Always the malware, trojans, spyware, adware try to add an entry to run at system bootup, and all the malware are programmed to do so. There is a lot of ways to run an application at boot time and even if some AntiViruses claims to control 100% programs autostart, very often they miss some places. The most comprehensive knowledge of auto-starting locations are shown by Autoruns by Sysinternals.com. This little utility is far better than MsConfig utility or any other system tool.
Autostart locations displayed by Autoruns include logon entries, Explorer add-ons, Internet Explorer add-ons including Browser Helper Objects (BHOs), Appinit DLLs, image hijacks, boot execute images, Winlogon notification DLLs, Windows Services and Winsock Layered Service Providers. You can disable or delete any of the auto-start entries by unchecking its check box, you can hide Microsoft signed programs, remaining the third party auto-starting images that have been added to your system and you can find out also what is controlling these entries. With a little knowledge about Windows files or searching with Googles for the files names founded in the list, you can identify if an auto-start entry is legitime or malicious.
Compatible with: Windows all
Download it or read more here.
Process Explorer from Sysinternals.com is a powerful replacement for Task Manager, it shows you detailed informations about what processes are running, module or DLLs loaded(mapped) in memory by any process. It’s very useful when we deal with an malware injection in a legitime process. The most targeted applications to be injected are default browser and explorer.exe. Sometimes also live messengers executable are injected. This utility shows us what module are loaded by a process, and if we found something suspicious–again Google can help us with the files names, we can find the exact location of that module and delete it after unloading. If it’s locked, there is anotehr application, Unlocker what can help us.
Read more and download Process Explorer from here.
TCPView for Windows v2.54
TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows.
When you start TCPView it will enumerate all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions. You can use a toolbar button or menu item to toggle the display of resolved names. On Windows XP systems, TCPView shows the name of the process that owns each endpoint.
TIP : If the process is labeled as <non-existent> but you can see his estabilished connections, then is about a rootkit which can hide his own process
By default, TCPView updates every second, but you can use the Options|Refresh Rate menu item to change the rate. Endpoints that change state from one update to the next are highlighted in yellow; those that are deleted are shown in red, and new endpoints are shown in green.
You can close established TCP/IP connections (those labeled with a state of ESTABLISHED) by selecting File|Close Connections, or by right-clicking on a connection and choosing Close Connections from the resulting context menu.
Read more and download it here.
These are the most used tools but maybe you want to check out ALL the tools by Sysinternals, here are.
There you can find for example a RootkitRevealer, an advanced rootkit detection utility, Process Monitor an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity, combining the features of two other sysinternals.com utilities, RegMon and FileMon.