Encrypting might be the way to go.
I actually gave this a try and my web page is still concealed. Give it a try. Type in my site here and try to view the sourcecode.
I tested this out myself. I even downloaded the HTML file and tried to open it in an HTML editor, but nothing shows up. The program I recommend using is HTML Cipher. It can disable right click if you wish also. This program has a lot of security features which may interest you. For my purposes, I want to allow the users to right click and copy, but they can't see the source code. You can disable both, so no one can copy the source or the contents, at least not in a simple fashion. I mean they could rewrite the whole web page themselves, but that would be crazy.
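Whatever such a tool calls it, the page still has to reach the browser as markup the browser can decode, and the reply later in this thread shows the usual form of that: the body wrapped in document.write(unescape("...")) with punctuation and whitespace percent-encoded. Below is an added example, not code from any poster here or from HTML Cipher, that builds a page that way from a constructed sample body (the encoder mimics the legacy escape() rule) and recovers the markup offline with the same decode step, which is the check to run before trusting any client-side "encryption".

```javascript
// Added example: build an "encrypted" page the way such tools do, then recover it.
// Nothing here is from the thread's posters or from HTML Cipher; the sample body
// and the wrapper layout are constructed for this demonstration.

// Percent-encode the way legacy escape() does: every character except
// A-Z a-z 0-9 @ * _ + - . / becomes %XX (Latin-1) or %uXXXX (other code units).
// This matches what the posted source shows: '<' -> %3C, '"' -> %22, CRLF -> %0D%0A.
function escapeLikeTool(html) {
  let out = "";
  for (let i = 0; i < html.length; i++) {
    const ch = html[i];
    const code = html.charCodeAt(i);
    if (/[A-Za-z0-9@*_+\-./]/.test(ch)) {
      out += ch;
    } else if (code < 256) {
      out += "%" + code.toString(16).toUpperCase().padStart(2, "0");
    } else {
      out += "%u" + code.toString(16).toUpperCase().padStart(4, "0");
    }
  }
  return out;
}

// Emit the wrapper such a tool produces: the real body survives only inside a
// string literal that the browser must decode and write back into the document.
function wrapPage(bodyHtml) {
  return [
    "<HTML><HEAD>",
    '<script type="text/javascript">',
    "<!--",
    'document.write(unescape("' + escapeLikeTool(bodyHtml) + '"));',
    "//-->",
    "</SCRIPT>",
    "</HEAD>",
    "<NOSCRIPT>You need to have JavaScript enabled in order to view this page correctly!</NOSCRIPT>",
    "</HTML>",
  ].join("\r\n");
}

// Inverse of escapeLikeTool, written out instead of calling the built-in
// unescape() so the rule is explicit: %uXXXX first, then %XX; anything
// malformed is left untouched, exactly as unescape() leaves it.
function decodeEscaped(s) {
  return s.replace(/%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})/g, (_m, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16))
  );
}

// Pull every document.write(unescape("...")) or ('...') literal out of a page's
// source. Line breaks inside a literal (as in a forum paste) are dropped, since
// a JavaScript string literal cannot contain a raw newline anyway.
function extractPayloads(source) {
  const re = /document\.write\s*\(\s*unescape\s*\(\s*(["'])([\s\S]*?)\1\s*\)\s*\)/g;
  const found = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    found.push(m[2].replace(/\r?\n/g, ""));
  }
  return found;
}

// Recover the readable markup from an "encrypted" page's source.
function recoverMarkup(source) {
  return extractPayloads(source).map(decodeEscaped).join("");
}

// Constructed sample body with a comment the author hoped would stay hidden.
const SAMPLE_BODY =
  '<body>\r\n<div class="title">Quick Guide</div>\r\n' +
  "<!-- constructed placeholder: contact me at webmaster@example.invalid -->\r\n" +
  "<p>It's \"hidden\" &amp; safe?</p>\r\n</body>";

const OBFUSCATED_PAGE = wrapPage(SAMPLE_BODY);

// What anyone holding the source gets after one decode step.
const RECOVERED = recoverMarkup(OBFUSCATED_PAGE);

// Checks worth running: the encoded form carries no '<', the decode round-trips,
// and it agrees with the browser's own unescape(). Note that letters, digits and
// "@ * _ + - . /" are never encoded, so words stay readable even before decoding.
function roundTripOk() {
  const enc = escapeLikeTool(SAMPLE_BODY);
  return !enc.includes("<") && decodeEscaped(enc) === SAMPLE_BODY &&
    unescape(enc) === SAMPLE_BODY;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(OBFUSCATED_PAGE);
  console.log("--- recovered ---");
  console.log(RECOVERED);
}
```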
HTML source code is always visible. I obtained this in under 10 seconds.
The code is not really encrypted; symbols and spaces are given their HTML equivalent.
<HTML>
<HEAD>
<!--@2005 Kevin's Resource Center - http://www.greyknight17.com-->
<META content="No-Cache" http-equiv="pragma"/>
<META content="True" name="MSSmartTagsPreventParsing"/>
<META content="No" http-equiv="ImageToolbar"/>
<META content="NoIndex" name="Robots"/>
<META content="StartDreck Tutorial, StartDreck Guide, StartDreck Analysis" name="Keywords"/>
<META
content="This tutorial will be discussing what each of the sections mean in a StartDreck log and how to handle ones that needs fixing." name="Description"/>
<META content="blendTrans(Duration=1)" http-equiv="Page-Enter"/>
<LINK href="http://www.greyknight17.com/favicon.ico" rel="SHORTCUT ICON"/>
<LINK href="./krc.css" type="text/css" rel="stylesheet"/>
<TITLE>
KRC StartDreck Quick Guide </TITLE>
<script src="./navigation/sniffer.js" language="javascript" type="text/javascript"/>
<script src="./navigation/custom.js" language="javascript1.2" type="text/javascript"/>
<script src="./navigation/style.js" language="javascript1.2" type="text/javascript"/>
<STYLE type="text/css">
<!--.mTD,.mTD A:Link,.mTD A:Visited {color:#990033}.mTD,.mTD A {white-space:nowrap;color:#990033;font-weight:normal;}.mTD,.mTD A:Active,.mTD A:Link,.mTD A:Visited,.mTD A:Hover{font-weight:normal;font-size:10px;font-family:arial,sans-serif;text-decoration:none;position:relative;}.SUBmTD,.SUBmTD A {white-space:nowrap;color:#3333aa;font-weight:normal;}.SUBmTD,.SUBmTD A:Link,.SUBmTD A:Visited {color:#3333aa}.SUBmTD,.SUBmTD A:Active,.SUBmTD A:Link,.SUBmTD A:Visited,.SUBmTD A:Hover{font-weight:normal;font-size:10px;font-family:comic sans ms,arial,sans-serif;text-decoration:none;}//--> </STYLE>
<STYLE media="print" type="text/css">
.printhide {display:none;} </STYLE>
<script type="text/javascript">
<!--
document.write(unescape("%3Cbody%3E%0D%0A%3Cdiv class%3D%22DARK_BLUE_TITLE%22%3EKRC StartDreck Quick Guide%3C/div%3E%0D%0A%3Cdiv%3E %0D%0A %3Cdiv align%3D%22center%22%3E%0D%0A %3Cp%3E%26nbsp%3B%3C/p%3E%0D%0A %3Cp%3E%26nbsp%3B %3C/p%3E%0D%0A%3C/div%3E%0D%0A%3C/div%3E%0D%0A%3Cp%3E%3Cstrong%3E%3Cem%3EDate Created%3A May 29%2C 2005%3C/em%3E%3C/strong%3E%3C/p%3E%0D%0A%3Cp%3EHere is a quick guide on analyzing StartDreck logs. I will try to break it down and list what each section %0D%0A is for. No expert here myself%2C so if I make a mistake%2C feel free to contact %0D%0A me and I will correct it. You should be able to read these logs with more comfort %0D%0A once you see how it%27s broken down. Quite simple when seen as smaller parts. %0D%0A %3A-%29 %3C/p%3E%0D%0A%3Cp%3EThe log I%27m using is %3Cstrong%3Enot%3C/strong%3E the full log with %3Cstrong%3Eeverything %0D%0A %3C/strong%3Echecked in the configurations. If everything was checked%2C the log itself %0D%0A can be quite large%2C especially if the user is using a modified hosts file. So %0D%0A keep that in mind. It should cover most of the entries here nevertheless since %0D%0A they have headings for everything here. You just won%27t see the actual entries.%3C/p%3E%0D%0A%3Cp%3EThis log is usually requested by analysts if they want to take a deeper look %0D%0A and HijackThis is coming up clean. 
The speech that is used by me will list most %0D%0A of the sections except for mainly the NT Services and the Process Modules since %0D%0A they can take up quite a lot of space.%3C/p%3E%0D%0A%3Cp%3E%3Cstrong%3ECanned Speech%3A%3C/strong%3E%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3EDownload StartDreck http%3A//www.greyknight17.com/spy/StartDreck.zip%3Cbr%3E%0D%0A %3Cbr%3E%0D%0A Unzip to its own folder and start the program%3A%3Cbr%3E%0D%0A Press %27Config%27%3Cbr%3E%0D%0A Press %27mark all%27%3Cbr%3E%0D%0A %3Cbr%3E%0D%0A Uncheck the following boxes only%3A%3Cbr%3E%0D%0A System/Running Process -%26gt%3B List Modules%3Cbr%3E%0D%0A System/Drivers -%26gt%3B NT Services%3Cbr%3E%0D%0A System/Drivers -%26gt%3B NT Kernel- and FS-drivers%3Cbr%3E%0D%0A Press %27OK%27%3Cbr%3E%0D%0A %3Cbr%3E%0D%0A Press %27Save%27 and select the location to save the log file %28default is the same %0D%0A folder as the application%29%3Cbr%3E%0D%0A %3Cbr%3E%0D%0A Post the log in this thread.%3C/font%3E%3C/p%3E%0D%0A%3Cp%3E%3Cstrong%3EHeader Information%3A%3C/strong%3E%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cspan title%3D%22StartDreck version and the time this log was created.%22%3E%3Cfont size%3D%22-1%22%3EStartDreck %0D%0A %28build 2.1.7 public stable%29 - 2005-04-03 @ 23%3A33%3A12 %28GMT -04%3A00%29%3C/font%3E%3C/span%3E%3Cfont size%3D%22-1%22%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Windows version and any Service Packs that are installed.%22%3EPlatform%3A %0D%0A Windows XP %28Win NT 5.1.2600 Service Pack 1%29%3C/span%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Internet Explorer version and any updates it has.%22%3EInternet Explorer%3A %0D%0A 6.0.2800.1106%3C/span%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Name of the user and computer %28in this case%2C they are edited out here%29.%22%3ELogged %0D%0A in as some_username at some_computername%3C/span%3E%3C/font%3E%3C/p%3E%0D%0A%3Cp%3E%3Cfont size%3D%22-1%22%3EThe header information should be self-explanatory. 
If more %0D%0A details are needed%2C just hover your mouse over each line.%3C/font%3E%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E %3Cspan title%3D%22The Registry %3A-%29%22%3E%3Cstrong%3E%26raquo%3BRegistry%3C/strong%3E%3C/span%3E%3Cstrong%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Programs that run at startup.%22%3E%26raquo%3BRun Keys%3C/span%3E%3C/strong%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Run keys for the current user.%22%3E%26raquo%3BCurrent User%3C/span%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Programs that run on every startup for the current user.%22 href%3D%22%22%3E%26raquo%3BRun%3Cbr%3E%0D%0A *MSMSGS%3D%26quot%3BC%3A%5CProgram Files%5CMessenger%5Cmsmsgs.exe%26quot%3B /background%3Cbr%3E%0D%0A *SpySweeper%3D%26quot%3BC%3A%5CProgram Files%5CWebRoot%5CSpy Sweeper%5CSpySweeper.exe%26quot%3B %0D%0A /0%3C/span%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Programs that only runs once after a reboot for the current user.%22%3E%26raquo%3BRunOnce%3C/span%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Run keys for the Default User.%22%3E%26raquo%3BDefault User%3C/span%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Programs that run on every startup for the default user.%22%3E%26raquo%3BRun%3Cbr%3E%0D%0A *Symantec NetDriver Warning%3DC%3A%5CPROGRA%7E1%5CSYMNET%7E1%5CSNDWarn.exe%3C/span%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Programs that runs only once after a reboot for the default user.%22%3E%26raquo%3BRunOnce%3Cbr%3E%0D%0A *SRUUninstall%3D%26quot%3BC%3A%5CWINDOWS%5CSystem32%5Cmsiexec.exe%26quot%3B /L*v C%3A%5CWINDOWS%5CTEMP%5CSND532unin.txt %0D%0A /x %7B6AF90EF6-F7F9-466C-99F4-1774826FBB40%7D /qn REBOOT%3DReallySuppress%3C/span%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Run keys for all users.%22%3E%26raquo%3BLocal Machine%3C/span%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Programs that run on every startup for all users.%22%3E%26raquo%3BRun%3Cbr%3E%0D%0A *WorksFUD%3DC%3A%5CProgram Files%5CMicrosoft Works%5Cwkfud.exe%3Cbr%3E%0D%0A *Microsoft Works Portfolio%3DC%3A%5CProgram Files%5CMicrosoft 
Works%5CWksSb.exe /AllUsers%3Cbr%3E%0D%0A *Microsoft Works Update Detection%3DC%3A%5CProgram Files%5CCommon Files%5CMicrosoft Shared%5CWorks %0D%0A Shared%5CWkUFind.exe%3Cbr%3E%0D%0A *Camera Detector%3DC%3A%5CPROGRA%7E1%5CACDSYS%7E1%5CDEVDET%7E1%5CDEVDET%7E1.EXE -autorun%3Cbr%3E%0D%0A *NvCplDaemon%3DRUNDLL32.EXE NvQTwk%2CNvCplDaemon initialize%3Cbr%3E%0D%0A *Apoint%3DC%3A%5CProgram Files%5CApoint%5CApoint.exe%3Cbr%3E%0D%0A *DadApp%3DC%3A%5CProgram Files%5CDell%5CAccessDirect%5Cdadapp.exe%3Cbr%3E%0D%0A *QuickTime Task%3D%26quot%3BC%3A%5CProgram Files%5CQuickTime%5Cqttask.exe%26quot%3B -atboottime%3Cbr%3E%0D%0A *DIGStream%3DC%3A%5CProgram Files%5CDIGStream%5Cdigstream.exe%3Cbr%3E%0D%0A *iTunesHelper%3DC%3A%5CProgram Files%5CiTunes%5CiTunesHelper.exe%3Cbr%3E%0D%0A *SSC_UserPrompt%3DC%3A%5CProgram Files%5CCommon Files%5CSymantec Shared%5CSecurity Center%5CUsrPrmpt.exe%3Cbr%3E%0D%0A *IntelliPoint%3D%26quot%3BC%3A%5CProgram Files%5CMicrosoft IntelliPoint%5Cpoint32.exe%26quot%3B%3Cbr%3E%0D%0A *gcasServ%3D%26quot%3BC%3A%5CProgram Files%5CMicrosoft AntiSpyware%5CgcasServ.exe%26quot%3B%3C/span%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Not sure what these are%2C but if you know%2C email me.%22%3E+OptionalComponents%3Cbr%3E%0D%0A +MSFS%3Cbr%3E%0D%0A *Installed%3D1%3Cbr%3E%0D%0A +MAPI%3Cbr%3E%0D%0A *Installed%3D1%3Cbr%3E%0D%0A *NoChange%3D1%3Cbr%3E%0D%0A +MAPI%3Cbr%3E%0D%0A *Installed%3D1%3Cbr%3E%0D%0A *NoChange%3D1%3C/span%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Programs that runs only once after a reboot for all users.%22%3E%26raquo%3BRunOnce%3C/span%3E%3Cbr%3E%0D%0A %3Cspan title%3D%22Program services that run at startup%3F%22%3E%26raquo%3BRunServices%3Cbr%3E%0D%0A %26raquo%3BRunServicesOnce%3Cbr%3E%0D%0A %26raquo%3BRunOnceEx%3Cbr%3E%0D%0A %26raquo%3BRunServicesOnceEx%3C/span%3E%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EThe above are just the programs that run at startup. Hover over the corresponding %0D%0A entries for a little more detail. 
Malware programs may be found here.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BFile Associations %28CR%29%3C/strong%3E%3Cbr%3E%0D%0A +.bat%3Cbr%3E%0D%0A *batfile%3D%26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A +.com%3Cbr%3E%0D%0A *comfile%3D%26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A +.disabled%3Cbr%3E%0D%0A *SpybotSD.DisabledFile%3D%26quot%3BC%3A%5CProgram Files%5CSpybot - Search %26amp%3B Destroy%5Cblindman.exe%26quot%3B %0D%0A %26quot%3B%251%26quot%3B%3Cbr%3E%0D%0A +.exe%3Cbr%3E%0D%0A *exefile%3D%26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A +.hta%3Cbr%3E%0D%0A *htafile%3DC%3A%5CWINDOWS%5CSystem32%5Cmshta.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A +.htm%3Cbr%3E%0D%0A *FirefoxHTML%3DC%3A%5CPROGRA%7E1%5CMOZILL%7E1%5CFIREFOX.EXE -url %26quot%3B%251%26quot%3B%3Cbr%3E%0D%0A +.html%3Cbr%3E%0D%0A *FirefoxHTML%3DC%3A%5CPROGRA%7E1%5CMOZILL%7E1%5CFIREFOX.EXE -url %26quot%3B%251%26quot%3B%3Cbr%3E%0D%0A +.js%3Cbr%3E%0D%0A *JSFile%3D%25SystemRoot%25%5CSystem32%5CWScript.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A +.jse%3Cbr%3E%0D%0A *JSEFile%3D%25SystemRoot%25%5CSystem32%5CWScript.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A +.pif%3Cbr%3E%0D%0A *piffile%3D%26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A +.reg%3Cbr%3E%0D%0A *regfile%3Dregedit.exe %26quot%3B%251%26quot%3B%3Cbr%3E%0D%0A +.scr%3Cbr%3E%0D%0A *scrfile%3D%26quot%3B%251%26quot%3B /S%3Cbr%3E%0D%0A +.txt%3Cbr%3E%0D%0A *txtfile%3D%25SystemRoot%25%5Csystem32%5CNOTEPAD.EXE %251%3Cbr%3E%0D%0A +.vbs%3Cbr%3E%0D%0A *VBSFile%3D%25SystemRoot%25%5CSystem32%5CWScript.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A +.vbe%3Cbr%3E%0D%0A *VBEFile%3D%25SystemRoot%25%5CSystem32%5CWScript.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A +.wsh%3Cbr%3E%0D%0A *WSHFile%3D%25SystemRoot%25%5CSystem32%5CWScript.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A +.wsf%3Cbr%3E%0D%0A *WSFFile%3D%25SystemRoot%25%5CSystem32%5CWScript.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A 
+.lnk%3Cbr%3E%0D%0A %60lnkfile%3D %5Bkey or value does not exist%5D%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EAs far as I know%2C just some file extensions. I don%27t recall seeing any harmful %0D%0A entries showing in this section.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BActive Setup %28LM%29%3C/strong%3E%3Cbr%3E%0D%0A +Windows Media Player/%26gt%3B%7B22d6f312-b0f6-11d0-94ab-0080c74c7e95%7D%3Cbr%3E%0D%0A *StubPath%3DC%3A%5CWINDOWS%5Cinf%5Cunregmp2.exe /ShowWMP%3Cbr%3E%0D%0A +Internet Explorer/%26gt%3B%7B26923b43-4d38-484f-9b9e-de460746276c%7D%3Cbr%3E%0D%0A *StubPath%3D%25systemroot%25%5Csystem32%5Cshmgrate.exe OCInstallUserConfigIE%3Cbr%3E%0D%0A +Browser Customizations/%26gt%3B%7B60B49E34-C7CC-11D0-8953-00A0C90347FF%7DMICROS%3Cbr%3E%0D%0A *StubPath%3DRunDLL32 IEDKCS32.DLL%2CBrandIE4 SIGNUP%3Cbr%3E%0D%0A +Outlook Express/%26gt%3B%7B881dd1c5-3dcf-431b-b061-f3f88e8be88a%7D%3Cbr%3E%0D%0A *StubPath%3D%25systemroot%25%5Csystem32%5Cshmgrate.exe OCInstallUserConfigOE%3Cbr%3E%0D%0A +Microsoft Windows Media Player 6.4/%7B22d6f312-b0f6-11d0-94ab-0080c74c7e95%7D%3Cbr%3E%0D%0A *StubPath%3Drundll32.exe advpack.dll%2CLaunchINFSection C%3A%5CWINDOWS%5CINF%5Cmswmp.inf%2CPerUserStub%3Cbr%3E%0D%0A +Themes Setup/%7B2C7339CF-2B09-4501-B3F3-F3508C9228ED%7D%3Cbr%3E%0D%0A *StubPath%3D%25SystemRoot%25%5Csystem32%5Cregsvr32.exe /s /n /i%3A/UserInstall %25SystemRoot%25%5Csystem32%5Cthemeui.dll%3Cbr%3E%0D%0A +Microsoft Outlook Express 6/%7B44BBA840-CC51-11CF-AAFA-00AA00B6015C%7D%3Cbr%3E%0D%0A *StubPath%3D%26quot%3B%25ProgramFiles%25%5COutlook Express%5Csetup50.exe%26quot%3B /APP%3AOE /CALLER%3AWINNT %0D%0A /user /install%3Cbr%3E%0D%0A +NetMeeting 3.01/%7B44BBA842-CC51-11CF-AAFA-00AA00B6015B%7D%3Cbr%3E%0D%0A *StubPath%3Drundll32.exe advpack.dll%2CLaunchINFSection C%3A%5CWINDOWS%5CINF%5Cmsnetmtg.inf%2CNetMtg.Install.PerUser.NT%3Cbr%3E%0D%0A +Windows Messenger/%7B5945c046-1e7d-11d1-bc44-00c04fd912be%7D%3Cbr%3E%0D%0A *StubPath%3Drundll32.exe 
advpack.dll%2CLaunchINFSection C%3A%5CWINDOWS%5CINF%5Cmsmsgs.inf%2CBLC.Install.PerUser%3Cbr%3E%0D%0A +Microsoft Windows Media Player/%7B6BF52A52-394A-11d3-B153-00C04F79FAA6%7D%3Cbr%3E%0D%0A *StubPath%3Drundll32.exe advpack.dll%2CLaunchINFSection C%3A%5CWINDOWS%5CINF%5Cwmp10.inf%2CPerUserStub%3Cbr%3E%0D%0A +Address Book 6/%7B7790769C-0471-11d2-AF11-00C04FA35D02%7D%3Cbr%3E%0D%0A *StubPath%3D%26quot%3B%25ProgramFiles%25%5COutlook Express%5Csetup50.exe%26quot%3B /APP%3AWAB /CALLER%3AWINNT %0D%0A /user /install%3Cbr%3E%0D%0A +Windows Desktop Update/%7B89820200-ECBD-11cf-8B85-00AA005B4340%7D%3Cbr%3E%0D%0A *StubPath%3Dregsvr32.exe /s /n /i%3AU shell32.dll%3Cbr%3E%0D%0A +Internet Explorer 6/%7B89820200-ECBD-11cf-8B85-00AA005B4383%7D%3Cbr%3E%0D%0A *StubPath%3D%25SystemRoot%25%5Csystem32%5Cie4uinit.exe%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EQuote from Microsoft%3A %22The Active Setup Control allows .cab files to be downloaded to a user%27s computer as part of the installation process for software updates.%22 I remember seeing one entry here that%27s bad. I think it%27s MarketPlace.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BBrowser Helper Objects %28LM%29%3C/strong%3E%3Cbr%3E%0D%0A *AcroIEHelper.AcroIEHlprObj.1/%7B06849E9F-C8D7-4D59-B87D-784B7D6BE0B3%7D%3Cbr%3E%0D%0A %60InprocServer32%3DC%3A%5CProgram Files%5CAdobe%5CAcrobat 6.0%5CReader%5CActiveX%5CAcroIEHelper.dll%3Cbr%3E%0D%0A *Google Toolbar Helper/%7BAA58ED58-01DD-4d91-8333-CF10577473F7%7D%3Cbr%3E%0D%0A %60InprocServer32%3Dc%3A%5Cprogram files%5Cgoogle%5Cgoogletoolbar2.dll%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EThe Browser Helper Objects %28BHO%29 are the toolbars or icons that you see in %0D%0A Internet Explorer. Many spyware programs use this to their advantage and install %0D%0A some kind of search bar there without the user%27s consent in a lot of cases. 
%0D%0A So if any bad BHO%27s are found here%2C you may delete the entry using StartDreck.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BInternet Explorer%3C/strong%3E%3Cbr%3E%0D%0A %26raquo%3BCurrent User%3Cbr%3E%0D%0A *Local Page%3DC%3A%5CWINDOWS%5CSystem32%5Cblank.htm%3Cbr%3E%0D%0A *Search Bar%3Dhttp%3A//home.microsoft.com/search/lobby/search.asp%3Cbr%3E%0D%0A *Search Page%3Dwww.google.com%3Cbr%3E%0D%0A *Start Page%3Dwww.gmail.com%3Cbr%3E%0D%0A +SearchUrl%3Cbr%3E%0D%0A *provider%3D%3Cbr%3E%0D%0A *%3Dwww.google.com%3Cbr%3E%0D%0A %26raquo%3BDefault User%3Cbr%3E%0D%0A %26raquo%3BLocal Machine%3Cbr%3E%0D%0A *Default_Page_URL%3Dhttp%3A//www.google.com%3Cbr%3E%0D%0A *Local Page%3DC%3A%5CWINDOWS%5CSystem32%5Cblank.htm%3Cbr%3E%0D%0A *Search Bar%3Dhttp%3A//home.microsoft.com/search/lobby/search.asp%3Cbr%3E%0D%0A *Search Page%3Dwww.google.com%3Cbr%3E%0D%0A *Start Page%3Dhttp%3A//www.google.com%3Cbr%3E%0D%0A *CustomizeSearch%3Dhttp%3A//ie.search.msn.com/%7BSUB_RFC1766%7D/srchasst/srchcust.htm%3Cbr%3E%0D%0A *SearchAssistant%3Dhttp%3A//ie.search.msn.com/%7BSUB_RFC1766%7D/srchasst/srchasst.htm%3Cbr%3E%0D%0A +SearchUrl%3Cbr%3E%0D%0A *%3Dwww.google.com%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EThese are the settings in Internet Explorer. Mostly what we look for is the %0D%0A hijackings for the homepage. If there is a homepage hijack%2C you should be able %0D%0A to recognize it. 
The above entries are all valid.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BShellServiceObjectDelayLoad %0D%0A %28LM%29%3C/strong%3E%3Cbr%3E%0D%0A *PostBootReminder%3D%7B7849596a-48ea-486e-8937-a2a3009f31a9%7D%3Cbr%3E%0D%0A %60InprocServer32%3D%25SystemRoot%25%5Csystem32%5CSHELL32.dll%3Cbr%3E%0D%0A *CDBurn%3D%7Bfbeb8a05-beee-4442-804e-409d6c4515e9%7D%3Cbr%3E%0D%0A %60InprocServer32%3D%25SystemRoot%25%5Csystem32%5CSHELL32.dll%3Cbr%3E%0D%0A *WebCheck%3D%7BE6FB5E20-DE35-11CF-9C87-00AA005127ED%7D%3Cbr%3E%0D%0A %60InprocServer32%3D%25SystemRoot%25%5CSystem32%5Cwebcheck.dll%3Cbr%3E%0D%0A *SysTray%3D%7B35CEC8A3-2BE6-11D2-8773-92E220524153%7D%3Cbr%3E%0D%0A %60InprocServer32%3DC%3A%5CWINDOWS%5CSystem32%5Cstobject.dll%3C/font%3E%3C/p%3E%0D%0A%3Cp%3ENot exactly sure what the above is for. If anyone has information on these%2C %0D%0A you may email me and I will update it.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BSpecial NT Values%3C/strong%3E%3Cbr%3E%0D%0A %26raquo%3BCurrent User%3Cbr%3E%0D%0A *Load%3D%3Cbr%3E%0D%0A *Run%3D%3Cbr%3E%0D%0A *Programs%3Dcom exe bat pif cmd%3Cbr%3E%0D%0A *SHELL%3D%3Cbr%3E%0D%0A %26raquo%3BDefault User%3Cbr%3E%0D%0A *Load%3D%3Cbr%3E%0D%0A *Run%3D%3Cbr%3E%0D%0A *Programs%3Dcom exe bat pif cmd%3Cbr%3E%0D%0A *SHELL%3D%3Cbr%3E%0D%0A %26raquo%3BLocal Machine%3Cbr%3E%0D%0A *AppInit_DLLs%3D%3Cbr%3E%0D%0A %3Cspan class%3D%22HighlightTextRed%22%3E*SHELL%3DExplorer.exe%3C/span%3E%3Cbr%3E%0D%0A %3Cspan class%3D%22HighlightTextGreen%22%3E*Userinit%3DC%3A%5CWINDOWS%5Csystem32%5Cuserinit.exe%2C%3C/span%3E%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EIf I%27m correct%2C these are the programs that load up when Windows starts. Mostly %0D%0A not important%2C except for one entry %28maybe two%29 up there. The SHELL entry is %0D%0A what you see %28the desktop%2C icons%2C start menu%2C and everything else%29 when you %0D%0A login. 
I forgot which one %28maybe both entries highlighted there%29%2C but a possible %0D%0A trojan can also make itself load up here. An example could be something like %0D%0A %3Cfont size%3D%22-1%22%3E%3Cstrong%3E*Userinit%3DC%3A%5CWINDOWS%5Csystem32%5Cuserinit.exe%2C msmsgs.exe%3C/strong%3E%3C/font%3E%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BFiles%3Cbr%3E%0D%0A %26raquo%3BAutostart Folders%3C/strong%3E%3Cbr%3E%0D%0A %26raquo%3BCurrent User%3Cbr%3E%0D%0A *C%3A%5CDocuments and Settings%5Csome_username%5CStart Menu%5CPrograms%5CStartup%5Cdesktop.ini%3Cbr%3E%0D%0A *C%3A%5CDocuments and Settings%5Csome_username%5CStart Menu%5CPrograms%5CStartup%5COpenOffice.org %0D%0A 1.1.1.lnk%3Cbr%3E%0D%0A %26raquo%3BDefault User%3Cbr%3E%0D%0A *C%3A%5CWINDOWS%5Csystem32%5Cconfig%5Csystemprofile%5CStart Menu%5CPrograms%5CStartup%5Cdesktop.ini%3Cbr%3E%0D%0A %26raquo%3BLocal Machine%3Cbr%3E%0D%0A *C%3A%5CDocuments and Settings%5CAll Users%5CStart Menu%5CPrograms%5CStartup%5Cdesktop.ini%3Cbr%3E%0D%0A *C%3A%5CDocuments and Settings%5CAll Users%5CStart Menu%5CPrograms%5CStartup%5CInterVideo %0D%0A WinCinema Manager.lnk%3Cbr%3E%0D%0A *C%3A%5CDocuments and Settings%5CAll Users%5CStart Menu%5CPrograms%5CStartup%5CMicrosoft Office.lnk%3Cbr%3E%0D%0A *C%3A%5CDocuments and Settings%5CAll Users%5CStart Menu%5CPrograms%5CStartup%5CMicrosoft Works %0D%0A Calendar Reminders.lnk%3C/font%3E%3C/p%3E%0D%0A%3Cp%3ERelated to startup programs%2C but this is for other files. I think the LNK files %0D%0A trigger the actual EXE files to launch at startup. 
If someone can confirm this%2C %0D%0A that would be great.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BINI-Files%3C/strong%3E%3Cbr%3E%0D%0A %26raquo%3BWIN.INI%5C%5Bwindows%5D%3Cbr%3E%0D%0A *LOAD%3D%3Cbr%3E%0D%0A *RUN%3D%3Cbr%3E%0D%0A %26raquo%3BSYSTEM.INI%5C%5Bboot%5D%3Cbr%3E%0D%0A *SHELL%3DExplorer.exe%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EThese files are used by some programs to store their information like program %0D%0A names%2C registration information%2C etc. Nothing much interesting here%2C unless %0D%0A you see an entry for a bad file.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BText Files%3C/strong%3E%3Cbr%3E%0D%0A *C%3A%5Cboot.ini%3Cbr%3E%0D%0A %60%5Bboot loader%5D%3Cbr%3E%0D%0A %60timeout%3D30%3Cbr%3E%0D%0A %60default%3Dmulti%280%29disk%280%29rdisk%280%29partition%281%29%5CWINDOWS%3Cbr%3E%0D%0A %60%5Boperating systems%5D%3Cbr%3E%0D%0A %60multi%280%29disk%280%29rdisk%280%29partition%281%29%5CWINDOWS%3D%26quot%3BMicrosoft Windows XP Home %0D%0A Edition%26quot%3B /fastdetect%3Cbr%3E%0D%0A *C%3A%5Cmsdos.sys%3Cbr%3E%0D%0A *C%3A%5Cconfig.sys%3Cbr%3E%0D%0A *C%3A%5CWINDOWS%5CSystem32%5Cconfig.nt%3Cbr%3E%0D%0A %60dos%3Dhigh%2C umb%3Cbr%3E%0D%0A %60device%3D%25SystemRoot%25%5Csystem32%5Chimem.sys%3Cbr%3E%0D%0A %60files%3D40%3Cbr%3E%0D%0A *C%3A%5Cautoexec.bat%3Cbr%3E%0D%0A *C%3A%5CWINDOWS%5CSystem32%5Cautoexec.nt%3Cbr%3E%0D%0A %60@echo off%3Cbr%3E%0D%0A %60lh %25SystemRoot%25%5Csystem32%5Cmscdexnt.exe%3Cbr%3E%0D%0A %60lh %25SystemRoot%25%5Csystem32%5Credir%3Cbr%3E%0D%0A %60lh %25SystemRoot%25%5Csystem32%5Cdosx%3Cbr%3E%0D%0A %60SET BLASTER%3DA220 I5 D1 P330 T3%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EShows various system configuration files. 
Nothing much here.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BProgram Files%3C/strong%3E%3Cbr%3E%0D%0A *C%3A%5Cntldr%3Cbr%3E%0D%0A *C%3A%5Cntdetect.com%3Cbr%3E%0D%0A *C%3A%5Cio.sys%3Cbr%3E%0D%0A *C%3A%5CWINDOWS%5CSystem32%5Cwin.com%3Cbr%3E%0D%0A *C%3A%5CWINDOWS%5Cexplorer.exe%3Cbr%3E%0D%0A %26raquo%3B%25PATH%25 Companion Files%3Cbr%3E%0D%0A +C%3A%5CWINDOWS%5CSystem32%5Cnotepad.exe%3Cbr%3E%0D%0A *C%3A%5CWINDOWS%5CNOTEPAD.EXE%3Cbr%3E%0D%0A +C%3A%5CWINDOWS%5CSystem32%5Ctaskman.exe%3Cbr%3E%0D%0A *C%3A%5CWINDOWS%5CTASKMAN.EXE%3Cbr%3E%0D%0A +C%3A%5CWINDOWS%5CSystem32%5Cwinhlp32.exe%3Cbr%3E%0D%0A *C%3A%5CWINDOWS%5Cwinhlp32.exe%3C/font%3E%3C/p%3E%0D%0A%3Cp%3ENot really sure what these are. I mean%2C I know what they are%2C but don%27t know %0D%0A why it%27s being detected and put under the Program Files section. Any help on %0D%0A this would be appreciated.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E %3Cstrong%3E%26raquo%3BRunning Processes%3C/strong%3E%3Cbr%3E%0D%0A +0%3D%26lt%3Bidle%26gt%3B%3Cbr%3E%0D%0A +4%3D%26lt%3Bsystem%26gt%3B%3Cbr%3E%0D%0A +492%3D%5CSystemRoot%5CSystem32%5Csmss.exe%3Cbr%3E%0D%0A +552%3D%5C%3F%3F%5CC%3A%5CWINDOWS%5Csystem32%5Ccsrss.exe%3Cbr%3E%0D%0A +576%3D%5C%3F%3F%5CC%3A%5CWINDOWS%5Csystem32%5Cwinlogon.exe%3Cbr%3E%0D%0A +620%3DC%3A%5CWINDOWS%5Csystem32%5Cservices.exe%3Cbr%3E%0D%0A +632%3DC%3A%5CWINDOWS%5Csystem32%5Clsass.exe%3Cbr%3E%0D%0A +796%3DC%3A%5CWINDOWS%5Csystem32%5Csvchost.exe%3Cbr%3E%0D%0A +820%3DC%3A%5CWINDOWS%5CSystem32%5Csvchost.exe%3Cbr%3E%0D%0A +932%3DC%3A%5CWINDOWS%5CSystem32%5Csvchost.exe%3Cbr%3E%0D%0A +992%3DC%3A%5CWINDOWS%5CSystem32%5Csvchost.exe%3Cbr%3E%0D%0A +1156%3DC%3A%5CWINDOWS%5Csystem32%5Cspoolsv.exe%3Cbr%3E%0D%0A +1256%3DC%3A%5CPROGRA%7E1%5CSYMANT%7E1%5CSYMANT%7E1%5CDefWatch.exe%3Cbr%3E%0D%0A +1312%3DC%3A%5CPROGRA%7E1%5CSYMANT%7E1%5CSYMANT%7E1%5CRtvscan.exe%3Cbr%3E%0D%0A +1336%3DC%3A%5CWINDOWS%5CSystem32%5Cnvsvc32.exe%3Cbr%3E%0D%0A 
+1392%3DC%3A%5CWINDOWS%5CSystem32%5Cwdfmgr.exe%3Cbr%3E%0D%0A +1936%3DC%3A%5CWINDOWS%5CExplorer.EXE%3Cbr%3E%0D%0A +192%3DC%3A%5CProgram Files%5CCommon Files%5CMicrosoft Shared%5CWorks Shared%5CWkUFind.exe%3Cbr%3E%0D%0A +200%3DC%3A%5CPROGRA%7E1%5CACDSYS%7E1%5CDEVDET%7E1%5CDEVDET%7E1.EXE%3Cbr%3E%0D%0A +184%3DC%3A%5CWINDOWS%5CSystem32%5CRUNDLL32.EXE%3Cbr%3E%0D%0A +240%3DC%3A%5CProgram Files%5CDell%5CAccessDirect%5Cdadapp.exe%3Cbr%3E%0D%0A +252%3DC%3A%5CProgram Files%5CQuickTime%5Cqttask.exe%3Cbr%3E%0D%0A +296%3DC%3A%5CProgram Files%5CDIGStream%5Cdigstream.exe%3Cbr%3E%0D%0A +304%3DC%3A%5CProgram Files%5CiTunes%5CiTunesHelper.exe%3Cbr%3E%0D%0A +332%3DC%3A%5CProgram Files%5CMicrosoft IntelliPoint%5Cpoint32.exe%3Cbr%3E%0D%0A +340%3DC%3A%5CProgram Files%5CMicrosoft AntiSpyware%5CgcasServ.exe%3Cbr%3E%0D%0A +348%3DC%3A%5CProgram Files%5CDell%5CAccessDirect%5CDadTray.exe%3Cbr%3E%0D%0A +372%3DC%3A%5CProgram Files%5CMessenger%5Cmsmsgs.exe%3Cbr%3E%0D%0A +384%3DC%3A%5CProgram Files%5CWebRoot%5CSpy Sweeper%5CSpySweeper.exe%3Cbr%3E%0D%0A +536%3DC%3A%5CProgram Files%5CInterVideo%5CCommon%5CBin%5CWinCinemaMgr.exe%3Cbr%3E%0D%0A +636%3DC%3A%5CProgram Files%5CiPod%5Cbin%5CiPodService.exe%3Cbr%3E%0D%0A +896%3DC%3A%5CProgram Files%5CCommon Files%5CMicrosoft Shared%5CWorks Shared%5Cwkcalrem.exe%3Cbr%3E%0D%0A +1008%3DC%3A%5CProgram Files%5COpenOffice.org1.1.1%5Cprogram%5Csoffice.exe%3Cbr%3E%0D%0A +1600%3DC%3A%5CProgram Files%5CMicrosoft AntiSpyware%5CgcasDtServ.exe%3Cbr%3E%0D%0A +1768%3DC%3A%5CWINDOWS%5Csystem32%5CNOTEPAD.EXE%3Cbr%3E%0D%0A +1184%3DC%3A%5CHJT%5CHijackThis.exe%3Cbr%3E%0D%0A +2288%3DC%3A%5CHJT%5CHijackThis.exe%3Cbr%3E%0D%0A +2484%3DC%3A%5CWINDOWS%5CSystem32%5Cwuauclt.exe%3Cbr%3E%0D%0A +2644%3DC%3A%5CWINDOWS%5Csystem32%5CNOTEPAD.EXE%3Cbr%3E%0D%0A +4076%3DC%3A%5CWINDOWS%5Csystem32%5CNOTEPAD.EXE%3Cbr%3E%0D%0A +1296%3DC%3A%5CProgram Files%5CMozilla Firefox%5Cfirefox.exe%3Cbr%3E%0D%0A +3192%3DC%3A%5CDocuments and 
Settings%5Csome_username%5CDesktop%5Cstartdreck%5CStartDreck%5CStartDreck.exe%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EPhew. Finally%2C an easy one. This is a list of processes that are currently %0D%0A running.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%26raquo%3BVMM32Files %28LM%29%3Cbr%3E%0D%0A %26raquo%3B%25System%25%5CVMM32%3Cbr%3E%0D%0A %26raquo%3B%25System%25%5CIOSUBSYS%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EStuck again. Anyone with information on the above may email me with any information %0D%0A they have so that I can update it.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BApplication specific%3C/strong%3E%3Cbr%3E%0D%0A %26raquo%3BMS Office 97/8.0 STARTUP-PATH%3Cbr%3E%0D%0A %26raquo%3BCurrent User%3Cbr%3E%0D%0A %26raquo%3BDefault User%3Cbr%3E%0D%0A %26raquo%3BLocal Machine%3Cbr%3E%0D%0A %26raquo%3BICQ NetDetect%3Cbr%3E%0D%0A %26raquo%3BCurrent User%3Cbr%3E%0D%0A %26raquo%3BDefault User %3C/font%3E%3C/p%3E%0D%0A%3Cp%3ENothing much here. Don%27t know what it%27s really here for%2C but I don%27t recall %0D%0A seeing any dangerous activity here.%3C/p%3E%0D%0A%3Cp%3EJust so you know%2C the log that was broken up above is a clean log. As you can %0D%0A see%2C it%27s not easy to decipher what%27s what there%2C but these are usually the %0D%0A main parts where you should focus more on%3A%3C/p%3E%0D%0A%3Cul%3E%0D%0A %3Cli%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%3Cspan title%3D%22Programs that run at startup.%22%3E%26raquo%3BRun %0D%0A Keys%3C/span%3E%3C/strong%3E%3C/font%3E%3C/li%3E%0D%0A %3Cli%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BBrowser Helper Objects %28LM%29%3C/strong%3E%3C/font%3E%3C/li%3E%0D%0A %3Cli%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BInternet Explorer%3C/strong%3E%3C/font%3E%3C/li%3E%0D%0A%3C/ul%3E%0D%0A%3Cp%3EI%27m not saying that the other sections are not important%2C but I usually see %0D%0A those sections listed being attacked most. 
For those entries that are malware %0D%0A related%2C you may click on the entry and then hit the Delete button in StartDreck %0D%0A to get rid of it. Then make sure to delete the file/folder if there is any.%3C/p%3E%0D%0A%3Cp%3EAgain%2C if anyone can fill me in on what the other areas that I%27m not sure of %0D%0A are for%2C that would be great. Or if you find a error on my part%2C email me and %0D%0A I will correct the issue.%3C/p%3E%0D%0A%3Cp align%3D%22center%22%3E%3Cfont size%3D%22-2%22%3ECopyright %26copy%3B 2003-2005 %3Ca href%3D%22http%3A//www.greyknight17.com%22%3EKRC%3C/a%3E%3Cbr%3E%0D%0A All Rights Reserved%3Cbr%3E%0D%0A %3Ca href%3D%22../disclaimer.htm%22%3EDisclaimer%3C/a%3E%3C/font%3E%3C/p%3E%0D%0A %0D%0A%3Cp align%3D%22center%22%3E%3Ca href%3D%22../../donate.htm%22%3E%3Cimg src%3D%22../../images/paypal.gif%22 width%3D%2262%22 height%3D%2231%22 border%3D%220%22%3E%3C/a%3E %0D%0A %3Cscript type%3D%22text/javascript%22 language%3D%22javascript1.2%22 src%3D%22./navigation/menu.js%22%3E%3C/script%3E%0D%0A%3C/body%3E%0D%0A"));
//--> </SCRIPT>
</HEAD>
<NOSCRIPT>
You need to have JavaScript enabled in order to view this page correctly! </NOSCRIPT>
<BODY>
<DIV class="DARK_BLUE_TITLE">
KRC StartDreck Quick Guide </DIV>
<DIV>
<DIV align="center">
<P>
</P>
<P>
</P>
</DIV>
</DIV>
<P>
<STRONG>
<EM>
Date Created: May 29, 2005 </EM>
</STRONG>
</P>
<P>
Here is a quick guide on analyzing StartDreck logs. I will try to break it down and list what each section
is for. No expert here myself, so if I make a mistake, feel free to contact
me and I will correct it. You should be able to read these logs with more comfort
once you see how it's broken down. Quite simple when seen as smaller parts.
:-) </P>
<P>
The log I'm using is <STRONG>
not </STRONG>
the full log with <STRONG>
everything
</STRONG>
checked in the configurations. If everything was checked, the log itself
can be quite large, especially if the user is using a modified hosts file. So
keep that in mind. It should cover most of the entries here nevertheless since
they have headings for everything here. You just won't see the actual entries. </P>
<P>
This log is usually requested by analysts if they want to take a deeper look
and HijackThis is coming up clean. The speech that is used by me will list most
of the sections except for mainly the NT Services and the Process Modules since
they can take up quite a lot of space. </P>
<P>
<STRONG>
Canned Speech: </STRONG>
</P>
<P class="ColoredBox">
<FONT size="-1">
Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip <BR/>
<BR/>
Unzip to its own folder and start the program: <BR/>
Press 'Config' <BR/>
Press 'mark all' <BR/>
<BR/>
Uncheck the following boxes only: <BR/>
System/Running Process -> List Modules <BR/>
System/Drivers -> NT Services <BR/>
System/Drivers -> NT Kernel- and FS-drivers <BR/>
Press 'OK' <BR/>
<BR/>
Press 'Save' and select the location to save the log file (default is the same
folder as the application) <BR/>
<BR/>
Post the log in this thread. </FONT>
</P>
<P>
<STRONG>
Header Information: </STRONG>
</P>
<P class="ColoredBox">
<SPAN title="StartDreck version and the time this log was created.">
<FONT size="-1">
StartDreck
(build 2.1.7 public stable) - 2005-04-03 @ 23:33:12 (GMT -04:00) </FONT>
</SPAN>
<FONT size="-1">
<BR/>
<SPAN title="Windows version and any Service Packs that are installed.">
Platform:
Windows XP (Win NT 5.1.2600 Service Pack 1) </SPAN>
<BR/>
<SPAN title="Internet Explorer version and any updates it has.">
Internet Explorer:
6.0.2800.1106 </SPAN>
<BR/>
<SPAN title="Name of the user and computer (in this case, they are edited out here).">
Logged
in as some_username at some_computername </SPAN>
</FONT>
</P>
<P>
<FONT size="-1">
The header information should be self-explanatory. If more
details are needed, just hover your mouse over each line. </FONT>
</P>
<P class="ColoredBox">
<FONT size="-1">
<SPAN title="The Registry :-)">
<STRONG>
»Registry </STRONG>
</SPAN>
<STRONG>
<BR/>
<SPAN title="Programs that run at startup.">
»Run Keys </SPAN>
</STRONG>
<BR/>
<SPAN title="Run keys for the current user.">
»Current User </SPAN>
<BR/>
<SPAN title="Programs that run on every startup for the current user.">
»Run <BR/>
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background <BR/>
*SpySweeper="C:\Program Files\WebRoot\Spy Sweeper\SpySweeper.exe"
/0 </SPAN>
<BR/>
<SPAN title="Programs that run only once after a reboot for the current user.">
»RunOnce </SPAN>
<BR/>
<SPAN title="Run keys for the Default User.">
»Default User </SPAN>
<BR/>
<SPAN title="Programs that run on every startup for the default user.">
»Run <BR/>
*Symantec NetDriver Warning=C:\PROGRA~1\SYMNET~1\SNDWarn.exe </SPAN>
<BR/>
<SPAN title="Programs that run only once after a reboot for the default user.">
»RunOnce <BR/>
*SRUUninstall="C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt
/x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress </SPAN>
<BR/>
<SPAN title="Run keys for all users.">
»Local Machine </SPAN>
<BR/>
<SPAN title="Programs that run on every startup for all users.">
»Run <BR/>
*WorksFUD=C:\Program Files\Microsoft Works\wkfud.exe <BR/>
*Microsoft Works Portfolio=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers <BR/>
*Microsoft Works Update Detection=C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe <BR/>
*Camera Detector=C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun <BR/>
*NvCplDaemon=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize <BR/>
*Apoint=C:\Program Files\Apoint\Apoint.exe <BR/>
*DadApp=C:\Program Files\Dell\AccessDirect\dadapp.exe <BR/>
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime <BR/>
*DIGStream=C:\Program Files\DIGStream\digstream.exe <BR/>
*iTunesHelper=C:\Program Files\iTunes\iTunesHelper.exe <BR/>
*SSC_UserPrompt=C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe <BR/>
*IntelliPoint="C:\Program Files\Microsoft IntelliPoint\point32.exe" <BR/>
*gcasServ="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" </SPAN>
<BR/>
<SPAN title="Not sure what these are, but if you know, email me.">
+OptionalComponents <BR/>
+MSFS <BR/>
*Installed=1 <BR/>
+MAPI <BR/>
*Installed=1 <BR/>
*NoChange=1 <BR/>
+MAPI <BR/>
*Installed=1 <BR/>
*NoChange=1 </SPAN>
<BR/>
<SPAN title="Programs that run only once after a reboot for all users.">
»RunOnce </SPAN>
<BR/>
<SPAN title="Program services that run at startup?">
»RunServices <BR/>
»RunServicesOnce <BR/>
»RunOnceEx <BR/>
»RunServicesOnceEx </SPAN>
</FONT>
</P>
<P>
The above are just the programs that run at startup. Hover over the corresponding
entries for a little more detail. Malware programs may be found here. </P>
<P class="ColoredBox">
<FONT size="-1">
<STRONG>
»File Associations (CR) </STRONG>
<BR/>
+.bat <BR/>
*batfile="%1" %* <BR/>
+.com <BR/>
*comfile="%1" %* <BR/>
+.disabled <BR/>
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe"
"%1" <BR/>
+.exe <BR/>
*exefile="%1" %* <BR/>
+.hta <BR/>
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %* <BR/>
+.htm <BR/>
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" <BR/>
+.html <BR/>
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1" <BR/>
+.js <BR/>
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %* <BR/>
+.jse <BR/>
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %* <BR/>
+.pif <BR/>
*piffile="%1" %* <BR/>
+.reg <BR/>
*regfile=regedit.exe "%1" <BR/>
+.scr <BR/>
*scrfile="%1" /S <BR/>
+.txt <BR/>
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1 <BR/>
+.vbs <BR/>
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %* <BR/>
+.vbe <BR/>
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %* <BR/>
+.wsh <BR/>
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %* <BR/>
+.wsf <BR/>
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %* <BR/>
+.lnk <BR/>
`lnkfile= [key or value does not exist] </FONT>
</P>
<P>
As far as I know, just some file extensions. I don't recall seeing any harmful
entries showing in this section. </P>
<P class="ColoredBox">
<FONT size="-1">
<STRONG>
»Active Setup (LM) </STRONG>
<BR/>
+Windows Media Player/{22d6f312-b0f6-11d0-94ab-0080c74c7e95} <BR/>
*StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP <BR/>
+Internet Explorer/{26923b43-4d38-484f-9b9e-de460746276c} <BR/>
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE <BR/>
+Browser Customizations/{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS <BR/>
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP <BR/>
+Outlook Express/{881dd1c5-3dcf-431b-b061-f3f88e8be88a} <BR/>
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE <BR/>
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95} <BR/>
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub <BR/>
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED} <BR/>
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll <BR/>
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C} <BR/>
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT
/user /install <BR/>
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B} <BR/>
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT <BR/>
+Windows Messenger/{5945c046-1e7d-11d1-bc44-00c04fd912be} <BR/>
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser <BR/>
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6} <BR/>
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub <BR/>
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02} <BR/>
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT
/user /install <BR/>
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340} <BR/>
*StubPath=regsvr32.exe /s /n /i:U shell32.dll <BR/>
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383} <BR/>
*StubPath=%SystemRoot%\system32\ie4uinit.exe </FONT>
</P>
<P>
Quote from Microsoft: "The Active Setup Control allows .cab files to be downloaded to a user's computer as part of the installation process for software updates." I remember seeing one entry here that's bad. I think it's MarketPlace. </P>
<P class="ColoredBox">
<FONT size="-1">
<STRONG>
»Browser Helper Objects (LM) </STRONG>
<BR/>
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <BR/>
`InprocServer32=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll <BR/>
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7} <BR/>
`InprocServer32=c:\program files\google\googletoolbar2.dll </FONT>
</P>
<P>
Browser Helper Objects (BHOs) are the toolbars or icons that you see in
Internet Explorer. Many spyware programs use this to their advantage and, in a lot of cases, install
some kind of search bar there without the user's consent.
So if any bad BHOs are found here, you may delete the entry using StartDreck. </P>
<P class="ColoredBox">
<FONT size="-1">
<STRONG>
»Internet Explorer </STRONG>
<BR/>
»Current User <BR/>
*Local Page=C:\WINDOWS\System32\blank.htm <BR/>
*Search Bar=http://home.microsoft.com/search/lobby/search.asp <BR/>
*Search Page=www.google.com <BR/>
*Start Page=www.gmail.com <BR/>
+SearchUrl <BR/>
*provider= <BR/>
*=www.google.com <BR/>
»Default User <BR/>
»Local Machine <BR/>
*Default_Page_URL=http://www.google.com <BR/>
*Local Page=C:\WINDOWS\System32\blank.htm <BR/>
*Search Bar=http://home.microsoft.com/search/lobby/search.asp <BR/>
*Search Page=www.google.com <BR/>
*Start Page=http://www.google.com <BR/>
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm <BR/>
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm <BR/>
+SearchUrl <BR/>
*=www.google.com </FONT>
</P>
<P>
These are the settings in Internet Explorer. Mostly what we look for is the
hijackings for the homepage. If there is a homepage hijack, you should be able
to recognize it. The above entries are all valid. </P>
<P class="ColoredBox">
<FONT size="-1">
<STRONG>
»ShellServiceObjectDelayLoad
(LM) </STRONG>
<BR/>
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9} <BR/>
`InprocServer32=%SystemRoot%\system32\SHELL32.dll <BR/>
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9} <BR/>
`InprocServer32=%SystemRoot%\system32\SHELL32.dll <BR/>
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED} <BR/>
`InprocServer32=%SystemRoot%\System32\webcheck.dll <BR/>
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153} <BR/>
`InprocServer32=C:\WINDOWS\System32\stobject.dll </FONT>
</P>
<P>
Not exactly sure what the above is for. If anyone has information on these,
you may email me and I will update it. </P>
<P class="ColoredBox">
<FONT size="-1">
<STRONG>
»Special NT Values </STRONG>
<BR/>
»Current User <BR/>
*Load= <BR/>
*Run= <BR/>
*Programs=com exe bat pif cmd <BR/>
*SHELL= <BR/>
»Default User <BR/>
*Load= <BR/>
*Run= <BR/>
*Programs=com exe bat pif cmd <BR/>
*SHELL= <BR/>
»Local Machine <BR/>
*AppInit_DLLs= <BR/>
<SPAN class="HighlightTextRed">
*SHELL=Explorer.exe </SPAN>
<BR/>
<SPAN class="HighlightTextGreen">
*Userinit=C:\WINDOWS\system32\userinit.exe, </SPAN>
</FONT>
</P>
<P>
If I'm correct, these are the programs that load up when Windows starts. Mostly
not imp
Edited by RicRogue, 09 June 2005 - 11:33 AM.
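As an added example (not StartDreck's or the guide author's code), a small Python parser for the log format shown in the boxes above (» section and hive headers, + subkeys, * and ` value lines) that flags the entries the guide singles out: an executable file association that no longer reads "%1" %*, a Local Machine Shell other than Explorer.exe, a changed Userinit, or a non-empty AppInit_DLLs. The sample log is constructed, with two entries edited so the checks fire.

```python
"""Parse a StartDreck-style log and flag the entries worth a second look.
Added example; the log below is constructed, not a real user's log."""

# Two lines are deliberately altered: the .exe association and the Shell value.
SAMPLE_LOG = r"""
»Registry
»File Associations (CR)
+.exe
*exefile="C:\WINDOWS\system32\example_wrapper.exe" "%1" %*
+.bat
*batfile="%1" %*
»Special NT Values
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe, C:\WINDOWS\example.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
"""

HIVES = {"Current User", "Default User", "Local Machine"}
# Executable file classes whose open command should be exactly "%1" %*.
EXEC_ASSOC = {".exe": "exefile", ".com": "comfile", ".bat": "batfile", ".pif": "piffile"}
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"   # Windows XP default

def parse_log(text):
    """Return (section, hive, subkey, name, value) tuples for every value line."""
    entries, section, hive, subkey = [], "", "", ""
    for line in text.splitlines():
        if line.startswith("»"):                 # section or hive header
            label = line[1:].strip()
            if label in HIVES:
                hive = label
            else:
                section, hive = label, ""
            subkey = ""
        elif line.startswith("+"):               # subkey (e.g. a file extension)
            subkey = line[1:].strip()
        elif line[:1] in ("*", "`"):             # name=value line
            name, _, value = line[1:].partition("=")
            entries.append((section, hive, subkey, name.strip(), value.strip()))
    return entries

def find_suspicious(entries):
    """Apply the guide's checks and return human-readable findings."""
    findings = []
    for section, hive, subkey, name, value in entries:
        if section == "File Associations (CR)" and subkey in EXEC_ASSOC:
            if name == EXEC_ASSOC[subkey] and value != '"%1" %*':
                findings.append(f"{subkey} association changed: {value}")
        elif section == "Special NT Values" and hive == "Local Machine":
            lname = name.lower()
            if lname == "shell" and value.lower() != "explorer.exe":
                findings.append(f"Shell is not Explorer.exe: {value}")
            elif lname == "userinit" and value.lower() != EXPECTED_USERINIT:
                findings.append(f"Userinit changed: {value}")
            elif lname == "appinit_dlls" and value:
                findings.append(f"AppInit_DLLs set: {value}")
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(parse_log(SAMPLE_LOG)):
        print(finding)
```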