
Spiff

Members
  • Posts

    9
  • Joined

  • Last visited

Reputation

0 Neutral
  1. And many thanks to you and to the Malwarebytes team for fixing this so speedily.
  2. Ah, and thank you very much, shadowwar/ Rich Matteo, for your reply.
  3. I confirm what ky331 reported, no detections with database v2013.06.19.06. And I support what ky331 said regarding those detections.
  4. Thanks. It helped for 6 out of 7. One detection is still there:
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe (Security.Hijack)
     When you're working on that one, perhaps you can also anticipate the wmplayer key, which isn't in my registry for some reason, but is in others. Thanks again and best regards
  5. I hadn't checked what was in the exported keys, but I see you're right, there's no further data. And I see the same when I view those keys in the registry. I think it's not that odd for those software items that aren't on my system (like iTunes, for instance), but even that wordpad key has no value. I don't know what to think of it.
  6. Attached is the archive Registry export.zip containing the seven exported keys: chrome, firefox, iTunes, opera, Safari, winamp and wordpad. By the way, someone else also reported MBAM detecting a wmplayer key:
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe
     See: https://www.security.nl/artikel/46690/
     But that wmplayer key is not in my registry (although wmplayer is in the EMET Application Configuration list) so I can't include it in the zip file. Thanks very much and best regards
     Registry export.zip
  7. Um, yes, but what do you mean? Do you mean the saved log in developer mode, including the registry keys (which are in my initial post also, by the way), or do you mean some other registry export, I guess? If so, could you please specify which keys to export. Thanks very much.
  8. Thank you very much for your reply. I noticed I forgot to save and post a log in developer mode. I made it some minutes ago. But now I guess there's no need to post and attach that log? If you want me to, I can post it. Regarding the MBAM "Security.Hijack" detections, this phenomenon is new to EMET 4.0 final. It didn't occur using EMET 4.0 Beta, or with previous versions like EMET 3.5 Tech Preview and EMET 3.0. It's fine with me to add the MBAM detections concerned to the MBAM Ignore List. But perhaps it's a good idea for Malwarebytes to find out why MBAM detects those items when EMET 4.0 final is applied, and decide if MBAM should alert about it or not. Not everyone is wise enough to ignore such MBAM detections. Some go on and delete such items without any further thought - which they shouldn't, of course, but they do. I think it might be good to give this some more thought. Thanks very much and best regards
  9. Recently I installed and configured EMET 4.0 final.
     http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx
     http://www.microsoft.com/en-us/download/details.aspx?id=39273
     EMET 4.0 configuration: Imported EMET protection profile "Popular Software.xml" and checked "Deep Hooks" in Application Configuration (as that was not checked by default, for some reason).
     Today I noticed MBAM scan results that seem to indicate probably EMET 4.0 related MBAM false positives. I checked using G Data 2014 and HitmanPro, both found no infections or other issues, so I assume the MBAM results can be regarded as false positives.
     Here's the MBAM log:

     Malwarebytes Anti-Malware 1.75.0.1300
     Database version: v2013.06.19.03

     Windows Vista Service Pack 2 x86 NTFS
     Internet Explorer 9.0.8112.16421

     19-6-2013 13:00:53
     MBAM-log-2013-06-19 (13-05-31).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 277490
     Time elapsed: 4 minute(s), 27 second(s)

     Registry Keys Detected: 7
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack) -> No action taken.
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe (Security.Hijack) -> No action taken.
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iTunes.exe (Security.Hijack) -> No action taken.
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe (Security.Hijack) -> No action taken.
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe (Security.Hijack) -> No action taken.
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe (Security.Hijack) -> No action taken.
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe (Security.Hijack) -> No action taken.
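The triage the thread works through by hand (export the flagged Image File Execution Options subkeys, then look at whether they carry any data) can be done mechanically. The script below is an added example, not code from the poster, Malwarebytes or EMET: it parses the text of a regedit .reg export, collects the IFEO subkeys, and sorts each into "hijack" (a Debugger or VerifierDlls value is set, which is what actually redirects or instruments a process launch), "empty" (a bare subkey with no values, as the poster found in the exported keys) or "other". The sample export embedded in it is constructed for the example; the notepad.exe and taskmgr.exe entries and the path C:\Temp\hijack.exe are hypothetical and are not from the poster's archive.

```python
"""Triage Image File Execution Options (IFEO) subkeys from a regedit .reg export."""
import re
from typing import Dict

IFEO_PATH = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

# IFEO values that change what runs when the named image is launched.
# "Debugger" makes Windows start that program instead of the target (with the
# target's path as an argument); "VerifierDlls" loads DLLs into the target.
HIJACK_VALUES = {"debugger", "verifierdlls"}

# Constructed sample in regedit export syntax (hypothetical entries, not the
# poster's archive). A subkey with nothing under its [..] line has no values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Temp\\hijack.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"DisableExceptionChainValidation"=dword:00000000

"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    """Undo regedit's string escaping (\" and \\)."""
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for a .reg export.

    `text` is assumed to be already decoded (regedit writes .reg files as
    UTF-16 LE with a BOM). Keys marked for deletion ("[-HKEY...]") are skipped.
    String data is unescaped; dword:/hex: data is kept as the raw token.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = None if m.group(1) == "-" else m.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        # hex(...) data may be wrapped over several lines ending in a backslash
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(2) else _unescape(m.group(1))
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def classify_ifeo(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each direct IFEO subkey (e.g. 'chrome.exe') to 'hijack', 'empty' or 'other'."""
    prefix = IFEO_PATH.lower() + "\\"
    verdicts: Dict[str, str] = {}
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        sub = path[len(prefix):]
        if "\\" in sub:  # nested subkeys are out of scope for this triage
            continue
        if any(name.lower() in HIJACK_VALUES for name in values):
            verdicts[sub] = "hijack"
        elif not values:
            verdicts[sub] = "empty"
        else:
            verdicts[sub] = "other"
    return verdicts


if __name__ == "__main__":
    for image, verdict in sorted(classify_ifeo(parse_reg(SAMPLE_REG)).items()):
        print(f"{image:<12} {verdict}")
```

To run it on a real export, read the file with `encoding="utf-16"` and pass the text to `parse_reg`. An "empty" verdict is the situation in this thread: a bare IFEO subkey has no Debugger value and therefore cannot redirect the launch of chrome.exe or firefox.exe, so the scanner is reacting to the key's presence rather than to a working hijack. A "hijack" verdict still needs a human look at the Debugger path before anything is deleted, since legitimate tools also register there.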