DjLizard, posted June 22, 2006:

I'm working on a prototype program that will (eventually) help fight one type of spyware infection - it's called TheNotifier, and it targets Winlogon/Notify attacks.

Download: TheNotifier v0.0.0.33 (242KB, *.exe)
Changelog: DjLizard.net

I need everyone who uses Windows 2000 Professional, XP, Server 2003, or Vista to run this program. All it does (for now) is:

- Lists all Winlogon/Notify entries
- Lets you jump to a Winlogon/Notify registry entry
- Allows you to filter out the "known-good" entries

What I need people to do is:

1. Click "Known-good".
2. Reply to this thread and let me know the Key and the DLLName of anything that still shows up (unless someone has already mentioned yours).

Edit: if you get nothing, you don't have to post to say it.

Thanks!
lokoike, posted June 23, 2006:

Sorry, nothing on this end either. I will say that I like the "Jump to Key" button. Nifty lil' feature. :P

greenknight, posted June 23, 2006:

I agree with lokoike, that "Jump to key" button is cool. I'm not gonna tell ya about not finding anything.

Capman, posted June 23, 2006:

> I'm not gonna tell ya about not finding anything.

Likewise. :P

krit86lr, posted June 25, 2006:

> hurrrrr

I'll use it on all of the PCs at work. I'm sure lots of stuff will show up. lmao
DjLizard (author), posted June 26, 2006:

Updated first post with a new version and the changelog link. Check it out! :sick:

greenknight, posted June 26, 2006:

Tried out the new version - found more nothing. Didn't find any AppInit_DLLs even with none hidden.

DjLizard (author), posted June 26, 2006:

It's pretty rare that you'd see anything in AppInit_DLLs. There are only a few known legitimate entries for it, which I'll be building into the program shortly.
TonyKlein, posted June 26, 2006:

Hi all! Nothing out of the ordinary here either.

... and may I suggest two other keys that would qualify for inclusion:

- HKEY_LOCAL_MACHINE (and HKCU)\Software\Microsoft\Windows\Currentversion\Shellserviceobjectdelayload
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Sharedtaskscheduler

DjLizard (author), posted June 26, 2006:

For now, I'm targeting things that can run even in safe mode. Do either of those keys pose a threat if you're in safe mode? I am considering lots more tabs :sick:

TonyKlein, posted June 26, 2006:

I rather think ShellServiceObjectDelayLoad works in Safe Mode; as Explorer.exe is the shell, it will start, loading all DLLs registered under this key. SharedTaskScheduler I haven't tested, but possibly as well.

What both (especially SSODL) have in common with Notify and AppInit_DLLs is that all are used by legitimate apps as well as malware, making them good candidates for your app, I would think.

You familiar with my "Collection of Autostart Locations"?

DjLizard (author), posted June 26, 2006:

Ok, I should be more specific - which will run even within "Safe mode command prompt only"? AppInit_DLLs and Winlogon both attack early, and will keep you infected even within S.M.C.P.O. Since most programs can easily target and delete files that belong to all of the other autostart sections, I am not concerned unless there is a file that can't be deleted from within Safe mode w/command prompt. I have a Native API program on the way that is able to schedule the deletion of Winlogon/etc entries - this is going to beat the pants off having to delete the file from some other environment.

edit: Winlogon\System is next.
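The thread above describes what TheNotifier does (list Winlogon\Notify entries, resolve their DLLName, hide the known-good ones) and then names three further load points worth the same treatment: AppInit_DLLs, ShellServiceObjectDelayLoad and SharedTaskScheduler. The script below is an added example written for this page, not TheNotifier's own code and not DjLizard's whitelist: it enumerates all four locations from PowerShell, resolves each entry to a DLL on disk (for the two CLSID-based keys, by reading the object's InprocServer32 default value), and prints whatever is not on a known-good list. The two known-good tables are assumptions for illustration; they hold the stock Windows XP/2003 entries as the editor knows them and should be reviewed against your own build before you trust what they hide.

```powershell
# Added example, not TheNotifier's own code: enumerate the autostart
# locations discussed in this thread (Winlogon\Notify, AppInit_DLLs,
# ShellServiceObjectDelayLoad, SharedTaskScheduler), resolve each entry
# to a DLL on disk, and report what is not on a known-good list.
# The known-good tables are an ASSUMPTION for illustration: they list the
# stock Windows XP/2003 entries as I know them; adjust them for your estate.

$KnownGoodNotify = @{                 # Notify subkey name -> expected DLLName
    'crypt32chain' = 'crypt32.dll';  'cryptnet'   = 'cryptnet.dll'
    'cscdll'       = 'cscdll.dll';   'ScCertProp' = 'wlnotify.dll'
    'Schedule'     = 'wlnotify.dll'; 'sclgntfy'   = 'sclgntfy.dll'
    'SensLogn'     = 'WlNotify.dll'; 'termsrv'    = 'wlnotify.dll'
    'wlballoon'    = 'wlnotify.dll'
}
# DLL file names that normally host the stock SSODL / SharedTaskScheduler objects
$KnownGoodShellDlls = @('shell32.dll', 'stobject.dll', 'webcheck.dll', 'browseui.dll')

function Resolve-DllPath([string]$Name) {
    # A bare file name is loaded from System32; a rooted path is used as given.
    if ([string]::IsNullOrWhiteSpace($Name)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Name.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        $expanded = Join-Path ([Environment]::SystemDirectory) $expanded
    }
    if (Test-Path -LiteralPath $expanded -PathType Leaf) { $expanded } else { $null }
}

function New-Entry($Location, $Key, $Dll, $KnownGood) {
    $path = Resolve-DllPath $Dll
    [pscustomobject]@{
        Location = $Location; Key = $Key; DLLName = $Dll
        Path = $path; Exists = [bool]$path; KnownGood = [bool]$KnownGood
    }
}

function Get-NotifyEntries {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $base)) { return }
    foreach ($sub in Get-ChildItem -Path $base) {
        $dll = (Get-ItemProperty -Path $sub.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        $expected = $KnownGoodNotify[$sub.PSChildName]
        # Known-good only when both the subkey name and its DLLName match the table
        $good = $expected -and $dll -and ([IO.Path]::GetFileName($dll) -ieq $expected)
        New-Entry 'Winlogon\Notify' $sub.PSChildName $dll $good
    }
}

function Get-AppInitEntries {
    # AppInit_DLLs is a space- or comma-separated list; every entry is worth a look
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $raw = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    foreach ($dll in ($raw -split '[\s,]+' | Where-Object { $_ })) {
        New-Entry 'AppInit_DLLs' 'AppInit_DLLs' $dll $false
    }
}

function Get-ClsidDll([string]$Clsid) {
    # The COM object's DLL is the (default) value of its InprocServer32 key
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $p = "$hive\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
        if (Test-Path $p) { return (Get-ItemProperty -Path $p).'(default)' }
    }
}

function Get-ShellObjectEntries {
    $targets = @(
        @{ Loc = 'SSODL'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'; NameIsClsid = $false },
        @{ Loc = 'SharedTaskScheduler'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'; NameIsClsid = $true }
    )
    foreach ($t in $targets) {
        foreach ($hive in 'HKLM:', 'HKCU:') {
            $key = "$hive\$($t.Path)"
            if (-not (Test-Path $key)) { continue }
            $item = Get-Item $key
            foreach ($name in ($item.GetValueNames() | Where-Object { $_ })) {
                # SSODL maps name -> CLSID; SharedTaskScheduler maps CLSID -> description
                $clsid = if ($t.NameIsClsid) { $name } else { $item.GetValue($name) }
                $dll = Get-ClsidDll $clsid
                $good = $dll -and ($KnownGoodShellDlls -contains [IO.Path]::GetFileName($dll))
                New-Entry "$hive\$($t.Loc)" "$name ($clsid)" $dll $good
            }
        }
    }
}

function Get-SuspectAutostarts {
    # Everything not whitelisted, including entries whose DLL no longer exists on disk
    @(Get-NotifyEntries) + @(Get-AppInitEntries) + @(Get-ShellObjectEntries) |
        Where-Object { -not $_.KnownGood }
}

Get-SuspectAutostarts | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; the `Exists` column matters because a Notify or AppInit entry whose DLL is already gone still shows the infection's footprint, and a whitelist keyed on subkey name alone would be fooled by a hostile DLLName under a legitimate-looking key, which is why the Notify check requires both to match.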
TonyKlein, posted June 26, 2006:

Did you get a chance of looking at Swandog46's Avenger? http://swandog46.geekstogo.com/avengernotes.htm

It does a great job removing files that are notoriously difficult to get rid of any other way.

TonyKlein, posted June 27, 2006:

Erm.. no, not particularly, other than to learn and to share. Have one yourself? :sick:

krit86lr, posted June 27, 2006:

Well I thought that for sure something would show up on one of the machines here, but no-go dude. I know that you didn't want posts if nothing showed up, but I wanted to post anyway. :sick:

DjLizard (author), posted June 27, 2006:

A very large number of known entries has been whitelisted, so there's not even much left to find (except spyware).

krit86lr, posted June 27, 2006:

> (except spyware)

yeah...that's why I thought something would show up here. :lol:

DjLizard (author), posted June 29, 2006:

TheNotifier is now v0.0.0.33. It is now fully Unicode.

Haze, posted June 30, 2006:

I got one dll which came up: App management - c:\windows\system32\nctevent.dll

DjLizard (author), posted June 30, 2006:

That's an actual infection. It seems to belong to Look2Me. http://www.atribune.org/content/view/28/