Jump to content
seventhcube2832

Are these related to windows components? should i remove or not?

Recommended Posts

so i did a normal scan and came across 12 problems, 4 PUP's and 8 Malware. here are the results:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/14/17
Scan Time: 12:38 PM
Log File: a1e0e58e-e0cb-11e7-b31b-3065ec17b5c3.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3488
License: Free

-System Information-
OS: Windows 10 (Build 16299.125)
CPU: x64
File System: NTFS
User: MARKS-PC\mark

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 356187
Threats Detected: 12
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 26 min, 46 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 6
PUP.Optional.IFEO, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SKYPE.EXE, No Action By User, [8727], [239345],1.0.3488
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\sandboxieinstall64.exe, No Action By User, [650], [249743],1.0.3488
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\START.EXE, No Action By User, [650], [249840],1.0.3488
PUP.Optional.IFEO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SKYPE.EXE, No Action By User, [8727], [239345],1.0.3488
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\sandboxieinstall64.exe, No Action By User, [650], [249743],1.0.3488
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\START.EXE, No Action By User, [650], [249840],1.0.3488

Registry Value: 6
PUP.Optional.IFEO, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SKYPE.EXE|DEBUGGER, No Action By User, [8727], [239345],1.0.3488
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\sandboxieinstall64.exe|DEBUGGER, No Action By User, [650], [249743],1.0.3488
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\START.EXE|DEBUGGER, No Action By User, [650], [249840],1.0.3488
PUP.Optional.IFEO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SKYPE.EXE|DEBUGGER, No Action By User, [8727], [239345],1.0.3488
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\sandboxieinstall64.exe|DEBUGGER, No Action By User, [650], [249743],1.0.3488
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\START.EXE|DEBUGGER, No Action By User, [650], [249840],1.0.3488

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

 

Not sure what to exclude or remove because START.exe seems to me that it's a windows component 

Share this post


Link to post
Share on other sites

Hi,

None of these are keys created by Windows. What this key actually means is, to give an example from one of the above ones, let's use:

PUP.Optional.IFEO, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SKYPE.EXE|DEBUGGER, No Action By User, [8727], [239345],1.0.3488

In this case, skype.exe is set as subkey under the HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS key.

Skype.exe, as we all know, is a legitimate application. But the goal of this key is different. What this key does is - if being set - when you launch Skype.exe, Windows always looks if there's a debugger created for it. In this case, there is, as above key is created. So INSTEAD of skype.exe it will launch, it will launch what is under the debugger instead. This can be anything, but in a lot of cases, created by malware. So it will launch the malware instead of skype.exe

This key unfortunately doesn't show to what program the debugger is set, but it is strongly suggested you have malwarebytes remove this.

There are however some cases where a legitimate program is set as a debugger, for example TuneUp Utilities that does this. More info about this here: 

But it is still recommended to not have any debuggers by any other programs set if it's not the goal to actually debug, as it might break launching some applications when the debugger is removed.

So above are no false positives, that's why I still suggest that you have malwarebytes remove them.

Edited by miekiemoes

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.