Thread: ...\Image File Execution Options\taskmgr.exe
#1  Senior Member | Join Date: May 2006 | Posts: 236

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

    Is this a false positive? I am using an old, updated Windows XP Pro SP3 machine. I never had this one before. Attached a zip file with logs from its C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\.

    Thank you in advance.

#2  Yodama, Senior Member | Join Date: Oct 2005 | Location: Buchenheim | Posts: 1,110

    Hello,

    this is kind of a false positive.
    In your case this should not have been detected unless malicious exe files from Crypt.InfectRansom have been detected on your computer. And you would actually know it when your computer is taken for ransom.

    Image File Execution Options are usually not set. Sometimes a debugger is set there for legit operations, but mostly it is used by malware to either block execution of files or to start malware when a file is started.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

#3  Senior Member | Join Date: May 2006 | Posts: 236

    Quote Originally Posted by Yodama:
    Hello,

    this is kind of a false positive.
    In your case this should not have been detected unless malicious exe files from Crypt.InfectRansom have been detected on your computer. And you would actually know it when your computer is taken for ransom.

    Image File Execution Options are usually not set. Sometimes a debugger is set there for legit operations, but mostly it is used by malware to either block execution of files or to start malware when a file is started.
    Ah thanks. I let Spybot S&D remove it. So far, nothing weird/odd on the machine. I already rebooted too.

#4  zaphodb777, Junior Member | Join Date: Oct 2006 | Location: Casper, WY | Posts: 5

    Yes, this is/can be a false positive.

    I have Process Explorer from Sysinternals installed, and set to replace Task Manager on my machines. I have downloaded only from Microsoft TechNet, and even old versions of Process Explorer are tripping the new "Crypt.InfectRansom++" detection.

    The installation (manual) directory I have used is: C:\Program Files\ProcessExplorer\ .

    I understand the severity of this, if it weren't a benign program, and PE for having a fast update track, would almost be impossible to avoid. So the mistaken identity is completely understood (I am the author of ZB Block, and I know all about false positives... headaches.)

    The question is, what can be done?

    Zap
    73 from AE7EC
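The mechanism both replies above describe, Process Explorer's "Replace Task Manager" option and malware's abuse of the same Debugger value under Image File Execution Options, can be checked from the defender's side with a short audit of that key. The script below is an added example written for this thread; it is not code from Spybot, Sysinternals, or any poster. It assumes the IFEO path quoted in the first post and a hand-picked list of debugger image names (procexp.exe, procexp64.exe, windbg.exe, ntsd.exe, cdb.exe) that are treated as expected; anything else, any missing file, and any unsigned or invalidly signed file is simply marked for review.

```powershell
# Added example, not from the thread: list every IFEO subkey that carries a
# Debugger value and report whether it points at an expected, present, signed tool.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: these debugger image names are the ones we expect to find here.
# Process Explorer's "Replace Task Manager" option writes procexp.exe / procexp64.exe.
$expectedDebuggers = @('procexp.exe', 'procexp64.exe', 'windbg.exe', 'ntsd.exe', 'cdb.exe')

function Get-IfeoDebuggerReport {
    Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.Debugger) { return }   # no Debugger value: nothing to report

        # Debugger holds a command line; the executable is the first token, usually quoted.
        $cmd = [string]$props.Debugger
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
        $exeName = [System.IO.Path]::GetFileName($exe).ToLowerInvariant()

        # Does the referenced file exist, and does it carry a valid Authenticode signature?
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $signer = $null
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
        }

        if ($exists -and ($expectedDebuggers -contains $exeName) -and $signer) { $verdict = 'expected' }
        else { $verdict = 'review' }

        # New-Object PSObject keeps this usable on PowerShell 2.0 (the XP era of the thread).
        New-Object PSObject -Property @{
            Target   = $key.PSChildName   # the image name the hook applies to, e.g. taskmgr.exe
            Debugger = $cmd
            Exists   = $exists
            Signer   = $signer
            Verdict  = $verdict
        }
    }
}

Get-IfeoDebuggerReport | Format-Table Target, Debugger, Exists, Signer, Verdict -AutoSize
```

Run it from an elevated prompt so HKLM is fully readable. A Process Explorer hook shows up as Target taskmgr.exe with a Debugger path into its install directory (the thread's C:\Program Files\ProcessExplorer\ would be typical) and the Sysinternals/Microsoft signer; a Debugger value that points at a file which no longer exists, lives in a user-writable location, or has no valid signature is the pattern Yodama describes for malware and is the line to investigate first. Paths written with environment variables such as %SystemRoot% are not expanded here and will be flagged for review on purpose.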

#5  Senior Member | Join Date: May 2006 | Posts: 236

    Quote Originally Posted by zaphodb777:
    Yes, this is/can be a false positive.

    I have Process Explorer from Sysinternals installed, and set to replace Task Manager on my machines. I have downloaded only from Microsoft TechNet, and even old versions of Process Explorer are tripping the new "Crypt.InfectRansom++" detection.

    The installation (manual) directory I have used is: C:\Program Files\ProcessExplorer\ .

    I understand the severity of this, if it weren't a benign program, and PE for having a fast update track, would almost be impossible to avoid. So the mistaken identity is completely understood (I am the author of ZB Block, and I know all about false positives... headaches.)

    The question is, what can be done?

    Zap
    Ahh! I used PE!

#6  Yodama, Senior Member | Join Date: Oct 2005 | Location: Buchenheim | Posts: 1,110

    Thanks for the additional info.

    I forgot to tell you that the next detection update scheduled for Wednesday 2012-07-25 will fix this issue. I changed a dependency in the detection.
    Last edited by Yodama; 2012-07-20 at 12:34. Reason: added date