Malwarebytes detects SuperAntiSpyware as a problem Attached frst.txt and ad


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/4/19
Scan Time: 12:31 PM
Log File: 63edaf15-3ea3-11e9-beb2-a01d4868da35.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.482
Update Package Version: 1.0.9536
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Andy-HP\Andy

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 384266
Threats Detected: 12
Threats Quarantined: 0
Time Elapsed: 20 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 6
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNSAS.EXE, No Action By User, [6433], [249733],1.0.9536
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNSAS.EXE, No Action By User, [6433], [249733],1.0.9536
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDFILES.EXE, No Action By User, [6433], [249769],1.0.9536
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDFILES.EXE, No Action By User, [6433], [249769],1.0.9536
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE, No Action By User, [6433], [249843],1.0.9536
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE, No Action By User, [6433], [249843],1.0.9536

Registry Value: 6
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNSAS.EXE|DEBUGGER, No Action By User, [6433], [249733],1.0.9536
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNSAS.EXE|DEBUGGER, No Action By User, [6433], [249733],1.0.9536
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDFILES.EXE|DEBUGGER, No Action By User, [6433], [249769],1.0.9536
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDFILES.EXE|DEBUGGER, No Action By User, [6433], [249769],1.0.9536
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE|DEBUGGER, No Action By User, [6433], [249843],1.0.9536
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE|DEBUGGER, No Action By User, [6433], [249843],1.0.9536

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer. Please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab
  7. Click the Gather Logs button
  8. A progress bar will appear and the program will proceed with getting logs from your computer
  9. Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Greetings,

I'm pretty sure those entries are not created by SUPERantiSpyware.  Those are Image File Execution Options (IFEO) entries that tell Windows that whenever the target program is executed, to run some other program instead (or as well as, in the case of the Debugger entries).  It is a tactic commonly used by malware to prevent security programs (like Malwarebytes and SUPERAntiSpyware) from running and I would definitely recommend allowing Malwarebytes to remove them.

Also, if your system is showing any other signs of infection I would highly recommend following the instructions in this topic and creating a new topic in the malware removal area including the requested logs and info by clicking here and one of our malware removal specialists will assist you in checking and clearing the system of any threats as soon as one becomes available.


Just checked a Windows 7 machine on a separate segment isolated by a firewall, running both Malwarebytes and SuperAntiSpyware. No troubles.  So it looks like it's not related to the 2 applications clashing.  I did notice that an update to SuperAntiSpyware failed (maybe unrelated).  Ran Malwarebytes and removed the problem.  Rebooted and ran Malwarebytes again. No trouble found.  Now running Farbar tool.  Again thanks for the troubleshooting info.  At work we just re-image, but you never learn too much by doing that.


Good deal.  I saw you went ahead and posted your logs in the malware removal forum.  One of the helpers there will check them out as soon as they are available.  Hopefully those detections were just some remnants from an old threat that has long since been removed but you never know so better safe than sorry.


Hi Ron,

I ran the scan and I get "congratulations no malware found".  I tried to run the update for SuperAntiSpyware and the update still doesn't work.  There are 2 types of updates just like Malwarebytes, the usual one that happens every time I run a scan and then the periodic update that happens occasionally.  It is the latter that fails to update.  So I get the usual signatures, but when the periodic update tries to update the version, that fails.  Is it possible the Malwarebytes cleanup of the initial problem could have damaged something with SuperAntiSpyware code?  I was going to uninstall SuperAntiSpyware and try to reinstall and see what happens, but I'm waiting for the ok that things look good as far as eradicating the initial infection.

Thank you for your help in resolving this problem!!!!

 


Hi Ron,

Ran Farbar and I have attached the FRST.txt and Addition.txt.  Let me know if you see anything.  I took a quick look, nothing obvious, but I'll look again.  Looks like there may be a problem because first the problem was with SuperAntiSpyware and now with Spybot.  It would be nice if this were a false positive, but I think not. Let me know what you need.

Thank you!!!!

 

Addition.txt FRST.txt


Hi Ron,

I have scanned the laptop again after removing it and rebooted a couple of times in between each scan.  I think there are 2 factors that contribute to this: 1.  I have installed the advanced version (auto detect version of Malwarebytes).  2.  I think it's related to me running Spybot.  I can prove this out because I have a couple of clean scans and reboots and all looks well.  I believe if I run Spybot, I'll get a detection and if I scan with Malwarebytes it will pick up another set of reg. keys.  I can get you a snapshot of those reg. keys so you can see.  I'll also run Spybot to see if there is a problem after or during the run.  Now that I have the paid version of Malwarebytes, I might de-install the other anti-virus/malware software.  I do like that Spybot blackholes bad sites and IPs by including them in the hosts file and directing them to 127.0.0.1.

 

Thanks!!!!


  • Root Admin

The files may not be there. That's why I was asking to manually search to verify.  The main path is here:

 

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

I don't think the computer is infected but by using different other security software they can potentially revert changes from other security apps, etc.

 

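The manual check the replies above describe, as an added example that is not part of the thread or of any Malwarebytes tooling: a read-only PowerShell listing of every Image File Execution Options subkey that carries a Debugger value, under both the native path and the WOW6432Node path quoted above. It assumes a 64-bit PowerShell session; the output column names are this example's own.

```powershell
# Added example: read-only audit of IFEO "Debugger" values. Nothing is modified.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $view = if ($root -like '*WOW6432Node*') { '32-bit' } else { 'native' }

    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $debugger = [string]$key.GetValue('Debugger')
        if (-not $debugger.Trim()) { continue }   # no Debugger value on this subkey

        # The first token of the command line is the program that would be started.
        # Assumption: an unquoted path containing spaces is cut at the first space.
        $exe = $null
        if ($debugger -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($debugger -match '^\s*(\S+)') { $exe = $Matches[1] }

        # Resolve bare file names through PATH; keep rooted paths as they are.
        $path = $exe
        if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
            $cmd  = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                    Select-Object -First 1
            $path = if ($cmd) { $cmd.Path } else { $null }
        }

        $exists = [bool]($path -and (Test-Path -LiteralPath $path -PathType Leaf))
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }

        New-Object PSObject -Property @{
            Target    = $key.PSChildName   # program whose launch is intercepted
            View      = $view              # which registry view the entry lives in
            Debugger  = $debugger          # raw command line stored in the value
            Exists    = $exists            # False: the debugger target is not on disk
            Signature = $sig               # Authenticode status of the target file
        }
    }
}

if ($findings) {
    $findings | Select-Object Target, View, Debugger, Exists, Signature |
        Format-Table -AutoSize -Wrap
} else {
    'No IFEO Debugger values found under either registry view.'
}
```

Running it before and after a scan by each security tool shows which one, if any, writes the entries back.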

  • Root Admin

Agreed, I think your computer is clean.

 

Help Secure your browsers

Please install uBlock Origin for your browsers to better protect your system

FireFox, Chrome, Opera, Safari, Microsoft Edge
AdBlock for Internet Explorer

Follow-up Reading

Everything you need to know about cybercrime
10 easy ways to prevent malware infection 
Keep your data backed up

 

Thank you for choosing Malwarebytes
 

Take care and stay safe out there

Ron

 


Hi Ron,

I really want to thank you, I work in computer/network security, but not as a malware expert.  PC and laptops get compromised and they are just re-imaged.  It's the quick way to an end, but you never find root cause or how these little devils operate.  I try to run an image of my machines once a week and keep scanning.  Linux is my main laptop's OS, but I need MS for a few things. I'll install uBlock as you recommended. 

Thank you!!!!!!!!!!!!!!!!!!!
