0 Members and 1 Guest are viewing this topic.
1. Autostart folder Everything in here will restart. C:\windows\start menu\programs\startup {english} C:\windows\Menu Démarrer\Programmes\Démarrage {french} This Autostart Directory is saved in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Startup="C:\windows\start menu\programs\startup" 'So it could be easily changed by any program.2. Win.ini [windows] load=file.exe run=file.exe3. System.ini [boot] Shell=Explorer.exe file.exe4. c:\windows\winstart.bat 'Note behaves like an usual BAT file. Used for copying deleting specific files. Autostarts everytime5. Registry [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]6. c:\windows\wininit.ini 'Often Used by Setup-Programs when the file exists it is run ONCE and then is deleted by windows Example: (content of wininit.ini) [Rename] NUL=c:\windows\picture.exe 'This example sends c:\windows\picture.exe to NUL, which means that it is deleted. This requires no interactivity with the user and runs totaly stealth.7. Autoexec.bat Starts everytime at Dos Level. 8. Registry Shell Spawning [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*" The key should have a value of Value "%1 %*", if this is changed to "server.exe %1 %*", the server.exe is executed EVERYTIME an exe/pif/com/bat/hta is executed. Known as Unkown Starting Method and is currently used by Subseven. 9. Icq Inet [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test] "Path"="test.exe" "Startup"="c:\\test" "Parameters"="" "Enable"="Yes" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.9. Misc Information [HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @="Scrap object" "NeverShowExt"="" The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS. This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs including Explorer. Your registry should be full of NeverShowExt keys, simply delte the key to get the real extension to show up.
<Spacecow_> for that matter I have trouble believing bitches are made out of ribs<Gundilido> we are the revolutionary vanguard fighting for the peoples right to display sombrero dawning poultry<Spacecow> did they see your doodle?<~phage> Maybe <+Unresolved> its just not creative enough for me <+Unresolved> my imagination is to big to something so simple
