
MBAM detecting MWS



Hi guys,

I am handling a log from PCPitstop and have instructed my OP to use your product. I shall quote the issue here

http://forums.pcpitstop.com/index.php?/topic/196555-virusstealth-control-over-my-pc/page__view__findpost__p__1731522

To the best of my knowledge I ran all the previous scans as administrator, from the administrator desktop (mine).

Initially, when I logged off my desktop and logged onto my son's and ran MBAM from there, I didn't even think to right click it and run as administrator. That is when I first saw MBAM catch the MyWebSearch infected file.

After your recent instruction to clean the malware with MBAM, I ran it from my desktop (as admin) and it didn't find anything to clean, so I logged back on to my son's side and ran it from there (as admin) and again it found nothing. I ran it again but this time without admin privileges and that's when it located and cleaned the malware.

What may be the cause of this?

Thanks


  • Root Admin

Hello Conspire and welcome to Malwarebytes

That is normal expected behavior. The program only scans the HKCU keys of the account running the program.

So if you're logged on as an account with Admin rights you can scan and repair all of HKLM and your own HKCU keys. The program does not load up the profile hives of all the other accounts on the system.

If you log on to a limited account and scan then it will scan certain portions of the HKLM but it cannot repair them if there is a detection unless that limited user account has rights to modify the keys. It will also scan all of the current limited user's HKCU keys and those that it has permissions to modify it can repair. Files on disk as well that the account has modify rights to.

If that limited account then uses RUNAS of an Administrator account it will then scan HKLM and HKCU of the Administrator account not the Limited User account because you've told it to use the Administrator account.

However, in the vast majority of cases the first scan should be done with an Admin account so that it can detect and remove all file and registry infections. Then once that is done one can log on to any other accounts and do a scan to remove any leftover registry traces. The files that those traces point to will already have been removed by the Admin scan, thus only leaving behind a potential error dialog box because the registry may be telling it to load a file that no longer exists because the Admin scan has removed it. So the other accounts for all intents and purposes may only have potential registry traces left to remove.

If you have any other questions please let me know.
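
The per-account coverage described in the reply above can be checked on a given machine with the following added example, which is not part of the original thread or of Malwarebytes' own tooling. It lists each local profile, whether that account's registry hive is currently loaded under HKEY_USERS, and which one is the HKCU of the account running the script; the output column names are chosen here for illustration.

```powershell
# Added example: show which user registry hives exist on the machine and
# which single one is "HKCU" for the account running this script.
# Under RUNAS, the current identity is the RUNAS account, not the
# account that is logged on interactively.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$currentSid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

Get-ChildItem -Path $profileList |
    # Keep only real user accounts (local or domain SIDs), skip service SIDs
    Where-Object { $_.PSChildName -match '^S-1-5-21-' } |
    ForEach-Object {
        $sid = $_.PSChildName

        # Folder that holds this account's NTUSER.DAT (its HKCU hive on disk)
        $profilePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath

        # A hive is only reachable through the registry API while it is
        # loaded, which normally means the user is logged on
        $hiveLoaded = Test-Path -Path "Registry::HKEY_USERS\$sid"

        [pscustomobject]@{
            Sid           = $sid
            ProfilePath   = $profilePath
            HiveLoaded    = $hiveLoaded
            IsCurrentHKCU = ($sid -eq $currentSid)
        }
    } |
    Format-Table -AutoSize
```

Every row where `IsCurrentHKCU` is `False` is an account whose per-user keys a scan started from this session does not treat as HKCU, which is why the reply recommends a follow-up scan from each remaining account after the initial Admin scan.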
