# mmtask



## BLAZIN GUNZ (Dec 1, 2002)

mmtask caused error in wd maud.drv was what the window popped up with. have any clue to what this is and how to fix it?
i was playing yahoo pool when this came up.


----------



## flavallee (May 12, 2002)

Go into the MSCONFIG startup tab, uncheck and disable MMTASK, click Apply - OK, then reboot. You don't need it to be running in the background.

Frank's Windows 95/98 Tips


----------



## BLAZIN GUNZ (Dec 1, 2002)

where is msconfig start up tab?


----------



## flavallee (May 12, 2002)

Click Start - Run, type in MSCONFIG, then click OK - Startup(tab).

Note: Make it a habit of going to and examining it from time to time to see what is checked and running in the background, especially if you install a lot of programs. You can wind up with a bloated startup load real quick, which tends to contribute to one problem or another.

Frank's Windows 95/98 Tips


----------



## BLAZIN GUNZ (Dec 1, 2002)

i did go to that, but the only thing it has is task monitor, is this it. just wanted to make sure before i shut something off i needed


----------



## flavallee (May 12, 2002)

This is how they should be listed in MSCONFIG:

TaskMonitor - Taskmon.exe

SchedulingAgent - Mstask.exe

By the way, you can uncheck and disable them both, if you run maintenance manually and don't schedule them to run when you're away from your computer.

If you ever uncheck and disable something that you decide that you do want to run in the background, all you have to do is go back and recheck it.

Frank's Windows 95/98 Tips


----------



## IMM (Feb 1, 2002)

The Task Monitor (taskmon.exe) that you're seeing in msconfig is not the same as mmtask.
mmtask.tsk belongs to the background Windows internal system and you won't even see it using CAD (though you can from something like Process Explorer).
mmtask handles multimedia background tasks and a problem there likely indicates some problem or instability in the sound drivers.
Are you running 98SE or 98FE etc? Has this happened often? Your sound drivers appear to be WDM? Are you loading the 16 bit DOS drivers as well?


----------



## IMM (Feb 1, 2002)

*flavallee* - If you have an mmtask.exe starting - it's probably a disguised wingate used as a trojan. Perhaps you should start a post and post your startups?

See http://vil.nai.com/vil/content/v_98693.htm for example or
http://www3.ca.com/virusinfo/Virus.asp?ID=9739


----------



## flavallee (May 12, 2002)

Thanks, IMM. I'm aware that Mmtask has nothing to do with TaskMonitor and SchedulingAgent. I was just advising him that he can disable these 2, if he wants to. I'm a firm believer in keeping the startup load as small as possible.

I don't have mmtask.exe, just mmtask.tsk. I think what threw you was that I typed "mmtask.exe" instead of "mstask.exe" in my previous message. I've caught and corrected it.

I'm off work today and got up too early. It's time for another cup of coffee

Frank's Windows 95/98 Tips


----------



## pvc9 (Jul 7, 2002)

You've lots of adware/spyware installed...

Do this -

Start->Run->msconfig [enter]

Click on the Startup tab and uncheck the following -

GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe 
LoadQM = loadqm.exe 
XupiterStartup = C:\Program Files\Xupiter\XupiterStartup.exe 
XupiterCfgLoader = C:\Program Files\Xupiter\XTCfgLoader.exe 
msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

Did you run both the programs Adaware and Spybot?

If not, then download the two programs, install both of them.

Click Here To Download Spybot

Click Here To Download Adaware

Also download the RefUpdate file for Ad-Aware and update the Adaware program.

Click Here To Download RefUpdate For Adaware


----------



## BLAZIN GUNZ (Dec 1, 2002)

sorry, i downloaded spybot last night and ran it, i just used an old startuplist notepad here's after spybot.

StartupList report, 12/2/2002, 3:30:39 PM
StartupList version: 1.40
Started from : C:\UNZIPPED\STARTUPLIST14\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0600)
* Using default options
* Using verbose mode
* Including empty and uninteresting sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SCARDSVR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\ONTRACK\FIX-IT\MXTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\UNZIPPED\STARTUPLIST14\STARTUPLIST.EXE

This lists all processes running in memory, which are all active
programs and some non-exe system components.

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Fix-It.lnk = C:\Program Files\Ontrack\Fix-It\mxtask.exe

User shell folders Startup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

This lists all programs or shortcuts in folders marked by Windows as
'Autostart folder', which means any files within these folders are
launched when Windows is started. The Windows standard is that only
shortcuts (*.lnk, *.pif) should be present in these folders.
The location of these folders is set in the Registry.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Hidserv = Hidserv.exe run
CpqBootPerfDb = C:\Cpqs\Scom\CpqBootPerfDb.exe
LoadQM = loadqm.exe
Fix-It AV = C:\PROGRA~1\ONTRACK\FIX-IT\MEMCHECK.EXE
Pop-Up Stopper = "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
MSConfigReminder = C:\WINDOWS\SYSTEM\msconfig.exe /reminder

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.
The values in the 'RunOnce', 'RunOnceEx' and 'RunServicesOnce' keys
are run once and then deleted by Windows.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
ScardSvr = C:\WINDOWS\SYSTEM\ScardSvr.exe
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.
The values in the 'RunOnce', 'RunOnceEx' and 'RunServicesOnce' keys
are run once and then deleted by Windows.

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.
The values in the 'RunOnce', 'RunOnceEx' and 'RunServicesOnce' keys
are run once and then deleted by Windows.

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.
The values in the 'RunOnce', 'RunOnceEx' and 'RunServicesOnce' keys
are run once and then deleted by Windows.

--------------------------------------------------

Enumerating RunOnceEx keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*

*No subkeys found*

This lists a special autorun Registry key, from which both programs
and functions within DLLs can be launched without RUNDLL32.EXE. The
format for running a DLL function is
"DllFile.dll|FunctionName|CommandLineArguments", the format for
running a program is "||Program.exe CommandLineArguments".
This autorun key is used very rarely.

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

This Registry value determines how Windows runs files (in this case
.EXE files). If this file is executable, it should read "%1" %*.
("%1" /S for screensavers, .SCR files.) If it needs to be opened
with some other program, it should read program.exe "%1" %*.
File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR.
File types that are not executable are types like .DOC, .LNK, .BMP,
.JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

This Registry value determines how Windows runs files (in this case
.COM files). If this file is executable, it should read "%1" %*.
("%1" /S for screensavers, .SCR files.) If it needs to be opened
with some other program, it should read program.exe "%1" %*.
File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR.
File types that are not executable are types like .DOC, .LNK, .BMP,
.JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

This Registry value determines how Windows runs files (in this case
.BAT files). If this file is executable, it should read "%1" %*.
("%1" /S for screensavers, .SCR files.) If it needs to be opened
with some other program, it should read program.exe "%1" %*.
File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR.
File types that are not executable are types like .DOC, .LNK, .BMP,
.JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

This Registry value determines how Windows runs files (in this case
.PIF files). If this file is executable, it should read "%1" %*.
("%1" /S for screensavers, .SCR files.) If it needs to be opened
with some other program, it should read program.exe "%1" %*.
File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR.
File types that are not executable are types like .DOC, .LNK, .BMP,
.JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S "%3"

This Registry value determines how Windows runs files (in this case
.SCR files). If this file is executable, it should read "%1" %*.
("%1" /S for screensavers, .SCR files.) If it needs to be opened
with some other program, it should read program.exe "%1" %*.
File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR.
File types that are not executable are types like .DOC, .LNK, .BMP,
.JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

This Registry value determines how Windows runs files (in this case
.HTA files). If this file is executable, it should read "%1" %*.
("%1" /S for screensavers, .SCR files.) If it needs to be opened
with some other program, it should read program.exe "%1" %*.
File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR.
File types that are not executable are types like .DOC, .LNK, .BMP,
.JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[PerUser_CVT_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[PerUser_HNW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_HNW_Inis 64 C:\WINDOWS\INF\ICS.inf

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[PerUser_moviemaker] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_moviemaker 64 C:\WINDOWS\INF\moviemk.inf

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[SamplerPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SamplerPerUser 64 C:\WINDOWS\INF\sampler.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_PCHealth] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PCHealth 64 C:\WINDOWS\INF\pchealth.inf

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Enable_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 C:\WINDOWS\INF\enable.inf

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\games.inf

[PerUser_ZoneGame_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Inis 64 C:\WINDOWS\INF\games.inf

[PerUser_PBGame_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Inis 64 C:\WINDOWS\INF\games.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_CharMap_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[MmoptMusicaPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 C:\WINDOWS\INF\mmopt.inf

[MmoptJunglePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 C:\WINDOWS\INF\mmopt.inf

[MmoptRobotzPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 C:\WINDOWS\INF\mmopt.inf

[MmoptUtopiaPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[OlsAolPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsEarthlinkPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUser 64 C:\WINDOWS\INF\ols.inf

[Shell3PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf

[PerUser_Preptool] *
StubPath = rundll.exe Setupx.dll,InstallHinfSection Install 64 C:\WINDOWS\INF\RUNLAST.INF

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

Programs listed here are components of the Windows Setup that were
only ran when Windows started for the first time. To prevent them
from running multiple times, Windows checks for a key with the same
name at the HKCU root. If it's not found, the component at the HKLM
root is ran, and a matching key is created at the HKCU root so the
component is not ran again next time. Most entries involve either
RUNDLL.EXE or RUNDLL32.EXE, so a suspicious key is not hard to find.

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

The chat program ICQ includes an ICQ Agent that can be configured to
launch one or multiple browsers when an Internet connection is
detected. To configure it, open the ICQ Preferences menu and check
under 'Connection' for a button labelled 'Edit Launch List'.

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

These two entries in WIN.INI are leftover from Windows 3.x, which
used them as values denoting programs that should be started up
with Windows. Since Windows 95 and higher uses the Registry to
store locations of autostart folders, these two entries in WIN.INI
are redundant, and are rarely used.

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DFLOW~1.SCR
drivers=mmsystem.dll power.drv

The Shell key from SYSTEM.INI tells Windows what file handles
the Windows shell, i.e. creates the taskbar, desktop icons etc. If
programs are added to this line, they are all ran at startup.
The SCRNSAVE.EXE line tells Windows what is the default screensaver
file. This is also a leftover from Windows 3.x and should not be used.
(Since Windows 95 and higher stores this setting in the Registry.)
The 'drivers' line loads non-standard DLLs or programs.

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

Due to a bug in Windows 9x, it mistakenly uses C:\Explorer.exe and
other instances (if present) when searching for Explorer.exe.
Explorer.exe should only exists in the Windows folder.
Windows NT is vulnerable to this as well, but only if the 
'Shell' Registry value from the previous section 
is just 'Explorer.exe' instead of the full path.
Additionally, presence of \WINDOWS\Explorer\Explorer.exe indicates
infection with the [email protected]r virus.

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

WININIT.INI is a settings file for WININIT.EXE, which updates files
at startup that are normally in use when Windows is running. It is
mostly used when installing programs or patches that need the
computer to be restarted to complete the install. After such a reboot,
WININIT.INI is renamed to WININIT.BAK.

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 2/12/2002, 5:50:54)

[Rename]
C:\WINDOWS\USER.BAK=C:\WINDOWS\USER.DAT
C:\WINDOWS\USER.DAT=C:\WINDOWS\USER.DFG

WININIT.INI is a settings file for WININIT.EXE, which updates files
at startup that are normally in use when Windows is running. It is
mostly used when installing programs or patches that need the
computer to be restarted to complete the install. After such a reboot,
WININIT.INI is renamed to WININIT.BAK.

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

Autoexec.bat is the very first file to autostart when the computer
starts, it is a leftover from DOS and older Windows versions.
Windows NT, Windows ME, Windows 2000 and Windows XP don't use this
file. It is generally used by virusscanners to scan files before
Windows starts.

--------------------------------------------------

C:\CONFIG.SYS listing:

*File is empty*

Config.sys loads device drivers for DOS, and is rarely used in
Windows versions newer than Windows 95. Originally it loaded
drivers for legacy sound cards and such.

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

Winstart.bat loads just before the Windows shell, and is used for
starting things like soundcard drivers, mouse drivers. Rarely used.

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

@echo off

Dosstart.bat loads if you select 'MS-DOS Prompt' from the Startup
menu when the computer is starting, or if you select 'Restart in
MS-DOS Mode' from the Shutdown menu in Windows. Mostly used for
DOS-only drivers, like sound or mouse drivers.

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

Some file extensions are always hidden, like .lnk (shortcut) and
.pif (shortcut to MS-DOS program). The Life_Stages virus was a .shs
(Shell Scrap) file that had the extension hidden by default. This can
be a security risk when a virus with a double-extension filename is
on the loose, since the extension can be hidden even when 'Don't show
extensions for known filetypes' is turned off.
The shortcut overlay acts as a reminder that the file is just a shortcut.
If the shortcut overlay is removed, the difference between a file and
a shortcut is invisible.

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

Regedit.exe is the Windows Registry Editor. Without it, you cannot
access the Registry or merge Registry scripts into the Registry.
Several viruses/trojans mess with this important system file, e.g.
moving it somewhere else or replacing it with a copy of the trojan.
Above checks will ensure that Regedit.exe is in the correct place
and that it really is Regedit.
If you have ScriptSentry installed, the .reg command
is altered and you fail the check. Don't worry
about this.

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

MSIE features Browser Helper Objects (BHO) that plug into MSIE and
can do virtually anything on your system. Benevolant examples are
the Google Toolbar and the Acrobat Reader plugin. More often though, 
BHO's are installed by spyware and serve you to a neverending flow
of popups and ads as well as tracking your browser habits, claiming
they 'enhance your browsing experience'.

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Registration reminder 3.job
Symantec NetDetect.job
Check E-mail.job
Synchronize Time.job

The Windows Task Scheduler can run programs at a certain time,
automatically. Though very unlikely, this can be exploited by
making a job that runs a virus or trojan.

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[Yahoo! Audio Conferencing]
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab

[MSN Chat Control 4.2]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT42.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

[Java Plug-in 1.3.1_04]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
CODEBASE = http://java.sun.com/products/plugin/1.3.1/jinstall-131_04-win.cab

[Java Plug-in 1.3.1_04]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
CODEBASE = http://java.sun.com/products/plugin/1.3.1/jinstall-131_04-win.cab

[SurroundVideoCtrl Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSSURVID.OCX
CODEBASE = http://encarta.msn.com/encnet/external/MSSurVid.cab

[iPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IPIXX.OCX
CODEBASE = http://www.ipix.com/download/ipixx.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Yahoo! Pool 2]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.games.yahoo.com/games/clients/y/potb_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Pool 2.osd

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
CODEBASE = http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[LEGO Stormrunner]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://mindstorms.lego.com/stormrunner/stormrunner1-1-0.cab
OSD = C:\WINDOWS\Downloaded Program Files\LEGO Stormrunner.osd

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\HRTBEAT.OCX
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37578.2904282407

The items in Download Program Files are programs you downloaded and
automatically installed themselves in MSIE. Most of these are Java
classes Media Player codecs and the likes. Some items are only
visible from the Registry and may not show up in the folder.

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #4: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll

The Windows Socket system (Winsock) connects your system to the
Internet. Part of this task is resolving domain names (www.server.com)
to IP addresses (12.23.34.45) which is handler by several system
files, called Layered Service Providers (LSPs), which work as a
chain: if one LSP is gone, the chain is broken and Winsock cannot
resolve domain names - which means no program on your system can
access the Internet.

--------------------------------------------------
End of report, 31,783 bytes
Report generated in 0.520 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------
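IMM's distinction between the legitimate `mmtask.tsk` and a look-alike `mmtask.exe` can be checked mechanically against a StartupList report like the one posted above. The following is an added example, not part of the thread or of StartupList itself: the `EXPECTED` table, the function names and the two `mmtask.exe` lines in the sample are assumptions constructed for the demonstration.

```python
import ntpath
import re

# Expected full path for components named in this thread (Win9x/ME layout, as
# in the posted report). Assumption of this example, not a complete baseline.
EXPECTED = {
    "mmtask": r"C:\WINDOWS\SYSTEM\MMTASK.TSK",
    "explorer": r"C:\WINDOWS\EXPLORER.EXE",
}

# Constructed sample in StartupList 1.40 layout. The two "mmtask.exe" lines are
# invented for the demonstration; they are not in the report posted above.
SAMPLE_REPORT = r"""
Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\MMTASK.EXE

This lists all processes running in memory, which are all active
programs and some non-exe system components.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
mmtask = C:\WINDOWS\mmtask.exe
Pop-Up Stopper = "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"

This lists programs that run Registry keys marked by Windows as
'Autostart key'.

--------------------------------------------------
"""

PROGRAM = re.compile(r"(?i)(.+?\.(?:exe|com|bat|pif|scr|tsk|dll))(?=[\s,]|$)")


def executable_of(command):
    """Return the program path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        # Quoted path: everything up to the closing quote.
        return command[1:].split('"', 1)[0]
    match = PROGRAM.match(command)
    if match:
        # Unquoted path, possibly with spaces: stop at the first extension.
        return match.group(1)
    return command.split()[0] if command else ""


def startup_items(report):
    """Yield (source, path) for running processes and registry autoruns."""
    for block in re.split(r"(?m)^[-=]{10,}\s*$", report):
        lines = [line.strip() for line in block.strip().splitlines()]
        if not lines:
            continue
        if lines[0] == "Running processes:":
            for line in lines[1:]:
                if line.startswith("This lists"):
                    break  # explanatory text follows the listing
                if line:
                    yield "process", line
        elif lines[0] == "Autorun entries from Registry:" and len(lines) > 1:
            key = lines[1]
            for line in lines[2:]:
                if line.startswith("This lists"):
                    break
                if " = " in line:
                    _, command = line.split(" = ", 1)
                    yield key, executable_of(command)


def masquerade_findings(report):
    """Flag items that reuse a system component's name at another path."""
    findings = []
    for source, path in startup_items(report):
        stem = ntpath.splitext(ntpath.basename(path))[0].lower()
        expected = EXPECTED.get(stem)
        if expected is None:
            continue
        if ntpath.dirname(path):
            ok = path.upper() == expected
        else:
            # A bare filename carries no directory; compare the name only.
            ok = path.upper() == ntpath.basename(expected)
        if not ok:
            findings.append((source, path, expected))
    return findings


if __name__ == "__main__":
    for source, path, expected in masquerade_findings(SAMPLE_REPORT):
        print(f"{source}: {path} (expected {expected})")
```
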

