Here are the 33 startup places from which a TROJAN, VIRUS or WORM can run.
1) %windir%\Start Menu\Programs\StartUp
2) %windir%\All Users\Start Menu\Programs\StartUp
3-4) the load= and run= lines in win.ini
5-9) the Run, RunOnce, RunOnceEx, RunServices and RunServicesOnce keys
under Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion
10-11) the Run and RunOnce keys under Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion
12) subkeys (Static VxDs) under
Hkey_Local_Machine\System\CurrentControlSet\Services\VxD\
13-14) the [386enh] and [boot] sections of system.ini (this includes the
scrnsave.exe= line in system.ini which can be used to run things on your
system (like the infamous McafeeScreenScan))
15) the IOSUBSYS folder (drivers load automatically)
16) the VMM32 folder (drivers that take precedence over those built into vmm32.vxd)
17) config.sys
18) autoexec.bat
19) winstart.bat
Bonus item - files can be deleted or renamed from the wininit.ini file.

20] [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
21] [HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
22] [HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
23] [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
24] [HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
25] [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
26] [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
27] [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
28] [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
29] [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"

The key should have a value of "%1 %*".

Backdoor example:
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"trojan.exe%1\" %*"

With such registry entries, trojan.exe is executed each time an exe/pif/com/bat/hta is executed.

30] system.ini
[boot]
Shell=Explorer.exe trojan.exe

31] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

32] [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe" "Startup"="c:\\test"
"Parameters"="" "Enable"="Yes"

33] [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
This key includes all the apps which are executed if ICQNET detects an Internet connection.

Think this might help anyone with Trojans.
All the best and cheers,
murve
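As an added example (not part of this thread or anyone's post in it), a Python check for the file-association hijack described in items 20-29: it parses a .reg export, decodes the REG_SZ escapes, and flags any exefile/comfile/batfile/piffile shell\open\command whose default value is not the Windows default "%1" %*. The .reg text is constructed for the example; htafile is left out because its default command invokes mshta.exe rather than the bare "%1" %*.

```python
import re

EXPECTED = '"%1" %*'   # Windows default: run the file itself with its arguments

# Handler keys from the post whose (Default) value should be exactly EXPECTED.
# htafile is omitted: its legitimate default invokes mshta.exe instead.
HANDLER_RE = re.compile(
    r'\\(exefile|comfile|batfile|piffile)\\shell\\open\\command$', re.IGNORECASE)

# Constructed .reg export (not taken from a real machine). The exefile key holds
# the post's "backdoor" form; the others hold the default.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"trojan.exe%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"%1\" %*"
'''

def unescape_reg_string(literal):
    """Decode a quoted REG_SZ literal from a .reg file (backslash escapes quote and backslash)."""
    body = literal[1:-1]                       # drop the surrounding quotes
    return re.sub(r'\\(.)', r'\1', body)

def parse_reg(text):
    """Map each [key] in a .reg export to {value name: decoded REG_SZ string}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and '=' in line and line.startswith(('@', '"')):
            name, _, raw = line.partition('=')
            name = '(Default)' if name == '@' else name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):   # REG_SZ only; hex/dword skipped
                keys[current][name] = unescape_reg_string(raw)
    return keys

def find_hijacked_handlers(keys):
    """Return (key, decoded command) for handler keys whose default deviates from EXPECTED."""
    return [(key, values['(Default)']) for key, values in keys.items()
            if HANDLER_RE.search(key) and values.get('(Default)', EXPECTED) != EXPECTED]

if __name__ == '__main__':
    for key, cmd in find_hijacked_handlers(parse_reg(SAMPLE_REG)):
        print(f'SUSPICIOUS {key}: {cmd}')
```

On a live system the same check applies to the output of `reg export HKCR\exefile exefile.reg` for each handler class.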

And/or download and run the Startuplog from http://home.earthlink.net/~rmbox/Reticulated/Toys.html
It will list all these locations and others.

Uhh, I was looking at my registry (W2k/SP2); my HKEY reg. keys reflect the following value: "%1" %* rather than "%1 %*".
Do I have a problem?
Paul

