deleted item not in quarentine

[wyrmrider]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

ani idea wht this is and why it would not be in quarentine?

is it a symptom of anything else?

this was the only item found

subsequent Spybot and avast scans found nothing

system has windows defender

vista 32 bit comodo firewall IE (former AOL) user

[yardbird]

I also posted "almost" the same comments. Never got an answer?, 10 days ago..

[EliteKiller]

Registry keys should be quarantined.

[beck]

I think there is a quarantine issue. See my post in the Quarantine thread.

[JeanInMontana]

Sorry you didn't get a reply yardbird that is not the norm here. http://www.malwarebytes.org/forums/index.php?showtopic=5699 addresses part of this issue.

[Raid]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

ani idea wht this is and why it would not be in quarentine?

is it a symptom of anything else?

If this is something you set yourself, just right click ignore in the future. Quarantining these is really resetting back to default value, no restriction. If you want to re-enable it, just set the policy key back. Which was disable ShowSearch from your start menu. If you didn't set it, then you probably wouldn't want to re-enable it. The long and short, we don't store the policy key settings; We detect some, and offer the user the choice to remove them or tell the software to ignore them in the future and not bother you with detecting them.

most antivirus programs that I know of do not alert on policy settings being enforced on the PC from which they run. It's a dilemma for us, as we have no way of knowing if the policy is something the administrator of the PC wants, or if some malware set the policies to make things more difficult for the administrator and/or users of the machine.

[wyrmrider]

Thanks for the responses yardbird

Raid Jean Beck et all

First

I read Quarantined and removed as removed from the registry not removed from quarantine

why would MBAM quarantine something and then remove it- just remove it already

second kind of hard to reverse if not in quarantine

in this case I know nothing of this policy change

all instences I could find on google were mixed in with so many other problems that it was not possible to identify

Friends computer seems to be working fine without whatever this was

[nosirrah]

I will have to ask on this one but it could be that this is not a removal . All BAD:/GOOD: detections are a data swap , nothing is actually removed .

This is also not a file here , MBAM is reactivating the search button in the start menu , a common component disabled by malware .

MBAM cant tell if the user has done this intentionally so if you have , remove the search button again , run a scan and then tell MBAM to ignore this detection in the future .

[beck]

Hm,

Here's one with a named filed and nothing ever showed up in quarantine.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Downloaded Program Files\uninst.bat (Trojan.Agent) -> Quarantined and deleted successfully.

[wyrmrider]

thanks for the explanation nosirrah

Makes sense now just a policy change

I'll tell the owner