SEARCH

How-To Geek

Lesson 6: Using Autoruns to Deal with Startup Processes and Malware

Logon

This tab checks all of the “normal” locations in Windows for things to automatically be loaded, including the Registry’s Run and RunOnce keys, the Start Menu… and a lot of other places. As it turns out, there are 43 different “normal” places that software can insert itself to start up automatically at logon or logoff. No wonder there are such huge malware, crapware, and spyware problems in Windows!

Our advice: liberally uncheck everything  you don’t need. You can always re-enable it if you want.

Explorer

This tab lists all of the add-on components that can load themselves into Windows Explorer. Since we didn’t have any to illustrate on our test system, we won’t show you a screenshot, but these will largely be context menu add-ons and other things like that.

If you are experiencing slow performance when browsing files, using the context menu, or just all around Windows, this is a likely culprit. You can disable anything you feel like here, though you might lose some functionality for certain applications.

Internet Explorer

This tab is immensely useful when working on other people’s computers, since they are much more likely to be using Internet Explorer than our readers are. This tab lists out all of the browser extensions, toolbars, and browser helper objects that are usually used by malware to either spy on you or show you ads. We’d recommend unchecking just about every single thing you see.

Scheduled Tasks

This is one of the trickiest ways that malware is hiding itself these days. Rather than hide using any of the places that people know to look for, the malware creates a scheduled task to reinstall itself, show ads, or do all sorts of nefarious things. The problem is compounded by how confusing the Task Scheduler can be, so most people would never even know to look here. Thankfully Autoruns makes this one easy.

We’d recommend removing almost everything that you don’t recognize and definitely isn’t from Microsoft. This is one example where using the Verify Code Signatures option is really useful.

Services

After tasks, one of the most common and insidious places that malware is hiding itself these days is by registering a Service in Windows, or in some cases, by creating a service that helps make sure that the other malware processes are still running.

You’ll want to be a little more careful when disabling things on this tab, as some things may be legit and necessary. In the screenshot below, you’ll see some Google, Microsoft, and Mozilla services that are just fine. While it wouldn’t be a big deal if we disabled them, it is still worth doing some extra research before disabling things, unless you have identified it as crapware or malware already.

Drivers

Believe it or not, but some crapware and malware makers have actually created device drivers that contained malware or very sketchy components that spy on you. After our test machine was infected with a bunch of crapware, we noticed that this driver showed up attached to one of them. We’re still not quite sure what it does, but given how it got there, it probably isn’t anything good.

You’ll definitely want to be much more careful on this screen. Disabling the wrong drivers can break your computer, so do your research, right-click on each of them and search online, and only disable something if it is most likely tied to spyware. In the example below, we had already identified the folder in the Image Path for the highlighted row as being crapware, so it was logical to disable it.

Codecs

These are libraries of code that are used to handle media playback for videos or audio, and unfortunately they have been abused by malware as a way to automatically start on the computer. You can disable them here if necessary.

Boot Execute

This one you probably won’t have to deal with, but it is used for things that start up during system boot, like when you schedule a hard drive check to happen at boot time since it can’t happen while Windows is actually loaded.

Image Hijack

If you read our second lesson about Process Explorer, you would have learned that you can replace Task Manager with Process Explorer, but you probably had no idea how this actually happens, much less that malware can and does use the same technique to hijack applications on your computer.

You can  set a number of  settings in the registry that control how  things are loaded, including hijacking all executables and running them through another process, or even assigning a “debugger” to any executable — even if that application is not a debugger.

Essentially, you can assign values in the registry so that if you try to load notepad.exe, it will load calc.exe instead. Or any application can be swapped out and replaced with another application. This is one of the ways that malware blocks you from loading MalwareBytes or other anti-malware tools.

You can see it for yourself — on the left-hand side is the name of the executable, and on the right-hand side the “Debugger” key is set to the instance of Process Explorer that is running off my desktop. But you can change that to anything you want on either side and it will work. It would probably make a great prank that almost nobody would ever be able to figure out.

If you see anything in the Image Hijacks tab other than the values for Process Explorer, you should immediately disable them.

AppInit 

In yet another example of why Windows has so much crapware and spyware, the AppInit_dlls entries in the registry are surprising and amazing. At some point Microsoft wrote a feature into Windows that loads all DLL files listed in a particular registry key… into every single process that starts.

Well, technically, whenever an application loads the Windows user32.dll library, it checks the value of the registry key and then loads any of the DLLs found in the list into the process, allowing every application to be hijacked by malware.

In Windows Vista and later versions, they finally decided to lock this down a little bit by requiring that the DLLs be digitally signed… unless the RequireSignedAppInit_DLLs key is set to 0, which makes Windows still load them anyway. As you can imagine, malware has taken advantage of this, as you can see in the example below.

Remember back in lesson 3 when we showed you how Conduit was hijacking and inserting its DLL files into your browser’s processes? This is how that was done. You can see the spvc64loader.dll in the screenshot above, which was then used to load up the SPVC64.dll file into the browser.

Evil.

KnownDLLs

This key makes sure that Windows uses a particular version of a DLL file. For the most part you won’t need to worry about it unless malware has messed with this list — the primary goal of using this tab is just to make sure that everything listed there is really a verified Windows component, which is pretty easy.

Winlogon, Winsock Providers, Print Monitors, LSA Providers, Network Providers

You shouldn’t usually have to worry about these tabs, as they simply contain add-ons that extend various aspects of Windows – the Winlogon and LSA tap into the logon and authentication system, Winsock and Network handle networking, and Print Monitors are third-party applications that deal with your printer.

If you do have values in these tabs, it is worthwhile to investigate before disabling them. It is certainly possible for malware to hijack these things.

Sidebar Gadgets

If you have any sidebar gadgets in Vista or Windows 7, you will see them here, and you can disable them if you’d like.

Next Lesson

That’s it for Autoruns, but stay tuned tomorrow when we teach you about Bginfo and displaying system information on your desktop.

    Continue Reading »
  • Prev
  • 1
  • 2

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis. You can follow him on if you'd like.

  • Published 03/31/14

Enter Your Email Here to Get Access for Free:

Go check your email!