Most common registry key to check while dealing with Virus issue

By: Saeed (/connect/user/saeed)

Created 18 Jun 2009, 7 Comments

 0  0 
 (http://en-us.reddit.com/submit?url=http://www.symantec.com/connect/articles/most-
common-registry-key-check-while-dealing-virus-issue)
 (/connect/forward?path=node/876071) Like 0

1) StartUp

C:\windows\start menu\programs\startup

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

Anything in this folder executes when you start up your computer.

2) Windows Scheduler:
Check for entries in the Scheduled Tasks, as well as via the AT command at a command prompt.

3) c:\windows\winstart.bat
It basically behaves like a normal batch file; the only difference is that it can be used to delete files when you start up your computer.

4) Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

5) "Autoexec.bat"

6) These registry keys spawn your programs. As you can see this is very dangerous, because these keys are heavily used by viruses and Trojans.

[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"

Each key should have a default value of "%1 %*". If this is changed to "server.exe %1 %*", server.exe will be executed EVERY TIME an exe/pif/com/bat/hta file is executed.

7) Explorer start-up
The problem with these operating systems is that they look for a file called "explorer.exe" whenever you start up your computer. That file is the one you see all the time but don't realize is there; if you go to Task Manager you can see it, and you can even kill it. You will then see that everything in your computer that belongs to Microsoft disappears, except for the extra windows you have open such as cmd, regedit, services.msc etc., but your desktop will be gone. As you can see this is dangerous, because it also means that if somebody modifies your explorer.exe file your computer will be corrupted. In fact, changing the name of the Start button has to be done by modifying the explorer.exe file, so a small difference there can have an effect on your computer.

Here is the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
If a Trojan changes that to the path of another "infected explorer.exe" file, your computer will start up the file the Trojan told it to and not the one used by Microsoft.

8) "Active-X Component"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
StubPath=C:\PathToFile\Filename.exe

This key is great because it starts the program in its path BEFORE explorer.exe and any other program on your computer starts. So if you wonder why your antivirus can't detect the virus when you boot up, it may be because your "virus" is taking care of it before the antivirus starts up. It could even kill your antivirus before your antivirus starts up.



 7 Comments
Nel Ramos (/connect/user/nel-ramos)

Thanks for the valuable information... this really helps...

Nel Ramos

 23 Jun 2009 (/connect/articles/most-common-registry-key-check-while-dealing-virus-issue#comment-2609281)

Jaisankar :o) (/connect/user/jaisankar-o)

That's a good titbit, like first aid everyone should know and understand its importance. Thanks for bringing it.

 27 Jul 2009 (/connect/articles/most-common-registry-key-check-while-dealing-virus-issue#comment-2765381)

vee_zza (/connect/user/veezza) PARTNER ACCREDITED

Thank you so much

 04 Oct 2009 (/connect/articles/most-common-registry-key-check-while-dealing-virus-issue#comment-3065431)

Louis Clark (/connect/user/louis-clark)

Very Useful, Thanks

 28 Apr 2010 (/connect/articles/most-common-registry-key-check-while-dealing-virus-issue#comment-3896591)

bartdave52 (/connect/user/bartdave52)

Jonah - thanks much for the information which I believe to be very helpful, but I'm not educated enough for it to be more useful to me. I went to my c:\windows\start menu\programs\start up file, and found it empty. Is that in itself a red flag? You can see what a newbie I am, so I'm guessing I should begin at a more basic computer training course before proceeding further with ridding myself of this Trojan. Thanks for your help - which I hope soon to be able to put to use.

 13 Nov 2010 (/connect/articles/most-common-registry-key-check-while-dealing-virus-issue#comment-4794141)

EdT (/connect/user/edt) TRUSTED ADVISOR

c:\windows\start menu\programs\start up is actually a folder, and not a file. Any shortcuts to EXE files placed in this folder will be started up when you log in. If this folder is empty then that is perfectly OK, as all it means is that you have no programs set to start up at login time.

If your issue has been solved, please use the "Mark as Solution" link on the most relevant
thread.

 13 Nov 2010 (/connect/articles/most-common-registry-key-check-while-dealing-virus-issue#comment-4794281)

shri1 (/connect/user/shri1)

Thanks a lot..........

 13 Nov 2010 (/connect/articles/most-common-registry-key-check-while-dealing-virus-issue#comment-4794291)