Thanks a lot for your answer. I use EMET and I just learned* enabling SEHOP for a tool creates the value DisableExceptionChainValidation in the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<tool.exe> with value 0. The value is 1, if I disable SEHOP and the value is deleted, if I remove the tool in EMET completely. The key remains, though. After removing hijackthis.exe, autoruns.exe and autorunsc.exe from EMET, I still get the warnings in MBAM, I guess because the registry key still exists, allthough it doesn't contain any values anymore. * http://support.microsoft.com/kb/956607/en-us I guess I didn't run MBAM sice I added some software to the EMET apps list. Oddly enough, this key is created for every software I add to EMET, but it only creates a warning in MBAM for the three executables mentioned above. I exported the keys to textfiles (while SEHOP was enabled): Schlüsselname: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exeKlassenname: <KEINE KLASSE>Letzter Schreibzugriff: 31.07.2013 - 04:08Wert 0 Name: DisableExceptionChainValidation Typ: REG_DWORD Daten: 0Schlüsselname: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exeKlassenname: <KEINE KLASSE>Letzter Schreibzugriff: 31.07.2013 - 04:08Wert 0 Name: DisableExceptionChainValidation Typ: REG_DWORD Daten: 0Schlüsselname: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exeKlassenname: <KEINE KLASSE>Letzter Schreibzugriff: 31.07.2013 - 04:08Wert 0 Name: DisableExceptionChainValidation Typ: REG_DWORD Daten: 0I just found this thread: http://forums.malwarebytes.org/index.php?showtopic=127984&hl=+emet The problem seems to be the same, doesn't it?