Adwcleaner seems to regard Googleupdate.exe as malware



#1 Gorbulan


Posted 29 October 2014 - 04:56 PM

I ran Adwcleaner on two different computers today and found this:

# AdwCleaner v4.001 - Report created 29/10/2014 at 11:06:33
# Updated 20/10/2014 by Xplode
# Database : 2014-10-26.6
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : lausd_administrator - LIBGIGABYTEPC
# Running from : J:\Software\Windows\Antivirus\AdwCleaner.exe
# Option : Scan


***** [ Services ] *****




***** [ Files / Folders ] *****




***** [ Scheduled Tasks ] *****




***** [ Shortcuts ] *****




***** [ Registry ] *****


Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe


***** [ Browsers ] *****


-\\ Internet Explorer v0.0.0.0




-\\ Mozilla Firefox v32.0.1 (x86 en-US)




-\\ Google Chrome v38.0.2125.111




*************************


AdwCleaner[R0].txt - [772 octets] - [29/10/2014 11:06:33]


########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [831 octets] ##########

It seems AdwCleaner thinks GoogleUpdate.exe is a virus. AdwCleaner succeeded in removing it. But Malwarebytes and Bitdefender came back with clean results (before AdwCleaner cleaned it). Also, GoogleUpdate.exe reappears if you reinstall Chrome.

 

I think Adwcleaner 4.001 has a false positive with Chrome's updater program.





#2 quietman7


Posted 29 October 2014 - 06:12 PM

The detection is not related to a virus. AdwCleaner will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, browser extensions, add-ons/plug-ins, browser helper objects (BHOs) and other junkware, including related registry entries (values, keys). AdwCleaner will remove all traces of these types of programs, which includes related services, registry entries (values, keys), files, folders and potentially unwanted extensions.

In your case, the detection is related to a registry key (Image File Execution Option or IFEO). Many programs will add this registry key, so its presence is not unusual or uncommon.
 

Image File Execution Options provides you with a mechanism to always launch an executable directly under the debugger. This is extremely useful if you ever need to investigate issues in the executable's startup code (services especially). You can set the IFEO options directly via the registry or indirectly using the Gflags tool (available with the Windows debugging toolkit).

Image File Execution Options (IFEO)

IFEO lets you set some registry goo such that when you launch a target app (specified by a registry key name), a debugger (specified by a string named "debugger" under that registry key) is executed instead. The debugger then launches the target app under its control.

IFEO and Managed-debugging

Evil can be done with the Image File Execution Options key. Malware can install itself as the "debugger" for a frequently-run program (such as Explorer) and thereby inject itself into the execution sequence.

Beware the Image File Execution Options key (IFEO)
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#3 tech@123


Posted 30 October 2014 - 12:25 AM

I think this is the source code error. You must register AdwCleaner on your computer before running it in administrator mode, and if you are using Windows 7 or Windows Vista.



#4 quietman7


Posted 30 October 2014 - 05:19 AM

Vista/Windows 7/8 users just need to right-click on AdwCleaner.exe and select Run As Administrator.

#5 Gorbulan


Posted 30 October 2014 - 01:49 PM

Even if the user has Admin rights? No problem selecting "Run As Admin", as it is a force of habit anyway.



#6 Without_A_Monitor


Posted 30 October 2014 - 02:47 PM

Could you, quietman, please clarify if the GoogleUpdate.exe should be deleted or not?

#7 quietman7


Posted 30 October 2014 - 04:35 PM

%ProgramFiles%\Google\Update\GoogleUpdate.exe is a valid file and path for Google Software...see here.

In this case the detection is related to a registry key. I don't use Google Software so I cannot confirm if it is a legit entry without more information.

Gorbulan had posted the same question here yesterday and was advised what to do in order to get a better look at his system.

#8 Gorbulan


Posted 30 October 2014 - 04:54 PM

I can post the Farbar logs...but I do not see a link for attachments here.

 

Here is the link for the appropriately placed post in Mbam's forum, the one with the logs.



#9 quietman7


Posted 30 October 2014 - 05:07 PM

After posting a log(s) for assistance at another security forum, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by their Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log(s) you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

If the computer is not infected and you are just posting your log(s) for a more detailed examination of your system, the same information above in regards to confusion and system modification applies.

From this point on the Malware Response Team where you asked for help should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic.

Good luck.

#10 xXToffeeXx


Posted 31 October 2014 - 06:14 AM

In this case the detection is related to a registry key. I don't use Google Software so I cannot confirm if it is a legit entry without more information.

Just an FYI for those who may read: I have the key on my computer, so I would indeed say it is legit. A lot of programs add keys there, so it is not usual; the problem is when there is a Debugger value set when there should not be one (something malware does).
 
xXToffeeXx~

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~
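An added example, not from this thread or from AdwCleaner, that audits the key discussed in quietman7's and xXToffeeXx's posts above. It lists every IFEO subkey and separates the harmless case (a subkey with no Debugger value, like the GoogleUpdate.exe key in the log above) from the case worth reviewing (a Debugger value present), and for the latter checks whether the named program exists and carries a valid Authenticode signature. It assumes a Windows host with PowerShell, preferably run elevated; the function names Get-IfeoDebuggerReport and Get-DebuggerImagePath are mine. A Debugger value is not automatically malicious (debugging tools set it deliberately), so the output is a review list, not a deletion list.

```powershell
# Added example (not from the thread): audit the IFEO key for Debugger values.
# A subkey that merely exists is informational; a subkey with a Debugger value
# causes the named program to be started in place of the image, which is the
# case the posts above say should be reviewed.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Extract the executable path from a Debugger value such as
#   "C:\Tools\dbg.exe" -flag   or   C:\Tools\dbg.exe -flag
function Get-DebuggerImagePath([string]$Debugger) {
    $d = $Debugger.Trim()
    if ($d.StartsWith('"')) {
        $end = $d.IndexOf('"', 1)
        if ($end -gt 1) { return $d.Substring(1, $end - 1) }
    }
    return ($d -split '\s+', 2)[0]
}

function Get-IfeoDebuggerReport {
    foreach ($key in Get-ChildItem -LiteralPath $IfeoPath) {
        $debugger = (Get-ItemProperty -LiteralPath $key.PSPath).Debugger
        if (-not $debugger) {
            # Key present without a Debugger value: the GoogleUpdate.exe situation.
            [PSCustomObject]@{ Image = $key.PSChildName; Status = 'Info: key present, no Debugger value'; Debugger = ''; Signer = '' }
            continue
        }
        $exe = Get-DebuggerImagePath $debugger
        if (Test-Path -LiteralPath $exe) {
            # A missing or invalid Authenticode signature raises the review priority.
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $signer = '{0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
            $status = if ($sig.Status -eq 'Valid') { 'Review: Debugger set, signed target' } else { 'Review: Debugger set, unsigned target' }
        } else {
            $signer = ''
            $status = 'Review: Debugger set, target file missing'
        }
        [PSCustomObject]@{ Image = $key.PSChildName; Status = $status; Debugger = $debugger; Signer = $signer }
    }
}

Get-IfeoDebuggerReport | Sort-Object Status, Image | Format-Table -AutoSize -Wrap
```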




