[Resolved] startuplist {DW.exe error}

[mrbeans]

StartupList report, 2/3/03, 11:38:16 AM
StartupList version: 1.51
Started from : C:\UNZIPPED\STARTUPLIST151[1]\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\R_SERVER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\COMPAQ\COMPAQ EAB SOFTWARE\CPQEK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SAVENOW\SAVENOW.EXE
C:\PROGRAM FILES\DELFIN\PROMULGATE\PGMONITR.EXE
C:\WINDOWS\SYSTEM\XL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.EXE
C:\PROGRAM FILES\LAPLINK PROFESSIONAL\TSISCHED.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\SYMANTEC1\WINFAX\WFXCTL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\SYMANTEC1\WINFAX\WFXMOD32.EXE
C:\PROXYN44\PROXOMITRON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\STARTUPLIST151[1]\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Scheduler.lnk = C:\Program Files\LapLink Professional\Tsisched.exe
Acrobat Assistant.lnk = ?
CTI Tray Icon.lnk = SYMANTEC\WINFAX\Ctitrayi.exe
Controller.LNK = SYMANTEC1\WINFAX\WFXCTL32.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
IrMon = IrMon.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
cpqek = C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
LoadQM = loadqm.exe
SaveNow = C:\Program Files\SaveNow\SaveNow.exe
MediaLoads Installer = "C:\Program Files\DownloadWare\dw.exe" /H
PromulGate = "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
XtreamLok License Manager = C:\WINDOWS\SYSTEM\xl.exe start
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
CriticalUpdate = C:\WINDOWS\SYSTEM\wucrtupd.exe -startup

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
r_server = C:\WINDOWS\SYSTEM\R_SERVER.EXE /service
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
Desktop Weather = C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.exe

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 3/2/2003, 11:28:44)

[Rename]
NUL=C:\PROGRA~1\NEWDOT~1\UNINST~1.EXE
NUL=C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - c:\windows\googletoolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job
Windows Critical Update Notification.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37637.3064930556

[{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
CODEBASE = http://toolbar.google.com/data/GoogleActivate.cab

--------------------------------------------------
End of report, 5,516 bytes
Report generated in 1.061 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[Rollin' Rog]

mrbeans the link I gave you previously for Spybot has been changed. It is now:

http://tomcoyote.org/SPYBOT/

You should be able to follow the directions there for installing, updating and running it. You will want to accept all updates except for PGP and Language Tools.

It might also help a little if you went to Add/Remove programs and removed SaveNow first and then rebooted.

Spybot really should be run twice to ensure complete removal of applications. Reboot after each run. You only need remove the items which are pre-selected (checked) after running.

Post another startup list after you are done.

And can you provide a little information on these two programs you have running, so we know they are intentionally installed:

1 -- r_server = C:\WINDOWS\SYSTEM\R_SERVER.EXE /service

2 -- XtreamLok License Manager = C:\WINDOWS\SYSTEM\xl.exe start

 

[mrbeans]

Thank you again for helping. But I seem to have a problem with the spybot download. The only option to download is in German and that is a class I failed to take.

Please direct me if there is one in English or the steps to follow for the download.

Thankyou,

mrbeans.

 

[mViOkPe]

You can get a copy at our official mirror and I assure you that the default is in English with options for a couple dozen other langs. http://www.lurkhere.com/~nicefiles/index.html

Edited

 

[mrbeans]

StartupList report, 2/3/03, 3:04:20 PM
StartupList version: 1.51
Started from : C:\UNZIPPED\STARTUPLIST151[1]\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\R_SERVER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\COMPAQ\COMPAQ EAB SOFTWARE\CPQEK.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\XL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.EXE
C:\PROGRAM FILES\LAPLINK PROFESSIONAL\TSISCHED.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\SYMANTEC\WINFAX\CTITRAYI.EXE
C:\PROGRAM FILES\SYMANTEC1\WINFAX\WFXCTL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROXYN44\PROXOMITRON.EXE
C:\PROGRAM FILES\SYMANTEC1\WINFAX\WFXMOD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\STARTUPLIST151[1]\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Scheduler.lnk = C:\Program Files\LapLink Professional\Tsisched.exe
Acrobat Assistant.lnk = ?
Controller.LNK = SYMANTEC1\WINFAX\WFXCTL32.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
IrMon = IrMon.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
cpqek = C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
LoadQM = loadqm.exe
XtreamLok License Manager = C:\WINDOWS\SYSTEM\xl.exe start
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
CriticalUpdate = C:\WINDOWS\SYSTEM\wucrtupd.exe -startup

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
r_server = C:\WINDOWS\SYSTEM\R_SERVER.EXE /service
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
Desktop Weather = C:\PROGRAM FILES\THE WEATHER CHANNEL\THE WEATHER CHANNEL.exe

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 3/2/2003, 14:5:12)

[rename]
NUL=C:\WINDOWS\TEMP\UNINST.EXE

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - c:\windows\googletoolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job
Windows Critical Update Notification.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37637.3064930556

[{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
CODEBASE = http://toolbar.google.com/data/GoogleActivate.cab

--------------------------------------------------
End of report, 5,199 bytes
Report generated in 0.876 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[Rollin' Rog]

Well it looks like a "clean" startup -- you shouldn't be getting any more DW.exe errors.

My only question would be regarding the two files I mentioned, in particular the first one -- which is a remote administration server. Such applications can represent security vulnerabilities by allowing others to take control of your computer if they know the IP address and have the corresponding software.

edit: I also see this as a running process, but no "startup" for it:

C:\PROXYN44\PROXOMITRON.EXE

How is it getting launched?

 

[mrbeans]

The remote administration server. I believe is the remote application I have to do exactly what you mentioned. But I still do not have configured it. And do not know how yet. I am interested in doing so. But I just have not had the time to read through the manuals or had some help from someone that is familiar.
But you are right about the vulerability. To avoid that I just turn off the computer so I don't take chances. While I am not on the computer.
I would appreciate it if you could teach me or instruct me on how to do so.

About the proxy it is activated manually by me. There is no internet access unless I activate it. That is kinda another security I have just in case. It might not be much but in my limited knowledge of computers, it's the best I came up with. Why do you ask about it? Is there something wrong?

By the way thanks a million for the help. I could have not done it with you guys. I know love computers but all I have learned, is from people like yourselves that are willing to lend a hand.

 

[Rollin' Rog]

You're certainly welcome for the help and I will mark this particular thread "resolved". Unfortunately I have no experience with programs like radmin and am not really even sure what special security precautions you would be advised to take with it. I imagine it's a little like "PC Anywhere". If you do a Google search on it you will probably find some FAQs and help sites like this one:

http://www.antivirus.com.au/radmin/faq.html

You might try posting a separate topic for it to see if anyone around has used it. If you post in this forum and don't get any detailed responses we could move the thread to "all other software".

The only reason I asked about the proxy is because I am used to seeing an automatic startup for anything in "running processes" and it's good practice to determine whether the user is actually running the program or there is another program callling it. I understand the program is an ad-blocker, but otherwise I would be suspicious of anything with "proxy" in the name as it could be redirecting your internet connection through a server other than your normal ISPs.

 

[mrbeans]

How would I know if the proxy is going somewhere and everything is being copied or something like that?
Because the proxy was installed by the computer guy at the office. But he set something with some numbers. Is it possible that he could be copying all my stuff??
How can I change it to a different and secure place?

 

[Rollin' Rog]

PROXYN44\PROXOMITRON.EXE

Is an ad blocking program from what I can see. And evidently it does not run unless you run it. It is not a "hijacking" type of proxy so I wouldn't worry about that. However if you have any unusual problems connecting to sites, I would suspect it of causing a problem and not run it.

Radmin is another issue and I'm just not sure of the vulnerabilities it presents. The question is what do you want it for? Are you trying to set up a configuration where you can access this computer from another one and control it? If not, it serves no purpose.

If the "office guy" installed radmin -- you bet he could be copying your stuff. Why did he install it? Was it to help you with something? If you don't trust him, I'd suggest you uninstall it. If you don't want to uninstall it, click Start>Run and enter msconfig and then click on the Startup tab. You will see an entry there for:

r_server = C:\WINDOWS\SYSTEM\R_SERVER.EXE /service

Just uncheck it and that will keep it from running.

 

[mrbeans]

The office tech, on my request installed the proxy. The remote application was just there. And I did ask him to install it, if the laptop did not have it. Because yes, I am interested in eventually accesing my computer Desktop from my laptop. As a matter a fact I wanted to have the same connection for a desktop I have at my parents house. But then again I have no idea how to do it. I was thinking of installing pcanywhere or reachout. But they are not what I am looking for. The remote application instead I have seen it work and is almost exactly what I want to have. But do not know how to use it yet. Besides I would need to login to the server so he could see me on, right??

But you did concern me with the proxy. I know it's to block adds, etc. But he configured something with a four digit number. I do not remember what it was for. But he said something about access.

 

[Balzac]

I wouldn't be concerned about Proxomitron. It's phenomal--I couldn't get along without it. He probably configured your browser to use Proxomitron on port 8080 as a proxy server--as designed.

Some features of Proxomitron:


Stop windows that pop-up, pop-under, or pop-over
Stop those un-closable endless banner chains
Stop pop-up JavaScript message boxes
Remove web-branding and other scripts tacked on by "free" web providers.
Convert most ads and banner pictures into simple text links
Freeze all animated gifs
Make blinking text appear as bold instead
Remove slow web counters
Stop web pages from "auto-refreshing"
Prevent pages from changing fonts
Get rid of or replace web page background images
Protect against getting "trapped" inside someone else's frames!
Make all frames resizable
Close top or bottom frame banner windows
Protect against getting "trapped" inside someone else's frames!
Make background MIDI songs play only when you choose.
Remove status bar scroll-texts
Remove "dynamic" HTML from pages
Disguise your browser's identity and version from JavaScripts
Remove style sheets
Un-hide URLs when the mouse is over a link
Disable frames or tables altogether
Change or delete cookies
Change your browser's user-agent and other identifying fields
Hide where you've been previously from inquisitive web servers


What's amazing about it is you can change any web page to your liking. Css, Javascript, forms.........anything. Did I mention it's free?

 

[mrbeans]

You are right in the port 8080. and all you mentioned is true. I like the program. He told me that it was the better out their and free.