Spamware Plays Hide and Seek
howard
09-28-2005, 01:17 AM
Spamware Plays Hide and Seek:
For the past month, the Internet Storm Center (ISC) has been issuing a warning about very long registry key values which malware can hide on your system, making detection difficult, even for AdAware and HijackThis.
The ISC is now offering a free registry search tool called LVNSearch, which will locate hidden registry key values which are too long to be anything but malware. Here are two articles. The download is on the second:
http://isc.sans.org/diary.php?date=2005-08-24
http://isc.sans.org/diary.php?date=2005-08-25
Although the ISC says Autoruns from SysInternals will not catch all these long file names, it will catch some, and it will do other things. Autoruns and its command line partner, Autorunsc, work on Win XP systems, and are available for free download here:
http://www.sysinternals.com/utilities/autoruns.html
LVNSearch is in exe format and Autoruns is a zip file. They are both small, and download fast.
----
jonra01
09-28-2005, 02:29 AM
I downloaded this utility and ran it. I found some things I didn't know were loading. These are things that didn't show up in hijackthis. It works very well. I like it.
webado
09-28-2005, 02:54 AM
Well, what am I finding on that second page for the download?
Sorry. The page you requested could not be found.
So much for that then.
howard
09-28-2005, 04:06 AM
Christina,
Two thirds of the way down the page, just under:
FILE: (3584 bytes)
is the download link (the link ends in .exe)
I just checked the link - it's loading now. Must have been due to the storm or something - or maybe they have scumware they don't know about.. hehe
Howard
webado
09-28-2005, 04:09 AM
Hmmmm.... I'll try again then.
That's the one I was trying to get.
LOL! They had the link messed up with a
in it: http://isc.sans.org/LVNSearch.exe
Searching HKEY_CLASSES_ROOT
Searching HKEY_LOCAL_MACHINE
Searching HKEY_USERS
Searching HKEY_CURRENT_CONFIG
Found 0 problematic values
Done!
So I guess I'm clean then :D
howard
09-28-2005, 11:11 AM
So I guess I'm clean then
I got the same result. Good thing we don't surf much.
Howard
Sharron
09-28-2005, 02:29 PM
It (LVNsearch) found something on my laptop. Don't know what it means! HELP!
Searching HKEY_CLASSES_ROOT
Searching HKEY_LOCAL_MACHINE
Searching HKEY_USERS
HKEY_USERS\S-1-5-21-102005887-3956953012-760838127-1007\Software\Bradbury\TopStyle\3.0\SavedCombo\FindText\Inventory,%20Purchasing%20and%20Procurement%20Services%20and%20Solutions%20-%20Software%20for%20Small%20Businesses,%20by%20Outbuy_files/taste7.jpg
<img src="Inventory,%20Purchasing%20and%20Procurement%20Services%20and%20Solutions%20-%20Software%20for%20Small%20Businesses,%20by%20Outbuy_files
Searching HKEY_CURRENT_CONFIG
Found 1 problematic value
Done!
OUTBUY? what is going on?
Sharron
09-28-2005, 02:43 PM
Well I opened regedit and surprisingly enough there are several entries there related to websites I have worked on in the past.
Now I am trying to figure out how to backup my reg files. Can I just delete those files from the registry?
rotarysteve
09-28-2005, 03:00 PM
NO, gosh NO,
I mean you can, but the registry entry you entered, doesn't seem to point to any programs.
I believe that each file, jpg, .exe .php etc. has a registry entry.
You can really damage your computer if you're not careful with the registry. I have messed with mine in the past and have been successful, but be very, very careful.
Steve
rotarysteve
09-28-2005, 03:05 PM
P.S.
You can make a copy of the registry, and you should do so before doing any edits. Also, I can't remember right now on the how, but if you do edits and the computer doesn't restart correctly, there is a way to restore the registry automatically, without the back-up copy.
But, a further note is that every single file on your computer is in the registry, all of your bookmarked pages are in there, all of your preferences, EVERYTHING is in that registry.
Just be careful if you mess with it as you can really trash programs, etc....
Steve
jonra01
09-28-2005, 04:55 PM
Now I am trying to figure out how to backup my reg files. Can I just delete those files from the registry?
To backup your registry open regedit then click on the registry button in the top menu. Choose export registry file and follow the directions.
You can delete that entry without hurting anything. You shouldn't have to do it in regedit, tho. The program should give you that option.
howard
09-28-2005, 04:56 PM
Sharron,
I agree with Steve about not tampering with your registry unless
you have a fail-safe means of restoring it if something goes wrong.
I use RegSeeker, and BackReg. I will try to look up the references
so you can download them if you want.
Also, the pages I posted links to above have instructions somewhere
for what to do if you have a problematic entry.
Entries that long (yours has 481 characters, 488 with spaces) are
considered suspicious by the LVNSearch program, because entries
should usually not need to be more than 455 characters. Yours isn't
much over that, but it registered as "problematic" or suspicious.
Usually code that is harmful would be longer than that.
Please be sure you have a backup of your registry if you decide to
do an edit. Make sure you can run the backup from a C:> prompt,
in case your computer won't boot. Backreg has a companion, Fixreg,
which runs from the C:> prompt. I have used it more than once (blush).
I can't find where I downloaded it from.
Regseeker is available here:
http://www.snapfiles.com/get/regseeker.html
Snapfiles has a registry backup tool here:
http://www.snapfiles.com/get/regkeybackup.html - I have not tried this
program out, so I can't recommend it.
Snapfiles has a number of free utilities and programs:
http://www.snapfiles.com/freeware/freeware.html
Aumha.org has two freeware pages I like to look at:
http://aumha.org/freeware/freeware.php
http://aumha.org/freeware/morefree.php
The only reference to backreg and fixreg I can find is this:
http://tacktech.net/display.cfm?ttid=100 - tacktech describes how
to make your own backreg.bat and fixreg.bat and lists this under
utilities for Win 9x.
Howard
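Added example (editor's code, not LVNSearch and not anything from the ISC pages or the posters above): Howard's explanation of the 455-character rule, and jonra01's advice to export the registry from regedit before touching it, can be combined into an offline check. The script below parses a regedit export (a .reg file) and reports any value whose name or data is longer than the threshold, so the long entry can be found in the backup copy without editing the live registry. The .reg text is constructed inline; the long value name imitates the shape of Sharron's TopStyle entry but is made up. That LVNSearch uses exactly 455 as its cut-off is an assumption taken from the thread.

```python
"""Scan a regedit .reg export for unusually long value names or string data.

Added example, not the ISC's LVNSearch. Real exports are UTF-16 with a BOM;
scan_reg_file() handles that, while the constructed SAMPLE_REG below lets the
scan run offline.
"""
import re
from typing import Iterator, List, Tuple, Union

THRESHOLD = 455  # characters; the limit quoted in the thread (assumed to match LVNSearch)

_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
# "name"=... or @=... ; the name may contain \" and \\ escapes
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r'\\(["\\])', r'\1', s)


def _esc(s: str) -> str:
    """Escape a string for a .reg file (used only to build the sample)."""
    return s.replace('\\', '\\\\').replace('"', '\\"')


def _logical_lines(text: str) -> Iterator[str]:
    """Yield .reg lines with backslash continuations (hex: data) joined."""
    pending = ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if line.endswith('\\'):
            pending = line[:-1]
            continue
        yield line
    if pending:
        yield pending


Data = Union[str, int, bytes]


def parse_reg(text: str) -> List[Tuple[str, str, str, Data]]:
    """Return (key, value_name, kind, data) for every value in the export."""
    entries = []
    key = None
    for line in _logical_lines(text):
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(2)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = '(Default)' if m.group(1) == '@' else _unescape(m.group(2))
        rhs = m.group(3)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            kind, data = 'REG_SZ', _unescape(rhs[1:-1])
        elif rhs.startswith('dword:'):
            kind, data = 'REG_DWORD', int(rhs[6:], 16)
        elif rhs.startswith('hex'):
            tag, items = rhs.split(':', 1)
            kind = tag  # 'hex' (REG_BINARY) or 'hex(N)' for other types
            data = bytes.fromhex(''.join(p for p in items.split(',') if p))
        else:
            kind, data = 'UNKNOWN', rhs
        entries.append((key, name, kind, data))
    return entries


def _length(data: Data) -> int:
    return len(data) if isinstance(data, (str, bytes)) else 0


def find_long_values(text: str, threshold: int = THRESHOLD) -> List[Tuple[str, str, str, int]]:
    """Flag values whose name or data exceeds the threshold, like LVNSearch's idea."""
    hits = []
    for key, name, kind, data in parse_reg(text):
        longest = max(len(name), _length(data))
        if longest > threshold:
            hits.append((key, name, kind, longest))
    return hits


def scan_reg_file(path: str, threshold: int = THRESHOLD):
    """Scan a real regedit export (UTF-16 with BOM)."""
    with open(path, encoding='utf-16') as fh:
        return find_long_values(fh.read(), threshold)


# Constructed sample: one normal Run key plus a TopStyle-style key holding a
# made-up value name well over the threshold.
LONG_NAME = "Inventory,%20Purchasing%20and%20Procurement%20Services%20" * 9
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    "\"ctfmon.exe\"=\"C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe\"\r\n"
    "\"Flags\"=dword:00000001\r\n"
    "\"Blob\"=hex:00,01,02,\\\r\n"
    "  03,04,05\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Bradbury\\TopStyle\\3.0\\SavedCombo\\FindText]\r\n"
    f"\"{_esc(LONG_NAME)}\"=\"<img src=\\\"taste7.jpg\\\">\"\r\n"
)

if __name__ == "__main__":
    for key, name, kind, longest in find_long_values(SAMPLE_REG):
        print(f"{longest} chars ({kind}) under {key}\n  name starts: {name[:60]}...")
```

Run it on an export made with regedit's "Export Registry File" (scan_reg_file on the saved .reg) to locate the same kind of entry LVNSearch reports; a hit is only a pointer to look at, since a long but harmless value, like the TopStyle search history here, trips the same rule.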
webado
09-28-2005, 05:03 PM
Sharron, if you clear history and temporary files you should be able to get rid of a lot of those registry entries without doing other stuff - I think.
Brisguy52
09-28-2005, 05:12 PM
Hi all :)
If you use IE6 ( like most sensible people :D ) tools - internet options - settings - view files or view objects can prove to be enlightening also.
webado
09-28-2005, 05:15 PM
That's what I meant LOL! Too lazy to type up the whole thing :lol:
Brisguy52
09-28-2005, 05:28 PM
Me again :)
You can try easycleaner http://personal.inet.fi/business/toniarts/
( other useful stuff there too )
Just use it with caution, not singling easycleaner out, the same applies to any registry cleaning / optimising software.
RULE No. 1 - BACKUP 1st, mess around 2nd.
jonra01
09-28-2005, 05:30 PM
That registry entry is related to topstyle css editor - the publisher is Bradbury software