Is this a False Positive? Only Emsisoft is finding it!

Over the past several months Emsisoft has been finding these registry keys as being bad and runs the clean/delete process.

Malwarebytes, SuperAntiSpyware, and Comodo do not find these keys as malware. Not sure what is creating these keys; they have appeared in scans 6-7 times.

Here are the latest scan results:
Emsisoft Anti-Malware - Version 9.0
Last update: 7/24/2014 5:08:18 PM
User account: Martha-PC\Martha

Scan settings:

Scan type: Smart Scan
Objects: Rootkits, Memory, Traces, C:\Windows, C:\Program Files\

Detect PUPs: Off
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 7/24/2014 6:57:25 PM
Value: HKEY_USERS\S-1-5-21-1943577299-1749160357-1101987479-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM → DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-1943577299-1749160357-1101987479-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM → DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-1943577299-1749160357-1101987479-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM → DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-1943577299-1749160357-1101987479-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM → DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)

Scanned 199477
Found 4

Scan end: 7/24/2014 9:40:51 PM
Scan time: 2:43:26

Value: HKEY_USERS\S-1-5-21-1943577299-1749160357-1101987479-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM → DISABLEREGISTRYTOOLS Deleted Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-1943577299-1749160357-1101987479-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM → DISABLETASKMGR Deleted Setting.DisableTaskMgr (A)

Deleted 2

Thanks
UncleDoug

Looks like it’s possibly part of ZAccess Rootkit from the registry keys, but only Emsisoft detects it? Try Malwarebytes Anti-Rootkit and GMER and see what comes back.

Not at all.
1st, MBAM was mentioned & it includes rootkit scan… later about GMER
Then, Emsisoft is capable of detecting “ZAccess Rootkit”.

So, since nothing else was detected that is a different thingie including the fact that I’m 99.(999)% sure UncleDoug does not have any troubles with RegEdit/TaskManager.
Do you, UncleDoug? I would be very surprised. Please tell & correct me if I’m wrong.

Hi UncleDoug,

I would not trust Comodo AV ever, but correct & “past” many many months :o re:Emsi
It’s a matter of heading to their forum (“Infected” part one) in order to see how many people are scared for basically no reason. (Keep in mind that I do use Emsisoft for ages as my AV/AM protection)

Now, some of such Reg entries can be quarantined/removed by Emsi having no impact whatsoever on system, but some don’t for no apparent reason … therefore there are so many unneeded requests for removing those “manually”. Do not ask why.
I just white-list the ■■■■ because I do know what Software created those & basically what I have here (see below) are legit

Other than that

Well, Emsi is definitely very cautious about those keys. But I would say they are a bit over-cautious.

To make a short statement - those entries are not native to Windows. They basically should not be present. That’s true. And in addition that could be a sign of some tricky malware “deeds”…
The latter is rare though & you would feel the consequences immediately

I can tell you that a lot of legit Software will create the said entries.
Why? Ask specific forums

Below is what I have currently (white-listed and/or ignored, but specifically de-white-listed in order to make this post)

Scan start:	3/08/2014 2:19:17 PM
C:\Program Files\styler\tb 	detected: Application.AppInstall (A)
Value: HKEY_USERS\S-1-5-21-507921405-113007714-839522115-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS 	detected: Setting.DisableRegistryTools (A)...Scanned	57370...

Here we go, I do use Software for different themes on XP. Who cares about XP now ;)? I am on Linux anyway… So, Vistamizer, 7mizer & bunch of other stuff
Old (unneeded) Styler good or bad, but working properly … Ha?
But there is more contemporary.
Did you ever use ProcessExplorer formerly by just Mark Russinovich, but unfortunately (hehe :'() currently by Microsoft? Sure you did
Here we go – simply hit Options > Replace TaskManager
Then fire up Emsisoft Quick scan… and that‘s what you‘ll get

Scan start:	3/08/2014 2:24:10 PM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE -> DEBUGGER 	detected: SecHijack (A)
Value: HKEY_USERS\S-1-5-21-507921405-113007714-839522115-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS 	detected: Setting.DisableRegistryTools (A) …. 

Hmmm
And sure you’ll not find those using MBAM, SuperAnti, & many others

… and Gmer!? WOW! I hope you do know what you are dealing with & how to run it

Anyways, sometimes (which is – mostly often) how can I put that decently, the way I will not be blamed again by particular Moderator(s) here? Do not listen & act upon pure ****

You are the judge after all

Cheers!
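The two kinds of hits shown in the scan logs above (the DisableTaskMgr / DisableRegistryTools policy values, and the IFEO Debugger value that Process Explorer’s “Replace Task Manager” writes for taskmgr.exe) can be checked directly before deciding whether to delete them. The script below is an added triage example, not Emsisoft’s or Process Explorer’s code; it assumes it is run in PowerShell on the affected machine, where HKCU corresponds to the HKEY_USERS\<SID> paths in the logs, and it only reads the registry.

```powershell
# Added example: read the registry locations named in the scan logs and show what is
# actually set, so a "Setting.DisableTaskMgr" or "SecHijack" hit can be judged in context.
# Nothing here modifies the registry.
$policyPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ifeoPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe'

function Get-RegValue {
    # Returns the value data, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. The per-user policy values (these are the "Remove Task Manager" / "Prevent access to
#    registry editing tools" Group Policy settings; absent on a normal home PC).
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $v = Get-RegValue -Path $policyPath -Name $name
    if ($null -eq $v) {
        Write-Output "$name : not present"
    } elseif ($v -eq 0) {
        Write-Output "$name : present but 0 (off); scanners may still flag the leftover value"
    } else {
        Write-Output "$name : $v  -> Task Manager / Regedit is really blocked for this user"
    }
}

# 2. The IFEO Debugger value for taskmgr.exe. Whatever program is named here starts instead
#    of Task Manager, which is exactly why Process Explorer's replacement option creates it.
$dbg = Get-RegValue -Path $ifeoPath -Name 'Debugger'
if ($null -eq $dbg) {
    Write-Output 'IFEO Debugger for taskmgr.exe: not set'
} else {
    # The data is "<path> [args]"; take the quoted path, or the first token if unquoted.
    if ($dbg -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($dbg -split '\s+')[0] }
    Write-Output "IFEO Debugger for taskmgr.exe: $dbg"
    Write-Output "  launches: $exe"
    if (Test-Path -LiteralPath $exe) {
        # A known, validly signed tool (e.g. Sysinternals) points to a deliberate replacement;
        # a missing, unsigned or oddly located file is what deserves a closer look.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        Write-Output "  signature: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"
    } else {
        Write-Output '  file does not exist on disk (stale or suspicious entry)'
    }
}
```

If you want to inspect another account’s hive rather than the one you are logged on with, replace the `HKCU:` path with `Registry::HKEY_USERS\<SID>\...` using the SID from the scan log.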

MBAM does not include by far the same functionality of MBAR when detecting active rootkits. Especially when dealing with AppInit DLLs and API functions.

Yes Gmer can be dangerous from a generic point of view if you don’t understand what you’re doing, but it also has specific signatures for many prevalent rootkits.

All I did was suggest UncleDoug run a scan with those tools and see what the results were. With that said I think your attitude is pure ****

Not sure how & why did you get this from my post here, including the fact that “do not listen… & act…” was not applicable to your reply by any means, but rather to the certain detections that could/should be further analyzed, which I tried to convey by giving some examples of possible causes.

Surprising, but anyway, that’s your right to accept my attitude like this. No need to go further !ot!

“Ever”
Hi SiberLynx,
That comment is no judge of a product’s quality.
It just shows that even if a product changes or has changed for the better, that your thought process remains the same.
Just saying. :slight_smile:
Open arms and open minds create the future.

Kind regards.

Sorry for the delay. I did a search of the registry and could not find those keys?
In the meantime Emsisoft updated their software and only had a trial of the paid version available. Even though I found Emsisoft Free very good, I did not want to install features that I was going to delete, so I uninstalled Emsisoft.

IF they ever have the Free Version again without requiring you to download a Trial let me know.

Thanks
UncleDoug

Hi UncleDoug,

Well, you acted upon the detections as I can see from your initial post (“Deleted 2”). That could answer your question.
In addition you may’ve either uninstalled some Software or changed some options/the way you used the Software as it was discussed above in given examples. There is not much info regarding that therefore the latter would be rather kinda speculations. Anyways, it seems to me - you should not be worrying a lot at this stage.

Hmm… What’s done is done – it’s gone
Now, you could’ve just disabled Emsisoft’s real-time protection(s) and after 30 days trial it would go “Free Mode” itself. The advantage would be Explorer Integration as minimum, but let’s forget about it…

You don’t need to wait. Just download free EEK Emsisoft Emergency Kit and that’s it – just on demand scanner. It’s portable; same engines; same signatures; same power re: detection/removal

As an aside note: current number of signatures is just about 7.3 million which was dropped from 13.5 million during the last week & a half approximately … Not ~35 million :o or so with much much worse detection rate & FPs (saying no more… hush! :D)

Unzip to any folder of any partition you like if you wanna have it on your PC or to any external Hdrive or to flash stick.

I would say it’s must have brilliant thingy.

Just a few suggestions:

  • Manually update as frequently as you can otherwise you’ll face a big download (after 50 missed differential updates as far as I remember);
  • You may consider using beta updates checked. I know that some do not like it, but that’s how I use EAM & EEK for years and never had any issues. On the contrary – always real improvements.
    But if anything “happens” uncheck accepting betas, hit Update & it will revert back to stable in no time

Cheers!

I know this topic is REALLY old and I hate to bump it to add something, but I just found it as it related to something I was dealing with and so I felt that maybe adding my findings might make it easier for someone in the future to narrow down the possibilities a bit more. So apologies for the late post but I felt it was most appropriate to keep it within the context here instead of a new thread which would only serve to confuse people.

I wanted to add that some TaskManagers such as say System Explorer will give the user the option of replacing their default system taskmanager. When this happens, some like Emsisoft will detect that as a harmful behavior thinking that it’s being done to prevent you access to your taskmanager to kill it, something that many viruses do, obfuscate or block access to the taskmanager to avoid being killed. What it lacks is context on the fact that it wasn’t disabled to be removed, it was replaced. Anyway, thought this might bring some assistance.

For those who want to know how I came to this conclusion, here is the work product. I used the EEK to detect and remove it, and then found that when I called for my TaskManager, the default popped up instead. So I opened up SE and checked its option and it wasn’t set to default, so I checked it AGAIN, and then ran EEK again, sure enough it detected the EXACT same “problem”. So now we know, at least in my case, it’s not the SecHijack (A) but something quite benign and intentional.

Hope it helps someone, cheers.