caiinc

Win Svr 2007-registry/Image File Execution Options\iexplore.exe


Can you tell me any information on the listed error below? Error log is attached also.

Thanks

Malwarebytes' Anti-Malware 1.44

Database version: 3916

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

3/26/2010 8:28:45 AM

mbam-log-2010-03-26 (08-28-38).txt

Scan type: Full Scan (C:\|)

Objects scanned: 879993

Time elapsed: 40 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe (Security.Hijack) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

mbam_log_2010_03_26__08_28_38_.txt


I just posted it. I need to know if it is a legit error or false positive. No it is not fixed.

Thanks,

Jim


This is not really a false positive. This depends on what's under the key.

Malware may use the Image File Execution Options key and add certain legitimate executable names under there. It then creates a value with the name "Debugger" whose value data points to a malicious exe instead.

So this means, in your case, since the executable name is iexplore.exe here, malware may have set a debugger under it and run the debugger instead of running Internet Explorer (iexplore.exe).

This is because Windows always checks the "Image File Execution Options" key in the registry first before an application is run.

Not sure if you have updated already, Database version: 3917 now. This update contains an extra check for the Debugger value only and will ignore the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe key if no debugger value is present there.

That's why I need you to verify if mbam is still detecting this with the database version 3917.

Thanks.


exile...odd, I updated to 3916 about 7:30am before I scanned. Will update and scan again. Does 3917 fix the error, ie it is a false positive or should it be Removed if found again?

Does 3917 fix the error, ie it is a false positive or should it be Removed if found again?

If no debugger is present there, mbam shouldn't detect this anymore.

If mbam is still detecting it, then I would need an export of the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" key so I can have a look what debugger is present there.

Thanks.

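The two posts above describe the check that database 3917 applies (ignore an IFEO subkey that has no Debugger value, flag one that does) and ask for a regedit export of the key. The following is an added example, not Malwarebytes code or anything from this thread: it parses a .reg export and lists every IFEO subkey that carries a Debugger value. The sample export, its image names and the debugger path are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a regedit .reg export. Real exports are UTF-16 LE with a BOM,
# so read them with open(path, encoding="utf-16"). Paths and names here are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Users\\Public\\evil.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\some.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

# Path fragment that identifies the IFEO key, whatever hive prefix the export uses.
IFEO_MARKER = "\\Image File Execution Options\\"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] line to its values. REG_SZ data is unescaped; other types stay raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                name, raw = m.group(1), m.group(2)
                if raw.startswith('"') and raw.endswith('"'):
                    # .reg escapes backslashes and quotes inside REG_SZ data
                    raw = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = raw
    return keys


def find_ifeo_debuggers(text: str) -> List[Tuple[str, str]]:
    """Return (image name, debugger path) for IFEO subkeys that carry a Debugger value.
    Subkeys without one (like iexplore.exe in the sample) are ignored, mirroring 3917."""
    hits = []
    for key, values in parse_reg(text).items():
        if IFEO_MARKER.lower() not in key.lower():
            continue
        image = key.rsplit("\\", 1)[-1]
        for name, data in values.items():
            if name.lower() == "debugger":
                hits.append((image, data))
    return hits
```

A hit is not automatically malicious; what matters, as the post says, is where the Debugger data points, so review that path before deleting anything.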

If it is still detected after updating to database version 3917 then it is not a false positive, but if it is not detected after updating to 3917 then that means it was an FP and is now fixed :).


Miekiemoes-I misunderstood your request for me to update, I thought you meant my request, not the program.

All-I updated Malware, removed the error from the Ignore list, reran Malware and got no errors. It looks like a fix. Thanks for the quick response from everyone.

Jim
