
Sorry- should have realised what you were asking for:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

"DllName"=""

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"OldName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001


  • Root Admin

Found the problem, and it will be fixed in 0.75, probably tomorrow or Monday. Here is the problem:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

"DllName"=""

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"OldName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"

MBAM was failing when that entry was empty. If you want to 'temporarily' resolve the issue, change the value to "1" or something along those lines and then don't forget to change it back. I simply made MBAM check if the parameter was empty.

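The empty-DllName case described above, as an added example that is not MBAM's code and not part of the original posts: a small parser for a regedit export that lists each Winlogon\Notify subkey with its DLL and reports an empty or missing DllName instead of failing on it. The function names are this example's own; the sample is three subkeys copied from the export earlier in the thread.

```python
import re

MARKER = "\\Winlogon\\Notify\\"
# Sample input: three Notify subkeys copied from the export in the thread.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
"DllName"=""
"Logon"="SABWINLOLogon"
"OldName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
'''

def decode(raw):
    """Turn one .reg value literal into a Python value."""
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
    return raw

def parse_reg(text):
    """Parse a regedit v5 export into {key_path: {lowercased_name: value}}."""
    text = re.sub(r"\\[ \t]*\n\s*", "", text)  # rejoin hex continuation lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            current[m.group(1).lower()] = decode(m.group(2))
    return keys

def audit_notify(text):
    """Map each Notify subkey to its DLL, or None if DllName is empty/missing."""
    report = {}
    for path, values in parse_reg(text).items():
        if MARKER in path:
            report[path.split(MARKER, 1)[1]] = values.get("dllname") or None
    return report

if __name__ == "__main__":
    for name, dll in audit_notify(SAMPLE).items():
        print(f"{name:14} {dll or 'EMPTY/MISSING DllName - review'}")
```

Value names are compared in lower case because the export mixes "DllName" and "DLLName".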

All is well, no problems to report. B)

Malwarebytes' Anti-Malware Version 0.74

Database version: 211

Scan type: Quick Scan

Objects scanned: 19177

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0


Hmm - didn't realize this - uninstalling the 0.74 Alpha needs a reboot - be back in a few folks.

Core2Duo machine - No problems upgrading, db version updated to 211, no looping, and scan completed in 2:31, no FPs.

However, on the Core2Duo machine, 0.74 is not bringing up the log - it is set to do so, but in fact it is not doing so. I think this may have to do with permissions on a Vista machine - unless MBAM has permission to write to Program Files (or at least its own installation folder) it may have some difficulties.

On the P4 Machine, 0.74 is not bringing up the log either. Otherwise, no problems, no FPs and no other problems.

I talked with Marcin via MSN - logs now go to AppData\Malwarebytes\Logs, and for Vista Users this is C:\Users\{username}\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Only problem is that neither of my machines (Vista Home Premium and Vista Ultimate) is producing logs with the latest version.

OK, the no log thing is my stupidity.

Malwarebytes' Anti-Malware Version 0.74
Database version: 211
Scan type: Quick Scan
Objects scanned: 13910

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)

DuckY,

Got a lot of these types of errors since last night (from the monitor):

SYMANTEC TAMPER PROTECTION ALERT
Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
Event Info:  Suspend Thread
Action Taken:  Blocked
Actor Process:  C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (PID 5668)
Time:  Sunday, November 25, 2007  11:47:29 AM

SYMANTEC TAMPER PROTECTION ALERT
Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
Event Info:  Resume Thread
Action Taken:  Blocked
Actor Process:  C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (PID 5668)
Time:  Sunday, November 25, 2007  11:47:29 AM

I'm running NIS 2008 and I don't have any alerts.

I'm getting these results now.

Not real sure why I didn't get this before.

I show logs in hidden folder.

Malwarebytes' Anti-Malware Version 0.74

Database version: 211

Scan type: Quick Scan

Objects scanned: 13502

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:csrss.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:lsass.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:services.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:smss.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:winlogon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

C:svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.


Just checked - no FPs here

Malwarebytes' Anti-Malware Version 0.75
Database version: 211
Scan type: Quick Scan
Objects scanned: 14212

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)

Hi everyone,

Uninstalled old version

Installed 0.74 beta

Updated to defs 211

Quick Scan Ok nothing found Objects scanned 17,624 in 4 minutes 46 seconds.

B)

tx

~~ edit

Full Scan Ok No malicious items were detected. Objects scanned 77,468 in 46 minutes 24 seconds ie 1,669.6 objects/min.
