Source : http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/#O4Diag
O4 Section
This section corresponds to certain registry keys and startup folders
that are used to automatically start an application when Windows starts.
O4 keys are the HJT entries that the majority of programs use to
autostart, so particular care must be used when examining these keys.
The O4 Registry keys and directory locations are listed below and apply,
for the most part, to all versions of Windows.
As of HijackThis version 2.0, HijackThis will also list entries for
other users that are actively logged into a computer at the time of the
scan by reading the information from the HKEY_USERS registry key. If a
user is not logged on at the time of the scan, their user key will not
be loaded, and therefore HijackThis will not list their autoruns. When
working on HijackThis logs it is not advised to use HijackThis to fix
entries in a person's log when the user has multiple accounts logged in.
We advise this because the other user's processes may conflict with the
fixes we are having the user run.
The current locations that O4 entries are listed from are:
Directory Locations:
User's Startup Folder: Any files located in a user's Start Menu Startup folder will be listed as an O4 - Startup. This location, for the newer versions of Windows, is C:\Documents and Settings\USERNAME\Start Menu\Programs\Startup or, in Vista, C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu. These entries will be executed when that particular user logs onto the computer.
All Users Startup Folder: These items refer to applications that load by being placed in the All Users profile Start Menu Startup folder and will be listed as O4 - Global Startup. This location, for the newer versions of Windows, is C:\Documents and Settings\All Users\Start Menu\Programs\Startup or, in Vista, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. These entries will be executed when any user logs onto the computer.
Startup Registry Keys: O4 entries that use registry keys will start with the abbreviated registry key in the entry listing. Examples and their descriptions can be seen below. For all of the keys below, if the key is located under HKCU, the program will only be launched when that particular user logs on to the computer. If the entry is located under HKLM, the program will be launched for all users that log on to the computer.
Note: In the listing below, HKLM stands for HKEY_LOCAL_MACHINE and HKCU stands for HKEY_CURRENT_USER.
The Run keys are used to launch a program automatically when a user, or all users, logs on to the machine.
Run keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The RunOnce keys are used to launch a service or background process whenever a user, or all users, logs on to the computer. Once the program is successfully launched for the first time its entry will be removed from the Registry so it does not run again on subsequent logons.
RunOnce keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
The RunServices keys are used to launch a service or background process whenever a user, or all users, logs on to the computer.
RunServices keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
The RunServicesOnce keys are used to launch a service or background process whenever a user, or all users, logs on to the computer. Unlike the RunServices keys, when a program is launched from the RunServicesOnce key its entry will be removed from the Registry so it does not run again on subsequent logons.
RunServicesOnce keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
The RunOnceEx key is used to launch a program once and then remove its entry from the Registry. This particular key is typically used by installation or update programs.
RunOnceEx key:
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
The Policies\Explorer\Run keys are used by network administrators to set a group policy setting that has a program automatically launch when a user, or all users, logs on to the computer. Under the Policies\Explorer\Run key are a series of values, each of which has a program name as its data. When a user, or all users, logs on to the computer, each of the values under the Run key is executed and the corresponding programs are launched.
Policies\Explorer\Run keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
A complete listing of other startup locations that are not necessarily included in HijackThis can be found here: Windows Program Automatic Startup Locations.
A sample of the type of O4 listings that you can see in HijackThis can be seen below:
Example Listings:
- O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
- O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
- O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
- O4 - S-1-5-21-1222272861-2000431354-1005 Startup: numlock.vbs (User 'BleepingComputer.com')
- O4 - HKUS\S-1-5-21-1229272821-2000478354-1005\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (User 'BleepingComputer.com')
Looking at the examples above, we see 5 different startup entries, with 2 of them being for users who are logged on in the background. If an entry starts with a long series of numbers and contains a username surrounded by parentheses at the end, then this is an O4 entry for a user logged on in the background. Let's break down the examples one by one.
- O4 - HKLM\..\Run: [nwiz] nwiz.exe /install - This entry corresponds to a startup launching from HKLM\Software\Microsoft\Windows\CurrentVersion\Run for the currently logged in user. The name of the Registry value is nwiz, and when the entry is started it will launch the nwiz.exe /install command.
- O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe - This entry corresponds to a program started by the All Users Startup Folder located at C:\Documents and Settings\All Users\Start Menu\Programs\Startup.
- O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe - This entry corresponds to a value located under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run key. The name of the Registry value is user32.dll and its data is C:\Program Files\Video ActiveX Access\iesmn.exe. This particular example happens to be malware related.
- O4 - S-1-5-21-1222272861-2000431354-1005 Startup: numlock.vbs (User 'BleepingComputer.com') - This particular entry is a little different. As you can see there is a long series of numbers at the beginning, and the end of the entry states the user it belongs to. Those numbers at the beginning are the user's SID, or security identifier, which is a number that is unique to each user on your computer. This SID translates to the BleepingComputer.com Windows user, as shown at the end of the entry. The rest of the entry is the same as a normal one, with the program being launched from a user's Start Menu Startup folder and the program being launched is numlock.vbs.
- O4 - HKUS\S-1-5-21-1222272861-2000431354-1005\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (User 'BleepingComputer.com') - This type of entry is similar to the first example, except that it belongs to the BleepingComputer.com user. This is just another example of HijackThis listing other logged in users' autostart entries.
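The entries broken down above, together with the abbreviated key names from the key list earlier in this section, can be decoded mechanically. The following Python script is an added example and is not part of the BleepingComputer tutorial or of HijackThis itself: it parses O4 log lines into the full registry key or Startup folder, the value or file name, the command that runs, who the autorun fires for (HKLM and Global Startup for every user, HKCU and Startup for one user), and whether the entry belongs to another logged-on user, recognised by the SID prefix plus the user name in parentheses. The sample log is the tutorial's own example listing (with the O4 letter spelled consistently); the regular expressions, the O4Entry fields and the "applies to" wording are this example's own assumptions.

```python
"""Parse HijackThis O4 log lines into their components.

Added example, not code from the BleepingComputer tutorial or from HijackThis.
The sample lines are the tutorial's own example listing; the regular
expressions, the abbreviation table and the O4Entry fields are this example's
construction, based on the key list and entry breakdown in the tutorial.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Abbreviated hive names as they appear in O4 entries and what they stand for.
HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKUS": "HKEY_USERS",
}

# The "..\" in an O4 entry abbreviates this path under the hive (or, for HKUS,
# under HKEY_USERS\<SID>).
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"

# Registry-backed entry: O4 - HKLM\..\Run: [value name] command (User 'name')
# The HKUS form carries the SID of another logged-on user before "..\".
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS)\\(?:(?P<sid>S-1-5-[\d-]+)\\)?"
    r"\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)

# Startup-folder entry: O4 - Startup: file, O4 - Global Startup: x.lnk = target,
# or O4 - <SID> Startup: file (User 'name') for another logged-on user.
FOLDER_RE = re.compile(
    r"^O4 - (?:(?P<sid>S-1-5-[\d-]+) )?(?P<scope>Global Startup|Startup): "
    r"(?P<item>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)


@dataclass
class O4Entry:
    raw: str
    kind: str                 # "registry" or "folder"
    location: str             # full registry key, or which Startup folder
    name: str                 # registry value name, or shortcut/file name
    command: str              # command line, or shortcut target
    applies_to: str           # who the autorun fires for (HKLM/Global = everyone)
    user: Optional[str]       # user name HJT appends for other logged-on users
    sid: Optional[str]        # that user's SID, when present
    background_user: bool     # entry belongs to a user logged on in the background


def parse_o4(line: str) -> O4Entry:
    """Break one O4 line into its parts; raises ValueError for non-O4 lines."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        sid, user = m["sid"], m["user"]
        prefix = HIVES[m["hive"]] + (f"\\{sid}" if sid else "")
        location = f"{prefix}\\{CURRENT_VERSION}\\{m['key']}"
        if m["hive"] == "HKLM":
            applies_to = "all users who log on"
        elif user:
            applies_to = f"user '{user}' only"
        else:
            applies_to = "the current user only"
        return O4Entry(line, "registry", location, m["name"], m["cmd"],
                       applies_to, user, sid, user is not None)

    m = FOLDER_RE.match(line)
    if m:
        sid, user = m["sid"], m["user"]
        if m["scope"] == "Global Startup":
            location = "All Users Start Menu Startup folder"
            applies_to = "all users who log on"
        else:
            location = "user's Start Menu Startup folder"
            applies_to = f"user '{user}' only" if user else "the current user only"
        # Shortcuts are listed as "<name>.lnk = <target>"; a bare file has no target.
        name, sep, target = m["item"].partition(" = ")
        return O4Entry(line, "folder", location, name, target if sep else name,
                       applies_to, user, sid, user is not None)

    raise ValueError(f"not an O4 entry: {line!r}")


def parse_log(text: str) -> List[O4Entry]:
    """Parse every O4 line in a log excerpt, skipping other HJT sections."""
    return [parse_o4(ln) for ln in text.splitlines() if ln.strip().startswith("O4 - ")]


# Constructed input: the five example entries shown in the tutorial.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - S-1-5-21-1222272861-2000431354-1005 Startup: numlock.vbs (User 'BleepingComputer.com')
O4 - HKUS\S-1-5-21-1222272861-2000431354-1005\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (User 'BleepingComputer.com')
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        flag = "  [other logged-on user]" if e.background_user else ""
        print(f"{e.kind:8} {e.location}\n         value/file: {e.name}\n"
              f"         runs: {e.command}\n         for: {e.applies_to}{flag}")
```

Running the script prints one block per entry with the expanded key (for example HKEY_USERS\S-1-5-21-...\Software\Microsoft\Windows\CurrentVersion\Run for the HKUS line) and marks the two background-user entries, which is the distinction the tutorial asks you to keep in mind before fixing anything in a multi-user log.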
Now that we know how to interpret the entries, let's learn how to fix them.
When you fix O4 entries, HijackThis will not delete the files associated with the entry. Instead, you must delete these manually afterwards, usually by having the user first reboot into safe mode. The Global Startup and Startup entries work a little differently. HijackThis will delete the shortcuts found in these entries, but not the file they are pointing to. If an actual executable resides in the Global Startup or Startup directories, then the offending file WILL be deleted.
When examining O4 entries and trying to determine what they are for, you should consult one of the following lists:
- Bleeping Computer Startup Database
- Answers that work
- Greatis Startup Application Database
- Pacman's Startup Programs List
- Pacman's Startup Lists for Offline Reading
- Kephyr File Database
- Wintasks Process Library
- Windows Startup Online Database