
[FUTURE DAF FEATURE] TheNotifier


DjLizard


Posted

I'm working on a prototype program that will (eventually) help fight one type of spyware infection - it's called TheNotifier, and it targets Winlogon/Notify attacks.

Download: TheNotifier v0.0.0.33 (242KB, *.exe)

Changelog: DjLizard.net

I need everyone who uses Windows 2000 Professional, XP, Server 2003, or Vista to run this program. All it does (for now) is:

  • Lists all Winlogon/Notify entries
  • Lets you jump to a Winlogon/Notify registry entry
  • Allows you to filter out the “known-good” entries

What I need people to do is:

  1. Click "Known-good".
  2. Reply to this thread and let me know the Key and the DLLName of anything that still shows up (unless someone has already mentioned yours).

Edit: if you get nothing, you don't have to post to say it :P

Thanks! :P
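For readers who want to reproduce what the tool does in a script, here is an added PowerShell example (editor's code, not DjLizard's TheNotifier): it enumerates every Winlogon\Notify subkey, reads its DLLName, and reports anything not on a baseline list, which is the same pair of operations the "Known-good" button performs. The baseline hashtable is an assumption (the entries commonly shipped with Windows XP); extend it with whatever this thread establishes as known-good. The script is read-only and never changes the registry.

```powershell
# Added example, not part of TheNotifier. Read-only: nothing here writes to the registry.
# Lists Winlogon\Notify subkeys (Key + DLLName) and filters them against a baseline.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# ASSUMED baseline (subkey name -> DLLName), the entries commonly seen on Windows XP.
# PowerShell hashtable literals compare keys case-insensitively, which suits registry names.
$KnownGoodNotify = @{
    'crypt32chain' = 'crypt32.dll'
    'cryptnet'     = 'cryptnet.dll'
    'cscdll'       = 'cscdll.dll'
    'ScCertProp'   = 'wlnotify.dll'
    'Schedule'     = 'wlnotify.dll'
    'sclgntfy'     = 'sclgntfy.dll'
    'SensLogn'     = 'WlNotify.dll'
    'termsrv'      = 'wlnotify.dll'
    'wlballoon'    = 'wlnotify.dll'
}

function Resolve-NotifyDll {
    # A bare file name is found through the normal DLL search order; System32 is where
    # the Windows-shipped ones live, so that is the path we check for existence.
    param([string]$DllName)
    if ([string]::IsNullOrEmpty($DllName)) { return $null }
    if ([System.IO.Path]::IsPathRooted($DllName)) { return $DllName }
    return Join-Path (Join-Path $env:SystemRoot 'System32') $DllName
}

function Get-WinlogonNotify {
    if (-not (Test-Path -LiteralPath $NotifyKey)) { return @() }
    foreach ($sub in Get-ChildItem -LiteralPath $NotifyKey) {
        $dll    = (Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue).DLLName
        $path   = Resolve-NotifyDll $dll
        $onDisk = $false
        if ($path) { $onDisk = Test-Path -LiteralPath $path }
        # Both the subkey name AND the DLLName must match the baseline: a familiar key name
        # pointing at an unfamiliar DLL is exactly the case worth reporting.
        $good = $KnownGoodNotify.ContainsKey($sub.PSChildName) -and
                ($KnownGoodNotify[$sub.PSChildName] -ieq $dll)
        [pscustomobject]@{
            Key       = $sub.PSChildName
            DLLName   = $dll
            Path      = $path
            OnDisk    = $onDisk
            KnownGood = [bool]$good
        }
    }
}

# Full listing first, then only what survives the "Known-good" filter.
$all = Get-WinlogonNotify
$all | Format-Table Key, DLLName, OnDisk, KnownGood -AutoSize
$all | Where-Object { -not $_.KnownGood } | Format-Table Key, DLLName, Path -AutoSize
```

The second table is what you would paste into a reply: the Key and DLLName of anything the baseline does not account for. An entry whose DLL is missing on disk (OnDisk is false) is also worth noting, since a dangling Notify entry can be left behind by a half-removed infection.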

Posted

I agree with lokoike, that "Jump to key" button is cool.

I'm not gonna tell ya about not finding anything.

Posted

hurrrrr


I'll use it on all of the PCs at work. I'm sure lots of stuff will show up. lmao

Posted

It's pretty rare that you'd see anything in AppInit_DLLs. There are only a few known legitimate entries for it, which I'll be building into the program shortly.

Posted

Hi all! :sick:

Nothing out of the ordinary here either.

... and may I suggest two other keys that would qualify for inclusion:

HKEY_LOCAL_MACHINE (and HKCU)\Software\Microsoft\Windows\Currentversion\Shellserviceobjectdelayload

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Sharedtaskscheduler
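The two keys suggested above, plus the AppInit_DLLs value mentioned earlier in the thread, have a different layout from Winlogon\Notify, so here is a second added PowerShell example (editor's code, not the tool's) that dumps all three. AppInit_DLLs is a single string of DLL names; ShellServiceObjectDelayLoad and SharedTaskScheduler hold CLSIDs, so the script resolves each CLSID to the DLL registered under its InprocServer32 key, which is what Explorer actually loads. Key paths are the ones named in this thread; the script is read-only.

```powershell
# Added example, not part of TheNotifier. Read-only.
# Dumps AppInit_DLLs and the two CLSID-based Explorer autostart keys suggested in
# this thread, resolving each CLSID to the in-process DLL it names.

$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$ClsidKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
)

function Get-AppInitDlls {
    # One REG_SZ holding zero or more DLL names separated by spaces or commas.
    # An empty value is the normal state, so most machines return nothing here.
    $raw = (Get-ItemProperty -LiteralPath $AppInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    foreach ($dll in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        [pscustomobject]@{ Source = 'AppInit_DLLs'; Name = $dll; Clsid = $null; Dll = $dll }
    }
}

function Resolve-Clsid {
    # The CLSID's InprocServer32 default value names the DLL that gets loaded.
    param([string]$Clsid)
    if ([string]::IsNullOrEmpty($Clsid)) { return $null }
    $p = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $p)) { return $null }
    return (Get-ItemProperty -LiteralPath $p).'(default)'
}

function Get-ClsidAutostarts {
    foreach ($key in $ClsidKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # Skip the PSPath/PSDrive/... bookkeeping properties Get-ItemProperty adds.
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            [pscustomobject]@{
                Source = $key
                Name   = $prop.Name
                Clsid  = [string]$prop.Value
                Dll    = Resolve-Clsid ([string]$prop.Value)
            }
        }
    }
}

Get-AppInitDlls      | Format-Table Source, Name, Dll -AutoSize
Get-ClsidAutostarts  | Format-Table Source, Name, Clsid, Dll -AutoSize
```

A CLSID that resolves to no InprocServer32 DLL (Dll is empty) is either a stale entry or a registration that lives somewhere unusual; either way it is the row to look at first, since a legitimate shell service object normally resolves cleanly to a DLL in the Windows directory.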

Posted

For now, I'm targeting things that can run even in safe mode. Do either of those keys pose a threat if you're in safe mode? I am considering lots more tabs :sick:

Posted

I rather think ShellServiceObjectDelayLoad works in Safe Mode; as Explorer.exe is the shell, it will start, loading all DLLs registered under this key.

SharedTaskScheduler I haven't tested, but possibly as well.

What both (especially SSODL) have in common with Notify and AppInit_DLLs is that all are used by legitimate apps as well as malware, making them good candidates for your app, I would think :sick:

Are you familiar with my "Collection of Autostart Locations"?

Posted

Ok, I should be more specific - which will run even within "Safe mode command prompt only"? :sick:

AppInit_DLLs and Winlogon both attack early, and will keep you infected even within S.M.C.P.O.

Since most programs can easily target and delete files that belong to all of the other autostart sections, I am not concerned unless there is a file that can't be deleted from within Safe mode w/command prompt. I have a Native API program on the way that is able to schedule the deletion of Winlogon/etc entries - this is going to beat the pants off having to delete the file from some other environment :lol:

edit: Winlogon\System is next.

Posted

Well I thought that for sure something would show up on one of the machines here, but no-go dude. I know that you didn't want posts if nothing showed up, but I wanted to post anyway. :sick:

Archived

This topic is now archived and is closed to further replies.
