What for?
This is a very effective tool detecting "masked" Trojans.
These Trojans use the same names as the legitimate programs, but are located in different folders. As a result a user does not suspect deception.
For example: "explorer.exe" is always located in the Windows folder.
The dangerous program can use the full names "c:\windows\system\explorer.exe".
Do you want to know more?
You see: "explorer.exe" in the Windows startup. You have two files with "explorer.exe" name. One in the Windows folder and other in the root of drive C.
Which file will be executed? You would be surprised but sometimes the first will be "c:\explorer.exe". This error was fixed in the later Windows versions. But you should be sure that you launch a file that you want to execute.
How it works?
Substitution Detector uses information about the right location of the often-attacked filenames. It compares the real path to the executed file with the stored file path. If they are not equal the user is notified.
How to remove Trojan?
A user has an option to fix the problem. The fixing changes the path of the startup file to right path. Restart the computer is required.
The Trojan program will not be launched at the next Windows startup.
Problems?
If the Trojan program is running it can detect the changes in Windows startup and come back again.
Click on "More Info" button to check if a process is running.
Click on the "Stop it" button to kill a process.
After that you can delete the Trojan by Windows Explorer and fix the substitution problem.
Click on the "Fix it!" button.