Windows XP Tips, Part 5 - Pdf 64

^=^ Đặng Hoàng Hải ^=^

Tips for Win XP All rights reserved by Rosea
HD080905004
2) For "per machine" restriction, go to Computer Configuration, Administrative Templates,
Windows Components, Windows Messenger

For "per user" restriction, go to User Configuration, Administrative Templates, Windows
Components, Windows Messenger

3) You can now modify whether it starts initially and/or whether it is allowed to run at all.

Note: Outlook and Outlook Express will take longer to open, unless you turn off Messenger
Support.

In Outlook Express it's in Tools, Options, General tab. In Outlook it's in Tools, Options, Other.

If you prefer to remove Windows Messenger manually, click Start, Run and enter the following
command:

RunDll32 advpack.dll,LaunchINFSection %windir%\inf\msmsgs.inf,BLC.Remove

Note: This will cause a long delay when opening Outlook Express if you have the Contacts pane
enabled.

To prevent this, click Start, Run and enter REGEDIT. Go to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express

Right click in the right pane and select New, DWORD Value. Give it the name Hide Messenger.

SHIFT+F1 Activate context-sensitive Help mode (What's This?).

SHIFT+F10 Display pop-up menu. (Or use "MENU" button.)

SPACEBAR Select (same as mouse button 1 click).

ESC Cancel

ALT Activate or inactivate menu bar mode (then press letter for that item).

ALT+TAB Display next primary window (or application).

ALT+ESC Display next window.

ALT+SPACEBAR Display pop-up menu for the window.

ALT+ENTER Display property sheet for current selection.

ALT+F4 Close active window.

ALT+F6 Switch to next window within application (between modeless secondary windows and
their primary window).

ALT+PRINT SCREEN Capture active window image to the Clipboard.

PRINT SCREEN Capture desktop image to the Clipboard.

CTRL+ESC Access Start button in taskbar.


methods that Windows uses every time you reboot. The aim of this article is to give out the
autostart methods so that you can find out for yourself how trojans work after you run them,
and also to let you find the unknown ones. Because, as you all know, after running a scan on
our system with a known antivirus we can detect most of the known viruses/trojans/bots/etc.
with it. But as I said before, the aim of this article is to detect the unknown trojans
manually.
I guess that's enough, I'm bored too.. here we go guys.. enjoy :)

So whatever you do, do it at your own risk. I've explained everything in detail so everything is
clear. If you do something wrong, that is your problem.

Startup Methods

%windir%\Start Menu\Programs\StartUp {English}
%windir%\All Users\Start Menu\Programs\StartUp {English}
%windir%\Menu Démarrer\Programmes\Démarrage {French}
%windir%\All Users\Menu Iniciar\Programas\Iniciar {Portuguese, Brazilian}

Any file copied or linked into the Startup directory will start when Windows is booted. So
deleting unknown/suspicious files from that location is a good idea.

This Autostart Directory is saved in :

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="%windir%\Start menu\programs\startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="%windir%\Start menu\programs\startup"


Well, it's the same with 'load='. So if you see anything in here too, delete it.*

* In some cases the file next to the 'load=' and the 'run=' lines, could be placed there by any
program that you use, or that could be a driver file of your hardware, but that's rare.

The following keys are the most common startup methods for Windows OSes such as:
Microsoft Windows 98 / SE
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows Millennium Edition
Microsoft Windows XP

DISCLAIMER
Modifying the registry can cause serious problems that may require you to reinstall your
operating system. We cannot guarantee that problems resulting from modifications to the
registry can be solved. Use the information provided at your own risk.

As a detail, the file name you see in the right pane, like "whatever"="C:\Windows\Zip.exe",
will run each time Windows reboots. That's an old trick too, which trojan authors have used for
years, but it is still in use by most trojans around. So you need to be sure that you know every
string in the right pane and what it is.

What Is The Registry ?

The Registry is a hierarchical database within later versions of Windows (95/98/NT4/NT5) where
all the system settings are stored. It has replaced all of the .ini files that were present in
Windows 3.x. The data from system.ini, win.ini, control.ini, are all contained within it now, along

InstallLocationsMRU: Contains the paths for the Startup folder programs.
Keyboard layout: Specifies current keyboard layout.
Network: Network connection information.
RemoteAccess: Current log-on location information, if using Dial-Up Networking.
Software: Software configuration settings for the currently logged-on user.

HKEY_LOCAL_MACHINE: Contains information about the hardware and software settings that are
generic to all users of this particular computer.
Config: Configuration information/settings.
Enum: Hardware device information/settings.
Hardware: Serial communication port(s) information/settings.
Network: Information about network(s) the user is currently logged on to.
Security: Network security settings.
Software: Software specific information/settings.
System: System startup and device driver information and operating system settings.

HKEY_USERS: Contains information about desktop and user settings for each user that logs on to
the same Windows 95 system. Each user will have a subkey under this heading. If there is only
one user, the subkey is ".default".

HKEY_CURRENT_CONFIG: Contains information about the current hardware configuration,
pointing to HKEY_LOCAL_MACHINE.

HKEY_DYN_DATA: Contains dynamic information about the plug-and-play devices installed on
the system. The data here changes if devices are added or removed on-the-fly.

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
"Blah Blah"="The_Location_Of_The_Trojan"

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce

Subkeys (Static VxDs) under Hkey_Local_Machine\System\CurrentControlSet\Services\VxD\

The [386enh] section of %windir%\system.ini (this includes the scrnsave.exe= line in system.ini,
which can be used to run things on your system).

The [boot] section of %windir%\system.ini (this includes the scrnsave.exe= line in system.ini,
which can be used to run things on your system).

The IOSUBSYS folder (drivers load automatically)
That's easy, huh? That means anything in that folder will run each time your Windows reboots.

The VMM32 folder (drivers that take precedence over those built into vmm32.vxd)

config.sys

autoexec.bat
Runs every time at the DOS level.

winstart.bat
Note: behaves like a usual BAT file. Used for copying/deleting specific files. Autostarts every
time you reboot.

wininit.ini
* Bonus item - files can be [runonce,] deleted or renamed from the wininit.ini file.

Often used by setup programs: when the file exists it is run ONCE and then deleted by
Windows.
Example content of wininit.ini:



With such registry entries, the trojan.exe is executed each time an *.bat is executed.

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
The key should have the value "%1" %*.
Backdoor example:
[HKEY_CLASSES_ROOT\htafile\shell\open\command] @="\"trojan.exe %1\" %*"

With such registry entries, the trojan.exe is executed each time an *.hta is executed.

[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
The key should have the value "%1" %*.
Backdoor example:
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"trojan.exe %1\" %*"

With such registry entries, the trojan.exe is executed each time an *.pif is executed.

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
The key should have the value "%1" %*.
Backdoor example:
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"trojan.exe %1\" %*"

With such registry entries, the trojan.exe is executed each time an *.bat is executed.

[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
The key should have the value "%1" %*.
Backdoor example:
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"trojan.exe

With such registry entries, the trojan.exe is executed each time a *.com is executed.

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
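To check the association keys and the Run/RunOnce keys listed above without clicking through every key in regedit, here is an added Python example (not code from the original article): it parses a regedit text export (.reg) and reports any batfile, comfile, piffile or htafile shell\open\command that is not the "%1" %* default the article gives, plus every entry found under the Run and RunOnce keys. The sample export, the WATCHED_CLASSES list, DEFAULT_OPEN_COMMAND and all function names are constructed for this example. One caveat: on a real Windows XP install the htafile command points at mshta.exe rather than "%1" %*, so in practice compare against a known-good export from the same OS version instead of a single constant.

```python
import re

# Default the article gives for the association keys above: "%1" %*
DEFAULT_OPEN_COMMAND = '"%1" %*'

# File classes whose shell\open\command the article says should be the default
# (constructed list for this example, taken from the entries above).
WATCHED_CLASSES = {"batfile", "comfile", "piffile", "htafile"}

# Autostart keys from the article; every value under them deserves a look.
RUN_KEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
)

# Constructed sample export: one hijacked association, two clean ones, one Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
@="\"trojan.exe %1\" %*"

[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Blah Blah"="C:\\Windows\\Zip.exe"
'''

# A value line is either @=data (the key's default value) or "name"=data.
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}}; '@' is the default value.
    Only quoted REG_SZ data is decoded; other types are kept as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def _normalise(key):
    # HKEY_CLASSES_ROOT is a view of HKLM\Software\Classes; fold both spellings together.
    k = key.lower()
    for prefix in ("hkey_classes_root\\", "hkey_local_machine\\software\\classes\\"):
        if k.startswith(prefix):
            return "classes\\" + k[len(prefix):]
    return k


def find_suspicious(keys):
    """Return (key, value_name, data, reason) tuples that a defender should review."""
    findings = []
    for key, values in keys.items():
        norm = _normalise(key)
        parts = norm.split("\\")
        if (len(parts) == 5 and parts[0] == "classes" and parts[1] in WATCHED_CLASSES
                and parts[2:] == ["shell", "open", "command"]):
            cmd = values.get("@", "")
            if cmd != DEFAULT_OPEN_COMMAND:
                findings.append((key, "@", cmd,
                                 "association command is not the expected \"%1\" %*"))
        elif any(norm.endswith(rk) for rk in RUN_KEYS):
            for name, data in values.items():
                findings.append((key, name, data, "autostart entry under Run/RunOnce"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in find_suspicious(parse_reg(SAMPLE_REG)):
        print(f"{reason}: [{key}] {name}={data}")
```

Run it against your own export (regedit, File, Export, with "Registry Editor 5" or "Win9x/NT4" format; both are handled) by reading the file into `parse_reg`. Run/RunOnce entries are always listed rather than judged, because only you know which of them belong to software you installed.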

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
This key includes all the APPS which are executed IF ICQNET detects an Internet connection.


The following two are used by Sub7 2.2:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
stubPath=C:\PathToFile\Filename.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User shell folders
This starts filename.exe BEFORE the shell and any other program normally started via the
Run keys.

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @="Scrap object" "NeverShowExt"=""
The NeverShowExt entry has the function of HIDING the real extension of the file (here SHS). This
means that if you rename a file to "Girl.jpg.shs" it displays as "Girl.jpg" in all programs, including
Explorer.
Your registry should be full of NeverShowExt entries; simply delete the entry to get the real
extension to show up.
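The "Girl.jpg.shs" disguise can be spotted from a plain directory listing, without touching the registry. This added Python example (not part of the original article) reconstructs what Explorer would display for each name and flags files whose real, hidden extension sits behind a second, visible one. The list of hidden extensions is my own: .shs is the class the text discusses, and the others are file classes that also carry NeverShowExt on a default install, but confirm them against your own registry. The directory listing is constructed for the example.

```python
import os

# File classes that carry NeverShowExt on a default install, so Explorer hides
# their extension. .shs (ShellScrap) is the case the text discusses; the others
# are my own addition for this example and should be checked against your registry.
HIDDEN_EXTENSIONS = {".shs", ".shb", ".pif", ".lnk", ".url", ".scf"}

# Constructed directory listing for the example.
SAMPLE_LISTING = ["Girl.jpg.shs", "report.doc", "notes.txt.lnk", "readme.shs", "setup.exe"]


def displayed_name(filename):
    """What Explorer shows when the real extension is hidden by NeverShowExt."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in HIDDEN_EXTENSIONS else filename


def check_double_extension(filename):
    """Return (suspicious, shown_name, real_ext).

    Suspicious means the real extension is hidden AND what remains visible ends in
    another extension, so the user sees e.g. 'Girl.jpg' for a scrap object."""
    stem, ext = os.path.splitext(filename)
    real_ext = ext.lower()
    if real_ext not in HIDDEN_EXTENSIONS:
        return False, filename, real_ext
    inner_ext = os.path.splitext(stem)[1].lower()
    return bool(inner_ext), stem, real_ext


def scan_listing(names):
    """Return the file names in a listing whose visible name is misleading."""
    return [n for n in names if check_double_extension(n)[0]]


if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        suspicious, shown, real = check_double_extension(name)
        flag = "SUSPICIOUS" if suspicious else "ok"
        print(f"{flag:10} shown as {shown!r:16} real extension {real!r}")
```

A plain "readme.shs" is not flagged: its extension is hidden, but nothing about the visible name pretends to be another file type. Point `scan_listing` at `os.listdir()` of a download or attachment folder to review real names.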

