# [Resolved] Run dll as an App in Zone alarm list



## SuperGirl (Jan 2, 2003)

I have a problem with my ZA. Or possibly my computer. I have noticed when using Kazaa and/or Adobe, my computer freezes or reboots to restore my active desktop.

I noticed I have Rundll as an App as one of my programs....is this the cause of my system problems?


----------



## Rollin' Rog (Dec 9, 2000)

Welcome to TSG, Supergirl

Kazaa installs a lot of spy and adware garbage and that could be a problem. Let's see a post of your startups and running processes. Just get the StartupList application from the site below and unzip and run it. Then copy/paste the results to a reply.

http://www.lurkhere.com/~nicefiles/

We will probably have you install and run Spybot, but it's best for us to have a look at what's there first.

http://tomcoyote.com/SPYBOT/


----------



## SuperGirl (Jan 2, 2003)

StartupList report, 1/1/03, 7:47:47 PM
StartupList version: 1.50
Started from : C:\WINDOWS\DESKTOP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\TOTEM SHARED\UNINSTALL0001\UPD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE
C:\PROGRAM FILES\COMMON FILES\EACCELERATION\EANTHOLOGY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ACCELERATION SOFTWARE\VELOZDEFENDER\VELOZSYS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ACCELERATION SOFTWARE\VELOZDEFENDER\VELOZ.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\IPSECDIALER.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\WLMNOB2B\FIXYAHA[1].COM
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\DESKTOP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
EnsoniqMixer = starter.exe
LoadQM = loadqm.exe
MSN Messenger = C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(2).exe
CriticalUpdate = C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
mgavrtclexe = C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
AVG_CC = C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
DXM6Patch_981116 = C:\WINDOWS\p_981116.exe /Q:A
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
mdac_runonce = C:\WINDOWS\SYSTEM\runonce.exe
MoneyStartUp10.0 = "C:\Program Files\Microsoft Money\System\Activation.exe"
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
Client Access Service = "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
Client Access Help Update = "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
Client Access Check Version = "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
Client Access Express Welcome = "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
FSW = C:\Program Files\FSW\FSW.EXE
WebScan = C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
EanthologyApp = C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
LSPFix = C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal
eMailEncryption = C:\PROGRA~1\ACCELE~1\VELOZD~1\VELOZSYS.EXE runstart
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

mgavrtclexe = C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
minilog = C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.EXE -service
Client Access Start Incoming RC = ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
SchedulingAgent = mstask.exe
CVPND = "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WEBCAMRT.EXE = 
QuickCamPro.exe = 
NVIEW = rundll32.exe nview.dll,nViewLoadHook
H/PC Connection Agent = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore]
StubPath = rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 1/1/2003, 8:5:54)

[rename]
NUL=C:\PROGRA~1\GRISOFT\AVG6\$AVGUPD$.BKP

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\PROGRA~1\CREATIVE\AUDIO\DOSDRV

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\setver.exe
device=c:\windows\emm386.exe NOEMS
FILES=65
BUFFERS=40
STACKS=64,512

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

C:\WINDOWS\SETUPDS.EXE /S
C:\PROGRA~1\CREATIVE\AUDIO\DOSDRV\SBINIT

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

MSN smart tags - C:\PROGRA~1\MSN\SMARTTAG\MSNBHO.DLL - {9DD4258A-7138-49C4-8D34-587879A5C7A4}
(no name) - (no file) - {EF99BD32-C1FB-11D2-892F-0090271D4F88}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
(no name) - C:\WINDOWS\SYSTEM\NZDD.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Windows Critical Update Notification.job
Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[BtnMenu Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\BTNMENU.OCX
CODEBASE = http://activex.microsoft.com/activex/controls/iexplorer/x86/btnmenu.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.25.44/2439e27224d1b6be7b19/netzip/RdxIE.cab

[iPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IPIXX.OCX
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUPML.DLL
CODEBASE = http://ftp.hp.com/pub/automatic/player/isetupML.cab

[MS Investor Ticker]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TICKER9.OCX
CODEBASE = http://fdl.msn.com/public/investor/v9.5/ticker.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[McAfee.com Download+Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MCINSCTL.DLL
CODEBASE = http://download.mcafee.com/molbin/shared/mcinstall.cab

[compid Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GWCID.DLL
CODEBASE = http://www.gateway.com/support/contact/serial/gwCID.CAB

[CuWeb CuWebConf]
InProcServer32 = C:\WINDOWS\SYSTEM\CUWEB\CUWEB.DLL
CODEBASE = http://ic2.cuseeme.com/packages/cuweb.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MCINSCTL.DLL
CODEBASE = http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/3,0,0,27/mcinsctl.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

[Controller Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTRO~1.OCX
CODEBASE = http://www.blueocean.com/tiwebdemo/Downloads/controller.cab

[Track-It! WebAudit]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TRACKI~1.OCX
CODEBASE = http://www.blueocean.com/tiwebdemo/Downloads/TrackitWebAudit.cab

[WTHoster Class]
InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WTHOSTCTL.DLL
CODEBASE = http://www.wildtangent.com/install/wdriver/ddc/shockwave/blackhawkstriker/wtinst.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
CODEBASE = http://office.microsoft.com/ProductUpdates/content/opuc.cab

[Live365Player Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLAY365.DLL
CODEBASE = http://www.live365.com/players/play365.cab

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805...com/audit/includes/ContentAuditControl_v3.cab

[{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
CODEBASE = http://205.252.89.9/Software_Plugin.exe

[{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
CODEBASE = http://images.bonzi.com/freebuddy/wd/bbsetupad1.exe

[FunnyVoiceCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\FUNNYV~1.OCX
CODEBASE = http://www.kiddonet.com/kiddonet/cards/FunnyVoice.ocx

[KNCheckCtl Class]
InProcServer32 = C:\WINDOWS\SYSTEM\KNCHECK.OCX
CODEBASE = http://www.kiddonet.com/kiddonet/support/KNCheck.cab

[Gtek Print Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\GTEKPRT.OCX
CODEBASE = http://www.kiddonet.com/kiddonet/GtekPrt.ocx

[ColoringCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\COLORING.OCX
CODEBASE = http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx

[KaraokeComCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\KARAOKECOM.OCX
CODEBASE = http://www.kiddonet.com/lapware/actmenu/KaraokeAnim/karaokeCom.ocx

[MSN Chat Control 4.2]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT42.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

[RFXPlayer Class]
InProcServer32 = C:\PROGRAM FILES\COMMON FILES\RICHFX\NPVPG005.DLL
CODEBASE = http://download.richfx.com/player/mediaversion/005/latest/twophase.cab

[Fswinst.Application]
CODEBASE = http://www.newtopsites.com/media/fswinst.exe

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
CODEBASE = http://www.browserwise.com/search1/install/XupiterToolbarLoader.cab

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://pluginaccess.com/Browser_Plugin.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37599.240462963

[ExentInf Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EXENTCTL_0_0_0_0.OCX
CODEBASE = http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\WINDOWS\SYSTEM\asiclayer.dll
Protocol #2: C:\WINDOWS\SYSTEM\asiclayer.dll
Protocol #9: C:\WINDOWS\SYSTEM\asiclayer.dll

--------------------------------------------------
End of report, 15,073 bytes
Report generated in 5.339 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Rollin' Rog (Dec 9, 2000)

Yes you do have a lot of ad and spyware there. But the first thing I'm going to recommend you do is go to Add/Remove programs and remove anything for Eanthology and hopefully get rid of the following startup entries:

WebScan = C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k

EanthologyApp = C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup

LSPFix = C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal

eMailEncryption = C:\PROGRA~1\ACCELE~1\VELOZD~1\VELOZSYS.EXE runstart

Just stick with AVG, Eanthology is a known spyware outfit and their programs are just fronts for that.

>> Next, click Start>Run, and enter *regedit*

Navigate to the key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

>> With the Run folder highlighted on the left, Right click on and delete the following items in the Right pane:

1 -- mdac_runonce = C:\WINDOWS\SYSTEM\runonce.exe

2 -- Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer

3 -- FSW = C:\Program Files\FSW\FSW.EXE

4 -- MSN Messenger = C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(2).exe

(this last is known as the "annoying worm")

Close the Editor, reboot. Now if you haven't installed and updated Spybot, do that and run it. Have it "fix" all prechecked items.

Reboot and provide another startuplist. I'm sure I'll have more for you still.


----------



## SuperGirl (Jan 2, 2003)

Ok here it is....THANKS SO MUCH!! You are a great help!! I Love this site!!

StartupList report, 1/1/03, 8:42:19 PM
StartupList version: 1.50
Started from : C:\WINDOWS\DESKTOP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
EnsoniqMixer = starter.exe
LoadQM = loadqm.exe
CriticalUpdate = C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
mgavrtclexe = C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
AVG_CC = C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
DXM6Patch_981116 = C:\WINDOWS\p_981116.exe /Q:A
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
MoneyStartUp10.0 = "C:\Program Files\Microsoft Money\System\Activation.exe"
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
Client Access Service = "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
Client Access Help Update = "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
Client Access Check Version = "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
Client Access Express Welcome = "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

mgavrtclexe = C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
minilog = C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.EXE -service
Client Access Start Incoming RC = ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
SchedulingAgent = mstask.exe
CVPND = "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WEBCAMRT.EXE = 
QuickCamPro.exe = 
NVIEW = rundll32.exe nview.dll,nViewLoadHook
H/PC Connection Agent = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore]
StubPath = rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 1/1/2003, 20:42:0)

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 1/1/2003, 20:27:2)

[Rename]
NUL=C:\WINDOWS\TEMP\EACA382.TMP

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\PROGRA~1\CREATIVE\AUDIO\DOSDRV

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\setver.exe
device=c:\windows\emm386.exe NOEMS
FILES=65
BUFFERS=40
STACKS=64,512

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

C:\WINDOWS\SETUPDS.EXE /S
C:\PROGRA~1\CREATIVE\AUDIO\DOSDRV\SBINIT

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

MSN smart tags - C:\PROGRA~1\MSN\SMARTTAG\MSNBHO.DLL - {9DD4258A-7138-49C4-8D34-587879A5C7A4}
(no name) - (no file) - {EF99BD32-C1FB-11D2-892F-0090271D4F88}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
(no name) - C:\WINDOWS\SYSTEM\NZDD.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Windows Critical Update Notification.job
Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[BtnMenu Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\BTNMENU.OCX
CODEBASE = http://activex.microsoft.com/activex/controls/iexplorer/x86/btnmenu.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.25.44/2439e27224d1b6be7b19/netzip/RdxIE.cab

[iPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IPIXX.OCX
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUPML.DLL
CODEBASE = http://ftp.hp.com/pub/automatic/player/isetupML.cab

[MS Investor Ticker]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TICKER9.OCX
CODEBASE = http://fdl.msn.com/public/investor/v9.5/ticker.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[McAfee.com Download+Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MCINSCTL.DLL
CODEBASE = http://download.mcafee.com/molbin/shared/mcinstall.cab

[compid Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GWCID.DLL
CODEBASE = http://www.gateway.com/support/contact/serial/gwCID.CAB

[CuWeb CuWebConf]
InProcServer32 = C:\WINDOWS\SYSTEM\CUWEB\CUWEB.DLL
CODEBASE = http://ic2.cuseeme.com/packages/cuweb.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MCINSCTL.DLL
CODEBASE = http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/3,0,0,27/mcinsctl.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

[Controller Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTRO~1.OCX
CODEBASE = http://www.blueocean.com/tiwebdemo/Downloads/controller.cab

[Track-It! WebAudit]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TRACKI~1.OCX
CODEBASE = http://www.blueocean.com/tiwebdemo/Downloads/TrackitWebAudit.cab

[WTHoster Class]
InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WTHOSTCTL.DLL
CODEBASE = http://www.wildtangent.com/install/wdriver/ddc/shockwave/blackhawkstriker/wtinst.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
CODEBASE = http://office.microsoft.com/ProductUpdates/content/opuc.cab

[Live365Player Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLAY365.DLL
CODEBASE = http://www.live365.com/players/play365.cab

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805...com/audit/includes/ContentAuditControl_v3.cab

[{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
CODEBASE = http://205.252.89.9/Software_Plugin.exe

[{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
CODEBASE = http://images.bonzi.com/freebuddy/wd/bbsetupad1.exe

[FunnyVoiceCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\FUNNYV~1.OCX
CODEBASE = http://www.kiddonet.com/kiddonet/cards/FunnyVoice.ocx

[KNCheckCtl Class]
InProcServer32 = C:\WINDOWS\SYSTEM\KNCHECK.OCX
CODEBASE = http://www.kiddonet.com/kiddonet/support/KNCheck.cab

[Gtek Print Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\GTEKPRT.OCX
CODEBASE = http://www.kiddonet.com/kiddonet/GtekPrt.ocx

[ColoringCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\COLORING.OCX
CODEBASE = http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx

[KaraokeComCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\KARAOKECOM.OCX
CODEBASE = http://www.kiddonet.com/lapware/actmenu/KaraokeAnim/karaokeCom.ocx

[MSN Chat Control 4.2]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT42.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

[RFXPlayer Class]
InProcServer32 = C:\PROGRAM FILES\COMMON FILES\RICHFX\NPVPG005.DLL
CODEBASE = http://download.richfx.com/player/mediaversion/005/latest/twophase.cab

[Fswinst.Application]
CODEBASE = http://www.newtopsites.com/media/fswinst.exe

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://pluginaccess.com/Browser_Plugin.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37599.240462963

[ExentInf Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EXENTCTL_0_0_0_0.OCX
CODEBASE = http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

--------------------------------------------------
End of report, 13,631 bytes
Report generated in 0.425 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Rollin' Rog (Dec 9, 2000)

Great progress, although I still see the rundll32.exe there. This might be coming from:

NVIEW = rundll32.exe nview.dll,nViewLoadHook

This is something associated with Nvidia drivers, but is unlikely to be a required file. I'd suggest you go to Start>Run, enter *msconfig* and uncheck it under the Startup tab. While you're there, also uncheck (because they are unneeded and can cause problems):

LoadQM = loadqm.exe 
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE

You should also delete the file that was associated with the "annoying worm":

MSN Messenger = C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\*PIC1324(1)(1)(2).exe *

I'm not familiar with everything you have in your startups, but when you have the time, you might want to review what remains against the information and advice in this link. Msconfig can be used to disable anything not really needed without actually removing it.

http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM

Finally, under this category in your StartupList a lot of malware activex objects remain. They are not generally threats unless you visit a site that looks for them. But I would remove all that are not associated with major vendors such as Microsoft or Macromedia or Adobe.

This can be done by going to Internet Options > Settings > View Objects

You will have to right click on each to view their properties. You need have no fear of making a mistake there; anything really needed by a major vendor will be reinstalled via a prompted download when you visit their sites.

*edit* marking this 'resolved' per PM from SuperGirl:

I am so glad I found this site!!! I cleaned up as much as I can and the Rundll is not showing up in my ZA!!! YAY!!

Thank you again!! AND HAPPY NEW YEAR!!

SuperGirl!!!
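
The method Rollin' Rog applies across his two replies above (work from the Run and RunServices entries rather than the bare rundll32.exe line in the process list, since rundll32 only hosts whatever DLL the entry names; and suspect anything that starts from My Documents, Temporary Internet Files or a download directory) can be mechanised against the StartupList text itself. The Python below is an added example written for this page, not a tool from the thread, from TSG or from the StartupList author. Its input is a trimmed, constructed report in the same layout as the two posted above, and the `RISKY_DIRS` list and the `EXE_EXT`-based handling of unquoted paths are heuristics of my own, not anything StartupList does.

```python
import re

SEPARATOR = re.compile(r"^(-{10,}|={10,})$")  # StartupList section breaks
ENTRY = re.compile(r"^(.+?)\s*=\s*(.*)$")     # "name = command" lines
EXE_EXT = (".EXE", ".COM", ".SCR", ".BAT", ".PIF", ".DLL")
# Heuristic of my own, not StartupList's: startup code living here is suspect.
RISKY_DIRS = ("\\TEMP\\", "TEMPORARY INTERNET FILES", "MY DOCUMENTS",
              "RECEIVED FILES", "\\DOWNLOADED PROGRAM FILES\\", "\\RECYCLED\\")

# Constructed sample in the same layout as the reports posted in the thread.
SAMPLE_REPORT = r"""StartupList report, 1/1/03, 7:47:47 PM
==================================================
Running processes:

C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\WLMNOB2B\FIXYAHA[1].COM
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
MSN Messenger = C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(2).exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NVIEW = rundll32.exe nview.dll,nViewLoadHook
--------------------------------------------------
"""

def parse_report(text):
    """{section title: [lines]}, with registry sections keyed by their hive path."""
    sections, current, lines = {}, None, []
    for line in map(str.strip, text.splitlines() + ["=" * 10]):  # sentinel closes last section
        if SEPARATOR.match(line):
            if current is not None:
                sections[current] = lines
            current, lines = None, []
        elif not line:
            continue
        elif current is None:
            current = line.rstrip(":")
        elif current == "Autorun entries from Registry" and line.upper().startswith("HK"):
            current = line  # so the HKLM and HKCU Run keys stay distinct
        else:
            lines.append(line)
    return sections

def split_command(command):
    """(program, arguments) from a Run-key command line. A quoted program ends at the
    closing quote; an unquoted path with spaces (common on Win9x) ends at the first
    token carrying an executable extension, approximating the prefix search Windows does."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end], command[end + 1:].strip()) if end > 0 else (command[1:], "")
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.upper().endswith(EXE_EXT):
            return " ".join(tokens[:i + 1]), " ".join(tokens[i + 1:])
    return (tokens[0], " ".join(tokens[1:])) if tokens else ("", "")

def basename(path):
    return path.rsplit("\\", 1)[-1].upper()

def autorun_entries(sections):
    """(hive path, name, command) for every entry in a registry autorun section."""
    return [(title, m.group(1), m.group(2))
            for title, lines in sections.items() if title.upper().startswith("HK")
            for m in map(ENTRY.match, lines) if m]

def rundll32_loads(entries):
    """A rundll32.exe line under 'Running processes' is only a host; the DLL and
    export named on the Run entry are the code that actually runs."""
    loads = []
    for location, name, command in entries:
        program, args = split_command(command)
        if basename(program) == "RUNDLL32.EXE" and args:
            dll, _, entrypoint = args.split(None, 1)[0].partition(",")  # <dll>,<export> [args]
            loads.append((location, name, dll, entrypoint))
    return loads

def flag_entries(entries, processes):
    """RISKY_DIRS heuristic on Run entries and running processes, plus one weaker signal."""
    flags = []
    for location, name, command in entries:
        program, _ = split_command(command)
        where = f"{location}: {name} = {command}"
        if any(d in program.upper() for d in RISKY_DIRS):
            flags.append(("starts from a user, temp or download directory", where))
        elif "\\" not in program:  # no fixed location: resolved by search order at boot
            flags.append(("unqualified program name, resolved by search path", where))
    flags += [("running from a user, temp or download directory", p)
              for p in processes if any(d in p.upper() for d in RISKY_DIRS)]
    return flags

def triage(text):
    sections = parse_report(text)
    entries, processes = autorun_entries(sections), sections.get("Running processes", [])
    return {"rundll32_processes": sum(basename(p) == "RUNDLL32.EXE" for p in processes),
            "rundll32_loads": rundll32_loads(entries), "flags": flag_entries(entries, processes)}
```

Run `triage(open("startuplist.txt").read())` against a saved report: on the sample it attributes the two rundll32.exe hosts to NvQTwk (NvCplDaemon) and nview.dll (nViewLoadHook), which is exactly the trail Rollin' Rog followed by eye, and it flags the PIC1324 file under My Documents and the FIXYAHA[1].COM process under Temporary Internet Files. What it does not flag is instructive too: the Totem Shared `upd.exe` entry in the thread carries a full path under Program Files, so no location heuristic fires; it was the `adverts.mp3dancer.com` string in its arguments that gave it away, which is why a human still has to read the list.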


----------

