2 questions- 1 about DrWeb

Discussion in 'other anti-virus software' started by bellgamin, Jan 20, 2006.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    A moment ago I had two things happen on my granddaughter's WinME computer, neither of which I understand...

    #1- In the update of DrWeb's signatures, I noticed the updater downloaded drwreg.exe. I checked drwebupw.log. It had the statement "drwreg.exe executed" on 4 different lines, at 07:45:36, 07:45:37 07:45:38 & 07:45:40. In DrWeb's folder, the drwreg.exe file is dated 11/20/2005. VERY mysterious (at least to me).

    QUESTION #1- Can anyone offer an opinion as to what was the purpose of this drwreg.exe activity?

    #2- When starting up this morning, RegWatcher gave the following alert...
    I put the entry into quarantine (just to see what would happen). Several seconds later, the same alert came up. I gave in & let it happen.

    QUESTION #2- Is something fishy going on? If not, I wonder why this Hotkeys entry suddenly appeared today when it never has done so before -- even though today's startup was no different than any other day?
     
  2. Honyak

    Honyak Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    346
    Location:
    Deep South
    I cannot answer your question and had the same notice from watcher. After the update of DrWeb, I was asked if I wanted to restart my computer for the update.
    I have not seen any other unusual activity and have updated and scanned with Antivir (my back-up) with a clean report. But I thought this odd and have been checking here to see if anyone else experienced this.
     
  3. Nitrox

    Nitrox Registered Member

    Joined:
    Aug 11, 2003
    Posts:
    64
    Location:
    Ontario, Canada
    I was asked to reboot as well, therefore I figured it must have been an engine update as well as defs.
     
  4. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    I noticed the version number in my control panel changed to version 4.33.1.11100 so it must have been a guard or engine update. As Serge Popov posted a couple months ago, this also seems to be the final fix for the Process Guard issue...:eek: :D
     
    Last edited: Jan 20, 2006
  5. shorty1

    shorty1 Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    97
    Location:
    Vermont
    bellgamin, I don't think anything fishy is going on but looking in the registry here I don't see the entry you mention. Of course, maybe it is because I'm using XP and you have Win ME. I wonder if Honyak is using Win 9x - ME or if he has XP. Did you look to see if that key exists in the registry at this time? In any case, I don't think you have anything to worry about.

    A good way to check to see what has been updated in DrWeb is to look at the update log file "drwebupw.log". In XP, it is located at Root\Documents and Settings\User name\DoctorWeb. I would assume in Win 9x and ME it's in the program folder. Looking at mine for today I see this update - with a few edits for privacy and to keep the length of the post reasonable. I haven't heard any word on what the updates to the components are but I'm sure we will hear soon.


    2006-01-20, 09:00:04 Connecting to host:
    2006-01-20, 09:00:04 Searching drweb32.lst...
    2006-01-20, 09:00:04 Transferring drweb32.lst...
    2006-01-20, 09:00:04 drweb32.lst transferred
    2006-01-20, 09:00:04 Searching en-spider.cnt...
    2006-01-20, 09:00:04 Transferring en-spider.cnt...
    2006-01-20, 09:00:04 en-spider.cnt transferred
    2006-01-20, 09:00:04 Searching en-spider.hlp...
    2006-01-20, 09:00:05 Transferring en-spider.hlp...
    2006-01-20, 09:00:08 en-spider.hlp transferred
    ********
    ********
    2006-01-20, 09:00:08 Searching spider.sys...
    2006-01-20, 09:00:08 Transferring spider.sys...
    2006-01-20, 09:00:14 spider.sys transferred
    2006-01-20, 09:00:14 Searching spiderui.dll...
    2006-01-20, 09:00:14 Transferring spiderui.dll...
    2006-01-20, 09:00:16 spiderui.dll transferred
    2006-01-20, 09:00:16 Searching spidernt.exe...
    2006-01-20, 09:00:16 Transferring spidernt.exe...
    2006-01-20, 09:00:19 spidernt.exe transferred
    2006-01-20, 09:00:19 Searching spider.cpl...
    2006-01-20, 09:00:19 Transferring spider.cpl...
    2006-01-20, 09:00:30 spider.cpl transferred
    2006-01-20, 09:00:30 Searching drwreg.exe...
    2006-01-20, 09:00:30 Transferring drwreg.exe...
    2006-01-20, 09:00:31 drwreg.exe transferred
    2006-01-20, 09:00:31 drwreg.exe present
    2006-01-20, 09:00:31 Searching drwtoday.vdb...
    2006-01-20, 09:00:31 Transferring drwtoday.vdb...
    2006-01-20, 09:00:32 drwtoday.vdb transferred
    2006-01-20, 09:00:32 Searching drwtoday.txt...
    2006-01-20, 09:00:32 Transferring drwtoday.txt...
    2006-01-20, 09:00:33 drwtoday.txt transferred
    2006-01-20, 09:00:33 drwreg.exe present
    2006-01-20, 09:00:33 drwreg.exe present
    2006-01-20, 09:00:33 Files transferred
    2006-01-20, 09:00:33 Updating files...
    2006-01-20, 09:00:33 EXEC(C:\Program Files\DrWeb\drwreg.exe -xi) = 1 (rc = 0)
    2006-01-20, 09:00:33 drwreg.exe - executed (0)
    2006-01-20, 09:00:34 EXEC(C:\Program Files\DrWeb\drwreg.exe -s) = 1 (rc = 0)
    2006-01-20, 09:00:34 drwreg.exe - executed (0)
    2006-01-20, 09:00:35 EXEC(C:\Program Files\DrWeb\drwreg.exe -pp) = 1 (rc = 0)
    2006-01-20, 09:00:35 drwreg.exe - executed (0)
    2006-01-20, 09:00:35 EXEC(C:\Program Files\DrWeb\drwreg.exe -433) = 1 (rc = 0)
    2006-01-20, 09:00:35 drwreg.exe - executed (0)
    2006-01-20, 09:00:35 Disconnected
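    A small triage script, added here as an example and not part of this thread or of Dr.Web's own tooling, that reads a drwebupw.log in the format shorty1 posted and reports which files were transferred, which executables the updater ran (path, arguments, return code), and flags any EXEC line that ran from outside the product folder or returned non-zero. The sample lines are constructed from the log above; the product folder `C:\Program Files\DrWeb\` is taken from the posted EXEC lines, and the regular expressions are my assumptions about the line format rather than anything documented by Dr.Web.

```python
import re
import ntpath
from collections import Counter

# Constructed sample in the format of the drwebupw.log posted in this thread.
SAMPLE_LOG = """\
2006-01-20, 09:00:04 Connecting to host:
2006-01-20, 09:00:04 Searching drweb32.lst...
2006-01-20, 09:00:04 Transferring drweb32.lst...
2006-01-20, 09:00:04 drweb32.lst transferred
2006-01-20, 09:00:30 Searching drwreg.exe...
2006-01-20, 09:00:30 Transferring drwreg.exe...
2006-01-20, 09:00:31 drwreg.exe transferred
2006-01-20, 09:00:31 drwreg.exe present
2006-01-20, 09:00:33 Files transferred
2006-01-20, 09:00:33 Updating files...
2006-01-20, 09:00:33 EXEC(C:\\Program Files\\DrWeb\\drwreg.exe -xi) = 1 (rc = 0)
2006-01-20, 09:00:33 drwreg.exe - executed (0)
2006-01-20, 09:00:34 EXEC(C:\\Program Files\\DrWeb\\drwreg.exe -s) = 1 (rc = 0)
2006-01-20, 09:00:34 drwreg.exe - executed (0)
2006-01-20, 09:00:35 EXEC(C:\\Program Files\\DrWeb\\drwreg.exe -pp) = 1 (rc = 0)
2006-01-20, 09:00:35 drwreg.exe - executed (0)
2006-01-20, 09:00:35 EXEC(C:\\Program Files\\DrWeb\\drwreg.exe -433) = 1 (rc = 0)
2006-01-20, 09:00:35 drwreg.exe - executed (0)
2006-01-20, 09:00:35 Disconnected
"""

# Assumed line formats (derived from the posted log, not from Dr.Web documentation).
# A transferred file name always contains a dot, which keeps "Files transferred" out.
TRANSFER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}), (\d{2}:\d{2}:\d{2}) (\S+\.\S+) transferred$")
EXEC_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}), (\d{2}:\d{2}:\d{2}) EXEC\((.+?)\) = (\d+) \(rc = (\d+)\)$")

# Folder the posted EXEC lines show; anything run from elsewhere is worth a look.
PRODUCT_DIR = "C:\\Program Files\\DrWeb\\"


def parse_update_log(text):
    """Return (transferred file names, executed commands) found in the log text."""
    transferred = []
    executed = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TRANSFER_RE.match(line)
        if m:
            transferred.append(m.group(3))
            continue
        m = EXEC_RE.match(line)
        if m:
            # The executable path may contain spaces; in this log the arguments
            # always begin with " -", so split on the first such occurrence.
            path, _, rest = m.group(3).partition(" -")
            executed.append({
                "time": m.group(2),
                "path": path,
                "args": ("-" + rest) if rest else "",
                "rc": int(m.group(5)),
            })
    return transferred, executed


def summarize(text, product_dir=PRODUCT_DIR):
    """Count runs per executable and flag runs outside product_dir or with rc != 0."""
    transferred, executed = parse_update_log(text)
    runs = Counter(ntpath.basename(e["path"]) for e in executed)
    flagged = []
    for e in executed:
        reasons = []
        if not e["path"].lower().startswith(product_dir.lower()):
            reasons.append("outside product folder")
        if e["rc"] != 0:
            reasons.append("non-zero rc")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return {"transferred": transferred, "runs": dict(runs), "flagged": flagged}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("transferred:", ", ".join(report["transferred"]))
    for name, count in report["runs"].items():
        print(f"{name}: executed {count} time(s)")
    print("flagged:", report["flagged"] or "none")
```

    Run against the constructed sample it reports drwreg.exe executed four times (matching the four "executed" lines bellgamin counted) with nothing flagged; pointing it at a real drwebupw.log replaces SAMPLE_LOG with the file's contents. The two flag rules are the ones a defender cares about most when an updater spawns a helper: where the helper actually came from, and whether it reported failure.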
     
  6. Honyak

    Honyak Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    346
    Location:
    Deep South
    I am using XP.
    I believe there was just an engine update and have not seen anything to be alarmed about so far.
     
  7. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Yesssss!!! Those are exactly the same entries I saw in my granddaughter's drwebupw.log. So I guess it's legit. Taihen domo arigato for posting that info!

    As for question #2, the hotkeys matter remains an enigma. I tried Google, but bombed. The words "registry" & "hotkeys" are simply too common. And yes -- the hotkeys item IS there in my granddaughter's registry.

    bellgamin
     
  8. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Explorer diddles with Hotkeys several times daily, so it's HOPEFULLY *just routine*:eek:

    I attach a shot of Hotkeys current values. Thanks for taking an interest.
     

  10. Serge Popov

    Serge Popov Guest

    drwreg.exe is a small updater helper. Dr.Web updater utility is driven by drweb32.lst script. This script describes file versions, checksums, paths and flags for every supported version. While Dr.Web updater takes care of files, other tasks (like registry tweaks) are handled by drwreg.exe utility. Basically, any activity what cannot be described in drweb32.lst script belongs to drwreg.exe utility. This utility is signed and safe to execute.

    I doubt it could be ours :) Cannot say for sure, but as far as I know we never used that key.
     
    Last edited by a moderator: Jan 27, 2006
  11. Serge Popov

    Serge Popov Guest

    Oops... I made a mistake while quoting bellgamin's questions. Words between "drwreg.exe is..." and "...safe to execute" are mine. Sorry.
     
  12. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I fixed it for you Serge. ;)


    tD
     
  13. shorty1

    shorty1 Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    97
    Location:
    Vermont
    Thank you Serge for the explanation of drwreg.exe and its exact function. Also thanks to Technodrome for the timely edit.

    P.S. *Hint* Serge, registered users can edit their posts. :)
     