Malware is normally designed to remain on a system for as long as possible, so that it can keep stealing information through keylogging, continue spreading to other computers on the network, or sit in a botnet waiting for its master to order a DDoS attack. To stay resident, besides remaining undetected, it has to run automatically whenever Windows boots. One of the ways to discover an infection in Windows is therefore to check the startup locations for suspicious entries.
The most basic method of checking startup items is the built-in System Configuration tool (msconfig.exe), but unfortunately the locations it checks are incomplete, it can be easily disabled through a simple registry hack, and it does not tell you which entries are unsafe. HijackThis used to be a popular tool for analyzing a malware-infected computer and included startup entries in its scan results, but it has since been superseded by most other tools of the same type.
Here are 6 free tools that you can use to analyze startup items, including the tricky locations that aren’t listed in msconfig.
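As an added example that is not code from any tool in this article, the following PowerShell script enumerates several of the startup locations discussed here, including the Winlogon Shell and Userinit values that msconfig does not show, and reports whether each target file exists, whether it is Authenticode-signed and its SHA-256 hash so the entries can be reviewed or looked up. It assumes Windows PowerShell 5.1 or later run from an elevated prompt.

```powershell
# Added example (not code from any tool in this article): report Windows autostart
# entries with target existence, Authenticode status and SHA-256. PowerShell 5.1+, elevated.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Reduce a registry command line to the executable it launches.
function Get-CommandPath([string]$cmd) {
    $s   = $cmd.Trim().TrimEnd(',')                  # Userinit ends with a comma
    $exe = if ($s.StartsWith('"')) { $s.Split('"')[1] } else { ($s -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {   # e.g. Shell = explorer.exe
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found) { $exe = $found.Source }
    }
    return $exe
}
function Get-AutorunEntries {
    $raw = @()
    foreach ($p in (Get-ItemProperty -Path $runKeys -ErrorAction SilentlyContinue)) {
        $key = $p.PSPath -replace '^.*::', ''
        foreach ($n in $p.PSObject.Properties.Name) {
            if ($n -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            $raw += [pscustomobject]@{ Location = $key; Name = $n; Command = $p.$n }
        }
    }
    # Winlogon Shell/Userinit are classic hijack points msconfig never shows.
    $wl = Get-ItemProperty -Path $winlogon
    foreach ($n in 'Shell', 'Userinit') {
        $raw += [pscustomobject]@{ Location = $winlogon; Name = $n; Command = $wl.$n }
    }
    # Per-user and all-users Startup folders.
    $dirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($f in (Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue)) {
        $raw += [pscustomobject]@{ Location = $f.DirectoryName; Name = $f.Name; Command = $f.FullName }
    }
    foreach ($e in $raw) {
        $path   = Get-CommandPath $e.Command
        $exists = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)  # false = "file not found"
        [pscustomobject]@{
            Location = $e.Location; Name = $e.Name; Target = $path; Exists = $exists
            Signature = if ($exists) { [string](Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            SHA256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { 'n/a' }
        }
    }
}
Get-AutorunEntries | Sort-Object Exists, Signature | Format-Table -AutoSize -Wrap
```

Entries whose target is missing or whose signature status is not Valid are the ones worth checking first, in the same spirit as the color coding the tools below apply.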
1. HiJackFree
HiJackFree is a free system analysis tool from Emsisoft, the maker of the popular Anti-Malware software, intended for advanced users to detect and remove malware from the computer. To check for startup entries, click Autoruns in the left sidebar, which lists the items started through each of the different startup methods. What we really liked about HiJackFree is that it tries to automatically determine whether an entry is safe or unsafe and labels it with color coding for easier identification.
If you have an active Internet connection, you can click the refresh icon at the top right, which shows “Refresh data online automatically” when you hover over it. This checks the startup items against the latest data to provide a more accurate and up to date analysis. You can temporarily stop an item from starting by unchecking its checkbox, and you can also edit, delete and even add new startup entries. The Services tab is also worth checking because it is another startup method, one that lets a program run even before the user has logged in to Windows.
Other than analyzing startup areas, HiJackFree can also show detailed information about running processes, the ports opened by each process, Explorer add-ons, LSPs, HOSTS file entries and installed ActiveX controls on a Windows system. If you would like a report of the HiJackFree analysis, click the Online Analysis button at the top right; a log file is generated and automatically uploaded to Emsisoft’s website for analysis. Once the analysis is complete, the details page opens in your default web browser.
2. Runscanner
Runscanner is a free and portable startup analyzer that comes in two modes, beginner and expert. The beginner mode is meant only to scan and create a log and a “run” file to be reviewed by a malware specialist. In Expert mode you can view all the startup items and also fix them if you find them suspicious. Instead of listing every single startup item, Runscanner makes things easier by listing only the entries that are not in its whitelist. A listed item is not necessarily unsafe; it just requires extra attention to make sure you know where it comes from.
To delete a startup item, double click the entry to place a check mark. Then go to the Item fixer tab, where you can review the items you want to delete. To confirm the deletion, click the Fix selected items button. You can also double click an entry in the Item fixer tab to remove it from the list. Any startup items deleted with Runscanner can be restored from the Extra stuff > History/backups tab.
Runscanner also comes with additional functions to research the loaded modules, a process killer with the ability to delete a file at the next reboot, and uploading of files to VirusTotal to scan them with over 40 different antivirus engines.
3. Autoruns
Autoruns is one of the most popular portable tools for analyzing startup programs in Windows. It was created by Sysinternals, which was acquired by Microsoft. This tool is more for advanced users because it does not have the ability to recognize unsafe or dangerous items. It does use color coding for some items, such as yellow for files that are not found and red for items that have no file property information.
You can temporarily disable a startup entry by unchecking its checkbox. Once you are satisfied that the change is safe, you can permanently delete the entry from the right click context menu. By default it also hides Windows entries to prevent you from wrongly disabling an important startup entry that would stop Windows from booting, because reverting such a change by editing the registry without being able to boot into Windows can be quite a challenge.
4. Online Solutions Autorun Manager
Online Solutions Autorun Manager, OSAM for short, is another startup analyzer that can check the startup entries using its Online Malware Scanner. OSAM’s online malware scanner basically takes the hashes of the processes and compares them with its database. After scanning, a risk level is added to the analysis so you can ignore the safe entries and only pay attention to the unknown ones. There are also items labeled “Up-to-you” which can be either removed or left untouched, as they do not pose any security risk.
Color coding is also used in Online Solutions Autorun Manager, where blue means the file was not found and yellow marks files without property information. Unchecking the checkbox stops the item from starting up. For some unknown reason we were unable to permanently delete startup items because the “Delete from storage” option in the right click context menu was always grayed out. OSAM is available in both installer and portable versions.
5. Silent Runners
Silent Runners is actually a VBScript that simply generates a log file listing the startup items on the system. There is no graphical user interface and no options; running the script writes the log file to the same directory as the script. Startup items that belong to Windows are not included in the listing, and you should take note of the lines containing <<!>> because those launch points are commonly used by malware.
Obviously Silent Runners is not meant for basic users or for removing dubious startup entries. This VBScript proves useful when you are prevented from running executable files.
6. FreeFixer
FreeFixer is a general removal tool that scans not only a number of startup locations but also several other areas of the system where malware could hide. Over 40 different locations are scanned in total, including Browser Helper Objects, Mozilla Firefox/Internet Explorer toolbars and extensions, Autostart shortcuts, Registry startups, Scheduled Tasks, hidden processes, the HOSTS file, System Policies, drivers, services, TCP/IP settings, UserInit, shortcuts, recently created or modified files, Svchost.exe/Explorer.exe modules and many more.
Although the program uses whitelisting to reduce the number of fully legitimate entries appearing in the results list, it makes clear that you still need a certain amount of knowledge to understand what you want to keep and what could be malicious and needs removing. As the scanning is more comprehensive, the operation could take 10 minutes or more to complete, so a little patience is needed. Simply download the setup installer or portable version, run it and press Start Scan.
If there are still entries you don’t understand while reviewing the results, the “more info” link takes you to the online library on the FreeFixer website, where more detailed information can hopefully give you a better idea of what the item is. Tick what you want to remove and then click Fix. There are extra settings to schedule a background scan and to upload files to FreeFixer when you click “more info”, and a file nuker and System File Checker can be found in the Tools window. Windows 2000 to 8.1 are supported.
Editor’s Note: Although the 6 tools we introduced can list and delete startup entries created by third party programs, they are still not foolproof, because there are more advanced types of malware, such as rootkits, that require an anti-rootkit program to detect their presence. Moreover, we have seen a really smart keylogger that only adds its startup entry just before it is terminated while Windows is shutting down, and then automatically removes the startup entry again after it is launched during Windows startup. This method effectively bypasses detection by any of the 5 tools we’ve mentioned above.