To perform dynamic analysis, you run a clean OS with tools running that measure the system state, and then you infect it with malware. You measure the real changes made on the system as the malware infects it.
This technique is easy and fast, but it has some disadvantages:
Open a browser and go to http://technet.microsoft.com/en-us/sysinternals/bb896645
Download Process Monitor onto your desktop, and unzip it. The executable should appear in a folder, as shown below:
Open a browser and go to http://sourceforge.net/projects/regshot/
Download RegShot and unzip it. A folder opens with several files, as shown below:
If you are using a 32-bit system, which is likely, you will use the regshot.exe file.
You should see a "Download Now" button on the right side of the window, as shown below. DO NOT CLICK IT YET!
Leave the Internet Explorer window open.
If a Security Warning box pops up, allow the software to run.
Agree to the license.
You should see Process Monitor, with a lot of processes visible, as shown below:
If a Security Warning box pops up, allow the software to run.
Regshot opens, as shown below:
Click the "1st shot" button. In the pop-up menu, click Shot.
You can see the progress as numbers count up in the lower portion of the Regshot window. When the shot is complete, the numbers stop changing and the "2nd shot" button is no longer grayed out, as shown below:
In Process Monitor, right-click the name of one of the visible processes, such as lsass, and click "exclude 'lsass.exe'", as shown below:
Wait while the event filter is applied.
Right-click a remaining process, such as "svchost.exe", and exclude it too.
Repeat the process until all current processes are hidden, as shown below. When I did it, the remaining processes to exclude were csrss.exe, explorer.exe, services.exe, vmtoolsd.exe, iexplore.exe, VMwareTray.exe, verclsid.exe, winlogon.exe, wmiprvse.exe, wuauclt.exe, regshot.exe, spoolsv.exe, alg.exe, rundll.exe, WMIADAP.EXE, GoogleUpdate.exe, GoogleCrashHandler.exe, chromeinstaller.exe, and setup.exe.
Make sure the empty "Process Monitor" window is visible.
Save this image with the filename Proj X13a from YOUR NAME
When you are done, Internet Explorer will show the new toolbar, as shown below:
In Regshot, click the "2nd shot" button. In the pop-up menu, click Shot.
When the snapshot is complete, click the Compare button.
You will see a report, showing a number of added keys -- 511 when I did it, as shown below:
Scroll down until you find a key installing Yahoo\Companion, as shown below:
Highlight Yahoo\Companion so it's easy to see.
Save this image with the filename Proj X13b from YOUR NAME
Highlight "yahoo_toolbar_install_helper" so it's easy to see.
Save this image with the filename Proj X13c from YOUR NAME
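The procedure above (baseline snapshot, infect, second snapshot, compare, with known processes hidden) is what Regshot and Process Monitor automate. The following is an added example written for this page, not code from the lab or from either tool: it implements the same snapshot-and-compare and process-exclusion logic over a constructed, in-memory "registry" and constructed event rows, so it runs offline on any OS; the installer process name and all registry data are made up.

```python
"""Added example: Regshot-style snapshot diff plus a Process Monitor-style
process exclusion filter, over constructed sample data (not real registry)."""
from copy import deepcopy

# Constructed "registry" of the clean VM: key path -> {value name: data}.
CLEAN = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"vmtoolsd": "vmtoolsd.exe"},
    r"HKCU\Software\Microsoft\Internet Explorer\Main": {"Start Page": "about:blank"},
}
# Constructed Process Monitor-style events; "installer.exe" is a made-up name.
EVENTS = [
    {"process": "svchost.exe", "op": "RegQueryValue", "path": r"HKLM\SYSTEM\Select"},
    {"process": "LSASS.EXE", "op": "RegOpenKey", "path": r"HKLM\SECURITY\Policy"},
    {"process": "installer.exe", "op": "RegSetValue", "path": r"HKLM\SOFTWARE\Yahoo\Companion"},
]
EXCLUDED = {"lsass.exe", "svchost.exe", "explorer.exe"}  # baseline processes hidden

def take_shot(tree):
    """Freeze a copy of the current state (Regshot '1st shot' / '2nd shot')."""
    return deepcopy(tree)

def compare(shot1, shot2):
    """Regshot-style diff: keys and values added, deleted or modified."""
    diff = {"keys_added": sorted(set(shot2) - set(shot1)),
            "keys_deleted": sorted(set(shot1) - set(shot2)),
            "values_added": [], "values_modified": []}
    for key in set(shot1) & set(shot2):
        for name, data in shot2[key].items():
            if name not in shot1[key]:
                diff["values_added"].append((key, name, data))
            elif shot1[key][name] != data:
                diff["values_modified"].append((key, name, shot1[key][name], data))
    return diff

def filter_events(events, excluded):
    """Hide events from known-baseline processes; match names case-insensitively."""
    excl = {p.lower() for p in excluded}
    return [e for e in events if e["process"].lower() not in excl]

def install_toolbar(tree):
    """Constructed stand-in for the toolbar installer's registry changes."""
    tree[r"HKLM\SOFTWARE\Yahoo\Companion"] = {"Version": "1.0"}
    tree[r"HKCU\Software\Microsoft\Internet Explorer\Main"]["Start Page"] = "http://www.yahoo.com/"
    tree[r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"]["yahoo_toolbar_install_helper"] = "helper.exe"

def run_analysis():
    """1st shot on the clean system, infect, 2nd shot, compare."""
    shot1, live = take_shot(CLEAN), deepcopy(CLEAN)
    install_toolbar(live)
    return compare(shot1, take_shot(live))
```

Running `run_analysis()` reports one added key (the Yahoo\Companion key) plus the changed start page and the new Run value, which is the same kind of evidence the Regshot compare report shows; `filter_events` leaves only the installer's events, as the exclusion step does in Process Monitor.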