Just turfed Avast for s#&%ing 2 hours of hard work with a surprise upgrade banner--trying to drag myself back to Earth from Sirius Major I must have clicked the "Upgrade" icon... Anyway, install ZAM Free and light the blue touch-paper, I get: I have no idea where "EnableShellExecuteHooks" came from, and I think I need to know. ZAM has deleted the entry, but what would have put that there? I do have to say I have not seen anything that looks like malware on this box.
Assuming you mean Zemana AntiMalware, I have not used it to decide if I trust it, or not. I would scan it with something else (regardless of what I was using) - CCleaner and Malwarebytes for example and see what they say. I hate these "potentially unwanted ______" findings. I want my scanners to conclusively tell me if something is "malicious" or not.
It's always a good idea to scan with another scanner, better if using different signatures, for example hitmanpro. About "EnableShellExecuteHooks", it could be related to browser hijacking: http://blog.zemana.com/2016/06/youndoocom-using-shellexecutehooks-to.html
@Bill_Bright & @imuade, thanks for the input. ZAM--as was Avast--is not my primary anti-malware, VS does that now. And yes, "Potentially Unwanted Anything" covers a lot of false positives: ZAM promptly flagged HashGenerator and DownloadHashVerifier as PUPs. I did do a quick search on "EnableShellExecuteHooks", and it wasn't reassuring. And I did have a browser hijack attempt some time ago, before I found VS, it was a rogue ad on Major Geeks, but was bowled for a golden duck (ask @Krusty) by CryptoPrevent. I swept up quite a lot of debris from that one, so the registry hack could well have come from that.
Drawing a blank on VS - what's that? FTR, I use Windows 10's built-in Windows Defender and Windows Firewall as my primary security and Malwarebytes as my secondary on all our systems here. I use Pale Moon as my primary browser with IE as my secondary. Never had any security issues - but I do "practice safe computing" by first and foremost, making sure my systems stay current, I don't partake in risky behavior like illegal filesharing via Torrents or P2P sites, and I am not "click-happy" on unsolicited downloads, links, popups, or attachments. Of course, those are the same precautions users must take regardless of their security setup.
With respect to the Hollies, "Sometimes all I need is the air that I breathe": ZAM seems to be a lot like VS, you can pay for the Premium, but the free version will do a more than competent job. Not that I have problems with paying a licence fee, but only if I need it for functionality. And somebody in the earlier pages of the VS thread did say that all you need is ZAM free and VS (free?) for more than adequate protection.
No. But VS does. So VS as primary layer, with ZAM Free for forensics and preemptive cleaning. BTW, the box boots much faster with ZAM Free than it did with Avast! I wonder why?
After a spot of forensics on the Registry, and a quick email, it is confirmed from Kay Bruns personally that SuRun "... uses a ShellExecute Hook to intercept Process creation in a by Microsoft officially supported and documented way." I also found that SuRun has reinstated the key... FWIW, SuRun (http://kay-bruns.de/wp/software/surun/) is a sudo for Windows, extremely useful for localised Elevated Rights rather than Windows "Run As" putting you into the Admin account context. I reckon this is where VS--or some anti-executable--as primary defense is absolutely necessary, as I'm not sure any real-time AV protection would catch a browser hijack using a ShellExecute. But I am impressed with ZAM.
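A defender-side check for the mechanism described in the post above, added here and not written by any poster, by SuRun or by Zemana: it reads the EnableShellExecuteHooks policy value and lists every hook CLSID Explorer would load, resolving each to its DLL and Authenticode signer so a known tool like SuRun can be told apart from an unexpected hook. The Policies\Explorer and Explorer\ShellExecuteHooks paths are the documented ones; the WOW6432Node and HKCU roots are included on the assumption that a 32-bit or per-user hook registers there.

```powershell
# Added example: audit registered ShellExecute hooks. Run from an elevated PowerShell.
$hookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# The value the scanner in the thread flagged: 1 means Explorer loads the hooks listed below.
$enabled = (Get-ItemProperty -Path $policyKey -Name EnableShellExecuteHooks `
            -ErrorAction SilentlyContinue).EnableShellExecuteHooks
"EnableShellExecuteHooks = $(if ($null -eq $enabled) { '<not set>' } else { $enabled })"

# Where a hook's CLSID may be registered (HKCU and WOW6432Node are assumptions for
# per-user and 32-bit registrations; a per-user CLSID shadowing a machine one is worth a look).
$clsidRoots = @(
    'HKCU:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
)

foreach ($key in $hookKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Value names under ShellExecuteHooks are the CLSIDs of the hook COM objects.
    foreach ($clsid in ($props.PSObject.Properties.Name | Where-Object { $_ -like '{*}' })) {
        $server = $null
        foreach ($root in $clsidRoots) {
            $ip = Join-Path (Join-Path $root $clsid) 'InprocServer32'
            if (Test-Path $ip) { $server = (Get-ItemProperty -Path $ip).'(default)'; break }
        }
        if (-not $server) {
            [pscustomobject]@{ HookKey = $key; CLSID = $clsid; DLL = '<CLSID not registered>'
                               Exists = $false; Signer = ''; SigStatus = '' }
            continue
        }
        # InprocServer32 default value is the DLL path, possibly quoted or using %SystemRoot%.
        $path = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            HookKey   = $key
            CLSID     = $clsid
            DLL       = $path
            Exists    = Test-Path $path
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned/unknown>' }
            SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
        }
    }
}
```

A hook whose DLL is missing, unsigned, or living under a user-writable folder such as %APPDATA% is the case to investigate further; a SuRun entry should resolve to its installed, signed DLL.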
Ummm. This (below) turned up today. The first, my son allowed the block. The second, I blocked. The third appeared when ZAM Free wanted to update itself, and I blocked it immediately. So, I think the offender is ZAM. ZAM's notification icon has now disappeared. But the %appdata% folders have disappeared and I cannot interrogate them. Is this the way ZAM upgrades itself? Because the alert looks pretty dodgy with no sig & etc. (sorry, I screenshotted it, but immediately overwrote with Wilders password).
The hash of all three blockings is the same (at least the beginning of the hash), so in all three cases ZAM tried to update itself. Yes, the offender should be ZAM. And according to the changelog, a new version has been released yesterday:
Yes, the hashes are identical in every case. But this would also apply if it was malware... And I just got an email back from Zemana Support: Unfortunately I'm not sure Dan can treat this as "False Positive" since there is no parent process, and the folder and file names are different every time--exactly as malware does it. I hope that Zemana reps take a dekko at these pages occasionally, because I explained the problem in minute detail when I emailed Zemana Support, including both the varying random-looking names and the lack of a parent process. Life becomes really difficult when the anti-malware looks like actual malware. I might have to suss out MBAM... I already use that as a forensic scanner.