RunScanner : needs beta testers

Discussion in 'other anti-malware software' started by RunScanner, Mar 2, 2007.

Thread Status:
Not open for further replies.
  1. RunScanner

    RunScanner Registered Member

    Joined:
    Feb 27, 2007
    Posts:
    58
    Meanwhile version 0.9.0.0 is uploaded.
    You can now create an online analysis, but not all processes are whitelisted yet. (still working on that)
     
  2. EASTER.2010

    EASTER.2010 Guest

    Going along fine here as well, lots of detail which are easy to read and make sense of.
     
  3. Bio-Hazard

    Bio-Hazard Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    529
    Location:
    Cornwall, UK
    Looks good. Developing fast.
     
  4. Assiste.com

    Assiste.com Registered Member

    Joined:
    Dec 21, 2003
    Posts:
    18
    Location:
    Here and now
    Hi to all,

    Recap

    RunScanner
    A new tool to analyze all autostart locations
    A replacement for HijackThis / Autoruns...
    state : beta
    RunScanner is compatible with those versions of Windows
    All versions of Windows beginning at Windows 2000

    What does it do ?
    • Do a log of (at that time) 73 autostart locations
    • Do an on line analysis of the log
    • Very easy to read and comfortable
    • Ability to fix
    • Use hashes (ie : official from Microsoft and an internal DB)
    • And the best for us (helpers and experts)
      • A user can save the .run file
      • A user can send the .run file to an expert - (We can receive a .run file)
      • We can analyze the .run file with RunScanner
      • We can mark items that need fixing
      • We can send the .run file back to the user with items marked
      • The user re-opens the .run file with his RunScanner and fixes what we checked
      Miscellaneous
      • Check to see if user has administrator rights
      • Lookup at google.com to maingrid
      • Process killer : Start explorer (if all your explorers are killed)
      • Kill process popup menu
        • Kill and rename of process
        • Kill and delete of process
        • Delete at next reboot of process file
        • Copy to clipboard
        • Open location
        • Show file properties
      • Many ways for marking of items (space, doubleclick, popupmenu)
      • Whitelist
      • Importing of .run files directly from internet links
      • Possibility to save text .log files. (to post in forums, ...)
      • Service information (enabled, disabled, automatic)
      • Driver information (kernel, IO, enabled, disabled, automatic)
      • Username/Domain in the process killer list
      • Regedit jump jumps to values
      Currently scanned items
      000 Items in the header of the log
      • General info:
      • Runscanner Version
      • Time of scan
      • Type of scan (full, quick)
      • Productname
      • Service Pack
      • Version Build
      • Language
      • Internet explorer version
      • Windir
      001 Running processes
      002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
      003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
      004 C:\Documents and Settings\<CurrentUser>\Start Menu\Programs\Startup
      005 C:\Documents and Settings\<AllUsers>\Start Menu\Programs\Startup
      006 %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
      007 %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
      010 Windows services
      011 Windows drivers
      030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
      031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
      032 HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
      033 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
      034 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
      035 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
      036 HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
      037 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
      038 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
      040 HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
      041 HKCU\Software\Microsoft\Internet Explorer\Toolbar
      042 HKLM\Software\Microsoft\Internet Explorer\Extensions
      043 HKCU\Software\Microsoft\Internet Explorer\Extensions
      044 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
      045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
      050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
      051 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
      052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
      060 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
      061 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
      062 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
      063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
      064 HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
      065 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (Debugger)
      066 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
      067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
      068 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\ (Current_Protocol_Catalog)
      107 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\ (Current_NameSpace_Catalog)
      069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitor
      070 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
      071 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
      072 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
      073 %windir%\Tasks
      074 %windir%\System32\Tasks
      100 Internet Explorer settings Start Page HKCU
      100 Internet Explorer settings Start Page HKLM
      100 Internet Explorer settings Search Page HKCU
      100 Internet Explorer settings Search Page HKLM
      100 Internet Explorer settings Default_Page_URL HKCU
      100 Internet Explorer settings Default_Page_URL HKLM
      100 Internet Explorer settings Default_Search_URL HKCU
      100 Internet Explorer settings Default_Search_URL HKLM
      100 Internet Explorer settings SearchAssistant HKCU
      100 Internet Explorer settings SearchAssistant HKLM
      100 Internet Explorer settings CustomizeSearch HKCU
      100 Internet Explorer settings CustomizeSearch HKLM
      100 Internet Explorer settings ProxyServer HKCU
      100 Internet Explorer settings ProxyServer HKLM
      100 Internet Explorer settings ProxyOverride HKCU
      100 Internet Explorer settings ProxyOverride HKLM
      100 Internet Explorer settings SearchUrl HKCU
      100 Internet Explorer settings SearchUrl HKLM
      100 Internet Explorer settings ShellNext HKCU
      100 Internet Explorer settings ShellNext HKLM
      102 HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
      102 HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
      104 HKLM\Software\Microsoft\Code Store Database\Distribution Units (ActiveX controls)
      106 HKLM\Software\Microsoft\Windows\CurrentVersion\URL (Default url handlers)
      120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\VXD\MSTCP : Domain
      120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\VXD\MSTCP : NameServer
      120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\Tcpip\Parameters : Domain
      120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\Tcpip\Parameters : NameServer
      120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\Tcpip\Parameters : SearchList
      120 Domain/DNS hijacking SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony : DomainName
      120 Domain/DNS hijacking SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (Nameserver, Domain)
      121 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
      122 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
      135 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (+subkeys)
      136 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (+subkeys)
      137 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx (+subkeys)
      138 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx (+subkeys)
      139 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows :Load
      140 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows :Run
      145 HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
      146 HKLM\System\CurrentControlSet\Control\SafeBoot : AlternateShell
      147 HKLM\System\CurrentControlSet\Control\SecurityProviders :SecurityProviders
      148 HKLM\System\CurrentControlSet\Control\WOW :cmdline
      149 HKLM\System\CurrentControlSet\Control\WOW :wowcmdline
      150 HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
      151 HKLM\Software\Microsoft\Command Processor :Autorun
      152 HKCU\Software\Microsoft\Command Processor :Autorun
      160 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
      161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
      166 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+subkeys)
      167 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+subkeys)
      170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
      171 HKCU\Control Panel\Desktop : SCRNSAVE.EXE
      172 HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
      173 HKCR\*\shellex\ContextMenuHandlers
      180 FileType Hijacking
    Example of an online analysis
    http://www.runscanner.net/report.aspx?repo...33-b8e3d15e9a7b

    Example of the (future) rating of the files - we can see the template of those pages
    http://www.runscanner.net/getmd5.aspx?md5=...ess=svchost.exe

    Reading the log

    Dream of the day
    The good thing would be that RunScanner act as a front end for DBs like
    • Castlecops
      http://hashes.castlecops.com/Hashes.html (31 743 604 file hash entries including parasites (this is what we are looking for))
    • File Advisor File Identification
      http://www.bit9.com/index.php (2 054 736 194 file hash entries without parasites (!))
    • Or rebuild the same kind of DB internally
    • Or work with a distributed DB (RunScanner + Castlecops + File Advisor + Microsoft + other SW editors proposing such a DB)
    I do believe in this tool
    (and, if Trend do the same with HijackThis as they do with CWShredder...)

    Need beta testing and upload of logs to feed the DB
    If many people do an online analysis, it will rapidly grow.

    HowTo
    Download > Unzip > Run (no install) > Do a scan > do an « Online Analysis »

    Links

    Sorry for my English :)

    Sincerely
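The hash step in the recap above (scan the Run keys, resolve each entry to the file it actually launches, hash that file and compare it with a known-good DB) as an added example, not RunScanner's or Assiste.com's own code. It uses SHA-256 where the report URL suggests RunScanner keyed on MD5, a small constructed whitelist in place of the online DB, and constructed sample files in a temp directory in place of real autostart targets; the registry key names are the page's 002/003 Run locations.

```python
"""Autostart entry hash check (constructed demo, not RunScanner code).

Given entries shaped like RunScanner's 002/003 Run-key lines
(registry key, value name, command line), resolve the command line to the
image it launches, hash it with SHA-256 and look the digest up in a whitelist.
"""
import hashlib
import os
import re
import tempfile


def expand_env(text, env):
    """Expand %NAME% references using the supplied mapping (keys uppercase)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), text)


def image_path_from_command(cmdline, env=None):
    """Return the executable (or rundll32-hosted DLL) a command line starts."""
    s = expand_env(cmdline.strip(), env or {})
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                 # unterminated quote: take the remainder
            return s[1:]
        path, rest = s[1:end], s[end + 1:].strip()
    else:
        tokens = s.split()
        if not tokens:
            return ""
        # Unquoted: CreateProcess tries progressively longer prefixes of the
        # command line until one names a file; mimic that so paths with
        # spaces resolve the way Windows would resolve them.
        path, rest = tokens[0], " ".join(tokens[1:])
        for i in range(1, len(tokens) + 1):
            candidate = " ".join(tokens[:i])
            if os.path.isfile(candidate):
                path, rest = candidate, " ".join(tokens[i:])
                break
    # rundll32.exe is itself whitelisted everywhere; the DLL it loads
    # (first argument, before the comma) is what actually needs rating.
    if os.path.basename(path).lower() == "rundll32.exe" and rest:
        return rest.split(",", 1)[0].strip().strip('"')
    return path


def sha256_of_file(path):
    """Stream the file so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_entries(entries, whitelist, env=None):
    """Rate each (key, name, cmdline) as whitelisted, unknown or missing."""
    results = []
    for key, name, cmdline in entries:
        image = image_path_from_command(cmdline, env)
        if not os.path.isfile(image):
            digest, verdict = None, "missing"      # dangling autostart entry
        else:
            digest = sha256_of_file(image)
            verdict = "whitelisted" if digest in whitelist else "unknown"
        results.append({"key": key, "name": name, "image": image,
                        "sha256": digest, "verdict": verdict})
    return results


def build_demo():
    """Constructed sample data: three fake images, a whitelist, four entries."""
    base = tempfile.mkdtemp(prefix="autostart_demo_")
    good = os.path.join(base, "goodtool.exe")
    dll = os.path.join(base, "helper.dll")
    unknown = os.path.join(base, "updater.exe")
    for path, data in ((good, b"MZ good tool"), (dll, b"MZ helper dll"),
                       (unknown, b"MZ unknown updater")):
        with open(path, "wb") as handle:
            handle.write(data)
    whitelist = {sha256_of_file(good): "goodtool.exe (constructed vendor hash)",
                 sha256_of_file(dll): "helper.dll (constructed vendor hash)"}
    env = {"DEMODIR": base}
    hklm = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    hkcu = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    entries = [
        (hklm, "GoodTool", '"%s" /silent' % good),
        (hklm, "Loader", 'rundll32.exe "%s",Start' % dll),
        (hkcu, "Updater", "%s -background" % unknown),
        (hkcu, "Gone", "%DEMODIR%" + os.sep + "gone.exe"),
    ]
    return entries, whitelist, env


if __name__ == "__main__":
    demo_entries, demo_whitelist, demo_env = build_demo()
    for row in classify_entries(demo_entries, demo_whitelist, demo_env):
        print(row["verdict"].ljust(12), row["name"].ljust(10), row["image"])
```

Two points the demo makes that a plain hash lookup misses: a `rundll32.exe` entry is only as trustworthy as the DLL named after it, and an unquoted path is resolved the way the loader resolves it, so the file that gets hashed is the file that would run.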
     
  5. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    This is exactly what I have been hoping for lately! Time to beta test :D
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Nice app,

    Running OK; added 5 fields to watch in my EQSecure registry protection. Thanks, very helpful info on startup protection.

    Regards K
     
  7. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Added about 50 or so entries into the online database, hope this helps. Runs smooth so far.
     