You suspect that you have a virus, worm or Trojan horse program loading every time Windows starts, but you cannot determine from where it is loading. You would like some tips for tracking down the loading point of the virus, worm, or Trojan horse.
Many viruses, worms, and Trojans load at startup and a few actually write back to these startup points during shut down, such as BUDDYLIST.EXE. The following items are the most common loading points for viruses, worms, and Trojans.
System files You can open system files using the System Editor. To start the System Editor, click Start, and then click Run. Type
sysedit then click OK.
Autoexec.bat Programs can load from anywhere in this file. Be especially suspicious of files that name themselves similar to legitimate DOS or Windows file names. For example, Command.bat and Explore.exe. The Autoexec.bat file is not commonly used to load viruses, worms, and Trojans.
Programs loading from the WIN.INI file will generally be loaded from the LOAD= or RUN= lines in the [WINDOWS] section. Beware of files that load from here but are off at the end of the line. The line may be very long and can scroll off the right edge of the screen. Be on the lookout for scroll bars at the bottom of the window. This indicates that there is something off the edge of the field of view. Scroll to the right and make sure there is nothing there.
On the shell= line in the [boot] section of the System.ini file there can be up to two entries. Therefore, it is possible to throw a second executable file on this line and have it load up with the shell. Other things to look for here are a scroll bar on the bottom (implying that there is more text off to the right that you are not able to see) and a second executable name, such as Trojan.exe.
Winstart.bat Programs can be loaded at any location in this file. On startup, the system will look through the entire path for the Winstart.bat file. If it exists, it will be run just like any other batch file.
Note: This file does not exist on all systems and very often there will not be one.
StartUp folder This folder resides under the "\Windows\Start Menu\Programs" folder. To access this folder, right-click the Start button, click Open, and then double-click the Programs folder. Here you will find the StartUp folder. Anything in this folder automatically runs when Windows starts after user logon.
We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please request the document titled
How to Back Up the Windows 95/98/NT Registry before proceeding.
There are several places that files can load from the registry. Some of the most common ones are listed here:
These keys are all used by legitimate applications, but they may also hold values designed to load viruses, worms, and Trojan horse programs. Be sure that you do not delete any legitimate keys and always make a backup so that you can restore them afterwards, if necessary.
Browser Helper Object (BHO) Looking for suspicious entries that may have been added as a BHO is much more complex than looking at the values of the keys shown above, as most BHOs are legitimate. Also, this requires you to look at two different areas in the registry.
Directly under that key, in the left pane, look for any CLSID subkeys.
They will look similar to this example:
Write down each of the strings that you find (or copy and paste it into Notepad.)
Browse to and expand the subkey:
is what you wrote down in step 3.
Under the expanded subkey, select the InProcServer32 key.
In the right pane, in the Name and Data columns--including the (Default) value--look for any file name that look suspicious.
Search either the hard drive or the Web—or both—to either confirm or deny these suspicions. Only if you can confirm that the file name is linked to a malevolent file should you delete the value.
Other things to check
The following types of files all have their place within the Windows environment and they should not be seen as completely suspect. Many files of the named types can be helpful to the user, but they can also be used for malicious ends. It is not recommended that these types of files be deleted unless you know exactly what they are being used for.
Wininit.ini This file is run by the Wininit.exe file during the Windows boot process and can rename files before they are loaded by Windows (including useful .dll and .exe files which can then be replaced with bad versions of the same).
.shs files These files are Windows "scrap" files and are actually OLE files that can hold anything, including executable code, although most people do not know about them.
.bat files These are batch (script) files and can even be called from other batch files. These can easily be altered to fit many malicious purposes.