215fw

What to do with 2 detections?

On WinXP-SP3, I just ran, for the first time, an Emergency Kit scan. In normal mode, not in safe mode.

Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE -> DEBUGGER     detected: SecHijack (A)
Key: HKEY_USERS\S-1-5-21-1060284298-682003330-725345543-1006\SOFTWARE\YAHOOPARTNERTOOLBAR     detected: Application.Win32.YTool (A)


1. is a false positive. The registry confirms that it's Process Explorer, a legit hijack.
2. isn't classified as high risk, but baffles me completely. I don't know of any Yahoo toolbar I have, and there is no such key (...-1006) in the registry.

At this point I did nothing, unchecked both and exited.
What should I do now? Thanks in advance.

BTW, goldious utility, reminds me of the old a2 scans :)


1. is a false positive. The registry confirms that it's Process Explorer, a legit hijack.

Actually it's not a false positive. It's a hijack. It may be a hijack that you put in place knowingly, but it is still a hijack. If you want to keep it in place, just right click the detection and white list it.

2. isn't classified as high risk, but baffles me completely. I don't know of any Yahoo toolbar I have, and there is no such key (...-1006) in the registry.

It's a PUP. PUPs have no risk assigned as doing so may be considered slander in some legislation. The detection took place in a HKEY_USERS key which usually stores the user profile specific registry hives. The reason why you can't find the key manually is most likely due to the fact that the registry key is located in a user profile that belongs to a user that isn't logged in right now. EEK does scan all user profiles, so it will still detect registry traces that are stored in inactive profiles as well.

What should I do now? Thanks in advance.

White list the first detection and let EEK clean the second one.

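Fabian's two points above (an IFEO Debugger value is a redirection whoever put it there, and HKEY_USERS only shows the hives that are currently loaded), as an added example that is not part of the thread and not an Emsisoft tool: a PowerShell audit that lists every IFEO Debugger entry and cross-checks the profiles on the box against the loaded hives. It assumes Windows PowerShell 2.0 or later (installable on XP SP3) run from an elevated prompt.

```powershell
# Added example, not from the thread or from Emsisoft. Assumes Windows
# PowerShell 2.0+ (installable on XP SP3) in an elevated prompt.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# 1. An IFEO subkey with a Debugger value makes Windows start that program
#    instead of the named EXE. Process Explorer's "Replace Task Manager"
#    option does this for taskmgr.exe; any other entry deserves a close look.
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $debugger = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        New-Object PSObject -Property @{
            Executable  = $_.PSChildName
            Debugger    = $debugger
            # True only for the taskmgr.exe -> Process Explorer case from the thread
            LooksLikePE = ($_.PSChildName -ieq 'taskmgr.exe' -and $debugger -imatch 'procexp')
        }
    }
} | Select-Object Executable, Debugger, LooksLikePE | Format-Table -AutoSize

# 2. HKEY_USERS only exposes hives that are loaded right now (.DEFAULT,
#    service accounts, logged-in users). A key under another account's SID,
#    like the ...-1006 profile above, is invisible from your own session
#    while that user is logged off. ProfileList knows every profile on the
#    machine, so compare it with what HKU actually shows.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$loaded = Get-ChildItem -Path 'HKU:\' | ForEach-Object { $_.PSChildName }

Get-ChildItem -Path $profileList | ForEach-Object {
    $sid      = $_.PSChildName
    $path     = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    $isLoaded = $loaded -contains $sid
    if ($isLoaded) {
        # Only a loaded hive can be queried; EEK scans the unloaded ones itself
        $hasToolbar = Test-Path -Path "HKU:\$sid\SOFTWARE\YahooPartnerToolbar"
    } else {
        $hasToolbar = 'hive not loaded'
    }
    New-Object PSObject -Property @{
        SID = $sid; Profile = $path; Loaded = $isLoaded; YahooPartnerToolbar = $hasToolbar
    }
} | Select-Object SID, Profile, Loaded, YahooPartnerToolbar | Format-Table -AutoSize
```

A profile that shows "hive not loaded" is exactly the case in the thread: the key exists on disk in that user's NTUSER.DAT but cannot be seen from regedit until that user logs in (or the hive is loaded manually).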

Done. Exactly as you suggested, Fabian, thank you. I did some snooping under the Admin2 user (not me), and suspect the toolbar might have come, in 2010, with Sun Java, which I no longer have. Does that make sense?

A few follow-up questions; items 2 and 3 are OT, hope you don't mind:
1. Did I have to rerun the scan (albeit stopped short once the 2 detections showed up) to see the list and be able to delete one and whitelist PE? I looked all over and didn't find it other than in the log file.

2. The default settings for the Smart scan included "Direct disk access" set to NO. Yet SSM (System Safety Monitor) did alert on, and I allowed, a direct disk access driver. Is that normal?

3. I wanted to try a custom scan of a folder on a non-system partition. Is that possible? I saw the selection of partitions, and selected a partition and folder, yet it seems it didn't really get selected, and EEK was scanning C:. The log file does show all drives and the folder I selected, rather than just the folder. It is really unclear to me how to do that.


1. Did I have to rerun the scan (albeit stopped short once the 2 detections showed up) to see the list and be able to delete one and whitelist PE? I looked all over and didn't find it other than in the log file.

Yes, you will have to do that at the moment. We may change it in the future though.

2. The default settings for the Smart scan included "Direct disk access" set to NO. Yet SSM (System Safety Monitor) did alert on, and I allowed, a direct disk access driver. Is that normal?

Yes, as DDA is still used for the rootkit scan implicitly.

3. I wanted to try a custom scan of a folder on a non-system partition. Is that possible? I saw the selection of partitions, and selected a partition and folder, yet it seems it didn't really get selected, and EEK was scanning C:. The log file does show all drives and the folder I selected, rather than just the folder. It is really unclear to me how to do that.

By default the Custom scan will scan all disks. If you don't want to scan all disks, you will have to remove them from the list of objects to scan first.


Once again, many thanks for responding. Just bear with me a tad more, please.
1. ok, would be nice to change
2. DDA - why didn't I think of it :(
3. I finally see how custom scan works.
The GUI for that part is clear as mud, but the scan worked perfectly.
The problem is/was that, initially, you don't even see what is being added because of the size of the selection box and the number of default partitions/volumes already listed.
There's so much blank space on the screen that I'd think a decent looking table with checkmarks would be a nicer solution :)

Whitelisting: is there a quick way to get some feedback that whitelisting actually took place? View report button just shows detections.
I whitelisted two programs, but a2whitelist.ini has the names of detections, not files, such as Backdoor.Generic.220498 (B) or Application.Win32.InstallAd (A). I did this on purpose. BUT I'd hate to see the whole backdoor group or OpenCandy ads whitelisted for future, important scans. Should I worry or not?

Submit FP: I clicked to submit a file, just to see how it would work. Nothing happened, as far as I can tell. Nothing in the firewall, nothing in TCPView.

4. New item, likely the last one, since EEK basically looks good to me: the old a-squared scan used to show a ton of traces or tracking cookies etc. These scans do not. Does it mean my box is superclean (unlikely), or simply different emphasis?

Whitelisting: is there a quick way to get some feedback that whitelisting actually took place? View report button just shows detections.

Scan/Manage whitelist.

Submit FP: I clicked to submit a file, just to see how it would work. Nothing happened, as far as I can tell. Nothing in the firewall, nothing in TCPView.

We will look into it.

4. New item, likely the last one, since EEK basically looks good to me: the old a-squared scan used to show a ton of traces or tracking cookies etc. These scans do not. Does it mean my box is superclean (unlikely), or simply different emphasis?

The cookie scan was removed a few versions ago. It was pretty useless anyway.
