Malware Removal Information

Reglooks

Reglooks is an analysis tool for Windows. It exports the registry keys, files and settings that malware commonly uses to start automatically, so the resulting log can be checked for unexpected entries.

Shows an export of the following registry keys together with the associated files; standard (known-good) keys and values are suppressed using a whitelist:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

Shows an export of the following registry keys, with associated files:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders : securityproviders
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager : Bootexecute
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers

If present, Reglooks also shows an export of the following registry keys / values, with the associated files:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager : PendingFileRenameOperations
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor : AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor : AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows : run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows : load
HKEY_CURRENT_USER\Control Panel\Desktop : scrnsave.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW : cmdline
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW : wowcmdline

Shows each service with its associated file, display name and current status:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Shows every subkey that carries a "Debugger" value, together with the file it points to (a Debugger value makes Windows start the named executable instead of the program itself, a well-known hijacking technique):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
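The registry side of the audit described above can be reproduced in PowerShell. The following is an added example written for this page, not the Reglooks program or its source: it walks a subset of the Run-style keys, compares the Winlogon Shell/Userinit and AppInit_DLLs values against their documented defaults, looks for Image File Execution Options Debugger values, and reports for every entry whether the referenced file exists on disk and carries a valid Authenticode signature. The $KnownGood table is a small constructed whitelist and is not the whitelist Reglooks uses; the key list is deliberately shorter than the page's.

```powershell
# Added example, not the Reglooks program itself: enumerate autostart registry
# locations, resolve each value to a file on disk and report whether that file
# exists and is Authenticode-signed. $KnownGood is a constructed whitelist of
# documented defaults, NOT the whitelist Reglooks uses.
# Run from an elevated PowerShell prompt; writes result.txt to the current directory.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Single-value locations with their documented defaults; anything else is reported.
$KnownGood = @{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell'       = 'explorer.exe'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit'    = 'C:\Windows\system32\userinit.exe,'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs' = ''
}

$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Resolve-CommandPath {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\App\app.exe" /silent     or     C:\Tools\run.exe -x
    # Unquoted paths with spaces are handled by accumulating tokens until one
    # ends in an executable extension.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $acc = ''
    foreach ($token in ($cmd -split ' ')) {
        $acc = if ($acc) { "$acc $token" } else { $token }
        if ($acc -match '\.(exe|dll|com|scr|bat|cmd)$') { return $acc }
    }
    return ($cmd -split ' ')[0]
}

function Get-FileVerdict {
    # Locate bare names (e.g. rundll32.exe) via PATH, then check existence and signature.
    param([string]$Path)
    if (-not $Path) { return 'NO PATH' }
    if (-not [IO.Path]::IsPathRooted($Path)) {
        $app = Get-Command $Path -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($app) { $Path = $app.Path }
    }
    if (-not (Test-Path -LiteralPath $Path)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return "signed by $($sig.SignerCertificate.Subject)" }
    return "UNSIGNED ($($sig.Status))"
}

function New-Finding($Key, $Name, $Command) {
    $file = Resolve-CommandPath $Command
    [pscustomobject]@{ Key = $Key; Value = $Name; Command = $Command; File = $file; Verdict = (Get-FileVerdict $file) }
}

$findings = @()

# 1. Every value under a Run-style key is an autostart entry.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }      # PSPath, PSParentPath etc. are provider noise
        $findings += New-Finding $key $name $props.$name
    }
}

# 2. Winlogon Shell/Userinit and AppInit_DLLs: report only deviations from the default.
foreach ($entry in $KnownGood.GetEnumerator()) {
    $key, $name = $entry.Key -split '\|'
    $actual = [string](Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -ne $entry.Value) { $findings += New-Finding $key $name $actual }
}

# 3. Image File Execution Options: a "Debugger" value redirects that program's launch.
foreach ($sub in Get-ChildItem -Path $IfeoKey) {
    $dbg = (Get-ItemProperty -LiteralPath $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += New-Finding "IFEO\$($sub.PSChildName)" 'Debugger' $dbg }
}

$findings | Format-Table -AutoSize -Wrap | Out-String -Width 250 | Set-Content -Path .\result.txt
# Console summary: everything that is not a validly signed, present file.
$findings | Where-Object { $_.Verdict -notlike 'signed by*' } | Format-Table -AutoSize
```

Entries whose Verdict reads FILE MISSING or UNSIGNED deserve a closer look, but an unsigned file is not proof of malware: many legitimate installers ship unsigned helpers, which is exactly why a tool like Reglooks needs a whitelist to keep the log readable.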

Shows an export of the following DNS server values (empty values are ignored):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters : NameServer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interface GUID} : NameServer

Shows the file associations (the command used to open the file type) for:

.BAT, .COM, .EXE, .HLP, .INF, .INI, .JS, .PIF, .REG, .SCR, .TXT, .VBS

Shows the task scheduler jobs.


Shows the files in the Startup folders, whose locations are read from:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders : Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders : Common Startup

Shows the files and directories created in the last 15 days.

Shows the files modified in the last 3 months.
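The remaining checks (file associations, task scheduler jobs, Startup folders and recently created files) can be scripted the same way. This is an added example for this page, not Reglooks code: it reads the open command behind a few file associations, lists the action behind every enabled scheduled task, resolves Startup-folder shortcuts to the program they actually launch, and lists executable-type files created in the last 15 days. The extension list and the set of folders scanned are constructed for this example.

```powershell
# Added example, not Reglooks code: file-system side of the autostart audit.
# The extension list and folder list are constructed for this example.

# 1. File associations. HKCR merges HKLM and HKCU Classes, so a per-user hijack
#    shows up here too. For .exe the expected open command is "%1" %* ;
#    anything else means a wrapper runs before the program the user clicked.
$Extensions = '.bat', '.com', '.exe', '.pif', '.reg', '.scr', '.vbs', '.js', '.txt'
$assoc = foreach ($ext in $Extensions) {
    $progId = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    $command = $null
    if ($progId) {
        $command = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{ Extension = $ext; ProgId = $progId; OpenCommand = $command }
}
$assoc | Format-Table -AutoSize

# 2. Scheduled tasks: the action is what runs; the task name is only a label.
$tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute) {
            [pscustomobject]@{ Task = "$($_.TaskPath)$($_.TaskName)"; Execute = $a.Execute; Arguments = $a.Arguments; Author = $_.Author }
        }
    }
}
$tasks | Format-Table -AutoSize -Wrap

# 3. Startup folders, taken from the same Shell Folders values Reglooks reads,
#    with .lnk shortcuts resolved to their target.
$wsh = New-Object -ComObject WScript.Shell
$startupFolders = @(
    (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').Startup,
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').'Common Startup'
)
$startupItems = foreach ($folder in $startupFolders) {
    if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -Force -File | Where-Object Name -ne 'desktop.ini' | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $wsh.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        [pscustomobject]@{ Folder = $folder; Item = $_.Name; Target = $target; Created = $_.CreationTime }
    }
}
$startupItems | Format-Table -AutoSize -Wrap

# 4. Executable-type files created in the last 15 days in user-writable locations
#    (constructed folder list: where droppers that need no admin rights usually land).
$Roots   = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) | Where-Object { $_ -and (Test-Path $_) }
$ExecExt = '.exe', '.dll', '.scr', '.com', '.vbs', '.js', '.ps1', '.bat', '.cmd'
$cutoff  = (Get-Date).AddDays(-15)
$recent  = Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff -and $_.Extension -in $ExecExt } |
    Sort-Object CreationTime -Descending |
    Select-Object CreationTime, Length, FullName
$recent | Format-Table -AutoSize | Out-String -Width 250 | Set-Content -Path .\recent.txt
```

The creation-time filter is only a triage aid: timestamps can be set by the dropper itself, so a clean 15-day window does not prove nothing was added. The Startup-folder step resolves shortcuts because a harmless-looking .lnk can point at any program and arguments.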



How to use Reglooks:

Download reglooks and save it to your desktop.
Double-click reglooks.exe and wait until the log file appears.
The log is written as result.txt.
