hey guys, i was reading a post that talks about trojans, and some of the replies talked about some registry keys that you can check and see if you have trojans or viruses etc. those are the most common reg keys; however, i decided to include a few more. this might help you in your fight against the viruses and spyware that infected your computer
1) Autostart folder
C:\windows\start menu\programs\startup
you can find the location of this folder in here:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Startup="C:\windows\start menu\programs\startup"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Startup="C:\windows\start menu\programs\startup"
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
"Common Startup"="C:\windows\start menu\programs\startup"
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
"Common Startup"="C:\windows\start menu\programs\startup"
"this key is the most famous one, whatever you put in there will be executed when you start up your computer"
2) check the file "Win.ini" and see what it has in these lines
[windows]
load=file.exe
run=file.exe
whatever you have in there will also be executed
3) This is another file, "System.ini"
[boot]
Shell=Explorer.exe file.exe
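The two ini checks above can be scripted against a copy of the files. The following is an added example, not code from the original post: a small ini parser plus one check for the load=/run= lines of win.ini and one for the Shell= line of system.ini. The sample file contents are constructed to match the layout the post shows; the only expected-good state assumed here is the one the post implies (empty load=/run=, and Shell= naming nothing but Explorer.exe).

```python
"""Check win.ini / system.ini for the autostart lines described in sections 2 and 3.

Added example, not part of the original post. WIN_INI, SYSTEM_INI and
CLEAN_WIN_INI are constructed samples; read the real files from the Windows
directory and pass their text to the check functions.
"""

def parse_ini(text):
    """Minimal ini parser: {section: {key: value}}, sections and keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_win_ini(text):
    """load= and run= under [windows] should be empty; return every program listed there."""
    windows = parse_ini(text).get("windows", {})
    findings = []
    for key in ("load", "run"):
        # several programs may be listed, separated by spaces
        for program in windows.get(key, "").split():
            findings.append((key, program))
    return findings

def check_system_ini(text):
    """shell= under [boot] should be exactly Explorer.exe; return the tokens if it is not."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    tokens = shell.split()
    if len(tokens) == 1 and tokens[0].lower() == "explorer.exe":
        return []
    return tokens

# Constructed samples in the layout the post shows (not real files)
WIN_INI = """[windows]
load=file.exe
run=file.exe
[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = """[boot]
Shell=Explorer.exe file.exe
[386Enh]
device=*vmm
"""
CLEAN_WIN_INI = """[windows]
load=
run=
"""

if __name__ == "__main__":
    print("win.ini autostart entries:", check_win_ini(WIN_INI))
    print("system.ini shell tokens:", check_system_ini(SYSTEM_INI))
```

Anything returned by either function is a program that will be launched at boot or alongside the shell; an empty list is the expected result on a clean machine.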
4) c:\windows\winstart.bat
It basically behaves like a normal batch file; the only difference is that it can be used to delete files when you start up your computer
5) Registry (these are the ones that are mentioned very often):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Whatever"="c:\runfolder\program.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
"Whatever"="c:\runfolder\program.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Whatever"="c:\runfolder\program.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
"Whatever"="c:\runfolder\program.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Whatever"="c:\runfolder\program.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
"Whatever"="c:\runfolder\program.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
"Whatever"="c:\runfolder\program.exe"
6) c:\windows\wininit.ini
"Often used by setup programs: when the file exists it is run ONCE and then deleted by Windows"
Example content of wininit.ini:
[Rename]
NUL=c:\windows\picture.exe
This will basically delete the picture.exe file when you start up your computer, and it will do it without you even knowing about it
7) This is a classic one: "Autoexec.bat"
8) These reg keys will basically spawn your programs. As you can see this is very dangerous, because these keys are used a lot by viruses and trojans such as Subseven
HKEY_CLASSES_ROOT\exefile\shell\open\command @="\"%1\" %*"
HKEY_CLASSES_ROOT\comfile\shell\open\command @="\"%1\" %*"
HKEY_CLASSES_ROOT\batfile\shell\open\command @="\"%1\" %*"
HKEY_CLASSES_ROOT\htafile\Shell\Open\Command @="\"%1\" %*"
HKEY_CLASSES_ROOT\piffile\shell\open\command @="\"%1\" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command @="\"%1\" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command @="\"%1\" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command @="\"%1\" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command @="\"%1\" %*"
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command @="\"%1\" %*"
The default value of each key should be "%1" %*; if this is changed to server.exe "%1" %*, then
server.exe will be executed EVERY TIME an exe/pif/com/bat/hta is executed.
9) This key is for people who like to use ICQ
HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test
"Path"="test.exe"
"Startup"="c:\test"
"Parameters"=""
"Enable"="Yes"
HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps
This key includes all the APPS which are executed IF ICQNET detects an Internet connection.
10) Explorer start-up
The problem with these operating systems is that they look for a file called "explorer.exe" whenever you start up your computer. That file is basically the one you see all the time but don't realize is there, lol; if you go to your Task Manager you can see it, and you can even kill it and you will see that everything on your computer that belongs to Microsoft disappears, except for the extra windows that you opened such as cmd, regedit, services.msc etc., but your desktop will be gone.
As you can see this is dangerous, because it also means that if somebody modifies your explorer.exe file then your computer will be corrupted. In fact, changing the name of the Start button has to be done by modifying the explorer.exe file, so that is a clue of how a small difference can have an effect on your computer.
here is the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
if a trojan changes that to the path of another "infected explorer.exe" file, your computer will start up the file the trojan told it to and not the one used by Microsoft.
11) Here is my favorite reg key, "Active-X Component"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe
This key is great because it starts the program in its path BEFORE explorer.exe and any other program starts on your computer, so if you wonder why your antivirus can't detect the virus when you boot up, it may be because your "virus" is taking care of it before it starts up. It could even kill your antivirus before your antivirus starts.
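The registry locations from sections 5, 8, 10 and 11 can be audited offline from a `reg export` dump instead of clicking through regedit. What follows is an added example, not code from the original post: it parses the text of a .reg file (Windows Registry Editor Version 5.00 format), lists every value under the Run/RunOnce/RunServices keys and every Active Setup StubPath, flags a Winlogon Shell that is anything other than explorer.exe, and flags a file-class shell\open\command whose default value is not the "%1" %* the post gives as the baseline. SAMPLE_REG is a constructed dump; the Active Setup subkey name in it is a placeholder, and the "%1" %* baseline is the post's, so adjust it if your Windows build ships a different default.

```python
"""Offline audit of a .reg export against the autostart locations listed in the post.

Added example, not from the original post. Feed it the text produced by
`reg export <key> file.reg`; SAMPLE_REG below is constructed for illustration.
"""
import re

# Keys whose every value is an autostart entry (post, section 5)
RUN_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Microsoft\Windows\CurrentVersion\RunServices",
    r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
)
ACTIVE_SETUP = r"\Microsoft\Active Setup\Installed Components"   # section 11
WINLOGON = r"\Microsoft\Windows NT\CurrentVersion\Winlogon"      # section 10
# File classes whose shell\open\command the post says should read "%1" %* (section 8)
HIJACKABLE_CLASSES = ("exefile", "comfile", "batfile", "piffile", "htafile")
EXPECTED_OPEN_COMMAND = '"%1" %*'   # baseline taken from the post; assumption for your build

def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_reg(text):
    """Return {key_path: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])   # REG_SZ; dword:/hex: values are kept raw
        keys[current][name] = data
    return keys

def audit(text):
    """Return a list of (category, key, value_name, data) findings."""
    findings = []
    for key, values in parse_reg(text).items():
        lower = key.lower()
        if any(lower.endswith(k.lower()) for k in RUN_KEYS):
            # every entry here autostarts; the reader decides which ones are legitimate
            for name, data in values.items():
                findings.append(("autostart", key, name, data))
        elif ACTIVE_SETUP.lower() in lower and "StubPath" in values:
            # runs before the shell, so it is worth listing unconditionally
            findings.append(("active-setup", key, "StubPath", values["StubPath"]))
        elif lower.endswith(WINLOGON.lower()) and "Shell" in values:
            if values["Shell"].strip().lower() != "explorer.exe":
                findings.append(("shell-replaced", key, "Shell", values["Shell"]))
        elif lower.endswith(r"\shell\open\command"):
            file_class = lower.split("\\")[-4]   # ...\<class>\shell\open\command
            default = values.get("@", EXPECTED_OPEN_COMMAND)
            if file_class in HIJACKABLE_CLASSES and default != EXPECTED_OPEN_COMMAND:
                findings.append(("open-command-hijack", key, "@", default))
    return findings

# Constructed sample export: one benign and one unknown Run entry, a hijacked
# exefile command, an untouched comfile command, an extended Winlogon Shell and
# an Active Setup component with a placeholder subkey name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Whatever"="c:\\runfolder\\program.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="server.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe c:\\windows\\picture.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{PLACEHOLDER-KEYNAME}]
"StubPath"="C:\\PathToFile\\Filename.exe"
'''

if __name__ == "__main__":
    for category, key, name, data in audit(SAMPLE_REG):
        print(f"{category:20} {key}  {name} = {data}")
```

The "autostart" and "active-setup" findings are inventories rather than verdicts: compare them against what you installed. The "shell-replaced" and "open-command-hijack" findings are the two cases the post calls out as directly dangerous, because a second program is run every time the shell starts or every time any executable of that class is opened.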
I hope this will help you a little bit, and if you have any questions please ask. cya
[Source: Ozzu - Posted by Kishore Vengala]
Saturday, November 10, 2007