Generating Startup Program List by HijackThis

Windows Security Tutorials - Herong's Tutorial Examples

∟HijackThis - Browser Hijacker Diagnosis Tool

∟Generating Startup Program List by HijackThis

This section provides a tutorial example on how to generate the startup program list by HijackThis to report all startup entries in the Registry and various Windows files on a Windows system.

HijackThis also offers a nice tool to generate a list of all startup programs that are configured at different places in the system:

1. Double click "C:\local\HijackThis\HijackThis.exe". You will see HijackThis started with its main menu:

2. Click the "Open the Misc Tools section" button. You will see the configuration screen with the "Misc Tools" tab open.

3. Click the "Generate StartupList log" button.

4. Click the "Yes" on the confirmation message box. HijackThis will create a report of all startup entries in the Registry and various Windows files. The report will be displayed in the Notepad editor:

StartupList version: 1.52.2

--------------------------------------------------
Listing of startup folders:

Shell folders Startup:
[C:\Users\herong\AppData\Roaming\Microsoft\Windows\Start Menu\...]
OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\...
OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\...

Shell folders Common Startup:
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
Bluetooth.lnk = ?
McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security ...
Monitor Apache Servers.lnk = C:\local\httpd\bin\ApacheMonitor.exe

--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\Windows\system32\userinit.exe,

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\Windows\system32\igfxtray.exe
HotKeysCmds = C:\Windows\system32\hkcmd.exe
...

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

OfficeSyncProcess = "C:\Program Files\Microsoft Office\Office14\..."
AdobeBridge = 
Skype = "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun

--------------------------------------------------
Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - (no file) - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL - {7285...}
(no name) - C:\Program Files\Java\jre7\bin\ssv.dll - {761497BB...}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows...
URLRedirectionBHO - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL - ...

--------------------------------------------------
Enumerating Task Scheduler jobs:
Adobe Flash Player Updater.job
GoogleUpdateTaskMachineCore.job
GoogleUpdateTaskMachineUA.job

--------------------------------------------------
Enumerating Download Program Files:
[GpcContainer Class]
InProcServer32 = C:\Windows\Downloaded Program Files\ieatgpc.dll
CODEBASE = https://netapp-meeting.webex.com/client/WBXclient-T27...

--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #2: C:\Windows\system32\napinsp.dll
NameSpace #3: C:\Windows\system32\pnrpnsp.dll
...

--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: *Registry key not found*