How to find Suspected Threats on your computer.


Two of the most powerful tools from Sysinternals can help a great deal in the search for
suspected threats on a system:
1. Autoruns for Windows
2. Procexp (Process Explorer)

AUTORUNS :
You can download Autoruns for Windows from
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Runs on Windows XP and higher and Server 2003 and higher

Logon: Scans the standard autostart locations such as the Startup folder for the
current user and all users, the Run Registry keys, and standard application
launch locations.

Explorer: Shows Explorer shell extensions, browser helper objects, Explorer
toolbars, active setup executions, and shell execute hooks.

Internet Explorer: Shows Browser Helper Objects (BHOs), Internet Explorer
toolbars and extensions.

Services: All Windows services configured to start automatically when the
system boots.

Drivers: All kernel-mode drivers registered on the system except those that
are disabled.

Scheduled Tasks: Task Scheduler tasks configured to start at boot or logon.

AppInit DLLs: DLLs registered as application initialization DLLs.

Boot Execute: Native images (as opposed to Windows images) that run early
during the boot process.

Image Hijacks: Image File Execution Options and command prompt autostarts.

Known DLLs: The location of DLLs that Windows loads into applications that
reference them.

Winlogon Notifications: DLLs that register for Winlogon notification of logon
events.

Winsock Providers: Registered Winsock protocols, including Winsock service
providers. Malware often installs itself as a Winsock service provider because
there are few tools that can remove them. Autoruns can uninstall them, but
cannot disable them.

LSA Providers: Registered Local Security Authority (LSA) authentication,
notification and security packages.

Printer Monitor Drivers: DLLs that load into the print spooling service.
Malware has used this support to autostart itself.

Sidebar: Windows Vista sidebar gadgets.

Getting More Information about an Entry
There are several ways to get more information about an autorun location or
entry. To view a location or entry in Explorer or Regedit, choose Jump To in
the Entry menu or double-click on the entry's or location's line in the
display. You can view Explorer's file properties dialog for an entry's image
file by choosing Properties in the Entry menu. You can also have Autoruns run
an Internet search in your browser by selecting Search Online in the Entry
menu.

Autoruns is the best and most reliable tool (since it is from Microsoft
Sysinternals) for determining whether a file is legitimate or suspicious.

Download and run Autoruns. Once started it can take a few minutes to scan all
the entries on your computer. When the scan is done, click "Options" at the
top, select "Hide Microsoft and Windows entries", then click the Refresh
button. Whatever is left is the set of common load points that a threat on
your system would use.

Browse through each tab and check whether anything is listed without a
publisher or with a suspicious name. Each entry shows the file location and
the registry entry for that file. If you are not sure about a file, right-click
it and choose "Search Online"; Autoruns will look for information on that file
or entry. Once you have found a suspicious entry, either delete it by
right-clicking on it or submit the file to Symantec Security Response, who
will review it and get back to you. If it is clean you will receive a mail
saying so. If it is a threat you will receive a mail with the classification
(Trojan/Worm/Spyware etc.) and complete steps on how to remove it.

To submit the file to Symantec Security Response go to
https://submit.symantec.com/retail or /basic or /Essential or /BCS
depending on your support contract with Symantec.
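The triage above (hide Microsoft entries, then look for anything without a publisher or with a suspicious name) can also be applied to an exported Autoruns list when there are many hosts to review. The script below is an added example, not code from the article or from Sysinternals. It assumes the entries were exported as CSV (the command-line build, autorunsc.exe, can do this; check `autorunsc.exe -?` for the flags on your version) and that the export has the column names used in the code; those names are an assumption, so rename them if your export differs. The sample rows are constructed for the example. It goes slightly beyond the article by also flagging entries whose image file is missing, entries that run from a user-writable folder, and entries that borrow a Windows system binary name outside the Windows folder.

```python
"""Triage of exported Autoruns entries (added example; column names assumed)."""
import csv
import io

# Constructed sample mimicking a few exported rows (not real host data).
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,Microsoft OneDrive,(Verified) Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,updater,enabled,Logon,,(Not verified) Updater Co,c:\users\alice\appdata\roaming\svchost.exe
HKLM\SYSTEM\CurrentControlSet\Services,ExampleSvc,enabled,Services,Example Vendor Service,(Verified) Example Vendor Inc,c:\program files\example\svc.exe
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries,xfilter,enabled,Winsock Providers,,,File not found: C:\Windows\System32\xfilter.dll
"""

# Approximation of Options > "Hide Microsoft and Windows entries": hide by verified signer.
MICROSOFT_SIGNERS = {"(Verified) Microsoft Windows", "(Verified) Microsoft Corporation"}

# Names that belong under the Windows folder; the same name elsewhere is the
# "suspicious name" case the article describes.
SYSTEM_BINARY_NAMES = {"svchost.exe", "rundll32.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def triage_autoruns(csv_text, hide_microsoft=True):
    """Return one dict per entry left after hiding; 'reasons' is empty when nothing stands out."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        signer = (row.get("Signer") or "").strip()
        image = (row.get("Image Path") or "").strip()
        if hide_microsoft and signer in MICROSOFT_SIGNERS:
            continue
        image_lc = image.lower()
        name = image_lc.rsplit("\\", 1)[-1]
        reasons = []
        if not signer.startswith("(Verified)"):
            reasons.append("no verified publisher")
        if image_lc.startswith("file not found"):
            reasons.append("image file missing")
        if any(marker in image_lc for marker in USER_WRITABLE_MARKERS):
            reasons.append("runs from a user-writable folder")
        if name in SYSTEM_BINARY_NAMES and not image_lc.startswith("c:\\windows\\"):
            reasons.append("system binary name outside the Windows folder")
        findings.append({
            "entry": row["Entry"],
            "location": row["Entry Location"],
            "image": image,
            "reasons": reasons,
        })
    return findings


def flagged_entries(csv_text):
    """Only the entries that have at least one reason to look closer."""
    return [f for f in triage_autoruns(csv_text) if f["reasons"]]


if __name__ == "__main__":
    for f in flagged_entries(SAMPLE_CSV):
        print(f"{f['entry']:<12} {f['image']}")
        print(f"    {', '.join(f['reasons'])}")
```

A flagged entry is a candidate for the "Search Online" lookup or a Symantec submission, not a verdict: a vendor that does not sign its binaries will show up as "no verified publisher" just as malware does, so the reasons list is there to prioritise review, exactly as the hidden-entries view in the GUI is.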

PROCEXP :

You can download this tool from
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Runs on Windows XP and higher and Server 2003 and higher.

Process Explorer is an advanced process management utility; you can think of
it as an advanced version of Task Manager. You can view detailed information
about a process including its icon, command line, full image path, memory
statistics, user account, security attributes, and more. When you highlight a
process you can view the DLLs it has loaded or the operating system resource
handles it has open.

In Task Manager we cannot determine which processes are legitimate and which
are unknown or threats. With Procexp we can also see where the file is
located. Threats mostly load under svchost.exe or rundll32.exe, so Task
Manager only shows that svchost or rundll32 is running; with Procexp we can
see which DLL or file is loaded under these hosts, along with its location.
Procexp also colour-codes each process and shows its publisher name, which
makes it easier to determine whether a process is legitimate or suspicious.

Once we have the filename we can submit it to
https://submit.symantec.com/retail or /basic or /Essential or /BCS
depending on your support contract with Symantec.
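The two things Process Explorer reveals about a svchost.exe or rundll32.exe instance are its real image path and the command line that names what it is hosting. The script below is an added example, not code from the article or from Sysinternals, that applies those two checks to a process list: a svchost.exe or rundll32.exe whose image is not in System32 or SysWOW64, and a rundll32.exe whose command line loads a DLL from outside those folders, are reported. The process list is constructed for the example; on a live host it would be filled from a tool that reports image path and command line (Process Explorer shows both in the process properties).

```python
"""Which file is a svchost.exe / rundll32.exe instance really running? (added example)"""
import ntpath  # Windows path handling, so the example also runs on non-Windows hosts
import re

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample: (pid, image path, command line). Not real host data.
PROCESSES = [
    (812, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    (2204, r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'),
    (3316, r"C:\Users\alice\AppData\Roaming\svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    (4120, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start"),
    (5000, r"C:\Program Files\Example\app.exe", r'"C:\Program Files\Example\app.exe"'),
]

# rundll32 is invoked as: rundll32.exe <dll>,<entrypoint> [args]; the DLL may be quoted.
_RUNDLL_ARG = re.compile(
    r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+(?:"([^"]+)"|([^,\s]+))',
    re.IGNORECASE,
)


def rundll32_target(cmdline):
    """Return the DLL path named on a rundll32 command line, or None if it cannot be parsed."""
    m = _RUNDLL_ARG.match(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def in_system_dir(path):
    """True when the file sits directly in System32 or SysWOW64."""
    return ntpath.dirname(path.lower()) in SYSTEM_DIRS


def check_process(image, cmdline):
    """Return a reason string when the host process looks wrong, else None."""
    name = ntpath.basename(image).lower()
    if name in ("svchost.exe", "rundll32.exe") and not in_system_dir(image):
        return f"{name} running from {image}"
    if name == "rundll32.exe":
        dll = rundll32_target(cmdline)
        if dll is None:
            return "rundll32.exe with a command line that names no DLL"
        if not in_system_dir(dll):
            return f"rundll32.exe loading {dll}"
    return None


def suspicious_processes(processes):
    """(pid, reason) for every process that fails a check."""
    out = []
    for pid, image, cmdline in processes:
        reason = check_process(image, cmdline)
        if reason:
            out.append((pid, reason))
    return out


if __name__ == "__main__":
    for pid, reason in suspicious_processes(PROCESSES):
        print(f"PID {pid}: {reason}")
```

The DLL path the parser extracts is the file to look up or submit; a legitimate rundll32.exe hosting a DLL from a user's Temp or AppData folder is exactly the case where Task Manager shows only "rundll32.exe" and Process Explorer shows the real file.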

