Jump to content

RiskWare.IFEOHijack.KMS troubleshooting


Recommended Posts

Hello everyone

 

I just ran a weekly scan as usual, and suddenly Malwarebytes reported a series of problems in the registry, and I don't know what to do. 

Are these problems infectious? Do I need to quarantine them or can I just ignore them? How can I get rid of them?

 

Please find attached the .txt file for a report. Thank you very much in advance?

HKLM 15.08.22.txt

Link to post
Share on other sites

Here's the report also listed below as copy/paste:

-----------------

Malwarebytes
www.malwarebytes.com

-Protokolldetails-
Scan-Datum: 15.08.22
Scan-Zeit: 11:09
Protokolldatei: 08564810-1c7a-11ed-ad73-040e3c328349.json

-Softwaredaten-
Version: 4.5.12.204
Komponentenversion: 1.0.1725
Version des Aktualisierungspakets: 1.0.58643
Lizenz: Kostenlos

-Systemdaten-
Betriebssystem: Windows 10 (Build 19044.1826)
CPU: x64
Dateisystem: NTFS
Benutzer: DESKTOP-PBOE0K5\mdlop

-Scan-Übersicht-
Scan-Typ: Bedrohungs-Scan
Scan gestartet von: Manuell
Ergebnis: Abgeschlossen
Gescannte Objekte: 311116
Erkannte Bedrohungen: 8
In die Quarantäne verschobene Bedrohungen: 0
Abgelaufene Zeit: 0 Min., 47 Sek.

-Scan-Optionen-
Speicher: Aktiviert
Start: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristik: Aktiviert
PUP: Erkennung
PUM: Erkennung

-Scan-Details-
Prozess: 0
(keine bösartigen Elemente erkannt)

Modul: 0
(keine bösartigen Elemente erkannt)

Registrierungsschlüssel: 4
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSPPSVC.EXE, Keine Aktion durch Benutzer, 6351, 1077833, 1.0.58643, , ame, , , 
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPPEXTCOMOBJ.EXE, Keine Aktion durch Benutzer, 6351, 1077834, 1.0.58643, , ame, , , 
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSPPSVC.EXE, Keine Aktion durch Benutzer, 6351, 1077833, 1.0.58643, , ame, , , 
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPPEXTCOMOBJ.EXE, Keine Aktion durch Benutzer, 6351, 1077834, 1.0.58643, , ame, , , 

Registrierungswert: 4
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSPPSVC.EXE|VERIFIERDLLS, Keine Aktion durch Benutzer, 6351, 1077833, 1.0.58643, , ame, , , 
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPPEXTCOMOBJ.EXE|VERIFIERDLLS, Keine Aktion durch Benutzer, 6351, 1077834, 1.0.58643, , ame, , , 
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSPPSVC.EXE|VERIFIERDLLS, Keine Aktion durch Benutzer, 6351, 1077833, 1.0.58643, , ame, , , 
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPPEXTCOMOBJ.EXE|VERIFIERDLLS, Keine Aktion durch Benutzer, 6351, 1077834, 1.0.58643, , ame, , , 

Registrierungsdaten: 0
(keine bösartigen Elemente erkannt)

Daten-Stream: 0
(keine bösartigen Elemente erkannt)

Ordner: 0
(keine bösartigen Elemente erkannt)

Datei: 0
(keine bösartigen Elemente erkannt)

Physischer Sektor: 0
(keine bösartigen Elemente erkannt)

WMI: 0
(keine bösartigen Elemente erkannt)


(end)

Link to post
Share on other sites

Hello :welcome:  @LivKelli

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review.   This is a report only.

Please download MALWAREBYRES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply
  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • We do need the support zip reports to see more detail  ( the screen grabs just do not have full details + those screens give no clue as to what processes are running.
Link to post
Share on other sites

Next, 

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes sca

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 

MB4_scan_tick_ALL.jpg.d5c4071c62ed66534301fbb217b93bc0.jpg

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

MB4_scan_all_Quarantine2.jpg.6c45445994d4125c0b617ac7c5551e03.jpg

 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Link to post
Share on other sites

44 minutes ago, Maurice Naggar said:

Next, 

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes sca

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 

MB4_scan_tick_ALL.jpg.d5c4071c62ed66534301fbb217b93bc0.jpg

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

MB4_scan_all_Quarantine2.jpg.6c45445994d4125c0b617ac7c5551e03.jpg

 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Hello Maurice

 

Please find attached the required zip file as well as the scan run report.

 

Looking forward to your answer.

mbst-grab-results.zip Scan run report.txt

Link to post
Share on other sites

2 hours ago, Maurice Naggar said:

Thank you for the reports. This last run with Malwarebytes is much much better. It removed the IFEOHijack pests. Bravo.
This system does have McAfee antivirus. Please launch McAfee and do a new regular scan. Let me know the result.

Hello Marice

 

Can I delete all the files within Malwarebytes which have been quarantined? I did run my McAfee full scan and it did not recognize any threats. However, even before I Quarantined the IFEOHijack, McAfee did not recognize any threats. Only Malwarebytes found the IFEOHijack. 

 

Do you know from where I got that IFEOHijack? Is it harmful as McAfee did not find this malware?

 

Thank you in advance!

Link to post
Share on other sites

Leave what is in the Quarantine alone. The items there are in permanent solitary jail. They are no longer any threat.
The items were a few registry entries that mis-used the Image File Execution Options (IFEO) registry key in Windows.
They were removed.  They were classified as riskware. Riskware is defined as
 

Riskware, or "risky software," describes legitimate software programs that contain loopholes or vulnerabilities that can be exploited by hackers for malicious purposes.

We need to do more scanning. This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. 

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.  That is, once it is under way, you should leave it running.  It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
Link to post
Share on other sites

11 hours ago, Maurice Naggar said:

Leave what is in the Quarantine alone. The items there are in permanent solitary jail. They are no longer any threat.
The items were a few registry entries that mis-used the Image File Execution Options (IFEO) registry key in Windows.
They were removed.  They were classified as riskware. Riskware is defined as
 

Riskware, or "risky software," describes legitimate software programs that contain loopholes or vulnerabilities that can be exploited by hackers for malicious purposes.

We need to do more scanning. This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. 

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.  That is, once it is under way, you should leave it running.  It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

Hello Maurice

 

Thank you very much for your explanation.

 

Please find attached the ESET Scan Result. 

 

ESET Scan Result.txt

Link to post
Share on other sites

@LivKelli The ESET scanner found no virus; no trojan; no malware.

[ 2 ]

I would recommend getting a readout report as to update status of some key apps.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.