Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

False positive?


  • Please log in to reply
5 replies to this topic

#1 Guest_IRI5HJ4CK_*

Guest_IRI5HJ4CK_*

  • Guests
  • OFFLINE
  •  

Posted 23 August 2011 - 05:30 AM

Hi all,

I scanned my system yesterday with Superantispyware. It came up with 44 security issues called: 'Security.HiJack[ImageFileExecutionOptions]'.

I've done a bit of searching, and some people have said that this is a false positive. However, I want to make sure that this is the case.

I sent off a 'false positive' report to Superantispyware, and as yet I have not received feedback. I have also done a scan with Bullgaurd's scanner, and it reported nothing. I am also currently running scans with Malwarebytes and Windows Defender, and I will let you all know when the scans finish.

I am slightly confused as to how a virus(s) got onto my system in the first place, if they are not false positives. I use Sandboxie which seems to have helped in the past with any potential threats. My only other concern is that a few days ago, I accidentally went on a site which left a virus on my parents laptop. Unfortunately at the time I hadn't got Sandboxie installed, and the system was infected. I did however manage to remove everything via safe mode and using Superantispyware. Later on I looked at the log, and it seems that there was indeed a 'real' virus, however, the same 'Security.HiJack[ImageFileExecutionOptions]' 'virus' was also there, but at the time I thought nothing of it, as I believed it to be part of the 'real' virus (which if I remember rightly was a trojan). Hence, I am slightly confused as to whether or not this indeed is a false positive or not, and whether if 'Security.HiJack[ImageFileExecutionOptions]' is a real virus, how did it cross over from the laptop to my system, or visa versa?

Here is Superantispyware's log from the scan on my system:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/22/2011 at 09:46 PM

Application Version : 4.45.1000

Core Rules Database Version : 7288
Trace Rules Database Version: 5100

Scan type : Complete Scan
Total Scan Time : 01:03:51

Memory items scanned : 628
Memory threats detected : 0
Registry items scanned : 15719
Registry threats detected : 42
File items scanned : 100523
File threats detected : 0

Security.HiJack[ImageFileExecutionOptions]
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HAMACHI-2-UI.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HAMACHI-2-UI.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ITUNES.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ITUNES.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LAYOUT.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LAYOUT.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSERVER.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSERVER.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORE.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORE.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCCOMPANION.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCCOMPANION.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RADIOSOUNDS.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RADIOSOUNDS.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHIPSIM2008.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHIPSIM2008.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SKETCHUP.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SKETCHUP.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\STYLE BUILDER.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\STYLE BUILDER.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UNINS000.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UNINS000.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UNINSTALL.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UNINSTALL.EXE#Debugger
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE#Debugger

Thanks in advance, I greatly appreciate your help.

Kind Regards,
Jack.
P.S. I have also manually updated Superantispyware to see if it still picks up any threats (assuming that if this is a false positive, it has been reported before). The update did not seem to make a difference as the threats were still detected.

Edited by IRI5HJ4CK, 23 August 2011 - 05:33 AM.


BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US

Posted 23 August 2011 - 06:09 AM

IFEOs can be used for both legitimate and nefarious purposes.

Usually you won't have IFEOs on common apps such as iTunes though unless you've messed with them yourself. Not an absolute. . . just a generality.

Since you mention being infected before I'd go ahead and have SAS remove those.

Hope that helps.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 Guest_IRI5HJ4CK_*

Guest_IRI5HJ4CK_*

  • Guests
  • OFFLINE
  •  

Posted 23 August 2011 - 02:21 PM

Hi Blade,

I haven't messed around with any of the files. My only suggestion could be that I recently installed TuneUp Utilities 2011 - would this have had any effect?

Also, if I remove this will it cause any errors or problems, if they are false positives? Also, what effects will these viruses have had on my system if they are not false positives?

Also, Malwarebytes finished the scan and flagged up:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\itunes.exe (Security.Hijack) -> No action taken.

Thanks once again for your help and quick response,

Kind Regards,
Jack.

Edited by IRI5HJ4CK, 23 August 2011 - 02:24 PM.


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:11:24 AM

Posted 23 August 2011 - 03:36 PM

Hi Jack.

My only suggestion could be that I recently installed TuneUp Utilities 2011 - would this have had any effect?


Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

• Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

• Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

• Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

• Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

• The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.
***************************************************

Also, if I remove this will it cause any errors or problems, if they are false positives?

If they were false positives, yes removing them could cause problems. However, I'm fairly confident that they are not. If you wish to be safe, you can take a registry backup first.

Download ERUNT from Derfisch or MVPS and save it to your desktop.

Please follow Step 4 onwards of the Installing & Using ERUNT guide to back up your registry. Skip Step 19 for now.

***************************************************

Also, what effects will these viruses have had on my system if they are not false positives?


Assuming you got rid of everything there are likely no lasting effects.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 Guest_IRI5HJ4CK_*

Guest_IRI5HJ4CK_*

  • Guests
  • OFFLINE
  •  

Posted 23 August 2011 - 04:32 PM

Hi Blade,

Thankyou for your all your help. I have removed everything using Superantispyware.

After reading what you said regarding registry cleaners etc, I decided to un-install TuneUp Utilities as a precaution. Whilst doing so I noticed some files which it had been messing with as part of it's maintainence, and much of the software mentioned was listed as being hi-jacks in SAS. This makes me wonder whether or not the threats were actually detected by SAS as a result of TuneUp's maintainence, and so was actually a false positive. This would also tally up with the 'threats' which were on my parents laptop, as it too has TuneUp.

Either way, I have removed the threats as a precaution; just in case. I have tested the software after to make sure that they're all running okay, and all so far seems to be working as per usual.

Thankyou very much for all your help and expertise, I would gladly come here again for advice.

Kind Regards,
Jack.

#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US

Posted 23 August 2011 - 06:57 PM

Glad I could help :)

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users