Internet Explorer running invisibly on boot up

Guest

I have recently discovered via windows task manager that on boot up there is
an Internet Explorer process [IEXPLORE.EXE] which immediately starts running
invisibly.
I only noticed this due to the local area connection icon flashing in the
task bar.
I have run MS Antispyware Beta, Spybot search and destroy and Adware spy, I
run Norton antivirus and firewall and between all these I have removed every
single malware that they have found.

Ending the process tree stops the apparent data transfer with no ill effects
on anything else on the machine.

But still this instance of IEXPLORE.EXE reappears on every boot up.
If I disable the local area network connection the IEXPLORE.EXE file
instantly takes processor usage up to 98%.

I am sure that this is a recent occurrence and would like to hear any ideas as
to what's causing this and whether people think there's still a malware
problem here somewhere.
 
Alan Edwards

Check in Msconfig for any oddities.
(Start-Run-MSCONFIG-Startup tab)
If you cannot see anything in Msconfig then:

Start-Run-msinfo32
Click the + beside Software Environment to expand.
Click Startup Programs
Ctrl+A to Select All, Ctrl+C to Copy.
Paste that information in your message.

....Alan
 
Guest

Hi Alan.
Thanks for your reply
As per your instructions below is the msinfo32 copy.
For more info I checked today and it is definitely IEXPLORE.EXE running and
not the spyware iexplorer.exe.

AGRSMMSG | agrsmmsg.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Acme.PCHButton | c:\progra~1\presar~1\presario\xphwwrs4\plugin\bin\pchbutton.exe | COMPAQSR1129\Owner | HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Reader Speed Launch | c:\progra~1\adobe\acroba~2.0\reader\reader~1.exe | All Users | Common Startup
AlcxMonitor | alcxmntr.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE | c:\windows\system32\ctfmon.exe | NT AUTHORITY\LOCAL SERVICE | HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE | c:\windows\system32\ctfmon.exe | NT AUTHORITY\NETWORK SERVICE | HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Camera Detector | c:\progra~1\acdsys~1\acdsee\camdet~1.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Camio Viewer | camio viewer.lnk | NT AUTHORITY\SYSTEM | Startup
Camio Viewer | c:\progra~1\sierra~1\imagee~1\ixapplet.exe | COMPAQSR1129\Owner | Startup
Camio Viewer | camio viewer.lnk | .DEFAULT | Startup
EPSON Stylus C62 Series | c:\windows\system32\spool\drivers\w32x86\3\e_s10ic2.exe /p23 "epson stylus c62 series" /o6 "usb002" /m "stylus c62" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus C82 Series | c:\windows\system32\spool\drivers\w32x86\3\e_s10ic2.exe /p23 "epson stylus c82 series" /o6 "usb001" /m "stylus c82" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
H/PC Connection Agent | "c:\program files\microsoft activesync\wcescomm.exe" | COMPAQSR1129\Owner | HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotKeysCmds | c:\windows\system32\hkcmd.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
InstantAccess | c:\progra~1\textbr~1.0\bin\instan~1.exe /h | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KBD | c:\hp\kbd\kbd.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LDM | \program\ | COMPAQSR1129\Owner | HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LVCOMS | c:\program files\common files\logitech\qcdriver3\lvcoms.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LVCOMSX | c:\windows\system32\lvcomsx.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechGalleryRepair | c:\program files\logitech\imagestudio\isstart.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechImageStudioTray | c:\program files\logitech\imagestudio\logitray.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechSoftwareUpdate | "c:\program files\logitech\video\manifestengine.exe" boot | COMPAQSR1129\Owner | HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechVideoRepair | c:\program files\logitech\video\isstart.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechVideoTray | c:\program files\logitech\video\logitray.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Find Fast | c:\progra~1\micros~3\office\findfast.exe | All Users | Common Startup
Microsoft Office | c:\progra~1\micros~3\office\osa9.exe -b -l | All Users | Common Startup
Microsoft Office Shortcut Bar | c:\progra~1\micros~3\office\msoffice.exe | All Users | Common Startup
NAV CfgWiz | c:\program files\common files\symantec shared\cfgwiz.exe /guid nav /cmdline "reboot" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Nosign_DUCAM | nosign temram | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Office Startup | c:\progra~1\micros~3\office\osa.exe -b | All Users | Common Startup
Opware12 | "c:\program files\scansoft\omnipagepro12.0\opware12.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PPWebCap | c:\program files\visioneer\paperport\ppwebcap.exe | COMPAQSR1129\Owner | HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PS2 | c:\windows\system32\ps2.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PaperPort PTD | c:\progra~1\vision~1\paperp~1\pptd40nt.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task | "c:\program files\quicktime\qttask.exe" -atboottime | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Recguard | c:\windows\sminst\recguard.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RecordNow! | Ÿ&Ÿ&gram\ | COMPAQSR1129\Owner | HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RegisterDropHandler | c:\progra~1\textbr~1.0\bin\regist~1.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SSC_UserPrompt | c:\program files\common files\symantec shared\security center\usrprmpt.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched | c:\program files\java\j2re1.4.2_03\bin\jusched.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Symantec NetDriver Monitor | c:\progra~1\symnet~1\sndmon.exe /consumer | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Televibe Chat | c:\docume~1\owner\locals~1\temp\wzse2.tmp\ | COMPAQSR1129\Owner | HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe | "c:\program files\common files\real\update_ob\realsched.exe" -osboot | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateManager | "c:\program files\common files\sonic\update manager\sgtray.exe" /r | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VTTimer | vttimer.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
atwtusb | atwtusb.exe beta | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp | "c:\program files\common files\symantec shared\ccapp.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
desktop | desktop.ini | NT AUTHORITY\SYSTEM | Startup
desktop | desktop.ini | COMPAQSR1129\Owner | Startup
desktop | desktop.ini | .DEFAULT | Startup
desktop | desktop.ini | All Users | Common Startup
gcasServ | "c:\program files\microsoft antispyware\gcasserv.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hpsysdrv | c:\windows\system\hpsysdrv.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iTunesHelper | c:\program files\itunes\ituneshelper.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
yaemu.exe | c:\windows\system32\yaemu.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


On Wed, 21 Sep 2005 15:59:02 -0700, "Master Ice" <Master
I have recently discovered via windows task manager that on boot up there is
an Internet Explorer process [IEXPLORE.EXE] which immediately starts running
invisibly.
I only noticed this due to the local area connection icon flashing in the
task bar.
I have run MS Antispyware Beta, Spybot search and destroy and Adware spy, I
run Norton antivirus and firewall and between all these I have removed every
single malware that they have found.

Ending the process tree stops the apparent data transfer with no ill effects
on anything else on the machine.

But still this instance of IEXPLORE.EXE reappears on every boot up.
If I disable the local area network connection the IEXPLORE.EXE file
instantly takes processor usage up to 98%.

I am sure that this is a recent occurrence and would like to hear any ideas as
to what's causing this and whether people think there's still a malware
problem here somewhere.
 
Alan Edwards

Get rid of yaemu
It looks like it is a Trojan.
Kill the process and get rid of the startup item.

You have an incredible list of startup items that may not all be
needed, but see if removing yaemu helps first.

....Alan
--
Alan Edwards, MS MVP Windows - Internet Explorer
http://dts-l.org/index.html
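
Picking the one unfamiliar item out of a startup list this long is easier when an earlier listing exists to compare against. The sketch below is an added example, not code from any poster in this thread: it diffs two msinfo32 Startup Programs copies and annotates the entries that are new. It assumes the copy is tab-separated (Program, Command, User Name, Location); the function names are hypothetical and the sample rows are constructed from entries in the list posted above.

```python
import re
from typing import NamedTuple


class StartupEntry(NamedTuple):
    program: str
    command: str
    user: str
    location: str


# Program part of an unquoted command line: everything up to the first
# executable extension that is followed by a space or the end of the string.
_EXE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE)


def parse_startup(text):
    """Parse tab-separated rows; skip blank lines and wrapped fragments."""
    entries = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) == 4 and all(fields):
            entries.append(StartupEntry(*fields))
    return entries


def executable_of(command):
    """Return the program path from a command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = _EXE.match(command)
    return match.group(1) if match else command


def notes(entry):
    """Observations about where the command points (not a verdict)."""
    exe = executable_of(entry.command).lower()
    found = []
    if re.search(r"\\te?mp\\", exe):
        found.append("runs from a temp directory")
    if "\\" not in exe:
        found.append("no path given, resolved via the search path")
    if exe.endswith("\\"):
        found.append("command is a directory, not a file")
    return found


def _key(entry):
    # Case-insensitive on every column, so a changed command under an
    # existing name also shows up as a new entry.
    return tuple(field.lower() for field in entry)


def new_entries(baseline_text, current_text):
    """Entries present in the current listing but not in the baseline."""
    known = {_key(e) for e in parse_startup(baseline_text)}
    return [(e, notes(e)) for e in parse_startup(current_text)
            if _key(e) not in known]


def _rows(*entries):
    return "\n".join("\t".join(e) for e in entries)


# Constructed sample: an older listing and a newer one, using rows that
# appear in the list posted in this thread.
HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
OWNER_RUN = (r"HKU\S-1-5-21-231110364-3380571675-1176715318-1003"
             r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
BASELINE = _rows(
    ("CTFMON.EXE", r"c:\windows\system32\ctfmon.exe",
     r"NT AUTHORITY\LOCAL SERVICE",
     r"HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("ccApp", r'"c:\program files\common files\symantec shared\ccapp.exe"',
     "All Users", HKLM_RUN),
    ("VTTimer", "vttimer.exe", "All Users", HKLM_RUN),
)
CURRENT = BASELINE + "\n" + _rows(
    ("yaemu.exe", r"c:\windows\system32\yaemu.exe", "All Users", HKLM_RUN),
    ("Televibe Chat", r"c:\docume~1\owner\locals~1\temp\wzse2.tmp" + "\\",
     r"COMPAQSR1129\Owner", OWNER_RUN),
)

if __name__ == "__main__":
    for entry, remarks in new_entries(BASELINE, CURRENT):
        print(entry.program, "|", entry.command, "|", "; ".join(remarks) or "-")
```

An entry with no notes, such as the yaemu.exe row here, still needs a manual look: the diff only narrows the list to what changed.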


 
Guest

Hi again Alan.
yaemu.exe was the one I was suspicious of. What I found odd was that no
spyware, even MSASW found it. So I was loath to strip it until I'd had some
learned advice!
I stripped it from the start up and removed the executable and (after a reg
backup and restore point set) rebooted the machine - and it's all ok.
So thanks very much for your help.
As for the other stuff in start up, masses were on there when I bought the
Compaq from new and most still refer to regularly used stuff.
But thanks again for your help and the speed of your assistance.
All the best
Slim (masterice)



 
Quaoar

Master said:
Hi again Alan.
yaemu.exe was the one I was suspicious of. What I found odd was that
no spyware, even MSASW found it. So I was loath to strip it until
I'd had some learned advice!
I stripped it from the start up and removed the executable and (after
a reg backup and restore point set) rebooted the machine - and it's
all ok.
So thanks very much for your help.
As for the other stuff in start up, masses were on there when I
bought the Compaq from new and most still refer to regularly used
stuff.
But thanks again for your help and the speed of your assistance.
All the best
Slim (masterice)



--
Alan Edwards, MS MVP Windows - Internet Explorer
http://dts-l.org/index.html

I have recently discovered via windows task manager that on boot
up there is an Internet Explorer process [IEXPLORE.EXE] which
immediately starts running invisibly.
I only noticed this due to the local area connection icon
flashing in the task bar.
I have run MS Antispyware Beta, Spybot search and destroy and
Adware spy, I run Norton antivirus and firewall and between all
these I have removed every single malware that they have found.

Ending the process tree stops the apparent data transfer with no
ill effects on anything eles on the machine.

But still this instance of IEXPLORE.EXE reappears on every boot
up.
If I disable the local area network connection the IEXPLORE.EXE
file instantly takes processor usage up to 98%

I am sure that this a recent occurrence and would like to hear
any ideas as to what's causing this and whether people think
there's still a malware problem here somewhere.

I don't know your computing philosophy, but I am amazed with all of the
utilities that load on startup. From what I see, almost none of these
are required for the functioning of the host programs, and the Office
Startup and Office Bar, and Findfast are especially notorious wastes of
time and effort and RAM. None of the Epson printer interfaces are
necessary for the proper function of the printers AFAIK. All of these
startups accomplish nothing for the computer except to consume valuable
resources (assuming Win9x, ME as the OS). I suspect that if the bulk of
these startups are eliminated that your computer will look like it has
suddenly been upgraded.

This site has information on what many of these startups do and how to
disable them. http://www.pacs-portal.co.uk/startup_content.php

Q
 
G

Guest

Quaoar said:
Master said:
Hi again Alan.
yaemu.exe was the one I was suspicious of . What I found odd was that
no spyware, even MSASW found it. So I was loathe to strip it until
I'd had some learned advice !
I stripped it from the start up and removed the executable and (after
a reg backup and restore point set) rebooted the machine - and it's
all ok.
So thanks very much for your help.
As for the other stuff in start up, masses were on there when I
bought the compaq from new and most still refer to regularly used
stuff.
But thanks again for your help and the speed of your assistance.
All the best
Slim (masterice)



Alan Edwards said:
Get rid of yaemu
It looks like it is a Trojan.
Kill the process and get rid of the startup item.

You have an incredible list of startup items that may not all be
needed, but see if removing yaemu helps first.

....Alan
--
Alan Edwards, MS MVP Windows - Internet Explorer
http://dts-l.org/index.html


On Thu, 22 Sep 2005 01:07:02 -0700, "Master Ice"

Hi Alan.
Thanks for your reply
As per your instructions below is the msinfo32 copy.
For more info I checked today and it is definitely IEXPLORE.EXE
running and
not the spyware iexplorer.exe.

Well my attitude as a long time electronics engineer has always been "If it ain't broke - don't fix it".
Since I have never had a problem with this PC's speed (especially since I
never play games on any PC I own and that sadly seems to be the main reason
that most users have fast machines) I've never needed to query the start up.
I started removing the prefetch files on the basis that I was told they'd
give me a marked increase in speed and I never noticed a thing.
So I'll take a look at the link you posted and see what happens but most of
the time this machine happily ambles along at about 2% cpu usage sometimes
going up to the occasional 20 or 30 if working with graphics and maybe 90% if
I'm doing anything with video.

As an aside, I have been amazed since Alan's advice, how many other
incidences of the yaemu.exe have been cropping up in other people's start up
lists. And I still don't understand why none of the spyware, malware and
adware searches ever found it and flagged it as dangerous.
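
Added example, not part of any post in this thread: one way to triage a pasted msinfo32 Startup Programs listing by comparing it with an earlier snapshot, which surfaces an entry such as yaemu.exe even when no scanner flags it. The rows are re-typed from the listing posted in the thread; the baseline (which entries were already present earlier) and all function and flag names are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StartupRow:
    name: str      # registry value name or shortcut name
    command: str   # command line exactly as listed
    user: str
    location: str  # Run key or Startup folder


RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_USER = (r"HKU\S-1-5-21-231110364-3380571675-1176715318-1003"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

# Six rows re-typed from the listing posted in the thread.
SAMPLE_ROWS = [
    StartupRow("ccApp",
               r'"c:\program files\common files\symantec shared\ccapp.exe"',
               "All Users", RUN_HKLM),
    StartupRow("HotKeysCmds", r"c:\windows\system32\hkcmd.exe",
               "All Users", RUN_HKLM),
    StartupRow("SunJavaUpdateSched",
               r"c:\program files\java\j2re1.4.2_03\bin\jusched.exe",
               "All Users", RUN_HKLM),
    StartupRow("VTTimer", "vttimer.exe", "All Users", RUN_HKLM),
    StartupRow("Televibe Chat",
               "c:\\docume~1\\owner\\locals~1\\temp\\wzse2.tmp\\",
               r"COMPAQSR1129\Owner", RUN_USER),
    StartupRow("yaemu.exe", r"c:\windows\system32\yaemu.exe",
               "All Users", RUN_HKLM),
]

# ASSUMPTION (constructed): a snapshot saved earlier held only the first four
# rows. The thread does not say which entries were present at which time.
BASELINE_ROWS = SAMPLE_ROWS[:4]

_EXE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif|lnk))(?=\s|$)",
                     re.IGNORECASE)


def executable_of(command: str) -> Optional[str]:
    """Return the lower-cased program path of a startup command, or None.

    Handles quoted paths, unquoted paths containing spaces, and trailing
    arguments. Returns None when the command does not name a program file.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else None
    match = _EXE_RE.match(command)
    return match.group(1).lower() if match else None


def in_temp_dir(path: str) -> bool:
    """True when any directory component of the path is a temp directory."""
    parts = path.lower().strip('"').split("\\")
    return any(part in ("temp", "tmp") for part in parts[:-1])


def _key(row: StartupRow) -> Tuple[str, str]:
    # Identity of an entry: its name plus the program it launches.
    return (row.name.lower(),
            executable_of(row.command) or row.command.strip().lower())


def triage(rows: List[StartupRow],
           baseline: List[StartupRow]) -> List[Tuple[str, List[str]]]:
    """Return (name, flags) for rows worth a manual look, most flags first.

    A flag is a reason to investigate an entry, not a verdict on it.
    """
    known = {_key(row) for row in baseline}
    findings = []
    for row in rows:
        exe = executable_of(row.command)
        flags = []
        if exe is None:
            flags.append("no-executable")    # directory or unparsable target
        elif "\\" not in exe:
            flags.append("bare-name")        # resolved through the search path
        if in_temp_dir(exe or row.command):
            flags.append("temp-dir")         # launches from a temp directory
        if _key(row) not in known:
            flags.append("not-in-baseline")  # appeared since the snapshot
        if flags:
            findings.append((row.name, flags))
    findings.sort(key=lambda item: (-len(item[1]), item[0].lower()))
    return findings


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_ROWS, BASELINE_ROWS):
        print(f"{name:15s} {', '.join(flags)}")
```

With this constructed baseline, yaemu.exe is flagged only because it is new since the snapshot, which is the one signal that does not depend on a scanner recognising the file.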
 
S

SeaMaid

If all is running well now, you should purge all previous system restore
points because some of them probably contain the trojan and malware that you
have removed. Disable system restore on all drives by going to Control
Panel - System - System Restore. Then reboot and re-enable System Restore.
It will monitor all drives by default.

If there are some drives you do not want System Restore to monitor, you need
to turn off monitoring by right-clicking on the drives you do not want
monitored.


 
G

Guest

Hi there.
Yes, thanks for that. I have already done that and then backed up the new
registry settings and created a post-correction restore point.

SeaMaid said:
If all is running well now, you should purge all previous system restore
points because some of them probably contain the trojan and malware that you
have removed. Disable system restore on all drives by going to Control
Panel - System - System Restore. Then reboot and re-enable System Restore.
It will monitor all drives by default.

If there are some drives you do not want System Restore to monitor, you need
to turn off monitoring by rightclicking on the drives you do not want
monitored.


Master Ice said:
Hi again Alan.
yaemu.exe was the one I was suspicious of . What I found odd was that no
spyware, even MSASW found it. So I was loathe to strip it until I'd had
some
learned advice !
I stripped it from the start up and removed the executable and (after a
reg
backup and restore point set) rebooted the machine - and it's all ok.
So thanks very much for your help.
As for the other stuff in start up, masses were on there when I bought the
compaq from new and most still refer to regularly used stuff.
But thanks again for your help and the speed of your assistance.
All the best
Slim (masterice)



Alan Edwards said:
Get rid of yaemu
It looks like it is a Trojan.
Kill the process and get rid of the startup item.

You have an incredible list of startup items that may not all be
needed, but see if removing yaemu helps first.

....Alan
--
Alan Edwards, MS MVP Windows - Internet Explorer
http://dts-l.org/index.html


On Thu, 22 Sep 2005 01:07:02 -0700, "Master Ice"

Hi Alan.
Thanks for your reply
As per your instructions below is the msinfo32 copy.
For more info I checked today and it is definitely IEXPLORE.EXE running
and
not the spyware iexplorer.exe.

AGRSMMSG agrsmmsg.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Acme.PCHButton
c:\progra~1\presar~1\presario\xphwwrs4\plugin\bin\pchbutton.exe
COMPAQSR1129\Owner
HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Reader Speed
Launch c:\progra~1\adobe\acroba~2.0\reader\reader~1.exe All Users Common
Startup
AlcxMonitor alcxmntr.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE c:\windows\system32\ctfmon.exe NT AUTHORITY\LOCAL
SERVICE HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE c:\windows\system32\ctfmon.exe NT AUTHORITY\NETWORK
SERVICE HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Camera Detector c:\progra~1\acdsys~1\acdsee\camdet~1.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Camio Viewer camio viewer.lnk NT AUTHORITY\SYSTEM Startup
Camio
Viewer c:\progra~1\sierra~1\imagee~1\ixapplet.exe COMPAQSR1129\Owner
Startup
Camio Viewer camio viewer.lnk .DEFAULT Startup
EPSON Stylus C62
Series c:\windows\system32\spool\drivers\w32x86\3\e_s10ic2.exe /p23
"epson
stylus c62 series" /o6 "usb002" /m "stylus c62" All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus C82
Series c:\windows\system32\spool\drivers\w32x86\3\e_s10ic2.exe /p23
"epson
stylus c82 series" /o6 "usb001" /m "stylus c82" All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
H/PC Connection Agent "c:\program files\microsoft
activesync\wcescomm.exe" COMPAQSR1129\Owner
HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotKeysCmds c:\windows\system32\hkcmd.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
InstantAccess c:\progra~1\textbr~1.0\bin\instan~1.exe /h All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KBD c:\hp\kbd\kbd.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LDM \program\ COMPAQSR1129\Owner
HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LVCOMS c:\program files\common files\logitech\qcdriver3\lvcoms.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LVCOMSX c:\windows\system32\lvcomsx.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechGalleryRepair c:\program files\logitech\imagestudio\isstart.exe
All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechImageStudioTray c:\program
files\logitech\imagestudio\logitray.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechSoftwareUpdate "c:\program
files\logitech\video\manifestengine.exe"
boot COMPAQSR1129\Owner
HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechVideoRepair c:\program files\logitech\video\isstart.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LogitechVideoTray c:\program files\logitech\video\logitray.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Find Fast c:\progra~1\micros~3\office\findfast.exe All
Users Common Startup
Microsoft Office c:\progra~1\micros~3\office\osa9.exe -b -l All Users
Common
Startup
Microsoft Office Shortcut Bar c:\progra~1\micros~3\office\msoffice.exe
All
Users Common Startup
NAV CfgWiz c:\program files\common files\symantec shared\cfgwiz.exe
/guid
nav /cmdline "reboot" All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Nosign_DUCAM nosign temram All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Office Startup c:\progra~1\micros~3\office\osa.exe -b All Users Common
Startup
Opware12 "c:\program files\scansoft\omnipagepro12.0\opware12.exe" All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PPWebCap c:\program
files\visioneer\paperport\ppwebcap.exe COMPAQSR1129\Owner
HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PS2 c:\windows\system32\ps2.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PaperPort PTD c:\progra~1\vision~1\paperp~1\pptd40nt.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task "c:\program files\quicktime\qttask.exe" -atboottime All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Recguard c:\windows\sminst\recguard.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RecordNow! Y&Y&gram\ COMPAQSR1129\Owner
HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RegisterDropHandler c:\progra~1\textbr~1.0\bin\regist~1.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SSC_UserPrompt c:\program files\common files\symantec shared\security
center\usrprmpt.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched c:\program files\java\j2re1.4.2_03\bin\jusched.exe
All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Symantec NetDriver Monitor c:\progra~1\symnet~1\sndmon.exe /consumer All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Televibe
Chat c:\docume~1\owner\locals~1\temp\wzse2.tmp\ COMPAQSR1129\Owner
HKU\S-1-5-21-231110364-3380571675-1176715318-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe "c:\program files\common files\real\update_ob\realsched.exe"
-osboot All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdateManager "c:\program files\common files\sonic\update
manager\sgtray.exe" /r All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VTTimer vttimer.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
atwtusb atwtusb.exe beta All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp "c:\program files\common files\symantec shared\ccapp.exe" All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
desktop desktop.ini NT AUTHORITY\SYSTEM Startup
desktop desktop.ini COMPAQSR1129\Owner Startup
desktop desktop.ini .DEFAULT Startup
desktop desktop.ini All Users Common Startup
gcasServ "c:\program files\microsoft antispyware\gcasserv.exe" All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hpsysdrv c:\windows\system\hpsysdrv.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iTunesHelper c:\program files\itunes\ituneshelper.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
yaemu.exe c:\windows\system32\yaemu.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


:

Check in Msconfig for any oddities.
(Start-Run-MSCONFIG-Startup tab)
If you cannot see anything in Msconfig then:

Start-Run-msinfo32
Click the + beside Software Environment to expand.
Click Startup Programs
Ctrl+A to Select All, Ctrl+C to Copy.
Paste that information in your message.

....Alan
--
Alan Edwards, MS MVP Windows - Internet Explorer
http://dts-l.org/index.html

 
G

Guest

Same thing is happening to me, and I go through my startup list frequently.
It's driving me nuts! It started about a week ago, and I can't figure out
how IE is starting without being in MSCONFIG or MSCONFIG's registry entry.
Can you tell by my list what could be doing this? I also have no idea about
a lot of the entries I'm seeing; good Lord, what is all this stuff? I can't
even put all my information in this post; I ran WAY over the limit! What can
I eliminate from the msinfo32 report?
 
R

Robert Aldwinckle

ReneeFoxx said:
Same thing is happening to me, and I go through my startup list frequently.
It's driving me nuts! It started about a week ago, and I can't figure out
how IE is starting without being in MSCONFIG or MSCONFIG's registry entry.


One thing that does that is Sun's Java Update utility, jusched.exe.
I disable it using msconfig to solve that problem.

More generally you could test anything else in your Startup like that
which was questionable and see if your symptoms changed by disabling it.


Good luck

Robert Aldwinckle
---
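
The approach in the reply above (disable questionable startup entries and watch whether the symptom changes) needs an order to test in. The following is an added example, not part of the original thread: it parses msinfo32 Startup Programs rows and ranks them by simple heuristics. The tab-separated layout, the heuristics and the sample rows (modeled on entries quoted in this thread) are assumptions; a flag means "test this entry first", not a malware verdict.

```python
import re

HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample rows modeled on entries quoted in this thread, in the
# assumed column order Program, Command, User Name, Location.
ROWS = [
    ("SunJavaUpdateSched", r"c:\program files\java\j2re1.4.2_03\bin\jusched.exe",
     "All Users", HKLM_RUN),
    ("Televibe Chat", "c:\\docume~1\\owner\\locals~1\\temp\\wzse2.tmp\\",
     r"COMPAQSR1129\Owner", r"HKU\<user SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("VTTimer", "vttimer.exe", "All Users", HKLM_RUN),
    ("ccApp", r'"c:\program files\common files\symantec shared\ccapp.exe"',
     "All Users", HKLM_RUN),
]
SAMPLE = "\n".join("\t".join(row) for row in ROWS)  # assumed tab-separated paste

EXE_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif)\b", re.I)
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)

def parse(text):
    """Split pasted rows into dicts; lines without four columns are skipped."""
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) == 4:
            yield dict(zip(("program", "command", "user", "location"), cols))

def flags(entry):
    """Return the reasons an entry deserves to be test-disabled early."""
    cmd, loc = entry["command"], entry["location"].upper()
    m = EXE_RE.search(cmd)
    target = (cmd[:m.end()] if m else cmd).strip('"')  # drop arguments and quotes
    found = []
    if not m:
        found.append("command names no executable file")
    if TEMP_RE.search(target):
        found.append("runs from a temp directory")
    if "\\" not in target:
        found.append("bare file name, resolved through the search path")
    if loc.endswith("\\RUN") and not loc.startswith("HKLM"):
        found.append("per-user Run key, writable without admin rights")
    return found

def triage(text):
    """Flagged entries, most flags first: a suggested order for disabling them."""
    hits = [(e["program"], flags(e)) for e in parse(text)]
    return sorted((h for h in hits if h[1]), key=lambda h: -len(h[1]))

if __name__ == "__main__":
    for program, reasons in triage(SAMPLE):
        print(f"{program}: {'; '.join(reasons)}")
```

Entries that come back with no flags are not cleared by this; they simply move to the end of the list of things to disable and retest.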
 
