Autoruns..How to Disable Startups??

feverfive

I DL'd this utility from Sysinternals, & when I start it, it shows all startup programs. BUT, when I uncheck the box to disable something (IntelWireless LogonNotify DLL under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify), then close Autoruns, the box doesn't stay unchecked--when I re-open Autoruns, the box is checked again. I tried a "save as" but that just creates a .txt file (I store it in a subfolder under the same directory where the Autoruns.exe is stored). What am I missing? My OS is XP SP2.....
 
mosin said:
Maybe I'm the one who is missing something, but if I understand correctly, you want to prevent a program from running automatically at startup? If so, there are a bunch of freeware programs that will fix that. I have never had either of these to fail.



http://www.mlin.net/StartupCPL.shtml

http://www.ccleaner.com/ccdownload.asp
Thanks, I also have mlin's utility installed, but it doesn't show the number of startups (including the one referenced in the OP) that Autoruns does..... CCleaner doesn't show this startup app either.
 
TranquilRed said:
Try running MSConfig...

Doesn't show up in msconfig. And I know I could disable it via a registry edit, but not being able to disable w/ Autoruns (which I've read is so good), is making me question why.
 
feverfive said:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.

that key is a favorite with malware
and the key value could be named almost anything
I wouldn't necessarily think it's legitimate


http://www.google.com/search?q=HKLM...ient=firefox&rls=org.mozilla:en-US:unofficial

whenever a key can't be deleted and reappears my first thoughts are malware
use regedit if it comes back then you're probably infected

is it this ?
http://castlecops.com/o20list-91.html
that would be legit (LgNotify.dll)

whereas LogonNotify.dll could be a trojan poser
 
Ice Czar said:
that key is a favorite with malware
and the key value could be named almost anything
I wouldn't necessarily think it's legitimate


http://www.google.com/search?q=HKLM%5CSOFTWARE%5CMicrosoft%5CWindows+NT%5CCurrentVersion%5CWinlogon%5CNotify&start=0&start=0&ie=utf-8&oe=utf-8&client=firefox&rls=org.mozilla:en-US:unofficial

whenever a key can't be deleted and reappears my first thoughts are malware
use regedit if it comes back then you're probably infected

is it this ?
http://castlecops.com/o20list-91.html
that would be legit (LgNotify.dll)

whereas LogonNotify.dll could be a trojan poser
Thanks--Autoruns has it listed under the "Autorun Entry" column header as "IntelWireless"; under the Description column header, it lists "LogonNotify DLL"--"Logon" is not abbreviated. Hmm, I've run Ewido (trojan scanner) & it's not picking up anything. I'm using this on the rig in my sig (Intel wireless comes as part of the Centrino package). I don't use wireless--I am hardwired for internet; that's why I just decided to disable this startup...

EDIT: Just tried unchecking another startup, shutdown then restarted Autoruns, & that one still has the box checked also....Disabling things in Autoruns by unchecking the box is not working for me..
 
still might be legit
do an XP search for both .dll


then I'd rename the dll (but not delete it) and see what happens
it could be reinjecting to "ensure" functionality

ripping out embedded software and deleting keys can sometimes work
other times it leads to even more annoying error messages and entries in the event log
by renaming files and directories, you can attempt to disable them and if the effects aren't livable you can then rename them back

as far as the infallibility of your scanner goes
if it is malware, a rootkit could easily hide it from the scanner
and they are becoming depressingly common
 
Well, I just opened regedit, & this is what I have--I don't like seeing the word "Impersonate" in there....

 
BTW, I had to open IE to paste my image shack image url into the message frame, this is the only forum where I can't copy & paste a link into a thread reply using Firefox...i.e. "paste" doesn't show in my context menu when trying to right-click paste..
 
but the actual file location looks legit and the .dll has the right name
impersonate could mean???

a little research would be required
it could be a proxy related setting or something :p
most users generally don't see the actual hive
clever haxor would likely name it something more mundane
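
An added example, not part of the original thread: a read-only PowerShell audit of the Winlogon\Notify key discussed above, listing each package's DLL path, whether the file exists, its Authenticode status and its version-info company. It assumes PowerShell 2.0 or later on Windows XP / Server 2003; the function names are hypothetical.

```powershell
# Added example: read-only audit of Winlogon notification packages (XP / Server 2003).
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Resolve-NotifyDll([string]$DllName) {
    # DllName can be a bare file name, a full path, or contain %SystemRoot%.
    $expanded = [Environment]::ExpandEnvironmentVariables($DllName)
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    # Assumption: bare names are looked up in System32 only; the loader's real
    # search order is wider, so a "missing" result deserves a manual file search.
    return (Join-Path (Join-Path $env:SystemRoot 'System32') $expanded)
}

function Get-WinlogonNotifyPackage {
    # Notification packages are not supported on Vista and later.
    if (-not (Test-Path $notifyKey)) { return }
    foreach ($sub in Get-ChildItem $notifyKey) {
        $props = Get-ItemProperty -Path $sub.PSPath
        $row = New-Object PSObject -Property @{
            Package     = $sub.PSChildName    # subkey name is free-form, not proof of origin
            DllName     = $props.DllName
            Impersonate = $props.Impersonate  # standard per-package value, also on legitimate entries
            Path = $null; Exists = $false; Signature = 'n/a'; Signer = $null; Company = $null
        }
        if ($props.DllName) {
            $row.Path   = Resolve-NotifyDll $props.DllName
            $row.Exists = Test-Path -LiteralPath $row.Path -PathType Leaf
        }
        if ($row.Exists) {
            $sig = Get-AuthenticodeSignature -FilePath $row.Path
            # NotSigned is not a verdict: files signed only through a security
            # catalog can show as NotSigned in older PowerShell versions.
            $row.Signature = $sig.Status
            if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
            $row.Company = (Get-Item -LiteralPath $row.Path).VersionInfo.CompanyName
        }
        $row
    }
}

Get-WinlogonNotifyPackage |
    Select-Object Package, DllName, Path, Exists, Signature, Signer, Company, Impersonate |
    Format-List
```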
 
O.K. Thanks, I'll research that issue more, but what about why I can't seem to get Autoruns to disable anything by unchecking a box next to the corresponding programs/process??
 
feverfive said:

anything at all?

try adding something that autoruns
and then stop it

I'd use Mike Lin's startup control panel linked above
largely because it lists the registry keys you're deleting from so it's easy to start regedit and verify
 
In regards to Autoruns, have you tried highlighting the entry you do not want to run and simply deleting it? :p
 
Do you have Administrative control of the folder that it is in? If you do, try running it in Safe Mode.
 