Endpoint Protection

 View Only

How to find Suspected Threats on your computer. 

Jun 19, 2009 09:55 AM

There are two most powerful tools from Sysinternals that can help us lot in our search for
suspected threats on our systems.
1. Autoruns for Windows
2. Procexp

You can download Autoruns for Windows from

Runs on Windows XP and higher and Server 2003 and higher

Logon This entry results in scans of standard autostart locations such as the
Startup folder for the current user and all users, the Run Registry keys, and
standard application launch locations.

Explorer Select this entry to see Explorer shell extensions, browser helper
objects, explorer toolbars, active setup executions, and shell execute

Internet Explorer This entry shows Browser Helper Objects (BHO's),
Internet Explorer toolbars and extensions.

Services All Windows services configured to start automatically when the
system boots.

Drivers This displays all kernel-mode drivers registered on the system
except those that are disabled.

Scheduled Tasks Task scheduler tasks configured to start at boot or logon.

AppInit DLLs This has Autoruns shows DLLs registered as application
initialization DLLs.

Boot Execute Native images (as opposed to Windows images) that run
early during the boot process.

Image Hijacks Image file execution options and command prompt

Known DLLs
This reports the location of DLLs that Windows loads into
applications that reference them.

Winlogon Notifications Shows DLLs that register for Winlogon notification
of logon events.

Winsock Providers Shows registered Winsock protocols, including
Winsock service providers. Malware often installs itself as a Winsock
service provider because there are few tools that can remove them.
Autoruns can uninstall them, but cannot disable them.

LSA Providers Shows registers Local Security Authority (LSA)
authentication, notification and security packages.

Printer Monitor Drivers Displays DLLs that load into the print spooling
service. Malware has used this support to autostart itself.

Displays Windows Vista sidebar gadgets

Getting More Information about an Entry
There are several ways to get more information about an autorun location
or entry. To view a location or entry in Explorer or Regedit chose Jump To
in the Entry menu or double-click on the entry or location's line in the
display. You can view Explorer's file properties dialog for an entry's image
file by choosing Properties in the Entry menu. You can also have Autoruns
automatically execute an Internet search in your browser by selecting
Search Online in the Entry menu.

Autoruns is the best and most reliable (Since it is from Microsoft
Sysinternals ) tool for determining whether a file is Legitimate or
Download and run Autoruns. Once it is executed it takes few minutes
(sometimes) to scan all the entries on your computer.
Once this is done on the top click on "Options" and select "Hide Microsoft
and Windows entries" then click on the refresh button.
Now whatever is left behind is the common load point for any Threat on
your System.
Browse through each of the tabs to check if you find anything without a
publisher or with a suspicious Name.
You will get the location and the registry entry for that file.
The best part is, If you are not sure about the file just right-click on it and
click "Search Online" and it will try to find some information on that file or
entry. Once you have got any suspicious entries either you just go ahead
and delete it by right-clicking on it or Submit it to Symantec Security
Response so that they will review the file and get back to you.
If it is clean you will get a mail that it is clean. If it is a threat you will get a
mail with complete steps on how to get rid of it and what actually it is
(Trojan/Worm/Spyware etc )
To submit the file to Symantec Security response go to
https://submit.symantec.com/retail or /basic or /Essential or /BCS
depending on your support contract with Symantec.


You can download this tool from
It can be used in Windows XP and higher and Server 2003 and higher

Process Explorer is an advanced process management utility. You can call
it an advanced version of Task Manager
You can view detailed information about a process including its icon,
command-line, full image path, memory statistics, user account, security
attributes, and more. When you highlight a particular process you can view
the DLLs it has loaded or the operating system resource handles it has
When we look at the Task Manager we are not able to determine what are
legitimate files and what are Unknown or threat files. We can also get the
location of where the file is located.
Threats mostly load under svchost.exe or rundll32.exe so in the task
manager it just shows that either svchost or rundll32 is running but when
we use Procexp we can know which DLL or while file is loading under
these and the location as well.
It also has a color coding and a publisher name against each process that
makes us easier to determine whether it is legitimate or suspicious.
Once we get the filename we can submit it to
https://submit.symantec.com/retail or /basic or /Essential or /BCS
depending on your support contract with Symantec.

0 Favorited
0 Files

Tags and Keywords


Jul 24, 2015 09:14 AM

New article on this topic now available!


Using Today's SymHelp to Combat Today's Threats

May 13, 2014 06:44 AM

This new article may be of interest to anyone needing to send files to Security Response for analysis:

Symantec Insider Tip: Successful Submissions!

Many thanks!


Mar 11, 2014 05:37 AM

The latest release of SymHelp includes enhanced capabilities for threat detection and removal.  For details, please see:


About the Threat Analysis Scan

How to run the Threat Analysis Scan in Symantec Help (SymHelp)

Many thanks!



Sep 10, 2013 05:47 AM

Just a quick note: NSS is currently past its End Of Life (EOL). Using Symantec Power Eraser in its place:

About Symantec Power Eraser

How to run Symantec Power Eraser with the SymHelp utility



Mar 18, 2010 03:16 PM

Mar 16, 2010 08:21 PM

and How to detect new variant hidden rootkit, before it recognize via av virus definition data ?

you have simple method.


Mar 11, 2010 12:00 PM

When using SysInternals' Process Explorer you must first SUSPEND the virus process and associated processes.  After you suspend them you can then kill them.

If you kill the main virus first other buddy virus processes will just start up another instance of the virus.

When you have time I would suggest watching the Malware video at Sysinternals.com

Feb 25, 2010 04:45 PM

 There is no match for autoruns however there are many alternatives for process explorer though..The problem is still not enough people know about it..

Feb 25, 2010 04:23 PM

Mark Russinovich is a great guy. Saw his videos for Sysinternal Tools. Explains the concepts very thoroughly.


Feb 25, 2010 02:03 PM

I've been using autoruns for the past few years... Ever since I saw a lecture by the developer Mark Russinovich at a Tech-Ed conference.

A recent development on my end is that the malware developers are also becoming aware that this is a good tool... In two recent malware infections, the malware would not let me run AutoRuns or Process Explorer...

It's popularity amoung users like us is bringing unwanted attention...

Aug 29, 2009 03:24 AM

Very useful article. Thank u

Aug 26, 2009 07:29 AM

Aug 26, 2009 06:35 AM

 0xal0ne0 thanks for clarifying for me 

No further questions. 

I rest my case :)

Aug 26, 2009 05:01 AM

Well even Symantec has NSS ( Norton Security Scanner ) its and its free..Even i would agree that like Trend bought Hijakthis , symantec should by GMER or some tool that gives an ease of scanning in GUI..it show what is the when it shouldn't have been there..Like Autoruns,GMER,ICesword,Hijackthis..

Aug 26, 2009 04:19 AM

I'm well aware that hijackthis is free..FYI, I've have explored  it  since it's infancy (when it was first developed by Merijn Bellekom). I would request you to read my statement again..

"About, buying 'tools' *like*  hijackthis or similar...I've 'no comments' on it.I would leave it to Symantec to decide.However, you may post this in the "Ideas sections". "

It was a 'thought' in response to int3rn3t's statement...
"Symantec  is such a big company and it keeps buying companies so why doesn't it buy something like sysinternals, hijakthis, Gmer etc"


Aug 26, 2009 02:06 AM

Cable Mite: Hijackthis is still developed but since purchased by Trend Micro they do the development of it. 

0xal0ne0 hijackthis is not something you buy it is a freeware tool. However since purchased by Trend Micro you are right that promoting it in this forum is not the right way to go.
I am merely referencing to it as a tool that I have used and not promoting it.

Aug 25, 2009 09:02 PM

Sorry for the late reply, yes, Aniket is right on the Symantec tool I used. And from the looks of it, it looks like it's installing something. At least that's what the GUI looks like when running.

Aug 24, 2009 04:55 AM

Well..int3rn3t, I've used ESUG in many odd cases and it an awsome tool which worked for me.Addtionally,it's an 'offline anaysis' tool  which gives you indepth information about  the 'file system'  and 'registry'.This tool was created to assist  'tech support' and 'security response folks' to have a look at a suspected system when it's not available  'remotely or physically',in scenarios like only the system owner has the access and yes, you're right that it dumps the system's file system and registry...that's what you need *first* to check for possible infection of a system right ?

About sysinternals they're awsome set of tools .If you have a copy of ESUG ...just explore it how it works *along* with sysinternal tools[command line versions].ESUG is very flexible and useful trust me!

About, buying 'tools' like hijackthis or similar...I've 'no comments' on it.I would leave it to Symantec to decide.However, you may post this in the "Ideas sections".   

Aug 24, 2009 04:02 AM

HI Vikram,

Good piece of information on Autoruns..I actually used it and found it very helpful..but I don't think the ESUG Loadpoint that you are talking about is at all helpfull..it just dumps the registry and file system infornt of you to search. So why should it be called a Tool.
Symantec  is such a big company and it keeps buying companies so why doesn't it buy something like sysinternals, hijakthis, Gmer etc..

Aug 05, 2009 10:33 AM

Symantec has only the ESUG LoadPoint diag. tool which gives a detailed report in .htm  

Jul 20, 2009 10:52 AM


Are you referring to SymBatchDiag or ESUG logs tool?


Jul 19, 2009 09:16 PM

What tool is that Mon?
do you have a link on its specs and options?

Jul 19, 2009 10:49 AM

Symantec has a tool similar to hijackthis, although I think it installs itself before running unlike hijackthis which runs as is.
And unlike hijackthis, it has more indepth report in mht format to be opened with a web browser app.

Jul 17, 2009 10:20 AM

Maxmillian - I too used hijackthis, however the product is no longer updated. Autoruns is regularly revised to add new autostart locations.

Jul 17, 2009 03:12 AM

I have used Sysinternal files before but never these two programs. They look pretty impressive. For autoruns I have been using hijackthis but it is not as advanced as this tool.

Jun 26, 2009 10:49 PM

the autoruns tool is very valuable...
we already tried it..

Jun 25, 2009 04:21 AM

I used them too. Process Explorer and that other application (forgot what it was) sometimes fail to stop a process. Don't know what to do then.

Jun 22, 2009 11:35 AM

Brilliant tool. I use it myself a lot of times to find the anomalies in the systems.

Few screenshots would help a lot better!

Jun 22, 2009 06:03 AM

autoruns is a very good utility. It helps a lot.

Jun 20, 2009 01:00 AM

 I find autoruns the most powerful tool

Jun 20, 2009 12:30 AM

Nice Article.

I do use Process explorer but will try Autoruns for Windows.

Related Entries and Links

No Related Resource entered.