13 replies to this topic

[LUSHER]

RunScanner is a completely free windows system utility which scans your
system for all configured running programs. You can use runscanner to
detect autostart programs, spyware, adware, homepage hijackers,
unverified drivers and other problems.


 mainscreen.png   334.68K   14 downloads



1) Very comprehensive autostart list

* Freeware.

* Scanning of 80+ hijack locations, hosts file editor, process killer,
online malware/whitelist analysis.

* One executable, no installation required.

* Backup / restore of deleted items.

Malware will find it harder than ever to hide.

2) For beginner and expert users

** Beginner mode **

This is for novice users that want to do a scan and upload their results
to a malware specialist forum.
You cannot make any changes in this mode!

** Classic mode **
Classic scan mode with easy click and fix all. This mode only shows non
whitelist items and it's primary use is to remove malware.


** Expert mode **
This is for advanced users, all startup tweaks, scanning, reporting,
filtering and delete features are available.


3) Powerful file inspection

RunScanner makes it easier to determine which entries are likely to be
malicious.

* Authenticode signature analysis - Check all the certificates of your started files and verify if you
trust the publisher.

* Virustotal integration - Upload suspect files to Virustotal with a
click and have them checked by multiple anti-virus engines.

* FileAdvisor integration - Compare the MD5 hash of your files with the
online Fileadvisor database, just with one click.Currently 4.028.732.854
hashes available.

* Castlecops integration. - Compare the MD5 hash of your files with the
online Castlecops database, just with one clicj. Currently 31.743.604
hashes available.

*Runscanner online database integration. (+ online malware analysis)
Compare the MD5 hash of your files with the online Runscanner database.
Currently 160.000 (startup file) hashes available.

* Powerful filtering. - Show unsigned files, classic mode shows only none-whitelisted (trusted publishers and known clean entries) files.

* Google search integration. - Search information for suspicious
files on Google.



4) Log analysis made easy  mainscreen.png   334.68K   14 downloads

*Plain text file logging with only the items that need your attention.

* Saving and importing of text files to .run files (all information
available) - A user with problems can save the .run file, an expert can
mark the items that need fixing and send the .run file back to the user.


http://www.runscanne...runscanner.aspx


5) Malware removal abilities and misc

*Powerful process killer.
*Kill multiple processes at once.
*Kill and rename.
*Kill and delete.
*Delete at next reboot.
*Analysis of loaded modules.
*Regedit jump.
*Explorer jump.

[DennisD]

Thanks for the info. Now got the update.

[CeeCee]

Here's an online malware scanner: http://virusscan.jotti.org/

Virus definitions are updated every hour. There is a 10Mb limit per file.

[TonyKlein]

CeeCee, on Dec 5 2007, 04:47 PM, said:

Here's an online malware scanner: http://virusscan.jotti.org/

And here are two other ones:

http://www.virustota.../en/indexf.html
http://www.virscan.org/



RunScanner is indeed a laudable effort; kind of HijackThis on steroids...
..
Just like with Sysinternals Autoruns, make sure you KNOW what exactly it is you 'fix'...

[LUSHER]

TonyKlein, on Dec 5 2007, 04:49 PM, said:

And here are two other ones:

http://www.virustota.../en/indexf.html
http://www.virscan.org/

Not bad. Tony. But I know of another 2...

http://www.viruschief.com/index.html
http://scanner.virus.org/



So in total for multi-engine virus scanner online there are actually 5 of them to my knowledge (including jotti).

http://wiki.castlecops.com/Online_antiviru...le_engine_scans

[LUSHER]

TonyKlein, on Dec 5 2007, 04:49 PM, said:

RunScanner is indeed a laudable effort; kind of HijackThis on steroids...
..
Just like with Sysinternals Autoruns, make sure you KNOW what exactly it is you 'fix'...

Just like Hijackthis too....

One wonders why RunScanner is still not as popular as the outdated Hijackthis though.

[LUSHER]

CeeCee, on Dec 5 2007, 03:47 PM, said:

Here's an online malware scanner: http://virusscan.jotti.org/

RunScanner is not a online (or even local) malware scanner!!!!

[TonyKlein]

LUSHER, on Dec 6 2007, 03:15 PM, said:

Not bad. Tony. But I know of another 2...

http://www.viruschief.com/index.html
http://scanner.virus.org/

I specifically didn't mention virus.org, as the reputation of the people involved is said to be questionable (and I'm putting it mildly)
Hadn't heard of viruschief.com, thanks.

However, the two I mentioned are useful as both of them use a larger variety of AV engines to test uploaded files than the other three.

[LUSHER]

TonyKlein, on Dec 8 2007, 12:34 PM, said:

I specifically didn't mention virus.org, as the reputation of the people involved is said to be questionable (and I'm putting it mildly)

yes, I've heard.

Quote

Hadn't heard of viruschief.com, thanks.

It's new. No doubt it's questionable too.

Quote

However, the two I mentioned are useful as both of them use a larger variety of AV engines to test uploaded files than the other three.

Personally i would just stick with virustotal if it's variety of av engines you want and it's reasonable quick.
That's why runscanner loads suspect malware to virustotal (with permission) and not some other site...

[TonyKlein]

LUSHER, on Dec 8 2007, 02:52 PM, said:

Personally i would just stick with virustotal if it's variety of av engines you want and it's reasonable quick.

I like virscan.org as well, as it submits files to additional Chinese and Korean based AVs. Very useful when uploading malware to be tested that hails from those parts.

[LUSHER]

TonyKlein, on Dec 8 2007, 02:24 PM, said:

I like virscan.org as well, as it submits files to additional Chinese and Korean based AVs. Very useful when uploading malware to be tested that hails from those parts.

Why the heck is this thread derailed?? Back to talking about RunScanner okay?

What do you like about it? what do you dislike about it?

What do you want to see from it in the future?

Me? I think it's time for consolidation, for stability and bug fixing...

I can always think of more features but that shouldn't be added without further thought.

[JDPower]

LUSHER, on Dec 10 2007, 03:10 PM, said:

Why the heck is this thread derailed?? Back to talking about RunScanner okay?

Geez, who elected you master of the forums. Way to kill a thread

[LUSHER]

New launch/hijack items 1.6

Restrictions for internet explorer:
080 HKLM\Software\Policies\Microsoft\Internet Explorer (+subfolders)
081 HKCU\Software\Policies\Microsoft\Internet Explorer (+subfolders)

Startup/Shutdown/logon/logoff scripts
090 HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
091 HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
092 HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
093 HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown
094 HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff

Various
110 HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
174 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
200 HKLM\System\CurrentControlSet\Control\Session Manager\Execute
201 HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute

Shell hijacking (removed from general policies)
162 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
163 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

Terminal server related
190 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
191 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
192 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
193 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
194 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogoffApp

Debugger hijacking
176 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger (thanks to Tony Klein)

Denying access to websites/IP addresses by setting a wrong static route (thanks to Bruce Harrison - nosirrah)
177 HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes

Hijacking of standard windows tools
210 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath
211 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\Cleanuppath
212 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath
213 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Magnifier
214 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Narrator
215 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\On-Screen Keyboard

[LUSHER]

Relatively minor update 1.6.1

Changelog:
Bug fixed: Bitmap image is not valid. (corrupt embedded icon)
Bug fixed: malware analysis after import not working in expert mode
Bug fixed: Lookup at Runscanner when no MD5 available popupmenu
Sub run folders are now only scanned on windows 2000