Openme.exe trojan
TonyKlein
February 24th, 2002, 08:54 PM
Lately, I've seen a number of similar cases present themselves regarding some trojan starting up from the System.ini, editing the Shell= line to read shell=explorer.exe openme.exe
We've been using StartLog by Rmbox (http://home.earthlink.net/~rmbox/Reticulated/Toys.html) as a very useful tool to troubleshoot startup problems and detecting trojans, but it only works with Win95, 98 and ME.
What about XP? Anything much known about all the possible startup locations there?
And from where would this openme.exe thing start up in XP?
I've seen two cases of people running XP that had this trojan, and who were unable to determine from where it started up.
I'm running Win 98SE myself, so I'm really at a loss.
Anyone able to shed some light on this issue?
Paul Wilders
February 24th, 2002, 09:28 PM
Tony,
Although not designed for XP, you might play around with TrojanCheck - a little but very nice freeware app we helped developing in the past. You can grab a copy from our downloads page:
www.wilders.org/downloads.htm
Some remarks:
- forget about the anti-trojan engine (outdated);
- it's been known to produce one false positive on XP:
shadow.exe - belonging to XP.
No guarantees here, since as stated it's not designed for XP. Nevertheless, it might come in very helpful.
Keep us posted.
regards.
paul
TonyKlein
February 24th, 2002, 09:59 PM
Thanks Paul,
What I was really looking for, however, is a neat list of *all* possible startup locations in XP, something like what has been done for Win98.
As a matter of fact I seem to remember one of your posts called something like "All Known Autostart Methods".
Do you still have a link to that one?
And is some of that applicable to XP?
Thanks! Tony
Gavin - DiamondCS
February 25th, 2002, 02:37 AM
Apart from the usual registry keys under HKLM HKCU and HKUD -
Run
RunServices
RunOnce
It would start from the startup folder, or most likely the "marklord method"
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<some key>\StubPath =
or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders - <some folder>, Windows runs the files in this folder
TonyKlein
February 25th, 2002, 06:30 AM
Thank you, Gavin,
That's most helpful, and I think with this we may be able to help people with XP to get rid of this and possibly other trojans by checking these locations, in case they didn't get a chance to run an antitrojan.
Thanks again.
Cheers, Tony
spy1
February 25th, 2002, 09:32 AM
Tony - This may be the post from the old site that you were referring to: http://pub24.ezboard.com/fsecureyesecurityfrm2.showMessage?topicID=18.topic . Pete
TonyKlein
February 25th, 2002, 09:38 AM
Hi spy1,
That's the one I meant.
Thanks!
Cheers, Tony
spy1
February 25th, 2002, 09:50 AM
You're quite welcome. Pete
TonyKlein
March 8th, 2002, 05:36 PM
Meanwhile, we've been able to detect the trojan's startup location in Windows 2000:
It's the Shell= line in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\current version\Winlogon
The default value is "Shell"="Explorer.exe", but the trojan modifies it.
Should be helpful for XP as well.
Thought I'd update this one.
Greetz, Tony
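As an added example (not code from this thread or from any of the posters), the script below walks the autostart locations named across the thread, the Run/RunOnce/RunServices keys, Active Setup StubPath entries, the Startup folders from User Shell Folders, the Winlogon Shell value, and any shell= line in system.ini, and reports what each one launches. It assumes a Windows host with PowerShell available, which the XP-era posters did not have, and a console run as Administrator; RunServices exists only on Win9x/ME, so on NT-family systems that key is simply skipped. The Winlogon check flags a non-default Shell value, which is how the Windows 2000 finding above would show up.

```powershell
# Added example, not from the thread: report what each known autostart location launches.
# Assumes Windows with PowerShell, run as Administrator. Read-only; nothing is modified.

function Get-RegistryValues {
    # Return name/value pairs from a key, minus the PS* metadata properties PowerShell adds
    param([string]$Key)
    if (-not (Test-Path -Path $Key)) { return }
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $item) { return }
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') {
            [pscustomobject]@{ Key = $Key; Name = $p.Name; Value = $p.Value }
        }
    }
}

Write-Output '== Run / RunOnce / RunServices =='
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce', 'RunServices') {
        # RunServices is a Win9x/ME key; Test-Path inside the function skips it elsewhere
        Get-RegistryValues -Key "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub" |
            ForEach-Object { '{0}  {1} = {2}' -f $_.Key, $_.Name, $_.Value }
    }
}

Write-Output '== Active Setup StubPath entries (the "marklord method") =='
# Each StubPath command is run once per user at logon, so it survives a cleaned Run key
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $activeSetup -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
    if ($stub) { '{0}  StubPath = {1}' -f $_.PSChildName, $stub }
}

Write-Output '== Startup folders from User Shell Folders =='
foreach ($hive in 'HKLM', 'HKCU') {
    $usf = "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    # HKLM holds "Common Startup" (all users), HKCU holds "Startup" (this user)
    Get-RegistryValues -Key $usf | Where-Object { $_.Name -like '*Startup*' } | ForEach-Object {
        # Values are REG_EXPAND_SZ; expanding again is harmless if PowerShell already did it
        $folder = [Environment]::ExpandEnvironmentVariables([string]$_.Value)
        '{0}  {1} -> {2}' -f $hive, $_.Name, $folder
        Get-ChildItem -Path $folder -ErrorAction SilentlyContinue |
            ForEach-Object { '    ' + $_.Name }
    }
}

Write-Output '== Winlogon Shell value (the location found on Windows 2000) =='
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
if ($null -eq $shell) {
    'Shell value absent; Windows falls back to explorer.exe'
} elseif ($shell.Trim() -eq 'explorer.exe') {
    "Shell = $shell (default)"
} else {
    # e.g. "explorer.exe openme.exe": every token after explorer.exe is another program run at logon
    "WARNING: Shell = '$shell' (non-default; extra tokens are launched at logon)"
}

Write-Output '== system.ini [boot] shell= line (honoured by Win9x/ME only) =='
$sysIni = Join-Path -Path $env:windir -ChildPath 'system.ini'
if (Test-Path -Path $sysIni) {
    Get-Content -Path $sysIni | Where-Object { $_ -match '^\s*shell\s*=' } |
        ForEach-Object { 'system.ini: ' + $_.Trim() }
}
```

Run it once on a known-clean machine and keep the output; on a suspect machine, any line that is not in the clean listing (an extra Run value, an unfamiliar StubPath, a file in a Startup folder, or a Shell value with anything after explorer.exe) is what to look at first. The script only reads; removing an entry is a separate, deliberate step after the file it points at has been identified.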