Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help/Advice needed with Start Up Entry?.


  • Please log in to reply
3 replies to this topic

#1 bluesjunior

bluesjunior

  • Members
  • 761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:37 AM

Posted 22 March 2011 - 04:19 AM

I have used Orbit Downloader for some time now, and when I have updated it with each newer version I just installed it over the top of the older one. However this morning I was informed that there was a new update and so decided to uninstall the previous one and go for a clean re-install with the latest version. I used Revo Uninstaller at the highest level and uninstalled the version I had been using. This went fine and in fact there were no entries to delete with the Revo extended scan other than the normal one. I did see a pop up about RUNDL.32 and RunOnce but thought that it was a part of the uninstall process. I then deleted the entries from Comodo using the Purge button and ran a scan with CCleaner for leftovers which found none, While in CCleaner I had a look at my start up entries where I saw that I had a new entry a program called DeleteGrabPro. Now this wasn't there prior to uninstalling Orbit but as GrabPro is a part of Orbit I couldn't understand why it had not been deleted along with Orbit. I ran a scan with AutoRuns and found it in the Microsoft and Windows entries. Now I have always been wary of messing with MSN or Windows files and so am not sure what this program is and would it be safe to delete it?. I did a Google search on it but all the results had it listed an entry as part of a Hijack but not apparently any source of infection. Can anyone tell me what this is and is it safe or dangerous?. The full path is as follows: HKCU\..\RunOnce: [DeleteGrabPro] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files (x86)\Orbitdownloader\GrabPro.dll"
Motherboard: Gigabyte GA-MA770T-UD3, CPU: AMD Athlon II X3 450 Processor, Memory: OCZ 4GB (2x2GB) DDR3 1333MHz,Graphics: PowerColor HD 5750 1GB GDDR5,
PSU: Corsair 430W CX PSU 4x SATA 1x PCI-E, Hard Drive:Samsung SpinPoint F3 500GB Hard Drive SATAII 7200rpm 16MB Cache.

BC AdBot (Login to Remove)

 


#2 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,260 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:11:37 PM

Posted 22 March 2011 - 04:43 AM

It appears that GrabPro is a product of the same people who make the Orbit Downloader. That startup item is in the "Run Once" startup location which, as its name suggests, is a place for things that are intended to run only once before they are removed from the startup queue. It is often used by uninstallers to have a cleanup program run after the next reboot to finish removing any files or registry entries their program had which for whatever reason couldn't be removed right away. So what you have there is basically an instruction left behind by the Orbit uninstaller that Windows will execute the next time you reboot.

The instruction that Orbit left behind is: rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files (x86)\Orbitdownloader\GrabPro.dll" Let's break it down:

rundll32.exe is a program by Microsoft which is included in every copy of Windows. It is used to execute specific functions found in DLL files (which are just libraries of useful functions.)

The DLL that is being invoked is advpack.dll, another Microsoft file. It has all sorts of useful functions for programmers to use.

DelNodeRunDLL32 is the particular function in AdvPack.dll that is being called upon. It deletes the file that is specified in the command: "C:\Program Files (x86)\Orbitdownloader\GrabPro.dll"


So basically what you have there is a fairly standard method used by many uninstallers to tell Windows to delete a file after the next reboot. It's neither malicious nor worth removing since it should be removed automatically by Windows on the next reboot.

Edited by Andrew, 22 March 2011 - 04:49 AM.


#3 bluesjunior

bluesjunior
  • Topic Starter

  • Members
  • 761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:37 AM

Posted 22 March 2011 - 06:38 AM

Thank you Andrew, a very concise and clear explanation and that is exactly what happened. It disappeared on reboot. I also checked the System32 folder in Windows and the advpack.dll entry is listed there as it should be, again thanks.
Motherboard: Gigabyte GA-MA770T-UD3, CPU: AMD Athlon II X3 450 Processor, Memory: OCZ 4GB (2x2GB) DDR3 1333MHz,Graphics: PowerColor HD 5750 1GB GDDR5,
PSU: Corsair 430W CX PSU 4x SATA 1x PCI-E, Hard Drive:Samsung SpinPoint F3 500GB Hard Drive SATAII 7200rpm 16MB Cache.

#4 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,260 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:11:37 PM

Posted 22 March 2011 - 12:30 PM

:thumbup2:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users