Friday, September 30, 2011

General information about viruses and trojans


All malware shares common characteristics.
Firstly, it leaves a copy of itself on your computer.
Secondly, it adds itself to Startup.
Thirdly, it stays running as a process and at first glance does not bother you. But we know that it is spying on you and sending useful information to the owner of the virus or trojan. It could be passwords, credit card numbers, mail and many other things.


Here I will list the disk locations where most malware leaves its copy.
At the root of C:\ drive
In the system folders:
C:\Windows\
C:\Windows\System\
C:\Windows\System32\
C:\Windows\System32\drivers\
C:\Program Files\
C:\Documents and Settings\All Users\
C:\Documents and Settings\All Users\Application Data\
C:\Documents and Settings\<UserName>\Application Data\
C:\Documents and Settings\<UserName>\Local Settings\Application Data\
C:\Documents and Settings\<UserName>\Local Settings\Application Data\Temp\
C:\Documents and Settings\<UserName>\Local Settings\Temp\
C:\Documents and Settings\<UserName>\Local Settings\Temporary Internet Files\


They can also create shortcuts on the desktop, Start menu, Start menu - Programs, Start menu - Programs - Startup.


Next I will list the ways programs are added to autostart.
Some worms leave a copy of themselves on disk and add an autorun.inf file to the root of every drive. It lets the malicious program run when the drive is opened. The autorun.inf file controls autostart for drives, not only CD and DVD, but also hard drives and flash drives. So if you find such a file in the root of any drive, delete it immediately.
The second way is adding a file or shortcut to Start menu - Programs - Startup.
The third method, and the most popular, is adding an entry to the registry.


Now I will list the registry keys in which viruses and trojans may be registered so that they run automatically when the operating system boots.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce


These keys contain entries that specify the path to a program.
It looks like this:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
lsssass = "%AppData%\Install\lsssass.exe"
Here lsssass is the name of the entry that contains the path to the program.
%AppData% is a variable that stands for a disk location: C:\Documents and Settings\<UserName>\Local Settings\Application Data\
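
A read-only PowerShell check of the locations described above: the four Run/RunOnce keys, the Startup folders and autorun.inf in drive roots. It is an added example, not part of the original post; the variable names and the rule that flags commands in Application Data or Temp folders are assumptions made for illustration.

```powershell
# Added example, read-only: lists autostart entries, it does not delete or change anything.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: commands that point into per-user data or temp folders deserve a closer look.
$watchPattern = '\\(Application Data|AppData|Temp|Temporary Internet Files)\\'

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $k = Get-Item -LiteralPath $key
    foreach ($name in $k.GetValueNames()) {
        # Expand variables such as %AppData% so the real path is visible.
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$k.GetValue($name))
        # Executable path: the quoted part if present, otherwise the text before the first space.
        # Unquoted paths that contain spaces will show FileExists = False; check those by hand.
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd.Trim() -split '\s+')[0] }
        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Command      = $cmd
            FileExists   = [bool]($exe -and (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue))
            InWatchedDir = $cmd -match $watchPattern
        }
    }
})

# Files and shortcuts in the per-user and all-users Startup folders.
$startupItems = @(foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    if ($path -and (Test-Path -LiteralPath $path)) { Get-ChildItem -LiteralPath $path -Force }
})

# autorun.inf in the root of every file-system drive (hidden and system files included).
$autoruns = @(foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) { Get-Item -LiteralPath $inf -Force }
})

$entries | Sort-Object InWatchedDir -Descending | Format-Table Name, InWatchedDir, FileExists, Command, Key -Wrap
$startupItems | Format-Table FullName, LastWriteTime
$autoruns | Format-Table FullName, Length, LastWriteTime
```

Entries with InWatchedDir set to True, such as the lsssass example above, are the ones to look at first; the HKLM keys are readable without administrator rights.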


WARNING! Be careful when editing the registry so as not to harm your computer. If you are not confident in your abilities, it is better to ask someone who is more versed in operating systems.
