loop in Malwarebytes caused by "STARTUP-" folder

Questions and comments regarding Soft Organizer
heikwith
Posts: 4
Joined: Thu Dec 27, 2018 10:43 am

loop in Malwarebytes caused by "STARTUP-" folder

Post by heikwith » Thu Dec 27, 2018 12:26 pm

We have here a big problem.
Every time when I start Soft Organizer a STARTUP- folder (with a dash!!) is created in our system.
We do not understand why this happens or is needed.
But the problem is that with this folder, we get a LOOP when scanning are computer with Malwarebytes.
After deleting this "STARTUP-" folder the LOOP is gone.
But after the next restart of Soft Organizer the STARTUP- folder causes the loop again.
By the way to test this at yours, you need to set ON in Malwarebytes the Rootkit scan.
I already mailed with Malwarebytes and they told me the DASH in your "STARTUP-" folder is the culprit of the loop.

User avatar
Chemtable Software
Developers Team
Posts: 344
Joined: Thu Aug 07, 2008 12:59 pm

Re: loop in Malwarebytes caused by "STARTUP-" folder

Post by Chemtable Software » Fri Dec 28, 2018 4:32 am

Hello,

Probably the startup folder configuration is corrupted in your system (the name of that folder stored in the registry is set to "Startup-" instead of "Startup"). And no matter what application creates the startup entry: The Startup folder with the incorrect name will be created.

Try to open the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
and find the value named "Common Startup" there. Does it contains the dash? If so, remove the dash from the path.
Also check the below keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

In the below keys the value name you should search for is "Startup":

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Backup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

heikwith
Posts: 4
Joined: Thu Dec 27, 2018 10:43 am

Re: loop in Malwarebytes caused by "STARTUP-" folder

Post by heikwith » Fri Dec 28, 2018 2:56 pm

Hello,
I found 5 times Startup- in with you specified above.
(see the 3 attachments)
Can I delete them all safely and how do I do that ?
As you can see there are not only dashes in a path !!
Probably you can create a reg file for me.
I have no experience in register editing.
By the way this is a Dutch Windows 10.
Thanks in advance.
Dh
Attachments
STARTUP- in regedit3.jpg
STARTUP- in regedit3.jpg (121.36 KiB) Viewed 62662 times
STARTUP- in regedit2.jpg
STARTUP- in regedit2.jpg (139.54 KiB) Viewed 62662 times
STARTUP- in regedit.jpg
STARTUP- in regedit.jpg (176.75 KiB) Viewed 62662 times

User avatar
Chemtable Software
Developers Team
Posts: 344
Joined: Thu Aug 07, 2008 12:59 pm

Re: loop in Malwarebytes caused by "STARTUP-" folder

Post by Chemtable Software » Fri Dec 28, 2018 7:22 pm

No, you don't need to delete. Double click on the value name of the values ending with "\Startup-" and in the appeared window correct the path (remove the dash). Then press OK. Do this for the each of the incorrect values.

heikwith
Posts: 4
Joined: Thu Dec 27, 2018 10:43 am

Re: loop in Malwarebytes caused by "STARTUP-" folder

Post by heikwith » Fri Dec 28, 2018 8:54 pm

Yes, I understand that for the dashes in the path (3 times)
But there also 2 times a startup- in the name ("naam" in Dutch) column.
What must be done (and how) with that ?

User avatar
Chemtable Software
Developers Team
Posts: 344
Joined: Thu Aug 07, 2008 12:59 pm

Re: loop in Malwarebytes caused by "STARTUP-" folder

Post by Chemtable Software » Thu Jan 03, 2019 12:47 pm

Hello,

Sorry for the delay. The values names with the dash are not used by the system. You should remove the dash from the values names too or remove such values if there is already a value with the same name except the dash.

heikwith
Posts: 4
Joined: Thu Dec 27, 2018 10:43 am

Re: loop in Malwarebytes caused by "STARTUP-" folder

Post by heikwith » Wed Jan 09, 2019 4:00 pm

I got this reaction from the ticket owner of Malwarebytes:
--------------------------------------
The QA guys said that the "Soft Organizer appears to be responsible (it also messed up my machine quite badly - probably by patching explorer)"
Upon initially running the program, it renamed the "Startup" folder to "Start-up" and created a second folder (identically named) in the same location.
I cannot reproduce the MB3 scan hang/loop. However, based on my experience with Soft Organizer, it is certainly the cause of the issue here. The program has likely modified the machine in an unexpected/unrealistic manner. The user should return to the vendor of Soft Organizer and emphasize that their program is resulting in undesirable changes to the machine (and is the cause of the "Startup-" folder).
---------------------------------------

I asked them to prove this accusation.
I do not know who are that "QA guys" at Malwarebytes.

But can there have been a "bug" or "feature" (in the past) in Soft Organizer ot other ChemTable program, so that this can be true somehow ?
Be honest!
If no, do you know which other program can have put the "Startup-" entries in my registry in the past ?
By the way, there is not only a bug in Malwarebytes, but also in the quoted reaction above, because "Start-up" should be "Startup-" I think.

I put my Loop problem also in de "Latest Malwarebytes updates"forum of Tenforums:
https://www.tenforums.com/antivirus-fir ... ost1551476
Dh

User avatar
Chemtable Software
Developers Team
Posts: 344
Joined: Thu Aug 07, 2008 12:59 pm

Re: loop in Malwarebytes caused by "STARTUP-" folder

Post by Chemtable Software » Thu Jan 10, 2019 9:30 am

Hello,

If the startup folder path registered in your system is corrupted as was in your case then any program that creates the startup entry (for example, Soft Organizer) will cause this incorrectly named folder to be created.

Soft Organizer like any other program, which needs to create the startup item, just receives the startup folder path from the system using the SHGetSpecialFolderPathW WinAPI function and then if this folder not exists, creates it.

So you need to fix the source of the problem - the incorrect startup folder path registered in the system.

The change of the startup path in the system could be caused by a malware or incorrect behavior of the unknown program.

PS. From our experience, MWB is a software that likes to mark as viruses the applications that has nothing with the viruses and in order to show the activity with confirming this as false-positive afterwards. I afraid, their product in other parts, such as a scanning engine, has the same quality.

Post Reply