Mischel Internet Security Forum, TrojanHunter Scanner board (Moderators: Helena, Gavin_Coe, Magnus)
Oct 7th, 2008, 6:01am
Topic: Items in Registry Scan (Read 777 times)

art77e (Newbie, Posts: 30)
Items in Registry Scan
« on: Sep 5th, 2006, 4:04pm »

Hi,
I just upgraded from 4.5 to 4.6 and the installation went fine.
After re-installing the license from 4.5 to 4.6 I ran my first scan.
Under the "Registry" scan I am getting two items that I know to be okay: both Tweak UI settings, under RunServices and Run. These were not picked up under 4.5.
How do I exclude these 2 items from the scan, as it looks like only files can be excluded?
Thanks,
Art
My system is 98SE.

Jrb (Full Member, Posts: 210)
Re: Items in Registry Scan
« Reply #1 on: Sep 5th, 2006, 5:07pm »

Hi Art,
 
Of course the answer has to come from the TH-guys.
But may I ask you a question in the meanwhile: which build-number (not only version but build-number) of TH were you using before upgrading to version 4.6?
And could you give (if possible) the exact reg-keys and their data?
Reason for asking:
I've reported a similar situation on my Win98SE box but with completely different application(s), with one of the last builds of version 4.5. (Of course I am not saying that exactly something similar is happening on your system). Anyhow, in my case I just ignore that warning.

art77e (Newbie, Posts: 30)
Re: Items in Registry Scan
« Reply #2 on: Sep 5th, 2006, 6:52pm »

Hello Jrb,
Glad to be of assistance if I can.
My version of TH before upgrade was 4.5.0.922
My scan was as follows:
Registry scan
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Tweak UI (Regedit Jump)
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tweak UI (Regedit Jump)
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan (autostarted files, running executables)
No trojan files found
Art

Jrb (Full Member, Posts: 210)
Re: Items in Registry Scan
« Reply #3 on: Sep 5th, 2006, 9:35pm »

Hi Art,
 
I don't have Tweak UI installed on my Win98SE machine.
 
I don't know whether you are familiar with the registry.
The registry is something you have to be very cautious with!!
 
Could you perhaps give a bit more info about these registry entries:
1.
HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Tweak UI
2.
HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Tweak UI
 
In Regedit the reg-key is shown on the left side,
and on the right side Name, Data, Size.
It would be interesting to see whether in those two reg-entries the same Name is occurring on that right side.
 
You didn't have the latest build-number of TH version 4.5 installed.
As far as I understood: in one of the last build-numbers of TH version 4.5 a heuristic detection was introduced that would trigger a warning in case the same Name occurs both in Run and RunServices.

Jrb (Full Member, Posts: 210)
Re: Items in Registry Scan
« Reply #4 on: Sep 5th, 2006, 11:48pm »

Here is an example of something similar (and again: I'm not saying that this is exactly the same as you saw on your system).
This is on Win98SE. It's about Acronis with several Acronis programs installed (some of them outdated).
 
---
Registry scan
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Acronis Scheduler2 Service  
(Regedit Jump)
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Acronis Scheduler2 Service  
(Regedit Jump)
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
No trojan files found
---
 
The reg-entries about these two are (only giving here the important parts):
1.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]
"Acronis Scheduler2 Service"=
""C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe""
2.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices]
"Acronis Scheduler2 Service"=
""C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedul2.exe""
 
In this example the Name "Acronis Scheduler2 Service" shows up in both the Run and the RunServices reg-entries.
Some malware does a similar thing, and that is why TH is giving a warning.
I had contact with Magnus and Gavin about it. There is a thread about it here in the TH forum and in the DSLR security forum.
I just ignore the warning because in my case I know it is OK.
But of course with every warning you have to take a closer look at it and, in doubt, ask the TH guys.
In your case it might be a similar thing, but of course I don't know that 100% for sure.
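The heuristic Jrb describes (the same value Name present under both Run and RunServices) is easy to reproduce against a .reg export, and the exclusion list Art asks for at the top of the thread is a small addition to it. The script below is an added example written for this page, not TrojanHunter's own code (TH's exact rules are not published). It parses a constructed REGEDIT4 export modelled on the Acronis and Tweak UI entries quoted in the thread (with the proper .reg escaping that the forum rendered as doubled quotes), reports every Name that appears in both keys, skips names on an ignore list, and as a triage aid that is not part of TH's output notes whether both entries launch the same file. The "svchost32" pair in the sample is made up to stand in for the malware pattern Jrb mentions; it is not a real detection name.

```python
"""Added example: the Run/RunServices duplicate-Name heuristic from this
thread, plus the ignore list the thread asks for.  Illustration code for
this page, not TrojanHunter's implementation.  Input is a REGEDIT4 (.reg)
export as produced by Regedit on Windows 9x."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"

# Constructed sample export.  Acronis and Tweak UI lines are modelled on the
# thread's entries; "svchost32" is a made-up pair launching the same file
# from both keys (the pattern the thread attributes to some malware).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis Scheduler2 Service"="\"C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\""
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"svchost32"="C:\\WINDOWS\\SYSTEM\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Acronis Scheduler2 Service"="\"C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedul2.exe\""
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"svchost32"="C:\\WINDOWS\\SYSTEM\\svchost32.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg string escaping: backslash-backslash -> backslash, backslash-quote -> quote
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])          # REG_SZ; hex:/dword: left raw
            keys[current][name] = data
    return keys


def find_duplicate_startup_names(keys, ignore=()):
    """Names present under both Run and RunServices, minus the ignore list.

    The ignore list is the exclusion feature requested in the thread; it
    matches the value Name case-insensitively, as the registry itself does."""
    run = keys.get(RUN_KEY, {})
    services = keys.get(RUNSERVICES_KEY, {})
    run_by_lower = {n.lower(): n for n in run}
    ignored = {n.lower() for n in ignore}
    hits = []
    for svc_name, svc_data in services.items():
        lowered = svc_name.lower()
        if lowered in ignored or lowered not in run_by_lower:
            continue
        run_name = run_by_lower[lowered]
        run_data = run[run_name]
        hits.append({
            "name": run_name,
            "run": run_data,
            "runservices": svc_data,
            # Triage aid only: Acronis starts two different files under one
            # name, the made-up pair starts the same file twice.
            "same_target": run_data.strip('"').lower() == svc_data.strip('"').lower(),
        })
    return sorted(hits, key=lambda h: h["name"].lower())


def format_report(hits):
    """Render hits in the style of the scan log quoted in the thread."""
    lines = ["Registry scan"]
    for h in hits:
        for sub in ("RunServices", "Run"):
            lines.append(
                f"Suspicious registry entry: HKLM\\Software\\Microsoft\\Windows"
                f"\\CurrentVersion\\{sub}\\{h['name']}"
                + ("" if h["same_target"] else " (different targets)"))
    if not hits:
        lines.append("No suspicious entries found")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print(format_report(find_duplicate_startup_names(parsed)))
    print("--- with the two known-good names excluded ---")
    print(format_report(find_duplicate_startup_names(
        parsed, ignore={"Tweak UI", "Acronis Scheduler2 Service"})))
```

To run it against a real Windows 9x box, export the two keys from Regedit (Registry > Export Registry File) and pass the file contents to parse_reg. The "(different targets)" tag is only a hint for the analyst: a legitimate product can launch two different files under one name, as Acronis does here, and a single file launched twice is not proof of malware either; Gavin's FIX-then-reboot check further down the thread is the better test.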

art77e (Newbie, Posts: 30)
Re: Items in Registry Scan-New TH 4.6
« Reply #5 on: Sep 6th, 2006, 1:37pm »

Hi Jrb,
Thank you very much for your input in regards to this scan I now get every time after downloading new defs.
However, I have NOT received a definitive answer from any mods or Magnus regarding my initial question, i.e. can these SUSPICIOUS ENTRIES be excluded, and if so, HOW? Or do you just have to LIVE with them coming up every time?
Hope to receive some info on this soon.
Thanks
Art

Jrb (Full Member, Posts: 210)
Re: Items in Registry Scan
« Reply #6 on: Sep 6th, 2006, 5:51pm »

Hi Art,
 
Quote: "Can these SUSPICIOUS ENTRIES be excluded"
 
As far as I have seen, the answer is "no".
Maybe I did overlook something, but I don't see such an option for these reg-entries.
 
Well, I myself can live with that.
 
I know it's happening, and I learned from Magnus and Gavin (as far as I understood them) why it is happening.
So: I see the warning when I do a full system scan with TH, but I just ignore it.

Gavin_Coe (Trojan Analyst, Posts: 2037)
Re: Items in Registry Scan
« Reply #7 on: Sep 7th, 2006, 7:11am »

So far no, but we could make an option for this detection, or even adjust its strength to "normal" and "strong", which might be the way to go (probably in TH5).
 
Be aware that tens of thousands of trojans will be detected when installed; this detection can nab them!
 
But if it's alarming on something normal you can ignore it.

art77e (Newbie, Posts: 30)
Re: Items in Registry Scan
« Reply #8 on: Sep 7th, 2006, 12:39pm »

Hi Gavin,
Thanks for the response. Not what I wanted to hear, but hopefully it can be rectified as per your suggestions in a later version. Hoping so, as I personally find this annoying.
Thanks again for your answer.
Art

Gavin_Coe (Trojan Analyst, Posts: 2037)
Re: Items in Registry Scan
« Reply #9 on: Sep 9th, 2006, 9:31am »

You have 2 duplicate entries for the same program. I suggest choosing FIX, then run a scan again.
 
The scan result should be gone. Then reboot the PC!
 
If it returns after a reboot, it actually IS malware. Do a Regedit Jump, find the file and send it in.

teanick (Newbie, Gender: male, Posts: 17)
Re: Items in Registry Scan
« Reply #10 on: Sep 9th, 2006, 12:15pm »

I had the same problem that jrb had with the two registry entries on my W98 machine:
Registry scan  
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Acronis Scheduler2 Service  
(Regedit Jump)  
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Acronis Scheduler2 Service  
(Regedit Jump)  
When I "cleaned" these two entries, I found I could no longer perform an Acronis True Image 7 backup and had to reinstall Acronis True Image.
There should be a way to ignore specific registry entries in a scan in the same way that specific files can be ignored under the "ignore list" button under Options in TH 4.6.
This would be a great feature to add to a future version of TrojanHunter.

Gavin_Coe (Trojan Analyst, Posts: 2037)
Re: Items in Registry Scan
« Reply #11 on: Sep 9th, 2006, 9:43pm »

Ok, great, thanks for the info!
 
It does seem very strange they would use 2 identical startup names when they aren't doing the SAME thing. Why isn't one called Scheduler and the other Scheduler2? If they are different, why not differentiate between them?

Jrb (Full Member, Posts: 210)
Re: Items in Registry Scan
« Reply #12 on: Sep 14th, 2006, 12:17pm »

Hi teanick,
 
Thanks teanick for confirming that TH-warning about Acronis on a W98 machine. Thanks very much!!!
 
---
 
Hi Gavin,
 
Yes, I understand what you're saying; it is strange...
I did ask Acronis for some "explanation" but never got a reply.

dp (Full Member, Posts: 102)
Re: Items in Registry Scan
« Reply #13 on: Sep 18th, 2006, 6:47am »

on Sep 9th, 2006, 9:43pm, Gavin_Coe wrote:
Ok, great, thanks for the info!
 
It does seem very strange they would use 2 identical startup names when they aren't doing the SAME thing. Why isn't one called Scheduler and the other Scheduler2? If they are different, why not differentiate between them?

Acronis is not the only one that does this. Sygate also does the same thing with SmcServices. There really should be a way to exclude these from scans.

Microsoft Security MVP / 2004 - 2008