Infected registry found by MBAM

FranzB · 20 Sep 2011

Hi

W7 Home 64bit - Windows firewall (highest settings) - MSE (real time protection)
Browser: Firefox in safe mode but IE is still on the computer since i use Windows Live Mail.

MBAM found an infection, quick scan, admin rights:
Malware.Trace: Registry value HKEY_current_user_software\Microsoft\currentversion\Policies\Explorer\DisallowCpl|1

I put it in quarantine.

Next day i had some time and restored the infection. Then i ran (quick) scans with MSE, MBAM and SuperAntiSpyware. Nothing found. Also a scan with Hitmanpro 3.5: nothing found. A full registry scan with SuperAS: nothing found.
A renewed scan with MBAM found it again. I put it back into quarantine.

My questions now are:
Is it a false positive?
If not, can i just delete it from quarantine and that's it? Or do i have to look at the registy entries and change/check something there too?
I also did (quick) scans with those AV programs in safe mode while the infection was in quarantine but nothing found in addition.
I am at a loss that MBAM found something that no less than 3 other AV programs did not find.
Thanks.

ignatzatsonic · 20 Sep 2011

You could upload the file in question to virustotal.com and see what results you get there. It will analyze the file with a bunch of different scanners.

You also might want to take a gander at Malwarebytes forums to see if there are any posts about it, particularly re false positive.

Phone Man · 20 Sep 2011

It may be just alerting you to the setting being set to "1".

DisallowCpl

Jim

FranzB · 20 Sep 2011

Thanks to both of you. I did have a look at the link given (not that i understand it).
It may be something for the Malwarebyte's forum, rather than for this forum.

It may also be connected with CCleaner. I usually fix the registry problems there but once i stored a backup in my documents before fixing and left it there.
It may be wiser not to fix the registry problems found with CCleaner but up to now it has never caused any problems.
Meanwhile i decided to delete the infection from quarantine and get rid of that backup in my documents. Some icons in the start menue are now gone. No problem though.
Point remains why that setting was changed to 1 and how and by whom.
Greetings.

Phone Man · 20 Sep 2011

You could edit the registry and change it to "0" which is the default and see if it gets changed again.

Jim

DBone · 20 Sep 2011

MBAM once found a false positive on my machine regarding a registry key. I had customized the start menu and chose to hide the "help and support" link in the start menu, and MBAM flagged it as PUM (potentially unwanted modification).

FranzB · 21 Sep 2011

I tried taking a restore point but the icons in the start menu did not return.
I'll try your suggestions above but i can live with no icons.
Everything else seems ok.
I probably posted all this too fast but you are always afraid something is really wrong.
I should swallow my own medicine and surf with Linux exclusively and also transfer my mailbox to Linux. All this looking over your shoulder constantly when online is getting on my nerves, trying to outwit tens of thousands of virus writers.
Thanks all for your replies.