
I have reason to believe that I may have malware on my system in the form of an Explorer extension. I suspect this because Procmon shows that Explorer.exe keeps re-writing a certain Registry key that is intended to run a certain EXE at startup.

How do I find out what Explorer extensions are installed, and how do I remove them?

Timwi

5 Answers

My personal favorite is Autoruns from Sysinternals (Microsoft). It goes well beyond just shell extensions and covers tons of areas where third party code can run.

Assuming you've done a virus scan and it didn't catch it, you might want to watch this excellent video from Mark Russinovich on advanced malware cleaning techniques.

mceda
Josh

ShellMenuView is a small utility that displays the list of static menu items that appear in the context menu when you right-click a file/folder in Windows Explorer, and allows you to easily disable unwanted menu items.

Shell Extensions are in-process COM objects which extend the abilities of the Windows operating system. Most shell extensions are automatically installed by the operating system, but there are also many other applications that install additional shell extension components. For example: if you install WinZip on your computer, you'll see a special WinZip menu when you right-click on a Zip file. This menu is created by adding a shell extension to the system.

The ShellExView utility displays the details of shell extensions installed on your computer, and allows you to easily disable and enable each shell extension.


therube

CCleaner also has a feature to clean up the context menu.

It's found under Tools -> Startup -> Context Menu


Check this location in the registry and see if there is a sub-key called 'Blocked'. I found my sharing tabs disappeared because the CLSID was located there:

\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked

I suppose if you want to block a shell extension, that's a good place to do it since it's pretty darned effective and pretty unknown it seems. Only one of my machines had that sub-key and I had never heard of it before.

Worthwelle
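As an added example (not code from any answer on this page) that ties the Approved and Blocked keys to the DLLs Explorer actually loads: this PowerShell script lists each shell extension CLSID registered under the Approved key, resolves it to its InProcServer32 DLL, checks the DLL's Authenticode signature, notes whether the CLSID is also in Blocked, and flags anything not validly signed by Microsoft. It assumes the standard registry layout described in the answers above and an elevated prompt.

```powershell
# Added example: inventory approved/blocked shell extensions and flag
# unsigned or non-Microsoft DLLs for manual review (e.g. in Autoruns).
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions'

# Value names under Blocked are CLSIDs that Explorer refuses to load.
$blocked = @{}
if (Test-Path "$base\Blocked") {
    (Get-Item "$base\Blocked").GetValueNames() | ForEach-Object { $blocked[$_] = $true }
}

function Resolve-ShellExtension {
    param([string]$Clsid, [string]$Description)
    # The default value of CLSID\{guid}\InProcServer32 is the DLL Explorer loads.
    # HKEY_CLASSES_ROOT already merges HKLM and HKCU Software\Classes.
    $dll = $null
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32"
    if (Test-Path $key) {
        $dll = (Get-ItemProperty $key).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
    }
    $status = 'missing'; $signer = ''
    if ($dll -and (Test-Path $dll)) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        CLSID       = $Clsid
        Description = $Description
        Dll         = $dll
        Signature   = $status
        Signer      = $signer
        Blocked     = $blocked.ContainsKey($Clsid)
        # Start the review with anything not validly signed by Microsoft.
        Suspect     = -not ($status -eq 'Valid' -and $signer -like '*Microsoft*')
    }
}

$approved = Get-Item "$base\Approved"
$approved.GetValueNames() |
    ForEach-Object { Resolve-ShellExtension -Clsid $_ -Description $approved.GetValue($_) } |
    Sort-Object Suspect -Descending |
    Format-Table CLSID, Description, Dll, Signature, Blocked, Suspect -AutoSize
```

The Approved key is not an exhaustive registry of handlers (a context-menu handler can also be registered directly under a shellex\ContextMenuHandlers key), so treat this as a first pass and cross-check with Autoruns or ShellExView, which walk those keys as well.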
  1. Get Process Explorer.
  2. Use Process Explorer to suspend any suspect processes to stop them from writing to the registry.
  3. Get Autoruns.
  4. Use the Autoruns to look at everything that gets loaded at start up, into Explorer and Internet Explorer and shut down any suspect services (non-Microsoft).
  5. Find Google Updater, Adobe Updater and Flash Utils processes and rename and stop them from running.
Worthwelle
jimjim