Jaheira

Weird Traces Found in Registry

A few days ago, I was giving my machine a full scan with SuperAntiSpyware, and just as it was coming to the end of scanning the registry, prior to moving on to scanning files, the scan unexpectedly finished with the message, "Scanning is complete. No harmful software was detected!". I thought this a little strange, so started another full scan with the same result.

The file that was being scanned prior to its unexpected end was called %PROGRAMFILES%\WINDOWS ANTIVIRUS PRO. My virus checker gave my system a clean bill of health, and just scanning all files on my machine with SAS came up clean. I also checked out the symptoms of this scareware infection at bleepingcomputer.com, and none of the symptoms, registry entries or files associated with it existed on my machine. All startup locations (HKLM\Software\Microsoft\Windows\CurrentVersion\Run AND RunServices) were also clean. In fact, the only reference I could find to the infection was the registry entry mentioned above when SAS bombed out. Searching the registry for 'ANTIVIRUS PRO' also drew a blank, which demands the question: where the hell is %PROGRAMFILES%\ in the registry!? From what I gather, it's a pointer to the actual Program Files directory on your hard disk, and no such folder called Windows Antivirus Pro existed there!

Convinced that the only problem on my machine was a rogue reference to Windows Antivirus Pro somewhere in my registry, I simply reverted to a registry backup, after which SAS performed a full system scan successfully and reported nothing unusual.

This morning, I decided to scan the registry again with SAS, and pausing the scan just before it was due to end, I noticed that registry entries to other malware items were being displayed, although SAS wasn't flagging them as infections. The two I noticed (although I only saw these because of fortuitous random pauses to the scan!!) were:-

%CSIDL_PROFILE%\Start Menu\Programs\Antivirus Trigger 2.1

and a reference to Perfect Protection 2009, I forget the actual path, but it was encapsulated by %

Once again, I checked out the files, registry entries and symptoms associated with these pieces of malware, and nothing exists on my machine other than the fleeting names displayed when SAS was scanning the registry. My virus checker also gives my machine a clean bill of health, as does SuperAntiSpyware.

So, what's going on?!! I can't find the links in the registry that SAS is displaying, and unless I pause the scan, they flash past too quickly to notice. And anyway, SAS gives me a clean bill of health! Could it be that these are actually files that SAS is scanning for, rather than actual registry entries on my machine?

I'm using SAS version 4.24.0.1004, with the latest definitions. I'm also one of those dinosaur people still running Windows 98SE!

Thanks for any enlightenment anyone can shed on this matter!


Hey, go into your C/WINDOWS/system32 folder and look if there is a file "desot.exe". If it was recently added, delete it, restart your computer and try again. This seems to disable Windows Antivirus Pro, although there are still traces of it, and you will need to run a scan after you delete the file "desot.exe".


I think this issue really needs to be addressed by someone from SAS, at least for the peace of mind of those of us that may notice what I observed! :mrgreen:

To emulate my results, I ran a full scan with SAS on another machine, one I know is clean (MalwareBytes, SAS and McAfee 2009 all said so!!). Once again, after SAS scanned the registry, it appeared to scan paths to known locations where the malware it's searching for could potentially exist. Once the registry is scanned (the Registry Items count is no longer incrementing) and before it starts scanning File Items, various paths to malware it must be searching for are displayed. The only way you can observe this behaviour is to pause the scan during this period.

On both machines, none of these paths actually exist, and no trace of the malware implied (registry items, files, symptoms) is present. Multiple security programs give a clean bill of health, and the paths observed don't exist in the registry or on the HDD.

I'm 100% sure both machines are clean, and what I observed was part and parcel of SAS scanning for malware. Even so, it could possibly alarm users, as it did with me!

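The paths the scanner flashes past (%PROGRAMFILES%\..., %CSIDL_PROFILE%\...) are signature templates: the %...% tokens are placeholders the scanner resolves to real folders on the machine before checking whether anything is there, which is why searching the registry for them finds nothing. The following is an added example, not part of this thread and not SUPERAntiSpyware's own code, showing how a defender can do the same resolution by hand to confirm that a flashed-past path is absent. The folder values in SAMPLE_ENV, the template list and the fake on-disk set are all constructed sample data; on a real Windows machine you would pass the live environment and the default os.path.exists instead.

```python
import os
import re

# Constructed sample mapping for the tokens seen in the scan display.
# %PROGRAMFILES% is an ordinary environment variable; %CSIDL_*% names are
# Windows "special folder" identifiers that a scanner resolves itself.
SAMPLE_ENV = {
    "PROGRAMFILES": r"C:\Program Files",
    "CSIDL_PROFILE": r"C:\WINDOWS\Profiles\jaheira",
    "CSIDL_APPDATA": r"C:\WINDOWS\Application Data",
}

# Constructed templates: the two named in the thread plus one with an
# unknown token, to show how an unresolvable placeholder is reported.
SAMPLE_TEMPLATES = [
    r"%PROGRAMFILES%\WINDOWS ANTIVIRUS PRO",
    r"%CSIDL_PROFILE%\Start Menu\Programs\Antivirus Trigger 2.1",
    r"%CSIDL_APPDATA%\Perfect Protection 2009",
    r"%CSIDL_UNKNOWN%\Something",
]

# Constructed stand-in for the filesystem: only one of the expanded
# paths is pretended to exist, so the report shows both outcomes.
FAKE_DISK = {r"C:\WINDOWS\Application Data\Perfect Protection 2009"}

TOKEN = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def expand_template(template, env=None):
    """Replace every %TOKEN% in a signature path with its concrete folder.

    Unknown tokens are left untouched so the caller can see which ones
    could not be resolved instead of silently testing a wrong path.
    """
    if env is None:
        env = dict(os.environ)  # live environment of the running machine

    def substitute(match):
        name = match.group(1)
        return env.get(name, env.get(name.upper(), match.group(0)))

    return TOKEN.sub(substitute, template)


def check_signature_paths(templates, env=None, exists=os.path.exists):
    """Expand each template and report whether the resolved path exists.

    Returns a list of (template, expanded_path, status) tuples where
    status is "present", "absent" or "unresolved". The exists() predicate
    is injectable so the logic can be exercised against a fake disk.
    """
    results = []
    for template in templates:
        path = expand_template(template, env)
        if TOKEN.search(path):
            status = "unresolved"
        elif exists(path):
            status = "present"
        else:
            status = "absent"
        results.append((template, path, status))
    return results


if __name__ == "__main__":
    report = check_signature_paths(
        SAMPLE_TEMPLATES, SAMPLE_ENV, exists=lambda p: p in FAKE_DISK
    )
    for template, path, status in report:
        print(f"{status:10s} {template} -> {path}")
```

An "absent" line is the normal case the thread describes: the scanner looked at the resolved location and found nothing, so no detection was raised. A "present" line is the one worth following up, and "unresolved" flags a token you need to map before the check means anything.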