
Saturday, November 10, 2007

Registry keys used by many viruses and spyware

Hey guys, I was reading a post that talks about trojans, and some of the replies talked about some registry keys that you can check to see if you have trojans or viruses etc. Those are the most common reg files; however, I decided to include a few more. This might help you in your fight against the viruses and spyware that infected your computer.

1) Autostart folder

C:\windows\start menu\programs\startup

you can find the location of this folder in here:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Startup="C:\windows\start menu\programs\startup"

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Startup="C:\windows\start menu\programs\startup"

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
"Common Startup"="C:\windows\start menu\programs\startup"

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
"Common Startup"="C:\windows\start menu\programs\startup"

"This key is the most famous one; whatever you put in there will be executed when you start up your computer."


2) Check the file "Win.ini" and see what it has in these lines:
[windows]
load=file.exe
run=file.exe

Whatever you've got in there will also be executed.

3) This is another file, "System.ini":
[boot]
Shell=Explorer.exe file.exe

4) c:\windows\winstart.bat
It basically behaves like a normal batch file; the only difference is that it can be used to delete files when you start up your computer.

5) Registry (these are the ones that are mentioned very often):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Whatever"="c:\runfolder\program.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
"Whatever"="c:\runfolder\program.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Whatever"="c:\runfolder\program.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
"Whatever"="c:\runfolder\program.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Whatever"="c:\runfolder\program.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
"Whatever"="c:\runfolder\program.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
"Whatever"="c:\runfolder\program.exe"


6) c:\windows\wininit.ini

"Often used by setup programs; when the file exists it is run ONCE and then is deleted by Windows."
Example content of wininit.ini:
[Rename]
NUL=c:\windows\picture.exe
This will basically delete the picture.exe file when you start up your computer, and it will do it without you even knowing about it.

7) This is a classic one: "Autoexec.bat"


8) Cool, these reg keys will basically spawn your programs. As you can see this is very dangerous, because these keys are heavily used by viruses and trojans such as SubSeven.

HKEY_CLASSES_ROOT\exefile\shell\open\command @="\"%1\" %*"
HKEY_CLASSES_ROOT\comfile\shell\open\command @="\"%1\" %*"
HKEY_CLASSES_ROOT\batfile\shell\open\command @="\"%1\" %*"
HKEY_CLASSES_ROOT\htafile\Shell\Open\Command @="\"%1\" %*"
HKEY_CLASSES_ROOT\piffile\shell\open\command @="\"%1\" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command @="\"%1\" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command @="\"%1\" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command @="\"%1\" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command @="\"%1\" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command @="\"%1\" %*"
The key should have a value of "%1" %*; if this is changed to "server.exe %1 %*", then server.exe will be executed EVERY TIME an exe/pif/com/bat/hta is executed.

9) This key is for people who like to use ICQ:
HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test
"Path"="test.exe"
"Startup"="c:\test"
"Parameters"=""
"Enable"="Yes"
HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps
This key includes all the APPS which are executed IF ICQNET detects an Internet connection.

10) Explorer start-up

The problem with these operating systems is that they look for a file called "explorer.exe" whenever you start up your computer. That file is basically the one that you see all the time but don't realize it is there, lol. If you go to your task manager you can see it; you can even kill it, and you will see that everything in your computer that belongs to Microsoft will disappear, except for the extra windows that you open such as cmd, regedit, services.msc etc., but your desktop will be gone.
As you can see this is dangerous, because it also means that if somebody modifies your explorer.exe file then your computer will be corrupted. In fact, changing the name of the Start button has to be done by modifying the explorer.exe file, so there is a clue of how a small difference can have an effect on your computer.

Here is the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
If a trojan changes that to the path of another "infected explorer.exe file", your computer will start up the file the trojan told it to and not the one used by Microsoft.


11) Here is my favorite reg key, the "Active-X Component":

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe
This key is great because it starts the program that it has in its path BEFORE the explorer.exe file and any other program starts in your computer. So if you can't understand why your antivirus can't detect the virus when you boot up, it is maybe because your "virus" is taking care of it before it starts up. It could even kill your antivirus before your antivirus starts up.

I hope this will help you a little bit, and if you have any questions please ask. cya



Topic Replies: 1


[Source: Ozzu - Posted by Kishore Vengala]
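As an added example (not part of the original post), here is a PowerShell audit script that reads the autostart locations listed above on a Windows host and warns when the Winlogon Shell, the exe/com/bat/pif open handlers, or Active Setup StubPath entries differ from what the post describes as normal. It assumes an elevated PowerShell session; the htafile handler is skipped because on current Windows its default handler is mshta.exe rather than "%1" %*, so a plain comparison would always warn.

```powershell
# Added example: audit the autostart locations from the post above.
# Assumes an elevated PowerShell session on Windows.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

Write-Host '== Run / RunOnce / RunServices entries (review each one) =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }      # RunServices keys exist only on old Windows
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PowerShell's own metadata properties
        '{0}  {1} = {2}' -f $key, $p.Name, $p.Value
    }
}

Write-Host '== Winlogon Shell (expected: explorer.exe) =='
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -ne 'explorer.exe') { Write-Warning "Winlogon Shell is '$shell'" } else { 'Shell OK' }

Write-Host '== File-type open handlers (expected: "%1" %*) =='
foreach ($type in 'exefile', 'comfile', 'batfile', 'piffile') {
    # The default value of a key shows up as the '(default)' property.
    $cmd = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command").'(default)'
    if ($cmd -ne '"%1" %*') { Write-Warning "$type handler is: $cmd" } else { "$type OK" }
}

Write-Host '== Active Setup StubPath entries (run before the shell; review each one) =='
Get-ChildItem 'HKLM:\Software\Microsoft\Active Setup\Installed Components' |
    ForEach-Object {
        $stub = (Get-ItemProperty $_.PSPath).StubPath
        if ($stub) { '{0}  StubPath = {1}' -f $_.PSChildName, $stub }
    }
```

The Run and StubPath sections list every entry rather than judging it, since legitimate software uses them too; compare against a known-good machine or a saved baseline.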

FreeHoxt.com: Free Hosting - 7 GB WebSpace, 7 TB Bandwidth

THE BEST FREE HOSTING PROVIDER!

- 7 GB Webspace (+ 7000 MB!)
- 7 TB Monthly Data Transfer (+ 7000000 MB!)
- PHP and MySQL Supported
- FTP Supported
- Subdomain (http://yourname.freehoxt.com)
- Powerful Control Panel
- Pre-installed Scripts
- Free Web Statistics
- Add your own domain
- Host your blogs / forums
- Incredible support
- 99.9% Uptime
- and so much more!

100% FREE! Sign Up Now!

Website Link: freehoxt.com

Topic Replies: 0


[Source: Ozzu - Posted by Kishore Vengala]

SITE REVIEW: Watch Anime Episodes Online

http://animecinema.net/

Hi, my website is a site where I gather anime episodes hosted on various video sharing sites and organise them in a blog. I haven't really done much with the appearance (the default template), other than the banner (I didn't make it) and the footer, as well as making the page wider. I've also tweaked a few things here and there. So pretty much I'm interested in what you think of its usability and also the AdSense placement.

I know there are a few technical issues currently (such as the email not working) and the XHTML is not exactly valid (I'll get to that eventually).

Pretty much the only criticism I have gotten so far is that I should add pictures to the posts.

I've gotten pretty decent traffic in the first week and a bit (AWStats), but I'd like to improve my page rank. I hear web directories help.

Thanks.

Topic Replies: 0


[Source: Ozzu - Posted by FreeAutoBlogger]

JOB OFFER: Digital Art, Hire

Greetings!
I'm looking for someone who can do some cool medieval paintings. I will need a few and might hire you sometime in the future as well. I would like to see your portfolio before you start working with me.
You don't have to be a real professional, because I think they charge pretty much.

If you do believe that you could do this for me, please contact me through MSN or e-mail! MSN and e-mail: SimonVargo@hotmail.com.

You could also be in the team if we think that you are really good and quite young, since we are all 15 and 16 and will try to make some money in the future.
So even if you don't think that you are good enough, please write to me anyway! I appreciate any application!
More instructions will be sent later.

Thanks in advance

Simon

Topic Replies: 0


[Source: Ozzu - Posted by Kishore Vengala]

Drop Down

Hi to all of you,
for about 5 consecutive days my post was in the top 3 when I searched for it on Google, so why is it that now I can't see my site?

Topic Replies: 1


[Source: Ozzu - Posted by FreeAutoBlogger]

Membership log-in

I need help creating a log-in script and protecting some features on every page from nonmembers and making other pages members only and even other pages for administrator only... any help?

I know that I'll need sessions and all of that fun stuff, but I need help in creating one.

Topic Replies: 3


[Source: Ozzu - Posted by Kishore Vengala]