Run: [Malwarebytes Anti-Malware (reboot)]

[jholland1964]

I volunteer at several forums. MBA-M is our tool of choice on all of them, however recently, in the last week or so I would say, we have so many logs continually show the listing

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

even AFTER the reboot to complete the fix has been done. Is this something new with the newest version? We have seen this on both Free and Paid version logs.

We always have the people reboot again but it continues to show.

In the past we usually knew this meant the poster had not rebooted when the MBA-M results showed the computer would have to reboot to complete the fix. We generally include Reboot the System in our instructions to them as a matter of course.

Is this something with the new version or should a person fix this entry?

[GT500]

I'm not sure why that is happening, but I hope it is just that MBAM didn't remove it after performing the DOR operations.

I'll notify the developers, and see if they have any input.

[jholland1964]

I'm not sure why that is happening, but I hope it is just that MBAM didn't remove it after performing the DOR operations.

I'll notify the developers, and see if they have any input.

Thanks I appreciate it. It is quite possibly the best program out there!

[AdvancedSetup]

Can you provide the FULL reg link this please.

Are you sure it's not due to another security tool blocking it from being removed or completed?

[jholland1964]

Can you provide the FULL reg link this please.

Are you sure it's not due to another security tool blocking it from being removed or completed?

Have had our latest poster generate a Startup list using HJT. Here are the listings from that log concerning MBA-M. I do have the full list if you need it;

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

StartCCC = "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

TSMAgent = "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"

CLMLServer for HP TouchSmart = "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"

UCam_Menu = "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"

UpdateLBPShortCut = "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"

UpdatePDIRShortCut = "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"

HP Health Check Scheduler = c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

HP Software Update = C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe

hpWirelessAssistant = C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

ArcSoft Connection Service = "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"

EEventManager = C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe

TkBellExe = "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot

nmctxth = "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

Adobe Reader Speed Launcher = "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

avgnt = "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

QuickTime Task = "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

iTunesHelper = "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

SunJavaUpdateSched = "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"

Malwarebytes Anti-Malware (reboot) = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

As you can see this IS a computer running a 64bit Windows Vista SP2 (WinNT 6.00.1906)

Detected: Internet Explorer v8.00 with Avira as the anti-virus program.

On this thread the poster came on because of constant cpu going from 18% to 50%+

This is the first MBA-M log results:

Malwarebytes' Anti-Malware 1.41

Database version: 2783

Windows 6.0.6001 Service Pack 1

9/12/2009 10:27:41 AM

mbam-log-2009-09-12 (10-27-41).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 307903

Time elapsed: 1 hour(s), 12 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 1

Folders Infected: 6

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\{5617ECA9-488D-4BA2-8562-9710B9AB78D2} (Adware.DoubleD) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\Environment\avapp (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Environment\avuninst (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Users\micvivi\AppData\Roaming\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

C:\Users\micvivi\AppData\Roaming\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

C:\Users\micvivi\AppData\Roaming\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

C:\Program Files (x86)\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\Program Files (x86)\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\ProgramData\Microsoft\Windows\Start Menu\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Files Infected:

C:\Users\micvivi\AppData\Roaming\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

C:\Users\micvivi\AppData\Roaming\AdwareAlert\Log\2009 Sep 06 - 09_24_16 PM_465.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

C:\Users\micvivi\AppData\Roaming\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

C:\Program Files (x86)\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\ProgramData\Microsoft\Windows\Start Menu\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\Windows\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Windows\Tasks\AdwareAlert System Startup.job (Trojan.Downloader) -> Quarantined and deleted successfully.

The HJT listing appeared following running of MBA-M and reboot of the computer.

Poster ran ESET online scanner which came back clean.

Rebooted. Ran a second scan with MBA-M later on the 12th of Sept. and it came up clean.

The computer has been shut down and rebooted numerous times but the latest HJT log shows the same O4 entry for MBA-M.

We also have had the poster run random's system information tool (RSIT) which shows the same O4 entry.

[swagger]

Can you provide the FULL reg link this please.

Are you sure it's not due to another security tool blocking it from being removed or completed?

I believe AdvancedSetup was looking for the full registry entry...

Go to the Start menu and click Run... Type in "regedit" and hit enter. Navigate to HKEY_Local_Machine -> Software -> Microsoft -> Windows -> Current Version -> Run or RunOnce. Should look something like this in the path (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)

Right click on the key (Run or RunOnce -- depending on where the value shows up) and export it to your desktop. Go to your desktop, right click on the registry file and click "Edit". Copy and paste the full entry in your next post.

ex. "WinPatrol"="C:\\Program Files\\WinPatrol\\winpatrol.exe -expressboot"

[jholland1964]

I believe AdvancedSetup was looking for the full registry entry...

Go to the Start menu and click Run... Type in "regedit" and hit enter. Navigate to HKEY_Local_Machine -> Software -> Microsoft -> Windows -> Current Version -> Run or RunOnce. Should look something like this in the path (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)

Right click on the key (Run or RunOnce -- depending on where the value shows up) and export it to your desktop. Go to your desktop, right click on the registry file and click "Edit". Copy and paste the full entry in your next post.

ex. "WinPatrol"="C:\\Program Files\\WinPatrol\\winpatrol.exe -expressboot"

Ok will have the poster do this and post that when I get it.

By the way, just had this same thing show on another forum, poster is using Windows XP SP2, 32bit so it isn't limited to Vista or 64bit systems. All posters are running version 1.41

[AdvancedSetup]

@jholland1964

No, what you provided so far is good enough. Let me have one of the developers take a look and see if they have any suggestions.

Do you have a link to the actual post where you're helping this user?

[jholland1964]

@jholland1964

No, what you provided so far is good enough. Let me have one of the developers take a look and see if they have any suggestions.

Do you have a link to the actual post where you're helping this user?

http://www.daniweb.com/forums/thread222420.html

[AdvancedSetup]

Okay, thanks. I've asked a developer to take a look just in case, but typically I've only seen this happen when other software or Malware is preventing the key from being removed.

[swagger]

I do apologize... It looks like that was the full registry entry that you posted.

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Malwarebytes Anti-Malware (reboot) = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

That would be the same value that the person you are helping would find... I think I'll shut my mouth for awhile. My apologies again!

[jholland1964]

By the way, here is a link to the second forum where I have seen this problem today with the XP computer.

http://forum.worldstart.com/showthread.php?t=141137

[jholland1964]

Another bit of info on this:

The thread at daniweb, since running MBA-M the person always gets a pop-up when rebooting the computer which says

If you started this program, continue,

Malwarebytes Anti malware

c:\programfiles(x86) malwarebytes'Anti-malware mbam.exe"runcleanupscript

select

continue or cancel

He has chosen both at one time or another and it made no difference, the next time he got the same pop-up.

On the thread at World Start and the person running XP does NOT get the pop up but the start up entry still shows in the most recent HJT logs.

[GT500]

I had this issue in a ticket today on the helpdesk. User was complaining that they got a UAC popup on every startup, and it was because of the removal script in HKLM/.../Run not getting deleted.

[beavis4ever]

I am also having an issue with the UAC blocking MalwarewareBytes Reboot startup item. This is with a fresh install of Mbam on Vista. If you delete the reg key it is recreated at next boot. Turning it off w/ msconfig avoids getting the message. This is happening w/o even doing a scan w/ Mbam.

[Porthos]

I am also seeing Windows Defender (so far an outdated version) blocking MBAM on every reboot.

This is on vista home basic.

[jholland1964]

I am also seeing Windows Defender (so far an outdated version) blocking MBAM on every reboot.

This is on vista home basic.

On my two threads I have noted here the Vista machine does not appear to have Windows Defender but the XP machine does and it IS active.

[Porthos]

I have noted here the Vista machine does not appear to have Windows Defender

It is installed by default on Vista. You download it on XP.

[jholland1964]

It is installed by default on Vista. You download it on XP.

This is what I thought also but it doesn't show anywhere. I have posted a question to the person I am helping and hopefully will have a reply soon.

[beavis4ever]

I am also having an issue with the UAC blocking MalwarewareBytes Reboot startup item. This is with a fresh install of Mbam on Vista. If you delete the reg key it is recreated at next boot. Turning it off w/ msconfig avoids getting the message. This is happening w/o even doing a scan w/ Mbam.

Just wanted to adjust what I said. If you try to remove the reg key w/ HJT it is not removed. HJT is making a backup but not removing it. Deleting the reg key through regedit does remove the entry permanently. It does not returning after rebooting. I was trying to use HJT like others here, and didn't do another HJT scan after trying to remove it. I was just rebooting and assumed it was being recreated. Sorry for the mix up, but I am 100% sure now that my statement is correct.

I am going to let this laptop go out with the way it is now, and hopefully the reg key issue doesn't return for the customer.

[GT500]

We do have a developer looking at this issue. His first thought is something like TeaTimer preventing the removal. I've given him an RSIT log and a ComboFix log from two different users experiencing this problem (I don't think either of them had TeaTimer though). I can't promise when he'll get it figured out, but he'll do his best to test and see if he can reproduce it.

[jholland1964]

My guy running Vista in this link http://www.daniweb.com/forums/thread222420.html DOES also have Windows Defender up and running.

[exile360]

Windows Defender should only block unknown startup items and unknown changes to the system if it has been changed from its default settings, otherwise it only blocks based on its actual definitions.

[jholland1964]

Any results on this yet? We are still seeing this show up in new HJT logs after cleaning has been done and a second MBA-M scan done shows clean.

[beavis4ever]

The laptop I was cleaning up definately did not have TeaTimer running. I installed Spybot but never use the extras other than Immunize. It is usually the tool used to cleanup the pieces Combofix and Mbam didn't remove and older junk. This is the first time I have ever had this problem w/ Mbam and Vista and believe it has to be related to the latest version. Xp has the same reg key present but w/o UAC it's not a big deal.

I am pretty sure Windows Defender is not the culprit. If you turn off UAC, you will not get the blocked startup program message.