Last week a friend of mine was infected by spooner.trojan.
The trojan redirects to ntsearch.com.

With help from Google I found some tips to remove this malware and started coding a small tool to remove it...

Since I have never infected myself with such a hijacker, I'm now thinking about a way to stop this shit.

As you know from my older posts, I'm only a beginner without much time,
but I have a lot of fun using asm instead of Delphi or VB.

So I want to ask all you professional coders whether it is possible within Windows to know what program uses the registry,
like Regmon from sysinternals.com does.

Do they make a file/open hook on user.dat?

Or is there some other way to know that?
Like in firewalls, which know what filename tries to open ports...

So someone, or I, could program a small tool that blocks all requests from filenames not equal to regedit.exe.
Better: a pop-up asking whether the user wishes to commit the new settings to the registry.

What do you think?
Any idea what I must learn to program this?

Thanks!
Posted on 2004-01-12 08:19:30 by xanthos
AFAIK the source to Regmon used to be available... effectively blocking access to the registry will require coding a KMD. Filemon.sys is 40k in the version of Filemon I have, so in case the license and/or your country doesn't forbid it, it should be a manageable reverse engineering project.

Other than that, the NT DDK and various articles at and linked from sysinternals.com should be your friends, I guess :)
Posted on 2004-01-12 08:27:54 by f0dder
Reverse engineering the Regmon .sys file and understanding the source is not easy.
Like f0dder said, you will need to write a KMD for NT, 2k or XP.

Some very useful links:

Hooking Windows NT System Services
Windows NT System Service Table Hooking

IMHO, you need to reverse engineer an application only if you can't do the same by yourself.
There is no substitute for experience.

:alright: Good luck!
Posted on 2004-01-12 09:10:43 by Opcode
Thank you for your answers.
Sounds heavy to me, but not undoable :)

Many Windows versions later, and Microsoft never built a function that asks the user for permission, like when you open an 'xyz.reg' file.

In this case it sounds much easier for a beginner like me to first watch some registry keys for changes,
like the autostart page.

Then, I think hooking is not something I'll learn in a week, so it's better to first code something easy; then I have enough time to make my tool better and better.

Ha, that's the cool thing about this board!
A little question, and maybe I don't need hours of searching.

BTW, if you are infected by spooner, look for a handle 'sp' and remove it.
Next, remove sp.exe from the Windows folder and the key from autostart.

Cheers
Posted on 2004-01-12 10:19:06 by xanthos
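The "watch some registry keys for changes, like the autostart page" idea from the post above, as an added example that is not code from the thread or from any of its posters. It snapshots every value under the standard Run/RunOnce keys, subscribes to the WMI registry change event for HKLM\...\Run, and on each wake-up diffs the keys against the previous snapshot. The function names (Get-AutostartSnapshot, Compare-AutostartSnapshot, Watch-Autostart) are my own; the key paths and the RegistryKeyChangeEvent class in the root\default namespace are standard Windows.

```powershell
# Added example (not from the thread): watch the autostart keys for changes from user mode.
# It snapshots every value under the Run/RunOnce keys, then wakes up on a WMI
# RegistryKeyChangeEvent for HKLM\...\Run (or after $PollSeconds), re-snapshots and reports
# the difference. Requires Windows PowerShell 5.1 or PowerShell 7 on Windows; no admin needed.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartSnapshot {
    # Hashtable of "<key>\<value name>" -> command line, for every autostart value present.
    $snap = @{}
    foreach ($keyPath in $RunKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $snap["$keyPath\$name"] = [string]$key.GetValue($name)
        }
    }
    return $snap
}

function Compare-AutostartSnapshot {
    # One object per difference between two snapshots: Added, Modified or Removed.
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($entry in $After.Keys) {
        if (-not $Before.ContainsKey($entry)) {
            $changes += [pscustomobject]@{ Change = 'Added';    Entry = $entry; Command = $After[$entry] }
        } elseif ($Before[$entry] -ne $After[$entry]) {
            $changes += [pscustomobject]@{ Change = 'Modified'; Entry = $entry; Command = $After[$entry] }
        }
    }
    foreach ($entry in $Before.Keys) {
        if (-not $After.ContainsKey($entry)) {
            $changes += [pscustomobject]@{ Change = 'Removed';  Entry = $entry; Command = $Before[$entry] }
        }
    }
    return $changes
}

function Watch-Autostart {
    param([int]$PollSeconds = 5)

    # The WMI registry event provider (namespace root\default) covers HKEY_LOCAL_MACHINE and
    # HKEY_USERS but not HKEY_CURRENT_USER, so the HKCU keys are caught by the timed poll.
    # Backslashes are doubled because KeyPath is a WQL string literal.
    $query = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
             "AND KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"
    Register-CimIndicationEvent -Namespace 'root/default' -Query $query `
        -SourceIdentifier 'RunKeyChanged' | Out-Null

    $baseline = Get-AutostartSnapshot
    Write-Host ("Baseline: {0} autostart entries. Watching... (Ctrl+C to stop)" -f $baseline.Count)
    try {
        while ($true) {
            # Returns early when HKLM\...\Run changes, otherwise after $PollSeconds.
            if (Wait-Event -SourceIdentifier 'RunKeyChanged' -Timeout $PollSeconds) {
                Remove-Event -SourceIdentifier 'RunKeyChanged'
            }
            $current = Get-AutostartSnapshot
            foreach ($c in Compare-AutostartSnapshot -Before $baseline -After $current) {
                Write-Warning ("{0}: {1} = {2}" -f $c.Change, $c.Entry, $c.Command)
            }
            $baseline = $current
        }
    } finally {
        Unregister-Event -SourceIdentifier 'RunKeyChanged'
    }
}

Watch-Autostart
```

A hijacker that drops an autostart entry (the sp.exe key described above would show up as "Added" with its command line) is reported within one poll interval. What this cannot tell you is which process wrote the value: that is the "who touched the registry" question the earlier replies answer with a kernel-mode driver, and nothing running as a normal user can block the write either.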

> Many Windows versions later, and Microsoft never built a function that asks the user for permission, like when you open an 'xyz.reg' file.

This can actually be done via user policies on NT. I dunno how it affects the registry API, but you can lock down regedit.exe and thus importing of .reg files. Also, home users really ought to be running a less-privileged account than administrator, and by doing so apps cannot write to HKLM.
Posted on 2004-01-12 10:28:06 by f0dder
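The two controls in the reply above, as an added example that is not code from the thread or from any of its posters: whether the current account can write the machine-wide Run key at all (the least-privilege point), and whether the "Prevent access to registry editing tools" user policy is in place (the regedit.exe lockdown). The function names and the $PolicyKey variable are my own; the DisableRegistryTools value under HKCU\...\Policies\System is the real policy setting.

```powershell
# Added example (not from the thread): check the two controls mentioned above for the
# current account. Requires Windows PowerShell 5.1 or PowerShell 7 on Windows.
#   1. Least privilege: can this account open HKLM\...\Run for writing?
#   2. The "Prevent access to registry editing tools" user policy, stored as
#      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools.

function Test-IsAdministrator {
    # True when the current token holds the Administrators role (the elevated token on Vista+).
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-HklmRunWritable {
    # Open the machine-wide Run key with write access. A limited user gets a
    # SecurityException / UnauthorizedAccessException here; an administrator succeeds.
    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
        if ($null -eq $key) { return $false }   # key does not exist
        $key.Close()
        return $true
    } catch {
        return $false
    }
}

$PolicyKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegeditPolicy {
    # 0 or absent = regedit allowed; 1 = regedit.exe refuses to start;
    # 2 = additionally blocks the silent "regedit /s file.reg" import.
    $props = Get-ItemProperty -LiteralPath $PolicyKey -Name DisableRegistryTools -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 0 }
    return [int]$props.DisableRegistryTools
}

function Set-RegeditPolicy {
    # Writes the policy value for the current user (what the policy editor does under the hood).
    param([ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path -LiteralPath $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $PolicyKey -Name DisableRegistryTools `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

"Running as administrator   : {0}" -f (Test-IsAdministrator)
"HKLM\...\Run writable       : {0}" -f (Test-HklmRunWritable)
"DisableRegistryTools policy: {0}" -f (Get-RegeditPolicy)
# Set-RegeditPolicy -Value 1   # lock regedit.exe for this user; -Value 0 to undo
```

Two caveats a practitioner would want. The policy only stops regedit.exe and regedt32.exe from starting; a program calling the registry API directly (which is what a trojan does) is not affected, and since the value lives in HKCU, any process running as that user can clear it again. The check that actually matters against a hijacker writing to HKLM\...\Run is the first one: if Test-HklmRunWritable returns False for the account you use day to day, the malware running as you cannot add a machine-wide autostart entry either.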