SystemScan Guide



Italian-language guide

Systemscan: what is it?

Systemscan started as a collection of freeware scanning tools, useful (we would say indispensable) to check for and find malware infections such as trojans, worms, adware and rootkits. These tools are made to work together and their logs are saved in one single report. Furthermore, Systemscan performs some checks of its own to complement the original output of the tools it uses.

Details of the report can be found later, under "What is the structure of the log?". We point out, however, that although anyone can produce the log, not everyone can analyze it: it must be interpreted by skilled people. If you need any help, feel free to join our forum.

The Systemscan log is called report.txt. It is saved in the suspectfile folder on the desktop, and a zipped copy is saved as well, with the date and the scanning time in its name. Keeping more than one copy helps to recognize the differences between scans and easily find a new infection.
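Comparing two saved copies is easier when done section by section rather than with a plain text diff, because the order of entries inside a section can change between scans. The following Python script is an added example and not SystemScan's own code; it assumes a report layout with section headers written as `=== Name ===` and one entry per line (adjust `SECTION_RE` to the real report.txt), and the two snapshots it compares are constructed samples.

```python
"""Section-by-section diff of two SystemScan-style reports.

Added example, not SystemScan's own code. It assumes a report layout with
section headers written as '=== Name ===' and one entry per line; adjust
SECTION_RE to match the real report.txt.
"""
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^=== (.+?) ===$")


def parse_report(text):
    """Return {section_name: set(entries)}; blank and '#' lines are ignored."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, set())
        elif line and not line.startswith("#") and current is not None:
            sections[current].add(line)
    return sections


def diff_reports(old_text, new_text):
    """Return {section: {'added': [...], 'removed': [...]}} for every section that changed."""
    old, new = parse_report(old_text), parse_report(new_text)
    changes = {}
    for name in sorted(set(old) | set(new)):
        added = sorted(new.get(name, set()) - old.get(name, set()))
        removed = sorted(old.get(name, set()) - new.get(name, set()))
        if added or removed:
            changes[name] = {"added": added, "removed": removed}
    return changes


# Constructed sample snapshots (not real SystemScan output): the second scan
# gained an HKCU Run entry pointing into the user's Temp folder.
OLD_REPORT = """\
=== Registry Run Keys ===
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | ctfmon.exe | C:\\WINDOWS\\system32\\ctfmon.exe
=== Running Services ===
Dnscache | Running | C:\\WINDOWS\\system32\\svchost.exe -k NetworkService
"""

NEW_REPORT = """\
=== Registry Run Keys ===
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | ctfmon.exe | C:\\WINDOWS\\system32\\ctfmon.exe
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | updater | C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\updater.exe
=== Running Services ===
Dnscache | Running | C:\\WINDOWS\\system32\\svchost.exe -k NetworkService
=== HOSTS file ===
127.0.0.1 localhost
"""

if __name__ == "__main__":
    for section, delta in diff_reports(OLD_REPORT, NEW_REPORT).items():
        for entry in delta["added"]:
            print(f"[+] {section}: {entry}")
        for entry in delta["removed"]:
            print(f"[-] {section}: {entry}")
```

Entries are compared as sets per section, so a reordered list produces no noise and only genuinely new or vanished lines are reported; a new section in the later report (here the HOSTS section) shows up with all its lines as added.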

From release 3.5.0 SystemScan integrates "The Avenger" by Swandog46 (we thank him very much for his permission), a very powerful tool to remove persistent files and registry keys. Therefore you can now remove infected items found in the log. The integration was also done to handle those cases where it is not possible to download the tool from its original web site because a running malware blocks the download. Systemscan uses some tricks to allow "The Avenger" to run even in such critical cases. More details on the tool can be found on Swandog46's web site.


Why another scanning tool?

Over the years the Suspectfile Team found, with increasing frequency, situations where more than one tool had to be used to understand how to clean an infected machine. This is a waste of time and energy, both for the user and for the helpers. For this reason we decided to write this tool, to collect together everything you need to obtain a clear picture of a PC. Initially developed for our internal use, we soon decided to make it available for free to all interested persons.


Notes on the new releases

From release 2.024 onwards, all new features and changes are listed here: http://www.suspectfile.com/forum/viewtopic.php?p=9943#9943


Systemscan: what it is not?

Systemscan is not an antivirus, therefore it is not able to recognize "bad" files on its own. It uses the same logic as HijackThis: it shows the active startup entries, but it is the person reading the log who must be able to understand whether an entry is safe or not.

In any case Systemscan is not able to find viruses, namely the particular malware category that infects exe files. For viruses you need a good AV. If you have to decide which AV to use, you may find our periodical report useful.


How to install / uninstall Systemscan

Once you have downloaded the latest version (from http://www.suspectfile.com/systemscan), you don't need to install it: it is a standalone scanner, so running the downloaded exe file (which has a random name) is enough. The first thing you will see is this message:

The warning reminds the user that some components may be flagged as suspicious by your AV. This is only due to the antivirus's heuristic scanning: there is no malware inside Systemscan.

If you see a similar message, as happens with Antivir, you have to ignore the warning in order to use Systemscan.

In any case Systemscan doesn't modify the system: it creates a folder "c:\suspectfile" to save the logs and, on Windows XP, it loads a temporary driver when you search for hidden objects. To uninstall Systemscan simply delete the exe file and the c:\suspectfile folder.


Systemscan scanning

The first window is the disclaimer. You have to read it and agree in order to enable the Proceed button.

Once the Proceed button is clicked, you will see this window, where you can find all the features. By default all options are checked. The more options are checked, the longer the scan takes, especially if the "Autoplay settings", "Alternate Data Streams", "EFS dumping", "Hidden Objects" and "Suspicious files" options are activated. A typical scanning time is about 10-15 minutes.

To start a scan, simply click the Scan Now button and wait for the report. Next to each checked option you will see a small arrow (-->) while that scan is executing and the word OK when it is completed.

Run as a System Task. This button starts Systemscan as a System Task. When you have difficulty scanning in normal mode, try the System mode: the scan can be more successful. If you click on the button and Systemscan is on your desktop, a message will pop up (below, at left): the tool will close and automatically reopen in 5 seconds. Please click OK. If Systemscan is in another folder, you have to enter the right name with the full path in the window (below, at right).

After 5 seconds Systemscan will reopen itself and you can see the new mode from a change in the button: it now appears gray and its label is System mode ON.

When you click Scan Now, a warning pops up before scanning. It reminds you that it is better to save open documents before proceeding. We suggest not using the PC until Systemscan has finished.




What is the structure of the log?

The report is a text file with many sections; it shows the output of the options checked earlier.

Recent files. At the beginning of this section you can find the user folder names. This info is useful when there is a malware like Gromozon. You can also see whether the users have admin rights. For each user found, all entries in the Startup folders are shown.

Below you can find the most recent files found on the PC. You can choose a window from 30 to 120 days. Systemscan analyzes:
- systemdrive
- windir
- windir\system
- windir\system32
- windir\system32\drivers
- windir\Downloaded Program Files
- temp
- ProgramFiles
- CommonProgramFiles

Duplicates in BAK folders. This option finds BAK folders containing files with the same name as other files. Very useful with infections like Smitfraud, Instant Access and others.

Registry Run Keys. This section uses Swreg and Dumphive to check the registry run keys, directly from the system hives. Systemscan checks the following entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\System\CurrentControlSet\Control\Session Manager\
HKLM\SYSTEM\CurrentControlSet\Control\WOW
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Command Processor\Autorun
HKCU\Software\Microsoft\Command Processor\Autorun
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
HKLM\software\microsoft\shared tools\msconfig\startupfolder
HKCU\Control Panel\Desktop\
HKCR\exefile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\scrFile\shell\open\command
HKCR\htafile\shell\open\command
HKCR\logfile\shell\open\command
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
HKLM\SOFTWARE\Policies\Microsoft\Windows Firewall\
HKLM\SOFTWARE\Winsock2
HKLM\Software\Microsoft\Ole
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\
HKCU\Software\VB and VBA Program Settings
HKLM\Software\Microsoft\Internet Explorer\AdvancedOptions
HKCU\Software\Microsoft\Internet Explorer\AdvancedOption
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
HKLM\Software\Microsoft\Active Setup\Installed Components

Below these keys Systemscan also compares ControlSet001, ControlSet002 and ControlSet003 in order to find new services or recent modifications in any of them.
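Reading this section means comparing each listed value with what a clean machine has. The following Python script is an added example, not SystemScan's own code: it parses a .reg-style text export of a few of the keys listed above (string values only; dword and hex lines are skipped), compares the shell\open\command and Winlogon values against a small baseline, and flags Run-key entries that start programs from a user-writable folder. The values in `BASELINE` are the Windows XP-era defaults this example assumes; confirm them against a clean installation of the same Windows version before relying on them. The sample dump is constructed.

```python
"""Check registry entries from a SystemScan-style dump against known-good values.

Added example, not SystemScan's own code. Input is a .reg-style text export
(only string values are parsed; dword lines are skipped). BASELINE holds the
Windows XP-era defaults this example assumes; confirm them against a clean
machine of the same Windows version before relying on them.
"""
import re

BASELINE = {
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "(Default)"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\comfile\shell\open\command", "(Default)"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\batfile\shell\open\command", "(Default)"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\piffile\shell\open\command", "(Default)"): '"%1" %*',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"):
        r"C:\WINDOWS\system32\userinit.exe,",
}
# Autostart keys whose values are executables; anything launched from a
# user-writable folder deserves a second look.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|OnceEx|Services|ServicesOnce)?$", re.I)
USER_WRITABLE = re.compile(r"\\(temp|tmp|application data|appdata|local settings)\\", re.I)


def parse_reg(text):
    """Parse '[key]' / '"name"="data"' lines into {key: {name: data}} (REG_SZ only)."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key is not None and "=" in line and line.endswith('"'):
            name, _, data = line.partition("=")
            if not data.startswith('"'):
                continue                       # dword:/hex: values are not handled here
            name = "(Default)" if name == "@" else name.strip('"')
            reg[key][name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
    return reg


def audit(reg):
    """Return human-readable findings: baseline mismatches and Run entries in user-writable paths."""
    index = {(k.lower(), n.lower()): (k, n, d) for k, vals in reg.items() for n, d in vals.items()}
    findings = []
    for (key, name), expected in BASELINE.items():
        hit = index.get((key.lower(), name.lower()))
        if hit and hit[2].lower() != expected.lower():
            findings.append(f"{key}\\{name}: expected {expected!r}, found {hit[2]!r}")
    for key, vals in reg.items():
        if RUN_KEY.search(key):
            for name, data in vals.items():
                if USER_WRITABLE.search(data):
                    findings.append(f"{key}\\{name}: runs from user-writable path {data!r}")
    return findings


# Constructed sample dump: Userinit has an extra loader appended and one Run
# entry starts from the user's Temp folder.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\loader.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Java"="C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\jusched.exe"
"""

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

The baseline comparison is case-insensitive because the registry is, and a missing key is deliberately not reported (a dump may simply not include it); only a present value that differs from the expected default is a finding. The user-writable-path check is a heuristic: legitimate updaters sometimes live in Application Data, so treat it as a prompt to look closer, not as a verdict.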

Autoplay settings. If this option is enabled, Systemscan will first check and decode the DWORD value "NoDriveAutoRun" in the keys HKCU and HKU Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Systemscan will then search for all autorun.inf files and list them (and their content) in the log. This option has been included to detect the autoplay loading method used by some trojans. For additional info, please see our blog (in Italian).
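To interpret this part of the log you need to know which drives the policy actually disables AutoRun for, and which lines of a listed autorun.inf would make Explorer run a program. The following Python script is an added example and not SystemScan's own code; it decodes the two Explorer policy values that govern autoplay (NoDriveTypeAutoRun, one bit per drive type, and NoDriveAutoRun, one bit per drive letter) and extracts the launch commands from an autorun.inf. The bit layouts are the documented ones; the XP default value 0x91 and the sample autorun.inf are assumptions of this example.

```python
"""Decode the Explorer autoplay policy values and list what an autorun.inf would launch.

Added example, not SystemScan's own code. The bit layouts below are the
documented ones for NoDriveTypeAutoRun (one bit per drive type) and
NoDriveAutoRun (one bit per drive letter); the autorun.inf sample is constructed.
"""
import re

# NoDriveTypeAutoRun: bit (1 << DRIVE_* type) set means AutoRun is disabled for that type.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no root directory", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk", 0x80: "unspecified type",
}
XP_DEFAULT_NO_DRIVE_TYPE_AUTORUN = 0x91   # assumed XP default: unknown + network + unspecified


def decode_no_drive_type_autorun(value):
    """Drive types for which AutoRun is disabled."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]


def decode_no_drive_autorun(value):
    """Drive letters for which AutoRun is disabled (bit n = letter chr(ord('A') + n))."""
    return [chr(ord("A") + n) + ":" for n in range(26) if value & (1 << n)]


def parse_autorun_inf(text):
    """Tolerant INI parse: {section: [(key, value)]}; junk lines are ignored, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


# Keys that make Explorer run a program: 'open', 'shellexecute' and any shell\<verb>\command.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


def autorun_launch_targets(text):
    """(key, command) pairs from [autorun] that would execute something."""
    return [(k, v) for k, v in parse_autorun_inf(text).get("autorun", []) if LAUNCH_KEY.match(k)]


# Constructed sample: every verb, including 'explore', is pointed at the same executable,
# which is the pattern to look for in a listed autorun.inf.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=recycler\tools\installer.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=recycler\tools\installer.exe
shell\explore\command=recycler\tools\installer.exe
useautoplay=1
"""

if __name__ == "__main__":
    print("XP default disables AutoRun for:", decode_no_drive_type_autorun(XP_DEFAULT_NO_DRIVE_TYPE_AUTORUN))
    print("0xFF disables AutoRun for:", decode_no_drive_type_autorun(0xFF))
    for key, command in autorun_launch_targets(SAMPLE_AUTORUN_INF):
        print(f"{key} -> {command}")
```

The INI parser is deliberately tolerant: autorun.inf files written by malware often contain junk lines meant to confuse strict parsers, so anything that is neither a section header nor a key=value pair is skipped instead of raising. A value of 0xFF for NoDriveTypeAutoRun disables AutoRun for every drive type, which is the usual hardening setting.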

Scheduled jobs. This option makes the report show the content of the %windir%\tasks folder. A list of active jobs is reported as well, together with the log of the last executed jobs.

Running Services and Device Driver Services. These sections use the aforementioned tools Swreg & Dumphive to dump the registry services directly from the registry hives. We decided to show also the stopped and not running services, because some malware terminates its own service after the initial start. This log section is quite long and quite boring, therefore Suspectfile has prepared a free tool, Sara, that, thanks to a whitelist, can easily recognize the legitimate services and highlight the non-standard ones. The tool will soon be available on demand, but it is intended only for technical people who deal with malware removal. If you need it, please ask. Here below is a screenshot of Sara.

Svchost instances. This option checks all processes hosted in svchost.exe.

Loaded modules. This section uses Listdlls from Sysinternals. This info is useful when you are infected by Vundo, Look2me and others.

Alternate Data Streams. This section uses LADS from Heysoft and lists all files with alternate data streams, obviously only on NT file systems (NTFS).

EFS Dumping. This section processes the data provided by Efsinfo, a tool from the Windows Resource Kit. The encrypted files found on the PC are listed under the name of the owning user. Very useful for infections like Gromozon.

Network settings. This section provides a lot of information related to network settings, connections and activity:
- Winsock DLLs
- network configuration (proxy, DNS, gateway). For privacy and security reasons the IP of the scanned PC is not shown
- open ports (TCP and UDP)
- shared resources
- trusted domains and IPs in the Internet Explorer "Protection" section (trusted zone)
- active RAS connections, if any
- content of the rasphone.pbk file

Include HOSTS file. If this option is enabled, the %system%\drivers\etc\HOSTS file is copied into the report.
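When reading the copied HOSTS file, two kinds of entry matter: names mapped to a real (non-loopback) address, which redirect the user elsewhere, and security or update domains pinned to 127.0.0.1 or 0.0.0.0, which silently prevent the AV and Windows Update from reaching their servers. The following Python script is an added example, not SystemScan's own code; both the `WATCHED_DOMAINS` list and the sample HOSTS content are constructed for the example.

```python
"""Flag HOSTS file entries that redirect or sinkhole names.

Added example, not SystemScan's own code. WATCHED_DOMAINS is a constructed
list of update/antivirus domains; the sample HOSTS content is constructed too.
"""
import ipaddress

WATCHED_DOMAINS = ("windowsupdate.com", "update.microsoft.com", "symantec.com",
                   "mcafee.com", "kaspersky.com", "avast.com", "free-av.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return [(ip_address, hostname)] from HOSTS text; comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.extend((ip, host.lower()) for host in parts[1:])
    return entries


def audit_hosts(text):
    """Return (kind, host, ip) findings: 'redirect' for non-loopback targets, 'blocked' for watched
    names pinned to loopback/unspecified addresses (which silently breaks AV and update traffic)."""
    findings = []
    for ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        sinkholed = ip.is_loopback or ip.is_unspecified
        watched = any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)
        if not sinkholed:
            findings.append(("redirect", host, str(ip)))
        elif watched:
            findings.append(("blocked", host, str(ip)))
    return findings


# Constructed sample HOSTS content (203.0.113.45 is a TEST-NET-3 documentation address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.free-av.com         # AV vendor site sinkholed
0.0.0.0         update.symantec.com
203.0.113.45    www.example-bank.test   # pharming-style redirect
"""

if __name__ == "__main__":
    for kind, host, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:8} {host} -> {ip}")
```

Any mapping to a non-loopback address is reported regardless of the name, because a clean HOSTS file on a home PC normally contains nothing but localhost; loopback entries are reported only for the watched domains, so ad-blocking HOSTS lists do not flood the output.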

Hidden Objects. This section uses Catchme. It checks for hidden processes, registry entries and files (rootkits).

Suspicious Files. This option shows all files packed with packers frequently used by malware. Not all files found are infected. Systemscan searches for these packers: Upack, nspack, Enigma Protector, WinUpack, polycrypt, PECompact and Protected By 007.
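Packer detection of this kind rests on two cheap signals: section names that a packer leaves in the PE header, and sections whose bytes look almost random because they hold compressed or encrypted code. The following Python script is an added example and not SystemScan's own code: it parses the PE section table, reports sections with tell-tale names, and reports any other section whose Shannon entropy is near the 8-bit maximum. The `PACKER_SECTIONS` table is an assumption of this example (it covers some of the packers named above plus UPX, and packers can rename their sections, so a hit is a hint, not a verdict), and the sample image is built in memory rather than read from a real executable.

```python
"""Packer heuristics on a PE file: tell-tale section names and high-entropy sections.

Added example, not SystemScan's own code. PACKER_SECTIONS maps section names
that the listed packers are known to leave behind (an assumption of this
example; packers can rename sections, so treat a hit as a hint, not a verdict).
The sample image is built here and is not a real executable.
"""
import math
import struct

PACKER_SECTIONS = {
    ".Upack": "Upack/WinUpack",
    ".nsp0": "NsPack", ".nsp1": "NsPack", ".nsp2": "NsPack",
    ".enigma1": "Enigma Protector", ".enigma2": "Enigma Protector",
    "PEC2": "PECompact", "pec1": "PECompact",
    "UPX0": "UPX", "UPX1": "UPX",
}


def entropy(buf):
    """Shannon entropy in bits per byte (0.0 for empty input; 8.0 is the maximum)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data):
    """Yield (name, raw_bytes) per section header; raise ValueError if this is not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(nsections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]


def assess(data, high_entropy=7.0):
    """Return (section, reason, entropy) for sections with packer names or near-random content."""
    hits = []
    for name, raw in pe_sections(data):
        ent = round(entropy(raw), 2)
        if name in PACKER_SECTIONS:
            hits.append((name, PACKER_SECTIONS[name], ent))
        elif ent >= high_entropy:
            hits.append((name, "high-entropy section", ent))
    return hits


def build_pe(sections):
    """Assemble a minimal PE32 image (headers plus the given (name, payload) sections) as test input."""
    n, opt_size = len(sections), 224
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * n
    first_raw = (headers_len + 0x1FF) & ~0x1FF          # file alignment 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, body = b"", b""
    for name, payload in sections:
        size = (len(payload) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"), len(payload),
                             0x1000, size, first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + body


# Constructed sample: a plain code section, an NsPack-named section, and a
# section whose bytes are uniformly distributed (entropy 8.0), as packed data is.
SAMPLE_SECTIONS = [
    (".text", bytes([0x55, 0x8B, 0xEC, 0xC3]) * 128),
    (".nsp1", bytes(range(256)) * 8),
    (".data", bytes(range(256)) * 2),
]

if __name__ == "__main__":
    for section, reason, ent in assess(build_pe(SAMPLE_SECTIONS)):
        print(f"{section:8} {reason:22} entropy={ent}")
```

The entropy threshold of 7.0 bits per byte is a common heuristic: normal x86 code sits well below it, while compressed or encrypted sections approach 8.0. As the guide says, a hit does not mean the file is infected; legitimate software is packed too, so the list is a starting point for closer inspection.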

Include HijackThis log. This last option is automatically checked when HijackThis is found on the PC. We decided to integrate it because a helper may find it convenient to check that report first on the sites where an automatic analysis is available (www.hijackthis.de).


How to use Systemscan to remove known threats found in the log.

To access the "Removal Form", click the "Removal Script" button in the main Systemscan window and a window like this one will open:

Simply copy and paste the removal script into the text box (red colour) and press the button "Proceed with removal". Be sure to use a script only under the supervision of a qualified removal specialist, because otherwise you can cause severe damage to your PC. Systemscan performs a small syntax check to verify that the commands are correct. Valid commands are listed in the message box opened by the "Quick script help" button, which shows this message:

If the script appears not to be valid or contains mistakes, a warning will appear and the removal procedure won't start.

Once the script has been validated you will receive this final warning. Please note that if you press OK, Avenger's kernel driver will be set to run at startup, your computer will be automatically rebooted and the removal script executed. You proceed at your own risk!

Please note that whatever script you are using, SystemScan adds a line in order to run once automatically at reboot and check the result of the removal procedure. Most of the time, at the next logon you will see this SystemScan window on a blank screen. A message and a blue line at the bottom (which links to the file avenger.txt) inform you that the script was executed.

If the script didn't run, at the next load of SystemScan you will see the window below, with a red line reporting the failure and a different message which suggests trying to run the script again. We suggest trying at least once more, because sometimes, for many reasons, the tool fails the first time but runs fine if you insist.



Do you want to help SuspectFile?

Layout by reb