
How to use autoruns


27 replies to this topic

#1 jmk909er

jmk909er

  • Members
  • 11 posts
  • Gender:Male
  • Location:San Diego

Posted 26 February 2015 - 11:15 AM

Hi, I have downloaded Autoruns but I am not sure what to do with it. On the webpage it refers to letter flags, which I don't see anywhere in the utility. I do see items highlighted in yellow and red, but I cannot find any explanation of what this means.

 

Should I uncheck everything that is yellow and red?

 

Any more info about how to use this is appreciated, thanks!


Edited by hamluis, 26 February 2015 - 11:35 AM.
Moved from Win 7 to All Other Apps - Hamluis.




#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 26 February 2015 - 11:19 AM

Hello there,

Lawrence Abrams aka Grinler has an explanation on how to use Sysinternals' Autoruns alongside the Bleeping Computer File Database here.

Regards,
Alex

#3 mikey11

mikey11

  • Members
  • 1,535 posts
  • Gender:Male
  • Location:Psychiatric Ward @ Beelitz-Heilstatten Hospital, Beelitz, Germany

Posted 26 February 2015 - 11:20 AM

Please use extreme caution while using Autoruns; it really is not a program for your average user.

 

One wrong move and you can severely mess up your computer....big time.



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 26 February 2015 - 11:26 AM

Hi jmk909er :)

Under Autoruns, red/pink entries mean that the file associated with these entries is "unsigned"; it doesn't mean that it's malicious, however. As for the yellow entries, it means that the file is "missing" (not at the current location shown in the entry). I wouldn't touch any entries there unless you know exactly what you're doing. If you want me to check your Autoruns file, follow the instructions below.

Start-up Entries - Autoruns
Follow the instructions below to give me an Autoruns log containing your start-up entries:
  • Download Autoruns.zip from the Sysinternals Suite webpage;
  • Extract the content of the Autoruns.zip folder where you want, then go into the folder, right-click on Autoruns.exe and select Run as Administrator;
  • Accept the EULA on opening, then wait for all the entries to load;
  • Click on File then Save and save the file to a location easily accessible;
  • Go on ge.tt and upload the Autoruns file you saved;
  • Once done, post the download URL of your uploaded file in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 jmk909er

jmk909er
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:San Diego

Posted 26 February 2015 - 11:59 AM

Hi jmk909er :)

Under Autoruns, red/pink entries mean that the file associated with these entries is "unsigned"; it doesn't mean that it's malicious, however. As for the yellow entries, it means that the file is "missing" (not at the current location shown in the entry). I wouldn't touch any entries there unless you know exactly what you're doing. If you want me to check your Autoruns file, follow the instructions below.

Start-up Entries - Autoruns
Follow the instructions below to give me an Autoruns log containing your start-up entries:

  • Download Autoruns.zip from the Sysinternals Suite webpage;
  • Extract the content of the Autoruns.zip folder where you want, then go into the folder, right-click on Autoruns.exe and select Run as Administrator;
  • Accept the EULA on opening, then wait for all the entries to load;
  • Click on File then Save and save the file to a location easily accessible;
  • Go on ge.tt and upload the Autoruns file you saved;
  • Once done, post the download URL of your uploaded file in your next reply;

 

Thanks, here is the link: http://ge.tt/5Gji0FB2/v/0?c

Also, I want to let you know that I see a couple of things related to ASUS; this is related to my router, so I probably need to leave these.



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 26 February 2015 - 12:00 PM

Alright let me eat (lunch time) and I'll check this out once I get back to my desk :)
 
Everything looks good to me except for this line:

yyfeapq File not found: System32\drivers\bdhj.sys

It looks like both names were randomly generated; this driver could be a rootkit. Although it's not present on your system anymore, it doesn't mean that when it was, it didn't drop something else. I think that you should get checked by the malware removal team here just in case.

Well it looks like you already have a thread opened on Tweaking.com.

https://www.tweaking.com/forums/index.php?topic=2818.15

Edited by Aura., 26 February 2015 - 12:31 PM.



#7 Condobloke

Condobloke

    Outback Aussie @ 54.2101 N, 0.2906 W


  • Members
  • 6,110 posts
  • Gender:Male

Posted 26 February 2015 - 06:43 PM

Credit : quietman7, Global Moderator
 
Do not take short cuts with Autoruns....READ the 6 links which quietman7 has provided at the bottom of this post.
 
Just so you know...it is not uncommon to encounter errors or issues with programs attempting to open when booting into Windows after a related file that was set to run at startup or as a scheduled task in the registry has been deleted. Windows will try to load that file but cannot locate it since the file may have been removed inadvertently, during the uninstallation of a program or after performing a scan with security tools. However, an associated orphaned registry entry (remnant) still exists and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message.

You need to remove this registry entry or scheduled task so Windows stops searching for the file when it loads. Phantom010 provided one way to do that.

If you're going to keep Autoruns (which I recommend), be careful using it and be sure to read:
-- Note: AutoRuns is a tool for advanced users since it does not have the ability to recognize unsafe or dangerous items...it only displays what it finds.

Condobloke ...Outback Australian  fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3  EXCLUSIVELY.

“A man travels the world in search of what he needs and returns home to find it."

It has been said that time heals all wounds. I don't agree. The wounds remain. Time - the mind, protecting its sanity - covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy


#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,948 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 27 February 2015 - 07:48 PM

For startup items, in most cases "File not found" indicates orphan registry entries still present, but the executables are gone so you can safely delete them. That is not the case for "System 32 Drivers Not Found"...see FAQ: Common Autoruns Issues - #12 Autoruns: System 32 Drivers Not Found which provides information in regards to these "File not found" entries.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#9 jmk909er

jmk909er
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:San Diego

Posted 27 February 2015 - 08:03 PM

For startup items, in most cases "File not found" indicates orphan registry entries still present, but the executables are gone so you can safely delete them. That is not the case for "System 32 Drivers Not Found"...see FAQ: Common Autoruns Issues - #12 Autoruns: System 32 Drivers Not Found which provides information in regards to these "File not found" entries.

Thanks quietman7, I will delete those in the registry and leave the "System 32 Drivers Not Found" alone.

 

What about the one that says "Internet Explorer - File not found"? Should I delete or leave alone?

 

What about the 2 that say file not found for iTunes? Should I delete or leave alone?

 

Thanks, Joe



#10 Phantom010

Phantom010

  • Members
  • 1,022 posts
  • Gender:Male
  • Location:Cyberspace

Posted 27 February 2015 - 08:40 PM

If you're not having any trouble or error messages specifically caused by those missing files, I wouldn't touch anything. It might do more harm than good.



#11 jmk909er

jmk909er
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:San Diego

Posted 27 February 2015 - 09:01 PM

If you're not having any trouble or error messages specifically caused by those missing files, I wouldn't touch anything. It might do more harm than good.

I have made a backup of the registry so I can always restore it, right?



#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,948 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 27 February 2015 - 09:04 PM

I cannot access your log so I cannot see the full description or color code of entries.

Yellow: Indicates "File not found" in the expected location (Image Path). Meaning the startup entry is there, but the file or job it points to doesn’t exist anymore. This coding is not always reliable if the full path is not in Windows Registry entry and even then you should check any subkeys. In most cases these entries are harmless leftovers (remnants) from uninstalled applications...many program uninstallers do not perform an adequate job of completely removing them.

I generally ignore them, so I agree with Phantom010. If you are insistent, leave the Internet Explorer entry alone. The two entries for iTunes can be removed after creating a new restore point/backing up the registry. If something goes awry you can always use System Restore or just reinstall iTunes.

#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 27 February 2015 - 10:08 PM

quietman, your opinion on this orphan entry?

yyfeapq File not found: System32\drivers\bdhj.sys

Looks like a randomly named start-up entry. Although it's missing, it could be part of a past infection that might still be present on the system.



#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,948 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 27 February 2015 - 10:48 PM

It's possible, especially if it was something malicious from a past infection, since a search yields no definitive results. Several McAfee detections (i.e. Generic.dx!bdhj) are the closest hits, but bdhj.sys is not mentioned in the characteristics...only bdhj as part of the name. All other search results look like bogus information from scammy removal sites.

Since we are only looking at a registry entry where the physical file has been removed, it can't be uploaded to confirm anything. Whatever it was, a prior security scan most likely removed it at some point so the orphaned entry is harmless.

For example, TDL4/Max++ Rootkit removal can leave TDLFS file system entries which if found at a later time indicate it was present on the system at some point but the detection is a harmless remnant. The infection was neutralized and no longer a threat since there no longer is a loading point.

I would only recommend further investigation if jmk909er advised he was showing symptoms/signs of infection and that would be to ascertain if anything else is lurking on the system.
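The triage rules the thread converges on (yellow = file missing, pink = unsigned, missing System32\drivers entries deserve a closer look, random-looking names are a warning sign) can be applied to an Autoruns CSV export instead of eyeballing the GUI. This is an added example, not code from the thread or from Sysinternals; it assumes the column layout of an `autorunsc.exe -c` export (trimmed to the columns it uses) and embeds a constructed sample whose first row mirrors the yyfeapq / bdhj.sys entry discussed above.

```python
import csv
import io
import re

# Constructed sample in the column layout of an autorunsc.exe -c CSV export.
# The layout is assumed (trimmed to the columns used here); the yyfeapq / bdhj.sys
# row mirrors the entry discussed in this thread, the other rows are made up.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Signer,Image Path
HKLM\System\CurrentControlSet\Services,yyfeapq,enabled,Drivers,,File not found: System32\drivers\bdhj.sys
HKLM\System\CurrentControlSet\Services,AsusUpdate,enabled,Services,(Verified) ASUSTeK Computer Inc.,c:\program files\asus\asusupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,iTunesHelper,enabled,Logon,,File not found: C:\Program Files\iTunes\iTunesHelper.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,(Not verified) Example Corp,c:\tools\updater.exe
"""

def looks_random(name: str) -> bool:
    """Crude stand-in for the eyeball test used in the thread: flag a purely
    alphabetic name with no vowels, or a short name with 3+ consonants in a row."""
    stem = re.sub(r"\.[a-z0-9]+$", "", name.lower())   # drop a file extension
    if not stem.isalpha():
        return False
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return not re.search(r"[aeiou]", stem) or (len(stem) <= 8 and longest_run >= 3)

def triage(row: dict) -> dict:
    """Map one row to the colour Autoruns would show and to the advice given in
    this thread: yellow = file missing, pink = unsigned, white = signed and present."""
    image, signer = row["Image Path"], row["Signer"]
    missing = image.startswith("File not found:")
    target = image.split(":", 1)[1].strip() if missing else ""
    unsigned = not signer.startswith("(Verified)")
    colour = "yellow" if missing else ("pink" if unsigned else "white")
    if missing and (row["Category"] == "Drivers" or "\\drivers\\" in target.lower()):
        advice = "investigate: missing driver, possible leftover of a past infection"
    elif missing:
        advice = "orphan entry: usually a harmless leftover; take a restore point before removing"
    elif unsigned:
        advice = "unsigned image: not necessarily malicious, verify the file before acting"
    else:
        advice = "signed and present"
    flags = []
    if missing and (looks_random(row["Entry"]) or looks_random(target.rsplit("\\", 1)[-1])):
        flags.append("random-looking name")
    return {"entry": row["Entry"], "colour": colour, "advice": advice, "flags": flags}

def triage_csv(text: str) -> list:
    """Triage every row of an autorunsc CSV export held in a string."""
    return [triage(row) for row in csv.DictReader(io.StringIO(text))]

if __name__ == "__main__":
    for result in triage_csv(SAMPLE_CSV):
        print(f"{result['colour']:6} {result['entry']:14} {result['advice']} {result['flags']}")
```

The name heuristic is only a prompt to look closer, as the thread itself does; the verdict still depends on scans and context, not on the spelling of the entry.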

#15 jmk909er

jmk909er
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:San Diego

Posted 27 February 2015 - 11:00 PM

I tried to restore my registry from the backup I made and it said it could not complete because something was open. Do I need to do it in safe mode?
