Startup Programs: From Where?

[Bongmaster]

This spyware stuff has gotten out of control. We have a mid-sized office with about 80 users and without fail some of these guys wind up with spyware. I can cope with that in general but lately I’ve seen some really nasty stuff that simply won’t go away. My general questions are:

1. From where do these programs load? The only places I know that can launch an application at startup come from the start menu (Start, Programs, Startup) or the registry (HKEY_LOCAL MACHINE, WINDOWS, RUN etc).

2. How does an application that has been disabled through MSCONFIG become enabled again after restarting windows?

[Q.E.D]

1. Additionally, programs can load from AUTOEXEC.BAT, WIN.INI, SYSTEM.INI and the RunOnce key in the Registry. There may be others I overlooked. Some of the more clever ones simply disguise themselves as an authorized program and get launched as a normal part of startup.

2. When this happens, there’s usually another program being launched that checks to see if the main program has been disabled and “fixes” it if it has. Often this watchdog program has some random name.

[RealityChuck]

Some browser hijackers load as BHOs when you open Internet Explorer. In addition, some others use ActiveX objects; they, too, will load when you get online.

In addition, there’s are these methods:

• User style sheet hijack
• AppInit_DLLs Registry value autorun
• ShellServiceObjectDelayLoad (SSODL) autorun Registry key
• SharedTaskScheduler autorun

All are very difficult to track down unless you use hijackthis to identify them.

If you’re going to do this with your company, I’d suggest you learn to use hijackthis. It can identify the culprits very easily. There’s a tutorial at http://aumha.org/a/hjttutor.php. Your best bet when starting out with this is to go to http://www.sysinfo.org to search for the BHO and programs that might be spyware. If they don’t show up, google them: if there’s no matches, it’s a random filename and needs to be removed. If there are matches, see what others are saying about them.

[yoyodyne]

Silent Runners is a script that lists startup programs from every known location.

[GorillaMan]

For this specific problem, Autoruns is perhaps a better start than Hijackthis, simply because it doesn’t list as much information!

[Bongmaster]

Awesome replys, thanks all. I’ve been doing computer support for years now but never comprehensively knew every startup option out there. I’ll check out the links and info, thanks again!

[Musicat]

Q.E.D.:

2. When this happens, there’s usually another program being launched that checks to see if the main program has been disabled and “fixes” it if it has. Often this watchdog program has some random name.

I saw one that went one step further – I spotted two bogus programs running on a system. When each was disabled, it popped up again a few seconds later, since I could only kill one at a time. So one was watching the execution of the other in real time, not just a check at startup.

Cute, but I got that sucker in the end. I have to admire the ingenuity of the authors, though.

[Bongmaster]

Musicat:

I saw one that went one step further – I spotted two bogus programs running on a system. When each was disabled, it popped up again a few seconds later, since I could only kill one at a time. So one was watching the execution of the other in real time, not just a check at startup.

Cute, but I got that sucker in the end. I have to admire the ingenuity of the authors, though.

I find myself in that situation often, it sucks. Thats what prompted this thread…I hated not knowing all the ways a program could launch/repair itself.

Kudos to the posters who included links to those utilities…they work great and gave me an excellent understanding of how this kind of thing happens.