Alan Sugano writes an article on checking a server for the Backdoor.Beasty Virus and details checking various autorun locations in the registry – the last one I wouldn’t have checked (and neither did he first time round).
HKLM\SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
HKCU\Software\ Microsoft\ Windows\ CurrentVersion\ Run
If the machine is running Windows Server 2003, Windows XP, Win2K, or Windows NT, you should also check
HKLM\SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer\ Run