Spyware, viruses and other malicious programs are always installed stealthily as auto-start programs, so they run automatically when you start your computer. In most cases, spyware is loaded through the same mechanisms that legitimate programs use to start automatically. It is therefore important to check the start-up locations regularly for entries that spyware may have added. This article describes the Windows program start-up locations and the ways spyware uses them to get loaded.
1. START-UP FOLDER.
This is a very common start-up location. It is found under Start -> Programs -> Start Up. Windows opens every item in this folder during the logon process. There is a subtlety here: Windows "opens" every item listed in the Start Up folder, it does not "run" it. This is an important difference. It means that a program shortcut, or a document associated with a certain program, placed in the Start-up folder will cause that program to run. For example, if you put an HTML file in the Start-Up folder, Windows will start the IE browser to open that HTML document.
In the same way, a spyware shortcut or an associated document listed in this folder will trigger the spyware to run at logon. If you find a shortcut pointing to a strange program, or a file with an unknown file extension, in the Start-up folder, double-check it to make sure it is not spyware, a backdoor or a trojan horse.
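The following PowerShell script is an added example, not part of the original article. It lists every item in the per-user and all-users Startup folders and shows what Windows would actually launch for each one: for a shortcut it resolves the real target and arguments, and for any other file it looks up the handler registered for the file's extension, which is exactly the "opens, not runs" behaviour described above. It uses only built-in Windows facilities (the shell special-folder paths, the WScript.Shell COM object and the HKEY_CLASSES_ROOT hive).

```powershell
# Added example (not from the original article): audit the Startup folders.
function Get-StartupFolderItems {
    $startupFolders = @(
        [Environment]::GetFolderPath('Startup')        # current user
        [Environment]::GetFolderPath('CommonStartup')  # all users
    )
    $shell = New-Object -ComObject WScript.Shell

    foreach ($folder in $startupFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File -Force | ForEach-Object {
            $item = $_
            if ($item.Extension -ieq '.lnk') {
                # A shortcut: report the real program and arguments it launches.
                $lnk = $shell.CreateShortcut($item.FullName)
                [PSCustomObject]@{
                    Folder = $folder
                    Item   = $item.Name
                    Kind   = 'Shortcut'
                    Launch = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
                }
            } else {
                # Any other file: Windows "opens" it with the handler registered
                # for its extension, so resolve extension -> ProgId -> open command.
                $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$($item.Extension)" `
                           -ErrorAction SilentlyContinue).'(default)'
                $cmd = $null
                if ($progId) {
                    $cmd = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                            -ErrorAction SilentlyContinue).'(default)'
                }
                [PSCustomObject]@{
                    Folder = $folder
                    Item   = $item.Name
                    Kind   = "Document ($progId)"
                    Launch = $cmd
                }
            }
        }
    }
}

Get-StartupFolderItems | Format-Table -AutoSize
```

Read the Launch column rather than the Item column: a harmless-looking document in this folder is only as safe as the program registered to open its extension, and an unfamiliar target path or an unexpected argument on a shortcut is what deserves a closer look.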
2. REGISTRY
2.1 Run and RunOnce Key
Windows executes the instructions in the Run and RunOnce keys during the logon process. Each program needs an entry in one of these keys in order to auto start.
1) [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
2) [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
3) [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
4) [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
2.2 RunServices and RunServicesOnce Key
The RunServices and RunServicesOnce keys are designed to start services when the computer boots. Programs listed there can keep running after you log on, but they must finish loading before the HKEY_LOCAL_MACHINE\...\RunOnce key starts loading its programs.
Registry Keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
2.3 Additional Keys
In addition, Windows executes the command stored in each of the following registry keys whenever a file of the corresponding type (an .exe, .com, .bat, .hta or .pif file) is opened.
[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"
"\"%1\" %*" is the default value. If the value is modified to "\"spyware.exe %1\" %*", spyware.exe will be auto started at bootup, and in fact every time a file of that class is launched.
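The following PowerShell script is an added example, not part of the original article. It dumps every value under the Run, RunOnce, RunServices and RunServicesOnce keys listed in sections 2.1 and 2.2, and then reads the open command of each file class from section 2.3 and compares it with the expected default "%1" %*, flagging anything else. Keys that do not exist on a given Windows version are simply skipped (the RunServices keys, for instance, are absent on NT-based systems); the registry paths are the ones the article lists.

```powershell
# Added example (not from the original article): audit the auto-start
# registry keys and the file-class open commands.
function Get-RunKeyEntries {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # absent on this Windows version
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Test-FileClassOpenCommands {
    # Anything other than "%1" %* means a program has been inserted in front
    # of every launch of that file type.
    $expected = '"%1" %*'
    foreach ($class in 'exefile', 'comfile', 'batfile', 'htafile', 'piffile') {
        foreach ($root in 'Registry::HKEY_CLASSES_ROOT', 'HKLM:\Software\Classes') {
            $path = "$root\$class\shell\open\command"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $value = (Get-ItemProperty -LiteralPath $path).'(default)'
            $status = 'default'
            if ($value -ne $expected) { $status = 'MODIFIED - investigate' }
            [PSCustomObject]@{ Path = $path; Value = $value; Status = $status }
        }
    }
}

Get-RunKeyEntries            | Format-Table -AutoSize
Test-FileClassOpenCommands   | Format-Table -AutoSize
```

Run it from an elevated prompt so that the HKLM keys are readable, and compare the Command column of the Run entries against programs you recognise; the Status column of the second table should read "default" for every file class.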
3. Initialization File
Windows executes the instructions in some initialization files during start-up. Spyware, backdoors or worms can add an entry to these INI files to start themselves automatically.
1) WIN.INI file
Location: %SystemDirectory\WIN.INI
Commands: "RUN=" and "LOAD="
2) system.ini
Location: %SystemDirectory\system.ini
Commands: the shell= line in the [boot] section. For example,
[boot]
shell=explorer.exe C:\windows\spyware.exe
makes spyware.exe start when Windows starts.
%SystemDirectory = C:\WINNT (Windows 2000)
%SystemDirectory = C:\WINDOWS (Windows XP)
4. Fake explorer.exe
Normally, explorer.exe is located in %SystemDirectory, and Windows launches Explorer during the logon process. However, if C:\explorer.exe exists, Windows will run C:\explorer.exe instead of the Windows Explorer in %SystemDirectory. Malicious software can therefore copy itself to C:\explorer.exe to get started during the logon process.
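The following PowerShell script is an added example, not part of the original article, covering both section 3 and section 4. It parses win.ini and system.ini with a small INI reader (the Get-IniDirective function is my own helper, not a Windows command), reports any run= or load= entry in win.ini and any shell= line in system.ini that is not plain explorer.exe, and then checks for a stray explorer.exe at the root of the system drive. $env:SystemRoot is used for the article's %SystemDirectory (C:\WINNT or C:\WINDOWS).

```powershell
# Added example (not from the original article): check the INI start-up
# entries and look for a fake explorer.exe at the drive root.
$windir = $env:SystemRoot   # the article's %SystemDirectory

function Get-IniDirective {
    # Helper (constructed for this example): return Name=Value lines from one
    # [Section] of an INI file, for the directive names requested.
    param([string]$Path, [string]$Section, [string[]]$Names)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $current = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $current = $Matches[1]; continue }
        if ($current -ne $Section) { continue }
        foreach ($n in $Names) {
            if ($t -match "^$n\s*=\s*(.*)$") {     # -match is case-insensitive
                [PSCustomObject]@{ File = $Path; Section = $Section; Name = $n; Value = $Matches[1] }
            }
        }
    }
}

# win.ini: run= and load= under [windows]. Any non-empty value is suspicious.
Get-IniDirective -Path "$windir\win.ini" -Section 'windows' -Names 'run', 'load' |
    Where-Object { $_.Value -ne '' }

# system.ini: shell= under [boot] should be exactly explorer.exe; anything
# appended after it (as in "shell=explorer.exe C:\windows\spyware.exe") is flagged.
Get-IniDirective -Path "$windir\system.ini" -Section 'boot' -Names 'shell' |
    Where-Object { $_.Value -ne 'explorer.exe' }

# Fake explorer.exe: the real one lives in $windir, so a copy at the root of
# the system drive is a red flag. Record its size, timestamp and hash for triage.
$rootExplorer = Join-Path $env:SystemDrive 'explorer.exe'
if (Test-Path -LiteralPath $rootExplorer) {
    Get-Item -LiteralPath $rootExplorer | Select-Object FullName, Length, LastWriteTime
    Get-FileHash -LiteralPath $rootExplorer -Algorithm SHA256
}
```

No output from the first two checks means the INI files carry no extra start-up entries; if the last check prints a file, compare its hash and size with the genuine explorer.exe in $windir before deciding what to do with it.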