Please add the feature to check the shell values in all "Windows NT\CurrentVersion\Winlogon" keys.
Many new trojans add entries like shell="explorer.exe, %UserProfile%\AppData\Skype.dat"
need to figure out how to encrypt the reg entries to add more
Hi Frank, I checked this again and this specific key on exist under HKLM, so I do not see the need to check others HK since it only exist under HKLM and malware just modify this existing key.
Log in to post a comment.