asianmusicguy

Riskware process explore


Posted (edited)

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/23/19
Scan Time: 2:03 PM
Log File: f63fb876-ad84-11e9-947b-10bf487f7f03.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11688
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 306145
Threats Detected: 4
Threats Quarantined: 0
Time Elapsed: 3 min, 59 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE, No Action By User, [6345], [711127],1.0.11688
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE, No Action By User, [6345], [711127],1.0.11688

Registry Value: 2
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE|DEBUGGER, No Action By User, [6345], [711127],1.0.11688
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\TASKMGR.EXE|DEBUGGER, No Action By User, [6345], [711127],1.0.11688

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

my report matches the following

and that's only today, what is going on guys

I

Edited by asianmusicguy


Hello asianmusicguy,

The detection is OK in your case. You can ignore it since you chose to use Process Explorer to replace the Task Manager (taskmgr.exe)


I know I can ignore it; however, it should not be detected at all, as it has not been until today, and my version is much older than the other users', so there has to be a change in the last 34 hrs to Malwarebytes to cause this.


Yes it was part of a database update from yesterday (the 22nd)


I just had this EXACT same thing happen to me as well, as a result of today's MWB Premium scan. 

thisisu: So, ... are you guys going to fix this or what? You did not respond to that part of asianmusicguy's post. I always intended to ignore it, but I have to agree with asianmusicguy, it should not happen in the first place! Process Explorer is a Microsoft Product, and its Task Manager version is miles better than the one that comes with Windows. Beyond that however, is the fact that the Process Explorer version does not install itself alongside the original version - it REPLACES it! A less knowledgeable user might take MWB at its word and click the 'big red X in the circle' and completely disable ANY Task Manager capability in the system. That would be a HUGE problem when the time comes that it is really needed.

I think malware-flagging any product published by the very same developer as the operating system that MWB itself operates within, should be a really BIG no-no, don't you?

'nuff said.

Posted (edited)

Hello GDog,

I understand that in this case it's a false positive and I too don't like detecting software built by Microsoft, although we're not detecting Process Explorer, just a registry key that was being used to launch Process Explorer instead of Task Manager. The detection is in place due to malware now abusing the registry key. It's not a part of the operating system by default. The detection is new to the database which is why you are just now seeing it.

Having Malwarebytes delete this entry wouldn't delete the default Windows Task Manager. The executable is still present. Your default Task Manager would be reverted is all. You would just have to go back into Process Explorer, select Options and tick Replace Task Manager again.

Hope this clears things up

Regards


Edited by thisisu

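As an added example (not code from this thread or from Malwarebytes), the following Python script triages the Image File Execution Options key the way thisisu's explanation implies: it reads `reg query ... /s` style output, and separates the Process Explorer "Replace Task Manager" case from any other Debugger value that redirects a program's launch and needs review. The registry output below is constructed, and the procexp install paths and the notepad.exe entry are assumptions, not values from the thread.

```python
import ntpath
import re

# Constructed sample in the shape of `reg query "<IFEO key>" /s` output (not a real capture).
# The two taskmgr.exe keys mirror the native and WOW6432Node entries in the scan log above;
# the notepad.exe key is a constructed example of a Debugger value that is not Process Explorer.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger    REG_SZ    "C:\Program Files\SysinternalsSuite\procexp64.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger    REG_SZ    "C:\Program Files\SysinternalsSuite\procexp.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    C:\Users\Public\updater.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
    GlobalFlag    REG_DWORD    0x2
"""
PROCEXP_NAMES = {"procexp.exe", "procexp64.exe"}   # Sysinternals Process Explorer binaries
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")   # "    Name    REG_TYPE    data"

def parse_reg_query(text):
    """Map each subkey path in reg query output to its {value name: data} dict."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1)] = m.group(3).strip()
    return keys

def debugger_exe(data):
    """File name of the program a Debugger value launches (first token, quotes honoured)."""
    path = data[1:].split('"', 1)[0] if data.startswith('"') else data.split()[0]
    return ntpath.basename(path).lower()

def classify_ifeo(text):
    """Return (subkey, debugger exe, verdict) for every subkey that sets a Debugger value."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if "Debugger" not in values:          # GlobalFlag etc. do not redirect the launch
            continue
        target = ntpath.basename(key).lower()  # the image whose launch is intercepted
        exe = debugger_exe(values["Debugger"])
        if target == "taskmgr.exe" and exe in PROCEXP_NAMES:
            verdict = "benign: Process Explorer 'Replace Task Manager' option"
        else:
            verdict = "review: Debugger redirects every launch of " + target
        findings.append((key, exe, verdict))
    return findings
```

Reverting an entry that is flagged for review means removing the Debugger value under that subkey; the original executable (here taskmgr.exe) is never touched, which is the point thisisu makes above.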

thisisu: Thanks for the explanation, ... I think. So you're saying that MWB will continue to mark this sort of Registry usage, regardless of where the software using it comes from. Is that right? So your discovery logic code doesn't allow for any kind of exceptions in this kind of registry use, right? 

Just want to be sure I understand it correctly.

I told MWB to leave it alone permanently in the disposal popup. We'll see if it does that or not.


15 hours ago, thisisu said:

Hello GDog,

I understand that in this case it's a false positive and I too don't like detecting software built by Microsoft, although we're not detecting Process Explorer, just a registry key that was being used to launch Process Explorer instead of Task Manager. The detection is in place due to malware now abusing the registry key. It's not a part of the operating system by default. The detection is new to the database which is why you are just now seeing it.

Having Malwarebytes delete this entry wouldn't delete the default Windows Task Manager. The executable is still present. Your default Task Manager would be reverted is all. You would just have to go back into Process Explorer, select Options and tick Replace Task Manager again.

Hope this clears things up

Regards

