Where does Trojans and Viruses hide?
There are many other places on a Windows system that Trojans can add scripts and shortcuts to startup Trojan processes:
Note: For the following registry keys, the key value should be exactly "%1 %*" . Any programs that are added to the key value will get executed every time a binary file (.exe, .com) is executed, i.e."Trojan.exe %1 %*".
- Startup folder: to go to this folder, click on Start->Programs->Startup, and right click on Startup and select "Open" from the menu. Check every file in this folder and make sure you know what they are. These files will startup automatically every time you login to your systems.
- Windows Scheduler - check if any programs are scheduled to startup at any specific time. Some Trojans use scheduler as a mean for program execution.
- For Windows NT, 2000 and XP systems, use AT command to verify. Go to command prompt and type "at" and if there is any scheduled tasks, it will display "Status, ID, Day of execution, Time of execution, and Command line to be executed"
- For Windows 9x/ME systems, use Windows Explorer and go to Task Scheduler, which is under My Computer.
- Win.ini (load=Trojan.exe or run=Trojan.exe)
- system.ini (Shell=Explorer.exe trojan.exe)
- autoexec.bat - look for added Trojan files, may be in the following file extensions: .exe, .scr, .pif, .com, .bat
- config.sys - look for added Trojan files
- Any suspicious or new batch files (.BAT), which might call the actual Trojan.
In addition, watch out for social engineering. Don’t be fooled by processes or programs with similar and/or exactly the same filename as the legitimate Windows system programs. Many known Trojans have included programs with exact same name as Windows system programs, but put them into different folders.