Microsoft Office Outlook registry items recognized as PUP.Optional.AdvancedSystemProtector


ItielMaN

Hello,

 

I wanted to test MBAM after upgrading it to v3 and made a scan.

Some of the results claim that some registry items are PUP.Optional.AdvancedSystemProtector, but in fact they seem to be related to the Microsoft Office Outlook Time Zone Control. I have Microsoft Office 2007 installed.

Scan log, exported registry items and some files are attached in a zip (ignore the other items found in the scanlog).

Note that I didn't scan with MBAM v2 prior to scanning with MBAM v3.

 

Thanks.

Items.zip


2 minutes ago, shadowwar said:

Thanks. This should be fixed in about 10 mins. Next update that comes down to 3.0

 

 

Thanks.

Also, note that one of the registry items that was detected in my report ({B0F3F4F9-CB76-9A52-9442-B481A5FF49D3}) matches the one that is pointed out in this article:

https://www.symantec.com/security_response/writeup.jsp?docid=2015-071310-5228-99&tabid=2

Not sure if this article is wrong, or if this is a rare case where ASP has the same registry item as the Outlook's item.


6 minutes ago, shadowwar said:

Yeah, unfortunately this is what happened. I blocked that ID for the future so we don't accidentally target it again. We should get the PUP one another way in the engine though. Thanks for your very complete report. Made fixing this very easy!

I guess it would be possible to identify this item ({B0F3F4F9-CB76-9A52-9442-B481A5FF49D3}) as PUP only if it does NOT contain the keys mentioned in my ZIP.

 

3 minutes ago, shadowwar said:

The update is public. If you want to rescan and double-check, it should no longer be detected.

 

Thanks again for reporting.

Will re-scan and report back.


I can confirm this PUP is no longer detected in a new scan.

1 hour ago, shadowwar said:

One more question if you don't mind. Was Advanced System Protector ever on this machine? We suspect the key was created by them as part of its Shields feature. So once MBAM found the key, our heuristic detection incorrectly triggered on this file.

Yes, a very long time ago.

This topic can be closed if you have no more questions for me.

 

Thank you :)


I've just now tried scanning with the latest version 3.0.5 and it seems the issue is back.

The key being targeted:

Registry Key: 1
PUP.Optional.AdvancedSystemProtector, HKLM\SOFTWARE\CLASSES\CLSID\{B0F3F4F9-CB76-9A52-9442-B481A5FF49D3}, No Action By User, [348], [351523],1.0.791

 

The registry key is attached.

I see some strange (what seems to be random) keys in it, not sure if that's related to the detection.

 

Thanks.

{B0F3F4F9-CB76-9A52-9442-B481A5FF49D3}.rar


Staff

This should be OK to remove. We reevaluated the def and only targeted this key alone. This is not a legit key. Let me know if you remove it and have any issues afterwards. This was the only thing detected, correct? The way Systweak worked was to copy some info into their key to make it look legit.

 

 


4 minutes ago, shadowwar said:

This is not a legit key.

Even though it has what seem to be legit registry entries, such as ToolboxBitmap32=C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE,5519, VersionIndependentProgID=Outlook.OlkTimeZone, etc.?

I thought about removing the random junk in there manually.

6 minutes ago, shadowwar said:

Let me know if you remove it and have any issues afterwards.

I won't notice as I don't use the desktop version of Outlook anymore. But I thought to report this so other users' Outlook won't get corrupted by this detection.

8 minutes ago, shadowwar said:

This was the only thing detected correct?

Yes.


Staff

It's just a leftover from Systweak. I had someone else double-check for me also. They copy random MS files into the key. Our original def was overaggressive and then deleted the files also. This won't affect settings or anything with Microsoft.

For example, a different MS file in this one:

{B0F3F4F9-CB76-9A52-9442-B481A5FF49D3}\InProcServer32]
"(Default)" = "%Program Files%\NetMeeting\nac.dll"

 

 

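The staff explanation above (a CLSID key that borrows ProgIDs and file paths from a real Office control) can be checked from the machine itself rather than by eyeballing a .reg export. The script below is an added example written for this thread; it is not code from the original posts or from Malwarebytes, and Test-ClsidRegistration, Get-RegDefault and Resolve-Dir are hypothetical helper names. It relies on the fact that a genuine COM registration is bidirectional: HKCR\CLSID\<guid>\ProgID names a ProgID, and HKCR\<ProgID>\CLSID names that same guid. A key that merely copied VersionIndependentProgID=Outlook.OlkTimeZone fails that round trip, because the real ProgID still points at Outlook's own CLSID. The "server and bitmap from the same directory" check at the end is a heuristic assumption, not a COM rule. It assumes Windows PowerShell 5 or later on the affected machine.

```powershell
# Added example (not from the thread or from Malwarebytes): decide whether a CLSID key
# is a genuine COM registration or a copy that reuses values from a real one.

function Get-RegDefault {
    # Returns the (default) value of a registry key, or $null if key/value is absent.
    param([string] $Path)
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.'(default)' }
    return $null
}

function Resolve-Dir {
    # Parent directory of a file path, with 8.3 names (PROGRA~1) expanded when it exists.
    param([string] $File)
    if (-not $File) { return $null }
    $dir = Split-Path -Parent $File
    if ($dir -and (Test-Path -LiteralPath $dir)) { return (Get-Item -LiteralPath $dir).FullName }
    return $dir
}

function Test-ClsidRegistration {
    param(
        [Parameter(Mandatory)] [string] $Clsid,
        # HKCR merges this with HKCU\Software\Classes; inspect the per-user hive separately if needed.
        [string] $Hive = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes'
    )
    $base = "Registry::$Hive\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $base)) {
        return [pscustomobject]@{ Clsid = $Clsid; Present = $false; Verdict = 'key not present' }
    }

    # The values a copied key uses to look legitimate.
    $progId   = Get-RegDefault "$base\ProgID"
    $viProgId = Get-RegDefault "$base\VersionIndependentProgID"
    $server   = Get-RegDefault "$base\InProcServer32"
    $bitmap   = Get-RegDefault "$base\ToolboxBitmap32"

    # Round trip: follow each claimed ProgID back to the CLSID it really registers.
    $mismatches = @()
    foreach ($p in (@($progId, $viProgId) | Where-Object { $_ })) {
        $real = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$p\CLSID"
        if ($real -ne $Clsid) { $mismatches += "$p is registered to '$real', not $Clsid" }
    }

    # Does the claimed in-proc server exist on disk? (Strip quotes, expand %VAR%s.)
    # Note: MBAM logs print normalized paths such as %Program Files%; the live value is
    # usually an expanded path.
    $serverPath   = if ($server) { [Environment]::ExpandEnvironmentVariables(($server -replace '"', '')) }
    $serverExists = if ($serverPath) { Test-Path -LiteralPath $serverPath } else { $false }

    # Heuristic (assumption): a real Office control's server binary and its ToolboxBitmap32
    # resource come from the same install directory; a copied key mixes sources, e.g. an
    # Office bitmap next to a NetMeeting DLL as in the thread. ",5519" is a resource index.
    $bitmapDir = Resolve-Dir ($bitmap -replace ',\s*-?\d+$', '')
    $serverDir = Resolve-Dir $serverPath
    $dirsAgree = [bool]($bitmapDir -and $serverDir -and ($bitmapDir -eq $serverDir))

    $verdict = if ($mismatches.Count -gt 0) { 'ProgID round trip fails: key copied from a real registration' }
               elseif (-not ($progId -or $viProgId)) { 'no ProgID to cross-check; judge by InProcServer32 alone' }
               elseif (-not $serverExists) { 'ProgIDs agree but server binary is missing: stale registration' }
               else { 'consistent registration' }

    [pscustomobject]@{
        Clsid                    = $Clsid
        Present                  = $true
        ProgID                   = $progId
        VersionIndependentProgID = $viProgId
        InProcServer32           = $server
        ServerExists             = $serverExists
        ToolboxBitmap32          = $bitmap
        ServerAndBitmapSameDir   = $dirsAgree
        Mismatches               = $mismatches
        Verdict                  = $verdict
    }
}

# Usage: inspect the key from the thread, then show which CLSID Outlook itself registered
# for the ProgID the suspect key claims.
Test-ClsidRegistration -Clsid '{B0F3F4F9-CB76-9A52-9442-B481A5FF49D3}' | Format-List
Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\Outlook.OlkTimeZone\CLSID'
```

Run it from an elevated prompt before deleting the key: if Outlook.OlkTimeZone resolves to a different CLSID than the one under inspection, removing the suspect key cannot affect Outlook's own registration, which is the practical question the thread was trying to settle. If the round trip succeeds instead, stop and compare the key with the genuine one before letting any tool delete it.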

7 minutes ago, shadowwar said:

It's just a leftover from Systweak. I had someone else double-check for me also. They copy random MS files into the key. Our original def was overaggressive and then deleted the files also. This won't affect settings or anything with Microsoft.

For example, a different MS file in this one:

{B0F3F4F9-CB76-9A52-9442-B481A5FF49D3}\InProcServer32]
"(Default)" = "%Program Files%\NetMeeting\nac.dll"

Okay then, I'm removing it.

But remember, if something goes wrong, you owe me a beer! ;)
