Posted June 22, 2006 I'm working on a prototype program that will (eventually) help fight one type of spyware infection - it's called TheNotifier, and it targets Winlogon/Notify attacks. Download: TheNotifier v0.0.0.33 (242KB, *.exe) Changelog: DjLizard.net I need everyone who uses Windows 2000 Professional, XP, Server 2003, or Vista to run this program. All it does (for now) is: Lists all Winlogon/Notify entries. Lets you jump to a Winlogon/Notify registry entry. Allows you to filter out the "known-good" entries. What I need people to do is: Click "Known-good". Reply to this thread and let me know the Key and the DLLName of anything that still shows up (unless someone has already mentioned yours). Edit: if you get nothing, you don't have to post to say it. Thanks!
June 23, 2006 Sorry, nothing on this end either. I will say that I like the "Jump to Key" button. Nifty lil' feature. :P
June 23, 2006 I agree with lokoike, that "Jump to key" button is cool. I'm not gonna tell ya about not finding anything.
June 25, 2006 Quote: "hurrrrr" I'll use it on all of the PCs at work. I'm sure lots of stuff will show up. lmao
June 26, 2006 Author Updated first post with a new version and the changelog link. Check it out! :sick:
June 26, 2006 Tried out the new version - found more nothing. Didn't find any AppInit_DLLs even with none hidden.
June 26, 2006 Author It's pretty rare that you'd see anything in AppInit_DLLs. There are only a few known legitimate entries for it, which I'll be building into the program shortly.
June 26, 2006 Hi all! Nothing out of the ordinary here either. ... and may I suggest two other keys that would qualify for inclusion: HKEY_LOCAL_MACHINE (and HKCU)\Software\Microsoft\Windows\Currentversion\Shellserviceobjectdelayload and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Sharedtaskscheduler
June 26, 2006 Author For now, I'm targeting things that can run even in safe mode. Do either of those keys pose a threat if you're in safe mode? I am considering lots more tabs :sick:
June 26, 2006 I rather think ShellServiceObjectDelayLoad works in Safe Mode; as Explorer.exe is the shell, it will start, loading all DLLs registered under this key. SharedTaskScheduler I haven't tested, but possibly as well. What both (especially SSODL) have in common with Notify and AppInit_DLLs is that all are used by legitimate apps as well as malware, making them good candidates for your app, I would think. You familiar with my "Collection of Autostart Locations"?
June 26, 2006 Author Ok, I should be more specific - which will run even within "Safe mode command prompt only"? AppInit_DLLs and Winlogon both attack early, and will keep you infected even within S.M.C.P.O. Since most programs can easily target and delete files that belong to all of the other autostart sections, I am not concerned unless there is a file that can't be deleted from within Safe mode w/command prompt. I have a Native API program on the way that is able to schedule the deletion of Winlogon/etc entries - this is going to beat the pants off having to delete the file from some other environment. Edit: Winlogon\System is next.
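A defender-side re-creation of what the tool does, added here as an example and not TheNotifier's own code: it lists the Winlogon\Notify packages from the first post and the AppInit_DLLs value discussed above, resolves each DLL, checks its Authenticode signature and applies a "known-good" filter. It assumes PowerShell 3 or later run elevated on the 32-bit registry view; the allowlist is a starter set to confirm per host, and Resolve-LoaderDll and New-LoaderEntry are names chosen for this example.

```powershell
# Added example, not TheNotifier's own code: list the Winlogon\Notify packages
# and AppInit_DLLs entries the thread singles out, resolve each DLL, check its
# Authenticode signature and flag anything outside a starter allowlist.
# Assumptions: PowerShell 3+, run elevated; 32-bit registry view only (no
# Wow6432Node); the allowlist is a constructed starter set to verify per host;
# Notify packages are absent on Vista and later, so that list may be empty.
$winlogonNotify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$windowsKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$knownGood      = @('wlnotify.dll', 'sclgntfy.dll', 'cscdll.dll', 'crypt32.dll', 'cryptnet.dll')

function Resolve-LoaderDll([string]$Name) {
    # A bare name is loaded from System32; an explicit path is used as given.
    if ($Name -match '[\\/]') { return [Environment]::ExpandEnvironmentVariables($Name) }
    return Join-Path $env:SystemRoot "System32\$Name"
}

function New-LoaderEntry([string]$Key, [string]$Dll) {
    $path = Resolve-LoaderDll $Dll
    $sig = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'Missing' }
    [pscustomobject]@{
        Key       = $Key
        DLLName   = $Dll
        Path      = $path
        Signature = $sig          # Valid, NotSigned, HashMismatch, ... or Missing
        KnownGood = $knownGood -contains ([IO.Path]::GetFileName($Dll).ToLower())
    }
}

function Get-NotifyEntries {
    # One subkey per notification package; DLLName holds the module to load.
    Get-ChildItem $winlogonNotify -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        if ($dll) { New-LoaderEntry $_.PSChildName $dll }
    }
}

function Get-AppInitEntries {
    # AppInit_DLLs is a single REG_SZ; entries are separated by spaces or commas.
    $p = Get-ItemProperty $windowsKey -ErrorAction SilentlyContinue
    ([string]$p.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ } |
        ForEach-Object { New-LoaderEntry 'AppInit_DLLs' $_ }
}

# Mirror the tool's "Known-good" button: show only what survives the filter,
# and every AppInit_DLLs entry, since the thread notes there are very few legitimate ones.
Get-NotifyEntries  | Where-Object { -not $_.KnownGood } | Format-Table -AutoSize
Get-AppInitEntries | Format-Table -AutoSize
```

Anything with a Missing path, a signature other than Valid, or a DLL outside System32 is the kind of Key/DLLName pair the first post asks readers to report.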
June 26, 2006 Did you get a chance of looking at Swandog46's Avenger? http://swandog46.geekstogo.com/avengernotes.htm It does a great job removing files that are notoriously difficult to get rid of any other way.
June 27, 2006 Erm.. no, not particularly, other than to learn and to share. Have one yourself? :sick:
June 27, 2006 Well I thought that for sure something would show up on one of the machines here, but no-go dude. I know that you didn't want posts if nothing showed up, but I wanted to post anyway. :sick:
June 27, 2006 Author A very large number of known entries has been whitelisted, so there's not even much left to find (except spyware)
June 27, 2006 Quote: "(except spyware)" yeah...that's why I thought something would show up here. :lol:
June 30, 2006 Author That's an actual infection. It seems to belong to Look2Me. http://www.atribune.org/content/view/28/