Using the Endpoint Cloud Product here. I have an Endpoint which sends a report on the daily scan that it detects and removes something called "Adware.Ghokswa" Reg Key.  I have attached the email.

This same detection occurs daily, and it cannot seem to completely eradicate it.  Any ideas why this is found every day?  Is a legitimate software installing this key and this is actually a false positive?

Thanks for any input.




On 10/28/2020 at 1:36 PM, exile360 said:


Please post the scan report, accessible by clicking the Scan Report link listed in the above dialog so that we may take a look.


Scan Report: 11/03/2020  4:00:02 AM
Scan Log Details	
Endpoint name:	xxxxx.xxxxx.com
Scan date and time:	11/03/2020 4:00:02 AM
Component package version:	1.0.652
Protection update version:	1.0.18820
OS:	Windows Server 2012
CPU:	x64
File system type:	NTFS
Logged-in user:	xxxxx\xxxxx
Scan Summary	
Scan Type:	Threat
Result:	Completed
Objects scanned:	279969
Time elapsed:	0h 14m 48s
Processes:	0
Modules:	0
Registry keys:	1
Registry values:	0
Registry data:	0
Folders:	0
Files:	0
Scan Options	
Memory:	True
Startup:	True
File system:	True
Rootkits:	True
Heuristics:	True
Archives:	True
PUM:	True
PUP:	True
Threats Found
Name	Type	Location	Action	ID
Adware.Ghokswa	Registry Key	HKLM\SOFTWARE\WOW6432NODE\BIRDEYE	Quarantined	66f8770e-1dbb-11eb-a228-109836a0bf9f

This is the same detection every night during the automated scan at 4 AM.

Edited by ktechno1

Thank you.  I've asked that this thread be moved to the FP area so that a member of Research may check to verify whether or not this is indeed a false positive (I suspect that it may be since it is the only item being detected).

In the meantime, have you had a chance to open the registry on the affected endpoint and verify that the key exists and tried deleting it by hand?  If not, that may be worth a try since it could simply be a permissions issue or something similar causing Malwarebytes to fail to remove it, resulting in the repeated detections with each scan.  You can create a backup of the key by exporting it in case it does turn out to be a false positive so that you don't risk damaging any legitimate application's installation.

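The manual check suggested in the reply above, as an added PowerShell example that is not part of the original thread and is not Malwarebytes tooling. It takes the key path from the scan report; the backup directory is an assumption, and the script is meant for an elevated 64-bit PowerShell session on the affected endpoint.

```powershell
# Added example: inspect, back up, then remove the key named in the scan report.
$KeyPath   = 'HKLM:\SOFTWARE\WOW6432Node\BIRDEYE'   # key from the scan report
$RegPath   = 'HKLM\SOFTWARE\WOW6432Node\BIRDEYE'    # same key in reg.exe syntax
$BackupDir = 'C:\Temp\regbackup'                    # assumed backup location

if (-not (Test-Path -Path $KeyPath)) {
    Write-Output "Key not present: $KeyPath"
    return
}

# 1. List values and subkeys; their contents usually point at the software
#    that owns the key, which helps decide whether the detection is a false positive.
$key = Get-Item -Path $KeyPath
"Values : {0}" -f ($key.GetValueNames()  -join ', ')
"Subkeys: {0}" -f ($key.GetSubKeyNames() -join ', ')
Get-ItemProperty -Path $KeyPath | Format-List

# 2. Show owner and access rules. A Deny entry, or an owner that grants
#    Administrators/SYSTEM no delete right, would explain a failed removal.
$acl = Get-Acl -Path $KeyPath
"Owner  : $($acl.Owner)"
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Export the key before touching it, so it can be restored with
#    'reg import' if the detection turns out to be a false positive.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("BIRDEYE_{0:yyyyMMdd_HHmmss}.reg" -f (Get-Date))
& reg.exe export $RegPath $backup /y
if ($LASTEXITCODE -ne 0) {
    throw "Export failed (reg.exe exit code $LASTEXITCODE); key left untouched."
}

# 4. Delete by hand. -Confirm prompts before the key is removed.
try {
    Remove-Item -Path $KeyPath -Recurse -Confirm -ErrorAction Stop
    if (-not (Test-Path -Path $KeyPath)) { "Removed. Backup saved to $backup" }
} catch {
    # A permissions problem surfaces here rather than failing silently.
    "Removal failed: $($_.Exception.Message)"
}
```

Running the `Test-Path` check again before the next scheduled scan shows whether the key has been recreated since the manual deletion.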
