To check the run-key locations that malware commonly abuses for persistence (e.g. Trojan.Poweliks, which uses them to keep its foothold), you can run the following from cmd (nothing new, but still useful). You'll be surprised how much stuff it can find. The list is from PTFM: Purple Team Field Manual by Tim Bryant.

reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs

A few things to keep in mind when reading the output: the Winlogon key lives under "Windows NT\CurrentVersion", so that is where Userinit (and Shell) must be queried; RunServices and RunServicesOnce are Windows 9x-era keys and are normally absent on current systems, so an empty result there is expected; every one of these HKLM keys has an HKCU twin (e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run) that is at least as commonly abused, since writing it needs no admin rights; and on 64-bit Windows the 32-bit view of the Run keys (Wow6432Node) is separate, so add /reg:32 to a query to see it, e.g. reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /reg:32.

WARNING (this one might break things like software installs that rely on RunOnce): to disable the HKLM RunOnce list via policy:

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce /t REG_DWORD /d 1 /f

This only covers the HKLM list; the matching policy value for the HKCU list is DisableCurrentUserRunOnce under the same key.

Will expand on it later.
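The reg queries above are fine for a quick look, but they leave the HKCU and 32-bit twins to you and make no attempt to tell a normal entry from an odd one. The script below is an added example (not from the post or from PTFM) that walks the same value-based locations in both hives and both registry views, reads the Active Setup StubPath entries, and flags data that points into a user-writable directory or chains through a script host or LOLBin. The list of keys, the assumption that every key may have a Wow6432Node mirror (keys that do not exist are skipped), and the "suspicious" regex are all my own choices; the regex is a starting heuristic, not a complete rule set, so review every row, not only the flagged ones.

```powershell
# Added example (not from the post or from PTFM): enumerate autorun locations in
# HKLM and HKCU, native and 32-bit view, and flag entries whose data points into a
# user-writable directory or invokes a script host / LOLBin.

$autorunKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Userinit, Shell
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'     # AppInit_DLLs, Load, Run
)

# Provider metadata that Get-ItemProperty attaches to every key; not registry values
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Heuristic (assumption, not a complete rule set): user-writable paths and the
# script hosts / LOLBins that Poweliks-style fileless persistence tends to chain through
$suspiciousPattern = '\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|' +
                     'rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd\.exe\s+/c|javascript:|vbscript:'

function Get-AutorunValues {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($key in $autorunKeys) {
            # Native view, then the 32-bit view (what "reg query ... /reg:32" shows);
            # paths that do not exist on this system are skipped
            $native = "$hive\$key"
            $wow64  = "$hive\SOFTWARE\Wow6432Node" + $key.Substring('SOFTWARE'.Length)
            foreach ($path in $native, $wow64) {
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $props = Get-ItemProperty -LiteralPath $path
                foreach ($p in $props.PSObject.Properties) {
                    if ($providerProps -contains $p.Name) { continue }
                    $data = [string]$p.Value   # REG_MULTI_SZ / REG_BINARY flatten to one string
                    [pscustomobject]@{
                        Key        = $path
                        Value      = $p.Name
                        Data       = $data
                        Suspicious = $data -match $suspiciousPattern
                    }
                }
            }
        }
    }
}

function Get-ActiveSetupStubs {
    # Active Setup: each component is its own subkey; StubPath runs once per user at logon
    $root = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        $stub = [string](Get-ItemProperty -LiteralPath $sub.PSPath).StubPath
        if (-not $stub) { continue }   # components without a StubPath execute nothing
        [pscustomobject]@{
            Key        = $sub.Name
            Value      = 'StubPath'
            Data       = $stub
            Suspicious = $stub -match $suspiciousPattern
        }
    }
}

$entries = @(Get-AutorunValues) + @(Get-ActiveSetupStubs)
$entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
'{0} autorun entries, {1} flagged' -f $entries.Count, @($entries | Where-Object Suspicious).Count
```

Flagged rows sort to the top. Because Poweliks-style entries can have value names that regedit renders badly, compare the Value column against what you see in the reg query output rather than trusting the GUI; and remember that a clean-looking Winlogon Userinit value still deserves a glance, since anything appended after the default userinit.exe entry runs at every logon.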