[griffinspc]

Since we all ask for start up items people are running to help folks I debated putting this in the Win 98 forum but I guess it belongs here. (mod, what do you think?)

We all have had trouble with hidden apps, commands, etc., starting up at boot and there are only so many ways to find what's really running.

Here's a little FREE gem I found on Lurk's site: StartUpList v1.23

It's terrific. Gives you what's generally available in msconfig and task manager but adds all ini and registry starts in about 2 seconds in a plain text file that's well organized with the path and an explanation of the sections location and meaning.

If you run it in a "command" window you can even add command line options that dig really deep.

http://www.lurkhere.com/~nicefiles/index.html

Here's a small part sample from my machine:
________________________________

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
FmViewF9 = C:\FMVIEW\FMVIEW\fmviewf9.exe -l
NetMouse = C:\NETPRO95\gmnet.exe
TaskMonitor = C:\WINDOWS\taskmon.exe
F-STOPW.EXE = C:\Program Files\FSI\F-Prot\F-STOPW.EXE
FRISK FP-Scheduler = C:\Program Files\FSI\F-Prot\F-Sched.exe
AlertService = C:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.EXE
Pop-Up Stopper = "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
NDPS = C:\WINDOWS\SYSTEM\dpmw32.exe

This lists programs that run Registry keys marked by Windows as
'Autostart key'. To the left are values that are used to clarify what
program they belong to, to the right the program file that is started.
______________________________

[TonyKlein]

Yup!

And v 1.30 is available already.

[TonyKlein]

BTW, here's mine, run with the "complete" parameter:

StartupList report, 11-9-02, 18:30:55
Detected: Windows 98 SE (Win9x 4.10.2222A)
* Including empty and uninteresting sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NSCLEAN\BOCLEAN\BOCLEAN.EXE
C:\PROGRAM FILES\ESET\AMON.EXE
C:\PROGRAM FILES\ESET\POP3SCAN.EXE
C:\PROGRAM FILES\ESET\NOD32CC.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\REGPROT\REGPROT.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\PROGRAM FILES\NSCLEAN\BOCLEAN\BOCSEC.EXE
C:\PROGRAM FILES\CLIPMATE5\CLIPMT53.EXE
C:\PROGRAM FILES\SOFT4EVER\LOOKNSTOP\LOOKNSTOP.EXE
C:\PROGRAM FILES\TRANSPARENT\TRANSPARENTW.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MYTHICSOFT\AGENT RANSACK\AGENTRANSACK.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DLLHOST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\WINCMD\WINCMD32.EXE
C:\UNZIP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programma's\Opstarten]
Bronmeter.lnk = C:\WINDOWS\RSRCMTR.EXE
ClipMate5.lnk = C:\Program Files\ClipMate5\ClipMt53.exe
LooknStop.lnk = C:\Program Files\Soft4Ever\looknstop\looknstop.exe
Transparent.lnk = C:\Program Files\Transparent\TransparentW.exe

User shell folders Startup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
Dimension4 = C:\PROGRAM FILES\D4\D4.EXE
SystemTray = SysTray.Exe
BOCleanautostart = C:\PROGRA~1\NSCLEAN\BOCLEAN\BOCLEAN.EXE
Amon = "C:\PROGRAM FILES\ESET\AMON.EXE"
NOD32POP3 = "C:\PROGRAM FILES\ESET\POP3SCAN.EXE"
Nod32CC = "C:\Program Files\Eset\nod32cc.exe" -DONTSHOW
ScriptSentry = C:\PROGRAM FILES\SCRIPT SENTRY\SCRIPTSENTRY.exe /check
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
RegProt = c:\program files\regprot\regprot.exe /start

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

TClockEx = C:\PROGRAM FILES\TCLOCKEX\TCLOCKEX.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Enumerating RunOnceEx keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\*

*No subkeys found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\PROGRAM FILES\SCRIPT SENTRY\SCRIPTSENTRY.exe "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplay98.inf,PerUserStub

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{5945c046-1e7d-11d1-bc44-00c04fd912be}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{5A8D6EE0-3E18-11D0-821E-444553540000}]
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:

[rename]
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

@ECHO OFF
smartdrv
SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\EXACTW2\BIN;%PATH%
mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
DELTREE /Y C:\WINDOWS\LOCALS~1\TIJDEL~1\*.* > NUL
DELTREE /Y C:\WINDOWS\RECENT\*.* > NUL
keyb br,,C:\WINDOWS\COMMAND\keyboard.sys

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

c:\sbpci\sbinit

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: not hidden
.shb: not hidden
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------
End of report, 10.042 bytes
Report generated in 0,434 seconds

StartupList version: 1.30.0
Started from: C:\UNZIP\STARTUPLIST.EXE

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

[griffinspc]

Quote:

Originally posted by TonyKlein:
Yup!

And v 1.30 is available already.

Actually, I downloaded this version at about 1:00 Am last night (this morn) and it said 1.3 on the screen but the printout says 1.23. Is that a Hmmmm?

I didn't want to get to carried away in my praise but my dump found the Hidden SHS extension. I couldn't figue where or in what I might legit have that.
__________________________
Checking for superhidden extensions:

.lnk: HIDDEN!
.pif: HIDDEN!
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden

Some file extensions are always hidden, like .lnk (shortcut) and
.pif (shortcut to MS-DOS program). The Life_Stages virus was a .shs (Shell Scrap) file that had the extension hidden by default. This can be a security risk when a virus with a double-extension filename is on the loose, since the extension can be hidden even when 'Don't show extensions for known filetypes' is turned off.
______________________________

I went to Symantec and downloaded the removal file for Life_stages and ran it and thankfully no leftover worm doing damage, just the hidden file.

Pretty cool.

[TonyKlein]

FYI: if you want to "unhide" .shs, launch Regedit, go to HKEY_CLASSES_ROOT\ShellScrap, and delete the NeverShowExt value in the right hand window.

Cheers,

[griffinspc]

Thanks Tony, I did find what files, other than a possible worm were / have the .shs extensions. I saved off about a dozen individual Power Point slides to a holding folder the other day.

I found that though they show no extension they are "scrap" files with the .shs hidden extension. They come up if you use find / files *.shs.

I'll set your reg hack now too.

[aldiboronti]

These scrap files and hidden extensions are a little worrying. See here for further info.

http://www.pc-help.org/security/scrap.htm

[TonyKlein]

That's why it's included in the "list".

What you can do to eliminate the danger, is download Jason Levine's ScriptSentry.

It guards *.shs files as well.

Or just rename Shscrap.dll to Shscrap.bak.

That will eliminate the vulnerability as well.

[griffinspc]

aldiboronti,

Very good article. Thanks. Always enjoy learning something new. Luckily I created the scrap objects since it was my own ppt files but I printed out the article to ad to my collection of interest.

EDIT: Also thanks Tony for the tip about the "toolbox" site. I found it and it's one too bookmark for a further investigation and I did download ScriptSentry. I love tools.

[dbcoooper]

Hey, great little program there. Everything that MSConfig left out.

Here's another cool tool that shows some great basic system info, all the Windows updates you have applied, the license #'s of all your licensed software, the versions of all the software you have installed and the location of your programs (great for all us tool-freaks who classify into \Tools, \Utilities and so forth).
Security freaks may be a bit paranoid about how it gets your license info, but it's all there in your registry anyhow.
Great tool.