villandra

Question about registry entries and virus infection


I ran SuperAntiSpyware and a few other things. Because nothing but Vipre, which you're lucky if it finds even part of a virus, would run, I actually removed most of the TrojanWin32.FakeAv.oq virus manually by deleting files that were created at that time and the file that ran the process. Only one registry entry - or three if you count three disabled security alerts that SuperAntiSpyware found - has been found, suggesting that there are more. There were of course also the ones responsible for disabling every exe file on the computer, and messing up the shortcuts, but that's all been fixed.

My problem is that I selectively can't install the service for Malwarebytes Malware. That means the program won't run. Their tech support is pretty much useless. If you need to hear back from them tonight they will spend from now until Dec 2012 making you jump through hoops in order to be ignored on the right forum. The service does not appear in services.msc or the services tab in msconfig. I've uninstalled and rebooted and run Malwarebytes' cleaner file and rebooted and reinstalled and rebooted; nothing works. The cleaner file allegedly removes all traces of the program from your computer, and it didn't even remove all the files.

I'm posting this question here because of all the places on the Internet it looks like there are people here who would know the answer.

Here is what I found in my Windows registry (Windows XP Pro Service Pack 3), AFTER uninstalling and running the cleaner to remove every trace of the program from my computer.

I want to know what these entries are and if I should delete them.

HKEY_LOCAL_MACHINE

System

Control Set 002 (after folder for Control Set 001 w/ + in front of it)

Enum

Root

LEGACY_MBAMCHAMELEON Default REG_SZ (value not set)

NextInstance REG_DWORD 0x00000001 (1)

0000 (Default) REG_SZ (value not set)

Class " LegacyDriver

ClassGUID " {BECCO55D-047F-11D1-AS37-0000F8753ED1}

ConfigFlags REG_DWORD 0x00000000 (0)

Device Desc REG_SZ mbamchameleon

Legacy REG_DWORD 0x00000001 (1)

Service REG_SZ mbamchameleon

LEGACY_MBAMPROTECTOR {Default} REG_SZ (value not set)

NextInstance REG_DWORD 0x00000001(1)

0000 - values the same as above except MBAMProtector instead of mbamchamelon

LEGACY_MBAMSERVICE same values as above.

0000 same values as above except MBAMService

LEGACY_MBAMSWISSARMY same values as above. 0x00000001 (1)

----------------------------------------

There was also this value, which I removed; it refers to a file that is no longer in E:\Program Files.

HKEY_CURRENT_USER

Software

Microsoft

Windows

ShellNoRoam/ MUI Cache

E:\ Program Files\REG_SZ Malabytes Anti-Malware

ControlSet003 - the same entries.

CurrentControlSet the same entries.

HKEY_USERS

5-1-5-21-4 long series numbers and dashes

Software

Microsoft

Windows

Current Version

Applets

Regedit

{Default} REG_SZ (value not set)

FindFlags REG_DWORD 0x0000000e (14)

LastKey REG_SZ My computer]HKEY_LOCALMACHINE]SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShExt

View REG_BINARY 2c long strings of numbers. /f, ae, et.

HKEY_CURRENT_USERS

everything above except the line 5-1-5-21 etc.

I also ran Hijack This and a utility of Malwarebytes' that identifies running processes and registry entries, if there is anyone here who should want to see them. But I most want to know what to do with these registry entries.

Thanks!
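As an added example (not from the poster, this forum, or Malwarebytes): the LEGACY_* keys under Enum\Root are the entries Windows keeps for legacy (non-PnP) drivers and services, and each one's 0000 subkey names the service it belongs to, so a leftover can be told from a live driver by checking whether the matching Services\<name> key still exists. The script below parses a constructed regedit .reg export (the sample is made up, using only the key and service names from the post; the ImagePath is a placeholder) and reports entries whose service key is gone.

```python
import re

# Constructed sample of a regedit .reg export; key and service names are from the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBAMCHAMELEON]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBAMCHAMELEON\0000]
"Class"="LegacyDriver"
"Service"="mbamchameleon"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBAMSERVICE\0000]
"Service"="MBAMService"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MBAMService]
"ImagePath"="E:\\Program Files\\PLACEHOLDER\\mbamservice.exe"
"""

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}; handles string and dword values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')  # split at the closing quote of the value name
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:
                keys[current][name] = raw.strip('"').replace("\\\\", "\\")  # undo .reg escaping
    return keys

# Matches Enum\Root\LEGACY_<name>\0000 under any control set; group 1 is the control-set prefix.
LEGACY_RE = re.compile(r"^(HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet))"
                       r"\\Enum\\Root\\(LEGACY_[^\\]+)\\0000$", re.IGNORECASE)

def find_orphaned_legacy_entries(keys):
    """Return {LEGACY key name: service name} for entries whose Services\\<name> key no longer exists."""
    lowered = {k.lower() for k in keys}  # registry paths are case-insensitive
    orphans = {}
    for path, values in keys.items():
        m = LEGACY_RE.match(path)
        if m and values.get("Service"):
            services_key = f"{m.group(1)}\\Services\\{values['Service']}"
            if services_key.lower() not in lowered:
                orphans[m.group(2)] = values["Service"]
    return orphans
```

A real export of HKEY_LOCAL_MACHINE\SYSTEM (File > Export in regedit, or `reg export`) is UTF-16 text on XP, so open it with encoding="utf-16" before passing it to parse_reg.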


I forgot to mention that I've installed and run three other antivirus programs including SuperAntiSpyware, and all of their services installed, and the programs ran successfully. Without finding very much.


Trying this again. I accidentally put a block of text in the middle of the page instead of at the end.

HKEY_LOCAL_MACHINE

System

Control Set 002 (after folder for Control Set 001 w/ + in front of it)

Enum

Root

LEGACY_MBAMCHAMELEON Default REG_SZ (value not set)

NextInstance REG_DWORD 0x00000001 (1)

0000 (Default) REG_SZ (value not set)

Class " LegacyDriver

ClassGUID " {BECCO55D-047F-11D1-AS37-0000F8753ED1}

ConfigFlags REG_DWORD 0x00000000 (0)

Device Desc REG_SZ mbamchameleon

Legacy REG_DWORD 0x00000001 (1)

Service REG_SZ mbamchameleon

LEGACY_MBAMPROTECTOR {Default} REG_SZ (value not set)

NextInstance REG_DWORD 0x00000001(1)

0000 - values the same as above except MBAMProtector instead of mbamchamelon

LEGACY_MBAMSERVICE same values as above.

0000 same values as above except MBAMService

LEGACY_MBAMSWISSARMY same values as above. 0x00000001 (1)

E:\ Program Files\REG_SZ Malabytes Anti-Malware

ControlSet003 - the same entries.

CurrentControlSet the same entries.

HKEY_USERS

5-1-5-21-4 long series numbers and dashes

Software

Microsoft

Windows

Current Version

Applets

Regedit

{Default} REG_SZ (value not set)

FindFlags REG_DWORD 0x0000000e (14)

LastKey REG_SZ My computer]HKEY_LOCALMACHINE]SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShExt

View REG_BINARY 2c long strings of numbers. /f, ae, et.

HKEY_CURRENT_USERS

everything above except the line 5-1-5-21 etc.

----------------------------------------

There was also this value, which I removed; it refers to a file that is no longer in E:\Program Files.

HKEY_CURRENT_USER

Software

Microsoft

Windows

ShellNoRoam/ MUI Cache


OK, now I got it right.

HKEY_LOCAL_MACHINE

System

Control Set 002 (after folder for Control Set 001 w/ + in front of it)

Enum

Root

LEGACY_MBAMCHAMELEON Default REG_SZ (value not set)

NextInstance REG_DWORD 0x00000001 (1)

0000 (Default) REG_SZ (value not set)

Class " LegacyDriver

ClassGUID " {BECCO55D-047F-11D1-AS37-0000F8753ED1}

ConfigFlags REG_DWORD 0x00000000 (0)

Device Desc REG_SZ mbamchameleon

Legacy REG_DWORD 0x00000001 (1)

Service REG_SZ mbamchameleon

LEGACY_MBAMPROTECTOR {Default} REG_SZ (value not set)

NextInstance REG_DWORD 0x00000001(1)

0000 - values the same as above except MBAMProtector instead of mbamchamelon

LEGACY_MBAMSERVICE same values as above.

0000 same values as above except MBAMService

LEGACY_MBAMSWISSARMY same values as above. 0x00000001 (1)

ControlSet003 - the same entries.

CurrentControlSet the same entries.

HKEY_USERS

5-1-5-21-4 long series numbers and dashes

Software

Microsoft

Windows

Current Version

Applets

Regedit

{Default} REG_SZ (value not set)

FindFlags REG_DWORD 0x0000000e (14)

LastKey REG_SZ My computer]HKEY_LOCALMACHINE]SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShExt

View REG_BINARY 2c long strings of numbers. /f, ae, et.

HKEY_CURRENT_USERS

everything above except the line 5-1-5-21 etc.

----------------------------------------

There was also this value, which I removed; it refers to a file that is no longer in E:\Program Files.

HKEY_CURRENT_USER

Software

Microsoft

Windows

ShellNoRoam/ MUI Cache

E:\ Program Files\REG_SZ Malabytes Anti-Malware

