RunScanner - Analysis of all Windows startup locations
For about a month now I have been watching the various beta-test versions of a new tool that looks very promising to me and that I fully support - it is a real favourite of mine. HijackThis regulars, could you test it and upload your scan logs to help grow the database?
I wrote a paper in English for our friends on the other side of the big pond and cannot be bothered to translate it into French (sorry - but we are discussing it, in French, at http://assiste.forum.free.fr/viewtopic. ... sc&start=0 )
RunScanner
A new tool to analyze all autostart locations
A replacement for HijackThis / Autoruns...
state : beta
- Site : http://www.runscanner.net/
- Forum : http://forum.runscanner.net/
- Download : http://www.runscanner.net/runscanner.zip (always latest version)
All versions of Windows from Windows 2000 onwards
What does it do?
- Logs (at the time of writing) 73 autostart locations
- Performs an online analysis of the log
- Very easy to read and comfortable to use
- Ability to fix items
- Uses hashes (i.e. official hashes from Microsoft and an internal DB)
- And the best part for us (helpers and experts):
- - A user can save the .run file
- - A user can send the .run file to an expert (we can receive a .run file)
- - We can analyze the .run file with RunScanner
- - We can mark the items that need fixing
- - We can send the .run file back to the user with the items marked
- - The user re-opens the .run file in his own RunScanner and fixes what we checked
- Checks whether the user has administrator rights
- Lookup at google.com from the main grid
- Process killer: start Explorer (if all your Explorer instances have been killed)
- Kill-process popup menu
- - Kill and rename the process file
- - Kill and delete the process file
- - Delete the process file at next reboot
- - Copy to clipboard
- - Open location
- - Show file properties
- Many ways of marking items (space bar, double-click, popup menu)
- Whitelist
- Import of .run files directly from internet links
- Saving of text .log files (to post in forums, ...)
- Service information (enabled, disabled, automatic)
- Driver information (kernel, IO, enabled, disabled, automatic)
- Username/domain in the process killer list
- Regedit jump goes directly to the value
000 Items in the log header - general info:
- Runscanner Version
- Time of scan
- Type of scan (full, quick)
- Productname
- Service Pack
- Version Build
- Language
- Internet explorer version
- Windir
002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
004 C:\Documents and Settings\<CurrentUser>\Start Menu\Programs\Startup
005 C:\Documents and Settings\<AllUsers>\Start Menu\Programs\Startup
006 %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
007 %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
010 Windows services
011 Windows drivers
030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
032 HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
033 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
034 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
035 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
036 HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
037 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
038 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
040 HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
041 HKCU\Software\Microsoft\Internet Explorer\Toolbar
042 HKLM\Software\Microsoft\Internet Explorer\Extensions
043 HKCU\Software\Microsoft\Internet Explorer\Extensions
044 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
051 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
060 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
061 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
062 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
064 HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
065 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (Debugger)
066 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
068 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\ (Current_Protocol_Catalog)
107 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\ (Current_NameSpace_Catalog)
069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitor
070 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
071 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
072 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
073 %windir%\Tasks
074 %windir%\System32\Tasks
100 Internet Explorer settings Start Page HKCU
100 Internet Explorer settings Start Page HKLM
100 Internet Explorer settings Search Page HKCU
100 Internet Explorer settings Search Page HKLM
100 Internet Explorer settings Default_Page_URL HKCU
100 Internet Explorer settings Default_Page_URL HKLM
100 Internet Explorer settings Default_Search_URL HKCU
100 Internet Explorer settings Default_Search_URL HKLM
100 Internet Explorer settings SearchAssistant HKCU
100 Internet Explorer settings SearchAssistant HKLM
100 Internet Explorer settings CustomizeSearch HKCU
100 Internet Explorer settings CustomizeSearch HKLM
100 Internet Explorer settings ProxyServer HKCU
100 Internet Explorer settings ProxyServer HKLM
100 Internet Explorer settings ProxyOverride HKCU
100 Internet Explorer settings ProxyOverride HKLM
100 Internet Explorer settings SearchUrl HKCU
100 Internet Explorer settings SearchUrl HKLM
100 Internet Explorer settings ShellNext HKCU
100 Internet Explorer settings ShellNext HKLM
102 HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
102 HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
104 HKLM\Software\Microsoft\Code Store Database\Distribution Units (ActiveX controls)
106 HKLM\Software\Microsoft\Windows\CurrentVersion\URL (Default url handlers)
120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\VXD\MSTCP : Domain
120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\VXD\MSTCP : NameServer
120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\Tcpip\Parameters : Domain
120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\Tcpip\Parameters : NameServer
120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\Tcpip\Parameters : SearchList
120 Domain/DNS hijacking SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony : DomainName
120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (Nameserver, Domain)
121 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
122 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
135 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (+subkeys)
136 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (+subkeys)
137 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx (+subkeys)
138 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx (+subkeys)
139 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows :Load
140 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows :Run
145 HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
146 HKLM\System\CurrentControlSet\Control\SafeBoot : AlternateShell
147 HKLM\System\CurrentControlSet\Control\SecurityProviders :SecurityProviders
148 HKLM\System\CurrentControlSet\Control\WOW :cmdline
149 HKLM\System\CurrentControlSet\Control\WOW :wowcmdline
150 HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
151 HKLM\Software\Microsoft\Command Processor :Autorun
152 HKCU\Software\Microsoft\Command Processor :Autorun
160 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
166 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+subkeys)
167 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+subkeys)
170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
171 HKCU\Control Panel\Desktop : SCRNSAVE.EXE
172 HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
173 HKCR\*\shellex\ContextMenuHandlers
180 FileType Hijacking
http://www.runscanner.net/report.aspx?repo...33-b8e3d15e9a7b
Example of the (future) rating of files - the template of those pages can already be seen:
http://www.runscanner.net/getmd5.aspx?md5=...ess=svchost.exe
Reading the log
- State icons - far left column
- - Driver or service starts automatically
- - Driver or service starts manually
- - Driver or service is disabled
- - IO driver
- - Kernel driver
- Shield icons - second column
- - Certified (with an MD5) - the signature of this file has been verified (it comes from a trusted source and is signed by Verisign, ...).
- - No wintrust signature - the file is not signed (this does not mean that the file is malware). This check uses the wintrust.dll built into Windows.
- - Once hashes are rated, a red shield will exist for parasites. The MD5 hash is the key under which the file is stored in the online database. As soon as the final version is ready, files will be rated on the website; at this moment the rating of processes is beginning.
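As an added example (not RunScanner's own code, and not part of the original post), the PowerShell script below walks a handful of the locations listed above (the Run/RunOnce keys, Winlogon Userinit and Shell, AppInit_DLLs, the two Startup folders and Win32 services) and applies the two checks the shield column rests on: an MD5 of the image file, which is the key RunScanner stores in its online database, and a WinTrust/Authenticode signature check. The set of keys, the function names and the use of the log section numbers as labels are my choices; the script assumes Windows PowerShell 5.1 or later run from an elevated prompt.

```powershell
# Added example, not RunScanner's code: enumerate a few of the autostart
# locations RunScanner logs and apply the two checks behind its shield column,
# an MD5 hash (the key RunScanner's online DB uses) and a WinTrust/Authenticode
# signature check. Assumes Windows PowerShell 5.1+ in an elevated prompt.
# Numeric labels reuse the RunScanner log section numbers (assumed subset).

$valueKeys = @(   # registry values that hold command lines
    @{ Id = '002'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Id = '003'; Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Id = '033'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
    @{ Id = '034'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Id = '121'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'AppInit_DLLs' },
    @{ Id = '135'; Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Id = '136'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' }
)
$startupDirs = @(  # 006/007: per-machine and per-user Startup folders
    @{ Id = '006'; Path = "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup" },
    @{ Id = '007'; Path = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" }
)

function Resolve-ImagePath {
    # Turn a command line such as  "C:\Program Files\Foo\foo.exe" /silent  or
    # C:\WINDOWS\system32\userinit.exe,  into the path of the file that gets loaded.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $first = ($cmd -split '[,;]')[0].Trim()          # Userinit / AppInit_DLLs are lists
    if ($first.StartsWith('"')) {
        $close = $first.IndexOf('"', 1)
        $exe = if ($close -gt 0) { $first.Substring(1, $close - 1) } else { $first.Trim('"') }
    } elseif ($first -match '^(.+?\.(exe|dll|com|cmd|bat))(\s|$)') {
        $exe = $Matches[1]                           # unquoted path followed by arguments
    } else {
        $exe = ($first -split '\s+')[0]
    }
    if (-not (Split-Path $exe -IsAbsolute)) {
        # Bare names (Shell = explorer.exe) are resolved through PATH, as the loader does;
        # a planted copy earlier in PATH would show up here instead of the real binary.
        $hit = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        $exe = if ($hit) { $hit.Source } else { Join-Path $env:SystemRoot "System32\$exe" }
    }
    return $exe
}

function Test-AutostartImage {
    # One record per autostart entry: where it was found, what it runs, hash, signature.
    param([string]$Id, [string]$Source, [string]$CommandLine)
    $image = Resolve-ImagePath $CommandLine
    $rec = [ordered]@{ Id = $Id; Source = $Source; CommandLine = $CommandLine; Image = $image;
                       Exists = $false; MD5 = $null; Signature = 'n/a'; Signer = $null }
    if ($image -and (Test-Path -LiteralPath $image -PathType Leaf)) {
        $rec.Exists = $true
        $rec.MD5 = (Get-FileHash -LiteralPath $image -Algorithm MD5).Hash
        $sig = Get-AuthenticodeSignature -LiteralPath $image     # WinTrust verification
        $rec.Signature = $sig.Status.ToString()  # Valid, NotSigned, HashMismatch, NotTrusted, ...
        if ($sig.SignerCertificate) { $rec.Signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]$rec
}

$results = @()
foreach ($k in $valueKeys) {
    if (-not (Test-Path -LiteralPath $k.Path)) { continue }
    $props = Get-ItemProperty -LiteralPath $k.Path
    $names = if ($k.Name) { @($k.Name) } else {
        $props.PSObject.Properties.Name | Where-Object { $_ -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
    }
    foreach ($n in $names) {
        $val = $props.$n
        if ($val) { $results += Test-AutostartImage -Id $k.Id -Source "$($k.Path)\$n" -CommandLine "$val" }
    }
}
foreach ($d in $startupDirs) {
    foreach ($item in Get-ChildItem -LiteralPath $d.Path -File -ErrorAction SilentlyContinue) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') {   # follow the shortcut to the file it really starts
            $target = (New-Object -ComObject WScript.Shell).CreateShortcut($item.FullName).TargetPath
        }
        $results += Test-AutostartImage -Id $d.Id -Source $item.FullName -CommandLine "`"$target`""
    }
}
# 010 Windows services: ImagePath is a command line too; Type 16/32 = Win32 service (drivers are 1/2)
foreach ($svc in Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue) {
    if ($svc.ImagePath -and ($svc.Type -eq 16 -or $svc.Type -eq 32)) {
        $results += Test-AutostartImage -Id '010' -Source $svc.PSChildName -CommandLine $svc.ImagePath
    }
}

$results | Sort-Object Id, Source | Format-Table Id, Signature, MD5, Image -AutoSize
# As the shield legend says, "NotSigned" is not a verdict: these are the entries to look
# up by MD5 (RunScanner's online DB or another hash database) and to review by hand.
$results | Where-Object { $_.Signature -ne 'Valid' } | Format-List Id, Source, CommandLine, Image, Exists, Signature, MD5
```

The second listing is the one a helper reads: an entry whose image does not exist (Exists = False) is a dangling autostart, HashMismatch means a signed file has been altered, and NotSigned is only a prompt to look the MD5 up, exactly as the legend above says.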
It would be good if RunScanner acted as a front end for DBs like:
- Castlecops
http://hashes.castlecops.com/Hashes.html (31,743,604 file hash entries, including parasites (which is what we are looking for))
- File Advisor File Identification
http://www.bit9.com/index.php (2,054,736,194 file hash entries, without parasites (!))
- Or rebuild a similar DB internally
- Or work with distributed DBs (RunScanner + Castlecops + File Advisor + Microsoft + other software publishers offering such DBs)
(and, if Trend does the same with HijackThis as they did with CWShredder...)
Beta testing and uploaded logs are needed to feed the DB.
If many people run an online analysis, it will grow quickly.
HowTo
Download > Unzip > Run (no install) > Do a scan > do an « Online Analysis »
Links
- Who is Geert? Other works:
http://www.lansweeper.com
http://www.moernaut.com
- A French thread - discussion in French about RunScanner:
http://assiste.forum.free.fr/viewtopic.php...=asc&highlight=
- A French page:
http://assiste.com.free.fr/p/logitheque/runscanner.html
- Forum at RunScanner.net:
http://forum.runscanner.net/default.aspx?g=forum
- A thread at Wilders Security Forums:
http://www.wilderssecurity.com/showthread....ight=runscanner
Sincerely