villandra

Members
  • Content Count: 5
  • Rank: Newbie

About villandra
  1. I've seen A LOT of discussion online about whether this registry entry is likely to be malware or a false positive, and I can't find where any single person has ever gotten a straight answer, anywhere; not on this forum, and not on any other forum, particularly the Malwarebytes forum where no one ever gets a straight answer anyway. If I don't get one, I'll be giving SuperAntiSpyware bad reviews all over the place. That's an actual straight answer. I am cleaning up my brother's computer, and I don't want for instance to be removing his actual registry entry that works the Windows logon shell! I do NOT think so. A lot of people are reporting that no other antimalware ever finds this malware.trace registry key, and when other scans do find it, they find a lot more wrong besides. SuperAntiSpyware is notorious for false positives, so I hardly want to go deleting what only this program finds without specific reason to do so - especially when the tech forums are full of people who aren't convinced it is malware. One person reported that when he removed it, and some other stuff, his computer stopped functioning, which one might expect to happen if one removed the Windows logon shell. Here is the key.
     Malware.Trace HKU\S-1-5-21-1499385294-1294109063-3957283044-100\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL
     I'm finding this line all over the internet, with different numbers after 1-5-21 - just no one has ever gotten a straight answer on whether it's real or a false positive. How specifically would one recognize valid Windows registry Logon shell entries?
  2. OK, now I got it right.
     HKEY_LOCAL_MACHINE\System\ControlSet002 (after the folder for ControlSet001, with a + in front of it)\Enum\Root
       LEGACY_MBAMCHAMELEON
         (Default) REG_SZ (value not set)
         NextInstance REG_DWORD 0x00000001 (1)
         0000
           (Default) REG_SZ (value not set)
           Class "LegacyDriver"
           ClassGUID "{BECCO55D-047F-11D1-AS37-0000F8753ED1}"
           ConfigFlags REG_DWORD 0x00000000 (0)
           DeviceDesc REG_SZ mbamchameleon
           Legacy REG_DWORD 0x00000001 (1)
           Service REG_SZ mbamchameleon
       LEGACY_MBAMPROTECTOR
         (Default) REG_SZ (value not set)
         NextInstance REG_DWORD 0x00000001 (1)
         0000 - values the same as above except MBAMProtector instead of mbamchameleon
       LEGACY_MBAMSERVICE - same values as above.
         0000 - same values as above except MBAMService
       LEGACY_MBAMSWISSARMY - same values as above. 0x00000001 (1)
     ControlSet003 - the same entries.
     CurrentControlSet - the same entries.
     HKEY_USERS\S-1-5-21-(long series of numbers and dashes)\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
       (Default) REG_SZ (value not set)
       FindFlags REG_DWORD 0x0000000e (14)
       LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShExt
       View REG_BINARY 2c long strings of numbers. /f, ae, etc.
     HKEY_CURRENT_USER - everything above except the line S-1-5-21 etc.
     ----------------------------------------
     There was also this value, which I removed; it refers to a file that is no longer in E:\Program Files.
     HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
       E:\Program Files\ REG_SZ Malwarebytes Anti-Malware
  3. Trying this again. I accidentally put a block of text in the middle of the page instead of at the end. HKEY_LOCAL_MACHINE System ControlSet002 (after the folder for ControlSet001, with a + in front of it) Enum Root LEGACY_MBAMCHAMELEON (Default) REG_SZ (value not set) NextInstance REG_DWORD 0x00000001 (1) 0000 (Default) REG_SZ (value not set) Class "LegacyDriver" ClassGUID "{BECCO55D-047F-11D1-AS37-0000F8753ED1}" ConfigFlags REG_DWORD 0x00000000 (0) DeviceDesc REG_SZ mbamchameleon Legacy REG_DWORD 0x00000001 (1) Service REG_SZ mbamchameleon LEGACY_MBAMPROTECTOR (Default) REG_SZ (value not set) NextInstance REG_DWORD 0x00000001 (1) 0000 - values the same as above except MBAMProtector instead of mbamchameleon LEGACY_MBAMSERVICE same values as above. 0000 same values as above except MBAMService LEGACY_MBAMSWISSARMY same values as above. 0x00000001 (1) E:\Program Files\ REG_SZ Malwarebytes Anti-Malware ControlSet003 - the same entries. CurrentControlSet the same entries. HKEY_USERS S-1-5-21-(long series of numbers and dashes) Software Microsoft Windows CurrentVersion Applets Regedit (Default) REG_SZ (value not set) FindFlags REG_DWORD 0x0000000e (14) LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShExt View REG_BINARY 2c long strings of numbers. /f, ae, etc. HKEY_CURRENT_USER everything above except the line S-1-5-21 etc. ---------------------------------------- There was also this value, which I removed; it refers to a file that is no longer in E:\Program Files. HKEY_CURRENT_USER Software Microsoft Windows ShellNoRoam\MUICache
  4. I forgot to mention that I've installed and run three other antivirus programs including SuperAntiSpyware, and all of their services installed, and the programs ran successfully. Without finding very much.
  5. I ran SuperAntiSpyware and a few other things. Because nothing but Vipre, which you're lucky if it finds even part of a virus, would run, I actually removed most of the TrojanWin32.FakeAv.oq virus manually by deleting files that were created at that time and the file that ran the process. Only one registry entry - or three if you count three disabled security alerts that SuperAntiSpyware found - have been found, suggesting that there are more. There were of course also the ones responsible for disabling every exe file on the computer, and messing up the shortcuts, but that's all been fixed. My problem is that I selectively can't install the service for Malwarebytes Anti-Malware. That means the program won't run. Their tech support is pretty much useless. If you need to hear back from them tonight they will spend from now until Dec 2012 making you jump through hoops in order to be ignored on the right forum. The service does not appear in services.msc or the services tab in msconfig. I've uninstalled and rebooted and run Malwarebytes' cleaner file and rebooted and reinstalled and rebooted, nothing works. The cleaner file allegedly removes all traces of the program from your computer and it didn't even remove all the files. I'm posting this question here because of all the places on the Internet it looks like there are people here who would know the answer. Here is what I found in my Windows registry (Windows XP Pro Service Pack 3), AFTER uninstalling and running the cleaner to remove every trace of the program from my computer. I want to know what these entries are and if I should delete them.
     HKEY_LOCAL_MACHINE\System\ControlSet002 (after the folder for ControlSet001, with a + in front of it)\Enum\Root
       LEGACY_MBAMCHAMELEON
         (Default) REG_SZ (value not set)
         NextInstance REG_DWORD 0x00000001 (1)
         0000
           (Default) REG_SZ (value not set)
           Class "LegacyDriver"
           ClassGUID "{BECCO55D-047F-11D1-AS37-0000F8753ED1}"
           ConfigFlags REG_DWORD 0x00000000 (0)
           DeviceDesc REG_SZ mbamchameleon
           Legacy REG_DWORD 0x00000001 (1)
           Service REG_SZ mbamchameleon
       LEGACY_MBAMPROTECTOR
         (Default) REG_SZ (value not set)
         NextInstance REG_DWORD 0x00000001 (1)
         0000 - values the same as above except MBAMProtector instead of mbamchameleon
       LEGACY_MBAMSERVICE - same values as above.
         0000 - same values as above except MBAMService
       LEGACY_MBAMSWISSARMY - same values as above. 0x00000001 (1)
     ----------------------------------------
     There was also this value, which I removed; it refers to a file that is no longer in E:\Program Files.
     HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
       E:\Program Files\ REG_SZ Malwarebytes Anti-Malware
     ControlSet003 - the same entries.
     CurrentControlSet - the same entries.
     HKEY_USERS\S-1-5-21-(long series of numbers and dashes)\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
       (Default) REG_SZ (value not set)
       FindFlags REG_DWORD 0x0000000e (14)
       LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShExt
       View REG_BINARY 2c long strings of numbers. /f, ae, etc.
     HKEY_CURRENT_USER - everything above except the line S-1-5-21 etc.
     I also ran HijackThis and a utility of Malwarebytes' that identifies running processes and registry entries, if there is anyone here who should want to see them. But I most want to know what to do with these registry entries. Thanks!
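The first post above asks how to tell a legitimate Winlogon Shell entry (the key the scanner reported as HKU\S-1-5-21-...\...\WINLOGON with its SHELL value) from a planted one. The PowerShell check below is an added example, not something posted in this thread: it reads the Shell value machine-wide and under every user hive and reports whether each one matches the stock Windows default, explorer.exe. It assumes PowerShell 2.0 or later run with rights to read HKEY_USERS; the `Read-ShellValue` and `Get-WinlogonShellReport` function names are the example's own.

```powershell
# Added example (not from this thread): report every Winlogon 'Shell' value and
# whether it matches the stock Windows default, so a scanner's one-line report can
# be compared with what the registry actually contains before anything is deleted.
# Assumes PowerShell 2.0+ and rights to read HKEY_USERS (run from an elevated prompt).
$ExpectedShell = 'explorer.exe'
$WinlogonKey   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Read-ShellValue([string]$Path) {
    # Returns the Shell value as a string, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name Shell -ErrorAction SilentlyContinue
    if ($item -ne $null) { return [string]$item.Shell }
    return $null
}

function Get-WinlogonShellReport {
    $report = @()

    # Machine-wide Shell: expected to exist and to be exactly explorer.exe.
    $value = Read-ShellValue "HKLM:\$WinlogonKey"
    if ($value -eq $null) { $verdict = 'missing (Windows falls back to explorer.exe)' }
    elseif ($value.Trim() -ieq $ExpectedShell) { $verdict = 'default' }
    else { $verdict = 'NON-DEFAULT: identify the program this points to before acting' }
    $report += New-Object PSObject -Property @{ Location = 'HKLM'; Shell = $value; Verdict = $verdict }

    # Per-user Shell under HKU\<SID>\...\Winlogon: normally absent. A value here replaces
    # the shell for that user only, which is why scanners list it as an autostart location.
    $userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $userHives) {
        $sid   = $hive.PSChildName
        $value = Read-ShellValue "Registry::HKEY_USERS\$sid\$WinlogonKey"
        if ($value -eq $null) { $verdict = 'absent (default for a user hive)' }
        elseif ($value.Trim() -ieq $ExpectedShell) { $verdict = 'set to the default shell: unusual but harmless' }
        else { $verdict = 'NON-DEFAULT: identify the program this points to before acting' }
        $report += New-Object PSObject -Property @{ Location = "HKU\$sid"; Shell = $value; Verdict = $verdict }
    }
    return $report
}

Get-WinlogonShellReport | Format-Table Location, Shell, Verdict -AutoSize
```

A shell replacement (kiosk builds, alternative desktop shells) is a legitimate reason for a non-default value, so the report flags entries for a manual look rather than removing them.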