There are many anti-malware programs out there that will clean your system of nasties, but what happens if you’re not able to use such a program? Autoruns, from SysInternals (recently acquired by Microsoft), is indispensable when removing malware manually.
There are a few reasons why you may need to remove viruses and spyware manually:
- Perhaps you can’t abide running resource-hungry and invasive anti-malware programs on your PC
- You might need to clean your mom’s computer (or someone else who doesn’t understand that a big flashing sign on a website that says “Your computer is infected with a virus – click HERE to remove it” is not a message that can necessarily be trusted)
- The malware is so aggressive that it resists all attempts to automatically remove it, or won’t even allow you to install anti-malware software
- Part of your geek credo is the belief that anti-spyware utilities are for wimps
Autoruns is an invaluable addition to any geek’s software toolkit. It allows you to track and control all programs (and program components) that start automatically with Windows (or with Internet Explorer). Virtually all malware is designed to start automatically, so there’s a very strong chance that it can be detected and removed with the help of Autoruns.
We have covered how to use Autoruns in an earlier article, which you should read if you need to first familiarize yourself with the program.
Autoruns is a standalone utility that does not need to be installed on your computer. It can be simply downloaded, unzipped and run (link below). This makes is ideally suited for adding to your portable utility collection on your flash drive.
When you start Autoruns for the first time on a computer, you are presented with the license agreement:
After agreeing to the terms, the main Autoruns window opens, showing you the complete list of all software that will run when your computer starts, when you log in, or when you open Internet Explorer:
To temporarily disable a program from launching, uncheck the box next to it’s entry. Note: This does not terminate the program if it is running at the time – it merely prevents it from starting next time. To permanently prevent a program from launching, delete the entry altogether (use the Delete key, or right-click and choose Delete from the context-menu)). Note: This does not remove the program from your computer – to remove it completely you need to uninstall the program (or otherwise delete it from your hard disk).
It can take a fair bit of experience (read “trial and error”) to become adept at identifying what is malware and what is not. Most of the entries presented in Autoruns are legitimate programs, even if their names are unfamiliar to you. Here are some tips to help you differentiate the malware from the legitimate software:
- If an entry is digitally signed by a software publisher (i.e. there’s an entry in the Publisher column) or has a “Description”, then there’s a good chance that it’s legitimate
- If you recognize the software’s name, then it’s usually okay. Note that occasionally malware will “impersonate” legitimate software, but adopting a name that’s identical or similar to software you’re familiar with (e.g. “AcrobatLauncher” or “PhotoshopBrowser”). Also, be aware that many malware programs adopt generic or innocuous-sounding names, such as “Diskfix” or “SearchHelper” (both mentioned below).
- Malware entries usually appear on the Logon tab of Autoruns (but not always!)
- If you open up the folder that contains the EXE or DLL file (more on this below), an examine the “last modified” date, the dates are often from the last few days (assuming that your infection is fairly recent)
- Malware is often located in the C:\Windows folder or the C:\Windows\System32 folder
- Malware often only has a generic icon (to the left of the name of the entry)
If in doubt, right-click the entry and select Search Online…
The list below shows two suspicious looking entries: Diskfix and SearchHelper
These entries, highlighted above, are fairly typical of malware infections:
- They have neither descriptions nor publishers
- They have generic names
- The files are located in C:\Windows\System32
- They have generic icons
- The filenames are random strings of characters
- If you look in the C:\Windows\System32 folder and locate the files, you’ll see that they are some of the most recently modified files in the folder (see below)
Double-clicking on the items will take you to their corresponding registry keys:
Removing the Malware
Once you’ve identified the entries you believe to be suspicious, you now need to decide what you want to do with them. Your choices include:
- Temporarily disable the Autorun entry
- Permanently delete the Autorun entry
- Locate the running process (using Task Manager or similar) and terminating it
- Delete the EXE or DLL file from your disk (or at least move it to a folder where it won’t be automatically started)
or all of the above, depending upon how certain you are that the program is malware.
To see if your changes succeeded, you will need to reboot your machine, and check any or all of the following:
- Autoruns – to see if the entry has returned
- Task Manager (or similar) – to see if the program was started again after the reboot
- Check the behavior that led you to believe that your PC was infected in the first place. If it’s no longer happening, chances are that your PC is now clean
This solution isn’t for everyone and is most likely geared to advanced users. Usually using a quality Antivirus application does the trick, but if not Autoruns is a valuable tool in your Anti-Malware kit.
Keep in mind that some malware is harder to remove than others. Sometimes you need several iterations of the steps above, with each iteration requiring you to look more carefully at each Autorun entry. Sometimes the instant that you remove the Autorun entry, the malware that is running replaces the entry. When this happens, we need to become more aggressive in our assassination of the malware, including terminating programs (even legitimate programs like Explorer.exe) that are infected with malware DLLs.
Shortly we will be publishing an article on how to identify, locate and terminate processes that represent legitimate programs but are running infected DLLs, in order that those DLLs can be deleted from the system.
- Published 03/15/10