StartupList
A handy-dandy tool that can peek into the startup processes of Windows. It shows all the software on your PC that loads automatically, from any of the several places where startup entries can be placed. Very useful for finding trojans, viruses, and spyware. Although this tool does not fix anything, it gives you a much more comprehensive list of startup programs than, for example, MSConfig. It is especially useful in conjunction with Spybot, Ad-Aware, etc.
It is a very simple program: when launched, it creates a list of all startup entries in the Registry and various Windows files and displays them in a Notepad window. The entire process takes only a few seconds, even on the slowest PC.
Download StartupList.zip (55KB - small)
The following is an example of a good StartupList report.
StartupList report
StartupList version: 1.52
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Windows\System32\msdtc.exe
C:\windows\Explorer.EXE
C:\windows\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\StartupList.exe

Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSPY2002 = C:\Windows\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\Windows\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\Windows\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\windows\System32\ctfmon.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

Shell & screensaver key from C:\windows\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\Windows\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

Enumerating Download Program Files:
[Update Class]
InProcServer32 = C:\windows\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38166.9750115741

[Shockwave Flash Object]
InProcServer32 = C:\Windows\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[SDKInstall Class]
InProcServer32 = C:\Windows\sdkinst.dll
CODEBASE = http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\windows\system32\SHELL32.dll
CDBurn: C:\windows\system32\SHELL32.dll
WebCheck: C:\windows\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
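One way to put a known-good report like the one above to work as a baseline, as an added example that is not part of StartupList or of the original page: the Python below diffs the registry-backed entries (UserInit and the Run keys) of a later report against it. It assumes the report text is saved one entry per line; the function names and the `upd32` entries are constructed for illustration.

```python
import re

KEY = re.compile(r"^\[?(HK(?:LM|CU)\\[^=\]]+?)\]?$")   # registry key line
ENTRY = re.compile(r"^(\S.*?) = (.*)$")                # "name = data" line

# Excerpt of the known-good report on this page, one entry per line.
GOOD_REPORT = r"""
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSPY2002 = C:\Windows\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\Windows\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\Windows\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\windows\System32\ctfmon.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# Constructed later report from the same PC; "upd32" is a made-up name.
SUSPECT_REPORT = GOOD_REPORT.replace(
    "userinit.exe,", r"userinit.exe,C:\WINDOWS\system32\upd32.exe"
).replace("MSPY2002 =", "upd32 = C:\\WINDOWS\\Temp\\upd32.exe -s\nMSPY2002 =")

def parse(report):
    """Return {(registry key, name, data)} for each 'name = data' line under a key."""
    entries, key = set(), None
    for raw in report.splitlines():
        line = raw.strip()
        if line.endswith(":"):            # section header: forget the last key
            key = None
        elif (m := KEY.match(line)):
            key = m.group(1).lower()      # Windows paths are case-insensitive
        elif key and (m := ENTRY.match(line)):
            entries.add((key, m.group(1).lower(), m.group(2).lower()))
    return entries

def new_entries(good, suspect):
    """Entries in the suspect report that are absent from the known-good one."""
    return sorted(parse(suspect) - parse(good))

if __name__ == "__main__":
    for key, name, data in new_entries(GOOD_REPORT, SUSPECT_REPORT):
        print(f"NEW  {key}\n     {name} = {data}")
```

A changed UserInit value shows up as a new entry because the whole data string is compared, so anything appended after `userinit.exe,` is reported.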