http://www.symantec.com/connect/articles/most-common-registry-key-check-while-dealing-virus-issue
1) StartUp
C:\windows\start menu\programs\startup
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
2) Windows Scheduler:
Check for entries in the Scheduled Tasks, as well as via the AT command at a command prompt.
3) c:\windows\winstart.bat
It basically behaves like a normal batch file; the only difference is that it can be used to delete files when you start up your computer.
4) Registry :
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"
5) "Autoexec.bat"
6) These registry keys will launch whatever programs they list. As you can see this is very dangerous, because these keys are heavily used by viruses and Trojans.
7) Explorer start-up
The problem with these operating systems is that they look for a file called "explorer.exe" whenever you start up your computer. That file is the one you see all the time without realizing it is there; if you open Task Manager you can see it, and you can even kill it and watch everything on your computer that belongs to Microsoft disappear, except for the extra windows you opened such as cmd, regedit, services.msc etc., but your desktop will be gone. As you can see this is dangerous, because it also means that if somebody modifies your explorer.exe file your computer will be corrupted. In fact, changing the name of the Start button has to be done by modifying the explorer.exe file, so that is a clue of how a small difference can have an effect on your computer.
8)"Active-X Component"
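The following script is an added example and not code from the original article: it walks the autostart locations named in items 1), 2) and 4) above and lists every entry so an analyst can review them in one place. It assumes PowerShell 3 or later; the Startup folders are resolved from the Shell Folders registry values rather than the hard-coded C:\windows\start menu path, because modern Windows places them under %APPDATA% and %ProgramData%.

```powershell
# Added example, not code from the original article: list the autostart
# locations named in items 1), 2) and 4) so an analyst can review them.
# Startup folders are resolved via the Shell Folders values rather than the
# hard-coded C:\windows\start menu path (modern Windows puts them under
# %APPDATA% and %ProgramData%). Assumes PowerShell 3 or later.
function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    foreach ($key in $runKeys) {
        # RunServices* are Windows 9x keys and are usually absent on NT-based Windows
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider' -contains $prop.Name) { continue }
            [pscustomobject]@{ Location = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }

    # Item 1): per-user and all-users Startup folders, read from the Shell Folders keys
    $shellFolders = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'; Value = 'Startup' },
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'; Value = 'Common Startup' }
    )
    foreach ($sf in $shellFolders) {
        $folder = (Get-ItemProperty -Path $sf.Key -ErrorAction SilentlyContinue).($sf.Value)
        if ($folder -and (Test-Path $folder)) {
            foreach ($f in Get-ChildItem -Path $folder -Force -File) {
                [pscustomobject]@{ Location = $folder; Name = $f.Name; Command = $f.FullName }
            }
        }
    }

    # Item 2): scheduled tasks (Get-ScheduledTask needs Windows 8 / Server 2012 or later)
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($t in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
            $cmd = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            [pscustomobject]@{ Location = $t.TaskPath; Name = $t.TaskName; Command = $cmd }
        }
    }
}

Get-AutostartEntries | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM keys and the all-users Startup folder are readable, and compare the Command column against what you expect to be installed.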
Jaisankar :o) (/connect/user/jaisankar-o)
That's a good tidbit, like first aid everyone should know and understand its importance, thanks for bringing it up.
bartdave52 (/connect/user/bartdave52)
Jonah - thanks much for the information which I believe to be very helpful, but I'm not educated enough for it to be more useful to me. I went to my c:\windows\start menu\programs\start up file, and found it empty. Is that in itself a red flag? You can see what a newbie I am, so I'm guessing I should begin at a more basic computer training course before proceeding further with ridding myself of this Trojan. Thanks for your help - which I hope soon to be able to put to use.
EdT (/connect/user/edt) TRUSTED ADVISOR
c:\windows\start menu\programs\start up is actually a folder, and not a file. Any shortcuts to EXE files placed in this folder will be started up when you log in. If this folder is empty then that is perfectly OK, as all it means is that you have no programs set to start up at login time.
If your issue has been solved, please use the "Mark as Solution" link on the most relevant
thread.
shri1 (/connect/user/shri1)
Thanks a lot..........