
ChuckLTC

Honorary Members
  • Posts

    35

Everything posted by ChuckLTC

  1. That post should have read: "I didn't run the Clean portion of ADW yet" after the second scan.
  2. Thanks. I ran another ADW scan in the meantime, and now it is alerting about 3 other things: wecutil.exe in Windows and prefs.js in Firefox. I didn't run the scan portion of ADW yet - I thought I should ask first. AdwCleaner11112016-2.txt
  3. Are those the same items MBAM already has quarantined, or other things that need to be removed?
  4. Thank you! Here is the ADW log. It didn't mention anything about ASK, but did clean out the annoying ANT toolbar from a Firefox plugin. AdwCleaner11112016.txt
  5. MBAM found 4 registry keys indicating PUP.Optional.ASK, and successfully quarantined them all. I'd appreciate it if someone could confirm that I do / do not need to perform further cleaning steps. FBAR logs and MBAM scan log are attached. Please let me know if you need any other information. Thanks for your assistance. ScanLog11102016.txt FRST.txt Addition.txt
  6. Hi - Just wanted to follow up on this issue. On Tuesday, I received the latest Win10 update (Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB3200970)). The MBAM problem I was having now appears to have corrected itself, and the program is behaving like it used to. Update checks now only take around 30 seconds, and the databases are updating themselves (all of them, instead of only one or two at a time). Just to be sure, could someone take a look at my MBAM-check log to confirm that the program is fully updated? I'd appreciate it. I also attached Protection Logs from the update and scan process, FYI. MBAMProtectionLog11112016.txt MBAMProtectionLog11102016.txt CheckResults.txt
  7. Yes, if you could please list all the program and file exclusions that should be listed in Norton Security Suite, I would appreciate it. I don't see a master list in the FAQ. I've added a few things based on other forum posts, but I'd like to make sure all the necessary pieces are listed in Norton.
  8. Sorry for the delay - Windows decided it was time to update itself in the middle of the MBAM / NSS boxing match. MBAM-check log file attached. CheckResults.txt
  9. LOL - It took me 5 tries to connect to data-cdn.mbamupdates.com. The connections kept timing out. I'm using Comcast/Xfinity cable internet, and I get download speeds typically in the 90Mbps range. When the program finally downloaded, I ran it as administrator. It immediately ran an application error "unable to start correctly (0x0000022)", and Norton Security Suite alerted to a Heuristic violation of mbamcore.dll - "Heur.AdvML.B". It has quarantined that program (even though it ran fine a couple of weeks ago when I started this topic):

          -------------------
          Filename: mbamcore.dll
          Threat name: Heur.AdvML.B
          Full Path: c:\users\chuck\appdata\local\temp\7z70622bac\mbamcore.dll
          ____________________________
          On computers as of 10/11/2016 at 11:35:01 AM
          Last Used 10/11/2016 at 11:37:02 AM
          Startup Item: No
          Launched: No
          Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.
          ____________________________
          mbamcore.dll
          Threat name: Heur.AdvML.B
          Few Users: Hundreds of users in the Norton Community have used this file.
          Mature: This file was released 2 years 7 months ago.
          High: This file risk is high.
          ____________________________
          Source: External Media
          Source File: mbamcore.dll
          ____________________________
          File Actions
          File: c:\users\chuck\appdata\local\temp\7z70622bac\ mbamcore.dll Removed
          ____________________________
          File Thumbprint - SHA: 990ca3dc5dacf44b1e557d4e503ce2cd1aab24666a7915dbcfc16cd7af7814bf
          File Thumbprint - MD5: Not available
  10. Thanks for the reply. The link returned: v2016.10.11.07 I tried it with and without MBAM running, and got the same number each time. I just tried to update, and the Malware database downloaded, and now matches that number. As you can see from the Protection log below, the program was still showing the Sept 30 database upon startup. And each time I check for updates, the update process takes about 5 minutes (checking, downloading, installing). I realize I'm on the free version, but that seems like a long time compared to every other program I use and update.

          --------------
          Malwarebytes Anti-Malware
          www.malwarebytes.org
          Update, 10/11/2016 9:59 AM, SYSTEM, SORCERER, Manual, Malware Database, 2016.9.30.15, 2016.10.11.7,
          (end)
          --------------

      Unfortunately, I ran CCleaner yesterday, and forgot to un-check MBAM in its cleaning options. I lost my previous log files. I don't know the status of the other internal databases (IP, Remediation, Domain, etc...). Is there a way to check the version number on those?
  11. I'm still unable to update on 2 separate computers. I saw several other newer threads with similar update problems. Is there any new information about what is happening?

          ------------------
          Latest Daily Protection Log:
          Error, 10/9/2016 9:32 PM, SYSTEM, SORCERER, Manual, 0,
          Update, 10/9/2016 9:32 PM, SYSTEM, SORCERER, Manual, Malware Database, Failed, Unable to access update server, 2016.9.30.15, 2016.10.9.8,
          (end)
          ------------------

      I also saw the instructions about pinging the update servers. Here is what I got, using the admin command prompt:

      nslookup data-cdn.mbamupdates.com

          Microsoft Windows [Version 10.0.14393]
          (c) 2016 Microsoft Corporation. All rights reserved.

          C:\WINDOWS\system32> nslookup data-cdn.mbamupdates.com
          Server: cdns02.comcast.net
          Address: 75.75.76.76

          Non-authoritative answer:
          Name: vip0x062.ssl.hwcdn.net
          Address: 205.185.208.98
          Aliases: data-cdn.mbamupdates.com
                   data-cdn.mbamupdates.com.akadns.net

      ping data-cdn.mbamupdates.com

          Microsoft Windows [Version 10.0.14393]
          (c) 2016 Microsoft Corporation. All rights reserved.

          C:\WINDOWS\system32>ping data-cdn.mbamupdates.com

          Pinging vip0x062.ssl.hwcdn.net [205.185.208.98] with 32 bytes of data:
          Reply from 205.185.208.98: bytes=32 time=19ms TTL=57
          Reply from 205.185.208.98: bytes=32 time=22ms TTL=57
          Reply from 205.185.208.98: bytes=32 time=21ms TTL=57
          Reply from 205.185.208.98: bytes=32 time=23ms TTL=57

          Ping statistics for 205.185.208.98:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
          Approximate round trip times in milli-seconds:
          Minimum = 19ms, Maximum = 23ms, Average = 21ms
  12. Thanks again for looking into this for me. But just to be clear - the slow update process had started before the Win10 Anniversary Update, and still continues when the program actually reaches the update servers. The errors and update failures have never happened before, and didn't start until after the Win10 update. I also remembered that while trying to download the mbam-clean and mbam-install programs (from the direct links in the sticky FAQ post here on the forum), I had to restart them several times as the downloads would time out before connecting. That issue may or may not be connected, but just FYI. I only have the free MBAM version. I just use it as a backup to Norton, and scan once every week or two. Someone who has the premium version, with auto-updates and scheduled scanning probably wouldn't notice errors like this. Just thought I'd bring them to the team's attention, in case the Win10 update (or something else) has created an issue. Thanks again for the help - I appreciate it.
  13. Thanks for the info about chkdsk. I found the logs in Event Viewer, and attached them here. Chkdsk1 is the scan run through File Explorer (Properties / Tools / Error Checking), and Chkdsk2 is the command-line scan, with the /r switch. I also copied the text from the TFC and created a log from that. I rebooted, and tried another MBAM update. I'm now showing database version v2016.09.29.01. It looks like I finally got the IP Database update, which kept failing yesterday. I've also attached two MBAM Protection logs - the final from yesterday, and the one just created. Any manual update request still takes much longer than before. In fact, the MBAM update process has gotten much slower with the last couple of program updates. It now takes several minutes just to check the database versions, then about a minute to download, then a while to install depending on the size of the update. Is that normal? Then, if you initiate a scan, the program automatically runs the update check again, and you get to wait several more minutes before the scan actually begins... (That last bit is just a gripe with the program design, not necessarily a problem.) Thanks again for your help. Chkdsk1.txt Chkdsk2.txt Daily Protection Log 2016-09-28-Final.txt Daily Protection Log 2016-09-29.txt TFC Log.txt.txt
  14. Thanks for the confirmation, Firefox. I ran chkdsk twice - once through Windows File Explorer, and once through an Admin command prompt. Neither scan found any errors. If you need to see the logs for some reason, I'll hunt around for them. I'm not actually sure where Win10 stashes them.
  15. Thanks for the reply. I actually ran a System File Check after I upgraded to the Win10 Anniversary edition (Version 1607, Build 14393.187). SFC found no errors. Or are you suggesting to run chkdsk? I've tried the MBAM updater several times today, with varying results. I think I may have finally gotten all the various databases updated (one by one), but just received another error code "0 - unable to access update server". I'm not sure if I'm still missing any updates. I've attached an export of the Daily Protection Log to this message, if that will help. Daily Protection Log 2016-09-28.txt
  16. Thanks for the reply. I've already done the clean removal process (before creating the topic). It didn't correct the issue, so I downloaded the mbamcheck and Farbar tools and attached their logs. Are you saying I need to do clean removal again? Malwarebytes is showing as version 2.2.1.1043 / Build Date: 3/10/2016 4:06 PM
  17. Malwarebytes update was working fine (although very slowly) before the Win10 Anniversary Update. Now, its database appears to be stuck, showing date 2016.02.16.06. The app logs show an error code of "0", and failures updating the various databases:

          ------------------
          Malwarebytes Anti-Malware
          www.malwarebytes.org
          Error, 9/28/2016 1:47 AM, SYSTEM, SORCERER, Manual, 0,
          Update, 9/28/2016 1:47 AM, SYSTEM, SORCERER, Manual, Domain Database, Failed, Unable to access update server, 2016.2.16.8, 2016.9.27.6,
          Update, 9/28/2016 1:47 AM, SYSTEM, SORCERER, Manual, Remediation Database, Failed, Unable to access update server, 2016.2.12.1, 2016.9.21.1,
          Error, 9/28/2016 10:02 AM, SYSTEM, SORCERER, Manual, 0,
          Update, 9/28/2016 10:02 AM, SYSTEM, SORCERER, Manual, Remediation Database, Failed, Unable to access update server, 2016.2.12.1, 2016.9.21.1,
          (end)
          ------------------

      My system is Win10 with the Anniversary update, also running Norton Security Suite (Comcast/Xfinity build). I've already done the clean uninstall / reinstall. I also saw a previous thread about update server access problems, and added mbamscheduler and mbamservice to the Norton firewall rules - Windows firewall rules are not accessible due to Norton. Mbam.exe and mbamresearch rules were already present in Norton upon reinstall. If you need any further system info or other details, please let me know. Thanks! Addition.txt CheckResults.txt FRST.txt
  18. I've completed the cleanup, and everything seems to be working fine. Thanks again for your time and expertise.
  19. I installed Microsoft Security Essentials. It is up to date, but I was waiting for the all-clear to turn the auto-protect back on.
  20. I agree about the toolbars - hate them. The computer seems to be running OK. I'm going to leave it on overnight, and check it in the morning. Here is the Security Check log. I really appreciate all your help.

          Results of screen317's Security Check version 0.99.74
          Windows XP Service Pack 3 x86
          Internet Explorer 8
          ``````````````Antivirus/Firewall Check:``````````````
          Windows Firewall Enabled!
          ESET Online Scanner v3
          Microsoft Security Essentials
          `````````Anti-malware/Other Utilities Check:`````````
          Malwarebytes Anti-Malware version 1.75.0.1300
          CCleaner
          ````````Process Check: objlist.exe by Laurent````````
          Microsoft Security Essentials MSMpEng.exe
          Microsoft Security Essentials msseces.exe
          `````````````````System Health check`````````````````
          Total Fragmentation on Drive C:: 5%
          ````````````````````End of Log``````````````````````
  21. Also, one more thing I noticed: The owner does use the WeatherBug desktop app, and asked that it remain if possible. Was this line from the fixlist removing something extra from the WeatherBug folder, and will removing affect the app's use? "C:\Program Files\AWS\WeatherBug\Local\askToolbarInstaller-1.5.0.0.exe => Moved successfully"
  22. Thank you. When I started Internet Explorer after the reboot, it showed a popup which stated my search setting had been modified by a program. I had set the search engine to Yahoo manually, since the PC's owner uses Yahoo for email and his Home page. I realize I can reset it to Yahoo - I just wanted to mention the popup in case it had other implications regarding the virus/spyware infections FRST cleaned out.

          Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-10-2013
          Ran by Arliss at 2013-10-06 23:47:50 Run:1
          Running from C:\Documents and Settings\Arliss\Desktop
          Boot Mode: Normal
          ==============================================

          Content of fixlist:
          *****************
          DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
          DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client
          C:\Program Files\AWS\WeatherBug\Local\askToolbarInstaller-1.5.0.0.exe
          C:\RECYCLER\S-1-5-21-1202660629-299502267-839522115-1004\Dc2.exe
          HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...=ie&ar=iesearch
          SearchScopes: HKLM - DefaultScope value is missing.
          SearchScopes: HKCU - DefaultScope {C45E413E-D612-4F2A-B751-10A6AA87BEB2} URL = http://search.yahoo....rtPage?}&fr=ie8
          SearchScopes: HKCU - {C45E413E-D612-4F2A-B751-10A6AA87BEB2} URL = http://search.yahoo....rtPage?}&fr=ie8
          BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
          BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
          Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
          R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
          C:\Documents and Settings\Arliss\Local Settings\temp\System.Data.SQLite.dll
          *****************

          "C:\Program Files\Windows Defender" => Not Found
          "C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking started.
          "C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking completed.
          C:\Program Files\AWS\WeatherBug\Local\askToolbarInstaller-1.5.0.0.exe => Moved successfully.
          C:\RECYCLER\S-1-5-21-1202660629-299502267-839522115-1004\Dc2.exe => Moved successfully.
          HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
          HKCU\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
          HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
          HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
          HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C45E413E-D612-4F2A-B751-10A6AA87BEB2} => Key deleted successfully.
          HKCR\Wow6432Node\CLSID\{C45E413E-D612-4F2A-B751-10A6AA87BEB2} => Key not found.
          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key not found.
          HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key deleted successfully.
          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key not found.
          HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key deleted successfully.
          HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Value deleted successfully.
          HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
          JavaQuickStarterService => Service not found.
          C:\Documents and Settings\Arliss\Local Settings\temp\System.Data.SQLite.dll => Moved successfully.

          The system needs a manual reboot.

          ==== End of Fixlog ====