Malwarebytes

Is this a false positive in my registry


9 replies to this topic

#1
gugarci

    New Member

  • Members
  • 12 posts
Anti-Malware keeps finding this issue in my registry. The last couple of builds have also found this issue. Decided to play it safe and ask for help before I clean this up. Is this a threat or a false positive?
Below is my text from my log file.
Thanks.


Malwarebytes' Anti-Malware 1.41
Database version: 3081
Windows 5.1.2600 Service Pack 3

11/5/2009 10:39:18 AM
mbam-log-2009-11-05 (10-39-10).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 273557
Time elapsed: 1 hour(s), 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> No action taken. [40544237305383807566791534727079851301922221266722686624142166252314181869241466216971141717172524211825176767209413014739]

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#2
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

This is no false positive. This key is most probably locked.

Scan and post logs - read note at bottom in green
If you're having Malware related issues with your computer that you're unable to resolve.
  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.
  • NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

Mieke Verburgh
Assistant Director of Research


#3
gugarci

    New Member

  • Members
  • 12 posts

miekiemoes, on Nov 5 2009, 11:27 AM, said:

Hi,

This is no false positive. This key is most probably locked.

Scan and post logs - read note at bottom in green
If you're having Malware related issues with your computer that you're unable to resolve.
  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.
  • NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

I'm not having any issues at all on my PC, otherwise I would have looked into this issue sooner. I'm going to run another scan and see if I can remove it. If not, I'll follow the other steps.
Thanks.

#4
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

If the key is locked, then malwarebytes won't be able to remove it for now.
That's why it's better to start a new thread about this with a HijackThis log in the Malware removal forums here, to make sure your PC is clean and no malware is locking it.
Then someone will help you asap with it. :)
Mieke Verburgh
Assistant Director of Research


#5
gugarci

    New Member

  • Members
  • 12 posts

miekiemoes, on Nov 5 2009, 11:52 AM, said:

Hi,

If the key is locked, then malwarebytes won't be able to remove it for now.
That's why it's better to start a new thread about this with a HijackThis log in the Malware removal forums here, to make sure your PC is clean and no malware is locking it.
Then someone will help you asap with it. :)

Thanks.

#6
nosirrah

    Forum Deity

  • Administrators
  • 5,158 posts
  • Location:Northampton, MA USA
An additional FYI:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\

This is a location I chose to include as it is often overlooked and, even if malware had been cleaned up, is a good indicator as to what malware you had in the past. Frequently, when this turns up in a scan but there is not a matching CLSID, the malware is truly already dead.
Bruce Harrison
Vice President of Research


#7
gugarci

    New Member

  • Members
  • 12 posts
I was able to remove it with Malwarebytes with no issues. I restarted my PC and rescanned it, and it's still clean.
Thanks.

#8
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Good to hear :)
I actually misunderstood your first post. I thought that malwarebytes couldn't delete it since you said it keeps finding it again.
As long as you don't select to remove what malwarebytes finds, then it will indeed keep finding the same :)
Mieke Verburgh
Assistant Director of Research


#9
gugarci

    New Member

  • Members
  • 12 posts
That's OK. When it comes to malware I like to be sure that what I'm deleting is not a false positive. And since my PC has been working well, knocking on wood, I figured it was a false positive or something very minor.

That's why I decided to finally register here, and to post my question before acting.
Thanks.

#10
Trevro

    New Member

  • Members
  • 1 posts
I came across this issue today, and after doing some research I've found that the key must come from MS Money 2004. Anti-Malware found this same registry key (549b5ca7-4a86-11d7-a4df-000874180bb3), and I found (through a fair amount of digging) a couple of references on the internet describing how other users came to find that it was from MS Money 2004. I have MS Money 2004 installed, so it made sense that this could be the case. To confirm, I went to another computer that did not have MS Money 2004 installed, and did the following steps:

1) Disconnected it from the network.
2) Ran HijackThis and confirmed the key did not exist on this system.
3) Installed MS Money 2004.
4) Ran HijackThis and confirmed that the key did now in fact exist.
5) Uninstalled MS Money 2004.
6) Ran HijackThis yet again and confirmed that the key was removed.

Since it took a few hours to sort all this out, I'm hoping to spread the word. Also, does this mean that it is a false positive? Or is MS installing malware on our machines through MS Money?


Thanks, and hope this helps!
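The two technical points in this thread are nosirrah's (post #6): an Ext\Stats entry with no matching CLSID is a leftover usage record of a component that is already gone; and Trevro's (post #10): resolving the CLSID shows which product the entry belongs to, which he did by installing and uninstalling MS Money 2004 and comparing HijackThis output. The script below is an added example, not code from any poster or from Malwarebytes; it does the same correlation on the current user's hive in one read-only pass. It assumes a Windows host with PowerShell 5 or later and a user who can read the registry; the function name Get-ExtStatsReport and the output columns are my own choices. It resolves each CLSID through both the per-machine (HKEY_CLASSES_ROOT) and per-user (HKCU\Software\Classes) views, then checks whether the InprocServer32 module still exists on disk. It deletes nothing.

```powershell
# Added example (not from the thread or from Malwarebytes): enumerate every
# CLSID recorded under Ext\Stats, the key Anti-Malware flagged above, and try
# to resolve it, so a stale statistics entry (no matching CLSID) can be told
# apart from a component that is still registered and still on disk.
$ExtStatsPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats'

function Get-ExtStatsReport {
    param([string]$Path = $ExtStatsPath)

    if (-not (Test-Path -LiteralPath $Path)) { return }

    Get-ChildItem -LiteralPath $Path | ForEach-Object {
        $clsid = $_.PSChildName

        # A COM class may be registered per-machine (HKCR merges HKLM\Software\Classes)
        # or per-user only; check both views and keep the first hit.
        $candidates = @(
            "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
            "HKCU:\SOFTWARE\Classes\CLSID\$clsid"
        )
        $classKey = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1

        $name = $null; $module = $null; $moduleExists = $false
        if ($classKey) {
            $name   = (Get-ItemProperty -LiteralPath $classKey -ErrorAction SilentlyContinue).'(default)'
            $module = (Get-ItemProperty -LiteralPath "$classKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($module) {
                # Module paths may be quoted or use %SystemRoot%-style variables.
                $expanded     = [Environment]::ExpandEnvironmentVariables($module.Trim('"'))
                $moduleExists = Test-Path -LiteralPath $expanded -PathType Leaf
            }
        }

        [pscustomobject]@{
            CLSID        = $clsid
            Registered   = [bool]$classKey   # False: no matching CLSID anywhere
            Name         = $name
            Module       = $module
            ModuleExists = $moduleExists
        }
    }
}

# Whole table first, then just the entry from the log at the top of the thread.
Get-ExtStatsReport | Format-Table -AutoSize
Get-ExtStatsReport | Where-Object { $_.CLSID -eq '{549b5ca7-4a86-11d7-a4df-000874180bb3}' }
```

Reading the output: Registered = False is the case nosirrah describes, a statistics record for a class that no longer exists, so there is nothing left to run. Registered = True with a Name and Module tells you which product owns the entry, which is the answer Trevro reached by hand; Registered = True with ModuleExists = False means the registration outlived its DLL. Run it before and after installing or removing a product to reproduce his six-step check without a second machine.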