Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Questions With Startup Entires


  • Please log in to reply
1 reply to this topic

#1 alove

alove

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:29 PM

Posted 01 December 2007 - 11:03 AM

I am a newbee at this, but have tried to follow the correct steps. My computer is running slow so I have been following bleepingcomputers advice. I just finished the step of running autoruns. I have searched every entry in the database and taken note of the "harmful" ones. Before taking the next step I wanted to make sure I have correctly identified the entry with the ones on your database. Also, when searching for an entry on the database there seems to be several entries listing a differenet status. Which one do I trust? Here is the list of entries I have found with the information given to me by autoruns.

Thanks

Name: Quick Time Task
Filename: qttask.exe
Location: c:\program files\quicktime\qttask.exe

Name: SunJavaUpdate
Filename: jusched.exe
Location: c:\program files\java\jre1.5.0_11\bin\jusched.exe

Name: MSMSGS, Windows Messenger
Filename: msmsgs.exe
Location: c:\program files\messenger\msmsgs.exe

The filename and location are the same for this entry , but it appears in several differnet names
Name: text/webviewhtml, CDBurn, PostBootReminder, shell32.dll, Taskbar and Start Menu, {0D2E74C4-3C34-11d2-A27E-00C04FC30871}, {24F14F01-7B1C-11d1-838f-0000F80461CF}, {24F14F02-7B1C-11d1-838f-0000F80461CF}, {66742402-F9B9-11D1-A202-0000F81FEDEE}
Filename: shell32.dll
Location: c:\windows\system32\shell32.dll

The filename and location are the same for this entry , but it appears in several differnet names
Name: Microsoft Web Publishing Wizard 1.52, NewMeeting 3.01, Windows Messenger 4.7
Filename: advpack.dll
Location: c:\windows\system32\advpack.dll

The filename and location are the same for this entry , but it appears in several differnet names
Name: Themes Setup, Windows Desk Update
Filename: regsvr32.exe
Location: c:\windows\system32\regsvr32.exe

Name: Sendmail service
Filename: sendmail.dll
Location: c:\windows\system32\sendmail.dll

Name: Kernel32
Filename: kernel32.dll
Location: c:\windows\system32\kernel32.dll

Name: wininet
Filename: wininet.dll
Location: c:\windows\system32\wininet.dll

Name: logonui.exe
Filename: logonui.exe
Location: c:\windows\system32\logonui.exe


I have also found several entries that may match one on your database, i usually see a few maybe several that match, however one entry will note " This infection should not be confused with the legitimate file found at C:\Windows\System32\userinit.exe." If it seems to be the legitimate file do I ignore it? Here are a few listed this way.

Name: C:\WINDOWS\system32\userinit.exe
Filename: userinit.exe
Location: c:\windows\system32\userinit.exe

Name: Explorer.exe
Filename: explorer.exe
Location: c:\windows\explorer.exe

Name: ctfmon.exe
Filename: ctfmon.exe
Location: c:\windows\system32\ctfmon.exe

Name: Eventlog
Filename: services.exe
Location: c:\windows\system32\services.exe

If I do need to handel these would the nest step be disableing and deleting them in safe mode?
Thanks

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:29 PM

Posted 02 December 2007 - 01:31 PM

These are all legit. You not only need to compare the names and filenames, but where the file is located.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users