
False positive(?) reg keys: autoruns & hijackthis


Suppenhuhn


Hi,

 

Today I ran a scan and MBAM found the following:

Registry Keys Detected: 3
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Trojan.Agent)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe (Security.Hijack)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe (Security.Hijack)

Here's the log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.30.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Sebastian :: LAPTOPSK [limited]

31.07.2013 00:34:37
MBAM-log-2013-07-31 (00-38-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 162556
Time elapsed: 3 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Trojan.Agent) -> No action taken. [2949a1c2b0bc9f9779ea31aeb151a25e]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe (Security.Hijack) -> No action taken. [680a6102e08c42f4a9bbe5fa3fc3b54b]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe (Security.Hijack) -> No action taken. [c3afaab91a52f2444821e1008979c53b]

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I downloaded the tools from their official sites a while ago, but today is the first time MBAM found something.

http://technet.microsoft.com/en-us/sysinternals/bb963902

http://sourceforge.net/projects/hjt/

 

I guess they are false positives, but I'm no expert ^^

 

Greetings


Thanks a lot for your answer.

 

 

I use EMET and I just learned* that enabling SEHOP for a tool creates the value DisableExceptionChainValidation in the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<tool.exe> with value 0. The value is 1 if I disable SEHOP, and the value is deleted if I remove the tool from EMET completely. The key remains, though. After removing hijackthis.exe, autoruns.exe and autorunsc.exe from EMET, I still get the warnings in MBAM, I guess because the registry key still exists, although it doesn't contain any values anymore.

* http://support.microsoft.com/kb/956607/en-us

 

 

I guess I didn't run MBAM since I added some software to the EMET apps list. Oddly enough, this key is created for every piece of software I add to EMET, but it only creates a warning in MBAM for the three executables mentioned above.

 

 

 

I exported the keys to text files (while SEHOP was enabled):

Schlüsselname:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
Klassenname:            <KEINE KLASSE>
Letzter Schreibzugriff: 31.07.2013 - 04:08

Wert 0
  Name:            DisableExceptionChainValidation
  Typ:             REG_DWORD
  Daten:           0

Schlüsselname:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe
Klassenname:            <KEINE KLASSE>
Letzter Schreibzugriff: 31.07.2013 - 04:08

Wert 0
  Name:            DisableExceptionChainValidation
  Typ:             REG_DWORD
  Daten:           0

Schlüsselname:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Klassenname:            <KEINE KLASSE>
Letzter Schreibzugriff: 31.07.2013 - 04:08

Wert 0
  Name:            DisableExceptionChainValidation
  Typ:             REG_DWORD
  Daten:           0

I just found this thread: http://forums.malwarebytes.org/index.php?showtopic=127984&hl=+emet

 

The problem seems to be the same, doesn't it?


Oh I forgot, the exported data is in German.

Schlüsselname:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
Klassenname:            <KEINE KLASSE>
Letzter Schreibzugriff: 31.07.2013 - 04:08

Wert 0
  Name:            DisableExceptionChainValidation
  Typ:             REG_DWORD
  Daten:           0

basically means this

Key name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
Class name:        <NO CLASS>
Last write access: 31.07.2013 - 04:08

Value 0
  Name:            DisableExceptionChainValidation
  Type:            REG_DWORD
  Data:            0

Greetings


Thanks for your help.

 

I'll add them to the ignore list.

 

I think this post fits the problem in this thread very well, doesn't it? http://forums.malwarebytes.org/index.php?showtopic=127984#entry693065

Instead of just blocking the entries, the next step would be to let MBAM know when the registry keys & values are changed by EMET itself or by some kind of malware.

 

Greetings

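The two points raised in this thread, that EMET's SEHOP setting leaves a DisableExceptionChainValidation value (or an empty leftover key) under Image File Execution Options, and that one would rather know when those keys change than simply ignore them, can be checked with a small inventory script. This is an added example written for this page, not code from the thread, from Malwarebytes or from EMET; it only reads the registry, and the classification labels and the baseline file name are my own.

```powershell
# Inventory every per-image subkey under IFEO and classify it by the values it holds,
# so the EMET/SEHOP artifact described in KB956607 can be told apart from other keys.
$ifeoPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$sehopValue = 'DisableExceptionChainValidation'

function Get-IfeoReport {
    Get-ChildItem -Path $ifeoPath | ForEach-Object {
        $names = @($_.GetValueNames())          # RegistryKey object from the registry provider
        if ($names.Count -eq 0) {
            $class = 'empty key (e.g. left behind after removing the app from EMET)'
        } elseif ($names.Count -eq 1 -and $names[0] -eq $sehopValue) {
            # KB956607: 0 = SEHOP enforced for this image, 1 = SEHOP disabled for it
            $state = if ($_.GetValue($sehopValue) -eq 0) { 'SEHOP enabled' } else { 'SEHOP disabled' }
            $class = "SEHOP setting only ($state)"
        } else {
            $class = 'other values present (review): ' + ($names -join ', ')
        }
        [pscustomobject]@{ Image = $_.PSChildName; Values = ($names -join ','); Class = $class }
    }
}

function Save-IfeoBaseline([string]$Path) {
    # Record the current set of IFEO keys and their value names as a known-good snapshot.
    Get-IfeoReport | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-IfeoBaseline([string]$Path) {
    # Report subkeys that were added, removed, or changed their value set since the snapshot,
    # whether the change came from EMET's own settings or from something else on the machine.
    $old = @{}; foreach ($r in (Get-Content -Raw -Path $Path | ConvertFrom-Json)) { $old[$r.Image] = $r.Values }
    $new = @{}; foreach ($r in Get-IfeoReport) { $new[$r.Image] = $r.Values }
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k))  { "added:   $k -> [$($new[$k])]" }
        elseif ($old[$k] -ne $new[$k]) { "changed: $k -> [$($old[$k])] => [$($new[$k])]" }
    }
    foreach ($k in $old.Keys) { if (-not $new.ContainsKey($k)) { "removed: $k" } }
}

# Usage (constructed file name):
Get-IfeoReport | Format-Table -AutoSize
Save-IfeoBaseline -Path "$env:TEMP\ifeo-baseline.json"     # once, after configuring EMET
Compare-IfeoBaseline -Path "$env:TEMP\ifeo-baseline.json"  # later, after EMET changes or a scan alert
```

Keys whose only value is DisableExceptionChainValidation match what the exported keys in this thread show; anything reported as "other values present" or as an unexpected addition since the baseline is what to look at before adding a detection to the ignore list.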
