Malware Removal Information

Hoofdmenu

Home
Malware info
- Malware - Securitysuites
- Waarom?
Scanners
Infecties
- Archief 0 - E
- Archief F - N
- Archief O - S
- Archief T - Z
- CLB rootkit
- DNS-hijackers
- Haxdoor - Goldun
- Sinowal
- TDL3
- TDL4
- Virut
- Vundo
- Whistler
Tools
- Hijackthis
  - Hijackthis
  - Hijackthis handleiding
- Rootkitscanners
- ComBoFix
- HaxFix
- LSPFix
- Reglooks
- Roguescanfix
- SmitfraudFix
Informatie
Preventie
- De computer is malware vrij
- Infecties voorkomen

Reglooks

Tools

Reglooks is an analysing tool.

Shows an export of the following registry keys with associated files, standard keys or values are not shown (using a whitelist):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

Shows an export of the following registry keys, with associated files:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders : securityproviders
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager : Bootexecute
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers

If present, reglooks shows an export of the following registry keys / values, with the associated files:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager : PendingFileRenameOperations
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor : AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor : AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows : run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows : load
HKEY_CURRENT_USER\Control Panel\Desktop : scrnsave.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW : cmdline
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW : wowcmdline

Shows the services, associated file, service displayname and the status:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Shows the presence of the value "Debugger" and associated file:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Shows an export of this registrykeys:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks

Shows an export of the following registry keys, empty values are ignored:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters : "NameServer"=
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random_CLSID} : NameServer"

Shows the file associations for:
.BAT, .COM, .EXE, .HLP, .INF, .INI, .JS, .PIF, .REG, .SCR, .TXT, .VBS

Shows the task scheduler jobs.

Shows the files in Startup folders:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders : Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders : Common Startup

Shows the new files and directories added the last 15 days.

Shows the files modified in the last 3 months.

How to use reglooks:
Download reglooks. Save it to your desktop.
Doubleclick on reglooks.exe and wait until a logfile appears.
The log will be called result.txt.