Windows Explorer DLL Redirection is a new, dangerous Windows startup hole

History of the problem:

Recently the Greatis security team tested the W32/Almanahe.c virus.
A detailed description of the virus can be found here:
http://www.greatis.com/appdata/d/n/nvmini.sys.htm

The virus uses several ways of starting automatically at Windows boot:

  •  Driver;
  •  Autorun.inf on the hard drive;
  •  File infection.
But we found that the virus also uses a new Windows startup hole, one not detected by RegRun/UnHackMe.
The virus creates the file "linkinfo.dll" and puts it into the Windows folder.
The genuine "linkinfo.dll", made by Microsoft, is stored in the Windows\System32 folder.

Why does the Windows shell "explorer.exe" load "linkinfo.dll" from a non-standard place?

Good question!
We examined the file and registry changes made by the virus and found nothing that would explain it.
Then we put the virus file "linkinfo.dll" into the Windows folder on a clean computer and found that explorer.exe loads the infected version of "linkinfo.dll".
We also copied the genuine "linkinfo.dll" from the System32 folder to the Windows folder and saw that explorer.exe again uses the "linkinfo.dll" from the Windows folder.


Why is it dangerous?

A computer may be infected simply by copying the virus file into the Windows folder, without any change to the system settings (registry or configuration files) and without modifying any Windows system file.
A Trojan needs write access to the Windows folder, but that is usually not an obstacle: power users and administrators have full rights to the Windows folder.
Windows File Protection does not help you, because the genuine system file is never touched.


Affected Systems

Windows 2000, XP (SP1, SP2, SP3), 2003, Vista (SP1), 2008 Server.
Vista's UAC prevents a standard user from creating files in the Windows folder, but it may be easily bypassed.


Technical Details

Microsoft MSDN information:

"The standard DLL search order:
  1. The directory from which the application loaded.
  2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path."

We can see that the first place where "explorer.exe" searches for a DLL is the directory from which the application was loaded.
But explorer.exe is stored in the Windows folder.
That is the source of the problem!

Explorer.exe searches for the DLL in its own folder first: the Windows folder.
This is not a local problem with linkinfo.dll only!

We investigated the DLLs loaded by explorer.exe at Windows boot and found that 20 DLLs under Windows XP and 46 DLLs under Windows Vista may be redirected in this way.
We do not publish the list of affected DLLs, but anyone can easily obtain it with their own investigation.


Removal

RegRun 5.8 and UnHackMe 4.8 automatically detect redirected DLLs and allow you to remove them from your computer while running "Scan for Viruses".


Protection

The proper fix is for the Windows developers to close the security hole in explorer.exe.

Until then, we offer a workaround.

The Windows registry key
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
contains the list of DLLs "known" to the system.

The DllDirectory value contains the path to the folder where those DLLs are stored; by default it is the Windows\System32 folder.

If we add the redirected DLL names to the KnownDLLs registry key, "explorer.exe" will load those DLLs from the right place, because a known DLL is taken from DllDirectory and is never searched for in the application folder.

Raymond Chen of Microsoft wrote an article, "The Known DLLs Balancing Act", in which he warns against changing the KnownDLLs registry key because it may affect system performance.

We tested performance in Windows 2000/XP/Vista after adding the investigated DLL names to KnownDLLs and found no problems with system boot or performance.
But you should know that you use this protection method at your own risk.
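As an added illustration for both the search-order discussion above and the KnownDLLs workaround (this is example code written for this page, not Greatis code and not the Windows loader itself), the following Python model walks the MSDN search order quoted earlier, shows how a copy of linkinfo.dll placed in the Windows folder wins over the genuine one in System32 for an executable that lives in the Windows folder, lists the DLL names that could be redirected that way, and shows how a KnownDLLs entry short-circuits the search. The temporary directory layout, file contents and function names (resolve_dll, shadowed_dlls, build_layout, demo) are constructed for the example; the 16-bit system directory step is left out.

```python
"""Model of the Windows DLL search order with the KnownDLLs short-circuit.

Added example, not Greatis code and not the real loader: the directory
layout and file contents below are constructed in a temporary folder.
"""
import shutil
import tempfile
from pathlib import Path


def resolve_dll(name, app_dir, system_dir, windows_dir, cwd, path_dirs,
                known_dlls=(), dll_directory=None):
    """Return the path the loader would pick for `name`, or None.

    Mirrors the MSDN order quoted in the article: application directory,
    system directory, (16-bit system directory omitted), Windows directory,
    current directory, PATH.  A name listed in KnownDLLs is taken straight
    from DllDirectory and never searched for, which is the workaround.
    """
    if name.lower() in {k.lower() for k in known_dlls}:
        return Path(dll_directory or system_dir) / name
    for directory in [app_dir, system_dir, windows_dir, cwd, *path_dirs]:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def shadowed_dlls(app_dir, system_dir):
    """DLL names present in both the application directory and System32.

    For an executable living in app_dir, every name in this set would be
    loaded from app_dir instead of System32; a hit is worth inspecting, but
    is not by itself proof of infection.
    """
    app_names = {p.name.lower() for p in Path(app_dir).glob("*.dll")}
    sys_names = {p.name.lower() for p in Path(system_dir).glob("*.dll")}
    return sorted(app_names & sys_names)


def build_layout(root):
    """Constructed stand-in for %SystemRoot%: explorer.exe in the Windows
    folder and the genuine linkinfo.dll in System32."""
    windows = Path(root) / "Windows"
    system32 = windows / "System32"
    system32.mkdir(parents=True)
    (windows / "explorer.exe").write_bytes(b"MZ explorer stand-in")
    (system32 / "linkinfo.dll").write_bytes(b"MZ genuine linkinfo")
    return windows, system32


def demo():
    """Run the four scenarios and report which folder each load came from."""
    root = tempfile.mkdtemp()
    try:
        windows, system32 = build_layout(root)
        args = dict(app_dir=windows, system_dir=system32, windows_dir=windows,
                    cwd=root, path_dirs=[])
        # 1. Clean machine: only System32 holds linkinfo.dll.
        clean = resolve_dll("linkinfo.dll", **args)
        # 2. A same-named copy dropped into the Windows folder (constructed).
        (windows / "linkinfo.dll").write_bytes(b"MZ planted copy")
        planted = resolve_dll("linkinfo.dll", **args)
        # 3. Detection: names that exist in both folders.
        found = shadowed_dlls(windows, system32)
        # 4. Workaround: the name is listed in KnownDLLs, so no search runs.
        protected = resolve_dll("linkinfo.dll", **args,
                                known_dlls=["linkinfo.dll"],
                                dll_directory=system32)
        return {
            "clean": clean.parent.name,         # 'System32'
            "planted": planted.parent.name,     # 'Windows'
            "shadowed": found,                  # ['linkinfo.dll']
            "protected": protected.parent.name  # 'System32'
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine the same check is `shadowed_dlls(os.environ["SystemRoot"], os.path.join(os.environ["SystemRoot"], "System32"))`; treat the result as a list of files to verify (publisher signature, hash against a known-good copy), not as a verdict.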

How to set up protection?


  1. Open RegRun Start Control or Reanimator.
  2. Open "Reanimator" in the main menu and choose the "Protect" item.
  3. Click on the Protect button.
RegRun automatically makes a backup of the current KnownDLLs registry key under:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs-

To restore from the backup, open the "Protect" window as described above and click the "Unprotect" button.
Alternatively, you may use your registry editor to restore the backup key.



Conclusion

Download RegRun Reanimator (free of charge, no ads):

http://www.greatis.com/reanimator.zip

We suggest using RegRun Platinum Edition to be sure that you are clean!

Good luck!

Dmitry Sokolov

