There are two especially powerful tools from Sysinternals that can help a lot when searching for suspected threats on our systems:

1. Autoruns for Windows
2. Process Explorer (Procexp)

AUTORUNS :

You can download Autoruns for Windows from http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Runs on Windows XP and higher and Server 2003 and higher.

Autoruns groups the autostart locations it scans into the following tabs:

Logon - Scans the standard autostart locations such as the Startup folder for the current user and all users, the Run Registry keys, and standard application launch locations.
Explorer - Shows Explorer shell extensions, browser helper objects, Explorer toolbars, Active Setup executions, and shell execute hooks.
Internet Explorer - Shows Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions.
Services - All Windows services configured to start automatically when the system boots.
Drivers - All kernel-mode drivers registered on the system except those that are disabled.
Scheduled Tasks - Task Scheduler tasks configured to start at boot or logon.
AppInit DLLs - DLLs registered as application initialization DLLs, which get loaded into every process that links user32.dll.
Boot Execute - Native images (as opposed to Windows images) that run early during the boot process.
Image Hijacks - Image File Execution Options and command prompt autostarts.
Known DLLs - The location of DLLs that Windows loads into applications that reference them.
Winlogon Notifications - DLLs that register for Winlogon notification of logon events.
Winsock Providers - Registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can uninstall them, but cannot disable them.
LSA Providers - Registered Local Security Authority (LSA) authentication, notification and security packages.
Printer Monitor Drivers - DLLs that load into the print spooling service. Malware has used this support to autostart itself.
Sidebar - Windows Vista sidebar gadgets.

Getting More Information about an Entry

There are several ways to get more information about an autorun location or entry. To view a location or entry in Explorer or Regedit, choose Jump To in the Entry menu or double-click on the entry's or location's line in the display. You can view Explorer's file properties dialog for an entry's image file by choosing Properties in the Entry menu. You can also have Autoruns automatically execute an Internet search in your browser by selecting Search Online in the Entry menu.

Using Autoruns to find suspicious entries

Autoruns is the most complete and reliable tool we have for enumerating where a file is configured to start automatically. It does not decide for you whether a file is legitimate or suspicious, but it puts the publisher, the signature status, the image path and the registry location in front of you so that you can make that call. Download and run Autoruns. Once it is executed it can take a few minutes to scan all the entries on your computer. When the scan is done, open "Options" at the top, enable "Verify Code Signatures", then select "Hide Microsoft and Windows entries" (newer releases split this into "Hide Microsoft Entries" and "Hide Windows Entries") and click the refresh button. Enabling signature verification first matters: with it off, Autoruns hides entries based only on the company name stored in the file's version resource, which malware can set to "Microsoft Corporation" at will; with it on, only entries whose Microsoft signature actually verifies are hidden. Whatever is left behind is the set of load points a threat on your system would normally use. Browse through each of the tabs and check whether you find anything without a publisher, with a "(Not verified)" publisher, or with a suspicious name or location (for example an executable or DLL starting from a user's Temp or AppData folder). For each entry you get the location of the file and the registry key or folder it starts from. The best part is that if you are not sure about a file, you can just right-click on it and click "Search Online", and Autoruns will search for information on that file or entry. Once you have found a suspicious entry you can either uncheck it to disable it (reversible, and a safer first step), delete it by right-clicking on it, or submit the file to Symantec Security Response so that they can review the file and get back to you. If it is clean you will get a mail saying so. If it is a threat you will get a mail with complete steps on how to get rid of it and what it actually is (Trojan/Worm/Spyware etc.). To submit the file to Symantec Security Response go to https://submit.symantec.com/retail or /basic or /Essential or /BCS depending on your support contract with Symantec.
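The manual pass above (hide verified Microsoft entries, then look at publisher, path and launch string of what is left) can also be run over a saved Autoruns export, which is handy when autorunsc output is collected from several machines. The script below is an added example written for this article; it is not Sysinternals code and not part of the original post. It assumes the CSV column layout produced by `autorunsc.exe -accepteula -a * -c -h -s -nobanner` on recent releases (Entry Location, Entry, Enabled, Category, Profile, Description, Signer, Company, Image Path, Version, Launch String and the hash columns); the sample rows embedded in it are constructed, not taken from a real host.

```python
"""Triage an Autoruns CSV export the way the manual procedure does.

Added example written for this article; it is not Sysinternals code. It assumes
the column layout of `autorunsc.exe -accepteula -a * -c -h -s -nobanner`
(recent releases). Check the header of your own export, older builds have fewer
columns. The SAMPLE_CSV rows below are constructed, not taken from a real host.
"""
import csv
import io
import re

# Anything a standard user can write to. A legitimate autostart rarely lives here.
USER_WRITABLE = re.compile(
    r"\\(?:AppData|Local Settings|Temp|ProgramData|Users\\Public|\$Recycle\.Bin|Recycler)\\",
    re.IGNORECASE,
)
# Windows binaries that run someone else's code; the payload is in the arguments.
PROXY_HOSTS = re.compile(
    r"\b(?:rundll32|regsvr32|mshta|wscript|cscript|powershell)(?:\.exe)?\b", re.IGNORECASE
)

SAMPLE_CSV = "\n".join([  # constructed rows in autorunsc -c -h -s layout
    "Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String,MD5,SHA-1,PESHA-1,PESHA-256,SHA-256,IMP",
    r'"","HKLM\System\CurrentControlSet\Services","Dnscache","enabled","Services","System-wide","DNS Client","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\dnsrslvr.dll","10.0.19041.1","C:\Windows\system32\svchost.exe -k NetworkService -p","","","","","",""',
    r'"","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Adobe ARM","enabled","Logon","System-wide","Adobe Reader and Acrobat Manager","(Verified) Adobe Inc.","Adobe Inc.","c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe","1.824.42.387","""C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe""","","","","","",""',
    r'"","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","WindowsUpdate","enabled","Logon","CONTOSO\alice","","","","c:\users\alice\appdata\roaming\wupdate\svchost.exe","","""C:\Users\alice\AppData\Roaming\wupdate\svchost.exe"" -s","","","","","4f0c2e6a1b9d8c7f5e3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0",""',
    r'"","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Updater","enabled","Logon","System-wide","","(Not verified) Microsoft Corporation","Microsoft Corporation","c:\windows\temp\upd.dll","1.0.0.1","rundll32.exe C:\Windows\Temp\upd.dll,Start","","","","","9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b",""',
    r'"","Task Scheduler","\Maintenance\Cleanup","disabled","Tasks","System-wide","","","","File not found: C:\ProgramData\clean\clean.exe","","C:\ProgramData\clean\clean.exe","","","","","",""',
])


def triage_autoruns_csv(csv_text):
    """Return the entries that survive 'hide verified Microsoft entries', each
    with the reasons it deserves a look, most suspicious first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        signer = (row.get("Signer") or "").strip()
        # Same rule Autoruns applies with Verify Code Signatures on: only a
        # *verified* Microsoft signature hides an entry. A bare company string
        # in the version resource is not trusted; malware can set it freely.
        if signer.startswith("(Verified) Microsoft"):
            continue
        image = (row.get("Image Path") or "").strip()
        launch = (row.get("Launch String") or "").strip()
        reasons = []
        if not signer:
            reasons.append("no publisher / unsigned")
        elif signer.startswith("(Not verified)"):
            reasons.append("publisher string present but signature does not verify")
        if image.lower().startswith("file not found"):
            reasons.append("image not found on disk (orphaned entry, or file hidden)")
        elif USER_WRITABLE.search(image):
            reasons.append("image in a user-writable directory")
        if PROXY_HOSTS.search(launch):
            reasons.append("started through a proxy host; review its argument, not the host")
        if (row.get("Enabled") or "").lower() != "enabled":
            reasons.append("currently disabled; could be re-enabled later")
        findings.append({
            "entry": row.get("Entry", ""),
            "location": row.get("Entry Location", ""),
            "category": row.get("Category", ""),
            "signer": signer,
            "image": image,
            "sha256": row.get("SHA-256", ""),  # the value to submit or look up
            "reasons": reasons,
        })
    # Stable sort: entries with the same score keep the export's order.
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
        # Some autorunsc builds write UTF-16 with a BOM when redirected to a file.
        text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8-sig")
    else:
        text = SAMPLE_CSV
    for f in triage_autoruns_csv(text):
        print(f"[{len(f['reasons'])}] {f['category']}: {f['entry']} <- {f['image']}")
        for r in f["reasons"]:
            print("     -", r)
```

Run it with the path of an export as the only argument, or with no argument to see it work on the constructed sample. Everything it returns still needs a human look: a verified non-Microsoft publisher in Program Files scores zero and is listed only so that nothing silently disappears, while an entry with a Microsoft company string whose signature does not verify, started through rundll32 from a Temp folder, comes out on top and carries the SHA-256 you would submit to Security Response.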
PROCEXP :

You can download this tool from http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

It can be used on Windows XP and higher and Server 2003 and higher.

Process Explorer is an advanced process management utility; you can think of it as an advanced version of Task Manager. You can view detailed information about a process including its icon, command line, full image path, memory statistics, user account, security attributes, and more. When you highlight a particular process you can view the DLLs it has loaded or the operating system resource handles it has open.

When we look at Task Manager we are not able to determine which files are legitimate and which are unknown or threat files, and we cannot see where the image is located on disk. Threats often run as a service DLL hosted by svchost.exe or as a DLL launched via rundll32.exe, so Task Manager only shows that svchost.exe or rundll32.exe is running; with Procexp we can see the full command line of that host process, which DLL is loaded under it, and where that file is located. Procexp also colour-codes processes (for example services, packed images and processes in the current user's session) and shows a Company Name and, once "Verify Image Signatures" is enabled in the Options menu, a Verified Signer against each process, which makes it easier to determine whether a process is legitimate or suspicious. Once we have the filename we can submit it to https://submit.symantec.com/retail or /basic or /Essential or /BCS depending on your support contract with Symantec.
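To make concrete what Procexp shows for a hosted DLL, here is an added example (not code from the original article or from Sysinternals) that resolves the DLL behind a svchost.exe or rundll32.exe command line the way Procexp's Command Line column and lower-pane DLL view let you do by hand. It assumes the svchost syntax (-k <group>, optional -s <service> on Windows 10 and later) and the rundll32 syntax (<dll>,<entry point> [args]); the service-group and ServiceDll tables are constructed stand-ins for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll, which is where a live lookup would read them.

```python
r"""Resolve the DLL actually running behind a svchost.exe or rundll32.exe.

Added example written for this article; not Sysinternals code. Process Explorer
does this for you (Command Line column plus the lower-pane DLL view); this makes
the same logic explicit so it can be applied to saved process listings. The
registry tables are constructed stand-ins for
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (group -> services)
and HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\ServiceDll.
"""
import re

# Where system and properly installed code lives. Everything else gets flagged.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)

# Constructed stand-ins for the registry (see module docstring).
ENV = {"SystemRoot": r"C:\Windows"}
SVCHOST_GROUPS = {"netsvcs": ["Schedule", "wuauserv", "svcupd"]}
SERVICE_DLLS = {
    "Schedule": r"%SystemRoot%\system32\schedsvc.dll",
    "wuauserv": r"%SystemRoot%\system32\wuaueng.dll",
    "svcupd":   r"C:\ProgramData\svcupd\svcupd.dll",   # the odd one out
}


def _tokens(cmdline):
    """Windows-style split: a quoted run is one token, quotes removed."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _expand(path, env):
    """Expand %VAR% the way REG_EXPAND_SZ values such as ServiceDll need."""
    for name, value in env.items():
        path = re.sub("%" + re.escape(name) + "%", lambda _m: value, path, flags=re.IGNORECASE)
    return path


def _why_suspicious(dll):
    low = dll.lower()
    if "\\" not in low:
        return "unqualified name, resolved through the DLL search path; check which copy loads"
    if not low.startswith(TRUSTED_DIRS):
        return "outside the system and Program Files directories"
    return None


def resolve_host(cmdline, svchost_groups=SVCHOST_GROUPS, service_dlls=SERVICE_DLLS, env=ENV):
    """Return {'host', 'loads', 'flags'} for one process command line.

    loads: for svchost one {'service','dll'} per hosted service; for rundll32
    one {'dll','entry','args'}. flags: human-readable reasons to look closer."""
    toks = _tokens(cmdline)
    exe = toks[0].rsplit("\\", 1)[-1].lower() if toks else ""
    result = {"host": None, "loads": [], "flags": []}

    if exe == "svchost.exe":
        result["host"] = exe
        group = single = None
        for i, t in enumerate(toks):
            if t.lower() == "-k" and i + 1 < len(toks):
                group = toks[i + 1]          # service group to host
            elif t.lower() == "-s" and i + 1 < len(toks):
                single = toks[i + 1]         # Win10+: host only this one service
        for svc in ([single] if single else svchost_groups.get(group, [])):
            result["loads"].append({"service": svc, "dll": _expand(service_dlls.get(svc, ""), env)})

    elif exe == "rundll32.exe":
        result["host"] = exe
        # rundll32 <dll>,<entry> [args]: the DLL may be quoted and contain spaces;
        # the entry point runs from the comma to the next whitespace.
        rest = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)', cmdline, re.S).group(1)
        if rest.startswith('"'):
            end = rest.find('"', 1)
            end = len(rest) if end < 0 else end
            dll, rest = rest[1:end], rest[end + 1:]
        else:
            m = re.match(r"[^,\s]*", rest)
            dll, rest = m.group(0), rest[m.end():]
        entry = args = ""
        m = re.match(r"\s*,\s*(\S*)\s*(.*)", rest, re.S)
        if m:
            entry, args = m.group(1), m.group(2).strip()
        result["loads"].append({"dll": _expand(dll, env), "entry": entry, "args": args})

    for load in result["loads"]:
        label = load.get("service") or load["dll"]
        why = _why_suspicious(load["dll"]) if load["dll"] else "no ServiceDll registered"
        if why:
            result["flags"].append(f"{label}: {why}")
    return result


if __name__ == "__main__":
    for cmd in (r"C:\Windows\system32\svchost.exe -k netsvcs -p",
                r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\hlp.dll",DllRegisterServer'):
        r = resolve_host(cmd)
        print(cmd, "->", r["loads"], "flags:", r["flags"])
```

The point the example makes is the one the paragraph makes: the process name tells you nothing, the argument does. For a svchost instance that hosts a whole group, every ServiceDll in that group is a candidate and the one living under ProgramData is the one to pull; for rundll32, the DLL path and entry point in the command line are the payload, and an unqualified name such as shell32.dll should make you check which copy actually got loaded (Procexp's DLL view shows the resolved path).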
New article on this topic now available!
Using Today's SymHelp to Combat Today's Threats https://www-secure.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats
This new article may be of interest to anyone needing to send files to Security Response for analysis:
Symantec Insider Tip: Successful Submissions! https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions
Many thanks!
Mick
The latest release of SymHelp includes enhanced capabilities for threat detection and removal. For details, please see:
About the Threat Analysis Scan http://www.symantec.com/docs/TECH215550
How to run the Threat Analysis Scan in Symantec Help (SymHelp) http://www.symantec.com/docs/TECH215519
Just a quick note: NSS is currently past its End Of Life (EOL). Using Symantec Power Eraser in its place:
About Symantec Power Eraser http://www.symantec.com/docs/TECH134803
How to run Symantec Power Eraser with the SymHelp utility http://www.symantec.com/docs/TECH203683
"About buying 'tools' *like* HijackThis or similar... I've 'no comments' on it. I would leave it to Symantec to decide. However, you may post this in the "Ideas" section."

It was a 'thought' in response to int3rn3t's statement... "Symantec is such a big company and it keeps buying companies, so why doesn't it buy something like Sysinternals, HijackThis, GMER etc."