
ZHPDiag – Module O4 GS (Global Startup)

The ZHPDiag O4 GS (Global Startup) module lists all the application shortcuts placed in certain Windows startup folders.

Much malware places shortcuts in the “Windows\Start Menu\Programs” folder. This is particularly the case for certain unwanted software such as “SecurityTool”. Legitimate software can also place a shortcut in this folder, for example Analog Clock from Opera Software. Even though such a shortcut is not strictly speaking a “Global Startup” link, it is nevertheless useful to have it listed in this module.

The search has been extended to other user folders so as to list a larger number of links, such as those placed on the Desktop and those launched from the “Quick Launch” bar of Microsoft Internet Explorer. These shortcut folders are often used by some software such as “AntiMalwareDoctor”. For these specific lines, a new header has been created under the name “Other user links”. If the link file does not point to an existing file, the mention “Orphan key” is added.

Some unwanted applications, such as browser hijackers, modify the arguments of all your browsers’ shortcuts in order to redirect searches and browsing to their own servers.

O4 – GS\Quicklaunch [Administrator]: Google Chrome.lnk. (.Google Inc. – Google Chrome.) C:\Program Files\Google\Chrome\Application\chrome.exe https://pop.yeawindows.com
O4 – GS\TaskBar [Administrator]: Google Chrome.lnk. (.Google Inc. – Google Chrome.) C:\Program Files\Google\Chrome\Application\chrome.exe https://pop.yeawindows.com
O4 – GS\TaskBar [Administrator]: Mozilla Firefox.lnk. (.Mozilla Corporation – Firefox.) C:\Program Files\Mozilla Firefox\firefox.exe https://pop.yeawindows.com
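As an added example (not part of ZHPDiag, ZHPFix or this page), the following Python script parses O4 GS report lines in the format shown above and flags the two cases the text describes: a link whose target no longer exists (“Orphan key”) and a browser shortcut whose arguments contain a URL. The regular expression, the browser list, the exact wording of the orphan line and the sample report are assumptions made here; the report lines in the sample are copied from this page, and the orphan line is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Browsers whose global-startup shortcuts normally carry no arguments at all;
# a URL appended to them is the hijacker pattern described on the page.
BROWSER_EXES = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe", "opera.exe"}

# One "O4 – GS\..." report line. The field layout follows the report excerpts
# shown on the page; the "Orphan key" branch is an assumption modelled on the
# ZHPFix line, and the dashes are the U+2013 / U+2014 characters ZHPDiag prints.
LINE_RE = re.compile(
    r"^O4 – GS\\(?P<folder>[^\s:\[]+)"                       # GS\TaskBar, GS\Quicklaunch, ...
    r"(?: \[(?P<user>[^\]]+)\])?: "                          # optional [UserName]
    r"(?P<link>.+?\.lnk)"                                    # shortcut file name
    r"(?:\.? – Orphan key$"                                  # link points to nothing
    r"|\. \(\.(?P<publisher>.*?)\.\)(?: —)? "                # (.Publisher.), optional em-dash
    r"(?P<target>[A-Za-z]:\\.+?\.(?:exe|bat|cmd|com|scr))"  # target executable
    r"(?: (?P<args>.+))?$)",                                 # everything after it
    re.IGNORECASE,
)
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class Shortcut:
    folder: str
    user: Optional[str]
    link: str
    publisher: Optional[str]
    target: Optional[str]
    args: Optional[str]

    @property
    def orphan(self) -> bool:
        # An orphan line carries no target path at all.
        return self.target is None


def parse_line(line: str) -> Optional[Shortcut]:
    """Return a Shortcut for an O4 GS line, or None for headers and other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Shortcut(d["folder"], d["user"], d["link"], d["publisher"], d["target"], d["args"])


def triage(sc: Shortcut) -> List[str]:
    """Findings for one shortcut: orphan, URL in browser arguments, or any browser arguments."""
    if sc.orphan:
        return ["orphan: the shortcut points to a file that no longer exists"]
    exe = sc.target.rsplit("\\", 1)[-1].lower()
    if exe in BROWSER_EXES and sc.args:
        url = URL_RE.search(sc.args)
        if url:
            return [f"hijacked browser shortcut: opens {url.group(0)}"]
        # No URL, but a browser shortcut should not need arguments; review it.
        return [f"browser shortcut carries arguments worth reviewing: {sc.args}"]
    return []


def scan_report(lines) -> List[Tuple[Shortcut, List[str]]]:
    """Parse every line and keep only the shortcuts that produced a finding."""
    flagged = []
    for line in lines:
        sc = parse_line(line)
        if sc is None:
            continue
        findings = triage(sc)
        if findings:
            flagged.append((sc, findings))
    return flagged


# Constructed sample: the section header and four lines copied from the page,
# plus one orphan line written in the assumed format.
SAMPLE_LINES = [
    r"—\\ Global Startup Shortcuts (5) – 1s",
    r"O4 – GS\Quicklaunch [Administrator]: Google Chrome.lnk. (.Google Inc. – Google Chrome.) C:\Program Files\Google\Chrome\Application\chrome.exe https://pop.yeawindows.com",
    r"O4 – GS\TaskBar [Administrator]: Mozilla Firefox.lnk. (.Mozilla Corporation – Firefox.) C:\Program Files\Mozilla Firefox\firefox.exe https://pop.yeawindows.com",
    r"O4 – GS\TaskBar: CDBurnerXP.lnk. (.Canneverbe Limited.) — C:\Program Files (x86)\CDBurnerXP\cdbxpp.exe",
    r"O4 – GS\Quicklaunch [Coolman]: Google Chrome.lnk. (.Google Inc. – Google Chrome.) C:\Program Files\Google\Chrome\Application\chrome.exe %SNP% –disable-quic",
    r"O4 – GS\Desktop [Coolman]: Updater.lnk – Orphan key",  # constructed, assumed format
]

if __name__ == "__main__":
    for sc, findings in scan_report(SAMPLE_LINES):
        who = f" [{sc.user}]" if sc.user else ""
        print(f"GS\\{sc.folder}{who}: {sc.link} -> {'; '.join(findings)}")
```

Running the block prints one line per flagged shortcut (the clean CDBurnerXP line is silently skipped); to triage a real report, pass the lines of its “Global Startup Shortcuts” section to scan_report instead of SAMPLE_LINES. The third finding shows why the script reports any browser arguments and not only URLs: the “%SNP% –disable-quic” lines in the detection examples below carry no URL, yet still deserve a look.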

Some of the folders scanned

C:\Documents and Settings\{UserName}\Start Menu\Programs\Startup\
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
C:\Users\All Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ (From Vista)
C:\Users\All Users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ (From Vista)
C:\Users\{Username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\ (From Vista)
C:\Users\{Username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar (From Vista)
C:\Users\{Username}\Desktop\ (From Vista)

ZHPDiag Overview

—\\ Global Startup Shortcuts (8) – 1s

O4 – GS\TaskBar: CDBurnerXP.lnk. (.Canneverbe Limited.) — C:\Program Files (x86)\CDBurnerXP\cdbxpp.exe
O4 – GS\TaskBar: Google Chrome.lnk. (.Google Inc..) — C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O4 – GS\Programs: Internet Explorer (64-bit).lnk. (.Microsoft Corporation.) — C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 – GS\Programs: Internet Explorer.lnk. (.Microsoft Corporation.) — C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 – GS\Desktop: iexplore.exe.lnk. (.Microsoft Corporation.) — C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 – GS\Desktop: Microsoft Visual C++ 2010 Express.lnk. (.Microsoft Corporation.) — C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\VCExpress.exe
O4 – GS\QuickLaunch: Google Chrome.lnk. (.Google Inc..) — C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O4 – GS\QuickLaunch: Launch Internet Explorer Browser.lnk. (.Microsoft Corporation.) — C:\Program Files (x86)\Internet Explorer\iexplore.exe

Examples of detection

—\\ Global Startup Shortcuts (5) – 1s
O4 – GS\Quicklaunch [Administrator]: Google Chrome.lnk. (.Google Inc. – Google Chrome.) C:\Program Files\Google\Chrome\Application\chrome.exe %SNP% –disable-quic
O4 – GS\TaskBar [Administrator]: Google Chrome.lnk. (.Google Inc. – Google Chrome.) C:\Program Files\Google\Chrome\Application\chrome.exe %SNP% –disable-quic
O4 – GS\Quicklaunch [Coolman]: Google Chrome.lnk. (.Google Inc. – Google Chrome.) C:\Program Files\Google\Chrome\Application\chrome.exe %SNP% –disable-quic

ZHPFix action

O4 – Global Startup: {LinkName}.lnk.(…). — {FileName}

{FileName}: File name.
{LinkName}: Name of the shortcut to which the file {FileName} points.

1) The tool deletes the shortcut file {LinkName}.
2) The tool deletes the file {FileName}.

ZHPFix action (case of an orphan key)

O4 – Global Startup: {LinkName}.lnk – Orphan key

{FileName}: File name.

The tool deletes the shortcut file {LinkName}.
