Windows Security Tutorials - Herong's Tutorial Examples - v3.01, by Dr. Herong Yang
Generating Startup Program List by HijackThis
This section provides a tutorial example on how to generate the startup program list by HijackThis to report all startup entries in the Registry and various Windows files on a Windows system.
HijackThis also offers a nice tool to generate a list of all startup programs that are configured at different places in the system:
1. Double-click "C:\local\HijackThis\HijackThis.exe". HijackThis starts and shows its main menu.
2. Click the "Open the Misc Tools section" button. You will see the configuration screen with the "Misc Tools" tab open.
3. Click the "Generate StartupList log" button.
4. Click "Yes" in the confirmation message box. HijackThis will create a report of all startup entries in the Registry and various Windows files. The report will be displayed in the Notepad editor:
    StartupList version: 1.52.2
    --------------------------------------------------
    Listing of startup folders:

    Shell folders Startup:
    [C:\Users\herong\AppData\Roaming\Microsoft\Windows\Start Menu\...]
    OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\...
    OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\...

    Shell folders Common Startup:
    [C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
    Bluetooth.lnk = ?
    McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security ...
    Monitor Apache Servers.lnk = C:\local\httpd\bin\ApacheMonitor.exe
    --------------------------------------------------
    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\Windows\system32\userinit.exe,
    --------------------------------------------------
    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    IgfxTray = C:\Windows\system32\igfxtray.exe
    HotKeysCmds = C:\Windows\system32\hkcmd.exe
    ...
    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    OfficeSyncProcess = "C:\Program Files\Microsoft Office\Office14\..."
    AdobeBridge =
    Skype = "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
    --------------------------------------------------
    Shell & screensaver key from C:\Windows\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:
    --------------------------------------------------
    Enumerating Browser Helper Objects:

    (no name) - (no file) - {02478D38-C3F9-4efb-9B51-7695ECA05670}
    (no name) - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL - {7285...}
    (no name) - C:\Program Files\Java\jre7\bin\ssv.dll - {761497BB...}
    (no name) - C:\Program Files\Common Files\Microsoft Shared\Windows...
    URLRedirectionBHO - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL - ...
    --------------------------------------------------
    Enumerating Task Scheduler jobs:

    Adobe Flash Player Updater.job
    GoogleUpdateTaskMachineCore.job
    GoogleUpdateTaskMachineUA.job
    --------------------------------------------------
    Enumerating Download Program Files:

    [GpcContainer Class]
    InProcServer32 = C:\Windows\Downloaded Program Files\ieatgpc.dll
    CODEBASE = https://netapp-meeting.webex.com/client/WBXclient-T27...
    --------------------------------------------------
    Enumerating Winsock LSP files:

    NameSpace #1: C:\Windows\system32\NLAapi.dll
    NameSpace #2: C:\Windows\system32\napinsp.dll
    NameSpace #3: C:\Windows\system32\pnrpnsp.dll
    ...
    --------------------------------------------------
    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: *Registry key not found*
5. Click the "File > Save as" menu in Notepad to save a copy of the StartupList report.
6. Review every entry in the report.
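An added example, not part of the original tutorial or of HijackThis: a short Python script that parses a saved StartupList report and lists the entries to check first in step 6. It handles only the "name = target" lines; the trusted-prefix list and the reason strings are assumptions of this example, and a flagged entry is one to look at first, not a verdict.

```python
import re

# Constructed sample: lines copied from the report above, shortened.
SAMPLE = r"""StartupList version: 1.52.2
--------------------------------------------------
Shell folders Common Startup:
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
Bluetooth.lnk = ?
Monitor Apache Servers.lnk = C:\local\httpd\bin\ApacheMonitor.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IgfxTray = C:\Windows\system32\igfxtray.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AdobeBridge =
Skype = "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
"""

# Assumption of this example: programs normally install under these prefixes.
TRUSTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ENTRY = re.compile(r"^(.+?)\s*=\s*(.*)$")   # "name = target" report lines

def parse_startuplist(text):
    """Yield (location, name, target); location is the last heading/key line."""
    location = ""
    for line in map(str.strip, text.splitlines()):
        m = ENTRY.match(line)
        if m:
            yield location, m.group(1), m.group(2)
        elif line and set(line) != {"-"}:      # skip blanks and separators
            location = line.rstrip(":")

def review(text):
    """Return (location, name, reason) for entries to check first."""
    findings = []
    for location, name, target in parse_startuplist(text):
        path = target.strip().strip('"').lower()
        if path in ("", "?"):
            findings.append((location, name, "target missing or unresolved"))
        # "*... not found*" placeholders are not paths, so they are not flagged
        elif not path.startswith(TRUSTED + ("*",)):
            findings.append((location, name, "outside Windows/Program Files"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep=" | ")
```

To run it on a real report, read the file saved in step 5 and pass its text to review().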
The picture below shows the Startup List generated by HijackThis to report all startup entries in the Registry and various Windows files: