Question: AppInit_DLLs



#1
Alduin

Alduin

    Banned

  • Banned
  • 55 posts

What's the point of software/malware adding something like this?


AppInit_DLLs: C:\Program Files => C:\Program Files [0 2017-07-20] ()


http://www.geekstogo...th-ransomeware/


Edited by Alduin, 25 July 2017 - 09:51 AM.

  • 0



#2
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Hello,

I saw that it's an odd-looking entry because there is no malware file, or any file at all, except the Program Files folder.


The AppInit_DLLs registry value contains a list of DLLs that will be loaded when user32.dll is loaded. As most Windows executables use user32.dll, that means that any DLL listed in the AppInit_DLLs registry key will be loaded as well.

The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that the files loaded in the AppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before we have access to the system.


Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs


There are very few legitimate programs that use this Registry key, but you should proceed with caution when deleting files that are listed here.

Usually we see something like this:

AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
  • 1
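The post above describes what the AppInit_DLLs value does and shows what a typical malicious entry looks like. The script below is an added example (not code from this thread or from FRST) that audits the same mechanism on a live machine: it reads the value from both the 64-bit and the WOW6432Node registry views, reports the LoadAppInit_DLLs and RequireSignedAppInit_DLLs switches that decide whether the list is honoured, and classifies each entry as a directory (like the odd "C:\Program Files" entry the original poster saw), a missing file, or a real DLL with its Authenticode signature status. It assumes Windows PowerShell 5.1 or later with read access to HKLM; the function and variable names are the example's own.

```powershell
# Added example, not code from the thread or from any tool mentioned in it.
# Assumes Windows PowerShell 5.1+ (or PowerShell 7 on Windows) with read access to HKLM.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',              # 64-bit processes
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit processes (FRST shows this as AppInit_DLLs-x32)
)

# Classify a single list entry the way a defender wants to see it.
function Get-AppInitEntryVerdict {
    param([string]$Entry)
    $path = [Environment]::ExpandEnvironmentVariables($Entry)
    if (Test-Path -LiteralPath $path -PathType Container) {
        return 'directory, not a DLL: cannot be loaded (as with the C:\Program Files entry in this thread)'
    }
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        return 'file not found: orphaned entry'
    }
    if ([IO.Path]::GetExtension($path) -ne '.dll') {
        return 'file exists but is not a .dll'
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
    return "DLL present, signature $($sig.Status), signer: $signer"
}

# Walk both registry views and emit one row per entry.
function Get-AppInitAudit {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # LoadAppInit_DLLs = 1 means the loader honours the list at all;
        # RequireSignedAppInit_DLLs = 1 means unsigned DLLs in the list are skipped.
        $load   = $props.LoadAppInit_DLLs
        $signed = $props.RequireSignedAppInit_DLLs
        $raw    = [string]$props.AppInit_DLLs

        if ([string]::IsNullOrWhiteSpace($raw)) {
            [pscustomobject]@{ Key = $key; LoadAppInit_DLLs = $load; RequireSigned = $signed
                               Entry = '<empty>'; Verdict = 'nothing configured' }
            continue
        }

        # Microsoft documents the value as a space- or comma-delimited list, so a path
        # containing a space is split by the loader. Report the whole value first, then
        # each fragment as the loader would see it.
        $fragments = @($raw -split '[ ,]+' | Where-Object { $_ -and $_ -ne $raw })
        foreach ($entry in (@($raw) + $fragments)) {
            [pscustomobject]@{ Key = $key; LoadAppInit_DLLs = $load; RequireSigned = $signed
                               Entry = $entry; Verdict = (Get-AppInitEntryVerdict $entry) }
        }
    }
}

Get-AppInitAudit | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the machine being examined. A row whose Verdict is anything other than a signed, present DLL from a vendor you recognise deserves the caution the post above recommends before the value is cleared; note also that on current Windows versions LoadAppInit_DLLs is commonly 0, in which case the list is ignored regardless of its contents.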

#3
Alduin

Alduin

    Banned

  • Topic Starter
  • Banned
  • 55 posts


Thank you for your high-quality answer zep! :) I was thinking that maybe it could have been some AM/AV software that modified that key, if that's even possible, or perhaps the malware/software didn't execute properly, or perhaps he could have done something wrong while he was coding his application/malware. Thanks again zep!


Edited by Alduin, 25 July 2017 - 01:43 PM.

  • 0
