Fixed: WmiApSrv\ErrorControl (2008-06-11 Beta.sbi includes)



md usa spybot fan
2008-06-11, 16:11
I have a question concerning the 2008-06-11 Beta.sbi Includes.

Using the Beta.sbi delivered with the 2008-06-11 updates (actually dated 2008-06-10), I received the following:

--- Report generated: 2008-06-11 09:26 ---

Win32.Agent.ys: [SBI $0653D757] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApSrv\ErrorControl

Win32.Agent.ys: [SBI $83ABF598] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WmiApSrv\ErrorControl

--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-01-31 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-06-03 Includes\Adware.sbi
2008-06-10 Includes\AdwareC.sbi
2008-06-10 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti
2008-06-03 Includes\Cookies.sbi
2008-06-03 Includes\Dialer.sbi
2008-06-10 Includes\DialerC.sbi
2008-06-03 Includes\HeavyDuty.sbi
2008-06-04 Includes\Hijackers.sbi
2008-06-03 Includes\HijackersC.sbi
2008-06-03 Includes\Keyloggers.sbi
2008-06-10 Includes\KeyloggersC.sbi
2008-06-03 Includes\Malware.sbi
2008-06-11 Includes\MalwareC.sbi
2008-06-03 Includes\PUPS.sbi
2008-06-10 Includes\PUPSC.sbi
2007-11-07 Includes\Revision.sbi
2008-06-10 Includes\Security.sbi
2008-06-10 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2008-06-03 Includes\Spyware.sbi
2008-06-03 Includes\SpywareC.sbi
2008-06-03 Includes\Tracks.uti
2008-06-11 Includes\Trojans.sbi
2008-06-11 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

My current registry entries:

ControlSet001 = "Current" and "Default":

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApSrv]
"ErrorControl"=dword:00000000

ControlSet003 = "LastKnownGood":

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WmiApSrv]
"ErrorControl"=dword:00000000

What is the purpose of ensuring the "ErrorControl" in the WmiApSrv is set to a dword:00000001?

Yodama
2008-06-12, 07:48
Hello,

Thank you for reporting this false positive. The next update will correct this issue so that these items are only checked if an infection is in place.

The default value for error control is 1, which means that an error message would be shown if an error occurs. A value of 0 means that the error gets ignored and no message would be shown. In both cases Windows would continue starting.
Values 2 and 3 will load "last known good", show an error message and eventually start a system check.

An infection with Win32.Agent.ys will set the value to 0 to suppress an error message which could occur since the trojan horse replaced the image path.
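Since the behaviour described above is a service whose ErrorControl has been lowered to 0 after its ImagePath was swapped, a defender's triage check is to list every service in CurrentControlSet whose ErrorControl is 0 alongside its ImagePath, so the path can be compared against the expected binary. This is an added example for this thread, not code from Spybot or from either poster; the value names follow the Windows SERVICE_ERROR_* constants, and the script only reads the registry.

```powershell
# Added example (not from the thread): list services whose ErrorControl is 0
# ("Ignore", i.e. start-up errors are silently swallowed) together with their
# ImagePath, for manual review against the binary the service should run.
# ErrorControl meanings (Windows SERVICE_ERROR_* constants):
#   0 = Ignore, 1 = Normal (default for most services), 2 = Severe, 3 = Critical
$errorControlNames = @{ 0 = 'Ignore'; 1 = 'Normal'; 2 = 'Severe'; 3 = 'Critical' }

# Inspect the control set Windows is actually running from; substitute
# 'HKLM:\SYSTEM\ControlSet003\Services' to review LastKnownGood as well.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Only keys carrying both ErrorControl and ImagePath are real service entries;
    # many subkeys under Services are parameter or driver stubs without them.
    if ($null -ne $props.ErrorControl -and $props.ImagePath) {
        $code = [int]$props.ErrorControl
        [PSCustomObject]@{
            Service      = $_.PSChildName
            ErrorControl = if ($errorControlNames.ContainsKey($code)) { $errorControlNames[$code] } else { "Unknown($code)" }
            ImagePath    = $props.ImagePath
        }
    }
} |
    Where-Object { $_.ErrorControl -eq 'Ignore' } |
    Sort-Object Service |
    Format-Table -AutoSize
```

A service appearing in this list is not by itself an infection; some services legitimately use 0. The point of the listing is to give each flagged ImagePath a second look, since an entry like WmiApSrv with ErrorControl 0 and an unexpected path is exactly what the false positive in this thread was trying to catch.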