BleepingComputer.com: Re the new Home Search Asst Tutorial-10/6

To me this Hijacker is the worst ever-Am I wrong? This tutorial spells quite well the order of attack--something up till now I wasn't sure of.

I have one problem/concern/misunderstanding:

In step 5 you outline the procedure to go find the bad.dll files and delete them. You also state that the names of the files will be random. For instance the file-
"C:\WINDOWS|System32\hghda.dll" will on my infected machine will be different
IE. "C:\WINDOWS\System32\gjkxa.dll. The name of the file will be different. Do I have this correct? So when I open up the System32 a whole page of icons appear-many of which are .dll files. And many of which look random to an untrained eye (even worsely untrained than mine-if possible). However, (on WINXP) placing the mouse pointer over the file icon, up pops a popup which shows a description of the file, the company and importantly the date created. I wonder, then what pops up when the pointer goes onto the the nasty little C...\hghda.dll file shown above? To me, an important thing is the date-presuming the HJ er has not the ability to falsify the date created?

Anyway, great tutorial-when I understand it completly I will certainly use it. Thanks!

Unfortunately no info shows for this file...ut you will notice that one of the criteria when looking at the logs, is the entry name will be the same name of the file. For example:

O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe

See how the actual file name is the same name as the Run entry? That right there is a big tipoff that it is related to the infection. If you have the other symptoms, and see that, its almost 100% a file you want to get rid of

So I would conclude that in a sitiuation where the file has no indicators-discription-company name-date created etc--something is bad wrong--That the file name is the same as the run name I thought OK. Isn't the registery entry HKLM..Run..winl32.exe telling that program in the windows System32 directory to execute? I have never paid much attention to run entry vs the file name in the directory--I will be looking close from now on. Thanks very much!!

You should not assume that because the developer did not put version or identification into the file, it is ncessarily bad.

As for the Run entry, lets disect one:

O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe

The O4 means its a Run entry of some sort in the registry. The HKLM\..\Run means that it is located in the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If it said HKLM\..\RunOnce it would be located in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

If it said HKCU\..\Run it would be located in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


Now back to the entry example of :

O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe


We now know that the 04 means a run entry, the HKLM/HKCU part is where in the registry it is located. The next part between the [ and ] is the name of the entry in the registry. This particular example has the name of winnl32.exe and the value of that entry is C:\WINDOWS\system32\winnl32.exe.

As you can see the name of the entry is the same name as the file name. That is an earmark of this type of infection

Grinler, Thanks for that--I will begin to look at these entries now with a little more understanding that I had prior.