Places where viruses and trojans hide on start up

20-05-2007, 09:13 PM   #1
cedric_diggry (Thread Starter)
Places where viruses and trojans hide on start up

Quote:
1. START-UP FOLDER. Windows opens every item in the Start Menu's Start Up folder. This folder is prominent in the Programs folder of the Start Menu.

Notice that I did not say that Windows "runs" every program that is represented in the Start Up folder. I said it "opens every item." There's an important difference.

Programs represented in the Start Up folder will run, of course. But you can have shortcuts in the Start Up folder that represent documents, not programs.

For example, if you put a Microsoft Word document in the Start Up folder, Word will run and automatically open that document at bootup; if you put a WAV file there, your audio software will play the music at bootup, and if you put a Web-page Favourites there, Internet Explorer (or your own choice of a browser) will run and open that Web page for you when the computer starts up. (The examples cited here could just as easily be shortcuts to a WAV file or a Word document, and so on.)

2. REGISTRY. Windows executes all instructions in the "Run" section of the Windows Registry. Items in the "Run" section (and in other parts of the Registry listed below) can be programs or files that programs open (documents), as explained in No. 1 above.

3. REGISTRY. Windows executes all instructions in the "RunServices" section of the Registry.

4. REGISTRY. Windows executes all instructions in the "RunOnce" part of the Registry.

5. REGISTRY. Windows executes instructions in the "RunServicesOnce" section of the Registry. (Windows uses the two "RunOnce" sections to run programs a single time only, usually on the next bootup after a program installation.)

7. REGISTRY. Windows executes instructions in the HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the Registry. Any command embedded here will open when any exe file is executed.

Other possibles:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

If keys don't have the "\"%1\" %*" value as shown, and are changed to something like "\"somefilename.exe %1\" %*", then they are automatically invoking the specified file.

8. BATCH FILE. Windows executes all instructions in the Winstart batch file, located in the Windows folder. (This file is unknown to nearly all Windows users and most Windows experts, and might not exist on your system. You can easily create it, however. Note that some versions of Windows call the Windows folder the "WinNT" folder.) The full filename is WINSTART.BAT.

9. INITIALIZATION FILE. Windows executes instructions in the "RUN=" line in the WIN.INI file, located in the Windows (or WinNT) folder.

10. INITIALIZATION FILE. Windows executes instructions in the "LOAD=" line in the WIN.INI file, located in the Windows (or WinNT) folder.

It also runs things in shell= in System.ini or c:\windows\system.ini:

[boot]
shell=explorer.exe C:\windows\filename

The file name following explorer.exe will start whenever Windows starts.

As with Win.ini, file names might be preceded by considerable space on such a line, to reduce the chance that they will be seen. Normally, the full path of the file will be included in this entry. If not, check the \Windows directory.


11. RELAUNCHING. Windows reruns programs that were running when Windows shut down. Windows cannot do this with most non-Microsoft programs, but it will do it easily with Internet Explorer and with Windows Explorer, the file-and-folder manager built into Windows. If you have Internet Explorer open when you shut Windows down, Windows will reopen IE with the same page open when you boot up again. (If this does not happen on your Windows PC, someone has turned that feature off. Use Tweak UI, the free Microsoft Windows user interface manager, to reactivate "Remember Explorer settings," or whatever it is called in your version of Windows.)

12. TASK SCHEDULER. Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed.

13. SECONDARY INSTRUCTIONS. Programs that Windows launches at startup are free to launch separate programs on their own. Technically, these are not programs that Windows launches, but they are often indistinguishable from ordinary auto-running programs if they are launched right after their "parent" programs run.

14. C:\EXPLORER.EXE METHOD.

C:\Explorer.exe

Windows loads explorer.exe (typically located in the Windows directory) during the boot process. However, if c:\explorer.exe exists, it will be executed instead of the Windows explorer.exe. If c:\explorer.exe is corrupt, the user will effectively be locked out of their system after they reboot.

If c:\explorer.exe is a trojan, it will be executed. Unlike all other autostart methods, there is no need for any file or registry changes - the file just simply has to be named c:\explorer.exe

15. ADDITIONAL METHODS.

Additional autostart methods. The first two are used by Trojan SubSeven 2.2.

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\Usershell folders

Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key specifies that all applications will be executed if ICQNET detects an Internet connection.

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] ="Scrap object"
"NeverShowExt"=""
This key changes your file's specified extension.



Original Source : Places that viruses and trojans hide on start up

Last edited by bakuryu; 21-05-2007 at 01:35 PM.. Reason: added original source
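
An added example, not part of the quoted article or of any poster's message: a Python audit of the handler keys in item 7 and the WIN.INI / SYSTEM.INI lines in items 9 and 10, run over exported text rather than a live system. The function names and the sample data are constructed for illustration; the expected value `"%1" %*` and the `somefilename.exe` hijack pattern are the ones the post gives.

```python
import re

# Classes from the post whose default open command should be exactly "%1" %*
WATCHED = ("exefile", "comfile", "batfile", "piffile")
EXPECTED = '"%1" %*'
KEY_RE = re.compile(
    r"^\[(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\Software\\Classes)"
    r"\\(\w+)\\shell\\open\\command\]$", re.IGNORECASE)

# Constructed sample input: a trimmed .reg export and INI lines
SAMPLE_REG = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"somefilename.exe %1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''
SAMPLE_INI = r'''[boot]
shell=explorer.exe                    C:\windows\filename
[windows]
load=
run=                    C:\windows\filename
'''

def audit_reg_export(text):
    """Return (key, command) for watched handlers that differ from EXPECTED."""
    findings, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = line[1:-1] if m and m.group(1).lower() in WATCHED else None
        elif current and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping (\" and \\) before comparing
            command = re.sub(r'\\(["\\])', r"\1", line[3:-1])
            if command != EXPECTED:
                findings.append((current, command))
    return findings

def audit_ini(text):
    """Return (section, key, value) for shell=, run= and load= autostart lines."""
    findings, section = [], ""
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if key.startswith("[") and key.endswith("]") and not sep:
            section = key[1:-1].lower()
        elif (sep and section == "boot" and key.lower() == "shell"
              and value.lower() != "explorer.exe"):
            findings.append((section, "shell", value))
        elif section == "windows" and key.lower() in ("run", "load") and value:
            findings.append((section, key.lower(), value))
    return findings
```

Stripping each value before the comparison is what defeats the padding trick the post mentions, where the file name is pushed far to the right of the line. Files written by `reg export` are UTF-16, so decode them before passing the text in.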

21-05-2007, 10:47 AM   #2
Hatrix
Re: Places where viruses and trojans hide on start up

good job, u'r doing well here
well also check using winrar to browse your drives ( c:\ or d:\ or.....)
if you find a file named autorun.inf open it to see where the virus is......
also if you c autoplay when you right click your drive

21-05-2007, 11:35 AM   #3
Night_virus
Re: Places where viruses and trojans hide on start up
awesome Job dude...
__________________
Reloaded, Reformed, Purely changed.. I'm no more Rocky_cool

21-05-2007, 12:16 PM   #4
Dark Star
Re: Places where viruses and trojans hide on start up

Better u admit else receive a neg rep... :XXX: Plz tell me who is the gr8 staff who made this sticky...

http://www.security-forums.com/viewtopic.php?t=3752

Copy pasted from here.. bad cheating other work and having ur .. Plz do google before giving views

21-05-2007, 12:26 PM   #5
Night_virus
Re: Places where viruses and trojans hide on start up

Quote:
Better u admit else receive a neg rep... :XXX: Plz tell me who is the gr8 staff who made this sticky...

Copy pasted from here.. bad cheating other work and having ur .. Plz do google before giving views
I Googled it before replying, but didn't want to hurt newbie.. LOL

21-05-2007, 12:51 PM   #6
firebob517
Re: Places where viruses and trojans hide on start up

Here is the link where this came from..

SOURCE LINK

21-05-2007, 01:36 PM   #7
bakuryu
Re: Places where viruses and trojans hide on start up

I was the great staff who made this sticky .. and I don't think anywhere it is mentioned u cannot make copy pasted posts sticky
__________________
Please don't click here

21-05-2007, 01:57 PM   #8
X-Caliber
Re: Places where viruses and trojans hide on start up

Quote:
Originally Posted by Bakuryu
I was the great staff who made this sticky .. and I don't think anywhere it is mentioned u cannot make copy pasted posts sticky
I will too share the laugh with you
__________________
Also Catch me on my Blog



igoY - The journey of Yogi

21-05-2007, 03:00 PM   #9
Dark Star
Re: Places where viruses and trojans hide on start up

Quote:
Originally Posted by bakuryu View Post
I was the great staff who made this sticky .. and I don't think anywhere it is mentioned u cannot make copy pasted posts sticky
Quote:
Originally Posted by X-Caliber View Post
I will too share the laugh with you
Da mn never thought Baku will be so silly Well Mod decision Admin reply he tooo will be on his side I know but this ain't good

21-05-2007, 03:09 PM   #10
bakuryu
Re: Places where viruses and trojans hide on start up

plz .. explain why is this "so bad" ?? and one more thing, i really didn't need to google this time, cause i knew it was from somewhere .. u see seeing such a long post in a font different to that of the default font, pretty well tells the story
