Ghost registry values ?


Hi,

Is MB using a cache? It seems that it is able to detect problems with registry values that do not exist. It just reported this "threat":

Registry Value: 1
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxx-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LOWRISKFILETYPES, No Action By User, 6665, 251589, 1.0.14826, , ame,


But this registry value just does not exist. I had deleted it before the scan. I'm using 2 different registry editors and none of them is even able to find a LowRiskFileTypes value in my registry. I have deleted all of them. Even after exiting MB, relaunching it and rescanning, it continues to detect this "threat". If I quarantine this item, it no longer detects it, but what did it quarantine since the value doesn't exist?

A true false positive, so to say.

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab on the left column

  7. Click the Gather Logs button

  8. A progress bar will appear and the program will proceed with getting logs from your computer

  9. Upon completion, a file named mbst-grab-results.zip will be found on your Desktop. Click OK

  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies".

To save attachments, use the attachment bar below the reply editor: drag the files onto it, or click "choose files", browse to where your files are located, select them and click the Open button.

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

 

Greetings,

Thank you for reporting this issue.  I've never encountered or seen this occur before so it may be a new bug in the new 4.0 release that you have discovered.  I will be sure to report it to the Product team for analysis and verification and if it is a bug, hopefully it will be fixed in a future update.

Thanks again for reporting the problem and if there is anything else we might assist you with please let us know.

Thanks

  • Staff

Thanks for the file.

As part of the scanning process, Malwarebytes temporarily mounts user registry hives. The 'LOWRISKFILETYPES' value was present in one of the temp user hives, hence the detection. The issue with this still being detected after the value was deleted from your actual user hive is due to a problem with unmounting the temp user hives. Something on the system is keeping an open handle to the temp hives, which is preventing them from being unmounted. We've seen this issue in the past and made changes to address some of the known causes.

Can you reboot the computer (ensure the Restart option is used; not Shut down), open Regedit afterwards and take a screenshot of the HKU hive expanded?

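The staff reply above says the scanner loads copies of user hives under HKEY_USERS and that the copies stayed mounted. The script below is an added example, not Malwarebytes code and not something posted in this thread: it lists every hive currently loaded under HKU together with the file backing it, and cross-checks each one against the ProfileList so that a hive mounted from somewhere other than a real profile stands out. On the system in this thread the backing file for the stuck hives would point under C:\ProgramData\Malwarebytes\MBAMService (the paths in the log the staff posted further down), whatever HKU subkey name they were mounted under. It assumes the standard hivelist and ProfileList keys, an elevated prompt, and a drive-letter volume; the function names are the example's own.

```powershell
# Added example, not code from Malwarebytes or from the original post.
# Lists every hive loaded under HKEY_USERS with the file that backs it and
# checks the file against the profile the SID belongs to. The kernel keeps the
# mapping in HKLM\SYSTEM\CurrentControlSet\Control\hivelist, as
# registry root (\REGISTRY\USER\<name>) -> NT device path (\Device\HarddiskVolumeN\...).
# Run from an elevated PowerShell prompt.

Add-Type -Namespace HiveDemo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

# Map NT device names (\Device\HarddiskVolume3) to drive letters (C:) so the
# hivelist entries can be shown as ordinary Win32 paths.
function Get-DeviceToDriveMap {
    $map = @{}
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        if ($drive.Name.Length -ne 1) { continue }          # skip Temp: and similar
        $buf = New-Object System.Text.StringBuilder 1024
        $n = [HiveDemo.Native]::QueryDosDevice("$($drive.Name):", $buf, $buf.Capacity)
        if ($n -gt 0) { $map[$buf.ToString().Split("`0")[0]] = "$($drive.Name):" }
    }
    return $map
}

function Convert-NtPathToWin32 {
    param([string]$NtPath, [hashtable]$DeviceMap)
    foreach ($dev in $DeviceMap.Keys) {
        if ($NtPath.StartsWith("$dev\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $DeviceMap[$dev] + $NtPath.Substring($dev.Length)
        }
    }
    return $NtPath   # volume without a drive letter: leave the NT path as-is
}

# SID -> profile directory, from the ProfileList the profile service maintains.
function Get-ProfileImagePaths {
    $map = @{}
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -Path $list) {
        $img = (Get-ItemProperty -Path $key.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
        if ($img) { $map[$key.PSChildName] = [Environment]::ExpandEnvironmentVariables($img) }
    }
    return $map
}

function Get-LoadedUserHives {
    $devMap   = Get-DeviceToDriveMap
    $profiles = Get-ProfileImagePaths
    $hiveKey  = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    foreach ($root in $hiveKey.GetValueNames()) {
        if ($root -notlike '\REGISTRY\USER\*') { continue }
        $file = [string]$hiveKey.GetValue($root)
        if ($file -eq '') { continue }                      # volatile hive, no backing file
        $path = Convert-NtPathToWin32 -NtPath $file -DeviceMap $devMap
        $name = $root.Substring('\REGISTRY\USER\'.Length)  # e.g. S-1-5-21-...-1001 or S-1-5-21-...-1001_Classes
        $sid  = $name -replace '_Classes$', ''

        # Where the file should be if this hive belongs to a real profile.
        if ($name -eq '.DEFAULT') { $expected = "$env:SystemRoot\System32\config\DEFAULT" }
        elseif (-not $profiles.ContainsKey($sid)) { $expected = $null }
        elseif ($name -like '*_Classes') { $expected = "$($profiles[$sid])\AppData\Local\Microsoft\Windows\UsrClass.dat" }
        else { $expected = "$($profiles[$sid])\NTUSER.DAT" }

        if ($null -eq $expected) { $status = 'no profile for this SID' }
        elseif ($path -ieq $expected) { $status = 'ok' }
        else { $status = "unexpected location (profile hive is $expected)" }

        [pscustomobject]@{ HkuSubkey = $name; BackingFile = $path; Status = $status }
    }
}

Get-LoadedUserHives | Format-Table -AutoSize
```

Anything other than 'ok' deserves a look: a temp hive left behind by a scanner shows up with a backing file outside the profile tree, and a subkey whose name is not a profile SID has no profile to belong to at all. A reboot unloads every non-system hive, which is why the staff asked for a restart rather than a shutdown (fast startup can preserve kernel state across a shutdown).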
10 hours ago, exile360 said:

No, don't do that.  That could totally mess up your user accounts if you did that.  Please just wait for LiquidTension to provide further instructions.

Thanks

Thanks. However, I'm a former system engineer and I can differentiate legitimate entries in HKU. Anyway, I used the MB cleanup tool to uninstall it and these ghost entries had disappeared after the reboot. Everything is OK. I'm not sure I will reinstall. Should I be confident in protection software that is able to do such things in the system registry?

  • Staff

Hi @Samoreen,

There's something on your system that is preventing Malwarebytes from unloading the temporary user hives that it uses for scanning. We would need to troubleshoot the issue further to determine the source. With that said, I do understand your concern. We strive to make the product as robust and reliable as possible, but unfortunately, issues do arise.

If you would like to revisit using Malwarebytes and encounter the issue again, just let us know.
 

11/05/19	" 00:43:34.469"	47183359	13d8	17b8	ERROR	FileSystemUtils	mb::common::io::FileSystemUtils::Delete	"filesystemutils.cpp"	184	"File access error: sharing violation: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-18-11042019113723095-ntuser.dat"
11/05/19	" 00:43:34.469"	47183359	13d8	17b8	ERROR	FileSystemUtils	mb::common::io::FileSystemUtils::Delete	"filesystemutils.cpp"	184	"File access error: sharing violation: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-18-11042019113723095-ntuser.dat.LOG1"
11/05/19	" 00:43:34.469"	47183359	13d8	17b8	ERROR	FileSystemUtils	mb::common::io::FileSystemUtils::Delete	"filesystemutils.cpp"	184	"File access error: sharing violation: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-18-11042019113723095-ntuser.dat.LOG2"
11/05/19	" 00:43:34.469"	47183359	13d8	17b8	ERROR	FileSystemUtils	mb::common::io::FileSystemUtils::Delete	"filesystemutils.cpp"	184	"File access error: sharing violation: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-18-11042019113724298-ntuser.dat"
11/05/19	" 00:43:34.469"	47183359	13d8	17b8	ERROR	FileSystemUtils	mb::common::io::FileSystemUtils::Delete	"filesystemutils.cpp"	184	"File access error: sharing violation: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-18-11042019113724298-ntuser.dat.LOG1"
11/05/19	" 00:43:34.469"	47183359	13d8	17b8	ERROR	FileSystemUtils	mb::common::io::FileSystemUtils::Delete	"filesystemutils.cpp"	184	"File access error: sharing violation: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-18-11042019113724298-ntuser.dat.LOG2"
11/05/19	" 00:43:34.469"	47183359	13d8	17b8	ERROR	FileSystemUtils	mb::common::io::FileSystemUtils::Delete	"filesystemutils.cpp"	184	"File access error: sharing violation: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-19-11042019113723211-ntuser.dat"
11/05/19	" 00:43:34.469"	47183359	13d8	17b8	ERROR	FileSystemUtils	mb::common::io::FileSystemUtils::Delete	"filesystemutils.cpp"	184	"File access error: sharing violation: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-19-11042019113723211-ntuser.dat.LOG1"
11/05/19	" 00:43:34.469"	47183359	13d8	17b8	ERROR	FileSystemUtils	mb::common::io::FileSystemUtils::Delete	"filesystemutils.cpp"	184	"File access error: sharing violation: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-19-11042019113723211-ntuser.dat.LOG2"
11/05/19	" 00:43:34.469"	47183359	13d8	17b8	ERROR	FileSystemUtils	mb::common::io::FileSystemUtils::Delete	"filesystemutils.cpp"	184	"File access error: sharing violation: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-20-11042019113723264-ntuser.dat"
11/05/19	" 00:43:34.469"	47183359	13d8	17b8	ERROR	FileSystemUtils	mb::common::io::FileSystemUtils::Delete	"filesystemutils.cpp"	184	"File access error: sharing violation: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-20-11042019113723264-ntuser.dat.LOG1"
11/05/19	" 00:43:34.469"	47183359	13d8	17b8	ERROR	FileSystemUtils	mb::common::io::FileSystemUtils::Delete	"filesystemutils.cpp"	184	"File access error: sharing violation: C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-20-11042019113723264-ntuser.dat.LOG2"

I am not certain how much I am allowed to say as much of this crosses into the territory of Malwarebytes' proprietary information, so I will simply give you this: take note of the names of the files listed above as well as the file extension .DAT, and if you really know your stuff when it comes to Windows and the registry then you should have a pretty good idea of what is going on at least in a basic sense and that should answer most of your questions.

11 hours ago, exile360 said:

I am not certain how much I am allowed to say as much of this crosses into the territory of Malwarebytes' proprietary information, so I will simply give you this: take note of the names of the files listed above as well as the file extension .DAT, and if you really know your stuff when it comes to Windows and the registry then you should have a pretty good idea of what is going on at least in a basic sense and that should answer most of your questions.

OK, I see that these files are copies of the user registry hives and I guess they can't be deleted while they are loaded. But if MB was able to load them, it should be able to unload them as well before deleting the corresponding files. Maybe it's related to UAC? UAC is disabled on my system.

That is a possibility, but I wouldn't think so if only because Malwarebytes' driver and service used for scans runs as the SYSTEM account which has highest privileges automatically (higher than admin), not to mention the fact that when Malwarebytes installs it configures its own data folder so that it has full read/write access to it.

That said, some kind of permissions issue is possible, and I do know that UAC being disabled can mess with Malwarebytes and other programs since Malwarebytes, like most modern software, is designed to be fully UAC compliant and compatible.  However, there are many users who disable UAC and I don't recall ever hearing of an issue like this before, so my suspicion is that there was some other variable involved that prevented Malwarebytes from either manipulating the backups, or the live registry hives themselves.  It could be as simple as some other program or tool on the system that monitors and/or backs up the registry or that was writing to one of those hives/keys at the time, or perhaps even a program that was analyzing what Malwarebytes was doing and checking the files that Malwarebytes created in its data folder, thus preventing them from being manipulated by Malwarebytes.  Either way LiquidTension should be able to determine what occurred and what the cause was with your help, and I'm sure the Developers will most likely be able to prevent this issue in future releases once he does.

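The two posts above reason about why the copied hive files could not be deleted (they are still loaded) and why they could not be unloaded (something else holds a handle into them). The script below is an added example, not code from Malwarebytes or from anyone in this thread; it reproduces both conditions with a throwaway hive so the sharing-violation error in the log and the refused unload can be seen in isolation. It assumes an elevated prompt (reg load/unload need the backup and restore privileges administrators hold), that C:\Users\Default\NTUSER.DAT exists and is not itself loaded, and the temporary subkey name HiveLockDemo is arbitrary.

```powershell
# Added example, not code from Malwarebytes or from the original post.
# Steps:
#   1. load a copy of a hive under a temporary HKU subkey,
#   2. try to delete the backing file while loaded (sharing violation, the
#      same error FileSystemUtils::Delete reports in the log),
#   3. hold a handle to a key inside the hive and try to unload (refused),
#   4. close the handle, unload, and delete.
# Assumptions: elevated prompt; C:\Users\Default\NTUSER.DAT is present and not
# loaded (normal on a standard install); subkey name is arbitrary.

$subKey = 'HiveLockDemo'
$work   = Join-Path $env:TEMP ('hivedemo-' + [guid]::NewGuid().ToString('N'))
$hive   = Join-Path $work 'ntuser.dat'

New-Item -ItemType Directory -Path $work | Out-Null
Copy-Item -Path (Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT') -Destination $hive

# Step 1: mount the copy. reg.exe load creates ntuser.dat.LOG1/.LOG2 beside it,
# which is why the log above shows three locked files per hive.
& reg.exe load "HKU\$subKey" $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE); run from an elevated prompt" }
"loaded $hive as HKU\$subKey"

# Step 2: the kernel keeps the hive file open with no sharing while it is
# loaded, so a delete fails until the hive is unloaded.
try {
    Remove-Item -Path $hive -Force -ErrorAction Stop
    "delete while loaded: succeeded (unexpected)"
} catch {
    "delete while loaded: $($_.Exception.Message)"
}

# Step 3: an open handle to any key in the hive (here from this process) makes
# the unload, requested from another process, fail. This is the state the
# staff reply describes: the hive stays mounted, so its stale values are still
# visible to a scan even after the real user hive was cleaned.
$held = [Microsoft.Win32.Registry]::Users.OpenSubKey($subKey)
& reg.exe unload "HKU\$subKey" | Out-Null
"unload with handle open: exit code $LASTEXITCODE (non-zero means still loaded)"

# Step 4: release the handle; the unload now succeeds and the files go away.
$held.Dispose()
& reg.exe unload "HKU\$subKey" | Out-Null
"unload after handle closed: exit code $LASTEXITCODE"
Remove-Item -Path $work -Recurse -Force
"deleted $work"
```

When a hive refuses to unload on a real system, the question is which process holds the handle. Sysinternals Handle (`handle.exe -a <substring>`) or Process Explorer's Find Handle search every process's handle table for an object name containing the substring, and registry key handles are named after the mounted root (\REGISTRY\USER\<subkey>), so searching for the HKU subkey name, or the hive file name, identifies the holder.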