How to Remove Malicious Startup Entries on Windows

What Causes This?

Malicious startup entries are usually added by malware, bundled software, or unwanted browser extensions that configure themselves to launch every time Windows starts. These entries can be stored in several places, including the Startup folder, Task Manager’s Startup tab, the Windows Registry, scheduled tasks, and services. Once there, they can relaunch harmful files automatically, making the infection harder to remove.

Common Symptoms

• Unknown apps open when Windows starts
• Slow boot times or high CPU/disk usage right after sign-in
• Pop-ups, browser redirects, or fake security warnings
• Suspicious entries in Startup apps, Task Scheduler, or Services
• A program keeps coming back after you uninstall it

How to Fix It Manually

1. Disconnect from the internet if you suspect active malware

   • Turn off Wi-Fi or unplug Ethernet before making changes.
   • This can stop the malicious program from downloading more files or reconnecting to a remote server.

2. Check and disable suspicious startup apps in Task Manager

   • Open Task Manager with Ctrl+Shift+Esc.
   • Click More details if needed, then open the Startup apps tab.
   • Look for unknown items, apps with no publisher, or entries with unusual names.
   • Right-click any suspicious item and choose Disable.
   • Note the app name and publisher before disabling it so you can trace it later.

3. Inspect the Startup folders

   • Press Win+R, type shell:startup, and press Enter.
   • Delete shortcuts you do not recognize.
   • Then press Win+R, type shell:common startup, and press Enter.
   • Remove suspicious shortcuts there too. Be careful not to delete entries for software you trust.

4. Check Task Scheduler for persistence

   • Press Win+S, type Task Scheduler, and open it.
   • Click Task Scheduler Library.
   • Review tasks that run At log on, At startup, or on a schedule you did not create.
   • Double-click a suspicious task and check the Actions tab to see what file it launches.
   • If it points to an unknown .exe, script, or file in a temp or AppData folder, right-click the task and choose Disable or Delete.

5. Review common Registry startup locations

   • Press Win+R, type regedit, and press Enter.
   • Check these keys:
     • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
     • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   • Look for values that launch unknown files, especially from AppData, Temp, or random-looking folders.
   • Before deleting anything, use File > Export to back up the key.
   • Then remove only entries you are confident are malicious.

6. Find and remove the related file

   • In Task Manager, Task Scheduler, or Registry, note the full file path of the suspicious item.
   • Open File Explorer and browse to that location.
   • If the file is clearly malicious, delete it and empty the Recycle Bin.
   • If Windows will not let you delete it, restart into Safe Mode and try again.

7. Run a Windows Security scan

   • Open Settings > Privacy & security > Windows Security > Virus & threat protection.
   • Click Scan options and run a Full scan.
   • If the problem is severe, run a Microsoft Defender Offline scan to catch threats that hide during normal startup.

Fix It Automatically with Kudu

Checking every startup location manually takes time, and it is easy to miss hidden entries tied to junk files or leftover malware components. Kudu helps by identifying suspicious startup items, cleaning related files, and removing clutter that can let unwanted programs keep coming back.

Download Kudu Free →