RunScanner : needs beta testers


RunScanner
March 2nd, 2007, 01:26 PM
Hi guys,

This may seem like a great first spam post :)

But I'm looking for beta testers for my new freeware anti-malware software
http://www.runscanner.net

It is still in beta and is supposed to become a "superior" version of hijackthis/autoruns (and much more)

All the help and advice of security professionals is welcome.

MaB69
March 2nd, 2007, 01:33 PM
Hi,

Thanks for posting here.

Download your product and give it a try

Regards,

MaB69

RunScanner
March 2nd, 2007, 01:36 PM
Take note, that it's still in beta (but working nice already)

lucas1985
March 2nd, 2007, 01:46 PM
What features will RunScanner have to make it superior to Hijackthis/Autoruns?

RunScanner
March 2nd, 2007, 01:50 PM
I'm trying to combine the "strong" things of both

- Scanning of 73 startup/hijack items. (I'm trying to get them all, more to come)
73 is already more than both programs
- Verification of file signatures and whitelisting (combination of the "strong" things of both programs)
- MD5 hash calculation of files. (and in a later version online lookup of the result)
- Import / export of .run files. (very user-friendly for people that want to help you with your "malware problems")
... (read the website)

lucas1985
March 2nd, 2007, 02:17 PM
Very nice :thumb:
Thanks for the answer.

RunScanner
March 2nd, 2007, 02:46 PM
All suggestions for improvement are welcome, it is supposed to help people.

lucas1985
March 2nd, 2007, 02:55 PM
Comparing logs? Useful for integrity checking/security benchmarking.

RunScanner
March 2nd, 2007, 03:01 PM
What exactly do you understand by "comparing logs"?

lucas1985
March 2nd, 2007, 03:19 PM
A feature which allows comparing two logs taken at different moments to see what's changed.
This can be done using external tools, but would be nice to have it built-in.
Hope it's clear now.

RunScanner
March 2nd, 2007, 03:23 PM
Good idea (but not for version 1.0)
I'll add it to my todo list for 1.5

lucas1985
March 2nd, 2007, 03:55 PM
Great :thumb:
Also, see if this document (http://weblog.infoworld.com/securityadviser/archives/WhereWindowsMalwareHides.doc) is helpful to you.

LUSHER
March 3rd, 2007, 02:38 AM
More lists for possible scanned items

http://gladiator-antivirus.com/forum/index.php?showtopic=24610
http://www.silentrunners.org/sr_launchpoints.html

RunScanner
March 3rd, 2007, 03:30 AM
My todo list keeps getting longer :)
Thanks

Bio-Hazard
March 3rd, 2007, 07:22 AM
Hello!!

I have downloaded Runscanner...is working fine here!!!

EASTER.2010
March 3rd, 2007, 02:50 PM
-{ Quote: "Hello!!

I have downloaded Runscanner...is working fine here!!!" }-

Same here: Like the additional registry locations paragraphs.

Franklin
March 4th, 2007, 09:19 PM
Running fine here.

Like the lookup online feature for extra info.

Franklin
March 5th, 2007, 05:36 AM
Quite like this app. Using about 13.5 meg after the scan.

One query. Processes on the first tab show two instances of "generic host process for Win 32 Services" and if I go to the "kill process" tab they don't show.

Taskmanager and my Firewall show no "generic host process" as I have the DNS service disabled.

Probably your app is using them to run maybe and not showing in the kill tab?

RunScanner
March 5th, 2007, 06:05 AM
Have you tried :
- Refresh the processes list (check if you see the svchost)
- Do the scan
- Refresh the processes list (check if you see the svchost)

The wintrust verify is probably using the svchost.

Franklin
March 5th, 2007, 07:27 AM
OK rerun the tests without the MD5 checksums and the two generic hosts still show up in the Auto Runs tab but not the kill process tab even after refresh.

Tried to kill explorer.exe and Firefox but no go.

No probs killing those processes through XP's taskmanager.

RunScanner
March 5th, 2007, 07:47 AM
I found the problem, I changed something in the current version without testing.
Should be fixed in the next build.

Franklin
March 5th, 2007, 07:56 AM
OK, will post anything further over at your forum as I should have done in the first place. :)

Sorry Wilders.:-[

RunScanner
March 7th, 2007, 11:13 AM
Meanwhile, I've uploaded a new version which should solve all your problems (and more :))

Changelog 0.8.0.0
- Check to see if user has administrator rights
- Fixed bug with corrupt drivers and services
- Added : lookup at google.com to maingrid
- Added icons to the popup menu
- Added "first run privacy blablabla " form
- Layout changes to show more entries on the screen.
- Process killer : Start explorer (if all your explorers are killed)
- Kill process popup menu added
- - Kill and rename of process
- - Kill and delete of process
- - Delete at next reboot of process file
- - Copy to clipboard
- - Open location
- - Show file properties
- - Lookup at Google
- Marking of items (space, doubleclick, popupmenu)
(a user can save the .run file, an expert can mark the items that need fixing and send the .run file back to the user)

New items:
000 General info:
Runscanner Version
Time of scan
Type of scan (full, quick)
Productname
Service Pack
Version Build
Language
Internet explorer version
Windir

lucas1985
March 7th, 2007, 12:44 PM
Very nice, running fine here :)

Baldrick
March 7th, 2007, 05:26 PM
Running very well here. Developing nicely!

RunScanner
March 14th, 2007, 11:25 AM
Meanwhile version 0.9.0.0 is uploaded.
You can now create an online analysis, but not all processes are whitelisted yet. (still working on that)

EASTER.2010
March 15th, 2007, 06:08 AM
Going along fine here as well, lots of detail which are easy to read and make sense of.

Bio-Hazard
March 15th, 2007, 09:22 AM
Looks good. Developing fast.

Assiste.com
March 15th, 2007, 07:07 PM
Hi to all,

Recap

RunScanner
A new tool to analyze all autostart locations
A replacement for HijackThis / Autoruns...
state : beta
Site : http://www.runscanner.net/
Forum : http://forum.runscanner.net/
Download : http://www.runscanner.net/runscanner.zip (always latest version)

RunScanner is compatible with those versions of Windows
All versions of Windows beginning at Windows 2000

What does it do ?
Do a log of (at that time) 73 autostart locations
Do an on line analysis of the log
Very easy to read and comfortable
Ability to fix
Use hashes (ie : official from Microsoft and an internal DB)
And the best for us (helpers and experts)
A user can save the .run file
A user can send the .run file to an expert - (We can receive a .run file)
We can analyze the .run file with RunScanner
We can mark items that need fixing
We can send the .run file back to the user with items marked
The user re-opens the .run file with his RunScanner and fixes what we check

Miscellaneous
Check to see if user has administrator rights
Lookup at google.com to maingrid
Process killer : Start explorer (if all your explorers are killed)
Kill process popup menu
- Kill and rename of process
- Kill and delete of process
- Delete at next reboot of process file
- Copy to clipboard
- Open location
- Show file properties
Many ways for marking of items (space, doubleclick, popupmenu)
Whitelist
Importing of .run files directly from internet links
Possibility to save text .log files. (to post in forums, ...)
Service information (enabled, disabled, automatic)
Driver information (kernel, IO, enabled, disabled, automatic)
Username/Domain in the process killer list
Regedit jump jumps to values

Currently scanned items
000 Items in the header of the log
General info:
Runscanner Version
Time of scan
Type of scan (full, quick)
Productname
Service Pack
Version Build
Language
Internet explorer version
Windir
001 Running processes
002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
004 C:\Documents and Settings\<CurrentUser>\Start Menu\Programs\Startup
005 C:\Documents and Settings\<AllUsers>\Start Menu\Programs\Startup
006 %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
007 %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
010 Windows services
011 Windows drivers
030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
032 HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
033 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
034 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
035 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
036 HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
037 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
038 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
040 HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
041 HKCU\Software\Microsoft\Internet Explorer\Toolbar
041 HKCU\Software\Microsoft\Internet Explorer\Toolbar
042 HKLM\Software\Microsoft\Internet Explorer\Extensions
043 HKCU\Software\Microsoft\Internet Explorer\Extensions
044 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
051 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
060 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
061 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
062 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
064 HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
065 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (Debugger)
066 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
068 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\ (Current_Protocol_Catalog)
107 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\ (Current_NameSpace_Catalog)
069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitor
070 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
071 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
072 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
073 %windir%\Tasks
074 %windir%\System32\Tasks
100 Internet Explorer settings Start Page HKCU
100 Internet Explorer settings Start Page HKLM
100 Internet Explorer settings Search Page HKCU
100 Internet Explorer settings Search Page HKLM
100 Internet Explorer settings Default_Page_URL HKCU
100 Internet Explorer settings Default_Page_URL HKLM
100 Internet Explorer settings Default_Search_URL HKCU
100 Internet Explorer settings Default_Search_URL HKLM
100 Internet Explorer settings SearchAssistant HKCU
100 Internet Explorer settings SearchAssistant HKLM
100 Internet Explorer settings CustomizeSearch HKCU
100 Internet Explorer settings CustomizeSearch HKLM
100 Internet Explorer settings ProxyServer HKCU
100 Internet Explorer settings ProxyServer HKLM
100 Internet Explorer settings ProxyOverride HKCU
100 Internet Explorer settings ProxyOverride HKLM
100 Internet Explorer settings SearchUrl HKCU
100 Internet Explorer settings SearchUrl HKLM
100 Internet Explorer settings ShellNext HKCU
100 Internet Explorer settings ShellNext HKLM
102 HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
102 HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
104 HKLM\Software\Microsoft\Code Store Database\Distribution Units (ActiveX controls)
106 HKLM\Software\Microsoft\Windows\CurrentVersion\URL (Default url handlers)
120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\VXD\MSTCP : Domain
120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\VXD\MSTCP : NameServer
120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\Tcpip\Parameters : Domain
120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\Tcpip\Parameters : NameServer
120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\Tcpip\Parameters : SearchList
120 Domain/DNS hijacking SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony : DomainName
120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (Nameserver, Domain)
121 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
122 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
135 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (+subkeys)
136 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (+subkeys)
137 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx (+subkeys)
138 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx (+subkeys)
139 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows :Load
140 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows :Run
145 HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
146 HKLM\System\CurrentControlSet\Control\SafeBoot : AlternateShell
147 HKLM\System\CurrentControlSet\Control\SecurityProviders :SecurityProviders
148 HKLM\System\CurrentControlSet\Control\WOW :cmdline
149 HKLM\System\CurrentControlSet\Control\WOW :wowcmdline
150 HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
151 HKLM\Software\Microsoft\Command Processor :Autorun
152 HKCU\Software\Microsoft\Command Processor :Autorun
160 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
166 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+subkeys)
167 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+subkeys)
170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
171 HKCU\Control Panel\Desktop : SCRNSAVE.EXE
172 HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
173 HKCR\*\shellex\ContextMenuHandlers
180 FileType Hijacking

Example of an online analysis
http://www.runscanner.net/report.aspx?report=fa2296eb-085f-441d-a333-b8e3d15e9a7b

Example of the (future) rating of the files - we can see the template of those pages
http://www.runscanner.net/getmd5.aspx?md5=1BD6C2F707A275CB7C16FD99FE0F31CA&process=svchost.exe

Reading the log
State Icons - Far left column
http://assiste.com.free.fr/m/img/runscanner_automatic.png Driver or service starts up automatically
http://assiste.com.free.fr/m/img/runscanner_manual.png Driver or service starts up manually
http://assiste.com.free.fr/m/img/runscanner_disabled.png Driver or service is disabled
http://assiste.com.free.fr/m/img/runscanner_io.png IO Driver
http://assiste.com.free.fr/m/img/runscanner_kernel.png Kernel Driver
Shield Icons - Second column
http://assiste.com.free.fr/m/img/runscanner_v.png Certified with an MD5 - The signature of this file is verified (it is from a trusted source and signed by Verisign, ...).
http://assiste.com.free.fr/m/img/runscanner_n.png No wintrust signature - the file is not signed (this does not mean that the file is malware) - (This function is built into Windows "wintrust.dll").
When hashes are rated, there will be a red shield for parasites. The MD5 hash is used to store the file in the online database. As soon as the final version is ready there will be a rating of the files on the website - At this moment, rating of processes begins.

Dream of the day
The good thing would be that RunScanner acts as a front end for DBs like
Castlecops
http://hashes.castlecops.com/Hashes.html (31 743 604 file hash entries including parasites (this is what we are looking for))
File Advisor File Identification
http://www.bit9.com/index.php (2 054 736 194 file hash entries without parasites (!))
Or rebuild the same DB internally
Or work with distributed DB (RunScanner + Castlecops + File Advisor + Microsoft + other SW editors proposing such DB)

I do believe in this tool
(and, if Trend do the same with HijackThis as they do with CWShredder...)

Need beta testing and upload of logs to feed the DB
If many people do an online analysis, it will rapidly grow.

HowTo
Download > Unzip > Run (no install) > Do a scan > do an « Online Analysis »

Links
Who is Geert ? Other works
http://www.lansweeper.com
http://www.moernaut.com
A French thread - Discussion en français sur RunScanner
http://assiste.forum.free.fr/viewtopic.php?t=14974&start=60&postdays=0&postorder=asc&highlight=
A French page
http://assiste.com.free.fr/p/logitheque/runscanner.html
Forum at RunScanner.net
http://forum.runscanner.net/default.aspx?g=forum
A thread at Wilders Security Forums
http://www.wilderssecurity.com/showthread.php?t=167310&highlight=runscanner

Sorry for my English : :)

Sincerely
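
Added example (not from any poster and not RunScanner's code): the log comparison suggested earlier in the thread, applied to entries from the scanned-item list above. The pipe-separated snapshot format, the `Entry` fields and all sample paths, names and hashes are assumptions constructed for illustration; RunScanner's real .run and .log formats are not shown on this page.

```python
# Added example: the snapshot line format is an assumption, not RunScanner's.
from typing import NamedTuple

class Entry(NamedTuple):
    item: str      # item number from the list above, e.g. "002"
    location: str  # registry key or folder
    name: str      # value or file name
    command: str   # what gets launched
    md5: str       # MD5 of the target file, "" if unknown

def parse_snapshot(text):
    """Parse 'item|location|name|command|md5' lines into a dict keyed by entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            raise ValueError(f"malformed line: {raw!r}")
        e = Entry(*fields)
        # Registry paths and value names are case-insensitive on Windows.
        entries[(e.item, e.location.lower(), e.name.lower())] = e
    return entries

def diff_snapshots(old, new):
    """Return entries added, removed, or changed (command and/or md5)."""
    changed = []
    for key in sorted(old.keys() & new.keys()):
        o, n = old[key], new[key]
        why = [f for f in ("command", "md5")
               if getattr(o, f).lower() != getattr(n, f).lower()]
        if why:
            changed.append((n, why))
    return {"added": [new[k] for k in sorted(new.keys() - old.keys())],
            "removed": [old[k] for k in sorted(old.keys() - new.keys())],
            "changed": changed}

# Constructed sample snapshots (paths, names and hashes are made up).
BASELINE = r"""
002|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ExampleTray|C:\Program Files\Example\tray.exe|11111111111111111111111111111111
033|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit|Userinit|C:\WINDOWS\system32\userinit.exe,|22222222222222222222222222222222
135|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|ExampleSetup|C:\Temp\setup.exe /finish|33333333333333333333333333333333
"""
CURRENT = r"""
002|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ExampleTray|C:\Program Files\Example\tray.exe|44444444444444444444444444444444
033|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit|Userinit|C:\WINDOWS\system32\userinit.exe,C:\Example\extra.exe|22222222222222222222222222222222
003|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ExampleUpdater|C:\Example\updater.exe|55555555555555555555555555555555
"""

if __name__ == "__main__":
    report = diff_snapshots(parse_snapshot(BASELINE), parse_snapshot(CURRENT))
    for kind in ("added", "removed"):
        for e in report[kind]:
            print(f"{kind.upper():8}{e.item} {e.location} [{e.name}] -> {e.command}")
    for e, why in report["changed"]:
        print(f"CHANGED {e.item} {e.location} [{e.name}] ({', '.join(why)}) -> {e.command}")
```

An entry whose command is unchanged but whose hash differs (item 002 in the sample) is reported as changed, which catches a file replaced in place that a name-only comparison would miss.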

AJohn
April 24th, 2007, 11:30 PM
This is exactly what I have been hoping for lately! Time to beta test ;D

Kees1958
April 25th, 2007, 01:47 AM
Nice app,

Running ok, added 5 fields to watch in my EQSecure registry protection. Thanks, very helpful info on startup protection

Regards K

AJohn
April 26th, 2007, 01:21 AM
Added about 50 or so entries into the online database, hope this helps. Runs smooth so far.