
Most common registry keys to check when dealing with a virus issue

Created: 18 Jun 2009 • Updated: 18 Jun 2009 | 7 comments
Posted by Saeed

1) Startup folder

C:\windows\start menu\programs\startup

Explorer looks up the location of this folder in the registry, so check where the following values point and not only the folder named above:

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

Anything placed in this folder (or in whatever folder these values have been pointed to) is executed when you log on.

2) Windows Scheduler:
Check the entries in Scheduled Tasks, and list the jobs from a command prompt with the AT command (schtasks /query on Windows XP and later).

3) c:\windows\winstart.bat
It behaves like a normal batch file; the only difference is that it runs at start-up before the Windows desktop loads, so it can be used to delete or replace files when you start your computer.

4) Registry Run keys (every value under these keys is a program that is started at boot or at logon; the RunServices keys only exist on Windows 9x/Me):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

5) "Autoexec.bat"

6) File-type handlers

These keys tell Windows how to launch a program whenever you open an exe, com, bat, hta or pif file. This makes them very dangerous, because they are heavily used by viruses and Trojans:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
The (Default) value of each key should be exactly "%1" %*. If it has been changed to something like server.exe "%1" %*, then server.exe is executed EVERY time an exe/pif/com/bat/hta file is launched. Restore the value before you delete the file it points to; otherwise no .exe (regedit included) will open any more.

7) Explorer start-up

Windows starts a shell program called explorer.exe every time you log on. That process is the desktop and taskbar you see all the time without realising a program is behind them; it appears in Task Manager, and if you kill it everything that belongs to the Windows shell disappears, except for the extra windows you opened separately such as cmd, regedit or services.msc.

This is dangerous because whoever can modify explorer.exe, or change which file Windows starts as the shell, controls your desktop. Even renaming the Start button is done by modifying explorer.exe, which shows how small a change can be and still have an effect on your computer.

Here is the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value Shell. The normal value is explorer.exe. If a Trojan changes it to the path of an infected copy of explorer.exe, your computer starts the file the Trojan told it to and not the one used by Microsoft.

8) Active Setup ("Active-X Component")

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
StubPath=C:\PathToFile\Filename.exe

This key is popular with malware because the StubPath command runs at logon BEFORE explorer.exe and before the programs in the Run keys. So if you wonder why your antivirus cannot detect the virus when you boot up, it may be because the virus has taken care of it first; it can even kill the antivirus before the antivirus starts. Windows runs each StubPath once per user account, namely when the matching entry under HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components is missing or has a lower version, so compare the two hives when you check this location.
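As an added example that is not part of the original post, the following Python script runs the checks from sections 1, 4, 6, 7 and 8 against a .reg export (as produced by regedit or `reg export`), so the triage can be done offline on a copy taken from the infected machine. The export text in SAMPLE_REG, including the hijacked comfile handler, is constructed for the demo and reuses the placeholder names from the post; the parser only understands string values and matches key paths case-insensitively.

```python
"""Triage the autostart locations listed above from a .reg export (regedit / reg export)."""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

SHELL_FOLDER_KEYS = tuple(
    hive + r"\Software\Microsoft\Windows\CurrentVersion\Explorer" + "\\" + sub
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
    for sub in ("Shell Folders", "User Shell Folders")
)
RUN_KEYS = tuple(
    hive + r"\Software\Microsoft\Windows\CurrentVersion" + "\\" + sub
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
    for sub in ("Run", "RunOnce", "RunServices", "RunServicesOnce")
)
CLASS_HIVES = ("HKEY_CLASSES_ROOT", r"HKEY_LOCAL_MACHINE\Software\CLASSES")
FILE_CLASSES = ("exefile", "comfile", "batfile", "htafile", "piffile")
EXPECTED_OPEN = '"%1" %*'  # the only legitimate (Default) for shell\open\command
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components"


def _unescape(s):
    """.reg string syntax escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}}; '' is the (Default) value, non-strings stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if (m := SECTION_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = m.groups()
            name = "" if name == "@" else _unescape(name[1:-1])
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data  # dword:/hex: values are kept as written
    return keys


def triage(keys):
    """Return (key, value_name, data, reason) for every entry an analyst should look at."""
    index = {k.lower(): k for k in keys}  # registry key paths are case-insensitive

    def get(path):
        return keys.get(index.get(path.lower()), {})

    out = []
    # 1) where Explorer will look for the Startup folder; verify that directory on disk
    for path in SHELL_FOLDER_KEYS:
        for name in ("Startup", "Common Startup"):
            if name in get(path):
                out.append((path, name, get(path)[name], "startup folder location"))
    # 4) Run-family keys: every value here is launched at boot or logon
    for path in RUN_KEYS:
        for name, data in get(path).items():
            out.append((path, name, data, "autostart entry"))
    # 6) file-type handlers: anything but "%1" %* wraps every exe/com/bat/hta/pif launch
    for hive in CLASS_HIVES:
        for cls in FILE_CLASSES:
            path = hive + "\\" + cls + r"\shell\open\command"
            data = get(path).get("")
            if data is not None and data != EXPECTED_OPEN:
                out.append((path, "(Default)", data, "open command hijacked"))
    # 7) Winlogon Shell: the program started as the desktop should be explorer.exe
    shell = get(WINLOGON).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        out.append((WINLOGON, "Shell", shell, "shell replaced"))
    # 8) Active Setup: StubPath commands run at logon before the shell
    prefix = ACTIVE_SETUP.lower() + "\\"
    for k, values in keys.items():
        if k.lower().startswith(prefix) and values.get("StubPath"):
            out.append((k, "StubPath", values["StubPath"], "active setup stub"))
    return out


# Constructed sample export for the demo; it reuses the placeholder names from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Startup"="C:\\windows\\start menu\\programs\\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\\runfolder\\program.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="server.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
"StubPath"="C:\\PathToFile\\Filename.exe"
"IsInstalled"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, data, reason in triage(parse_reg(SAMPLE_REG)):
        print(f"[{reason}] {key} :: {name} = {data}")
```

On the sample the exefile handler and the stock Winlogon Shell pass silently, while the comfile handler, the Run entry, the Startup folder location and the Active Setup stub are reported. Regedit writes its exports as UTF-16 LE with a byte-order mark, so open a real file with encoding="utf-16" before passing the text to parse_reg.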

Comments

Nel Ramos

Thanks for the valuable information...
this really helps...

Nel Ramos

Jaisankar :o)

Those are good tidbits, like first aid; everyone should know and understand their importance. Thanks for bringing them up.

vee_zza

Thank you so much

bartdave52

Jonah - thanks very much for the information, which I believe to be very helpful, but I'm not educated enough for it to be more useful to me. I went to my c:\windows\start menu\programs\start up file and found it empty. Is that in itself a red flag? You can see what a newbie I am, so I'm guessing I should begin with a more basic computer training course before proceeding further with ridding myself of this Trojan. Thanks for your help, which I hope soon to be able to put to use.

EdT

c:\windows\start menu\programs\start up is actually a folder, not a file. Any shortcuts to EXE files placed in this folder will be started when you log in. If this folder is empty, that is perfectly OK; all it means is that you have no programs set to start up at login time.

If your issue has been solved, please use the "Mark as Solution" link on the most relevant thread.
