Question about Registry Entry in logs

In a user's log there is the following entry:

PUP.Optional.RewardsArcade.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\RewardsArcade, , [54e383e55d1f52e4633d5a33d033d828],

Can someone explain the CLSID -0 in the key path? A subsequent search of the registry with other tools does not find this key path as listed.


Hello:

That detection is a PUP -- more information may be found here: What are the 'PUP' detections, are they threats, and should they be deleted?

I wouldn't want any of those on my computers.
But, if you're not sure what to keep/ignore and what to remove/quarantine, then you might want to have a malware expert assist you.

We are not permitted to work on possible malware-related issues here in this section of the forum.

So, for expert assistance, I suggest that you please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.
It explains the options for free, expert help >>AND<< the suggested preliminary steps to expedite the process.
A malware analyst will assist you with looking into your issue.

Thanks,


Thank you for the answer; I appreciate your time and concern. However, there are some points I will clear up.

This is not on my machine nor do I have physical access to it.

I am a "Malware Removalist" on a different forum but I will keep in mind the kind offer of assistance should it ever be needed.

I just needed to understand what the line in the log actually was telling someone. All other searches for the exact key path listed in the log turn up negative (no data / key not found or listed).

Thank you for your time and consideration in this matter.


A subsequent search of the registry with other tools does not find this key path as listed.

This is not on my machine nor do I have physical access to it.

Well, there ya go. It is in the Current User's Hive [ HKEY_CURRENT_USER ], which you do not have physical access to.


Actually, I made a mistake. It isn't the Current User's Hive [ HKEY_CURRENT_USER ]; it is HKEY_USERS.

HKCU is for a particular User Profile. HKEY_USERS is for all User Profiles that users inherit.

HKEY_USERS\S-1-5-18 references the Security IDentifier (SID) for the LocalSystem account. That is a predefined "local account" used by the Service Control Manager, which in turn represents NT AUTHORITY\SYSTEM and BUILTIN\Administrators.

However, it is still a case of the user not having physical access to it.

My apologies for the error.
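The following is an added example, not code from this thread or from Malwarebytes. It parses a detection line of the shape quoted at the top of the thread (detection name, registry path, empty field, hex id) and breaks the path into hive, the first component under HKU, the well-known SID prefix the reply above identifies, and whatever follows that prefix, so a script can tell a bare SID key from the S-1-5-18-{GUID}-0 form before doing anything with it. It does not interpret the -{GUID}-0 suffix, which the thread leaves open. The second sample line, its user SID and its id are constructed; the well-known SID table is Microsoft's documented list.

```python
"""Split Malwarebytes registry detection lines into hive / SID / suffix / subkey.

Added example (not the thread's or Malwarebytes' own code). The line layout is
read from the single entry quoted in the thread; the SID table is from
Microsoft's documented well-known SIDs.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Well-known SIDs (Microsoft documentation). S-1-5-18 is the one in the thread.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM (LocalSystem)",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

# Constructed sample log: the thread's entry plus a made-up entry whose first
# HKU component is a plain per-user SID (domain SID + RID) with no suffix.
SAMPLE_LOG = """\
PUP.Optional.RewardsArcade.A, HKU\\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\\SOFTWARE\\APPDATALOW\\SOFTWARE\\RewardsArcade, , [54e383e55d1f52e4633d5a33d033d828],
PUP.Optional.Example.B, HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\SOFTWARE\\Example, , [00000000000000000000000000000000],
"""

# name, path, (possibly empty) value field, [hex id], trailing comma
LINE_RE = re.compile(
    r"^(?P<name>[^,]+),\s*(?P<path>[^,]+),\s*(?P<value>[^,]*),\s*\[(?P<id>[0-9a-f]+)\],?\s*$"
)
# Longest alternatives first: domain SID (+ optional RID), BUILTIN alias, then
# the short well-known form such as S-1-5-18. Group 2 is everything after it.
SID_RE = re.compile(r"^(S-1-5-(?:21-\d+-\d+-\d+(?:-\d+)?|32-\d+|\d+))(.*)$")


class RegistryHit(NamedTuple):
    detection: str
    hive: str
    user_key: str          # first component under HKU, exactly as logged
    sid: Optional[str]     # SID prefix of user_key, if it has one
    suffix: str            # what follows the SID, e.g. "-{GUID}-0"
    subkey: str            # rest of the path below the user key
    account: Optional[str] # friendly name when the SID is well known


def split_registry_path(path: str) -> Tuple[str, str, str]:
    """Return (hive, user_key, subkey); user_key is empty for non-HKU hives."""
    hive, _, rest = path.partition("\\")
    if hive.upper() not in ("HKU", "HKEY_USERS"):
        return hive, "", rest
    user_key, _, subkey = rest.partition("\\")
    return hive, user_key, subkey


def parse_line(line: str) -> RegistryHit:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a registry detection line: {line!r}")
    hive, user_key, subkey = split_registry_path(m.group("path"))
    sid: Optional[str] = None
    suffix = ""
    if user_key:
        sm = SID_RE.match(user_key)
        if sm:
            sid, suffix = sm.group(1), sm.group(2)
        else:
            suffix = user_key  # e.g. ".DEFAULT": no SID at all
    account = WELL_KNOWN_SIDS.get(sid) if sid else None
    return RegistryHit(m.group("name"), hive, user_key, sid, suffix, subkey, account)


def parse_log(text: str) -> List[RegistryHit]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def is_bare_sid_key(hit: RegistryHit) -> bool:
    """True when the HKU component is exactly a SID, with nothing appended."""
    return hit.sid is not None and hit.suffix == ""


def describe(hit: RegistryHit) -> str:
    who = hit.account or "(not a well-known SID)"
    form = "bare SID key" if is_bare_sid_key(hit) else f"SID plus suffix {hit.suffix!r}"
    return f"{hit.detection}: {hit.hive} / {hit.sid} [{who}] / {form} / {hit.subkey}"


if __name__ == "__main__":
    for h in parse_log(SAMPLE_LOG):
        print(describe(h))
```

Run stand-alone it prints one description per line; the first shows that the thread's key name is the LocalSystem SID followed by the -{GUID}-0 suffix rather than the bare S-1-5-18 key, which is exactly the distinction the later question about a removal script turns on.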


Thank you for the information and corrections. Let's take this a step further; suppose one wanted to write a batch / script file to delete these entries. If I am properly reading what you advisers are telling me, then the {ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 part of the key path address should be removed?

To simplify:

This would be wrong => delete HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\RewardsArcade

This would be correct => delete HKU\S-1-5-18\SOFTWARE\APPDATALOW\SOFTWARE\RewardsArcade

?


Honestly... I do not think I am allowed to discuss this subject matter in "Malwarebytes Anti-Malware Help".

It is for discussing MBAM product support and not for malware removal. As a member of "Experts" I am allowed to provide the information but just not "here".
