ZHPDIAG – MODULE O4 (MARCH)

This module lists all applications launched at system startup. Processing is based on the Run, RunOnce and RunServices registry keys.

Each of these keys holds a series of values. These values allow multiple entries to coexist without overwriting one another. The data of a value is a command line.

Some special considerations apply to the third and fourth keys in the list, the RunOnce keys:

  • By default, the Run keys are ignored when the computer starts in Safe Mode. Under the RunOnce keys, you can prefix a value name with an asterisk (*) to force the associated program to run even in Safe Mode.
  • You can prefix the name of a RunOnce value with an exclamation point (!) so that the value is deleted only after the command has run.
  • Without the exclamation-point prefix, a RunOnce value is deleted before the command runs. Consequently, if a RunOnce operation does not run correctly, the associated program is not called to run again the next time the computer starts. (Microsoft)

List of branches identified

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run] v1.28.315

Policies Explorer:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
[HKUS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKUS\S-1-5-XX\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKUS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
[HKUS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKUS\S-1-5-XX\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKUS\{SID}\Software\Microsoft\Windows\CurrentVersion\Run] v1.26.32
[HKUS\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce] v1.26.32

Terminal Server:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]

64-bit for Windows Vista:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

ZHPDiag overview

—\\ Applications automatically started by registry (O4)
O4 – HKLM..Run: [HFFSRV] – c:\windows\hffext\hffsrv.exe
O4 – HKUS\S-1-5-19..Run: [Sidebar] – C:\Program Files\Windows Sidebar\Sidebar.exe

—\\ Applications automatically started by registry (O4) v1.25.02
O4 – HKLM..Run: [HFFSRV] . (.No owner – No description.) — c:\windows\hffext\hffsrv.exe
O4 – HKUS\S-1-5-19..Run: [Sidebar] . (.Microsoft Corporation – Gadgets du Bureau Windows.) — C:\Program Files\Windows Sidebar\Sidebar.exe

—\\ Applications automatically started by registry (O4) v1.25.1436
O4 – HKLM..Wow6432Node\Run: [KBD] . (.Microsoft – Kbd Stub.) — C:\Program Files (x86)\Hewlett-Packard\KBD\KbdStub.exe

—\\ Applications automatically started by registry (O4) v1.26.32
O4 – HKUS\S-1-5-21-0123456789-012345678-012345678-1000..Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (.not file.)
O4 – HKUS\S-1-5-21-0123456789-012345678-012345678-1000..Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe

—\\ Applications automatically started by registry (O4) v1.26.45
O4 – HKLM..Run: [QuickTime Task] Orphan Key
O4 – HKLM..Run: [QuickTime Task] Orphan Key

—\\ Applications automatically started by registry (O4) v1.27.1848
O4 – HKLM..Terminal Server\Run: [NVIDIA driver monitor] c:\windows\nvsvc32.exe

Example No. 1 (case of an unofficial nLite Windows version)

O4 – HKUS\S-1-5-18..RunOnce: [nltide_2] regsvr32 /s /n /i:in shell32
O4 – HKUS\S-1-5-18..RunOnce: [nltide_3] rundll32 advpack.dll,launchinfsectionex nlite.inf,c,,4,n
O4 – HKUS\S-1-5-18..RunOnce: [nltide_2] regsvr32 /s /n /i:in shell32
O4 – HKUS\S-1-5-18..RunOnce: [nltide_3] rundll32 advpack.dll,launchinfsectionex nlite.inf,c,,4,n
O4 – HKUS\S-1-5-19..RunOnce: [nltide_2] regsvr32 /s /n /i:in shell32
O4 – HKUS\S-1-5-19..RunOnce: [nltide_3] rundll32 advpack.dll,launchinfsectionex nlite.inf,c,,4,n
O4 – HKUS\S-1-5-20..RunOnce: [nltide_2] regsvr32 /s /n /i:in shell32

Example No. 2 (case of a pirated version of Windows)

O4 – HKUS\S-1-5-18..RunOnce: [LSD_III] . (.No owner – No description.) — C:\WINDOWSLSDend.cmd
O4 – HKUS\S-1-5-18..RunOnce: [LSD_III] . (.No owner – No description.) — C:\WINDOWSLSDend.cmd
O4 – HKUS\S-1-5-20..RunOnce: [LSD_III] . (.No owner – No description.) — C:\WINDOWSLSDend.cmd

Example No. 3 (case of an infection)

– Trojan.FakeAlert infection:
[MD5.23E80FFD5F952C35F7687A0D544DF835] – (…) — C:\program files\google\google desktop search\gcdtmp1070\googledesktop.exe [142336]
[MD5.23E80FFD5F952C35F7687A0D544DF835] – (…) — C:\documents and settings\…\application data\msabaka6.exe [142336]
[MD5.23E80FFD5F952C35F7687A0D544DF835] – (…) — c:\program files\google\google desktop search\gcdtmp1077\googledesktop.exe [142336]
[MD5.23E80FFD5F952C35F7687A0D544DF835] – (…) — c:\program files\common files\logitech\qcdrv\bin\ptb\logitechlcamwzrd.exe [142336]
O4 – HKLM..Run: [mscjaccelerator] . (…) — C:\documents and settings\…\application data\msabaka7.exe
O4 – HKLM..Run: [allinoneSetup] . (…) — c:\program files\hp\digital imaging\{5b79cfd1-6845-4158-9d7d-6be89df2c135}\hpzcdl01sdiutilities53075.exe
O4 – HKLM..Run: [LogitechLogitech] . (…) — c:\program filesfichiers communslogitechqcdrvwinallxprslvui2rclvcodec2.exe
O4 – HKLM..Run: [QuickCamLVUI2] . (…) — C:\program filesfichiers communslogitechqcdrvwinallxprslvui2rclvcodec2.exe
O4 – HKLM..Run: [mscjlaunch] . (…) — c:\documents and settings\christian.nom-eb85c523610.001\application data\msabaka7.exe
O4 – HKLM..Run: [Google Google] . (…) — C:\program files\google\google desktop search\gcdtmp1070\googledesktop.exe
O4 – HKLM..Run: [mscjQuick] . (…) — c:\documents and settings\christian.nom-eb85c523610.001\application data\msabaka6.exe
O4 – HKLM..RunServices: [launchQuick] . (…) — C:\documents and settings\christian.nom-eb85c523610.001\application data\msabaka7.exe
O4 – HKLM..RunServices: [DesktopDesktop] . (…) — c:\program files\google\google desktop search\gcdtmp1077\googledesktop.exe
O4 – HKLM..RunServices: [GoogleDesktop5.7.802.22438] . (…) — c:\program files\google\google desktop search\gcdtmp1673\googledesktop5.7.802.22438.exe
O4 – HKLM..RunServices: [LTroblAgQuickCam] . (…) — C:\Program Files\Common Files\Logitech\qcdrv\bin\ptb\logitechlcamwzrd.exe
O4 – HKLM..RunServices: [DesktopGoogle] . (…) — C:\program files\google\google desktop search\gcdtmp1070\googledesktop.exe

O4 – HKUS\S-1-5-21-2154023944-3558821995-1915564575-1000..Run: [XA5RJ9EADJ] . (…) — C:\Users\…\AppData\Local\Temp\Bjr.exe

Backdoor.Bot infection spoofing a legitimate owner name:
O4 – HKCU..Run: [GoogleApps] . (.Microsoft Inc. – Microsoft Component.) — C:\Documents and Settings\adrien\Mes documents\System324242.exe
O4 – HKUS\S-1-5-21-3664331877-2587049494-2928149487-1005..Run: [GoogleApps] . (.Microsoft Inc. – Microsoft Component.) — C:\Documents and Settings\adrien\Mes documents\System324242.exe

ZHPFix Action

O4 – {Key}: [{KeyValue}] . (…) — {FileName}

{Key} : registry key, for example [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
{KeyValue} : a value of the key {Key}
{FileName} : the data of the value {KeyValue}

1) The tool removes the value {KeyValue} from the key {Key}
2) The tool deletes the file {FileName}

NB : In the case of an optimisation search, check the "OPT" command
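The parser below is an added example, not ZHPDiag or ZHPFix code: it reads O4 lines in the formats shown on this page, splits them into {Key}, {KeyValue} and {FileName}, flags orphan values and "(.not file.)" entries, interprets the RunOnce `*` and `!` prefixes described at the top of the page, recognises the "OPT" prefix, and lists the entries a reviewer should check first. The sample report lines are constructed in the report format; the `*UpdateOnce` value and its path are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample lines in the ZHPDiag O4 report format (the "*UpdateOnce" value is hypothetical).
SAMPLE_REPORT = [
    "O4 – HKLM..Run: [HFFSRV] . (.No owner – No description.) — c:\\windows\\hffext\\hffsrv.exe",
    "O4 – HKUS\\S-1-5-21-0123456789-012345678-012345678-1000..Run: [msnmsgr] C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe (.not file.)",
    "O4 – HKLM..Run: [QuickTime Task] Orphan Key",
    "O4 – HKUS\\S-1-5-18..RunOnce: [*UpdateOnce] C:\\Temp\\update.cmd",
    "OPT:O4 – HKLM..Wow6432Node\\Run: [KBD] . (.Microsoft – Kbd Stub.) — C:\\Program Files (x86)\\Hewlett-Packard\\KBD\\KbdStub.exe",
]
# "O4 – <hive>..<key>: [<value name>] <rest>", with an optional "OPT:" optimisation prefix
O4_RE = re.compile(r"^(?P<opt>OPT:)?O4 [–-] (?P<hive>[^:]+?)\.\.(?P<key>[^:]+): \[(?P<name>[^\]]+)\]\s*(?P<rest>.*)$")
# ". (.Owner – Description.)" or ". (…)" block that precedes the path
OWNER_RE = re.compile(r"^\.?\s*\((?:\.(.*?)\.|…)\)\s*(.*)$")

@dataclass
class O4Entry:
    hive: str               # HKLM, HKCU or HKUS\<SID>, as abbreviated in the report
    key: str                # Run, RunOnce, RunServices, Wow6432Node\Run, ...
    name: str               # value name, RunOnce prefix included
    owner: str              # file owner/signer as reported ("" when unknown)
    path: Optional[str]     # command line or file; None when the value holds no data
    orphan: bool            # no data, or the file pointed to no longer exists
    opt: bool               # "OPT:" line: optimisation rather than disinfection
    safe_mode: bool         # RunOnce '*' prefix: also runs in Safe Mode
    delete_after: bool      # RunOnce '!' prefix: value removed only after the command ran

def parse_o4(line: str) -> O4Entry:
    m = O4_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an O4 line: {line!r}")
    hive, key, name, rest = m.group("hive", "key", "name", "rest")
    owner, om = "", OWNER_RE.match(rest)
    if om:
        owner = (om.group(1) or "").split(" – ")[0]  # keep the owner, drop the description
        rest = om.group(2)
    path: Optional[str] = re.sub(r"^[—–-]\s*", "", rest)  # strip the dash before the path
    orphan = False
    if path.lower() in ("orphan key", "key orphan"):
        orphan, path = True, None
    elif path.endswith("(.not file.)"):
        orphan, path = True, path[: -len("(.not file.)")].rstrip()
    runonce = key.split("\\")[-1].lower() == "runonce"
    return O4Entry(hive, key, name, owner, path, orphan, bool(m.group("opt")),
                   runonce and name.startswith("*"), runonce and name.startswith("!"))

def triage(lines: List[str]) -> List[str]:
    """Value names to review first: orphan values and entries with no identified owner."""
    return [e.name for e in map(parse_o4, lines) if e.orphan or e.owner in ("", "No owner")]
```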

ZHPFix Report No. 1 (general case)

Lines entered:
O4 – HKLM..RunServices: [LTroblAgQuickCam] . (…) — C:\Program Files\Fichiers Communs\Logitech\qcdrv\bin\ptb\logitechlcamwzrd.exe
O4 – HKLM..Run: [eorezo] . (.EoRezo – EoRezo.) — C:\Program Files\EoRezo\eorezo.exe
O4 – HKLM..RunOnce: [SoftwareHelper] . (.EoRezo – SoftwareHelper.) — C:\Users\stéphane et agnès\AppData\Roaming\eoRezo\Software Update\SoftwareUpdateHP.exe
O4 – Global Startup: Mozilla Firefox 3.6 beta 4.lnk . (.Mozilla Corporation – Firefox.) — C:\Program Files\Mozilla Firefox 3.6 Beta 4\firefox.exe

Report by Nicolas Coolman ZHPFix v1.12.3133, updated on 05/08/2010

========== Processes in memory ==========
C:\Users\stéphane et agnès\AppData\Roaming\eoRezo\Software Update\SoftwareUpdateHP.exe [368224] => Removed and quarantined
C:\Program Files\EoRezo\eorezo.exe [667648] => Removed and quarantined

========== Registry value(s) ==========
O4 – HKLM..Run: [LTroblAgQuickCam] . (…) — C:\Program Files\Fichiers Communs\Logitech\qcdrv\bin\ptb\logitechlcamwzrd.exe => Value deleted successfully
O4 – HKLM..Run: [eorezo] . (.EoRezo – EoRezo.) — C:\Program Files\EoRezo\eorezo.exe => Value deleted successfully
O4 – HKLM..RunOnce: [SoftwareHelper] . (.EoRezo – SoftwareHelper.) — C:\Users\stéphane et agnès\AppData\Roaming\eoRezo\Software Update\SoftwareUpdateHP.exe => Value deleted successfully

========== File(s) ==========
C:\Program Files\Fichiers Communs\Logitech\qcdrv\bin\ptb\logitechlcamwzrd.exe => Deleted and quarantined
O4 – Global Startup: Mozilla Firefox 3.6 beta 4.lnk . (.Mozilla Corporation – Firefox.) — C:\Program Files\Mozilla Firefox 3.6 Beta 4\firefox.exe => Removed and quarantined

========== Summary ==========
3 : Registry value(s)
2 : File(s)

ZHPFix Report No. 2 (case of an orphan key)

Line entered:
O4 – HKLM..Run: [QuickTime Task] Orphan Key

Report by Nicolas Coolman ZHPFix v1.12.3133, updated on 05/08/2010

========== Registry value(s) ==========
O4 – HKLM..Run: [QuickTime Task] Orphan Key => Value deleted successfully

========== Summary ==========
1 : Registry value(s)

ZHPFix Report No. 3 (case of an optimisation)

Line entered:
OPT:O4 – HKLM..Run: [Adobe Reader Speed Launcher] . (.Adobe Systems Incorporated – Adobe Acrobat SpeedLauncher.) — C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

Report by Nicolas Coolman ZHPFix v1.12.3137, updated on 23/08/2010

========== Registry value(s) ==========
O4 – HKLM..Run: [Adobe Reader Speed Launcher] . (.Adobe Systems Incorporated – Adobe Acrobat SpeedLauncher.) — C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe => Value deleted successfully

========== Summary ==========
1 : Registry value(s)
