How to remove start up items in Windows

Posted Apr 13, 2009 by themamboman

Is your computer taking longer and longer to boot? It probably has some useless (or maybe even malicious) software running at startup. This is for XP, Vista, and other recent versions of Windows. It will most likely be the case in Windows 7 too.

Sometimes the manufacturer of your computer will pre-load worthless software. Or perhaps over time you'll find that software has "magically" installed itself, whether you installed it unwittingly or it was a malicious virus or adware/spyware.

In any case, we have to get this garbage off the computer and restore our fast-booting systems! This advice should work with most recent versions of Windows, primarily Windows XP and Vista (and probably Server 2003 and 2008).

1) The Windows Start Up Folder

The first place to see what we have coming up on startup is the Startup folder. Click the Start button in XP or Vista and look for a Startup folder in the list of programs under All Programs. Check to see if anything is in here. If so, you can hover the mouse over the object, right click and choose Delete. Only do this if you know it's something you can get away with deleting. Some programs have something here to aid in faster data loading or to run background processes.

Each account has its own Startup folder, so if someone else logs into this Windows computer with their own account, they may have to do the same.

2) Registry start up items

Go back to the same start button.

In Vista, type MSCONFIG and hit the ENTER key on the keyboard. In XP, type the same but at the Run entry line.

In XP, it should start right away.  In Vista, it will show you the name of the file that you have to then double click to start.  Vista may ask your permission to start it.  Click yes.

MSCONFIG has many configuration options.

You should get a window that looks a lot like this.  Click the Startup tab at the top:

Once you change to the Startup tab, you'll see the list of programs that launch on startup.

Some are vitally essential, others are a waste of system resources. I would suggest that you do a Google search on the name of each item you find to see if it is legit or not. There are plenty of entries in Google under every item in the world.

You can uncheck the check boxes next to each item to shut it off on the next reboot. Selecting Okay will prompt you to restart the computer. If everything is saved on the system, go right ahead.

3) Winlogon Notifiers


These are nasty ones.  These can be seen by opening registry edit.  Do the same thing as above to open the start button, and type in regedit and ENTER to start.

You'll be shown many main folders (HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG). Click to expand HKEY_LOCAL_MACHINE, then choose Software, then Microsoft, then Windows NT, then CurrentVersion, then WinLogon, then Notify.

You will have to click the + next to Notify on the left pane to expand it. You'll only see these folders on the left, not the right. Once again, make a note of all entries and verify them in Google. The really weird ones still show up as very unreadable. The ones that look suspicious or unreadable are the ones I get rid of. MAKE SURE YOU DOUBLE CHECK ON GOOGLE FIRST.

4) More malicious DLLs

I've found that my latest virus software sometimes won't get these guys, and many are locked from bootup, so we have to take a radical method of getting rid of them. Once again, go to the start button, and type in "cmd"  (without the quotes) at the command line.  This starts off an old-style DOS session in a manually typed box.

Change to the drive where you installed Windows (usually the C: drive; for example, type C: then hit enter), and change to the Windows directory (usually C:\windows). Then go to the system32 directory (C:\windows\system32).

Now, list the DLL files in order of date:

dir  *.dll   /od

You should see a long list. The ones at the end will be the newest. Be on the lookout for several dll files that have unreadable names and similar/same sizes. Look them up on Google to see if they are listed as malware. Try to delete them.

Example:

If we found a file named HcwZeXL.dll, and we looked it up and either couldn't find any info on it or found it listed as malware, try to erase it:

erase HcwZeXL.dll

---

(UPDATE!!!!!)  I just found out that some of these malicious dll files are set to be system and hidden files. To locate these, you'll need to use the attrib.exe program from the command line. Here's how I did it:

From the command prompt at c:\windows\system32\ type this:

attrib *.dll   | more

This says to show each file and its attribute settings if the file is a .dll file. The second half starts with a vertical bar (found on most keyboards as the shifted "\"). This second part redirects the output to the more.exe program, which lists enough to fill the command window and then stops until you hit a key to get the next set (I usually use the space bar). What I did was watch for any files that have both "S" and "H" listed to the left of the file name; when I found one, I wrote down that filename. These would usually have nonsense names. Be careful: there are some "S" only files that need to remain. The ones that are "S" and "H" [shown as SH together] are probably bad files.

---

If it gives an error, saying it's in use, we can use Avenger to delete it on next startup:

http://swandog46.geekstogo.com

Download, extract and run the single program, and in the text box, type:

files to delete:

followed by a blank line then the full path and filename:

c:\windows\system32\HcwZeXL.dll

Add a line for each suspicious dll entry.

Click automatically remove rootkit, hit okay and it will prompt a reboot which should clear out those files before they get locked.  If all went well, your machine should have those malicious DLLs removed.
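The four checks above can also be collected in one read-only pass before anything is deleted. The script below is an added example, not part of the original article: it assumes PowerShell 2.0 or later is installed, the names New-Row and Get-StartupInventory are made up here, and the two Run keys are an assumption about which registry start up entries to list (MSCONFIG's Startup tab may show more).

```powershell
# Read-only inventory of the four places the article checks; nothing is deleted.
# Written for PowerShell 2.0 or later; run it from an elevated prompt.

function New-Row($Source, $Name, $Detail) {
    # Hypothetical helper: one uniform row per finding.
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Detail = $Detail }
}

function Get-StartupInventory {
    # 1) Startup folders: current user and all users
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'AllUsersStartup') {
        $dir = $shell.SpecialFolders.Item($folder)
        if ($dir -and (Test-Path $dir)) {
            Get-ChildItem $dir -Force | ForEach-Object { New-Row $folder $_.Name $_.FullName }
        }
    }

    # 2) Registry start up items (assumption: the machine and per-user Run keys)
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $item = Get-Item $key -ErrorAction SilentlyContinue
        if ($item) {
            foreach ($n in $item.GetValueNames()) { New-Row $key $n ($item.GetValue($n)) }
        }
    }

    # 3) Winlogon notifiers: one subkey per package, DllName names the file.
    #    The key may be absent (notification packages were dropped after XP/Server 2003).
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        Get-ChildItem $notify | ForEach-Object {
            New-Row 'Winlogon\Notify' $_.PSChildName ($_.GetValue('DllName'))
        }
    }

    # 4) DLLs in system32 carrying both the S and H attributes, newest last
    $sh = [int][IO.FileAttributes]::System -bor [int][IO.FileAttributes]::Hidden
    Get-ChildItem (Join-Path $env:windir 'System32') -Filter *.dll -Force |
        Where-Object { ([int]$_.Attributes -band $sh) -eq $sh } |
        Sort-Object LastWriteTime |
        ForEach-Object {
            New-Row 'system32 S+H dll' $_.Name ("{0:yyyy-MM-dd HH:mm}  {1} bytes" -f $_.LastWriteTime, $_.Length)
        }
}

Get-StartupInventory | Select-Object Source, Name, Detail | Format-Table -AutoSize -Wrap
```

Saving the output before and after a cleanup gives a record of exactly which entries changed.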
