
Unidentified app/process running at startup

Ken90630

Golden Member
Last week I did a reformat and fresh Windows installation (XP Pro, SP2) on a friend's PC. After installing a slew of Windows Updates and then loading additional software (WordPerfect, Adobe Reader, F-Secure A-V, FilZip, QuickTime, etc.), I went into msconfig to shut down unnecessary apps from loading at start-up.

There's something running that simply has a checkbox next to it but no written description. That field is just blank. The file path is HKCU\Software\Microsoft\Windows\Current Version\Run. (I assume that's something in the registry?)

I didn't have the machine connected to the Web until after Windows and SP2 were installed and the firewall was on, so I don't see how malware could have gotten in so soon after a fresh Windows installation (and I ran an F-Secure virus scan just for the heck of it).

I de-selected the box, and now when I reboot and go back into msconfig, that entry has disappeared completely -- as opposed to still being there but just with the checkbox unchecked, like other apps you turn off with msconfig. The machine seems to take an awfully long time to boot up (several minutes), but other than that seems to work fine. (CPU is an Athlon XP 2800+ and it has 512GB of RAM.)

Any of you guys ever seen this before and have any advice?
 
Originally posted by: Ken90630
I didn't have the machine connected to the Web until after Windows and SP2 were installed and the firewall was on, so I don't see how malware could have gotten in...

Please!?!?!

Think about what you just said... 😉

If firewalls were 'The Answer', do you really *think* you're the first person that's thought of it?

Hell, I'm not a betting man, but I'd be willing to wager that you're still running in admin mode, right?

n/m
 
Originally posted by: VinDSL
Originally posted by: Ken90630
I didn't have the machine connected to the Web until after Windows and SP2 were installed and the firewall was on, so I don't see how malware could have gotten in...

Please!?!?!

Think about what you just said... 😉

If firewalls were 'The Answer', do you really *think* you're the first person that's thought of it?

Hell, I'm not a betting man, but I'd be willing to wager that you're still running in admin mode, right?

n/m

Not sure what you're chastising me here for. The setup order was as follows.

While disconnected from the Web:

Windows XP Pro
SP2 (from CD)
Motherboard drivers
ATI vid card drivers
Wireless keyboard & mouse drivers
HP f2304 monitor software
WordPerfect 11 Suite
HP Office Jet 7310 printer software


Then I connected to the Web, behind a Netgear router, for the rest:

Windows Updates (>100)
F-Secure Anti-Virus 2008 and signature updates
IE7
Adobe Acrobat Reader & Flash Player
QuickTime for Windows
FilZip

So where do you see a security weakness here that could have allowed malware in? 😕 The Windows Firewall has not been disabled, incidentally (that was the first thing I checked).
 
Originally posted by: VinDSL
Originally posted by: Ken90630
I didn't have the machine connected to the Web until after Windows and SP2 were installed and the firewall was on, so I don't see how malware could have gotten in...

Please!?!?!

Think about what you just said... 😉

If firewalls were 'The Answer', do you really *think* you're the first person that's thought of it?

Hell, I'm not a betting man, but I'd be willing to wager that you're still running in admin mode, right?

n/m

I know this guy, and it's not very likely that the system was compromised if he was doing the work. Ken90630, are there any informative entries in Event Viewer that would shed light on the slow boot-up?

 
Originally posted by: Ken90630
Not sure what you're chastising me here for...

So where do you see a security weakness here that could have allowed malware in? 😕

Didn't mean to scold you, but are you running in admin mode or not?

That's a question... and an answer... 🙂
 
Originally posted by: mechBgon
I know this guy, and it's not very likely that the system was compromised if he was doing the work...

Sorry, but I hardly know anybody in this forum, so I'll take your word for it...

The reason I'm over here is because one of the mods (maybe even you) hijacked my Vista SP1 RC1 thread, and moved it from the 'Laptop Forum' - a fish out of water, so to speak...

Sometimes you have to be careful what you wish for, you know? 😀
 
No worries, but to install & update Windows and other software, one does have to be running as an Admin 😉 Or so I've found.

(no, I didn't heist your SP1 thread 😀)
 
Originally posted by: VinDSL
Originally posted by: Ken90630
Not sure what you're chastising me here for...

So where do you see a security weakness here that could have allowed malware in? 😕

Didn't mean to scold you, but are you running in admin mode or not?

That's a question... and an answer... 🙂

Yes, the machine is running an Admin account, not a Limited one. I performed the entire Windows re-installation with the Admin. account. Since a Limited account would, by definition, not allow new software installation, I don't see how I could have set the machine up any other way (unless I'm missing something here). Further, no e-mail was received, and I didn't visit any Web sites other than Microsoft.com, Adobe.com, F-Secure.com, Apple.com and Filzip.com during setup, so other than a firewall breach I don't see any possible entry point for malware.

 
Originally posted by: mechBgon
Originally posted by: VinDSL
Originally posted by: Ken90630
I didn't have the machine connected to the Web until after Windows and SP2 were installed and the firewall was on, so I don't see how malware could have gotten in...

Please!?!?!

Think about what you just said... 😉

If firewalls were 'The Answer', do you really *think* you're the first person that's thought of it?

Hell, I'm not a betting man, but I'd be willing to wager that you're still running in admin mode, right?

n/m

I know this guy, and it's not very likely that the system was compromised if he was doing the work. Ken90630, are there any informative entries in Event Viewer that would shed light on the slow boot-up?

I didn't think to check Event Viewer, and I'm at home right now. I will be heading back over to her house sometime this week, so I'll look at it then and post back here.

Thanks.
 
Originally posted by: Ken90630
That looks interesting. I didn't know it existed. Thanks.

My pleasure! 😉

SYSINTERNALS makes a LOT of great apps... been using them for years!

For a little history...


The Sysinternals web site was created in 1996 by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information.

Microsoft acquired Sysinternals in July, 2006.

Whether you're an IT Pro or a developer, you'll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.

EDIT

Here's a snappy of my AUTORUNS LOGON screen...
 
Originally posted by: Ken90630
Thanks.

LoL! Isn't life funny?!?!?

Now I owe you one... 😀

When I was looking at the snappy above, I realized my 'HWSetup' app wasn't being found at Logon.

Turned out to be a bad path in reg - which I just fixed...

Here's the AMENDED SNAPPY

Thanks, bro! 🙂
 
Originally posted by: VinDSL
Originally posted by: Ken90630
Thanks.

Now I owe you one... 😀

When I was looking at the snappy above, I realized my 'HWSetup' app wasn't being found at Logon.

Turned out to be a bad path in reg - which I just fixed...

Here's the AMENDED SNAPPY

Thanks, bro! 🙂

Heh heh ... it was nothing. Glad to help. 😀

Before I de-selected that 'mystery' process in the msconfig startup list, I had the presence of mind to create a System Restore point. I think I might send the machine back to that time & see if that mystery process returns to the list ... and then run AutoRuns and see what it says. Otherwise, the only info I have on that unnamed process is the file path to the registry, which doesn't tell me much. Like mech suggested, I guess I need to get a look at the Event Viewer too.
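The original post describes a Run-key entry that msconfig lists with no name, and the post above plans to inspect it with Autoruns after rolling back. An offline way to look at the same data is to export the key with `reg export` and triage the result. The script below is an added example, not code from the thread or from Sysinternals: it parses a REGEDIT-format export and flags three things a reviewer would want to see, a value stored under the key's (Default) name (which is one common reason msconfig shows a blank Startup Item), a program started from a temp or profile directory, and an unquoted path containing spaces. The sample export, the value names and the paths in it are constructed for the example; the directory list is a heuristic, not a rule.

```python
"""Triage the string values of an exported Run key (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of what `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`
# could produce; hand-written for this example, not taken from the machine in the thread.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"F-Secure Tray"="\"C:\\Program Files\\F-Secure\\FSGUI\\fstray.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Printer Helper"="C:\\Program Files\\HP\\helper.exe /silent"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
EXE_RE = re.compile(r'^(.*?\.exe)', re.IGNORECASE)

# Directories an autostart program rarely has a legitimate reason to run from (heuristic).
SUSPECT_DIRS = ('\\temp\\', '\\local settings\\', '\\application data\\')


@dataclass
class RunEntry:
    key: str
    name: str      # '' when the data sits in the key's (Default) value
    command: str   # decoded string data, i.e. the command line that is run


@dataclass
class Finding:
    name: str
    code: str
    detail: str


def _unescape(text: str) -> str:
    # .reg files escape a backslash as two backslashes and a quote as backslash-quote.
    out = []
    i = 0
    while i < len(text):
        if text[i] == '\\' and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return ''.join(out)


def parse_reg_export(text: str) -> List[RunEntry]:
    """Return the string values of every key in a REGEDIT-format export."""
    entries: List[RunEntry] = []
    key = ''
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # header, blank line, or a hex continuation line we do not handle
        name_tok, data_tok = m.groups()
        name = '' if name_tok == '@' else _unescape(name_tok[1:-1])
        if not (data_tok.startswith('"') and data_tok.endswith('"')):
            continue  # dword:/hex: values are not command lines; skip them
        entries.append(RunEntry(key, name, _unescape(data_tok[1:-1])))
    return entries


def executable_of(command: str) -> Tuple[str, bool]:
    """Return (program path, was_quoted) for the program a Run command line starts."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:] if end == -1 else command[1:end]), True
    m = EXE_RE.match(command)
    return (m.group(1) if m else command), False


def review(entries: List[RunEntry]) -> List[Finding]:
    """Flag unnamed values, suspect directories and unquoted paths with spaces."""
    findings: List[Finding] = []
    for e in entries:
        exe, quoted = executable_of(e.command)
        low = exe.lower()
        if e.name == '':
            findings.append(Finding(e.name, 'unnamed-value',
                                    "stored in the key's (Default) value; msconfig lists it with a blank name"))
        if any(d in low for d in SUSPECT_DIRS):
            findings.append(Finding(e.name, 'suspect-directory', exe))
        if not quoted and ' ' in exe:
            findings.append(Finding(e.name, 'unquoted-path', exe))
    return findings


if __name__ == '__main__':
    for f in review(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{f.code}] name={f.name!r}: {f.detail}")
```

Run it against a real export by reading the file (note that `reg export` writes UTF-16 on XP, so open it with that encoding). One caveat worth knowing when comparing before and after: msconfig on XP does not delete an unchecked Run entry, it moves it under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg, so exporting that key as well shows what was disabled even though it no longer appears in the Run key itself.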
 
Originally posted by: Ken90630
I think I might send the machine back to that time & see if that mystery process returns to the list ... and then run AutoRuns and see what it says...

Funny you should mention that - that's exactly what happened to me!

I made the mistake of installing Logitech SetPoint on this machine, the first week I owned it.

The only difference between Logitech SetPoint and a virus is... a virus works every time!

Purging my machine of this %$#! software has been a protracted battle. One of the last remnants has been a startup utility named 'KHALMNPR.EXE' - a Logitech mouse program that messes with my ALPS touchpad setting.

It came back the other night, when I uninstalled Vista SP1 RC1 and installed 'Refresh'. :|

AutoRuns (elevated to admin) allows me to easily get rid of it in reg, so...

You're probably in for a similar experience, when you use the 'wayback machine'! 😀

EDIT

Here's yet ANOTHER SNAPPY with the Logitech SetPoint Kernel and Hardware Abstraction Layer missing... 😉
 
Purging my machine of this %$#! software has been a protracted battle. One of the last remnants has been a startup utility named 'KHALMNPR.EXE' - a Logitech mouse program that messes with my ALPS touchpad setting.

I wish I could understand why some of these software companies either can't or won't allow their entire application -- including Program Files, registry entries, etc. -- to be removed in one fell swoop by using the Add/Remove Programs utility in Windows. Many companies' products do uninstall completely with Add/Remove Programs, so obviously it can be done. To have to go to some Web site and download an uninstallation utility (like with F-Secure), or manually remove a number of registry folders (like with Norton) or Program Files folders (like McAfee), after supposedly removing the app via Add/Remove Programs, shouldn't be necessary. :frown:

I'll be going back over to those folks' house sometime on Thursday. I'll post back here as soon as I've had a chance to check out the Event Viewer and a few other things.
 
Ken, great question and it boggles my mind. It's as if they spend all this time developing the software and the installer and then slap together an uninstall routine at the end without checking or putting in any time and effort.

It reminds me of how many cars are designed by engineers in front of computers with NO THOUGHT at all about the poor mechanic who has to open the hood and take apart the engine. Screws placed in impossible to reach places, filters that can't be accessed without removing heavy and expensive parts and my favorite, from some Chrysler models -- the battery can only be removed by removing one of the front TIRES!
 