
Windows Explorer Extensions


jimp56 (IS-IT--Management), Oct 4, 2004
Hi All,
I have a laptop infested with some nasty malware. I have removed just about all of it; however, I still can't find a Windows Explorer (not IE) hook that downloads two trojans. Luckily the AV catches that, but they always download on opening Explorer during the first instance, regardless of user.

Is there a utility where you can view explorer hooks, or alternately, where in the registry are windows explorer hooks located? Or any other way of finding where this downloader reg hook may be hiding? I ran at least 5 scan utils and none have found it.

Thanks
 
Thanks, I am going to post on the malware forum also, but I was hoping someone could answer the question regarding where registry hooks are located that allow code to be executed or files called when using Windows Explorer, which is an OS issue, not related to malware.
 
I'm not into Hooks except when I go fishing but what line do you have here in the Registry?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

for the value Shell does the data read Explorer.exe or is there more there for the Shell value?

While you're in that area, have a look at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

and check for strange, unknown entries in the data of its subkeys.

Another key to look at is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

for the value AppInit_DLLs; see if there is anything there.


Might I also suggest you head over to

and have a look at TDS-3 and Process Guard. At least try the trial of TDS-3 with the latest definitions (Radius.TD3) and run a scan with that.
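A script that checks the three registry locations linney lists (Winlogon Shell, Winlogon\Notify, and AppInit_DLLs) is added here as an example; it is not code from the thread. It assumes a Windows host run from an elevated PowerShell prompt, and the function name and "expected" values are my own choices.

```powershell
# Added example: audit the Winlogon/AppInit persistence locations named in this thread.
# Assumption: run elevated on Windows; Winlogon\Notify exists on XP/2003-era systems.
function Get-ExplorerHookAudit {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $notify   = Join-Path $winlogon 'Notify'
    $windows  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $findings = @()

    # 1. Winlogon\Shell: the data should be exactly "explorer.exe"; anything appended
    #    (e.g. "explorer.exe, something.exe") runs a second program at logon.
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ine 'explorer.exe') {
        $findings += [pscustomobject]@{ Location = 'Winlogon\Shell'; Value = $shell; Reason = 'Shell is not plain explorer.exe' }
    }

    # 2. Winlogon\Notify: each subkey's DllName is loaded by winlogon.exe. Flag DLLs that
    #    do not exist, live outside System32, or carry no valid Authenticode signature.
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem -Path $notify) {
            $dll = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DllName
            if (-not $dll) { continue }
            $full = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
            $reason = $null
            if (-not (Test-Path -LiteralPath $full)) {
                $reason = 'DLL file does not exist'
            } elseif ($full -notlike (Join-Path $env:SystemRoot 'System32\*')) {
                $reason = 'DLL is outside System32'
            } elseif ((Get-AuthenticodeSignature -FilePath $full).Status -ne 'Valid') {
                $reason = 'DLL is not validly signed'
            }
            if ($reason) {
                $findings += [pscustomobject]@{ Location = "Winlogon\Notify\$($sub.PSChildName)"; Value = $dll; Reason = $reason }
            }
        }
    }

    # 3. AppInit_DLLs: normally empty. Any DLL listed here is loaded into every process
    #    that links user32.dll, which includes explorer.exe.
    $appinit = (Get-ItemProperty -Path $windows -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appinit -and $appinit.Trim()) {
        $findings += [pscustomobject]@{ Location = 'AppInit_DLLs'; Value = $appinit; Reason = 'AppInit_DLLs is not empty' }
    }

    return $findings
}

Get-ExplorerHookAudit | Format-Table -AutoSize
```

An empty table means none of the three locations looks abnormal; it does not rule out other autostart locations, which is consistent with how this thread ends.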
 
linney,
Thanks for the suggestions. The winlogon\notify key did contain strange entries (i.e. "addll=\~temp folder~\lldda.dat") and I got rid of those, but none of the DAT files existed in the user's profile temp folder, so those weren't the "magic" entries.

The same two trojans continue to download on the first instance of Explorer after a reboot, even after deleting the key entries in question. I will try the scanner, but in the meantime, any other registry possibilities you can think of?

I may just reimage the PC, but I would really like to find the location/reason for this sneaky behavior for future use before I do.
 
I will close this thread. Thanks for the help. TDS-3 is helpful; appreciate the tip. I will reimage the PC.

The malware responsible, just for the record, is virtumondo, and I know now the Explorer entries are part of the removal process, but there are other very well hidden trojans, so I was "barking up the wrong tree" regarding Explorer. I still can't get rid of it, but at this point reimaging is a better use of time than chasing this bug.

Thanks again.
 