1) StartUp C:\windows\start menu\programs\startup * [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] Startup="C:\windows\start menu\programs\startup" * [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders] Startup="C:\windows\start menu\programs\startup" * [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders] "Common Startup"="C:\windows\start menu\programs\startup" * [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders] "Common Startup"="C:\windows\start menu\programs\startup" "Anything over here execute when you start up your computer" 2) Windows Scheduler: Check for entries in the Scheduled Tasks, as well as via the AT command at a command prompt. 3) c:\windows\winstart.bat 'It basically behaves like a normal batch file, then only difference is that it can be used to delete files when you start up your computer 4) Registry : [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "Whatever"="c:\runfolder\program.exe" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] "Whatever"="c:\runfolder\program.exe" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Whatever"="c:\runfolder\program.exe" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] "Whatever"="c:\runfolder\program.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Whatever"="c:\runfolder\program.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] "Whatever"="c:\runfolder\program.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices] "Whatever"="c:\runfolder\program.exe" 5) "Autoexec.bat" 6) These reg keys will basically spawn your programs, as you can see this is very dangerous because these keys are very used by viruses and Trojans. [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*" The key should have a value of Value "%1 %*", if this is changed to "server.exe %1 %*", the server.exe will be executed EVERYTIME an exe/pif/com/bat/hta is executed. 7) Explorer start-up The problem with these operating systems is that they look for a file called "explorer.exe" whenever you start up your computer, that file is basically the one that you see all the time but don’t realize it is there , if you go to your taskmaganer you can see it, you can even kill it and you will see that everything in your computer that belongs to Microsoft will disappear, except for the extra windows that you open such as cmd, regedit, services.msc etc, but your desktop will be gone. As you can see this is dangerous because it also means that if somebody modify your explorer.exe file then your computer will be corrupted. In fact, to change the name of the start bottom, has to be done by modifying the explorer.exe file, so there is a clue of a small difference that can have an effect in your computer. here is the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell if a Trojan changes that to a path of another "infected explorer.exe file" your computer will start up the file the Trojan told it to and not the one used by Microsoft. 8)"Active-X Component" [HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName] StubPath=C:\PathToFile\Filename.exe This key is great because it starts the program that it has in its path BEFORE the explorer.exe file and any other program starts in your computer, so if you can understand why your antivirus can't detect the virus when you boot up, it is maybe because your "virus" is taking care of it before it starts up. It could even kill your antivirus before your antivirus starts up
Thanks a lot..........
c:\windows\start menu\programs\start up is actually a folder, and not a file. Any shortcuts to EXE files placed in this folder will be started up when you log in. If this folder is empty then that is perfectly OK, as all it means is that you have no programs set to start up at login time.
Jonah - thanks much for the information which I believe to be very helpful, but I'm not educated enough for it to be more useful to me. I went to my c:\windows\start menu\programs\start up file, and found it empty. Is that in itself a red flag? You can see what a newbie I am, so I'm guessing I should begin at a more basic computer training course before proceeding further with ridding myself of this Trojan. Thanks for you help - which I hope soon to be able to put to use.
Very Useful, Thanks