Cartel

Everything posted by Cartel

  1. Hello, I'd like to help mbam remove this false positive for Registry Keys: 1
     PUP.Optional.Hicosmea, HKU\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}, , HKEY_USERS\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}
     This key is created every time I use Windows Media Encoder x64 Edition https://go.microsoft.com/fwlink/?LinkId=67406
  2. I installed 2.2.0.1024 because it said "Enhanced safeguards to prevent false positives on legitimate files". I had some false positives before so I removed them from quarantine and exceptions to see if they were no longer detected. It detected them all again so I re-applied my exceptions and decided to "fix" the other 2 items. I chose not to reboot and while running another program I was greeted with a UAC prompt accompanied by the "secure desktop" which I have disabled. I ran autoruns and noticed the windows defender service and iphelper service were both running also. I have no reason to have these so I disable them. After I disabled these items again, after a reboot they were "fixed" back to automatic start-up again, so was the UAC setting. I used the "recommended" threat scan and I don't see anything that mentions these actions so it's kinda annoying that these settings were altered against my wishes. I only use mbam once in a while and then delete it, as I did earlier. I'm sorry I can't give you the logs but I'm 100% sure that these changes are made by the software.
  3. MBAM does things without asking, like re-enabling UAC settings and re-enabling the Windows Defender and the IP Helper service. Is that really necessary?
  4. I never had any detections but those. I run mbam and have run your antirootkit before also. This only happens every 6 months; I do a double check with mbam and then use Avira 24/7. Avira 9 actually, shhhh. I backed up the keys and deleted them. CD burning still seems to function and thumbnails still work so the only way to be sure is to nuke the entire site from....oops I mean safer to delete the keys. If it was something critical I'd be more concerned, thanks.
  5. Here it is. thanks FBEB8A05-BEEE-4442-804E-409D6C4515E9.zip
  6. Thanks for the reply. Here you go: (Creation dates are today because I restored the keys.) FBEB8A05-BEEE-4442-804E-409D6C4515E9.txt
  7. AB8902B4-09CA-4BB6-B78D-A8F59079A8D is an empty key like the others above and below it.
  8. These keys are for CD burning. Installed with the OS (Windows 7 64bit)
     **********************************************************************************
     *** Trojan.Poweliks.B, HKU\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, , [72383eeed9b2280e8efa6b97b14fc63a],
     **Hijack.Trojan.Siredef.C, HKU\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}, , [6842aa820d7e8fa72d07a061d9270cf4],
     **Hijack.Trojan.Siredef.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}, , [6842aa820d7e8fa72d07a061d9270cf4],
     ************************************************************************************
     *** These keys are my group policy software restriction rules to stop Avira nagging.
     Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48D87BF0-9ACC-4133-9827-8A1BD16C4C01}, , [7238af7ded9ea29489d6c7a4b94b55ab],
     **Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48D87BF0-9ACC-4133-9827-8A1BD16C4C01}, , [4466fd2fb5d6c4726df25e0d9a6a728e],
     **Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48d87bf0-9acc-4133-9827-8a1bd16c4c01}|ItemData, C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe, , [7238af7ded9ea29489d6c7a4b94b55ab]
     **Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48d87bf0-9acc-4133-9827-8a1bd16c4c01}|ItemData, C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe, , [4466fd2fb5d6c4726df25e0d9a6a728e]
  9. Be nice if I could edit the preview of my post or edit it after posting.....sorry it's a block of text, it wasn't when I typed it.
  10. These keys are for CD burning. Installed with the OS (Windows 7 64bit)
      Trojan.Poweliks.B, HKU\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, , [72383eeed9b2280e8efa6b97b14fc63a],
      Hijack.Trojan.Siredef.C, HKU\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}, , [6842aa820d7e8fa72d07a061d9270cf4],
      Hijack.Trojan.Siredef.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}, , [6842aa820d7e8fa72d07a061d9270cf4],
      These keys are my group policy software restriction rules to stop Avira nagging.
      Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48D87BF0-9ACC-4133-9827-8A1BD16C4C01}, , [7238af7ded9ea29489d6c7a4b94b55ab],
      Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48D87BF0-9ACC-4133-9827-8A1BD16C4C01}, , [4466fd2fb5d6c4726df25e0d9a6a728e],
      Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48d87bf0-9acc-4133-9827-8a1bd16c4c01}|ItemData, C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe, , [7238af7ded9ea29489d6c7a4b94b55ab]
      Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48d87bf0-9acc-4133-9827-8a1bd16c4c01}|ItemData, C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe, , [4466fd2fb5d6c4726df25e0d9a6a728e]