Microsoft Autoruns v13.2 released

[Xircal]

Autoruns is a handy tool to check every executable which runs on startup including malware which has been inadvertently installed on the machine.

Since it's a portable file, there's no need to install it. Just run it anytime you want. If you want to make changes to the PC, right click autoruns.exe and choose "Run as administrator".

When you run Autoruns the first time, I suggest you click "Options", go to "Scan Options" and then checkmark "VirusTotal.com" before you go any further. Then close the program and then reopen it as Administrator".

When Autoruns reopens again, you'll see an extra column called "VirusTotal" appear. Initially, it will read "Hash submitted", but gradually, these will change to a link with a number of digits. These represent the number of scanners the file was submitted to and the result. For example. "0/57" means the file was scanned by 57 anti-virus scanners and none of them found anything suspicious.

Sometimes, you'll see 1/57 where a single AV scanner seems to think the file might be infected, or that it's malware. To check further, click the link which will take you to the results. Usually, you'll find that the AV scanner which detected the file as being malicious is some obscure scanner from Albania or somewhere like that and can be safely ignored.

If Autoruns detects an entry as suspicious, it will be flagged with a pink background. To check any of these you see, right click the entry and choose "Check online". That will launch whichever browser and search engine you use and pinpoint that particular entry after which you can investigate further. Generally speaking, I tend to use Bleeping Computer if it appears in the search engine list since it provides the most comprehensive information available. Here's an example of one I found today: http://www.bleepingcomputer.com/startups/igfxtray.exe-2147.html

To prevent a program from loading on startup, remove the checkmark to the left of its entry in Autoruns.

Entries for which the executable cannot be found are marked with a light green background. These are generally applications which have been uninstalled, but which have left their registry entries intact. If you decide to delete those, I would advise you to first of all remove the checkmark in Autoruns and then reboot the computer. If everything continues to function normally, you can safely delete the Registry entry (right click, go to "Jump to entry".) Personally though, I prefer to just leave these unchecked in Autoruns.

Right click an entry and choose "Jump to image" to take you to the file you're looking at in Autoruns. I mention this because some files may be identified online as malicious when in fact, they're just part of the application which is installed. A good indicator is the case. For example "UPDATER.EXE" is a virus while "updater.exe" is an genuine executable installed with Acer laptops. Looking at the "Properties" for the file can usually point to whether it's suspicious or not. You can also check that from within Autoruns by using the same context menu.

Download Autoruns from here: https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx?f=255&MSPPError=-2147217396

The download includes autorunssc.exe. This is the command line version of the same tool. Most users won't need it though.

[Chicog]

They released a new version of EMET too.

[Xircal]

They released a new version of EMET too.

Are you using it yourself?

[Chicog]

I've installed it on Win 10 using defaults. Needs testing before I roll it out to a couple of thousand desktops though!

[Xircal]

You might want to forget about then. There's an exploit on the web which bypasses even v5.2

[Chicog]

You might want to forget about then. There's an exploit on the web which bypasses even v5.2

Bloody hell they're crap aren't they.

Does it need local access though?

[MikeWill]

When Autoruns reopens again, you'll see an extra column called "VirusTotal" appear. Initially, it will read "Hash submitted", but gradually, these will change to a link with a number of digits. These represent the number of scanners the file was submitted to and the result. For example. "0/57" means the file was scanned by 57 anti-virus scanners and none of them found anything suspicious.

Virus Total shows first "Hash submitted" and then "The operation timed out".

Also my background colors are: violet, pink and yellow.

Yellow background indicates that the File not found. I unchecked them (and will see what happens).

I'm not sure what are others colors for. Registry entries are colored Violet.