

Undetected Malware

Hi there,

If I want to open an image file, then there is a suspect app - maybe malware? Undetected atm?



  • Can you export/take a look in the registry at the following key:

    HKEY_CURRENT_USER\Software\Classes\Applications

    I assume there is an application listed in there which relates to it.  

    I'm sure it's fine, just a broken entry.

  • I have the following registry entries:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Classes\.png\OpenWithProgids]
    "AppXcdh38jxzbcberv50vxg2tg4k84kfnewn"=hex(0):
    "AppX2jm25qtmp2qxstv333wv5mne3k5bf4bm"=hex(0):
    "AppXvsqkg1th80rv6s2rkh5m1hjp3hxryydd"=hex(0):
    "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"=hex(0):
    "AppXcesbfs704v2mjbts9dkr42s9vmrhxbkj"=hex(0):

    Looks a little bit crazy, I mean...

  • AppXcdh38jxzbcberv50vxg2tg4k84kfnewn = Microsoft.MSPaint

    AppX2jm25qtmp2qxstv333wv5mne3k5bf4bm = Microsoft.ScreenSketch

    AppX43hnxtbyyps62jhe9sqpdzxn1790zetc = Microsoft.Windows.Photos

    AppXcesbfs704v2mjbts9dkr42s9vmrhxbkj = Microsoft.Paint

    Not sure what AppXvsqkg1th80rv6s2rkh5m1hjp3hxryydd is?

    Do you see it under the key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs

    If you can see the prog id (AppXvsqkg1th80rv6s2rkh5m1hjp3hxryydd) as a key, the value under it will be the fullpackageid. If you run the following PS command, you can filter by the fullpackageid at the top of the output grid view and it will show you details about the package.

    Get-AppxPackage | select * | ogv

    That might explain it?

    Also check under:
    HKEY_CURRENT_USER\Software\Classes\Applications
    for the entries.

    Does that odd entry only appear for certain file types? If you right click on any file and choose "open with", then "choose another app", does it show for exe, dll, etc., i.e. something other than image files?

  • The key AppXvsqkg1th80rv6s2rkh5m1hjp3hxryydd is not under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs

    and here HKEY_CURRENT_USER\Software\Classes\Applications

    is only Firefox...

    Thanks for your help!

  • You could maybe search the registry for AppXvsqkg1th80rv6s2rkh5m1hjp3hxryydd to see if you can match it back to an application. You could always remove it from the registry, having exported it?

    Maybe check under the keys and values under for example:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithList
    If you see it with .png files? Maybe try other extensions in that path for other images types?

    I would probably run Process Monitor (Process Monitor - Sysinternals | Microsoft Learn) and see what registry keys are read when you reproduce the issue.

    Sorry, other than that I don't know but Process Monitor should help identify it. Thanks.
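As an added example (not code from this thread, from Sophos, or from Microsoft), a PowerShell script that performs the lookup the two replies above describe: it reads the AppX ProgIDs registered for an extension in the user hive (both the Classes key and the Explorer FileExts key), maps each one through the PackageRepository ProgIDs key to a package full name, and checks that name against Get-AppxPackage; a ProgID with no mapping is reported as unresolved, which is the usual signature of a stale entry left behind by an uninstalled Store app rather than of a running program. It assumes Windows 10/11 with the Appx module available; the `$Extension` parameter and the output field names are this example's own choices.

```powershell
# Added example: resolve the AppX ProgIDs registered for one file extension.
# Assumes Windows 10/11 with the Appx module; $Extension is an assumed parameter.
param([string]$Extension = '.png')

# Key named in the thread: ProgID -> package full name (stored as the value name).
$repo = 'HKLM:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs'

# Both user-hive locations the replies point at for per-extension handlers.
$sources = @(
    "HKCU:\Software\Classes\$Extension\OpenWithProgids",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\OpenWithProgids"
)

# Collect every AppX* value name registered for the extension.
$progIds = foreach ($src in $sources) {
    if (Test-Path -LiteralPath $src) {
        (Get-Item -LiteralPath $src).GetValueNames() | Where-Object { $_ -like 'AppX*' }
    }
}

# Packages installed for the current user (run elevated with -AllUsers to widen).
$installed = Get-AppxPackage

foreach ($progId in ($progIds | Sort-Object -Unique)) {
    $key = Join-Path $repo $progId
    if (-not (Test-Path -LiteralPath $key)) {
        # No mapping at all: typically a leftover from an uninstalled Store app.
        [pscustomobject]@{ ProgId = $progId; PackageFullName = $null; Name = $null; Status = 'unresolved' }
        continue
    }
    # As the reply describes, the value under the ProgID key carries the package full name.
    $full = (Get-Item -LiteralPath $key).GetValueNames() | Select-Object -First 1
    $pkg  = $installed | Where-Object PackageFullName -eq $full
    [pscustomobject]@{
        ProgId          = $progId
        PackageFullName = $full
        Name            = $pkg.Name
        Status          = if ($pkg) { 'installed' } else { 'mapped but not installed for this user' }
    }
}
```

Run it once per image extension (`.\resolve.ps1 -Extension '.jpg'`) to see whether the unknown ProgID is tied to only one type, which is the question the first reply asks.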

  • Hi Sophos User,

    thanks so much for your effort! I didn't know this app before, it looks nice - but a lot of output! The search took 38 minutes, and I'm running an i7 with 16G RAM - it looks like I should upgrade to an i12 with 128G RAM. :D

    I'm sure that I can solve the issue with this application. Thanks so much!