
Showing results for tags 'registry'.




Found 16 results

  1. Hi Malwarebytes, I was infected by a KMSPico installation. I'm very sure of the signs of infection. (Unfortunately, I only noticed the malware and viruses after a day.) So I clean-restored Windows, and Windows was activated by digital signature activation from my cooperation. But after checking with FRST, I still suspect that something is still infected. Please check my attached FRST log, since I have no idea what kind of virus is still infecting my system files. Please kindly help me. Any kind of support is much appreciated. FRST.txt
  2. As the title suggests, Malwarebytes keeps skipping registry files and I KNOW that's where something is located that Windows Defender is too bad to detect... is there a way to maybe let it scan there at all?
  3. I recently ran Malwarebytes for the first time in a while and the following was detected: Registry Key: 10 RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE, No Action By User, [6454], [249843],1.0.8051 RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE, No Action By User, [6454], [249843],1.0.8051 RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE, No Action By User, [6454], [249279],1.0.8051 RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNSAS.EXE, No Action By User, [6454], [249733],1.0.8051 RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE, No Action By User, [6454], [249279],1.0.8051 RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNSAS.EXE, No Action By User, [6454], [249733],1.0.8051 RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE, No Action By User, [6451], [249279],1.0.8057 RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE, No Action By User, [6451], [249279],1.0.8057 RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE|DEBUGGER, No Action By User, [6451], [249279],1.0.8057 RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ITUNES.EXE|DEBUGGER, No Action By User, [6451], [249279],1.0.8057 Are these detections false positives? I have recently installed AVG Tune Up and suspect that some of them may be false positives. AVG and Antispyware did not detect anything. Scans.docx
  4. I have these two programs called Idle Buddy and SSO on my computer. I ran a scan with Malwarebytes and cleaned up 18 threats, two of which were Trojan.Roraccoon, and the rest were riskware or PUPs. After rescanning my computer with Malwarebytes, Emsisoft, Norton, and other scanners, only a few things popped up and I cleaned them up. After another rescan everything seemed clean... So I uninstalled the programs and thought I was safe. However, just today Malwarebytes came up with two new threats, this time in the admin account on my computer, both riskware. This prompted me to rescan everything (scans came up clean). I then opened the program files and searched through to see if there were any files left over from the virus. I got rid of several files associated with Idle Buddy and SSO, and I think they’re all gone now (but I’m not sure). Then, I checked the registry for anything weird. I saw three registry entries that had been created by SSO and Idle Buddy, but when I tried to delete them I was given an error that said that these keys could not be deleted. Is there any way I can get rid of these for good? I have a bad feeling that even though most of them were caught and quarantined/deleted, they may still be doing things behind the scenes (like what happened to my admin account)... Here are the registry keys that I’m trying to delete: HKLM\SOFTWARE\IdleBuddy HKLM\SOFTWARE\WOW6432Node\IdleBuddy HKLM\SOFTWARE\WOW6432Node\SSO
  5. I have posted a question "Unable to remove exclusions files and location (Either in Safe mode run Windows Defender or in Registry Editor) " in Microsoft Community. Anyone can help me solve
  6. I am looking for a way to at least be notified when an app/prog modifies the Windows registry, specifically the ~15 startup/auto-run areas of the registry. Hoping Malwarebytes Premium has an option to do this. Yes, many tools show you what is ALREADY in Run areas on Startup/Logon, but none notify or block entry into those registry areas BEFORE or when they are created/modified. Tools such as Sysinternals Suite’s Autoruns and CCleaner (both recommended) show current RUN items, but do not block or notify. This should be Windows' innate ability: notify or block reg modifications. Yes, I have Windows UAC set to max, but it only notifies of an app/prog wanting to run, and once given permission it doesn’t monitor the allowed app/prog's other activities, including and specifically adding/modifying autorun reg areas: Startup (user) - the current user's Startup folder in the Start Menu. Startup (common) - the common (all users) Startup folder in the Start Menu. HKLM / Run - the Run registry key located in HKEY_LOCAL_MACHINE. These apply for all users. HKCU / Run - the Run registry key located in HKEY_CURRENT_USER. These apply for the current user only. HKLM / RunOnce HKLM / RunOnceEx HKCU / RunOnce HKCU / Windows NT\CurrentVersion\Windows\RUN HKCU / Windows NT\CurrentVersion\Windows\Load HKLM / Policies\Explorer\Run HKCU / Policies\Explorer\Run HKCU / Control Panel\Desktop HKLM / Active Setup\Installed Components\ (Active-X) HKLM / Windows NT\CurrentVersion\Winlogon HKLM / CurrentVersion\ShellServiceObjectDelayLoad Added Service; usually SvcHost.exe Runned (Owner Process) Thanks for your time and consideration.
  7. Hey there everybody. I apologize if this has already been answered, but I wanted to get your advice on something as I have more than one question. My computer has been popping up with the black screen displaying "taskeng.exe" very quickly, and then it goes away. It usually only does this a bit after starting up and sometimes after opening Chrome. I looked this up and some people say it's fine, others say it could be a sign of a virus/spyware. I did open up task scheduler, go to the task scheduler library, and disabled a task called "User_Feed_Synchronization" after being advised to do so on a Microsoft forum regarding taskeng.exe issues. But apparently that didn't help, because I saw it again? Today I ran a scan with Malwarebytes and 6 threats were detected. I quarantined them, but have not deleted them yet. Should I? Do you think that would help my taskeng.exe problem? Problem is, after I did this scan, the taskeng.exe popup still came after the scan's restart. I will post my results here. Do you think the taskeng.exe is a virus, or don't worry about it? To anyone who replies, thank you so much!!! 
-Scan Summary- Scan Type: Custom Scan Result: Completed Objects Scanned: 227556 Threats Detected: 6 Threats Quarantined: 6 Time Elapsed: 12 hr, 5 min, 0 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 3 PUP.Optional.ASK, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2FA28606-DE77-4029-AF96-B231E3B8F827}, Quarantined, [478], [341071],1.0.4030 PUP.Optional.ASK, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2FA28606-DE77-4029-AF96-B231E3B8F827}, Quarantined, [478], [341071],1.0.4030 PUP.Optional.ASK, HKU\S-1-5-21-470504079-2056641531-4023931026-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2fa28606-de77-4029-af96-b231e3b8f827}, Quarantined, [478], [341071],1.0.4030 Registry Value: 3 PUP.Optional.ASK, HKU\S-1-5-21-470504079-2056641531-4023931026-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2fa28606-de77-4029-af96-b231e3b8f827}|URL, Quarantined, [478], [341071],1.0.4030 PUP.Optional.ASK, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2fa28606-de77-4029-af96-b231e3b8f827}|URL, Quarantined, [478], [341070],1.0.4030 PUP.Optional.ASK, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2fa28606-de77-4029-af96-b231e3b8f827}|URL, Quarantined, [478], [341070],1.0.4030 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected)
  8. Good morning, To say that our Malwarebytes EP experience has been poor is an understatement. We rolled out to the entire enterprise the weekend of the malformed update and still have not completely recovered. The tech has been unpleasant "I've already called you twice", and we have not been able to track down a workable exclusion for the hundreds of end users forced to reboot with a registry change that Malwarebytes is cleaning daily. I'm turning to the forums since it appears we have exhausted our support through two phone calls. Basically we are forcing a wallpaper image and not allowing users to change it. The error in the console looks like this: PUM.Optional.NoChangingWallpaper Quarantined Detection Data Name: PUM.Optional.NoChangingWallpaper Category: PUM Type: Registry Value Location: HKU\S-1-5-21-2425530655-2670725271-3209618128-9677\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER Detection ID: 1d93df19-0d56-11e8-aed3-6c0b8469375e Endpoint: Scanned At: 02/09/2018 - 07:51:35 AM Scan ID: Blocked By Real-Time Protection Looking for any thoughts or recommendations to allow us to control the wallpaper in this manner through exclusions so that we don't have hundreds of users being forced to reboot daily. I see this is part of Malwarebytes' design (https://blog.malwarebytes.com/detections/pum-optional-nochangingwallpaper/), but we need to exclude detection of this. Note it's a user key location, so different with each user. Thanks so much for your insight and help!
  9. I really need help getting rid of a pesky virus, HKU\S-1-5-21 I scan my computer and it's there. I get rid of it, and a few days later, it comes right back! I don't know how to completely exterminate this thing! I'm sure it's causing me the problems I've been having with my PC. I'm using a Student account, and yet some programs ask me to give permission to run with the little admin shield symbol. Also, my Mozilla Firefox bookmarks, history, etc. will sometimes stop working, and that red bar will appear at the top of Firefox telling me it can't access my bookmarks because they're being accessed elsewhere. Also, the Malwarebytes taskbar logo disappears when my computer's acting up like this, and I click to open Malwarebytes and it doesn't open. I then go to the Program files of Malwarebytes and it tells me I don't have access. It also tells me I don't have access when I try to uninstall MBAM. *Note: A bit (a few weeks) after I logged into the Admin account on my PC and changed a registry file to make a game that wasn't working on my PC work, and I updated my PC, this all started. I don't know if there's any correlation between the two events, but my computer was fine up until that point. I changed: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\ SharedSection=1024,3072,512. 
Change 3072 into 4096 so it reads: SharedSection=1024,4096,512 Here's the scan log for the virus: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/16/17 Scan Time: 11:39 AM Log File: af1cae6c-e27f-11e7-908c-e4115bfc336f.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.3501 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x86 File System: NTFS User: Student -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 243651 Threats Detected: 1 Threats Quarantined: 1 Time Elapsed: 45 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 1 PUM.Optional.DisableMCProperties, HKU\S-1-5-21-3769206596-2729350310-207999698-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NOPROPERTIESMYCOMPUTER, Replace-on-Reboot, [14365], [293306],1.0.3501 Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected) (end)
  10. Is it normal to find a lot of "Persistent Handler" in the registry? I only saw HKEY_CLASSES_ROOT, but it has about 200 of those. Looking at the data I got this: {098f2470-bae0-11cd-b579-08002b30bfeb}. Is it some malware?
  11. I think MBAM just got me a false positive result. After a threat scan it found that the registry \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|Windows Update with data on C:\Users\wcwra\AppData\Local\Microsoft Windows|svchost.exe is a backdoor.bot, I went to the folder and it was empty, just a svchost.exe.config. backdoor.txt
  12. Malwarebytes has run its scheduled Hyper Scan and has detected an .exe and registry value as malware. Both belong to Lightshot. This appears to have once been a previous issue: Is it possible to confirm whether these are false positives? I obviously cannot attach the .exe and registry value. I have attached the screenshot of the scan results and the .txt of the results. Has anyone else experienced this? I will also create a ticket for this. malware lightshot false positive.txt
  13. Rkill 2.8.4 by Lawrence Abrams (Grinler) http://www.bleepingcomputer.com/ Copyright 2008-2017 BleepingComputer.com More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html Program started at: 06/10/2017 06:16:45 AM in x86 mode. Windows Version: Windows 7 Professional Service Pack 1 Checking for Windows services to stop: * No malware services found to stop. Checking for processes to terminate: * C:\Windows\AutoKMS.exe (PID: 1380) [WD-HEUR] * C:\ProgramData\Rpcnet\Bin\rpcld.exe (PID: 2632) [AU-HEUR] * C:\ProgramData\AutoKMS\Resources\MSGBox\Messagebox.exe (PID: 2984) [AU-HEUR] 3 proccesses terminated! Checking Registry for malware related settings: * No issues found in the Registry. Resetting .EXE, .COM, & .BAT associations in the Windows Registry. Performing miscellaneous checks: * No issues found. Checking Windows Service Integrity: * Windows Update (wuauserv) is not Running. Startup Type set to: Automatic (Delayed Start) * TBS [Missing Service] Searching for Missing Digital Signatures: * No issues found. Checking HOSTS File: * No issues found. Program finished at: 06/10/2017 06:18:16 AM Execution time: 0 hours(s), 1 minute(s), and 31 seconds(s) Every time I start my PC I have to start Rkill to stop this trojan and I do not know how to find and get rid of it completely as it becomes undetectable by my anti-virus. How do I get rid of it completely from my registry?
  14. I'll start by noting that this issue does not exist on one machine, but several machines which are all on the same domain. However, not every machine on the domain has this issue. The machines all use either Windows 7 or Windows 10. Malwarebytes does not freeze. What happens is at some point during any point after scanning "startup items" the scan will suddenly appear stuck as the "number of objects scanned" will stop increasing. The scan timer will keep ticking the entire time, but no progress is being made. I can pause the scan, and when I resume the scan there is no change in progress. The graphic with the spinning green arrows keeps going as normal even with no progress being made. I can let the scan keep going all night, and when I come back the next day the scan will still be stuck at the same spot as before. Upon finally hitting cancel, the scan acts like something is happening, but nothing ever happens. I am forced to go into task manager and end process on "malwarebytes service" in order to perform another scan. I am able to navigate through all of the other various menus within the program during a scan, etc. The scan is never stuck on the same file, file type, etc. Sometimes it will sit on "Scanning startup items" or "scanning file system" or during "registry items" or even during "heuristics analysis", but the number of objects scanned does not increase. The only way Malwarebytes can complete a scan is by going to the custom scan menu, choosing the custom scan option, and unchecking "Scan Startup and Registry settings." I can deselect all other options other than startup and registry settings, and the scan will become stuck during "heuristics analysis". So far I am still able to complete a threat scan on three different machines out of many that cannot. All machines can complete a scan by unchecking startup and registry settings from the scan. One of these three machines is running Windows 7, while the other two are running Windows 10. 
Windows and all other programs are up to date. I've tried excluding as well as completely uninstalling and purging the antivirus since that is the only program other than Windows/Microsoft Office/Adobe Reader that is consistent between all machines (removing any or all of these programs does not change the outcome either), but that did not change the outcome of the scan. The antivirus has since been reinstalled. I'm running out of ideas. Any ideas and help are appreciated. I have tried using 3.2 beta version as well, and there is no change in the outcome of the scan. mb-check-results.zip
  15. Hello, I am in need of help in the removal of a Malwarebytes detection within my registry. Whenever I scan I consistently find PUP.Optional.PSScriptLoad.EncJob being detected, and no matter how many times I quarantine and remove it, it returns. I have attached a scan report and a Farbar Recovery Scan Tool Report. I hope that you will be able to help me with this issue. Scan Log 7-7-17.txt FRST.txt Addition.txt
  16. Basically what the title says. Ran AdwCleaner, found a couple of folders, something in Chrome, and 7-8 registry keys. I'm very cautious of cleaning registry keys for obvious reasons. I have the logfile from the time I ran it (only a while ago). If I post that will it be apparent which can safely be cleaned? I have no idea what backing up the registry entails, or how I would go about restoring it if I did indeed clean something necessary. I know just enough to be dangerous and nowhere near enough to be confident with these things. Any help would be appreciated.