#1
Start Up List.
Hey AnnMarie, I saw your post here about running the Start Up List, the zip file. So I gave it a whirl; here are the results from mine. Do you see anything wrong?
```text
StartupList report, 10/3/2002, 5:55:09 PM
StartupList version: 1.33.0
Started from: D:\zgtemp\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\WINDOWS\system32\crypserv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft Hardware\Keyboard\type32.exe
D:\WINDOWS\System32\devldr32.exe
D:\Program Files\ZipGenius\zipgenius.exe
D:\zgtemp\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = D:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IntelliType = "D:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
AVG_CC = D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
WebInstall2 = D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ins82.tmp /R /A
Outpost Firewall = D:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

BlockAds =
Tweak-XP =
TransparentIcons =

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
*Registry key not found*

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = D:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Checking for EXPLORER.EXE instances:

D:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
D:\WINDOWS\Explorer\Explorer.exe: not present
D:\WINDOWS\System\Explorer.exe: not present
D:\WINDOWS\System32\Explorer.exe: not present
D:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: NO!)
.pif: HIDDEN! (arrow overlay: NO!)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: *Registry key not found*
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll - {206E52E0-D52E-11D4-AD54-0000E86C26F6}

--------------------------------------------------

Enumerating Download Program Files:

[sys Class]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\PCPitStop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Shockwave ActiveX Control]
InProcServer32 = D:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/s...irector/sw.cab

[YInstStarter Class]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[{34805D32-AD89-469E-8503-A5666AEE4333}]
CODEBASE = http://207.188.7.150/083f59a6f57c754...tzip/RdxIE.cab

[{69FD62B1-0216-4C31-8D55-840ED86B7C8F}]
CODEBASE = http://a875.g.akamai.net/f/875/7804/...ams/hotbar.cab

[HouseCall Control]
InProcServer32 = D:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

[Java Plug-in 1.3.1]
InProcServer32 = D:\Program Files\JavaSoft\JRE\1.3.1\bin\npjava131.dll
CODEBASE = http://java.sun.com/products/plugin/...ll-131-win.cab

[Update Class]
InProcServer32 = D:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.co...418.7804166667

[WONWebLauncher Class]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\WONWebLauncherControl.ocx
CODEBASE = http://www.virtualvegas.com/cab/WONW...herControl.cab

[IntraLaunch.MainControl]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\INTRALAUNCH.OCX
CODEBASE = file://E:\SuperCD\IntraLaunch.CAB

[Java Plug-in 1.3.1]
InProcServer32 = D:\Program Files\JavaSoft\JRE\1.3.1\bin\npjava131.dll
CODEBASE = http://java.sun.com/products/plugin/...ll-131-win.cab

[{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}]

[ContentAuditX Control]
InProcServer32 = D:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805/...ditControl.cab

[Shockwave Flash Object]
InProcServer32 = D:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

--------------------------------------------------
End of report, 7,625 bytes
Report generated in 0.101 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
```
__________________
For A Pint And A Larf Visit Dave's Pub
#2
Hi Dave - there are a few entries that you can do without. See below.
```text
WebInstall2 = D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ins82.tmp /R /A
```

Go to Control Panel > Add/Remove Programs and look for Downloadware. If present, uninstall it and restart your computer.

Run a Search for folders named Movienetworks and MedCh. If you find these folders, it's OK to delete them. Now run a search for ins82.tmp and, if you find it, delete it.

Go to Start > Run and type regedit. Now go to Edit > Find and enter 'downloadware'; make sure to search for keys, data, and values. Click Find Next. If it finds it, right-click the folder (key) it finds and select Delete, click Yes to delete, then press F3 to keep searching. Keep doing that until you get 'finished searching the registry' or 'not found'. Then scroll back to the top, click on My Computer (in regedit) and search for the following words in the same manner (without the quotes):

'mediacharger'
'movienetworks'
'webinstall'

Delete any entries that you find.

N.B. Always back up your registry before making any changes.

Would you please go to your Downloaded Program Files folder in D:\Windows and, for each of the below controls, right-click, select Properties and paste the information back here.

```text
[YInstStarter Class]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[{34805D32-AD89-469E-8503-A5666AEE4333}]
CODEBASE = http://207.188.7.150/083f59a6f57c75...etzip/RdxIE.cab

[{69FD62B1-0216-4C31-8D55-840ED86B7C8F}]
CODEBASE = http://a875.g.akamai.net/f/875/7804...rams/hotbar.cab

[IntraLaunch.MainControl]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\INTRALAUNCH.OCX
CODEBASE = file://E:\SuperCD\IntraLaunch.CAB

[ContentAuditX Control]
InProcServer32 = D:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805...uditControl.cab
```
__________________
Moderator: Vista Forum. Microsoft MVP - Windows Desktop Experience 2004-2008. If we have helped you, please consider supporting Cyber Tech Help with a subscription. Please do not send me Emails or Private Messages for personal support. Last time I checked, there were still only 24 hours in a day. Thank you. How to help prevent re-infection
#3
Thank you AnnMarie, I've just printed all this and will give it a go tomorrow morning, no doubt when you'll be snoring ya head off!!!
Dave.
#4
LOL.... Ladies don't snore, Dave.
#5
Who mentioned ladies!!!!
Dave. *scrambling under desktop fast*
#6
#7
Hi AnnMarie! He may not find some of them in the Downloaded Program Files folder. Some are only registry entries. They should be the subkeys under:

HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units

The only one that I see that is malware is "Hotbar".
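The two things the thread picks out of that report, an autorun launched from a Temp folder (post #2) and download controls that survive only as registry entries with no file behind them (post #7), can be checked mechanically. The following is an added Python example, not code from the thread or from StartupList; it parses the report layout shown in post #1 and runs over a constructed excerpt of it.

```python
# Constructed excerpt in the layout of the StartupList 1.33 report quoted in post #1.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IntelliType = "D:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
WebInstall2 = D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ins82.tmp /R /A
--------------------------------------------------
Enumerating Download Program Files:
[YInstStarter Class]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab
[{69FD62B1-0216-4C31-8D55-840ED86B7C8F}]
CODEBASE = http://a875.g.akamai.net/f/875/7804/...ams/hotbar.cab
--------------------------------------------------
"""

def parse_report(report):
    """One pass over the report: Run-key autoruns and Downloaded Program Files controls."""
    autoruns, controls, mode = {}, [], None
    for line in report.splitlines():
        if line.startswith("-" * 50):            # the dashed rule closes a section
            mode = None
        elif line.startswith("Autorun entries from Registry"):
            mode = "run"
        elif line.startswith("Enumerating Download Program Files"):
            mode = "dpf"
        elif mode == "run" and " = " in line:    # the bare Run-key line has no ' = '
            name, _, cmd = line.partition(" = ")
            autoruns[name.strip()] = cmd.strip()
        elif mode == "dpf" and line.startswith("[") and line.endswith("]"):
            controls.append({"name": line[1:-1]})   # [Friendly name] or [{CLSID}]
        elif mode == "dpf" and controls and " = " in line:
            key, _, val = line.partition(" = ")
            controls[-1][key.strip()] = val.strip()
    return autoruns, controls

def temp_autoruns(report):
    """Autoruns launched from a Temp folder, like the ins82.tmp installer stub."""
    return [n for n, cmd in parse_report(report)[0].items() if "\\temp\\" in cmd.lower()]

def registry_only_controls(report):
    """Controls with a CODEBASE but no InProcServer32 file: leftovers that exist
    only as Distribution Units subkeys, which is why a folder search misses them."""
    return [c["name"] for c in parse_report(report)[1] if "InProcServer32" not in c]

if __name__ == "__main__":
    print("Autoruns from Temp:", temp_autoruns(SAMPLE_REPORT))
    print("Registry-only controls:", registry_only_controls(SAMPLE_REPORT))
```

Feeding it a full report instead of the excerpt lists every Temp-launched autorun and every file-less download control, which is the short list to look up in Add/Remove Programs and under Distribution Units.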
#8
Hi tb525
#9
Thanks guys!!
I was hoping to get this all checked out this morning before going to work, but all I had the chance to do was run the searches that AnnMarie suggested doing, and not one of them was found!!! I'll go through the rest over this weekend and will post back results. The hotbar file was something that I stupidly opened from an e-mail I received; it immediately added stuff to my computer, and though I thought I had got rid of it all, obviously I hadn't!!!

Dave.
#10
Okay, I know this one's taken a while, but I have just done the "regedit" suggestion, and went here....

HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units

But I see nothing related to Hotbar!!!

Now listen up AnnMarie and TB, after the past few days you might get the idea that this darn blimmin' machine sitting in front of me is far from perfect; that's why I have a large hammer next to me at all times (for smashing the computer, and anyone trying to get close to me beer stash!!). So, are we ready for another post marathon? Oy, don't you dare run away, I ain't finished wiv ya yet!!!

Dave.
#11
Hi Dave, it will not be listed as "Hotbar". The listing is:

{69FD62B1-0216-4C31-8D55-840ED86B7C8F}

** snags a beer while Dave is messing with regedit! **

If you uninstalled Hotbar, don't worry about it. It is just an abandoned registry entry. It won't hurt anything to leave it there.
#12
Oy, get ya mitts off me beer!!!!
Okay, I'll leave it there, and I guess all the other files that showed in the "start up" list are abandoned files, since I can't find them anywhere!!!

Dave.