
lightweight. Sources for info about Windows XP Services:
http://www.theeldergeek.com/services_guide.htm
http://www.blackviper.com/WinXP/servicecfg.htm

Active Tasks
This corresponds to the Processes tab in Windows Task Manager.
You really, really want to know about each of these items.
The info in the Plus version of WinPatrol is fairly complete and
is above average in quality. If you haven't paid for the plus version,
start your investigation at http://www.answersthatwork.com and click
on the "Task List" button. If you can't find the task listed there
move on to google. If you can't find information there either, be
suspicious. Click the "Info" button in WinPatrol and look at the
full path to the executable file. Locate that executable file;
right click on it and choose Properties. You're looking for clues.

Before moving on it's worth noting that you can hold down the CTRL
key and click on multiple "Active Tasks" and then "Kill Task" them
all in one fell swoop. This is extremely useful when some obnoxious
malware has started multiple different processes that keep
re-adding startup items and restart their companion processes
should you stop one of them.

* See below for more info about processes and their associated DLLs.

Cookies
I've never felt that cookies were worth worrying about.
WinPatrol has a cookie manager, but I don't use it and
have no opinion.

File Types
"File types" determine what happens when you double click on
a file with any given extension. For instance, if a file is named
"Critical Data.doc" the ".doc" at the end is the file extension
and information in Windows registry determines the File Type and
what will happen. On many/most systems ".doc" is associated with
Microsoft Word and a double click will open "Critical Data.doc"
in Microsoft Word. If you install a new word processor ABC on
that system, the install routine may reassociate the ".doc" file
extension so that a double click on "Critical Data.doc" no longer
opens it in MS Word, but rather in the newly installed ABC.
WinPatrol alerts you when such changes are made. If you install
and test bunches of software (like I do), that's handy.

Although I don't know of any malware currently using file types
to keep itself wedged onto systems, I think it is only a matter
of time. Imagine that malware XYZ has been installed on your
system. One of its files is XYZwedge and XYZwedge is the current
association with the ".doc" file type. Each time you double click
on a ".doc" file, XYZwedge reinserts XYZ into your startup items
and then it Opens the ".doc" file in MS Word. Everything seems
normal to you, except that the system seems to run slower and
there are those @#$% pop-ups again.

****************************************************************

If you don't already have them, add the following to your system's
layered protection:
Spyware Blaster - http://www.javacoolsoftware.com/spywareblaster.html
IE Spyad - https://netfiles.uiuc.edu/ehowes/www/resource.htm
An outbound firewall like Zone Alarm.
http://www.zonelabs.com/store/content/company/products/...
(The free for personal use version is at the bottom of the list.)


****************************************************************

All your scans come up clean and all of the items on all of the
WinPatrol tabs are accounted for and are supposed to be safe.
But you still see a lot of pop-ups or the system still runs way too slow
and/or there are many program crashes. What now?

The technically inclined can download Process Viewer (prcview.exe)
from http://www.xmlsp.com/pview/prcview.htm
1) Run Process Viewer and select "Module Useage" on the "View" menu.
2) Right click each module and choose "Copy Module Path."
3) Paste the copied path into a google search box;
   enclose it in double quotes and search.
4) Depending on what you found in step 3, search for just the
   file name and look for pages in the results that show the
   *.dll file in another path. eg.
   Windows KB article says that in Windows XP, abc.dll is found at
      C:\Windows\System32\abc.dll
   but the path on your system is
      C:\Windows\abc.dll
   The file on your system is spyware.
   Search google for instructions about how to remove it.
If you can't find instructions, close the "Module Useage" window.
Right click each process in the main Process viewer window and
choose "Modules." Look for C:\Windows\abc.dll. Find ALL of the
processes that use abc.dll with that full path, note the name
of each such process. In WinPatrol, hold down the CTRL key and
click each of those named processes. In a moment, you'll
"Kill Task" them all at once. Before you do though, close out
ALL other running programs! The evil malware .dll is probably
attached to a vital system process and when you "Kill Task"
the system will likely turn off about as fast as if you pulled
the power cord out of the electric socket! If that happens, press
the power button to boot the machine, otherwise reboot the machine.
Double check that c:\windows\abc.dll is no longer a part of any
running process.

Otherwise, it's probably time to fdisk; format
and re-install Windows from scratch. :( 

--
Bob Dietz


linda wrote:
> Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
> a lot less crowded than it did- also when I look at the task manager it now
> shows 37 programs, (I have a few things running when it shows that amt) and
> not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
> on the winpatrol and had already disabled that, I thought it was funny seeing
> 3 times, so I'm glad to know I was on the right track there. When I went
> back to the winpatrol and disable the DLHelper program, a minute or so later
> I got a pop up saying that a new program was wanting to be added to the start
> up-and it was the DLHelper I had just disabled, so I said no on the ok to add
> to start-up. Here is what the list shows now: (pls read my add'l msg
> after the winpatrol info)
>
> WinPatrol Startup Programs
> Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
> 2/11/2005
>
> Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> Browser: Microsoft® Windows® Operating System - Internet Explorer version
> 6.00.2900.2180
> Memory currently in use: 79%
>
> MSIE: Internet Explorer (6.00.2900.2180)
>
> HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> HKLM Default_Page_URL = http://www.emachines.com
> HKCU Start Page = http://www.comcast.net/
> HKLM Start Page = http://www.msn.com/
>
> WinLogon DefaultUserName=linda
> WinLogon DefaultDomainName=LUCY
> WinLogon Shell=Explorer.exe
> WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
>
>
>
> VSOCheckTask
> mcmnhdlr.exe /checktask
> McAfee VirusScan Command Handler
> Version: 8, 0, 0, 0
> Copyright © 1998-2003 Networks Associates Technology, Inc
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> Click for Plus Info
>
>
>
> VirusScan Online
> mcvsshld.exe
> McAfee VirusScan ActiveShield Resource
> Version: 8, 0, 0, 0
> Copyright © 1998-2003 Networks Associates Technology, Inc
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> Click for Plus Info
>
>
>
> MCAgentExe
> mcagent.exe
> McAfee SecurityCenter Agent
> Version: 5, 0, 0, 0
> Copyright © 2004 Networks Associates Technology, Inc.
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> Click for Plus Info
>
>
>
> MCUpdateExe
> mcupdate.exe
> McAfee SecurityCenter Update Engine
> Version: 5, 0, 0, 0
> Copyright © 2004 Networks Associates Technology, Inc.
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> Click for Plus Info
>
>
>
> pccguide.exe
> pccguide.exe
> PCCGuide
> Version: 12.10.0
> Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> Click for Plus Info
>
>
>
> WinPatrol
> winpatrol.exe
> WinPatrol System Monitor
> Version: 8.1.2.0
> Copyright © 1997- 2004 BillP Studios
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> Click for Plus Info
>
>
>
> MPFExe
> MpfTray.exe
> McAfee Personal Firewall Tray Monitor
> Version: 6.0.0.14
> Copyright © 2000-2004 Networks Associates Technologies, Inc.
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
> Click for Plus Info
>
>
>
> McRegWiz
> mcregwiz.exe /autorun
> McRegWiz Module
> Version: 1, 0, 0, 4
> Copyright 2003 Networks Associates Technology, Inc
> Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
> Click for Plus Info
>
>
>
> Microsoft Works Update Detection
> WkDetect.exe
> Microsoft® Works Update Detection
> Version: 6.00.1828.1
> Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> Location: * Disabled *
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Microsoft Works\WkDetect.exe
> Click for Plus Info
>
>
>
> Yahoo! Pager
> ypager.exe -quiet
> Yahoo! Messenger
> Version: 6,0,0,1750
> Copyright 1998-2004
> Location: * Disabled *
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> Click for Plus Info
>
> I wanted to say THANK-YOU so much...not only do I appreciate you taking the
> time to help me..and also the detailed instructions, they were easy for me to
> follow and understand, as I said in my original msg. I'm relatively new at all
> this so being able to follow/understand was great. I have only posted to
> newsgroups a few times and honestly I have gotten a few responses that just
> leave me sitting there going "HUH". Again thanks very much for your help!!!
> Linda
>
>
>
> "Bob Dietz" wrote:
>
>
>>Hi Linda,
>>
>>I was pretty busy yesterday. Sorry it took so long to get back to you
>>
>>Before you start you might want to print this out on your printer.
>>
>>I see some adware/spyware listed that I would have expected Lavasoft
>>Ad-aware to have successfully removed. Let's run through the steps that
>>will allow Ad-Aware to do its best work.
>>
>>1) Start Ad-Aware.
>>2) Click "Check for updates now." (lower right corner)
>>3) Connect and get any available updates.
>> Verify that your version number matches the version number
>> of the newest available Ad-Aware.
>>4) Once you have the latest updates installed,
>> close Ad-Aware and any other running programs.
>>5) To make it easier for Ad-Aware to do its job,
>> we're going to run it in SAFE MODE.
>> A) Restart the computer.
>> B) While the computer is booting - before the first
>> "Windows" screen appears, tap the F8 key.
>> C) When the boot menu appears, choose SAFE MODE.
>>6) Start Ad-aware.
>>7) Click the "Start" button in the Ad-Aware window.
>>8) Set "Select Scan Mode" to "Perform full system scan."
>>9) Click the "Next" button to start the scan.
>>10) When the scan finishes, click "Next."
>>11) "Scan Results" defaults to the "Critical Objects" tab.
>> Changing to the "Scan Summary" tab, will give you
>> a much clearer picture of what has been found and may
>> save you quite a few mouse clicks as well. Be sure there
>> is a check mark beside everything you want to remove and
>> click "Next."
>> * No need to click the Quarantine button, Ad-aware
>> * automatically quarantines everything it removes.
>>
>>When you're done, close Ad-Aware and restart the computer letting it
>>boot normally.
>>Open the WinPatrol window.
>>Click the "Title" column heading so that programs are sorted by title in
>>A-Z order.
>>
>>Below you'll find your report (slightly reformatted so that programs are
>>in A-Z order by title.) Each item is followed by my comments which are
>>marked by asterisks. Presumably Ad-Aware will already have
>>eliminated most of the evil ad-ware/spyware. If bad items still remain,
>>we'll use the WinPatrol report to figure out how to remove those items.
>>If you were doing this on your own, you'd -
>> 1) Select the executable name with your mouse.
>> 2) Right click on the selection and choose "Copy."
>> 3) Open a new browser window and go to http://www.google.com
>> 4) Right click in the Google search box and choose "Paste."
>> 5) Click on the search button.
>>Hint: If you install the Google toolbar ( http://toolbar.google.com ),
>>you could select the executable name, right click and choose
>>"Google Search."
>>
>>Use a little caution regarding the results of your search.
>>Some of the sites providing the information about startup items are
>>trying too hard to sell you something. For instance at least one site
>>shows a very conspicuous warning "Internal IP Exposed!" This is a simple
>>scam using javascript to display your IP in your browser on your
>>computer. Nobody can see it who isn't sitting in front of your computer
>>display.
>>
>>Here are some domains that I regard as above average. Look for these in
>>the results of your Google spyware/adware searches.
>>
>>AnswersThatWork.com
>>CastleCops.com
>>Iamnotageek.com
>>Neuber.com
>>Sysinfo.org
>>WinPatrol.com
>>
>>This Sysinfo.org page is worth putting in your favorites -
>>http://www.sysinfo.org/startuplist.php
>>
>>
>>*****************************************************************
>>WinPatrol Startup Programs (Edited by Bob Dietz)
>>
>>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
>>Browser: Microsoft® Windows® Operating System - Internet Explorer
>>version 6.00.2900.2180
>>Memory currently in use: 91%
>>********************************************************************
>>* This memory currently in use number isn't critical, but
>>* a lower value would be better. If you have less than 256Mb of RAM,
>>* you should think about upgrading to more memory.
>>********************************************************************
>>
>>
>>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
>>HKLM Default_Page_URL = http://www.emachines.com
>>HKCU Start Page = http://www.emachines.com/
>>HKLM Start Page = http://www.msn.com/
>>
>>WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
>>WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
>>WinLogon Shell=Explorer.exe
>>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
>>
>>
>>
>>CleanUp
>>mcappins.exe /v=3 /cleanup
>>McAfee Application Installer
>>Version: 5, 0, 0, 0
>>Copyright © 2004 Networks Associates Technology, Inc.
>>Location:
>>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
>>********************************************************************
>>* This is part of McAfee
>>* I recommend that you leave it enabled. The site -
>>* http://startup.iamnotageek.com/srch-mcappins.exe.html
>>* describes it as
>>* McAfee Application Installer. (What does it do and is it required?)
>>* FWIW The Plus version of WinPatrol what it does and why it might
>>* be required.
>>********************************************************************
>>
>>
>>
>>eZstub
>>eZstub.exe
>>eZstub Module
>>Version: 1, 0, 0, 1
>>Copyright 2000
>>Location:
>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
>>Path: Command /c del C:\WINDOWS\system32\eZstub.exe
>>********************************************************************
>>* This is an EZula component.
>>* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
>>* appears to be quite recent and I could find it mentioned on any
>>* web pages. For that reason, Ad-Aware may have trouble removing
>>* this even in SAFE MODE!
>>* If Ad-Aware wasn't able to remove this, try using WinPatrol to
>>* disable it. If it won't stay disabled, let me know and we'll
>>* follow some additional steps.
>>********************************************************************
>>
>>
>>
>>
>>
>>MCAgentExe
>>mcagent.exe
>>McAfee SecurityCenter Agent
>>Version: 5, 0, 0, 0
>>Copyright © 2004 Networks Associates Technology, Inc.
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
>>********************************************************************
>>* This is part of McAfee
>>* I recommend that you leave it enabled.
>>* http://startup.iamnotageek.com/srch-mcagent.exe.html
>>********************************************************************
>>
>>
>>
>>MCUpdateExe
>>mcupdate.exe
>>McAfee SecurityCenter Update Engine
>>Version: 5, 0, 0, 0
>>Copyright © 2004 Networks Associates Technology, Inc.
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
>>********************************************************************
>>* This is part of McAfee
>>* I recommend that you leave it enabled.
>>* http://startup.iamnotageek.com/srch-mcupdate.exe.html
>>********************************************************************
>>
>>
>>
>>Microsoft Works Update Detection
>>WkDetect.exe
>>Microsoft® Works Update Detection
>>Version: 6.00.1828.1
>>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
>>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\Microsoft Works\WkDetect.exe
>>********************************************************************
>>* This checks for updates to MS Works
>>* Unless your computer has more memory than you know what
>>* to do with, I'd recommend disabling this in WinPatrol.
>>* Disabling is better than removal, because you can always
>>* decide to turn it back on at a later date.
>>* http://startup.iamnotageek.com/srch-wkdetect.exe.html
>>********************************************************************
>>
>>
>>msnmsgr
>>msnmsgr.exe /background
>>MSN Messenger
>>Version: Version 6.2
>>Copyright (c) Microsoft Corporation 1997-2004
>>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
>>********************************************************************
>>* Letting MSN Messenger run is a user choice.
>>* If you aren't sure what MSN Messenger is, you're not using
>>* it and there is no use to have it running constantly
>>* using up precious RAM.
>>* Later in this report, we see that Yahoo! Pager is also running.
>>* If you're using both of these programs, you might want to
>>* consider replacing the two of them with Trillian, which is
>>* open source freeware and provides the services of both programs.
>>* http://www.neuber.com/taskmanager/process/msnmsgr.exe.h...
>>********************************************************************
>>
>>
>>MyWebSearch Email Plugin
>>MWSOEMON.EXE
>>My Web Search Email Plugin
>>Version: 2,0,1,0
>>Copyright © 2003-2004 MyWebSearch.com
>>Location: Windows Startup Group
>>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
>>********************************************************************
>>* This is spyware.
>>* The fact that there are four apparently identical instances
>>* in the original report gives a little concern. I suspect
>>* this may be the culprit with regard to the 22 instances of
>>* rundll32.exe.
>>* If these are still in the list after the SAFE MODE Ad-Aware scan,
>>* try to disable them using WinPatrol.
>>* If they refuse to stay disabled, let me know and there are other
>>* steps we can try.
>>* FWIW Here are some pages with more info about MyWebSearch.
>>* http://www.mac-net.com/445088.page
>>* http://www.iamnotageek.com/a/mwsoemon.exe.php
>>* http://www.winpatrol.com/db/freesample/mwsoemon.html
>>********************************************************************
>>
>>
>>pccguide.exe
>>pccguide.exe
>>PCCGuide
>>Version: 12.10.0
>>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
>>********************************************************************
>>* Part of Trend Micro's PC-cillin Anti-Virus
>>* Do you have both PC-cillin and McAfee installed?
>>********************************************************************
>>
>>
>>
>>Unknown Title
>>DLHelperEXE.exe
>>DLHelper Module
>>Version: 6, 0, 0, 3
>>Copyright 2001
>>Location: Windows Startup Group
>>Path: C:\Documents and Settings\linda\Start
>>Menu\Programs\Startup\DLHelperEXE.exe
>>********************************************************************
>>* Probably part of CasinoOnNet adware.
>>* If that's what it is, the Ad-Aware SAFE MODE scan probably
>>* removed it. If not, try disabling it in WinPatrol.
>>* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=45...
>>********************************************************************
>>
>>
>>
>>VirusScan Online
>>mcvsshld.exe
>>McAfee VirusScan ActiveShield Resource
>>Version: 8, 0, 0, 0
>>Copyright © 1998-2003 Networks Associates Technology, Inc
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
>>********************************************************************
>>* Part of McAfee VirusScan On-Line
>>* I recommend leaving it enabled.
>>* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
>>********************************************************************
>>
>>
>>
>>VSOCheckTask
>>mcmnhdlr.exe /checktask
>>McAfee VirusScan Command Handler
>>Version: 8, 0, 0, 0
>>Copyright © 1998-2003 Networks Associates Technology, Inc
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
>>********************************************************************
>>* Part of McAfee's SecurityCenter and Virusscan Online.
>>* I recommend leaving it enabled.
>>* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
>>********************************************************************
>>
>>
>>
>>Web Offer
>>EZPOPS~1.EXE
>>eZstub Module
>>Version: 1, 0, 0, 1
>>Copyright 2000
>>Location:
>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
>>Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
>>********************************************************************
>>* Another component of EZula adware.
>>* I searched for specific information about this component -
>>* http://www.google.com/search?q=EZPOPS%7E1.EXE
>>* the information is pretty scant which indicates
>>* this version of EZula is pretty new and most anti-spyware/
>>* anti-adware programs probably won't remove it.
>>* If the SAFE MODE Ad-Aware scan fails to remove this,
>>* try disabling it in WinPatrol.
>>* If it won't stay disabled, let me know - there are other
>>* approaches to this problem.
>>********************************************************************
>>
>>
>>
>>WinPatrol
>>winpatrol.exe
>>WinPatrol System Monitor
>>Version: 8.1.2.0
>>Copyright © 1997- 2004 BillP Studios
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
>>********************************************************************
>>* This is WinPatrol
>>* It's safe and I recommend that you leave it in.
>>* But you can't really know if that's good advice until
>>* you research it.
>>* http://www.google.com/search?q=winpatrol.exe
>>********************************************************************
>>
>>
>>
>>Yahoo! Pager
>>ypager.exe -quiet
>>Yahoo! Messenger
>>Version: 6,0,0,1750
>>Copyright 1998-2004
>>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
>>********************************************************************
>>* Yahoo! Pager is an instant messenger application like
>>* MSN Messenger. If you aren't using these, you should disable them.
>>* If you're only using one of them, you should disable the one
>>* you're not using.
>>* If you're using both of them, you should think about switching
>>* to Trillian, an open source freeware application that can connect
>>* to many different types of instant messaging servers.
>>* http://startup.iamnotageek.com/srch-ypager.exe.html
>>********************************************************************
>>
>>
>>--
>>Bob Dietz
>>
>>linda wrote:
>>
>>>Hi Bob - this is what came up....thx for your help-prior to this when i ran
>>>the lavasoft adware/spyware there was an item that came up that said it
>>>affected the registry and i would select the cleanup/restore/delete for it,
>>>it would say that the task was completed but if i ran the program again it
>>>showed exactly the same thing it said it had taken care of? thought i would
>>>mention this in case it has anything to do with what's going on now....thx
>>>again for helping...linda
>>>
>>
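The Process Viewer walk-through in the reply above (compare each loaded module's path with its documented location, then list every process that uses the misplaced copy), as an added example that is not part of the original posts. The listing format, process names, PIDs and the `EXPECTED_DIRS` baseline are constructed for illustration; `abc.dll` is the placeholder name used in the post.

```python
import ntpath
from collections import defaultdict

# Constructed sample of a per-process module listing, one module per line:
# pid|process|module path. The format is an assumption for this example.
SAMPLE_LISTING = r"""
# pid|process|module path
 412|winlogon.exe|C:\WINDOWS\system32\abc.dll
1180|explorer.exe|C:\WINDOWS\system32\kernel32.dll
1180|explorer.exe|C:\Windows\abc.dll
1644|iexplore.exe|c:\windows\ABC.DLL
1644|iexplore.exe|C:\WINDOWS\system32\kernel32.dll
2020|notepad.exe|C:\Program Files\Example\helper.dll
"""

# Documented install directory per DLL (what the vendor article in step 4
# would tell you). Constructed baseline; extend it from trusted documentation.
EXPECTED_DIRS = {
    "abc.dll": r"C:\Windows\System32",
    "kernel32.dll": r"C:\Windows\System32",
}


def _norm(path):
    """Windows paths are case-insensitive; compare them in one canonical form."""
    return ntpath.normcase(ntpath.normpath(path))


def parse_listing(text):
    """Return a list of (pid, process, module_path) tuples."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3 or not parts[0].isdigit():
            raise ValueError(f"line {lineno}: expected pid|process|path, got {raw!r}")
        rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def find_misplaced_modules(rows, expected_dirs):
    """Map each module loaded from an undocumented directory to its users.

    The result is {normalized module path: sorted [(pid, process), ...]},
    i.e. the list of processes the post says to note before ending them.
    """
    expected = {name.lower(): _norm(d) for name, d in expected_dirs.items()}
    hits = defaultdict(set)
    for pid, proc, path in rows:
        directory, name = ntpath.split(_norm(path))
        want = expected.get(name)
        if want is not None and directory != want:
            hits[ntpath.join(directory, name)].add((pid, proc))
    return {path: sorted(users) for path, users in hits.items()}


def unbaselined_modules(rows, expected_dirs):
    """Module names with no documented location yet: these still need the
    manual lookup from step 3 before anything can be concluded about them."""
    known = {name.lower() for name in expected_dirs}
    names = {ntpath.basename(_norm(path)) for _, _, path in rows}
    return sorted(names - known)


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    for path, users in find_misplaced_modules(rows, EXPECTED_DIRS).items():
        print("unexpected location:", path)
        for pid, proc in users:
            print(f"  loaded by {proc} (pid {pid})")
    print("no baseline for:", ", ".join(unbaselined_modules(rows, EXPECTED_DIRS)))
```

A path mismatch is a lead to research, as in step 4 of the post, and a module missing from the baseline is neither cleared nor flagged.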
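The file-type point from the same reply, as an added example that is not part of the original posts: it resolves each extension to its open command from saved output of the Windows `assoc` and `ftype` commands and reports handlers that differ from a baseline snapshot. All sample output and paths are constructed; `XYZwedge` is the hypothetical name used in the post.

```python
import ntpath

# Constructed snapshots in the "key=value" form printed by `assoc` and `ftype`.
BASELINE_ASSOC = ".doc=Word.Document.8\n.txt=txtfile\n"
BASELINE_FTYPE = r'''
Word.Document.8="C:\Program Files\Microsoft Office\Office\WINWORD.EXE" /n /dde
txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
'''
# Later snapshot: same extension-to-type mapping, but the open command of the
# .doc file type now starts a different program first (constructed path).
CURRENT_ASSOC = BASELINE_ASSOC
CURRENT_FTYPE = r'''
Word.Document.8=C:\WINDOWS\XYZwedge.exe "%1"
txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
'''


def parse_pairs(text):
    """Parse key=value lines; keys are lowercased (registry names ignore case)."""
    pairs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            pairs[key.lower()] = value.strip()
    return pairs


def handler_exe(command):
    """Extract the program from an open command, in canonical lowercase form.

    Quoted programs end at the closing quote. Unquoted ones are cut at the
    first whitespace, which is only a guess if the path itself has spaces.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end != -1 else command[1:]
    else:
        exe = command.split(None, 1)[0] if command else ""
    return ntpath.normcase(exe)


def resolve_handlers(assoc_text, ftype_text):
    """Follow extension -> file type -> open command; return {ext: program}."""
    assoc = parse_pairs(assoc_text)
    ftype = parse_pairs(ftype_text)
    return {ext: handler_exe(ftype.get(progid.lower(), ""))
            for ext, progid in assoc.items()}


def changed_handlers(baseline, current):
    """Return sorted (ext, old_program, new_program) for every difference,
    including extensions that appeared or disappeared (None on that side)."""
    changes = []
    for ext in sorted(set(baseline) | set(current)):
        old, new = baseline.get(ext), current.get(ext)
        if old != new:
            changes.append((ext, old, new))
    return changes


if __name__ == "__main__":
    before = resolve_handlers(BASELINE_ASSOC, BASELINE_FTYPE)
    after = resolve_handlers(CURRENT_ASSOC, CURRENT_FTYPE)
    for ext, old, new in changed_handlers(before, after):
        print(f"{ext}: {old} -> {new}")
```

A reported change is not proof of malware: installing the new word processor ABC from the post would be listed the same way, so each entry is checked against what was installed on purpose.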
Anonymous
February 12, 2005 3:19:39 PM

Everyone needs to run an anti-virus program.
The anti-virus program should be set to scan ALL NEW FILES - no matter
what the file extension is. It should also scan in-bound email.
It should be able to update its definitions daily.
You should be able to (and you should) schedule a full system scan once
a week.
Other than that I'm close to agnostic about choice of anti-virus.

For personal use, I like the free versions of Avast and AVG.
I prefer AVG's UI (easier for newbies). I prefer Avast's more extensive
configuration options.

--
Bob Dietz

linda wrote:
> Hi Bob- I also wanted to let you know that the reason I'm showing both McAff
> and Trend Micro is that when I went to their site to do a "house call"
> (friend of mine had recomm it) it would not scan, so I downloaded the free
> trial version and it will be expiring in about a week...I like the way the
> program runs, would you recommend? and.....last thing, i did put that sysinfo
> in my favorites and have been going in and looking around...thx
> again.....bye...linda
>
> "linda" wrote:
>
>
>>Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
>>a lot less crowded than it did- also when I look at the task manager it now
>>shows 37 programs, (I have a few things running when it shows that amt) and
>>not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
>>on the winpatrol and had already disabled that, I thought it was funny seeing
>>3 times, so I'm glad to know I was on the right track there. When I went
>>back to the winpatrol and disable the DLHelper program, a minute or so later
>>I got a pop up saying that a new program was wanting to be added to the start
>>up-and it was the DLHelper I had just disabled, so I said no on the ok to add
>>to start-up. Here is what the list shows now: (pls read my add'l msg
>>after the winpatrol info)
>>
>>WinPatrol Startup Programs
>>Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
>>2/11/2005
>>
>>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
>>Browser: Microsoft® Windows® Operating System - Internet Explorer version
>>6.00.2900.2180
>>Memory currently in use: 79%
>>
>>MSIE: Internet Explorer (6.00.2900.2180)
>>
>>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
>>HKLM Default_Page_URL = http://www.emachines.com
>>HKCU Start Page = http://www.comcast.net/
>>HKLM Start Page = http://www.msn.com/
>>
>>WinLogon DefaultUserName=linda
>>WinLogon DefaultDomainName=LUCY
>>WinLogon Shell=Explorer.exe
>>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
>>
>>
>>
>>VSOCheckTask
>>mcmnhdlr.exe /checktask
>>McAfee VirusScan Command Handler
>>Version: 8, 0, 0, 0
>>Copyright © 1998-2003 Networks Associates Technology, Inc
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
>>Click for Plus Info
>>
>>
>>
>>VirusScan Online
>>mcvsshld.exe
>>McAfee VirusScan ActiveShield Resource
>>Version: 8, 0, 0, 0
>>Copyright © 1998-2003 Networks Associates Technology, Inc
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
>>Click for Plus Info
>>
>>
>>
>>MCAgentExe
>>mcagent.exe
>>McAfee SecurityCenter Agent
>>Version: 5, 0, 0, 0
>>Copyright © 2004 Networks Associates Technology, Inc.
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
>>Click for Plus Info
>>
>>
>>
>>MCUpdateExe
>>mcupdate.exe
>>McAfee SecurityCenter Update Engine
>>Version: 5, 0, 0, 0
>>Copyright © 2004 Networks Associates Technology, Inc.
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
>>Click for Plus Info
>>
>>
>>
>>pccguide.exe
>>pccguide.exe
>>PCCGuide
>>Version: 12.10.0
>>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
>>Click for Plus Info
>>
>>
>>
>>WinPatrol
>>winpatrol.exe
>>WinPatrol System Monitor
>>Version: 8.1.2.0
>>Copyright © 1997- 2004 BillP Studios
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
>>Click for Plus Info
>>
>>
>>
>>MPFExe
>>MpfTray.exe
>>McAfee Personal Firewall Tray Monitor
>>Version: 6.0.0.14
>>Copyright © 2000-2004 Networks Associates Technologies, Inc.
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
>>Click for Plus Info
>>
>>
>>
>>McRegWiz
>>mcregwiz.exe /autorun
>>McRegWiz Module
>>Version: 1, 0, 0, 4
>>Copyright 2003 Networks Associates Technology, Inc
>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
>>Click for Plus Info
>>
>>
>>
>>Microsoft Works Update Detection
>>WkDetect.exe
>>Microsoft® Works Update Detection
>>Version: 6.00.1828.1
>>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
>>Location: * Disabled *
>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\Microsoft Works\WkDetect.exe
>>Click for Plus Info
>>
>>
>>
>>Yahoo! Pager
>>ypager.exe -quiet
>>Yahoo! Messenger
>>Version: 6,0,0,1750
>>Copyright 1998-2004
>>Location: * Disabled *
>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
>>Click for Plus Info
>>
>>I wanted to say THANK-YOU so much...not only do I appreciate you taking the
>>time to help me..and also the detailed instructions, they were easy for me to
>>follow and understand, as I said in my original msg. I'm relatively new at all
>>this so being able to follow/understand was great. I have only posted to
>>newsgroups a few times and honestly I have gotten a few responses that just
>>leave me sitting there going "HUH". Again thanks very much for your help!!!
>>Linda
>>
>>
>>
>>"Bob Dietz" wrote:
>>
>>
>>>Hi Linda,
>>>
>>>I was pretty busy yesterday. Sorry it took so long to get back to you
>>>
>>>Before you start you might want to print this out on your printer.
>>>
>>>I see some adware/spyware listed that I would have expected Lavasoft
>>>Ad-aware to have successfully removed. Let's run through the steps that
>>>will allow Ad-Aware to do its best work.
>>>
>>>1) Start Ad-Aware.
>>>2) Click "Check for updates now." (lower right corner)
>>>3) Connect and get any available updates.
>>> Verify that your version number matches the version number
>>> of the newest available Ad-Aware.
>>>4) Once you have the latest updates installed,
>>> close Ad-Aware and any other running programs.
>>>5) To make it easier for Ad-Aware to do its job,
>>> we're going to run it in SAFE MODE.
>>> A) Restart the computer.
>>> B) While the computer is booting - before the first
>>> "Windows" screen appears, tap the F8 key.
>>> C) When the boot menu appears, choose SAFE MODE.
>>>6) Start Ad-aware.
>>>7) Click the "Start" button in the Ad-Aware window.
>>>8) Set "Select Scan Mode" to "Perform full system scan."
>>>9) Click the "Next" button to start the scan.
>>>10) When the scan finishes, click "Next."
>>>11) "Scan Results" defaults to the "Critical Objects" tab.
>>> Changing to the "Scan Summary" tab, will give you
>>> a much clearer picture of what has been found and may
>>> save you quite a few mouse clicks as well. Be sure there
>>> is a check mark beside everything you want to remove and
>>> click "Next."
>>> * No need to click the Quarantine button, Ad-aware
>>> * automatically quarantines everything it removes.
>>>
>>>When you're done, close Ad-Aware and restart the computer letting it
>>>boot normally.
>>>Open the WinPatrol window.
>>>Click the "Title" column heading so that programs are sorted by title in
>>>A-Z order.
>>>
>>>Below you'll find your report (slightly reformatted so that programs are
>>>in A-Z order by title.) Each item is followed by my comments which are
>>>marked by asterisks. Presumably Ad-Aware will already have
>>>eliminated most of the evil ad-ware/spyware. If bad items still remain,
>>>we'll use the WinPatrol report to figure out how to remove those items.
>>>If you were doing this on your own, you'd -
>>> 1) Select the executable name with your mouse.
>>> 2) Right click on the selection and choose "Copy."
>>> 3) Open a new browser window and go to http://www.google.com
>>> 4) Right click in the Google search box and choose "Paste."
>>> 5) Click on the search button.
>>>Hint: If you install the Google toolbar ( http://toolbar.google.com ),
>>>you could select the executable name, right click and choose
>>>"Google Search."
>>>
>>>Use a little caution regarding the results of your search.
>>>Some of the sites providing the information about startup items are
>>>trying too hard to sell you something. For instance at least one site
>>>shows a very conspicuous warning "Internal IP Exposed!" This is a simple
>>>scam using javascript to display your IP in your browser on your
>>>computer. Nobody can see it who isn't sitting in front of your computer
>>>display.
>>>
>>>Here are some domains that I regard as above average. Look for these in
>>>the results of your Google spyware/adware searches.
>>>
>>>AnswersThatWork.com
>>>CastleCops.com
>>>Iamnotageek.com
>>>Neuber.com
>>>Sysinfo.org
>>>WinPatrol.com
>>>
>>>This Sysinfo.org page is worth putting in your favorites -
>>>http://www.sysinfo.org/startuplist.php
>>>
>>>
>>>*****************************************************************
>>>WinPatrol Startup Programs (Edited by Bob Dietz)
>>>
>>>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
>>>Browser: Microsoft® Windows® Operating System - Internet Explorer
>>>version 6.00.2900.2180
>>>Memory currently in use: 91%
>>>********************************************************************
>>>* This memory currently in use number isn't critical, but
>>>* a lower value would be better. If you have less than 256Mb of RAM,
>>>* you should think about upgrading to more memory.
>>>********************************************************************
>>>
>>>
>>>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
>>>HKLM Default_Page_URL = http://www.emachines.com
>>>HKCU Start Page = http://www.emachines.com/
>>>HKLM Start Page = http://www.msn.com/
>>>
>>>WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
>>>WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
>>>WinLogon Shell=Explorer.exe
>>>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
>>>
>>>
>>>
>>>CleanUp
>>>mcappins.exe /v=3 /cleanup
>>>McAfee Application Installer
>>>Version: 5, 0, 0, 0
>>>Copyright © 2004 Networks Associates Technology, Inc.
>>>Location:
>>>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>>Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
>>>********************************************************************
>>>* This is part of McAfee
>>>* I recommended that you leave it enabled. The site -
>>>* http://startup.iamnotageek.com/srch-mcappins.exe.html
>>>* describes it as
>>>* McAfee Application Installer. (What does it do and is it required?)
>>>* FWIW The Plus version of WinPatrol what it does and why it might
>>>* be required.
>>>********************************************************************
>>>
>>>
>>>
>>>eZstub
>>>eZstub.exe
>>>eZstub Module
>>>Version: 1, 0, 0, 1
>>>Copyright 2000
>>>Location:
>>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
>>>Path: Command /c del C:\WINDOWS\system32\eZstub.exe
>>>********************************************************************
>>>* This is an EZula component.
>>>* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
>>>* appears to be quite recent and I could find it mentioned on any
>>>* web pages. For that reason, Ad-Aware may have trouble removing
>>>* this even in SAFE MODE!
>>>* If Ad-Aware wasn't able to remove this, try using WinPatrol to
>>>* disable it. If it won't stay disabled, let me know and we'll
>>>* follow some additional steps.
>>>********************************************************************
>>>
>>>
>>>
>>>
>>>
>>>MCAgentExe
>>>mcagent.exe
>>>McAfee SecurityCenter Agent
>>>Version: 5, 0, 0, 0
>>>Copyright © 2004 Networks Associates Technology, Inc.
>>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
>>>********************************************************************
>>>* This is part of McAfee
>>>* I recommended that you leave it enabled.
>>>* http://startup.iamnotageek.com/srch-mcagent.exe.html
>>>********************************************************************
>>>
>>>
>>>
>>>MCUpdateExe
>>>mcupdate.exe
>>>McAfee SecurityCenter Update Engine
>>>Version: 5, 0, 0, 0
>>>Copyright © 2004 Networks Associates Technology, Inc.
>>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
>>>********************************************************************
>>>* This is part of McAfee
>>>* I recommended that you leave it enabled.
>>>* http://startup.iamnotageek.com/srch-mcupdate.exe.html
>>>********************************************************************
>>>
>>>
>>>
>>>Microsoft Works Update Detection
>>>WkDetect.exe
>>>Microsoft® Works Update Detection
>>>Version: 6.00.1828.1
>>>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
>>>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>>>Path: C:\Program Files\Microsoft Works\WkDetect.exe
>>>********************************************************************
>>>* This checks for updates to MS Works
>>>* Unless your computer has more memory than you know what
>>>* to do with, I'd recommend disabling this in WinPatrol.
>>>* Disabling is better than removal, because you can always
>>>* decide to turn it back on at a later date.
>>>* http://startup.iamnotageek.com/srch-wkdetect.exe.html
>>>********************************************************************
>>>
>>>
>>>msnmsgr
>>>msnmsgr.exe /background
>>>MSN Messenger
>>>Version: Version 6.2
>>>Copyright (c) Microsoft Corporation 1997-2004
>>>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>>>Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
>>>********************************************************************
>>>* Letting MSN Messenger run is a user choice.
>>>* If you aren't sure what MSN Messenger is, you're not using
>>>* it and there is no use to have it running constantly
>>>* using up precious RAM.
>>>* Later in this report, we see that Yahoo! Pager is also running.
>>>* If you're using both of these programs, you might want to
>>>* consider replacing the two of them with Trillian, which is
>>>* open source freeware and provides the services of both programs.
>>>* http://www.neuber.com/taskmanager/process/msnmsgr.exe.h...
>>>********************************************************************
>>>
>>>
>>>MyWebSearch Email Plugin
>>>MWSOEMON.EXE
>>>My Web Search Email Plugin
>>>Version: 2,0,1,0
>>>Copyright © 2003-2004 MyWebSearch.com
>>>Location: Windows Startup Group
>>>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
>>>********************************************************************
>>>* This is spyware.
>>>* The fact that there are four apparently identical instances
>>>* in the original report gives a little concern. I suspect
>>>* this may be the culprit with regard to the 22 instances of
>>>* rundll32.exe.
>>>* If these are still in the list after the SAFE MODE Ad-Aware scan,
>>>* try to disable them using WinPatrol.
>>>* If they refuse to stay disabled, let me know and there are other
>>>* steps we can try.
>>>* FWIW Here are some pages with more info about MyWebSearch.
>>>* http://www.mac-net.com/445088.page
>>>* http://www.iamnotageek.com/a/mwsoemon.exe.php
>>>* http://www.winpatrol.com/db/freesample/mwsoemon.html
>>>********************************************************************
>>>
>>>
>>>pccguide.exe
>>>pccguide.exe
>>>PCCGuide
>>>Version: 12.10.0
>>>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
>>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
>>>********************************************************************
>>>* Part of Trend Micro's PC-cillin Anti-Virus
>>>* Do you have both PC-cillin and McAfee installed?
>>>********************************************************************
>>>
>>>
>>>
>>>Unknown Title
>>>DLHelperEXE.exe
>>>DLHelper Module
>>>Version: 6, 0, 0, 3
>>>Copyright 2001
>>>Location: Windows Startup Group
>>>Path: C:\Documents and Settings\linda\Start
>>>Menu\Programs\Startup\DLHelperEXE.exe
>>>********************************************************************
>>>* Probably part of CasinoOnNet adware.
>>>* If that's what it is, the Ad-Aware SAFE MODE scan probably
>>>* removed it. If not, try disabling it in WinPatrol.
>>>* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=45...
>>>********************************************************************
>>>
>>>
>>>
>>>VirusScan Online
>>>mcvsshld.exe
>>>McAfee VirusScan ActiveShield Resource
>>>Version: 8, 0, 0, 0
>>>Copyright © 1998-2003 Networks Associates Technology, Inc
>>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
>>>********************************************************************
>>>* Part of McAfee VirusScan On-Line
>>>* I recommend leaving it enabled.
>>>* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
>>>********************************************************************
>>>
>>>
>>>
>>>VSOCheckTask
>>>mcmnhdlr.exe /checktask
>>>McAfee VirusScan Command Handler
>>>Version: 8, 0, 0, 0
>>>Copyright © 1998-2003 Networks Associates Technology, Inc
>>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
>>>********************************************************************
>>>* Part of McAfee's SecurityCenter and Virusscan Online.
>>>* I recommend leaving it enabled.
>>>* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
>>>********************************************************************
>>>
>>>
>>>
>>>Web Offer
>>>EZPOPS~1.EXE
>>>eZstub Module
>>>Version: 1, 0, 0, 1
>>>Copyright 2000
>>>Location:
>>>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
>>>Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
>>>********************************************************************
>>>* Another component of EZula adware.
>>>* I searched for specific information about this component -
>>>* http://www.google.com/search?q=EZPOPS%7E1.EXE
>>>* the information is pretty scant which indicates
>>>* this version of EZula is pretty new and most anti-spyware/
>>>* anti-adware programs probably won't remove it.
>>>* If the SAFE MODE Ad-Aware scan fails to remove this,
>>>* try disabling it in WinPatrol.
>>>* If it won't stay disabled, let me know - there are other
>>>* approaches to this problem.
>>>********************************************************************
>>>
>>>
>>>
>>>WinPatrol
>>>winpatrol.exe
>>>WinPatrol System Monitor
>>>Version: 8.1.2.0
>>>Copyright © 1997- 2004 BillP Studios
>>>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
>>>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
>>>********************************************************************
>>>* This is WinPatrol
>>>* It's safe and I recommend that you leave it in.
>>>* But you can't really know if that's good advice until
>>>* you research it.
>>>* http://www.google.com/search?q=winpatrol.exe
>>>********************************************************************
>>>
>>>
>>>
>>>Yahoo! Pager
>>>ypager.exe -quiet
>>>Yahoo! Messenger
>>>Version: 6,0,0,1750
>>>Copyright 1998-2004
>>>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
>>>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
>>>********************************************************************
>>>* Yahoo! Pager is an instant messenger application like
>>>* MSN Messenger. If you aren't using these, you should disable them.
>>>* If you're only using one of them, you should disable the one
>>>* you're not using.
>>>* If you're using both of them, you should think about switching
>>>* to Trillian, an open source freeware application that can connect
>>>* to many different types of instant messaging servers.
>>>* http://startup.iamnotageek.com/srch-ypager.exe.html
>>>********************************************************************
>>>
>>>
>>>--
>>>Bob Dietz
>>>
>>>linda wrote:
>>>
>>>>Hi Bob - this is what came up....thx for your help-prior to this when i ran
>>>>the lavasoft adware/spyware there was an item that came up that said it
>>>>affected the registry and i would select the cleanup/restore/delete for it,
>>>>it would say that the task was completed but if i ran the program again it
>>>>showed exactly the same thing it said it had taken care of? thought i would
>>>>mention this in case it has anything to do with what's going on now....thx
>>>>again for helping...linda
>>>>
>>>
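The startup report quoted above has a regular layout (title, command, description, then Version/Copyright/Location/Path), so it can be parsed and triaged mechanically. The following is an added example, not part of the thread or of WinPatrol: the function names, flag names and sample report are constructed for illustration, and the parser assumes the layout shown in this thread, including quote markers and wrapped Location/Path lines.

```python
import re
from collections import Counter

# Constructed sample in the layout of the report quoted in this thread,
# with newsreader quote markers, reviewer notes (* ...) and wrapped lines.
SAMPLE_REPORT = r"""
>>>MyWebSearch Email Plugin
>>>MWSOEMON.EXE
>>>My Web Search Email Plugin
>>>Version: 2,0,1,0
>>>Copyright 2003-2004 MyWebSearch.com
>>>Location: Windows Startup Group
>>>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
>>>********************************************************************
>>>* This is spyware.
>>>********************************************************************
>>>
>>>MyWebSearch Email Plugin
>>>MWSOEMON.EXE
>>>My Web Search Email Plugin
>>>Version: 2,0,1,0
>>>Copyright 2003-2004 MyWebSearch.com
>>>Location: Windows Startup Group
>>>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
>>>
>>>Unknown Title
>>>DLHelperEXE.exe
>>>DLHelper Module
>>>Version: 6, 0, 0, 3
>>>Copyright 2001
>>>Location: Windows Startup Group
>>>Path: C:\Documents and Settings\user\Start
>>>Menu\Programs\Startup\DLHelperEXE.exe
>>>
> > WinPatrol
> > winpatrol.exe
> > WinPatrol System Monitor
> > Version: 8.1.2.0
> > Copyright 1997- 2004 BillP Studios
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> > Click for Plus Info
> >
> > Microsoft Works Update Detection
> > WkDetect.exe
> > Microsoft Works Update Detection
> > Version: 6.00.1828.1
> > Copyright Microsoft Corporation 1987-2000. All rights reserved.
> > Location: * Disabled *
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Microsoft Works\WkDetect.exe
> > Click for Plus Info
"""

FIELD_RE = re.compile(r"^(Version|Location|Path):\s*(.*)$")
NOISE = ("*", "Click for Plus Info")  # reviewer notes and UI residue


def _parse_block(lines):
    """Turn one blank-line-delimited block into an entry, or None for headers."""
    head, fields, last = [], {}, None
    for line in lines:
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1).lower()
            fields[last] = m.group(2)
        elif line.startswith("Copyright"):
            last, fields["copyright"] = "copyright", line
        elif last is None:
            head.append(line)          # title, command, description
        else:                          # wrapped continuation of the last field
            fields[last] = (fields[last] + " " + line).strip()
    if "path" not in fields or not head:
        return None
    location = fields.get("location", "")
    return {
        "title": head[0],
        "command": head[1] if len(head) > 1 else "",
        "location": location.replace("* Disabled *", "").strip(),
        "disabled": "* Disabled *" in location,
        "path": fields["path"],
    }


def parse_report(text):
    entries, block = [], []
    for raw in text.splitlines() + [""]:
        line = re.sub(r"^[>\s]+", "", raw).rstrip()   # drop quote markers
        if line.startswith(NOISE):
            continue
        if line:
            block.append(line)
        elif block:
            entry = _parse_block(block)
            if entry:
                entries.append(entry)
            block = []
    return entries


def triage(entries):
    """One row per distinct (title, path), A-Z by title, with review flags."""
    counts = Counter((e["title"].lower(), e["path"].lower()) for e in entries)
    rows, seen = [], set()
    for e in sorted(entries, key=lambda e: e["title"].casefold()):
        key = (e["title"].lower(), e["path"].lower())
        if key in seen:
            continue
        seen.add(key)
        flags = []
        if counts[key] > 1:
            flags.append("duplicate")      # identical instances, as noted in the thread
        if e["title"] == "Unknown Title":
            flags.append("no-title")
        if e["disabled"]:
            flags.append("disabled")
        rows.append({**e, "count": counts[key], "flags": flags})
    return rows


if __name__ == "__main__":
    for row in triage(parse_report(SAMPLE_REPORT)):
        print(f'{row["title"]:35} x{row["count"]} {row["flags"]} {row["path"]}')
```
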
February 14, 2005 4:09:03 PM

hi bob-just looked and saw your msg, didn't want u to think i was ignoring :) 
been busy and will try and look at it all tonight or tomorrow, since i just
scanned over it....want to be able to give it full attention.....linda

"Bob Dietz" wrote:

> Your thanks is appreciated. :) 
>
> Glad to hear that things are looking better for you, but don't think
> that you're done and stop now. There are still those other WinPatrol
> tabs to look at.
>
> IE Helpers
> IE Helpers are also known as BHO's (Browser Helper Objects).
> When attempting to identify items, I usually start with "Name."
> If that doesn't net decent results, I move on to "Program."
> (Actually, I paid for WinPatrol Plus and seldom resort to google.)
> If you run into something that you cannot identify,
> you'll find WinPatrol is a bit anemic here -
> BHO's cannot be disabled, they can only be deleted.
> To temporarily disable one of these items, download another free
> program called Toolbar Cop. http://windowsxp.mvps.org/toolbarcop.htm
>
> Scheduled Tasks
> I have yet to run into any malware that utilizes Windows Task
> Scheduler, so I have no special instructions. But you do want to
> know the purpose for any scheduled tasks.
>
> Services
> At minimum, you'll want to identify any non-microsoft services.
> As to the microsoft services, the WinPatrol Plus info is pretty
> light weight. Sources for info about Windows XP Services
> http://www.theeldergeek.com/services_guide.htm
> http://www.blackviper.com/WinXP/servicecfg.htm
>
> Active Tasks
> This corresponds to the Processes tab in Windows Task Manager.
> You really, really want to know about each of these items.
> The info in the Plus version of WinPatrol is fairly complete and
> is above average in quality. If you haven't paid for the plus version,
> start your investigation at http://www.answersthatwork.com and click
> on the "Task List" button. If you can't find the task listed there
> move on to google. If you can't find information there either, be
> suspicious. Click the "Info" button in WinPatrol and look at the
> full path to the executable file. Locate that executable file;
> right click on it and choose Properties. You're looking for clues.
>
> Before moving on it's worth noting that you can hold down the CTRL
> key and click on multiple "Active Tasks" and then "Kill Task" them
> all in one fell swoop. This is extremely useful when some obnoxious
> malware has started multiple different processes that keep
> re-adding startup items and restart their companion processes
> should you stop one of them.
>
> * See below for more info about processes and their associated DLLs.
>
> Cookies
> I've never felt that cookies were worth worrying about.
> WinPatrol has a cookie manager, but I don't use it and
> have no opinion.
>
> File Types
> "File types" determine what happens when you double click on
> a file with any given extension. For instance, if a file is named
> "Critical Data.doc" the ".doc" at the end is the file extension
> and information in Windows registry determines the File Type and
> what will happen. On many/most systems ".doc" is associated with
> Microsoft Word and a double click will open "Critical Data.doc"
> in Microsoft Word. If you install a new word processor ABC on
> that system, the install routine may reassociate the ".doc" file
> extension so that a double click on "Critical Data.doc" no longer
> opens it in MS Word, but rather in the newly installed ABC.
> WinPatrol alerts you when such changes are made. If you install
> and test bunches of software (like I do), that's handy.
>
> Although I don't know of any malware currently using file types
> to keep itself wedged onto systems, I think it is only a matter
> of time. Imagine that malware XYZ has been installed on your
> system. One of its files is XYZwedge and XYZwedge is the current
> association with the ".doc" file type. Each time you double click
> on a ".doc" file, XYZwedge reinserts XYZ into your startup items
> and then it Opens the ".doc" file in MS Word. Everything seems
> normal to you, except that the system seems to run slower and
> there are those @#$% pop-ups again.
>
> ****************************************************************
>
> If you don't already have them, add the following to your system's
> layered protection:
> Spyware Blaster - http://www.javacoolsoftware.com/spywareblaster.html
> IE Spyad - https://netfiles.uiuc.edu/ehowes/www/resource.htm
> An outbound firewall like Zone Alarm.
> http://www.zonelabs.com/store/content/company/products/...
> (The free for personal use version is at the bottom of the list.)
>
>
> ****************************************************************
>
> All your scans come up clean and all of the items on all of the
> WinPatrol tabs are accounted for and are supposed to be safe.
> But you still see a lot of pop-ups or the system still runs way too slow
> and/or there are many program crashes. What now?
>
> The technically inclined can download Process Viewer (prcview.exe)
> from http://www.xmlsp.com/pview/prcview.htm
> 1) Run Process Viewer and select "Module Useage" on the "View" menu.
> 2) Right click each module and choose "Copy Module Path."
> 3) Paste the copied path into a google search box;
> enclose it in double quotes and search.
> 4) Depending on what you found in step 3, search for just the
> file name and look for pages in the results that show the
> *.dll file in another path. eg.
> Windows KB article says that in Windows XP, abc.dll is found at
> C:\Windows\System32\abc.dll
> but the path on your system is
> C:\Windows\abc.dll
> The file on your system is spyware.
> Search google for instructions about how to remove it.
> If you can't find instructions, close the "Module Useage" window.
> Right click each process in the main Process viewer window and
> choose "Modules." Look for C:\Windows\abc.dll. Find ALL of the
> processes that use abc.dll with that full path, note the name
> of each such process. In WinPatrol, hold down the CTRL key and
> click each of those named processes. In a moment, you'll
> "Kill Task" them all at once. Before you do though, close out
> ALL other running programs! The evil malware .dll is probably
> attached to a vital system process and when you "Kill Task"
> the system will likely turn off about as fast as if you pulled
> the power cord out of the electric socket! If that happens, press
> the power button to boot the machine, otherwise reboot the machine.
> Double check that c:\windows\abc.dll is no longer a part of any
> running process.
>
> Otherwise, it's probably time to fdisk; format
> and re-install Windows from scratch. :( 
>
> --
> Bob Dietz
>
>
> linda wrote:
> > Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
> > a lot less crowded than it did- also when I look at the task manager it now
> > shows 37 programs, (I have a few things running when it shows that amt) and
> > not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
> > on the winpatrol and had already disabled that, I thought it was funny seeing
> > 3 times, so I'm glad to know I was on the right track there. When I went
> > back to the winpatrol and disable the DLHelper program, a minute or so later
> > I got a pop up saying that a new program was wanting to be added to the start
> > up-and it was the DLHelper I had just disabled, so I said no on the ok to add
> > to start-up. Here is what the list shows now: (pls read my add'l msg
> > after the winpatrol info)
> >
> > WinPatrol Startup Programs
> > Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
> > 2/11/2005
> >
> > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> > Browser: Microsoft® Windows® Operating System - Internet Explorer version
> > 6.00.2900.2180
> > Memory currently in use: 79%
> >
> > MSIE: Internet Explorer (6.00.2900.2180)
> >
> > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> > HKLM Default_Page_URL = http://www.emachines.com
> > HKCU Start Page = http://www.comcast.net/
> > HKLM Start Page = http://www.msn.com/
> >
> > WinLogon DefaultUserName=linda
> > WinLogon DefaultDomainName=LUCY
> > WinLogon Shell=Explorer.exe
> > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
> >
> >
> >
> > VSOCheckTask
> > mcmnhdlr.exe /checktask
> > McAfee VirusScan Command Handler
> > Version: 8, 0, 0, 0
> > Copyright © 1998-2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> > Click for Plus Info
> >
> >
> >
> > VirusScan Online
> > mcvsshld.exe
> > McAfee VirusScan ActiveShield Resource
> > Version: 8, 0, 0, 0
> > Copyright © 1998-2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> > Click for Plus Info
> >
> >
> >
> > MCAgentExe
> > mcagent.exe
> > McAfee SecurityCenter Agent
> > Version: 5, 0, 0, 0
> > Copyright © 2004 Networks Associates Technology, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> > Click for Plus Info
> >
> >
> >
> > MCUpdateExe
> > mcupdate.exe
> > McAfee SecurityCenter Update Engine
> > Version: 5, 0, 0, 0
> > Copyright © 2004 Networks Associates Technology, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> > Click for Plus Info
> >
> >
> >
> > pccguide.exe
> > pccguide.exe
> > PCCGuide
> > Version: 12.10.0
> > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> > Click for Plus Info
> >
> >
> >
> > WinPatrol
> > winpatrol.exe
> > WinPatrol System Monitor
> > Version: 8.1.2.0
> > Copyright © 1997- 2004 BillP Studios
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> > Click for Plus Info
> >
> >
> >
> > MPFExe
> > MpfTray.exe
> > McAfee Personal Firewall Tray Monitor
> > Version: 6.0.0.14
> > Copyright © 2000-2004 Networks Associates Technologies, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
> > Click for Plus Info
> >
> >
> >
> > McRegWiz
> > mcregwiz.exe /autorun
> > McRegWiz Module
> > Version: 1, 0, 0, 4
> > Copyright 2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
> > Click for Plus Info
> >
> >
> >
> > Microsoft Works Update Detection
> > WkDetect.exe
> > Microsoft® Works Update Detection
> > Version: 6.00.1828.1
> > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> > Location: * Disabled *
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Microsoft Works\WkDetect.exe
> > Click for Plus Info
> >
> >
> >
> > Yahoo! Pager
> > ypager.exe -quiet
> > Yahoo! Messenger
> > Version: 6,0,0,1750
> > Copyright 1998-2004
> > Location: * Disabled *
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> > Click for Plus Info
> >
> > I wanted to say THANK-YOU so much...not only do i appreciate you taking the
> > time to help me..and also the detail instructions, they were easy for me to
> > follow and understand, as I said in my original msg. I'm relatively new at all
> > this so being able to follow/understand was great. I have only posted to
> > newsgroups a few times and honestly I have gotten a few responses that just
> > leave me sitting there going "HUH". Again thanks very much for your help!!!
> > Linda
> >
> >
> >
> > "Bob Dietz" wrote:
> >
> >
> >>Hi Linda,
> >>
> >>I was pretty busy yesterday. Sorry it took so long to get back to you
> >>
> >>Before you start you might want to print this out on your printer.
> >>
> >>I see some adware/spyware listed that I would have expected Lavasoft
> >>Ad-aware to have successfully removed. Let's run through the steps that
> >>will allow Ad-Aware to do its best work.
> >>
> >>1) Start Ad-Aware.
> >>2) Click "Check for updates now." (lower right corner)
> >>3) Connect and get any available updates.
> >> Verify that your version number matches the version number
> >> of the newest available Ad-Aware.
> >>4) Once you have the latest updates installed,
> >> close Ad-Aware and any other running programs.
> >>5) To make it easier for Ad-Aware to do its job,
> >> we're going to run it in SAFE MODE.
> >> A) Restart the computer.
> >> B) While the computer is booting - before the first
> >> "Windows" screen appears, tap the F8 key.
> >> C) When the boot menu appears, choose SAFE MODE.
> >>6) Start Ad-aware.
> >>7) Click the "Start" button in the Ad-Aware window.
> >>8) Set "Select Scan Mode" to "Perform full system scan."
> >>9) Click the "Next" button to start the scan.
> >>10) When the scan finishes, click "Next."
> >>11) "Scan Results" defaults to the "Critical Objects" tab.
> >> Changing to the "Scan Summary" tab, will give you
> >> a much clearer picture of what has been found and may
> >> save you quite a few mouse clicks as well. Be sure there
> >> is a check mark beside everything you want to remove and
> >> click "Next."
> >> * No need to click the Quarantine button, Ad-aware
> >> * automatically quarantines everything it removes.
> >>
> >>When you're done, close Ad-Aware and restart the computer letting it
> >>boot normally.
> >>Open the WinPatrol window.
> >>Click the "Title" column heading so that programs are sorted by title in
> >>A-Z order.
> >>
> >>Below you'll find your report (slightly reformatted so that programs are
> >>in A-Z order by title.) Each item is followed by my comments which are
> >>marked by asterisks. Presumably Ad-Aware will already have
> >>eliminated most of the evil ad-ware/spyware. If bad items still remain,
> >>we'll use the WinPatrol report to figure out how to remove those items.
> >>If you were doing this on your own, you'd -
> >> 1) Select the executable name with your mouse.
> >> 2) Right click on the selection and choose "Copy."
> >> 3) Open a new browser window and go to http://www.google.com
> >> 4) Right click in the Google search box and choose "Paste."
> >> 5) Click on the search button.
> >>Hint: If you install the Google toolbar ( http://toolbar.google.com ),
> >>you could select the executable name, right click and choose
> >>"Google Search."
> >>
> >>Use a little caution regarding the results of your search.
> >>Some of the sites providing the information about startup items are
> >>trying too hard to sell you something. For instance at least one site
> >>shows a very conspicuous warning "Internal IP Exposed!" This is a simple
> >> scam using javascript to display your IP in your browser on your
> >>computer. Nobody can see it who isn't sitting in front of your computer
> >>display.
> >>
> >>Here are some domains that I regard as above average. Look for these in
> >>the results of your Google spyware/adware searches.
> >>
> >>AnswersThatWork.com
> >>CastleCops.com
> >>Iamnotageek.com
> >>Neuber.com
> >>Sysinfo.org
> >>WinPatrol.com
> >>
> >>This Sysinfo.org page is worth putting in your favorites -
> >>http://www.sysinfo.org/startuplist.php
> >>
> >>
> >>*****************************************************************
> >>WinPatrol Startup Programs (Edited by Bob Dietz)
> >>
> >>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> >>Browser: Microsoft® Windows® Operating System - Internet Explorer
> >>version 6.00.2900.2180
> >>Memory currently in use: 91%
> >>********************************************************************
> >>* This memory currently in use number isn't critical, but
> >>* a lower value would be better. If you have less than 256Mb of RAM,
> >>* you should think about upgrading to more memory.
> >>********************************************************************
> >>
> >>
> >>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> >>HKLM Default_Page_URL = http://www.emachines.com
> >>HKCU Start Page = http://www.emachines.com/
> >>HKLM Start Page = http://www.msn.com/
> >>
> >>WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
> >>WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
> >>WinLogon Shell=Explorer.exe
> >>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
> >>
> >>
> >>
> >>CleanUp
> >>mcappins.exe /v=3 /cleanup
> >>McAfee Application Installer
> >>Version: 5, 0, 0, 0
> >>Copyright © 2004 Networks Associates Technology, Inc.
> >>Location:
> >>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
> >>********************************************************************
> >>* This is part of McAfee
> >>* I recommended that you leave it enabled. The site -
> >>* http://startup.iamnotageek.com/srch-mcappins.exe.html
> >>* describes it as
> >>* McAfee Application Installer. (What does it do and is it required?)
> >>* FWIW The Plus version of WinPatrol what it does and why it might
> >>* be required.
> >>********************************************************************
> >>
> >>
> >>
> >>eZstub
> >>eZstub.exe
> >>eZstub Module
> >>Version: 1, 0, 0, 1
> >>Copyright 2000
> >>Location:
> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> >>Path: Command /c del C:\WINDOWS\system32\eZstub.exe
> >>********************************************************************
> >>* This is an EZula component.
> >>* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
> >>* appears to be quite recent and I could find it mentioned on any
> >>* web pages. For that reason, Ad-Aware may have trouble removing
> >>* this even in SAFE MODE!
> >>* If Ad-Aware wasn't able to remove this, try using WinPatrol to
> >>* disable it. If it won't stay disabled, let me know and we'll
> >>* follow some additional steps.
> >>********************************************************************
> >>
> >>
> >>
> >>
> >>
> >>MCAgentExe
> >>mcagent.exe
> >>McAfee SecurityCenter Agent
> >>Version: 5, 0, 0, 0
> >>Copyright © 2004 Networks Associates Technology, Inc.
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> >>********************************************************************
> >>* This is part of McAfee
> >>* I recommended that you leave it enabled.
> >>* http://startup.iamnotageek.com/srch-mcagent.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>MCUpdateExe
> >>mcupdate.exe
> >>McAfee SecurityCenter Update Engine
> >>Version: 5, 0, 0, 0
> >>Copyright © 2004 Networks Associates Technology, Inc.
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> >>********************************************************************
> >>* This is part of McAfee
> >>* I recommended that you leave it enabled.
> >>* http://startup.iamnotageek.com/srch-mcupdate.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>Microsoft Works Update Detection
> >>WkDetect.exe
> >>Microsoft® Works Update Detection
> >>Version: 6.00.1828.1
> >>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Microsoft Works\WkDetect.exe
> >>********************************************************************
> >>* This checks for updates to MS Works
> >>* Unless your computer has more memory than you know what
> >>* to do with, I'd recommend disabling this in WinPatrol.
> >>* Disabling is better than removal, because you can always
> >>* decide to turn it back on at a later date.
> >>* http://startup.iamnotageek.com/srch-wkdetect.exe.html
> >>********************************************************************
> >>
> >>
> >>msnmsgr
> >>msnmsgr.exe /background
> >>MSN Messenger
> >>Version: Version 6.2
> >>Copyright (c) Microsoft Corporation 1997-2004
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
> >>********************************************************************
> >>* Letting MSN Messenger run is a user choice.
> >>* If you aren't sure what MSN Messenger is, you're not using
> >>* it and there is no use to have it running constantly
> >>* using up precious RAM.
> >>* Later in this report, we see that Yahoo! Pager is also running.
> >>* If you're using both of these programs, you might want to
> >>* consider replacing the two of them with Trillian, which is
> >>* open source freeware and provides the services of both programs.
> >>* http://www.neuber.com/taskmanager/process/msnmsgr.exe.h...
> >>********************************************************************
> >>
> >>
> >>MyWebSearch Email Plugin
> >>MWSOEMON.EXE
> >>My Web Search Email Plugin
> >>Version: 2,0,1,0
> >>Copyright © 2003-2004 MyWebSearch.com
> >>Location: Windows Startup Group
> >>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> >>********************************************************************
> >>* This is spyware.
> >>* The fact that there are four apparently identical instances
> >>* in the original report gives a little concern. I suspect
> >>* this may be the culprit with regard to the 22 instances of
> >>* rundll32.exe.
> >>* If these are still in the list after the SAFE MODE Ad-Aware scan,
> >>* try to disable them using WinPatrol.
> >>* If they refuse to stay disabled, let me know and there are other
> >>* steps we can try.
> >>* FWIW Here are some pages with more info about MyWebSearch.
> >>* http://www.mac-net.com/445088.page
> >>* http://www.iamnotageek.com/a/mwsoemon.exe.php
> >>* http://www.winpatrol.com/db/freesample/mwsoemon.html
> >>********************************************************************
> >>
> >>
> >>pccguide.exe
> >>pccguide.exe
> >>PCCGuide
> >>Version: 12.10.0
> >>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> >>********************************************************************
> >>* Part of Trend Micro's PC-cillin Anti-Virus
> >>* Do you have both PC-cillin and McAfee installed?
> >>********************************************************************
> >>
> >>
> >>
> >>Unknown Title
> >>DLHelperEXE.exe
> >>DLHelper Module
> >>Version: 6, 0, 0, 3
> >>Copyright 2001
> >>Location: Windows Startup Group
> >>Path: C:\Documents and Settings\linda\Start
> >>Menu\Programs\Startup\DLHelperEXE.exe
> >>********************************************************************
> >>* Probably part of CasinoOnNet adware.
> >>* If that's what it is, the Ad-Aware SAFE MODE scan probably
> >>* removed it. If not, try disabling it in WinPatrol.
> >>* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=45...
> >>********************************************************************
> >>
> >>
> >>
> >>VirusScan Online
> >>mcvsshld.exe
> >>McAfee VirusScan ActiveShield Resource
> >>Version: 8, 0, 0, 0
> >>Copyright © 1998-2003 Networks Associates Technology, Inc
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> >>********************************************************************
> >>* Part of McAfee VirusScan On-Line
> >>* I recommend leaving it enabled.
> >>* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>VSOCheckTask
> >>mcmnhdlr.exe /checktask
> >>McAfee VirusScan Command Handler
> >>Version: 8, 0, 0, 0
> >>Copyright © 1998-2003 Networks Associates Technology, Inc
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> >>********************************************************************
> >>* Part of McAfee's SecurityCenter and Virusscan Online.
> >>* I recommend leaving it enabled.
> >>* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>Web Offer
> >>EZPOPS~1.EXE
> >>eZstub Module
> >>Version: 1, 0, 0, 1
> >>Copyright 2000
> >>Location:
> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> >>Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
> >>********************************************************************
> >>* Another component of EZula adware.
> >>* I searched for specific information about this component -
> >>* http://www.google.com/search?q=EZPOPS%7E1.EXE
> >>* the information is pretty scant which indicates
> >>* this version of EZula is pretty new and most anti-spyware/
> >>* anti-adware programs probably won't remove it.
> >>* If the SAFE MODE Ad-Aware scan fails to remove this,
> >>* try disabling it in WinPatrol.
> >>* If it won't stay disabled, let me know - there are other
> >>* approaches to this problem.
> >>********************************************************************
> >>
> >>
> >>
> >>WinPatrol
> >>winpatrol.exe
> >>WinPatrol System Monitor
> >>Version: 8.1.2.0
> >>Copyright © 1997- 2004 BillP Studios
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> >>********************************************************************
> >>* This is WinPatrol
> >>* It's safe and I recommend that you leave it in.
> >>* But you can't really know if that's good advice until
> >>* you research it.
> >>* http://www.google.com/search?q=winpatrol.exe
> >>********************************************************************
> >>
> >>
> >>
> >>Yahoo! Pager
> >>ypager.exe -quiet
> >>Yahoo! Messenger
> >>Version: 6,0,0,1750
> >>Copyright 1998-2004
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> >>********************************************************************
> >>* Yahoo! Pager is an instant messenger application like
> >>* MSN Messenger. If you aren't using these, you should disable them.
> >>* If you're only using one of them, you should disable the one
> >>* you're not using.
> >>* If you're using both of them, you should think about switching
> >>* to Trillian, an open source freeware application that can connect
> >>* to many different types of instant messaging servers.
> >>* http://startup.iamnotageek.com/srch-ypager.exe.html
> >>********************************************************************
> >>
> >>
> >>--
> >>Bob Dietz
> >>
> >>linda wrote:
> >>
> >>>Hi Bob - this is what came up....thx for your help-prior to this when i ran
> >>>the lavasoft adware/spyware there was an item that came up that said it
> >>>affected the registry and i would select the cleanup/restore/delete for it,
> >>>it would say that the task was completed but if i ran the program again it
> >>>showed exactly the same thing it said it had taken care of? thought i would
> >>>mention this in case it has anything to do with what's going on now....thx
> >>>again for helping...linda
> >>>
> >>
>
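A parser for the WinPatrol startup report layout quoted in this thread, as an added example (not part of any post and not WinPatrol's own code). It strips the Usenet quote markers, rejoins wrapped Location/Path lines, counts paths registered more than once, and compares a before and after report; the function names, the abridged sample reports and the assumption that a wrapped line broke at a space are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

QUOTE_PREFIX = re.compile(r"^[>\s]+")   # Usenet quote markers such as "> >>"
FIELD = re.compile(r"^(Version:|Location:|Path:|Copyright\b)\s*(.*)$")

@dataclass
class Entry:
    title: str
    command: str
    location: str
    path: str
    disabled: bool

def _clean(text):
    """Strip quote markers; drop '*' comment boxes and the 'Plus Info' link text."""
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).rstrip()
        if not (line.startswith("*") or line == "Click for Plus Info"):
            yield line

def _parse_block(block):
    first = next(i for i, l in enumerate(block) if FIELD.match(l))
    head = block[:first] + ["", ""]             # title, command (then description)
    fields, current = {}, None
    for line in block[first:]:
        m = FIELD.match(line)
        if m:
            current = m.group(1).rstrip(":")
            fields[current] = m.group(2)
        else:  # wrapped value; assumption: the mail client broke the line at a space
            fields[current] = (fields[current] + " " + line).strip()
    loc = fields.get("Location", "")
    return Entry(head[0], head[1], loc.replace("* Disabled *", "").strip(),
                 fields.get("Path", ""), "* Disabled *" in loc)

def parse_report(text):
    """Return one Entry per startup item; header blocks without 'Version:' are skipped."""
    entries, block = [], []
    for line in list(_clean(text)) + [""]:
        if line:
            block.append(line)
        else:
            if any(l.startswith("Version:") for l in block):
                entries.append(_parse_block(block))
            block = []
    return entries

def repeated(entries):   # paths registered more than once
    counts = Counter(e.path.lower() for e in entries)
    return {p: n for p, n in counts.items() if n > 1}

def compare(before, after):   # entries that are gone, and entries now disabled
    still_there = {e.path.lower() for e in after}
    removed = sorted({e.path for e in before if e.path.lower() not in still_there})
    disabled = sorted(e.path for e in after if e.disabled)
    return removed, disabled

# Constructed samples, abridged from entries shown on this page.
MWS = r"""
> >>MyWebSearch Email Plugin
> >>MWSOEMON.EXE
> >>My Web Search Email Plugin
> >>Version: 2,0,1,0
> >>Copyright © 2003-2004 MyWebSearch.com
> >>Location: Windows Startup Group
> >>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> >>* This is spyware.
> >>
"""
BEFORE = MWS * 2 + r"""
> >>Unknown Title
> >>DLHelperEXE.exe
> >>DLHelper Module
> >>Version: 6, 0, 0, 3
> >>Copyright 2001
> >>Location: Windows Startup Group
> >>Path: C:\Documents and Settings\linda\Start
> >>Menu\Programs\Startup\DLHelperEXE.exe
> >>
> >>Yahoo! Pager
> >>ypager.exe -quiet
> >>Yahoo! Messenger
> >>Version: 6,0,0,1750
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""
AFTER = r"""
> > Yahoo! Pager
> > ypager.exe -quiet
> > Yahoo! Messenger
> > Version: 6,0,0,1750
> > Location: * Disabled *
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> > Click for Plus Info
"""
```

Running `compare(parse_report(BEFORE), parse_report(AFTER))` lists the startup paths that no longer appear and the ones WinPatrol now marks as disabled.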
February 20, 2005 12:15:03 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain

hi Bob - i started going through your instructions, i have a couple things i
wanted to ask you. you mentioned that under the services tab...that i will
want to identify Microsoft items, what do i do if i find other items? also i
downloaded the items you had listed (the ones that weren't downloads i saved
the pages in my favorites) the first one i went to install "the toolbar cop"
i saved it to my desktop then scanned for any viruses, when i went to open
the zip file i rcvd the msg that it was a .exe file and did i really want to
open well i clicked yes i did, right after that my McAfee popped up and said
it was a suspicious script and what did i want to do? well i wasn't sure so i
stopped it. i don't know much about the "suspicious script" msgs and have only
rcvd a few of them and not knowing i always have stopped them..
continued in next msg......


"Bob Dietz" wrote:

> Your thanks is appreciated. :) 
>
> Glad to hear that things are looking better for you, but don't think
> that you're done and stop now. There are still those other WinPatrol
> tabs to look at.
>
> IE Helpers
> IE Helpers are also known as BHO's (Browser Helper Objects).
> When attempting to identify items, I usually start with "Name."
> If that doesn't net decent results, I move on to "Program."
> (Actually, I paid for WinPatrol Plus and seldom resort to google.)
> If you run into something that you cannot identify,
> you'll find WinPatrol is a bit anemic here -
> BHO's cannot be disabled, they can only be deleted.
> To temporarily disable one of these items, download another free
> program called Toolbar Cop. http://windowsxp.mvps.org/toolbarcop.htm
>
> Scheduled Tasks
> I have yet to run into any malware that utilizes Windows task
> scheduler, so I have no special instructions. But you do want to
> know the purpose for any scheduled tasks.
>
> Services
> At minimum, you'll want to identify any non-Microsoft services.
> As to the Microsoft services, the WinPatrol Plus info is pretty
> lightweight. Sources for info about Windows XP Services
> http://www.theeldergeek.com/services_guide.htm
> http://www.blackviper.com/WinXP/servicecfg.htm
>
> Active Tasks
> This corresponds to the Processes tab in Windows Task Manager.
> You really, really want to know about each of these items.
> The info in the Plus version of WinPatrol is fairly complete and
> is above average in quality. If you haven't paid for the plus version,
> start your investigation at http://www.answersthatwork.com and click
> on the "Task List" button. If you can't find the task listed there
> move on to google. If you can't find information there either, be
> suspicious. Click the "Info" button in WinPatrol and look at the
> full path to the executable file. Locate that executable file;
> right click on it and choose Properties. You're looking for clues.
>
> Before moving on it's worth noting that you can hold down the CTRL
> key and click on multiple "Active Tasks" and then "Kill Task" them
> all in one fell swoop. This is extremely useful when some obnoxious
> malware has started multiple different processes that keep
> re-adding startup items and restart their companion processes
> should you stop one of them.
>
> * See below for more info about processes and their associated DLLs.
>
> Cookies
> I've never felt that cookies were worth worrying about.
> WinPatrol has a cookie manager, but I don't use it and
> have no opinion.
>
> File Types
> "File type" determines what happens when you double click on
> a file with any given extension. For instance, if a file is named
> "Critical Data.doc" the ".doc" at the end is the file extension
> and information in Windows registry determines the File Type and
> what will happen. On many/most systems ".doc" is associated with
> Microsoft Word and a double click will open "Critical Data.doc"
> in Microsoft Word. If you install a new word processor ABC on
> that system, the install routine may reassociate the ".doc" file
> extension so that a double click on "Critical Data.doc" no longer
> opens it in MS Word, but rather in the newly installed ABC.
> WinPatrol alerts you when such changes are made. If you install
> and test bunches of software (like I do), that's handy.
>
> Although I don't know of any malware currently using file types
> to keep itself wedged onto systems, I think it is only a matter
> of time. Imagine that malware XYZ has been installed on your
> system. One of its files is XYZwedge and XYZwedge is the current
> association with the ".doc" file type. Each time you double click
> on a ".doc" file, XYZwedge reinserts XYZ into your startup items
> and then it Opens the ".doc" file in MS Word. Everything seems
> normal to you, except that the system seems to run slower and
> there are those @#$% pop-ups again.
>
> ****************************************************************
>
> If you don't already have them, add the following to your system's
> layered protection:
> Spyware Blaster - http://www.javacoolsoftware.com/spywareblaster.html
> IE Spyad - https://netfiles.uiuc.edu/ehowes/www/resource.htm
> An outbound firewall like Zone Alarm.
> http://www.zonelabs.com/store/content/company/products/...
> (The free for personal use version is at the bottom of the list.)
>
>
> ****************************************************************
>
> All your scans come up clean and all of the items on all of the
> WinPatrol tabs are accounted for and are supposed to be safe.
> But you still see a lot of pop-ups or the system still runs way too slow
> and/or there are many program crashes. What now?
>
> The technically inclined can download Process Viewer (prcview.exe)
> from http://www.xmlsp.com/pview/prcview.htm
> 1) Run Process Viewer and select "Module Useage" on the "View" menu.
> 2) Right click each module and choose "Copy Module Path."
> 3) Paste the copied path into a google search box;
> enclose it in double quotes and search.
> 4) Depending on what you found in step 3, search for just the
> file name and look for pages in the results that show the
> *.dll file in another path. eg.
> Windows KB article says that in Windows XP, abc.dll is found at
> C:\Windows\System32\abc.dll
> but the path on your system is
> C:\Windows\abc.dll
> The file on your system is spyware.
> Search google for instructions about how to remove it.
> If you can't find instructions, close the "Module Useage" window.
> Right click each process in the main Process viewer window and
> choose "Modules." Look for C:\Windows\abc.dll. Find ALL of the
> processes that use abc.dll with that full path, note the name
> of each such process. In WinPatrol, hold down the CTRL key and
> click each of those named processes. In a moment, you'll
> "Kill Task" them all at once. Before you do though, close out
> ALL other running programs! The evil malware .dll is probably
> attached to a vital system process and when you "Kill Task"
> the system will likely turn off about as fast as if you pulled
> the power cord out of the electric socket! If that happens, press
> the power button to boot the machine, otherwise reboot the machine.
> Double check that c:\windows\abc.dll is no longer a part of any
> running process.
>
> Otherwise, it's probably time to fdisk; format
> and re-install Windows from scratch. :( 
>
> --
> Bob Dietz
>
>
> linda wrote:
> > Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
> > a lot less crowded than it did- also when I look at the task manager it now
> > shows 37 programs, (I have a few things running when it shows that amt) and
> > not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
> > on the winpatrol and had already disabled that, I thought it was funny seeing
> > 3 times, so I'm glad to know I was on the right track there. When I went
> > back to the winpatrol and disable the DLHelper program, a minute or so later
> > I got a pop up saying that a new program was wanting to be added to the start
> > up-and it was the DLHelper I had just disabled, so I said no on the ok to add
> > to start-up. Here is what the list shows now: (pls read my add'l msg
> > after the winpatrol info)
> >
> > WinPatrol Startup Programs
> > Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
> > 2/11/2005
> >
> > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> > Browser: Microsoft® Windows® Operating System - Internet Explorer version
> > 6.00.2900.2180
> > Memory currently in use: 79%
> >
> > MSIE: Internet Explorer (6.00.2900.2180)
> >
> > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> > HKLM Default_Page_URL = http://www.emachines.com
> > HKCU Start Page = http://www.comcast.net/
> > HKLM Start Page = http://www.msn.com/
> >
> > WinLogon DefaultUserName=linda
> > WinLogon DefaultDomainName=LUCY
> > WinLogon Shell=Explorer.exe
> > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
> >
> >
> >
> > VSOCheckTask
> > mcmnhdlr.exe /checktask
> > McAfee VirusScan Command Handler
> > Version: 8, 0, 0, 0
> > Copyright © 1998-2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> > Click for Plus Info
> >
> >
> >
> > VirusScan Online
> > mcvsshld.exe
> > McAfee VirusScan ActiveShield Resource
> > Version: 8, 0, 0, 0
> > Copyright © 1998-2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> > Click for Plus Info
> >
> >
> >
> > MCAgentExe
> > mcagent.exe
> > McAfee SecurityCenter Agent
> > Version: 5, 0, 0, 0
> > Copyright © 2004 Networks Associates Technology, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> > Click for Plus Info
> >
> >
> >
> > MCUpdateExe
> > mcupdate.exe
> > McAfee SecurityCenter Update Engine
> > Version: 5, 0, 0, 0
> > Copyright © 2004 Networks Associates Technology, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> > Click for Plus Info
> >
> >
> >
> > pccguide.exe
> > pccguide.exe
> > PCCGuide
> > Version: 12.10.0
> > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> > Click for Plus Info
> >
> >
> >
> > WinPatrol
> > winpatrol.exe
> > WinPatrol System Monitor
> > Version: 8.1.2.0
> > Copyright © 1997- 2004 BillP Studios
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> > Click for Plus Info
> >
> >
> >
> > MPFExe
> > MpfTray.exe
> > McAfee Personal Firewall Tray Monitor
> > Version: 6.0.0.14
> > Copyright © 2000-2004 Networks Associates Technologies, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
> > Click for Plus Info
> >
> >
> >
> > McRegWiz
> > mcregwiz.exe /autorun
> > McRegWiz Module
> > Version: 1, 0, 0, 4
> > Copyright 2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
> > Click for Plus Info
> >
> >
> >
> > Microsoft Works Update Detection
> > WkDetect.exe
> > Microsoft® Works Update Detection
> > Version: 6.00.1828.1
> > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> > Location: * Disabled *
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Microsoft Works\WkDetect.exe
> > Click for Plus Info
> >
> >
> >
> > Yahoo! Pager
> > ypager.exe -quiet
> > Yahoo! Messenger
> > Version: 6,0,0,1750
> > Copyright 1998-2004
> > Location: * Disabled *
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> > Click for Plus Info
> >
> > I wanted to say THANK-YOU so much...not only do i appreciate you taking the
> > time to help me..and also the detail instructions,they were easy for me to
> > follow and understand, as I said in my original msg. Im relatively new at all
> > this so being able to follow/understand was great. I have only posted to
> > newsgroups a few times and honestly I have gotten a few responses that just
> > leave me sitting there going "HUH". Again thanks very much for your help!!!
> > Linda
> >
> >
> >
> > "Bob Dietz" wrote:
> >
> >
> >>Hi Linda,
> >>
> >>I was pretty busy yesterday. Sorry it took so long to get back to you
> >>
> >>Before you start you might want to print this out on your printer.
> >>
> >>I see some adware/spyware listed that I would have expected Lavasoft
> >>Ad-aware to have successfully removed. Let's run through the steps that
> >>will allow Ad-Aware to do its best work.
> >>
> >>1) Start Ad-Aware.
> >>2) Click "Check for updates now." (lower right corner)
> >>3) Connect and get any available updates.
> >> Verify that your version number matches the version number
> >> of the newest available Ad-Aware.
> >>4) Once you have the latest updates installed,
> >> close Ad-Aware and any other running programs.
> >>5) To make it easier for Ad-Aware to do its job,
> >> we're going to run it in SAFE MODE.
> >> A) Restart the computer.
> >> B) While the computer is booting - before the first
> >> "Windows" screen appears, tap the F8 key.
> >> C) When the boot menu appears, choose SAFE MODE.
> >>6) Start Ad-aware.
> >>7) Click the "Start" button in the Ad-Aware window.
> >>8) Set "Select Scan Mode" to "Perform full system scan."
> >>9) Click the "Next" button to start the scan.
> >>10) When the scan finishes, click "Next."
> >>11) "Scan Results" defaults to the "Critical Objects" tab.
> >> Changing to the "Scan Summary" tab, will give you
> >> a much clearer picture of what has been found and may
> >> save you quite a few mouse clicks as well. Be sure there
> >> is a check mark beside everything you want to remove and
> >> click "Next."
> >> * No need to click the Quarantine button, Ad-aware
> >> * automatically quarantines everything it removes.
> >>
> >>When you're done, close Ad-Aware and restart the computer letting it
> >>boot normally.
> >>Open the WinPatrol window.
> >>Click the "Title" column heading so that programs are sorted by title in
> >>A-Z order.
> >>
> >>Below you'll find your report (slightly reformatted so that programs are
> >>in A-Z order by title.) Each item is followed by my comments which are
> >>marked by asterisks. Presumably Ad-Aware will already have
> >>eliminated most of the evil ad-ware/spyware. If bad items still remain,
> >>we'll use the WinPatrol report to figure out how to remove those items.
> >>If you were doing this on your own, you'd -
> >> 1) Select the executable name with your mouse.
> >> 2) Right click on the selection and choose "Copy."
> >> 3) Open a new browser window and go to http://www.google.com
> >> 4) Right click in the Google search box and choose "Paste."
> >> 5) Click on the search button.
> >>Hint: If you install the Google toolbar ( http://toolbar.google.com ),
> >>you could select the executable name, right click and choose
> >>"Google Search."
> >>
> >>Use a little caution regarding the results of your search.
> >>Some of the sites providing the information about startup items are
> >>trying too hard to sell you something. For instance at least one site
> >>shows a very conspicuous warning "Internal IP Exposed!" This is a simple
> >> scam using javascript to display your IP in your browser on your
> >>computer. Nobody can see it who isn't sitting in front of your computer
> >>display.
> >>
> >>Here are some domains that I regard as above average. Look for these in
> >>the results of your Google spyware/adware searches.
> >>
> >>AnswersThatWork.com
> >>CastleCops.com
> >>Iamnotageek.com
> >>Neuber.com
> >>Sysinfo.org
> >>WinPatrol.com
> >>
> >>This Sysinfo.org page is worth putting in your favorites -
> >>http://www.sysinfo.org/startuplist.php
> >>
> >>
> >>*****************************************************************
> >>WinPatrol Startup Programs (Edited by Bob Dietz)
> >>
> >>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> >>Browser: Microsoft® Windows® Operating System - Internet Explorer
> >>version 6.00.2900.2180
> >>Memory currently in use: 91%
> >>********************************************************************
> >>* This memory currently in use number isn't critical, but
> >>* a lower value would be better. If you have less than 256Mb of RAM,
> >>* you should think about upgrading to more memory.
> >>********************************************************************
> >>
> >>
> >>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> >>HKLM Default_Page_URL = http://www.emachines.com
> >>HKCU Start Page = http://www.emachines.com/
> >>HKLM Start Page = http://www.msn.com/
> >>
> >>WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
> >>WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
> >>WinLogon Shell=Explorer.exe
> >>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
> >>
> >>
> >>
> >>CleanUp
> >>mcappins.exe /v=3 /cleanup
> >>McAfee Application Installer
> >>Version: 5, 0, 0, 0
> >>Copyright © 2004 Networks Associates Technology, Inc.
> >>Location:
> >>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
> >>********************************************************************
> >>* This is part of McAfee
> >>* I recommend that you leave it enabled. The site -
> >>* http://startup.iamnotageek.com/srch-mcappins.exe.html
> >>* describes it as
> >>* McAfee Application Installer. (What does it do and is it required?)
> >>* FWIW The Plus version of WinPatrol what it does and why it might
> >>* be required.
> >>********************************************************************
> >>
> >>
> >>
> >>eZstub
> >>eZstub.exe
> >>eZstub Module
> >>Version: 1, 0, 0, 1
> >>Copyright 2000
> >>Location:
> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> >>Path: Command /c del C:\WINDOWS\system32\eZstub.exe
> >>********************************************************************
> >>* This is an EZula component.
> >>* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
> >>* appears to be quite recent and I could find it mentioned on any
> >>* web pages. For that reason, Ad-Aware may have trouble removing
> >>* this even in SAFE MODE!
> >>* If Ad-Aware wasn't able to remove this, try using WinPatrol to
> >>* disable it. If it won't stay disabled, let me know and we'll
> >>* follow some additional steps.
> >>********************************************************************
> >>
> >>
> >>
> >>
> >>
> >>MCAgentExe
> >>mcagent.exe
> >>McAfee SecurityCenter Agent
> >>Version: 5, 0, 0, 0
> >>Copyright © 2004 Networks Associates Technology, Inc.
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> >>********************************************************************
> >>* This is part of McAfee
> >>* I recommend that you leave it enabled.
> >>* http://startup.iamnotageek.com/srch-mcagent.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>MCUpdateExe
> >>mcupdate.exe
> >>McAfee SecurityCenter Update Engine
> >>Version: 5, 0, 0, 0
> >>Copyright © 2004 Networks Associates Technology, Inc.
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> >>********************************************************************
> >>* This is part of McAfee
> >>* I recommend that you leave it enabled.
> >>* http://startup.iamnotageek.com/srch-mcupdate.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>Microsoft Works Update Detection
> >>WkDetect.exe
> >>Microsoft® Works Update Detection
> >>Version: 6.00.1828.1
> >>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Microsoft Works\WkDetect.exe
> >>********************************************************************
> >>* This checks for updates to MS Works
> >>* Unless your computer has more memory than you know what
> >>* to do with, I'd recommend disabling this in WinPatrol.
> >>* Disabling is better than removal, because you can always
> >>* decide to turn it back on at a later date.
> >>* http://startup.iamnotageek.com/srch-wkdetect.exe.html
> >>********************************************************************
> >>
> >>
> >>msnmsgr
> >>msnmsgr.exe /background
> >>MSN Messenger
> >>Version: Version 6.2
> >>Copyright (c) Microsoft Corporation 1997-2004
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
> >>********************************************************************
> >>* Letting MSN Messenger run is a user choice.
> >>* If you aren't sure what MSN Messenger is, you're not using
> >>* it and there is no use to have it running constantly
> >>* using up precious RAM.
> >>* Later in this report, we see that Yahoo! Pager is also running.
> >>* If you're using both of these programs, you might want to
> >>* consider replacing the two of them with Trillian, which is
> >>* open source freeware and provides the services of both programs.
> >>* http://www.neuber.com/taskmanager/process/msnmsgr.exe.h...
> >>********************************************************************
> >>
> >>
> >>MyWebSearch Email Plugin
> >>MWSOEMON.EXE
> >>My Web Search Email Plugin
> >>Version: 2,0,1,0
> >>Copyright © 2003-2004 MyWebSearch.com
> >>Location: Windows Startup Group
> >>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> >>********************************************************************
> >>* This is spyware.
> >>* The fact that there are four apparently identical instances
> >>* in the original report gives a little concern. I suspect
> >>* this may be the culprit with regard to the 22 instances of
> >>* rundll32.exe.
> >>* If these are still in the list after the SAFE MODE Ad-Aware scan,
> >>* try to disable them using WinPatrol.
> >>* If they refuse to stay disabled, let me know and there are other
> >>* steps we can try.
> >>* FWIW Here are some pages with more info about MyWebSearch.
> >>* http://www.mac-net.com/445088.page
> >>* http://www.iamnotageek.com/a/mwsoemon.exe.php
> >>* http://www.winpatrol.com/db/freesample/mwsoemon.html
> >>********************************************************************
> >>
> >>
> >>pccguide.exe
> >>pccguide.exe
> >>PCCGuide
> >>Version: 12.10.0
> >>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> >>********************************************************************
> >>* Part of Trend Micro's PC-cillin Anti-Virus
> >>* Do you have both PC-cillin and McAfee installed?
> >>********************************************************************
> >>
> >>
> >>
> >>Unknown Title
> >>DLHelperEXE.exe
> >>DLHelper Module
> >>Version: 6, 0, 0, 3
> >>Copyright 2001
> >>Location: Windows Startup Group
> >>Path: C:\Documents and Settings\linda\Start
> >>Menu\Programs\Startup\DLHelperEXE.exe
> >>********************************************************************
> >>* Probably part of CasinoOnNet adware.
> >>* If that's what it is, the Ad-Aware SAFE MODE scan probably
> >>* removed it. If not, try disabling it in WinPatrol.
> >>* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=45...
> >>********************************************************************
> >>
> >>
> >>
> >>VirusScan Online
> >>mcvsshld.exe
> >>McAfee VirusScan ActiveShield Resource
> >>Version: 8, 0, 0, 0
> >>Copyright © 1998-2003 Networks Associates Technology, Inc
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> >>********************************************************************
> >>* Part of McAfee VirusScan On-Line
> >>* I recommend leaving it enabled.
> >>* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>VSOCheckTask
> >>mcmnhdlr.exe /checktask
> >>McAfee VirusScan Command Handler
> >>Version: 8, 0, 0, 0
> >>Copyright © 1998-2003 Networks Associates Technology, Inc
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> >>********************************************************************
> >>* Part of McAfee's SecurityCenter and Virusscan Online.
> >>* I recommend leaving it enabled.
> >>* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>Web Offer
> >>EZPOPS~1.EXE
> >>eZstub Module
> >>Version: 1, 0, 0, 1
> >>Copyright 2000
> >>Location:
> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> >>Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
> >>********************************************************************
> >>* Another component of EZula adware.
> >>* I searched for specific information about this component -
> >>* http://www.google.com/search?q=EZPOPS%7E1.EXE
> >>* the information is pretty scant which indicates
> >>* this version of EZula is pretty new and most anti-spyware/
> >>* anti-adware programs probably won't remove it.
> >>* If the SAFE MODE Ad-Aware scan fails to remove this,
> >>* try disabling it in WinPatrol.
> >>* If it won't stay disabled, let me know - there are other
> >>* approaches to this problem.
> >>********************************************************************
> >>
> >>
> >>
> >>WinPatrol
> >>winpatrol.exe
> >>WinPatrol System Monitor
> >>Version: 8.1.2.0
> >>Copyright © 1997- 2004 BillP Studios
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> >>********************************************************************
> >>* This is WinPatrol
> >>* It's safe and I recommend that you leave it in.
> >>* But you can't really know if that's good advice until
> >>* you research it.
> >>* http://www.google.com/search?q=winpatrol.exe
> >>********************************************************************
> >>
> >>
> >>
> >>Yahoo! Pager
> >>ypager.exe -quiet
> >>Yahoo! Messenger
> >>Version: 6,0,0,1750
> >>Copyright 1998-2004
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> >>********************************************************************
> >>* Yahoo! Pager is an instant messenger application like
> >>* MSN Messenger. If you aren't using these, you should disable them.
> >>* If you're only using one of them, you should disable the one
> >>* you're not using.
> >>* If you're using both of them, you should think about switching
> >>* to Trillian, an open source freeware application that can connect
> >>* to many different types of instant messaging servers.
> >>* http://startup.iamnotageek.com/srch-ypager.exe.html
> >>********************************************************************
> >>
> >>
> >>--
> >>Bob Dietz
> >>
> >>linda wrote:
> >>
> >>>Hi Bob - this is what came up....thx for your help-prior to this when i ran
> >>>the lavasoft adware/spyware there was an item that came up that said it
> >>>affected the registry and i would select the cleanup/restore/delete for it,
> >>>it would say that the task was completed but if i ran the program again it
> >>>showed exactly the same thing it said it had taken care of? thought i would
> >>>mention this in case it has anything to do with what's going on now....thx
> >>>again for helping...linda
> >>>
> >>
>
February 20, 2005 12:19:04 PM

Archived from groups: microsoft.public.windowsxp.perform_maintain

I also downloaded the ie-spyad but am a little confused on how to tell if it's
there/working/ ?? I read the text document and that didn't help me on the
confusion? I have never really messed around in anything having to do with
the registry due to the fact that I rcvd a msg one time saying basically if
you change things it could mess up your system (if you don't know what you're
doing and I didn't/don't) so since then I have been shall we say afraid to go
there and do anything....

I'm still working on the items you had in your reply to me and once again
above and beyond the call of duty....you can probably tell I don't have a
vast amt of knowledge with all this (this is my first computer) I really
appreciate though the way you explained the "doc file" scenario and also the
registry changes, I could understand that, you seem to have a lot of
knowledge/info and you explain things that a person learning is able to
understand. instead of the typical "techno jargon" that only exp people
understand. thx again for all the help.


"Bob Dietz" wrote:

> Your thanks is appreciated. :) 
>
> Glad to hear that things are looking better for you, but don't think
> that you're done and stop now. There are still those other WinPatrol
> tabs to look at.
>
> IE Helpers
> IE Helpers are also known as BHO's (Browser Helper Objects).
> When attempting to identify items, I usually start with "Name."
> If that doesn't net decent results, I move on to "Program."
> (Actually, I paid for WinPatrol Plus and seldom resort to google.)
> If you run into something that you cannot identify,
> you'll find WinPatrol is a bit anemic here -
> BHO's cannot be disabled, they can only be deleted.
> To temporarily disable one of these items, download another free
> program called Toolbar Cop. http://windowsxp.mvps.org/toolbarcop.htm
>
> Scheduled Tasks
> I have yet to run into any malware that utilizes Windows Task
> Scheduler, so I have no special instructions. But you do want to
> know the purpose for any scheduled tasks.
>
> Services
> At minimum, you'll want to identify any non-microsoft services.
> As to the microsoft services, the WinPatrol Plus info is pretty
> light weight. Sources for info about Windows XP Services
> http://www.theeldergeek.com/services_guide.htm
> http://www.blackviper.com/WinXP/servicecfg.htm
>
> Active Tasks
> This corresponds to the Processes tab in Windows Task Manager.
> You really, really want to know about each of these items.
> The info in the Plus version of WinPatrol is fairly complete and
> is above average in quality. If you haven't paid for the plus version,
> start your investigation at http://www.answersthatwork.com and click
> on the "Task List" button. If you can't find the task listed there
> move on to google. If you can't find information there either, be
> suspicious. Click the "Info" button in WinPatrol and look at the
> full path to the executable file. Locate that executable file;
> right click on it and choose Properties. You're looking for clues.
>
> Before moving on it's worth noting that you can hold down the CTRL
> key and click on multiple "Active Tasks" and then "Kill Task" them
> all in one fell swoop. This is extremely useful when some obnoxious
> malware has started multiple different processes that keep
> re-adding startup items and restart their companion processes
> should you stop one of them.
>
> * See below for more info about processes and their associated DLLs.
>
> Cookies
> I've never felt that cookies were worth worrying about.
> WinPatrol has a cookie manager, but I don't use it and
> have no opinion.
>
> File Types
> "File type" determines what happens when you double click on
> a file with any given extension. For instance, if a file is named
> "Critical Data.doc" the ".doc" at the end is the file extension
> and information in Windows registry determines the File Type and
> what will happen. On many/most systems ".doc" is associated with
> Microsoft Word and a double click will open "Critical Data.doc"
> in Microsoft Word. If you install a new word processor ABC on
> that system, the install routine may reassociate the ".doc" file
> extension so that a double click on "Critical Data.doc" no longer
> opens it in MS Word, but rather in the newly installed ABC.
> WinPatrol alerts you when such changes are made. If you install
> and test bunches of software (like I do), that's handy.
>
> Although I don't know of any malware currently using file types
> to keep itself wedged onto systems, I think it is only a matter
> of time. Imagine that malware XYZ has been installed on your
> system. One of its files is XYZwedge and XYZwedge is the current
> association with the ".doc" file type. Each time you double click
> on a ".doc" file, XYZwedge reinserts XYZ into your startup items
> and then it Opens the ".doc" file in MS Word. Everything seems
> normal to you, except that the system seems to run slower and
> there are those @#$% pop-ups again.
>
> ****************************************************************
>
> If you don't already have them, add the following to your system's
> layered protection:
> Spyware Blaster - http://www.javacoolsoftware.com/spywareblaster.html
> IE Spyad - https://netfiles.uiuc.edu/ehowes/www/resource.htm
> An outbound firewall like Zone Alarm.
> http://www.zonelabs.com/store/content/company/products/...
> (The free for personal use version is at the bottom of the list.)
>
>
> ****************************************************************
>
> All your scans come up clean and all of the items on all of the
> WinPatrol tabs are accounted for and are supposed to be safe.
> But you still see a lot of pop-ups or the system still runs way too slow
> and/or there are many program crashes. What now?
>
> The technically inclined can download Process Viewer (prcview.exe)
> from http://www.xmlsp.com/pview/prcview.htm
> 1) Run Process Viewer and select "Module Usage" on the "View" menu.
> 2) Right click each module and choose "Copy Module Path."
> 3) Paste the copied path into a google search box;
> enclose it in double quotes and search.
> 4) Depending on what you found in step 3, search for just the
> file name and look for pages in the results that show the
> *.dll file in another path. eg.
> Windows KB article says that in Windows XP, abc.dll is found at
> C:\Windows\System32\abc.dll
> but the path on your system is
> C:\Windows\abc.dll
> The file on your system is spyware.
> Search google for instructions about how to remove it.
> If you can't find instructions, close the "Module Usage" window.
> Right click each process in the main Process viewer window and
> choose "Modules." Look for C:\Windows\abc.dll. Find ALL of the
> processes that use abc.dll with that full path, note the name
> of each such process. In WinPatrol, hold down the CTRL key and
> click each of those named processes. In a moment, you'll
> "Kill Task" them all at once. Before you do though, close out
> ALL other running programs! The evil malware .dll is probably
> attached to a vital system process and when you "Kill Task"
> the system will likely turn off about as fast as if you pulled
> the power cord out of the electric socket! If that happens, press
> the power button to boot the machine, otherwise reboot the machine.
> Double check that c:\windows\abc.dll is no longer a part of any
> running process.
>
> Otherwise, it's probably time to fdisk; format
> and re-install Windows from scratch. :( 
>
> --
> Bob Dietz
>
>
> linda wrote:
> > Hi Bob- I copied what is now on my winpatrol startup. It definitely looks
> > a lot less crowded than it did- also when I look at the task manager it now
> > shows 37 programs, (I have a few things running when it shows that amt) and
> > not a one "rundll...." ! I had seen that one "email plugin" listed 3 times
> > on the winpatrol and had already disabled that, I thought it was funny seeing
> > 3 times, so I'm glad to know I was on the right track there. When I went
> > back to the winpatrol and disable the DLHelper program, a minute or so later
> > I got a pop up saying that a new program was wanting to be added to the start
> > up-and it was the DLHelper I had just disabled, so I said no on the ok to add
> > to start-up. Here is what the list shows now: (pls read my add'l msg
> > after the winpatrol info)
> >
> > WinPatrol Startup Programs
> > Report created by WinPatrol version 8.1.2.0:8.1.2.0 at 7:47:10 PM, on
> > 2/11/2005
> >
> > Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> > Browser: Microsoft® Windows® Operating System - Internet Explorer version
> > 6.00.2900.2180
> > Memory currently in use: 79%
> >
> > MSIE: Internet Explorer (6.00.2900.2180)
> >
> > HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> > HKLM Default_Page_URL = http://www.emachines.com
> > HKCU Start Page = http://www.comcast.net/
> > HKLM Start Page = http://www.msn.com/
> >
> > WinLogon DefaultUserName=linda
> > WinLogon DefaultDomainName=LUCY
> > WinLogon Shell=Explorer.exe
> > WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
> >
> >
> >
> > VSOCheckTask
> > mcmnhdlr.exe /checktask
> > McAfee VirusScan Command Handler
> > Version: 8, 0, 0, 0
> > Copyright © 1998-2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> > Click for Plus Info
> >
> >
> >
> > VirusScan Online
> > mcvsshld.exe
> > McAfee VirusScan ActiveShield Resource
> > Version: 8, 0, 0, 0
> > Copyright © 1998-2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> > Click for Plus Info
> >
> >
> >
> > MCAgentExe
> > mcagent.exe
> > McAfee SecurityCenter Agent
> > Version: 5, 0, 0, 0
> > Copyright © 2004 Networks Associates Technology, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> > Click for Plus Info
> >
> >
> >
> > MCUpdateExe
> > mcupdate.exe
> > McAfee SecurityCenter Update Engine
> > Version: 5, 0, 0, 0
> > Copyright © 2004 Networks Associates Technology, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> > Click for Plus Info
> >
> >
> >
> > pccguide.exe
> > pccguide.exe
> > PCCGuide
> > Version: 12.10.0
> > Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> > Click for Plus Info
> >
> >
> >
> > WinPatrol
> > winpatrol.exe
> > WinPatrol System Monitor
> > Version: 8.1.2.0
> > Copyright © 1997- 2004 BillP Studios
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> > Click for Plus Info
> >
> >
> >
> > MPFExe
> > MpfTray.exe
> > McAfee Personal Firewall Tray Monitor
> > Version: 6.0.0.14
> > Copyright © 2000-2004 Networks Associates Technologies, Inc.
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
> > Click for Plus Info
> >
> >
> >
> > McRegWiz
> > mcregwiz.exe /autorun
> > McRegWiz Module
> > Version: 1, 0, 0, 4
> > Copyright 2003 Networks Associates Technology, Inc
> > Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
> > Click for Plus Info
> >
> >
> >
> > Microsoft Works Update Detection
> > WkDetect.exe
> > Microsoft® Works Update Detection
> > Version: 6.00.1828.1
> > Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> > Location: * Disabled *
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Microsoft Works\WkDetect.exe
> > Click for Plus Info
> >
> >
> >
> > Yahoo! Pager
> > ypager.exe -quiet
> > Yahoo! Messenger
> > Version: 6,0,0,1750
> > Copyright 1998-2004
> > Location: * Disabled *
> > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> > Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> > Click for Plus Info
> >
> > I wanted to say THANK-YOU so much...not only do i appreciate you taking the
> > time to help me..and also the detail instructions,they were easy for me to
> > follow and understand, as I said in my original msg. Im relatively new at all
> > this so being able to follow/understand was great. I have only posted to
> > newsgroups a few times and honestly I have gotten a few responses that just
> > leave me sitting there going "HUH". Again thanks very much for your help!!!
> > Linda
> >
> >
> >
> > "Bob Dietz" wrote:
> >
> >
> >>Hi Linda,
> >>
> >>I was pretty busy yesterday. Sorry it took so long to get back to you
> >>
> >>Before you start you might want to print this out on your printer.
> >>
> >>I see some adware/spyware listed that I would have expected Lavasoft
> >>Ad-aware to have successfully removed. Let's run through the steps that
> >>will allow Ad-Aware to do its best work.
> >>
> >>1) Start Ad-Aware.
> >>2) Click "Check for updates now." (lower right corner)
> >>3) Connect and get any available updates.
> >> Verify that your version number matches the version number
> >> of the newest available Ad-Aware.
> >>4) Once you have the latest updates installed,
> >> close Ad-Aware and any other running programs.
> >>5) To make it easier for Ad-Aware to do its job,
> >> we're going to run it in SAFE MODE.
> >> A) Restart the computer.
> >> B) While the computer is booting - before the first
> >> "Windows" screen appears, tap the F8 key.
> >> C) When the boot menu appears, choose SAFE MODE.
> >>6) Start Ad-aware.
> >>7) Click the "Start" button in the Ad-Aware window.
> >>8) Set "Select Scan Mode" to "Perform full system scan."
> >>9) Click the "Next" button to start the scan.
> >>10) When the scan finishes, click "Next."
> >>11) "Scan Results" defaults to the "Critical Objects" tab.
> >> Changing to the "Scan Summary" tab, will give you
> >> a much clearer picture of what has been found and may
> >> save you quite a few mouse clicks as well. Be sure there
> >> is a check mark beside everything you want to remove and
> >> click "Next."
> >> * No need to click the Quarantine button, Ad-aware
> >> * automatically quarantines everything it removes.
> >>
> >>When you're done, close Ad-Aware and restart the computer letting it
> >>boot normally.
> >>Open the WinPatrol window.
> >>Click the "Title" column heading so that programs are sorted by title in
> >>A-Z order.
> >>
> >>Below you'll find your report (slightly reformatted so that programs are
> >>in A-Z order by title.) Each item is followed by my comments which are
> >>marked by asterisks. Presumably Ad-Aware will already have
> >>eliminated most of the evil ad-ware/spyware. If bad items still remain,
> >>we'll use the WinPatrol report to figure out how to remove those items.
> >>If you were doing this on your own, you'd -
> >> 1) Select the executable name with your mouse.
> >> 2) Right click on the selection and choose "Copy."
> >> 3) Open a new browser window and go to http://www.google.com
> >> 4) Right click in the Google search box and choose "Paste."
> >> 5) Click on the search button.
> >>Hint: If you install the Google toolbar ( http://toolbar.google.com ),
> >>you could select the executable name, right click and choose
> >>"Google Search."
> >>
> >>Use a little caution regarding the results of your search.
> >>Some of the sites providing the information about startup items are
> >>trying too hard to sell you something. For instance at least one site
> >>shows a very conspicuous warning "Internal IP Exposed!" This is a simple
> >> scam using javascript to display your IP in your browser on your
> >>computer. Nobody can see it who isn't sitting in front of your computer
> >>display.
> >>
> >>Here are some domains that I regard as above average. Look for these in
> >>the results of your Google spyware/adware searches.
> >>
> >>AnswersThatWork.com
> >>CastleCops.com
> >>Iamnotageek.com
> >>Neuber.com
> >>Sysinfo.org
> >>WinPatrol.com
> >>
> >>This Sysinfo.org page is worth putting in your favorites -
> >>http://www.sysinfo.org/startuplist.php
> >>
> >>
> >>*****************************************************************
> >>WinPatrol Startup Programs (Edited by Bob Dietz)
> >>
> >>Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
> >>Browser: Microsoft® Windows® Operating System - Internet Explorer
> >>version 6.00.2900.2180
> >>Memory currently in use: 91%
> >>********************************************************************
> >>* This memory currently in use number isn't critical, but
> >>* a lower value would be better. If you have less than 256Mb of RAM,
> >>* you should think about upgrading to more memory.
> >>********************************************************************
> >>
> >>
> >>HKCU Window Title = Microsoft Internet Explorer provided by Comcast
> >>HKLM Default_Page_URL = http://www.emachines.com
> >>HKCU Start Page = http://www.emachines.com/
> >>HKLM Start Page = http://www.msn.com/
> >>
> >>WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
> >>WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
> >>WinLogon Shell=Explorer.exe
> >>WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
> >>
> >>
> >>
> >>CleanUp
> >>mcappins.exe /v=3 /cleanup
> >>McAfee Application Installer
> >>Version: 5, 0, 0, 0
> >>Copyright © 2004 Networks Associates Technology, Inc.
> >>Location:
> >>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
> >>********************************************************************
> >>* This is part of McAfee
> >>* I recommended that you leave it enabled. The site -
> >>* http://startup.iamnotageek.com/srch-mcappins.exe.html
> >>* describes it as
> >>* McAfee Application Installer. (What does it do and is it required?)
> >>* FWIW The Plus version of WinPatrol what it does and why it might
> >>* be required.
> >>********************************************************************
> >>
> >>
> >>
> >>eZstub
> >>eZstub.exe
> >>eZstub Module
> >>Version: 1, 0, 0, 1
> >>Copyright 2000
> >>Location:
> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> >>Path: Command /c del C:\WINDOWS\system32\eZstub.exe
> >>********************************************************************
> >>* This is an EZula component.
> >>* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
> >>* appears to be quite recent and I could find it mentioned on any
> >>* web pages. For that reason, Ad-Aware may have trouble removing
> >>* this even in SAFE MODE!
> >>* If Ad-Aware wasn't able to remove this, try using WinPatrol to
> >>* disable it. If it won't stay disabled, let me know and we'll
> >>* follow some additional steps.
> >>********************************************************************
> >>
> >>
> >>
> >>
> >>
> >>MCAgentExe
> >>mcagent.exe
> >>McAfee SecurityCenter Agent
> >>Version: 5, 0, 0, 0
> >>Copyright © 2004 Networks Associates Technology, Inc.
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
> >>********************************************************************
> >>* This is part of McAfee
> >>* I recommended that you leave it enabled.
> >>* http://startup.iamnotageek.com/srch-mcagent.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>MCUpdateExe
> >>mcupdate.exe
> >>McAfee SecurityCenter Update Engine
> >>Version: 5, 0, 0, 0
> >>Copyright © 2004 Networks Associates Technology, Inc.
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
> >>********************************************************************
> >>* This is part of McAfee
> >>* I recommended that you leave it enabled.
> >>* http://startup.iamnotageek.com/srch-mcupdate.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>Microsoft Works Update Detection
> >>WkDetect.exe
> >>Microsoft® Works Update Detection
> >>Version: 6.00.1828.1
> >>Copyright © Microsoft Corporation 1987-2000. All rights reserved.
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Microsoft Works\WkDetect.exe
> >>********************************************************************
> >>* This checks for updates to MS Works
> >>* Unless your computer has more memory than you know what
> >>* to do with, I'd recommend disabling this in WinPatrol.
> >>* Disabling is better than removal, because you can always
> >>* decide to turn it back on at a later date.
> >>* http://startup.iamnotageek.com/srch-wkdetect.exe.html
> >>********************************************************************
> >>
> >>
> >>msnmsgr
> >>msnmsgr.exe /background
> >>MSN Messenger
> >>Version: Version 6.2
> >>Copyright (c) Microsoft Corporation 1997-2004
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
> >>********************************************************************
> >>* Letting MSN Messenger run is a user choice.
> >>* If you aren't sure what MSN Messenger is, you're not using
> >>* it and there is no use to have it running constantly
> >>* using up precious RAM.
> >>* Later in this report, we see that Yahoo! Pager is also running.
> >>* If you're using both of these programs, you might want to
> >>* consider replacing the two of them with Trillian, which is
> >>* open source freeware and provides the services of both programs.
> >>* http://www.neuber.com/taskmanager/process/msnmsgr.exe.h...
> >>********************************************************************
> >>
> >>
> >>MyWebSearch Email Plugin
> >>MWSOEMON.EXE
> >>My Web Search Email Plugin
> >>Version: 2,0,1,0
> >>Copyright © 2003-2004 MyWebSearch.com
> >>Location: Windows Startup Group
> >>Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
> >>********************************************************************
> >>* This is spyware.
> >>* The fact that there are four apparently identical instances
> >>* in the original report gives a little concern. I suspect
> >>* this may be the culprit with regard to the 22 instances of
> >>* rundll32.exe.
> >>* If these are still in the list after the SAFE MODE Ad-Aware scan,
> >>* try to disable them using WinPatrol.
> >>* If they refuse to stay disabled, let me know and there are other
> >>* steps we can try.
> >>* FWIW Here are some pages with more info about MyWebSearch.
> >>* http://www.mac-net.com/445088.page
> >>* http://www.iamnotageek.com/a/mwsoemon.exe.php
> >>* http://www.winpatrol.com/db/freesample/mwsoemon.html
> >>********************************************************************
> >>
> >>
> >>pccguide.exe
> >>pccguide.exe
> >>PCCGuide
> >>Version: 12.10.0
> >>Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
> >>********************************************************************
> >>* Part of Trend Micro's PC-cillin Anti-Virus
> >>* Do you have both PC-cillin and McAfee installed?
> >>********************************************************************
> >>
> >>
> >>
> >>Unknown Title
> >>DLHelperEXE.exe
> >>DLHelper Module
> >>Version: 6, 0, 0, 3
> >>Copyright 2001
> >>Location: Windows Startup Group
> >>Path: C:\Documents and Settings\linda\Start
> >>Menu\Programs\Startup\DLHelperEXE.exe
> >>********************************************************************
> >>* Probably part of CasinoOnNet adware.
> >>* If that's what it is, the Ad-Aware SAFE MODE scan probably
> >>* removed it. If not, try disabling it in WinPatrol.
> >>* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=45...
> >>********************************************************************
> >>
> >>
> >>
> >>VirusScan Online
> >>mcvsshld.exe
> >>McAfee VirusScan ActiveShield Resource
> >>Version: 8, 0, 0, 0
> >>Copyright © 1998-2003 Networks Associates Technology, Inc
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
> >>********************************************************************
> >>* Part of McAfee VirusScan On-Line
> >>* I recommend leaving it enabled.
> >>* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>VSOCheckTask
> >>mcmnhdlr.exe /checktask
> >>McAfee VirusScan Command Handler
> >>Version: 8, 0, 0, 0
> >>Copyright © 1998-2003 Networks Associates Technology, Inc
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
> >>********************************************************************
> >>* Part of McAfee's SecurityCenter and Virusscan Online.
> >>* I recommend leaving it enabled.
> >>* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
> >>********************************************************************
> >>
> >>
> >>
> >>Web Offer
> >>EZPOPS~1.EXE
> >>eZstub Module
> >>Version: 1, 0, 0, 1
> >>Copyright 2000
> >>Location:
> >>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
> >>Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
> >>********************************************************************
> >>* Another component of EZula adware.
> >>* I searched for specific information about this component -
> >>* http://www.google.com/search?q=EZPOPS%7E1.EXE
> >>* the information is pretty scant which indicates
> >>* this version of EZula is pretty new and most anti-spyware/
> >>* anti-adware programs probably won't remove it.
> >>* If the SAFE MODE Ad-Aware scan fails to remove this,
> >>* try disabling it in WinPatrol.
> >>* If it won't stay disabled, let me know - there are other
> >>* approaches to this problem.
> >>********************************************************************
> >>
> >>
> >>
> >>WinPatrol
> >>winpatrol.exe
> >>WinPatrol System Monitor
> >>Version: 8.1.2.0
> >>Copyright © 1997- 2004 BillP Studios
> >>Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
> >>********************************************************************
> >>* This is WinPatrol
> >>* It's safe and I recommend that you leave it in.
> >>* But you can't really know if that's good advice until
> >>* you research it.
> >>* http://www.google.com/search?q=winpatrol.exe
> >>********************************************************************
> >>
> >>
> >>
> >>Yahoo! Pager
> >>ypager.exe -quiet
> >>Yahoo! Messenger
> >>Version: 6,0,0,1750
> >>Copyright 1998-2004
> >>Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> >>Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> >>********************************************************************
> >>* Yahoo! Pager is an instant messenger application like
> >>* MSN Messenger. If you aren't using these, you should disable them.
> >>* If you're only using one of them, you should disable the one
> >>* you're not using.
> >>* If you're using both of them, you should think about switching
> >>* to Trillian, an open source freeware application that can connect
> >>* to many different types of instant messaging servers.
> >>* http://startup.iamnotageek.com/srch-ypager.exe.html
> >>********************************************************************
> >>
> >>
> >>--
> >>Bob Dietz
> >>
> >>linda wrote:
> >>
> >>>Hi Bob - this is what came up....thx for your help-prior to this when i ran
> >>>the lavasoft adware/spyware there was an item that came up that said it
> >>>affected the registry and i would select the cleanup/restore/delete for it,
> >>>it would say that the task was completed but if i ran the program again it
> >>>showed exactly the same thing it said it had taken care of? thought i would
> >>>mention this in case it has anything to do with what's going on now....thx
> >>>again for helping...linda
> >>>
> >>
>
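
The check in step 4 of Bob's Process Viewer instructions (a DLL whose name belongs in C:\Windows\System32 but which is loaded from some other folder), run across every running process at once. This is an added example, not part of the original thread: the function name Find-MisplacedSystemModule and the list of trusted folders are assumptions, and it uses PowerShell on a current Windows system rather than the Process Viewer tool the post describes.

```powershell
# Added example (not from the thread): list loaded DLLs that share a file
# name with something in System32 but were loaded from a different folder.
function Find-MisplacedSystemModule {
    [CmdletBinding()]
    param(
        # Folders where Windows' own DLLs normally live. Assumption: default
        # Windows layout; extend the list for your environment.
        [string[]]$TrustedRoots = @(
            (Join-Path $env:SystemRoot 'System32'),
            (Join-Path $env:SystemRoot 'SysWOW64'),
            (Join-Path $env:SystemRoot 'WinSxS')
        )
    )

    $system32 = Join-Path $env:SystemRoot 'System32'
    $sigCache = @{}   # path -> signature result, so each file is checked once

    foreach ($proc in Get-Process) {
        try {
            # Reading .Modules fails for protected processes when not elevated.
            $modules = @($proc.Modules)
        } catch {
            Write-Verbose "Skipping $($proc.ProcessName) (PID $($proc.Id)): $($_.Exception.Message)"
            continue
        }

        foreach ($module in $modules) {
            $path = $module.FileName
            if ([string]::IsNullOrEmpty($path)) { continue }
            if ([IO.Path]::GetExtension($path) -ne '.dll') { continue }

            # Skip anything loaded from one of the trusted folders.
            $trusted = $false
            foreach ($root in $TrustedRoots) {
                $prefix = $root.TrimEnd('\') + '\'
                if ($path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $trusted = $true
                    break
                }
            }
            if ($trusted) { continue }

            # Only report names that also exist in System32: the
            # "abc.dll should be in System32 but is in C:\Windows" case.
            $name = [IO.Path]::GetFileName($path)
            if (-not (Test-Path -LiteralPath (Join-Path $system32 $name))) { continue }

            if (-not $sigCache.ContainsKey($path)) {
                $sigCache[$path] = Get-AuthenticodeSignature -LiteralPath $path
            }
            $sig = $sigCache[$path]

            [pscustomobject]@{
                Process    = $proc.ProcessName
                Id         = $proc.Id
                Module     = $name
                LoadedFrom = $path
                Signature  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Run from an elevated prompt to see modules of as many processes as possible.
Find-MisplacedSystemModule -Verbose |
    Sort-Object LoadedFrom, Id |
    Format-Table -AutoSize
```

Applications that ship their own copy of a runtime DLL will appear in the output too, so each row is something to research, with the Signature and Signer columns as the first triage step.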