
Thread: File Download...

  1. #21
    PepiMK (Member of Team Spybot)
    Join Date: Oct 2005 | Location: Planet Earth | Posts: 3,601

    Ok, download has been updated today.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  2. #22
    Member
    Join Date: Oct 2005 | Posts: 44

    Thank you for all the work you do. This is a great product...just like all your works are.

  3. #23
    Member
    Join Date: Oct 2005 | Posts: 44

    First, thx for fixing the log 'save'.

    I'm curious and have a couple of questions about your plans:

    Do you plan to make the logs interactive much the same as in HJT (item deletion)?

    Will you be making the 'process list' interactive such as with the other tabs or as in a common process manager (delete, suspend, kill, priority, resource usage, etc)?

  4. #24
    PepiMK (Member of Team Spybot)
    Join Date: Oct 2005 | Location: Planet Earth | Posts: 3,601

    Item deletion is already available on most tabs, along with item toggling for those who're unsure about their actions.
    Having the same options on the log page would be redundant, wouldn't it?

    And yes, the process list will grow in features surely. Priority (and CPUs used by a process), network connections, and all that stuff. This program started to be for use on bootable WinPE disks, so processes haven't earned enough attention yet, I agree.

    First though I still have a bunch of other startup locations I still need to add.

  5. #25
    Junior Member
    Join Date: Oct 2005 | Posts: 4

    Niiice

    Just snarfed up your updated installer. I think you can claim the x64 support as a first. I am just thrilled, as no one seems to take x64 seriously (although somewhat understandably).

    I have to say after using it for the past week or two, it really has helped me clean machines quite a bit faster. I'm also catching new stuff I'd never seen before.

    I'd love to see other things added, like being able to flip through IE settings (proxy, default pages), but I don't know if this is outside of what you're wanting to do. I understand it is Runalyzer, and these kinds of things aren't really "running" but you're so close to making HijackThis! and EZPCFix tools I only look back on using.

    As for stability/success rate, I'm amazed. Sometimes if I 'reg load' hives from a disk into bartpe's registry and 'reg unload' the changes back, my modifications don't stick. But letting Runalyzer self-manage the registry loading and such, I have a 100% success rate so far (cross my fingers). Whatever voodoo you have cooked up is potent.

    Is there anything we users can do to help?

  6. #26
    Member
    Join Date: Oct 2005 | Posts: 44

    Thx for the heads up, Patrick. I was just trying to get a feel for where you were going since it was still beta and only available here. Again, great work. Thanks.

  7. #27
    Junior Member
    Join Date: Dec 2005 | Posts: 2

    Very very cool tool!
    This is gonna be big :-)

    Suggestion: Some registry entries only show a CLSID value - maybe Runalyzer could follow up with that number and find the registry entry that shows the file/program/driver it is associated with. I have seen malware create random CLSIDs and then start itself from there.

    Hehe, the restricted domain list is quite big - this has got to be either Spybot's Immunize or SpywareBlaster :-)
    Nice to know what these programs actually do to protect us!

    Heck, I'll gladly send you my logs for this, as long as it helps make Runalyzer even better :-)

    I hope I can just copy the files that the installer creates (instead of installing it on every PC). I intend to use this new toy on client's PCs, but I don't want to have to install it on every PC in a company with 20 PCs hanging on a server when I can just run it from the server.

    If you need help analyzing some logs, I bet there's plenty of people here who would help (including me).

    I should probably mention that I have installed SPSD on 95% of all the PCs that I have touched in the last year, and it does an excellent job - I hardly ever get calls about malware from clients who have it (and update and run it, though, hehe).
    Cool stuff! And as salmo said:
    If there's anything we can do to help, just let us know!
    (I know from experience with my own little program how hard it can be to get feedback and help from users - well, here you have some who WILL help)
    Last edited by semmel; 2005-12-27 at 07:49.

  8. #28
    Esteemed Member
    Join Date: Oct 2005 | Posts: 211

    A very nice tool. Presumably over time more entries will be classified as legit :-).
    I clicked the online analysis button, and after a lot of upload and download activity, I got the message that Teamspybot would be analyzing it, but nothing else; I take it it's early days, but how is it planned that that option will function: will we get a report back in Runalyzer?

    I have a couple of questions about some of the entries in domains keys. In my case to the best of my knowledge these have all been added either by Spybot or by Spywareblaster.

    First, Runalyzer does not seem to list those under CURRENT_USER, but does list those for .DEFAULT user: I don't think that is necessarily always the same list as for CURRENT_USER (if I delete an entry under .DEFAULT user that is in both, it does not get removed from CURRENT_USER, so it must be possible to have different entries in these)?

    Second, some entries in my domains list are of the form
    domain key, no * Dword
    subdomain key, *Dword =4 (restricted zone)
    example:

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adult-host.org]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adult-host.org\sexycat]
    "*"=dword:00000004

    Runalyzer shows the main key (in this example adult-host.org) with a (correct) blank entry under description, but does not show the sub key, sexycat, that is in the restricted zone.

    By deleting the corresponding key in CURRENT_USER, I found out it is put there by spywareblaster, I don't know how the domains list in .DEFAULT user comes about (spywareblaster does not put it back if I delete it there).

    Are those domain entries with subkeys not correctly formulated, or is it an oversight?

    I hope this feedback is welcome, if not please say so :-)
    Last edited by Rosenfeld; 2005-12-29 at 23:26.

  9. #29
    Junior Member
    Join Date: Jan 2006 | Posts: 8

    Red means it's a known bad guy or what?

  10. #30
    PepiMK (Member of Team Spybot)
    Join Date: Oct 2005 | Location: Planet Earth | Posts: 3,601

    We've been working hard to bring 64 bit to Spybot-S&D as well, so please forgive me if RunAlyzer took a short break. We've got a new release of RunAlyzer ready for next week, I think.

    @salmo:
    x64 is quite important to me - Apple has had its consumer OS with 64 bit support for quite some time, and slowly you'll see new machines with 64 bit appearing. And it's better to support it now than to react when the first 64 bit malware really spreads.

    With the new release, we have a bunch of new keys detected. In fact, the second tab "WinLogon" has now been renamed to "Advanced startups" and contains mostly things that are NT/2k/XP/etc. specific. It now lists more than 60 keys (of course, there are quite a few that appear for every user), and there will be more. From the IE settings, both proxy and start/search pages may be of interest as well, I agree. The pages are often misused to run malicious scripts (which then load stuff, so it's kind of "run").

    @semmel:
    A CLSID browser? Nice idea and something that has been on my list for a long time, but I never quite got around to it (except internal testing implementations for our detectives).

    Please send in your logs, of course. It's just the simple Online Analysis button with the "submit anonymous" checkbox checked!

    Yes, it's sufficient if you just copy over the files, or start it from a network drive. We tend to write all our tools in a way that they don't need something only the setup will create.

    @Rosenfeld:
    Well, we have a bit of a backlog because in the beginning, there were quite a lot of new legit entries.
    It's planned that you do the online analysis a day or two later and should have updated entries. That depends a bit on how much this grows of course - that's why we test this in a small area first. Allows us to get the bunch of legit entries done without people pressing :D

    Regarding HKEY_CURRENT_USER: HKCU is always just a link to the user currently logged in, who has a subkey under HKEY_USERS. Usually a real user has HKEY_USERS\S-1-5-XX-XXXXXXXXXXXXXXXXXXX (the smaller numbers are default system accounts). The default user key is a template that Windows will copy when you create new users. Spybot-S&D immunizes there as well.

    Regarding the keys - in some cases, I've tried to make things simpler and not really representing the registry structure completely. So it should show that sexycat entry under sexycat.adult-host.org, and not as a subkey of adult-host.org.

    @Tudds:
    yes. Red are the bad guys, green are legit entries, yellow entries we're not sure about, and white not yet classified entries.

    @all: Thanks for your offers of help! Filling the database with data is probably the most important thing during the alpha phase, to have a solid base when switching to beta.
    When we're there and I've implemented all the keys I intend to do, more information on additional startup locations will be welcome as well (right now, I've still got a dozen that need some more research, and two dozen or so finished that'll be new in the next release).
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)
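
The flattening described in #30 for the keys quoted in #28, as an added example that is not part of the thread and not RunAlyzer's code: it parses a .reg export of ZoneMap\Domains, joins nested keys into hostnames, and reports zones per user hive. The sample input is constructed; the SID and example.test are placeholders, and the function names are hypothetical.

```python
import re

# Zone numbers used by the "*"/protocol DWORD values under ZoneMap\Domains.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed .reg export: the two .DEFAULT keys quoted in post #28, plus a
# made-up per-user hive (placeholder SID) with a different entry.
SAMPLE_REG = r'''
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adult-host.org]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adult-host.org\sexycat]
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-EXAMPLE-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"http"=dword:00000002
'''

KEY_RE = re.compile(r'^\[(.+?)\\Software\\.*\\ZoneMap\\Domains\\([^\]]+)\]$', re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)

def flatten_zonemap(reg_text):
    """Return (rows, empty): rows are (hive, hostname, protocol, zone name);
    empty lists (hive, hostname) keys that carry no zone value themselves."""
    rows, seen, current = [], [], None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            # The registry nests domain\subdomain; the hostname reads the other way.
            host = ".".join(reversed(key.group(2).split("\\")))
            current = (key.group(1), host)
            seen.append(current)
        elif line.startswith("["):
            current = None  # a key outside ZoneMap\Domains
        elif current and (val := VAL_RE.match(line)):
            zone = int(val.group(2), 16)
            rows.append(current + (val.group(1), ZONES.get(zone, f"zone {zone}")))
    with_values = {(hive, host) for hive, host, _, _ in rows}
    return rows, [k for k in seen if k not in with_values]

def restricted_hosts(rows, hive):
    """Hostnames mapped to the Restricted sites zone in one user hive."""
    return sorted({h for hv, h, _, z in rows if hv == hive and z == "Restricted sites"})

if __name__ == "__main__":
    rows, empty = flatten_zonemap(SAMPLE_REG)
    for row in rows:
        print(*row, sep="  ")
    print("keys without their own zone value:", empty)
```

Comparing `restricted_hosts` across hives shows where the .DEFAULT template and a logged-in user's list differ, and the `empty` list marks parent keys such as adult-host.org whose only restriction sits on a subkey.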
