Posts posted by TonyKlein
-
If you have Premium, there's an option in the Quarantine settings that tells Malwarebytes not to immediately quarantine malware once it is detected. That should solve that problem.
-
2 hours ago, safespace-superhero said:
You're absolutely right. But simply do it when scan results are ready:
Uncheck related registry keys and values, then
From the documentation:
If any threats are not selected to be moved to Quarantine, you will be prompted to Ignore Once, Ignore Always, or Cancel. Ignore Once will result in the threat once again being reported as a threat during the next scan execution. Ignore Always causes the threat to be added to Exclusions. A threat which has been added to Exclusions will no longer be reported as a threat unless there is reason to believe that it has been tampered with.
You can of course also tell MBAM to ignore PUPs altogether, although it's not recommended.
-
This seems to be an attack on competitors.
Nothing of the sort; please read Registry Cleaners: Digital Snake Oil
These are categorized as "potentially unwanted", and not as malware. If you'd still like to continue using them, please do, at your own discretion and potentially peril.
All you need to do then, is simply exclude the files or folder in question from scanning. All there is to it.
-
Congrats, MBAM team and WTG, Filipos!
-
Other than changing their 'target' or deleting them, not really. If you change the CLSID itself, it in effect becomes a new CLSID/GUID, which equals adding a brand new one.
Of course, aside from CLSIDs, malware can and does add, add to, and change many other Registry keys, values and data.
For example, have a look at Pieter's excellent Malware Removal Guides as well as at the Collection of Autostart Locations topic in my signature.
-
np, glad to have helped.
Have fun (but be careful!)
-
Which ways does malware have to use an existing CLSID for itself?
Simply by having the InProcServer subkey for the existing CLSID point to an executable file of the malware itself.
Let's take as an example the way a legitimate browser helper object is registered; here's the principle of how that goes:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
@="RoboForm BHO"

[HKEY_CLASSES_ROOT\CLSID\{724d43a9-0d85-11d4-9908-00400523e39a}]
@="RoboForm Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{724d43a9-0d85-11d4-9908-00400523e39a}\InprocServer32]
@="C:\\Program Files\\Siber Systems\\AI RoboForm\\roboform.dll"
This ensures that roboform.dll is loaded every time an instance of Internet Explorer is launched.
You can replace the path of roboform.dll by the path of a malware dll, and that dll will then be loaded instead.
-
Hi Jenn,
A CLSID, according to Microsoft, is a "globally unique identifier that identifies a COM class object", if you like a "social security number" for a Windows or third party software application or component thereof, a particular system folder, etcetera.
CLSIDs are used by Windows to identify software components without having to know their "name". They can also be used by software applications to identify a computer, file or other item.
If you're asking whether malware can change/use/affect a CLSID, the answer is yes: malware, just like legitimate software, can modify the Registry, i.e. adding, deleting or modifying components, and of course that includes CLSIDs.
To give one example, you'll be familiar with the "Open With" context menu entry you get when right-clicking a file. In the Registry it looks as follows:
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
The {09799AFB-AD67-11d1-ABCD-00C04FC30936} Class ID refers to a subkey of the same name in HKEY_CLASSES_ROOT\CLSID, whose InProcServer subkey holds the path to the context handler's dll, in this case Shell32.dll.
Now this method can also be used by malware, for example:
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmmxn]
@="{f1445181-385e-4b9f-ba55-4fec86b25d01}"
The InProcServer subkey to HKEY_CLASSES_ROOT\CLSID\{f1445181-385e-4b9f-ba55-4fec86b25d01} will then show the path to a 'rogue' dll that's loaded into memory.
So malware, just like regular software, can certainly add new CLSIDs where it wants or modify the 'target' of existing ones.
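The two posts above describe the same mechanism from both ends: a shell extension or BHO registration names a CLSID, and HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32 names the DLL that CLSID actually loads, so a hijack only has to change that one path. The script below is an added example (not TonyKlein's code or a Malwarebytes tool): it parses a .reg export, resolves each ContextMenuHandlers and Browser Helper Objects entry to its InprocServer32 DLL, and flags entries whose DLL sits outside the Windows or Program Files trees or whose key name looks random. The sample export is constructed for the example; it reuses the Open With, RoboForm and {f1445181-...} identifiers quoted in the posts, while the rogue DLL path C:\Users\Public\gxmmxn.dll and the "trusted directory" and "consonant-only name" heuristics are assumptions of mine, not something the posts state.

```python
"""Resolve shell-extension and BHO registrations in a .reg export to the DLL
each CLSID loads, and flag the ones that point somewhere a hijack would.
Added example; the sample export and the heuristics are constructed/assumed."""
import re

# Constructed .reg export: a legitimate context-menu handler (Shell32), a
# legitimate BHO, and a handler whose CLSID points at a DLL in a user-writable
# directory. The C:\Users\Public path is an assumption made for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmmxn]
@="{f1445181-385e-4b9f-ba55-4fec86b25d01}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
@="RoboForm BHO"

[HKEY_CLASSES_ROOT\CLSID\{09799AFB-AD67-11d1-ABCD-00C04FC30936}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{724d43a9-0d85-11d4-9908-00400523e39a}\InprocServer32]
@="C:\\Program Files\\Siber Systems\\AI RoboForm\\roboform.dll"

[HKEY_CLASSES_ROOT\CLSID\{f1445181-385e-4b9f-ba55-4fec86b25d01}\InprocServer32]
@="C:\\Users\\Public\\gxmmxn.dll"
'''

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Registration points discussed in the posts; each subkey names (or holds) a CLSID.
HANDLER_ROOTS = (
    "HKEY_CLASSES_ROOT\\*\\shellex\\ContextMenuHandlers",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",
)
# Assumed "trusted" DLL locations; anything else deserves a closer look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    Only string (REG_SZ) values are kept; that is all this plumbing uses."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else name.strip('"')      # "" is the (Default) value
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # .reg escapes backslashes and quotes inside string data
            keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys


def inproc_servers(keys):
    """Map each CLSID (lower-cased) to the DLL named by its InprocServer32 default value."""
    servers = {}
    for key, values in keys.items():
        parts = key.split("\\")
        if (len(parts) == 4 and parts[0].upper() == "HKEY_CLASSES_ROOT"
                and parts[1].upper() == "CLSID" and parts[3].lower() == "inprocserver32"):
            servers[parts[2].lower()] = values.get("")
    return servers


def resolve_handlers(keys):
    """For every handler/BHO registration, find its CLSID, the DLL behind it,
    and a list of reasons (empty when nothing looks off)."""
    servers = inproc_servers(keys)
    findings = []
    for key, values in keys.items():
        for root in HANDLER_ROOTS:
            if key.lower().startswith(root.lower() + "\\"):
                break
        else:
            continue
        name = key[len(root) + 1:]
        # BHO keys are named after their CLSID; context-menu handlers carry it in the default value.
        match = GUID_RE.search(name) or GUID_RE.search(values.get("", ""))
        clsid = match.group(0) if match else None
        dll = servers.get(clsid.lower()) if clsid else None
        reasons = []
        if clsid is None:
            reasons.append("no CLSID")
        elif dll is None:
            reasons.append("CLSID has no InprocServer32 in this export (dangling or registered elsewhere)")
        elif not dll.lower().startswith(TRUSTED_DIRS):
            reasons.append("DLL outside Windows/Program Files: " + dll)
        if re.fullmatch(r"[bcdfghjklmnpqrstvwxz]{5,}", name.lower()):
            reasons.append("random-looking handler name")
        findings.append({"handler": name, "clsid": clsid, "dll": dll, "reasons": reasons})
    return findings


def suspicious_handlers(text):
    """Names of the registrations that got at least one reason."""
    return [f["handler"] for f in resolve_handlers(parse_reg(text)) if f["reasons"]]


if __name__ == "__main__":
    for f in resolve_handlers(parse_reg(SAMPLE_REG)):
        print(f"{f['handler']:<42} {f['clsid']} -> {f['dll']}  {'; '.join(f['reasons'])}")
```

On a live machine the input would come from regedit's File > Export or from `reg export HKCR\CLSID clsid.reg` (plus exports of the two handler roots); the point of resolving through CLSID\{...}\InprocServer32 rather than reading the handler key alone is exactly the one the posts make: the registration can look perfectly normal while the DLL path behind it has been swapped.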
-
Additionally, after a hard reset, it's never a bad idea to have Windows check your disk for errors:
Check your hard disk for errors in Windows 7
How to perform disk error checking in Windows XP
How to Run Disk Error Checking in Windows 8 -
You're very welcome; glad we were able to clear this up for you
-
Do you know if it usually shows in Msconfig/Startup, as it's not showing in mine, or is there a way to get it to show in Startup?
FYI, the new version no longer relies on the Registry's 'Run' keys to start a component, but instead it now uses services, which is why you won't find it in Msconfig/Startup, even if correctly installed.
-
[edit]Whoops, Samuel already posted the link...[/edit]
-
It's not in the Macromedia registry key; if you look closely, you will see that it has its own proprietary registry key underneath the Macromedia key.
The Macromedia key has a 'plus' next to it, which, if you click it, will reveal its subkeys.
-
Not only that, but that particular adware hasn't been seen 'in the wild' for six or more years, so, combined with the fact that according to yourself Norton removed the detection shortly afterwards, you can be sure it was a FP...
-
Hi and welcome.
This has previously already been reported in the FP forum and was determined not to be a false detection:
-
Here are four sites that will help you decide what's what:
http://www.systemlookup.com/lists.php?list=2
http://www.pacs-portal.co.uk/startup_search.php
http://www.bleepingcomputer.com/startups/
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
Should you have any further questions, don't hesitate to ask.
-
It's just one of the many customizing options in Windows, nothing bad about it.
-
There is an AddLyrics adware variant that installs browser extensions by that name; which incidentally would appear to be confirmed by what you say MBAM quarantined.
Variants are detected by MBAM as Pup.Optional.ShowPassword, PUP.Optional.ViewPassword and so on.
BTW, if that's the culprit, it's just adware that will come bundled with various third party software or as part of an adware bundle, not a password stealer, so no worries there.
I suggest you create a post in the Malware Removal forum, so that one of the analysts can take a closer look. -
As for the cascading windows, right-click on the Taskbar and uncheck "Cascade Windows".
As for the file extensions, see How to show or hide file name extensions in Windows Explorer
Note that it is generally considered useful to be able to see file extensions, as that way you're in a better position to tell whether a file is an executable, an image file or something else
-
np, you're very welcome.
-
Hijackthis.nl is a trustworthy Dutch language security and malware removal site, 'CarlosTurco' doesn't have a "Trusted Advisor" title at Malwarebytes for no reason, and the tools he asked you to download are totally legit.
Do please go ahead and follow his advice!
-
Good to hear you were able to fix it.
Yes, finding exactly what you need with Google can be a fine art
The following tutorial should help:
-
I just noticed you already posted in the Malware Removal Forum. Certainly can't hurt to have an analyst take another look, if only to put your mind at rest.
Incidentally, it's only a leftover FF extension, nothing serious.
-
Because I don't experience anything weird, and since kevinf80 helped me and said my PC is clean I haven't downloaded anything since.
Well, in that case it's probably just a left-over from an already removed infection, and you shouldn't worry.
MWB vs System Mechanic
in Malwarebytes for Windows Support Forum
Posted
That should be the one