Does anyone see a problem in this startup laise Please

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

bassetman

Thread Starter
Moderator (deceased) - Gone but never forgotten
Joined
Jun 7, 2001
Messages
47,973
I had some weird stuff happen on a website and had to re-boot.
I would like to make sure nothing got installed that shouldn't have (despite SpyGuard).

Thanks
John


StartupList report, 01/30/2003, 12:55:17 PM
StartupList version: 1.34.0
Started from : C:\STARTUP LIST\STARTUPLIST134\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARDCP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\PROGRAM FILES\SPYWAREBLASTER\SPYWAREBLASTER.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\STARTUP LIST\STARTUPLIST134\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
SpywareGuard Control Panel.lnk = C:\Program Files\SpywareGuard\spywareguardcp.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.Exe
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
SpyBlocker = C:\PROGRAM FILES\SPYBLOCKER SOFTWARE\spyblocker.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Start WingMan Profiler =

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScript\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\IE4UINIT.EXE

[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 10/1/2003, 12:58:46)

[rename]
NUL=C:\WINDOWS\DOWNLO~1\IEGATOR.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

@ECHO OFF
SET BLASTER=A220 I7 D1 H5 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
rem
rem *** DO NOT EDIT THIS FILE! ***
rem
rem This file was created by the System Configuration Utility as
rem a placeholder for your AUTOEXEC.BAT file. Your actual
rem AUTOEXEC.BAT file has been saved under the name AUTOEXEC.TSH.
rem

--------------------------------------------------

C:\CONFIG.SYS listing:

REM [Header]
REM [CD-ROM Drive]
rem device=c:\realmode\oakcdrom.sys /D:mscd001
rem device=c:\realmode\btdosm.sys
rem device=c:\realmode\flashpt.sys
rem device=c:\realmode\btcdrom.sys /D:mscd001
rem device=c:\realmode\aspi2dos.sys
rem device=c:\realmode\aspi8dos.sys
rem device=c:\realmode\aspi4dos.sys
rem device=c:\realmode\aspi8u2.sys
rem device=c:\realmode\aspicd.sys /D:mscd001
[common]
dos=high,umb
buffers=40
device=c:\windows\himem.sys /testmem:off
DEVICE=C:\WINDOWS\EMM386.EXE
REM ------------------
REM [Miscellaneous]
REM [SCSI Controllers]
REM [Display]
REM [Sound, MIDI, or Video Capture Card]
REM [Mouse]
REM ------------------
REM ******** CDROM DEVICE DRIVER *******************
DEVICE = C:\CDROM\CDROM.SYS /D:MSCD001 /V

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
@echo off
REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
REM you to load programs that you might not want loaded in Windows,
REM (because they have functional equivalents) but that you do
REM want loaded under MS-DOS. The two primary candidates for
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match
REM the string in CONFIG.SYS following your CD-ROM device driver.
REM MSCDEX.EXE /D:OEMCD001 /l:d
REM REM REM MOUSE.EXE
REM REM C:\PROGRA~1\LOGITECH\MOUSEW~1\MOUSE.EXE
c:\windows\COMMAND\MSCDEX.EXE /D:MSCD001 /V
REM C:\PROGRA~1\LOGITECH\MOUSEW~1\MOUSE.EXE
C:\PROGRA~1\LOGITECH\MOUSEW~1\MOUSE.EXE

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\URL ORGANIZER\URLORGIE.DLL - {C6CEAC32-D45C-11D4-94AF-0050BABD5FD6}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Windows Critical Update Notification.job
Norton AntiVirus Weekly Scan.job
Run LiveUpdate (for Norton AntiVirus).job
Run LiveUpdate (for Norton AntiVirus)(2).job

--------------------------------------------------

Enumerating Download Program Files:

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab

[sys Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37612.4500231482

--------------------------------------------------
End of report, 10,198 bytes
Report generated in 5.190 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Nov 22, 2002
Messages
193
I'm no expert and I wouldn't guarantee my advice is right, so don't panic, but

StubPath = c:\windows\msnmgsr1.exe

looks like a virus, but I could be mistaken

and you may have Gator

NUL=C:\WINDOWS\DOWNLO~1\IEGATOR.DLL

I'm no expert so I should wait until someone who knows exactly what they are doing to tell you how to get rid of these
 
Joined
Nov 22, 2002
Messages
193
bassetman, do you know whether the msnmgsr1.exe is a valid file, as it is present in Windows Me but not '98, which your startup list tells me you have?
 

bassetman

Thread Starter
Moderator (deceased) - Gone but never forgotten
Joined
Jun 7, 2001
Messages
47,973
Thanks Guys!

I DL'ed the new startup list, think it's worth re-running it?

John

UKboy, I'm not sure, I do know I have msn messenger disabled in startup.
 
Joined
Oct 9, 2001
Messages
9,396
bassetman.....run a spybot check.
the iegator.dll wants removing.

and ..StubPath = c:\windows\msnmgsr1.exe


is not a virus.

;)
 
Joined
Apr 26, 2002
Messages
2,538
Say Bassetman,

I'd also say to run Spybot Search & Destroy to be on the safe side. Won't hurt none either. Get it at the Lurkhere site as well, after install do the update and then run it.

FJ
 

bassetman

Thread Starter
Moderator (deceased) - Gone but never forgotten
Joined
Jun 7, 2001
Messages
47,973
I forgot to mention that I tried to update spybot and it said the program couldn't DL the update; I had to do it manually. I couldn't find the update from the site :(

Oops, above referred to a different prog ;(

John

Thanks $teve. I'll look more carefully for that.
 

bassetman

Thread Starter
Moderator (deceased) - Gone but never forgotten
Joined
Jun 7, 2001
Messages
47,973
Find files or folders didn't find that DLL file either.
So found it manually in the BAK file.

C:\WINDOWS\WININIT.BAK listing:
(Created 10/1/2003, 12:58:46)

[rename]
NUL=C:\WINDOWS\DOWNLO~1\IEGATOR.DLL

Should I delete it there for sure?

John
 

WhitPhil

Gone but never forgotten
Trusted Advisor
Joined
Oct 4, 2000
Messages
8,684
msnmgsr1 is MSN Messenger and I have not seen any reports of it having anything to do with SpyWare.
And, you do not want to remove the Stubpath entry.

The IEGATOR.DLL reference is in the Wininit.bak file, which means that it originated in the Wininit.INI file, was processed by Wininit.exe at boot time and then changed to a BAK file.

The NUL in the line "NUL=C:\WINDOWS\DOWNLO~1\IEGATOR.DLL" indicates to delete the file.

Again, there is no need to do anything with this file.

There is nothing else suspicious in the list.

Which doesn't mean that a new virus did not sneak in, or you were hit with some other IE exploit as a result of not being current on security updates (for example).
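
Added example (not part of the original thread, and not StartupList's own code): a small Python parser for the [rename] section described in the post above, where each line reads destination=source and a destination of NUL means the source file is deleted at boot. The first sample is the WININIT.BAK content quoted in this thread; the second is constructed with placeholder file names, and the function and type names are hypothetical.

```python
from typing import List, NamedTuple, Optional

class BootOp(NamedTuple):
    action: str           # "delete" or "rename"
    source: str           # file the operation acts on
    dest: Optional[str]   # new name for a rename, None for a delete

def parse_rename_section(text: str) -> List[BootOp]:
    """Return [rename] entries in file order (hand-parsed: the NUL key may repeat)."""
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, source = (p.strip() for p in line.split("=", 1))
        if dest.upper() == "NUL":
            ops.append(BootOp("delete", source, None))
        else:
            ops.append(BootOp("rename", source, dest))
    return ops

def describe(op: BootOp, already_processed: bool) -> str:
    """already_processed=True for a .BAK (WININIT.EXE has run it at boot)."""
    when = "processed at boot" if already_processed else "pending for next boot"
    if op.action == "delete":
        return f"{when}: delete {op.source}"
    return f"{when}: move {op.source} to {op.dest}"

# The WININIT.BAK content quoted in this thread.
THREAD_BAK = r"""[rename]
NUL=C:\WINDOWS\DOWNLO~1\IEGATOR.DLL
"""

# Constructed sample (placeholder file names): repeated NUL key plus one rename.
CONSTRUCTED_INI = r"""[rename]
NUL=C:\WINDOWS\TEMP\EXAMPLE1.TMP
NUL=C:\WINDOWS\TEMP\EXAMPLE2.TMP
C:\WINDOWS\SYSTEM\EXAMPLE.DLL=C:\WINDOWS\TEMP\EXAMPLE.NEW
"""

if __name__ == "__main__":
    for op in parse_rename_section(THREAD_BAK):
        print(describe(op, already_processed=True))
```

An entry found in WININIT.INI is still pending for the next boot, while the same entry in WININIT.BAK is only a record of what was processed.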
 

bassetman

Thread Starter
Moderator (deceased) - Gone but never forgotten
Joined
Jun 7, 2001
Messages
47,973
Thanks

Here is exactly what the file showed!

[rename]
NUL=C:\WINDOWS\DOWNLO~1\IEGATOR.DLL

John

Edit

I just noticed my bad spelling! Maybe that helped to get people to look! ;)

Thanks all anyways!
 