How to use Autoruns to Manually Clean an Infected PC

Autoruns shows which programs Windows runs automatically at startup or login, such as those in the "Startup" folder and the related registry keys, and lets the user selectively disable or remove them. It also covers Windows Explorer shell extensions (such as right-click context-menu handlers), Internet Explorer add-ons (such as toolbar extensions), system services and device drivers, scheduled tasks and many other auto-start locations. Autoruns, from SysInternals (recently acquired by Microsoft), is indispensable when removing malware manually.

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys.

You may need to remove viruses and spyware manually for these reasons:


1. You might need to clean your mom's computer (or someone else who doesn't understand that a big flashing sign on a website that says "Your computer is infected with a virus click HERE to remove it" is not a message that can necessarily be trusted)

2. Part of your geek credo is the belief that anti-spyware utilities are for wimps

3. The malware is so aggressive that it resists all attempts to automatically remove it, or won't even allow you to install anti-malware software

4. Perhaps you can't abide running resource-hungry and invasive anti-malware programs on your PC

Autoruns is a standalone utility that does not need to be installed on your computer. It can simply be downloaded, unzipped and run (link below). This makes it ideally suited to adding to your portable utility collection on your flash drive.

Autoruns is an invaluable addition to any geek's software toolkit. It allows you to track and control all programs (and program components) that start automatically with Windows (or with Internet Explorer). Virtually all malware is designed to start automatically, so there's a very strong chance that it can be detected and removed with the help of Autoruns.

When you start Autoruns for the first time on a computer, you are presented with the license agreement:

After agreeing to the terms, the main Autoruns window opens, showing you the complete list of all software that will run when your computer starts, when you log in, or when you open Internet Explorer:

To temporarily disable a program from launching, uncheck the box next to its entry. Note: this does not terminate the program if it is running at the time; it merely prevents it from starting next time. To permanently prevent a program from launching, delete the entry altogether (use the Delete key, or right-click and choose Delete from the context menu). Note: this does not remove the program from your computer; to remove it completely you need to uninstall the program (or otherwise delete it from your hard disk).

Removing the Malware

Once you've identified the entries you believe to be suspicious, you now need to decide what you want to do with them. Your choices include:

1. Locate the running process (using Task Manager or similar) and terminate it

2. Permanently delete the Autorun entry

3. Temporarily disable the Autorun entry

4. Delete the EXE or DLL file from your disk (or at least move it to a folder where it won't be automatically started)

or all of the above, depending upon how certain you are that the program is malware.

To see if your changes succeeded, you will need to reboot your machine, and check any or all of the following:

1. Task Manager (or similar) to see if the program was started again after the reboot

2. Autoruns to see if the entry has returned

3. Check the behavior that led you to believe that your PC was infected in the first place. If it's no longer happening, chances are that your PC is now clean

Suspicious Software

It can take a fair bit of experience (read "trial and error") to become adept at identifying what is malware and what is not. Most of the entries presented in Autoruns are legitimate programs, even if their names are unfamiliar to you. Here are some tips to help you differentiate the malware from the legitimate software:

1. If you recognize the software's name, then it's usually okay. Note that occasionally malware will "impersonate" legitimate software by adopting a name that's identical or similar to software you're familiar with (e.g. "AcrobatLauncher" or "PhotoshopBrowser"). Also, be aware that many malware programs adopt generic or innocuous-sounding names, such as "Diskfix" or "SearchHelper" (both mentioned below).

2. If an entry is digitally signed by a software publisher (i.e. there's an entry in the Publisher column) or has a "Description", then there's a good chance that it's legitimate

3. Malware often only has a generic icon (to the left of the name of the entry)

4. If you open the folder that contains the EXE or DLL file (more on this below) and examine the "last modified" date, the dates are often from the last few days (assuming that your infection is fairly recent)

5. Malware is often located in the C:\Windows folder or the C:\Windows\System32 folder

6. Malware entries usually appear on the Logon tab of Autoruns (but not always!)

The list below shows two suspicious-looking entries: Diskfix and SearchHelper

These entries, highlighted above, are fairly typical of malware infections:

1. The files are located in C:\Windows\System32

2. They have generic names

3. If you look in the C:\Windows\System32 folder and locate the files, you'll see that they are some of the most recently modified files in the folder (see below)

4. They have neither descriptions nor publishers

5. The filenames are random strings of characters

6. They have generic icons
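As an added example that is not part of the article, the following PowerShell script applies the "Suspicious Software" tips and the traits listed above to the Run/RunOnce registry keys the article mentions, and reports each entry with the reasons it looks suspicious. It assumes Windows PowerShell 5.1 or later and an elevated prompt (for the HKLM keys); the seven-day window and the "random-looking name" pattern are my own rough choices, not values from the article.

```powershell
# Added triage script (not from the article): lists Run/RunOnce autostart entries and
# flags each with the article's heuristics. Assumes Windows PowerShell 5.1+, elevated for HKLM.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Bookkeeping properties Get-ItemProperty adds; they are not autostart values.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ImagePath([string]$LaunchString) {
    # Recover the program file from a launch string such as
    # "C:\Windows\System32\diskfix.exe" /silent   or   rundll32.exe x.dll,Run
    $s = [Environment]::ExpandEnvironmentVariables($LaunchString.Trim())
    if ($s -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($s -match '^(.+?\.(exe|dll|cmd|bat|vbs|js))(\s|$)') { $p = $Matches[1] }
    else { $p = ($s -split '\s+')[0] }
    if ($p -and -not [IO.Path]::IsPathRooted($p)) {   # bare name: resolve through PATH
        $cmd = Get-Command $p -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd -and $cmd.Source) { $p = $cmd.Source }
    }
    return $p
}

function Get-SuspiciousAutoruns([int]$RecentDays = 7) {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = (Get-ItemProperty -Path $key).PSObject.Properties |
                  Where-Object { $MetaProps -notcontains $_.Name }
        foreach ($v in $values) {
            $image = Get-ImagePath ([string]$v.Value)
            $reasons = @()
            if ([string]::IsNullOrEmpty($image) -or -not (Test-Path -LiteralPath $image -PathType Leaf)) {
                $reasons += 'image file not found'
            } else {
                $file = Get-Item -LiteralPath $image
                $sig  = Get-AuthenticodeSignature -FilePath $image
                if ($sig.Status -ne 'Valid') { $reasons += "no valid signature ($($sig.Status))" }
                if (-not $file.VersionInfo.FileDescription) { $reasons += 'no description' }
                if ($file.LastWriteTime -gt (Get-Date).AddDays(-$RecentDays)) { $reasons += "modified in last $RecentDays days" }
                if ($file.DirectoryName -in @("$env:SystemRoot", "$env:SystemRoot\System32")) { $reasons += 'lives in Windows or System32' }
                # Crude "random string" test: 6+ chars with no vowels, or letters mixed with digits
                if ($file.BaseName -match '^(?:[bcdfghjklmnpqrstvwxz]{6,}|(?=.*\d)(?=.*[a-z])[a-z0-9]{6,})$') { $reasons += 'random-looking name' }
            }
            [pscustomobject]@{ Key = $key; Entry = $v.Name; Image = $image
                               Score = $reasons.Count; Reasons = ($reasons -join '; ') }
        }
    }
}
Get-SuspiciousAutoruns | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

The script only reports; a high score is a prompt to look closer (publisher, date, location), not proof of infection, and disabling or deleting an entry is still done in Autoruns as described above.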

Double-clicking on the items will take you to their corresponding registry keys:

Conclusion

Keep in mind that some malware is harder to remove than others. Sometimes you need several iterations of the steps above, with each iteration requiring you to look more carefully at each Autorun entry. Sometimes the instant that you remove the Autorun entry, the malware that is running replaces the entry. When this happens, we need to become more aggressive in our assassination of the malware, including terminating programs (even legitimate programs like Explorer.exe) that are infected with malware DLLs.

This solution isn't for everyone and is most likely geared to advanced users. Usually a quality antivirus application does the trick, but if not, Autoruns is a valuable tool in your anti-malware kit.


You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows.

If you have questions after reading this article, you can visit the original article at:

http://www.pcwatch.com/Windows-7-tips/How-to-use-Autoruns-to-Manually-Clean-an-Infected-PC.html
