Clean Infected PC with Autoruns - Manual Removal Guide

Manual Malware Removal with Autoruns
Numerous anti-malware solutions are available to cleanse a compromised system. However, situations arise where utilizing such programs isn't feasible. In these instances, Autoruns, a utility from SysInternals – now a part of Microsoft – proves essential for manual malware eradication.
Why Manual Removal?
There are several reasons why manually removing viruses and spyware might be necessary. These can include situations where the malware interferes with anti-malware software operation, or when a system is severely compromised and standard tools are ineffective.
Understanding Autoruns
Autoruns is a crucial component for any technically proficient user’s software arsenal. It provides the ability to monitor and manage all programs, and their associated components, that automatically launch upon Windows startup, or when Internet Explorer is initiated.
Given that the vast majority of malware is engineered to initiate automatically, Autoruns offers a strong likelihood of detecting and eliminating such threats. A previous article detailed how to effectively use Autoruns; reviewing it is recommended for those unfamiliar with the program.
This is a standalone application, requiring no installation. Simply download, extract the files, and execute it. This portability makes it ideal for inclusion in a flash drive-based utility collection.
Upon the initial launch of Autoruns, a license agreement is presented. Accepting the terms grants access to the main window, displaying a comprehensive list of software configured to run during system startup, user login, or Internet Explorer’s launch.
Disabling and Deleting Entries
To temporarily prevent a program from launching, simply deselect the checkbox adjacent to its entry. It’s important to note that this action does not terminate a program if it is already running; it only prevents its automatic startup on subsequent boots.
For permanent prevention, delete the entry entirely using the Delete key or by right-clicking and selecting Delete from the context menu. Deleting an entry does not uninstall the program from your computer; a separate uninstall process or direct file deletion is required for complete removal.
Identifying Suspicious Software
Determining which entries represent malware requires experience. Most entries within Autoruns are legitimate, even if their names are unfamiliar. Here are some guidelines to help distinguish malicious software:
- Search Online: When in doubt, right-click an entry and select Search Online... to research its purpose.
In the article's example, two entries, Diskfix and SearchHelper, stand out as potentially suspicious.
Entries of this kind are typical of malware infections.
Double-clicking an item in Autoruns jumps to its corresponding registry key, where the entry can be inspected before you act on it.
Removing Identified Malware
After identifying potentially malicious entries, you have several options:
- Disable the entry.
- Delete the entry.
- Investigate further before taking action.
To verify the success of your changes, reboot your system and check the following:
- Event Viewer for errors.
- System performance for improvements.
- The Autoruns list for re-appearing entries.
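As an added example that is not part of the article and not a Sysinternals script, the following PowerShell automates two of the checks described here with autorunsc.exe, the command-line companion to Autoruns: it exports every entry to CSV with signature verification and file hashes, lists entries with unverified signatures, missing image files or user-writable paths as candidates for the manual review described under Identifying Suspicious Software, and compares a post-reboot export against the baseline to surface re-appearing entries. The autorunsc.exe location, the output file names and the CSV column names (those of the autorunsc version I am assuming) are assumptions; check the header line of your own export.

```powershell
# Added example (not from the article): export Autoruns data via its
# command-line companion autorunsc.exe, flag entries worth a closer look,
# and diff a post-reboot snapshot against the baseline to catch entries that
# came back. Assumed: autorunsc.exe is beside this script and the CSV header
# matches the autorunsc version in use (check the file's first line).
$Autorunsc = Join-Path $PSScriptRoot 'autorunsc.exe'
function Get-AutorunsSnapshot {
    param([string]$OutFile)
    # -a * every location, -c CSV, -h file hashes, -s verify signatures. Run
    # elevated to see all locations; Import-Csv honours the file's BOM.
    Start-Process -FilePath $Autorunsc -NoNewWindow -Wait -RedirectStandardOutput $OutFile `
        -ArgumentList '-accepteula', '-nobanner', '-a', '*', '-c', '-h', '-s'
    Import-Csv -Path $OutFile
}

function Select-SuspectEntries {
    param([object[]]$Entries)
    # Startup programs living in user-writable folders deserve a second look.
    $userWritable = '*\AppData\*', '*\Temp\*', '*\ProgramData\*', '*\Users\Public\*'
    foreach ($e in $Entries) {
        $reasons = @()
        if ($e.Signer -notlike '(Verified)*')        { $reasons += 'signature not verified' }
        if ($e.'Image Path' -like 'File not found*') { $reasons += 'image file missing' }
        foreach ($p in $userWritable) { if ($e.'Image Path' -like $p) { $reasons += 'user-writable path'; break } }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Location = $e.'Entry Location'; Entry   = $e.Entry
                Image    = $e.'Image Path';     Signer  = $e.Signer
                SHA256   = $e.'SHA-256';        Reasons = $reasons -join ', '
            }
        }
    }
}

function Compare-AutorunsSnapshots {
    param([object[]]$Before, [object[]]$After)
    # Key on location, entry name, image path and hash: a key present only
    # in $After is a recreated entry or a replaced binary at the same path.
    $key = { "$($_.'Entry Location')|$($_.Entry)|$($_.'Image Path')|$($_.'SHA-256')" }
    Compare-Object @($Before | ForEach-Object -Process $key) @($After | ForEach-Object -Process $key) |
        Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object { $_.InputObject }
}

# Baseline now, clean up in the Autoruns GUI, reboot, then run the compare.
$before = Get-AutorunsSnapshot -OutFile "$env:TEMP\autoruns-before.csv"
Select-SuspectEntries -Entries $before | Format-Table -AutoSize
# After the reboot, in a new session:
#   $before = Import-Csv "$env:TEMP\autoruns-before.csv"
#   $after  = Get-AutorunsSnapshot -OutFile "$env:TEMP\autoruns-after.csv"
#   Compare-AutorunsSnapshots -Before $before -After $after
```

Anything the compare prints after the reboot is either a recreated entry or a changed binary at a known path, which is exactly the re-appearance the list above tells you to look for.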
Conclusion
This method is best suited for advanced users. While a robust antivirus application is typically sufficient, Autoruns serves as a valuable addition to your anti-malware toolkit when other solutions fail.
Be aware that some malware is particularly resilient. Multiple iterations of the outlined steps may be necessary, requiring careful examination of each Autorun entry. Malware may also attempt to recreate deleted entries. In such cases, more aggressive measures, including terminating infected processes, may be required.
A future article will detail how to identify, locate, and terminate processes running infected DLLs, enabling their subsequent deletion. Download Autoruns from SysInternals.