rmlake13

Registry Check

I ran into a rogue antivirus program while cleaning a computer today that modified several registry entries under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options". I've never run into something like this before, but apparently this registry location is intended for debugging purposes, and malware authors are using it to start malicious processes when someone attempts to run a legitimate program, or it just prevents programs from being opened in the first place. I'm not sure if SuperAntiSpyware scans for this type of problem or not, but it would sure be nice. When I ran a scan with it today, it came back with nothing, so my only clue was running Malwarebytes afterward, which then came up with the almost 800 registry modifications that were giving me my trouble.

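The Image File Execution Options key described in the post above works by letting a per-executable subkey carry a "Debugger" value: when the named program is started, Windows launches the Debugger command instead, with the original program as its argument. The following PowerShell audit script is an added example for technicians cleaning a machine; it is not code from the forum post, SuperAntiSpyware, or Malwarebytes. It assumes an elevated PowerShell prompt and lists every IFEO subkey (native and WOW6432Node views) that carries a Debugger value so the entries can be reviewed before removal.

```powershell
# Added example (not from the original post): audit Image File Execution Options
# for subkeys that redirect a program launch via a "Debugger" value.
# Run from an elevated PowerShell prompt on the machine being examined.

$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$findings = foreach ($base in $ifeoPaths) {
    # Skip a view that does not exist on this system (e.g. 32-bit Windows)
    if (-not (Test-Path -LiteralPath $base)) { continue }

    Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.Debugger) {
            [PSCustomObject]@{
                Program  = $_.PSChildName   # the executable whose launch is intercepted
                Debugger = $props.Debugger  # the command that runs in its place
                Hive     = $base
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Program | Format-Table -AutoSize
    "IFEO subkeys carrying a Debugger value: $(@($findings).Count)"
    # Keep a record of what was found before any entries are changed or removed
    $findings | Export-Csv -LiteralPath "$env:TEMP\ifeo-audit.csv" -NoTypeInformation
} else {
    'No IFEO subkeys carry a Debugger value.'
}
```

Legitimate tools (some debuggers and monitoring products) also register Debugger values, so each listed entry should be checked against what is actually installed rather than deleted wholesale. Hundreds of subkeys pointing at the same unfamiliar executable, as in the scan described above, is the pattern worth acting on.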
We certainly are aware of that key! I would be curious to see the log of MBAM on that scan to see if actual threats were removed or just registry traces.

I'm working on seeing if I can get the MBAM log, since I already returned the computer to its owner yesterday. I was just wondering what you were referring to as the actual threat, though? The executable that caused all this, or something else?
