Full Version: Malwarebytes Anti-Malware Plugin?
The CD Forum > Bart's PE Builder > Plugins
AgentGOD
Could somebody make a functional one?
AgentGOD
Btw, just using RunScanner with this program will make the Windows installation no longer work, I've tested on VMWare.

It overwrites the registry entry for userinit.exe and redirects it to the X: drive.
hoest
That's kinda important information, good work

- Hoest

btw.. it must be possible to write a fix that redirects things back in place...
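
Added example (not part of the original posts, and not code from RunScanner or PE Builder): a check for the Userinit redirect described above, run against a `.reg` export of the target installation's Winlogon key. The sample export, the `X:\i386\system32` path in it, the `C:\WINDOWS` system root and the function names are assumptions made for illustration.

```python
import ntpath
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export (not captured from a real system): Userinit has been
# redirected to the PE drive, as the posts above describe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="X:\\i386\\system32\\userinit.exe,"
'''

# A value line is either @=... (default value) or "name"=...
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: value}} for REG_SZ and REG_DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = _VALUE.match(line)
        if current is None or not m:
            continue  # header line, blank line, or a value type not handled here
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        raw = m.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            current[name] = _unescape(raw[1:-1])
        elif raw.lower().startswith("dword:"):
            current[name] = int(raw[6:], 16)
    return keys


def check_userinit(reg_text, system_root=r"C:\WINDOWS"):
    """Report every Userinit entry that is not <system_root>\\system32\\userinit.exe."""
    expected = ntpath.join(system_root, "system32", "userinit.exe")
    keys = {k.lower(): v for k, v in parse_reg(reg_text).items()}
    values = {n.lower(): v for n, v in keys.get(WINLOGON.lower(), {}).items()}
    current = values.get("userinit")
    findings = []
    if not isinstance(current, str):
        findings.append("Userinit value is missing or not a string")
    else:
        # Userinit is a comma-separated list of programs run at logon
        entries = [e.strip() for e in current.split(",") if e.strip()]
        if not entries:
            findings.append("Userinit is empty")
        for entry in entries:
            if ntpath.normcase(ntpath.normpath(entry)) != ntpath.normcase(expected):
                drive = ntpath.splitdrive(entry)[0] or "(no drive)"
                findings.append(f"unexpected Userinit entry {entry!r} on drive {drive}")
    # "expected" is the value to restore (the stock value ends with a comma)
    return {"current": current, "expected": expected + ",", "findings": findings}


if __name__ == "__main__":
    result = check_userinit(SAMPLE_REG)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("restore to:", result["expected"])
```

Regedit writes exports as UTF-16, so a real file should be opened with `encoding="utf-16"` before its text is passed to `check_userinit`.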
basskozz
Any updates on this?
I would love to see a MalwareBytes plugin for UBCD4win.
nullpuppy
QUOTE (basskozz @ Dec 10 2008, 10:05 PM) *
Any updates on this?
I would love to see a MalwareBytes plugin for UBCD4win.


I've been working on getting a plugin working off and on over the last several months. I've almost got something usable, but I still get the lovely 'vbAccelerator SGrid II Control - Runtime error '0' / Runtime error '440'; Automation Error' errors. I *think* this is due to mbam.sys and mbamswissarmy.sys not existing in X:\i386\System32\ (I think that's the path, I don't remember exactly at the moment, but it is in System32). Main problem is the System32 directory is read only on boot. I'm currently trying to figure out where I need to put those two .sys files so that they are put in the proper location when the CD build is done. (Might just have the BartPE directory get built, and then build the image manually.)

--nullpuppy
Ed_P
QUOTE (nullpuppy @ Dec 19 2008, 08:11 PM) *
I'm currently trying to figure out where I need to put those two .sys files so that they are put in the proper location when the CD build is done.

To your PEBuilder's Malwarebytes' plugin folder add the two files and to the plugin's inf file add:

mbam.sys=2,,1
mbamswissarmy.sys=2,,1

hth
nullpuppy
Ok. I've managed to make a tiny bit of progress. First, I apparently misremembered where the .sys files are stored (it is in system32/drivers). That part has been fixed. I now have a different problem. There are four DLL files in the MBAM program directory. Two of them can be registered, two of them fail (due to missing entry points). If I register mbamext.dll and ssubtmr6.dll, I no longer get the familiar VB runtime errors; instead I get Error code: 718, for which I have so far been unable to find any reason. I am not beaten yet, but input would be appreciated. If anyone is interested in seeing what I have so far, let me know, and I'll post it.

--nullpuppy
nuMe
Have you enabled the VB plugin? I think it's a default PEBuilder plugin.
shinomen
I too would love for this program to become a full fledged bartpe plugin. Have you had a chance to make any more progress? Another I would like to see is combofix.exe become a plugin.

It only makes sense to have programs like these be able to run from outside of Windows so that they can more accurately and efficiently remove rogue software.
shinomen
@nullpuppy

I'm interested in seeing what you have so far. Can you post something?
nullpuppy
QUOTE (shinomen @ Jan 6 2009, 12:27 PM) *
@nullpuppy

I'm interested in seeing what you have so far. Can you post something?


@Shinomen

Here you are. This is what I have so far. I haven't really touched it since early January, and it still doesn't work quite right.

Looking at this currently, I think it might be more broken than it should be, currently.

mbam.sys and mbamswissarmy.sys need to be put in \Windows\System32\Drivers on the UBCD4Win build during the build. MBAM sort of starts, but I get VB errors (iirc) currently.

The .cmd structure and stuff is borrowed from the NOD32 plugin or the spybot plugin that someone (filecity?) created. I don't remember at the moment.

MBAM_Core.exe is just the contents of the MBAM directory from an install.

Anyways, I'm poking at it today. I hope to be able to get it working soon.

MBAM.inf
CODE
[Version]
Signature= "$Windows NT$"

[PEBuilder]
Name="Anti-Spyware: Malwarebytes' AntiMalware"
Enable=1

[WinntDirectories]
a="Programs\MBAM",2

[SourceDisksFiles]
Files\MBAM_CORE.exe=a,,1
MBAM.cmd=a,,1
Files\mbam.sys=4,,1
Files\mbamswissarmy.sys=4,,1

[Append]
nu2menu.xml, MBAM_nu2menu.xml


MBAM_nu2menu.xml
CODE
<NU2MENU>
    <MENU ID="Programs">
        <MITEM TYPE="POPUP" MENUID="Anti-Spyware Tools">Anti-Spyware Tools</MITEM>
    </MENU>
    <MENU ID="Anti-Spyware Tools">              
        <MITEM TYPE="ITEM" DISABLED="@Not(@FileExists(@GetProgramDrive()\programs\MBAM\MBAM.cmd))" CMD="RUN" FUNC="@GetProgramDrive()\programs\MBAM\MBAM.cmd">MBAM</MITEM>
    </MENU>
</NU2MENU>


MBAM.cmd
CODE
@ECHO OFF
Title MBAM Start Script
REM -------------------------------------------------------------------------
REM MBAM.cmd - Script to start MBAM from BartPE
REM Created by FileCity
REM -------------------------------------------------------------------------

SETLOCAL
IF "%temp%" == "" GOTO _ERR
IF EXIST "%temp%\MBAM\mbam.exe" GOTO _RUN

ECHO Uncompressing MBAM To RAMDisk, Please Wait...
START /wait /min X:\Programs\MBAM\MBAM_CORE.exe
IF NOT %ERRORLEVEL% == 0 GOTO _ERR
DELAY 2 > NUL
ECHO.

:_RUN
START "" "%temp%\MBAM\mbam.exe"
GOTO _END

:_ERR
ECHO.
ECHO MBAM.cmd: Try Adding A RamDisk Or Low Disk Space ...
ECHO.
PAUSE

:_END
ENDLOCAL
EXIT


--nullpuppy
StopSpazzing
I would love to see this working as well. So the only issue is the errors it gives out about VB? And you have included the VB files, right?

Have you tried checking its dependencies with Dependency Walker and made sure everything it needs is there?


I have tried checking it with DP walker... my results:
So far it needs the VB runtimes, specifically VB6, AND needs the Microsoft C++ runtimes as well for it to run properly. I'm testing it right now with all the dependencies included.

UPDATED: Still get the VB errors you described above. Trying to register the files...
::UPDATE::
After including msjava.dll (Microsoft VM is its description) [dependency] and registering all the files I could (mbamext.dll, vbalsgrid6.ocx, ssubtmr6.dll) I get this error:



Same error you get right null?

Next step I'm going to do is install MBAM and capture all the registry keys it makes and files it installs and report back.

UPDATE AGAIN:
Finished installing and capturing files/registry changes.

Registry TXT file (so you can review the keys... easier to read than the reg file): Malwarebytes Anti-Malware - Registry.txt
Registry Key: Malwarebytes Anti-Malware - Registry - After Install.reg
I removed known unnecessary registry keys... but I'm sure this still needs cleaning. The following keys are located at the bottom of the reg file and they are the settings, and I have tweaked them a little already (I'm sure they can be tested and tweaked again):

CODE
[HKEY_USERS\S-1-5-21-789336058-1343024091-1202660629-1001\Software\Malwarebytes' Anti-Malware]
"language"="english.lng"
"firstrun"=dword:00000001
"terminateie"=dword:00000000
"autosavelog"=dword:00000000
"reportthreats"=dword:00000000
"alwaysscanmemory"=dword:00000000
"alwaysscanregistry"=dword:00000000
"alwaysscanfiles"=dword:00000001
"alwaysscanheuristics"=dword:00000001
"contextmenu"=dword:00000001
"startminimized"=dword:00000000
"autoupdate"=dword:00000000
"autoscan"=dword:00000000
"updatetime"=dword:00000001
"scantime"=dword:00000001
"startwithwindows"=dword:00000000


I'm sure | "contextmenu"=dword:00000001 | can be changed to 0. We don't need a context menu.
I'm unsure what | "firstrun"=dword:00000001 | does. I'm sure it's just a simple check though, possibly an update check.


List of files/folders that have been added since the install. We already know this, but it's for reference:
CODE
"FileName" "Size Before" "Size After" "Attrib Before" "Attrib After" "Date Before" "Date After" "Version Before" "Version After" "CRC Before" "CRC After"
"C:\Documents and Settings\All Users\Application Data\Malwarebytes" "" "1KB" "" "D" "" "" "" "" "" ""
"C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware" "" "1KB" "" "D" "" "" "" "" "" ""
"C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\ignore.dat" "" "1KB" "" "A" "" "2/20/2009 8:44:10 PM" "" "" "" ""
"C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref" "" "1,621KB" "" "A" "" "2/11/2009 10:15:52 AM" "" "" "" "3e33bc35"
"C:\Documents and Settings\TEST\Application Data\Malwarebytes" "" "1KB" "" "D" "" "" "" "" "" ""
"C:\Documents and Settings\TEST\Application Data\Malwarebytes\Malwarebytes' Anti-Malware" "" "1KB" "" "D" "" "" "" "" "" ""
"C:\Documents and Settings\TEST\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs" "" "1KB" "" "D" "" "" "" "" "" ""
"C:\Documents and Settings\TEST\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine" "" "1KB" "" "D" "" "" "" "" "" ""
"C:\MBAM\changes.rtf" "" "13KB" "" "A" "" "2/10/2009 8:20:34 PM" "" "" "" "d8aa789d"
"C:\MBAM\Languages" "" "1KB" "" "D" "" "" "" "" "" ""
"C:\MBAM\Languages\albanian.lng" "" "14KB" "" "A" "" "7/3/2008 9:10:26 AM" "" "" "" "41eb416"
"C:\MBAM\Languages\bulgarian.lng" "" "13KB" "" "A" "" "1/16/2009 7:08:46 PM" "" "" "" "87ed7a32"
"C:\MBAM\Languages\catalan.lng" "" "13KB" "" "A" "" "3/4/2008 7:05:10 PM" "" "" "" "83588e23"
"C:\MBAM\Languages\chineseSI.lng" "" "9KB" "" "A" "" "8/1/2008 8:03:38 AM" "" "" "" "4d364440"
"C:\MBAM\Languages\chineseTR.lng" "" "9KB" "" "A" "" "8/4/2008 11:58:40 AM" "" "" "" "c02c5fec"
"C:\MBAM\Languages\croatian.lng" "" "12KB" "" "A" "" "12/27/2008 3:41:44 PM" "" "" "" "489be0fa"
"C:\MBAM\Languages\czech.lng" "" "12KB" "" "A" "" "6/24/2008 10:49:16 PM" "" "" "" "9740a66e"
"C:\MBAM\Languages\danish.lng" "" "12KB" "" "A" "" "10/6/2008 5:48:34 PM" "" "" "" "a0637691"
"C:\MBAM\Languages\dutch.lng" "" "13KB" "" "A" "" "3/4/2008 6:56:46 PM" "" "" "" "cda47445"
"C:\MBAM\Languages\english.lng" "" "12KB" "" "A" "" "3/2/2008 6:33:12 PM" "" "" "" "bfd748fb"
"C:\MBAM\Languages\finnish.lng" "" "12KB" "" "A" "" "5/17/2008 9:09:12 AM" "" "" "" "5c26e639"
"C:\MBAM\Languages\french.lng" "" "14KB" "" "A" "" "3/4/2008 6:57:28 PM" "" "" "" "46092757"
"C:\MBAM\Languages\german.lng" "" "14KB" "" "A" "" "10/5/2008 9:25:38 PM" "" "" "" "983af49a"
"C:\MBAM\Languages\greek.lng" "" "14KB" "" "A" "" "10/7/2008 2:15:50 PM" "" "" "" "af99dfd8"
"C:\MBAM\Languages\hungarian.lng" "" "13KB" "" "A" "" "3/3/2008 4:39:30 PM" "" "" "" "a77c7bf9"
"C:\MBAM\Languages\italian.lng" "" "14KB" "" "A" "" "3/4/2008 7:03:28 PM" "" "" "" "68e844c0"
"C:\MBAM\Languages\latvian.lng" "" "12KB" "" "A" "" "12/19/2008 3:30:36 PM" "" "" "" "8774c4c2"
"C:\MBAM\Languages\macedonian.lng" "" "14KB" "" "A" "" "9/10/2008 9:29:22 PM" "" "" "" "c722e097"
"C:\MBAM\Languages\norwegian.lng" "" "12KB" "" "A" "" "11/25/2008 1:48:24 PM" "" "" "" "c57d6dbe"
"C:\MBAM\Languages\polish.lng" "" "12KB" "" "A" "" "1/10/2009 11:56:16 PM" "" "" "" "cceadfdc"
"C:\MBAM\Languages\portugueseBR.lng" "" "13KB" "" "A" "" "3/4/2008 6:56:14 PM" "" "" "" "72ba4ab"
"C:\MBAM\Languages\portuguesePT.lng" "" "13KB" "" "A" "" "6/15/2008 12:04:12 PM" "" "" "" "ac8cd634"
"C:\MBAM\Languages\romanian.lng" "" "13KB" "" "A" "" "3/13/2008 6:09:18 PM" "" "" "" "6fd8e3a"
"C:\MBAM\Languages\russian.lng" "" "12KB" "" "A" "" "7/3/2008 11:58:56 PM" "" "" "" "f63e90d5"
"C:\MBAM\Languages\serbian.lng" "" "13KB" "" "A" "" "3/3/2008 5:03:30 AM" "" "" "" "c71e9126"
"C:\MBAM\Languages\slovak.lng" "" "12KB" "" "A" "" "7/26/2008 8:58:36 AM" "" "" "" "f3683acb"
"C:\MBAM\Languages\slovenian.lng" "" "12KB" "" "A" "" "3/3/2008 10:28:10 PM" "" "" "" "8dabced1"
"C:\MBAM\Languages\spanish.lng" "" "13KB" "" "A" "" "7/11/2008 1:26:06 PM" "" "" "" "b1518dcf"
"C:\MBAM\Languages\swedish.lng" "" "13KB" "" "A" "" "11/9/2008 4:19:30 PM" "" "" "" "b1238e3e"
"C:\MBAM\Languages\turkish.lng" "" "12KB" "" "A" "" "10/28/2008 9:30:58 PM" "" "" "" "518156af"
"C:\MBAM\Languages\ukrainian.lng" "" "14KB" "" "A" "" "10/31/2008 4:54:46 PM" "" "" "" "a01cde9"
"C:\MBAM\license.txt" "" "5KB" "" "A" "" "1/4/2009 6:31:04 PM" "" "" "" "425aa5c2"
"C:\MBAM\mbam-dor.exe" "" "381KB" "" "A" "" "2/11/2009 10:19:34 AM" "" "1.00" "" "db04b25a"
"C:\MBAM\mbam.chm" "" "58KB" "" "A" "" "2/9/2009 4:38:04 PM" "" "" "" "30c132bb"
"C:\MBAM\mbam.dll" "" "74KB" "" "A" "" "2/11/2009 10:19:30 AM" "" "1, 2, 0, 0" "" "261b77c9"
"C:\MBAM\mbam.exe" "" "1,274KB" "" "A" "" "2/11/2009 10:19:32 AM" "" "1.34" "" "e9fd5579"
"C:\MBAM\mbamext.dll" "" "74KB" "" "A" "" "2/11/2009 10:19:36 AM" "" "1, 1, 0, 0" "" "c3286cc7"
"C:\MBAM\mbamgui.exe" "" "400KB" "" "A" "" "2/11/2009 10:19:38 AM" "" "1.00" "" "b463717d"
"C:\MBAM\mbamservice.exe" "" "180KB" "" "A" "" "2/11/2009 10:19:38 AM" "" "1.00" "" "e7a59040"
"C:\MBAM\ssubtmr6.dll" "" "45KB" "" "A" "" "2/11/2009 10:19:40 AM" "" "1.01.0003" "" "82e19eee"
"C:\MBAM\unins000.dat" "" "7KB" "" "A" "" "2/20/2009 8:43:14 PM" "" "" "" "9037c29c"
"C:\MBAM\unins000.exe" "" "689KB" "" "A" "" "2/20/2009 8:42:35 PM" "" "" "" "60fc8f61"
"C:\MBAM\unins000.msg" "" "11KB" "" "A" "" "2/20/2009 8:43:14 PM" "" "" "" "d2cb3901"
"C:\MBAM\vbalsgrid6.ocx" "" "496KB" "" "A" "" "2/11/2009 10:19:40 AM" "" "2.00.0040" "" "b402d2c0"
"C:\MBAM\zlib.dll" "" "78KB" "" "A" "" "2/11/2009 10:19:42 AM" "" "1.2.3.0" "" "92e4a594"
"C:\WINDOWS\system32\drivers\mbam.sys" "" "16KB" "" "A" "" "2/11/2009 10:19:34 AM" "" "1.00" "" "a928becf"
"C:\WINDOWS\system32\drivers\mbamswissarmy.sys" "" "39KB" "" "A" "" "2/11/2009 10:19:42 AM" "" "1.00" "" "e009696b"
"" "" ""


OFF TOPIC....
Haha... found something cool out. There is a file named news.txt located in "C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware". It contains the latest news from the last time it checked for updates. You can CHANGE the entries to make it say whatever you like... make sure you make it read only afterwards. It will show up under the update tab.
nullpuppy
@StopSpazzing

Awesome, looks like you've made some progress. I hadn't tried Java, not a bad idea. I have gotten the 718 error before, but I don't recall what led up to that problem, I think it might have been from manually registering the DLLs and stuff. My current attempts give me VB errors with vbAccelerator GridII or something.

With the added registry stuff and what not, does it work now? Or are you still getting errors?

And, neat about the news.txt. Might have to play with that for the PE build.
StopSpazzing
QUOTE (nullpuppy @ Feb 21 2009, 12:45 PM) *
@StopSpazzing

Awesome, looks like you've made some progress. I hadn't tried Java, not a bad idea. I have gotten the 718 error before, but I don't recall what led up to that problem, I think it might have been from manually registering the DLLs and stuff. My current attempts give me VB errors with vbAccelerator GridII or something.

With the added registry stuff and what not, does it work now? Or are you still getting errors?

And, neat about the news.txt. Might have to play with that for the PE build.


Thank you. It's been a while since I worked with barebone plugins but it's coming back to me. And just for your info, the msjava.dll description is Microsoft VM, as in possibly Microsoft's own Java. I'm unsure if it is actually related to Java though.

It seems that the folder located at "C:\Documents and Settings\All Users\Application Data\Malwarebytes\", the name of the folder is "Malwarebytes' Anti-Malware", the same folder that news.txt is located in, is REQUIRED for the program to run properly. I tried renaming the folder and then running the app on my computer and it spits out an error about not having the definitions and asking if I wanted to update or not. So we now know that this folder contains necessary files. Now I need to double check, but I am unsure if you can move this folder, or take the contents of the folder and put them somewhere else and point to it with the registry. I have not checked the reg file looking for this specifically, but I will say that I don't recall seeing anything related to this when I was cleaning the file. I will be checking it and testing on a new build later tonight.

On a side note, it's a good thing that it's required... as we can set up and ignore b: (ram disk) and x: (drive the cd/usb is in) so it doesn't scan unnecessary folders and files with the file named "ignore.dat". It's just a kinda stupid setup on their part as to why they don't just keep it, and the other files, in the same folder that the program is installed in.

I also tested to see if the other folder located here: "C:\Documents and Settings\%username%\Application Data\Malwarebytes", which contains the logs and quarantine folders, is required; it is not. It automatically creates a new one.


Realized something...the settings for the TEST computer I used are saved under the last keys in the reg file. There is a "HKEY_CURRENT_USER" key with the same keys as the ones at the end of the reg file...I believe those are the ones you would edit, not the other ones...as those are specific to that computer.
StopSpazzing
Well, here is an update. Tweaked the registry file and set up everything... and it gave me a new error: error code: 707 (3). At least it's new... I looked it up on their forums and they said that you have to reinstall the program... so I am now copying the whole registry file and not just parts, hoping they weren't needed. I will update this post when I have finished.

UPDATE:
Unfortunately it still doesn't work properly. Still gives the same error.

This is what my mbam.inf looks like (seeing as I didn't like the installer method):
CODE
[Version]
Signature= "$Windows NT$"

[PEBuilder]
Name="Anti-Spyware: Malwarebytes' Anti-Malware v1.34"
Enable=1

[WinntDirectories]
a="Programs\MBAM",2
b="Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\",2

[SourceDisksFiles]
Files\*.*=a,,1
Other\*.*=b,,1
mbam.sys=4,,1
mbamswissarmy.sys=4,,1
msjava.dll=2,,1

[Software.AddReg]
0x0,"Classes\.mbam"
0x1,"Classes\.mbam",,"mbam.script"
0x0,"Classes\mbam.script"
0x1,"Classes\mbam.script",,"Malwarebytes' Anti-Malware script"
0x0,"Classes\mbam.script\shell\open\command"
0x1,"Classes\mbam.script\shell\open\command",,"""X:\Programs\MBAM\mbam.exe"" %1"
0x0,"Classes\MBAMExt.MBAMShlExt"
0x1,"Classes\MBAMExt.MBAMShlExt",,"MBAMShlExt Class"
0x0,"Classes\MBAMExt.MBAMShlExt\CLSID"
0x1,"Classes\MBAMExt.MBAMShlExt\CLSID",,"{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
0x0,"Classes\MBAMExt.MBAMShlExt\CurVer"
0x1,"Classes\MBAMExt.MBAMShlExt\CurVer",,"MBAMExt.MBAMShlExt.1"
0x0,"Classes\MBAMExt.MBAMShlExt.1"
0x1,"Classes\MBAMExt.MBAMShlExt.1",,"MBAMShlExt Class"
0x0,"Classes\MBAMExt.MBAMShlExt.1\CLSID"
0x1,"Classes\MBAMExt.MBAMShlExt.1\CLSID",,"{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
0x0,"Classes\SSubTimer6.CTimer"
0x1,"Classes\SSubTimer6.CTimer",,"SSubTimer6.CTimer"
0x0,"Classes\SSubTimer6.CTimer\Clsid"
0x1,"Classes\SSubTimer6.CTimer\Clsid",,"{71A27034-C7D8-11D2-BEF8-525400DFB47A}"
0x0,"Malwarebytes' Anti-Malware"
0x1,"Malwarebytes' Anti-Malware","InstallPath","X:\Programs\MBAM"
0x1,"Malwarebytes' Anti-Malware","Affiliate","http://www.911cd.net"
0x0,"Classes\SSubTimer6.GSubclass"
0x1,"Classes\SSubTimer6.GSubclass",,"SSubTimer6.GSubclass"
0x0,"Classes\SSubTimer6.GSubclass\Clsid"
0x1,"Classes\SSubTimer6.GSubclass\Clsid",,"{71A27032-C7D8-11D2-BEF8-525400DFB47A}"
0x0,"Classes\SSubTimer6.ISubclass"
0x1,"Classes\SSubTimer6.ISubclass",,"SSubTimer6.ISubclass"
0x0,"Classes\SSubTimer6.ISubclass\Clsid"
0x1,"Classes\SSubTimer6.ISubclass\Clsid",,"{71A2702F-C7D8-11D2-BEF8-525400DFB47A}"
0x0,"Classes\vbAcceleratorSGrid6.cGridCell"
0x1,"Classes\vbAcceleratorSGrid6.cGridCell",,"vbAcceleratorSGrid6.cGridCell"
0x0,"Classes\vbAcceleratorSGrid6.cGridCell\Clsid"
0x1,"Classes\vbAcceleratorSGrid6.cGridCell\Clsid",,"{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}"
0x0,"Classes\vbAcceleratorSGrid6.cGridSortObject"
0x1,"Classes\vbAcceleratorSGrid6.cGridSortObject",,"vbAcceleratorSGrid6.cGridSortObject"
0x0,"Classes\vbAcceleratorSGrid6.cGridSortObject\Clsid"
0x1,"Classes\vbAcceleratorSGrid6.cGridSortObject\Clsid",,"{D2129738-6A78-4BCB-915A-412982CAA23D}"
0x0,"Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw"
0x1,"Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw",,"vbAcceleratorSGrid6.IGridCellOwnerDraw"
0x0,"Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid"
0x1,"Classes\vbAcceleratorSGrid6.IGridCellOwnerDraw\Clsid",,"{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}"
0x0,"Classes\vbAcceleratorSGrid6.vbalGrid"
0x1,"Classes\vbAcceleratorSGrid6.vbalGrid",,"vbAccelerator Grid Control"
0x0,"Classes\vbAcceleratorSGrid6.vbalGrid\Clsid"
0x1,"Classes\vbAcceleratorSGrid6.vbalGrid\Clsid",,"{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}"
0x0,"Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt"
0x1,"Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt",,"{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
0x0,"Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
0x1,"Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}",,"MBAMShlExt Class"
0x0,"Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32"
0x1,"Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32",,"X:\Programs\MBAM\mbamext.dll"
0x1,"Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32","ThreadingModel","Apartment"
0x0,"Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\ProgID"
0x1,"Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\ProgID",,"MBAMExt.MBAMShlExt.1"
0x0,"Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\TypeLib"
0x1,"Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\TypeLib",,"{AFF1A83B-6C83-4342-8E68-1648DE06CB65}"
0x0,"Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\VersionIndependentProgID"
0x1,"Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\VersionIndependentProgID",,"MBAMExt.MBAMShlExt"
0x0,"Classes\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}"
0x1,"Classes\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}",,"SSubTimer6.ISubclass"
0x0,"Classes\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\ProgID"
0x1,"Classes\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\ProgID",,"SSubTimer6.ISubclass"
0x0,"Classes\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\TypeLib"
0x1,"Classes\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\TypeLib",,"{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"
0x0,"Classes\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\VERSION"
0x1,"Classes\CLSID\{71A2702F-C7D8-11D2-BEF8-525400DFB47A}\VERSION",,"1.0"
0x0,"Classes\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}"
0x1,"Classes\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}",,"SSubTimer6.GSubclass"
0x0,"Classes\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32"
0x1,"Classes\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32",,"X:\Programs\MBAM\ssubtmr6.dll"
0x1,"Classes\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32","ThreadingModel","Apartment"
0x0,"Classes\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\ProgID"
0x1,"Classes\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\ProgID",,"SSubTimer6.GSubclass"
0x0,"Classes\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\TypeLib"
0x1,"Classes\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\TypeLib",,"{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"
0x0,"Classes\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\VERSION"
0x1,"Classes\CLSID\{71A27032-C7D8-11D2-BEF8-525400DFB47A}\VERSION",,"1.0"
0x0,"Classes\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}"
0x1,"Classes\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}",,"SSubTimer6.CTimer"
0x0,"Classes\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32"
0x1,"Classes\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32",,"X:\Programs\MBAM\ssubtmr6.dll"
0x1,"Classes\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\InprocServer32","ThreadingModel","Apartment"
0x0,"Classes\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\ProgID"
0x1,"Classes\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\ProgID",,"SSubTimer6.CTimer"
0x0,"Classes\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\TypeLib"
0x1,"Classes\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\TypeLib",,"{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"
0x0,"Classes\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\VERSION"
0x1,"Classes\CLSID\{71A27034-C7D8-11D2-BEF8-525400DFB47A}\VERSION",,"1.0"
0x0,"Classes\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}"
0x1,"Classes\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}",,"vbAcceleratorSGrid6.cGridCell"
0x0,"Classes\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}\ProgID"
0x1,"Classes\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}\ProgID",,"vbAcceleratorSGrid6.cGridCell"
0x0,"Classes\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}\TypeLib"
0x1,"Classes\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}\TypeLib",,"{DE8CE233-DD83-481D-844C-C07B96589D3A}"
0x0,"Classes\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}\VERSION"
0x1,"Classes\CLSID\{9BD3A001-42A2-491E-AACA-9512F6CF4CDB}\VERSION",,"1.1"
0x0,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}"
0x1,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}",,"vbAccelerator Grid Control"
0x0,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\Control"
0x1,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\Control",,""
0x0,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\InprocServer32"
0x1,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\InprocServer32",,"X:\Programs\MBAM\vbalsgrid6.ocx"
0x1,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\InprocServer32","ThreadingModel","Apartment"
0x0,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\MiscStatus"
0x1,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\MiscStatus",,"0"
0x0,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\MiscStatus\1"
0x1,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\MiscStatus\1",,"131473"
0x0,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\ProgID"
0x1,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\ProgID",,"vbAcceleratorSGrid6.vbalGrid"
0x0,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\ToolboxBitmap32"
0x1,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\ToolboxBitmap32",,"X:\Programs\MBAM\vbalsgrid6.ocx, 30000"
0x0,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\TypeLib"
0x1,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\TypeLib",,"{DE8CE233-DD83-481D-844C-C07B96589D3A}"
0x0,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\VERSION"
0x1,"Classes\CLSID\{C5DA1F2B-B2BF-4DFC-BC9A-439133543A67}\VERSION",,"1.1"
0x0,"Classes\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}"
0x1,"Classes\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}",,"vbAcceleratorSGrid6.cGridSortObject"
0x0,"Classes\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}\ProgID"
0x1,"Classes\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}\ProgID",,"vbAcceleratorSGrid6.cGridSortObject"
0x0,"Classes\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}\TypeLib"
0x1,"Classes\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}\TypeLib",,"{DE8CE233-DD83-481D-844C-C07B96589D3A}"
0x0,"Classes\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}\VERSION"
0x1,"Classes\CLSID\{D2129738-6A78-4BCB-915A-412982CAA23D}\VERSION",,"1.1"
0x0,"Classes\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}"
0x1,"Classes\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}",,"vbAcceleratorSGrid6.IGridCellOwnerDraw"
0x0,"Classes\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}\ProgID"
0x1,"Classes\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}\ProgID",,"vbAcceleratorSGrid6.IGridCellOwnerDraw"
0x0,"Classes\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}\TypeLib"
0x1,"Classes\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}\TypeLib",,"{DE8CE233-DD83-481D-844C-C07B96589D3A}"
0x0,"Classes\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}\VERSION"
0x1,"Classes\CLSID\{DC90EAA6-69B8-4DE4-9A7B-5B2C5B3FEACD}\VERSION",,"1.1"
0x0,"Classes\Folder\shellex\ContextMenuHandlers\MBAMShlExt"
0x1,"Classes\Folder\shellex\ContextMenuHandlers\MBAMShlExt",,"{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
0x0,"Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}"
0x1,"Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}",,"IMBAMShlExt"
0x0,"Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid"
0x1,"Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid32"
0x1,"Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid32",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib"
0x1,"Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib",,"{AFF1A83B-6C83-4342-8E68-1648DE06CB65}"
0x1,"Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib","Version","1.0"
0x0,"Classes\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}"
0x1,"Classes\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}",,"vbalGrid"
0x0,"Classes\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid"
0x1,"Classes\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid",,"{00020420-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid32"
0x1,"Classes\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\ProxyStubClsid32",,"{00020420-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\TypeLib"
0x1,"Classes\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\TypeLib",,"{DE8CE233-DD83-481D-844C-C07B96589D3A}"
0x1,"Classes\Interface\{1EDFD7DF-030D-4144-952E-9D7D86691CDB}\TypeLib","Version","1.1"
0x0,"Classes\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}"
0x1,"Classes\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}",,"cGridCell"
0x0,"Classes\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}\Forward"
0x1,"Classes\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}\Forward",,"{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}"
0x0,"Classes\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}\ProxyStubClsid"
0x1,"Classes\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}\ProxyStubClsid",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}\ProxyStubClsid32"
0x1,"Classes\Interface\{3E9FB490-7EE2-46E9-B52A-9DE91DD218F4}\ProxyStubClsid32",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}"
0x1,"Classes\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}",,"IGridCellOwnerDraw"
0x0,"Classes\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\ProxyStubClsid"
0x1,"Classes\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\ProxyStubClsid",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\ProxyStubClsid32"
0x1,"Classes\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\ProxyStubClsid32",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\TypeLib"
0x1,"Classes\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\TypeLib",,"{DE8CE233-DD83-481D-844C-C07B96589D3A}"
0x1,"Classes\Interface\{459A91BC-193F-4A70-959C-BFF69D781142}\TypeLib","Version","1.1"
0x0,"Classes\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}"
0x1,"Classes\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}",,"cGridCell"
0x0,"Classes\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\ProxyStubClsid"
0x1,"Classes\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\ProxyStubClsid",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\ProxyStubClsid32"
0x1,"Classes\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\ProxyStubClsid32",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\TypeLib"
0x1,"Classes\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\TypeLib",,"{DE8CE233-DD83-481D-844C-C07B96589D3A}"
0x1,"Classes\Interface\{464D3E06-7D5B-416F-A6EE-0FFB1A5E931B}\TypeLib","Version","1.1"
0x0,"Classes\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}"
0x1,"Classes\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}",,"cGridSortObject"
0x0,"Classes\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\ProxyStubClsid"
0x1,"Classes\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\ProxyStubClsid",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\ProxyStubClsid32"
0x1,"Classes\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\ProxyStubClsid32",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\TypeLib"
0x1,"Classes\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\TypeLib",,"{DE8CE233-DD83-481D-844C-C07B96589D3A}"
0x1,"Classes\Interface\{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}\TypeLib","Version","1.1"
0x0,"Classes\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}"
0x1,"Classes\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}",,"IGridCellOwnerDraw"
0x0,"Classes\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}\Forward"
0x1,"Classes\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}\Forward",,"{459A91BC-193F-4A70-959C-BFF69D781142}"
0x0,"Classes\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}\ProxyStubClsid"
0x1,"Classes\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}\ProxyStubClsid",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}\ProxyStubClsid32"
0x1,"Classes\Interface\{66718B8E-A382-4FE2-AA7A-926F9D8C4621}\ProxyStubClsid32",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}"
0x1,"Classes\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}",,"ISubclass"
0x0,"Classes\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid"
0x1,"Classes\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32"
0x1,"Classes\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\TypeLib"
0x1,"Classes\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\TypeLib",,"{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"
0x1,"Classes\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\TypeLib","Version","1.0"
0x0,"Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}"
0x1,"Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}",,"GSubclass"
0x0,"Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid"
0x1,"Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32"
0x1,"Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\TypeLib"
0x1,"Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\TypeLib",,"{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"
0x1,"Classes\Interface\{71A27031-C7D8-11D2-BEF8-525400DFB47A}\TypeLib","Version","1.0"
0x0,"Classes\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}"
0x1,"Classes\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}",,"CTimer"
0x0,"Classes\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid"
0x1,"Classes\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32"
0x1,"Classes\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\TypeLib"
0x1,"Classes\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\TypeLib",,"{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"
0x1,"Classes\Interface\{71A27033-C7D8-11D2-BEF8-525400DFB47A}\TypeLib","Version","1.0"
0x0,"Classes\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}"
0x1,"Classes\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}",,"CTimer"
0x0,"Classes\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid"
0x1,"Classes\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid",,"{00020420-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32"
0x1,"Classes\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\ProxyStubClsid32",,"{00020420-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\TypeLib"
0x1,"Classes\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\TypeLib",,"{71A2702D-C7D8-11D2-BEF8-525400DFB47A}"
0x1,"Classes\Interface\{71A27036-C7D8-11D2-BEF8-525400DFB47A}\TypeLib","Version","1.0"
0x0,"Classes\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}"
0x1,"Classes\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}",,"cGridSortObject"
0x0,"Classes\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}\Forward"
0x1,"Classes\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}\Forward",,"{497B84D4-FB2F-4AB0-A280-8AACFB4B355F}"
0x0,"Classes\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}\ProxyStubClsid"
0x1,"Classes\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}\ProxyStubClsid",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}\ProxyStubClsid32"
0x1,"Classes\Interface\{BC39A57D-DF2C-45B4-BFFD-7D55E911C1B2}\ProxyStubClsid32",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}"
0x1,"Classes\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}",,"vbalGrid"
0x0,"Classes\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\ProxyStubClsid"
0x1,"Classes\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\ProxyStubClsid",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\ProxyStubClsid32"
0x1,"Classes\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\ProxyStubClsid32",,"{00020424-0000-0000-C000-000000000046}"
0x0,"Classes\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\TypeLib"
0x1,"Classes\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\TypeLib",,"{DE8CE233-DD83-481D-844C-C07B96589D3A}"
0x1,"Classes\Interface\{CCA2E620-B807-451F-BAFD-2057AF9025FE}\TypeLib","Version","1.1"
0x0,"Classes\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0"
0x1,"Classes\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0",,"vbAccelerator VB6 Subclassing and Timer Assistant (with configurable message response, multi-control support + timer bug fix)"
0x0,"Classes\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\0\win32"
0x1,"Classes\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\0\win32",,"X:\Programs\MBAM\ssubtmr6.dll"
0x0,"Classes\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\FLAGS"
0x1,"Classes\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\FLAGS",,"0"
0x0,"Classes\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\HELPDIR"
0x1,"Classes\TypeLib\{71A2702D-C7D8-11D2-BEF8-525400DFB47A}\1.0\HELPDIR",,"X:\Programs\MBAM"
0x0,"Classes\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0"
0x1,"Classes\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0",,"MBAMExt 1.0 Type Library"
0x0,"Classes\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win32"
0x1,"Classes\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win32",,"X:\Programs\MBAM\mbamext.dll"
0x0,"Classes\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS"
0x1,"Classes\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS",,"0"
0x0,"Classes\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR"
0x1,"Classes\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR",,"X:\Programs\MBAM"
0x0,"Classes\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1"
0x1,"Classes\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1",,"vbAccelerator VB6 SGrid Control 2.0"
0x0,"Classes\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\0\win32"
0x1,"Classes\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\0\win32",,"X:\Programs\MBAM\vbalsgrid6.ocx"
0x0,"Classes\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\FLAGS"
0x1,"Classes\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\FLAGS",,"2"
0x0,"Classes\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\HELPDIR"
0x1,"Classes\TypeLib\{DE8CE233-DD83-481D-844C-C07B96589D3A}\1.1\HELPDIR",,"X:\Programs\MBAM"
0x0,"Microsoft\Windows\CurrentVersion\App Paths\mbam.exe"
0x1,"Microsoft\Windows\CurrentVersion\App Paths\mbam.exe",,"X:\Programs\MBAM\mbam.exe"
0x1,"Microsoft\Windows\CurrentVersion\App Paths\mbam.exe","Path","X:\Programs\MBAM"
0x0,"Microsoft\Windows\CurrentVersion\RunOnce"
0x1,"Microsoft\Windows\CurrentVersion\RunOnce","Malwarebytes' Anti-Malware","X:\Programs\MBAM\mbamgui.exe /install /silent"

[Default.AddReg]
0x0,"Software\Malwarebytes' Anti-Malware"
0x1,"Software\Malwarebytes' Anti-Malware","language","english.lng"
0x4,"Software\Malwarebytes' Anti-Malware","firstrun",0x0
0x4,"Software\Malwarebytes' Anti-Malware","terminateie",0x0
0x4,"Software\Malwarebytes' Anti-Malware","autosavelog",0x0
0x4,"Software\Malwarebytes' Anti-Malware","reportthreats",0x0
0x4,"Software\Malwarebytes' Anti-Malware","alwaysscanmemory",0x0
0x4,"Software\Malwarebytes' Anti-Malware","alwaysscanregistry",0x0
0x4,"Software\Malwarebytes' Anti-Malware","alwaysscanfiles",0x1
0x4,"Software\Malwarebytes' Anti-Malware","alwaysscanheuristics",0x1
0x4,"Software\Malwarebytes' Anti-Malware","contextmenu",0x0
0x4,"Software\Malwarebytes' Anti-Malware","startminimized",0x0
0x4,"Software\Malwarebytes' Anti-Malware","autoupdate",0x0
0x4,"Software\Malwarebytes' Anti-Malware","autoscan",0x0
0x4,"Software\Malwarebytes' Anti-Malware","updatetime",0x1
0x4,"Software\Malwarebytes' Anti-Malware","scantime",0x1
0x4,"Software\Malwarebytes' Anti-Malware","startwithwindows",0x0

[Append]
nu2menu.xml, MBAM_nu2menu.xml


"Files" folder contains everything from your malwarebytes install folder. "Other" folder contains all the files from "C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\" (mine contained: ignore.dat, news.txt, and rules.def). Put msjava.dll, found in system32 folder, mbamswissarmy.sys and mbam.sys found in your system32/drivers, into main program folder. BTW, this is the halved version of the registry file, same one I used in the first test...seeing as nothing changed by adding the double keys in the second test.

Oops...I messed up on something...msjava is supposed to go into system32 folder not drivers as it used to say in the inf. I'll rebuild and test again. UPDATE: It gives the same error with and without msjava.dll, which seems to mean that it is not required or could just mean this error isn't related.
skeeterpe
@dedicated to MBAM Plugin-->

I went on the MBAM forum and inquired about the MBAM developers creating a portable MBAM for BartPE and they swore up and down that the application would suffer catastrophically from its "installed in Windows" version..... They also became very defensive when I said I was working on one myself. Like I had just slapped their baby sister or something! From their forum, "....MBAM would lose its effectiveness in PE" but the developers openly admitted they knew nothing about anything PE and even less about BartPE so Guys/Gals... I don't have to tell you we're on our own as per MBAM developers' politics!

Every plugin I've tried to make has opened but failed after opening with VB and other errors. I honestly thought since they were such a phenomenal program for malware outbreaks that they would be open to the idea of a portable (not free obviously) version for us PE people!

Regretfully,
SkeeterPE
StopSpazzing
As I said in a previous post...I am confused as to why they separate all of the files, esp. the definition and ignore files...they put it into some random folder...it's sad actually..didn't know they made such a horrible program layout. Don't get me wrong I love their program, but they need to get their act together and put everything into one folder...it's not that hard. It's like they want to complicate things on purpose. So them saying what they have said is pretty sad and kinda expected. I will tell you this though...I will NEVER buy the program unless they get smart and make it portable, and support PE environments.
skeeterpe
I know when you mention "SuperAntiSpyware" it pisses them all off, especially in their own domain! A bit extreme to have to do so but, SAS has at least made somewhat of an effort to support the PE Community!
nullpuppy
QUOTE (skeeterpe @ Feb 21 2009, 08:46 PM) *
@dedicated to MBAM Plugin-->

I went on the MBAM forum and inquired about the MBAM developers creating a portable MBAM for BartPE and they swore up and down that the application would suffer catastrophically from its "installed in Windows" version..... They also became very defensive when I said I was working on one myself. Like I had just slapped their baby sister or something! From their forum, "....MBAM would lose its effectiveness in PE" but the developers openly admitted they knew nothing about anything PE and even less about BartPE so Guys/Gals... I don't have to tell you we're on our own as per MBAM developers' politics!

Every plugin I've tried to make has opened but failed after opening with VB and other errors. I honestly thought since they were such a phenomenal program for malware outbreaks that they would be open to the idea of a portable (not free obviously) version for us PE people!

Regretfully,
SkeeterPE


I found a thread like that last week, in fact, might have been yours.. I agree, it's really too bad that they're so against the PE environment. Really doesn't make any sense.

As much as I don't want to do it, I'm almost wondering if it might make sense to dig into their DLLs and build a simple wrapper around it to just access the scanning engine, assuming it's even possible... Then again, damn the DMCA...
nuMe
With so many alternatives why waste the time?
nullpuppy
QUOTE (nuMe @ Feb 23 2009, 01:45 PM) *
With so many alternatives why waste the time?


Because if we can get it to work, it'll save time in the long run. MBAM has, by far, been the most useful utility I've found so far for malware removal. If I can boot into a PE environment and scan, I can let it go and walk away and work on someone else while it cleans it up. It saves me time and lets me get more done.
StopSpazzing
QUOTE (nuMe @ Feb 23 2009, 01:45 PM) *
With so many alternatives why waste the time?


I agree with that...that would be a complete waste of time. I would instead completely promote the alternatives elsewhere and bash on Malwarebytes all the time about the fact that they don't want to support PE environments or portability. At least this can be done legally.

And I'm stuck on this error. I have not been able to get past it. I've tried everything but using it in a readable/writable disk...such as a USB or pointing the reg keys to the ramdisk and manually copying the files over after start (haven't had time, so if you want to try that, nullpuppy, would rule out everything I could think of). So, until they come to their senses and release a PE supported version, we are out of luck, unless you know of anything I don't?

What might be a better alternative and NOT a complete waste of time is use their "rules.def", make a program that can read it and scan the computer using their definitions. The program is only as good as the definitions it uses. Or just make a converter that will convert it to a readable format for another program...for instance SAS. Of course it's most likely illegal to do so...
Overburn
I got this to work using the XPE plugin a while back. It's an older version of mbam, I haven't tested it in a while to see if it will still update. As of late, I've had much better success slaving hard drives on a 'test-tech' box and using RunScanner to scan the remote registry.
skeeterpe
Honestly I don't have any PE worthy alternatives. I'm wasting my time because I think SAS and MBAM are the only anti-spyware solutions out there. Heck half the anti-virus/anti-malware plugins available either stink to high heaven, plagued by broken download links or just plain way too much work to edit directories, inf files and registry re-directs. I'm personally sick of trying to find any anti-virus solutions that work.

My solution as a result? Pop the windows cd in and worry about drivers and installed programs later. That's it! THAT MY FRIEND, IS A WASTE OF TIME! If I could get half of a reliable download link, I would be overjoyed! Thanks everyone for listening to my venting by-the-way. I'll get over it.

Respectfully,
SkeeterPE

QUOTE (nuMe @ Feb 23 2009, 03:45 PM) *
With so many alternatives why waste the time?
Virtual-R
QUOTE (skeeterpe @ Feb 26 2009, 04:47 AM) *
Honestly I don't have any PE worthy alternatives. I'm wasting my time because I think SAS and MBAM are the only anti-spyware solutions out there. Heck half the anti-virus/anti-malware plugins available either stink to high heaven, plagued by broken download links or just plain way too much work to edit directories, inf files and registry re-directs. I'm personally sick of trying to find any anti-virus solutions that work.

My solution as a result? Pop the windows cd in and worry about drivers and installed programs later. That's it! THAT MY FRIEND, IS A WASTE OF TIME! If I could get half of a reliable download link, I would be overjoyed! Thanks everyone for listening to my venting by-the-way. I'll get over it.

Respectfully,
SkeeterPE


Ello! I agree that MBAM is the best anti-malware/spyware program out there. I am sure that everybody here is doing their best to get this program to work. Don't lose hope. There are SAS-plugins in this forum that I think still work, so why not try them? MBAM hasn't put any energy into making the program portable or even BartPE-friendly, so let's see what we can do, have patience.
StopSpazzing
QUOTE (Virtual-R @ Feb 26 2009, 02:53 AM) *
Ello! I agree that MBAM is the best anti-malware/spyware program out there. I am sure that everybody here is doing their best to get this program to work. Don't lose hope. There are SAS-plugins in this forum that I think still work, so why not try them? MBAM hasn't put any energy into making the program portable or even BartPE-friendly, so let's see what we can do, have patience.



I need someone to test the plugin in a writable environment and get back to me if it errors still or not. It's a possibility that it needs a %username% folder...I have not been able to test this as I don't know how I would go about setting a ":\Documents and Settings\username" registry setting.

@Overburn
Could you release the plugin? Or at least tell me what version of the Malwarebytes program you used? Maybe we can just use the defs and update the defs only and use an older version.
muggles
QUOTE (StopSpazzing @ Feb 26 2009, 03:47 PM) *
I need someone to test the plugin in a writable environment and get back to me if it errors still or not.


FYI,

I have tested with FBFW and received the error code 718.
Then, I made a plugin for the setup.exe and installed mbam to RAM drive within UBCDW (with FBFW enabled) still error 718.

bummer
skeeterpe
If you have a 100% working SAS plugin, by all means please post it here and include the entire plugin. Thanks. I'll test anything you have!

SkeeterPE


QUOTE (Virtual-R @ Feb 26 2009, 04:53 AM) *
Ello! I agree that MBAM is the best anti-malware/spyware program out there. I am sure that everybody here is doing their best to get this program to work. Don't lose hope. There are SAS-plugins in this forum that I think still work, so why not try them? MBAM hasn't put any energy into making the program portable or even BartPE-friendly, so let's see what we can do, have patience.
nullpuppy
Quick update. Still getting the Error Code 718. Quick google search pointed me to this: http://www.malwarebytes.org/forums/index.php?showtopic=9410 GT500 mentions that it sounds like inability to load MD5 hash generator. I took a look at the services, and the crypto services don't appear to exist (I'm using the UBCD4Win builder, assuming PE builder is going to result in the same problem).

Might just need to figure out how to add crypto to PE and might be good to go. Going to look into it today, might have an update later today.
nullpuppy
Alright. Progress!!!

Adding crypto services (pulled xpe-crypto.inf from the XPE plugins), and mbam no longer crashes with error 718. It now alerts to the absence of the rules, so I need to fix that. If I click cancel (to not update rules), I get error 716, which I'm guessing should be fixed once I get the rules in place.
StopSpazzing
QUOTE (nullpuppy @ Feb 28 2009, 04:14 PM) *
Alright. Progress!!!

Adding crypto services (pulled xpe-crypto.inf from the XPE plugins), and mbam no longer crashes with error 718. It now alerts to the absence of the rules, so I need to fix that. If I click cancel (to not update rules), I get error 716, which I'm guessing should be fixed once I get the rules in place.



Nice! GJ! Like I said use the inf I posted...as it puts the defs in the correct location. I'm going to test what it requires.

Almost seems like you are ignoring my posts... as I have posted how to put the defs in the correct location.

Hmm, I still get an error 707. What are you doing different?
ka0s
Sorry to butt in here, but I would just like to say, referring back to what was said about the developers not wanting to help with the plugin for anything PE: from how I understand their app works, it is most effective in a booted XP install, right in the midst of the malware infection. Apparently the sys driver they install interacts with a lot of the rootkits that get installed accompanying malware infections; that sys driver needs to be active to unhook processes and drivers from usually the svchost.exe or lsass.exe (in newer versions), and also for enumeration of hidden files and processes. But I am all for using the program for its defs only, and doing a dumb scan on the system drive infected, but I think SAS does a better job of this. I hope you get this plugin to work since I know NOTHING of how to write plugins or the sort.
muggles
FYI all,

adding the .inf (line 14 on down) from:
bartpe.boot-land.net/Projects/Tools/CorePlugins/Xpe107/xpe-crypto.inf
fixed the 718 error and it runs and scans X:, B: fine in my limited vmware.
(thank you nullpuppy for the crypto services hint and StopSpazzing for your .inf)
this was on a 1-14-09 install of mbam
more testing now.

This may all be in vain but you know how it is, gotta try it.

Maybe Malwarebytes was trying to discourage us from getting this to work?
Maybe it will be almost as good as a live system?
Maybe it will just s**k

But I tried, who needs to watch the news today anyway.

FYI2, 3-3-09 7:30pm
adding vanilla runscanner OK.
latest downloaded version OK
currently, live update has a write error to X:\PROGRAMS\ubam\%SystemDrive%
will look @ FBFW and the cfg tomorrow
I cannot compare to a compromised system yet, was tested on known clean one

muggles
ka0s
Once everything is done, can someone recap? I tried to piece together what was said and accomplished on this thread but I get the 707(3) error when trying to run it. Also the mbam.cmd refers to the mbam_core.exe which doesn't exist; I changed it to mbam-dor.exe but I'm not sure if it's the same.
muggles
I seem to have a working plugin, just be sure to use the latest version. Older versions use the executable mb.exe, not mbam.exe like v1.34.

1) Install the latest version.
2) Extract to your plugin dir and hit the CONFIG button to copy your local files to the plugin dir.

Get it here if you wish to help TEST/HELP UPGRADE this beta:
mbam 1.34 test plugin
and please, report any issues.
ka0s
QUOTE (muggles @ Mar 4 2009, 05:09 PM) *
I seem to have a working plugin, just be sure to use the latest version. Older versions use the executable mb.exe, not mbam.exe like v1.34.

1) Install the latest version.
2) Extract to your plugin dir and hit the CONFIG button to copy your local files to the plugin dir.

Get it here if you wish to help TEST/HELP UPGRADE this beta:
mbam 1.34 test plugin
and please, report any issues.



I wonder if that script was tested... I say this because the Launch MBAM.cmd referred to runner.exe, which doesn't exist. After sorting that out and running from the shell, it copies the necessary files then spits out "Error loading database. Line #0.(0)". I wonder what database it is referring to?
muggles
I wonder if you read the HELP button/html file.
Runscanner is required to scan the local registry.
If you do not have the runscanner plugin installed, run the Launch MBAM.cmd file to copy the necessary files to your temp dir, explore to X:\programs\mbam and execute mbam.exe. This method may not be as useful without scanning your local registry, but at least it will run.
BTW, the runscanner plugin can be downloaded here:
RunScanner

Thank you for your feedback.
ka0s
QUOTE (muggles @ Mar 4 2009, 07:27 PM) *
I wonder if you read the HELP button/html file.
Runscanner is required to scan the local registry.
If you do not have the runscanner plugin installed, run the Launch MBAM.cmd file to copy the necessary files to your temp dir, explore to X:\programs\mbam and execute mbam.exe. This method may not be as useful without scanning your local registry, but at least it will run.
BTW, the runscanner plugin can be downloaded here:
RunScanner

Thank you for your feedback.


Thanks for the kick in the pants..
StopSpazzing
QUOTE
; MalwareBytes Anti-Malware.inf
; PE Builder v3 plug-in INF file for MalwareBytes Anti-Malware
; Created by Richard Jordan
; Modified by muggles


Please give credit where credit is due. Who is Richard?

QUOTE
; MalwareBytes Anti-Malware.inf
; PE Builder v3 plug-in INF file for MalwareBytes Anti-Malware
; Created by Richard Jordan
; Testing and Tweaking by Nullpuppy and StopSpazzing
; Modified by muggles


CODE
[SetupReg.AddReg]
0x1,"Software\Malwarebytes' Anti-Malware","Affiliate","https://www.cleverbridge.com/342/?scope=checkout&cart=69696"


Change to:
CODE
[SetupReg.AddReg]
0x1,"Software\Malwarebytes' Anti-Malware","Affiliate","http://www.911cd.net/forums/"

Or just remove it altogether.

Since they don't care about us then I think we should at least link back to here.
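An added example, not part of the thread or of the plugin itself: before building a forum-posted plugin into a rescue CD, the INF's AddReg entries can be audited for autostart values and embedded URLs such as the `RunOnce` and `Affiliate` lines quoted in this thread. The sample INF is constructed from those quoted lines; placing the first group under `[Software.AddReg]` and the Winlogon check are assumptions of this sketch.

```python
import csv
import re
from collections import Counter

# Constructed sample built from AddReg lines quoted in this thread.
# Assumption: the HKLM\Software-relative keys sit under [Software.AddReg].
SAMPLE_INF = r'''
; MalwareBytes Anti-Malware.inf
[Software.AddReg]
0x0,"Microsoft\Windows\CurrentVersion\App Paths\mbam.exe"
0x1,"Microsoft\Windows\CurrentVersion\App Paths\mbam.exe",,"X:\Programs\MBAM\mbam.exe"
0x0,"Microsoft\Windows\CurrentVersion\RunOnce"
0x1,"Microsoft\Windows\CurrentVersion\RunOnce","Malwarebytes' Anti-Malware","X:\Programs\MBAM\mbamgui.exe /install /silent"

[Default.AddReg]
0x1,"Software\Malwarebytes' Anti-Malware","language","english.lng"
0x4,"Software\Malwarebytes' Anti-Malware","autoupdate",0x0

[SetupReg.AddReg]
0x1,"Software\Malwarebytes' Anti-Malware","Affiliate","https://www.cleverbridge.com/342/?scope=checkout&cart=69696"

[Append]
nu2menu.xml, MBAM_nu2menu.xml
'''

SECTION_RE = re.compile(r'^\[(.+?)\]\s*$')
# Keys whose values Windows executes at logon or startup.
AUTOSTART_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices)$', re.I)
# Winlogon values that decide what runs at logon (check added by this example).
WINLOGON_KEY_RE = re.compile(r'\\Winlogon$', re.I)
WINLOGON_VALUES = {'userinit', 'shell'}
URL_RE = re.compile(r'https?://\S+', re.I)


def parse_addreg(text):
    """Yield (section, lineno, flags, key, name, data) for each *.AddReg line."""
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1)
            continue
        if section is None or not section.lower().endswith('.addreg'):
            continue  # e.g. [Append] holds file names, not registry data
        fields = next(csv.reader([line], skipinitialspace=True))
        try:
            flags = int(fields[0], 16)  # 0x0 key, 0x1 string, 0x4 dword, as used above
        except ValueError:
            continue  # not a registry entry; leave it for manual review
        fields += [''] * (4 - len(fields))
        yield section, lineno, flags, fields[1], fields[2], ','.join(fields[3:])


def audit(text):
    """Return (findings, entries_per_section) for a plugin INF."""
    findings = []
    per_section = Counter()
    for section, lineno, flags, key, name, data in parse_addreg(text):
        per_section[section] += 1
        if flags == 0x0:
            continue  # key creation only, carries no data
        where = f'[{section}] {key} "{name}"'
        if AUTOSTART_KEY_RE.search(key):
            findings.append(('autostart', lineno, f'{where} -> {data}'))
        elif WINLOGON_KEY_RE.search(key) and name.lower() in WINLOGON_VALUES:
            findings.append(('winlogon', lineno, f'{where} -> {data}'))
        for url in URL_RE.findall(data):
            findings.append(('url', lineno, f'{where} -> {url}'))
    return findings, per_section


if __name__ == '__main__':
    results, counts = audit(SAMPLE_INF)
    for kind, lineno, detail in results:
        print(f'{kind:9} line {lineno}: {detail}')
    for section, count in counts.items():
        print(f'{count:5} entries in [{section}]')
```

The per-section counts also give a quick view of how much of the INF is registry data, which is the size concern raised later in the thread.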
muggles
I have no idea who Richard is, it was in the .inf I edited so it stayed. Affiliate removed and .inf updated.

BTW, a new version of the CONFIG_mbam.cmd has been included in the zip with update capabilities.
StopSpazzing
QUOTE (muggles @ Mar 6 2009, 04:37 PM) *
I have no idea who Richard is, it was in the .inf I edited so it stayed. Affiliate removed and .inf updated.

BTW, a new version of the CONFIG_mbam.cmd has been included in the zip with update capabilities.



Thank you, I appreciate it!

Do you mind if I add the link on my website and to my signature? Or do you prefer I upload it to my website and host it myself?
muggles
QUOTE (StopSpazzing @ Mar 6 2009, 08:23 PM) *
Thank you, I appreciate it!

Do you mind if I add the link on my website and to my signature? Or do you prefer I upload it to my website and host it myself?


Whatever you would rather do is fine by me.

It's been a while, but I finally found where I downloaded the plugin that I hacked to make work for v1.34:
http://www.malwarebytes.org/forums/index.p...ost&p=39551
Now we know who Richard Jordan is
Ed_P
I've recently had a need to use Malwarebytes' Anti-Malware, to remove an Antispyware 2008 infection. It's a very nice app, and I look forward to adding it to my BartPE system with this plugin.

Two comments you might consider:

1. I find it useful to add links to the threads that relate to the development of the plugin in its inf file. You could add a link to this thread and to the one for Richard Jordan. If at some point I have a question about the plugin, being able to get back to the originating thread is useful.

2. The plugin's inf appears to contain half of the Registry. Can it be pared down to just the essentials? Sometimes many app Registry entries are default entries that get created the first time the app is executed.
StopSpazzing
Thank you muggles...was very curious.

QUOTE (Ed_P @ Mar 6 2009, 09:12 PM) *
I've recently had a need to use Malwarebytes' Anti-Malware, to remove an Antispyware 2008 infection. It's a very nice app, and I look forward to adding it to my BartPE system with this plugin.

Two comments you might consider:

1. I find it useful to add links to the threads that relate to the development of the plugin in its inf file. You could add a link to this thread and to the one for Richard Jordan. If at some point I have a question about the plugin, being able to get back to the originating thread is useful.

2. The plugin's inf appears to contain half of the Registry. Can it be pared down to just the essentials? Sometimes many app Registry entries are default entries that get created the first time the app is executed.


1. I think that's a great idea. All plugins should contain a link back to developmental post.

2. I believe those keys are from sherpya's xpe-crypto service file. It is REQUIRED for malwarebytes anti-malware to run (the service). I doubt we could remove any of it. All those keys except the top few are from his plugin inf file.
muggles
QUOTE (StopSpazzing @ Mar 7 2009, 05:28 PM) *
Thank you muggles...was very curious.



1. I think that's a great idea. All plugins should contain a link back to developmental post.

2. I believe those keys are from sherpya's xpe-crypto service file. It is REQUIRED for malwarebytes anti-malware to run (the service). I doubt we could remove any of it. All those keys except the top few are from his plugin inf file.


I removed the blobs and so far OK, this will bring it down to <900 lines instead of >9k

will post after more tests
skeeterpe
So, does this mean the plugin noted above is completed and working 100%?

QUOTE (muggles @ Mar 7 2009, 08:44 PM) *
I removed the blobs and so far OK, this will bring it down to <900 lines instead of >9k

will post after more tests
skeeterpe
This link to the plugin is the one I am referring to:

<< Whatever you would rather do is fine by me.

It's been a while, but I finally found where I downloaded the plugin that I hacked to make work for v1.34:
http://www.malwarebytes.org/forums/index.p...ost&p=39551
Now we know who Richard Jordan is >>



QUOTE (muggles @ Mar 7 2009, 08:44 PM) *
I removed the blobs and so far OK, this will bring it down to <900 lines instead of >9k

will post after more tests
muggles
mbam plugin for v1.34
is the link to the plugin for v1.34.

UPDATED March 8th, 2009: Fixed copy bug in update cmd and cleaned inf.
Ed_P
Your plugin's build script copies files from the Windows' Profile folder. While I understand the need to allocate these folders in the BartPE folder I don't think copying the logs and quarantined files from the host is advisable, or needed.

PEBuilder also has been known to struggle with paths with spaces in them. The plugin's folder might better be named simply files with all files including the 2 system driver files added to it. The inf parms determine where the files are positioned within the BartPE folders.

Just my opinion.

And I like the new pared down inf file.
Virtual-R
Excellent work! The plugin works fine for me, but I had to do a modification

Launch MBAM.CMD

CODE
@echo off

echo Starting MalwareBytes Anti-Malware...

%Systemdrive%
cd "\Programs\mbam"

regsvr32 ssubtmr6.dll /S
regsvr32 vbalsgrid6.ocx /S

xcopy "%SystemDrive%\Programs\mbam\All Users\Application Data" "%ALLUSERSPROFILE%\Application Data\" /E /Y
xcopy "%SystemDrive%\Programs\mbam\Current User\Application Data" "%USERPROFILE%\Application Data\" /E /Y

rem Changed this line:
start %SystemDrive%\Programs\RunScanner\RunScanner.exe mbam.exe

exit


Maybe a typo, but before it was start %SystemDrive%\Programs\RunScanner\RunScanner.exe mb.exe, and that didn't work.
Question, shouldn't Runscanner run with the timeout parameter, and maybe something more?