Generating Startup Program List by HijackThis

This section provides a tutorial example on how to generate the startup program list with HijackThis, which reports all startup entries in the Registry and various Windows files on a Windows system.

HijackThis also offers a nice tool to generate a list of all startup programs that are configured at different places in the system:

1. Double-click "C:\local\HijackThis\HijackThis.exe". HijackThis starts and shows its main menu.

2. Click the "Open the Misc Tools section" button. You will see the configuration screen with the "Misc Tools" tab open.

3. Click the "Generate StartupList log" button.

4. Click "Yes" in the confirmation message box. HijackThis will create a report of all startup entries in the Registry and various Windows files. The report will be displayed in the Notepad editor:

StartupList version: 1.52.2

--------------------------------------------------
Listing of startup folders:

Shell folders Startup:
[C:\Users\herong\AppData\Roaming\Microsoft\Windows\Start Menu\...]
OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\...
OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\...

Shell folders Common Startup:
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
Bluetooth.lnk = ?
McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security ...
Monitor Apache Servers.lnk = C:\local\httpd\bin\ApacheMonitor.exe

--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\Windows\system32\userinit.exe,

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\Windows\system32\igfxtray.exe
HotKeysCmds = C:\Windows\system32\hkcmd.exe
...

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

OfficeSyncProcess = "C:\Program Files\Microsoft Office\Office14\..."
AdobeBridge = 
Skype = "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun

--------------------------------------------------
Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - (no file) - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL - {7285...}
(no name) - C:\Program Files\Java\jre7\bin\ssv.dll - {761497BB...}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows...
URLRedirectionBHO - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL - ...

--------------------------------------------------
Enumerating Task Scheduler jobs:
Adobe Flash Player Updater.job
GoogleUpdateTaskMachineCore.job
GoogleUpdateTaskMachineUA.job

--------------------------------------------------
Enumerating Download Program Files:
[GpcContainer Class]
InProcServer32 = C:\Windows\Downloaded Program Files\ieatgpc.dll
CODEBASE = https://netapp-meeting.webex.com/client/WBXclient-T27...

--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #2: C:\Windows\system32\napinsp.dll
NameSpace #3: C:\Windows\system32\pnrpnsp.dll
...

--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: *Registry key not found*

5. Click the "File > Save as" menu in Notepad to save a copy of the StartupList report.

6. Review every entry in the report.
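
One way to triage the saved report for step 6, as an added example that is not part of the original tutorial or of HijackThis: it parses the "name = target" entries from an excerpt of the report above and flags those with no resolvable target, a truncated path, or a target outside the Windows and Program Files directories. The function names and the trusted-directory heuristic are assumptions made for this example.

```python
import re

# Excerpt of the StartupList report shown on this page (blank lines dropped).
SAMPLE_REPORT = r"""
--------------------------------------------------
Shell folders Common Startup:
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
Bluetooth.lnk = ?
Monitor Apache Servers.lnk = C:\local\httpd\bin\ApacheMonitor.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IgfxTray = C:\Windows\system32\igfxtray.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AdobeBridge =
Skype = "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
"""

ENTRY = re.compile(r"^(.+?) =\s*(.*)$")  # matches "name = target" lines
# Assumption: a reviewer's triage heuristic, not a rule applied by HijackThis.
TRUSTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_entries(report):
    """Yield (location, name, target) for each 'name = target' line."""
    location = ""
    for line in map(str.strip, report.splitlines()):
        if m := ENTRY.match(line):
            yield location, m.group(1), m.group(2)
        elif line.startswith("[") or line.upper().startswith(("HKLM\\", "HKCU\\")):
            location = line.strip("[]")  # folder or Registry key of later entries

def review_reason(target):
    """Return why an entry needs a manual look, or None if it looks routine."""
    if target in ("", "?"):
        return "no resolvable target"
    if target.endswith("..."):
        return "path truncated in report"
    if not target.lstrip('"').lower().startswith(TRUSTED):
        return "outside Windows and Program Files"
    return None

def flag_for_review(report):
    return [(loc, name, why) for loc, name, target in parse_entries(report)
            if (why := review_reason(target))]

if __name__ == "__main__":
    for loc, name, why in flag_for_review(SAMPLE_REPORT):
        print(f"{name}: {why} [{loc}]")
```

A flag only sets review priority: entries under the trusted directories still need to be recognized by name, and the other report sections (Browser Helper Objects, Task Scheduler jobs, Winsock LSP files) use line formats that this example does not parse.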

The picture below shows the Startup List generated by HijackThis to report all startup entries in the Registry and various Windows files:

HijackThis Generating Startup List
