Thread: Confusing System Startup Tool Entry!

  1. #1
    Junior Member japandroid's Avatar
    Join Date
    Jun 2008
    Posts
    4

    Confusing System Startup Tool Entry!

    Hello! As the title of the thread indicates, I have a very confusing System Startup tool entry. It's the first one listed and it isn't colored (green, yellow or red). Under the Key column it says HK_LM:Run (Current system). There is nothing under the Value or Command Line columns. When I click on the information bar on the right side of the screen it seems to give me conflicting information. Here is what it says:
    Current filename:

    Database status: Not required - virus, spyware, malware or other resource hog
    Value:
    Filename: system32.exe

    Description
    Added by the _AGOBOT-KU_ WORM! Note - has a blank entry under the Startup Item/Name field

    Source: Paul Collins Startup list
    ____________________

    Current filename:

    Database status: Not required - virus, spyware, malware or other resource hog
    Value:
    Filename: pathex.exe

    Description
    Added by the _MKMOOSE-A_ WORM! Note - has a blank entry under the Startup Item/Name field

    Source: Paul Collins Startup list
    ____________________

    Current filename:

    Database status: Not required - virus, spyware, malware or other resource hog
    Value:
    Filename: svchost.exe

    Description
    Added by the _DELF-UX_ TROJAN! Note - this is not the legitimate _svchost.exe_ process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field

    Source: Paul Collins Startup list
    ____________________

    Current filename:

    Database status: Not required - virus, spyware, malware or other resource hog
    Value:
    Filename: MSPF.EXE

    Description
    Added by a variant of the _SDBOT_ WORM! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field

    Source: Paul Collins Startup list
    ____________________

    Current filename:

    Database status: Not required - virus, spyware, malware or other resource hog
    Value:
    Filename: dllvirtual.exe

    Description
    Added by the _DADOBRA-IW_ TROJAN! Note - has a blank entry under the Startup Item/Name field

    Source: Paul Collins Startup list
    ____________________

    Current filename:

    Database status: Not required - virus, spyware, malware or other resource hog
    Value:
    Filename: dllvirtual.dll

    Description
    Added by the _DADOBRA-IW_ TROJAN! Note - has a blank entry under the Startup Item/Name field

    Source: Paul Collins Startup list
    ____________________

    Current filename:

    Database status: Not required - virus, spyware, malware or other resource hog
    Value:
    Filename: dllvirtual.js

    Description
    Added by the _DADOBRA-IW_ TROJAN! Note - has a blank entry under the Startup Item/Name field

    Source: Paul Collins Startup list
    ____________________


    Is this entry ALL of these things or could it just be any one in particular? How do I know if this is malicious or just a resource hog? Or is it just a false positive? If I knew the path(s) of the culprit(s) it would be easier to decide if I should get rid of it or not.
    I scanned my computer using Norton Antivirus 2005, Ad-Aware 2007, Spybot Search and Destroy 1.5.2.20 and ZoneAlarm Pro's spyware scanner. All came up clean. Except for ZoneAlarm Pro's built-in spyware scanner which detected something called Mozy Filter which I believe is a false positive for my MozyHome backup software. I also use SpywareBlaster 4.0.
    I have Windows XP SP2 which is current with all the security updates.
    If anyone can help me I will truly appreciate it! If more information is needed, please let me know!
    Thanks!
    Oh, one more thing. I noticed that my ZoneAlarm Pro firewall seems to be blocking svchost.exe. But based on the source and destination IP addresses it seems like this is the legit svchost.exe.

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    japandroid:

    The startup entry that you are looking at has a blank valuename. In addition, the "Current filename" is blank:

    Current filename:
    The current filename does not match any of these:

    ...
    Filename: system32.exe
    ...
    Filename: pathex.exe
    ...
    Filename: svchost.exe
    ...
    Filename: MSPF.EXE
    ...
    Filename: dllvirtual.exe
    ...
    Filename: dllvirtual.dll
    ...
    Filename: dllvirtual.js
    ...
    Therefore none of the descriptions fit your case.

    You have a blank startup entry. Just delete.
    Last edited by md usa spybot fan; 2008-06-25 at 05:54.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  3. #3
    Junior Member japandroid's Avatar
    Join Date
    Jun 2008
    Posts
    4

    So it's not possible that a trojan or any other malicious threat would have a blank startup entry? All of the descriptions have:
    Note - has a blank entry under the Startup Item/Name field
    Or, in effect, is Spybot S&D just confused by a blank startup entry and just "spits out" these possible culprits?

  4. #4
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    I don't (in my personal perspective) find Collins' list useful. I say this because it does not provide adequate information about the entry. I don't believe you are infected in any way by something malicious. One way to check what start-up programs run is to run "msconfig" without the quotes. This can be a good way to remove unnecessary items... QuickTime for example... unless the user decides to keep it.

    However, if you do not know what it is, it is better to leave it as it is.

    'If it ain't broke, don't fix it'.

    Safe surfing.

  5. #5
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    japandroid:

    Quote Originally Posted by japandroid View Post
    So it's not possible that a trojan or any other malicious threat would have a blank startup entry? All of the descriptions have:
    Note - has a blank entry under the Startup Item/Name field
    Or, in effect, is Spybot S&D just confused by a blank startup entry and just "spits out" these possible culprits?
    Note - has a blank entry under the Startup Item/Name field
    Where the devil did that quote come from???

    Quote Originally Posted by japandroid View Post
    So it's not possible that a trojan or any other malicious threat would have a blank startup entry?
    For the startup entry you are questioning, all of the descriptions that you listed have blank valuename entries and they can be threats. However, a startup entry cannot start anything or be a threat if it is not pointing to something to start, "Current filename". The "Current filename" is blank in each of the listings you provided and does not match the "Filename" in the descriptions, so the descriptions are not pertinent to the startup entry you have.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
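
The matching rule from the post above, as an added example (not part of the thread and not Spybot's own code): a database description fits a blank-named Run entry only when the file it launches has the listed name, and an entry with no command starts nothing. It assumes the blank entry is the unnamed default value (`@`) in a `.reg` export; both exports, `ExampleBackup` and the function names are constructed for illustration.

```python
import ntpath
import re

# Filename -> description, from the listings quoted in the thread. A row applies
# to a blank value name only when the entry launches a file with that name.
BLANK_NAME_DB = {
    "system32.exe": "AGOBOT-KU worm", "pathex.exe": "MKMOOSE-A worm",
    "svchost.exe": "DELF-UX trojan", "mspf.exe": "SDBOT worm variant",
    "dllvirtual.exe": "DADOBRA-IW trojan", "dllvirtual.dll": "DADOBRA-IW trojan",
    "dllvirtual.js": "DADOBRA-IW trojan",
}
# Constructed .reg exports of the Run key; "@" is the unnamed (blank) value.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"ExampleBackup"="\"C:\\Program Files\\ExampleBackup\\tray.exe\" /startup"
'''
INFECTED = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WINDOWS\\svchost.exe"
'''
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')

def parse_run_values(reg_text):
    """Return (name, command) pairs for the string values in a .reg export."""
    unescape = lambda s: re.sub(r'\\(.)', r'\1', s or "")
    pairs = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            pairs.append((unescape(m.group("name")), unescape(m.group("data"))))
    return pairs

def classify(name, command):
    """Apply the thread's rule: a description fits only if the filename matches."""
    command = command.strip()
    if not command:
        return "inert: no command, nothing is started"
    # Quoted path ends at the closing quote; otherwise cut at the first space
    # (a simplification: unquoted paths containing spaces are truncated).
    path = command[1:].split('"', 1)[0] if command[0] == '"' else command.split(" ", 1)[0]
    base = ntpath.basename(path).lower()
    parent = ntpath.basename(ntpath.dirname(path)).lower()
    in_system32 = base == "svchost.exe" and parent == "system32"
    if name == "" and base in BLANK_NAME_DB and not in_system32:
        return "match: " + BLANK_NAME_DB[base]
    return "no database match: " + base

if __name__ == "__main__":
    for reg in (SAMPLE, INFECTED):
        for name, cmd in parse_run_values(reg):
            print(repr(name), "->", classify(name, cmd))
```
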

  6. #6
    Junior Member japandroid's Avatar
    Join Date
    Jun 2008
    Posts
    4

    Well, I ran "msconfig" and there too it shows a startup entry that is blank. I ran Windows Live OneCare's online safety scanner and it didn't find anything malicious. It did find a ton of obsolete and missing registry and startup entries, though. After I fixed everything (only one item couldn't be fixed for some reason) I checked Spybot S&D's System Startup tool again. It still lists the blank entry.

    So, I'm just going to leave it as it is. After all the scanning I did and it didn't show anything bad, then it should be A-OK! As drragostea said:
    'If it ain't broke, don't fix it'.

  7. #7
    Junior Member
    Join Date
    Apr 2007
    Posts
    3

    Quote Originally Posted by drragostea View Post

    'If it ain't broke, don't fix it'.

    Safe surfing.
    This would be nice if it worked for the computing world. Although I am not making any claims that contradict anything else posted here, many malicious programs may not give any sign that something is broke (depending on your daily PC usage and power up) until it is far too late. I too have the blank startup entry and have it disabled for now, although I plan to take every action to delete it permanently. If it's not pointing to anything, then deleting it should not affect my system in any way, correct?

  8. #8
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    HyJax, the question about the "blank entry" seems foggy to me, but I'll give it my best shot to answer your question.

    If you run msconfig you might come across a "blank" entry. You'll notice that there's a checkmark on the entry indicating the item is "enabled", however there's nothing in the Startup Item text, nor is there anything in Command.

    My inference is that this entry is benign. Since there is no Command, there is nothing happening at startup (in other words it does not "point" to anywhere). You can safely leave it alone.

    If you should disable it then it would literally be disabled, however, if you should remove the entry itself, then you'll not be able to recover that specific entry.

  9. #9
    Senior Member
    Join Date
    Jan 2008
    Posts
    586

    If you remove the tick for the item in question in Spybot's System start up listing, it will be disabled.

    If that then causes a problem you can put back the tick and you're back where you started, but alternatively when you have satisfied yourself that not having it did not cause the end of the world to happen, or for that matter any other trauma, you can then simply delete it.

    This is one of the handy features of Spybot.

  10. #10
    Junior Member
    Join Date
    Apr 2007
    Posts
    3

    Quote Originally Posted by drragostea View Post
    HyJax, the question about the "blank entry" seems foggy to me, but I'll give it my best shot to answer your question.

    If you run msconfig you might come across a "blank" entry. You'll notice that there's a checkmark on the entry indicating the item is "enabled", however there's nothing in the Startup Item text, nor is there anything in Command.

    My inference is that this entry is benign. Since there is no Command, there is nothing happening at startup (in other words it does not "point" to anywhere). You can safely leave it alone.

    If you should disable it then it would literally be disabled, however, if you should remove the entry itself, then you'll not be able to recover that specific entry.
    Again, if it serves no purpose then deleting it should not affect anything. I did first disable it and once I saw things running smoothly, I ran CCleaner and it removed it and 15+ more entries just like it. My only guess is that when Windows updates it is an entry that it should have cleaned up, but we all know how good MS is at making updates that clean up their mess. Anyhow, I really don't understand all this talk of leaving such an entry be...it will only bog down my resources as Windows tries to figure out its particular use. Additionally, the reason I was checking is that I have had it happen once before, yet not even Spybot could delete the entry. It would just be back at startup...or maybe just another blank registry reference. Who knows, it is gone now and there are no blank "holes" in my registry, which has GREATLY improved my performance.

    Bottom line, this points to nothing, has absolutely no value, leaving it as something for windows to stress on until I clean my registry. It was said "If it ain't broke don't fix it" well in MS PC'ing world it should be "If it does nothing then make it nothing!!!"
