Checking startup files for trojans


This feature was motivated by "All Known and Unknown Autostarting Methods used for executing files" by TLSecurity.net and ANTH®ªX.
A virus or trojan may install itself on your machine so that it "auto-starts" every time you restart or log in to your machine. InternetPeriscope helps you check these startup mechanisms to see which programs are automatically launched when you log in or restart your machine.
To check your startup files, click on the Hosts menu, move your mouse over the "This Host" menu item, and click on "Check Startup Files for Trojans..." as shown in the figure. [Figure: Hosts Menu]
After a few moments, the following dialog will appear. [Figure: Dialog]

InternetPeriscope checks the following auto-start mechanisms, displaying any that are used on your system:
  • It finds any files that are located in the logged-in user's Autostart (Startup) folder.
  • It checks the "load=" and "run=" entries in your win.ini file. Note to Techies: These entries may actually reside in the registry if your system does not have them in the win.ini file. InternetPeriscope should find them wherever they are.
  • It checks the "Shell=" section of system.ini.
  • It checks for a winstart.bat file in your windows directory.
  • It checks the following registry keys:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  • It checks for a wininit.ini file in your Windows directory.
  • It checks to see if there is an autoexec.bat file on your C drive.
  • It checks the following registry keys to make sure that their value is "%1 %*" and not something else like "trojan.exe %1 %*" (known as the Unknown Starting Method).
    • HKEY_CLASSES_ROOT\exefile\shell\open\command
    • HKEY_CLASSES_ROOT\comfile\shell\open\command
    • HKEY_CLASSES_ROOT\batfile\shell\open\command
    • HKEY_CLASSES_ROOT\htafile\shell\open\command
    • HKEY_CLASSES_ROOT\piffile\shell\open\command
    • HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
    • HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
    • HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
    • HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\shell\open\Command
    • HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
  • If you have ICQ installed, it checks HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ to see what applications ICQ launches when it detects an Internet connection.
  • It looks in your Windows, System, and Windows\Command directories for .pif files. It is strongly recommended that you right click on these files in Explorer, choose Properties, click on the Program Tab, and click on the "Advanced" button to see what autoexec and config files your pif file uses. Then, you should check the contents of the autoexec and config files to make sure they don't run any hacker programs.
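The following PowerShell script is an added example (not part of InternetPeriscope) that walks the same autostart locations listed above from an administrator's console, so the results can be compared with what the dialog shows. It assumes a current Windows version with PowerShell 5.1 or later; keys that no longer exist on such systems (for example RunServices) are simply skipped.

```powershell
# Added example, not InternetPeriscope code: enumerate the autostart locations
# this page lists and flag file-type handlers that no longer run "%1 %*".

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# 1. Every value under the Run-style keys: value name -> command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }          # key absent on this Windows version
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }         # skip PowerShell's own PSPath etc.
        [PSCustomObject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
    }
}

# 2. File-type handlers. The page expects "%1 %*"; current Windows releases ship
#    the quoted form "\"%1\" %*", so both are treated as benign. Note that on
#    current Windows the htafile handler legitimately points at mshta.exe and
#    will be reported as SUSPICIOUS here; review that entry by hand.
$benign = @('%1 %*', '"%1" %*')
$types  = 'exefile', 'comfile', 'batfile', 'htafile', 'piffile'
foreach ($t in $types) {
    foreach ($root in 'HKLM:\Software\Classes', 'Registry::HKEY_CLASSES_ROOT') {
        $key = "$root\$t\shell\open\command"
        if (-not (Test-Path $key)) { continue }
        $cmd = (Get-ItemProperty -Path $key).'(default)'
        $status = if ($benign -contains $cmd) { 'OK' } else { 'SUSPICIOUS' }
        [PSCustomObject]@{ Location = $key; Command = $cmd; Status = $status }
    }
}

# 3. Contents of the current user's Startup folder (the "Autostart folder" above).
Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Force -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime
```

Run it once per user account, as the note below explains, since the HKCU keys and the Startup folder differ for each profile.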


Note to techies: If more than one user logs into this machine, it is recommended that you have each user log into the machine, and then check their startup files, as each user will have a different profile, and will run different startup files.

Copyright (c) 2013 Thatcher Development Software, LLC. All rights reserved. No claim to original U.S. Gov't works.