ZHPDiag – Module O40 (ASIC)


Active Setup is a Windows mechanism for running a command once per user, at logon. It is used by some operating system components, such as Internet Explorer, to perform initial configuration for a user who logs on to a machine for the first time.

Active Setup is also used by some companies' software deployment systems to build an initial, customised user environment. Because anything listed there runs in the user's context at the next logon, it is also a persistence location that malware abuses.

Origin

– The O40 (ASIC) module was created on August 24, 2008.

Features

– Implements the ASIC (Active Setup Installed Components) check: it lists every Active Setup component registered in the Registry.

– The search is carried out in the Registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components]. Each subkey (normally named after a CLSID) holds the command to run in its StubPath value; on 64-bit Windows a second, 32-bit view of the same key exists under SOFTWARE\WOW6432Node.

– Added the file owner (signer) and description to each line. v1.25.03
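As an added example (not ZHPDiag's own code), the following PowerShell enumerates the same key, including the WOW6432Node view, and reports for each entry what O40 prints (name, file, owner, description), plus whether the StubPath will actually fire at the current user's next logon (Active Setup runs it when HKCU has no copy of the subkey, or a lower Version, and IsInstalled is not 0). The function names and the "Flags" heuristics are this example's own. Run it in an elevated PowerShell on the host being triaged.

```powershell
# Added example, not ZHPDiag code: enumerate Active Setup Installed Components like module O40
# and decide, per entry, whether its StubPath will run at the current user's next logon.
$hklmRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'   # 32-bit view on x64
)
$hkcuRoot = 'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'

# StubPath is a command line, not a path: a quoted path, a bare path, or "rundll32 dll,entry".
# Returns the file that would actually be loaded, or $null if there is no StubPath.
function Resolve-StubPathFile {
    param([string]$StubPath)
    if ([string]::IsNullOrWhiteSpace($StubPath)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($StubPath).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $cmd -split '\s+'
    if ($tokens[0] -match '^rundll32(\.exe)?$' -and $tokens.Count -gt 1) {
        $dll = ($tokens[1] -split ',', 2)[0]                      # rundll32 <dll>,<entry> [args]
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path "$env:SystemRoot\System32" $dll }
        return $dll
    }
    # Unquoted path that may contain spaces: grow the candidate until it names an existing file.
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

# Active Setup versions are comma-separated integers ("11,0,9600,17418"); compare element-wise.
# Returns 1 if the machine version is newer than the user's copy, 0 if equal, -1 if older.
function Compare-ActiveSetupVersion {
    param([string]$Machine, [string]$User)
    $m = @($Machine -split ',' | ForEach-Object { $n = 0; [void][int]::TryParse($_.Trim(), [ref]$n); $n })
    $u = @($User    -split ',' | ForEach-Object { $n = 0; [void][int]::TryParse($_.Trim(), [ref]$n); $n })
    for ($i = 0; $i -lt [Math]::Max($m.Count, $u.Count); $i++) {
        $a = if ($i -lt $m.Count) { $m[$i] } else { 0 }
        $b = if ($i -lt $u.Count) { $u[$i] } else { 0 }
        if ($a -ne $b) { return [Math]::Sign($a - $b) }
    }
    return 0
}

$report = foreach ($root in $hklmRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $p      = Get-ItemProperty -LiteralPath $key.PSPath
        $name   = if ($p.'(default)') { $p.'(default)' } else { '(no name)' }
        $file   = Resolve-StubPathFile $p.StubPath
        $exists = [bool]($file -and (Test-Path -LiteralPath $file -PathType Leaf))

        # Owner and description as O40 prints them: Authenticode signer and version-resource description.
        # Catalog-signed OS binaries report IsOSBinary rather than an embedded signature.
        $owner = 'No owner'; $desc = 'No description'
        if ($exists) {
            $sig = Get-AuthenticodeSignature -LiteralPath $file
            if ($sig.Status -eq 'Valid') { $owner = (($sig.SignerCertificate.Subject -split ',')[0]) -replace '^CN=' }
            elseif ($sig.IsOSBinary)     { $owner = 'Microsoft Windows (catalog-signed)' }
            $fd = (Get-Item -LiteralPath $file).VersionInfo.FileDescription
            if ($fd) { $desc = $fd }
        }

        # Will StubPath fire for this user? Only if IsInstalled != 0 and HKCU lacks the key or has an older Version.
        $userKey    = "$hkcuRoot\$($key.PSChildName)"
        $userExists = Test-Path -LiteralPath $userKey
        $userVer    = if ($userExists) { [string](Get-ItemProperty -LiteralPath $userKey).Version } else { '' }
        $disabled   = ($null -ne $p.IsInstalled) -and ($p.IsInstalled -eq 0)
        $runsNext   = (-not $disabled) -and [bool]$p.StubPath -and (
                         (-not $userExists) -or
                         ([bool]$p.Version -and (Compare-ActiveSetupVersion $p.Version $userVer) -gt 0))

        # Triage heuristics (this example's own): the things that stand out in the infection samples above.
        $flags = @()
        if ($key.PSChildName -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') { $flags += 'non-GUID key' }
        if ($name -eq '(no name)')                 { $flags += 'no name' }
        if ($p.StubPath -and -not $exists)         { $flags += 'file missing' }
        if ($exists -and $owner -eq 'No owner')    { $flags += 'unsigned' }

        [pscustomobject]@{
            Key = $key.PSChildName; Name = $name; StubPath = $p.StubPath; File = $file
            Owner = $owner; Description = $desc; RunsAtNextLogon = $runsNext; Flags = ($flags -join ', ')
        }
    }
}
$report | Sort-Object RunsAtNextLogon -Descending | Format-Table Key, Name, Owner, RunsAtNextLogon, Flags -AutoSize
```

Entries with RunsAtNextLogon = True and any flag are the ones to look at first; a legitimate component that has already run for this user shows False because the HKCU copy of its subkey exists with the same Version.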

ZHPDiag Overview

—\\ Installed Components (ActiveSetup Installed Components) (O40)
O40 – ASIC: Windows Media Player – {22d6f312-b0f6-11d0-94ab-0080c74c7e95} – C:\WINDOWS\inf\unregmp2.exe /ShowWMP
O40 – ASIC: Internet Explorer – {26923b43-4d38-484f-9b9e-de460746276c} – C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
O40 – ASIC: Browser Customization – {60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS – RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

—\\ ActiveSetup Installed Components (O40) v1.25.03
O40 – ASIC: Browser Customizations – >{60B49E34-C7CC-11D0-8953-00A0C90347FF} . (.Microsoft Corporation – Customizing IEAK.) — C:\Windows\System32\iedkcs32.dll
O40 – ASIC: Java (Sun) – {08B0E5C0-4FCB-11CF-AAA5-00401C608500} – (not file)

 

MBAM equivalence

Infected Registry key(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5hm52028-f2or-6862-7xhe-1t5y373ho523} (Generic.Bot.H)

Example of infection

O40 – ASIC: (no name) – {VYUB2383-G80U-N0Y5-U671-073O66S8110I} . (.No owner – No description.) — C:\WINDOWS\system32\windows\Updat.exe => Bot infection (Malware.Bot)
O40 – ASIC: (no name) – {FFA0BBAD-2EAC-6CE2-C2BB-ECF43EBA6DCC} . (.No owner – No description.) — C:\WINDOWS\system32\winserv.exe => Miscellaneous Infection (Malware.Bot)

Worm:Win32/Hamweq.C
Presence of the following registry modification:
Under key: HKLM\Software\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}\
Adds value: StubPath
With data: "c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe"

ZHPFix action

O40 – ASIC: {Startup} – {CLSIDKey} – {FileName}

{Key}: Registry key [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components]
{CLSIDKey}: CLSID subkey of {Key}
{Startup}: default value of {CLSIDKey} (the component's display name)
{FileName}: default value data of the key [HKLM\SOFTWARE\Classes\CLSID\{CLSIDKey}\InProcServer32]. Note that the command Active Setup actually executes at logon is the StubPath value of {CLSIDKey}, as in the Hamweq.C sample above.

1) The tool deletes the key [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{CLSIDKey}]
2) The tool deletes the key [HKLM\SOFTWARE\Classes\CLSID\{CLSIDKey}]
3) The tool deletes the key [HKEY_CLASSES_ROOT\CLSID\{CLSIDKey}] (HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, so this step mainly removes a per-user registration that step 2 did not reach)
4) The tool deletes the file {FileName}
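The same four steps as a reusable PowerShell function, added here as an example and not ZHPFix's own code. It differs from ZHPFix in two ways that a practitioner usually wants: every key is exported to a .reg backup before deletion, and the file is moved to a quarantine folder rather than deleted. The function and parameter names, the quarantine path and the use of StubPath (rather than InProcServer32) to locate the file are this example's assumptions. Supports -WhatIf; run it elevated.

```powershell
# Added example, not ZHPFix code: remove one Active Setup component (O40 steps 1-4) with backups.
function Remove-ActiveSetupComponent {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$CLSIDKey,                 # subkey name, e.g. '{...}'
        [string]$QuarantineDir = "$env:SystemDrive\ZHP\Quarantine"   # hypothetical location
    )
    $targets = @(
        "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$CLSIDKey",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\$CLSIDKey",
        "HKLM:\SOFTWARE\Classes\CLSID\$CLSIDKey",
        "Registry::HKEY_CLASSES_ROOT\CLSID\$CLSIDKey"
    )

    # Read StubPath before anything is deleted, so the file to quarantine is still known.
    $stub = $null
    foreach ($k in $targets[0..1]) {
        if (Test-Path -LiteralPath $k) { $stub = (Get-ItemProperty -LiteralPath $k).StubPath }
        if ($stub) { break }
    }
    $file = $null
    if ($stub) {
        $cmd  = [Environment]::ExpandEnvironmentVariables($stub).Trim()
        $file = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    }

    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null

    foreach ($k in $targets) {
        if (-not (Test-Path -LiteralPath $k)) { continue }        # HKCR\CLSID may already be gone after step 2
        # reg.exe export wants the native key form (HKEY_LOCAL_MACHINE\..., no provider prefix).
        $native = $k -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\' -replace '^Registry::', ''
        $bak = Join-Path $QuarantineDir (($CLSIDKey -replace '[{}]') + '_' + ($native -replace '[\\:]', '_') + '.reg')
        if ($PSCmdlet.ShouldProcess($native, 'Export and delete registry key')) {
            reg.exe export $native $bak /y | Out-Null
            Remove-Item -LiteralPath $k -Recurse -Force
            "[$native] => Key deleted successfully (backup: $bak)"
        }
    }

    if ($file -and (Test-Path -LiteralPath $file -PathType Leaf)) {
        if ($PSCmdlet.ShouldProcess($file, 'Move to quarantine')) {
            $dest = Join-Path $QuarantineDir ((Get-Date -Format 'yyyyMMdd_HHmmss') + '_' + [IO.Path]::GetFileName($file))
            Move-Item -LiteralPath $file -Destination $dest -Force
            "$file => Moved to quarantine ($dest)"
        }
    } elseif ($stub) {
        "$file => (not file)"
    }
}

# Usage: preview first, then run for real.
# Remove-ActiveSetupComponent -CLSIDKey '{VYUB2383-G80U-N0Y5-U671-073O66S8110I}' -WhatIf
# Remove-ActiveSetupComponent -CLSIDKey '{VYUB2383-G80U-N0Y5-U671-073O66S8110I}'
```

A running process that has the file open will make the Move-Item fail; kill the process first (or schedule the move at reboot) before re-running the function.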

ZHPFix Report (Example)

Line entered:
O40 – ASIC: (no name) – {VYUB2383-G80U-N0Y5-U671-073O66S8110I} . (…) — C:\WINDOWS\system32\windows\Updat.exe

Report of ZHPFix v1.12.3133 by Nicolas Coolman, Update of 02/08/2010

========== Registry Key(s) ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{VYUB2383-G80U-N0Y5-U671-073O66S8110I}] => Key deleted successfully
[HKEY_CLASSES_ROOT\CLSID\{VYUB2383-G80U-N0Y5-U671-073O66S8110I}] => Key deleted successfully
O40 – ASIC: (no name) – {VYUB2383-G80U-N0Y5-U671-073O66S8110I} . (…) — C:\WINDOWS\system32\windows\Updat.exe => Key deleted successfully

========== File(s) ==========
C:\WINDOWS\system32\windows\Updat.exe => Deleted and quarantined

========== Summary ==========
3: Registry key(s)
1: File(s)

Links

* How to determine if Active Desktop is installed
