Gonzalez Posted March 25, 2008 Report Share Posted March 25, 2008 Lista e buna pentru cei care fac RAT's sau programe care pornesc cu Windows-ul.Registry Autostart Locations1.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run\All values in this key are executed.2.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunOnce\All values in this key are executed, and then their autostart reference is deleted.3.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunServices\All values in this key are executed as services.4.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\RunServicesOnce\All values in this key are executed as services, and then their autostart reference is deleted.5.HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run\All values in this key are executed.6.HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\RunOnce\All values in this key are executed, and then their autostart reference is deleted.7.HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\RunOnce\Setup\Used only by Setup. Displays a progress dialog box as the keys are run one at a time.8.HKEY_USERS\.Default\Software\Microsoft\Windows\Cur rentVersion\Run\Similar to the Run key from HKEY_CURRENT_USER.9.HKEY_USERS\.Default\Software\Microsoft\Windows\Cur rentVersion\RunOnce\Similar to the RunOnce key from HKEY_CURRENT_USER.10.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinlogonThe "Shell" value is monitored. This value is executed after you log in.11.HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\All subkeys are monitored, with special attention paid to the "StubPath" value in each subkey.12.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\VxD\All subkeys are monitored, with special attention paid to the "StaticVXD" value in each subkey.13.HKEY_CURRENT_USER\Control Panel\DesktopThe "SCRNSAVE.EXE" value is monitored. This value is launched when your screen saver activates.14.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contro l\Session ManagerThe "BootExecute" value is monitored. Files listed here are Native Applications that are executed before Windows starts.15.HKEY_CLASSES_ROOT\vbsfile\shell\open\command\Executed whenever a .VBS file (Visual Basic Script) is run.16.HKEY_CLASSES_ROOT\vbefile\shell\open\command\Executed whenever a .VBE file (Encoded Visual Basic Script) is run.17.HKEY_CLASSES_ROOT\jsfile\shell\open\command\Executed whenever a .JS file (Javascript) is run.18.HKEY_CLASSES_ROOT\jsefile\shell\open\command\Executed whenever a .JSE file (Encoded Javascript) is run.19.HKEY_CLASSES_ROOT\wshfile\shell\open\command\Executed whenever a .WSH file (Windows Scripting Host) is run.20.HKEY_CLASSES_ROOT\wsffile\shell\open\command\Executed whenever a .WSF file (Windows Scripting File) is run.21.HKEY_CLASSES_ROOT\exefile\shell\open\command\Executed whenever a .EXE file (Executable) is run.22.HKEY_CLASSES_ROOT\comfile\shell\open\command\Executed whenever a .COM file (Command) is run.23.HKEY_CLASSES_ROOT\batfile\shell\open\command\Executed whenever a .BAT file (Batch Command) is run.24.HKEY_CLASSES_ROOT\scrfile\shell\open\command\Executed whenever a .SCR file (Screen Saver) is run.25.HKEY_CLASSES_ROOT\piffile\shell\open\command\Executed whenever a .PIF file (Portable Interchange Format) is run.26.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Services marked to startup automatically are executed before user login.27.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\Winsock2\Parameters\Protocol_Catalog\Catalog_En tries\Layered Service Providers, executed before user login.28.HKEY_LOCAL_MACHINE\System\Control\WOW\cmdlineExecuted when a 16-bit Windows executable is executed.29.HKEY_LOCAL_MACHINE\System\Control\WOW\wowcmdlineExecuted when a 16-bit DOS application is executed.30.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserinitExecuted when a user logs in.31.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad\Executed by explorer.exe as soon as it has loaded.32.HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\runExecuted when the user logs in.33.HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\loadExecuted when the user logs in.34.HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer\run\Subvalues are executed when Explorer initialises.35.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Policies\Explorer\run\Subvalues are executed when Explorer initialises.Folder Autostart Locations1. windir\Start Menu\Programs\Startup\2. User\Startup\3. All Users\Startup\4. windir\system\iosubsys\5. windir\system\vmm32\6. windir\Tasks\File Autostart Locations1. c:\explorer.exe2. c:\autoexec.bat3. c:\config.sys4. windir\wininit.ini5. windir\winstart.bat6. windir\win.ini - [windows] "load"7. windir\win.ini - [windows] "run"8. windir\system.ini - [boot] "shell"9. windir\system.ini - [boot] "scrnsave.exe"10. windir\dosstart.bat11. windir\system\autoexec.nt12. windir\system\config.ntBafta!-Gonzalez Quote Link to comment Share on other sites More sharing options...
dabesteva Posted March 27, 2008 Report Share Posted March 27, 2008 ehmm,imi explici te rog ce program folosesti...? Quote Link to comment Share on other sites More sharing options...
loki Posted March 27, 2008 Report Share Posted March 27, 2008 Foarte util multumesc ( :oops: incep sa sun ca nou-venitii ).Lista este deosebit de importanta si in alt scop: spy-urile, wormii folosesc aceste metode pentru start-up si odata dezactivate in safe-mode ei sunt anihilati si pot fi stersi lejer mai tarziu.Ar fi utila o completare cu intrarile in registri folosite de browsere (search assistants, etc, cateva alte chestii utilizate in special de addwares). Quote Link to comment Share on other sites More sharing options...
-pK Posted January 17, 2009 Report Share Posted January 17, 2009 da numa shasa cai poti pune Quote Link to comment Share on other sites More sharing options...
