
Re the new Home Search Asst Tutorial-10/6


4 replies to this topic

#1 EdBee

  • Members
  • 208 posts

Posted 07 October 2004 - 01:44 PM

To me this hijacker is the worst ever. Am I wrong? This tutorial spells out quite well the order of attack, something up till now I wasn't sure of.

I have one problem/concern/misunderstanding:

In step 5 you outline the procedure to go find the bad .dll files and delete them. You also state that the names of the files will be random. For instance the file
"C:\WINDOWS\System32\hghda.dll" will on my infected machine be different,
i.e. "C:\WINDOWS\System32\gjkxa.dll". The name of the file will be different. Do I have this correct? So when I open up System32 a whole page of icons appears, many of which are .dll files, and many of which look random to an untrained eye (even more untrained than mine, if possible). However, (on WinXP) placing the mouse pointer over the file icon, up pops a popup which shows a description of the file, the company and, importantly, the date created. I wonder, then, what pops up when the pointer goes onto the nasty little C...\hghda.dll file shown above? To me, an important thing is the date, presuming the hijacker has not the ability to falsify the date created?

Anyway, great tutorial. When I understand it completely I will certainly use it. Thanks!
EDBEE from NMUSA- RENOWNED MALWARE FIGHTER AND SWORN ENEMY OF ALL INTERNET HIJACKERS


#2 Grinler (Lawrence Abrams)

  • Admin
  • 43,717 posts
  • Location:USA

Posted 07 October 2004 - 11:31 PM

Unfortunately no info shows for this file, but you will notice that one of the criteria when looking at the logs is that the entry name will be the same as the name of the file. For example:

O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe

See how the actual file name is the same as the name of the Run entry? That right there is a big tipoff that it is related to the infection. If you have the other symptoms, and see that, it's almost 100% a file you want to get rid of.

#3 EdBee (Topic Starter)

  • Members
  • 208 posts

Posted 08 October 2004 - 09:31 AM

So I would conclude that in a situation where the file has no indicators (description, company name, date created, etc.) something is badly wrong. That the file name is the same as the Run name I thought OK. Isn't the registry entry HKLM\..\Run\winnl32.exe telling that program in the Windows System32 directory to execute? I have never paid much attention to the Run entry vs. the file name in the directory. I will be looking close from now on. Thanks very much!!
EDBEE from NMUSA- RENOWNED MALWARE FIGHTER AND SWORN ENEMY OF ALL INTERNET HIJACKERS

#4 Grinler (Lawrence Abrams)

  • Admin
  • 43,717 posts
  • Location:USA

Posted 08 October 2004 - 09:55 AM

You should not assume that because the developer did not put version or identification info into the file, it is necessarily bad.

As for the Run entry, let's dissect one:

O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe

The O4 means it's a Run entry of some sort in the registry. The HKLM\..\Run means that it is located in the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If it said HKLM\..\RunOnce it would be located in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

If it said HKCU\..\Run it would be located in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


Now back to the entry example of :

O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe


We now know that the O4 means a Run entry, and the HKLM/HKCU part is where in the registry it is located. The next part, between the [ and ], is the name of the entry in the registry. This particular example has the name winnl32.exe, and the value of that entry is C:\WINDOWS\system32\winnl32.exe.

As you can see, the name of the entry is the same as the file name. That is an earmark of this type of infection.
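The dissection above, turned into a small parser, as an added example that is not from the thread, the tutorial it refers to, or HijackThis itself: it expands the HKLM/HKCU abbreviation to the full key exactly as the post spells it out, splits an O4 line into its value name (the part between [ and ]) and its value data (the command line), and flags entries where the value name equals the file name of the program being run, the earmark described in posts #2 and #4. The sample log is constructed: the winnl32.exe line is the one from the post, the other three are made up, and the last one deliberately mimics a stock Windows Run entry whose value name happens to equal its file name, so the earmark alone also fires on it. That is why Grinler ties the rule to "the other symptoms" rather than using it in isolation.

```python
"""Parse HijackThis O4 (autorun) log lines and flag entries whose registry
value name equals the program's file name, the earmark described in the thread.
Added example; not code from the forum post or from HijackThis."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hive abbreviations as HijackThis prints them, expanded to the full key path
# (the HKLM/HKCU mapping given in the post above; other hives are left as-is).
HIVE_PREFIX = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion",
}

# Shape of a line:  O4 - <hive>\..\<Run|RunOnce|...>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<subkey>Run\w*): \[(?P<name>[^\]]*)\] (?P<value>.*)$"
)


@dataclass
class O4Entry:
    hive: str
    subkey: str
    name: str    # registry value name, the part between [ and ]
    value: str   # registry value data, the command line that gets run

    @property
    def full_key(self) -> str:
        """HKLM\\..\\Run expanded to the full registry key."""
        return HIVE_PREFIX.get(self.hive, self.hive) + "\\" + self.subkey

    @property
    def program(self) -> str:
        """Path of the executable in the command line, without its arguments."""
        v = self.value.strip()
        if v.startswith('"'):                 # "C:\Program Files\x.exe" /arg
            end = v.find('"', 1)
            return v[1:end] if end > 0 else v[1:]
        return v.split()[0] if v else ""      # C:\WINDOWS\system32\x.exe /arg

    @property
    def file_name(self) -> str:
        return self.program.replace("/", "\\").rsplit("\\", 1)[-1]

    @property
    def name_matches_file(self) -> bool:
        """True when the value name is literally the file name (case-insensitive)."""
        return self.name.strip().lower() == self.file_name.lower()


def parse_o4(line: str) -> Optional[O4Entry]:
    """Return an O4Entry for an O4 log line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(m["hive"], m["subkey"], m["name"], m["value"])


def suspicious_o4(log_text: str) -> List[O4Entry]:
    """All O4 entries in a log that carry the name == file name earmark."""
    entries = (parse_o4(ln) for ln in log_text.splitlines())
    return [e for e in entries if e is not None and e.name_matches_file]


# Constructed sample log: line 1 is the one quoted in the post, the rest are
# made up for the example (the last one mimics a benign stock Windows entry).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [winnl32.exe] C:\WINDOWS\system32\winnl32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunOnce: [Example Cleanup] "C:\Program Files\Example App\cleanup.exe" /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for e in suspicious_o4(SAMPLE_LOG):
        print(f"{e.full_key}\n  [{e.name}] = {e.value}   <-- value name equals file name")
```

Run as a script it prints the two flagged entries with their fully expanded registry keys. The flag is a triage aid, not a verdict: it narrows the log to entries worth checking against the other symptoms, and the quoted-path handling matters because a legitimate entry under Program Files is usually quoted while the random-name hijacker entries in the thread are bare System32 paths.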

#5 EdBee (Topic Starter)

  • Members
  • 208 posts

Posted 09 October 2004 - 10:49 AM

Grinler, thanks for that. I will begin to look at these entries now with a little more understanding than I had prior.
EDBEE from NMUSA- RENOWNED MALWARE FIGHTER AND SWORN ENEMY OF ALL INTERNET HIJACKERS
