
Thread: ...\Image File Execution Options\taskmgr.exe

  1. #1
    Senior Member
    Join Date
    May 2006
    Posts
    236

    Question ...\Image File Execution Options\taskmgr.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

    Is this a false positive? I am using an old, updated Windows XP Pro. SP3 machine. I never had this one before. Attached a zip file with logs from its C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\.

    Thank you in advance.

  2. #2
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    hello,

    this is kind of a false positive.
    In your case this should not have been detected unless malicious exe files from Crypt.InfectRansom have been detected on your computer. And you would actually know it when your computer is taken for ransom.

    Image File Execution Options are usually not set. Sometimes a debugger is set there for legitimate operations, but mostly it is used by malware to either block execution of files or to start malware when a file is started.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.
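    A way to check the key yourself, as an added example that is not part of the thread and not Spybot's detection logic: the script below parses a `reg export` of the Image File Execution Options key and tells a deliberate Task Manager replacement (the Process Explorer path reported in post #4) apart from the hijacks Yodama describes, a Debugger value that blocks the program or points at a dropped file. The sample export, the programs hooked in it other than taskmgr.exe, and the allow-lists of replacement tools and debuggers are constructed for the example.

```python
r"""Triage Image File Execution Options (IFEO) "Debugger" values from a reg export.

Added example, not code from the thread or from Spybot. On the affected machine:
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
then run this script with ifeo.reg as its argument (reg.exe writes UTF-16 with a BOM).
"""
from __future__ import annotations

import ntpath
import re
import sys
from dataclasses import dataclass

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# Tools that register themselves as the "debugger" of taskmgr.exe on purpose
# (the "Replace Task Manager" option of Process Explorer and Process Hacker).
TASKMGR_REPLACEMENTS = {"procexp.exe", "procexp64.exe", "processhacker.exe"}
# Real debuggers an admin may have attached to an image (assumption; tune per site).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe"}
# Directories malware habitually drops into (case-insensitive substring match; assumption).
SUSPICIOUS_DIRS = ("\\application data\\", "\\temp\\", "\\local settings\\", "\\appdata\\")

# Constructed sample of a reg export. The taskmgr.exe entry uses the Process Explorer
# path reported in post #4; the other hooked programs are hypothetical.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Program Files\\ProcessExplorer\\procexp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p %ld -e %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="C:\\Documents and Settings\\All Users\\Application Data\\xq1.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscorwks.dll"=dword:00000001
"""


@dataclass
class Finding:
    image: str      # program being hooked (the IFEO subkey name)
    debugger: str   # Debugger value as stored
    verdict: str    # "expected", "known-debugger" or "suspicious"
    reason: str


_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_STR_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(value: str) -> str:
    # reg export writes backslash as \\ and double quote as \" inside string values
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_ifeo_export(text: str) -> dict[str, str]:
    """Return {image name: Debugger command} for each direct IFEO subkey that sets one."""
    prefix = IFEO_KEY.lower() + "\\"
    debuggers: dict[str, str] = {}
    current = None
    for line in text.splitlines():
        key = _KEY_RE.match(line)
        if key:
            current = None
            name = key.group(1)[len(prefix):] if key.group(1).lower().startswith(prefix) else ""
            if name and "\\" not in name:   # skip nested keys such as taskmgr.exe\PerfOptions
                current = name
            continue
        val = _STR_VALUE_RE.match(line)
        if val and current and val.group(1).lower() == "debugger":
            debuggers[current] = _unescape(val.group(2))
    return debuggers


def _debugger_exe(cmd: str) -> str:
    """Lower-cased basename of the executable in a Debugger command ('ntsd -d' -> 'ntsd.exe')."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
    exe = ntpath.basename(exe).lower()
    return exe if "." in exe else exe + ".exe"


def triage(debuggers: dict[str, str]) -> list[Finding]:
    findings = []
    for image, cmd in sorted(debuggers.items()):
        exe, low = _debugger_exe(cmd), cmd.lower()
        if image.lower() == "taskmgr.exe" and exe in TASKMGR_REPLACEMENTS:
            f = Finding(image, cmd, "expected", f"{exe} registered as Task Manager replacement")
        elif exe == "ntsd.exe" and "-d" in cmd.split():
            # blocking trick: the image is started under "ntsd -d" and never runs visibly
            f = Finding(image, cmd, "suspicious", "'ntsd -d' hook keeps the image from running")
        elif any(d in low for d in SUSPICIOUS_DIRS):
            f = Finding(image, cmd, "suspicious", "debugger lives in a user-writable drop directory")
        elif exe in KNOWN_DEBUGGERS:
            f = Finding(image, cmd, "known-debugger", f"{exe} is a real debugger; confirm it was set on purpose")
        else:
            f = Finding(image, cmd, "suspicious", f"unknown program {exe} hooked onto {image}")
        findings.append(f)
    return findings


if __name__ == "__main__":
    # reg.exe writes UTF-16 with a BOM; with no argument the constructed sample is used
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in triage(parse_ifeo_export(text)):
        print(f"{f.verdict:15} {f.image:15} {f.debugger}\n{'':15} {f.reason}")
```

    Two caveats when using it on a real machine: on 64-bit Windows the 32-bit registry view has its own copy of the key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, so export and triage both; and an "expected" verdict only means the value looks like a Task Manager replacement, so still check that the file it points to is the signed Sysinternals or Process Hacker binary rather than something dropped under that name.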

  3. #3
    Senior Member
    Join Date
    May 2006
    Posts
    236

    Default

    Quote Originally Posted by Yodama (post #2)
    Ah thanks. I let Spybot S&D remove it. So far, nothing weird/odd on the machine. I already rebooted too.

  4. #4
    Junior Member
    Join Date
    Oct 2006
    Location
    Casper, WY
    Posts
    5

    Default

    Yes, this is/can be a false positive.

    I have Process Explorer from Sysinternals installed and set to replace Task Manager on my machines. I have downloaded it only from Microsoft TechNet, and even old versions of Process Explorer are tripping the new "Crypt.InfectRansom++" detection.

    The installation (manual) directory I have used is: C:\Program Files\ProcessExplorer\ .

    I understand the severity of this if it weren't a benign program, and PE, having a fast update track, would be almost impossible to avoid. So the mistaken identity is completely understood (I am the author of ZB Block, and I know all about false positives... headaches.)

    The question is, what can be done?

    Zap
    73 from AE7EC

  5. #5
    Senior Member
    Join Date
    May 2006
    Posts
    236

    Default

    Quote Originally Posted by zaphodb777 (post #4)
    Ahh! I used PE!

  6. #6
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    Thanks for the additional info.

    I forgot to tell you that the next detection update scheduled for Wednesday 2012-07-25 will fix this issue. I changed a dependency in the detection.
    Last edited by Yodama; 2012-07-20 at 12:34. Reason: added date

  7. #7
    Senior Member
    Join Date
    May 2006
    Posts
    236

    Default

    Quote Originally Posted by Yodama (post #6)
    Thanks! I have restored my quarantined registry key entry, then.

  8. #8
    Junior Member
    Join Date
    Jul 2012
    Posts
    1

    Default

    I got that just a minute ago: Crypt.InfectRansom.

    Exact same location.

    I didn't have any problem with my computer, and I installed a Microsoft Word program earlier, so I think that's it.

    I also have procexp64.

    No problems I could find.

  9. #9
    Junior Member
    Join Date
    Jul 2012
    Posts
    1

    Default confirmed from me also

    Hi!

    I confirm that false positive. It frightened me a lot.

    It looks like any change of that registry entry from the Windows default causes that false positive.
    Last Sunday I got it from the installed Process Explorer mentioned above, and that ruined my free day.
    Today I tested Process Hacker from http://processhacker.sourceforge.net/, which is a "cousin" of PE and also enables "Replace Task Manager".
    And HEY, yes, the same false positive reappears.

    So, SB team, please narrow the search for malware in those two particular registry keys.

    Regardless of the above, I give Spybot 10 out of 10 points.
    I have used it for a very long time and can hardly wait for the new version, now in beta.

    Regards!

  10. #10
    Senior Member
    Join Date
    May 2006
    Posts
    236

    Default

    Quote Originally Posted by zdolar (post #9)
    They said they fixed it for tomorrow's updates. Let's try again tomorrow!
