startuplist

Discussion in 'Earlier Versions of Windows' started by carole, Sep 29, 2003.

Thread Status:
Not open for further replies.
  1. carole

    carole Thread Starter

    Joined:
    Jan 30, 2003
    Messages:
    200
    I'm sending my startup list. Could you tell me if I have a worm and what I need to get rid of if

    StartupList report, 9/29/03, 7:44:31 PM
    StartupList version: 1.51
    Started from : C:\PROGRAM FILES\STARTUP LIST\STARTUPLIST.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\E_S10IC2.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOFFICE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\STARTUP LIST\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Msoffice.exe.lnk = C:\Program Files\Microsoft Office\Office10\MSOFFICE.EXE
    Event Reminder.lnk = D:\Broderbund\PrintMaster\pmremind.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    CriticalUpdate = C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    IncrediMail = C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    TaskMonitor = C:\WINDOWS\taskmon.exe
    EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    LoadQM = loadqm.exe
    EPSON Stylus C82 Series = C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
    Ink Monitor = C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    SchedulingAgent = mstask.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    EPSON Stylus C82 Series = C:\WINDOWS\SYSTEM\E_S10IC2.EXE /A "C:\WINDOWS\SYSTEM\E_S5134.TMP"
    msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 14/9/2003, 18:22:36)

    [rename]
    NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp
    NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - c:\windows\googletoolbar_en_2.0.95-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job
    Norton AntiVirus - Scan my computer.job
    Disk Defragmenter.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job
    Windows Critical Update Notification.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37867.7503587963

    [OPUCatalog Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
    CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

    [{8AD9C840-044E-11D1-B3E9-00805F499D93}]

    [{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}]

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Download Class]
    InProcServer32 = C:\WINDOWS\ALL USERS\APPLICATION DATA\BRODERBUND SOFTWARE\PRINT\PRETZLDN.DLL
    CODEBASE = http://expressit.broderbund.com/plugin/Download.cab

    [OPUCatalog Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
    CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

    --------------------------------------------------
    End of report, 5,993 bytes
    Report generated in 0.941 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
    anything Thanks.
     
  2. Memory_Loss

    Memory_Loss

    Joined:
    Sep 29, 2003
    Messages:
    77
    I've seen nothing but bad things happen when IncrediMail is installed in a system.

    It may not be your problem, but that is where I would start.
     
  3. carole

    carole Thread Starter

    Joined:
    Jan 30, 2003
    Messages:
    200
    I have had IncrediMail for a long time. All I wanted to know is if I have a worm, not if IncrediMail is any good or not.

    Would someone please answer my question? I appreciate your help, and if there is something in the list that shouldn't be there, could you please tell me how to remove it.
    Thanks.
    I have already run Spybot.
     
  4. brindle

    brindle

    Joined:
    Jun 14, 2002
    Messages:
    3,520
    I have had IncrediMail forever and it's a good program. Many times we bash the program and it's other issues at fault.
    Opera 7.2
    IMHO
     
  5. carole

    carole Thread Starter

    Joined:
    Jan 30, 2003
    Messages:
    200
    I appreciate your reply regarding IncrediMail, but it still doesn't answer my question. Is it possible for you to tell if I have a worm through my startup list? Thanks again.
     
  6. Memory_Loss

    Memory_Loss

    Joined:
    Sep 29, 2003
    Messages:
    77
    I apologize if I came across the wrong way; I was just stating what I've experienced, not bashing. Again, I apologize.


    I don't see one in what you posted.
     
  7. brindle

    brindle

    Joined:
    Jun 14, 2002
    Messages:
    3,520
    I don't see anything harmful. wmiexe.exe is not a worm, but read all of this and you might want to rename it or delete it.
     
  8. carole

    carole Thread Starter

    Joined:
    Jan 30, 2003
    Messages:
    200
    No problem, Memory_Loss. We all have our likes and dislikes.
    So you figure I don't have a worm? Is there anything in the list that shouldn't be there?
    Thanks for your help.
     
  9. brindle

    brindle

    Joined:
    Jun 14, 2002
    Messages:
    3,520
    I'm no expert, but I don't see anything unusual. If you think there's a worm on your computer, have you run HouseCall?
     
  10. Memory_Loss

    Memory_Loss

    Joined:
    Sep 29, 2003
    Messages:
    77

    I haven't quite figured these two out. I did a Google search on them and got mixed results on what they are.

    I would try the link that brindle has in the previous post.
     
  11. brindle

    brindle

    Joined:
    Jun 14, 2002
    Messages:
    3,520
    I also questioned them and found really nothing on _iu14D2N.tmp, and GLB1A2B.EXE is a renamed unwise.exe placed in the temp subdirectory.
    It is always a good idea to scan with HouseCall.
     
  12. kaspersky

    kaspersky

    Joined:
    Sep 10, 2003
    Messages:
    76
    NOTE: GLB1A2B.EXE

    From: Robin ([email protected])
    Subject: Re: GLB1A2B.EXE virus
    Newsgroups: nz.comp
    Date: 2002-03-18 20:38:30 PST


    Here,

    Details - This is a combo worm and virus - and is transmitted by e-
    mail that will include a file attachment that appears to be a text file.

    The file is - in fact - text, but is a Program Information File (which
    usually carries a .pif file extension). When executed it will dump a
    payload file into the \windows\temp directory (or whatever your
    default temp directory is!) with the file name GLB1A2B.EXE and
    then execute this program.

    To save you all the gory details - the short version is that GLB1A2B
    will add the files MTX_.EXE and IE_PACK.EXE to the windows
    directory, as well as a file titled WININIT.INI. Every time windows is
    started the WININIT file will load the other programs, and the
    computer will attempt to call home. If the programs fail to reach the
    author, they will repeat the attempt every two minutes until
    successful.

    GLB1A2B also fixes a hidden attribute to many of the files so that
    they are 'typically' invisible to the end user.

    Once MTX_ or IE_PACK run - as many as 60 other files can be
    infected - making the virus virtually impossible to remove manually.

    Detection - Start Windows Explorer, click on View and then folder
    options. Click on the view tab, and then click on the radio button next
    to "show all files". Click on apply and then OK. Next click on Tools,
    Find Files and Folders. Conduct a search on Drive C for a file titled
    MTX_.EXE and / or IE_PACK.EXE.

    If either of these files are located, disconnect the computer from its
    internet access and obtain a copy of McAfee's Anti-Virus program,
    including the update version 4094.

    McAfee was the first company (and the only one I know of at this
    time) that has virus definitions for this one - the bug was discovered
    on 8/30/00. McAfee's antivirus program will rename and / or delete
    the infected files - but you may need to manually reinstall certain
    Windows programs such as REGEDIT, NOTEPAD, CALC, etc.

    Transmission - via e-mail manually, or via Microsoft e-mail programs
    in the same manner as the love-bug. There are several (as many as
    a hundred or so) different e-mail subject lines, most of which
    reference MP3 files, Napster, or pornographic image files.

    Closing information - we haven't figured out what information is sent
    back to the point of origin, or the exact point of origin, other than
    to say that it's in Germany somewhere! Additional information is
    available from

    www.mcafee.com

    as well as the latest virus definitions. One extremely interesting
    feature of the bug is that if you are infected, and you attempt to
    access mcafee.com or datafellows.com in an effort to obtain virus
    information or definitions etc. the bug will cause Internet Explorer
    (versions 4.X and 5.X at least) to crash. We haven't tested it with
    Netscape.








    Brigid wrote:
    >
    > Does anybody know anything about this bloody thing? It does all sorts of
    > weird stuff similar to the bymer virus but it also interferes with IE
    > access...it blocks port 90. The bymer fixit fixes the problem until next
    > time I boot. And then I get a screen saying c:/windows.wininit.exe a line
    > and a half of hieroglyphics and "press any key to continue". Hitting any
    > key delivers "It's now safe to turn your computer off". Tho this screen
    > appears by default after a minute even if I don't press any key. Initially I
    > was just deleting winin.* from dos and this would allow windows to
    > load. Until next time I had to boot. And then with some help I discovered
    > that winint.exe executed this damn GLB1A2B.EXE.
    >
    > Something is regenerating it and it gets executed from wininit.exe. At the
    > moment it's in my temp directory (where it put itself) renamed GLB1A2B.EX_.
    > Until I format I'm hoping that it won't be regenerated while it still appears
    > to be on my HD
    >
    > Any info on this thing would be verrrrrry gratefully received. I don't want
    > to hafto format at the moment. I've got heaps of work files and assignments
    > and stuff. I don't want to take the time out to format and reset every
    > thing.
    >
    > tankee
    > Brigid





    :D :eek:
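
A triage sketch for the question this thread asks, added here as an example and not posted by any participant: it parses a StartupList report and looks for the file names given in the quoted newsgroup post (GLB1A2B.EXE, MTX_.EXE, IE_PACK.EXE), separating a `NUL=` delete entry in WININIT.BAK from a payload or dropper that is actually present. The sample report is constructed in the layout of the log above; the function names and verdict labels are this example's own.

```python
import re

# Constructed sample in the StartupList 1.51 layout shown in this thread.
SAMPLE = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = C:\WINDOWS\taskmon.exe
LoadQM = loadqm.exe

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 14/9/2003, 18:22:36)

[rename]
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE
"""

# File names come from the newsgroup post quoted in the thread.
DROPPER = "GLB1A2B.EXE"
PAYLOADS = ("MTX_.EXE", "IE_PACK.EXE")

def sections(report):
    """Yield (title, body_lines) for each block between dashed separators."""
    for chunk in re.split(r"(?m)^[ \t]*-{20,}[ \t]*$", report):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            yield lines[0], lines[1:]

def triage(report):
    """Return (verdict, findings); each finding is (kind, section, line)."""
    findings = []
    for title, body in sections(report):
        in_rename = False
        for ln in body:
            if ln.startswith("["):            # INI-style header inside a section
                in_rename = ln.lower() == "[rename]"
                continue
            upper = ln.upper()
            findings.extend(("payload", title, ln) for p in PAYLOADS if p in upper)
            if DROPPER in upper:
                # In a WININIT [rename] block, NUL=<file> deletes <file> at boot.
                queued = in_rename and upper.replace(" ", "").startswith("NUL=")
                findings.append(("queued-delete" if queued else "dropper-present", title, ln))
    kinds = {kind for kind, _, _ in findings}
    if kinds & {"payload", "dropper-present"}:
        return "investigate", findings
    return ("name-only" if kinds else "no-match"), findings
```

On the constructed sample the only match is the `NUL=` entry, so the result is `name-only`: the file name alone was queued for deletion, and none of the payload names from the quoted post appear anywhere in the report.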
     

Short URL to this thread: https://techguy.org/168425
