Incorrect identification of Jeppesen FlightStar RoutePack?

#1

I recently installed:

Microsoft AntiSpyware Version: 1.0.501
This version expires on: 7/31/2005
Current User: Garrett
Spyware Definition Version: 5683 (1/21/2005 9:43:44 AM)

When it runs, it identifies I have the "Radlight (Trojan)", with details that point to the following keys:

HKEY_CLASSES_ROOT\.rpk
HKEY_CLASSES_ROOT\.rpk Jeppesen.RoutePack
HKEY_LOCAL_MACHINE\software\classes\.rpk
HKEY_LOCAL_MACHINE\software\classes\.rpk Jeppesen RoutePack

These registry hives contain only one key, a "(Default) REG_SZ Jeppessen.RoutePack". Which seems to just be related to the Jeppesen FlightStar product (Jeppesen is one of the largest aviation hardware/software companies).

I believe AntiSpyware is returning a false positive here. Is there any way to confirm one way or the other that the Radlight trojan is on my computer?

thanks,
Garrett

, and don't seem to have anything to do with a Trojan

#2

Restart your computer in safe mode and run the scan again. On the scan page choose Scan Options > Full Scan. Remember to turn off system restore at first before you restart into safe mode.

Andre

"Garrett" <garrettmcauliffe@hotmail.com> wrote in message news:23b901c5022d$d599fdb0$a601280a@phx.gbl...
> I recently installed:
>
> Microsoft AntiSpyware Version: 1.0.501
> This version expires on: 7/31/2005
> Current User: Garrett
> Spyware Definition Version: 5683 (1/21/2005 9:43:44 AM)
>
> When it runs, it identifies I have the "Radlight (Trojan)", with details that point to the following keys:
>
> HKEY_CLASSES_ROOT\.rpk
> HKEY_CLASSES_ROOT\.rpk Jeppesen.RoutePack
> HKEY_LOCAL_MACHINE\software\classes\.rpk
> HKEY_LOCAL_MACHINE\software\classes\.rpk Jeppesen RoutePack
>
> These registry hives contain only one key, a "(Default) REG_SZ Jeppessen.RoutePack". Which seems to just be related to the Jeppesen FlightStar product (Jeppesen is one of the largest aviation hardware/software companies).
>
> I believe AntiSpyware is returning a false positive here. Is there any way to confirm one way or the other that the Radlight trojan is on my computer?
>
> thanks,
> Garrett
>
> , and don't seem to have anything to do with a Trojan

#3

Looks like a false positive. Jeppesen uses the .rpk file extension for its "Route Packs". And, from some articles I read on the Radlight trojan, it also has "RPK" in its name. So, I'm pretty sure AntiSpyware is wrong...

Garrett

"Andre Da Costa" <andred25@hotmail.com> wrote in message news:OKJ8DUjAFHA.2452@cpmsftngsa05.privatenews.microsoft.com...
> Restart your computer in safe mode and run the scan again. On the scan page choose Scan Options > Full Scan. Remember to turn off system restore at first before you restart into safe mode.
>
> Andre

#4

Well, you can always report it here:
http://www.spynet.com/falsepositive.aspx

Andre

"Garrett" <garrettmcauliffe@hotmail.com> wrote in message news:%23aZyTFkAFHA.2184@CPMSFTNGSA04.privatenews.microsoft.com...
> Looks like a false positive. Jeppesen uses the .rpk file extension for its "Route Packs". And, from some articles I read on the Radlight trojan, it also has "RPK" in its name. So, I'm pretty sure AntiSpyware is wrong...
>
> Garrett

#5

I'd recommend doing what you can to be sure that any code identified as a trojan is, in fact, bit for bit identical with the correct code from an installation source for the reputable product you have installed.

False positives can be reported in these groups--ideally in the .signatures group, or directly via a web form available here:

http://www.spynet.com/falsepositive.aspx
--
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

"Garrett" <garrettmcauliffe@hotmail.com> wrote in message news:%23aZyTFkAFHA.2184@CPMSFTNGSA04.privatenews.microsoft.com...
> Looks like a false positive. Jeppesen uses the .rpk file extension for its "Route Packs". And, from some articles I read on the Radlight trojan, it also has "RPK" in its name. So, I'm pretty sure AntiSpyware is wrong...
>
> Garrett

#6

I am certain it is flagging an icon change. The icon for routepacks is used in multiple applications (FliteStar, Jeppview3, FliteDeck3), so the routepack has its own icon association. This has been done as identified in the document:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/shell/programmersguide/shell_basics/shell_basics_extending/icon.asp

The problem is when the routepack is first used, Windows associates it with the program that used it (an example would be FliteStar). When Jeppesen tries to leave the program association unchanged, but change the icon so it reflects a routepack, this is seen as 'spyware behavior'. I am not certain why, but it does.

>-----Original Message-----
> I recently installed:
>
> Microsoft AntiSpyware Version: 1.0.501
> This version expires on: 7/31/2005
> Current User: Garrett
> Spyware Definition Version: 5683 (1/21/2005 9:43:44 AM)
>
> When it runs, it identifies I have the "Radlight (Trojan)", with details that point to the following keys:
>
> HKEY_CLASSES_ROOT\.rpk
> HKEY_CLASSES_ROOT\.rpk Jeppesen.RoutePack
> HKEY_LOCAL_MACHINE\software\classes\.rpk
> HKEY_LOCAL_MACHINE\software\classes\.rpk Jeppesen RoutePack
>
> These registry hives contain only one key, a "(Default) REG_SZ Jeppessen.RoutePack". Which seems to just be related to the Jeppesen FlightStar product (Jeppesen is one of the largest aviation hardware/software companies).
>
> I believe AntiSpyware is returning a false positive here. Is there any way to confirm one way or the other that the Radlight trojan is on my computer?
>
> thanks,
> Garrett
>
> , and don't seem to have anything to do with a Trojan
> .

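An added example, not part of any post in this thread and not Jeppesen or Microsoft code: the flagged keys only point the `.rpk` extension at a ProgID, so one way to see what the association really launches and which icon it shows is to follow extension, ProgID, open command and DefaultIcon through a `reg export` of HKEY_CLASSES_ROOT. The extension and ProgID are the ones quoted in post #1; the subkey contents and every path in the sample are constructed placeholders.

```python
import re

# Constructed sample in `reg export` text format (real exports are UTF-16 and
# must be decoded first). Only ".rpk" and "Jeppesen.RoutePack" come from the
# thread; the DefaultIcon/command data and all paths are invented placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.rpk]
@="Jeppesen.RoutePack"

[HKEY_CLASSES_ROOT\Jeppesen.RoutePack\DefaultIcon]
@="C:\\Example\\Vendor\\routepack.ico,0"

[HKEY_CLASSES_ROOT\Jeppesen.RoutePack\shell\open\command]
@="\"C:\\Example\\Vendor\\viewer.exe\" \"%1\""
'''

VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"')


def unescape(text):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text):
    """Return {lowercased key path: {value name: string data}}; '@' is (Default)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_RE.fullmatch(line)
        if match and current is not None:  # string (REG_SZ) values only
            name = "@" if match.group(1) == "@" else unescape(match.group(1)[1:-1])
            current[name] = unescape(match.group(2))
    return keys


def resolve_extension(keys, ext):
    """Simplified lookup: extension -> ProgID -> open command and DefaultIcon."""
    root = "hkey_classes_root\\"
    progid = keys.get(root + ext.lower(), {}).get("@")
    if not progid:
        return None
    base = root + progid.lower()
    command = keys.get(base + "\\shell\\open\\command", {}).get("@")
    icon = keys.get(base + "\\defaulticon", {}).get("@")
    handler = None
    if command:
        first = re.match(r'"([^"]+)"|(\S+)', command)  # quoted or bare path
        handler = first.group(1) or first.group(2)
    return {"progid": progid, "command": command, "handler": handler, "icon": icon}


if __name__ == "__main__":
    print(resolve_extension(parse_reg(SAMPLE_REG), ".rpk"))
```

The `handler` path is the file worth checking against the vendor's installation; an extension key whose ProgID resolves to nothing executable is only a label.
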
#7

Thanks for posting, now submit to:
http://www.spynet.com/falsepositive.aspx

Andre

"RGarrison" <rgarrison@jeppesen.com> wrote in message news:008101c5024d$94460000$a601280a@phx.gbl...
> I am certain it is flagging an icon change. The icon for routepacks is used in multiple applications (FliteStar, Jeppview3, FliteDeck3), so the routepack has its own icon association. This has been done as identified in the document:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/shell/programmersguide/shell_basics/shell_basics_extending/icon.asp
>
> The problem is when the routepack is first used, Windows associates it with the program that used it (an example would be FliteStar). When Jeppesen tries to leave the program association unchanged, but change the icon so it reflects a routepack, this is seen as 'spyware behavior'. I am not certain why, but it does.

#8

Interesting--I don't know why such a change should be flagged, but it is probably an issue I've not learned much about.

It might help to post a short message in appcompat detailing repro steps for this issue, ideally with some demo or trial app from this vendor which can be downloaded.
--
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

"RGarrison" <rgarrison@jeppesen.com> wrote in message news:008101c5024d$94460000$a601280a@phx.gbl...
> I am certain it is flagging an icon change. The icon for routepacks is used in multiple applications (FliteStar, Jeppview3, FliteDeck3), so the routepack has its own icon association. This has been done as identified in the document:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/shell/programmersguide/shell_basics/shell_basics_extending/icon.asp
>
> The problem is when the routepack is first used, Windows associates it with the program that used it (an example would be FliteStar). When Jeppesen tries to leave the program association unchanged, but change the icon so it reflects a routepack, this is seen as 'spyware behavior'. I am not certain why, but it does.

#9

Hi Bill -

AntiSpyware doesn't actually identify any EXE's as having been infected -- just the 4 registry keys I mention below (none of which directly identify an EXE -- just associate the extension RPK with the Jeppesen FlightStar).

Wouldn't AntiSpyware mention a particular file if it were infected, not just registry keys? Also, the fact that the Radlight trojan and the legitimate Jeppesen product use the .RPK extension seems very coincidental... In addition, I don't have any of the registry keys that have been identified as part of the Radlight trojan, nor do I have any of the EXE/DLL's that have been identified as part of the Radlight trojan (see http://www.pestpatrol.com/PestInfo/R/RadLight.asp).

So, I'm 99.999% certain this is a false positive -- I will, however, compare the Jeppesen directory file by file with a backup when I get a chance...

Garrett

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message news:uFSGoXkAFHA.2524@cpmsftngsa05.privatenews.microsoft.com...
> I'd recommend doing what you can to be sure that any code identified as a trojan is, in fact, bit for bit identical with the correct code from an installation source for the reputable product you have installed.
>
> False positives can be reported in these groups--ideally in the .signatures group, or directly via a web form available here:
>
> http://www.spynet.com/falsepositive.aspx
> --
> FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

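An added example, not written by any poster in this thread: one way to carry out the check suggested in posts #5 and #9 is to hash every file in the installed directory and in a trusted copy (installation source or backup) and report what differs. The two small directory trees and their file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def manifest(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.normcase(os.path.relpath(full, root))
            result[rel.replace(os.sep, "/")] = sha256_file(full)
    return result


def compare_trees(installed, reference):
    """Report files whose bytes differ and files present on only one side."""
    inst, ref = manifest(installed), manifest(reference)
    return {
        "modified": sorted(p for p in inst.keys() & ref.keys() if inst[p] != ref[p]),
        "only_installed": sorted(inst.keys() - ref.keys()),
        "only_reference": sorted(ref.keys() - inst.keys()),
    }


def build_demo():
    """Constructed sample: a reference tree and an installed tree that drifted."""
    base = tempfile.mkdtemp(prefix="treecmp_")
    trees = {
        "reference": {"app.exe": b"MZ-original", "lib/core.dll": b"core-v1",
                      "readme.txt": b"hello"},
        "installed": {"app.exe": b"MZ-original", "lib/core.dll": b"core-v1-changed",
                      "extra.dll": b"unknown"},
    }
    for tree, files in trees.items():
        for rel, data in files.items():
            path = os.path.join(base, tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
    return os.path.join(base, "installed"), os.path.join(base, "reference")


if __name__ == "__main__":
    installed_dir, reference_dir = build_demo()
    for kind, paths in compare_trees(installed_dir, reference_dir).items():
        print(kind, paths)
```

Data files the program writes at run time will legitimately show up as modified or extra; the entries that matter are executables and libraries that differ from the trusted copy.
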
#10

I agree--looks harmless, but bad--don't want that stuff removed, 'cause it may break Jeppesen.
--
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

"Garrett" <garrettmcauliffe@hotmail.com> wrote in message news:O7uVmivAFHA.2520@CPMSFTNGSA04.privatenews.microsoft.com...
> Hi Bill -
>
> AntiSpyware doesn't actually identify any EXE's as having been infected -- just the 4 registry keys I mention below (none of which directly identify an EXE -- just associate the extension RPK with the Jeppesen FlightStar).
>
> Wouldn't AntiSpyware mention a particular file if it were infected, not just registry keys? Also, the fact that the Radlight trojan and the legitimate Jeppesen product use the .RPK extension seems very coincidental... In addition, I don't have any of the registry keys that have been identified as part of the Radlight trojan, nor do I have any of the EXE/DLL's that have been identified as part of the Radlight trojan (see http://www.pestpatrol.com/PestInfo/R/RadLight.asp).
>
> So, I'm 99.999% certain this is a false positive -- I will, however, compare the Jeppesen directory file by file with a backup when I get a chance...
>
> Garrett