On Thu, 11 Dec 2008 08:53:50 GMT, oldfart464@bigpond.com wrote:

>> What is in YOUR hidden autorun registry key?

>
> I only have 1 entry (web check)??? don't know what it is for.


I don't know either. Here's what castle cops had to say about it
http://www.aumha.org/a/hjttutor.php

O21 - ShellServiceObjectDelayLoad (SSODL) autorun

What it looks like:
O21 - SSODL - AUHOOK - {11566B38-955B-4549-930F-7B7482668782} - C:\WINDOWS\System\auhook.dll

What to do:
If you don't directly recognize an O21 item, use the CastleCops
ShellServiceObjectDelayLoad List to find it. In the list, 'X' means spyware
and 'L' means safe. (See the Key at the top of the page for explanations of
the other status codes.)

ShellServiceObjectDelayLoad is an undocumented autorun method, normally
used by a few Windows system components. Items listed at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
are loaded by Explorer when Windows starts. HijackThis uses a whitelist of
several very common SSODL items, so whenever an item is displayed in the
log it is unknown and possibly malicious. Treat with extreme care.

[Need more details? Check the O21 help on BleepingComputer.com. - Mr. E.]
http://www.castlecops.com/O21.html

O21 Section


This section corresponds to files being loaded through the
ShellServiceObjectDelayLoad registry key.

This Registry contains values in a similar way as the Run key does. The
difference is that instead of pointing to the file itself, it points to the
CLSID's InProcServer, which contains the information about the particular
DLL file that is being used.

The files under this key are loaded automatically by Explorer.exe when your
computer starts. Because Explorer.exe is the shell for your computer, it
will always start, thus always loading the files under this key. These
files are therefore loaded early in the startup process before any human
intervention occurs.

A hijacker that uses the method can be recognized by the following entries:
Example Listing:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

Registry Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Example Listing:
O21 - SSODL: System - {3CE8EED5-112D-4E37-B671-74326D12971E} - C:\WINDOWS\system32\system32.dll

HijackThis uses an internal white list to not show common legitimate
entries under this key. If you do see a listing for this, then it is not a
standard one and should be considered suspicious. Use our Bleeping Computer
Startup Database or SystemLookup.com to help verify files.

When you fix these types of entries, HijackThis does not delete the offending
file listed. It is recommended that you reboot into safe mode and delete
the offending file.

http://www.bleepingcomputer.com/startups/
http://www.systemlookup.com/lists.php
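
Added example, not part of the original post or the quoted tutorials: a PowerShell sketch that lists every value under the SSODL key named above and follows each CLSID to its InprocServer32 entry to show the DLL that Explorer would load. The function name and output columns are made up for illustration, and unlike HijackThis it applies no whitelist, so legitimate Windows entries are listed too.

```powershell
# Added example: enumerate ShellServiceObjectDelayLoad values and resolve each CLSID to its DLL.
# Get-SsodlEntry is a hypothetical helper name, not part of HijackThis or Windows.
$SsodlKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

function Get-SsodlEntry {
    param([string]$KeyPath = $SsodlKey)

    # Key absent: nothing is registered through this autorun method.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath

    foreach ($name in $key.GetValueNames()) {
        # Each value's data is a CLSID string, not a file path.
        $clsid  = [string]$key.GetValue($name)
        $inproc = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"

        # The DLL path is the default (unnamed) value of InprocServer32.
        $dll = $null
        if (Test-Path -LiteralPath $inproc) {
            $dll = [string](Get-Item -LiteralPath $inproc).GetValue('')
        }

        $exists = $false
        $sig    = 'n/a'
        if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
            $exists = $true
            # Authenticode status is a hint only; unsigned does not prove malicious.
            $sig = (Get-AuthenticodeSignature -LiteralPath $dll).Status
        }

        [pscustomobject]@{
            Name      = $name
            CLSID     = $clsid
            Dll       = $dll
            Exists    = $exists
            Signature = $sig
        }
    }
}

Get-SsodlEntry | Format-Table -AutoSize
```

An entry whose CLSID has no InprocServer32 key, or whose DLL is missing from disk, is usually a leftover from an earlier cleanup; look up any remaining names and paths in the startup databases linked above.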