"GOOD" MALware in MBAM??

Discussion in 'Malware Help (A Specialist Will Reply)' started by grc123, Aug 26, 2010.

  1. grc123

    grc123 MajorGeek

    MBAM marked this as "Good" ? (Please see attached)...

    When someone has a moment, would it be possible to explain this for me, please?

    Thanks in advance,
    g...
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • This is a common hijack point for a common infection.
    • There is no way for MBAM to determine if the user has done this or malware is at fault
    • Please have MBAM ignore these to prevent them from showing up in your scans again.

    If you wish to check further for any possible malware on your system then complete the rest of the scans and attach the requested logs. :)
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Read your log again! It did not mark them as "Good"! It said it quarantined and deleted them. However, these are typically not problems, as most people change these settings from defaults and MBAM is marking any change from default to be bad.
     
  4. grc123

    grc123 MajorGeek

    Thank you ma'am.

    Am I to assume then that it's "possible" that something was left on my hard drive after I "wiped" it?

    Otherwise I'm not understanding how something could have entered this machine in such a short period of time, and with such carefulness on my part ... of the three days that had passed since the reinstall, 95% of my time was spent downloading security progs from here (MG's) ... and heck, it took MS two days to reapply all of their updates.

    Though I did visit some other sites in that time, they were "ALL" well known, reputable sites (virtually all of them security software vendors), and again, I have not opened any strange email nor clicked-on any links within email.

    Either Chaslang knows something that he didn't share with me in his response, or I'm "seeing" things in my log ... while he is correct in that MBAM "quarantined and deleted them", this too, is clearly written into the log (copy/paste):

    "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1)

    ??

    Thanks again...
     
    Last edited: Aug 26, 2010
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You had a registry value that was set to 0 when the default value is normally 1. Thus MBAM was telling you 0 = bad and 1 = Good. And that is what it changed it to when it said Quarantined and Deleted. If the value had already been set to one, you would not have seen anything in the MBAM report.

    The fact remains that many of these types of registry key detections by MBAM are not necessarily valid malware detections. If you change a setting to how you want it to be and it is not the normal Microsoft default value, MBAM will tell you that it is bad when it may just be what you want it to be set to. MBAM cannot tell the difference between something you knowingly changed and something changed by malware. Thus MBAM attempts to just set things to defaults, which is not necessarily a good thing since it could be changing values that a person decided to make on their own. Kestrel13! mentioned this to you.

    These kinds of detections are similar to the issues that Spybot caused years ago when it started reporting changes to Windows Security Center defaults and everyone kept assuming they were problems/malware when in 99% of cases they were settings that the end user chose to do or that their security software made automatically.
     
    Last edited: Aug 26, 2010
  6. grc123

    grc123 MajorGeek

    Thank you for the breakdown, though I often don't fully understand this stuff, I always appreciate the opportunity to.

    So, would this line (*below), which was listed just above the first one that we have addressed (in the same log), mean just the opposite for this particular value, please?


    Registry Data Items Infected:
    * HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it means 1 is not the default value expected.

    Let me give you an example that you may find interesting/helpful. You will need Spybot installed to try this example.

    • Run Spybot
    • Click Mode and select Advanced Mode
    • On the left side select the Tools menu and click + to expand it.
    • Click on IE Tweaks and lock the IE start page. Double click the below snapshot to see what this looks like.
    (Attachment: sbot1.jpg)

    • Now do not exit Spybot ( so that you will be able to quickly undo this later ).
    • Now run MBAM and do a quick scan and save a log without fixing. Notice you will see the below lines
    • A 1 in this value of the registry key means the Homepage is locked but being locked is not the default.
    • Obviously this is a setting that you just made. It could have also been a setting made by other protection software options you chose. It is not malware, nor is it bad in this case because you chose it to be this way. MBAM is defaulting to deciding that this is always bad, which is not really a good idea. It would have been a better option to show it as a Warning/Advisory with a suggestion to only fix if you did not set it this way.
    • Now undo what you did with Spybot
    Get the idea? ;)
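As an added illustration of what chaslang describes in posts 5 and 7 (this script is not part of the thread and is not MBAM's or Spybot's code), the following Windows PowerShell reads the two registry values from the log and reports whether each matches the default the thread states (Start_ShowSearch default 1; the Homepage policy value absent or 0, with 1 meaning the home page is locked). It is read-only: it changes nothing, and it only shows you the same comparison a scanner makes so you can decide whether a non-default value is one you or your security software set. The "default" numbers are taken from the posts above, not from Microsoft documentation, so treat them as assumptions.

```powershell
# Added example, not from the thread. Read-only check of the two values discussed above.
# Defaults are as stated by chaslang in this thread (assumption, not a Microsoft reference).

$checks = @(
    @{
        # Start menu "Search" entry; the thread says the default is 1 (shown)
        Path    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
        Name    = 'Start_ShowSearch'
        Default = 1
        Label   = 'Hijack.StartMenu'
    },
    @{
        # IE home page lock policy; 1 = locked, which the thread says is not the default
        Path    = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel'
        Name    = 'Homepage'
        Default = 0
        Label   = 'Hijack.Homepage'
    }
)

# Returns the value, or $null if the key or the value does not exist.
function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($c in $checks) {
    $current = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
    $shown = if ($null -eq $current) { '(absent, default applies)' } else { $current }

    if ($null -eq $current -or [int]$current -eq $c.Default) {
        $verdict = 'matches default; a scan like MBAM would report nothing here'
    } else {
        # Non-default: could be your own choice (Spybot, SpywareBlaster, policy) or a hijack.
        $verdict = "differs from default $($c.Default); MBAM would list it as $($c.Label). " +
                   'Confirm whether you or your security software set it before resetting it.'
    }

    '{0}\{1} = {2} -> {3}' -f $c.Path, $c.Name, $shown, $verdict
}
```

Run it before and after locking the home page with Spybot as in the steps above and you will see the Homepage line flip from "matches default" to "differs from default 0", which is exactly the change MBAM reports as "Bad: (1) Good: (0)".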
     
  8. grc123

    grc123 MajorGeek

    Thank you again - I get it - and am now realizing, this is all probably due to me having set it that way in SpywareBlaster ... (correct?)

    This way (attached):

    PS ~ and I just happened to have downloaded/installed Spybot last night based-on your recommendation in "How to Protect Yourself...", here at MG's.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes!
     
