All Known Common Autostart Methods
==================================
Courtesy of bernie

1. Autostart folder

   Everything in here is started when the user logs on:

   (95/98/ME)     C:\windows\start menu\programs\startup
   (2000/XP/2003) C:\Documents and Settings\[USER]\start menu\programs\startup
                  C:\Documents and Settings\All Users\start menu\programs\startup

   The location of the per-user autostart directory is stored in the registry under
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders:

     Startup="C:\windows\start menu\programs\startup"                        (95/98)
   or:
     Startup="C:\Documents and Settings\[user]\start menu\programs\startup"  (2000/XP)

   (The All Users folder is the "Common Startup" value of the same key under
   HKEY_LOCAL_MACHINE.) Because this is only a registry value, any program can
   repoint it to a directory of its own choosing, so check the value as well as
   the folder it names.

2. Win.ini (still there for 16-bit compatibility)

     [windows]
     load=file.exe
     run=file.exe

   Anything named on either line is started at logon; the lines are empty on a
   clean system.

3. System.ini (also there for 16-bit compatibility)

     [boot]
     Shell=Explorer.exe file.exe

   file.exe is started next to the desktop shell, and if Explorer.exe is removed
   from the line it replaces the desktop entirely (your desktop can be hijacked).
   On NT-based Windows the same role is played by the Shell value under
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

4. c:\windows\winstart.bat (95/98)

   Behaves like an ordinary .BAT file and is typically used for copying and
   deleting files. It runs every time Windows starts.

5. Registry

     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
     [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

   Every value under these keys names a program to start. The RunOnce* entries
   are deleted after they have run once. The RunServices and RunServicesOnce
   keys are only honoured by 95/98/ME, where they run before logon; 2000/XP
   ignore them. The HKEY_CURRENT_USER keys can be written without administrator
   rights.

6. c:\windows\wininit.ini (95/98/ME)

   Often used by setup programs to replace files that are in use. When the file
   exists it is processed ONCE at the next boot, before the GUI is up, and is
   then deleted by Windows. Each line under [Rename] is destination=source;
   a destination of NUL deletes the source.

   Example (content of wininit.ini):

     [Rename]
     NUL=c:\windows\picture.exe

   This sends c:\windows\picture.exe to NUL, i.e. deletes it. No user
   interaction is needed and nothing is shown on screen.

7. Autoexec.bat (not executed by 2000/XP)

   Runs every time at DOS level, before Windows 9x starts.

8. Registry Shell Spawning

     [HKEY_CLASSES_ROOT\exefile\shell\open\command]
     @="\"%1\" %*"
     [HKEY_CLASSES_ROOT\comfile\shell\open\command]
     @="\"%1\" %*"
     [HKEY_CLASSES_ROOT\batfile\shell\open\command]
     @="\"%1\" %*"
     [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command]
     @="\"%1\" %*"
     [HKEY_CLASSES_ROOT\piffile\shell\open\command]
     @="\"%1\" %*"
     [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
     @="\"%1\" %*"
     [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
     @="\"%1\" %*"
     [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
     @="\"%1\" %*"
     [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command]
     @="\"%1\" %*"
     [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
     @="\"%1\" %*"

   The default value of each of these keys should be "%1" %* (the htafile key
   is the one exception: its stock command runs mshta.exe "%1" %*, because an
   .hta file is not directly executable). If the value is changed to
   server.exe "%1" %*, server.exe is executed EVERY TIME an exe/pif/com/bat/hta
   file is launched, and it receives the original file name as its argument so
   it can start the real program and nothing visibly breaks. Known as the
   Unknown Starting Method. Note that on 2000/XP HKEY_CLASSES_ROOT is a merged
   view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes,
   so the per-user copy can be hijacked without administrator rights and the
   HKEY_LOCAL_MACHINE copy will still look clean.

9. Miscellaneous

     [HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
     @="Scrap object"
     "NeverShowExt"=""

   The NeverShowExt value makes the shell HIDE the real extension of every file
   of that class (here .SHS, a scrap object that can carry and run executable
   content). If you rename a file to "Girl.jpg.shs", Explorer and the common
   file dialogs display it as "Girl.jpg"; only a dir at the command prompt
   shows the full name. PIF files (class piffile) carry the same value and can
   be disguised the same way, and can cause REAL damage. Several class keys in
   a default registry carry NeverShowExt; delete the value from a class to make
   that extension show up again.

10. AutoExNT

   This only works on 2000 and above, and only when the AutoExNT service from
   the resource kit has been installed and enabled. It is unlikely that your
   system has this service without your knowing about it. If it does, the
   contents of %systemroot%\system32\autoexnt.bat are executed at every boot,
   before any user has logged on. The service is not installed on any Windows
   by default, so it is an unlikely backdoor, but it is a cheap check.

_____________________________________________________________________________________________
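The checks for items 2, 3 and 6, as an added example that is not part of bernie's text: a small Python script that parses win.ini, system.ini and wininit.ini content and reports anything that would be started at logon or renamed at boot. The three file contents are constructed for the demonstration; on a real 95/98/ME machine you would read the files from the Windows directory instead.

```python
"""Flag Windows 9x-style INI autostart entries.

Added example (not bernie's text). The three file contents below are
constructed for the demonstration; on a 95/98/ME machine you would read
win.ini, system.ini and wininit.ini from the Windows directory instead.
"""


def parse_ini(text):
    """Minimal INI parser: {section_lower: [(key_lower, value), ...]}.
    Keeps duplicates and order, because a second run= line still counts."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_win_ini(text):
    """Item 2: a non-empty load= or run= under [windows] is started at logon."""
    return [f"win.ini [windows] {k}={v}"
            for k, v in parse_ini(text).get("windows", [])
            if k in ("load", "run") and v]


def check_system_ini(text):
    """Item 3: shell= must be exactly Explorer.exe; anything else is started
    as (or next to) the desktop shell."""
    return [f"system.ini [boot] shell={v}"
            for k, v in parse_ini(text).get("boot", [])
            if k == "shell" and v.lower() != "explorer.exe"]


def check_wininit_ini(text):
    """Item 6: every [Rename] line (dest=source) is applied once at boot;
    a destination of NUL deletes the source file."""
    findings = []
    for dest, src in parse_ini(text).get("rename", []):
        if dest == "nul":
            findings.append(f"wininit.ini deletes {src}")
        else:
            findings.append(f"wininit.ini replaces {dest} with {src}")
    return findings


# Constructed sample contents (not captured from a real system).
WIN_INI = """[windows]
load=
run=c:\\windows\\server.exe
[Desktop]
Wallpaper=(None)
"""

SYSTEM_INI = """[boot]
shell=Explorer.exe file.exe
[386Enh]
device=*vshare
"""

WININIT_INI = """[Rename]
NUL=c:\\windows\\picture.exe
c:\\windows\\system\\new.dll=c:\\windows\\temp\\update.tmp
"""


def scan_all(win_ini=WIN_INI, system_ini=SYSTEM_INI, wininit_ini=WININIT_INI):
    """Run all three checks and return the combined list of findings."""
    return (check_win_ini(win_ini)
            + check_system_ini(system_ini)
            + check_wininit_ini(wininit_ini))


if __name__ == "__main__":
    for finding in scan_all():
        print(finding)
```

The empty load= line is deliberately not reported: only a non-empty value starts anything. A shell= line is reported whenever it is not exactly Explorer.exe, which also catches the case where Explorer.exe was removed rather than appended to.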
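A companion check for items 5, 8 and 9, again added here rather than taken from the original: it reads a regedit export (regedit /e), lists every Run* entry, verifies that each shell\open\command still begins with "%1" (or runs mshta.exe for htafile), and reports every class that carries NeverShowExt. The export text is constructed; the Updater value and the exefile command are the planted bad cases. Only string values are decoded, which is all these keys hold.

```python
"""Audit a regedit export (.reg) for the registry autostart tricks in
items 5, 8 and 9.

Added example (not bernie's text). SAMPLE_REG is constructed: the Updater
value and the exefile command are the planted bad cases. Only string
values are decoded; dword:/hex: values are kept as written.
"""
import re

# Keys whose every value is started at logon (RunServices*: 9x/ME only).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$", re.I)

# File-class command keys. HKCR is a merged view of the two Classes hives
# on 2000/XP, so a per-user hijack is reachable without admin rights.
COMMAND_RE = re.compile(
    r"^(?:HKEY_CLASSES_ROOT|HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\Software\\Classes)"
    r"\\(\w+)\\shell\\open\\command$", re.I)


def unquote(token):
    """Strip the quotes of a .reg string and undo its \\ and \" escapes."""
    token = token.strip()
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token  # dword:..., hex:... are returned as written


def parse_reg(text):
    """Return {key_path: {value_name: value}}; the default value is named ''."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            name = "" if name == "@" else unquote(name)
            keys[current][name] = unquote(value)
    return keys


def command_is_default(cls, cmd):
    """Item 8: the stock command is "%1" %*; htafile runs it through mshta.exe."""
    if cls.lower() == "htafile":
        head, sep, tail = cmd.partition('"%1"')
        return (sep != "" and tail.strip() == "%*"
                and head.strip().strip('"').lower().endswith("mshta.exe"))
    return cmd == '"%1" %*'


def audit(keys):
    """Return human-readable findings for a parsed export."""
    findings = []
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1]
        if RUN_KEY_RE.search(key):
            for name, value in values.items():
                findings.append(f"run entry {key}\\{name} -> {value}")
        match = COMMAND_RE.match(key)
        if match and not command_is_default(match.group(1), values.get("", "")):
            findings.append(f"hijacked {match.group(1).lower()} command: {values.get('', '')}")
        if any(name.lower() == "nevershowext" for name in values):
            findings.append(f"NeverShowExt set on {leaf}: its extension is hidden in Explorer")
    return findings


# Constructed export (not captured from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="C:\\WINDOWS\\server.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="server.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""
'''

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run entries are listed rather than judged, since the legitimate ones differ from machine to machine; the command and NeverShowExt checks are the ones with a fixed expected state. Because the Classes keys are matched under all three hives, a hijack planted only in HKEY_CURRENT_USER\Software\Classes is caught as well.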