Ken said:
Recently, several programs have begun running at startup. I've tried several
times to delete them, but every time I delete them they just come back. I
can't get rid of them. I've never seen anything like it. One of the programs
that runs all the time is system restore. There doesn't seem to be any
relationship that I can tell between the programs that are now starting
up. I have Norton Antivirus, and that hasn't detected anything over the past
several weeks.
Knowing how programs start automatically is perhaps one of the most
important things to learn about Windows (except for extremely isolated
computers), since XP is so vulnerable. Almost all trojans/viruses
exploit this. And NAV is not a perfect solution.
You need to know how to learn what is installed, of course, and then you
need to know how to remove them.
Here are the minimal necessary things to master (some of these things
may be obvious to people here; to novices, they may not be). Oh, and I'm
not saying to do these things in order to fix your particular problem; I am
saying that understanding these things will enable you to fix things
yourself.
1. Add/Remove Programs
An obvious starting point which should be examined by every user. Every
user should look over the list of items and figure out whether or not
they are what they purport to be. Some will be obvious, some not. But if
you want to gain control over XP it is required to understand what shows
up here.
All legitimate programs that show up here (and all should) can be
removed this way (most even will have an uninstall entry in the start
menu).
Even some nefarious programs like Browser hijackers actually have
working un-installs. Some, during un-install will redirect you to a
website (spawning IE) and ask for more information. Spyware does this
all the time.
2. MSCONFIG
Start -> Run -> MSCONFIG
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q310560&ID=KB;EN-US;q310560
Some will say to not use this. However, it works about 90% of the time
to stop programs from automatically starting that do not have entries in
Add/Remove Programs. Idiot device MFGs do this for things like sound
cards and video cards.
3. HIJACKTHIS
One of the BEST helper programs there is. A must have program for all
Windows users. Like MSCONFIG but better. Once one understands the first
two steps above, figuring out Hijackthis is easy. Well, easier. There
are several things that Hijackthis can do to disable a system!
(For example, on a Windows 2000 system a couple of years ago I ignorantly
stopped a program called USERINIT.EXE from running by deleting a
registry key -- note this: I DELETED ONE REGISTRY KEY. I think it was
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit or
something. Well, if you do this Windows WILL NOT LET YOU LOGON. How's
that for a vulnerability. Later versions of HJT do not let this happen,
I believe, although I have actually not needed to run it on W2K for quite
some time.)
(Oh yeah, HJT causes millions of people to expose how horrible the XP
start up processes are on most XP computers! See also this link for a
definition of the term, Craputer:
http://www.cexx.org/craputer.htm)
4. AUTORUNS
Another great tool to fix and tweak XP. Has HJT features and more.
(I'll just mention a little about these utilities. Perhaps more later, huh?)
5. FILEMON.EXE, REGMON.EXE
These are two invaluable programs to watch what programs are doing.
These are a must have for process hacking.
Well, that's enough talking for now. There is obviously much more to say.
In the mean time, if you can, keep your eye on Mark's Sysinternals Blog
http://www.sysinternals.com/Blog/
Here is a fascinating story:
http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.htm
P.S.
As always, understand what you are doing before messing with registry
entries that can prevent Windows from loading properly! There are many
of them!
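As an added example (not part of the post above, and not code from MSCONFIG, HijackThis or Autoruns), the following PowerShell script walks the same auto-start locations those tools show: the Run/RunOnce keys, the Startup folders, the Winlogon Userinit/Shell values the post warns about, and auto-start services. It assumes an elevated PowerShell 3 or later on Windows 7 or newer (the post is XP-era, but the locations are the same), and it assumes the stock Windows defaults for Userinit and Shell; the baseline file path is the caller's choice. The snapshot/compare pair is what you want for "they come back": save a baseline, then re-run after a reboot to see exactly which entry reappeared and where.

```powershell
# Added example: enumerate Windows auto-start locations and diff them against
# a saved baseline. Assumes elevated PowerShell 3+, Windows 7 or later.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyEntries {
    # One object per value under each Run/RunOnce key that exists on this box.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath etc. are not registry values
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user and all-users Startup folders (anything here runs at logon).
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f -File | ForEach-Object {
            [pscustomobject]@{ Location = $f; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Test-WinlogonValues {
    # The post's cautionary tale: a missing Userinit value prevents logon.
    # Expected values are the stock Windows defaults (assumption); anything
    # else is where a hijacker would hook the logon sequence.
    $wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{
        Userinit = "$env:SystemRoot\system32\userinit.exe,"
        Shell    = 'explorer.exe'
    }
    foreach ($name in $expected.Keys) {
        $actual = $wl.$name
        $status = if ($null -eq $actual)                { 'MISSING - logon will break' }
                  elseif ($actual -ieq $expected[$name]) { 'default' }
                  else                                   { 'NON-DEFAULT - inspect' }
        [pscustomobject]@{ Value = $name; Actual = $actual; Status = $status }
    }
}

function Get-SuspiciousAutoServices {
    # Auto-start services whose binary lives outside the Windows or Program Files trees.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Where-Object { $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' } |
        Select-Object Name, StartMode, State, PathName
}

function Save-AutostartBaseline([string]$Path) {
    # Snapshot the Run keys and Startup folders so a later run can be diffed.
    @(Get-RunKeyEntries) + @(Get-StartupFolderEntries) |
        Export-Csv -NoTypeInformation -Path $Path
}

function Compare-AutostartBaseline([string]$Path) {
    # '=>' rows are entries that appeared since the baseline, '<=' rows disappeared.
    $old = Import-Csv -Path $Path
    $new = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries)
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Location, Name, Command
}

# Usage: review everything now, save a baseline, and after the next reboot
# run Compare-AutostartBaseline to see which entry came back.
Get-RunKeyEntries        | Format-Table -AutoSize
Get-StartupFolderEntries | Format-Table -AutoSize
Test-WinlogonValues      | Format-Table -AutoSize
Get-SuspiciousAutoServices | Format-Table -AutoSize
Save-AutostartBaseline -Path "$env:TEMP\autostart-baseline.csv"
```

An entry that is deleted and reappears on the next reboot is being re-created by something that itself starts earlier (a service, a Winlogon hook, or a scheduled task), so the reappearing row from Compare-AutostartBaseline tells you what to look for with Autoruns, and the Winlogon check tells you which values must never simply be deleted.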