Oct 7 2004, 01:44 PM - Post #1
Forum Regular - Group: Members - Posts: 208 - Joined: 13-July 04 - Member No.: 1,385
I have one problem/concern/misunderstanding: In step 5 you outline the procedure to go find the bad .dll files and delete them. You also state that the names of the files will be random. For instance the file "C:\WINDOWS\System32\hghda.dll" will, on my infected machine, be different, i.e. "C:\WINDOWS\System32\gjkxa.dll". The name of the file will be different. Do I have this correct? So when I open up System32 a whole page of icons appears, many of which are .dll files. And many of which look random to an untrained eye (even worse untrained than mine, if possible). However, (on WINXP) placing the mouse pointer over the file icon, up pops a popup which shows a description of the file, the company and, importantly, the date created. I wonder, then, what pops up when the pointer goes onto the nasty little C...\hghda.dll file shown above? To me, an important thing is the date, presuming the HJ'er does not have the ability to falsify the date created? Anyway, great tutorial; when I understand it completely I will certainly use it. Thanks!
-------------------- EDBEE from NMUSA- RENOWNED MALWARE FIGHTER AND SWORN ENEMY OF ALL INTERNET HIJACKERS
Oct 7 2004, 11:31 PM - Post #2
Bleep Bleep! - Group: Admin - Posts: 29,367 - Joined: 24-January 04 - From: USA - Member No.: 3
Unfortunately no info shows for this file... but you will notice that one of the criteria when looking at the logs is that the entry name will be the same name as the file. For example:
O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe
See how the actual file name is the same name as the Run entry? That right there is a big tipoff that it is related to the infection. If you have the other symptoms, and see that, it's almost 100% a file you want to get rid of.
-------------------- Lawrence
Oct 8 2004, 09:31 AM - Post #3
Forum Regular - Group: Members - Posts: 208 - Joined: 13-July 04 - Member No.: 1,385
So I would conclude that in a situation where the file has no indicators (description, company name, date created etc.) something is bad wrong. That the file name is the same as the run name I thought OK. Isn't the registry entry HKLM..Run..winnl32.exe telling that program in the Windows System32 directory to execute? I have never paid much attention to the run entry vs the file name in the directory; I will be looking close from now on. Thanks very much!!
-------------------- EDBEE from NMUSA- RENOWNED MALWARE FIGHTER AND SWORN ENEMY OF ALL INTERNET HIJACKERS
Oct 8 2004, 09:55 AM - Post #4
Bleep Bleep! - Group: Admin - Posts: 29,367 - Joined: 24-January 04 - From: USA - Member No.: 3
You should not assume that because the developer did not put version or identification info into the file, it is necessarily bad.
As for the Run entry, let's dissect one:
O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe
The O4 means it's a Run entry of some sort in the registry. The HKLM\..\Run means that it is located in the path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
If it said HKLM\..\RunOnce it would be located in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
If it said HKCU\..\Run it would be located in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Now back to the entry example of:
O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe
We now know that the O4 means a run entry, and the HKLM/HKCU part is where in the registry it is located. The next part, between the [ and ], is the name of the entry in the registry. This particular example has the name winnl32.exe, and the value of that entry is C:\WINDOWS\system32\winnl32.exe. As you can see, the name of the entry is the same as the file name. That is an earmark of this type of infection.
-------------------- Lawrence
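Lawrence's breakdown of the O4 line, written up as a small parser. This is an added example, not HijackThis code and not from the original post: it expands the abbreviated hive to the full key, splits out the entry name and value, and flags the entries where the name equals the file name. The sample log lines are constructed; only the winnl32.exe line comes from the thread.

```python
import re

# HijackThis abbreviates the hive in O4 lines; expand it to the full key as the post spells out.
HIVE_PATHS = {
    "HKLM\\..\\Run": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM\\..\\RunOnce": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU\\..\\Run": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}

# O4 - <hive>: [<entry name>] <value>
O4_RE = re.compile(
    r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<value>.+)$"
)

def parse_o4(line: str):
    """Split one O4 log line into hive path, entry name, value and file name (None if not O4)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    key, name, value = m.group("key"), m.group("name"), m.group("value")
    # The value is a command line: the executable is the first token,
    # quoted when its path contains spaces.
    exe = value.strip()
    exe = exe[1:exe.find('"', 1)] if exe.startswith('"') else exe.split(" ")[0]
    basename = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    return {
        "key": HIVE_PATHS.get(key, key),
        "name": name,
        "value": value,
        "file": basename,
        # Lawrence's earmark: the entry name equals the file name.
        "name_matches_file": name.lower() == basename.lower(),
    }

def flag_name_matches_file(log_lines):
    """Return the O4 entries whose entry name is the same as the file name."""
    return [e for e in map(parse_o4, log_lines) if e and e["name_matches_file"]]

# Constructed sample log lines (not from a real machine). The ctfmon line
# shows why the earmark is corroborating evidence, not proof on its own:
# a legitimate Windows entry also names itself after its file.
SAMPLE_LOG = [
    "O4 - HKLM\\..\\Run: [winnl32.exe] C:\\WINDOWS\\system32\\winnl32.exe",
    "O4 - HKLM\\..\\RunOnce: [qwxyz.exe] C:\\WINDOWS\\system32\\qwxyz.exe",
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
    "O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE",
    'O4 - HKLM\\..\\Run: [Example Updater] "C:\\Program Files\\Example\\update.exe" /background',
    "O23 - Service: Example Service - C:\\Program Files\\Example\\svc.exe",
]
```

Run `flag_name_matches_file(SAMPLE_LOG)` and check each hit against the other symptoms the post mentions before deciding anything about the file.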
Oct 9 2004, 10:49 AM - Post #5
Forum Regular - Group: Members - Posts: 208 - Joined: 13-July 04 - Member No.: 1,385
Grinler, thanks for that. I will begin to look at these entries now with a little more understanding than I had prior.
-------------------- EDBEE from NMUSA- RENOWNED MALWARE FIGHTER AND SWORN ENEMY OF ALL INTERNET HIJACKERS