Emsisoft Emergency Kit - "Traces" scanner

Discussion in 'other anti-malware software' started by new2security, Mar 27, 2013.

Thread Status:
Not open for further replies.
  1. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Hi y'all,

    I noticed something funny during my weekly EEK scan - it's actually the first time I paid close attention to the scanning progress, and when EEK was scanning for "Traces" I saw a bunch of weird FP(?) or "ghost" folders / files that don't exist on my computer.

    Here are some examples :

    %USERPROFILE%\zzboif.exe
    %USERPROFILE%\3buw.exe

    C:\teddy afro.exe
    C:\Casino\Golden Palace Casino\data\common\interface\logo.jpg
    C:\Poker\JC Poker Demo\

    %FAVORITES%\fresh xxx pics_movie.url

    %COMMONPROGRAMS%\Tim's Keylogger\Tim's Keylogger.lnk
    %PROGRAMFILESDIR%\Disable Spyware Demo\Localization.xml
    %PROGRAMFILESDIR%\Slot Nuts\rsc\casino32.rsc
    %PROGRAMFILESDIR%\Zango Programs\Foosball\Textures\
    %PROGRAMFILESDIR%\filesubmit\areastergreetings.exe\areastergreetings.exe
    %PROGRAMFILESDIR%\PC Activity Monitor Professional\Templates
    %PROGRAMFILESDIR%\Alpine Gold Casino\GSM\
    %PROGRAMFILESDIR%\\BitTorrent Smart\libgdk-win-32-2.0-0.dll
    %PROGRAMFILESDIR%\DivX\DivX Pro Codec\DivX.com.url
    %PROGRAMFILESDIR%\JackPotCash\
    %PROGRAMFILESDIR%\Always Great Software\Big Planes
    %PROGRAMFILESDIR%\trayokay\eygfyuoe.exe
    %PROGRAMFILESDIR%\Spy Cleaner Platinum\SpyWatcher.exe
    %PROGRAMFILESDIR%\AdwareGuardian.com\AdwareGuardian\Francais.inf
    %PROGRAMFILESDIR%\ConfidentSurf\...\windows empty recylcing bin.scr
    %PROGRAMFILESDIR%\GAmeFiesta\Cannon_Blast\gui\
    %PROGRAMS%\MumboJumbo\Luxor 3\Buy Luxor 3.lnk

    %DESKTOP%\EmoPack V1\Emo_99.gif

    Etc.

    1. My EEK scans always come out clean.

    2. I'm aware that EEK's traces scanner doesn't use the typical anti-malware signatures per se, but where do all these "ghost" files/folders come from? Or are these entries merely showing EEK's default traces' signatures?

    3. I always download my software from reputable sites, and am security conscious (see my sig). I also always scan installers with VirusTotal and use only a very small set of common and reputable software on my PC.

    4. How to reproduce - During the EEK scan, after rootkit/memory scan finishes, and just about when the scanner proceeds to the Traces scanning, pause the scanner and resume the scanner with quick mouse clicks. Weird /ghost entries will then show up.

    5. I don't play online poker! :-D

    6. HitmanPro and other portable scanners, including Avira Rescue disk come up with zero.
     
  2. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    That happens in every system you scan with EEK. I think that's a fast search for those "nasties", not that they're really present in your computer. Nothing to worry about :thumb:
     
  3. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    The status during the traces scan shows which trace (which is essentially a file or registry value that when present would indicate an infection) EEK is currently looking for. So if it says for example "%USERPROFILE%\zzboif.exe" it means EEK is currently looking inside all user profiles if there is a file zzboif.exe. That doesn't actually mean that there is one.
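
The difference between a trace being checked and a trace being found, as an added Python example (not part of the thread and not Emsisoft's code). It assumes a placeholder such as `%USERPROFILE%` expands to every profile directory; the function names, the placeholder table and the temporary directory tree are constructed for illustration, and only file and folder traces are covered, not registry values.

```python
import re
import tempfile
from pathlib import Path

TOKEN = re.compile(r"^%([A-Z]+)%")  # leading placeholder such as %USERPROFILE%

def expand_trace(trace, placeholders):
    """Map one trace pattern to every concrete path it could refer to."""
    m = TOKEN.match(trace)
    if not m:
        return []  # this sketch only handles placeholder-rooted traces
    parts = [p for p in trace[m.end():].split("\\") if p]
    return [Path(root, *parts) for root in placeholders.get(m.group(1), [])]

def scan_traces(traces, placeholders):
    """Return (status_lines, findings) for a list of trace patterns."""
    status, findings = [], []
    for trace in traces:
        status.append(trace)  # shown while checking, present or not
        for candidate in expand_trace(trace, placeholders):
            if candidate.exists():  # only existence counts as a finding
                findings.append(candidate)
    return status, findings

def demo():
    """Scan a constructed directory tree before and after planting a trace."""
    traces = ["%USERPROFILE%\\zzboif.exe", "%USERPROFILE%\\3buw.exe",
              "%PROGRAMFILESDIR%\\JackPotCash\\"]
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        profiles = [base / "Users" / "alice", base / "Users" / "bob"]
        progfiles = base / "Program Files"
        for d in profiles + [progfiles]:
            d.mkdir(parents=True)
        placeholders = {"USERPROFILE": profiles, "PROGRAMFILESDIR": [progfiles]}
        status, clean = scan_traces(traces, placeholders)
        (profiles[1] / "zzboif.exe").write_bytes(b"")  # constructed, empty file
        _, dirty = scan_traces(traces, placeholders)
        return status, clean, [p.relative_to(base).as_posix() for p in dirty]

if __name__ == "__main__":
    status, clean, dirty = demo()
    print("status lines shown:", status)
    print("findings on clean tree:", clean)
    print("findings after planting:", dirty)
```

The status list is identical on the clean and the planted tree; only the findings list changes.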
     
  4. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    @AlexC - Thanks for the quick reply! I had some hunches but in a world of malware you never can be certain. For a second there, I thought I had to reevaluate my security setup. :)

    @Fabian - Never thought I'd get a comment from an Emsisoft developer! :thumb: Thank you for the explanation. What you wrote makes sense.
     