Jump to content

Malwares appear in Registry Keys : 'Old Malwarebytes' vs 'New Malwarebytes'

Recommended Posts


I use both old and new Malwarebytes to check but with different results:

1. I used the 'Old Malwarebytes' scanning out the malwares and pressing 'remove' button; However, the malwares could not be cleanned even I repeated the precess;

2. I removed the 'Old Malwarebytes' and install the 'New Malwarebytes'.  The new one did not show such malwares;

3. I uninstalled the 'New Malwarebytes' and reinstalled the 'Old Malwarebytes'. Unfortunelately, the malwares appeared again.

So, please advise how to tackle the malwares issues.  Thanks.


Link to post
Share on other sites

15 minutes ago, Welcomeccl said:

I uninstalled the 'New Malwarebytes' and reinstalled the 'Old Malwarebytes'. Unfortunelately, the malwares appeared again.

The old version could be reporting false positives that have been fixed in the new version. Depending on which "old" veersion you were using it might not get updates any longer.

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.


  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply


Link to post
Share on other sites

  • Root Admin

Your system is running ESET antivirus which is decent antivirus.

What keys are you seeing or believe to be an infection?

Please export the keys and show us or show a screenshot


I'm officially off work until Tuesday, but will try to assist you before then if possible.


Link to post
Share on other sites

Dear AdvanceSetup,

Please find attached further information fo your review.

The 2 infected Registry Keys are as follows:

HKLM\Software\Microsoft\Windows NT\CurrrentVersion\Image File Execution Options\MRT.exe

HKLM\Software\Microsoft\Windows NT\CurrrentVersion\Image File Execution Options\MsMpEng.exe




mbam-log-2022-08-30 (09-25-45).txt mbam-log-2022-09-01 (10-05-18).txt

Link to post
Share on other sites

15 minutes ago, Welcomeccl said:

Further scanning by old version on 3 Sep 2022 after testing the new version.

Version 1.6 was discontinued and no further development/updates was done on it since way before Windows 10 or 11 were even conceived.

The database of your old version is from 2011.


Database version: v2011.12.24.05

You need to stop being paranoid and stop using that version period.

Link to post
Share on other sites

  • Root Admin

Please follow the directions from @Porthos and uninstall all versions of Malwarebytes @Welcomeccl

Make sure you write down your license key first though so you know what it is.

Then install the latest version

MB4 Offline Installer


  • Like 1
Link to post
Share on other sites

  • Root Admin

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.



When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download






  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.


Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here each time
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.



Link to post
Share on other sites

  • Root Admin

You have the following security software installed.

ESET Security
Huorong Internet Security
Malwarebytes version

Please make sure there are no conflicts between any of these programs.


The logs do not appear to show any obvious signs of an infection, but you do have quite a few drivers that may potentially be suspicious.
You would need to boot into the Recovery Environment and then copy those files to a new folder.

Then upload them to https://virustotal.com and have them scan them to see if they're bad or not.


S3 0d; system32\DRIVERS\0d.sys [X]
S3 4OETA0QNsITk; system32\DRIVERS\4OETA0QNsITk.sys [X]
S3 5VirSLpaswph; system32\DRIVERS\5VirSLpaswph.sys [X]
S3 7E4F37RLAa; system32\DRIVERS\7E4F37RLAa.sys [X]
S3 7Ky_HgiJBn; system32\DRIVERS\7Ky_HgiJBn.sys [X]
S3 ayvbgj8q_; system32\DRIVERS\ayvbgj8q_.sys [X]
S3 Byu; system32\DRIVERS\Byu.sys [X]
S3 CWDlpj3aCJUBxnz; system32\DRIVERS\CWDlpj3aCJUBxnz.sys [X]
S3 CWxTbZ9F; system32\DRIVERS\CWxTbZ9F.sys [X]
S3 iutJ78dkLWTp; system32\DRIVERS\iutJ78dkLWTp.sys [X]
S3 jI396l6aCa; system32\DRIVERS\jI396l6aCa.sys [X]
S3 kuJKeTgUppyoRl0; system32\DRIVERS\kuJKeTgUppyoRl0.sys [X]
S3 QYe8VQ9Ik; system32\DRIVERS\QYe8VQ9Ik.sys [X]
S3 rI2ipccM; system32\DRIVERS\rI2ipccM.sys [X]
S3 WhkBpQGAiAfocV9; system32\DRIVERS\WhkBpQGAiAfocV9.sys [X]
S3 xgdFicGthYmH; system32\DRIVERS\xgdFicGthYmH.sys [X]
S3 XOIjfTrd99tnX8; system32\DRIVERS\XOIjfTrd99tnX8.sys [X]
S3 XSIayLU; system32\DRIVERS\XSIayLU.sys [X]


Link to post
Share on other sites

  • Root Admin

No, ignore those items quarantined. They are PUP (Possibly Unwanted Programs) and do not belong on your computer

Yes, the default folder path for those other files is C:\Windows\System32\drivers

But sometimes those drivers are hidden and cannot be see from within a running copy of Windows.

We can run another antivirus scanner though and see if it finds any other issues for us.



Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan


Select the  image.png  Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.


add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"


In the new window select "Change Parameters"


In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"


Attach the report information as previously instructed...
Thank you



Link to post
Share on other sites

  • Root Admin

Yes, that's okay. Those are processes that are running normally

I don't believe the computer is infected, but since you're wanting to run scans to check or double-check I'm providing such scans for you.



Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.


Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3



Link to post
Share on other sites

  • Root Admin

Overall things look much better. Let me have  you run the following @Welcomeccl



SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt






Thank you



Link to post
Share on other sites

  • Root Admin

Please update, uninstall, or otherwise address the following as appropriate for your system.


------------------------------ [ ArchAndFM ] ------------------------------

WinRAR 6.02 (64-位) v.6.02.0 Warning! Download Update

-------------------------- [ IMAndCollaborate ] ---------------------------

Microsoft Teams v. Warning! Download Update

Zoom v.5.9.1 (2581) Warning! Download Update


-------------------------------- [ Media ] --------------------------------

K-Lite Codec Pack 16.0.5 Basic v.16.0.5 Warning! Download Update

--------------------------- [ AdobeProduction ] ---------------------------

Adobe Acrobat 5.0 Warning! This software is no longer supported. Please uninstall it and use Adobe Acrobat DC.

---------------------------- [ UnwantedApps ] -----------------------------
CCleaner v.6.03 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program.
----------------------------- [ End of Log ] ------------------------------





Then click on START and type in "Check for updates" and allow Windows to scan for and install any updates found.


Keep me posted on the status




Link to post
Share on other sites

  • Root Admin

All the scans look to be clean at this point. The computer is not showing signs of an infection.


Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)


  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin


Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes


Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.