Sniktbub

Probable rootkit activity - "AppInit_Dlls".


Hello,

Whenever I launch Malwarebytes Anti-Rootkit BETA on my XP machine (32-bit), I get the following message - I'm attaching the screenshot.

Since I'm not very tech-savvy, I always press the "No" button and proceed. The tool never crashes or terminates.

I'd like to know more about the subject. Do I risk harming my computer in any way if I press the "Yes" button by an accident?

Most recent scans showed no sign of infections, including custom MBAM 3.5.1 scans (Legacy version for XP, found it on this forum, thank you), Adwcleaner 6.047 or Junkware Removal Tool 8.1.4.

Anti-Rootkit BETA (database v2019.02.08.08), once done scanning its targets (drivers, sectors and system), doesn't detect anything, either.

RA-marbeta.PNG


Greetings,

If you would, please do the following and I can most likely tell you what, if anything, is installed in the AppInit_Dlls keys on your system (and you can check yourself by viewing the AppInit tab in Autoruns):

Create an Autoruns Log:

Please download Sysinternals Autoruns from here and save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:

  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK

  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

Hide empty locations
Hide Windows entries

  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

Verify code signatures
Check VirusTotal.com

  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply


Hello exile360,

Thank you for your reply.

I hope I did everything correctly - I'm attaching the .zip folder you requested.

There is one entry in the AppInit tab.

PS. I've found an old thread (to which you contributed) on the subject - not sure if its information is still relevant:

I do own an Nvidia graphic card.

attachment1.zip


Yep, you did it correctly. It looks like in your case it's a part of Google Desktop Search. It's nothing malicious so you can safely ignore the warnings from Malwarebytes Anti-Rootkit.

By the way, just in case you were curious, the reason this warning shows up is that this type of startup entry (using the AppInit_Dlls key in the registry) isn't a common practice these days, because Microsoft has pretty much deprecated it in modern Windows versions (in fact, such entries won't even load on boot by default in Windows Vista and newer operating systems, though there is a setting to reactivate it) and because we've seen rootkits use it in the past to prevent Malwarebytes from being able to load/scan.

In this case, the entry is a legitimate startup that is part of Google Desktop Search so you have nothing to worry about.

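For readers who want to check this themselves without Autoruns, the following PowerShell script is an added example (not part of the thread, and not code from Malwarebytes or Sysinternals). It reads the same registry locations that the AppInit tab in Autoruns displays, shows whether the loader is still enabled (LoadAppInit_DLLs, the setting exile360 refers to, and RequireSignedAppInit_DLLs), resolves each listed DLL and verifies its Authenticode signature, which is the equivalent of the "Verify code signatures" option in Autoruns. It is read-only and changes nothing. Run it from an elevated PowerShell prompt; the Wow6432Node key is an assumption that only applies on 64-bit Windows and will simply be skipped on a 32-bit XP system like the original poster's.

```powershell
# Added example (not from the thread): list AppInit_DLLs entries and report on each DLL.
# Read-only: it only reports what the Autoruns AppInit tab would show.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit view on 64-bit Windows; this key does not exist on 32-bit XP and is skipped there.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key

    # Vista and newer only honour AppInit_DLLs when LoadAppInit_DLLs is 1; XP loads the list unconditionally.
    $load   = $props.LoadAppInit_DLLs
    $signed = $props.RequireSignedAppInit_DLLs
    Write-Output "Key: $key"
    Write-Output "  LoadAppInit_DLLs          : $(if ($null -eq $load)   { '<not set>' } else { $load })"
    Write-Output "  RequireSignedAppInit_DLLs : $(if ($null -eq $signed) { '<not set>' } else { $signed })"

    $raw = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrEmpty($raw.Trim())) {
        Write-Output "  AppInit_DLLs              : <empty>"
        continue
    }

    # The value is a list of DLL paths separated by spaces and/or commas.
    $entries = $raw -split '[ ,]+' | Where-Object { $_ -ne '' }
    foreach ($entry in $entries) {
        # Expand %SystemRoot%-style variables; bare file names are resolved from System32.
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"
        }

        if (Test-Path $path) {
            # FullName as the file-system provider resolves it (8.3 short names such as PROGRA~1 are expanded).
            $full = (Get-Item $path).FullName
            $sig  = Get-AuthenticodeSignature -FilePath $full
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            Write-Output "  AppInit_DLLs entry        : $entry"
            Write-Output "    Resolved path           : $full"
            Write-Output "    Signature status        : $($sig.Status)"
            Write-Output "    Signer                  : $signer"
        } else {
            Write-Output "  AppInit_DLLs entry        : $entry (file not found at $path)"
        }
    }
}
```

What to look for: an entry like the one in this thread resolves to a file under the vendor's own program directory with a Valid signature from that vendor, which is why it could be dismissed as benign. An entry whose file is missing, unsigned, or sitting in an unexpected location (a user profile or temp directory, for example) is the case where the Malwarebytes Anti-Rootkit prompt deserves a closer look rather than a reflexive "No".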

Just a quick update (I hope bumping is allowed on this forum) - I've uninstalled Google Desktop Search. I realize it's not a malicious program, but I haven't used it in a long while.

Malwarebytes Anti-Rootkit BETA is no longer showing the warning message, so it was indeed the thing responsible for that AppInit value.

Huge thanks to exile360, again. I believe the thread can be closed now, if necessary.
