Hi John,
I cleaned this up some and added comments or info about what something is
inside the [[ ]].
Nothing jumps out at me.
Jeez, you have a bunch of things that start at boot. McAfee sure adds a
bunch of crap.
------
What you're going to have to do is get rid of startup items one at a time
and keep rebooting until you find the offending entry.
Or uncheck the first half of the startup items, reboot and see if you still
get the error message. If you don't get the error message, then you have
narrowed it down to the second half. If you still get the error message,
recheck the first half of the items and then uncheck the last half of the
items, reboot and see if you get the error message.
You can keep narrowing it down until you find one offending startup item.
Make sure that you unplug the phone line to your modem while troubleshooting
as you will be disabling McAfee, your antivirus.
Open the System Configuration Utility...
Start | Run | Type: msconfig | Click OK |
Click the Startup tab.
UNCheck the first half of everything that's listed
Click the Apply button.
Click the Close button.
You will see this message...
[[You must restart your computer for some of the changes made by
System Configuration to take effect.]]
Click the Restart button.
Your machine will then reboot.
After your machine reboots, you will get the MSCONFIG Reminder Message...
[[You have used the System Configuration Utility to change the way Windows
starts.
The System Configuration Utility is currently in Diagnostic or Selective
Startup mode, causing this message to be displayed and the utility to run
every time Windows starts.
Choose the Normal Startup mode on the General tab to start Windows normally
and undo the changes you made using the System Configuration Utility.]]
Check: "Don't show this message or launch the System Configuration Utility
when Windows starts" and click OK.
You'll have to keep doing this until the guilty item is found. Since you
have a boatload of startup items, this will take a while.
Another way to troubleshoot this is, first make sure that you unplug the
phone line to your modem while troubleshooting as you will be disabling
McAfee, your antivirus. Then start killing off processes one at a time with
the Task Manager and open the Control Panel after you kill each process.
When you stop getting the error message you should know what process you
killed. That is the guilty party.
---------
Startup Programs
CTFMON.EXE c:\windows\system32\ctfmon.exe
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[ctfmon.exe = CTF Loader. Part of Microsoft Office. It activates
the Alternative User Input Text Input Processor (TIP) and the Microsoft
Office XP Language Bar.]]
msnmsgr "c:\program files\msn messenger\msnmsgr.exe"/background
HKU\S-1-5-21-2472243092-1981300170-3414494143-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[msnmsgr.exe is the main executable for MSN Messenger, which is bundled
with Windows and Microsoft Office. It provides online chat and file sharing
capabilities.]]
MSMSGS "c:\program files\messenger\msmsgs.exe" /background
HKU\S-1-5-21-2472243092-1981300170-3414494143-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[msmsgs.exe is the main process relating to the MSN Messenger Internet chat
tool installed by default on most Windows computers. A tray bar is also
installed alongside this process for easy access to its features which
include Internet chat, file sharing and audio/video conferencing. This is a
non-essential process. Disabling or enabling this is down to user
preference.
Note: msmsgs.exe is a process which is registered as the W32.Alcarys.B@mm
worm. This virus is distributed via the Internet through e-mail and comes in
the form of an e-mail message, in the hopes that you open its hostile
attachment. The worm has its own SMTP engine which means it gathers E-mails
from your local computer and re-distributes itself. In worst cases this worm
can allow attackers to access your computer, stealing passwords and personal
data. It is a registered security risk and should be removed immediately.]]
CTFMON.EXE c:\windows\system32\ctfmon.exe
..DEFAULT HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Why is CTFMON.EXE listed twice???
WinZip Quick Pick c:\progra~1\winzip\wzqkpick.exe
Common Startup (This is Start button | All Programs | Startup)
[[Wzqkpick.exe is the tray bar process for WinZip. The process is used to
access WinZip from the tray bar. To save resources this process can safely
be removed. ]]
VSOCheckTask "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[mcmnhdlr.exe is a vital process for McAfee SecurityCenter and Virusscan
Online. Removing this process will disable the automatic scanning.]]
VirusScan Online c:\program files\mcafee.com\vso\mcvsshld.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[mcvsshld.exe is an important executable belonging to McAfee's Internet
security suite. This program is important for the stable and secure running
of your computer and should not be terminated.]]
VirusScan c:\progra~1\mcafee.com\vso\mcvsshld.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Why is mcvsshld.exe listed twice???
UpdateManager "c:\program files\common files\sonic\update manager\sgtray.exe" /r
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[If you are running Veritas or Stomp Backup MyPC, then the sgrtray.exe is
the Veritas Update Manager. You can easily remove it by going through
Add/Remove Programs. It will be listed as the Veritas Update Manager.]]
SunJavaUpdateSched c:\program files\java\j2re1.4.2_03\bin\jusched.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[jusched.exe is a process installed alongside Sun Microsystems' Java2 suite
and checks for/installs Java updates.]]
RealTray c:\program files\real\realplayer\realplay.exe systemboothideplayer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
realplay.exe
[[System Tray icon for RealPlayer. If you subsequently start RealPlayer
manually it adds itself back to the start-up list. You can stop this from
happening by right-clicking on the tray icon and disabling SmartCenter via
Preferences]]
PCMService "c:\program files\dell\media experience\pcmservice.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[PCMService.exe is a part of the Dell media experience software. This is a
multimedia product, and the program is a non-essential process to the running
of the system]]
OASClnt c:\program files\mcafee.com\vso\oasclnt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[oasclnt.exe is a process associated with the McAfee VirusScan software. It
is a scan client service and should not be removed to ensure that your
AntiVirus application keeps you protected.]]
MPFExe c:\progra~1\mcafee.com\person~1\mpftray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[mpftray.exe is a process associated with McAfee Internet Security suite.
It creates an icon on the desktop tray for easy access. This program is a
non-essential system process, and is installed for ease of use]]
MessengerPlus3 "c:\program files\messengerplus! 3\msgplus.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[msgplus.exe is distributed as a third party MSN extension. However, it is
also spyware if installed with the sponsor program it offers to install. If this
optional sponsor program was installed, this process monitors your browsing
habits and distributes the data back to the author's servers for analysis.
This also prompts advertising popups.]]
MCUpdateExe c:\progra~1\mcafee.com\agent\mcupdate.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[mcupdate.exe is a process associated with McAfee Internet Security Suite.
This process ensures the computer's virus definitions are up to date by
connecting to McAfee's server on the Internet. This program is important for
the stable and secure running of your computer and should not be
terminated.]]
MCAgentExe c:\progra~1\mcafee.com\agent\mcagent.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[mcagent.exe is a process associated with McAfee Internet Security Suite.
This process ensures the computer's virus definitions are up to date by
communicating with the McAfee VirusScan server on the network. This program
is important for the stable and secure running of your computer and should
not be terminated.]]
IntelMeM c:\program files\intel\modem event monitor\intelmem.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[IntelMEM.exe is a process which assists Intel chipset based modems. This
program is a non-essential process to the running of the system]]
IgfxTray c:\windows\system32\igfxtray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[igfxtray.exe is a process which allows you to access the Intel
Graphics configuration and diagnostic application for the Intel 810 series
graphics chipset. This program is a non-essential system process, and is
installed for ease of use via the desktop tray. ]]
HotKeysCmds c:\windows\system32\hkcmd.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[hkcmd.exe is installed alongside Intel multimedia devices and allows
configuration and diagnostic options for these devices. This program is
a non-essential process to the running of the system]]
DVDLauncher "c:\program files\cyberlink\powerdvd\dvdlauncher.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[dvdlauncher.exe is a process belonging to the Cyberlink PowerCinema video
viewing software which allows you to play DVDs on insertion. This program
is a non-essential process, and is installed for ease of use. ]]
dla c:\windows\system32\dla\tfswctrl.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[tfswctrl.exe is an essential process for HP's packet writing software
which burns data to CDs using Microsoft Windows explorer. This program is a
non-essential system process]]
Dell AIO Printer A920 "c:\program files\dell aio printer a920\dlbkbmgr.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[dlbkbmgr.exe is a process which is installed alongside your Dell printer
and offers additional diagnostics and configuration for the Dell range of
printers. This program is a non-essential process to the running of the
system]]
BTopenworld "c:\program files\bt yahoo! internet\dialbtyahoo.exe" /reinstallautodial
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[[Connection for BTYahoo?????????]]
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
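
An added example, not part of the original post: a small Python triage of the listing above that groups startup rows by executable and separates entries that are the same registry value seen through two hive names from entries that are genuinely separate values. The row tuples are constructed from the listing, and the function names are hypothetical.

```python
import re
from collections import defaultdict

RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: (program, command, location) rows taken from the listing
# in the post; the tuple layout is an assumption, not the msinfo32 file format.
ROWS = [
    ("CTFMON.EXE", r"c:\windows\system32\ctfmon.exe", "HKU\\S-1-5-18\\" + RUN),
    ("CTFMON.EXE", r"c:\windows\system32\ctfmon.exe", "HKU\\.DEFAULT\\" + RUN),
    ("VirusScan Online", r"c:\program files\mcafee.com\vso\mcvsshld.exe", "HKLM\\" + RUN),
    ("VirusScan", r"c:\progra~1\mcafee.com\vso\mcvsshld.exe", "HKLM\\" + RUN),
    ("RealTray", r"c:\program files\real\realplayer\realplay.exe systemboothideplayer", "HKLM\\" + RUN),
    ("WinZip Quick Pick", r"c:\progra~1\winzip\wzqkpick.exe", "Common Startup"),
]

def executable(command):
    """Return the lower-cased image name from a startup command line."""
    cmd = command.strip()
    if cmd.startswith('"'):   # quoted path; arguments follow the closing quote
        path = cmd[1:].split('"', 1)[0]
    else:   # unquoted path may contain spaces and dots ("mcafee.com")
        m = re.match(r"(.+?\.(?:exe|com|bat|cmd))(?=\s|$)", cmd, re.I)
        path = m.group(1) if m else (cmd.split() or [""])[0]
    return path.rsplit("\\", 1)[-1].lower()

def canonical_location(location):
    # HKU\.DEFAULT is an alias for HKU\S-1-5-18 (the LocalSystem hive),
    # so both spellings are folded onto the SID form.
    loc = location.upper()
    prefix = "HKU\\.DEFAULT\\"
    if loc.startswith(prefix):
        return "HKU\\S-1-5-18\\" + loc[len(prefix):]
    return loc

def duplicates(rows):
    """Map image name -> 'alias' or 'distinct' for executables listed twice."""
    seen = defaultdict(list)
    for name, command, location in rows:
        seen[executable(command)].append((canonical_location(location), name.lower()))
    report = {}
    for exe, regs in seen.items():
        if len(regs) > 1:
            # One (key, value name) pair seen twice is a single registry value
            # read through two hive names; otherwise there are separate values.
            report[exe] = "alias" if len(set(regs)) == 1 else "distinct"
    return report

if __name__ == "__main__":
    for exe, verdict in duplicates(ROWS).items():
        print(exe, verdict)
```

An "alias" verdict means one Run value is being reported twice, so there is only one entry to disable; a "distinct" verdict means two separate values launch the same program and both need unchecking when bisecting.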
ronashill said:
Hi Wesley
I searched for both rundll.exe and rundll32.exe but only found the latter
(3 times in CI386, SYSTEM32 and Service PackFiles/i386)
Error messages cite either. So far as I can tell just rundll on start up
and rundll32 in the Control Panel. Should I follow the instructions on
the sites you refer to?
Thanks
John
Wesley Vogel said:
Hi John,
This will show what programs are started when you boot your machine.
Open System Information...
Start | Run | Type: msinfo32 | Click OK |
Click the [+] next to Software Environment |
Click on Startup Programs |
This will save the startup information to Startup.txt to your Desktop.
On the top toolbar, click on File | Click on Export | When the Export As
window opens, click on the Desktop icon | Use Startup for filename |
Click the Save button | Close System Information
Now go to your Desktop and locate Startup.txt, open it, right click and
select Select All, right click and select Copy.
Now paste what you just copied into a message and post back.
-----
rundll.exe is a Windows System process belonging to the Windows 95, 98
and ME.
rundll32.exe is what's in Windows XP. If rundll.exe exists on your
machine it is part of LOXOSCAM or Backdoor.SchoolBus.B trojans.
Backdoor.SchoolBus.B
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.schoolbus.b.html
Backdoor.LoxoScam
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.loxoscam.html
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
ronashill hunted and pecked:
No luck! The error has been on my system for a while but not been a
problem until now as I can just close it and carry on with most tasks.
Any other ideas?
Thanks
John