[Alduin]

Whats the point of a software/malware adding something like this?

 

AppInit_DLLs: C:\Program Files => C:\Program Files [0 2017-07-20] ()

 

http://www.geekstogo...th-ransomeware/

Edited by Alduin, 25 July 2017 - 09:51 AM.

[Advertisements]

Hello,

I saw that it's an odd looking entry because there is no malware file or any file except the programs files folder.


The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded. As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded also.

The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that the files loaded in the AppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before we have access to the system.


Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs


There are very few legitimate programs that use this Registry key, but you should proceed with caution when deleting files that are listed here.

Usually we see something like this:

AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll

[zep516]

Hello,

I saw that it's an odd looking entry because there is no malware file or any file except the programs files folder.


The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded. As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded also.

The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that the files loaded in the AppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before we have access to the system.


Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs


There are very few legitimate programs that use this Registry key, but you should proceed with caution when deleting files that are listed here.

Usually we see something like this:

AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll

[Alduin]

Hello,

I saw that it's an odd looking entry because there is no malware file or any file except the programs files folder.


The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded. As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded also.

The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that the files loaded in the AppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before we have access to the system.


Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs


There are very few legitimate programs that use this Registry key, but you should proceed with caution when deleting files that are listed here.

Usually we see something like this:

AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll

 

Thank you for your high-quality answer zep! , I was thinking that Maybe it could have been some AM/AV software that Modified that key if that's even possible or perhaps the malware/software didn't execute properly or perhaps he could have done something wrong while he was coding his application/malware. Thanks again zep!

Edited by Alduin, 25 July 2017 - 01:43 PM.