Malware Modified/Infected Registry Keys

Vicenarian

I want to compile a list of registry branches/keys often modified/placed by malware. Of course, there are the autorun/startup locations in the registry, but there are others like the Winlogon key which defines that entry. The reason I post this is, sometimes you can't log into the infected machine and edit the registry, or even run software like Autoruns. In such a case, it might make sense to edit the machine's registry offline using a PE-based solution or something like that. In such a case, having a list of registry keys to look at would be highly valuable.

Anybody care to help me make a list?

Here are just some:

RunServicesOnce:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce


RunServices:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices


RunOnce Local Machine Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx


Run:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


All Users Startup Folder:
Windows XP C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Windows NT C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
Windows 2000 C:\Documents and Settings\All Users\Start Menu\Programs\Startup


User Profile Startup Folder:
Win 9X, ME c:\windows\start menu\programs\startup
Windows XP C:\Documents and Settings\LoginName\Start Menu\Programs\Startup


RunOnce Current User Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce


Explorer Run:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

UserInit Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Example of Infected Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=C:\windows\system32\userinit.exe,c:\windows\badprogram.exe.


Load Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load


Notify Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify


AppInit DLLs:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows


ShellServiceObjectDelayLoad:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad


Shared Task Scheduler:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler



Files that configure Windows Autostarts:
1. c:\autoexec.bat
2. c:\config.sys
3. windir\wininit.ini - Usually used by setup programs to have a file run once and then get deleted.
4. windir\winstart.bat
5. windir\win.ini - [windows] "load"
6. windir\win.ini - [windows] "run"
7. windir\system.ini - [boot] "shell"
8. windir\system.ini - [boot] "scrnsave.exe"
9. windir\dosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.
10. windir\system\autoexec.nt
11. windir\system\config.nt

From: http://www.bleepingcomputer.com/tutorials/tutorial44.html

Does anybody have any additions to this?
 
It's easier and safer to use Autoruns to scan an offline system. It's never a good idea to edit the registry directly if it can at all be avoided, especially when you are hunting down malware infections which can place hooks all over the registry and it's all too easy to make a catastrophic mistake.
 
I see, yeah that makes sense, and now that I know Autoruns can load remote profiles, that just makes it that much easier. Thanks again. :)

Btw, dumb question, but what's a registry "hook"
 
It's a registry key that 'hooks' into another process; these can be legitimate software such as program & Explorer add-ins, but it's also a stealth way for malware writers to infect an otherwise legitimate process.
 
Ah ok, I understand now. Thanks for clearing that up.
 
I had one change Shell from "Explorer.exe" which prevented a boot to the desktop.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\Shell

Delete temp files. A lot of browser hijacks hide as temp files.
 
Is there an actual key called "DisableRegEdit"?
Somewhat ironic someone calling himself RegEdit doesn't know this!

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Change the value: DisableRegistryTools - 0 to allow regedit, 1 to disable regedit
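As an added example (not code from this thread or from Autoruns), here is a PowerShell triage pass that mounts the hives of an offline Windows install from a WinPE with PowerShell and walks the autostart keys in the first post, the Winlogon Userinit/Shell values from the infected-key example and the later Shell post, and the DisableRegistryTools policy from this post. The drive letter D:, the profile name "victim" and the OffSW/OffUser mount names are assumptions.

```powershell
# Added example: read-only triage of the thread's autostart locations on an
# OFFLINE Windows install, so nothing on the infected system has to run.
# Assumptions (placeholders): infected disk mounted as D:, profile D:\Users\victim.
$OfflineSoftware = 'D:\Windows\System32\config\SOFTWARE'   # assumption
$OfflineUser     = 'D:\Users\victim\NTUSER.DAT'            # assumption

reg.exe load HKLM\OffSW   $OfflineSoftware | Out-Null
reg.exe load HKLM\OffUser $OfflineUser     | Out-Null

# Keys from the thread, rewritten to point at the mounted hives
# (HKLM\SOFTWARE -> HKLM\OffSW, HKCU -> HKLM\OffUser).
$autostartKeys = @(
    'HKLM:\OffSW\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OffSW\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OffSW\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\OffSW\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\OffSW\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\OffSW\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\OffUser\Software\Microsoft\Windows NT\CurrentVersion\Windows'   # holds "load"
)
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        '{0}  [{1}] = {2}' -f $key, $name, $item.GetValue($name)
    }
}

# Winlogon: Userinit should be exactly one entry ending in userinit.exe (the
# trailing comma is normal); anything appended, like badprogram.exe in the
# thread's example, runs at every logon. Shell should be explorer.exe and
# AppInit_DLLs should be empty.
$winlogon = Get-ItemProperty 'HKLM:\OffSW\Microsoft\Windows NT\CurrentVersion\Winlogon'
$entries  = @($winlogon.Userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries.Count -ne 1 -or $entries[0] -notmatch '\\userinit\.exe$') { "SUSPECT Userinit = $($winlogon.Userinit)" }
if ($winlogon.Shell -ne 'explorer.exe') { "SUSPECT Shell = $($winlogon.Shell)" }
$appInit = (Get-ItemProperty 'HKLM:\OffSW\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
if ($appInit) { "SUSPECT AppInit_DLLs = $appInit" }

# Policy that locks the user out of regedit (DisableRegistryTools = 1).
$policy = 'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Test-Path $policy) -and ((Get-ItemProperty $policy).DisableRegistryTools -eq 1)) { 'SUSPECT regedit disabled by policy' }

# Drop handles before unloading, otherwise reg.exe reports the hive as in use.
$winlogon = $null; $item = $null; [gc]::Collect()
reg.exe unload HKLM\OffSW   | Out-Null
reg.exe unload HKLM\OffUser | Out-Null
```

Paths inside the values (for example C:\windows\...) refer to the offline install's own drive letter, so check each one under D:\ before deciding it is missing.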
 