# startuplist



## carole (Jan 30, 2003)

I'm sending my startup list. Could you tell me if I have a worm and what I need to get rid of, if anything? Thanks.

StartupList report, 9/29/03, 7:44:31 PM
StartupList version: 1.51
Started from : C:\PROGRAM FILES\STARTUP LIST\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\STARTUP LIST\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Msoffice.exe.lnk = C:\Program Files\Microsoft Office\Office10\MSOFFICE.EXE
Event Reminder.lnk = D:\Broderbund\PrintMaster\pmremind.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
CriticalUpdate = C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
IncrediMail = C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
TaskMonitor = C:\WINDOWS\taskmon.exe
EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
LoadQM = loadqm.exe
EPSON Stylus C82 Series = C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
Ink Monitor = C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

EPSON Stylus C82 Series = C:\WINDOWS\SYSTEM\E_S10IC2.EXE /A "C:\WINDOWS\SYSTEM\E_S5134.TMP"
msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 14/9/2003, 18:22:36)

[rename]
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - c:\windows\googletoolbar_en_2.0.95-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job
Disk Defragmenter.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
Windows Critical Update Notification.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37867.7503587963

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

[{8AD9C840-044E-11D1-B3E9-00805F499D93}]

[{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}]

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Download Class]
InProcServer32 = C:\WINDOWS\ALL USERS\APPLICATION DATA\BRODERBUND SOFTWARE\PRINT\PRETZLDN.DLL
CODEBASE = http://expressit.broderbund.com/plugin/Download.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

--------------------------------------------------
End of report, 5,993 bytes
Report generated in 0.941 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Memory_Loss (Sep 30, 2003)

I've seen nothing but bad things happen when IncrediMail is installed in a system.

It may not be your problem, but that is where I would start.


----------



## carole (Jan 30, 2003)

I have had IncrediMail for a long time. All I wanted to know is if I have a worm, not if IncrediMail is any good or not.

Would someone please answer my question. I appreciate your help, and if there is something in the list that shouldn't be there could you please tell me how to remove it.
Thanks.
I have already run Spybot.


----------



## brindle (Jun 14, 2002)

I have had IncrediMail forever and it's a good program. Many times we bash the program and it's other issues at fault.
Opera 7.2
IMHO


----------



## carole (Jan 30, 2003)

I appreciate your reply regarding IncrediMail, but it still doesn't answer my question. Is it possible for you to tell if I have a worm through my startup list? Thanks again.


----------



## Memory_Loss (Sep 30, 2003)

I apologize if I came across the wrong way; I was just stating what I've experienced, not bashing. Again, I apologize.


I don't see one in what you posted.


----------



## brindle (Jun 14, 2002)

I don't see anything harmful. wmiexe.exe is not a worm, but read all of this and you might want to rename it or delete it.


----------



## carole (Jan 30, 2003)

No problem Memory_Loss. We all have our likes and dislikes.
So you figure I don't have a worm? Is there anything in the list that shouldn't be there?
Thanks for your help.


----------



## brindle (Jun 14, 2002)

I'm no expert but I don't see anything unusual. If you think there's a worm on your computer, have you run housecall?


----------



## Memory_Loss (Sep 30, 2003)

> C:\WINDOWS\WININIT.BAK listing:
> (Created 14/9/2003, 18:22:36)
> 
> [rename]
> ...


I haven't quite figured these two out. I did a Google search on them and got mixed results on what they are.

I would try the link that brindle has in the previous post.


----------



## brindle (Jun 14, 2002)

I also questioned them and found really nothing on _iu14D2N.tmp, and GLB1A2B.EXE is a renamed unwise.exe placed in the temp subdirectory.
It is always a good idea to scan with housecall.


----------



## kaspersky (Sep 10, 2003)

NOTE: GLB1A2B.EXE

From: Robin ([email protected])
Subject: Re: GLB1A2B.EXE virus
Newsgroups: nz.comp
Date: 2002-03-18 20:38:30 PST

Here,

Details - This is a combo worm and virus - and is transmitted by e-mail that will include a file attachment that appears to be a text file.

The file is - in fact - text, but is a Program Information File (which
usually carries a .pif file extension). When executed it will dump a
payload file into the \windows\temp directory (or whatever your
default temp directory is!) with the file name GLB1A2B.EXE and
then execute this program.

To save you all the gory details - the short version is that GLB1A2B
will add the files MTX_.EXE and IE_PACK.EXE to the windows
directory, as well as a file titled WININIT.INI. Every time windows is
started the WININIT file will load the other programs, and the
computer will attempt to call home. If the programs fail to reach the
author, they will repeat the attempt every two minutes until
successful.

GLB1A2B also fixes a hidden attribute to many of the files so that
they are 'typically' invisible to the end user.

Once MTX_ or IE_PACK run - as many as 60 other files can be
infected - making the virus virtually impossible to remove manually

Detection - Start Windows Explorer, click on View and then Folder Options. Click on the View tab, and then click on the radio button next to "show all files". Click on Apply and then OK. Next click on Tools, Find Files and Folders. Conduct a search on Drive C for a file titled MTX_.EXE and / or IE_PACK.EXE.

If either of these files is located, disconnect the computer from its internet access and obtain a copy of McAfee's Anti-Virus program, including the update version 4094.

McAfee was the first company (and the only one I know of at this time) that has virus definitions for this one - the bug was discovered on 8/30/00. McAfee's antivirus program will rename and / or delete the infected files - but you may need to manually reinstall certain Windows programs such as REGEDIT, NOTEPAD, CALC, etc.

Transmission - via e-mail manually, or via Microsoft e-mail programs
in the same manner as the love-bug. There are several (as many as
a hundred or so) different e-mail subject lines, most of which
reference MP3 files, Napster, or pornographic image files.

Closing information - we haven't figured out what information is sent back to the point of origin, or the exact point of origin, other than to say that it's in Germany somewhere! Additional information is available from www.mcafee.com as well as the latest virus definitions. One extremely interesting feature of the bug is that if you are infected, and you attempt to access mcafee.com or datafellows.com in an effort to obtain virus information or definitions etc. the bug will cause Internet Explorer (versions 4.X and 5.X at least) to crash. We haven't tested it with Netscape.


Brigid wrote:
> 
> Does anybody know anything about this bloody thing? It does all sorts of
> weird stuff similar to the bymer virus but it also interferes with IE
> access...it blocks port 90. The bymer fixit fixes the problem until next
> time I boot. And then I get a screen saying c:/windows.wininit.exe a line
> and a half of hieroglyphics and "press any key to continue". Hitting any
> key delivers "It's now safe to turn your computer off". Though this screen
> appears by default after a minute even if I don't press any key. Initially I
> was just deleting winin.* from dos and this would allow windows to
> load. Until next time I had to boot. And then with some help I discovered
> that wininit.exe executed this damn GLB1A2B.EXE.
> 
> Something is regenerating it and it gets executed from wininit.exe. At the
> moment it's in my temp directory (where it put itself) renamed GLB1A2B.EX_.
> Until I format I'm hoping that it won't be regenerated while it still appears
> to be on my HD.
> 
> Any info on this thing would be verrrrrry gratefully received. I don't want
> to have to format at the moment. I've got heaps of work files and assignments
> and stuff. I don't want to take the time out to format and reset every
> thing.
> 
> tankee
> Brigid


----------
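The triage the replies above did by hand (read the Run keys and the WININIT.BAK [rename] section, and look for anything run from TEMP or matching the file names in the quoted newsgroup post) as an added example; this is not code from the thread or from StartupList. The report it parses is a constructed sample in StartupList's layout, and the [rename] semantics assumed here are the Windows 9x ones: `dst=src` moves src into place at the next boot, `NUL=src` just deletes src.

```python
# File names the quoted newsgroup post ties to the GLB1A2B.EXE dropper.
SUSPECT_NAMES = {"GLB1A2B.EXE", "MTX_.EXE", "IE_PACK.EXE"}
# Constructed sample in StartupList's layout (not the report pasted in the thread).
SAMPLE = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
Updater = "C:\WINDOWS\TEMP\GLB1A2B.EXE" /background
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
[rename]
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp
C:\WINDOWS\MTX_.EXE=C:\WINDOWS\TEMP\setup.tmp
"""

def sections(report):
    """Split the report on its dashed separators into lists of non-blank lines."""
    out, cur = [], []
    for line in report.splitlines():
        if line.strip().startswith("-----"):
            out, cur = out + [cur], []
        elif line.strip():
            cur.append(line.strip())
    return [s for s in out + [cur] if s]

def reason(*paths):
    """Why these paths deserve a second look, or None if nothing stands out."""
    if any(p.strip('"').rsplit("\\", 1)[-1].upper() in SUSPECT_NAMES for p in paths):
        return "known dropper name"
    if any("\\TEMP\\" in p.upper() for p in paths):
        return "executable kept under TEMP"

def triage(report):
    findings = []
    for lines in sections(report):
        if lines[0].startswith("Autorun entries"):
            for line in lines[2:]:  # lines[1] is the registry key itself
                value = line.split("=", 1)[-1].strip()
                path = value.split('"')[1] if value.startswith('"') else value.split()[0]  # drop args
                if reason(path):
                    findings.append((reason(path), path))
        elif "WININIT" in lines[0].upper() and "[rename]" in lines:
            for line in lines[lines.index("[rename]") + 1:]:
                if line.startswith("["):
                    break  # start of the next ini section
                # NUL=file only deletes at boot (installer cleanup); dst=src moves src into place.
                dst, _, src = (p.strip() for p in line.partition("="))
                if dst.upper() != "NUL" and reason(dst, src):
                    findings.append((reason(dst, src), f"{src} -> {dst}"))
    return findings
```

Run against the thread's own WININIT.BAK section this returns nothing, because both entries are `NUL=` deletes, which matches brindle's reading of GLB1A2B.EXE there as a renamed uninstaller being cleaned up.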

