
"RiskWare.IFEO ...Irish-IT



Hi,
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

 

In this forum section, a Topic is only for the originator. We do not do group replies or group-type things. One originator - one topic only for the originator.

I have split off your me-too post.

Please know that for most everyday systems, the use of Image File Execution Options is not present / not needed, & is typically an indicator of a likely hijack.

We need to see details from your machine.

 

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 
If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible. 
  
Please only just attach all report files, etc. that I ask for as we go along.


I would appreciate getting some key details from this machine in order to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool

  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-1.6.0.774.exe to run the report
      • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • Now click the left-hand side pane "I do not have an open support ticket"
  • You will be presented with a page stating, "Get Started!"
  • Do NOT use the button “Start repair”! But look instead at the far-left options list in black.
  • Click the Advanced tab on the left column
  • Click the Gather Logs button
  • A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
  • Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
  • Please attach the ZIP file in your next reply.

Please know I help here as a volunteer, and that I am not on 24 x 7.
Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into main body.
Thank you,
Sincerely.
 


We need to see a copy of the Malwarebytes Scan (log) report that lists the detail about the registry key
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION
or
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\
AND
to see exactly what file is being tagged!

IF and only IF the file is OSPPSVC.EXE (Office Software Protection Platform Service from Microsoft Corporation)
then see the posting on this other forum area
https://forums.malwarebytes.com/topic/259355-riskwareifeohijack-osppsvc/?do=findComment&comment=1378778


IF on the other hand it is any other file, we do not to have the reports from the Support tool.
Regards.


That is exactly what the email alerts are indicating.

 

Malwarebytes Management Server Notification

--------------------------------------------

 

Alert Time: 5/4/2020 10:33:07 PM

Server Hostname: APPUSG01

Server Domain/Workgroup: unionsupply.net Server IP: 10.1.12.23 Notification Catalog: Client

Description:

Malware threat detected, see details below:

 

5/4/2020 10:31:04 PM   PCOH-008            10.1.92.107         RiskWare.IFEOHijack      < No action taken >                HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSPPSVC.EXE

5/4/2020 10:31:04 PM   PCOH-008            10.1.92.107         RiskWare.IFEOHijack      < No action taken >                HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSPPSVC.EXE

 

Total count: 2.


I have 2 good suggestions for you.

(A)

There is an area on our forum for reporting potential (or suspected) (or actual) false positives. Use that. The Malwarebytes team that handles those monitors that area all the time.

See the posting on this other forum area
https://forums.malwarebytes.com/topic/259355-riskwareifeohijack-osppsvc/?do=findComment&comment=1378778

 

(B)

You have the Business software. So your area for other help is on a specific sub-forum for Business software.

https://forums.malwarebytes.com/forum/111-malwarebytes-anti-malware-for-business/

 

This area here is for consumers who use Malwarebytes for Windows (non-business / non-organization).


  • Root Admin

This is not a false positive. This is an entry point hijack used by KMSpico Activator and similar hacks. The file is valid and should not have been removed, just the IFEO entry.

In general, as long as there are no other signs of KMS, the computer should be okay.

Providing FRST logs can help confirm if there are any other issues.

Typical entry seen in the Registry:

IFEO\osppsvc.exe: [VerifierDlls] SppExtComObjHook.dll
IFEO\SppExtComObj.exe: [VerifierDlls] SppExtComObjHook.dll

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

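A read-only way to list the kind of IFEO entries discussed in this thread on a given machine, as an added example that is not part of any forum post and is not Malwarebytes or FRST code. It checks the two registry paths named above for `VerifierDlls` values and, as an assumption, also reports `Debugger` values; it further assumes the named verifier DLL is looked up in the system directory matching each registry view.

```powershell
# Added example: read-only audit of Image File Execution Options (IFEO) entries.
# Run from an elevated 64-bit PowerShell so both registry views and both
# system directories are seen without redirection. Nothing is modified.
$ifeoRoots = @(
    @{ Path   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
       DllDir = Join-Path $env:windir 'System32' },
    @{ Path   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
       DllDir = Join-Path $env:windir 'SysWOW64' }
)

# Value names to report. VerifierDlls is the one shown in the thread;
# Debugger is included as an assumption because it also changes how an image starts.
$watchValues = 'VerifierDlls', 'Debugger'

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root.Path)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root.Path -ErrorAction SilentlyContinue) {
        foreach ($name in $watchValues) {
            $data = $key.GetValue($name, $null)
            if ($null -eq $data) { continue }
            $row = [ordered]@{
                Image = $key.PSChildName; Value = $name; Data = "$data"
                Key = $key.Name; DllPresent = $null; Signature = $null
            }
            if ($name -eq 'VerifierDlls') {
                # VerifierDlls holds DLL file names; check the first one on disk
                # (assumed location: the system directory for this registry view).
                $dll = Join-Path $root.DllDir (("$data" -split '[\s,;]+')[0])
                $row.DllPresent = Test-Path -LiteralPath $dll
                if ($row.DllPresent) {
                    $row.Signature = (Get-AuthenticodeSignature -FilePath $dll).Status
                }
            }
            [pscustomobject]$row
        }
    }
}

if ($findings) {
    $findings | Sort-Object Image, Key |
        Format-Table Image, Value, Data, DllPresent, Signature -AutoSize
} else {
    'No VerifierDlls or Debugger values found under IFEO.'
}
```

A row for `osppsvc.exe` or `SppExtComObj.exe` with `SppExtComObjHook.dll` in the Data column corresponds to the typical entry quoted in the post above.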

Regarding the link I provided about OSPPSVC.EXE

The posting by a Research staffer some 15 hours ago indicated that an update would be pushed out to address that. Please be sure to first do an Update run in Malwarebytes, to ensure your systems have the latest database updates.

https://forums.malwarebytes.com/topic/259355-riskwareifeohijack-osppsvc/?do=findComment&comment=1378778

 

Edited by Maurice Naggar
This topic is now closed to further replies.