Suppenhuhn

Everything posted by Suppenhuhn

  1. Thanks for your help. I'll add them to the ignore list. I think this post fits the problem in this thread very well, doesn't it? http://forums.malwarebytes.org/index.php?showtopic=127984#entry693065 Instead of just blocking the entries, the next step would be to let MBAM know when the registry keys and values are changed by EMET itself or by some kind of malware. Greetings
  2. Oh, I forgot, the exported data is in German.

     Schlüsselname: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
     Klassenname: <KEINE KLASSE>
     Letzter Schreibzugriff: 31.07.2013 - 04:08
     Wert 0
       Name: DisableExceptionChainValidation
       Typ: REG_DWORD
       Daten: 0

     basically means this

     Key name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
     Class name: <NO CLASS>
     Last write access: 31.07.2013 - 04:08
     Value 0
       Name: DisableExceptionChainValidation
       Type: REG_DWORD
       Data: 0

     Greetings
  3. Thanks a lot for your answer. I use EMET and I just learned* that enabling SEHOP for a tool creates the value DisableExceptionChainValidation in the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<tool.exe> with value 0. The value is 1 if I disable SEHOP, and the value is deleted if I remove the tool from EMET completely. The key remains, though. After removing hijackthis.exe, autoruns.exe and autorunsc.exe from EMET, I still get the warnings in MBAM, I guess because the registry key still exists, although it doesn't contain any values anymore.

     * http://support.microsoft.com/kb/956607/en-us

     I guess I didn't run MBAM since I added some software to the EMET apps list. Oddly enough, this key is created for every software I add to EMET, but it only creates a warning in MBAM for the three executables mentioned above. I exported the keys to text files (while SEHOP was enabled):

     Schlüsselname: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
     Klassenname: <KEINE KLASSE>
     Letzter Schreibzugriff: 31.07.2013 - 04:08
     Wert 0
       Name: DisableExceptionChainValidation
       Typ: REG_DWORD
       Daten: 0

     Schlüsselname: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe
     Klassenname: <KEINE KLASSE>
     Letzter Schreibzugriff: 31.07.2013 - 04:08
     Wert 0
       Name: DisableExceptionChainValidation
       Typ: REG_DWORD
       Daten: 0

     Schlüsselname: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
     Klassenname: <KEINE KLASSE>
     Letzter Schreibzugriff: 31.07.2013 - 04:08
     Wert 0
       Name: DisableExceptionChainValidation
       Typ: REG_DWORD
       Daten: 0

     I just found this thread: http://forums.malwarebytes.org/index.php?showtopic=127984&hl=+emet The problem seems to be the same, doesn't it?
  4. Hi, today I ran a scan and MBAM found the following:

     Registry Keys Detected: 3
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Trojan.Agent)
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe (Security.Hijack)
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe (Security.Hijack)

     Here's the log:

     Malwarebytes Anti-Malware 1.75.0.1300
     www.malwarebytes.org
     Database version: v2013.07.30.10
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 10.0.9200.16635
     Sebastian :: LAPTOPSK [limited]
     31.07.2013 00:34:37
     MBAM-log-2013-07-31 (00-38-15).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
     Scan options disabled:
     Objects scanned: 162556
     Time elapsed: 3 minute(s), 26 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 3
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Trojan.Agent) -> No action taken. [2949a1c2b0bc9f9779ea31aeb151a25e]
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe (Security.Hijack) -> No action taken. [680a6102e08c42f4a9bbe5fa3fc3b54b]
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe (Security.Hijack) -> No action taken. [c3afaab91a52f2444821e1008979c53b]
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 0
     (No malicious items detected)
     (end)

     I downloaded the tools from their official sites a while ago, but today is the first time MBAM found something.
     http://technet.microsoft.com/en-us/sysinternals/bb963902
     http://sourceforge.net/projects/hjt/
     I guess they are false positives, but I'm no expert ^^ Greetings
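As an added check (example code written for this page, not from the thread, EMET or Malwarebytes): a PowerShell audit of the Image File Execution Options keys that separates the EMET SEHOP marker described in post 3 (DisableExceptionChainValidation, 0 = enabled, 1 = disabled, per KB956607) from empty leftover keys and from keys carrying other values that a scanner would have better reason to flag. It assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added example, not from the thread: classify each IFEO subkey so that EMET's
# SEHOP marker and empty leftovers can be told apart from keys holding other values.
$ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$marker = 'DisableExceptionChainValidation'

Get-ChildItem -Path $ifeo | ForEach-Object {
    $key   = $_
    $names = @($key.GetValueNames())
    # Every value that is not the SEHOP marker (e.g. a Debugger value) deserves review.
    $other = @($names | Where-Object { $_ -ne $marker })

    if ($names -contains $marker) {
        # KB956607: 0 = SEHOP enforced for this image, 1 = SEHOP disabled for it
        $sehop = switch ($key.GetValue($marker)) {
            0       { 'enabled' }
            1       { 'disabled' }
            default { 'unexpected data' }
        }
    } else {
        $sehop = 'not set'
    }

    $assessment = if ($names.Count -eq 0) {
        'empty key (leftover after removing the app from EMET)'
    } elseif ($other.Count -eq 0) {
        'SEHOP marker only (consistent with EMET)'
    } else {
        'other values present: review'
    }

    [PSCustomObject]@{
        Image       = $key.PSChildName
        SEHOP       = $sehop
        Assessment  = $assessment
        OtherValues = ($other -join ', ')
    }
} | Sort-Object Image | Format-Table -AutoSize
```

Keys reported as "empty key" are what post 3 describes after removing a tool from EMET; deleting such a key (after confirming it holds no values) removes the leftover that the scanner keeps reporting.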