How-To Geek

Use Autoruns to Manually Clean an Infected PC

There are many anti-malware programs out there that will clean your system of nasties, but what happens if you’re not able to use such a program?  Autoruns, from SysInternals (recently acquired by Microsoft), is indispensable when removing malware manually.

There are a few reasons why you may need to remove viruses and spyware manually:

  • Perhaps you can’t abide running resource-hungry and invasive anti-malware programs on your PC
  • You might need to clean your mom’s computer (or someone else who doesn’t understand that a big flashing sign on a website that says “Your computer is infected with a virus – click HERE to remove it” is not a message that can necessarily be trusted)
  • The malware is so aggressive that it resists all attempts to automatically remove it, or won’t even allow you to install anti-malware software
  • Part of your geek credo is the belief that anti-spyware utilities are for wimps

Autoruns is an invaluable addition to any geek’s software toolkit.  It allows you to track and control all programs (and program components) that start automatically with Windows (or with Internet Explorer).  Virtually all malware is designed to start automatically, so there’s a very strong chance that it can be detected and removed with the help of Autoruns.

We have covered how to use Autoruns in an earlier article, which you should read if you need to first familiarize yourself with the program.

Autoruns is a standalone utility that does not need to be installed on your computer.  It can be simply downloaded, unzipped and run (link below).  This makes it ideally suited for adding to your portable utility collection on your flash drive.

When you start Autoruns for the first time on a computer, you are presented with the license agreement:

Sysinternal License Terms

After agreeing to the terms, the main Autoruns window opens, showing you the complete list of all software that will run when your computer starts, when you log in, or when you open Internet Explorer:

Autoruns window

To temporarily disable a program from launching, uncheck the box next to its entry.  Note:  This does not terminate the program if it is running at the time – it merely prevents it from starting next time.  To permanently prevent a program from launching, delete the entry altogether (use the Delete key, or right-click and choose Delete from the context menu).  Note:  This does not remove the program from your computer – to remove it completely you need to uninstall the program (or otherwise delete it from your hard disk).

Suspicious Software

It can take a fair bit of experience (read “trial and error”) to become adept at identifying what is malware and what is not.  Most of the entries presented in Autoruns are legitimate programs, even if their names are unfamiliar to you.  Here are some tips to help you differentiate the malware from the legitimate software:

  • If an entry is digitally signed by a software publisher (i.e. there’s an entry in the Publisher column) or has a “Description”, then there’s a good chance that it’s legitimate
  • If you recognize the software’s name, then it’s usually okay.  Note that occasionally malware will “impersonate” legitimate software by adopting a name that’s identical or similar to software you’re familiar with (e.g. “AcrobatLauncher” or “PhotoshopBrowser”).  Also, be aware that many malware programs adopt generic or innocuous-sounding names, such as “Diskfix” or “SearchHelper” (both mentioned below).
  • Malware entries usually appear on the Logon tab of Autoruns (but not always!)
  • If you open up the folder that contains the EXE or DLL file (more on this below) and examine the “last modified” date, you will often find that it falls within the last few days (assuming that your infection is fairly recent)
  • Malware is often located in the C:\Windows folder or the C:\Windows\System32 folder
  • Malware often only has a generic icon (to the left of the name of the entry)

If in doubt, right-click the entry and select Search Online…

The list below shows two suspicious-looking entries:  Diskfix and SearchHelper

Autoruns entries

These entries, highlighted above, are fairly typical of malware infections:

  • They have neither descriptions nor publishers
  • They have generic names
  • The files are located in C:\Windows\System32
  • They have generic icons
  • The filenames are random strings of characters
  • If you look in the C:\Windows\System32 folder and locate the files, you’ll see that they are some of the most recently modified files in the folder (see below)
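The tell-tale signs above can be turned into a mechanical first pass over an Autoruns export.  The following is an added example, not code from the article or from Sysinternals; it scores a constructed CSV modelled on an Autoruns export, and the column names, the “Last Modified” field and the vowel-ratio test for random-looking names are all assumptions rather than anything Autoruns documents.

```python
import csv
import io
from datetime import datetime

# Constructed sample modelled on an Autoruns CSV export; the column names and
# the "Last Modified" field are assumptions, not Autoruns' documented format.
SAMPLE_CSV = """Entry Location,Entry,Description,Publisher,Image Path,Last Modified
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon,CTF Loader,(Verified) Microsoft Windows,C:\\Windows\\System32\\ctfmon.exe,2008-04-14 12:00:00
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Adobe Reader Speed Launcher,Adobe Acrobat SpeedLauncher,(Verified) Adobe Systems,C:\\Program Files\\Adobe\\Reader\\reader_sl.exe,2009-07-14 09:30:00
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Diskfix,,,C:\\Windows\\System32\\qxkwzjtr.exe,2010-03-13 22:41:00
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SearchHelper,,,C:\\Windows\\System32\\vbhqnspl.dll,2010-03-14 01:07:00
"""
REFERENCE_NOW = datetime(2010, 3, 15)   # "today" for the constructed sample
SYSTEM_FOLDERS = ("c:\\windows", "c:\\windows\\system32")
VOWELS = set("aeiouy")

def looks_random(stem):
    """Heuristic for random filename stems: 6+ letters and almost no vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.15

def red_flags(row, now=REFERENCE_NOW):
    """List the tell-tale signs from the article that this entry exhibits."""
    flags = []
    if not row["Publisher"].strip():
        flags.append("no publisher")
    if not row["Description"].strip():
        flags.append("no description")
    folder, _, filename = row["Image Path"].rpartition("\\")
    if folder.lower() in SYSTEM_FOLDERS:
        flags.append("lives in " + folder)
    if looks_random(filename.rsplit(".", 1)[0]):
        flags.append("random-looking filename " + filename)
    modified = datetime.strptime(row["Last Modified"], "%Y-%m-%d %H:%M:%S")
    if 0 <= (now - modified).days <= 7:
        flags.append("modified within the last 7 days")
    return flags

def triage(csv_text, now=REFERENCE_NOW, threshold=3):
    """Return {entry name: flags} for entries showing at least `threshold` flags."""
    suspicious = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = red_flags(row, now)
        if len(flags) >= threshold:
            suspicious[row["Entry"]] = flags
    return suspicious
```

Calling `triage(SAMPLE_CSV)` reports only Diskfix and SearchHelper; a legitimate System32 entry such as ctfmon collects a single flag and is left alone, which is why the script lists reasons rather than deciding for you.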

Suspicious entries in System32 folder

Double-clicking on the items will take you to their corresponding registry keys:

Suspicious entries in Registry

Removing the Malware

Once you’ve identified the entries you believe to be suspicious, you now need to decide what you want to do with them.  Your choices include:

  • Temporarily disable the Autorun entry
  • Permanently delete the Autorun entry
  • Locate the running process (using Task Manager or similar) and terminate it
  • Delete the EXE or DLL file from your disk (or at least move it to a folder where it won’t be automatically started)

or all of the above, depending upon how certain you are that the program is malware.

To see if your changes succeeded, you will need to reboot your machine, and check any or all of the following:

  • Autoruns – to see if the entry has returned
  • Task Manager (or similar) – to see if the program was started again after the reboot
  • Check the behavior that led you to believe that your PC was infected in the first place.  If it’s no longer happening, chances are that your PC is now clean

Conclusion

This solution isn’t for everyone and is most likely geared to advanced users. Usually a quality antivirus application does the trick, but if not, Autoruns is a valuable tool in your anti-malware kit.

Keep in mind that some malware is harder to remove than others.  Sometimes you need several iterations of the steps above, with each iteration requiring you to look more carefully at each Autorun entry.  Sometimes the instant that you remove the Autorun entry, the malware that is running replaces the entry.  When this happens, we need to become more aggressive in our assassination of the malware, including terminating programs (even legitimate programs like Explorer.exe) that are infected with malware DLLs.

Shortly we will be publishing an article on how to identify, locate and terminate processes that represent legitimate programs but are running infected DLLs, in order that those DLLs can be deleted from the system.

Download Autoruns from SysInternals

Web2.0 programmer by day, singer by night, Aussie geek Mark Virtue keeps the How-To Geek flag flying Down Under.

  • Published 03/15/10

Comments (12)

  1. Mile

    This is great! I love articles like this!

  2. TheUnspoken

    Great info! As always keep it up Geek

  3. Keith

    I love to learn, and to share what I know, outside the Geek arena with those not so savvy. Thanks for today’s tip; I have friends/family who get those “you are Infected” messages and infect themselves. When I use a live CD to boot I look for the unknown/suspicious entries on the system drive. My method is called zFile. I try to rename the file with a z in front. It then drops to the bottom of the list. If it turns out to be legit I can remove the z and it goes right back where it belongs. Thanks for the daily tips :)

  4. Andy

    ” SysInternals (recently acquired by Microsoft)” — Recently? Sysinternals were acquired by Microsoft in 2006!

    Anyway…good advice, autoruns is great for clearing up malware!

    Probably worth mentioning though that Autoruns is best used in safe mode. If the malware exhibits rootkit behaviour and hides itself then it won’t show up in the list whereas it’s more likely to in safe mode (though rootkits can still hide in safemode!)

  5. Me

    Why download something else when you already have MSCONFIG? Just go to the startup tab and uncheck the items that were discussed in this article.

  6. Mark Virtue

    Thanks “Me”. Autoruns detects many more programs and DLLs that are set to automatically start than MSCONFIG.

  7. Camilo Martin

    That’s why it’s better to keep files in different drives/partitions and then FORMAT C:\

    lol

  8. Zoli Idt

    Last time I cured an infected machine with CCleaner.
    It had been infected with the Personal Security rogue antivirus, and it was so aggressive it didn’t allow me to run anything. No cmd, msconfig, taskmgr, folder options, taskkill, nothing at all. Just Internet Explorer, and the native processes which start with Windows (it took me some time before I realised that).

    What I did was download CCleaner portable, rename the executable to explorer.exe, and start it like that. I deleted psecurity.exe from the startup list, restarted the machine and it worked :) Then I cleaned that computer from viruses.

  9. Camilo Martin

    @Zoli
    Very smart idea to rename the program!

  10. Hawk

    The great problem is the Conficker virus/worm/whatever. It hides in services and uses names very similar to the OS’s.

  11. Hawk

    The big problem is with the virus Conficker. He lurks in the system services by using names very similar to the OS.

  12. Kevin

    @zoli:

    I just did something similar last night, when my father’s computer got hit by AV Security Suite. I already had CCleaner on there, and the computer was really slow (it’s 6 years old), so it took a couple of minutes for the virus to activate. So I went into CCleaner, and disabled (what I thought was) the startup key, rebooted in safe mode, and then used MalwareBytes to hammer it flat. I then told him that it’s time for a new computer, since this is about the tenth time this has happened.
