
What is in YOUR hidden autorun Windows registry SSODL key?


Bill Davies

Dec 11, 2008, 12:38:03 AM
What hidden autoruns are listed in your SSODL Windows registry key?
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

In looking up freeware for snooping on my kids, using HijackThis freeware
and google, I learned about the SSODL hidden autorun key and then noticed I
had a half dozen entries of my own.

(Default) REG_SZ (value not set)
CDBurn REG_SZ {fbeb8a05-beee-4442-804e-409d6c4415e9}
PostBootReminder REG_SZ {7649596a-48ea-486e-8937-a2a3004f31a9}
SysTray REG_SZ {35CEC8A3-26E6-11D2-8773-92E220544153}
WebCheck REG_SZ {E6FB5E20-DE65-11CF-9C87-00AA005427ED}
WPDShServiceObj REG_SZ {AAA2886A-9A4C-45B0-95D7-94D544869DB5}

Is it normal to have these half-dozen items in the hidden autorun key?

What is in YOUR hidden autorun registry key?

Bill Davies

Dec 11, 2008, 5:47:31 AM
On Thu, 11 Dec 2008 01:12:37 -0600, Guy wrote:

> Why do you say it is hidden? Those 6 entries are normal.

This is an undocumented autorun method used by malware to hide nastigrams.
http://forums.majorgeeks.com/showthread.php?t=38752

Many of the nasty autoruns hidden in the SSODL are listed here
http://www.castlecops.com/O21.html

--------------------------------------------------------------------------
O21 - ShellServiceObjectDelayLoad Registry key autorun

What it looks like:
O21 - SSODL - AUHOOK - {11566B38-955B-4549-930F-7B7482668782} -
C:\WINDOWS\System\auhook.dll
What to do:
This is an undocumented autorun method, normally used by a few Windows
system components. Items listed at

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad

are loaded by Explorer when Windows starts. HijackThis uses a whitelist
of several very common SSODL items, so whenever an item is displayed in
the log it is unknown and possibly malicious. Treat with extreme care.
--------------------------------------------------------------------------

Bill Davies

Dec 11, 2008, 5:56:58 AM
On Thu, 11 Dec 2008 02:23:25 -0800, John Corliss wrote:
>> Is it normal to have these half-dozen items in the hidden autorun key?
> The first one doesn't do anything and the others are normal.

The reason I asked is HiJackThis said this about the Shell Service Object
Delay Load registry key.

HiJackThis: ShellServiceObjectDelayLoad
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
C:\WINDOWS\system32\WPDShServiceObj.dll

Detailed information on item O21:
This is an undocumented Registry key that contains a list of references to
CLSIDs, which in turn reference .dll files that are then loaded by
Explorer.exe at system startup. The .dll files stay in memory until
Explorer.exe quits, which is achieved either by shutting down the system or
killing the shell process.

(Action taken: Registry value is deleted, CLSID key is deleted.)

Bill Davies

Dec 11, 2008, 6:08:25 AM
On Thu, 11 Dec 2008 08:53:50 GMT, oldfa...@bigpond.com wrote:

>> What is in YOUR hidden autorun registry key?
>

> I only have 1 entry (web check)??? don't know what it is for.

I don't know either. Here's what castle cops had to say about it
http://www.aumha.org/a/hjttutor.php

O21 - ShellServiceObjectDelayLoad (SSODL) autorun

What it looks like:
O21 - SSODL - AUHOOK - {11566B38-955B-4549-930F-7B7482668782} -
C:\WINDOWS\System\auhook.dll

What to do:
If you don’t directly recognize an O21 item, use the CastleCops
ShellServiceObjectDelayLoad List to find it. In the list, ‘X’ means spyware
and ‘L’ means safe. (See the Key at the top of the page for explanations of
the other status codes.)

ShellServiceObjectDelayLoad is an undocumented autorun method, normally
used by a few Windows system components. Items listed at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
are loaded by Explorer when Windows starts. HijackThis uses a whitelist of
several very common SSODL items, so whenever an item is displayed in the
log it is unknown and possibly malicious. Treat with extreme care.

[Need more details? Check the O21 help on BleepingComputer.com. – Mr. E.]
http://www.castlecops.com/O21.html

O21 Section

This section corresponds to files being loaded through the
ShellServiceObjectDelayLoad registry key.

This Registry key contains values in a similar way as the Run key does. The
difference is that instead of pointing to the file itself, it points to the
CLSID's InProcServer, which contains the information about the particular
DLL file that is being used.

The files under this key are loaded automatically by Explorer.exe when your
computer starts. Because Explorer.exe is the shell for your computer, it
will always start, thus always loading the files under this key. These
files are therefore loaded early in the startup process before any human
intervention occurs.

A hijacker that uses the method can be recognized by the following entries:
Example Listing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html

Registry Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Example Listing
O21 - SSODL: System - {3CE8EED5-112D-4E37-B671-74326D12971E} - C:\WINDOWS\system32\system32.dll

HijackThis uses an internal white list to not show common legitimate
entries under this key. If you do see a listing for this, then it is not a
standard one and should be considered suspicious. Use our Bleeping Computer
Startup Database or SystemLookup.com to help verify files.

When you fix these types of entries, HijackThis does not delete the offending
file listed. It is recommended that you reboot into safe mode and delete
the offending file.

http://www.bleepingcomputer.com/startups/
http://www.systemlookup.com/lists.php

Bill Davies

Dec 11, 2008, 6:15:21 AM
I found this lookup for the hijackthis log line:
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
C:\WINDOWS\system32\WPDShServiceObj.dll

http://www.systemlookup.com/O21/236-WPDShServiceObj_dll.html

which agrees that this one is "normal".

O21 List
ShellServiceObjectDelayLoad

This entry is classified as legitimate.

It is either part of a legitimate program or the operating system itself.
Removal is not needed.

Item Details
CLSID: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
Name: WPDShServiceObj
Filename: WPDShServiceObj.dll
Description: Windows Portable Device Shell Service Object

Bill Davies

Dec 11, 2008, 6:22:53 AM
Thanks to your help, I found out more

(Default) REG_SZ (value not set)

CDBurn REG_SZ {fbeb8a05-beee-4442-804e-409d6c4515e9}
http://www.systemlookup.com/O21/242-SystemRoot_system32_SHELL32_dll.html

PostBootReminder REG_SZ {7849596a-48ea-486e-8937-a2a3009f31a9}
http://www.systemlookup.com/O21/241-SystemRoot_system32_SHELL32_dll.html

SysTray REG_SZ {35CEC8A3-2BE6-11D2-8773-92E220524153}
http://www.systemlookup.com/O21/194-SYSDIR_stobject_dll.html

WebCheck REG_SZ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
http://www.systemlookup.com/O21/222-SYSDIR_webcheck_dll.html

WPDShServiceObj REG_SZ {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
http://www.systemlookup.com/O21/236-WPDShServiceObj_dll.html
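Added example, not code from the thread or from HijackThis: the PowerShell below does by script what the BleepingComputer text quoted in the 6:08 post describes and what the 6:22 post did by hand. It reads every value under the SSODL key, follows each CLSID to its InProcServer32 entry to find the DLL that Explorer will load, and compares the result against the five CLSIDs the thread's SystemLookup results classed as legitimate on XP SP3. The baseline table, the WOW6432Node path, the HKCU-before-HKLM lookup order and the signature/hash checks are my additions and assumptions; HijackThis' own whitelist is not reproduced anywhere in the thread.

```powershell
#Requires -Version 4
# Added example (not from the thread): enumerate the SSODL autorun key like
# HijackThis' O21 check, resolve each CLSID to the DLL Explorer will load,
# and flag anything outside a small known-good baseline.
# Assumptions: Windows with PowerShell 4+, run elevated so HKLM/HKCR are
# fully readable. Baseline = the five XP SP3 entries posted in the thread;
# other Windows versions need their own baseline.

$ssodlPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    # 32-bit shell components on 64-bit Windows live under the WOW6432Node copy.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

# CLSID -> expected module file name, taken from the thread's SystemLookup hits.
# PowerShell hashtable keys are case-insensitive, so registry casing does not matter.
$baseline = @{
    '{FBEB8A05-BEEE-4442-804E-409D6C4515E9}' = 'shell32.dll'          # CDBurn
    '{7849596A-48EA-486E-8937-A2A3009F31A9}' = 'shell32.dll'          # PostBootReminder
    '{35CEC8A3-2BE6-11D2-8773-92E220524153}' = 'stobject.dll'         # SysTray
    '{E6FB5E20-DE35-11CF-9C87-00AA005127ED}' = 'webcheck.dll'         # WebCheck
    '{AAA288BA-9A4C-45B0-95D7-94D524869DB5}' = 'WPDShServiceObj.dll'  # WPDShServiceObj
}

function Resolve-ClsidServer {
    param([string]$Clsid)
    # Explorer runs at medium integrity, so COM consults HKCU\Software\Classes
    # before HKLM\Software\Classes. A per-user InProcServer32 therefore shadows
    # the system one: a legitimate SSODL CLSID can be redirected to any DLL
    # without touching the SSODL key itself, which is why the hive is reported.
    foreach ($hive in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
        $k = "$hive\CLSID\$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $k) {
            $raw = (Get-ItemProperty -LiteralPath $k).'(default)'
            if ($raw) {
                $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                return [pscustomobject]@{ Dll = $dll; Hive = $hive }
            }
        }
    }
    return $null
}

$report = foreach ($path in $ssodlPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }               # skip the (Default) value
        $clsid  = [string]$key.GetValue($name)
        $server = Resolve-ClsidServer $clsid
        $dll    = if ($server) { $server.Dll } else { $null }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        $hash   = if ($exists) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { 'n/a' }

        $expected = $baseline[$clsid]
        $verdict  = if (-not $server)                          { 'ORPHAN: CLSID has no InProcServer32' }
                    elseif ($server.Hive -like 'HKCU:*')       { 'SUSPICIOUS: per-user COM registration' }
                    elseif (-not $expected)                    { 'UNKNOWN: not in baseline, look it up' }
                    elseif ((Split-Path $dll -Leaf) -ne $expected) { "SUSPICIOUS: baseline expects $expected" }
                    elseif ($sig -ne 'Valid')                  { "CHECK: signature status $sig" }
                    else                                       { 'OK' }

        [pscustomobject]@{
            Key       = $path -replace '^HKLM:\\SOFTWARE\\', ''
            Name      = $name
            CLSID     = $clsid
            Dll       = $dll
            Exists    = $exists
            Signature = $sig
            SHA256    = $hash
            Verdict   = $verdict
        }
    }
}

$report | Format-Table Name, CLSID, Dll, Signature, Verdict -AutoSize
```

Two caveats when reading the output. On Windows 7, OS DLLs such as shell32.dll are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature reports NotSigned and the entry lands in CHECK; the baseline match and a SHA256 compared against a known-clean copy are the decisive tests there. And a clean-looking SSODL key is not the whole story: the ORPHAN and per-user (HKCU) verdicts exist precisely because an attacker can leave the key untouched and redirect one of the five normal CLSIDs instead.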

Alan Edwards

Dec 12, 2008, 3:37:50 PM
Operating system?
Mine has the same 5 entries as yours in XP SP3 and I consider it
normal. I have checked these items out.

...Alan
--
Alan Edwards, MS MVP Windows - Internet Explorer
http://dts-l.com/index.htm
