Jump to content

Win Svr 2007-registry/Image File Execution Options\iexplore.exe


Recommended Posts

Can you tell me any information on the listed error below? Error log is attached also.


Malwarebytes' Anti-Malware 1.44

Database version: 3916

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

3/26/2010 8:28:45 AM

mbam-log-2010-03-26 (08-28-38).txt

Scan type: Full Scan (C:\|)

Objects scanned: 879993

Time elapsed: 40 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe (Security.Hijack) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Link to post
Share on other sites

  • Staff

This is not really a false positive. This depends what's under the key.

Malware may use the Image File Execution Options key and adds certain legitimate executable names under there. It then creates a value with the name "debugger" and the valuedata is pointing to a malicious exe instead.

So this means, in your case, since the executable name is iexplore.exe here, malware may have set a debugger under it and runs the debugger instead of running Internet explorer (iexplore.exe).

This since Windows always checks the "Image File Execution Options" key in the registry first before an application is run.

Not sure if you have updated already, Database version: 3917 now. This update contains an extra check for the Debugger value only and will ignore the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe key if no debugger value is present there.

That's why I need you to verify if mbam is still detecting this withe the database version 3917.


Link to post
Share on other sites

  • Staff
Does 3917 fix the error, ie it is a false positive or should it be Removed if found again?
If no debugger is present there, mbam shouldn't detect this anymore.

If mbam is still detecting it, then I would need an export of the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" key so I can have a look what debugger is present there.


Link to post
Share on other sites

Miekiemoes-I misunderstood you request for me to update, I thought you meant my request, not the program.

All-I updated Malware, removed the error from the Ignore list, reran Malware and got no errors. It looks like a fix. Thanks for the quick response from everyone.


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.