This thread has become confused because we failed to separate these two lists:
[1] places where trojans can hide; this would be the list at http://www.governmentsecurity.org/articles/Placesthatvirusesandtrojanshideonstartup.php (one line above) plus all the XP items which are missing from that list, some mentioned by this writer, others mentioned by Sean. Note that the article linked to is not meant to be only about genuine startups; it is on a web site about security and trojans. That list should be as complete as possible.

[2] places used by genuine non-trojan programs for their startup links. That is a much smaller list.

As an example of this confusion, people suggested various startup utilities, such as:

- Mike Lin's Startup Control Panel: http://www.mlin.net/StartupCPL.shtml
- Starter from CodeStuff: http://members.lycos.co.uk/codestuff/ ("You do need to set a mode in the software so that some of the extra items are displayed. These are hidden by default for safety.")
- Autoruns from SysInternals: http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

and then someone complained:

> Still doesn't include autoexec.bat, win.ini, winbatch.bat,
> doesn't show .exe/bat/com associations and a couple other areas.
> Will have to keep hunting!

but .exe/bat/com associations are irrelevant if you only want to sort out your genuine startups - they never use those file associations, which are only a possible exploit for trojans. If you are looking for a startup utility which helps you juggle real startups between the registry and the \Startup\ folder, etc., you don't want it to show all the obscure places in list 1. They would only confuse the picture. It should only be expected to show the normal startup places in list 2.

-----------------------------------------------------------

> Are there any stand-alone exe's out there that view all these different
> locations?
> Currently I use Mike Lin's Startup control panel
> http://www.mlin.net/StartupCPL.shtml but it only does the startup folders,
> and HKLM and HKCU locations which usually get most stuff...but not effective
> for virii using other locations for startup. Those ones require manual
> lookup at all the locations I can think of at the time...not quite as
> effective ;)

None of the programs for controlling startups claims to show all the places that virii [or is the plural "viruses"?] can hide. That's not their aim - it would make the utility unwieldy and confusing for most users.

If you are troubleshooting possible trojans/virii, you can start the job with a utility such as Sysinternals Autoruns, but then you need to run through a complete checklist (list 1) manually, to check the obscure places not shown by the startup util.

And/or you could use an anti-virus scanner. Unlike startup utils, they are designed for this job. A good AV app will check most (all?) of those hiding places in the registry for suspicious links. Anyway, every harmful link must point to a real file on disk to be effective, so if the AV app misses a link in the registry it should catch the file itself when checking your hard disks.

----------------------------------------------------------

In between genuine startups and seriously harmful virii are the nuisance apps such as those which fetch ads or track your web site visits. They don't only use the many trojan starting places in list 1, kindly provided by MS to help virus writers; they can use some other vulnerabilities also provided by MS, such as "browser helpers", cookies, etc. Again it would be unreasonable to expect a startup util to show all these. You can hunt for these with utils like AdAware and SpySubtract. In addition to looking for links in the registry, they also check your hard disks which, as mentioned above for trojans, helps to deal with well hidden links by finding the file itself.
------------------------------------------------------------

There have been a few other errors in this thread:

DavidT wrote [re SysInternals Autoruns]:

D> Still doesn't include autoexec.bat, win.ini, winbatch.bat, doesn't show
D> .exe/bat/com associations and a couple other areas. Will have to keep hunting!

Sean> I think those ones are used only in 9x, so won't be shown in NT.

Some of those ARE used by NT. The .exe/bat/com associations will surely have an effect in NT. Not sure about win.ini and winbatch.bat. There are several places like that which are not usually used in XP but which can still have an effect IF they are used. For example, there is an option in XP whether autoexec.bat should be executed at bootup. Remember the XP system retains a lot of old places such as system.ini and win.ini for use by old apps, even Win3.1 apps which XP is still able to run.

Therefore, if you are doing a serious troubleshoot looking for trojans in an XP system, you'd better check all the 95/98 places in addition to the XP places. We don't know for sure which old 95/98 places are definitely disabled in XP.

---------------------------------------------------------------

Sean wrote:

S> I'm afraid you're wrong here.
S> Both the Run keys in "HKLM/HKCU" and the startup folder are
S> controlled by the Explorer Shell. No Explorer Shell, no
S> start of the proggies in these Keys/Folder.
S> You may try without the explorer shell.

Most people with "No Explorer Shell" are using an alternative shell such as LiteStep. Most alt shells do run your startups, from both the Run keys in HKLM and HKCU and the startup folder. Those items are not run if:

- you have no shell at all,
- or specifically set your alt shell's option to not run startup items,
- or use an unusually poor alt shell which cannot run the startups.
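The message above draws a line between the "list 2" places that genuine programs use for their startup links (the Run/RunOnce keys under HKLM and HKCU plus the two Startup folders) and the obscure "list 1" hiding places, and notes that every link, harmful or not, must point to a real file on disk. The following PowerShell script is an added example, not code from the thread and not part of Startup Control Panel, Starter or Autoruns: it walks exactly the list 2 locations and reports, for each link, the command it runs and whether that file actually exists. The helper name Get-ExecutablePath and the output column names are this example's own choices; the registry paths and folder names are the standard Windows ones.

```powershell
# Added example: enumerate the "list 2" startup places that genuine programs
# use, and check that each link points to a real file on disk.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # this user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)

# Pull the executable path out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /tray    or    C:\tools\bar.exe -x
# (helper written for this example)
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')     { return $Matches[1] }
    return $CommandLine
}

# True only when the path is non-empty and the file is really on disk
function Test-LinkTarget {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return (Test-Path -LiteralPath $expanded -PathType Leaf)
}

$registryEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
        if ($prop.Name -like 'PS*') { continue }
        [pscustomobject]@{
            Location   = $key
            Name       = $prop.Name
            Command    = [string]$prop.Value
            FileExists = Test-LinkTarget (Get-ExecutablePath ([string]$prop.Value))
        }
    }
}

$folderEntries = foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($f in Get-ChildItem -LiteralPath $folder -File) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') {
            # A shortcut is only a link: resolve it to the file it launches
            $target = $shell.CreateShortcut($f.FullName).TargetPath
        }
        [pscustomobject]@{
            Location   = $folder
            Name       = $f.Name
            Command    = $target
            FileExists = Test-LinkTarget $target
        }
    }
}

# Entries with FileExists = False are dead links; entries pointing at files
# you do not recognise are the ones to check with Autoruns or an AV scan.
@($registryEntries) + @($folderEntries) |
    Sort-Object Location, Name |
    Format-Table Location, Name, FileExists, Command -AutoSize
```

Because it only reads list 2, the output stays short enough to review by hand, which is the point the message makes about startup utilities; the obscure list 1 places (file associations, win.ini, autoexec.bat and the rest) are deliberately out of scope and still need the manual checklist or an AV scan.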
