The following list contains most of the 'popular' virus startup locations. Note that just because something appears under one of these locations does not make it a virus; to tell the good from the bad you ideally need to know which programs you are running and which programs XP installs by default. The full list of possible locations could be massive; I leave that (for now) for the individual to discover for themselves. (NOTE: Registry Manager can assist with identifying 'good' and 'bad' programs: right-click a file reference held in the registry and select 'Files'->'Properties' (if there is no 'Files' option, the specified file(s) cannot be found). From the Properties dialog you can inspect the 'claimed' manufacturer of the component. If the component does not specify a manufacturer (see the Version tab), or its manufacturer is not one you would expect to have installed an application on your system, you might consider removing the item.)
Under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER:

Key path | Value(s) | Notes
--- | --- | ---
\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | * (various) | Any value data under any of the five Run key paths in this group will be run at least once on startup
\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | * (various) | (see above)
\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx | * (various) | (see above)
\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | * (various) | (see above)
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | * (various) | (see above)
\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | <GUID> | The GUID sub-key found here refers to a COM automation or .dll server registered under HKEY_CLASSES_ROOT.
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs | DLLs listed in AppInit_DLLs are loaded into every launched application.
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | UserInit, GinaDLL | UserInit is executed just after logon to set up the user environment. GinaDLL specifies a replacement / alternative logon provider.
\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | CommonStartup or Startup |
\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Startup |
\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | |
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Various startup values |
\SOFTWARE\Microsoft\Active Setup\Installed Components\<GUID> | KeyFileName |
\SYSTEM\CurrentControlSet\Services\<Service> | | There are many legitimate services, so it takes good knowledge of the system to identify spyware/malware here. Another common load location for malware is through VxDs specified under the VxD service.
\SYSTEM\CurrentControlSet\Services\VXD\JAVASUP | StaticVxD |
\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | DataBasePath |
\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters | |
\SYSTEM\CurrentControlSet\Control\Session Manager | BootExecute |
\SYSTEM\CurrentControlSet\Control\Lsa | Notification Packages |
Under HKEY_CLASSES_ROOT (which is an alias of the HKEY_LOCAL_MACHINE\Classes key):

Key path | Value(s) | Notes
--- | --- | ---
\<type>\shell\open\command | | The shell\open\command sub-key of keys under HKEY_CLASSES_ROOT defines the application that will be launched when a particular type of file is double-clicked from the shell. This even includes executable files, folders, batch files and other critical file types. In more general terms, the shell looks up the file extension under HKEY_CLASSES_ROOT. If the shell finds a matching sub-key (e.g. .reg) it reads the (Default) value data under that sub-key and looks for a sub-key of that name (again under HKEY_CLASSES_ROOT). The shell then uses various values under this location to determine how it will deal with the file type. Types: \scrfile, \exefile, \comfile, \batfile, \htafile, \piffile, \cmdfile, \file, \dllfile
\Protocols\Filter\<MIME> | CLSID | MIME type filter. MIME stands for Multipurpose Internet Mail Extensions. When email is sent it can be encoded in various ways; the type of encoding used is stored with the mail so it can be properly decoded. The simplest encoding is text/plain, which is plain ASCII. Each encoding type can be passed through a custom filter for third-party decoding or extended coding. The sub-keys under \Protocols\Filter\ are MIME names; under each name is a CLSID entry which defines the COM object or DLL that will process the encoded file. MIME examples: text/plain, application/octet-stream
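As an added example (not part of the original list, and not Registry Manager's code), the script below parses a regedit .reg export of a few of the keys listed above and flags Run/Winlogon entries whose data points into a temp or user-profile directory, which is the kind of check the 'Files'->'Properties' inspection above is used for. The key subset, the suspicious-directory heuristic and the sample export are all assumed/constructed.

```python
# Offline triage of a regedit (.reg) export of the autostart keys listed above: export the keys on the suspect XP machine, parse the file here.
import re

# Key paths from the list above without the HKLM/HKCU prefix (compared lower-cased)
ASEP_PATHS = {
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows nt\currentversion\winlogon",   # UserInit, GinaDLL
}
# Directories an installer rarely points an autostart entry at (assumed heuristic)
SUSPICIOUS_DIRS = ("\\temp\\", "\\documents and settings\\", "\\recycler\\")

# Constructed sample export, not taken from a real machine
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"msupdate"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\msupdate.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

_KEY = re.compile(r"^\[(HKEY_[A-Z_]+)(\\.*)\]$")
_VAL = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)     # .reg escaping: \\ -> \ and \" -> "

def parse_reg(text):
    """Yield (hive, key_path, value_name, data); only REG_SZ data is decoded."""
    hive = path = None
    for line in text.splitlines():
        k, v = _KEY.match(line.strip()), _VAL.match(line.strip())
        if k:
            hive, path = k.group(1), k.group(2)
        elif v and hive is not None:
            name, data = _unescape(v.group(1)), v.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])    # dword:/hex: data is left as written
            yield hive, path, name, data

def triage(text):
    """Return (key, value_name, data, reason) per autostart entry; reason '' = nothing flagged."""
    out = []
    for hive, path, name, data in parse_reg(text):
        if path.lower() in ASEP_PATHS:
            reason = next((d.strip("\\") for d in SUSPICIOUS_DIRS if d in data.lower()), "")
            out.append((hive + path, name, data, reason))
    return out
```

A flagged entry is only a lead: confirm it by checking the file's version information (manufacturer) and whether a known installer created it.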