Registry edit

I recently ran Adaware to check for spyware, etc. and it discovered the
following vulnerability:
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\shell 'Explorer.exe, C:\WINDOWS\system32\doecp.exe

If I try to edit this it just reverts back to what it is above. How do I
fix this permanently and what value should be there?

Thanks.
Patrick Keenan

Scott J said:
I recently ran Adaware to check for spyware, etc. and it discovered the
following vulnerability:
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\shell 'Explorer.exe, C:\WINDOWS\system32\doecp.exe

If I try to edit this it just reverts back to what it is above. How do I
fix this permanently and what value should be there?

Thanks.

As noted, this is probably malware. If the entry keeps being added back
in, it's usually because something *else* is running and is maintaining the
entry, and you just haven't found the culprit yet. Identifying the loader
can be more difficult.

Locate the file in Explorer, and right-click on it to choose Properties.
If it has no listed author, particularly Microsoft, suspicions increase.

You should also use HiJack This to try to see what else is running and what
shouldn't be there. Note that this is not a beginner's tool, and needs to
be used with caution; research every entry that you think is suspect.

A useful tactic is to run a command prompt at the Windows and
windows\system32 folders, and issue this command:

dir /ah

this will show you files and folders with the Hidden attribute set. There
should be some, but you should check anything that looks out of place,
particularly files that appear to have randomly-generated names. These
will often also be marked as System, so to gain access to them, you need to
use the Attrib command:

attrib filename.ext -s -h

which removes the System and Hidden attributes. Once this is done, if the
files are not being held open they can be deleted or renamed (which should
let you delete them after a restart). I usually rename to "filename.BAD"
so it's easy to find them again. But you need to be sure that these files
are not actually needed.

HTH
-pk
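The checks in the reply, collected into one PowerShell script as an added example (this is not code from the thread or from Patrick). It reads the Winlogon Shell value and compares it with the documented default, which is just explorer.exe; lists files in the Windows and System32 folders that carry the Hidden or System attribute (the equivalent of dir /ah) together with their creation time, file-version company name and Authenticode signer, so unsigned files with random-looking names stand out; and clears the System and Hidden attributes on one file (the equivalent of attrib -s -h) once you have confirmed it is not needed. It assumes an elevated Windows PowerShell 5.1 or later prompt; the function names and the $ExpectedShell variable are my own.

```powershell
# Added example, not code from the thread. Assumes an elevated Windows
# PowerShell 5.1+ prompt. $ExpectedShell holds the documented default Shell
# value; the function names are this example's own.

$WinlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedShell = 'explorer.exe'

function Get-WinlogonShellStatus {
    # Shell is a comma-separated list of programs Winlogon starts at logon.
    # On a clean system it contains only explorer.exe; any additional entry
    # is a persistence mechanism that deserves a look.
    $shell   = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction Stop).Shell
    $entries = @($shell -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [pscustomobject]@{
        Value      = $shell
        Extra      = @($entries | Where-Object { $_ -ine $ExpectedShell })
        IsExpected = ($entries.Count -eq 1 -and $entries[0] -ieq $ExpectedShell)
    }
}

function Get-HiddenSystemFiles {
    # PowerShell equivalent of 'dir /ah' in the Windows and System32 folders,
    # also matching the System attribute and adding signer information.
    param([string[]]$Folders = @($env:SystemRoot, "$env:SystemRoot\System32"))
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    foreach ($folder in $Folders) {
        Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ([int]$_.Attributes -band $mask) -ne 0 } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path       = $_.FullName
                    Attributes = $_.Attributes
                    Created    = $_.CreationTime
                    Company    = $_.VersionInfo.CompanyName
                    SigStatus  = $sig.Status
                    Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
    }
}

function Unhide-File {
    # Equivalent of 'attrib filename.ext -s -h': clears System and Hidden so
    # the file can be renamed (e.g. to filename.BAD) or deleted after a
    # restart. Only run this on a file you have already confirmed is unwanted.
    param([Parameter(Mandatory)][string]$Path)
    $item  = Get-Item -LiteralPath $Path -Force
    $clear = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $clear))
    Get-Item -LiteralPath $Path -Force | Select-Object FullName, Attributes
}

# Report: the Shell value first, then hidden/system files that are not
# validly signed, newest first (a fresh infection is usually recent).
$status = Get-WinlogonShellStatus
if ($status.IsExpected) {
    "Winlogon Shell is the default: $($status.Value)"
} else {
    "Winlogon Shell is NOT the default: $($status.Value)"
    $status.Extra | ForEach-Object { "  extra entry: $_" }
}

Get-HiddenSystemFiles |
    Where-Object { $_.SigStatus -ne 'Valid' } |
    Sort-Object Created -Descending |
    Format-Table Path, Created, Company, SigStatus -AutoSize
```

The report only narrows the search: a legitimate Windows file can be unsigned or hidden, and a signed one can still be misused, so, as the reply says, research each entry before renaming or deleting anything. If the Shell value is reset after you correct it, the loader is still running; the file names in the report and in HiJack This output are where to look for it.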