
FP or Active malware.



Hey all, running EAM and also Beta ESS, and came across these detections on my laptop. I ran EAM before and also ESS after a clean image, to make sure it wasn't just ESS. Running Win 8.1 64-bit.

 

Emsisoft Internet Security - Version 9.0

Last update: 4/29/2014 11:11:23 AM

User account:

 

Scan settings:

 

Scan type: Quick Scan

Objects: Rootkits, Memory, Traces

Detect PUPs: On

Scan archives: Off

ADS Scan: On

File extension filter: Off

Advanced caching: On

Direct disk access: Off

 

Scan start: 4/29/2014 11:11:39 AM

Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR  detected: Setting.DisableTaskMgr (A)

Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR  detected: Setting.DisableTaskMgr (A)

Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR  detected: Setting.DisableTaskMgr (A)

Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR  detected: Setting.DisableTaskMgr (A)

Value: HKEY_USERS\S-1-5-21-3397574334-2122873388-1719720996-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR  detected: Setting.DisableTaskMgr (A)

Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR  detected: Setting.DisableTaskMgr (A)

Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD  detected: Setting.DisableCMD (A)

Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD  detected: Setting.DisableCMD (A)

Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD  detected: Setting.DisableCMD (A)

Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD  detected: Setting.DisableCMD (A)

Value: HKEY_USERS\S-1-5-21-3397574334-2122873388-1719720996-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD  detected: Setting.DisableCMD (A)

Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD  detected: Setting.DisableCMD (A)

Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS  detected: Setting.DisableRegistryTools (A)

Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS  detected: Setting.DisableRegistryTools (A)

Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS  detected: Setting.DisableRegistryTools (A)

Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS  detected: Setting.DisableRegistryTools (A)

Value: HKEY_USERS\S-1-5-21-3397574334-2122873388-1719720996-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS  detected: Setting.DisableRegistryTools (A)

Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS  detected: Setting.DisableRegistryTools (A)

Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN  detected: Setting.NoRun (A)

Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN  detected: Setting.NoRun (A)

Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN  detected: Setting.NoRun (A)

Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN  detected: Setting.NoRun (A)

Value: HKEY_USERS\S-1-5-21-3397574334-2122873388-1719720996-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN  detected: Setting.NoRun (A)

Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN  detected: Setting.NoRun (A)

 

Scanned 56271

Found 24

Scan end: 4/29/2014 11:12:02 AM

Scan time: 0:00:23

 

Any idea what might be causing these detections?  I also currently have WSA and Sandboxie running in RT.  


Those are Group Policies that can be abused by malware. If they exist, then they will be detected (regardless of whether the value is 1 or 0). I don't think Sandboxie would create those. It might be WSA, but you'd have to ask their support if it tries to create those registry values.

It's also important to note that most company IT departments will set up computers with Group Policy restrictions to prevent people from doing certain things, but they generally do it through Active Directory on a domain controller (which means that sort of thing is usually done on a company computer that logs in to the company's network).
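As an added check (not part of the thread, and not Emsisoft's or Webroot's code), the script below enumerates the four policy values from the scan log across HKLM and every user hive currently loaded under HKEY_USERS, and shows the data each one holds. That answers the question the reply leaves open: whether the values are merely present (data 0, which the scanner still flags) or actually active (non-zero). The key paths and value names are exactly those in the log; the `Note` column text is my own wording.

```powershell
# Added example: report the policy values flagged in the scan, per hive, with their data.
# Read-only; run from an elevated PowerShell prompt so that all loaded hives are readable.

$checks = @(
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableCMD' },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' }
)

# PowerShell only maps HKLM: and HKCU: by default; map HKEY_USERS so the
# .DEFAULT, S-1-5-18/19/20 and S-1-5-21-... hives from the log can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Skip the *_Classes hives: they hold per-user COM/file-association data, not policies.
$roots = @('HKLM:') + (Get-ChildItem -Path HKU:\ |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" })

$results = foreach ($root in $roots) {
    foreach ($c in $checks) {
        $key = Join-Path -Path $root -ChildPath $c.Path
        if (-not (Test-Path -Path $key)) { continue }

        # -ErrorAction SilentlyContinue returns $null when the value does not exist,
        # which is the "nothing for the scanner to flag" case.
        $item = Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }

        $data = $item.($c.Name)
        [pscustomobject]@{
            Hive  = $root
            Value = $c.Name
            Type  = (Get-Item -Path $key).GetValueKind($c.Name)
            Data  = $data
            Note  = if ($data -eq 0) { 'present but inactive (0)' } else { 'restriction ACTIVE' }
        }
    }
}

if ($results) { $results | Format-Table -AutoSize } else { 'No policy restriction values found.' }
```

A value that exists with data 0 matches what the reply describes: the scanner flags the presence of the value, not its setting. A non-zero value means the restriction is in effect for that hive, and on a non-domain home laptop that is worth explaining before trusting the machine. If a value turns out to have no legitimate owner, `Remove-ItemProperty -Path <key> -Name <value>` deletes it; on a domain-joined machine Group Policy would simply rewrite it at the next refresh.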


I do know a lot of ad hoc adware, etc., removal software resets registry permissions so it can access the user's registry. For example, Junkware Removal Tool (JRT) definitely creates these two keys when it runs:

 

Value: HKEY_USERS\S-1-5-21-3397574334-2122873388-1719720996-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR  detected: Setting.DisableTaskMgr (A)

Value: HKEY_USERS\S-1-5-21-3397574334-2122873388-1719720996-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS  detected: Setting.DisableRegistryTools (A)

 

If you haven't run any special malware cleaning tools, I would strongly suspect it is WSA creating these keys to gain access to your registry. As previously suggested, I would contact Webroot for confirmation.

This topic is now closed to further replies.