Startup List


8 replies to this topic

#1 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:40 AM

Posted 14 March 2010 - 06:34 PM

Hi,

I noticed that there are quite a few file names that are for legit Windows programs, or other programs, that do not have the description for their legit purpose listed in the BC Startup List. It lists the file name, but only has the description for it if it is malware.

I cannot think of the names of the files that I have found that to be the case for, but there have been many of them. The only one I can think of right now is the one I just now checked and that is devldr32.exe. That is a legit file from Creative but the BC Startup List only has two descriptions for it, both malware. I realize that the malware descriptions need to be there, but it seems to me that it is just as important, if not more so, to have the legit description there, otherwise, undue panic might ensue and cause someone to needlessly remove a file which could mess up their computer.

Is there a reason that the legit file's description is not listed in many cases?


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,470 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:40 AM

Posted 14 March 2010 - 06:45 PM

I disagree with this. Legit descriptions are always listed. If you could provide some samples, I could answer this better.

#3 Stang777


Posted 14 March 2010 - 06:54 PM

I am sorry if I have just missed them, but I have noticed this on many files for quite some time. I am also sorry that I cannot think of the ones I have found this to be the case for, the only one I can think of right now is the one I mentioned above, which is devldr32.exe. Here is what that list has for that one....

Divx4 codec devldr32.exe X Added by an unidentfied VIRUS! Note - this is not the legitimate Creative Labs devldr32.exe file ... Read More

After clicking Read More, you get this...

This is an undesirable program.

This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

If the description states that it is a piece of malware, you should immediately run an antivirus and antispyware program. If that does not help, feel free to ask us for assistance in the forums.
Name: Divx4 codec
Filename: devldr32.exe
Command: Unknown at this time.
Description: Added by an unidentfied VIRUS! Note - this is not the legitimate Creative Labs devldr32.exe file
File Location: Unknown
Startup Type: Currently being identified.


The only other description listed is this....
Creative Devldr32 devldr32.exe X A variant of the IRCBot family of worms and IRC backdoors.

After clicking on it you get....

This is an undesirable program.

This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

If the description states that it is a piece of malware, you should immediately run an antivirus and antispyware program. If that does not help, feel free to ask us for assistance in the forums.
Name: Creative Devldr32
Filename: devldr32.exe
Command: devldr32.exe
Description: A variant of the IRCBot family of worms and IRC backdoors.
File Location: %WinDir%
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.



Even though the one does list it as Creative, and the other one does have a note that it is not the legit file, which makes one know there is a legit file named that, it still does not give the legit one a separate description and the description shown has it as malware.

When the only two descriptions both have an X and show to be malware, it does lead one to believe that it isn't a legit one even though somewhere in the description for the malware one it does mention there is a legit one.

I guess all I am saying is that the legit one should have its own description listed and not just mentioned in the description for the malware one as once one reads, "Added by unidentified virus", it kind of gets lost. I hope that makes sense and you can see why it might be confusing when looking to see if it is legit or not.

lsass.exe is also only mentioned in this same way, in the description for the malware ones it says, "This infection should not be confused with the legitimate C:\Windows\System32\lsass.exe file." There is not a separate description, that I could see, for that legit one and when mentioned in passing like that, it does not give the description for its legit use.

Same thing with winlogon.exe, smss.exe and csrss.exe. Some of the malware descriptions for those do tell what the legit one is, but still, there is no separate description, that I can find, for the legit ones.

Edited by Stang777, 14 March 2010 - 07:28 PM.


#4 Grinler


Posted 14 March 2010 - 07:30 PM

The reason there are not startup entries in the database for the legitimate entries is that they are not autorun programs. The database only lists programs that start up automatically. When a malware uses the same name as a legitimate file, that does not necessarily mean that the legitimate file is a startup program as well. I am just stating that they should not delete the legitimate file thinking it's the malware.

#5 Stang777


Posted 14 March 2010 - 07:35 PM

Thank you Grinler.

All 5 of the ones I have listed above are ones that automatically run on my system. They are all listed in my Task Manager, always have been and I have never started them. According to the way my system runs, Malwarebytes, SuperAntiSpyware and ZoneAlarm, my system is not infected. It seems that even on an uninfected system, those do run automatically at startup.

#6 Grinler


Posted 15 March 2010 - 10:42 AM

Being listed in Task Manager does not make them an autorun, or at least one that we cover.

Some processes are started by other processes and therefore are not listed.

devldr32.exe - This is not a startup. It's started by something else and therefore not listed in the database though it is a legitimate process.

lsass.exe - I just added this.

smss.exe - Launched by the Windows kernel and thus not eligible for the Windows startup database.

winlogon.exe - not a normal startup that we cover. It's started by SMSS.

csrss.exe - not a normal startup that we cover. It's started by SMSS.

Some may be missed, but if it's not loaded by a normal startup routine then we do not list it. I just went through, though, and added a few that should be there and were not.
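
An added example, not part of the original posts and not BleepingComputer's own code: a check over Run-key style entries that applies the distinction drawn above, flagging values that reuse the name of a process the thread says is started by something else, or that place a system process name outside System32. The `ENV` map and `SAMPLE` entries are constructed ("Creative Devldr32" / `devldr32.exe` is the entry quoted earlier), and the System32 location for smss.exe, winlogon.exe and csrss.exe assumes a default Windows install.

```python
import ntpath
import re

ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}  # constructed
SYSTEM32 = ntpath.normcase(r"C:\Windows\System32")

# Per the thread: these are launched by the kernel, SMSS or another process,
# so a Run/RunOnce value pointing at one of these names is not the real one.
NOT_RUN_KEY = {"smss.exe", "winlogon.exe", "csrss.exe", "devldr32.exe"}
# lsass.exe location is quoted in the thread; the rest is an assumption
# about a default install.
SYSTEM32_ONLY = {"lsass.exe", "smss.exe", "winlogon.exe", "csrss.exe"}

RUN = "name of a process that is not started from a Run key"
LOC = "system process name not at the System32 path"

def image_path(command):
    """Expand %VAR% and return the normalised executable path of a command."""
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: ENV.get(m.group(1).lower(), m.group(0)),
                      command)
    # Quoted path first, otherwise everything up to the first ".exe".
    m = re.match(r'\s*"([^"]+)"|\s*(.+?\.exe)\b', expanded, re.I)
    path = (m.group(1) or m.group(2)) if m else expanded.strip()
    return ntpath.normcase(ntpath.normpath(path))

def review(entries):
    """Map each suspicious value name to the reasons it was flagged."""
    findings = {}
    for value_name, command in entries:
        folder, image = ntpath.split(image_path(command))
        reasons = []
        if image in NOT_RUN_KEY:
            reasons.append(RUN)
        if image in SYSTEM32_ONLY and folder != SYSTEM32:
            reasons.append(LOC)
        if reasons:
            findings[value_name] = reasons
    return findings

SAMPLE = [  # constructed Run-key values: (value name, command)
    ("Creative Devldr32", "devldr32.exe"),
    ("Windows Service", r'"%WinDir%\lsass.exe" -s'),
    ("Updater", r"C:\Program Files\Vendor\updater.exe /background"),
    ("Session", r"%SystemRoot%\System32\csrss.exe"),
]

if __name__ == "__main__":
    for name, reasons in review(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A flagged value is a prompt to inspect the file it points at, not a verdict, and a file of the same name in System32 that is not referenced from a Run key is left alone.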

#7 Stang777


Posted 15 March 2010 - 05:58 PM

Thank you Grinler.

I thought that since those processes automatically start every time I start my system, before I do anything at all on it, that they were startup items. Even though I don't understand why they are not considered to be, I guess they are not.

Thank you for checking into this and answering my questions.

#8 Grinler


Posted 15 March 2010 - 06:03 PM

They are startup items as they start up automatically. It is just that they are not ones covered by our database.

#9 Stang777


Posted 15 March 2010 - 06:42 PM

Thank you Grinler



