Paz Itzhaki-Weinberger, 2004

Paz's Basic Startup Manual
Or: Where to check for malicious Startup Programs

1. Check the Startup folder (Start Menu\Programs\StartUp) of the current user and of All Users.

2. Check the "load=" and "run=" lines in the [windows] section of the win.ini file. Note: on Windows NT-based systems these lines may instead live in the registry, under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (values "load" and "run"), so check there if win.ini does not contain them.

3. Check the "Shell=" line in the [boot] section of system.ini. It should read Shell=Explorer.exe and nothing else; anything appended after Explorer.exe is started together with the shell.

4. Check for a winstart.bat file in the Windows directory. Windows 9x runs it before the graphical shell loads.

5. Check the following registry keys (the RunServices keys exist on Windows 9x/ME; the *Once keys are deleted after they run, so also watch for entries that are re-created at every boot):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

6. Check for a wininit.ini file in the Windows directory. Its [rename] section lists files to be deleted (NUL=file) or replaced (destination=source) at the next boot, before the system files are in use, which is how a trojan can overwrite a system DLL.

7. Check for an autoexec.bat file (and a config.sys file) in the root of the C drive.

8. Check the following registry keys to make sure that their (Default) value is "%1" %* (the %1 in quotes, then %*) and not something else like trojan.exe "%1" %* (known as the Unknown Starting Method):
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\htafile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
Two caveats: htafile is the exception, because its legitimate value runs the HTML Application host, e.g. C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*, so there you only verify that the program is the real MSHTA.EXE. Also, HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and, on Windows 2000 and later, HKEY_CURRENT_USER\Software\Classes; a per-user entry overrides the machine-wide one, so check the per-user branch as well.

9. If ICQ is installed, check HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ to see what applications ICQ launches when it detects an Internet connection.

10. Look for *.pif files in the Windows, System, and Windows\Command directories. It is strongly recommended to extract the information from them. Manually: right-click the file in Windows Explorer, choose Properties, click the Program tab, and click the "Advanced" button to see which autoexec and config files the PIF uses. Then check the contents of those autoexec and config files to make sure they do not run any hacker programs.

That covers most of the things I know regarding where to look for startup applications in Windows.
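Steps 2, 3, 6 and 8 above can be checked offline once the files and a regedit export of the shell\open\command keys have been collected from the machine. The script below is an added example and is not part of the original manual; it parses win.ini, system.ini, wininit.ini and a .reg export and reports anything that deviates from the expected values. The sample file contents are constructed for the example (a hidden run= entry, a tampered Shell= line, a pending wininit.ini rename and a hijacked exefile command next to an untouched comfile and a legitimate htafile); the expected handler table, the finding strings and the function names are my own choices, not a documented format.

```python
import re

# Constructed sample artifacts (not taken from a real machine).
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\svchost32.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\helper.exe
[386Enh]
device=*vshare
"""
SAMPLE_WININIT_INI = """[rename]
NUL=C:\\WINDOWS\\TEMP\\setup.tmp
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\TEMP\\k32.new
"""
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\trojan.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
'''

# File types whose open command must be exactly "%1" %*; htafile legitimately
# runs mshta.exe in front of the placeholders, so only the program is checked.
EXPECTED_HANDLER = {"exefile": None, "comfile": None, "batfile": None,
                    "piffile": None, "htafile": "mshta.exe"}
OPEN_COMMAND_RE = re.compile(
    r"HKEY_(?:CLASSES_ROOT|LOCAL_MACHINE\\Software\\Classes|CURRENT_USER\\Software\\Classes)"
    r"\\(\w+)\\shell\\open\\command$", re.I)


def parse_ini(text):
    """Return {section (lower-cased): [(key, value), ...]} keeping line order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def parse_reg_export(text):
    """Return {key path: {value name: data}} from a regedit .reg export (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # regedit escapes backslashes and double quotes inside REG_SZ data
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def check_win_ini(text):
    return [f"win.ini [windows] {k}={v}" for k, v in parse_ini(text).get("windows", [])
            if k.lower() in ("load", "run") and v]


def check_system_ini(text):
    return [f"system.ini [boot] shell={v}" for k, v in parse_ini(text).get("boot", [])
            if k.lower() == "shell" and v.lower() != "explorer.exe"]


def check_wininit_ini(text):
    # Every [rename] entry is executed once at the next boot: NUL=<file> deletes it,
    # <dst>=<src> moves <src> over <dst>, which can replace a system DLL.
    return [f"wininit.ini pending rename: {dst}={src}"
            for dst, src in parse_ini(text).get("rename", [])]


def check_open_commands(reg):
    findings = []
    for path, values in reg.items():
        m = OPEN_COMMAND_RE.match(path)
        if not m or m.group(1).lower() not in EXPECTED_HANDLER:
            continue
        ftype, cmd = m.group(1).lower(), values.get("(Default)", "")
        normalized = cmd.replace('"', "").strip()  # "%1" %*  ->  %1 %*
        handler = EXPECTED_HANDLER[ftype]
        if handler is None:
            ok = normalized == "%1 %*"
        else:
            program = normalized.split(" %1")[0].rsplit("\\", 1)[-1].lower()
            ok = program == handler and normalized.endswith("%1 %*")
        if not ok:
            findings.append(f"{ftype}: open command is '{cmd}'")
    return findings


def run_checks(win_ini=SAMPLE_WIN_INI, system_ini=SAMPLE_SYSTEM_INI,
               wininit_ini=SAMPLE_WININIT_INI, reg_export=SAMPLE_REG):
    """Run all offline checks and return the list of suspicious findings."""
    return (check_win_ini(win_ini) + check_system_ini(system_ini)
            + check_wininit_ini(wininit_ini)
            + check_open_commands(parse_reg_export(reg_export)))


if __name__ == "__main__":
    for finding in run_checks():
        print("SUSPECT:", finding)
```

On a real machine, replace the sample strings with the contents of the collected files and of `regedit /e` exports of the keys listed in step 8 (including the HKEY_CURRENT_USER\Software\Classes branch); an empty result means only that these four locations are clean, not that the remaining steps can be skipped.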