Besides HK_Local ... Run, what other vectors do viruses use to launch from?


GaryH

A virus originates from a file that gets executed sometime during your session on the PC. I know to look in the Run section of the registry to see if it is being launched from there, but if it's not there, where else might I look? Might it still be in the registry but hidden the same way you can turn on the hidden attribute of a file?
 
GaryH said:
A virus originates from a file that gets executed sometime during your session on the PC. I know to look in the Run section of the registry to see if it is being launched from there, but if it's not there, where else might I look? Might it still be in the registry but hidden the same way you can turn on the hidden attribute of a file?

GaryH:

Get a copy of StartupList from:

http://www.spywareinfo.com/~merijn/downloads.html

and run it in verbose mode. It will give you a very good idea of the various places, in and out of the Registry, that files are launched from. Note that this product is also included with HijackThis.

Steve
 
GaryH said:
A virus originates from a file that gets executed sometime during your session on the PC. I know to look in the Run section of the registry to see if it is being launched from there, but if it's not there, where else might I look?

If you are trying to find all possible places that malware can use to ensure it runs again when the computer is rebooted, then maybe this will help.

http://www.governmentsecurity.org/articles/Placesthatvirusesandtrojanshideonstartup.php
Might it still be in the registry but hidden the same way you can turn on the hidden attribute of a file?

The registry editor that you use may be compromised, or a rootkit could intercept requested information before it gets to the editor. Some recent malware has opted to modify "Media Player" so that whenever the user tries to play a media file the malware is started again. If you eliminate all of the startup axis points of interest, and you remove all of the malware executables that were obvious to you, you could assume you were malware free until you play any media file and the trojanized "player" reinstalls the malware again.

Are you experiencing a specific problem, or just trying to learn more about security?
 
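As an added example (not code from the thread, and not StartupList or HijackThis), here is a PowerShell script that walks the auto-start locations Steve and Roger Wilco are pointing at: the Run/RunOnce and policy Run keys under both hives, the Winlogon Shell/Userinit values, AppInit_DLLs, the Startup folders (including hidden files), enabled scheduled tasks and auto-start services. For each launch command it extracts the executable, checks that the file exists, checks its Authenticode signature, and flags paths under Temp or ProgramData. The "expected default" values for Shell and Userinit are assumptions for a stock install; adjust them for your own image.

```powershell
# Added example: inventory common Windows auto-start entry points (ASEPs) and
# flag entries worth a closer look. Run from an elevated prompt so HKLM and the
# all-users Startup folder are readable.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Single values whose content is one well-known program on a clean system.
# The Expect strings are an assumption for a stock install; adjust for your image.
$singleValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';        Expect = 'explorer.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit';     Expect = "$env:SystemRoot\system32\userinit.exe," },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'AppInit_DLLs'; Expect = '' }
)

function Get-ExePath([string]$Command) {
    # Pull the executable out of a command line: a quoted path, else the first token.
    # An unquoted path containing spaces will be cut at the first space and then
    # show up as 'missing-file', which is itself worth a look.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-Entry([string]$Source, [string]$Name, [string]$Command) {
    $exe   = [Environment]::ExpandEnvironmentVariables((Get-ExePath $Command))
    $flags = @()
    if (-not (Test-Path -LiteralPath $exe)) {
        $flags += 'missing-file'
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
        if ($exe -match '\\(Temp|ProgramData)\\') { $flags += 'temp-or-data-dir' }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; Flags = ($flags -join ',') }
}

$results = @()

# Registry Run-style keys: every value is a command line.
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PowerShell's own metadata properties
        $results += Test-Entry $k $p.Name ([string]$p.Value)
    }
}

# Single values compared against the assumed default.
foreach ($v in $singleValues) {
    $actual = (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
    if ($null -ne $actual -and $actual -ne $v.Expect) {
        $results += [pscustomobject]@{ Source = $v.Key; Name = $v.Name; Command = $actual; Flags = "differs-from-default('$($v.Expect)')" }
    }
}

# Startup folders: -Force lists files that carry the hidden attribute.
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($d in $startupDirs) {
    Get-ChildItem -LiteralPath $d -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $results += Test-Entry $d $_.Name $_.FullName
    }
}

# Scheduled tasks with an exec action, and services set to start automatically.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute) { $results += Test-Entry "Task:$($_.TaskPath)" $_.TaskName ("$($a.Execute) $($a.Arguments)") }
    }
}
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } | ForEach-Object {
    $results += Test-Entry 'Service' $_.Name $_.PathName
}

# Flagged entries first, then the rest for a complete inventory.
$results | Sort-Object { $_.Flags -eq '' }, Source | Format-Table -AutoSize
```

A flag is a prompt to look, not a verdict: plenty of legitimate software is unsigned or lives under ProgramData. And because, as Roger Wilco notes, a rootkit on the live system can filter what the registry and file system report, an inventory taken from the running machine should be compared with one taken from a clean boot or from the hives and disk mounted offline before concluding that nothing is hiding.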
No specific problem on my machine, but friends and co-workers often ask me to help them out. Just thought I'd bone up on my anti-virus troubleshooting skills. Thanks for your suggestions.
