Jump to content

MBAM detecting MWS

Recommended Posts

Hi guys,

I am handling a log from PCPitstop and have instructed my OP to use your product. I shall quote the issue here


To the best of my knowledge I ran all the previous scans as administrator, from the administrator desktop (mine).

Initially, when I logged off my desktop and logged onto my sons and ran MBAM from there, I didn't even think to right click it and run as administrator. That is when I first saw MBAM catch the MyWebSearch infected file.

After your recent instruction to clean the malware with MBAM, I ran it from my desktop (as admin) and it didn't find anything to clean, so I logged back on to my sons side and ran it from there (as admin) and again it found nothing. I ran it again but this time without admin priveledges and that's when it located and cleaned the malware.

What may be the cause of this?


Link to post
Share on other sites

  • Root Admin

Hello Conspire and welcome to Malwarebytes

That is normal expected behavior. The program only scans the HKCU keys of the account running the program.

So if you're logged on as an account with Admin rights you can scan and repair all of HKLM and your own HKCU keys. The program does not load up the profile hives of all the other accounts on the system.

If you logon to a limited account and scan then it will scan certain portions of the HKLM but it cannot repair them if there is a detection unless that limited user account has rights to modify the keys. It will also scan all of the current limited users HKCU keys and those that it has permissions to modify it can repair. Files on disk as well that the account has modify rights to.

If that limited account then uses RUNAS of an Administrator account it will then scan HKLM and HKCU of the Administrator account not the Limited User account because you've told it to use the Administrator account.

However, in the vast majority of cases the first scan should be done with an Admin account so that it can detect and remove all file and registry infections. Then once that is done one can logon to any other accounts and do a scan to remove any left over registry traces. The files that those traces point to will already have been removed by the Admin scan thus only leaving behind a potential error dialog box because the registry may be telling it to load a file that no longer exists because the Admin scan has removed it. So the other accounts for all intensive purposes may only have potential registry traces left to remove.

If you have any other questions please let me know.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.