Can't Get Rid of HKU\S-1-5-21 / Disable.MCPROPERTIES


JubNot


I really need help getting rid of a pesky virus, HKU\S-1-5-21

I scan my computer and it's there. I get rid of it, and a few days later, it comes right back! I don't know how to completely exterminate this thing! I'm sure it's causing the problems I've been having with my PC. I'm using a Student account, and yet some programs ask me to give permission to run with the little admin shield symbol. Also, my Mozilla Firefox bookmarks, history, etc. will sometimes stop working, and that red bar will appear at the top of Firefox telling me it can't access my bookmarks because they're being accessed elsewhere. Also, the Malwarebytes taskbar logo disappears when my computer's acting up like this, and when I click to open Malwarebytes it doesn't open. I then go to the Program Files folder of Malwarebytes and it tells me I don't have access. It also tells me I don't have access when I try to uninstall MBAM.

*Note: A bit (a few weeks) after I logged into the Admin account on my PC and changed a registry file to make a game that wasn't working on my PC work, and I updated my PC, this all started. I don't know if there's any correlation between the two events, but my computer was fine up until that point. I changed:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\

SharedSection=1024,3072,512. Change 3072 into 4096 so it reads: SharedSection=1024,4096,512

 

Here's the scan log for the virus:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/16/17
Scan Time: 11:39 AM
Log File: af1cae6c-e27f-11e7-908c-e4115bfc336f.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3501
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Student

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 243651
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 45 min, 6 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 1
PUM.Optional.DisableMCProperties, HKU\S-1-5-21-3769206596-2729350310-207999698-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NOPROPERTIESMYCOMPUTER, Replace-on-Reboot, [14365], [293306],1.0.3501

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

Edited by JubNot

Is this PC covered by an IT department? Have there been policies set by them...?

Quote

*Note: A bit (a few weeks) after I logged into the Admin account on my PC and changed a registry file to make a game that wasn't working on my PC work, and I updated my PC, this all started. I don't know if there's any correlation between the two events, but my computer was fine up until that point. I changed:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\

SharedSection=1024,3072,512. Change 3072 into 4096 so it reads: SharedSection=1024,4096,512

In the above quote, have you tried reverting that setting back to the original...?


Sort of. The computer has an IT department that doesn't help very much. I changed the registry value back to normal the day after changing it originally. It seems like me changing that SharedSection value brought a virus of some sort out of wherever, or interrupted something within my system.


All of the following policies and a batch file are set by the IT guys....

HKLM\...\Run: [SMARipReplace] => C:\AeXInst\RipReplace.bat
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\system: [DisableChangePassword] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\system: [DisableLockWorkstation] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoNetHood] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoCloseDragDropBands] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoPropertiesMyDocuments] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoPropertiesRecycleBin] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoNetworkConnections] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoUserNameInStartMenu] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoAutoTrayNotify] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoLogoff] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [RestrictWelcomeCenter] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoManageMyComputerVerb] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoNetConnectDisconnect] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoComputersNearMe] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoSetTaskbar] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoSecurityTab] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [RestrictCpl] 1
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION

 

You should really go to the IT dept to have them take a look. Bit of a clash going on...

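As an added example (not part of the original thread, and not a Malwarebytes or FRST tool), the following PowerShell script inspects the two registry areas discussed above on the affected machine: the SharedSection field the original poster edited, and the per-user Policies\Explorer and Policies\System values that the listing above shows are set by IT and that Malwarebytes reports as PUM. Two things the thread does not spell out: the SharedSection string is a token inside the REG_EXPAND_SZ value named "Windows" under the SubSystems key (not a value on the key itself), and registry-based Group Policy settings are re-written at every policy refresh (logon and the periodic background refresh), which is why a value that Malwarebytes quarantines comes back a few days later. The SID is the one quoted in the scan log; on another machine pass the current user's SID. The script requires PowerShell 3.0 or later (Windows 7 ships with 2.0 unless the Windows Management Framework update is installed) and an elevated prompt to read another account's HKU hive.

```powershell
# Added example, not from the original thread. Requires PowerShell 3.0+ and an
# elevated prompt (reading HKU\<SID> for another account needs admin rights).

# --- 1. The SharedSection field the poster edited ---------------------------
# SharedSection is a token inside the REG_EXPAND_SZ value "Windows" under the
# SubSystems key; the Windows 7 default is "SharedSection=1024,20480,768".
function Get-SharedSection {
    $subsys  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
    $windows = (Get-ItemProperty -Path $subsys -Name Windows).Windows
    if (-not ($windows -match 'SharedSection=(\d+),(\d+)(?:,(\d+))?')) {
        throw "No SharedSection token found in: $windows"
    }
    [pscustomobject]@{
        SystemHeapKB         = [int]$Matches[1]   # shared by all desktops
        InteractiveHeapKB    = [int]$Matches[2]   # the field changed 3072 -> 4096 in the post
        NonInteractiveHeapKB = $(if ($Matches[3]) { [int]$Matches[3] } else { $null })
        RawValue             = $windows
    }
}

# --- 2. Per-user Explorer/System policy values (what MBAM flags as PUM) ------
function Get-UserPolicyValues {
    param(
        # SID quoted in the scan log above; pass your own SID on another machine.
        [string]$Sid = 'S-1-5-21-3769206596-2729350310-207999698-1000'
    )
    # HKEY_USERS is not exposed as a PSDrive by default.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $base = "HKU:\$Sid\Software\Microsoft\Windows\CurrentVersion\Policies"
    foreach ($sub in 'Explorer', 'System') {
        $key = "$base\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata PowerShell attaches to the object.
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            [pscustomobject]@{
                Key           = "Policies\$sub"
                Name          = $p.Name
                Data          = $p.Value
                # The value Malwarebytes quarantined in the scan log above.
                FlaggedByMBAM = ($p.Name -eq 'NoPropertiesMyComputer')
            }
        }
    }
}

# --- 3. Is Group Policy the source? ------------------------------------------
# A local user Registry.pol (or a domain GPO) re-applies these values on every
# policy refresh, so quarantining one value only lasts until the next refresh.
function Test-UserRegistryPol {
    Test-Path "$env:SystemRoot\System32\GroupPolicy\User\Registry.pol"
}

Get-SharedSection | Format-List
Get-UserPolicyValues | Format-Table -AutoSize
"Local user Registry.pol present: $(Test-UserRegistryPol)"
# For the authoritative list of applied GPOs and the registry settings each one
# delivers, run the built-in tool:
#   gpresult /scope user /h "$env:USERPROFILE\Desktop\gpresult.html"
```

If Policies\Explorer shows the same values as the listing above and Registry.pol (or a domain GPO in the gpresult report) is present, the "clash" is simply Malwarebytes undoing a setting that policy puts back; the Malwarebytes exclusion mentioned later in the thread, or having IT confirm the policy is intentional, is the right fix rather than repeated quarantining.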

Alright. But before I do, could you explain exactly what you mean by "clash"? And is there any way that I could fix this myself, or with your help? The IT people aren't the friendliest, and I could be scolded for causing said "clash," and they lack the knowledge to fix it. They'd just tell me to wipe my system, deleting all my data and such, which would be devastating to me.


I always doubted that this was a legitimate virus. I've always been super careful with what I download, and have had Malwarebytes for years. Very rarely do I get a virus. And this all only started happening right after I changed the registry value. If you could potentially help me save my PC, I'd be so grateful!


It is not possible to manually add a registry key as an exclusion; it has to be done when the key is triggered during a scan... Have a look at answers #9, #10, and #11 at the following link:

What is going wrong with your PC? Is it just what you mentioned about Firefox and Malwarebytes? Has Malwarebytes always run OK alongside "AV: Symantec Endpoint Protection"?


OK, I'll look over those answers. And yes, the computer I use came with Symantec Endpoint Protection pre-installed, and I didn't uninstall it or modify it at all. Malwarebytes always ran perfectly fine with it. Firefox and the Malwarebytes taskbar icon started glitching once this "virus" thing appeared on my computer, which is why I think those two problems stem from the "virus." I mean, when they're glitching, both programs tell me they/I don't have access, so like you said previously, there is obviously some sort of "clash" happening within my system due to the changes I made in the registry, and MBAM is trying to fix or replace it, as you previously stated.


I excluded the HKU\S-1-5-21 and attached a picture of the exclusion. As for the other glitches I've been experiencing, will this fix them? Also, the HKU\S-1-5-21 is still in my Quarantine. What should I do with it? Restore it? Or should I delete it??

new picture.jpg

Edited by JubNot

Is your version of symantec current "Symantec Endpoint Protection (HKLM\...\{6B730122-A03B-49BE-BBAD-D96C58A0F303}) (Version: 12.1.7266.6800 - Symantec Corporation)"

Just searching around for possible answers, the following link is dated June 2017 and quotes version 14 having issues with Malwarebytes:

https://www.symantec.com/connect/forums/endpoint-v140-malwarebytes-breaking-systems-100s


Yes, I opened the link and read the post. Why do you ask? My Malwarebytes Web Protection and Malware Protection never get turned off because of Symantec. That actually is not one of the problems I've been having. The MBAM tray icon just keeps disappearing, and when it does, I am unable to open MBAM unless I restart the computer.

Edited by JubNot

Yes, version 14 is dated June 2017; it is now December, so surely there will be a more up-to-date version that solves that quoted problem... I've never used any endpoint security such as Symantec, so I do not know for sure what is available....

Just looked at this link: https://support.symantec.com/en_US/article.TECH103088.html  seems to quote version 12 as current, must depend on system requirements...?

Go for a fresh install of Malwarebytes, see what happens after that...

Totally Remove Malwarebytes from your system:

Download the latest version of Malwarebytes cleanup tool from here: https://downloads.malwarebytes.com/file/mb_clean and save to your Desktop..

If applicable, backup your Malwarebytes license key information and deactivate the product.

Close all open applications and deactivate Malwarebytes <---- Very important, do not miss that step

To deactivate Malwarebytes:

Right-click on the tray icon, from the opened list select "Quit Malwarebytes", a UAC alert will open, select "Yes" to deactivate Malwarebytes...
 
  • Double-click mb-clean.exe to run it
  • A prompt to confirm the cleanup will appear, select Yes or No
  • Yes - will proceed with the cleanup process <---- Select this option to start the tool
  • No - will exit the utility
  • The utility will launch a Command Prompt window which will disappear once the cleanup process completes.
  • Once completed, a log file ("mb-cleanresult.txt") will be on your desktop and you'll be prompted to reboot
  • We recommend an immediate reboot <--- Do Not miss out this step
  • Suppressing the reboot may result in an incomplete cleanup
  • Upon reboot Malwarebytes will be totally removed from your system


To re-install Malwarebytes:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/
 
  • Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....
  • When the install completes and is updated do the following:
  • Open Malwarebytes, select > "settings" > "protection tab"
  • Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....
  • Go back to "DashBoard" select the Blue "Scan Now" tab......


When the scan completes, deal with any found entries... Then select "Export Summary" then "Text File (*.txt)", name that log and save it; you can copy or attach that to your reply...

If you have lost the activation licence key information it can be located here: http://www.cleverbridge.com/342/?scope=cusecolp

 


This topic is now closed to further replies.