Checking startup files for trojans
This feature was motivated by "All Known and Unknown Autostarting Methods
used for executing files" by TLSecurity.net and ANTH®ªX.
A virus or trojan may install itself on your machine
so that it "auto-starts" every time you restart or
log in to your machine. InternetPeriscope helps
you check these startup mechanisms to see
which programs are automatically launched when
you log in or restart your machine.
To check your startup files, click on the Hosts menu, move your mouse over the "This Host" menu item, and click on "Check Startup Files for Trojans..." as shown in the figure.
After a few moments, the following dialog will appear.
InternetPeriscope checks the following auto-start
mechanisms, displaying any that are used on
- It finds any files that are located in the logged-in user's Autostart folder.
- It checks the "load=" and "run=" sections in your win.ini file. Note to Techies: These sections may actually reside in the registry if your system does not have these sections in the win.ini file. InternetPeriscope should find them wherever they are.
- It checks the "Shell=" section of system.ini.
- It checks for a winstart.bat file in your windows directory.
- It checks the following registry keys:
- It checks for a wininit.ini file in your Windows directory.
- It checks to see if there is an autoexec.bat file on your C drive.
- It checks the following registry keys to make sure
that their value is "%1 %*" and not something
else like "trojan.exe %1 %*" (known as the Unknown Starting Method).
- If you have ICQ installed, it checks HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ to see what applications ICQ launches
when it detects an Internet connection.
- It looks in your Windows, System, and Windows\Command directories
for .pif files. It is strongly recommended that you right click on these
files in Explorer, choose Properties, click on the Program Tab, and
click on the "Advanced" button to see what autoexec and config files
your pif file uses. Then, you should check the contents of the autoexec
and config files to make sure they don't run any hacker programs.
Note to techies: If more than one user logs into this machine,
it is recommended that you have each user log into the machine,
and then check their startup files, as each user will have a different
profile, and will run different startup files.
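
The following is an added example, not InternetPeriscope's own code: a sketch of three of the checks listed above (the "load=" and "run=" entries in win.ini, the "Shell=" entry in system.ini, and the "%1 %*" open-command check), run over constructed sample input.
Assumptions: the entries live in the [windows] and [boot] sections, the stock shell is Explorer.exe, and the file-type labels exefile and comfile and the file updater.exe are illustrative names only.

```python
"""Added example: audit win.ini / system.ini text and file-type open commands."""

EXPECTED_SHELL = "explorer.exe"   # assumption: stock Windows 9x shell
EXPECTED_OPEN = "%1 %*"           # value the page says the keys must hold


def ini_values(text, section, keys):
    """Return {key: value} for the wanted keys inside [section], case-insensitively."""
    found, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() in keys:
                found[key.strip().lower()] = value.strip()
    return found


def audit_startup(win_ini, system_ini, open_commands):
    """Return a list of (mechanism, value) pairs that deserve a manual look."""
    findings = []
    # win.ini: anything listed after load= or run= is launched at startup.
    for key, value in ini_values(win_ini, "windows", {"load", "run"}).items():
        if value:
            findings.append((f"win.ini {key}=", value))
    # system.ini: Shell= should name the shell and nothing more.
    shell = ini_values(system_ini, "boot", {"shell"}).get("shell", "")
    if shell.lower() != EXPECTED_SHELL:
        findings.append(("system.ini shell=", shell))
    # Open commands: quotes are ignored so '"%1" %*' also passes.
    for name, value in open_commands.items():
        if value.replace('"', "").strip() != EXPECTED_OPEN:
            findings.append((f"{name} open command", value))
    return findings


# Constructed sample input (not taken from a real machine).
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\updater.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe updater.exe\n"
SAMPLE_OPEN = {"exefile": '"%1" %*', "comfile": 'updater.exe "%1" %*'}

if __name__ == "__main__":
    for mechanism, value in audit_startup(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_OPEN):
        print(f"{mechanism:28} {value}")
```

An entry appearing in the output is not proof of infection; it is a value to review by hand, as with the dialog described above.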