ZHPDIAG – MODULE O4 (ADAR)

This module lists the applications launched at system startup. It processes the Run, RunOnce and RunServices keys of the registry.

Each of these keys holds a set of values, which lets several startup entries coexist without overwriting one another. The data of each value is a command line.

Some special cases apply to the third and fourth keys of the list, the RunOnce keys:

  • By default, Run keys are ignored when the computer starts in safe mode. Under the RunOnce keys, you can prefix a value name with an asterisk (*) to force the associated program to run even in safe mode.
  • You can prefix the name of a RunOnce value with an exclamation point (!) to defer deletion of the value until after the command has run.
  • Without the exclamation point prefix, a RunOnce value is deleted before the command is executed. As a result, if a RunOnce operation does not run correctly, the associated program is not run the next time the computer starts. (Microsoft)

List of identified branches

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run] v1.28.315

Policies\Explorer:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
[HKUS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKUS\S-1-5-XX\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKUS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
[HKUS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKUS\S-1-5-XX\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKUS\{SID}\Software\Microsoft\Windows\CurrentVersion\Run] v1.26.32
[HKUS\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce] v1.26.32

Terminal Server:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]

64-bit OS (Windows Vista):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
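As an added example (not ZHPDiag's own code), the following PowerShell enumerates the branches listed above, including the loaded HKEY_USERS hives, and prints each value in a ZHPDiag-like O4 line; RunOnce value names are tagged for the '*' and '!' prefixes described earlier. The "HKUS" label and the line layout are an approximation of ZHPDiag's output, not its implementation.

```powershell
# Added example (not ZHPDiag code): enumerate the O4 branches listed above and print
# each value as a ZHPDiag-style "O4 - <hive>\..\<key>: [name] -- <command line>" line.
# RunOnce names are tagged for the '*' and '!' prefixes described in the text.
$cv = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$branches = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($k in 'Run', 'RunOnce', 'RunServices') { "${hive}:\$cv\$k" }
    "${hive}:\$cv\Policies\Explorer\Run"
    "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run"
}
$branches += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
# Loaded per-user hives: .DEFAULT and each S-1-5-XX (the HKUS entries in the list)
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($sid in (Get-ChildItem 'HKU:\' -Name)) {
    if ($sid -like '*_Classes') { continue }          # Classes hives hold no Run keys
    foreach ($k in 'Run', 'RunOnce') { $branches += "HKU:\$sid\$cv\$k" }
    $branches += "HKU:\$sid\$cv\Policies\Explorer\Run"
}

foreach ($path in $branches) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key  = Get-Item -LiteralPath $path
    $leaf = Split-Path $path -Leaf
    if ($path -like '*Wow6432Node*')     { $leaf = "Wow6432Node\$leaf" }
    if ($path -like '*Terminal Server*') { $leaf = "Terminal Server\$leaf" }
    $hiveLabel = if ($path -like 'HKU:\*') { 'HKUS\' + ($path -split '\\')[1] } else { $path.Split(':')[0] }
    foreach ($name in $key.GetValueNames()) {
        # Keep %VAR% unexpanded so the line shows exactly what is stored in the registry
        $data  = $key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $flags = ''
        if ($leaf -like '*RunOnce') {
            if ($name.StartsWith('*')) { $flags += '  <runs even in safe mode>' }
            if ($name.StartsWith('!')) { $flags += '  <deleted after the command runs>' }
        }
        "O4 - $hiveLabel\..\$leaf`: [$name] -- $data$flags"
    }
}
```

Run it from an elevated prompt so that HKLM and every loaded user hive are readable; a branch that does not exist on the machine is silently skipped.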

ZHPDiag overview

—\\ Applications started automatically by the registry (O4)
O4 – HKLM\..\Run: [HFFSRV] – c:\windows\hffext\hffsrv.exe
O4 – HKUS\S-1-5-19\..\Run: [Sidebar] – C:\Program Files\Windows Sidebar\Sidebar.exe

—\\ Applications started automatically by the registry (O4) v1.25.02
O4 – HKLM\..\Run: [HFFSRV] . (.Pas de propriétaire – Pas de description.) — c:\windows\hffext\hffsrv.exe
O4 – HKUS\S-1-5-19\..\Run: [Sidebar] . (.Microsoft Corporation – Gadgets du Bureau Windows.) — C:\Program Files\Windows Sidebar\Sidebar.exe

—\\ Applications started automatically by the registry (O4) v1.25.1436
O4 – HKLM\..\Wow6432Node\Run: [KBD] . (.Microsoft – Kbd Stub.) — C:\Program Files (x86)\Hewlett-Packard\KBD\KbdStub.exe

—\\ Applications started automatically by the registry (O4) v1.26.32
O4 – HKUS\S-1-5-21-0123456789-012345678-012345678-1000\..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (.not give.)
O4 – HKUS\S-1-5-21-0123456789-012345678-012345678-1000\..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe

—\\ Applications started automatically by the registry (O4) v1.26.45
O4 – HKLM\..\Run: [QuickTime Task] An orphan key
O4 – HKLM\..\Run: [QuickTime Task] Orphan key

—\\ Applications started automatically by the registry (O4) v1.27.1848
O4 – HKLM\..\Terminal Server\Run: [NVIDIA driver monitor] c:\windows\nvsvc32.exe

Example No. 1 (Case of an unofficial nLite Windows build)

O4 – HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:u shell32
O4 – HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,launchinfsectionex nlite.inf,c,,4,n
O4 – HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:u shell32
O4 – HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,launchinfsectionex nlite.inf,c,,4,n
O4 – HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:u shell32

Example No. 2 (Case of a pirated Windows build)

O4 – HKUS\S-1-5-18\..\RunOnce: [LSD_III] . (.Pas de propriétaire – Pas de description.) — C:\WINDOWS\LSDend.cmd
O4 – HKUS\S-1-5-20\..\RunOnce: [LSD_III] . (.Pas de propriétaire – Pas de description.) — C:\WINDOWS\LSDend.cmd

Example No. 3 (Case of an infection)

– Trojan.FakeAlert infection:
[MD5.23E80FFD5F952C35F7687A0D544DF835] – (…) — C:\program files\google\google desktop search\gcdtmp1070googledesktop.exe [142336]
[MD5.23E80FFD5F952C35F7687A0D544DF835] – (…) — C:\documents and settings\…\application data\msabaka6.exe [142336]
[MD5.23E80FFD5F952C35F7687A0D544DF835] – (…) — c:\program files\google\google desktop search\gcdtmp1077googledesktop.exe [142336]
[MD5.23E80FFD5F952C35F7687A0D544DF835] – (…) — c:\program files\fichiers communs\logitechqcdrvbinptblogitechlcamwzrd.exe [142336]
O4 – HKLM\..\Run: [mscjaccelerator] . (…) — C:\documents and settings\…\application data\msabaka7.exe
O4 – HKLM\..\Run: [allinoneSetup] . (…) — c:\program files\hp\digital imaging\{5b79cfd1-6845-4158-9d7d-6be89df2c135}\hpzcdl01sdiutilities53075.exe
O4 – HKLM\..\Run: [LogitechLogitech] . (…) — c:\program files\fichiers communs\logitechqcdrvwinallxprslvui2rclvcodec2.exe
O4 – HKLM\..\Run: [QuickCamLVUI2] . (…) — C:\program files\fichiers communs\logitechqcdrvwinallxprslvui2rclvcodec2.exe
O4 – HKLM\..\Run: [mscjlaunch] . (…) — c:\documents and settings\christian.nom-eb85c523610.001\application data\msabaka7.exe
O4 – HKLM\..\Run: [GoogleGoogle] . (…) — C:\program files\google\google desktop search\gcdtmp1070googledesktop.exe
O4 – HKLM\..\Run: [mscjQuick] . (…) — c:\documents and settings\christian.nom-eb85c523610.001\application data\msabaka6.exe
O4 – HKLM\..\RunServices: [launchQuick] . (…) — C:\documents and settings\christian.nom-eb85c523610.001\application data\msabaka7.exe
O4 – HKLM\..\RunServices: [DesktopDesktop] . (…) — c:\program files\google\google desktop search\gcdtmp1077googledesktop.exe
O4 – HKLM\..\RunServices: [GoogleDesktop5.7.802.22438] . (…) — c:\program files\google\google desktop search\gcdtmp1673googledesktop5.7.802.22438.exe
O4 – HKLM\..\RunServices: [LTroblAgQuickCam] . (…) — C:\Program Files\Fichiers Communs\logitechqcdrvbinptblogitechlcamwzrd.exe
O4 – HKLM\..\RunServices: [DesktopGoogle] . (…) — C:\program files\google\google desktop search\gcdtmp1070googledesktop.exe

O4 – HKUS\S-1-5-21-2154023944-3558821995-1915564575-1000\..\Run: [XA5RJ9EADJ] . (…) — C:\Users\…\AppData\Local\Temp\Bjr.exe

– Backdoor.Bot infection spoofing a legitimate owner name:
O4 – HKCU\..\Run: [GoogleApps] . (.Microsoft Inc.. – Microsoft Component.) — C:\Documents and Settings\adrien\Mes documents\System32\4242.exe
O4 – HKUS\S-1-5-21-3664331877-2587049494-2928149487-1005\..\Run: [GoogleApps] . (.Microsoft Inc.. – Microsoft Component.) — C:\Documents and Settings\adrien\Mes documents\System32\4242.exe

ZHPFix action

O4 – {Key}: [ {KeyValue} ] . (…) — {FileName}

{Key} : the registry key, e.g. [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
{KeyValue} : the name of the value under {Key}
{FileName} : the data of value {KeyValue}, i.e. the file launched by the command line

1) The tool deletes the value {KeyValue} from the key {Key}
2) The tool deletes the file {FileName}

NB: In the case of a startup optimization, see the 'OPT' command.
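The two-step action above, written as an added PowerShell example that is not ZHPFix's own code: it parses one O4 line, deletes the value from its key, then moves the file to a quarantine folder (as the reports below describe) instead of deleting it outright. The quarantine path and the mapping from the abbreviated "HKLM\..\Run" form back to a full registry path are assumptions.

```powershell
# Added example (not ZHPFix code): carry out the two-step O4 action described above
# on one ZHPDiag O4 line. Step 1 deletes value {KeyValue} from {Key}; step 2
# quarantines {FileName} rather than deleting it outright. The quarantine folder
# and the mapping from the abbreviated "HKLM\..\Run" form to full paths are assumptions.
param(
    [Parameter(Mandatory)][string]$Line,
    [string]$Quarantine = "$env:ProgramData\O4Quarantine",
    [switch]$WhatIf
)
# Constructed sample of the expected input:
#   O4 - HKLM\..\Run: [eorezo] . (.EoRezo - EoRezo.) -- C:\Program Files\EoRezo\eorezo.exe
$pattern = '^O4\s*[-–]\s*(?<hive>HKLM|HKCU|HKUS\\S-1-5-[\d-]+)\\\.\.\\(?<key>[^:]+):\s*' +
           '\[(?<name>[^\]]+)\]\s*(?:\.\s*\(.*?\)\s*)?(?:--|—|–)\s*(?<file>.+?)\s*$'
if ($Line -notmatch $pattern) { throw "Not an O4 line: $Line" }
$hive = $Matches.hive; $key = $Matches.key; $name = $Matches.name; $file = $Matches.file

# Rebuild the full registry path from the abbreviated form used in the report
$base = switch -Regex ($hive) {
    '^HKLM$' { 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' }
    '^HKCU$' { 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion' }
    '^HKUS'  { 'Registry::HKEY_USERS\' + $hive.Substring(5) + '\Software\Microsoft\Windows\CurrentVersion' }
}
if ($key -like 'Wow6432Node\*') {   # the 64-bit branch sits under SOFTWARE\Wow6432Node
    $base = $base -replace 'SOFTWARE\\', 'SOFTWARE\Wow6432Node\'; $key = $key.Substring(12)
}
$regPath = "$base\$key"
# RunOnce names may start with '*' or '!', so escape wildcard characters before using -Name
$literalName = [WildcardPattern]::Escape($name)

# Step 1: delete the value; the Run/RunOnce key itself stays in place
if ((Test-Path -LiteralPath $regPath) -and ((Get-Item -LiteralPath $regPath).GetValueNames() -contains $name)) {
    Remove-ItemProperty -LiteralPath $regPath -Name $literalName -WhatIf:$WhatIf
    "O4 - $hive\..\$key`: [$name] => Value deleted"
} else {
    "O4 - $hive\..\$key`: [$name] => Value not found"
}

# Step 2: move the file to quarantine (an orphan key has no file on disk, so only step 1 applies)
if (Test-Path -LiteralPath $file -PathType Leaf) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    Move-Item -LiteralPath $file -Destination $Quarantine -WhatIf:$WhatIf
    "$file => Moved to quarantine"
} else {
    "$file => File not found"
}
```

Run with -WhatIf first to see which value and file would be touched before making the change.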

ZHPFix report No. 1 (General case)

Lines entered:
O4 – HKLM\..\RunServices: [LTroblAgQuickCam] . (…) — C:\Program Files\Fichiers Communs\Logitechqcdrvinptblogitechlcamwzrd.exe
O4 – HKLM\..\Run: [eorezo] . (.EoRezo – EoRezo.) — C:\Program Files\EoRezo\eorezo.exe
O4 – HKLM\..\RunOnce: [SoftwareHelper] . (.EoRezo – SoftwareHelper.) — C:\Users\stephane and agnès\AppData\Roaming\eoRezo\SoftwareUpdate\SoftwareUpdateHP.exe
O4 – Global Startup: Mozilla Firefox 3.6 Beta 4.lnk . (.Mozilla Corporation – Firefox.) — C:\Program Files\Mozilla Firefox 3.6 Beta 4\firefox.exe

ZHPFix v1.12.3133 report by Nicolas Coolman, updated 05/08/2010

========== Process memory ==========
C:\Users\stephane and agnès\AppData\Roaming\eoRezo\SoftwareUpdate\SoftwareUpdateHP.exe [368224] => Deleted and quarantined
C:\Program Files\EoRezo\eorezo.exe [667648] => Deleted and quarantined

========== Registry value(s) ==========
O4 – HKLM\..\Run: [LTroblAgQuickCam] . (…) — C:\Program Files\Fichiers Communs\Logitechqcdrvinptblogitechlcamwzrd.exe => Value deleted successfully
O4 – HKLM\..\Run: [eorezo] . (.EoRezo – EoRezo.) — C:\Program Files\EoRezo\eorezo.exe => Value deleted successfully
O4 – HKLM\..\RunOnce: [SoftwareHelper] . (.EoRezo – SoftwareHelper.) — C:\Users\stephane and agnès\AppData\Roaming\eoRezo\SoftwareUpdate\SoftwareUpdateHP.exe => Value deleted successfully

========== File(s) ==========
C:\Program Files\Fichiers Communs\Logitechqcdrvinptblogitechlcamwzrd.exe => Deleted and quarantined
O4 – Global Startup: Mozilla Firefox 3.6 Beta 4.lnk . (.Mozilla Corporation – Firefox.) — C:\Program Files\Mozilla Firefox 3.6 Beta 4\firefox.exe => Deleted and quarantined

========== Summary ==========
3 : Registry value(s)
2 : File(s)

ZHPFix report No. 2 (Case of an orphan key)

Line entered:
O4 – HKLM\..\Run: [QuickTime Task] An orphan key

ZHPFix v1.12.3133 report by Nicolas Coolman, updated 05/08/2010

========== Registry value(s) ==========
O4 – HKLM\..\Run: [QuickTime Task] An orphan key => Value deleted successfully

========== Summary ==========
1 : Registry value(s)

ZHPFix report No. 3 (Case of an optimization)

Line entered:
OPT:O4 – HKLM\..\Run: [Adobe Reader Speed Launcher] . (.Adobe Systems Incorporated – Adobe Acrobat SpeedLauncher.) — C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

ZHPFix v1.12.3137 report by Nicolas Coolman, updated 23/08/2010

========== Registry value(s) ==========
O4 – HKLM\..\Run: [Adobe Reader Speed Launcher] . (.Adobe Systems Incorporated – Adobe Acrobat SpeedLauncher.) — C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe => Value deleted successfully

========== Summary ==========
1 : Registry value(s)

