JubNot

Can't Get Rid of HKU\S-1-5-21 / Disable.MCPROPERTIES

I really need help getting rid of a pesky virus, HKU\S-1-5-21

I scan my computer and it's there. I get rid of it, and a few days later, it comes right back! I don't know how to completely exterminate this thing! I'm sure it's causing me the problems I've been having with my PC. I'm using a Student account, and yet some programs ask me to give permission to run with the little admin shield symbol. Also, my Mozilla Firefox bookmarks, history, etc. will sometimes stop working, and that red bar will appear at the top of Firefox telling me it can't access my bookmarks because they're being accessed elsewhere. Also, the Malwarebytes taskbar logo disappears when my computer's acting up like this, and I click to open Malwarebytes and it doesn't open. I then go to the Program Files of Malwarebytes and it tells me I don't have access. It also tells me I don't have access when I try to uninstall MBAM.

*Note: A bit (a few weeks) after I logged into the Admin account on my PC and changed a registry file to make a game that wasn't working on my PC work, and I updated my PC, this all started. I don't know if there's any correlation between the two events, but my computer was fine up until that point. I changed:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\

SharedSection=1024,3072,512. Change 3072 into 4096 so it reads: SharedSection=1024,4096,512

 

Here's the scan log for the virus:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/16/17
Scan Time: 11:39 AM
Log File: af1cae6c-e27f-11e7-908c-e4115bfc336f.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3501
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Student

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 243651
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 45 min, 6 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 1
PUM.Optional.DisableMCProperties, HKU\S-1-5-21-3769206596-2729350310-207999698-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NOPROPERTIESMYCOMPUTER, Replace-on-Reboot, [14365], [293306],1.0.3501

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

Edited by JubNot


Is this PC covered by an IT department, has there been policies set by them.....?

Quote

*Note: A bit (a few weeks) after I logged into the Admin account on my PC and changed a registry file to make a game that wasn't working on my PC work, and I updated my PC, this all started. I don't know if there's any correlation between the two events, but my computer was fine up until that point. I changed:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\

SharedSection=1024,3072,512. Change 3072 into 4096 so it reads: SharedSection=1024,4096,512

In the above quote, have you tried reverting that setting back to original...?


Sort of. The computer has an IT department that doesn't help very much. I changed the registry value back to normal the day after changing it originally. Seems like me changing that SharedSection value brought a virus of some sort out of wherever, or interrupted something within my system.


All of the following policies and a batch file are set by the IT guys....

HKLM\...\Run: [SMARipReplace] => C:\AeXInst\RipReplace.bat
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\system: [DisableChangePassword] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\system: [DisableLockWorkstation] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoNetHood] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoCloseDragDropBands] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoPropertiesMyDocuments] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoPropertiesRecycleBin] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoNetworkConnections] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoUserNameInStartMenu] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoAutoTrayNotify] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoLogoff] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [RestrictWelcomeCenter] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoManageMyComputerVerb] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoNetConnectDisconnect] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoComputersNearMe] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoSetTaskbar] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [NoSecurityTab] 1
HKU\S-1-5-21-3769206596-2729350310-207999698-1000\...\Policies\Explorer: [RestrictCpl] 1
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION

 

You should really go to the IT dept to have them take a look. bit of a clash going on...

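The policy list above is what makes the detection intelligible: Malwarebytes flags NoPropertiesMyComputer under the same HKU\...\Policies\Explorer key as a PUM (a potentially unwanted modification, not malware), and the IT department evidently populates that key on purpose. Before removing or excluding anything, a defender would want to see every policy value in the user's hive next to the list the machine's administrators are known to set. The following PowerShell script is an added example written for this thread, not Malwarebytes' or FRST's own tooling; it reads HKCU (which maps to the current user's HKU\S-1-5-21-... hive) without changing anything, and the allow list is an assumption built from the policy names quoted in the post above.

```powershell
# Audit per-user Explorer and System policy values (HKCU) and flag any value that
# is not on a known, administrator-provided allow list. Read-only: nothing is changed.
# Added example for this thread; the allow list below is an assumption taken from
# the policy values quoted in the thread and should be confirmed with the IT department.

$PolicyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Policy values the thread reports as set by the IT department.
$KnownItPolicies = @{
    'System'   = @('DisableChangePassword', 'DisableLockWorkstation')
    'Explorer' = @(
        'NoRecentDocsNetHood', 'NoNetHood', 'NoCloseDragDropBands',
        'NoPropertiesMyDocuments', 'NoPropertiesRecycleBin', 'NoDesktopCleanupWizard',
        'NoNetworkConnections', 'NoUserNameInStartMenu', 'NoAutoTrayNotify',
        'NoWelcomeScreen', 'NoLogoff', 'RestrictWelcomeCenter',
        'NoManageMyComputerVerb', 'NoNetConnectDisconnect', 'NoComputersNearMe',
        'NoSetTaskbar', 'NoSecurityTab', 'RestrictCpl'
    )
}

function Get-UserPolicyAudit {
    [CmdletBinding()]
    param(
        [string]$Root = $PolicyRoot,
        [hashtable]$AllowList = $KnownItPolicies
    )
    foreach ($subKey in $AllowList.Keys) {
        $path = Join-Path -Path $Root -ChildPath $subKey
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the (Default) value
            [pscustomobject]@{
                Key      = $subKey
                Name     = $name
                Data     = $key.GetValue($name)
                Expected = ($AllowList[$subKey] -contains $name)
            }
        }
    }
}

$audit = Get-UserPolicyAudit
$audit | Sort-Object -Property Expected, Key, Name | Format-Table -AutoSize

# Anything not on the allow list is a question for whoever manages the machine,
# not an automatic "fix". NoPropertiesMyComputer is the value the scan in this
# thread flagged as PUM.Optional.DisableMCProperties.
$audit | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning ("Policy value not on the IT allow list: {0}\{1} = {2}" -f $_.Key, $_.Name, $_.Data)
}
```

Run it from the affected user's session (no elevation needed, since HKCU is that user's own hive). A value that keeps reappearing after quarantine, as NoPropertiesMyComputer does here, is the signature of a policy being re-applied by Group Policy or a logon script such as the RipReplace.bat entry in the list above, which is exactly the "clash" the reply describes: the scanner and the management tooling undoing each other's changes. That is why the recommended course is to confirm the setting with IT and exclude it, rather than to keep quarantining it.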

Alright. But before I do, could you explain exactly what you mean by "clash?" And is there any way that I could fix this myself or with your help?? The IT aren't the friendliest and I could be scolded for causing said "clash," and they lack such knowledge to fix it. They'd just tell me to wipe my system, deleting all my data and such, which would be devastating to me.


I meant Malwarebytes seems to try and replace a policy that was set legitimately....  I suppose you could add that as an exclusion, MB should ignore after that...

Edited by kevinf80


OK! Would adding such exclusion stop the other system malfunctions I've been experiencing?? (Firefox not letting me access history or bookmarks, MBAM's taskbar icon disappearing)

If so, how would I add the exclusion?


I always doubted that this was a legitimate virus. I've always been super careful with what I download, and have had Malwarebytes for years. Very rarely do I get a virus. And this all only started happening right after I changed the registry value. If you could potentially help me save my PC, I'd be so grateful!


It is not possible to manually add a registry key as an exclusion, it has to be done when the key is triggered during a scan... Have a look at answers #9, #10, and #11 at the following link:

What is going wrong with your PC, is it just what you mentioned about Firefox and Malwarebytes... Has Malwarebytes always run OK with "AV: Symantec Endpoint Protection"?


Ok, I'll look over those answers. And yes. The computer I use came with Symantec Endpoint Protection pre-installed, and I didn't uninstall it or modify it at all. Malwarebytes always ran perfectly fine with it. Firefox and the Malwarebytes taskbar icon started glitching once this "virus" thing appeared on my computer, which is why I think those two problems stem from the "virus." I mean when they're glitching, both programs tell me they/I don't have access, so like you said previously, there is obviously some sort of "clash" happening within my system due to the changes I made in the registry, and MBAM is trying to fix or replace it, as you previously stated.


I excluded the HKU\S-1-5-21 and attached a picture of the exclusion. As for the other glitches I've been experiencing, will this fix them? Also, the HKU\S-1-5-21 is still in my Quarantine. What should I do with it? Restore it? Or should I delete it??

new picture.jpg

Edited by JubNot


Is your version of symantec current "Symantec Endpoint Protection (HKLM\...\{6B730122-A03B-49BE-BBAD-D96C58A0F303}) (Version: 12.1.7266.6800 - Symantec Corporation)"

Just searching around for possible answers, the following link is dated June 2017 and quotes version 14 having issues with Malwarebytes:

https://www.symantec.com/connect/forums/endpoint-v140-malwarebytes-breaking-systems-100s


My version of Symantec is the same as the version in your reply, Version 12.1.7266.6800. I don't have version 14.

Edited by JubNot


Yes, I see that version; the one in the link I gave is dated June 2017 but is version 14. Did you open the link..?


Yes, I opened the link and read the post, why do you ask? My Malwarebytes Web Protection and Malware Protection never get turned off because of Symantec. That actually is not one of the problems I've been having. The MBAM tray icon just keeps disappearing, and when it does, I am unable to open MBAM unless I restart the computer.

Edited by JubNot


I only ask in case your version of Endpoint is outdated; you have version 12, the link quotes version 14 and is dated June 2017.


Yes, my version is outdated. Like the post stated, it's version 14 that causes the conflicts with MBAM, not version 12, right?

Edited by JubNot


Yes, version 14 is dated June 2017, it is now December, surely there will be another more updated version that solves that quoted problem... I've never used any endpoint security such as Symantec so do not know for sure what is available....

Just looked at this link: https://support.symantec.com/en_US/article.TECH103088.html  seems to quote version 12 as current, must depend on system requirements...?

Go for a fresh install of Malwarebytes, see what happens after that...

Totally Remove Malwarebytes from your system:

Download the latest version of Malwarebytes cleanup tool from here: https://downloads.malwarebytes.com/file/mb_clean and save to your Desktop..

If applicable, backup your Malwarebytes license key information and deactivate the product.

Close all open applications and deactivate Malwarebytes <---- Very important, do not miss that step

To deactivate Malwarebytes:

Right click on the tray icon, from the opened list select "Quit Malwarebytes"; a UAC alert will open, select "Yes" to deactivate Malwarebytes...
 
  • Double-click mb-clean.exe to run it
  • A prompt to confirm the cleanup will appear, select Yes or No
  • Yes - will proceed with the cleanup process <---- Select this option to start the tool
  • No - will exit the utility
  • The Utility will launch a Command Prompt window which will disappear once the cleanup process completes.
  • Once completed, a log file ("mb-cleanresult.txt") will be on your desktop and you'll be prompted to reboot
  • We recommend an immediate reboot <--- Do Not miss out this step
  • Suppressing the reboot may result in an incomplete cleanup
  • Upon reboot Malwarebytes will be totally removed from your system


To re-install Malwarebytes:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/
 
  • Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....
  • When the install completes and is updated do the following:
  • Open Malwarebytes, select > "settings" > "protection tab"
  • Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....
  • Go back to "DashBoard" select the Blue "Scan Now" tab......


When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)", name that log and save it; you can copy or attach that to your reply...

If you have lost the activation licence key information it can be located here: http://www.cleverbridge.com/342/?scope=cusecolp

 


Ok. Do you believe this will solve my previously stated glitch with Firefox as well? Also, if I uninstall MBAM, will my exclusions remain?


What are the Firefox issues..? A fresh install of Malwarebytes would require the exclusion adding again..


For Firefox, not exactly every time I exit the browser, but usually, around the same time MBAM starts acting up, if I exit out of the browser and open it again, Firefox glitches and tells me it cannot access or store history anymore, and it cannot access my bookmarks.

This topic is now closed to further replies.