windows - How to tell where a particular software is coming from

2014-07
  • esqew

    This question already has an answer here:

  • Answers
  • Trae Abell

    The problem exists between the keyboard and chair

    If you trace it all the way back you will find that the problem exists between the keyboard and chair

    --

    And the actual answer is No, unless you have a ridiculous logging setup on the machine (prior to infection).


  • Related Question

    windows - What else besides a virus would keep turning on "Show Hidden Files" in WinXP
  • LachlanG

    I've got a couple of machines that definitely recently had viruses and very likely still do.

    I've run Norton AV, Radix RootKit remover, Sophos Rootkit remover, Spybot, Ad-Aware, CA Antivirus Plus, AVG, AntiVir, SysInternals Rootkit Revealer and none of them can find any more nasties on these machines.

    I've even taken out the hard drives, stuck them in a USB drive casing and scanned them from another virus-free machine. Still nothing.

    The Windows "Show Hidden files/folders" setting, however, keeps turning itself on. You switch it off, click OK, and straight away it's back on again.

    I've monitored the registry key for the setting with SysInternals RegMon and that revealed that the setting was being reset by explorer.exe as soon as I change it manually.

    Like I said, I'm fairly certain that there is still some sort of extra sneaky virus or rootkit on these machines, but I'm now investigating the remote possibility that the viruses are gone and something else is resetting the "Show hidden files" setting.

    Any suggestions? I'd really like to avoid a reformat of these machines.


  • Related Answers
  • John T

    You may also want to monitor these registry entries:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
    

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    

    A little bit of research shows a lot of viruses which tamper with all 3 registry entries. It is very likely there is still something on your system. Personally I don't feel safe using an OS after it's been compromised. Even if a scanner picks up a lot of viruses and successfully removes them, who knows what it's left behind? If it is an option (even though you prefer not to), I would suggest you do a clean install. Immediately after all of your must-have programs and drivers are installed, make a backup image with Acronis True Image or Norton Ghost that you can fall back on. I would also suggest updating said backups frequently.
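
A read-only audit of the two keys named in the answer above, added here as an example (it is not part of the original answer). It assumes PowerShell is installed on the machine, that the third entry is the per-user `Hidden` value under `HKCU`, and that the expected numbers are the stock Windows defaults, which should be confirmed against a known-clean machine.

```powershell
# Added example: read-only audit of the Explorer "hidden files" settings.
# Expected values are the stock Windows defaults (assumption: confirm on a clean machine).
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'
$checks = @(
    @{ Path = "$base\SHOWALL";  Name = 'CheckedValue'; Expected = 1 },
    @{ Path = "$base\SHOWALL";  Name = 'DefaultValue'; Expected = 2 },
    @{ Path = "$base\NOHIDDEN"; Name = 'CheckedValue'; Expected = 2 },
    @{ Path = "$base\NOHIDDEN"; Name = 'DefaultValue'; Expected = 2 }
)

$results = foreach ($c in $checks) {
    $status = 'OK'; $value = $null; $kind = $null
    $key = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
    if (-not $key) {
        $status = 'KEY MISSING'
    } elseif ($key.GetValueNames() -notcontains $c.Name) {
        $status = 'VALUE MISSING'
    } else {
        $value = $key.GetValue($c.Name)
        $kind  = $key.GetValueKind($c.Name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            # A value stored as a string instead of a DWORD is a sign of tampering.
            $status = 'WRONG TYPE'
        } elseif ($value -ne $c.Expected) {
            $status = 'UNEXPECTED VALUE'
        }
    }
    New-Object PSObject -Property @{
        Key = Split-Path $c.Path -Leaf; Name = $c.Name; Kind = $kind
        Value = $value; Expected = $c.Expected; Status = $status
    }
}
$results | Format-Table Key, Name, Kind, Value, Expected, Status -AutoSize

# Per-user setting that the Folder Options dialog writes (assumed to be the third entry).
$userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$user = Get-ItemProperty -Path $userKey -Name Hidden -ErrorAction SilentlyContinue
"Per-user Hidden = $($user.Hidden)  (1 = show hidden files, 2 = do not show)"

# Summary line: anything other than OK deserves a closer look.
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
"{0} of {1} machine-wide values deviate from the expected defaults" -f $bad.Count, $checks.Count
```

The script only reads the registry. Running it before and after toggling the setting in Folder Options shows whether the machine-wide values or only the per-user value is being changed.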

  • JFV

    How many explorer.exe's are running? If there's more than one, then I'd be pretty certain that there's still something in the system.

    Even if there's only one Explorer.exe, try killing all the Explorer.exe's in Task Manager and start it up again. Then see if the same issue happens.

    -JFV