If you’re a malware hunter, and you’re in the market for a free system utility which will scan your system for running programs, autostart locations, drivers, services and hijack points, then Runscanner should make your shortlist.
The developers of Runscanner describe this freeware utility as having been designed to “detect changes and misconfigurations in your system caused by spyware, viruses, or human error.”
Sounds a bit like HijackThis, the free utility from Trend Micro, which has a well-deserved reputation for being aggressive in tracking down unauthorized changes that have been made to your system/applications.
Runscanner, though, takes this process miles beyond HijackThis, and does so by using an intuitive approach that casual users* and experienced users alike should find easy to work with.
*The only difficulty I see that casual users might have a problem with is the enormous volume of information this application is capable of producing. This could make it difficult for a casual user to interpret results.
Runscanner is a simple executable, and no installation is required. Just click on the file, and then choose your mode – beginner or expert.
The following screen capture shows the results of a full scan I ran on a Win 7 (32-bit) machine. The only entry I was unfamiliar with was Staropen.sys. Runscanner was right on the job though, with the right-click context menu providing access to “lookup” services, as the screen shot below illustrates.
I took a look at Staropen.sys using a Google link to the Prevx file investigation site, and found the following: The filename Staropen.sys is used by objects that are classified as safe. It has not yet been seen to be associated with malicious software.
I then uploaded the file to VirusTotal (another context menu option), and VirusTotal reported the following – as shown in the screen shot below.
I suspected that this system driver was a component of CDBurner XP, and opening the location (another context menu option), then reading the driver with NotePad, indicated this was correct.
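The same triage of one unfamiliar file (hash for lookup, signature status, and the embedded vendor strings instead of reading the driver in Notepad) can be done from PowerShell. This is an added example, not part of the original article or of Runscanner; the function name `Get-FileTriage` and the default path are placeholders, so pass the full path the scanner reports.

```powershell
param(
    # Assumption: placeholder path. Replace with the location reported by the scanner.
    [string]$Path = 'C:\path\to\Staropen.sys'
)

# Hypothetical helper (added example): collect what is needed to judge one file.
function Get-FileTriage {
    param([Parameter(Mandatory)][string]$LiteralPath)

    if (-not (Test-Path -LiteralPath $LiteralPath -PathType Leaf)) {
        throw "File not found: $LiteralPath"
    }

    $item = Get-Item -LiteralPath $LiteralPath
    $ver  = $item.VersionInfo          # strings embedded by whoever built the file
    $sig  = Get-AuthenticodeSignature -LiteralPath $LiteralPath

    # The signer is only present when the file carries a signature.
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        LastWrite   = $item.LastWriteTime
        # MD5 is included only because MD5-based lookup services expect it;
        # use the SHA256 value when searching VirusTotal.
        MD5         = (Get-FileHash -LiteralPath $LiteralPath -Algorithm MD5).Hash
        SHA256      = (Get-FileHash -LiteralPath $LiteralPath -Algorithm SHA256).Hash
        CompanyName = $ver.CompanyName
        ProductName = $ver.ProductName
        Description = $ver.FileDescription
        SignStatus  = $sig.Status       # Valid, NotSigned, HashMismatch, ...
        Signer      = $signer
    }
}

# Version strings are self-declared and prove nothing alone; weigh them
# together with the signature status and the file's location on disk.
Get-FileTriage -LiteralPath $Path | Format-List
```

A `NotSigned` status is not a verdict by itself, since many legitimate older drivers ship unsigned; a `HashMismatch` status means the file was altered after signing and deserves a closer look.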
The next part of the test involved generating an online malware analysis report, which produces a massive report on all items which are considered safe, unsafe, or whitelisted, and additionally verifies each file’s digital signature.
The screen capture below shows only a tiny (and I do mean tiny), portion of this report. The report is the most comprehensive of any I’ve ever seen, produced by this type of utility.
Fast facts:
100+ start/hijack locations
Online malware analysis
Import and export of .run files
Powerful process killer
Save to text log file
Powerful file filtering
Host file editor
History backup / restore
Explorer jump
Analysis of file certificates
Beginner, Expert mode
Bit9 FileAdvisor MD5 lookup
Systemlookup.com lookup
Upload file to VirusTotal
Analyze loaded modules
Google lookup
Runscanner database lookup
Regedit jump
If you are a casual user, one caveat from the developer you should be aware of: Runscanner requires advanced knowledge about Windows. If you delete an item, without knowing what it is, it can lead to major Windows problems. If you are not sure what to delete, post your Run file to a helper forum.
A list of helper forums is available directly from within the application, or here.
System requirements: Windows 2003, Windows 2000, Windows Vista, Windows XP, Windows 7 (according to the developers, the application is x64 compatible).
Download at: Download.com
Public process list is an additional service provided by the developers. In this list you will be able to browse all processes and files found by Runscanner. Extra information for top processes is added to the database and optional security info is provided by research.
Runscanner has additional capabilities not reviewed here, so I recommend that you take a close look at this freebie. I think you’ll find that it’s worth the effort.
Hi Bill,
I couldn’t resist the temptation but you know that already.
I ran this through VT first before downloading and it came up with 1 positive, probably false of course, but it says ParetoLogic is a malware site.
This ParetoLogic has come up quite a few times lately when I run VT first before downloading a new app. Is this something to worry about at all?
Cheers
John
Hi John,
You’re misreading the results. ParetoLogic is a site scanner on VirusTotal, and it’s reporting Download.com as a malware site. How crazy is that.
Do this search again, but this time click on “View downloaded file analysis”, and you get a clean report for the application from all 43 engines. BTW, the ParetoLogic web site is rated as “dangerous” by WOT.
Best,
Bill
Bill,
Thanks for explaining that, and yes very interesting results when the full scan is run, i.e. no virus found.
Cheers
John
Hey John,
No Problem – always happy to help. 🙂
Best,
Bill
Hey Bill,
This looks really good, I will try it out for sure.
Cheers
Hey Mal,
Very cool. It’s the most comprehensive I’ve come across.
Best,
Bill
Hello 🙂
In the same vein, do you know ZHPDiag? It generates a log for boards, and the log can be analysed with another tool by the same author: ZHPHelpProcess.
You can find it:
– ZHPDiag : http://www.premiumorange.com/zeb-help-process/zhpdiag.html
– ZEB Help Process : http://www.premiumorange.com/zeb-help-process/zhp_tutoriel.html
It is a French tool by Nicolas Coolman. Many languages are available.
Thanks 🙂
Hey Gof.
Thanks for the link.
Bill
Hi Bill,
This is indeed an excellent additional layer of protection since it scans fast & provides detailed information about processes using the combined info & research expertise of Google, Systemlookup, Runscanner, File Advisor & special forums! Many malware get caught out by using such collective expertise. For example one useful caution was – “Some malware might rename itself to gsservice.exe. Always make sure that your file is from a verified publisher”. Thanks for suggesting this
srp
Hey Srpgmt,
You’re quite right – the input from forums is very valuable in assessing possible malware. Thanks for pointing this out.
Bill