Hi Linda,
I was pretty busy yesterday. Sorry it took so long to get back to you.
Before you start you might want to print this out on your printer.
I see some adware/spyware listed that I would have expected Lavasoft
Ad-aware to have successfully removed. Let's run through the steps that
will allow Ad-Aware to do its best work.
1) Start Ad-Aware.
2) Click "Check for updates now." (lower right corner)
3) Connect and get any available updates.
Verify that your version number matches the version number
of the newest available Ad-Aware.
4) Once you have the latest updates installed,
close Ad-Aware and any other running programs.
5) To make it easier for Ad-Aware to do its job,
we're going to run it in SAFE MODE.
A) Restart the computer.
B) While the computer is booting - before the first
"Windows" screen appears, tap the F8 key.
C) When the boot menu appears, choose SAFE MODE.
6) Start Ad-aware.
7) Click the "Start" button in the Ad-Aware window.
8) Set "Select Scan Mode" to "Perform full system scan."
9) Click the "Next" button to start the scan.
10) When the scan finishes, click "Next."
11) "Scan Results" defaults to the "Critical Objects" tab.
Changing to the "Scan Summary" tab will give you
a much clearer picture of what has been found and may
save you quite a few mouse clicks as well. Be sure there
is a check mark beside everything you want to remove and
click "Next."
* No need to click the Quarantine button, Ad-aware
* automatically quarantines everything it removes.
When you're done, close Ad-Aware and restart the computer letting it
boot normally.
Open the WinPatrol window.
Click the "Title" column heading so that programs are sorted by title in
A-Z order.
Below you'll find your report (slightly reformatted so that programs are
in A-Z order by title.) Each item is followed by my comments which are
marked by asterisks. Presumably Ad-Aware will already have
eliminated most of the evil ad-ware/spyware. If bad items still remain,
we'll use the WinPatrol report to figure out how to remove those items.
If you were doing this on your own, you'd -
1) Select the executable name with your mouse.
2) Right click on the selection and choose "Copy."
3) Open a new browser window and go to
http://www.google.com
4) Right click in the Google search box and choose "Paste."
5) Click on the search button.
Hint: If you install the Google toolbar (
http://toolbar.google.com ),
you could select the executable name, right click and choose
"Google Search."
Use a little caution regarding the results of your search.
Some of the sites providing the information about startup items are
trying too hard to sell you something. For instance at least one site
shows a very conspicuous warning "Internal IP Exposed!" This is a simple
scam using javascript to display your IP in your browser on your
computer. Nobody can see it who isn't sitting in front of your computer
display.
Here are some domains that I regard as above average. Look for these in
the results of your Google spyware/adware searches.
AnswersThatWork.com
CastleCops.com
Iamnotageek.com
Neuber.com
Sysinfo.org
WinPatrol.com
This Sysinfo.org page is worth putting in your favorites -
http://www.sysinfo.org/startuplist.php
*****************************************************************
WinPatrol Startup Programs (Edited by Bob Dietz)
Platform: Windows XP Home Edition Service Pack 2 (Build 2600)
Browser: Microsoft® Windows® Operating System - Internet Explorer
version 6.00.2900.2180
Memory currently in use: 91%
********************************************************************
* This memory currently in use number isn't critical, but
* a lower value would be better. If you have less than 256 MB of RAM,
* you should think about upgrading to more memory.
********************************************************************
HKCU Window Title = Microsoft Internet Explorer provided by Comcast
HKLM Default_Page_URL =
http://www.emachines.com
HKCU Start Page =
http://www.emachines.com/
HKLM Start Page =
http://www.msn.com/
WinLogon DefaultUserName=XXXXXXXXXXXXXXXXXX
WinLogon DefaultDomainName=XXXXXXXXXXXXXXXX
WinLogon Shell=Explorer.exe
WinLogon UserInit=C:\WINDOWS\system32\userinit.exe,
CleanUp
mcappins.exe /v=3 /cleanup
McAfee Application Installer
Version: 5, 0, 0, 0
Copyright © 2004 Networks Associates Technology, Inc.
Location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
********************************************************************
* This is part of McAfee
* I recommend that you leave it enabled. The site -
* http://startup.iamnotageek.com/srch-mcappins.exe.html
* describes it as
* McAfee Application Installer. (What does it do and is it required?)
* FWIW The Plus version of WinPatrol explains what it does and why it might
* be required.
********************************************************************
eZstub
eZstub.exe
eZstub Module
Version: 1, 0, 0, 1
Copyright 2000
Location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Path: Command /c del C:\WINDOWS\system32\eZstub.exe
********************************************************************
* This is an EZula component.
* The other EZula component in this list - Web Offers - EZPOPS~1.EXE
* appears to be quite recent and I could find it mentioned on any
* web pages. For that reason, Ad-Aware may have trouble removing
* this even in SAFE MODE!
* If Ad-Aware wasn't able to remove this, try using WinPatrol to
* disable it. If it won't stay disabled, let me know and we'll
* follow some additional steps.
********************************************************************
MCAgentExe
mcagent.exe
McAfee SecurityCenter Agent
Version: 5, 0, 0, 0
Copyright © 2004 Networks Associates Technology, Inc.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
********************************************************************
* This is part of McAfee
* I recommend that you leave it enabled.
* http://startup.iamnotageek.com/srch-mcagent.exe.html
********************************************************************
MCUpdateExe
mcupdate.exe
McAfee SecurityCenter Update Engine
Version: 5, 0, 0, 0
Copyright © 2004 Networks Associates Technology, Inc.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\McAfee.com\Agent\mcupdate.exe
********************************************************************
* This is part of McAfee
* I recommend that you leave it enabled.
* http://startup.iamnotageek.com/srch-mcupdate.exe.html
********************************************************************
Microsoft Works Update Detection
WkDetect.exe
Microsoft® Works Update Detection
Version: 6.00.1828.1
Copyright © Microsoft Corporation 1987-2000. All rights reserved.
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Microsoft Works\WkDetect.exe
********************************************************************
* This checks for updates to MS Works
* Unless your computer has more memory than you know what
* to do with, I'd recommend disabling this in WinPatrol.
* Disabling is better than removal, because you can always
* decide to turn it back on at a later date.
* http://startup.iamnotageek.com/srch-wkdetect.exe.html
********************************************************************
msnmsgr
msnmsgr.exe /background
MSN Messenger
Version: Version 6.2
Copyright (c) Microsoft Corporation 1997-2004
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\MSN Messenger\msnmsgr.exe /background
********************************************************************
* Letting MSN Messenger run is a user choice.
* If you aren't sure what MSN Messenger is, you're not using
* it and there is no use to have it running constantly
* using up precious RAM.
* Later in this report, we see that Yahoo! Pager is also running.
* If you're using both of these programs, you might want to
* consider replacing the two of them with Trillian, which is
* open source freeware and provides the services of both programs.
* http://www.neuber.com/taskmanager/process/msnmsgr.exe.html
********************************************************************
MyWebSearch Email Plugin
MWSOEMON.EXE
My Web Search Email Plugin
Version: 2,0,1,0
Copyright © 2003-2004 MyWebSearch.com
Location: Windows Startup Group
Path: C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
********************************************************************
* This is spyware.
* The fact that there are four apparently identical instances
* in the original report gives a little concern. I suspect
* this may be the culprit with regard to the 22 instances of
* rundll32.exe.
* If these are still in the list after the SAFE MODE Ad-Aware scan,
* try to disable them using WinPatrol.
* If they refuse to stay disabled, let me know and there are other
* steps we can try.
* FWIW Here are some pages with more info about MyWebSearch.
* http://www.mac-net.com/445088.page
* http://www.iamnotageek.com/a/mwsoemon.exe.php
* http://www.winpatrol.com/db/freesample/mwsoemon.html
********************************************************************
pccguide.exe
pccguide.exe
PCCGuide
Version: 12.10.0
Copyright (C) 1995-2004 Trend Micro Incorporated. All rights reserved.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
********************************************************************
* Part of Trend Micro's PC-cillin Anti-Virus
* Do you have both PC-cillin and McAfee installed?
********************************************************************
Unknown Title
DLHelperEXE.exe
DLHelper Module
Version: 6, 0, 0, 3
Copyright 2001
Location: Windows Startup Group
Path: C:\Documents and Settings\linda\Start Menu\Programs\Startup\DLHelperEXE.exe
********************************************************************
* Probably part of CasinoOnNet adware.
* If that's what it is, the Ad-Aware SAFE MODE scan probably
* removed it. If not, try disabling it in WinPatrol.
* http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453073208
********************************************************************
VirusScan Online
mcvsshld.exe
McAfee VirusScan ActiveShield Resource
Version: 8, 0, 0, 0
Copyright © 1998-2003 Networks Associates Technology, Inc
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\Program Files\McAfee.com\VSO\mcvsshld.exe
********************************************************************
* Part of McAfee VirusScan On-Line
* I recommend leaving it enabled.
* http://startup.iamnotageek.com/srch-mcvsshld.exe.html
********************************************************************
VSOCheckTask
mcmnhdlr.exe /checktask
McAfee VirusScan Command Handler
Version: 8, 0, 0, 0
Copyright © 1998-2003 Networks Associates Technology, Inc
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe /checktask
********************************************************************
* Part of McAfee's SecurityCenter and Virusscan Online.
* I recommend leaving it enabled.
* http://startup.iamnotageek.com/srch-mcmnhdlr.exe.html
********************************************************************
Web Offer
EZPOPS~1.EXE
eZstub Module
Version: 1, 0, 0, 1
Copyright 2000
Location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
********************************************************************
* Another component of EZula adware.
* I searched for specific information about this component -
* http://www.google.com/search?q=EZPOPS~1.EXE
* the information is pretty scant which indicates
* this version of EZula is pretty new and most anti-spyware/
* anti-adware programs probably won't remove it.
* If the SAFE MODE Ad-Aware scan fails to remove this,
* try disabling it in WinPatrol.
* If it won't stay disabled, let me know - there are other
* approaches to this problem.
********************************************************************
WinPatrol
winpatrol.exe
WinPatrol System Monitor
Version: 8.1.2.0
Copyright © 1997- 2004 BillP Studios
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
********************************************************************
* This is WinPatrol
* It's safe and I recommend that you leave it in.
* But you can't really know if that's good advice until
* you research it.
* http://www.google.com/search?q=winpatrol.exe
********************************************************************
Yahoo! Pager
ypager.exe -quiet
Yahoo! Messenger
Version: 6,0,0,1750
Copyright 1998-2004
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
********************************************************************
* Yahoo! Pager is an instant messenger application like
* MSN Messenger. If you aren't using these, you should disable them.
* If you're only using one of them, you should disable the one
* you're not using.
* If you're using both of them, you should think about switching
* to Trillian, an open source freeware application that can connect
* to many different types of instant messaging servers.
* http://startup.iamnotageek.com/srch-ypager.exe.html
********************************************************************
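
A small triage script for a report in the layout above, added here as an example (it is not part of the original message and not WinPatrol's own tooling). The sample is constructed from entries in the report with the Copyright lines left out, the flag rules are assumptions for illustration that mark entries to look up first rather than verdicts, and wrapped Path lines are assumed to have been rejoined.

```python
# Constructed sample in the report layout above: title, command, description,
# Version, Location (may wrap onto the next line), Path, then "*" comments.
SAMPLE = r"""
MCAgentExe
mcagent.exe
McAfee SecurityCenter Agent
Version: 5, 0, 0, 0
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: c:\Program Files\McAfee.com\Agent\mcagent.exe
********************************************************************
* This is part of McAfee
Unknown Title
DLHelperEXE.exe
DLHelper Module
Version: 6, 0, 0, 3
Location: Windows Startup Group
Path: C:\Documents and Settings\linda\Start Menu\Programs\Startup\DLHelperEXE.exe
Web Offer
EZPOPS~1.EXE
eZstub Module
Version: 1, 0, 0, 1
Location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Path: Command /c del C:\WINDOWS\system32\EZPOPS~1.EXE
"""

def parse_report(text):
    """Return one dict per startup entry: title, command, location, path."""
    entries, block = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("*"):
            continue                      # skip comments and separator rows
        block.append(line)
        if line.startswith("Path:"):      # a Path line closes the entry
            loc = next(i for i, b in enumerate(block) if b.startswith("Location:"))
            location = " ".join(block[loc:-1])[len("Location:"):].strip()
            entries.append({"title": block[0], "command": block[1],
                            "location": location, "path": line[5:].strip()})
            block = []
    return entries

def triage(e):
    """Reasons to research an entry first; heuristics assumed for this example."""
    checks = [("no title", e["title"] == "Unknown Title"),
              ("startup folder", e["location"] == "Windows Startup Group"),
              ("RunOnce key", e["location"].endswith("RunOnce")),
              ("8.3 short name", "~" in e["command"])]
    return [name for name, hit in checks if hit]
```

Calling `triage` on each dict from `parse_report` gives the short list of entries to search for first; an empty list only means none of these assumed rules matched, not that the program is safe.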