Win Svr 2007-registry/Image File Execution Options\iexplore.exe


caiinc


Can you tell me any information on the listed error below? Error log is attached also.

Thanks

Malwarebytes' Anti-Malware 1.44

Database version: 3916

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

3/26/2010 8:28:45 AM

mbam-log-2010-03-26 (08-28-38).txt

Scan type: Full Scan (C:\|)

Objects scanned: 879993

Time elapsed: 40 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe (Security.Hijack) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

mbam_log_2010_03_26__08_28_38_.txt


  • Staff

This is not really a false positive. It depends on what's under the key.

Malware may use the Image File Execution Options key and add certain legitimate executable names under it. It then creates a value with the name "debugger", and the value data points to a malicious exe instead.

So this means, in your case, since the executable name is iexplore.exe here, malware may have set a debugger under it and runs the debugger instead of running Internet Explorer (iexplore.exe).

This is because Windows always checks the "Image File Execution Options" key in the registry first before an application is run.

Not sure if you have updated already, Database version: 3917 now. This update contains an extra check for the Debugger value only and will ignore the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe key if no debugger value is present there.

That's why I need you to verify if mbam is still detecting this with the database version 3917.

Thanks.


  • Staff
Does 3917 fix the error, i.e. it is a false positive or should it be Removed if found again?
If no debugger is present there, mbam shouldn't detect this anymore.

If mbam is still detecting it, then I would need an export of the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" key so I can have a look at what debugger is present there.

Thanks.


Miekiemoes - I misunderstood your request for me to update; I thought you meant my request, not the program.

All - I updated Malware, removed the error from the Ignore list, reran Malware and got no errors. It looks like a fix. Thanks for the quick response from everyone.

Jim
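
The check described in the staff replies above (flag an Image File Execution Options subkey only when it carries a Debugger value) can be run against a registry export of the kind requested in the thread. This is an added example, not part of the original posts and not Malwarebytes code; the function names are hypothetical, the sample export is constructed with placeholder paths, and the text is assumed to be already decoded (regedit writes UTF-16).

```python
import re

IFEO = r"software\microsoft\windows nt\currentversion\image file execution options"

# Constructed sample export in regedit text format; all paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\Example\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"debugger"=hex(2):63,00,3a,00,5c,00,78,00,2e,00,65,00,78,00,65,00,00,00
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def decode_data(data):
    """Decode REG_SZ ("...") and REG_EXPAND_SZ (hex(2):...) data to text."""
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
    if data.lower().startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data  # other value types are returned as written

def find_ifeo_debuggers(reg_text):
    """Return {image name: debugger command} for IFEO subkeys with a Debugger value."""
    # Long hex values wrap with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    hits, image = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            parts = m.group("key").split("\\")
            # Drop the hive name; treat the 32-bit view as the same location.
            parent = "\\".join(parts[1:-1]).lower().replace("wow6432node\\", "")
            image = parts[-1] if parent == IFEO else None
            continue
        m = VAL_RE.match(line)
        # Value names are case-insensitive; keys without Debugger are ignored.
        if m and image and m.group("name").lower() == "debugger":
            hits[image] = decode_data(m.group("data"))
    return hits
```

Any image name returned here should map to a debugger the administrator installed deliberately; an unexpected command is what the staff member asked to see in the export.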
