Posts: 1,931
MWB vs System Mechanic
TonyKlein replied to Saucer's topic in Malwarebytes for Windows Support Forum
That should be the one -
MWB vs System Mechanic
TonyKlein replied to Saucer's topic in Malwarebytes for Windows Support Forum
If you have Premium, there's an option in the quarantine settings that tells Malwarebytes not to immediately quarantine malware once it is detected. That should solve that problem -
MWB vs System Mechanic
TonyKlein replied to Saucer's topic in Malwarebytes for Windows Support Forum
You're absolutely right. But simply do it when scan results are ready: uncheck the related registry keys and values, then
From the documentation:
You can of course also tell MBAM to ignore PUPs altogether, although it's not recommended -
MWB vs System Mechanic
TonyKlein replied to Saucer's topic in Malwarebytes for Windows Support Forum
Nothing of the sort; please read Registry Cleaners: Digital Snake Oil These are categorized as "potentially unwanted", and not as malware. If you'd still like to continue using them, please do, at your own discretion and potentially peril. All you need to do then, is simply exclude the files or folder in question from scanning. All there is to it. -
Malwarebytes Acquires Junkware Removal Tool
TonyKlein replied to RubbeR DuckY's topic in Malwarebytes News
Congrats, MBAM team and WTG, Filipos! -
you know something about CLSIDs?
TonyKlein replied to 3aken's topic in Malwarebytes for Windows Support Forum
Other than changing their 'target' or deleting them, not really. If you change the CLSID itself, it in effect becomes a new CLSID/GUID, which equals adding a brand new one. Of course, aside from CLSIDs, malware can and does add, add to, and change many other Registry keys, values and data. For example, have a look at Pieter's excellent Malware Removal Guides as well as at the Collection of Autostart Locations topic in my signature -
you know something about CLSIDs?
TonyKlein replied to 3aken's topic in Malwarebytes for Windows Support Forum
np, glad to have helped. Have fun (but be careful!) -
you know something about CLSIDs?
TonyKlein replied to 3aken's topic in Malwarebytes for Windows Support Forum
Simply by having the InProcServer subkey for the existing CLSID point to an executable file of the malware itself. Let's take as an example the way a legitimate browser helper object is registered; here's the principle of how that goes:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
@="RoboForm BHO"

[HKEY_CLASSES_ROOT\CLSID\{724d43a9-0d85-11d4-9908-00400523e39a}]
@="RoboForm Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{724d43a9-0d85-11d4-9908-00400523e39a}\InprocServer32]
@="C:\\Program Files\\Siber Systems\\AI RoboForm\\roboform.dll"

This ensures that roboform.dll is loaded every time an instance of Internet Explorer is launched. You can replace the path of roboform.dll by the path of a malware dll, and that dll will then be loaded instead. -
you know something about CLSIDs?
TonyKlein replied to 3aken's topic in Malwarebytes for Windows Support Forum
Hi Jenn,

A CLSID, according to Microsoft, is a "globally unique identifier that identifies a COM class object", if you wish a "social security number" for a Windows or third-party software application or component thereof, a particular system folder, etcetera.

If you're asking whether malware can change/use/affect a CLSID, the answer is yes: malware, just like legitimate software, can modify the registry, i.e. adding, deleting or modifying components, and of course that includes CLSIDs.

To give one example, you'll be familiar with the "Open With" context menu entry you get when right-clicking a file. In the Registry it looks as follows:

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

The {09799AFB-AD67-11d1-ABCD-00C04FC30936} Class ID refers to a subkey of the same name in HKEY_CLASSES_ROOT\CLSID, whose InProcServer subkey holds the path to the context handler's dll, in this case Shell32.dll.

Now this method can also be used by malware, for example:

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmmxn]
@="{f1445181-385e-4b9f-ba55-4fec86b25d01}"

The InProcServer subkey to HKEY_CLASSES_ROOT\CLSID\{f1445181-385e-4b9f-ba55-4fec86b25d01} will then show the path to a 'rogue' dll that's loaded into memory. So malware, just like regular software, can certainly add new CLSIDs where it wants or modify the 'target' of existing ones. -
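As an added example (my own code, not from TonyKlein's replies or from Malwarebytes): the two replies above show a BHO registration and a context-menu handler registration as .reg text, and explain that both resolve through HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32 to whatever DLL sits there. The script below parses a .reg export in that format, resolves every Browser Helper Object and ContextMenuHandlers entry to its DLL, and flags DLLs that are missing or that live outside the Windows and Program Files roots, which is the check a reviewer of a HijackThis-style log would make by hand. The sample export is constructed: the RoboForm BHO, the Open With handler and the gxmmxn CLSID are the values quoted in the posts, but the DLL path behind gxmmxn is a placeholder, and the trust-root heuristic is an assumption of mine rather than anything the posts state.

```python
"""Resolve BHO and context-menu handler registrations in a .reg export to DLLs."""
import re
from typing import Dict, List, Tuple

# Constructed sample export. RoboForm BHO, Open With and the gxmmxn CLSID are
# the values quoted in the forum posts; the gxmmxn DLL path is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
@="RoboForm BHO"

[HKEY_CLASSES_ROOT\CLSID\{724d43a9-0d85-11d4-9908-00400523e39a}]
@="RoboForm Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{724d43a9-0d85-11d4-9908-00400523e39a}\InprocServer32]
@="C:\\Program Files\\Siber Systems\\AI RoboForm\\roboform.dll"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\CLSID\{09799AFB-AD67-11d1-ABCD-00C04FC30936}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmmxn]
@="{f1445181-385e-4b9f-ba55-4fec86b25d01}"

[HKEY_CLASSES_ROOT\CLSID\{f1445181-385e-4b9f-ba55-4fec86b25d01}\InprocServer32]
@="C:\\Users\\Public\\PLACEHOLDER_rogue.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Assumed trust roots (heuristic): a DLL under Program Files is not proof of legitimacy.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def unescape(value: str) -> str:
    """Undo .reg string escaping: a backslash quotes the following character."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg(text: str) -> Dict[str, Tuple[str, str]]:
    """Map lower-cased key path -> (key as written, default value '@' or '')."""
    keys: Dict[str, Tuple[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, (m.group(1), ""))
            continue
        m = DEFAULT_RE.match(line)
        if m and current is not None:
            keys[current] = (keys[current][0], unescape(m.group(1)))
    return keys


def inproc_server(keys: Dict[str, Tuple[str, str]], clsid: str) -> str:
    """DLL path from HKCR/CLSID/{clsid}/InprocServer32, or '' if absent from the export.
    A full audit would also read HKLM and HKCU Software/Classes and the Wow6432Node
    views, which a live system merges into HKCR."""
    entry = keys.get(f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32")
    return entry[1] if entry else ""


def find_registrations(keys: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (kind, name, clsid, dll) for every BHO and context-menu handler."""
    found = []
    for lower, (original, default) in keys.items():
        parts = lower.split("\\")
        if len(parts) < 2:
            continue
        name = original.split("\\")[-1]
        if parts[-2] == "browser helper objects" and CLSID_RE.match(parts[-1]):
            # BHO: the CLSID is the key name; the default value is only a label.
            found.append(("BHO", default or name, parts[-1], inproc_server(keys, parts[-1])))
        elif parts[-2] == "contextmenuhandlers" and CLSID_RE.match(default):
            # Context-menu handler: the key is a label; the default value is the CLSID.
            found.append(("ContextMenuHandler", name, default, inproc_server(keys, default)))
    return sorted(found)


def is_suspicious(dll: str) -> bool:
    """True when the CLSID cannot be resolved or the DLL sits outside the trust roots."""
    return not dll.lower().startswith(TRUSTED_PREFIXES)


def audit(text: str) -> List[dict]:
    """Parse an export and return one record per registration, with a review flag."""
    return [
        {"kind": k, "name": n, "clsid": c, "dll": d, "suspicious": is_suspicious(d)}
        for k, n, c, d in find_registrations(parse_reg(text))
    ]


if __name__ == "__main__":
    for row in audit(SAMPLE_REG):
        flag = "CHECK" if row["suspicious"] else "ok   "
        print(f"{flag} {row['kind']:<19} {row['name']:<14} {row['clsid']} -> "
              f"{row['dll'] or '<no InprocServer32>'}")
```

To run it against a real machine, export the relevant hives with `reg export` and pass the file contents to `audit()`; on the constructed sample only the gxmmxn handler is flagged, because its DLL resolves to a user-writable location rather than a Windows or Program Files path.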
Additionally, after a hard reset, it's never a bad idea to have Windows check your disk for errors:
Check your hard disk for errors in Windows 7
How to perform disk error checking in Windows XP
How to Run Disk Error Checking in Windows 8
Not Showing in Startup
TonyKlein replied to fishnchips48's topic in Malwarebytes for Windows Support Forum
You're very welcome; glad we were able to clear this up for you -
Not Showing in Startup
TonyKlein replied to fishnchips48's topic in Malwarebytes for Windows Support Forum
FYI, the new version no longer relies on the Registry's 'Run' keys to start a component, but instead it now uses services, which is why you won't find it in Msconfig/Startup, even if correctly installed. -
Adware.Keenval detected in Malwarebytes file
TonyKlein replied to Alceste's topic in Malwarebytes for Windows Support Forum
Not only that, but that particular adware hasn't been seen 'in the wild' for six or more years, so, combined with the fact that according to yourself Norton removed the detection shortly afterwards, you can be sure it was a FP... -
Here are four sites that will help you decide what's what:
http://www.systemlookup.com/lists.php?list=2
http://www.pacs-portal.co.uk/startup_search.php
http://www.bleepingcomputer.com/startups/
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
Should you have any further questions, don't hesitate to ask.