I will do a French version for the page on our site.
Currently beta: testing only!
________________________________________________________________________
This page cross-references our evaluations with others' observations, remarks and, where necessary, warnings.
We at Assiste.com have been observing and evaluating, for a month now, the successive test versions of a new piece of software that looks very promising.
RunScanner
A new tool to analyze all autostart locations
A replacement for HijackThis / Autoruns...
State: beta
- Site: http://www.runscanner.net/
- Forum: http://forum.runscanner.net/
- Download: http://www.runscanner.net/runscanner.zip (always the latest version)
All versions of Windows from Windows 2000 onward
What does it do?
- Logs (at the time of writing) 73 autostart locations
- Does an online analysis of the log
- Very easy to read and comfortable to use
- Ability to fix items
- Uses hashes (i.e. the official Microsoft ones and an internal DB)
- And, best of all for us (helpers and experts):
- A user can save the .run file
- A user can send the .run file to an expert (we can receive a .run file)
- We can analyze the .run file with RunScanner
- We can mark the items that need fixing
- We can send the .run file back to the user with the items marked
- The user re-opens the .run file in his RunScanner and fixes what we checked
- Checks whether the user has administrator rights
- Google.com lookup from the main grid
- Process killer: start Explorer (if all your Explorer instances have been killed)
- Kill process popup menu:
- - Kill and rename the process file
- - Kill and delete the process file
- - Delete the process file at next reboot
- - Copy to clipboard
- - Open location
- - Show file properties
- Many ways of marking items (space, double-click, popup menu)
- Whitelist
- Import of .run files directly from internet links
- Possibility to save text .log files (to post in forums, ...)
- Service information (enabled, disabled, automatic)
- Driver information (kernel, IO, enabled, disabled, automatic)
- Username/domain in the process killer list
- Regedit jump goes to the exact value
000 Header of the log, general info:
- Runscanner Version
- Time of scan
- Type of scan (full, quick)
- Productname
- Service Pack
- Version Build
- Language
- Internet explorer version
- Windir
001 Running processes
002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
004 current user startup
005 common startup
006 %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
007 %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
008 HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
009 System user\Software\Microsoft\Windows\CurrentVersion\Run (+subkeys)
010 installed services
011 installed drivers
030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
032 HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
033 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
034 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
035 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
036 HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
037 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
038 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
040 HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
041 HKLM\Software\Microsoft\Internet Explorer\Toolbar
041 HKCU\Software\Microsoft\Internet Explorer\Toolbar
042 HKLM\Software\Microsoft\Internet Explorer\Extensions
043 HKCU\Software\Microsoft\Internet Explorer\Extensions
044 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
047 Trusted zones Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
048 ESC Trusted zones Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ESCDomains
050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
051 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
060 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
061 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
062 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
064 HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
065 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
066 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
068 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\<Current_Protocol_Catalog> (the protocol catalog subkey named by the Current_Protocol_Catalog value; Winsock LSPs)
069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
070 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
071 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
072 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
073 %windir%\Tasks
074 %windir%\System32\Tasks
100 Internet Explorer settings, each value read from both HKCU and HKLM:
- Software\Microsoft\Internet Explorer\Main: Start Page, Search Page, Default_Page_URL, Default_Search_URL
- Software\Microsoft\Internet Explorer\Search: SearchAssistant, CustomizeSearch
- Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyServer, ProxyOverride
- Software\Microsoft\Internet Explorer\SearchUrl (whole key)
- Software\Microsoft\Internet Connection Wizard: ShellNext
102 HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
102 HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
106 HKLM\Software\Microsoft\Windows\CurrentVersion\URL
107 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\<Current_NameSpace_Catalog> (the namespace catalog subkey named by the Current_NameSpace_Catalog value)
120 Domain/DNS hijacking:
- HKLM\SYSTEM\CurrentControlSet\Services\VXD\MSTCP: Domain, NameServer
- HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: Domain, NameServer, SearchList
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony: DomainName
- HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (per-interface values)
121 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
122 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
135 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (+subkeys)
136 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (+subkeys)
137 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx (+subkeys)
138 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx (+subkeys)
139 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
140 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
145 HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters (keyboard device class; where a keylogger filter driver would be registered)
146 HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell
147 HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders
148 HKLM\System\CurrentControlSet\Control\WOW\cmdline
149 HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
150 HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
151 HKLM\Software\Microsoft\Command Processor\Autorun
152 HKCU\Software\Microsoft\Command Processor\Autorun
160 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
166 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+subkeys)
167 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+subkeys)
170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
171 HKCU\Control Panel\Desktop\SCRNSAVE.EXE
172 HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
173 HKCR\*\shellex\ContextMenuHandlers
174 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
180 FileType Hijacking, checked in HKCR, HKCU and HKLM (HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes):
- extensions: .bat, .cmd, .com, .exe, .hta, .pif, .scr
- ProgIDs: batfile, cmdfile, comfile, exefile, htafile, piffile, scrfile
http://www.runscanner.net/report.aspx?repo...33-b8e3d15e9a7b
Example of the (future) rating of files; the template of those pages is already visible:
http://www.runscanner.net/getmd5.aspx?md5=...ess=svchost.exe
Reading the log
- State icons, far left column:
Driver or service starts automatically
Driver or service starts manually
Driver or service is disabled
IO driver
Kernel driver
- Shield icons, second column:
Certified, with an MD5 - the signature of this file is verified (it comes from a trusted source and is signed by Verisign, ...).
No WinTrust signature - the file is not signed (this does not mean that the file is malware). This check is built into Windows ("wintrust.dll"); a Redmond signature may be trusted. Using a database of known clean system files significantly reduces the number of objects that have to be analyzed by hand.
- Once hashes are rated, there will be a red shield for parasites. The MD5 hash is the key under which a file is stored in the online database. As soon as the final version is ready, files will be rated on the website; at the moment, the rating of processes is beginning.
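To make the location list and the shield column concrete, here is an added example, not RunScanner's own code, that does in PowerShell what the log summarises for a handful of the sections above (002/003, 006/007, 033/034, 065, 121, 135/136, 166/167, 180): it enumerates the entries, resolves each command line to a file, hashes it and checks its Authenticode signature, and compares a few single values against their Windows defaults. Assumptions: PowerShell 5.1 or later run elevated on Windows; the "Expect" baselines are the Windows defaults, not values from RunScanner's database; the CSV path under %TEMP% is arbitrary. The MD5 is what an MD5-keyed database is queried with, but SHA256 is recorded alongside it because MD5 collisions are practical, so an MD5-only whitelist can be matched by a crafted file.

```powershell
# Added example (not RunScanner's code): enumerate some of the autostart locations
# listed above, hash the referenced binaries and check their Authenticode signature,
# which is what the log's shield column summarises.
# Assumptions: PowerShell 5.1 or later, elevated, on Windows; the "Expect" values are
# the Windows defaults (not RunScanner's database); the CSV path is arbitrary.

function Resolve-CommandPath {
    # Extract the executable from a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent    or    C:\Windows\system32\userinit.exe,
    # (an unquoted path containing spaces is ambiguous and is cut at the first space)
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 1) {
        $path = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    } else {
        $path = ($cmd -split '[ ,]')[0]
    }
    # A bare name such as explorer.exe is looked up where Windows itself finds it
    $candidates = @($path)
    if ($path -notmatch '[\\/]') {
        $candidates += (Join-Path $env:SystemRoot $path), (Join-Path "$env:SystemRoot\System32" $path)
    }
    foreach ($c in $candidates) {
        if (Test-Path -LiteralPath $c -PathType Leaf) { return $c }
    }
    return $null
}

function Get-FileTrust {
    # MD5 for querying an MD5-keyed database; SHA256 as well, because MD5 collisions
    # are practical and an MD5-only whitelist can be matched by a crafted file.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        MD5       = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

function Get-AutostartEntries {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    # Run / RunOnce / Policies\Explorer\Run in both hives: every value is a command line
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($sub in 'Run', 'RunOnce', 'Policies\Explorer\Run') {
            $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -in $meta) { continue }
                [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
    # Image File Execution Options: a Debugger value silently replaces the named program
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem -Path $ifeo) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath).Debugger
        if ($dbg) { [pscustomobject]@{ Location = 'IFEO'; Name = $sub.PSChildName; Command = [string]$dbg } }
    }
    # Startup folders of the current user and of all users; shortcuts are resolved to their target
    $wsh = New-Object -ComObject WScript.Shell
    $folders = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($f in Get-ChildItem -Path $folders -File -ErrorAction SilentlyContinue) {
        $target = if ($f.Extension -eq '.lnk') { $wsh.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        [pscustomobject]@{ Location = $f.DirectoryName; Name = $f.Name; Command = $target }
    }
}

function Test-AutostartBaselines {
    # Single values whose Windows default is known; anything else deserves a look
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $checks = @(
        @{ Key = $winlogon; Value = 'Userinit'; Expect = "$env:SystemRoot\system32\userinit.exe," },
        @{ Key = $winlogon; Value = 'Shell';    Expect = 'explorer.exe' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Value = 'AppInit_DLLs'; Expect = '' },
        @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Value = '(default)'; Expect = '"%1" %*' }
    )
    foreach ($c in $checks) {
        $actual = [string](Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Check  = "$($c.Key)\$($c.Value)"
            Actual = $actual
            Status = if ($actual -eq $c.Expect) { 'default' } else { 'MODIFIED' }   # -eq ignores case
        }
    }
}

# Report: baselines on screen, one CSV row per entry with its hashes and signature status
Test-AutostartBaselines | Format-Table -AutoSize
Get-AutostartEntries | ForEach-Object {
    $path  = Resolve-CommandPath $_.Command
    $trust = if ($path) { Get-FileTrust $path } else { [pscustomobject]@{ MD5 = ''; SHA256 = ''; Signature = 'FILE NOT FOUND'; Signer = '' } }
    [pscustomobject]@{
        Location = $_.Location; Name = $_.Name; Command = $_.Command; Path = $path
        Signature = $trust.Signature; Signer = $trust.Signer; MD5 = $trust.MD5; SHA256 = $trust.SHA256
    }
} | Export-Csv -Path "$env:TEMP\autostart-scan.csv" -NoTypeInformation
```

Run it from an elevated prompt and open the CSV: rows whose Signature is NotSigned or FILE NOT FOUND, and baselines reported as MODIFIED, are the ones to look at first. Signature = Valid with a Microsoft signer is what the certified shield in the log corresponds to; as the page says, an unsigned file is not necessarily malware, only unverified, which is exactly why a hash database of known clean files is the next filter.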
The good thing would be for RunScanner to act as a front end for DBs like:
- CastleCops
http://hashes.castlecops.com/Hashes.html (31 743 604 file hash entries, including parasites, which is what we are looking for)
- File Advisor File Identification
http://www.bit9.com/index.php (2 054 736 194 file hash entries, without parasites (!))
- Or rebuild a similar DB in-house
- Or work with a distributed DB (RunScanner + CastleCops + File Advisor + Microsoft + other software vendors offering such a DB)
(and, if Trend does the same with HijackThis as they did with CWShredder...)
Beta testing and uploading of logs are needed to feed the DB.
If many people run the online analysis, it will grow rapidly.
HowTo
Download > Unzip > Run (no install) > do a "Full Scan" (not a "Quick Scan") > do an "Online Analysis"
Links
- Who is Geert? Other works:
http://www.lansweeper.com
http://www.moernaut.com
- A French thread (discussion in French about RunScanner):
http://assiste.forum.free.fr/viewtopic.php...=asc&highlight=
- A French page:
http://assiste.com.free.fr/p/logitheque/runscanner.html
- Forum at RunScanner.net:
http://forum.runscanner.net/default.aspx?g=forum
- A thread at Wilders Security Forums:
http://www.wilderssecurity.com/showthread....ight=runscanner