Start -> Run -> regedit
In the registry editor tree browse to:
HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion -> Run
Look in there for strange entries.
Also check RunOnce and RunOnceEx
Other pesky spy/trojan stuff gets even more integrated through (Internet) Explorer.
The integration of IE inside the Windows OS made it easier for viruses, trojans and spyware to infect the machine and stay infected.
For example, "ActiveDesktop" can be forced on and kept active through a registry entry named "ForceActiveDesktopOn" in:
HKEY_USERS\S-x-x-xx-xxxxxxx-xxxxxxx-xxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
(xxxx is random number)
That, in combination with other registry entries (like about:home manipulation, etc.), will make your OS a real spam system.
As you can see, the Windows registry is the most important thing to execute this stuff, so to remove trojans and stuff you must delete the executables but also fix the registry.
To check all this manually you must know your system very well or you're screwed.
A good thing to start with is to have the Task Manager open (Ctrl+Shift+Esc) to see if there are unknown processes. When you have no clue, compare the list with the list of an uninfected system. That way you can see which unknown exe's are running from c:\, c:\windows, or c:\windows\system32
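
The registry checks described above can be gathered in one read-only pass. This PowerShell script is an added example, not part of the original post; it assumes an elevated prompt, and it only sees user hives that are currently loaded under HKEY_USERS.

```powershell
# Added example: read-only listing of the autorun keys and the
# ForceActiveDesktopOn policy value named in the post. Changes nothing.
$base = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'

$autoruns = foreach ($leaf in 'Run', 'RunOnce', 'RunOnceEx') {
    $path = "$base\$leaf"
    if (-not (Test-Path -LiteralPath $path)) { continue }   # RunOnceEx is often absent

    # RunOnceEx keeps its commands in subkeys, so walk the key and its children.
    $keys = @(Get-Item -LiteralPath $path) +
            @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key     = $key.Name
                Name    = if ($name) { $name } else { '(Default)' }
                # Show the raw string so %VAR% tricks in the command stay visible.
                Command = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            }
        }
    }
}

# Check every loaded user hive (HKEY_USERS\<SID>) for the policy value.
$policy = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = Get-ItemProperty -LiteralPath $p -Name ForceActiveDesktopOn -ErrorAction SilentlyContinue
        if ($v) {
            [pscustomobject]@{
                Hive                 = $_.PSChildName
                ForceActiveDesktopOn = $v.ForceActiveDesktopOn
            }
        }
    }

'--- Autorun entries (compare against a known-clean system) ---'
$autoruns | Format-Table -AutoSize -Wrap
'--- User hives with ForceActiveDesktopOn set ---'
$policy | Format-Table -AutoSize
```

Saving the output from a clean machine gives a baseline to diff against later.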