jansson_mark
Markus Jansson
Premium Member
join:2001-08-05
Finland

Let's take a look at startups for malware!

There are plenty of ways trojans and other malware can hide when they start up. But they have to start up somehow. Let's take a look at WHAT and WHERE startup programs appear on Windows XP Pro at least... Please give more tips if you know other places where programs can be launched during startup!

- In the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows\load
HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows\run
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Install Components\
HKEY_CLASSES_ROOT\exefile\shell\open\command (so that whenever an .exe file is run, the trojan is run as well)

- In the Start menu (other users' startup menus should also be checked):
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

- In Services, the ones that are "manual" or "automatic".
Go to "Start menu\Administrator tools\services"

- In login/logoff scripts.
Run "gpedit.msc" and go to "Local computer policy - User Configuration - Windows Settings - Scripts (Logon/Logoff)"

- In the "win.ini" and "boot.ini" files, by adding a command like "load = trojan.exe" or "Run= trojan.exe" or "Shell=Explorer.exe trojan.exe".

- By adding itself to existing .exe files such as Explorer.exe, so that when that file is launched, as it normally is, the trojan is launched too... Or by attaching itself to .dll files, so that when some program uses those .dll files, the trojan gets loaded into memory.

The only way to keep track of what is starting up in your system (actually, what files there are in your system and whether they have been tampered with) is to use a tool like "NISfilecheck" that creates SHA-1 hashes from the wanted files, so that if a trojan attaches itself to those files, NISfilecheck will discover it easily when you next run it. Of course, you must specify all files that need to be checked. I have set my NISfilecheck to check all files that have the .exe .dll .ocx .vxd .sys .bat .scr .ini .com .cmd .dat .reg .drv .vbs .inf .msi .wsc .386 .pif extensions. To protect the registry against trojans you need a program like "Active Registry Monitor". To prevent unknown .exe and .dll files from being executed on your system you need a program like "Abtrusion Protect"... To put it simply, if you are running "Abtrusion Protect", there is practically NO WAY of you getting infected with a trojan accidentally, since it prevents all .exe and .dll files that you have not specifically allowed from executing... naturally, a trojan can't disable it because the trojan can't even execute in the first place. Programs like "What's Happening" make it possible to monitor already running processes and .dll files, while "Active Ports" will tell you what program is using your network.

And here is one excellent site about what each entry or file being started up means and what it is:
http://www.pacs-portal.co.uk/startup_pages/startup_full.htm

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

There is a nice startup listing program here.

I thought there used to be another really good, complete listing of startup items at www.sysinternals.com -- AutoRuns -- but I don't see it there now. Hmmmm...
________

Ah. I found it, finally, here.

[text was edited by author 2003-04-27 23:03:46]
LowWaterMark
Premium Member
join:2002-05-16
Wallingford, CT

1 recommendation

LowWaterMark to jansson_mark

I have said before that I think the best way to know what is going on with your PC is to know what it is running - be familiar with all the startups and what is normally running in the background so that you can notice when something changes.

I believe a good tool will help those who wish to take the time, to better understand their systems. Something like StartupList from: »www.lurkhere.com/~nicefiles/ will help users to better understand their systems. Watching changes to the list of startup locations and running processes over a period of time is key to this understanding.

For myself, I believe sandbox technology is a huge benefit in regards to what you are talking about, and I use TTT for that purpose, but, Abtrusion Protect or SSM will do the job, too.

jansson_mark
Markus Jansson
Premium Member
join:2001-08-05
Finland

said by LowWaterMark:
Something like StartupList from: »www.lurkhere.com/~nicefiles/ will help users to better understand their systems.
WOW! Great program!
I guess I wanted to do it all in the hard way...all you have to do with that program is to run it... Oh well...

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

Yep. That is the same program I linked to above. Saves a lot of time.

If you want a Windows interface to view the results, AutoRuns is very complete -- maybe even more so than StartupList...

The image displays all the Startup places investigated by AutoRuns. Hard to beat...
[text was edited by author 2003-04-27 23:44:01]

Wildcatboy
Invisible
Mod
join:2000-10-30
Toronto, ON

1 recommendation

Wildcatboy to jansson_mark

said by davidovv:
1. Autostart folder

C:\windows\start menu\programs\startup {english}
C:\windows\Menu Démarrer\Programmes\Démarrage {french}
C:\windows\All Users\Menu Iniciar\Programas\Iniciar { Portuguese, Brasilian }

This Autostart Directory is saved in :

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
Setting it to anything other than C:\windows\start menu\programs\startup will lead to execution of ALL and EVERY executable inside the set directory.

Addendum : as of 10/03/2001 Subseven 2.2 now uses this method.

2. Win.ini

[windows]
load=file.exe
run=file.exe

3. System.ini

[boot]
Shell=Explorer.exe file.exe

4. c:\windows\winstart.bat

'Note: behaves like a usual BAT file. Used for copying/deleting specific files. Autostarts every time.

5. Registry

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\000x]
"RunMyApp"="||notepad.exe"
The format is: "DllFileName|FunctionName|CommandLineArguments" -or- "||command parameters"

Microsoft Windows 98
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows Millennium Edition

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

6. c:\windows\wininit.ini

'Often used by setup programs: when the file exists it is run ONCE and then is deleted by Windows.
Example content of wininit.ini :

[Rename]
NUL=c:\windows\picture.exe

' This example sends c:\windows\picture.exe to NUL, which means that it is being deleted. This requires no interactivity with the user and runs totally stealth.

7. Autoexec.bat

Starts every time at DOS level.

8. Registry Shell Spawning

[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="%1" %*
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="%1" %*
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="%1" %*
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="%1" %*
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="%1" %*

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="%1" %*

The key should have a value of Value , if this is changed to , the server.exe is executed EVERYTIME an exe/pif/com/bat/hta is executed.

Known as Unknown Starting Method and is currently used by Subseven.

9. Icq Inet

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.

10. Explorer start-up

Windows 95,98,ME
Explorer.exe is started through a system.ini entry; the entry itself contains no path information, so if c:\explorer.exe exists it will be started instead of c:\$winpath\explorer.exe.

Windows NT/2000
The Windows Shell is the familiar desktop that's used for interacting with Windows. During system startup, Windows NT 4.0 and Windows 2000 consult the "Shell" registry entry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, to determine the name of the executable that should be loaded as the Shell.
By default, this value specifies Explorer.exe.

The problem has to do with the search order that occurs when system startup is in process. Whenever a registry entry specifies the name of a code module, but does it using a relative path, Windows initiates a search process to find the code. The search order is as follows:

Search the current directory.
If the code isn't found, search the directories specified in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path, in the order in which they are specified.
If the code isn't found, search the directories specified in HKEY_CURRENT_USER\Environment\Path, in the order in which they are specified.

General :
If a trojan installs itself as c:\explorer, no run keys or other start-up entries are needed. If c:\explorer.exe is a corrupted file the user will be locked out of the system. Affects all Windows versions as of today.

10. Active-X Component

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe
Believe it or not, this does start filename.exe BEFORE the shell and any other program normally started via the Run keys.

11. Autorun.inf

Misc Information

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @="Scrap object"
"NeverShowExt"=""

The NeverShowExt key has the function of HIDING the real extension of the file (here SHS). This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs including Explorer.
Your registry should be full of NeverShowExt keys, simply delete the key to get the real extension to show up.
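The search order from point 10 of the quoted list, worked through in code as an added example (it is not from the thread or from davidovv's list); the file list, the two Path values and the root-of-drive current directory are constructed for the demo, and the check at the end is the defender's view of the same fact: a bare file name in a startup value is resolved through that order and can be shadowed.

```python
"""Simulation of the relative-path search order in point 10 above (current
directory, then the machine Path from HKLM\\...\\Session Manager\\Environment,
then the user Path from HKCU\\Environment). Added example, not from the
thread; the file list, Path values and current directory are constructed."""
import ntpath

# Constructed picture of a clean Windows 2000 volume (lower-cased paths).
CLEAN_FILES = {r"c:\winnt\explorer.exe", r"c:\winnt\system32\userinit.exe"}
MACHINE_PATH = r"C:\WINNT\system32;C:\WINNT"        # stands in for the HKLM Path
USER_PATH = r"C:\Documents and Settings\alice\bin"  # stands in for the HKCU Path
# Assumption: at shell start the current directory is the system drive root,
# which is exactly where the thread's c:\explorer.exe case sits.
STARTUP_CWD = "C:\\"


def resolve_module(name, files, current_dir=STARTUP_CWD,
                   machine_path=MACHINE_PATH, user_path=USER_PATH):
    """Return the file Windows would load for a value such as Winlogon\\Shell,
    or None. A value that carries a directory is used as-is; a bare file
    name is tried in the order the thread gives."""
    present = {f.lower() for f in files}
    if "\\" in name or ntpath.isabs(name):
        return name if name.lower() in present else None
    for directory in [current_dir] + machine_path.split(";") + user_path.split(";"):
        candidate = ntpath.join(directory, name)
        if directory and candidate.lower() in present:
            return candidate
    return None


def relative_startup_values(values):
    """Defender check: names of startup values whose first program is a bare
    file name, i.e. resolved through the search order and shadowable by a
    same-named file earlier in it. Userinit's comma-separated list is handled."""
    return sorted(n for n, v in values.items()
                  if v and "\\" not in v.split(",")[0].strip())


if __name__ == "__main__":
    winlogon = {"Shell": "Explorer.exe",
                "Userinit": r"C:\WINNT\system32\userinit.exe,"}
    print("search-order dependent:", relative_startup_values(winlogon))
    print("clean volume  :", resolve_module("Explorer.exe", CLEAN_FILES))
    planted = CLEAN_FILES | {r"c:\explorer.exe"}   # file in the root, no Run key needed
    print("planted volume:", resolve_module("Explorer.exe", planted))
    print("full path     :", resolve_module(r"C:\WINNT\explorer.exe", planted))
```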

psloss
Premium Member
join:2002-02-24

1 recommendation

psloss to jansson_mark


Re: other auto-loaders

In the NT architecture, there are also auto-loaded DLLs that are stored in the Registry. (OK, their paths or file names are stored in the Registry.) Some of these are also initialized inside the trusted computing base. A couple are the Winlogon GINA and LSA authentication packages. (Winlogon also has notification "plugins" beginning with Windows 2000.)

There's also the AppInit_DLLs value in HKLM/MS/WinNT/CurVer which is loaded into every user mode process, I believe.

There's probably a few more; the GINA and AppInit_DLLs values have been exploited by a few malicious programs in the past.

And for EXE startups, if an NT-based system has unprotected or poorly protected file sharing, there's always PSEXEC.

All of these things can be protected against proactively or detected reactively with the tools that have been discussed in previous posts.

Philip Sloss

Khaine
join:2003-03-03
Australia

Khaine to jansson_mark


Re: Let's take a look at startups for malware!

Great Post Markus

Hopefully this will help people who are new to security

locke108
Premium Member
join:2002-03-13
India

locke108 to jansson_mark

I am surfing from a public system.
I ran hijackthis utility.
It gave me the following results.
What can I remove from the listed entries?
code:

Logfile of HijackThis v1.93.0
Scan saved at 6:05:48 AM, on 4/28/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://searchbar.findthewebsiteyouneed.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WIN98\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_7.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN98\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WIN98\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_7.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WIN98\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WIN98\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WIN98\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WIN98\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [N2PDialr] C:\PROGRA~1\CALTIG~1\N2PDialr.exe -auto
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: YapPhone.lnk = C:\Program Files\YapPhone\YapPhone.exe
O4 - Startup: FOLDER.HTT
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: FOLDER.HTT
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »download.yahoo.com/dl/in ··· inst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/ ··· lash.cab
O16 - DPF: Yahoo! Chat 1.3 - »cs8.chat.sc5.yahoo.com/c ··· chat.cab
O16 - DPF: DigiChat Applet - »host9.digichat.com/DigiC ··· t_IE.cab
O16 - DPF: Yahoo! Chat - »us.chat1.yimg.com/us.yim ··· chat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/ac ··· inst.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - »204.177.92.201/quickdl/p ··· pd9x.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - »us.dl1.yimg.com/download ··· _2_7.cab

d00by

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

R2 to Wildcatboy

said by davidovv thru WCB:
1. Autostart folder

C:\windows\start menu\programs\startup {english}
C:\windows\Menu Démarrer\Programmes\Démarrage {french}
C:\windows\All Users\Menu Iniciar\Programas\Iniciar { Portuguese, Brasilian }
That neglects the fact that there IS an "All Users" Autostart folder on 'English' (and likely other) versions. There are ALWAYS two Autostart folders -- at least as early as Win95:
C:\Windows\Start Menu\Programs\StartUp
C:\Windows\All Users\Start Menu\Programs\StartUp
Of course, we ALL know the second folder exists and works -- because that is where ZoneAlarm starts.

Davidovv also does not include any of the "Policies" registry keys, the ShellServiceObjectDelayLoad key, nor the Windows NT Run, Load, and Userinit keys. Are these important? Don't know.

TonyKlein
Premium Member
join:2001-07-02
Netherlands

Here's what I have collected. Not every startup location is valid for every operating system, of course.

1. Autostart folder

C:\windows\start menu\programs\startup {english}
C:\windows\Menu Démarrer\Programmes\Démarrage {french}
C:\windows\All Users\Menu Iniciar\Programas\Iniciar { Portuguese, Brasilian }

This Autostart Directory is saved in :

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
Setting it to anything other than C:\windows\start menu\programs\startup will lead to execution of ALL and EVERY executable inside the set directory.

Addendum : as of 10/03/2001 Subseven 2.2 now uses this method.

2. Win.ini

[windows]
load=file.exe
run=file.exe

3. System.ini
[boot]
Shell=Explorer.exe file.exe

4. c:\windows\winstart.bat
'Note: behaves like a usual BAT file. Used for copying/deleting specific files. Autostarts every time.

5. Registry

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\000x]
"RunMyApp"="||notepad.exe"
The format is: "DllFileName|FunctionName|CommandLineArguments" -or- "||command parameters"

Microsoft Windows 98
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows Millennium Edition

support.microsoft.com/sup...2/5/09.ASP

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

6. c:\windows\wininit.ini
'Often used by setup programs: when the file exists it is run ONCE and then is deleted by Windows.
Example content of wininit.ini :

[Rename]
NUL=c:\windows\picture.exe

' This example sends c:\windows\picture.exe to NUL, which means that it is being deleted. This requires no interactivity with the user and runs totally stealth.

7. Autoexec.bat
Starts every time at DOS level.

8. Registry Shell Spawning

[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="%1" %*
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="%1" %*
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="%1" %*
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="%1" %*
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="%1" %*

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="%1" %*

The key should have a value of Value , if this is changed to , the server.exe is executed EVERYTIME an exe/pif/com/bat/hta is executed.

Known as Unknown Starting Method and is currently used by Subseven.

9. Icq Inet

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.

10. Explorer start-up

Windows 95,98,ME
Explorer.exe is started through a system.ini entry; the entry itself contains no path information, so if c:\explorer.exe exists it will be started instead of c:\$winpath\explorer.exe.

Windows NT/2000
The Windows Shell is the familiar desktop that's used for interacting with Windows. During system startup, Windows NT 4.0 and Windows 2000 consult the "Shell" registry entry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, to determine the name of the executable that should be loaded as the Shell.
By default, this value specifies Explorer.exe.

The problem has to do with the search order that occurs when system startup is in process. Whenever a registry entry specifies the name of a code module, but does it using a relative path, Windows initiates a search process to find the code. The search order is as follows:

Search the current directory.
If the code isn't found, search the directories specified in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path, in the order in which they are specified.
If the code isn't found, search the directories specified in HKEY_CURRENT_USER\Environment\Path, in the order in which they are specified.
More info : www.microsoft.com/technet...00-052.asp
Patch : www.microsoft.com/technet...?ID=269049
General :
If a trojan installs itself as c:\explorer, no run keys or other start-up entries are needed. If c:\explorer.exe is a corrupted file the user will be locked out of the system. Affects all Windows versions as of today.

10. Active-X Component
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe
Believe it or not, this does start filename.exe BEFORE the shell and any other program normally started via the Run keys.

Misc Information

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @="Scrap object"
"NeverShowExt"=""

The NeverShowExt key has the function of HIDING the real extension of the file (here SHS). This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs including Explorer.
Your registry should be full of NeverShowExt keys, simply delete the key to get the real extension to show up.

11. Win.ini Load= and Run= in NT/XP:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"=""
"load"=""

Programs Automatically Start When User Logs on to Windows

Here's some further information of the use of HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

Common loading points of threats in Windows NT/2000/XP

And from Frank Kiechel's site:

"System : NT, 2K
Key : HKCU \Software \Microsoft \Windows NT \CurrentVersion \Windows
This key contains the 2 REG_SZ entries run and load which also execute programs at startup. Win.ini and System.ini may contain a run/load section too which can be deleted to prevent some programs from being executed : if Windows finds sections in .ini files which are not present in the registry, those sections will automatically be registered. "

12. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="F:\WINDOWS\system32\userinit.exe,"

You can add a path to a program after the comma.

13. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

http://www.avp.ch/avpve/newexe/win32/highway.stm

http://vil.mcafee.com/dispVirus.asp?virus_k=99238

14. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup
String Value some program or file

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
String Value some program or file

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

String Value some program or file

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

15. Windows XP does not use Wininit.ini. Instead it uses this Registry Key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
"PendingFileRenameOperations"

Another Possible Multi-String Value here to look at is: ExcludeFromKnownDlls

The reason is this. The KnownDLLs key lists DLLs which can only be run from the System folder. If the same file is located in a program's folder it will not be run. The version in System32 will be run.
Here's a complete explanation:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q164501

16. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

The layout of the values in that key is somewhat like the one in the Run key, only it points to the InProcServer for the CLSID instead of pointing to a file.
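An audit of a regedit export against points 5, 8, 10, 12 and 13 of the two lists above (Wildcatboy's quoted list and Tony's), as an added example that is not part of the thread. The sample export, the C:\EXAMPLE paths and the baseline handler string "%1" %* (taken from point 8) are constructed; on a real machine the baseline should come from a known-good export of the same Windows version.

```python
"""Audit of a regedit export for startup locations from the lists above
(points 5, 8, 10, 12 and 13). Added example, not from the thread: it reads
regedit's export syntax (backslashes and quotes escaped with a backslash);
the sample export and every C:\\EXAMPLE path are constructed placeholders."""
import re

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(?:"((?:[^"\\]|\\.)*)"|(.*))$')
_SPAWN_RE = re.compile(r"\\classes\\(exefile|comfile|batfile|piffile|htafile)"
                       r"\\shell\\open\\command$")
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
NT_WINDOWS = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
EXPECTED_OPEN = '"%1" %*'   # baseline the lists give for the point 8 handlers

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def _canonical(key):
    # Keys are case-insensitive, and HKCR mirrors HKLM\Software\Classes (as R2
    # notes further down), so each point 8 pair collapses to one key.
    hive, sep, rest = key.lower().partition("\\")
    if hive in ("hkey_classes_root", "hkcr"):
        return r"hkey_local_machine\software\classes" + sep + rest
    return key.lower()

def parse_reg(text):
    """Return {canonical key: {value name: data}}; the default value is stored
    as "(Default)". Non-string data (dword:, hex:) is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(_canonical(m.group(1)), {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            current[name] = _unescape(m.group(2)) if m.group(2) is not None else m.group(3)
    return keys

def hijacked_file_types(keys):
    """Point 8: handlers whose default no longer equals the baseline, so every
    launch of that file type runs something else first. {type: command}"""
    bad = {}
    for key, values in keys.items():
        m = _SPAWN_RE.search(key)
        if m and values.get("(Default)", EXPECTED_OPEN) != EXPECTED_OPEN:
            bad[m.group(1)] = values["(Default)"]
    return bad

def decode_runonceex(data):
    """Point 5: "DllFileName|FunctionName|Args" or "||command parameters"
    becomes a (dll, function, args) tuple."""
    return tuple((data.split("|", 2) + ["", "", ""])[:3])

def runonceex_entries(keys):
    return [(name, decode_runonceex(data)) for key, values in keys.items()
            if "\\currentversion\\runonceex\\" in key for name, data in values.items()]

def winlogon_findings(keys):
    """Points 10, 12, 13: a Shell other than Explorer.exe, anything appended
    after the comma in Userinit, and a non-empty AppInit_DLLs."""
    findings, wl = [], keys.get(WINLOGON, {})
    parts = [p.strip() for p in wl.get("Userinit", "").split(",") if p.strip()]
    if len(parts) > 1:
        findings.append(("Userinit", parts[1:]))
    if wl.get("Shell", "Explorer.exe").lower() != "explorer.exe":
        findings.append(("Shell", [wl["Shell"]]))
    if keys.get(NT_WINDOWS, {}).get("AppInit_DLLs"):
        findings.append(("AppInit_DLLs", [keys[NT_WINDOWS]["AppInit_DLLs"]]))
    return findings

# Constructed export: a replaced .bat handler, two RunOnceEx entries and an
# extra program hung off Userinit; the exefile pair shows the HKCR/HKLM mirror.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="C:\\EXAMPLE\\wrapper.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001]
"RunMyApp"="||notepad.exe"
"Hook"="C:\\EXAMPLE\\hook.dll|Init|/quiet"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\EXAMPLE\\extra.exe"
"Shell"="Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
'''

if __name__ == "__main__":
    keys = parse_reg(SAMPLE_EXPORT)
    print("hijacked handlers:", hijacked_file_types(keys))
    print("RunOnceEx        :", runonceex_entries(keys))
    print("Winlogon         :", winlogon_findings(keys))
```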

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

Now THAT is a complete list -- it has many of the things WCB's list left off.

But... it still seems to neglect the "AllUsers" AutoStart folder used by ZoneAlarm!!:(

Why is that overlooked by so many?? Don't know. It CERTAINLY works.

I forgot about wininit.ini. That is used by WindowsUpdate from time to time to replace new DLLs (for example the recent JScript update used this method).

Replacing files using wininit.ini certainly could be dangerous. This is usually "RunOnce" and then itself is renamed 'wininit.bak' (if I remember correctly).



Silly typo corrected! (winini.ini -> wininit.ini). Thank you, Tony.
[text was edited by author 2003-04-28 14:13:52]

TonyKlein
Premium Member
join:2001-07-02
Netherlands

I only just noticed that the beginning of my list quotes the same source as Davidovv's...

From point 11 it contains additional startup locations.

Yup, The All Users Startup folder seems to have been omitted.

There's nothing particularly mysterious about it, nor is it very well hidden, but it does need to be added.

And it's Wininit.ini (with a 't'), which in turn is a settings file for wininit.exe, which updates files at startup that are normally in use when Windows is running.
It is mostly used when installing programs or patches that need the computer to be restarted to complete the install.
After such a reboot, wininit.ini is indeed renamed to wininit.bak.
TonyKlein

TonyKlein to locke108

said by locke108:
I am surfing from a public system.
I ran hijackthis utility.
It gave me the following results.
What can I remove from the listed entries?

Well, you have some spyware, notably lots of Gator.

Do this:

Download Spybot - Search & Destroy

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

NOTE: SSD will sometimes not be able to remove all active components in the first 'run'.
In that case you will get a dialog asking you to run SSD at next start.
Click yes and reboot.
Subsequently SSD will come up before the system puts these components 'in use', and it will then be able to 'fix' the rest.

Aside from that, you'll want to have HT fix this item:

O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - »204.177.92.201/quickdl/proclaim/NSupd9..[?]

Cheers,
psloss
Premium Member
join:2002-02-24

psloss to TonyKlein

said by TonyKlein:
Here's what I have collected. Not every startup location is valid for every operationg system, of course.
Another approach to a comprehensive Registry key/value list -- on a per OS basis -- would be to use SysInternals' Regmon to log activity during boot-up to the login screen and then a login...and then wade through the output...

It might be useful to log Registry "I/O" during other kinds of O/S activities, such as screen saver activation, the "Secure Attention Sequence," etc.

Philip Sloss

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

R2 to TonyKlein

Thanks for catching my typo. I agree with everything you said.

One other off the cuff note. Both your list and davidovv's list make a point of listing ten (10) different keys in "8. Registry Shell Spawning". But that is not really correct. There are only five keys presented -- the HKCR keys are simply mirrors of the ones below in HKLM. There is no point to listing them twice -- they are all duplicates.

For visual simplicity I would delete the HKLM keys from that list.
R2

R2 to psloss

Question: does RegMon run in a DOS mode (Win9x) and can it actually be started first in the Startup axis?
psloss
Premium Member
join:2002-02-24

This is what I was referring to...

Hope that helps,

Philip Sloss
Tuulilapsi
Kenosis
join:2002-07-29
Finland

Member

What version of RegMon is that, psloss? A commercial one? I don't have such an option in my old free RegMon v. 4.34.

upieper
join:2001-12-23

upieper to jansson_mark

I'm using Startupmanager. Very nice program. The advantage is that you can directly disable/enable the entries:

»www.pc-magazin.de/common ··· 8ce561d6

Max
psloss
Premium Member
join:2002-02-24

psloss to Tuulilapsi

said by Tuulilapsi:
What version of RegMon is that, psloss? A commercial one? I don't have such an option in my old free RegMon v. 4.34.
The screen grab is from the latest free version (I think 6.03) -- I just downloaded it and ran it on this test XP Home installation. (I can't afford to pay for very much software right now with money, anyway.) But the "Log Boot" option has been around for a while. I have v4.34 on another system and it's there -- they've just moved the menu item from the Edit menu in v4.34 to the Options menu in the latest. At least that's the case on my systems.

Philip Sloss
Tuulilapsi
Kenosis
join:2002-07-29
Finland

Apparently it's an NT only thing, so no wonder I didn't see it on my Win ME.
psloss
Premium Member
join:2002-02-24

said by Tuulilapsi:
Apparently it's an NT only thing, so no wonder I didn't see it on my Win ME.
There you go.

(9x, ME, NT4, and XP...and the new Win2K3 Server are "lab" configurations for me)

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

Yep -- doesn't exist on my Win98SE version...

Of note, this registry key as defined above is not correct -- and part of the problem:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
This is where the "All Users" Startup folder is defined in the registry. The key should be:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\All Users\start menu\programs\startup"

Wildcatboy
Invisible
Mod
join:2000-10-30
Toronto, ON

Wildcatboy to jansson_mark


This is great. It appears that up to now Tony's list is the most comprehensive one. I think we should now get the additional suggestions and put everything together in an even more comprehensive list.

Would someone please make a post and include all the items that need to be added to Tony's list (or perhaps the corrections needed) in one place? It's hard to jump from post to post. (Call me lazy.) If I have them in one place, I'll either edit Tony's list or I'll create a new list at the bottom of this thread for future reference and we can also add it to the Security FAQ.

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

1 recommendation

said by Wildcatboy:
I think we should now get the additional suggestions and put everything together in an even more comprehensive list.
I am in the process of doing that as we speak. I am also looking for things that have not been mentioned in this thread...
R2

I am intrigued by this type of information:
Several shell open keys are modified to run the trojan whenever .BAT, .COM, .DOC, .DOT, .EXE, .GIF, .HTM, .HTML, .JPG, .PIF, .RTF, or .TXT files are opened. The list below is a partial list as the keys changed vary with custom extension/file associations.

HKEY_CLASSES_ROOT\batfile\shell\open\command
"(Default)" = %Trojan path% /exec:"%1" %*
HKEY_CLASSES_ROOT\comfile\shell\open\command
"(Default)" = %Trojan path% /exec:"%1" %*
HKEY_CLASSES_ROOT\exefile\shell\open\command
"(Default)" = %Trojan path% /exec:"%1" %*
HKEY_CLASSES_ROOT\giffile\shell\open\command
"(Default)" = %Trojan path% /exec:%interpreter%
HKEY_CLASSES_ROOT\htmlfile\shell\open\command
"(Default)" = %Trojan path% /exec:%interpreter%
HKEY_CLASSES_ROOT\jpegfile\shell\open\command
"(Default)" = %Trojan path% /exec:%interpreter%
HKEY_CLASSES_ROOT\piffile\shell\open\command
"(Default)" = %Trojan path% /exec:"%1" %*
HKEY_CLASSES_ROOT\txtfile\shell\open\command
"(Default)" = %Trojan path% /exec:%interpreter%
HKEY_CLASSES_ROOT\Word.Document.8\shell\open\command
"(Default)" = %Trojan path% /exec:%interpreter%
HKEY_CLASSES_ROOT\WordPad.Document.1\shell\open\command
"(Default)" = %Trojan path% /exec:%interpreter%

Where "%interpreter%" = the program associated with the file type prior to infection.
Why is this limited to JUST these file types?? Could not this be done for ANY file type? Don't know.
[text was edited by author 2003-04-28 17:33:23]

Wildcatboy
Invisible
Mod
join:2000-10-30
Toronto, ON

I don't think it's limited to a particular type of file, those are just the files the author of this particular Trojan chose to use.

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

Well, then that means ANY file type in HKEY_CLASSES_ROOT could be used -- doesn't it?

I have had less time today than I had hoped for... still trying to piece this together.

Gladiator_AV
Premium Member
join:2002-10-20

Gladiator_AV to Wildcatboy

said by Wildcatboy:

I don't think it's limited to a particular type of file, those are just the files the author of this particular Trojan chose to use.

Yes, this is right. You can even create new types yourself and link them to what you want.

For instance, you could also do this for all PNG files.

Michael