ZHPDiag – Module O22 – SharedTaskScheduler

This module identifies the CLSIDs registered as values under the SharedTaskScheduler registry key. These elements are launched at system startup and are often the result of an infection by rogues (fake security programs).

The tool searches the following registry key for values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

– The following legitimate Windows lines are not displayed:
O22 – SharedTaskScheduler: Pre-loader Browseui – {…}
O22 – SharedTaskScheduler: Component categories cache daemon – {…}

SharedTaskScheduler detections have almost disappeared today; Windows 10 no longer references this registry key.

ZHPDiag overview

---\\ SharedTaskScheduler (O22)
O22 – SharedTaskScheduler: Pre-loader Browseui – {438755C2-A8BA-11D1-B96B-00A0C90312E1} – C:\WINDOWS\System32\browseui.dll
O22 – SharedTaskScheduler: Component categories cache daemon – {8C7461EF-2B13-11d2-BE35-3078302C2030} – C:\WINDOWS\System32\browseui.dll

---\\ SharedTaskScheduler (O22) v1.25.04
O22 – SharedTaskScheduler: (no name) – {8C7461EF-2B13-11d2-BE35-3078302C2030} . (.Microsoft Corporation – Library of the user interface of the.) — C:\WINDOWS\system32\browseui.dll

OTL equivalence

O22 – SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} – Component Categories cache daemon – C:\Windows\System32\browseui.dll (Microsoft Corporation)

ZHPFix action

O22 – SharedTaskScheduler: {Startup} – {CLSIDValue} – {FileName}

{Key} : the registry key [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
{Startup} : the data stored in the value {CLSIDValue}
{CLSIDValue} : the CLSID that names a value under the key {Key}
{FileName} : the default value of the key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSIDValue}\InProcServer32]

1) The tool deletes the value {CLSIDValue} from the key {Key}
2) The tool deletes the key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSIDValue}]
3) The tool deletes the key [HKEY_CLASSES_ROOT\CLSID\{CLSIDValue}]
4) The tool deletes the file {FileName}
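As an added example (not ZHPDiag or ZHPFix code), the following PowerShell script performs the lookup described above: it enumerates the values of {Key}, resolves each {CLSIDValue} to its {FileName} through the InProcServer32 default value, and flags every entry other than the two legitimate Windows CLSIDs named on this page for review. The known-good list, the function name and the status labels are assumptions of the example; it only reads the registry and deletes nothing.

```powershell
# Added example: audit the SharedTaskScheduler key the way this module does.
# The two CLSIDs below are the legitimate Windows entries named on this page.
$KnownGood = @(
    '{438755C2-A8BA-11D1-B96B-00A0C90312E1}',  # Pre-loader Browseui
    '{8C7461EF-2B13-11d2-BE35-3078302C2030}'   # Component categories cache daemon
)

# {Key}
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'

function Get-SharedTaskSchedulerEntry {
    if (-not (Test-Path -LiteralPath $Key)) {
        Write-Output "Key not present (expected on Windows 10 and later)."
        return
    }
    $item = Get-Item -LiteralPath $Key
    foreach ($clsid in $item.GetValueNames()) {
        if ($clsid -eq '') { continue }            # skip the (Default) value
        # {Startup}: the data of the value, normally a display name
        $startup = $item.GetValue($clsid)
        # {FileName}: default value of HKLM\SOFTWARE\Classes\CLSID\{CLSID}\InProcServer32
        $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
        $fileName = $null
        if (Test-Path -LiteralPath $serverKey) {
            $fileName = (Get-Item -LiteralPath $serverKey).GetValue('')
            if ($fileName) {
                # Expand %SystemRoot%-style references before checking the file
                $fileName = [Environment]::ExpandEnvironmentVariables($fileName)
            }
        }
        # -contains compares strings case-insensitively, matching registry semantics
        $status = if ($KnownGood -contains $clsid) { 'known-legitimate' }
                  elseif (-not $fileName) { 'orphan (no InProcServer32)' }
                  elseif (-not (Test-Path -LiteralPath $fileName)) { 'missing file' }
                  else { 'review' }   # what ZHPDiag would report as an O22 line
        [PSCustomObject]@{
            Startup  = $startup
            CLSID    = $clsid
            FileName = $fileName
            Status   = $status
        }
    }
}

Get-SharedTaskSchedulerEntry | Format-Table -AutoSize
```

Entries marked 'review' are the ones an O22 line would show; compare their {FileName} against the examples of detection below before deciding on any cleanup.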

Example of detection

O22 – SharedTaskScheduler: coexpire – {d4c4bc43-0974-4dec-a669-9f7bfcb3503d} – (.Microsoft Corp. – Multiple Interface User) — C:\WINDOWS\system32\vmlwp.dll =>Trojan.FakeAlert
O22 – SharedTaskScheduler: andropogon – {655560A9-3ca8-4509-9632-6abbef21426b} – (.Microsoft Corp. – Multiple Interface User) — C:\WINDOWS\system32\lgaac.dll =>Trojan.FakeAlert
O22 – SharedTaskScheduler: Bund – {27882a9f-8937-4ae4-87ab-ed669c8b6d7a} – (.Microsoft Corp. – Multiple Interface User) — C:\WINDOWS\system32\iheuv.dll =>Trojan.FakeAlert