bjm__

EEK newbie question


Hello EMSI Community,

Newbie questions regarding EEK v10.0.0.5488

EEK install / update / run / report appear to be okay.

Curious as to why the EEK Help File points to EAM/EIS.

Is EEK essentially the same as EAM after the 30-day trial?

For a second-opinion on-demand scanner, would EEK be okay or would EAM (free) be more appropriate?

EEK scans find 34 detections with 4 "No Risk" and 30 without any Risk Level information. The 30 appear to be reg keys.
What may/does the absence of "Risk Level" info denote?

May I attach the scan report here or should I go to "Help, my PC is infected!"?

Thanks... (sorry, I don't find an editor spell check)


EEK is very different from EAM, even when it is running in freeware mode; however, both use the same scanning and deletion technology. You can find any relevant information about EEK at this link, and feel free to let me know if you have any questions.

When there is no "Risk level", that means that it is a setting that malicious programs have been known to change, such as the setting to disable the Task Manager.

You can paste the log here if you would like, or if you need assistance removing detections you can post it in the "Help, my PC is infected!" section.


Hello,

Sorry for the delay in responding. I did not get an email notice of your reply.

Thank you. I am familiar with the relevant information about EEK at this link.

That's how I was introduced to EEK.

I've read EAM may run as a companion on-demand scanner in freeware mode.

Although, I have no insight into how/why EEK is very different from EAM, even when it is running in freeware mode.

So, to my OP question >

For a second-opinion on-demand scanner, would EEK be okay or would EAM (free) be more appropriate?

And how/why is EAM different from EEK when EAM is running in freeware mode?

I'm trying to introduce myself to Emsisoft.

Since you prompted pasting, I'll paste.
Emsisoft Emergency Kit - Version 10.0
Last update: 10/25/2015 12:14:28 PM
User account: BJM-PCW8\bjms

Scan settings:

Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\, D:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    10/25/2015 12:32:22 PM
C:\Users\bj\AppData\Roaming\Mozilla\Firefox\Profiles\x8gadp9d.default\Searchplugins\safesearch.xml     detected: Application.SearchPlug (A)
C:\Users\bjms\AppData\Roaming\Mozilla\Firefox\Profiles\br0fgu8r.default\Searchplugins\safesearch.xml     detected: Application.SearchPlug (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-2084490526-3157944608-823130631-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-21-2084490526-3157944608-823130631-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-2084490526-3157944608-823130631-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-21-2084490526-3157944608-823130631-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Key: HKEY_USERS\S-1-5-21-2084490526-3157944608-823130631-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}     detected: Application.Win32.WSearch (A)
Key: HKEY_USERS\S-1-5-21-2084490526-3157944608-823130631-1004\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}     detected: Application.Win32.WSearch (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-21-2084490526-3157944608-823130631-1004\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)

Scanned    318410
Found    34

Scan end:    10/25/2015 1:09:34 PM
Scan time:    0:37:12

For a second-opinion on-demand scanner, would EEK be okay or would EAM (free) be more appropriate?

EEK would probably be ideal, since it is portable and only installs a single driver.

And how/why is EAM different from EEK when EAM is running in freeware mode?

EAM is an anti-virus software, and installs a service and a driver. Before freeware mode can be used, there is a 30-day trial period, and once that trial is over then freeware mode can be activated. In freeware mode the service no longer runs at startup, but the UI will still show all of the normal EAM features even though most of them don't work in freeware mode. It will also always show all of the colored areas that tell you protection status in red, and say "Not Protected" as long as it is in freeware mode.

EEK is just a portable scanner. It has no service, it runs from anywhere (including USB flash drives), and its colored areas in the UI will change only to let you know that the database is out of date by more than 24 hours. Its only real functions are downloading updates, scanning, deleting/quarantining, and managing logs and quarantined files which means that there aren't going to be a lot of things in the UI that you can't use.

Both products come with our Commandline Scanner (A2CMD), however they have different versions of it. The one with EAM uses the service to download updates and run scans, whereas the one that comes with EEK doesn't use a service.

As for those detections, you'll note that all of the ones that have no risk level have the following in the path:

MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES

These are Group Policies, or settings that disable certain Windows functions. For instance, the following is capable of disabling the Task Manager:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR

These Group Policies do not exist by default, and if our scanner detects them it will show them in the scan results regardless of their value. The value can be 0 for "false" or 1 for "true". Basically, 0 tells it not to disable the Task Manager, and 1 tells it to disable the Task Manager. Chances are that these are all set to 0, and you can check by opening the Task Manager to see if it works.


Hello again,
I'll have to find the email notification option (if there is one).

Great, so... EEK fits my current need.

I imagine EEK has a reason for detecting Group Policies.
Perhaps malware re-writes the Policy.

"These Group Policies do not exist by default, and if our scanner detects them...."

"...and if our scanner detects" suggests detecting Group Policies is not the norm...?

Thank you,

Regards


I'll have to find email notification option (if there is one).

They're in the File Guard options. Here's a screenshot:

[screenshot attachment omitted]

Imagine EEK has a reason for detecting Group Policies.  

Perhaps, malware re-write Policy.

Yes, any Group Policy that malware has been known to change. For instance, disabling the Task Manager so that it can't be used to terminate malicious processes that are running on the computer.

....and if our scanner detects suggests detecting Group Policies is not norm...?

Detecting certain Group Policies is normal, but it is not normal for them to exist. Some legitimate software will create them with '0' as the value under the assumption that this somehow fixes something or prevents abuse, however malware can still change them unless registry permissions have been changed to prevent it, which isn't necessarily a good idea as it could prevent changing of those settings in the future if it is needed.

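The check both Emsisoft replies above describe (is each flagged policy value absent, present with 0, or actually set?) as a read-only PowerShell audit. This is an added example for readers of the thread, not Emsisoft's code and not part of the original posts. It assumes an elevated PowerShell session on the scanned Windows machine (reading the S-1-5-18/19/20 hives needs administrator rights) and covers the five value names that appear in the scan log without a risk level: DisableTaskMgr, DisableCMD, DisableRegistryTools, NoRun and NoFolderOptions. The Effect text is a summary of what each restriction does and is the example's own wording.

```powershell
# Read-only audit of the Windows policy values that EEK reports with no risk level.
# Added example, not Emsisoft code. Run in an elevated PowerShell on the scanned machine.

$policyChecks = @(
    @{ Key = 'Policies\System';   Name = 'DisableTaskMgr';       Effect = 'blocks Task Manager' },
    @{ Key = 'Policies\System';   Name = 'DisableCMD';           Effect = 'blocks the command prompt' },
    @{ Key = 'Policies\System';   Name = 'DisableRegistryTools'; Effect = 'blocks Registry Editor' },
    @{ Key = 'Policies\Explorer'; Name = 'NoRun';                Effect = 'removes the Run dialog' },
    @{ Key = 'Policies\Explorer'; Name = 'NoFolderOptions';      Effect = 'hides Folder Options' }
)

function Get-PolicyValueStatus {
    param(
        [Parameter(Mandatory)][string]$HivePath,   # e.g. Registry::HKEY_LOCAL_MACHINE
        [Parameter(Mandatory)][string]$HiveLabel
    )
    foreach ($check in $policyChecks) {
        $keyPath = "$HivePath\SOFTWARE\Microsoft\Windows\CurrentVersion\$($check.Key)"
        $value = $null
        if (Test-Path -LiteralPath $keyPath) {
            # -Name with SilentlyContinue returns $null when the value does not exist.
            $props = Get-ItemProperty -LiteralPath $keyPath -Name $check.Name -ErrorAction SilentlyContinue
            if ($null -ne $props) { $value = $props.($check.Name) }
        }
        # Absent is the Windows default. 0 is what some legitimate software writes.
        # Any non-zero value actually enforces the restriction.
        $status = if ($null -eq $value)      { 'absent (default)' }
                  elseif ([int]$value -eq 0) { 'present, 0 (not enforced)' }
                  else                       { "ENFORCED ($value)" }
        [pscustomobject]@{
            Hive   = $HiveLabel
            Policy = $check.Name
            Status = $status
            Effect = $check.Effect
            Key    = $keyPath -replace '^Registry::', ''
        }
    }
}

# Machine-wide hive first, then every user hive currently loaded under HKEY_USERS
# (.DEFAULT, S-1-5-18 SYSTEM, S-1-5-19 LocalService, S-1-5-20 NetworkService, logged-on users).
$results = @(Get-PolicyValueStatus -HivePath 'Registry::HKEY_LOCAL_MACHINE' -HiveLabel 'HKLM')
foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS') {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }   # per-user HKCR overlays, not profiles
    $results += Get-PolicyValueStatus -HivePath "Registry::HKEY_USERS\$sid" -HiveLabel $sid
}

$results | Sort-Object Policy, Hive | Format-Table Hive, Policy, Status, Effect -AutoSize

$enforced = $results | Where-Object { $_.Status -like 'ENFORCED*' }
if ($enforced) {
    Write-Warning 'Enforced restriction(s) found:'
    $enforced | ForEach-Object { Write-Warning "  $($_.Key) -> $($_.Policy) = $($_.Status)" }
} else {
    Write-Host 'No enforced restrictions: every flagged value is absent or 0.'
}
```

The script changes nothing; it only reads. Two caveats when comparing its output with an EEK log: it sees only hives that are loaded, so a profile that is not logged on (for example a second user SID such as the ...-1001 entry in the log above) will not appear under HKEY_USERS even though a scanner that reads the profile from disk can list it; and a value of 0 is exactly the "present but harmless" case the replies describe, which is why Task Manager still opens. A non-zero value is the one worth investigating before deciding whether to let EEK remove it.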
