autoruns
If I could choose only one MS Windows program to deal with malware - viruses and trojans - autoruns would be it. Mark Russinovich, the principal author, has been stirring the entrails of Microsoft Windows since it arrived on the world's desktops and is arguably the world's leading expert on Windows internals.
Mark sold out to Microsoft and joined their staff after holding Microsoft's feet to the fire for years by exposing unpatched vulnerabilities in Windows and Internet Explorer. Although the voice crying in the wilderness has grown silent, to his credit and Microsoft's, he continues to improve the tools he gave Windows users.
If you are a Windows user of any vintage, go to http://www.filehippo.com/download_autoruns/ and download the latest version. Autoruns is a standalone executable and needs no installation; it is published by Microsoft's Sysinternals group, and their site is the safer place to fetch a security tool from when you can. Run the program by double-clicking autoruns.exe (as an administrator, or the per-machine entries will not all be visible) and wait patiently for the scan to finish. Click Options and make sure Verify Code Signatures and Hide Microsoft Signed Entries are both checked. Verification matters: with it off, hiding "Microsoft" entries would also hide anything that merely claims Microsoft as its publisher. Press F5 to refresh.
You will now have a list of startup entries that come from sources other than Microsoft. Click File, Save As and choose a name incorporating today's date. I use the ISO format yyyymmdd because it sorts properly and I can easily compare changes. Unchecking an item disables its startup; you can also delete the item completely if you desire. In this regard it is like MSConfig, but much more comprehensive.
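The same routine can be scripted with autorunsc.exe, the command-line edition of Autoruns, so that every snapshot is dated and compared automatically. The script below is an added example, not code from the original page or from Sysinternals. It assumes autorunsc.exe sits in C:\Tools\Sysinternals and that snapshots are kept in C:\Baselines\Autoruns (neither path contains spaces); change both to suit, and run it from an elevated PowerShell prompt so per-machine and service entries are visible.

```powershell
# Added example, not code from the original page or from Sysinternals.
# Export today's non-Microsoft autostart entries to an ISO-dated CSV with
# autorunsc.exe, list the ones whose signature did not verify, and diff the
# result against the previous snapshot.
# Assumed paths (change to suit): autorunsc.exe in C:\Tools\Sysinternals and
# C:\Baselines\Autoruns for the snapshots; neither path contains spaces.
$Autorunsc = 'C:\Tools\Sysinternals\autorunsc.exe'
$Dir       = 'C:\Baselines\Autoruns'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

$Today = Get-Date -Format 'yyyyMMdd'        # yyyymmdd, so the files sort by date
$New   = Join-Path $Dir "autoruns-$Today.csv"

# -a * all categories   -c CSV   -h file hashes
# -s verify signatures  -m hide Microsoft entries (only signed ones when -s is set)
# cmd's redirection keeps the tool's own output bytes and byte-order mark intact,
# which PowerShell's pipeline would otherwise re-decode.
cmd.exe /c "$Autorunsc -accepteula -nobanner -a * -c -h -s -m > $New"

function Read-Snapshot {
    param([string]$Path)
    # ReadAllText honours the file's byte-order mark, so the CSV parses
    # whether the tool wrote UTF-8 or UTF-16.
    [IO.File]::ReadAllText($Path) | ConvertFrom-Csv
}

function Get-EntryKey {
    param($Row)
    # Location + entry name + image path identifies one autostart item
    "$($Row.'Entry Location')|$($Row.Entry)|$($Row.'Image Path')"
}

function Get-Signer {
    param($Row)
    # The column is "Signer" in current versions and "Publisher" in older ones
    if ($Row.PSObject.Properties['Signer']) { $Row.Signer } else { $Row.Publisher }
}

$Cur = Read-Snapshot $New

# With -s on, the signer field starts with "(Verified)" or "(Not verified)";
# anything that did not verify is where to start reading.
'=== Entries without a verified signature ==='
$Cur | Where-Object { (Get-Signer $_) -notlike '(Verified)*' } |
    Select-Object 'Entry Location', Entry, 'Image Path',
                  @{ Name = 'Signer'; Expression = { Get-Signer $_ } } |
    Format-Table -AutoSize

# Most recent earlier snapshot, if any
$Prev = Get-ChildItem -Path $Dir -Filter 'autoruns-*.csv' |
    Where-Object { $_.FullName -ne $New } |
    Sort-Object Name | Select-Object -Last 1

if ($Prev) {
    $Old     = Read-Snapshot $Prev.FullName
    $OldKeys = @($Old | ForEach-Object { Get-EntryKey $_ })
    $NewKeys = @($Cur | ForEach-Object { Get-EntryKey $_ })

    "=== Added since $($Prev.Name) ==="
    $Cur | Where-Object { (Get-EntryKey $_) -notin $OldKeys } |
        Select-Object 'Entry Location', Entry, 'Image Path' | Format-Table -AutoSize

    "=== Removed since $($Prev.Name) ==="
    $Old | Where-Object { (Get-EntryKey $_) -notin $NewKeys } |
        Select-Object 'Entry Location', Entry, 'Image Path' | Format-Table -AutoSize
} else {
    "No earlier snapshot in $Dir; $New is now the baseline."
}
```

Run it once on a freshly built machine to establish the baseline, then after every software change or suspected infection; an entry that appears in the "Added" list and lacks a verified signature is the first thing to look up.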
To get an idea of a minimal list, this one comes from a recently reloaded and mildly tuned machine:
Entry Location,Entry,Enabled,Description,Publisher,Image Path,Launch String,...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,IgfxTray,...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,HotKeysCmds,...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,PRONoMgr.exe,...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SunJavaUpdateSched,...
Now comes the hard part. Some of these are useful. For example: igfxTray gives me access to onboard video configuration, PRONotifyMgr access to the onboard NIC, HotKeysCmd access to special key combinations, and SunJavaUpdateSched polls Sun for updates. Frankly I don't need any of them. If your list is long and, after study and searching (which autoruns will help you do: right-click an entry and choose Search Online), you cannot justify the existence of some or all of the entries, you may start disabling and eventually removing items, but only after backing up.
On a recent badly infected machine, I disabled everything except the anti-virus program, after which the machine would not boot normally nor in safe mode. Using the F8 menu, I chose "Use the last known good configuration" and the machine booted normally. At this point Avira Antivir could remove all detected malware. SpyBot removed all but one item in the registry and removed that on reboot with the Internet connection disabled (cable unplugged).
It should be noted that many anti-virus and anti-malware scanners work per user: they only clean the profile of the account that ran them, so they have to be run under each user on the system. One "special" administrative user should be established and all "normal" users changed to a "limited" account type, so that day-to-day browsing and e-mail do not run with the rights needed to install startup entries machine-wide.
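One way to put that account arrangement in place on a current Windows version, as an added example that is not from the original page: keep one designated administrator and demote every other local user to a standard ("limited") account. It assumes the designated admin is a local account named "Admin" (adjust $KeepAdmin) and that the LocalAccounts PowerShell module (Windows 10 / Server 2016 and later) is present; run it elevated.

```powershell
# Added example, not code from the original page. One designated administrator,
# every other local user a standard ("limited") account.
# Assumptions: the admin to keep is a local account named "Admin"; the
# LocalAccounts module (Windows 10 / Server 2016+) is available; run elevated.
$KeepAdmin = 'Admin'
$Computer  = [regex]::Escape($env:COMPUTERNAME)

$Admins = Get-LocalGroupMember -Group 'Administrators'

# Refuse to run unless the account we intend to keep really is an administrator,
# otherwise the loop below could lock everyone out of administration.
if (-not ($Admins | Where-Object { ($_.Name -replace "^$Computer\\", '') -eq $KeepAdmin })) {
    throw "$KeepAdmin is not a member of Administrators; aborting."
}

foreach ($m in $Admins) {
    $name = $m.Name -replace "^$Computer\\", ''
    # Leave domain principals, groups, the designated admin and the built-in
    # Administrator (RID 500) alone; demote local user accounts only.
    if ($m.PrincipalSource -ne 'Local' -or $m.ObjectClass -ne 'User') { continue }
    if ($name -eq $KeepAdmin -or $m.SID.Value -like '*-500') { continue }

    Write-Host "Demoting $name to a standard user"
    Remove-LocalGroupMember -Group 'Administrators' -Member $m
    # A standard account must still be in Users to log on normally
    if (-not (Get-LocalGroupMember -Group 'Users' -Member $m.Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Users' -Member $m
    }
}

Get-LocalGroupMember -Group 'Administrators'   # what remains
```

After this, installing software or editing startup entries prompts for the Admin credentials, which is exactly the friction you want between a user's browser and HKLM\...\Run.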
You are welcome to post questions and logs to the LSNet forum (free) and call for help ($).