HIDING HTML source code?



#16
scicatur


    Member

  • Member
  • 16 posts
If you really must hide the HTML source code, then you can try the following:

You write your own web server called "translator" in Java, C++, etc., whichever language you normally use.

Your translator server, when it gets a page request, passes the request on to your actual web server, which is hidden in your local network. When the translator gets the web page, it turns the whole page into an image (png or jpg or...). Hyperlinks are translated as hotspots in the image.

Your translator sends the image inside the minimum HTML required. Of course the file size becomes quite monstrous and no JavaScript or animations will work but.... at least the original HTML source is not there.
  • 0



#17
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts

What part are you trying to hide? Just downloaded into my editor and a lot of your page's code comes up fine. Didn't bother to pick up style sheet, *.js files and other stuff that would make it display better, but I can see the code and have no problem reading it.

BTW, your page is missing the required HTML tags for <body> and <html> in case you wanted to know.

I was using the simple encryption on that one.

OK, if you want a tough one, take a look here. Just go to File->Save and save it somewhere. Now open it up to view the source. Ignore the CSS and other top parts. It's fully encrypted as far as I know.

The body and html tags are in there. Although the body is encrypted. The html and other headers are left alone.
  • 0

#18
Major Payne


    Retired Staff

  • Retired Staff
  • 5,307 posts

OK, if you want a tough one, take a look here.


Much, much better. I decoded some but got tired. :tazz: How much has doing your page this way affected your page rank?

Ron
  • 0

#19
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Ron, I guess that did the trick? :tazz:

I'm not saying it's 100% encrypted and all, but hey it's a good start ;)

I'm actually not sure about the page rank. The site (I think) says that it shouldn't affect it. I guess you can leave out the meta tags on top if you wish. My site gets lots of hits per hour (I think over 2000, good or bad, I don't know ;)).

I think this program should work best for most users. Just make sure to do your own backup before using this program. I know it creates a .bak file but if you inadvertently encrypted it again, you will lose the backup file.
  • 0

#20
o0MattE0o


    Member

  • Member
  • 29 posts
learn XML & CSS that will stop people seeing your styling... but not the basic html but most of it


ow that site "http://greyknight17....jtTutorial.htm" is not that good, can be easily decoded with a little bit of work, use XML for content and CSS for styling and it will be harder to take the coding or just use PHP

Edited by o0MattE0o, 03 June 2005 - 07:55 AM.

  • 0
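The page discussed in posts #17 to #20 delivers its body through a `document.write(unescape("..."))` call, as the source quoted in post #21 shows. The following is an added example, not part of any post in this thread, that recovers the markup from such a page; the sample pages and all function names are constructed for illustration.

```javascript
// Added example (not from the thread): undo document.write(unescape("...")).

// Same mapping as the legacy unescape(): %uXXXX and %XX each become one
// UTF-16 code unit, and a stray '%' is left untouched. decodeURIComponent is
// not a substitute here: it throws on Latin-1 bytes such as %A9.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Locate every document.write(unescape(<literal>)) call in a page.
// The delimiter may be ", ' or the entity &quot; (seen when a tool has
// re-serialised the page). Quotes inside the payload are themselves
// percent-encoded (%22, %27), so the first matching delimiter ends the literal.
function findEncodedWrites(html) {
  const re = /document\.write\s*\(\s*unescape\s*\(\s*("|'|&quot;)([\s\S]*?)\1\s*\)\s*\)/g;
  return [...html.matchAll(re)].map((m) => ({
    offset: m.index,            // where the call starts in the page
    encoded: m[2],              // the percent-encoded literal
    decoded: legacyUnescape(m[2]),
  }));
}

// Reduce recovered markup to the text a visitor would read.
function visibleText(markup) {
  return markup
    .replace(/<[^>]*>/g, ' ')
    .replace(/&nbsp;/g, ' ')
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&')
    .replace(/\s+/g, ' ')
    .trim();
}

// Constructed sample: a page whose whole body is hidden in one encoded write.
const samplePage = [
  '<html><head><title>Constructed sample</title>',
  '<script type="text/javascript">',
  '<!--',
  'document.write(unescape("%3Cbody%3E%0D%0A%3Cdiv class%3D%22title%22%3E' +
    'Quick Guide%3C/div%3E%0D%0A%3Cp%3EIt%27s all here %A9 2005%3C/p%3E' +
    '%0D%0A%3C/body%3E"));',
  '//-->',
  '</script></head></html>',
].join('\n');

// Constructed sample: the same call after a tool turned the quotes into &quot;.
const sampleEntityQuoted =
  'document.write(unescape(&quot;%3Cp%3Ehi%3C/p%3E&quot;));';

for (const page of [samplePage, sampleEntityQuoted]) {
  for (const hit of findEncodedWrites(page)) {
    console.log(`call at offset ${hit.offset}, ${hit.encoded.length} encoded chars`);
    console.log(hit.decoded);
    console.log('text:', visibleText(hit.decoded));
  }
}
```

Anything the browser must render has to reach it in a form it can decode, so content that must stay private belongs on the server, not in an encoded string.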

#21
RicRogue


    New Member

  • Member
  • 1 posts

Encrypting might be the way to go.
I actually gave this a try and my web page is still concealed.  Give it a try.  Type in my site here and try to view the sourcecode.

I tested this out myself.  I even downloaded the HTML file and tried to open it in a HTML editor, but nothing shows up :tazz:  The program I recommend using is HTML Cipher.  It can disable right click if you wish also.  This program has a lot of security features which may interest you.  For my purposes, I want to allow the users to right click and copy, but they can't see the source code.  You can disable both, so no one can copy the source or the contents, at least not in a simple fashion.  I mean they could rewrite the whole web page themselves, but that would be crazy ;)




HTML source code is always visible. I obtained this in under 10 seconds.

The code is not really encrypted, symbols and spaces are given their ¿html? equivalent (sp?)

<HTML>
  <HEAD>
    <![email protected] Kevin's Resource Center - http://www.greyknight17.com-->
    <META content="No-Cache" http-equiv="pragma"/>
    <META content="True" name="MSSmartTagsPreventParsing"/>
    <META content="No" http-equiv="ImageToolbar"/>
    <META content="NoIndex" name="Robots"/>
    <META content="StartDreck Tutorial, StartDreck Guide, StartDreck Analysis" name="Keywords"/>

    <META
          content="This tutorial will be discussing what each of the sections mean in a StartDreck log and how to handle ones that needs fixing." name="Description"/>

    <META content="blendTrans(Duration=1)" http-equiv="Page-Enter"/>

    <LINK href="http://www.greyknight17.com/favicon.ico" rel="SHORTCUT ICON"/>
 
    <LINK href="./krc.css" type="text/css" rel="stylesheet"/>
    <TITLE>
KRC StartDreck Quick Guide    </TITLE>




     <script src="./navigation/sniffer.js" language="javascript" type="text/javascript"/>

     <script src="./navigation/custom.js" language="javascript1.2" type="text/javascript"/>

     <script src="./navigation/style.js" language="javascript1.2" type="text/javascript"/>
    <STYLE type="text/css">
&lt;!--.mTD,.mTD A:Link,.mTD A:Visited {color:#990033}.mTD,.mTD A {white-space:nowrap;color:#990033;font-weight:normal;}.mTD,.mTD A:Active,.mTD A:Link,.mTD A:Visited,.mTD A:Hover{font-weight:normal;font-size:10px;font-family:arial,sans-serif;text-decoration:none;position:relative;}.SUBmTD,.SUBmTD A {white-space:nowrap;color:#3333aa;font-weight:normal;}.SUBmTD,.SUBmTD A:Link,.SUBmTD A:Visited {color:#3333aa}.SUBmTD,.SUBmTD A:Active,.SUBmTD A:Link,.SUBmTD A:Visited,.SUBmTD A:Hover{font-weight:normal;font-size:10px;font-family:comic sans ms,arial,sans-serif;text-decoration:none;}//--&gt;    </STYLE>
    <STYLE media="print" type="text/css">
.printhide {display:none;}    </STYLE>

    <script type="text/javascript">
&lt;!--
document.write(unescape(&quot;%3Cbody%3E%0D%0A%3Cdiv class%3D%22DARK_BLUE_TITLE%22%3EKRC StartDreck Quick Guide%3C/div%3E%0D%0A%3Cdiv%3E %0D%0A  %3Cdiv align%3D%22center%22%3E%0D%0A    %3Cp%3E%26nbsp%3B%3C/p%3E%0D%0A    %3Cp%3E%26nbsp%3B %3C/p%3E%0D%0A%3C/div%3E%0D%0A%3C/div%3E%0D%0A%3Cp%3E%3Cstrong%3E%3Cem%3EDate Created%3A May 29%2C 2005%3C/em%3E%3C/strong%3E%3C/p%3E%0D%0A%3Cp%3EHere is a quick guide on analyzing StartDreck logs. I will try to break it down and list what each section %0D%0A  is for. No expert here myself%2C so if I make a mistake%2C feel free to contact %0D%0A  me and I will correct it. You should be able to read these logs with more comfort %0D%0A  once you see how it%27s broken down. Quite simple when seen as smaller parts. %0D%0A  %3A-%29 %3C/p%3E%0D%0A%3Cp%3EThe log I%27m using is %3Cstrong%3Enot%3C/strong%3E the full log with %3Cstrong%3Eeverything %0D%0A  %3C/strong%3Echecked in the configurations. If everything was checked%2C the log itself %0D%0A  can be quite large%2C especially if the user is using a modified hosts file. So %0D%0A  keep that in mind. It should cover most of the entries here nevertheless since %0D%0A  they have headings for everything here. You just won%27t see the actual entries.%3C/p%3E%0D%0A%3Cp%3EThis log is usually requested by analysts if they want to take a deeper look %0D%0A  and HijackThis is coming up clean. 
The speech that is used by me will list most %0D%0A  of the sections except for mainly the NT Services and the Process Modules since %0D%0A  they can take up quite a lot of space.%3C/p%3E%0D%0A%3Cp%3E%3Cstrong%3ECanned Speech%3A%3C/strong%3E%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3EDownload StartDreck http%3A//www.greyknight17.com/spy/StartDreck.zip%3Cbr%3E%0D%0A  %3Cbr%3E%0D%0A  Unzip to its own folder and start the program%3A%3Cbr%3E%0D%0A  Press %27Config%27%3Cbr%3E%0D%0A  Press %27mark all%27%3Cbr%3E%0D%0A  %3Cbr%3E%0D%0A  Uncheck the following boxes only%3A%3Cbr%3E%0D%0A  System/Running Process -%26gt%3B List Modules%3Cbr%3E%0D%0A  System/Drivers -%26gt%3B NT Services%3Cbr%3E%0D%0A  System/Drivers -%26gt%3B NT Kernel- and FS-drivers%3Cbr%3E%0D%0A  Press %27OK%27%3Cbr%3E%0D%0A  %3Cbr%3E%0D%0A  Press %27Save%27 and select the location to save the log file %28default is the same %0D%0A  folder as the application%29%3Cbr%3E%0D%0A  %3Cbr%3E%0D%0A  Post the log in this thread.%3C/font%3E%3C/p%3E%0D%0A%3Cp%3E%3Cstrong%3EHeader Information%3A%3C/strong%3E%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cspan title%3D%22StartDreck version and the time this log was created.%22%3E%3Cfont size%3D%22-1%22%3EStartDreck %0D%0A  %28build 2.1.7 public stable%29 - 2005-04-03 @ 23%3A33%3A12 %28GMT -04%3A00%29%3C/font%3E%3C/span%3E%3Cfont size%3D%22-1%22%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Windows version and any Service Packs that are installed.%22%3EPlatform%3A %0D%0A  Windows XP %28Win NT 5.1.2600 Service Pack 1%29%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Internet Explorer version and any updates it has.%22%3EInternet Explorer%3A %0D%0A  6.0.2800.1106%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Name of the user and computer %28in this case%2C they are edited out here%29.%22%3ELogged %0D%0A  in as some_username at some_computername%3C/span%3E%3C/font%3E%3C/p%3E%0D%0A%3Cp%3E%3Cfont size%3D%22-1%22%3EThe header information should be 
self-explanatory. If more %0D%0A  details are needed%2C just hover your mouse over each line.%3C/font%3E%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E %3Cspan title%3D%22The Registry %3A-%29%22%3E%3Cstrong%3E%26raquo%3BRegistry%3C/strong%3E%3C/span%3E%3Cstrong%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Programs that run at startup.%22%3E%26raquo%3BRun Keys%3C/span%3E%3C/strong%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Run keys for the current user.%22%3E%26raquo%3BCurrent User%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Programs that run on every startup for the current user.%22 href%3D%22%22%3E%26raquo%3BRun%3Cbr%3E%0D%0A  *MSMSGS%3D%26quot%3BC%3A%5CProgram Files%5CMessenger%5Cmsmsgs.exe%26quot%3B /background%3Cbr%3E%0D%0A  *SpySweeper%3D%26quot%3BC%3A%5CProgram Files%5CWebRoot%5CSpy Sweeper%5CSpySweeper.exe%26quot%3B %0D%0A  /0%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Programs that only runs once after a reboot for the current user.%22%3E%26raquo%3BRunOnce%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Run keys for the Default User.%22%3E%26raquo%3BDefault User%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Programs that run on every startup for the default user.%22%3E%26raquo%3BRun%3Cbr%3E%0D%0A  *Symantec NetDriver Warning%3DC%3A%5CPROGRA%7E1%5CSYMNET%7E1%5CSNDWarn.exe%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Programs that runs only once after a reboot for the default user.%22%3E%26raquo%3BRunOnce%3Cbr%3E%0D%0A  *SRUUninstall%3D%26quot%3BC%3A%5CWINDOWS%5CSystem32%5Cmsiexec.exe%26quot%3B /L*v C%3A%5CWINDOWS%5CTEMP%5CSND532unin.txt %0D%0A  /x %7B6AF90EF6-F7F9-466C-99F4-1774826FBB40%7D /qn REBOOT%3DReallySuppress%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Run keys for all users.%22%3E%26raquo%3BLocal Machine%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Programs that run on every startup for all users.%22%3E%26raquo%3BRun%3Cbr%3E%0D%0A  *WorksFUD%3DC%3A%5CProgram Files%5CMicrosoft Works%5Cwkfud.exe%3Cbr%3E%0D%0A  *Microsoft Works 
Portfolio%3DC%3A%5CProgram Files%5CMicrosoft Works%5CWksSb.exe /AllUsers%3Cbr%3E%0D%0A  *Microsoft Works Update Detection%3DC%3A%5CProgram Files%5CCommon Files%5CMicrosoft Shared%5CWorks %0D%0A  Shared%5CWkUFind.exe%3Cbr%3E%0D%0A  *Camera Detector%3DC%3A%5CPROGRA%7E1%5CACDSYS%7E1%5CDEVDET%7E1%5CDEVDET%7E1.EXE -autorun%3Cbr%3E%0D%0A  *NvCplDaemon%3DRUNDLL32.EXE NvQTwk%2CNvCplDaemon initialize%3Cbr%3E%0D%0A  *Apoint%3DC%3A%5CProgram Files%5CApoint%5CApoint.exe%3Cbr%3E%0D%0A  *DadApp%3DC%3A%5CProgram Files%5CDell%5CAccessDirect%5Cdadapp.exe%3Cbr%3E%0D%0A  *QuickTime Task%3D%26quot%3BC%3A%5CProgram Files%5CQuickTime%5Cqttask.exe%26quot%3B -atboottime%3Cbr%3E%0D%0A  *DIGStream%3DC%3A%5CProgram Files%5CDIGStream%5Cdigstream.exe%3Cbr%3E%0D%0A  *iTunesHelper%3DC%3A%5CProgram Files%5CiTunes%5CiTunesHelper.exe%3Cbr%3E%0D%0A  *SSC_UserPrompt%3DC%3A%5CProgram Files%5CCommon Files%5CSymantec Shared%5CSecurity Center%5CUsrPrmpt.exe%3Cbr%3E%0D%0A  *IntelliPoint%3D%26quot%3BC%3A%5CProgram Files%5CMicrosoft IntelliPoint%5Cpoint32.exe%26quot%3B%3Cbr%3E%0D%0A  *gcasServ%3D%26quot%3BC%3A%5CProgram Files%5CMicrosoft AntiSpyware%5CgcasServ.exe%26quot%3B%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Not sure what these are%2C but if you know%2C email me.%22%3E+OptionalComponents%3Cbr%3E%0D%0A  +MSFS%3Cbr%3E%0D%0A  *Installed%3D1%3Cbr%3E%0D%0A  +MAPI%3Cbr%3E%0D%0A  *Installed%3D1%3Cbr%3E%0D%0A  *NoChange%3D1%3Cbr%3E%0D%0A  +MAPI%3Cbr%3E%0D%0A  *Installed%3D1%3Cbr%3E%0D%0A  *NoChange%3D1%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Programs that runs only once after a reboot for all users.%22%3E%26raquo%3BRunOnce%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan title%3D%22Program services that run at startup%3F%22%3E%26raquo%3BRunServices%3Cbr%3E%0D%0A  %26raquo%3BRunServicesOnce%3Cbr%3E%0D%0A  %26raquo%3BRunOnceEx%3Cbr%3E%0D%0A  %26raquo%3BRunServicesOnceEx%3C/span%3E%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EThe above are just the programs that run at startup. 
Hover over the corresponding %0D%0A  entries for a little more detail. Malware programs may be found here.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BFile Associations %28CR%29%3C/strong%3E%3Cbr%3E%0D%0A  +.bat%3Cbr%3E%0D%0A  *batfile%3D%26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A  +.com%3Cbr%3E%0D%0A  *comfile%3D%26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A  +.disabled%3Cbr%3E%0D%0A  *SpybotSD.DisabledFile%3D%26quot%3BC%3A%5CProgram Files%5CSpybot - Search %26amp%3B Destroy%5Cblindman.exe%26quot%3B %0D%0A  %26quot%3B%251%26quot%3B%3Cbr%3E%0D%0A  +.exe%3Cbr%3E%0D%0A  *exefile%3D%26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A  +.hta%3Cbr%3E%0D%0A  *htafile%3DC%3A%5CWINDOWS%5CSystem32%5Cmshta.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A  +.htm%3Cbr%3E%0D%0A  *FirefoxHTML%3DC%3A%5CPROGRA%7E1%5CMOZILL%7E1%5CFIREFOX.EXE -url %26quot%3B%251%26quot%3B%3Cbr%3E%0D%0A  +.html%3Cbr%3E%0D%0A  *FirefoxHTML%3DC%3A%5CPROGRA%7E1%5CMOZILL%7E1%5CFIREFOX.EXE -url %26quot%3B%251%26quot%3B%3Cbr%3E%0D%0A  +.js%3Cbr%3E%0D%0A  *JSFile%3D%25SystemRoot%25%5CSystem32%5CWScript.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A  +.jse%3Cbr%3E%0D%0A  *JSEFile%3D%25SystemRoot%25%5CSystem32%5CWScript.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A  +.pif%3Cbr%3E%0D%0A  *piffile%3D%26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A  +.reg%3Cbr%3E%0D%0A  *regfile%3Dregedit.exe %26quot%3B%251%26quot%3B%3Cbr%3E%0D%0A  +.scr%3Cbr%3E%0D%0A  *scrfile%3D%26quot%3B%251%26quot%3B /S%3Cbr%3E%0D%0A  +.txt%3Cbr%3E%0D%0A  *txtfile%3D%25SystemRoot%25%5Csystem32%5CNOTEPAD.EXE %251%3Cbr%3E%0D%0A  +.vbs%3Cbr%3E%0D%0A  *VBSFile%3D%25SystemRoot%25%5CSystem32%5CWScript.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A  +.vbe%3Cbr%3E%0D%0A  *VBEFile%3D%25SystemRoot%25%5CSystem32%5CWScript.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A  +.wsh%3Cbr%3E%0D%0A  *WSHFile%3D%25SystemRoot%25%5CSystem32%5CWScript.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A  +.wsf%3Cbr%3E%0D%0A  
*WSFFile%3D%25SystemRoot%25%5CSystem32%5CWScript.exe %26quot%3B%251%26quot%3B %25*%3Cbr%3E%0D%0A  +.lnk%3Cbr%3E%0D%0A  %60lnkfile%3D %5Bkey or value does not exist%5D%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EAs far as I know%2C just some file extensions. I don%27t recall seeing any harmful %0D%0A  entries showing in this section.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BActive Setup %28LM%29%3C/strong%3E%3Cbr%3E%0D%0A  +Windows Media Player/%26gt%3B%7B22d6f312-b0f6-11d0-94ab-0080c74c7e95%7D%3Cbr%3E%0D%0A  *StubPath%3DC%3A%5CWINDOWS%5Cinf%5Cunregmp2.exe /ShowWMP%3Cbr%3E%0D%0A  +Internet Explorer/%26gt%3B%7B26923b43-4d38-484f-9b9e-de460746276c%7D%3Cbr%3E%0D%0A  *StubPath%3D%25systemroot%25%5Csystem32%5Cshmgrate.exe OCInstallUserConfigIE%3Cbr%3E%0D%0A  +Browser Customizations/%26gt%3B%7B60B49E34-C7CC-11D0-8953-00A0C90347FF%7DMICROS%3Cbr%3E%0D%0A  *StubPath%3DRunDLL32 IEDKCS32.DLL%2CBrandIE4 SIGNUP%3Cbr%3E%0D%0A  +Outlook Express/%26gt%3B%7B881dd1c5-3dcf-431b-b061-f3f88e8be88a%7D%3Cbr%3E%0D%0A  *StubPath%3D%25systemroot%25%5Csystem32%5Cshmgrate.exe OCInstallUserConfigOE%3Cbr%3E%0D%0A  +Microsoft Windows Media Player 6.4/%7B22d6f312-b0f6-11d0-94ab-0080c74c7e95%7D%3Cbr%3E%0D%0A  *StubPath%3Drundll32.exe advpack.dll%2CLaunchINFSection C%3A%5CWINDOWS%5CINF%5Cmswmp.inf%2CPerUserStub%3Cbr%3E%0D%0A  +Themes Setup/%7B2C7339CF-2B09-4501-B3F3-F3508C9228ED%7D%3Cbr%3E%0D%0A  *StubPath%3D%25SystemRoot%25%5Csystem32%5Cregsvr32.exe /s /n /i%3A/UserInstall %25SystemRoot%25%5Csystem32%5Cthemeui.dll%3Cbr%3E%0D%0A  +Microsoft Outlook Express 6/%7B44BBA840-CC51-11CF-AAFA-00AA00B6015C%7D%3Cbr%3E%0D%0A  *StubPath%3D%26quot%3B%25ProgramFiles%25%5COutlook Express%5Csetup50.exe%26quot%3B /APP%3AOE /CALLER%3AWINNT %0D%0A  /user /install%3Cbr%3E%0D%0A  +NetMeeting 3.01/%7B44BBA842-CC51-11CF-AAFA-00AA00B6015B%7D%3Cbr%3E%0D%0A  *StubPath%3Drundll32.exe advpack.dll%2CLaunchINFSection 
C%3A%5CWINDOWS%5CINF%5Cmsnetmtg.inf%2CNetMtg.Install.PerUser.NT%3Cbr%3E%0D%0A  +Windows Messenger/%7B5945c046-1e7d-11d1-bc44-00c04fd912be%7D%3Cbr%3E%0D%0A  *StubPath%3Drundll32.exe advpack.dll%2CLaunchINFSection C%3A%5CWINDOWS%5CINF%5Cmsmsgs.inf%2CBLC.Install.PerUser%3Cbr%3E%0D%0A  +Microsoft Windows Media Player/%7B6BF52A52-394A-11d3-B153-00C04F79FAA6%7D%3Cbr%3E%0D%0A  *StubPath%3Drundll32.exe advpack.dll%2CLaunchINFSection C%3A%5CWINDOWS%5CINF%5Cwmp10.inf%2CPerUserStub%3Cbr%3E%0D%0A  +Address Book 6/%7B7790769C-0471-11d2-AF11-00C04FA35D02%7D%3Cbr%3E%0D%0A  *StubPath%3D%26quot%3B%25ProgramFiles%25%5COutlook Express%5Csetup50.exe%26quot%3B /APP%3AWAB /CALLER%3AWINNT %0D%0A  /user /install%3Cbr%3E%0D%0A  +Windows Desktop Update/%7B89820200-ECBD-11cf-8B85-00AA005B4340%7D%3Cbr%3E%0D%0A  *StubPath%3Dregsvr32.exe /s /n /i%3AU shell32.dll%3Cbr%3E%0D%0A  +Internet Explorer 6/%7B89820200-ECBD-11cf-8B85-00AA005B4383%7D%3Cbr%3E%0D%0A  *StubPath%3D%25SystemRoot%25%5Csystem32%5Cie4uinit.exe%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EQuote from Microsoft%3A %22The Active Setup Control allows .cab files to be downloaded to a user%27s computer as part of the installation process for software updates.%22 I remember seeing one entry here that%27s bad. I think it%27s MarketPlace.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BBrowser Helper Objects %28LM%29%3C/strong%3E%3Cbr%3E%0D%0A  *AcroIEHelper.AcroIEHlprObj.1/%7B06849E9F-C8D7-4D59-B87D-784B7D6BE0B3%7D%3Cbr%3E%0D%0A  %60InprocServer32%3DC%3A%5CProgram Files%5CAdobe%5CAcrobat 6.0%5CReader%5CActiveX%5CAcroIEHelper.dll%3Cbr%3E%0D%0A  *Google Toolbar Helper/%7BAA58ED58-01DD-4d91-8333-CF10577473F7%7D%3Cbr%3E%0D%0A  %60InprocServer32%3Dc%3A%5Cprogram files%5Cgoogle%5Cgoogletoolbar2.dll%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EThe Browser Helper Objects %28BHO%29 are the toolbars or icons that you see in %0D%0A  Internet Explorer. 
Many spyware programs use this to their advantage and install %0D%0A  some kind of search bar there without the user%27s consent in a lot of cases. %0D%0A  So if any bad BHO%27s are found here%2C you may delete the entry using StartDreck.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BInternet Explorer%3C/strong%3E%3Cbr%3E%0D%0A  %26raquo%3BCurrent User%3Cbr%3E%0D%0A  *Local Page%3DC%3A%5CWINDOWS%5CSystem32%5Cblank.htm%3Cbr%3E%0D%0A  *Search Bar%3Dhttp%3A//home.microsoft.com/search/lobby/search.asp%3Cbr%3E%0D%0A  *Search Page%3Dwww.google.com%3Cbr%3E%0D%0A  *Start Page%3Dwww.gmail.com%3Cbr%3E%0D%0A  +SearchUrl%3Cbr%3E%0D%0A  *provider%3D%3Cbr%3E%0D%0A  *%3Dwww.google.com%3Cbr%3E%0D%0A  %26raquo%3BDefault User%3Cbr%3E%0D%0A  %26raquo%3BLocal Machine%3Cbr%3E%0D%0A  *Default_Page_URL%3Dhttp%3A//www.google.com%3Cbr%3E%0D%0A  *Local Page%3DC%3A%5CWINDOWS%5CSystem32%5Cblank.htm%3Cbr%3E%0D%0A  *Search Bar%3Dhttp%3A//home.microsoft.com/search/lobby/search.asp%3Cbr%3E%0D%0A  *Search Page%3Dwww.google.com%3Cbr%3E%0D%0A  *Start Page%3Dhttp%3A//www.google.com%3Cbr%3E%0D%0A  *CustomizeSearch%3Dhttp%3A//ie.search.msn.com/%7BSUB_RFC1766%7D/srchasst/srchcust.htm%3Cbr%3E%0D%0A  *SearchAssistant%3Dhttp%3A//ie.search.msn.com/%7BSUB_RFC1766%7D/srchasst/srchasst.htm%3Cbr%3E%0D%0A  +SearchUrl%3Cbr%3E%0D%0A  *%3Dwww.google.com%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EThese are the settings in Internet Explorer. Mostly what we look for is the %0D%0A  hijackings for the homepage. If there is a homepage hijack%2C you should be able %0D%0A  to recognize it. 
The above entries are all valid.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BShellServiceObjectDelayLoad %0D%0A  %28LM%29%3C/strong%3E%3Cbr%3E%0D%0A  *PostBootReminder%3D%7B7849596a-48ea-486e-8937-a2a3009f31a9%7D%3Cbr%3E%0D%0A  %60InprocServer32%3D%25SystemRoot%25%5Csystem32%5CSHELL32.dll%3Cbr%3E%0D%0A  *CDBurn%3D%7Bfbeb8a05-beee-4442-804e-409d6c4515e9%7D%3Cbr%3E%0D%0A  %60InprocServer32%3D%25SystemRoot%25%5Csystem32%5CSHELL32.dll%3Cbr%3E%0D%0A  *WebCheck%3D%7BE6FB5E20-DE35-11CF-9C87-00AA005127ED%7D%3Cbr%3E%0D%0A  %60InprocServer32%3D%25SystemRoot%25%5CSystem32%5Cwebcheck.dll%3Cbr%3E%0D%0A  *SysTray%3D%7B35CEC8A3-2BE6-11D2-8773-92E220524153%7D%3Cbr%3E%0D%0A  %60InprocServer32%3DC%3A%5CWINDOWS%5CSystem32%5Cstobject.dll%3C/font%3E%3C/p%3E%0D%0A%3Cp%3ENot exactly sure what the above is for. If anyone has information on these%2C %0D%0A  you may email me and I will update it.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BSpecial NT Values%3C/strong%3E%3Cbr%3E%0D%0A  %26raquo%3BCurrent User%3Cbr%3E%0D%0A  *Load%3D%3Cbr%3E%0D%0A  *Run%3D%3Cbr%3E%0D%0A  *Programs%3Dcom exe bat pif cmd%3Cbr%3E%0D%0A  *SHELL%3D%3Cbr%3E%0D%0A  %26raquo%3BDefault User%3Cbr%3E%0D%0A  *Load%3D%3Cbr%3E%0D%0A  *Run%3D%3Cbr%3E%0D%0A  *Programs%3Dcom exe bat pif cmd%3Cbr%3E%0D%0A  *SHELL%3D%3Cbr%3E%0D%0A  %26raquo%3BLocal Machine%3Cbr%3E%0D%0A  *AppInit_DLLs%3D%3Cbr%3E%0D%0A  %3Cspan class%3D%22HighlightTextRed%22%3E*SHELL%3DExplorer.exe%3C/span%3E%3Cbr%3E%0D%0A  %3Cspan class%3D%22HighlightTextGreen%22%3E*Userinit%3DC%3A%5CWINDOWS%5Csystem32%5Cuserinit.exe%2C%3C/span%3E%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EIf I%27m correct%2C these are the programs that load up when Windows starts. Mostly %0D%0A  not important%2C except for one entry %28maybe two%29 up there. The SHELL entry is %0D%0A  what you see %28the desktop%2C icons%2C start menu%2C and everything else%29 when you %0D%0A  login. 
I forgot which one %28maybe both entries highlighted there%29%2C but a possible %0D%0A  trojan can also make itself load up here. An example could be something like %0D%0A  %3Cfont size%3D%22-1%22%3E%3Cstrong%3E*Userinit%3DC%3A%5CWINDOWS%5Csystem32%5Cuserinit.exe%2C msmsgs.exe%3C/strong%3E%3C/font%3E%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BFiles%3Cbr%3E%0D%0A  %26raquo%3BAutostart Folders%3C/strong%3E%3Cbr%3E%0D%0A  %26raquo%3BCurrent User%3Cbr%3E%0D%0A  *C%3A%5CDocuments and Settings%5Csome_username%5CStart Menu%5CPrograms%5CStartup%5Cdesktop.ini%3Cbr%3E%0D%0A  *C%3A%5CDocuments and Settings%5Csome_username%5CStart Menu%5CPrograms%5CStartup%5COpenOffice.org %0D%0A  1.1.1.lnk%3Cbr%3E%0D%0A  %26raquo%3BDefault User%3Cbr%3E%0D%0A  *C%3A%5CWINDOWS%5Csystem32%5Cconfig%5Csystemprofile%5CStart Menu%5CPrograms%5CStartup%5Cdesktop.ini%3Cbr%3E%0D%0A  %26raquo%3BLocal Machine%3Cbr%3E%0D%0A  *C%3A%5CDocuments and Settings%5CAll Users%5CStart Menu%5CPrograms%5CStartup%5Cdesktop.ini%3Cbr%3E%0D%0A  *C%3A%5CDocuments and Settings%5CAll Users%5CStart Menu%5CPrograms%5CStartup%5CInterVideo %0D%0A  WinCinema Manager.lnk%3Cbr%3E%0D%0A  *C%3A%5CDocuments and Settings%5CAll Users%5CStart Menu%5CPrograms%5CStartup%5CMicrosoft Office.lnk%3Cbr%3E%0D%0A  *C%3A%5CDocuments and Settings%5CAll Users%5CStart Menu%5CPrograms%5CStartup%5CMicrosoft Works %0D%0A  Calendar Reminders.lnk%3C/font%3E%3C/p%3E%0D%0A%3Cp%3ERelated to startup programs%2C but this is for other files. I think the LNK files %0D%0A  trigger the actual EXE files to launch at startup. 
If someone can confirm this%2C %0D%0A  that would be great.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BINI-Files%3C/strong%3E%3Cbr%3E%0D%0A  %26raquo%3BWIN.INI%5C%5Bwindows%5D%3Cbr%3E%0D%0A  *LOAD%3D%3Cbr%3E%0D%0A  *RUN%3D%3Cbr%3E%0D%0A  %26raquo%3BSYSTEM.INI%5C%5Bboot%5D%3Cbr%3E%0D%0A  *SHELL%3DExplorer.exe%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EThese files are used by some programs to store their information like program %0D%0A  names%2C registration information%2C etc. Nothing much interesting here%2C unless %0D%0A  you see an entry for a bad file.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BText Files%3C/strong%3E%3Cbr%3E%0D%0A  *C%3A%5Cboot.ini%3Cbr%3E%0D%0A  %60%5Bboot loader%5D%3Cbr%3E%0D%0A  %60timeout%3D30%3Cbr%3E%0D%0A  %60default%3Dmulti%280%29disk%280%29rdisk%280%29partition%281%29%5CWINDOWS%3Cbr%3E%0D%0A  %60%5Boperating systems%5D%3Cbr%3E%0D%0A  %60multi%280%29disk%280%29rdisk%280%29partition%281%29%5CWINDOWS%3D%26quot%3BMicrosoft Windows XP Home %0D%0A  Edition%26quot%3B /fastdetect%3Cbr%3E%0D%0A  *C%3A%5Cmsdos.sys%3Cbr%3E%0D%0A  *C%3A%5Cconfig.sys%3Cbr%3E%0D%0A  *C%3A%5CWINDOWS%5CSystem32%5Cconfig.nt%3Cbr%3E%0D%0A  %60dos%3Dhigh%2C umb%3Cbr%3E%0D%0A  %60device%3D%25SystemRoot%25%5Csystem32%5Chimem.sys%3Cbr%3E%0D%0A  %60files%3D40%3Cbr%3E%0D%0A  *C%3A%5Cautoexec.bat%3Cbr%3E%0D%0A  *C%3A%5CWINDOWS%5CSystem32%5Cautoexec.nt%3Cbr%3E%0D%0A  %[email protected] off%3Cbr%3E%0D%0A  %60lh %25SystemRoot%25%5Csystem32%5Cmscdexnt.exe%3Cbr%3E%0D%0A  %60lh %25SystemRoot%25%5Csystem32%5Credir%3Cbr%3E%0D%0A  %60lh %25SystemRoot%25%5Csystem32%5Cdosx%3Cbr%3E%0D%0A  %60SET BLASTER%3DA220 I5 D1 P330 T3%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EShows various system configuration files. 
Nothing much here.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BProgram Files%3C/strong%3E%3Cbr%3E%0D%0A  *C%3A%5Cntldr%3Cbr%3E%0D%0A  *C%3A%5Cntdetect.com%3Cbr%3E%0D%0A  *C%3A%5Cio.sys%3Cbr%3E%0D%0A  *C%3A%5CWINDOWS%5CSystem32%5Cwin.com%3Cbr%3E%0D%0A  *C%3A%5CWINDOWS%5Cexplorer.exe%3Cbr%3E%0D%0A  %26raquo%3B%25PATH%25 Companion Files%3Cbr%3E%0D%0A  +C%3A%5CWINDOWS%5CSystem32%5Cnotepad.exe%3Cbr%3E%0D%0A  *C%3A%5CWINDOWS%5CNOTEPAD.EXE%3Cbr%3E%0D%0A  +C%3A%5CWINDOWS%5CSystem32%5Ctaskman.exe%3Cbr%3E%0D%0A  *C%3A%5CWINDOWS%5CTASKMAN.EXE%3Cbr%3E%0D%0A  +C%3A%5CWINDOWS%5CSystem32%5Cwinhlp32.exe%3Cbr%3E%0D%0A  *C%3A%5CWINDOWS%5Cwinhlp32.exe%3C/font%3E%3C/p%3E%0D%0A%3Cp%3ENot really sure what these are. I mean%2C I know what they are%2C but don%27t know %0D%0A  why it%27s being detected and put under the Program Files section. Any help on %0D%0A  this would be appreciated.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E %3Cstrong%3E%26raquo%3BRunning Processes%3C/strong%3E%3Cbr%3E%0D%0A  +0%3D%26lt%3Bidle%26gt%3B%3Cbr%3E%0D%0A  +4%3D%26lt%3Bsystem%26gt%3B%3Cbr%3E%0D%0A  +492%3D%5CSystemRoot%5CSystem32%5Csmss.exe%3Cbr%3E%0D%0A  +552%3D%5C%3F%3F%5CC%3A%5CWINDOWS%5Csystem32%5Ccsrss.exe%3Cbr%3E%0D%0A  +576%3D%5C%3F%3F%5CC%3A%5CWINDOWS%5Csystem32%5Cwinlogon.exe%3Cbr%3E%0D%0A  +620%3DC%3A%5CWINDOWS%5Csystem32%5Cservices.exe%3Cbr%3E%0D%0A  +632%3DC%3A%5CWINDOWS%5Csystem32%5Clsass.exe%3Cbr%3E%0D%0A  +796%3DC%3A%5CWINDOWS%5Csystem32%5Csvchost.exe%3Cbr%3E%0D%0A  +820%3DC%3A%5CWINDOWS%5CSystem32%5Csvchost.exe%3Cbr%3E%0D%0A  +932%3DC%3A%5CWINDOWS%5CSystem32%5Csvchost.exe%3Cbr%3E%0D%0A  +992%3DC%3A%5CWINDOWS%5CSystem32%5Csvchost.exe%3Cbr%3E%0D%0A  +1156%3DC%3A%5CWINDOWS%5Csystem32%5Cspoolsv.exe%3Cbr%3E%0D%0A  +1256%3DC%3A%5CPROGRA%7E1%5CSYMANT%7E1%5CSYMANT%7E1%5CDefWatch.exe%3Cbr%3E%0D%0A  +1312%3DC%3A%5CPROGRA%7E1%5CSYMANT%7E1%5CSYMANT%7E1%5CRtvscan.exe%3Cbr%3E%0D%0A  
+1336%3DC%3A%5CWINDOWS%5CSystem32%5Cnvsvc32.exe%3Cbr%3E%0D%0A  +1392%3DC%3A%5CWINDOWS%5CSystem32%5Cwdfmgr.exe%3Cbr%3E%0D%0A  +1936%3DC%3A%5CWINDOWS%5CExplorer.EXE%3Cbr%3E%0D%0A  +192%3DC%3A%5CProgram Files%5CCommon Files%5CMicrosoft Shared%5CWorks Shared%5CWkUFind.exe%3Cbr%3E%0D%0A  +200%3DC%3A%5CPROGRA%7E1%5CACDSYS%7E1%5CDEVDET%7E1%5CDEVDET%7E1.EXE%3Cbr%3E%0D%0A  +184%3DC%3A%5CWINDOWS%5CSystem32%5CRUNDLL32.EXE%3Cbr%3E%0D%0A  +240%3DC%3A%5CProgram Files%5CDell%5CAccessDirect%5Cdadapp.exe%3Cbr%3E%0D%0A  +252%3DC%3A%5CProgram Files%5CQuickTime%5Cqttask.exe%3Cbr%3E%0D%0A  +296%3DC%3A%5CProgram Files%5CDIGStream%5Cdigstream.exe%3Cbr%3E%0D%0A  +304%3DC%3A%5CProgram Files%5CiTunes%5CiTunesHelper.exe%3Cbr%3E%0D%0A  +332%3DC%3A%5CProgram Files%5CMicrosoft IntelliPoint%5Cpoint32.exe%3Cbr%3E%0D%0A  +340%3DC%3A%5CProgram Files%5CMicrosoft AntiSpyware%5CgcasServ.exe%3Cbr%3E%0D%0A  +348%3DC%3A%5CProgram Files%5CDell%5CAccessDirect%5CDadTray.exe%3Cbr%3E%0D%0A  +372%3DC%3A%5CProgram Files%5CMessenger%5Cmsmsgs.exe%3Cbr%3E%0D%0A  +384%3DC%3A%5CProgram Files%5CWebRoot%5CSpy Sweeper%5CSpySweeper.exe%3Cbr%3E%0D%0A  +536%3DC%3A%5CProgram Files%5CInterVideo%5CCommon%5CBin%5CWinCinemaMgr.exe%3Cbr%3E%0D%0A  +636%3DC%3A%5CProgram Files%5CiPod%5Cbin%5CiPodService.exe%3Cbr%3E%0D%0A  +896%3DC%3A%5CProgram Files%5CCommon Files%5CMicrosoft Shared%5CWorks Shared%5Cwkcalrem.exe%3Cbr%3E%0D%0A  +1008%3DC%3A%5CProgram Files%5COpenOffice.org1.1.1%5Cprogram%5Csoffice.exe%3Cbr%3E%0D%0A  +1600%3DC%3A%5CProgram Files%5CMicrosoft AntiSpyware%5CgcasDtServ.exe%3Cbr%3E%0D%0A  +1768%3DC%3A%5CWINDOWS%5Csystem32%5CNOTEPAD.EXE%3Cbr%3E%0D%0A  +1184%3DC%3A%5CHJT%5CHijackThis.exe%3Cbr%3E%0D%0A  +2288%3DC%3A%5CHJT%5CHijackThis.exe%3Cbr%3E%0D%0A  +2484%3DC%3A%5CWINDOWS%5CSystem32%5Cwuauclt.exe%3Cbr%3E%0D%0A  +2644%3DC%3A%5CWINDOWS%5Csystem32%5CNOTEPAD.EXE%3Cbr%3E%0D%0A  +4076%3DC%3A%5CWINDOWS%5Csystem32%5CNOTEPAD.EXE%3Cbr%3E%0D%0A  +1296%3DC%3A%5CProgram Files%5CMozilla Firefox%5Cfirefox.exe%3Cbr%3E%0D%0A  
+3192%3DC%3A%5CDocuments and Settings%5Csome_username%5CDesktop%5Cstartdreck%5CStartDreck%5CStartDreck.exe%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EPhew. Finally%2C an easy one. This is a list of processes that are currently %0D%0A  running.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%26raquo%3BVMM32Files %28LM%29%3Cbr%3E%0D%0A  %26raquo%3B%25System%25%5CVMM32%3Cbr%3E%0D%0A  %26raquo%3B%25System%25%5CIOSUBSYS%3C/font%3E%3C/p%3E%0D%0A%3Cp%3EStuck again. Anyone with information on the above may email me with any information %0D%0A  they have so that I can update it.%3C/p%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BApplication specific%3C/strong%3E%3Cbr%3E%0D%0A  %26raquo%3BMS Office 97/8.0 STARTUP-PATH%3Cbr%3E%0D%0A  %26raquo%3BCurrent User%3Cbr%3E%0D%0A  %26raquo%3BDefault User%3Cbr%3E%0D%0A  %26raquo%3BLocal Machine%3Cbr%3E%0D%0A  %26raquo%3BICQ NetDetect%3Cbr%3E%0D%0A  %26raquo%3BCurrent User%3Cbr%3E%0D%0A  %26raquo%3BDefault User %3C/font%3E%3C/p%3E%0D%0A%3Cp%3ENothing much here. Don%27t know what it%27s really here for%2C but I don%27t recall %0D%0A  seeing any dangerous activity here.%3C/p%3E%0D%0A%3Cp%3EJust so you know%2C the log that was broken up above is a clean log. 
As you can %0D%0A  see%2C it%27s not easy to decipher what%27s what there%2C but these are usually the %0D%0A  main parts where you should focus more on%3A%3C/p%3E%0D%0A%3Cul%3E%0D%0A  %3Cli%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%3Cspan title%3D%22Programs that run at startup.%22%3E%26raquo%3BRun %0D%0A    Keys%3C/span%3E%3C/strong%3E%3C/font%3E%3C/li%3E%0D%0A  %3Cli%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BBrowser Helper Objects %28LM%29%3C/strong%3E%3C/font%3E%3C/li%3E%0D%0A  %3Cli%3E%3Cfont size%3D%22-1%22%3E%3Cstrong%3E%26raquo%3BInternet Explorer%3C/strong%3E%3C/font%3E%3C/li%3E%0D%0A%3C/ul%3E%0D%0A%3Cp%3EI%27m not saying that the other sections are not important%2C but I usually see %0D%0A  those sections listed being attacked most. For those entries that are malware %0D%0A  related%2C you may click on the entry and then hit the Delete button in StartDreck %0D%0A  to get rid of it. Then make sure to delete the file/folder if there is any.%3C/p%3E%0D%0A%3Cp%3EAgain%2C if anyone can fill me in on what the other areas that I%27m not sure of %0D%0A  are for%2C that would be great. Or if you find a error on my part%2C email me and %0D%0A  I will correct the issue.%3C/p%3E%0D%0A%3Cp align%3D%22center%22%3E%3Cfont size%3D%22-2%22%3ECopyright %26copy%3B 2003-2005 %3Ca href%3D%22http%3A//www.greyknight17.com%22%3EKRC%3C/a%3E%3Cbr%3E%0D%0A    All Rights Reserved%3Cbr%3E%0D%0A    %3Ca href%3D%22../disclaimer.htm%22%3EDisclaimer%3C/a%3E%3C/font%3E%3C/p%3E%0D%0A  %0D%0A%3Cp align%3D%22center%22%3E%3Ca href%3D%22../../donate.htm%22%3E%3Cimg src%3D%22../../images/paypal.gif%22 width%3D%2262%22 height%3D%2231%22 border%3D%220%22%3E%3C/a%3E %0D%0A  %3Cscript type%3D%22text/javascript%22 language%3D%22javascript1.2%22 src%3D%22./navigation/menu.js%22%3E%3C/script%3E%0D%0A%3C/body%3E%0D%0A&quot;));
//--&gt;    </SCRIPT>
  </HEAD>
  <NOSCRIPT>
You need to have JavaScript enabled in order to view this page correctly!  </NOSCRIPT>

  <BODY>

    <DIV class="DARK_BLUE_TITLE">
KRC StartDreck Quick Guide    </DIV>

    <DIV>
 
        <DIV align="center">

            <P>
&nbsp;        </P>

            <P>
&nbsp;         </P>

      </DIV>

    </DIV>

    <P>
      <STRONG>
        <EM>
Date Created: May 29, 2005        </EM>
      </STRONG>
    </P>

    <P>
Here is a quick guide on analyzing StartDreck logs. I will try to break it down and list what each section 
  is for. No expert here myself, so if I make a mistake, feel free to contact 
  me and I will correct it. You should be able to read these logs with more comfort 
  once you see how it's broken down. Quite simple when seen as smaller parts. 
  :-)     </P>

    <P>
The log I'm using is       <STRONG>
not      </STRONG>
 the full log with       <STRONG>
everything 
        </STRONG>
checked in the configurations. If everything was checked, the log itself 
  can be quite large, especially if the user is using a modified hosts file. So 
  keep that in mind. It should cover most of the entries here nevertheless since 
  they have headings for everything here. You just won't see the actual entries.    </P>

    <P>
This log is usually requested by analysts if they want to take a deeper look 
  and HijackThis is coming up clean. The speech that is used by me will list most 
  of the sections except for mainly the NT Services and the Process Modules since 
  they can take up quite a lot of space.    </P>

    <P>
      <STRONG>
Canned Speech:      </STRONG>
    </P>

    <P class="ColoredBox">
      <FONT size="-1">
Download StartDreck [url=http://www.greyknight17.com/spy/StartDreck.zip]http://www.greyknight17.com/spy/StartDreck.zip[/url]        <BR/>

          <BR/>

  Unzip to its own folder and start the program:        <BR/>

  Press 'Config'        <BR/>

  Press 'mark all'        <BR/>

          <BR/>

  Uncheck the following boxes only:        <BR/>

  System/Running Process -&gt; List Modules        <BR/>

  System/Drivers -&gt; NT Services        <BR/>

  System/Drivers -&gt; NT Kernel- and FS-drivers        <BR/>

  Press 'OK'        <BR/>

          <BR/>

  Press 'Save' and select the location to save the log file (default is the same 
  folder as the application)        <BR/>

          <BR/>

  Post the log in this thread.      </FONT>
    </P>

    <P>
      <STRONG>
Header Information:      </STRONG>
    </P>

    <P class="ColoredBox">
      <SPAN title="StartDreck version and the time this log was created.">
        <FONT size="-1">
StartDreck 
  (build 2.1.7 public stable) - 2005-04-03 @ 23:33:12 (GMT -04:00)        </FONT>
      </SPAN>
      <FONT size="-1">
        <BR/>

          <SPAN title="Windows version and any Service Packs that are installed.">
Platform: 
  Windows XP (Win NT 5.1.2600 Service Pack 1)        </SPAN>
        <BR/>

          <SPAN title="Internet Explorer version and any updates it has.">
Internet Explorer: 
  6.0.2800.1106        </SPAN>
        <BR/>

          <SPAN title="Name of the user and computer (in this case, they are edited out here).">
Logged 
  in as some_username at some_computername        </SPAN>
      </FONT>
    </P>

    <P>
      <FONT size="-1">
The header information should be self-explanatory. If more 
  details are needed, just hover your mouse over each line.      </FONT>
    </P>

    <P class="ColoredBox">
      <FONT size="-1">
         <SPAN title="The Registry :-)">
          <STRONG>
&raquo;Registry          </STRONG>
        </SPAN>
        <STRONG>
          <BR/>

            <SPAN title="Programs that run at startup.">
&raquo;Run Keys          </SPAN>
        </STRONG>
        <BR/>

          <SPAN title="Run keys for the current user.">
&raquo;Current User        </SPAN>
        <BR/>

          <SPAN href="" title="Programs that run on every startup for the current user.">
&raquo;Run          <BR/>

  *MSMSGS=&quot;C:\Program Files\Messenger\msmsgs.exe&quot; /background          <BR/>

  *SpySweeper=&quot;C:\Program Files\WebRoot\Spy Sweeper\SpySweeper.exe&quot; 
  /0        </SPAN>
        <BR/>

          <SPAN title="Programs that only runs once after a reboot for the current user.">
&raquo;RunOnce        </SPAN>
        <BR/>

          <SPAN title="Run keys for the Default User.">
&raquo;Default User        </SPAN>
        <BR/>

          <SPAN title="Programs that run on every startup for the default user.">
&raquo;Run          <BR/>

  *Symantec NetDriver Warning=C:\PROGRA~1\SYMNET~1\SNDWarn.exe        </SPAN>
        <BR/>

          <SPAN title="Programs that runs only once after a reboot for the default user.">
&raquo;RunOnce          <BR/>

  *SRUUninstall=&quot;C:\WINDOWS\System32\msiexec.exe&quot; /L*v C:\WINDOWS\TEMP\SND532unin.txt 
  /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress        </SPAN>
        <BR/>

          <SPAN title="Run keys for all users.">
&raquo;Local Machine        </SPAN>
        <BR/>

          <SPAN title="Programs that run on every startup for all users.">
&raquo;Run          <BR/>

  *WorksFUD=C:\Program Files\Microsoft Works\wkfud.exe          <BR/>

  *Microsoft Works Portfolio=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers          <BR/>

  *Microsoft Works Update Detection=C:\Program Files\Common Files\Microsoft Shared\Works 
  Shared\WkUFind.exe          <BR/>

  *Camera Detector=C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun          <BR/>

  *NvCplDaemon=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize          <BR/>

  *Apoint=C:\Program Files\Apoint\Apoint.exe          <BR/>

  *DadApp=C:\Program Files\Dell\AccessDirect\dadapp.exe          <BR/>

  *QuickTime Task=&quot;C:\Program Files\QuickTime\qttask.exe&quot; -atboottime          <BR/>

  *DIGStream=C:\Program Files\DIGStream\digstream.exe          <BR/>

  *iTunesHelper=C:\Program Files\iTunes\iTunesHelper.exe          <BR/>

  *SSC_UserPrompt=C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe          <BR/>

  *IntelliPoint=&quot;C:\Program Files\Microsoft IntelliPoint\point32.exe&quot;          <BR/>

  *gcasServ=&quot;C:\Program Files\Microsoft AntiSpyware\gcasServ.exe&quot;        </SPAN>
        <BR/>

          <SPAN title="Not sure what these are, but if you know, email me.">
+OptionalComponents          <BR/>

  +MSFS          <BR/>

  *Installed=1          <BR/>

  +MAPI          <BR/>

  *Installed=1          <BR/>

  *NoChange=1          <BR/>

  +MAPI          <BR/>

  *Installed=1          <BR/>

  *NoChange=1        </SPAN>
        <BR/>

          <SPAN title="Programs that runs only once after a reboot for all users.">
&raquo;RunOnce        </SPAN>
        <BR/>

          <SPAN title="Program services that run at startup?">
&raquo;RunServices          <BR/>

  &raquo;RunServicesOnce          <BR/>

  &raquo;RunOnceEx          <BR/>

  &raquo;RunServicesOnceEx        </SPAN>
      </FONT>
    </P>

    <P>
The above are just the programs that run at startup. Hover over the corresponding 
  entries for a little more detail. Malware programs may be found here.    </P>

    <P class="ColoredBox">
      <FONT size="-1">
        <STRONG>
&raquo;File Associations (CR)        </STRONG>
        <BR/>

  +.bat        <BR/>

  *batfile=&quot;%1&quot; %*        <BR/>

  +.com        <BR/>

  *comfile=&quot;%1&quot; %*        <BR/>

  +.disabled        <BR/>

  *SpybotSD.DisabledFile=&quot;C:\Program Files\Spybot - Search &amp; Destroy\blindman.exe&quot; 
  &quot;%1&quot;        <BR/>

  +.exe        <BR/>

  *exefile=&quot;%1&quot; %*        <BR/>

  +.hta        <BR/>

  *htafile=C:\WINDOWS\System32\mshta.exe &quot;%1&quot; %*        <BR/>

  +.htm        <BR/>

  *FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url &quot;%1&quot;        <BR/>

  +.html        <BR/>

  *FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url &quot;%1&quot;        <BR/>

  +.js        <BR/>

  *JSFile=%SystemRoot%\System32\WScript.exe &quot;%1&quot; %*        <BR/>

  +.jse        <BR/>

  *JSEFile=%SystemRoot%\System32\WScript.exe &quot;%1&quot; %*        <BR/>

  +.pif        <BR/>

  *piffile=&quot;%1&quot; %*        <BR/>

  +.reg        <BR/>

  *regfile=regedit.exe &quot;%1&quot;        <BR/>

  +.scr        <BR/>

  *scrfile=&quot;%1&quot; /S        <BR/>

  +.txt        <BR/>

  *txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1        <BR/>

  +.vbs        <BR/>

  *VBSFile=%SystemRoot%\System32\WScript.exe &quot;%1&quot; %*        <BR/>

  +.vbe        <BR/>

  *VBEFile=%SystemRoot%\System32\WScript.exe &quot;%1&quot; %*        <BR/>

  +.wsh        <BR/>

  *WSHFile=%SystemRoot%\System32\WScript.exe &quot;%1&quot; %*        <BR/>

  +.wsf        <BR/>

  *WSFFile=%SystemRoot%\System32\WScript.exe &quot;%1&quot; %*        <BR/>

  +.lnk        <BR/>

  `lnkfile= [key or value does not exist]      </FONT>
    </P>

    <P>
As far as I know, just some file extensions. I don't recall seeing any harmful 
  entries showing in this section.    </P>

    <P class="ColoredBox">
      <FONT size="-1">
        <STRONG>
&raquo;Active Setup (LM)        </STRONG>
        <BR/>

  +Windows Media Player/&gt;{22d6f312-b0f6-11d0-94ab-0080c74c7e95}        <BR/>

  *StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP        <BR/>

  +Internet Explorer/&gt;{26923b43-4d38-484f-9b9e-de460746276c}        <BR/>

  *StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE        <BR/>

  +Browser Customizations/&gt;{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS        <BR/>

  *StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP        <BR/>

  +Outlook Express/&gt;{881dd1c5-3dcf-431b-b061-f3f88e8be88a}        <BR/>

  *StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE        <BR/>

  +Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}        <BR/>

  *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub        <BR/>

  +Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}        <BR/>

  *StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll        <BR/>

  +Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}        <BR/>

  *StubPath=&quot;%ProgramFiles%\Outlook Express\setup50.exe&quot; /APP:OE /CALLER:WINNT 
  /user /install        <BR/>

  +NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}        <BR/>

  *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT        <BR/>

  +Windows Messenger/{5945c046-1e7d-11d1-bc44-00c04fd912be}        <BR/>

  *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser        <BR/>

  +Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}        <BR/>

  *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub        <BR/>

  +Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}        <BR/>

  *StubPath=&quot;%ProgramFiles%\Outlook Express\setup50.exe&quot; /APP:WAB /CALLER:WINNT 
  /user /install        <BR/>

  +Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}        <BR/>

  *StubPath=regsvr32.exe /s /n /i:U shell32.dll        <BR/>

  +Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}        <BR/>

  *StubPath=%SystemRoot%\system32\ie4uinit.exe      </FONT>
    </P>

    <P>
Quote from Microsoft: &quot;The Active Setup Control allows .cab files to be downloaded to a user's computer as part of the installation process for software updates.&quot; I remember seeing one entry here that's bad. I think it's MarketPlace.    </P>

    <P class="ColoredBox">
      <FONT size="-1">
        <STRONG>
&raquo;Browser Helper Objects (LM)        </STRONG>
        <BR/>

  *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}        <BR/>

  `InprocServer32=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll        <BR/>

  *Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}        <BR/>

  `InprocServer32=c:\program files\google\googletoolbar2.dll      </FONT>
    </P>

    <P>
The Browser Helper Objects (BHO) are the toolbars or icons that you see in 
  Internet Explorer. Many spyware programs use this to their advantage and install 
  some kind of search bar there without the user's consent in a lot of cases. 
  So if any bad BHO's are found here, you may delete the entry using StartDreck.    </P>

    <P class="ColoredBox">
      <FONT size="-1">
        <STRONG>
&raquo;Internet Explorer        </STRONG>
        <BR/>

  &raquo;Current User        <BR/>

  *Local Page=C:\WINDOWS\System32\blank.htm        <BR/>

  *Search Bar=http://home.microsoft.com/search/lobby/search.asp        <BR/>

  *Search Page=www.google.com        <BR/>

  *Start Page=www.gmail.com        <BR/>

  +SearchUrl        <BR/>

  *provider=        <BR/>

  *=www.google.com        <BR/>

  &raquo;Default User        <BR/>

  &raquo;Local Machine        <BR/>

  *Default_Page_URL=http://www.google.com        <BR/>

  *Local Page=C:\WINDOWS\System32\blank.htm        <BR/>

  *Search Bar=http://home.microsoft.com/search/lobby/search.asp        <BR/>

  *Search Page=www.google.com        <BR/>

  *Start Page=http://www.google.com        <BR/>

  *CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm        <BR/>

  *SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm        <BR/>

  +SearchUrl        <BR/>

  *=www.google.com      </FONT>
    </P>

    <P>
These are the settings in Internet Explorer. Mostly what we look for is the 
  hijackings for the homepage. If there is a homepage hijack, you should be able 
  to recognize it. The above entries are all valid.    </P>

    <P class="ColoredBox">
      <FONT size="-1">
        <STRONG>
&raquo;ShellServiceObjectDelayLoad 
  (LM)        </STRONG>
        <BR/>

  *PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}        <BR/>

  `InprocServer32=%SystemRoot%\system32\SHELL32.dll        <BR/>

  *CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}        <BR/>

  `InprocServer32=%SystemRoot%\system32\SHELL32.dll        <BR/>

  *WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}        <BR/>

  `InprocServer32=%SystemRoot%\System32\webcheck.dll        <BR/>

  *SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}        <BR/>

  `InprocServer32=C:\WINDOWS\System32\stobject.dll      </FONT>
    </P>

    <P>
Not exactly sure what the above is for. If anyone has information on these, 
  you may email me and I will update it.    </P>

    <P class="ColoredBox">
      <FONT size="-1">
        <STRONG>
&raquo;Special NT Values        </STRONG>
        <BR/>

  &raquo;Current User        <BR/>

  *Load=        <BR/>

  *Run=        <BR/>

  *Programs=com exe bat pif cmd        <BR/>

  *SHELL=        <BR/>

  &raquo;Default User        <BR/>

  *Load=        <BR/>

  *Run=        <BR/>

  *Programs=com exe bat pif cmd        <BR/>

  *SHELL=        <BR/>

  &raquo;Local Machine        <BR/>

  *AppInit_DLLs=        <BR/>

          <SPAN class="HighlightTextRed">
*SHELL=Explorer.exe        </SPAN>
        <BR/>

          <SPAN class="HighlightTextGreen">
*Userinit=C:\WINDOWS\system32\userinit.exe,        </SPAN>
      </FONT>
    </P>

    <P>
If I'm correct, these are the programs that load up when Windows starts. Mostly 
  not imp

Edited by RicRogue, 09 June 2005 - 11:33 AM.

  • 0
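An added example, not part of any post in this thread, showing why the percent-encoded "encryption" discussed above only obscures markup: the browser has to decode it to render the page, so any reader can run the same decoding. The `document.write(unescape("..."))` wrapper, the sample page and the names `samplePage`, `legacyUnescape` and `recoverMarkup` are assumptions made for the illustration.

```javascript
// Constructed sample: a page "protected" the way the thread describes, with
// its markup percent-encoded and written out by a script at load time.
const samplePage = [
  '<HTML><HEAD><SCRIPT LANGUAGE="JavaScript"><!--',
  'document.write(unescape("%3Cbody%3E%0D%0A%3Cp class%3D%22ColoredBox%22%3E' +
    '%26raquo%3B%25System%25%5CVMM32%3C/p%3E%0D%0A%3C/body%3E"));',
  '//--></SCRIPT></HEAD></HTML>',
].join('\n');

// Re-implementation of the legacy unescape() rules: %XX is one Latin-1 code
// unit and %uXXXX is one UTF-16 code unit. Unlike decodeURIComponent() it
// never throws, so a stray "%" is kept and a lone high byte such as %E9
// still decodes. The replace is a single pass, so "%25" becomes "%" and the
// text after it is not decoded a second time.
function legacyUnescape(text) {
  return text.replace(
    /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (match, wide, narrow) => String.fromCharCode(parseInt(wide || narrow, 16))
  );
}

// Find every unescape("...") or unescape('...') string literal in the page
// source and return the decoded markup, in page order.
function recoverMarkup(pageSource) {
  const call = /unescape\(\s*(["'])([\s\S]*?)\1\s*\)/g;
  const decoded = [];
  for (const m of pageSource.matchAll(call)) {
    decoded.push(legacyUnescape(m[2]));
  }
  return decoded;
}

// Stand-alone run: print what the browser would have rendered.
for (const markup of recoverMarkup(samplePage)) {
  console.log(markup);
}
```

The same decoding is what a malware analyst applies to an obfuscated script before reading it, which is why this kind of encoding gives no confidentiality for anything sent to the client.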

#22
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
:tazz: That was quick ;)

I guess I have to agree with others here. PHP is probably the way to go then.
  • 0

#23
Ojoshiro

    Member

  • Member
  • 146 posts
*shrug*
And so you got it on your screen. PRTSCRN->OCR and we have text again.
(another way would be to set a javascript loose to dig for the right 'document' and start dumping the content)
If I don't want my money taken, I don't leave it in a public place open for everyone to grab.

Put it on a secure site, hand out accounts only to people who signed a contract
in which they state that if they leak information from your site, you get their car, their 16 year old daughter, the family dog, their left testicle/ovary and their immortal soul. :tazz:

The web simply isn't a place to hide secrets.
No matter how smart the tricks you can come up with, someone smarter will defuse them in no time.
It was cool to see some tricks shown here. Some I would never have thought of.
But the bottom line to me remains the same.

The worldwide grapevine has no secrets ;)

Success ;)
Ojo
  • 0

#24
mpfeif101

    Member 1K

  • Retired Staff
  • 1,411 posts
Using PHP doesn't stop people from seeing your HTML source, they just don't see the PHP code.
  • 0





