Tuesday, June 9, 2009
Where Is The Trojan Or Virus
1. START-UP FOLDER. Windows opens every item in the Start Menu's Start Up folder. This folder is prominent in the Programs folder of the Start Menu.
Notice that I did not say that Windows "runs" every program that is represented in the Start Up folder. I said it "opens every item." There's an important difference.
Programs represented in the Start Up folder will run, of course. But you can have shortcuts in the Start Up folder that represent documents, not programs.
For example, if you put a Microsoft Word document in the Start Up folder, Word will run and automatically open that document at bootup; if you put a WAV file there, your audio software will play the music at bootup, and if you put a Web-page Favourite there, Internet Explorer (or your own choice of a browser) will run and open that Web page for you when the computer starts up. (The examples cited here could just as easily be shortcuts to a WAV file or a Word document, and so on.)
2. REGISTRY. Windows executes all instructions in the "Run" section of the Windows Registry. Items in the "Run" section (and in other parts of the Registry listed below) can be programs or files that programs open (documents), as explained in No. 1 above.
3. REGISTRY. Windows executes all instructions in the "RunServices" section of the Registry.
4. REGISTRY. Windows executes all instructions in the "RunOnce" part of the Registry.
5. REGISTRY. Windows executes instructions in the "RunServicesOnce" section of the Registry. (Windows uses the two "RunOnce" sections to run programs a single time only, usually on the next bootup after a program installation.)
7. REGISTRY. Windows executes instructions in the HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the Registry. Any command embedded here will run whenever any exe file is executed.
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
If these keys don't have the "\"%1\" %*" value as shown, and are changed to something like "\"somefilename.exe %1\" %*", then they are automatically invoking the specified file.
8. BATCH FILE. Windows executes all instructions in the Winstart batch file, located in the Windows folder. (This file is unknown to nearly all Windows users and most Windows experts, and might not exist on your system. You can easily create it, however. Note that some versions of Windows call the Windows folder the "WinNT" folder.) The full filename is WINSTART.BAT.
9. INITIALIZATION FILE. Windows executes instructions in the "RUN=" line in the WIN.INI file, located in the Windows (or WinNT) folder.
10. INITIALIZATION FILE. Windows executes instructions in the "LOAD=" line in the WIN.INI file, located in the Windows (or WinNT) folder.
It also runs things in shell= in System.ini or c:\Windows\system.ini:
[boot]
shell=explorer.exe C:\Windows\filename
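
The check described in item 7, as an added example that is not part of the original post: it parses the text of a registry export (.reg) and reports any of the listed shell\open\command keys whose default value is not "%1" %*. The sample export is constructed, and the function names are assumptions of this example.

```python
import re

# Baseline the post gives for these handlers: the default value is exactly "%1" %*
EXPECTED = '"%1" %*'
WATCHED = ("exefile", "comfile", "batfile", "htafile", "piffile")
ROOTS = ("HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE\\Software\\CLASSES")

KEY_RE = re.compile(r"^\[(.+)\]$")        # [HKEY_...\shell\open\command]
DEFAULT_RE = re.compile(r'^@="(.*)"$')    # @="..." is the key's default value


def unescape(raw):
    # .reg strings escape quotes and backslashes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", raw)


def watched_keys():
    # Registry key names are case-insensitive, so compare in lower case.
    return {f"{root}\\{cls}\\shell\\open\\command".lower()
            for root in ROOTS for cls in WATCHED}


def audit_reg_export(text):
    """Return (key, value) pairs whose default command differs from EXPECTED."""
    watched = watched_keys()
    findings, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = DEFAULT_RE.match(line)
        if m and current and current.lower() in watched:
            value = unescape(m.group(1))
            if value != EXPECTED:
                findings.append((current, value))
    return findings


# Constructed sample export: exefile has been changed, comfile is untouched.
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"somefilename.exe %1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, value in audit_reg_export(SAMPLE):
        print(f"MODIFIED {key}: {value}")
```

Exports saved by regedit in the "Windows Registry Editor Version 5.00" format are UTF-16, so decode the file before passing its text to audit_reg_export.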