Do I need to worry about this ?

Comodo Internet Security - CIS Defense+ / Sandbox Help - CIS
#1

I was looking around for something to put an OS install disk onto a USB key and ran into somthing called BetterInstaller. It modifies some questionable keys, I’m concerned about the
HKLM\SOFTWARE\MICROSOFT\SystemCertificates\ stuff. Do I need to worry about this ?
Thanks in advance,
Bruce.

2012-09-30 10:45:42 C:\Documents and Settings\bruce\My Documents\Downloads\Wintoflash_downloader_by_betterinstaller.exe Modify Key, Suspicious HKLM\SYSTEM\ControlSet001\Control\SESSION MANAGER
2012-09-30 10:45:47 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify File C:\WINDOWS\Debug\UserMode\ChkAcc.log
2012-09-30 10:45:48 C:\Documents and Settings\bruce\My Documents\Downloads\Wintoflash_downloader_by_betterinstaller.exe Modify Key, Suspicious HKLM\SYSTEM\ControlSet001\Control\SESSION MANAGER\PendingFileRenameOperations
2012-09-30 10:45:53 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify File C:\WINDOWS\Debug\UserMode\ChkAcc.bak
2012-09-30 10:45:55 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKUS\S-1-5-21-2890045335-886734956-365881250-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
2012-09-30 10:45:58 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKUS\S-1-5-21-2890045335-886734956-365881250-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
2012-09-30 10:45:59 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKUS\S-1-5-21-2890045335-886734956-365881250-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
2012-09-30 10:45:59 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKUS\S-1-5-21-2890045335-886734956-365881250-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
2012-09-30 10:46:00 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKUS\S-1-5-21-2890045335-886734956-365881250-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
2012-09-30 10:46:00 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
2012-09-30 10:46:02 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe DNS/RPC Client Access
2012-09-30 10:46:03 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT
2012-09-30 10:46:04 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile
2012-09-30 10:46:04 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile
2012-09-30 10:46:05 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryCount
2012-09-30 10:46:06 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\TypesSupported
2012-09-30 10:46:12 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL
2012-09-30 10:46:14 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKUS\S-1-5-21-2890045335-886734956-365881250-1003\Software\Microsoft\SystemCertificates\Root
2012-09-30 10:46:16 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKUS\S-1-5-21-2890045335-886734956-365881250-1003\Software\Microsoft\SystemCertificates\Root\Certificates
2012-09-30 10:46:18 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKUS\S-1-5-21-2890045335-886734956-365881250-1003\Software\Microsoft\SystemCertificates\Root\CRLs
2012-09-30 10:46:19 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKUS\S-1-5-21-2890045335-886734956-365881250-1003\Software\Microsoft\SystemCertificates\Root\CTLs
2012-09-30 10:46:20 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SOFTWARE\MICROSOFT\SystemCertificates\ROOT
2012-09-30 10:46:21 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SOFTWARE\MICROSOFT\SystemCertificates\ROOT\Certificates
2012-09-30 10:46:21 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SOFTWARE\MICROSOFT\SystemCertificates\ROOT\CRLs
2012-09-30 10:46:23 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SOFTWARE\MICROSOFT\SystemCertificates\ROOT\CTLs
2012-09-30 10:46:23 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot
2012-09-30 10:46:24 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\Certificates
2012-09-30 10:46:24 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\CRLs
2012-09-30 10:46:24 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\CTLs
2012-09-30 10:46:25 C:\Documents and Settings\bruce\Local Settings\Temp\BetterInstaller.exe Modify Key HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\root

#2

Did you load a program from a reputated source, after you read about it on a reputated source?

Everything else is dangerous.
ESPECIALLY if you are going to create a “basic installation” which should not be altered by malware.

So far,
YES, you should be worried.

#3

To ensure that your computer is not infected please follow the advice in an article I wrote about How to Know If Your Computer Is Infected. Make sure you take the time to examine any files flagged as FLS.Unknown and let us know the results.

Thanks.

#4

I’ve done a secure erasure of my HD and rebuilt my machine. Here’s what I sent to MS and google malware reporting :

goto http://wintoflash.com/download/en/
select first download link :
BetterInstaller (fastest partner download): Download WinToFlash with BetterInstaller (En)
export registry before.reg
run installer (machine will be infected)
export registry after.reg
windiff exported reg files.

I still have a VM which is infected for reference.
I have the files :
Wintoflash_downloader_by_betterinstaller.exe which downloads the application I was looking for and also the malware.
novicorp wintoflash 0.7.0054 beta.zip which is the file I was after

I also have exported reg files but I can’t seem to get windiff to put meaningful data on the clipboard to post - when I cut and paste, I loose the arrows indicating which file that particular line belonged to - suggestions please.
Please tell me how I can submit the files for analysis. Though, as I said I think the first one is the problem and it downloads the malware rather than being the malware.
Bruce.

#5

Betterintaller is a form of tracking software for installers:

BetterInstaller.exe is main executable for Better Installer Host application from Somoto Ltd. This application is monetizing system for installation process - any company issuing their software can use this application to watch, check, gather statistics etc. from installations of their software. Check more on http://betterinstaller.somotoinc.com/
Source

If that is not to your liking simply download WinToFlash without BetterInstaller from the WinFoFlash download pages.