Jump to content

[FUTURE DAF FEATURE] TheNotifier


DjLizard

Recommended Posts

I'm working on a prototype program that will (eventually) help fight one type of spyware infection - it's called TheNotifier, and it targets Winlogon/Notify attacks.

Download: TheNotifier v0.0.0.33 (242KB, *.exe)

Changelog: DjLizard.net

I need everyone who uses Windows 2000 Professional, XP, Server 2003, or Vista to run this program. All it does (for now) is:

  • Lists all Winlogon/Notify entries
  • Lets you jump to a Winlogon/Notify registry entry
  • Allows you to filter out the “known-good” entries

  1. What I need people to do is:

  2. Click "Known-good".
  3. Reply to this thread and let me know the Key and the DLLName of anything that still shows up (unless someone has already mentioned yours)

Edit: if you get nothing, you don't have to post to say it :P

Thanks! :P

Link to comment
Share on other sites

Hi all! :sick:

Nothing out of the ordinary here either.

... and may I suggest two other keys that would qualify for inclusion:

HKEY_LOCAL_MACHINE (and HKCU)\Software\Microsoft\Windows\Currentversion\Shellserviceobjectdelayload

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Sharedtaskscheduler

Link to comment
Share on other sites

I rather think ShellServiceObjectDelayLoad works in Safe Mode; As Explorer.exe is the shell, it will start, loading all dlls registered under this key

SharedTaskScheduler I haven't tested. but possibly as well

What both (especially SSODL) have in common with Notify and AppInit_dlls is that all are used by legitimate apps as well as malware, making the, good candidates for your app, I would think :sick:

You familiar with my "Collection of Autostart Locations" ?

Link to comment
Share on other sites

Ok, I should be more specific - which will run even within "Safe mode command prompt only"? :sick:

AppInit_DLLs and Winlogon both attack early, and will keep you infected even within S.M.C.P.O..

Since most programs can easily target and delete files that belong to all of the other autostart sections, I am not concerned unless there is a file that can't be deleted from within Safe mode w/command prompt. I have a Native API program on the way that is able to schedule the deletion of Winlogon/etc entries - this is going to beat the pants off having to delete the file from some other environment :lol:

edit: Winlogon\System is next.

Link to comment
Share on other sites

Well I thought that for sure something would show up on one of the machines here, but no-go dude. I know that you didn't want want posts if nothing showed up, but I wanted to post anyway. :sick:

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...