
How to find Suspected Threats on your computer.

Created: 19 Jun 2009 • Updated: 11 Sep 2009 | 31 comments
Vikram Kumar-SAV to SEP

There are two very powerful tools from Sysinternals that can help us a great deal in our search for
suspected threats on our systems:
1. Autoruns for Windows
2. Procexp (Process Explorer)

AUTORUNS:
You can download Autoruns for Windows from
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Runs on Windows XP and higher, and Server 2003 and higher.

Autoruns groups autostart locations into the following tabs:

Logon: Scans the standard autostart locations such as the Startup folder for
the current user and all users, the Run registry keys, and standard
application launch locations.

Explorer: Shows Explorer shell extensions, browser helper objects, Explorer
toolbars, Active Setup executions, and shell execute hooks.

Internet Explorer: Shows Browser Helper Objects (BHOs), Internet Explorer
toolbars and extensions.

Services: All Windows services configured to start automatically when the
system boots.

Drivers: Displays all kernel-mode drivers registered on the system except
those that are disabled.

Scheduled Tasks: Task Scheduler tasks configured to start at boot or logon.

AppInit DLLs: Shows DLLs registered as application initialization DLLs.

Boot Execute: Native images (as opposed to Windows images) that run early
during the boot process.

Image Hijacks: Image File Execution Options and command prompt autostarts.

Known DLLs: Reports the location of DLLs that Windows loads into
applications that reference them.

Winlogon Notifications: Shows DLLs that register for Winlogon notification
of logon events.

Winsock Providers: Shows registered Winsock protocols, including Winsock
service providers. Malware often installs itself as a Winsock service
provider because there are few tools that can remove them. Autoruns can
uninstall them, but cannot disable them.

LSA Providers: Shows registered Local Security Authority (LSA)
authentication, notification and security packages.

Printer Monitor Drivers: Displays DLLs that load into the print spooling
service. Malware has used this support to autostart itself.

Sidebar: Displays Windows Vista Sidebar gadgets.

Getting More Information about an Entry
There are several ways to get more information about an autorun location
or entry. To view a location or entry in Explorer or Regedit, choose Jump To
in the Entry menu or double-click on the entry's or location's line in the
display. You can view Explorer's file properties dialog for an entry's image
file by choosing Properties in the Entry menu. You can also have Autoruns
automatically run an Internet search in your browser by selecting
Search Online in the Entry menu.

Autoruns is the best and most reliable tool (since it is from Microsoft
Sysinternals) for determining whether a file is legitimate or
suspicious.
Download and run Autoruns. Once it is executed it sometimes takes a few
minutes to scan all the entries on your computer.
Once this is done, click on "Options" at the top, select "Hide Microsoft
and Windows entries" and then click on the refresh button.
Whatever is left behind is the common load point for any threat on
your system.
Browse through each of the tabs to check whether you find anything without a
publisher or with a suspicious name.
You will get the location and the registry entry for that file.
The best part is, if you are not sure about a file, just right-click on it and
click "Search Online" and it will try to find some information on that file or
entry. Once you have found any suspicious entries, either go ahead and
delete them by right-clicking on them, or submit them to Symantec Security
Response so that they will review the file and get back to you.
If it is clean you will get a mail saying that it is clean. If it is a threat you will get a
mail with complete steps on how to get rid of it and what it actually is
(Trojan/Worm/Spyware etc.).
To submit the file to Symantec Security Response go to
https://submit.symantec.com/retail, /basic, /Essential or /BCS
depending on your support contract with Symantec.

PROCEXP:

You can download this tool from
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
It can be used on Windows XP and higher, and Server 2003 and higher.

Process Explorer is an advanced process management utility. You can think of
it as an advanced version of Task Manager.
You can view detailed information about a process including its icon,
command line, full image path, memory statistics, user account, security
attributes, and more. When you highlight a particular process you can view
the DLLs it has loaded or the operating system resource handles it has
open.
When we look at Task Manager we are not able to determine which files are
legitimate and which are unknown or threat files; with Process Explorer we can,
and we also get the location where the file is stored.
Threats mostly load under svchost.exe or rundll32.exe, so Task Manager
just shows that either svchost or rundll32 is running, but when we use
Procexp we can see which DLL or which file is loading under these, and its
location as well.
It also has colour coding and a publisher name against each process, which
makes it easier for us to determine whether it is legitimate or suspicious.
Once we have the filename we can submit it to
https://submit.symantec.com/retail, /basic, /Essential or /BCS
depending on your support contract with Symantec.
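As an added example (not part of the original article or of the Sysinternals tools), the Python script below applies the same checks the two sections above describe by hand, over a constructed Autoruns listing exported as CSV: it drops the Microsoft and Windows entries, then flags what remains for a missing publisher, an image outside the usual install directories, or a launch through rundll32.exe/svchost.exe. The column names, publisher strings and trusted directories are assumptions, and the script only reads what Autoruns recorded; it does not verify signatures itself.

```python
import csv
import io
import re

# Constructed Autoruns CSV export; column names and every value are assumptions.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Publisher,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows security notification,Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Acrobat Assistant,enabled,Logon,Adobe Acrobat Assistant,Adobe Systems Incorporated,c:\program files\adobe\acrotray.exe,"C:\Program Files\Adobe\acrotray.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,msupdater,enabled,Logon,,,c:\users\bob\appdata\roaming\msupdater.exe,"C:\Users\bob\AppData\Roaming\msupdater.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,helper,enabled,Logon,,,c:\windows\temp\helper.dll,"rundll32.exe C:\Windows\Temp\helper.dll,Start"
HKLM\SYSTEM\CurrentControlSet\Services,Spooler,enabled,Services,Print Spooler,Microsoft Windows,c:\windows\system32\spoolsv.exe,C:\Windows\System32\spoolsv.exe
"""

# Treated as "Microsoft and Windows entries" (assumes Publisher holds the signer name).
MICROSOFT_PUBLISHERS = {"microsoft windows", "microsoft corporation"}
# Expected install locations; a launch from AppData or Windows\Temp gets a second look.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")
# A DLL run through these shows in Task Manager only as svchost/rundll32.
HOST_PROCESSES = {"rundll32.exe", "svchost.exe"}


def host_process(launch_string):
    """Lowercased basename of the program a launch string starts with,
    honouring a quoted path that contains spaces."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', launch_string)
    if not m:
        return ""
    return (m.group(1) or m.group(2)).lower().rsplit("\\", 1)[-1]


def triage(csv_text):
    """Drop Microsoft/Windows entries, then tag what is left with reasons to look
    closer. Returns {entry name: [reasons]}; an empty list means nothing stood out."""
    remaining = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        publisher = row["Publisher"].strip().lower()
        if publisher in MICROSOFT_PUBLISHERS:
            continue  # the "Hide Microsoft and Windows entries" step
        reasons = []
        if not publisher:
            reasons.append("no publisher")
        if not row["Image Path"].strip().lower().startswith(TRUSTED_PREFIXES):
            reasons.append("image outside Windows\\System32 or Program Files")
        host = host_process(row["Launch String"])
        if host in HOST_PROCESSES:
            reasons.append("loaded via " + host)
        remaining[row["Entry"]] = reasons
    return remaining
```

Run `triage(SAMPLE_CSV)` to see the two Microsoft-signed rows disappear and the two unsigned rows come back with their reasons, while the Adobe entry stays listed with an empty reason list.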

Comments (31)

Bijay.Swain:

Nice Article.

I do use Process explorer but will try Autoruns for Windows.

Vikram Kumar-SAV to SEP:

I find autoruns the most powerful tool.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Bijay.Swain:

Autoruns is a very good utility. It helps a lot.

Aniket Amdekar:

Brilliant tool. I use it myself a lot of times to find the anomalies in the systems.

A few screenshots would help a lot!

abdi_cinta:

And how to detect a new variant of hidden rootkit before it is recognized via AV virus definition data?

Do you have a simple method?

Thanks

Vikram Kumar-SAV to SEP:

Here's my article specifically on rootkits.
https://www-secure.symantec.com/connect/articles/rootkit-intruder-living-your-kernel

mon_raralio:

I used them too. Process Explorer and that other application (forgot what it was) sometimes fail to stop a process. Don't know what to do then.

“Your most unhappy customers are your greatest source of learning.”

Dugie:

When using SysInternals' Process Explorer you must first SUSPEND the virus process and associated processes. After you suspend them you can then kill them.

If you kill the main virus first other buddy virus processes will just start up another instance of the virus.

When you have time I would suggest watching the Malware video at Sysinternals.com

Nel Ramos:

The Autoruns tool is very valuable...
We already tried it..
Thanks...

Nel Ramos

Maximilian:

I have used Sysinternal files before but never these two programs. They look pretty impressive. For autoruns I have been using hijackthis but it is not as advanced as this tool.

cable mite:

Maximilian - I too used hijackthis, however the product is no longer updated. Autoruns is regularly revised to add new autostart locations.

------------------------------------------------------------
MR99 will fix it all.

mon_raralio:

Symantec has a tool similar to hijackthis, although I think it installs itself before running, unlike hijackthis which runs as is.
And unlike hijackthis, it has a more in-depth report in .mht format to be opened with a web browser.

Aniket Amdekar:

Hi,

Are you referring to SymBatchDiag or ESUG logs tool?

Aniket

Nel Ramos:

What tool is that, Mon?
Do you have a link to its specs and options?
Thanks.

mon_raralio:

Sorry for the late reply, yes, Aniket is right on the Symantec tool I used. And from the looks of it, it looks like it's installing something. At least that's what the GUI looks like when running.


Vikram Kumar-SAV to SEP:

Symantec has only the ESUG LoadPoint diag. tool, which gives a detailed report in .htm.


Vikram Kumar-SAV to SEP:

https://www-secure.symantec.com/connect/downloads/load-point-diagnostic-utility-identify-suspected-threats


Int3rn3t:

Hi Vikram,

Good piece of information on Autoruns.. I actually used it and found it very helpful.. but I don't think the ESUG Loadpoint that you are talking about is at all helpful.. it just dumps the registry and file system in front of you to search. So why should it be called a tool?
Symantec is such a big company and it keeps buying companies, so why doesn't it buy something like sysinternals, hijackthis, Gmer etc..

Satyam Pujari:

Well.. int3rn3t, I've used ESUG in many odd cases and it is an awesome tool which worked for me. Additionally, it's an 'offline analysis' tool which gives you in-depth information about the 'file system' and 'registry'. This tool was created to assist 'tech support' and 'security response folks' to have a look at a suspected system when it's not available 'remotely or physically', in scenarios where only the system owner has access, and yes, you're right that it dumps the system's file system and registry... that's what you need *first* to check for possible infection of a system, right?

About sysinternals, they're an awesome set of tools. If you have a copy of ESUG... just explore how it works *along* with the sysinternals tools [command line versions]. ESUG is very flexible and useful, trust me!

About buying 'tools' like hijackthis or similar... I've 'no comments' on it. I would leave it to Symantec to decide. However, you may post this in the "Ideas sections".

Inviting good karma to CPU...beep

Maximilian:

Cable Mite: Hijackthis is still developed, but since it was purchased by Trend Micro they do the development of it.

0xal0ne0 hijackthis is not something you buy it is a freeware tool. However since purchased by Trend Micro you are right that promoting it in this forum is not the right way to go.
I am merely referencing to it as a tool that I have used and not promoting it.


Satyam Pujari:

@Maximilian
I'm well aware that hijackthis is free.. FYI, I have explored it since its infancy (when it was first developed by Merijn Bellekom). I would request you to read my statement again..

"About, buying 'tools' *like*  hijackthis or similar...I've 'no comments' on it.I would leave it to Symantec to decide.However, you may post this in the "Ideas sections". "

It was a 'thought' in response to int3rn3t's statement...
"Symantec is such a big company and it keeps buying companies so why doesn't it buy something like sysinternals, hijakthis, Gmer etc"

Vikram Kumar-SAV to SEP:

Well, even Symantec has NSS (Norton Security Scanner) and it's free.. Even I would agree that, like Trend bought Hijackthis, Symantec should buy GMER or some tool that gives an ease of scanning in a GUI.. it shows what is there when it shouldn't have been there.. Like Autoruns, GMER, IceSword, Hijackthis..


Mick2009:

Just a quick note: NSS is currently past its End Of Life (EOL). Use Symantec Power Eraser in its place:

About Symantec Power Eraser
http://www.symantec.com/docs/TECH134803

How to run Symantec Power Eraser with the SymHelp utility
http://www.symantec.com/docs/TECH203683

With thanks and best regards,

Mick

Maximilian:

0xal0ne0 thanks for clarifying for me.

No further questions.

I rest my case :)


Satyam Pujari:

Here's an IDEA ...I've voted already :-)

https://www-secure.symantec.com/connect/idea/malicious-software-removal-toolkit


AravindKM:

Very useful article. Thank you.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

RSBlind:

I've been using autoruns for the past few years... ever since I saw a lecture by the developer Mark Russinovich at a Tech-Ed conference.

A recent development on my end is that the malware developers are also becoming aware that this is a good tool... In two recent malware infections, the malware would not let me run AutoRuns or Process Explorer...

Its popularity among users like us is bringing unwanted attention...

Aniket Amdekar:

Mark Russinovich is a great guy. Saw his videos for Sysinternal Tools. Explains the concepts very thoroughly.


Vikram Kumar-SAV to SEP:

There is no match for autoruns; however, there are many alternatives for process explorer.. The problem is still that not enough people know about it..


Mick2009:

The latest release of SymHelp includes enhanced capabilities for threat detection and removal. For details, please see:


About the Threat Analysis Scan
http://www.symantec.com/docs/TECH215550

How to run the Threat Analysis Scan in Symantec Help (SymHelp)
http://www.symantec.com/docs/TECH215519

Many thanks!

Mick

Mick2009:

This new article may be of interest to anyone needing to send files to Security Response for analysis:

Symantec Insider Tip: Successful Submissions!
https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

Many thanks!

Mick
