Windows Shell Execute Hooks

Guest

I am running a Spy-Ware program which notifies me when a "Shell Execute Hook"
program or update attempts to install and run. It asks me if I want to Allow
or Block the process trying to take place. At present I am not knowledgeable
enough to safely know for sure what to do or how to distinguish whether the
"Explorer.exe" is legit or not. I would like to find out how to verify the
legitimacy of these programs when this occurs. The name of the latest
"Windows shell, Explorer.exe" is
{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}. Can anyone help me with this?

I would like to learn where to look and how to check these things out within
my PC when they occur. I am running "Windows XP Home", "IE 6.0", and also run
"FF 1.5.1" along with my security programs.

Anyone's help would be greatly appreciated!
 
Don Varnau

Hi,
Try a Google (or other search engine) search. For example: a Google search
on
091EB208-39DD-417D-A5DD-7E2C2D8FB9CB found a HijackThis log at
http://forums.spywareinfo.com/lofiversion/index.php/t69793.html
which contained this:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft
AntiMalware ShellExecuteHook"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll"
[MS]

You might have to search further on MpShHook.dll or Microsoft AntiMalware
ShellExecuteHook (for example) to ensure that it's legitimate. The first
search doesn't always provide a definitive answer. ;-)

Starting at:
The CLSID / BHO List / Toolbar Master List:
http://castlecops.com/CLSID.html may save some time- you won't have to wade
through a page of Google results- but you won't find every CLSID listed.

Hope this helps,
Don
[MS MVP- IE]
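
The lookup shown in the HijackThis log above can also be done locally. The following PowerShell sketch is an added example, not part of the original posts or of any tool mentioned in them: it lists every entry under the ShellExecuteHooks key, resolves each CLSID to its InProcServer32 DLL, and reports who signed that DLL. It assumes Windows PowerShell is installed; the function name Get-ShellExecuteHookReport is hypothetical.

```powershell
# Added example (read-only): enumerate ShellExecuteHooks and report each DLL's signer.
$hookKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

function Get-ShellExecuteHookReport {   # hypothetical helper name
    if (-not (Test-Path -LiteralPath $hookKey)) { return }
    $key = Get-Item -LiteralPath $hookKey
    foreach ($clsid in $key.GetValueNames()) {
        if (-not $clsid) { continue }   # skip the unnamed (Default) value
        $row = @{
            Clsid           = $clsid
            Description     = [string]$key.GetValue($clsid)
            Dll             = $null
            FileExists      = $false
            SignatureStatus = 'n/a'
            Signer          = $null
        }
        # {CLSID}\InProcServer32\(Default) holds the path of the DLL Explorer loads
        $serverKey = "HKLM:\Software\Classes\CLSID\$clsid\InProcServer32"
        if (Test-Path -LiteralPath $serverKey) {
            $dll = [string](Get-Item -LiteralPath $serverKey).GetValue('')
            $dll = $dll.Trim().Trim('"')
            $row.Dll = $dll
            # A bare file name with no directory is reported as FileExists = False
            if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
                $row.FileExists = $true
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $row.SignatureStatus = [string]$sig.Status
                if ($sig.SignerCertificate) {
                    $row.Signer = $sig.SignerCertificate.Subject
                }
            }
        }
        New-Object PSObject -Property $row |
            Select-Object Clsid, Description, Dll, FileExists, SignatureStatus, Signer
    }
}

Get-ShellExecuteHookReport | Format-List
```

A hook whose DLL is missing, or whose signer does not match the vendor named in the description, is the one to research further; a NotSigned status alone is not proof of malware, since some legitimate files carry no embedded signature.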
 
Guest

Thanks Don!
After doing some checking and looking on my own PC I discovered this is an
update for the "MS Defender" anti-spyware and malware program.
Thanks for your help!

Greensman3!

 
