Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Startup
Description:
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
Description:
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\App Paths
Description:
Each subkey holds the path to a specific application. Both the path and the executable it points to should be verified: a legitimate application may be registered in other autostart locations while the executable it links to has been subverted or trojaned.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Description:
This Registry location designates a debugger for an application, and testing shows it is an effective redirection facility. For example, adding a subkey named notepad.exe and then adding a "Debugger" value of cmd.exe causes a command prompt to open whenever Notepad is launched. File-binding utilities let an attacker bind a backdoor to a legitimate program and then redirect that legitimate program to the trojaned one.
..................................................................................................................................................
Triage LHF module reports on this key
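As an added example (not part of the original page or of the Triage LHF module), the following PowerShell lists every Image File Execution Options subkey that carries a Debugger value and checks each App Paths target on disk, which is the verification the two descriptions above call for. The function names are my own, and it assumes rights to read HKLM.

```powershell
# Added example: audit the two redirection points described above.
# Assumes read access to HKLM; function names are this example's own choice.
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$appPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'

# Any image with a Debugger value is launched through that debugger instead,
# so every hit here is worth a look, whatever the executable named.
function Get-IfeoDebugger {
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [PSCustomObject]@{
                Image    = $_.PSChildName   # e.g. notepad.exe
                Debugger = $dbg             # e.g. cmd.exe
            }
        }
    }
}

# For each App Paths entry, resolve the (default) value to a file, confirm it
# exists, and report its Authenticode status so a swapped or unsigned binary
# stands out (Valid, NotSigned, HashMismatch, or MISSING if the file is gone).
function Get-AppPathTarget {
    Get-ChildItem -Path $appPaths -ErrorAction SilentlyContinue | ForEach-Object {
        $target = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($target) {
            $exe = [Environment]::ExpandEnvironmentVariables($target.Trim('"'))
            $status = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else {
                'MISSING'
            }
            [PSCustomObject]@{
                Name      = $_.PSChildName  # the registered application name
                Target    = $exe            # the executable actually launched
                Signature = $status
            }
        }
    }
}

"== IFEO entries with a Debugger value =="
Get-IfeoDebugger | Format-Table -AutoSize
"== App Paths targets =="
Get-AppPathTarget | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

The App Paths listing is filtered to anything not validly signed; drop the Where-Object clause to review every entry.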