ZHPDiag – Module O53 – ShareTools MSconfig StartupReg

MSConfig (Microsoft System Configuration Utility) is a program present in several versions of Windows for viewing and changing the Windows startup configuration.

Among other things, MSConfig lets you prevent selected programs from being launched when Windows starts. An item unchecked on its Startup tab is not removed outright: MSConfig records the original Run entry (command line, source key and hive) under its own startupreg key so that the item can be re-enabled later. The SMSR module (ShareTools MSconfig StartupReg) lists the values and subkeys of that startupreg key together with their data. These entries deserve the same scrutiny as active Run entries: the program is only disabled, its file is still on disk, and a single click in MSConfig brings it back.

The search is performed in the registry key HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg.

ZHPDiag overview

—\\ ShareTools MSconfig StartupReg (SMSR) (O53) v2.33.09
O53 – SMSR:HKLM…\startupreg\iTunesHelper – C:\Program Files\iTunes\iTunesHelper.exe
O53 – SMSR:HKLM…\startupreg\msnmsgr – C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

—\\ ShareTools MSconfig StartupReg (SMSR) (O53) v1.25.030
O53 – SMSR:HKLM…\startupreg\CloneDVD2 . (.Elaborate Bytes AG – CloneDVD Application.) – C:\Program Files\Elaborate Bytes\CloneDVD\CloneDVD2.exe

—\\ ShareTools MSconfig StartupReg (SMSR) (O53) v1.25.123
O53 – SMSR:HKLM…\startupreg\HPADVISOR [Key] . (.Hewlett-Packard – HP Advisor.) — C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

ComboFix equivalent

((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTIVBOARD]

Example of detection

—\\ ShareTools MSconfig StartupReg (SMSR) (O53)
O53 – SMSR:HKLM…\startupreg\AntiMalware [Key] . (…) — C:\Program Files\AntiMalware\antimalware.exe =>SUP.ActiveSecurity
O53 – SMSR:HKLM…\startupreg\facemoods [Key] . (…) — C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe

ZHPFix action, case 1

O53 – SMSR:HKLM…\startupreg\{ValueName} . (..) — {FileName}

{key} : the registry key [HKLM\software\microsoft\shared tools\msconfig\startupreg]
{ValueName} : a value located directly under the key {key}
{FileName} : the data of the value {ValueName}, i.e. the command line of the disabled startup item

1) The tool deletes the value {ValueName}.
2) The tool deletes the file {FileName}.

ZHPFix action, case 2

O53 – SMSR:HKLM…\startupreg\{SubKey} [Key] . (..) — {FileName}

{keyName} : the registry key [HKLM\software\microsoft\shared tools\msconfig\startupreg]
{SubKey} : a subkey of the key {keyName}; the [Key] marker in the report line distinguishes this case from case 1
{ValueName} : the value 'command' of the subkey {SubKey}
{FileName} : the data of the value {ValueName}, i.e. the command line of the disabled startup item

1) The tool deletes the subkey {SubKey}.
2) The tool deletes the file {FileName}.
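The listing that module O53 produces and the two ZHPFix actions above (plus the OPT variant described further down, which deletes the registry entry but keeps the file) can be reproduced from PowerShell. The script below is an added example written for this page; it is not ZHPDiag or ZHPFix code. It assumes Windows with an elevated PowerShell 5.1 or later session; the 'command' value name is the one given above, the O53-style output uses plain ASCII dashes, and the quarantine folder name is an arbitrary choice. Files are moved rather than deleted so that a legitimate component (such as ctfmon.exe in the OPT example) can be restored.

```powershell
# Added example (not ZHPDiag/ZHPFix code): enumerate the MSConfig "startupreg"
# key that module O53 inspects, print each entry O53-style, and remove an
# entry the way ZHPFix case 1 (value) / case 2 (subkey) does.
# Assumes: Windows, elevated PowerShell 5.1+. Run the removal with -WhatIf first.
$StartupReg = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Get-ExePathFromCommand {
    # "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background -> the quoted path
    # C:\WINDOWS\system32\ctfmon.exe                            -> itself
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted path that may contain spaces: grow until a token ends in .exe
    $acc = ''
    foreach ($tok in ($cmd -split ' ')) {
        $acc = if ($acc) { "$acc $tok" } else { $tok }
        if ($acc -match '\.exe$') { return $acc }
    }
    return ($cmd -split ' ')[0]
}

function Get-O53Entry {
    # Build one report object; company/description come from the file's version
    # resource, as in the "(.Company - Description.)" part of an O53 line.
    param([string]$Type, [string]$Name, [string]$Command)
    $file = Get-ExePathFromCommand $Command
    $company = $desc = '...'
    $status = 'Missing'
    if ($file -and (Test-Path -LiteralPath $file)) {
        $vi = (Get-Item -LiteralPath $file).VersionInfo
        if ($vi.CompanyName)     { $company = $vi.CompanyName }
        if ($vi.FileDescription) { $desc = $vi.FileDescription }
        $status = (Get-AuthenticodeSignature -FilePath $file).Status
    }
    [pscustomobject]@{
        Type = $Type; Name = $Name; Command = $Command
        File = $file; Company = $company; Description = $desc; Signature = $status
    }
}

function Get-O53Entries {
    # Case 2: one subkey per disabled item, its command line in the 'command' value.
    # Case 1: a value directly under startupreg whose data is the command line.
    if (-not (Test-Path $StartupReg)) { return }
    foreach ($sub in Get-ChildItem -Path $StartupReg) {
        $cmd = $sub.GetValue('command')
        if ($cmd) { Get-O53Entry -Type 'Key' -Name $sub.PSChildName -Command $cmd }
    }
    $root = Get-Item -Path $StartupReg
    foreach ($name in $root.GetValueNames()) {
        if ($name) { Get-O53Entry -Type 'Value' -Name $name -Command ([string]$root.GetValue($name)) }
    }
}

function Format-O53Line {
    param([Parameter(ValueFromPipeline)]$Entry)
    process {
        $tag = if ($Entry.Type -eq 'Key') { ' [Key]' } else { '' }
        "O53 - SMSR:HKLM...\startupreg\$($Entry.Name)$tag . (.$($Entry.Company) - $($Entry.Description).) -- $($Entry.File) [$($Entry.Signature)]"
    }
}

function Remove-O53Entry {
    # Case 1: delete the value; case 2: delete the subkey. Then quarantine the
    # file unless -KeepFile is given (the OPT behaviour: registry entry only).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Entry,
        [switch]$KeepFile,
        [string]$Quarantine = (Join-Path $env:ProgramData 'O53_Quarantine')  # assumed location
    )
    process {
        if ($Entry.Type -eq 'Key') {
            $path = Join-Path $StartupReg $Entry.Name
            if ($PSCmdlet.ShouldProcess($path, 'Remove subkey')) { Remove-Item -Path $path -Recurse }
        } elseif ($PSCmdlet.ShouldProcess("$StartupReg [$($Entry.Name)]", 'Remove value')) {
            Remove-ItemProperty -Path $StartupReg -Name $Entry.Name
        }
        if ($KeepFile -or -not $Entry.File -or -not (Test-Path -LiteralPath $Entry.File)) { return }
        if ($PSCmdlet.ShouldProcess($Entry.File, 'Move to quarantine')) {
            New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
            Move-Item -LiteralPath $Entry.File -Destination $Quarantine
        }
    }
}

# Usage: list everything, then dry-run the removal of one entry (name is an example).
Get-O53Entries | Format-O53Line
Get-O53Entries | Where-Object Name -eq 'facemoods' | Remove-O53Entry -WhatIf
```

The signature status printed in brackets is a cheap first filter when reviewing a long listing: an unsigned or missing file behind a vendor-looking name is worth a closer look, while a Microsoft-signed ctfmon.exe is the case where only the registry entry should go, which is what -KeepFile (the OPT command on this page) is for.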

ZHPFix report (example)

Lines entered:
O53 – SMSR:HKLM…\startupreg\DC6V_Check [Key] . (…) — C:\Program Files\Fichiers communs\SystemDoctor\usdrdc.exe
O53 – SMSR:HKLM…\startupreg\kamsoft [Key] . (…) — C:\WINDOWS\system32\ckvo.exe

ZHPFix v1.12.3132 report by Nicolas Coolman, updated 02/08/2010

= Registry key(s) =
O53 – SMSR:HKLM…\startupreg\DC6V_Check [Key] . (…) — C:\Program Files\Fichiers communs\SystemDoctor\usdrdc.exe => Key deleted successfully
O53 – SMSR:HKLM…\startupreg\kamsoft [Key] . (…) — C:\WINDOWS\system32\ckvo.exe => Key deleted successfully

= File(s) ==========
c:\program files\fichiers communs\systemdoctor\usdrdc.exe => Deleted and quarantined
C:\WINDOWS\system32\ckvo.exe => Deleted and quarantined

= Summary =
2 : Registry key(s)
2 : File(s)

ZHPFix report (optimization with the OPT command)

Note that the OPT command applies to lines carrying registry keys, values or data.

In the following example, only the registry entries for 'Adobe Reader Speed Launcher' and 'CTF Loader' are deleted; the files, and the programs they belong to, are kept.

Lines entered:
OPT:O53 – SMSR:HKLM…\startupreg\Adobe Reader Speed Launcher [Key] . (.No owner – No description.) — C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
OPT:O53 – SMSR:HKLM…\startupreg\ctfmon.exe [Key] . (.Microsoft Corporation – CTF Loader.) — C:\WINDOWS\system32\ctfmon.exe

ZHPFix v1.12.3141 report by Nicolas Coolman, updated 27/08/2010

= Registry key(s) =
O53 – SMSR:HKLM…\startupreg\Adobe Reader Speed Launcher [Key] . (.No owner – No description.) — C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe => Key deleted successfully
O53 – SMSR:HKLM…\startupreg\ctfmon.exe [Key] . (.Microsoft Corporation – CTF Loader.) — C:\WINDOWS\system32\ctfmon.exe => Key deleted successfully

= Summary =
2 : Registry key(s)