StartupList report, 3/06/04, 4:08:07 PM
StartupList version: 1.52
Started from : C:\AARON\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using verbose mode
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\PYRENEAN\EDEXTER\EDEXTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\AARON\MIRC\MIRC.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\MYIE2\MYIE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMAN.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\AD MUNCHER\ADMUNCH.EXE
C:\AARON\STARTUPLIST.EXE

This lists all processes running in memory, which are all active programs and some non-exe system components.

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe

User shell folders Startup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

This lists all programs or shortcuts in folders marked by Windows as 'Autostart folder', which means any files within these folders are launched when Windows is started. The Windows standard is that only shortcuts (*.lnk, *.pif) should be present in these folders. The location of these folders is set in the Registry.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
hf = C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE /s
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LoadQM = loadqm.exe
Outpost Firewall = C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE /waitservice
nod32kui = "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
Ad Muncher = C:\PROGRAM FILES\AD MUNCHER\ADMUNCH.EXE /bt
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

This lists programs that run from Registry keys marked by Windows as 'Autostart key'. To the left are the value names, which indicate what program they belong to; to the right is the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

This lists programs that run from Registry keys marked by Windows as 'Autostart key'. To the left are the value names, which indicate what program they belong to; to the right is the program file that is started. The values in the 'RunOnce', 'RunOnceEx' and 'RunServicesOnce' keys are run once and then deleted by Windows.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

This lists programs that run from Registry keys marked by Windows as 'Autostart key'. To the left are the value names, which indicate what program they belong to; to the right is the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Outpost Firewall = C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE /service
MessengerPlus3 = "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
NOD32kernel = "C:\Program Files\Eset\nod32krn.exe"

This lists programs that run from Registry keys marked by Windows as 'Autostart key'. To the left are the value names, which indicate what program they belong to; to the right is the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

This lists programs that run from Registry keys marked by Windows as 'Autostart key'. To the left are the value names, which indicate what program they belong to; to the right is the program file that is started. The values in the 'RunOnce', 'RunOnceEx' and 'RunServicesOnce' keys are run once and then deleted by Windows.

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

This lists programs that run from Registry keys marked by Windows as 'Autostart key'. To the left are the value names, which indicate what program they belong to; to the right is the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

This lists programs that run from Registry keys marked by Windows as 'Autostart key'. To the left are the value names, which indicate what program they belong to; to the right is the program file that is started. The values in the 'RunOnce', 'RunOnceEx' and 'RunServicesOnce' keys are run once and then deleted by Windows.

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

This lists programs that run from Registry keys marked by Windows as 'Autostart key'. To the left are the value names, which indicate what program they belong to; to the right is the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

This lists programs that run from Registry keys marked by Windows as 'Autostart key'. To the left are the value names, which indicate what program they belong to; to the right is the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

This lists programs that run from Registry keys marked by Windows as 'Autostart key'. To the left are the value names, which indicate what program they belong to; to the right is the program file that is started. The values in the 'RunOnce', 'RunOnceEx' and 'RunServicesOnce' keys are run once and then deleted by Windows.

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

This lists a special format of autorun Registry key, from which both programs and functions within DLLs can be launched without RUNDLL32.EXE. This autorun key is used very rarely.

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

This lists a special format of autorun Registry key, from which both programs and functions within DLLs can be launched without RUNDLL32.EXE. This autorun key is used very rarely.

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

This lists a special format of autorun Registry key, from which both programs and functions within DLLs can be launched without RUNDLL32.EXE. This autorun key is used very rarely.

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

This lists a special format of autorun Registry key, from which both programs and functions within DLLs can be launched without RUNDLL32.EXE. This autorun key is used very rarely.

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No subkeys found*

This lists a special format of autorun Registry key, from which both programs and functions within DLLs can be launched without RUNDLL32.EXE. This autorun key is used very rarely.

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

This lists a special format of autorun Registry key, from which both programs and functions within DLLs can be launched without RUNDLL32.EXE. This autorun key is used very rarely.

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

This lists a special format of autorun Registry key, from which both programs and functions within DLLs can be launched without RUNDLL32.EXE. This autorun key is used very rarely.

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

This lists a special format of autorun Registry key, from which both programs and functions within DLLs can be launched without RUNDLL32.EXE. This autorun key is used very rarely.

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

This lists a special format of autorun Registry key, from which both programs and functions within DLLs can be launched without RUNDLL32.EXE. This autorun key is used very rarely.

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No subkeys found*

This lists a special format of autorun Registry key, from which both programs and functions within DLLs can be launched without RUNDLL32.EXE. This autorun key is used very rarely.

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

This lists a special format of autorun Registry key, from which both programs and functions within DLLs can be launched without RUNDLL32.EXE. This autorun key is used very rarely.

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

This lists a special format of autorun Registry key, from which both programs and functions within DLLs can be launched without RUNDLL32.EXE. This autorun key is used very rarely.

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

This Registry value determines how Windows runs files (in this case .EXE files). If this file type is executable, it should read "%1" %*. ("%1" /S for screensavers, .SCR files.) If it needs to be opened with some other program, it should read program.exe "%1" %*. File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR. File types that are not executable are types like .DOC, .LNK, .BMP, .JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

This Registry value determines how Windows runs files (in this case .COM files). If this file type is executable, it should read "%1" %*. ("%1" /S for screensavers, .SCR files.) If it needs to be opened with some other program, it should read program.exe "%1" %*. File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR. File types that are not executable are types like .DOC, .LNK, .BMP, .JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

This Registry value determines how Windows runs files (in this case .BAT files). If this file type is executable, it should read "%1" %*. ("%1" /S for screensavers, .SCR files.) If it needs to be opened with some other program, it should read program.exe "%1" %*. File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR. File types that are not executable are types like .DOC, .LNK, .BMP, .JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

This Registry value determines how Windows runs files (in this case .PIF files). If this file type is executable, it should read "%1" %*. ("%1" /S for screensavers, .SCR files.) If it needs to be opened with some other program, it should read program.exe "%1" %*. File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR. File types that are not executable are types like .DOC, .LNK, .BMP, .JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

This Registry value determines how Windows runs files (in this case .SCR files). If this file type is executable, it should read "%1" %*. ("%1" /S for screensavers, .SCR files.) If it needs to be opened with some other program, it should read program.exe "%1" %*. File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR. File types that are not executable are types like .DOC, .LNK, .BMP, .JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

This Registry value determines how Windows runs files (in this case .HTA files). If this file type is executable, it should read "%1" %*. ("%1" /S for screensavers, .SCR files.) If it needs to be opened with some other program, it should read program.exe "%1" %*. File types that are executable are .EXE, .COM, .PIF, .BAT, .SCR. File types that are not executable are types like .DOC, .LNK, .BMP, .JPEG, .SHS, .VBS, .HTA etc.

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[FontsPerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}]
* StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}]
* StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89820200-ECBD-11cf-8B85-00AA005B4395}]
* StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean]
* StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}]
* StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownMPlayPerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf

[PerUser_Base]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[ShellPerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs]
* StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[PerUserOldLinks]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_Paint_Inis]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[MotownRecPerUser]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[PerUser_MSWordPad_Inis]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUser_RNA_Inis]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Wingames_Inis]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CharMap_Inis]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_ClipBrd_Inis]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 C:\WINDOWS\INF\clip.inf

[PerUser_CDPlayer_Inis]
* StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}]
* StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
* StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}]
* StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf

[OlsAttPerUser]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf

[OlsCompuservePerUser]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUserRemove 64 C:\WINDOWS\INF\ols.inf

[OlsProdigyPerUser]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
* StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
* StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
* StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie5x86.inf,PerUserStub

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
* StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
* StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

Programs listed here are components of the Windows Setup that were only run when Windows started for the first time. To prevent them from running multiple times, Windows checks for a key with the same name at the HKCU root. If it's not found, the component at the HKLM root is run, and a matching key is created at the HKCU root so the component is not run again next time. Most entries involve either RUNDLL.EXE or RUNDLL32.EXE, so a suspicious key is not hard to find.

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

The chat program ICQ includes an ICQ Agent that can be configured to launch one or multiple browsers when an Internet connection is detected. To configure it, open the ICQ Preferences menu and check under 'Connection' for a button labelled 'Edit Launch List'.

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

These two entries in WIN.INI are leftovers from Windows 3.x, which used them as values denoting programs that should be started up with Windows. Since Windows 95 and higher use the Registry to store the locations of autostart folders, these two entries in WIN.INI are redundant and rarely used.

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\JET-GE~1.SCR
drivers=mmsystem.dll power.drv

The Shell key from SYSTEM.INI tells Windows what file handles the Windows shell, i.e. creates the taskbar, desktop icons etc. If programs are added to this line, they are all run at startup. The SCRNSAVE.EXE line tells Windows what the default screensaver file is. This is also a leftover from Windows 3.x and should not be used, since Windows 95 and higher store this setting in the Registry. The 'drivers' line loads non-standard DLLs or programs.

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

Due to a bug in Windows 9x, it mistakenly uses C:\Explorer.exe and other instances (if present) when searching for Explorer.exe. Explorer.exe should only exist in the Windows folder. Windows NT is vulnerable to this as well, but only if the 'Shell' Registry value from the previous section is just 'Explorer.exe' instead of the full path. Additionally, presence of \WINDOWS\Explorer\Explorer.exe indicates infection with the W32@Trojan.Dlder virus.

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 3/6/2004, 14:2:14)

WININIT.INI is a settings file for WININIT.EXE, which updates files at startup that are normally in use when Windows is running. It is mostly used when installing programs or patches that need the computer to be restarted to complete the install. After such a reboot, WININIT.INI is renamed to WININIT.BAK.

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 2/6/2004, 18:12:10)

[rename]
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp

WININIT.INI is a settings file for WININIT.EXE, which updates files at startup that are normally in use when Windows is running. It is mostly used when installing programs or patches that need the computer to be restarted to complete the install. After such a reboot, WININIT.INI is renamed to WININIT.BAK.

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

*File is empty*

Autoexec.bat is the very first file to autostart when the computer starts; it is a leftover from DOS and older Windows versions. Windows NT, Windows ME, Windows 2000 and Windows XP don't use this file. It is generally used by virus scanners to scan files before Windows starts.

--------------------------------------------------

C:\CONFIG.SYS listing:

*File is empty*

Config.sys loads device drivers for DOS, and is rarely used in Windows versions newer than Windows 95. Originally it loaded drivers for legacy sound cards and such.

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

Winstart.bat loads just before the Windows shell, and is used for starting things like sound card drivers and mouse drivers. Rarely used.

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

*File not found*

Dosstart.bat loads if you select 'MS-DOS Prompt' from the Startup menu when the computer is starting, or if you select 'Restart in MS-DOS Mode' from the Shutdown menu in Windows. Mostly used for DOS-only drivers, like sound or mouse drivers.

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

Some file extensions are always hidden, like .lnk (shortcut) and .pif (shortcut to MS-DOS program). The Life_Stages virus was a .shs (Shell Scrap) file that had the extension hidden by default. This can be a security risk when a virus with a double-extension filename is on the loose, since the extension can be hidden even when 'Don't show extensions for known filetypes' is turned off. The shortcut overlay acts as a reminder that the file is just a shortcut. If the shortcut overlay is removed, the difference between a file and a shortcut is invisible.

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

Regedit.exe is the Windows Registry Editor. Without it, you cannot access the Registry or merge Registry scripts into the Registry. Several viruses/trojans mess with this important system file, e.g. moving it somewhere else or replacing it with a copy of the trojan. The above checks ensure that Regedit.exe is in the correct place and that it really is Regedit. If you have ScriptSentry installed, the .reg command is altered and you fail the check. Don't worry about this.

--------------------------------------------------

Enumerating Browser Helper Objects:

IDM Helper - C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMIECC.DLL - {0055C089-8582-441B-A0BF-17B458C2A3A8}

MSIE features Browser Helper Objects (BHOs) that plug into MSIE and can do virtually anything on your system. Benevolent examples are the Google Toolbar and the Acrobat Reader plugin. More often though, BHOs are installed by spyware and serve you a never-ending flow of popups and ads as well as tracking your browsing habits, claiming they 'enhance your browsing experience'.

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

The Windows Task Scheduler can run programs at a certain time, automatically. Though very unlikely, this can be exploited by making a job that runs a virus or trojan.

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Yahoo! Chat]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Chat.osd

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT45.OCX
CODEBASE = http://chat.msn.com/bin/msnchat45.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNPUPLD.DLL
CODEBASE = http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38093.2044328704

[{556DDE35-E955-11D0-A707-000000521957}]
CODEBASE = http://www.xblock.com/download/xclean_micro.exe

[HushEncryptionEngine]
CODEBASE = https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
OSD = C:\WINDOWS\Downloaded Program Files\HushEncryptionEngine.osd

The items in Download Program Files are programs you downloaded that automatically installed themselves in MSIE. Most of these are Java classes, Media Player codecs and the like. Some items are only visible from the Registry and may not show up in the folder.

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: imon.dll (file MISSING)
Protocol #2: imon.dll (file MISSING)
Protocol #3: imon.dll (file MISSING)
Protocol #4: imon.dll (file MISSING)
Protocol #5: imon.dll (file MISSING)
Protocol #6: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #7: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #8: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #9: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #10: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #11: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #12: imon.dll (file MISSING)

The Windows Socket system (Winsock) connects your system to the Internet. Part of this task is resolving domain names (www.server.com) to IP addresses (12.23.34.45), which is handled by several system files, called Layered Service Providers (LSPs), which work as a chain: if one LSP is gone, the chain is broken and Winsock cannot resolve domain names, which means no program on your system can access the Internet.

--------------------------------------------------

Enumerating Win9x VxD services:

NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
AMON: C:\PROGRA~1\ESET\AMON.VXD

Windows NT4/2000/XP launches several dozen 'services' when your system starts that range in importance from system-critical (like RPCSS) to redundant (Remote Registry Editor), or even dangerous (Universal Plug & Play). Though very few malicious programs use this type of startup, it is included here for completeness. Windows 9x/ME launches system-critical files in a similar way at system startup, but unlike Windows NT services, the Windows 9x VxD services are all important, and far fewer in number. Practically the only non-Microsoft programs starting from here are software firewalls.

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

This Registry key lists several system components that are loaded at system startup. Not much is known about this key since it is virtually undocumented and only used by programs like the Volume Control, IE Webcheck and Power Management icons. However, a virus/trojan in the form of a DLL can also load from this key. The Hitcap trojan is an example of this.

--------------------------------------------------
End of report, 36,128 bytes
Report generated in 2.715 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only