
Finding the virus or file name from a Malwarebytes report


RobertCunningham


Hi Forum

First-time poster. I've tried to find this info on Google and via a search on the forum, but suspect I may not be searching on the correct phrase.

What I'd like to know is once Malwarebytes identifies a virus, Riskware or malware, where can I find the actual file or malicious code name?

I get reports that state things like this:

RiskWare.IFEOHijack, HKU\S-1-5-21-101202350-1709135890-1364944312-120735\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN|22, regedit.exe, , [bca4cc343862e0567fd3b7108281c43c]
RiskWare.IFEOHijack, HKU\S-1-5-21-101202350-1709135890-1364944312-122527\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN|22, regedit.exe, , [a6babc44ceccce687ed4e9de33d06898]
RiskWare.IFEOHijack, HKU\S-1-5-21-101202350-1709135890-1364944312-122567\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN|22, regedit.exe, , [4e12d22e900a1d19aaa8a126eb1803fd]
RiskWare.IFEOHijack, HKU\S-1-5-21-101202350-1709135890-1364944312-128155\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN|22, regedit.exe, , [d7893dc3801af54193bf4c7bd92aa15f]
RiskWare.IFEOHijack, HKU\S-1-5-21-101202350-1709135890-1364944312-132909\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN|22, regedit.exe, , [b3adf30db4e654e27bd7f6d114efdf21]

However, how do I find out what the actual file is that it's referring to, or the name of the malware?


Is this what you want?

RiskWare.IFEOHijack, HKU\S-1-5-21-101202350-1709135890-1364944312-120735\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN|22, regedit.exe

Red (RiskWare.IFEOHijack) = Malware name given by Malwarebytes

Black (everything after the first comma: HKU\S-1-5-21-101202350-1709135890-1364944312-120735\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN|22, regedit.exe) = File location/path

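Added example (not from the thread and not Malwarebytes' own code): a small Python parser for report lines of the shape shown above (detection name, location, data, blank field, bracketed tag) that splits the location into hive, user SID, key path and value name so the parts pondus pointed out can be read programmatically. The three sample lines are copied from the post above; the DisallowRun reading in describe() is ordinary Windows policy behaviour, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: three of the report lines quoted in the thread (tags as printed there).
SAMPLE_REPORT = r"""
RiskWare.IFEOHijack, HKU\S-1-5-21-101202350-1709135890-1364944312-120735\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN|22, regedit.exe, , [bca4cc343862e0567fd3b7108281c43c]
RiskWare.IFEOHijack, HKU\S-1-5-21-101202350-1709135890-1364944312-122527\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN|22, regedit.exe, , [a6babc44ceccce687ed4e9de33d06898]
RiskWare.IFEOHijack, HKU\S-1-5-21-101202350-1709135890-1364944312-132909\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN|22, regedit.exe, , [b3adf30db4e654e27bd7f6d114efdf21]
"""

@dataclass
class Detection:
    name: str             # detection name Malwarebytes assigned, e.g. RiskWare.IFEOHijack
    hive: str             # root hive, e.g. HKU
    sid: Optional[str]    # user SID when the location is a per-user hive under HKU
    key: str              # registry key path below the hive (and SID)
    value: Optional[str]  # registry value name inside that key (text after '|'), if any
    data: str             # what the value holds, e.g. regedit.exe
    tag: str              # hex tag Malwarebytes prints in brackets at the end of the line

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

def parse_line(line: str) -> Optional[Detection]:
    """Parse one 'name, location, data, extra, [tag]' line; None if it is not in that shape."""
    fields = line.strip().split(", ")
    if len(fields) != 5 or not (fields[4].startswith("[") and fields[4].endswith("]")):
        return None
    name, location, data, _extra, tag = fields
    key_part, sep, value = location.rpartition("|")   # key|value, or just a key
    if not sep:
        key_part, value = location, ""
    hive, *rest = key_part.split("\\")
    sid = None
    if rest and SID_RE.match(rest[0]):                 # HKU\<SID>\... is a per-user hive
        sid, rest = rest[0], rest[1:]
    return Detection(name, hive, sid, "\\".join(rest), value or None, data, tag[1:-1])

def parse_report(text: str) -> List[Detection]:
    return [d for d in map(parse_line, text.splitlines()) if d is not None]

def describe(d: Detection) -> str:
    """Plain reading of one detection. DisallowRun is the Explorer policy key whose numbered
    values each name an executable the user is blocked from running (Windows behaviour, not
    something the thread states); the value records the blocked program, not who wrote it."""
    where = f"{d.hive}\\{d.sid}\\{d.key}" if d.sid else f"{d.hive}\\{d.key}"
    if d.value and d.key.upper().endswith("POLICIES\\EXPLORER\\DISALLOWRUN"):
        return f"{d.name}: policy value {d.value} under {where} blocks {d.data} for that user"
    return f"{d.name}: {where}|{d.value or ''} = {d.data}"
```

Running parse_report over a full saved report and grouping by sid shows which user hives carry the same entry, which is the first thing to check before editing any of them by hand.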

Thank you for the reply pondus.

I already did some research on the Image File Execution Options Hijack and in my case it lists keys, like disallowrun that could be hijacked. When I open the key it is blank. Hence the question. Is there any way to find out from the log what application is performing the hijack so that I can get to the actual file name?

To manually remove it I need to know what file is requesting to be used instead of the standard one. In the case of the above for example, where could I find the name if the key and values are all null?
