New Way of Hijacking

szeni

I have just run into a new way that some recent Trojans use to get
themselves activated each time Windows starts.

They put registry entries into
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
which causes them to start up when Explorer starts up.

I've been using HijackThis to detect viruses besides just doing the
scans but I found that HijackThis does not check that part of the
registry.

Does anybody know an updated version of HijackThis that can detect
this?
I've been using version 1.99.1 and haven't found a newer version yet.

Thanks for any help!

Laszlo
 
Doc

szeni said:
I just found the solution.

It's a great tool. Much more thorough than HijackThis! It's called
Autoruns by Sysinternals.
It can be downloaded from:
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

Laszlo

Sure, Autoruns will show it, but by the time you use Autoruns the trojan
will have done its damage. Surely it would be better to prevent anything
from changing or adding to that registry key without your approval.

System Safety Monitor works for me.
 
myself

szeni said:
I have just run into a new way that some recent Trojans use to get
themselves activated each time Windows starts.

They put registry entries into
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
which causes them to start up when Explorer starts up.

I've been using HijackThis to detect viruses besides just doing the
scans but I found that HijackThis does not check that part of the
registry.

Does anybody know an updated version of HijackThis that can detect
this?
I've been using version 1.99.1 and haven't found a newer version yet.

Thanks for any help!

Laszlo

Have you contacted the people from Hijack This?
Let them know about this problem.
 
Jbob

szeni said:
I have just run into a new way that some recent Trojans use to get
themselves activated each time Windows starts.

They put registry entries into
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
which causes them to start up when Explorer starts up.

I do not have an \Explorer entry where you have suggested. Under \Policies
all I have is \NonEnum, \Ratings and \system, No Explorer. Are you sure you
typed the correct reg key or is this something that might be added as well,
as in not just a Run entry but the Explorer entry as well?

WinXP Pro.
 
Doc

Jbob said:
I do not have an \Explorer entry where you have suggested. Under
\Policies all I have is \NonEnum, \Ratings and \system, No Explorer.
Are you sure you typed the correct reg key or is this something that
might be added as well, as in not just a Run entry but the Explorer
entry as well?

WinXP Pro.

That you don't have a 'Run' entry just means that nothing is yet set to run
with Explorer. Still worth monitoring this location in case anything does
try to install there.

My system *does* have the \Explorer branch, but not the \Run branch.
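
The monitoring suggested in this thread, as an added PowerShell example that is not part of any post: it lists the values under Policies\Explorer\Run, treats a missing \Explorer or \Run subkey as "nothing registered", and reports differences from a saved baseline. The HKCU counterpart key and the baseline file location are assumptions that the thread does not mention.

```powershell
# Added example, not code from the thread.
$RunKeys = @(
    # Key named in the thread:
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    # Assumption beyond the thread: the per-user counterpart of the same key.
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Hypothetical baseline location; use a path that only administrators can write to.
$BaselineFile = Join-Path $env:ProgramData 'PoliciesRunBaseline.txt'

function Get-PolicyRunEntry {
    param([string[]]$KeyPath)
    foreach ($path in $KeyPath) {
        # A missing \Explorer or \Run subkey just means nothing is registered there.
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            # Read the raw data so %VAR% references are shown unexpanded.
            $cmd = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            '{0}|{1}|{2}' -f $path, $name, $cmd
        }
    }
}

$current = @(Get-PolicyRunEntry -KeyPath $RunKeys)

if (-not (Test-Path -LiteralPath $BaselineFile)) {
    # First run: record the current state as the approved baseline.
    Set-Content -LiteralPath $BaselineFile -Value $current -Encoding UTF8
    Write-Output "Baseline saved with $($current.Count) entries."
}
else {
    $baseline = @(Get-Content -LiteralPath $BaselineFile -Encoding UTF8)
    # Entries present now but not approved earlier are the ones to investigate.
    $added   = @($current  | Where-Object { $baseline -notcontains $_ })
    $removed = @($baseline | Where-Object { $current  -notcontains $_ })

    $added   | ForEach-Object { Write-Warning "New autostart entry: $_" }
    $removed | ForEach-Object { Write-Output "Entry no longer present: $_" }
    if (-not $added -and -not $removed) { Write-Output 'No change since baseline.' }
}
```

Run it once on a known-clean system to create the baseline, then on a schedule; delete the baseline file after reviewing and approving a legitimate change.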
 
Alan Edwards

FWIW, (probably not a lot) I just tested with an entry in that key,
restarted and MS AntiSpyware picked up that a new Run entry had been
made and asked me to confirm.

....Alan
 
