Confusing System Startup Tool Entry!



japandroid
2008-06-25, 03:51
Hello! As the title of the thread indicates, I have a very confusing System Startup tool entry. It's the first one listed and it isn't colored (green, yellow or red). Under the Key column it says HK_LM:Run (Current system). There is nothing under the Value or Command Line columns. When I click on the information bar on the right side of the screen it seems to give me conflicting information. Here is what it says:
Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: system32.exe

Description
Added by the _AGOBOT-KU_ WORM! Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list
____________________

Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: pathex.exe

Description
Added by the _MKMOOSE-A_ WORM! Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list
____________________

Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: svchost.exe

Description
Added by the _DELF-UX_ TROJAN! Note - this is not the legitimate _svchost.exe_ process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list
____________________

Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: MSPF.EXE

Description
Added by a variant of the _SDBOT_ WORM! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list
____________________

Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: dllvirtual.exe

Description
Added by the _DADOBRA-IW_ TROJAN! Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list
____________________

Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: dllvirtual.dll

Description
Added by the _DADOBRA-IW_ TROJAN! Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list
____________________

Current filename:

Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: dllvirtual.js

Description
Added by the _DADOBRA-IW_ TROJAN! Note - has a blank entry under the Startup Item/Name field

Source: Paul Collins Startup list
____________________


Is this entry ALL of these things or could it just be any one in particular? How do I know if this is malicious or just a resource hog? Or is it just a false positive? If I knew the path(s) of the culprit(s) it would be easier to decide if I should get rid of it or not.
I scanned my computer using Norton Antivirus 2005, Ad-Aware 2007, Spybot Search and Destroy 1.5.2.20 and ZoneAlarm Pro's spyware scanner. All came up clean. Except for ZoneAlarm Pro's built-in spyware scanner which detected something called Mozy Filter which I believe is a false positive for my MozyHome backup software. I also use SpywareBlaster 4.0.
I have Windows XP SP2 which is current with all the security updates.
If anyone can help me I will truly appreciate it! If more information is needed, please let me know!
Thanks!
Oh, one more thing. I noticed that my ZoneAlarm Pro firewall seems to be blocking svchost.exe. But based on the source and destination IP addresses it seems like this is the legit svchost.exe.

md usa spybot fan
2008-06-25, 04:53
japandroid:

The startup entry that you are looking at has a blank valuename. In addition the "Current filename" is blank:


Current filename:

The current filename does not match any of these:


...
Filename: system32.exe
...
Filename: pathex.exe
...
Filename: svchost.exe
...
Filename: MSPF.EXE
...
Filename: dllvirtual.exe
...
Filename: dllvirtual.dll
...
Filename: dllvirtual.js
...
Therefore none of the descriptions fit your case.

You have a blank startup entry. Just delete.

japandroid
2008-06-25, 21:23
So it's not possible that a trojan or any other malicious threat would have a blank startup entry? All of the descriptions have:
Note - has a blank entry under the Startup Item/Name field
Or, in effect, is Spybot S&D just confused by a blank startup entry and just "spits out" these possible culprits? :scratch:

drragostea
2008-06-26, 01:40
I don't (in my personal perspective) find Collins' list useful. I say this because it does not provide adequate information about the entry. I don't believe you are infected in any way by something malicious. One way to check what start-up programs run is to run "msconfig" without the quotes. This can be a good way to remove unnecessary items... QuickTime for example... unless the user decides to keep it.

However, if you do not know what it is, it is better to leave it as it is.

'If it ain't broke, don't fix it'.

Safe surfing :cowboy:.

md usa spybot fan
2008-06-26, 01:44
japandroid:


So it's not possible that a trojan or any other malicious threat would have a blank startup entry? All of the descriptions have:


Note - has a blank entry under the Startup Item/Name field

Or, in effect, is Spybot S&D just confused by a blank startup entry and just "spits out" these possible culprits? :scratch:



Note - has a blank entry under the Startup Item/Name field
Where the devil did that quote come from???


So it's not possible that a trojan or any other malicious threat would have a blank startup entry?
For the startup entry you are questioning, all of the descriptions that you listed have blank valuename entries and they can be threats. However, a startup entry can not start anything or be a threat if it is not pointing to something to start, the "Current filename". The "Current filename" is blank in each of the listings you provided and does not match the "Filename" in the descriptions, so the descriptions are not pertinent to the startup entry you have.
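A way to reproduce the check described in this reply on your own machine, as an added example that is not part of the thread and not Spybot's own code: it lists every value under the Run keys that the System Startup tool reads and flags a blank name/command (nothing to launch), a command whose target file is missing, and an svchost.exe that is not the one in System32. The function name Get-RunKeyFindings is an assumption; the Wow6432Node key only exists on 64-bit Windows and is skipped where absent.

```powershell
# Added example, not from the thread or from Spybot S&D. Function name is assumed.
function Get-RunKeyFindings {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        # GetValueNames() reports the key's "(Default)" value with an empty name,
        # which is exactly the blank valuename Spybot shows.
        foreach ($name in $item.GetValueNames()) {
            $cmd = ([string]$item.GetValue($name)).Trim()

            # Best-effort extraction of the executable from the command line:
            # honour a quoted path, otherwise take the first token.
            if ($cmd.StartsWith('"')) {
                $exe = $cmd.Substring(1).Split('"')[0]
            } else {
                $exe = $cmd.Split(' ')[0]
            }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $status = if ($cmd -eq '') {
                'Blank command: launches nothing, safe to disable or remove'
            } elseif ([IO.Path]::GetFileName($exe) -ieq 'svchost.exe' -and
                      (Split-Path -Path $exe -Parent) -ine $system32) {
                'svchost.exe outside System32: investigate'
            } elseif (-not (Test-Path -LiteralPath $exe)) {
                'Target file not found: orphaned entry'
            } else {
                'Target present'
            }

            $displayName = if ($name -eq '') { '(Default)' } else { $name }
            [PSCustomObject]@{
                Key     = $key
                Name    = $displayName
                Command = $cmd
                Status  = $status
            }
        }
    }
}

Get-RunKeyFindings | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; an entry reported as "Blank command" is the kind this thread is about, while "svchost.exe outside System32" corresponds to the DELF-UX description quoted above.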

japandroid
2008-06-26, 05:06
Well, I ran "msconfig" and there too it shows a startup entry that is blank. :rolleyes: I ran Windows Live OneCare's online safety scanner and it didn't find anything malicious. It did find a ton of obsolete and missing registry and startup entries, though. After I fixed everything (only one item couldn't be fixed for some reason) I checked Spybot S&D's System Startup tool again. It still lists the blank entry.

So, I'm just going to leave it as it is. After all the scanning I did and it didn't show anything bad, then it should be A-OK! :D: As drragostea said:
'If it ain't broke, don't fix it'.

HyJaxLTD
2008-08-28, 06:19
'If it ain't broke, don't fix it'.

Safe surfing :cowboy:.

This would be nice if it worked for the computing world. Although I am not making any claims that contradict anything else posted here, many malicious programs may not give any sign that something is broken (depending on your daily PC usage and power up) until it is far too late. I too have the blank startup entry and have it disabled for now, although I plan to take every action to delete it permanently. If it's not pointing to anything, then deleting it should not affect my system in any way, correct? :fear:

drragostea
2008-08-28, 06:39
HyJax, the question about the "blank entry" seems foggy to me, but I'll give it my best shot to answer your question.

If you run msconfig you might come across a "blank" entry. You'll notice that there's a checkmark on the entry indicating the item is "enabled", however there's nothing in the Startup Item text, nor is there anything in Command.

My inference is that this entry is benign. Since there is no Command, there is nothing happening at startup (in other words it does not "point" to anywhere). You can safely leave it alone.

If you should disable it then it would literally be disabled, however, if you should remove the entry itself, then you'll not be able to recover that specific entry.

Greyfox
2008-08-28, 10:05
If you remove the tick for the item in question in Spybot's System start up listing, it will be disabled.

If that then causes a problem you can put back the tick and you're back where you started, but alternatively when you have satisfied yourself that not having it did not cause the end of the world to happen, or for that matter any other trauma, you can then simply delete it.

This is one of the handy features of Spybot.

HyJaxLTD
2008-08-28, 17:27
HyJax, the question about the "blank entry" seems foggy to me, but I'll give it my best shot to answer your question.

If you run msconfig you might come across a "blank" entry. You'll notice that there's a checkmark on the entry indicating the item is "enabled", however there's nothing in the Startup Item text, nor is there anything in Command.

My inference is that this entry is benign. Since there is no Command, there is nothing happening at startup (in other words it does not "point" to anywhere). You can safely leave it alone.

If you should disable it then it would literally be disabled, however, if you should remove the entry itself, then you'll not be able to recover that specific entry.

Again, if it serves no purpose then deleting it should not affect anything. I did first disable it and once I saw things running smoothly, I ran CCleaner and it removed it and 15+ more entries just like it. My only guess is that when Windows updates it is an entry that it should have cleaned up, but we all know how good MS is at making updates that clean up their mess. Anyhow, I really don't understand all this talk of leaving such an entry be... it will only bog down my resources as Windows tries to figure out its particular use. Additionally, the reason I was checking is that I have had it happen once before, yet not even Spybot could delete the entry. It would just be back at startup... or maybe just another blank registry reference. Who knows, it is gone now and there are no blank "holes" in my registry, which has GREATLY improved my performance.

Bottom line, this points to nothing, has absolutely no value, leaving it as something for windows to stress on until I clean my registry. It was said "If it ain't broke don't fix it" well in MS PC'ing world it should be "If it does nothing then make it nothing!!!" :flame: