
Hi John. This is a legit entry.

AppInit_DLLs= C:\Windows\SysWOW64\nvinit.dll

NVIDIA Compatible NVIDIA shim initialization dll

Though programmers have been discouraged by Microsoft from using this registry value, many still do and Microsoft still allows it to be used.

http://support.microsoft.com/kb/197571


We do not recommend that applications use this feature or rely on this feature. There are other techniques that can be used to achieve similar results.

You can safely click No, as the MBAR message states, if you're unsure.


I just ran Malwarebytes Anti-Rootkit Beta for the first time and got the same warning.  However, there is no AppInit_DLLs entry in C:\Windows\SysWOW64\nvinit.dll on my machine running Win 7 Ultimate, nor does AppInit show up when conducting a search.  I know I'm confused, but should I also be concerned?


@Turtleman

If you're having issues running the program or feel that your system might be infected, then it might be best to have a trained Expert assist you further.

I would suggest following the advice from the topic here, "Available Assistance for Possibly Infected Computers", and having one of the Experts assist you with looking into your issue.

Thanks


AdvancedSetup:  Thanks for your feedback, but I have no reason to think my computer's infected or have any issues running the program.  It's just that I received the same popup message that Johnf25 mentioned in the first post on this topic.  The subsequent post by tetonbob identifies this as a legit entry in location C:\Windows\SysWOW64\nvinit.dll.  But being unable to locate that entry, and from conflicting info about AppInit_DLLs on the Web, I don't know what to think.  I'm very reluctant to try removing AppInit_DLLs if I don't know what it is, where it is, what might happen if it's removed, or how to restore it.


Further information on the AppInit_DLLs registry entry.

32-bit DLL on x86 (32-bit) Windows, and 64-bit DLL on x64 (64-bit) Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

32-bit DLL on x64 (64-bit) Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

Working with the AppInit_DLLs registry value

Article ID: 197571 - Last Review: November 21, 2006 - Revision: 4.1

APPLIES TO

        Microsoft Win32 Application Programming Interface, when used with:
        Microsoft Windows NT 4.0
        Microsoft Windows 2000 Standard Edition
        Microsoft Windows XP

AppInit_DLLs in Windows 7 and Windows Server 2008 R2

Description

AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Microsoft is modifying the AppInit DLLs facility in Windows 7 and Windows Server 2008 R2 to add a new code-signing requirement. This will help improve the system reliability and performance, as well as improve visibility into the origin of software.

Windows 7

All DLLs that are loaded by the AppInit_DLLs infrastructure should be code-signed. In the interests of application compatibility, the Windows 7 Operating System will load all AppInit DLLs. However, Microsoft recommends that all application developers code-sign their DLLs to help improve the reliability of Windows and prepare for code-signing enforcement in future versions of Windows. The RequireSignedAppInit_DLLs registry key controls this behavior and its value on Windows 7 is set to 0 by default.

Windows Server 2008 R2

All DLLs that are loaded by the AppInit_DLLs infrastructure must be code-signed. The RequireSignedAppInit_DLLs registry key controls this behavior and its value on Windows Server 2008 R2 is set to 1 by default.

You can open REGEDIT.EXE and browse to the listed keys to see what is found or you can run the following code from a Command prompt to see what is listed there.

32-bit and 64-bit query:

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs"

Query on 64-bit for a 32-bit DLL:

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs"
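As an added example (not code from the original thread, from Malwarebytes or from Microsoft), the following PowerShell script does what the two REG QUERY lines above do and a little more: it walks both registry views, prints the AppInit_DLLs, LoadAppInit_DLLs and RequireSignedAppInit_DLLs values, and for every DLL the list names it shows the file description and the Authenticode signature status and signer. That is the check a reader in Turtleman's position wants, because it shows exactly which file MBAR is flagging and who signed it, and it makes "code-signed" concrete. It assumes Windows 7 or later with Windows PowerShell. Resolving a bare file name against System32 for the native view and SysWOW64 for the Wow6432Node view is an assumption about where the loader will find the DLL, not something the thread states. On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled entirely, so an empty or ignored value there is expected.

```powershell
# Added example (not from the original thread): inventory the AppInit_DLLs
# mechanism in both registry views and verify the signature of each listed DLL.
# Assumption: Windows 7 or later, Windows PowerShell; read access to HKLM is
# enough, so an elevated prompt is not required.

# Native view (32-bit DLLs on x86, 64-bit DLLs on x64) and WOW64 view (32-bit DLLs on x64)
$views = @(
    @{ Path   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';
       SysDir = Join-Path $env:windir 'System32' },
    @{ Path   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows';
       SysDir = Join-Path $env:windir 'SysWOW64' }
)

function Show-Value($key, $name) {
    # Print a registry value, distinguishing "absent" from "set to an empty string"
    $v = $key.PSObject.Properties[$name]
    if ($null -eq $v) { "  $name = <not set>" } else { "  $name = '$($v.Value)'" }
}

foreach ($view in $views) {
    if (-not (Test-Path $view.Path)) {
        # The Wow6432Node view does not exist on 32-bit Windows
        Write-Output "== $($view.Path) : key not present"
        continue
    }
    $key = Get-ItemProperty -Path $view.Path
    Write-Output "== $($view.Path)"
    Show-Value $key 'LoadAppInit_DLLs'          # 1 = mechanism enabled
    Show-Value $key 'RequireSignedAppInit_DLLs' # 1 = unsigned DLLs are refused
    Show-Value $key 'AppInit_DLLs'              # space- or comma-separated DLL list

    $list = [string]$key.AppInit_DLLs
    if ($list.Trim() -eq '') { continue }

    foreach ($entry in ($list -split '[ ,;]+' | Where-Object { $_ -ne '' })) {
        $file = [Environment]::ExpandEnvironmentVariables($entry)
        # Assumption: a bare file name is loaded from the system directory that
        # matches this registry view (System32 for native, SysWOW64 for WOW64)
        if (-not [System.IO.Path]::IsPathRooted($file)) { $file = Join-Path $view.SysDir $file }

        if (-not (Test-Path $file)) {
            Write-Output "  [!] $entry -> $file : file not found"
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $file
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $desc   = (Get-Item $file).VersionInfo.FileDescription
        Write-Output "  $file"
        Write-Output "    description: $desc"
        Write-Output "    signature:   $($sig.Status)"
        Write-Output "    signer:      $signer"
        if ($sig.Status -ne 'Valid') {
            Write-Output "    [!] not validly signed; confirm its origin before trusting it"
        }
    }
}
```

Run it from a normal PowerShell prompt on the machine that shows the MBAR popup and on the one that does not; the difference in the two AppInit_DLLs values is the reason one machine gets the prompt. A DLL listed here that is unsigned, signed by an unexpected publisher, or missing from disk is the case tetonbob describes, where the entry has been hijacked and removing it may be necessary for MBAR to run.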

AdvancedSetup:  Thanks for the additional info, and I located the two keys you supplied.  Just for giggles, I installed and ran the anti-rootkit on another Win 7 computer here that uses the same motherboard and operating system, and the popup warning in the first post did NOT appear!  Of course, there are a zillion differences in software from one machine to another.

The first key entry has nothing beside it, while the only data associated with the second key reads "value not set."  I'm afraid I don't understand exactly what "code-signed" means, nor why the keys only show on one computer, but it doesn't sound too ominous to me.

Should I try backing up the registry and deleting the entry when the anti-rootkit popup appears or just continue to ignore it?  Thanks again for all your help!


Turtleman, please click on No if the message appears again. There is only one reason to click on Yes, and that is if after clicking No, MBAR will not run. Some malware hijacks this entry and prevents security programs from running.


tetonbob:  Thanks – I'll continue clicking "No", but would sure like to understand why the popup message even appears.  I thought that removing the entry would eliminate the popup and anything sinister that might be associated with it.  Very confusing!


Tetonbob:  I've only clicked "No" and won't even think about clicking "Remove" unless suggested and I understand what might happen.

Yes, usually it's not needed, however there are cases where it is. If the entry was created by a certain rootkit, it can render Malwarebytes Anti-Rootkit useless unless it is removed. If you do not believe you are infected and are just scanning to test out the beta, then you don't need to click "Yes".

To add:

There should be an entry present if MBAR is detecting it. Would you mind running the DDS tool which Johnf25 ran?

Download DDS and save it to your desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds.scr to run the tool.
It will automatically run; all you will see is a small message saying DDS is running in silent mode, then a message saying 2 logs shall be created on your Desktop.
• When done, DDS will have saved 2 logs to your desktop
  1. DDS.txt
  2. Attach.txt
• Attach both logs in reply
