[FUTURE DAF FEATURE] TheNotifier

[DjLizard]

I'm working on a prototype program that will (eventually) help fight one type of spyware infection - it's called TheNotifier, and it targets Winlogon/Notify attacks.

Download: TheNotifier v0.0.0.33 (242KB, *.exe)

Changelog: DjLizard.net

I need everyone who uses Windows 2000 Professional, XP, Server 2003, or Vista to run this program. All it does (for now) is:

• Lists all Winlogon/Notify entries
• Lets you jump to a Winlogon/Notify registry entry
• Allows you to filter out the “known-good” entries

1. What I need people to do is:


2. Click "Known-good".
3. Reply to this thread and let me know the Key and the DLLName of anything that still shows up (unless someone has already mentioned yours)

Edit: if you get nothing, you don't have to post to say it

Thanks!

[Monkey Proof]

nothing showed on my end.

[Tarun]

All clear here.

[lokoike]

Sorry, nothing on this end either.

I will say that I like the "Jump to Key" button. Nifty lil' feature. :P

[MrT]

EDIT

[greenknight]

I agree with lokoike, that "Jump to key" button is cool.

I'm not gonna tell ya about not finding anything.

[Capman]

I'm not gonna tell ya about not finding anything.

<{POST_SNAPBACK}>

Likewise. :P

[DjLizard]

hurrrrr

[krit86lr]

hurrrrr

<{POST_SNAPBACK}>

I'll use it on all of the PCs at work. I'm sure lots of stuff will show up. lmao

[DjLizard]

Updated first post with a new version and the changelog link.

Check it out! :sick:

[greenknight]

Tried out the new version - found more nothing. Didn't find any AppInit_DLLs even with none hidden.

[DjLizard]

It's pretty rare that you'd see anything in AppInit_DLLs. There are only a few known legitimate entries for it, which I'll be building into the program shortly.

[TonyKlein]

Hi all!

Nothing out of the ordinary here either.

... and may I suggest two other keys that would qualify for inclusion:

HKEY_LOCAL_MACHINE (and HKCU)\Software\Microsoft\Windows\Currentversion\Shellserviceobjectdelayload

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Sharedtaskscheduler

[DjLizard]

For now, I'm targeting things that can run even in safe mode. Do either of those keys pose a threat if you're in safe mode? I am considering lots more tabs :sick:

[TonyKlein]

I rather think ShellServiceObjectDelayLoad works in Safe Mode; As Explorer.exe is the shell, it will start, loading all dlls registered under this key

SharedTaskScheduler I haven't tested. but possibly as well

What both (especially SSODL) have in common with Notify and AppInit_dlls is that all are used by legitimate apps as well as malware, making the, good candidates for your app, I would think

You familiar with my "Collection of Autostart Locations" ?

[DjLizard]

Ok, I should be more specific - which will run even within "Safe mode command prompt only"?

AppInit_DLLs and Winlogon both attack early, and will keep you infected even within S.M.C.P.O..

Since most programs can easily target and delete files that belong to all of the other autostart sections, I am not concerned unless there is a file that can't be deleted from within Safe mode w/command prompt. I have a Native API program on the way that is able to schedule the deletion of Winlogon/etc entries - this is going to beat the pants off having to delete the file from some other environment

edit: Winlogon\System is next.

[TonyKlein]

Did you get a chance of looking at Swandog46's Avenger?

http://swandog46.geekstogo.com/avengernotes.htm

It does a great job removing files that are notoriously difficult to get rid of any other way

[MrT]

any mission sir?

[TonyKlein]

Erm.. no, not particularly, other than to learn and to share.

Have one yourself? :sick:

[krit86lr]

Well I thought that for sure something would show up on one of the machines here, but no-go dude. I know that you didn't want want posts if nothing showed up, but I wanted to post anyway. :sick:

[DjLizard]

A very large number of known entries has been whitelisted, so there's not even much left to find (except spyware )

[krit86lr]

(except spyware )

<{POST_SNAPBACK}>

yeah...that's why I though something would show up here. :lol:

[DjLizard]

TheNotifier is now v0.0.0.33. It is now fully Unicode.

 

[Haze]

I got one dll which came up:

App management - c:\windows\system32\nctevent.dll

[DjLizard]

That's an actual infection. It seems to belong to Look2Me.

http://www.atribune.org/content/view/28/