Solved: HKCU beehive/startup question


randyrayd

Thread Starter
Joined
Feb 4, 2003
Messages
236
This is a screenshot from a downloaded msconfig utility. I have Win2000Pro. Could anyone tell me what the "N" startup item is? Before I disabled it HKCU was preceding the location extension, but I have searched (as well as I know how) the Current User beehive and can't find a thing. This shows up in no Start Menu/Startup folder, nor in Regcleaner startup list. Disabling has manifested no problems, but what the heck is it?




Thanks,
Randall
 
Joined
Feb 23, 2003
Messages
16,274
Did you follow the registry path to the run folder? If so, did you check the right pane for its path there to the executable? Then if that's identifiable you can go to that folder and obtain more info.
 

randyrayd

Thread Starter
Joined
Feb 4, 2003
Messages
236
I've followed it to "current version" but find no "run". I apologize as I am a registry novice. It scares me and I've stayed out of it, except for regcleaner utilities that are reversible. Should I enable it? Since it's disabled.....it's not running, right?

rd
 
Joined
Dec 9, 2000
Messages
45,855
I can't read the full path from your screen shot, but you should be able to scroll the upper vertical slider bar to read it.

Is it this:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

In any case NOTHING out of the "NT" key should be seen in msconfig.

It's probably a corrupted malware entry.
 
Joined
Feb 23, 2003
Messages
16,274
PS. Microsoft office and Nero check can be shut down on startup as well
 

randyrayd

Thread Starter
Joined
Feb 4, 2003
Messages
236
It's NT\Current Version\Windows. Also, this is a downloaded utility of msconfig. I couldn't find msconfig when I got W2000. I've run Ad-Aware, my AV, M$ anti-spyware, everything comes up okay.

See anything here?:

 

randyrayd

Thread Starter
Joined
Feb 4, 2003
Messages
236
Here's the log. I'll bump tomorrow if need be. Thank you and everyone for your assistance.

Randall

Logfile of HijackThis v1.99.1
Scan saved at 9:31:49 PM, on 7/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\SYSTEM32\3cmlink.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\WINNT\SYSTEM32\3cshtdwn.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\WINNT\SYSTEM32\3cmlink.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/html/index.cfm?p=16&m=6
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Randall Ray Dugger\Desktop\msconfig.exe /auto
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus G\AirPlus.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.iwon. com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
 
Joined
Feb 23, 2003
Messages
16,274
I would remove this trusted zone entry

O15 - Trusted Zone: http://*.iwon. com

Then you can copy paste the msconfig utility to the system32 directory so it will act as other native tools do from the start run command.
 

randyrayd

Thread Starter
Joined
Feb 4, 2003
Messages
236
I frequent a tech board on iwon, but it's dying a slow death. I know about Alexa (sp?). I clear out cookies, temp net files (offline also) and cookies almost every night before shutdown.

Then you can copy paste the msconfig utility to the system32 directory so it will act as other native tools do from the start run command.
Are you talking about F2? I can't read the logs.
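
For readers who also find the log hard to read, here is an added example (not part of the original thread and not HijackThis code) that splits HijackThis entry lines into their section codes and picks out entries for review. The section descriptions are an editor's summary, and the user-profile autostart rule is an added heuristic; only the O15 entry was called out in the replies above.

```python
import re

# Section codes as HijackThis 1.99.x groups them (editor's summary, not from the thread).
SECTIONS = {
    "F2": "Shell/UserInit value mapped from system.ini into the registry",
    "O2": "Browser Helper Object",
    "O4": "autostart entry (Run key or Startup folder)",
    "O15": "site in the IE Trusted Zone",
    "O16": "downloaded ActiveX control (DPF)",
    "O20": "Winlogon Notify / AppInit_DLLs",
    "O23": "Windows service",
}

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse(log_text):
    """Return (code, detail) tuples for entry lines; headers and the process list are skipped."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def review(entries):
    """O15 is the entry a reply suggests removing; the profile-path rule is an added heuristic."""
    flagged = []
    for code, detail in entries:
        if code == "O15":
            flagged.append((code, "trusted-zone site: confirm you added it", detail))
        elif code == "O4" and "\\documents and settings\\" in detail.lower():
            flagged.append((code, "autostart from a user profile folder", detail))
    return flagged

# Five lines copied from the log posted above.
SAMPLE = r"""F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Randall Ray Dugger\Desktop\msconfig.exe /auto
O15 - Trusted Zone: http://*.iwon. com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll"""

if __name__ == "__main__":
    for code, detail in parse(SAMPLE):
        print(f"{code:<4}{SECTIONS.get(code, 'unknown section')}: {detail}")
    for code, why, detail in review(parse(SAMPLE)):
        print("REVIEW", code, why, "->", detail)
```

A flagged line is a prompt to check the file or site, not a verdict: the MSConfig autostart here is the poster's own downloaded utility running from the Desktop.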
 