villandra

Is this probably a false positive?


I've seen A LOT of discussion online about whether this registry entry is likely to be malware or a false positive, and I can't find where any single person has ever gotten a straight answer, anywhere; not on this forum, and not on any other forum, particularly the Malwarebytes forum where no one ever gets a straight answer anyway. If I don't get one, I'll be giving SuperAntiSpyware bad reviews all over the place. That's an actual straight answer. I am cleaning up my brother's computer, and I don't want for instance to be removing his actual registry entry that works the Windows logon shell! I do NOT think so.


A lot of people are reporting that no other antimalware ever finds this malware.trace registry key, and when other scans do find it, they find a lot more wrong besides.


SuperAntiSpyware is notorious for false positives, so I hardly want to go deleting what only this program finds without specific reason to do so - especially when the tech forums are full of people who aren't convinced it is malware.


One person reported that when he removed it, and some other stuff, his computer stopped functioning, which one might expect to happen if one removed the Windows logon shell.   


Here is the key.


Malware.Trace


HKU\S-1-5-21-1499385294-1294109063-3957283044-100\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL


I'm finding this line all over the internet, with different numbers after 1-5-21 - just no one has ever gotten a straight answer on whether it's real or a false positive.


How specifically would one recognize valid Windows registry Logon shell entries?   


The numbers after S-1-5-21 correspond to the user ID on your computer (which is why it's different for others).


I believe the presence of the Shell value within the Winlogon registry key is "unusual", which is why it's classified as a malware trace; it's the junk that's often left behind after an infection. It's possible that something is re-adding it on your machine, or that something legitimate is creating that value (though it's odd) or it simply isn't getting removed correctly. If you open up regedit.exe and find that value, you could see the file that is putting itself in there.

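The check the reply above describes (open the Winlogon key and look at what the Shell value points to) can be scripted so it covers the machine hive and every loaded user hive at once. The following PowerShell is an added example, not code from either poster or from SuperAntiSpyware. It assumes the Windows default: the machine-wide value `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell` is `explorer.exe`, and the per-user copy under `HKU\<SID>\...\Winlogon\Shell` is normally absent (when present it overrides the machine default for that account). Anything else is reported along with the Authenticode signature status of the program it launches, so the reader can see exactly which file is being started at logon before deciding whether to remove the value.

```powershell
# Added example (not from the forum thread): enumerate the Winlogon "Shell" value
# in HKLM and in every loaded user hive under HKEY_USERS, compare it with the
# Windows default, and resolve each launched program to a file and its signature.
# Run from an elevated PowerShell prompt; read-only, nothing is changed.

$WinlogonSubKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$DefaultShell   = 'explorer.exe'   # assumption: the stock Windows default

function Resolve-ShellPrograms {
    # The Shell value may list several programs separated by commas; each entry may
    # carry quotes and arguments. Return one object per program with its signature status.
    param([string]$ShellValue)
    foreach ($entry in ($ShellValue -split ',')) {
        $token = $entry.Trim()
        if (-not $token) { continue }
        $exe = ($token -split '\s+')[0].Trim('"')
        # A bare file name (e.g. explorer.exe) is looked up in %SystemRoot%, as Winlogon does.
        $path = if (Test-Path -LiteralPath $exe) { $exe } else { Join-Path $env:SystemRoot $exe }
        $sig  = if (Test-Path -LiteralPath $path) {
                    (Get-AuthenticodeSignature -FilePath $path).Status
                } else { 'FileNotFound' }
        [pscustomobject]@{ Program = $token; ResolvedPath = $path; Signature = $sig }
    }
}

function Get-WinlogonShell {
    # Machine-wide value: expected to be exactly "explorer.exe".
    $hklm = Get-ItemProperty -Path "HKLM:\$WinlogonSubKey" -Name Shell -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive    = 'HKLM'
        Account = '(all users)'
        Shell   = $hklm.Shell
        Status  = if ($hklm.Shell -eq $DefaultShell) { 'Default' } else { 'REVIEW: non-default machine shell' }
    }

    # Per-user values: only hives of currently loaded profiles appear under HKEY_USERS.
    $userSids = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

    foreach ($hive in $userSids) {
        $sid = $hive.PSChildName
        $account = try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { '(unresolved SID)' }

        $userKey = "Registry::HKEY_USERS\$sid\$WinlogonSubKey"
        $shell = (Get-ItemProperty -Path $userKey -Name Shell -ErrorAction SilentlyContinue).Shell

        [pscustomobject]@{
            Hive    = "HKU\$sid"
            Account = $account
            Shell   = $shell
            Status  = if ($null -eq $shell) { 'Default (value absent)' }
                      elseif ($shell -eq $DefaultShell) { 'Present but harmless (same as default)' }
                      else { 'REVIEW: per-user shell override' }
        }
    }
}

$results = Get-WinlogonShell
$results | Format-Table -AutoSize

# For every non-default entry, show which files would actually be launched at logon.
foreach ($r in $results | Where-Object { $_.Status -like 'REVIEW*' }) {
    Write-Host "`n$($r.Hive) ($($r.Account)) launches:"
    Resolve-ShellPrograms -ShellValue $r.Shell | Format-Table -AutoSize
}
```

Two caveats when reading the output. First, a user's hive is only present under HKEY_USERS while that profile is loaded, so to inspect an account that is not logged on you would load its NTUSER.DAT in regedit (or sign in as that user) and run the check again. Second, a per-user Shell value that merely repeats `explorer.exe` is harmless but still unusual, which matches the reply above: it is the kind of leftover a scanner flags as a trace, and the file it points to, not the mere presence of the value, is what tells you whether anything is still wrong.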
Guest
This topic is now closed to further replies.
