Hijack.SecurityRun,Trojan.Poweliks.B,Hijack.Trojan.Siredef.C

[Cartel]

These keys are for CD burning.

Installed with the OS (Windows 7 64bit)

Trojan.Poweliks.B, HKU\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, , [72383eeed9b2280e8efa6b97b14fc63a],

Hijack.Trojan.Siredef.C, HKU\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}, , [6842aa820d7e8fa72d07a061d9270cf4],

Hijack.Trojan.Siredef.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}, , [6842aa820d7e8fa72d07a061d9270cf4],

These keys are my group policy software restriction rules to stop Avira nagging.

Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48D87BF0-9ACC-4133-9827-8A1BD16C4C01}, , [7238af7ded9ea29489d6c7a4b94b55ab],

Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48D87BF0-9ACC-4133-9827-8A1BD16C4C01}, , [4466fd2fb5d6c4726df25e0d9a6a728e],

Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48d87bf0-9acc-4133-9827-8a1bd16c4c01}|ItemData, C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe, , [7238af7ded9ea29489d6c7a4b94b55ab]

Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48d87bf0-9acc-4133-9827-8a1bd16c4c01}|ItemData, C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe, , [4466fd2fb5d6c4726df25e0d9a6a728e]

[Cartel]

Be nice if I could edit the preview of my post or edit it after posting.....sorry its a block of text, it wasn't when I typed it.

[Cartel]

These keys are for CD burning. Installed with the OS (Windows 7 64bit)

**********************************************************************************

***

Trojan.Poweliks.B, HKU\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, , [72383eeed9b2280e8efa6b97b14fc63a],

**Hijack.Trojan.Siredef.C, HKU\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}, , [6842aa820d7e8fa72d07a061d9270cf4],

**Hijack.Trojan.Siredef.C, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}, , [6842aa820d7e8fa72d07a061d9270cf4],

************************************************************************************

***

These keys are my group policy software restriction rules to stop Avira nagging. Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48D87BF0-9ACC-4133-9827-8A1BD16C4C01}, , [7238af7ded9ea29489d6c7a4b94b55ab],

**Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48D87BF0-9ACC-4133-9827-8A1BD16C4C01}, , [4466fd2fb5d6c4726df25e0d9a6a728e],

**Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48d87bf0-9acc-4133-9827-8a1bd16c4c01}|ItemData, C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe, , [7238af7ded9ea29489d6c7a4b94b55ab]

**Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{48d87bf0-9acc-4133-9827-8a1bd16c4c01}|ItemData, C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe, , [4466fd2fb5d6c4726df25e0d9a6a728e]

[Cartel]

FBEB8A05-BEEE-4442-804E-409D6C4515E9 keys

[Cartel]

AB8902B4-09CA-4BB6-B78D-A8F59079A8D is a empty key like the others above and below it.

[miekiemoes]

Hi,

 

As for the Hijack.SecurityRun - if you have set this policy manually, then you can ignore this detection or add to your whitelist.

Unfortunately, a lot of malware sets these policies as well to prevent AVs to run, hence why we need to address this.

 

As for the other detections, can you export the following key?

HKU\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}

Please zip and attach to your post, do not post a screenshot.

 

Because it's weird that this key is created under the HKU/HKCU branch - The {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} key shouldn't also be under the HKU/HKCU branch, so since, in your case, this is empty, it's safe to remove.

 

We have this detection in our database for a while already, so this seems like a rare case scenario

[Cartel]

Thanks for the reply.

Here you go:

(Creation dates are today because I restored the keys.)

FBEB8A05-BEEE-4442-804E-409D6C4515E9.txt

[miekiemoes]

Can you use regedit to export these? Because above don't display the valuedata of the keys.

Also, that key isn't set by default in Win7 under the HKCU or HKU branch though, so unsure how that ended up in there for you. That's why this is a rare case here.

[Cartel]

Here it is.

thanks

FBEB8A05-BEEE-4442-804E-409D6C4515E9.zip

[miekiemoes]

Seems to be empty keys indeed (as I expected), so you can basically remove the HKEY_USERS\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} key (ONLY this one).

Or ignore the detection in mbam. In either way, it's ok to remove this key, as that won't trigger it for the other one either anymore.

The same applies for the HKU\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} key.

 

Or just ignore in the mbam scan.

 

I wonder if you actually were dealing with Poweliks or Siref before, where probably another AV deleted its valuedata rather. Or some other (beta) removal tool you ran that actually wrote these keys rather instead.

[Cartel]

I never had any detections but those, I run mbam and have run your antirootkit before also.

This only happens every 6 months I do a double check with mbam and then use Avira 24/7.

Avira 9 actually, shhhh

I backed up the keys and deleted them.

CD burning still seems to function and thumbnails still work so the only way to be sure is to nuke the entire site from....oops I mean safer to delete the keys.

If it was something critical I'd be more concerned

thanks

[Cartel]

Hello I'd like to help mbam remove this false positive for
Registry Keys: 1
PUP.Optional.Hicosmea, HKU\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}, , HKEY_USERS\S-1-5-21-3891387264-3673818761-2909559850-1000_Classes\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}

This key is created everytime I use Windows Media Encoder x64 Edition
https://go.microsoft.com/fwlink/?LinkId=67406

[miekiemoes]

Hi,

This has been fixed for more than a year already.

Can you make sure you are running the latest database version?

Thanks!

[shadowwar]

We did find something that may be causing this. should be fixed in about 20 mins.
 

[Cartel]

still not fixed, maybe by 2020?

[blender]

Hello,

Those won't be "fixed" as Mieke explained above. They are the same ones you posted in your original post? What WAS fixed was the detection you posted regarding "PUP.Optional.Hicosmea".

Quote from Mieke:
"As for the Hijack.SecurityRun - if you have set this policy manually, then you can ignore this detection or add to your whitelist.

Unfortunately, a lot of malware sets these policies as well to prevent AVs to run, hence why we need to address this."

---------

If you purposely set these policies, you will need to tell MBAM to "ignore always" these detections.