Q: Connect asep suth ans

Updated: 8/18/2019

Wiki User, 13y ago

Best Answer

COMMON LOCATIONS AND AUTO START ENTRY POINTS (ASEP) OF VIRUSES

System Registry Run Keys

• System Registry Run Keys - Certain registry keys may contain values used to load applications (including malware) when Windows is started. The values to examine are located in subkeys Run, RunOnce, RunServices, and RunServicesOnce, located in either of the following registry keys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\

Startup Folder

• The Windows Startup folder can include shortcuts, documents, executables, or other types of files and programs to be launched when Windows is started. The currently logged-on user can view Startup folder inclusions through the Start menu:

• Start | Programs | Startup

• The common startup folder, applicable to all users, correlates to:

%ALLUSERSPROFILE%\Start Menu\Programs\Startup

Winlogon

• Winlogon is responsible for supporting the DLL responsible for managing the interactive logon when Windows starts. Pre-Vista, that DLL provides a customizable user interface and authentication process.

• Malware that hooks into Winlogon can be particularly difficult to remove, as even booting into Safe Mode will not deactivate it. The string values that customize the Winlogon process are located in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

ASEP Loading Sequence

The order in which Windows processes the autostart entry points is as follows:

• RunServices / RunServicesOnce - HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER RunServices/RunServicesOnce will be launched concurrently. In the event of a conflict, precedence is given to HKEY_LOCAL_MACHINE. These ASEPs may continue loading during and after the login dialog.

• Login Dialog (Winlogon)

• RunOnce / Run for HKEY_LOCAL_MACHINE hive

• Run key in HKEY_CURRENT_USER hive

• Startup Folder

• RunOnce in HKEY_CURRENT_USER hive

Some advanced loading points recently identified with rootkit-enabled malware

• C:\Documents and Settings\

• C:\Documents and Settings\\Application Data\

• C:\Documents and Settings\

• C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5

• C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5

• C:\Windows\Temp

• C:\WINDOWS\system32\config\systemprofile

Startup and Winlogon

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

• HKEY_CLASSES_ROOT\comfile\shell\open\command

• HKEY_CLASSES_ROOT\piffile\shell\open\command

• HKEY_CLASSES_ROOT\exefile\shell\open\command

• HKEY_CLASSES_ROOT\txtfile\shell\open\command

Services

HKLM\SYSTEM\CurrentControlSet\Services\

• Active Setup Stub Keys (These are disabled if there is a twin in HKCU)

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

• ICQ Agent Autostart

HKCU\Software\Mirabilis\ICQ\Agent\Apps

• If you suspect that a system is infected, then examine each of these keys. Determine whether Value Name or Value Data, including the (Default) value, refers to a suspicious file.

Internet Explorer (To check for IE threats)

• HKLM\Software\Microsoft\Internet Explorer\Main: Start Page

• HKCU\Software\Microsoft\Internet Explorer\Main: Start Page

• HKLM\Software\Microsoft\Internet Explorer\Main: Default_Page_URL

• HKCU\Software\Microsoft\Internet Explorer\Main: Default_Page_URL

• HKLM\Software\Microsoft\Internet Explorer\Main: Search Page

• HKCU\Software\Microsoft\Internet Explorer\Main: Search Page

• HKCU\Software\Microsoft\Internet Explorer\SearchURL: (Default)

• HKCU\Software\Microsoft\Internet Explorer\Main: Window Title

• HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyOverride

• HKCU\Software\Microsoft\Internet Connection Wizard: ShellNext

• HKCU\Software\Microsoft\Internet Explorer\Main: Search Bar

• HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks

• HKLM\Software\Microsoft\Internet Explorer\Search: CustomizeSearch

• HKCU\Software\Microsoft\Internet Explorer\Search: CustomizeSearch

Identify Rootkit Infections

  1. MSconfig -> Boot.ini tab -> Check /BOOTLOG
  2. Restart the computer.
  3. Go to c:\windows and open the file c:\windows\ntbtlog.txt

Check for any suspicious entries.

Program Removal

• Click on Start -> Control Panel -> Add/Remove Programs icon.

• Discuss with the customer any new program that has been installed. If the customer does not know about a particular program, follow the steps below:

o Click on Start -> My Computer -> Local drive C: -> Program Files.

o Right-click on the particular program folder, click on Properties and check Date Created. Repeat the same for all new programs and close the program window.

Physical Location

• C:\Program Files

• C:\Program Files\Common Files

• C:\Documents and Settings\User\Application Data

Registry

HKEY_LOCAL_MACHINE\Software

HKEY_CURRENT_USER\Software

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall

File Removal GUI Mode

Delete - Right click -> Delete or Highlight the file and hit the Delete button on the keyboard

Rename - Right click -> Rename or Highlight the file -> Press F2 -> Type a new name -> Hit Enter

Move - Right click -> Cut -> Right click and Paste it in the desired location

Removing Permissions - Right click on file ->Go to properties ->Click on Security Tab ->Click Advanced -> Uncheck the box "Inherit from parent control…." -> Click Remove ->Click OK

Wiki User, 13y ago
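Added example (not part of the original answer): a read-only PowerShell audit of the registry and folder ASEPs the answer lists above (Run/RunOnce/RunServices and policy keys, RunOnceEx, SharedTaskScheduler, the ICQ Agent key, Active Setup stubs, Winlogon and AppInit_DLLs, the exefile/comfile/piffile/txtfile handlers, the Services key, the Startup folders and the Internet Explorer start/search values). It assumes an elevated PowerShell on the machine being examined. The "suspicious path" pattern (built from the advanced loading points listed above), the stock Winlogon and file-handler defaults it compares against, and the output layout are this example's own choices, not anything stated in the answer.

```powershell
# Added example, not part of the original answer: read-only audit of the ASEPs
# listed above. Run in an elevated PowerShell so HKLM and the Services key are
# readable. It only reports; a human still decides whether each file is legitimate.
$ErrorActionPreference = 'SilentlyContinue'

# Assumption: an autostart whose target lives in one of these locations
# (taken from the "advanced loading points" list above) deserves a closer look.
$SuspiciousPath = 'Documents and Settings|Application Data|Temporary Internet Files|Content\.IE5|\\Temp\\|systemprofile'

function Get-RegValues {
  # One line per value in $Path, or in each immediate subkey when -Children is given.
  param([string]$Path, [switch]$Children)
  if (-not (Test-Path -LiteralPath $Path)) { return }
  $keys = if ($Children) { Get-ChildItem -LiteralPath $Path } else { Get-Item -LiteralPath $Path }
  foreach ($k in $keys) {
    foreach ($n in $k.GetValueNames()) {
      $data = [string]$k.GetValue($n)
      $flag = if ($data -match $SuspiciousPath) { 'SUSPICIOUS-PATH' } else { 'ok' }
      "{0,-15} {1}\{2} = {3}" -f $flag, $k.Name, ($(if ($n) { $n } else { '(Default)' })), $data
    }
  }
}

'=== Run / RunOnce / RunServices / policy keys ==='
$runKeys = foreach ($sub in 'Run','RunOnce','RunServices','RunServicesOnce','Policies\Explorer\Run') {
  "HKCU:\Software\Microsoft\Windows\CurrentVersion\$sub"
  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
}
$runKeys += @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
              'HKCU:\Software\Mirabilis\ICQ\Agent\Apps')
foreach ($k in $runKeys) { Get-RegValues $k }
# RunOnceEx keeps its entries in numbered subkeys, so read one level down.
Get-RegValues 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx' -Children

'=== Active Setup stubs (StubPath runs once per user at logon) ==='
Get-RegValues 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' -Children |
  Where-Object { $_ -match '\\StubPath = ' }

'=== Winlogon and AppInit_DLLs (compared with the stock defaults) ==='
$wl = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$defaults = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }
foreach ($name in $defaults.Keys) {
  $actual = [string]$wl.GetValue($name)
  "{0,-15} Winlogon\{1} = {2}" -f ($(if ($actual -eq $defaults[$name]) { 'ok' } else { 'MODIFIED' })), $name, $actual
}
$appInit = [string](Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows').GetValue('AppInit_DLLs')
"{0,-15} AppInit_DLLs = {1}" -f ($(if ($appInit) { 'NON-EMPTY' } else { 'ok' })), $appInit

'=== Shell open commands (exe/com/pif should be "%1" %*) ==='
foreach ($type in 'exefile','comfile','piffile','txtfile') {
  $cmd = [string](Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command").GetValue('')
  $state = if ($type -eq 'txtfile') { 'review' } elseif ($cmd -eq '"%1" %*') { 'ok' } else { 'MODIFIED' }
  "{0,-15} {1} = {2}" -f $state, $type, $cmd
}

'=== Boot/system/auto-start services whose image lives in a suspicious path ==='
foreach ($svc in Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services') {
  $img = [string]$svc.GetValue('ImagePath'); $start = $svc.GetValue('Start')
  if ($img -and $null -ne $start -and $start -le 2 -and $img -match $SuspiciousPath) {
    "{0,-15} Services\{1} ImagePath = {2}" -f 'SUSPICIOUS-PATH', $svc.PSChildName, $img
  }
}

'=== Startup folders (review every file, newest first) ==='
$folders = @{
  'User Startup'   = (Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').GetValue('Startup')
  'Common Startup' = (Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').GetValue('Common Startup')
}
foreach ($label in $folders.Keys) {
  Get-ChildItem -LiteralPath $folders[$label] -Force | Where-Object { -not $_.PSIsContainer } |
    Sort-Object CreationTime -Descending |
    ForEach-Object { "{0,-15} {1}: {2}  (created {3})" -f 'review', $label, $_.FullName, $_.CreationTime }
}

'=== Internet Explorer start and search settings (inspect the URLs by hand) ==='
$ieKeys = 'HKLM:\Software\Microsoft\Internet Explorer\Main', 'HKCU:\Software\Microsoft\Internet Explorer\Main',
          'HKLM:\Software\Microsoft\Internet Explorer\Search', 'HKCU:\Software\Microsoft\Internet Explorer\Search',
          'HKCU:\Software\Microsoft\Internet Explorer\SearchURL', 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
foreach ($k in $ieKeys) {
  Get-RegValues $k | Where-Object { $_ -match 'Start Page|Default_Page_URL|Search Page|Search Bar|Window Title|CustomizeSearch|SearchURL|URLSearchHooks' }
}
"{0,-15} ProxyOverride = {1}" -f 'review', (Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings').GetValue('ProxyOverride')
```

The script deliberately changes nothing: every line it prints is a registry value or file that the answer says to examine, prefixed with `ok`, `review`, `MODIFIED`, `NON-EMPTY` or `SUSPICIOUS-PATH` so the entries worth opening first stand out. The Winlogon and file-handler comparisons are against the stock values (`explorer.exe`, `<SystemRoot>\system32\userinit.exe,` and `"%1" %*`); a `MODIFIED` result is a prompt to look, not proof of infection, since some legitimate tools also change these values.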
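Added example (not part of the original answer) for the "Identify Rootkit Infections" steps above: after booting with /BOOTLOG, this PowerShell function parses the `Loaded driver` and `Did not load driver` lines in `ntbtlog.txt` and singles out drivers loaded from anywhere other than the Windows system directory. The function name, the notion of a "trusted" driver location and the embedded sample log are this example's own constructions, not from the answer.

```powershell
# Added example, not part of the original answer: classify the driver entries
# in %SystemRoot%\ntbtlog.txt (produced by booting with /BOOTLOG).
function Get-BootLogFindings {
  param([string[]]$Lines)
  foreach ($line in $Lines) {
    if ($line -match '^(Loaded driver|Did not load driver)\s+(.+?)\s*$') {
      $status = $Matches[1]
      $path   = $Matches[2]
      # Assumption: a bare file name (loaded from system32\drivers) or a path under
      # \SystemRoot\system32 or \Windows\system32 is the expected place for a driver;
      # anything else (for example a \??\C:\... path into a user profile) is unusual.
      $trusted = ($path -notmatch '\\') -or
                 ($path -match '^\\(SystemRoot|Windows)\\system32\\(drivers\\)?[^\\]+$')
      $finding = if ($status -ne 'Loaded driver') { 'not-loaded' }
                 elseif ($trusted) { 'ok' }
                 else { 'UNUSUAL-LOCATION' }
      [pscustomobject]@{ Finding = $finding; Status = $status; Path = $path }
    }
  }
}

# Constructed sample in the ntbtlog.txt format, so the function can be tried offline.
# On a real machine use: Get-Content "$env:SystemRoot\ntbtlog.txt"
$SampleBootLog = @'
Service Pack 3 12  8 2010 10:15:32.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver ACPI.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \??\C:\Documents and Settings\Administrator\Local Settings\Temp\example-unknown.sys
'@ -split "`r?`n"

# Show only the entries that need attention; drop the Where-Object to see everything.
Get-BootLogFindings -Lines $SampleBootLog |
  Where-Object { $_.Finding -ne 'ok' } |
  Format-Table -AutoSize
```

On the sample, the only `UNUSUAL-LOCATION` line is the driver under `Local Settings\Temp`, which is exactly the kind of path the advanced loading points above describe; `rdbss.sys` shows up as `not-loaded`, which is normal noise in a boot log. Security products legitimately load drivers from under Program Files, so an unusual location is a reason to check the file's publisher and creation date, not a verdict on its own. On Vista and later, boot.ini and the /BOOTLOG switch no longer exist; the equivalent is `bcdedit /set {current} bootlog yes`, after which the same `ntbtlog.txt` is written.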