How do I find out the identity of a startup command, so I can delete it once and for all?

[jakobkraft]

When I go to msconfig-->startup, I find two items checked that are blank. I keep unchecking them but it seems two or three restarts later they're there again!

Under 'Startup Item' there's nothing and under 'Command' there is also nothing. Under location is says-like it does for many of the startup commands - SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Is there a way to nail down what these are exactly and get rid of them?
I've already run Adware and Spybot, and neither of those apps found anything...

Any ideas would be greatly appreciated, thanks...

 

[imported_Hi]

one thing i do is i search for that item and see what it is


so if it was ATI i would go search that

Hpoe that helps

 

[jakobkraft]

Originally posted by: Hi
one thing i do is i search for that item and see what it is


so if it was ATI i would go search that

Hpoe that helps

I cannot search something that has NO NAME, there is simply a checkmark next to that row. There is no information except 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' under 'Location.'
Hence, my original dilemma of how to identify...

 

[mechBgon]

1) do you have a current-generation antivirus software and is it up-to-date on its definitions? Run a scan yet?

2) how about post your HijackThis log: download here

 

[KB]

Look in the regsitry, both HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and see if you see the entry in either.

 

[jackschmittusa]

Here's a jim-dandy little free app that should help you find any running process.

 

[Lasthitlarry]

Hey mech, those programs are awesome, and I like your guide to building computers.

I quickly ran Hijackthis and StartupList and found some things I missed by using msconfig, and this will really help with the old and corrupted windows98 computers at work.

You don't have to reply, but I was wondering what are the best anti viruses and anti spyware program today? The computers at work have so many pop ups and search bars and the desktop icons "refresh" every 10 seconds or so.

Thanks!

 

[mechBgon]

Originally posted by: Lasthitlarry
Hey mech, those programs are awesome, and I like your guide to building computers.

I quickly ran Hijackthis and StartupList and found some things I missed by using msconfig, and this will really help with the old and corrupted windows98 computers at work.

You don't have to reply, but I was wondering what are the best anti viruses and anti spyware program today? The computers at work have so many pop ups and search bars and the desktop icons "refresh" every 10 seconds or so.

Thanks!

Yikes! :Q

1) Do you have pretty much all Win98 systems, or what's the mix like? If you have WinXP systems, specify Pro or Home, or some of each.

2) How many computers?

3) Do you guys have a domain?

4) What programs do the employees or computer users usually use?

5) Do you guys have any company/agency policies about what can and can't be installed on the computers?

6) Are the employees/users cooperative by nature, or are they oppositional-defiant?


With Win98, you can't do my favorite antispyware tactic, which is to make the user a Restricted User (called a "Limited" user on a standalone WinXP box). So at that point I would probably go to town on it with some of the suggestions in Schadenfroh's malware-prevention guide here until you can get rid of Win98/ME boxes.

Also consider getting a router that can arbitrarily block ActiveX and Java at the gateway, although that's a double-edged sword and you'll need to turn off the blocking sometimes (when running Windows Update for example). Lock all the ports on the router that you don't actually need open, to help put a crimp in the style of the typical SDbot/Spybot/Gaobot type of stuff that wants to "phone home" and/or run services on your machines. Ports you might need open:

20 and 21 for FTP (you could turn this on only as the need arises if you wanted)
25 for SMTP email if you use it
53 for DNS
80 for Web
110 for POP3 email if you use it
443 for secured Web (https)
and maybe some others if you have apps that need them open.

If you have a handful of systems then I would probably say get Kaspersky Antivirus Personal 5, as many copies as needed, and set the configuration up for Maximum detection on both real-time and on-demand scans. Set the "Configure Updater" to "From Internet, extended databases," and password-lock it so the users can't tamper with it. You can get trialware from them here. Its detection rates appear very good in tests and in real life, from what I've seen, and it can update from a Limited/Restricted account without problems. They release new updates as often as hourly, and you can password-protect the settings.

If it's more of a medium-to-big domain-based setup then I know I :heart: the McAfee Active VirusScan suite we use at work. Very configurable, with proactive protection capabilities and central deployment, tasking, reporting and updating. I have a bunch of commentary on it here. McAfee recently moved to daily updates rather than their previous weekly+emergency setup, that was nice.

BTW VS Enterprise 8.0i doesn't run on Win98, they have VirusScan Multiplatform 4.5.1 for that role.

 

[jakobkraft]

Originally posted by: mechBgon

how about post your HijackThis log: download here

Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 12:03:32 AM, on 4/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\Program Files\Creative\MediaSource\CTCMS.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
C:\Program Files\WordWeb\wwnotray.exe
C:\Program Files\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.access4less.net/portal.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.access4less.net/portal.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.access4less.net/portal.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.access4less.net/portal.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.access4less.net/portal.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Access4Less
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v...86/client/wuweb_site.cab?1110870612156
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe" -run bl -n PersonalPro -v 5.0.0.0 -ttsr 10000000 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE



So, what's the diagnosis?

 

[mechBgon]

I plunked it into http://hijackthis.de but it doesn't look bad. The first two items that have a red ! in a yellow circle, you might try removing those. My speculation is that one of the Services down at the bottom makes those two mystery entries that you keep trying to remove, and that it's by design... you've got Creative on there Could try removing your Creative stuff and uninstall all their software as a fact-finding mission, if you felt like it.

Did Kaspersky find anything bad, or how about Microsoft AntiSpyware Beta?

 

[jakobkraft]

Originally posted by: mechBgon
I plunked it into http://hijackthis.de but it doesn't look bad. The first two items that have a red ! in a yellow circle, you might try removing those. My speculation is that one of the Services down at the bottom makes those two mystery entries that you keep trying to remove, and that it's by design... you've got Creative on there Could try removing your Creative stuff and uninstall all their software as a fact-finding mission, if you felt like it.

Did Kaspersky find anything bad, or how about Microsoft AntiSpyware Beta?

Microsoft nothing, Kaspersky did find one thing, removed it but those two entries were still there. But you know what, I think they MUST have something to do with my Creative software (even though if that's the case, they should have names attached to them dammit!). Their software blows but I have to have Mediasource installed for my remote to work with my other apps of choice, plus the EAX console makes it extremely easy to switch from headphone to speakers and back again.
But I did an experiment where I removed the 2 entries, restarted, ran msconfig, saw they were STILL unchecked, then made an addition to my list of apps that I want the remote to control. And sure enough, next time I restarted, the two entries were checked again.

But the remote rocks, I can control my PC from across my apt. so if I have to accept these two unidentified entries in my msconfig, then so be it.

Nice app, that HijackThis, btw. Will definitely use in the future should any more strangeness occur.

Thanks for all the help

 

[mechBgon]

What was the one thing Kaspersky found?

 

[jakobkraft]

It was something 'Trojan' which I know is some kind of browser hijack attempt...I generally use Netscape which prohibits all unrequested pop-ups, unlike IE with its bullsh-- low, medium, and high popup protection...but there are a few sites, online bill pay, etc. which I'm forced to use IE for-and when doing so I just need to be more cautious...