Hunter's Word

The Internet is filled with amazing amounts of information. There is so much to be explored and so much to learn. It would seem that this information is freely available to anyone. An informational garden of Eden.
This is not entirely the case. In this garden there are snakes at almost every click of the mouse, waiting to strike. There is always a new breed, one we did not recognize yesterday, disguised as something friendly or necessary. Spyware and adware have moved out of the shadows of software piracy and pornographic websites. I've had computers get infected installing screensavers or games, listening to music, or even just browsing for information. It is not safe out there unless someone is constantly keeping up with the newest infections and the latest variants of known malicious software. We are doing just that, to make sure our software is up to the task of removing the latest infections.
A Hunter's work is never done.


- 20060421 - Keyloggers
- 20060417 - VXGame
- 20060330 - Winsupdater
- 20060311 - Mailspam
- 20060228 - Hijackers
- 20060212 - Disabler
- 20060114 - INET
- 20060104 - Raze
- 20051219 - SpyAxe
- 20051205 - MsConfg
- 20051116 - NNNL
- 20051109 - KickOff

Hunter's Log: 20051116 130248

I have recently received several complaints from our customers regarding a Winfixer pop-up. Whenever the customer turned her computer on, a Winfixer pop-up would appear, even though Winfixer had been removed by Spyware Nuker. It seems that Winfixer has implemented new tactics to maintain its presence on a computer.

Nothing appears out of the ordinary after skimming through the customer's diagnostic log files. The startup entries are clean and there are no suspicious browser helper objects or program files. Where is this pop-up hiding? Upon closer inspection of the log files, I discovered randomly named, suspicious DLL files that were connected to the Windows Winlogon process. The Winlogon process is vital to Windows operation, and if a file is "hooked" into this process, it is extremely difficult to detect and remove. Here is an example of what was found in one of the customer's logs:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnll

There is an added 'nnnll' subkey under the Winlogon\Notify key, together with a matching nnnll.dll file. The 'nnnll' name is random and was different in each customer's log. This technique is used to make the file difficult to detect and remove. I asked each customer to send us this random DLL file. After the files were received, we began an in-depth investigation.
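As an added example (not part of the original log entry and not Spyware Nuker's code), here is a small Python script that parses a .reg-style export of the Winlogon\Notify key, of the kind a diagnostic log might contain, and flags subkeys that are not on a clean-system baseline. The sample export, the 'nnnll' entry in it, the baseline set and the vowel-ratio heuristic for random-looking names are all constructed assumptions for the demo; rebuild the baseline from a known-clean machine of the same Windows build before relying on it.

```python
import re

# Constructed .reg-style export (not a real customer log). One entry is a stock Windows
# XP Notify package, the other is modelled on the random-named 'nnnll' key from the log.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnll]
"Asynchronous"=dword:00000001
"DllName"="nnnll.dll"
"Impersonate"=dword:00000000
"Startup"="Startup"
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed baseline: the Notify subkeys normally present on a clean Windows XP install.
# Rebuild this set from a known-clean machine of the same build before relying on it.
BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
            "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Values that describe the package itself; every other value names a hooked logon event.
METADATA_VALUES = {"Asynchronous", "DllName", "Impersonate"}


def decode_reg_value(raw):
    """Turn a .reg value string into a Python str: quoted strings and hex(2) (REG_EXPAND_SZ,
    UTF-16LE bytes) are decoded; dword: and other types are returned unchanged."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("hex(2):"):
        data = bytes(int(tok, 16) for tok in raw[len("hex(2):"):].split(",") if tok)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_notify_entries(reg_text):
    """Return {subkey_name: {value_name: value}} for every Winlogon\\Notify subkey."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
                current = key[len(NOTIFY_KEY) + 1:]
                entries[current] = {}
            else:
                current = None           # some other key; ignore its values
        elif current is not None and "=" in line:
            name, raw = line.split("=", 1)
            entries[current][name.strip('"')] = decode_reg_value(raw)
    return entries


def looks_random(name):
    """Crude heuristic for machine-generated names such as 'nnnll': very few vowels."""
    stem = re.sub(r"\.dll$", "", name.lower())
    if len(stem) < 4:
        return False
    vowels = sum(ch in "aeiouy" for ch in stem)
    return vowels / len(stem) < 0.2


def find_suspicious_notify(reg_text):
    """Return [(subkey, dll_name, [reasons])] for every entry outside the baseline."""
    findings = []
    for subkey, values in parse_notify_entries(reg_text).items():
        if subkey.lower() in BASELINE:
            continue
        dll = values.get("DllName", "")
        reasons = ["subkey not in clean baseline"]
        if looks_random(subkey) or looks_random(dll):
            reasons.append("random-looking name")
        events = sorted(v for v in values if v not in METADATA_VALUES)
        if events:
            reasons.append("hooks events: " + ", ".join(events))
        findings.append((subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    for subkey, dll, reasons in find_suspicious_notify(SAMPLE_REG):
        print(f"{subkey!r} -> {dll}: " + "; ".join(reasons))
```

The baseline comparison does the real work; the name heuristic only adds a hint, since several legitimate package names (sclgntfy, for one) are just as short on vowels as the random ones. On a live machine the same logic can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` instead of the constructed text.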

I installed the suspicious file and several minutes later a pop-up appeared.

The DLL file made a silent connection to the internet and displayed this pop-up advertisement, which looks similar to a Windows error message. Many end-users may mistakenly press the 'OK' button, thinking it is an actual Windows error message. By pressing the 'OK' button, the end-user would have accepted the Winfixer 2005 installation. As it turned out, within minutes of running the suspicious file, Winfixer 2005 was fully installed without my consent. Winfixer 2005 claims to remove viruses and Trojans, yet it uses the same methods to install itself on an end-user's computer. How ironic.

Further investigation revealed that the DLL file did "hook" into the Winlogon process. The end-user could not manually delete or even rename the file, not even in safe mode. Being connected to the Winlogon process has made this file nearly invincible. Nearly, but not completely invincible. The file was dissected and its binary contents were examined for an effective signature. This signature allows detection and removal of all similar files. The signature was then integrated into Spyware Nuker. Spyware Nuker was run against the infection, detected it, and successfully deleted it on reboot. It was also able to detect and remove the Winfixer 2005 application. Our customers were thrilled to hear the good news.

Once again, Spyware Nuker has triumphed over wicked Spyware that plagues the internet.

End of Entry