calintexas

Honorary Members
  • Posts

    221
Everything posted by calintexas

  1. Maurice, thank you for your help. I'll need more direction to run FSS.com. I did not have the "run as administrator" choice when I right clicked on the FSS.com Icon (see attached image). I clicked open and got a "DDS is not meant to run in compatibility mode" message (image attached). Please advise. The requested FSS scan is attached. FSS.txt
  2. Ok, there is no immediate rush. Now that I know the box is basically clean, I can wait. I do really appreciate your help.
  3. Thanks Ron. I ran SFC /SCANNOW multiple times as suggested on the linked page you provided, but the only items it identified are related to an AMD 64 processor (my PC has an Intel i7) (run log attached). The DISM /Cleanup-Image tool failed as it gave an error (0x000f0906) with a "The source files could not be downloaded." message (image attached). I'm out of my depth here. I'm thinking I should see if Win 10 is different enough that the upgrade will solve the problem, and if not, start back clean with 8 that came with the PC (in a partition on the hard disc) then upgrade to 8.1 with minimal apps loaded and go from there. It looks like the only items actually installed in our efforts to find an infection are ERUNT and Eset. Everything else should be just a matter of deleting the files on the desktop? Is there anything that was found that I really should get rid of? sfcdetails.txt
  4. STEP 04:

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Junkware Removal Tool (JRT) by Malwarebytes
     Version: 8.0.2 (01.06.2016)
     Operating System: Windows 8.1 x64
     Ran by Cal CA (Administrator) on Mon 02/15/2016 at 7:57:42.10
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     File System: 1
     Successfully deleted: C:\Users\Cal CA\AppData\Roaming\Mozilla\Firefox\Profiles\zs7x4kug.default\searchplugins\safesearch.xml (File)

     Registry: 2
     Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} (Registry Key)
     Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E3C9BFF1-AEA7-4EB0-84E4-4BBF094FFE68} (Registry Key)

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Scan was completed on Mon 02/15/2016 at 8:00:32.99
     End of JRT log
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     STEP 05: No confidence in what to eliminate here. I'll take your advice. There wasn't much found.

     # AdwCleaner v5.033 - Logfile created 15/02/2016 at 08:36:58
     # Updated 07/02/2016 by Xplode
     # Database : 2016-02-07.2 [server]
     # Operating system : Windows 8.1 (x64)
     # Username : Cal CA - 1_GENE
     # Running from : C:\Users\Cal CA\Desktop\AdwCleaner.exe
     # Option : Cleaning
     # Support : http://toolslib.net/forum

     ***** [ Services ] *****

     ***** [ Folders ] *****

     ***** [ Files ] *****
     [x] File Not Deleted : C:\Users\Gene\AppData\Roaming\Mozilla\Firefox\Profiles\62hdlfqv.default\searchplugins\safesearch.xml

     ***** [ DLLs ] *****

     ***** [ Shortcuts ] *****

     ***** [ Scheduled tasks ] *****

     ***** [ Registry ] *****
     [x] Key Not Deleted : HKCU\Software\APN PIP
     [x] Key Not Deleted : HKLM\SOFTWARE\PIP
     [x] Key Not Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8DBC5A0A-31C4-46C7-B252-6B593EA11A87}

     ***** [ Web browsers ] *****
     [x] [C:\Users\Gene\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Not Deleted : aol.com
     [x] [C:\Users\Gene\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Not Deleted : ask.com

     *************************
     :: "Tracing" keys removed
     :: Winsock settings cleared

     ########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1209 bytes] ##########

     STEP 06:

     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 2/15/2016
     Scan Time: 9:15 AM
     Logfile:
     Administrator: Yes

     Version: 2.2.0.1024
     Malware Database: v2016.02.15.03
     Rootkit Database: v2016.02.08.01
     License: Premium
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Disabled

     OS: Windows 8.1
     CPU: x64
     File System: NTFS
     User: Cal CA

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 433342
     Time Elapsed: 14 min, 46 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0 (No malicious items detected)
     Modules: 0 (No malicious items detected)
     Registry Keys: 0 (No malicious items detected)
     Registry Values: 0 (No malicious items detected)
     Registry Data: 0 (No malicious items detected)
     Folders: 0 (No malicious items detected)
     Files: 0 (No malicious items detected)
     Physical Sectors: 0 (No malicious items detected)

     (end)

     STEP 07:

     C:\Users\Public\Documents\Downloads Shared\Google_Earth_Setup.exe a variant of Win32/DownloadAssistant.C potentially unwanted application
     C:\Users\Public\Documents\Downloads Shared\Installed\epson14552.exe a variant of Win32/Bundled.Toolbar.Ask.C potentially unsafe application
     C:\Users\Public\Documents\Hardware & Software Manuals & Information\Epson WF-3540 AIO Prntr\Epson WF-3540 Software\Silverlight_x64.exe a variant of Win32/Bundled.Toolbar.Ask.C potentially unsafe application
     F:\ABS & 1_gene & other Data from 06_13 and before\ABS 04_08_13\Shared\Documents\Internet Program Dnlds\ImgBurn 2550\SetupImgBurn_2.5.5.0.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
     F:\ABS & 1_gene & other Data from 06_13 and before\Lenovo 1 05_06_13\Documents\Hardware & Software Manuals & Information\Epson WF-3540 AIO Prntr\Epson WF-3540 Software\Silverlight_x64.exe a variant of Win32/Bundled.Toolbar.Ask.C potentially unsafe application

     STEP 08: Files Attached - too long to paste due to recent update to Win 8.1

     FRST.txt Addition.txt
  5. Did you leave out Step 03 on purpose? It's too late here for me to start Step 04. I'm going to shut the computer off and start Step 04 in the (for me) morning. Should I run Rkill after the startup before I begin Step 04? I assume that re-running Rkill isn't required after the specified reboot in Step 05? Thank you for your help.
  6. Thanks for taking this topic Ron. Rkill ran without issues. To my untrained eye it didn't make any changes. I've attached the run log (Rkill.txt). The requested MBAM Threat Scan ran without issues (cleaning and re-installing MBAM was not required).

     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 2/14/2016
     Scan Time: 11:08 AM
     Logfile:
     Administrator: Yes

     Version: 2.2.0.1024
     Malware Database: v2016.02.14.05
     Rootkit Database: v2016.02.08.01
     License: Premium
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Disabled

     OS: Windows 8.1
     CPU: x64
     File System: NTFS
     User: Cal CA

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 433396
     Time Elapsed: 16 min, 54 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0 (No malicious items detected)
     Modules: 0 (No malicious items detected)
     Registry Keys: 0 (No malicious items detected)
     Registry Values: 0 (No malicious items detected)
     Registry Data: 0 (No malicious items detected)
     Folders: 0 (No malicious items detected)
     Files: 0 (No malicious items detected)
     Physical Sectors: 0 (No malicious items detected)

     (end)

     Rkill.txt
  7. I upgraded from win 8.0 to 8.1 last week. Everything seems to be running fine except only the Office updates were offered by Windows Update on patch Tuesday this week. I discovered that the Installed Updates file is only listing Office, 1 Silverlight, and 2 Visual C++2010 updates. The Microsoft Windows updates section is missing from the list. There is limited information on the web about this, but most of what I found points to malware activity. Norton, MBAM home premium, mbar all scan clean. The FARBAR results are attached (due to "topic too long" messages). FRST.txt Addition.txt
  8. Thanks Ron, I did get a resolution from the Help Desk just a few minutes ago. I was advised that I should de-activate the license before un-installing mbam. Is that a new license management requirement (or did I just get caught in a system problem as Gonzo suggested previously)? Help Desk response: You have reached the activation limit for all 3 codes. I have reset the codes for you as a reminder the code you purchased is for 1 PC. If you have issues with your computer please deactivate the software first by going to my account. Thank you for contacting Malwarebytes, I'm fixed, but the thread originator AaLF53 is still hanging as far as I know. AaLF53: I did get an auto-acknowledgement right after I submitted my issue on 02/06.
  9. I have the same issues as AaLF53, and I submitted an email to customer support on 02/06/2016. Do you have an idea what the current wait time for a response is?
  10. Thanks Becky, I installed 2.2.0.1014 over the top of the current installation, and everything seems to be working fine.
  11. I see that a new version 2.2.0.1024 has been released which resolves the limited user account issues addressed in this thread. Thank you to the mbam team for that. I installed TetonBob's fix (which has continued to work very well) a couple of weeks ago. Are there any special steps I need to take relative to TetonBob's fix before I install 2.2.0.1024?
  12. I'll confirm that TetonBob's interim solution has been working seamlessly on both of my computers since I installed it shortly after Becky first recommended that we check it out.
  13. Thanks for the response TetonBob. I'll go ahead and use mbam in my regular LUA without using "Run as Administrator". Thank you again for the fix.
  14. Thanks, sorry about you losing the taskbar Icon. That doesn't happen with my Win 8. I've read that there is a lot of Win 8 in Win 10. We'll have to wait and see what TetonBob says. You'd think that there would be warnings if the databases weren't accessible to the program; so, hopefully, it's just a reporting glitch. The Malicious Website test page produces a warning pop up. Mbam must access one of the databases to do that.
  15. Unicore, will you please run mbam-check when you are logged in to a LUA and running mbam as a LU? You'll have to use "Run as Administrator" to run mbam-check. I expect that the databases will all have no date values (which is what I still experience even after loading TetonBob's fix). I think it might be a reporting issue rather than the databases not actually being available to the program, but TetonBob will need to respond to that. I'm interested whether your results mirror mine. Here are my results (all LUA except actually running mbam-check using "Run as Administrator" within the LUA). If I exit mbam and re-start it using "Run as Administrator", the database information shows up when I run mbam-check. I'm running Win 8. It's possible mbam reacts differently with Win 8 and Win 10.

      mbam-check result log version: 2.1.1.1001
      ========================================
      User Account type: Administrator
      OS: Windows 8 64 bit
      Operating System Current Version and Build: 6.2.9200.0
      Malwarebytes Anti-Malware: 2.1.8.1057
      Installed On: 2015/07/24
      Malware Database: 0000.00.00.00
      Rootkit Database: 0000.00.00.00
      Remediation Database: 0000.00.00.00
      IP Database: 0000.00.00.00
      Domain Database: 0000.00.00.00
      License: Premium
      Malware Protection: 4 (The service is running.)
      Malicious Website Protection: 4 (The service is running.)
      Chameleon: 4 (The service is running.)
      Log Created: 2015/09/05 10:07:39
      Compatibility Flag Settings:
  16. Thanks Becky. I'll give tetonbob's process a try. Thanks to Tabvia and David for continuing to poke.
  17. What I noticed is that Malicious Website Protection did start after the error occurred. Becky Dubrow referred me to this thread from Malicious Website Protection problem, any status update ? Do I understand correctly that "Update Now" won't work in a LUA after applying your fix and that I need to let the auto update schedule keep MBAM databases up to date when I'm logged in to a LUA? If I do a "Scan Now" within a LUA, will MBAM update (providing updates are available)? If any errors clear within a short time, and the protections always re-start when in a LUA; that's a big step forward. Thanks for the work on this. The work around I've been doing to mitigate this issue is getting very old.
  18. I'm pretty sure that you are both correct. David's comment, "Did you do an Update from an Admin account when Malicious Website Protection is not working?" is the key for me. Once Malicious Website Protection is not turned back on during an update, nothing I've tried (restart, log in as admin, run a scan) except a clean and re-install will get it turned back on until there is a successful database update which results in Malicious Website Protection being turned back on (logged in the Daily Protection Log). I recall updates that actually updated a database (even some that showed as failed updates) but didn't turn Malicious Website Protection back on. It seems to be a pretty tricky thing. I believe that's why Tabvia has been able to observe what he has. In every circumstance the mbam program window and tray information continued to indicate that all is well. What I try to do is avoid situations that can result in Malicious Website Protection not being turned back on. So far, what is working for me is to log into an admin account at startup, update (if one is available) with "Update Now", wait for the next step if I'm near my set hourly automatic update check at 15 min past the hour, log out of the admin account, log into the LUA I use, "Exit" mbam from the tray, "Run as administrator" from the desktop icon, minimize the program window after checking that all is still well per the Daily Protection Log. When I think about it I access the check page to confirm Malicious Website Protection is working or run mbam-check. I avoid "Update Now" when I'm in the LUA (even when running mbam as administrator) choosing to let mbam just run as it will. This cumbersome technique has worked since July 29. It's possibly more than I need to do, but I'm sticking with what has been working for me. Thanks to AdvancedSetup and bdudrow for providing status information.
  19. Thanks Ron, sounds like you have duplicated my experience except for the difficulty recovering from the system turning website protection off, but that won't matter if the issues you have verified are resolved. I'll watch for a fix.
  20. Here's today's adventure (DPL 8_36 PM 07_28_15.txt - attached):

      * Started computer and logged in to admin account.
      * 8:24 AM Malware & Malicious Website Protections started.
      * 8:32 AM "update now" updated 2 databases and Malicious Website Protection stopped and started.
      * 8:45 AM logged out of admin account and logged in to LUA.
      * 8:51 AM launched mbam IP block test page which produced a malicious website warning confirming that Malicious Website Protection is running.
      * 9:00 AM (approximately) shut computer down.
      * 10:15 AM (approximately) restarted computer and logged in to LUA.
      * 10:19 AM Malware & Malicious Website Protections started.
      * 11:15 AM - 1:21 PM lots of errors and failed database updates.
      * 1:51 PM & 1:56 PM launched mbam IP block test page which produced a malicious website warning confirming that Malicious Website Protection is running.
      * 2:06 PM - 5:22 PM lots of errors and failed database updates.
      * 5:25 PM logged out of LUA and logged in as an admin.
      * 5:26 PM ran mbam-check (CheckResults 5_26 PM 07_28_15 all admin.txt - attached) which showed that Malicious Website Protection was running.
      * 5:30 PM used "update now" in attempt to correct errors, Malicious Website Protection stopped.
      * 5:31 PM ran mbam-check (CheckResults 5_31 PM 07_28_15 all admin.txt - attached) which showed that Malicious Website Protection was not running.
      * 6:35 PM - 6:54 PM Attempted unsuccessfully to turn Malicious Website Protection back on.
      * 6:56 PM (approximately) logged out of admin account and into LUA, exited mbam and started mbam with "run as administrator".
      * 6:58 PM Malware Protection started.
      * 7:29 PM error, failed Malware Database Update. (I've no clue why this failed)
      * 8:22 PM successful updates.
      * 8:23 PM Malicious Website Protection started. (DPL 8_36 PM 07_28_15.txt - attached). Confirmed with mbam IP block test.

      Notes (observations from today and previously):

      Running in the LUA didn't work great, as a number of scheduled updates failed.

      If the DPL says either Malware Protection or Malicious Website Protection are on or off, mbam-check will confirm what the DPL says.

      Mbam-check often shows a database version as current that the DPL indicates failed to install.

      Ron: Please let me know if there is value in this work. Also, you recommended that DavidMbncus use the Help Desk. Should I do the same, or do we have enough momentum here now?

      DPL 8_36 PM 07_28_15.txt CheckResults 5_26 PM 07_28_15 all admin.txt CheckResults 5_31 PM 07_28_15 all admin after update now.txt
  21. No worries Ron, If I understand correctly, you are saying that I should just let mbam run in an LUA and not use the "Update Now" button? I'll do that today and see how it goes.
  22. My workaround plan until Malwarebytes determines what has gone wrong and fixes it was to log in as an admin from computer startup, check out that mbam was working as expected, "update now", log out of the admin account, log in to LUA, exit mbam, restart mbam using "run as administrator", check out that everything looks ok, minimize the mbam taskbar window (to prevent creating additional mbam tray icons when I open the window). That's what I did this morning, and it all worked fine after an initial error including Malicious Website Protection being off was resolved with a database update at 8:48 AM until errors started popping up at 4:43 PM that weren't resolved until 6:19 PM. Also, at 6:19 PM, Malicious Website Protection stopped and wasn't turned back on (DPL 10_48 PM 07_27_15 LUA mbam-RAA.txt - attached) which was verified by CheckResults 6_35 PM 07_27_15 LUA mbam-RAA.txt (attached). I tried some steps to turn Malicious Website Protection back on at 6:23 PM but was unsuccessful. I decided to wait it out and see if a later successful database update would turn Malicious Website Protection on as had happened at 8:48 AM this morning which did happen at 10:48 PM (see attached DPL). CheckResults 10_51 PM 07_27_15 LUA mbam-RAA.txt (attached) confirms that Malicious Website Protection is back on. DPL note: The failure to access the database server at 1:26 PM was due to a temporary Internet outage. You'll notice it was just a listed event in the log and not labeled as an error. DPL 10_48 PM 07_27_15 LUA mbam-RAA.txt CheckResults 6_35 PM 07_27_15 LUA mbam-RAA.txt CheckResults 10_51 PM 07_27_15 LUA mbam-RAA.txt
  23. I just (4:43 PM CDT) got an "unable to access database server" message from the Dashboard on using the "update now" button. It then reverted back to showing that v2015.07.27.06 is the installed database. The DPL (DPL 4_43 PM 07_27_15 LUA mbam-RAA.txt - attached) confirms the failure, but mbam-check (CheckResults 4_44 PM 07_27_15 LUA mbam-RAA.txt - attached) shows 2015.07.27.07 as the installed Malware Database. I'm logged in to an LUA and running mbam as an administrator. I tried "update now" again about 20 minutes later and got a "No Updates Available" message. The Dashboard displayed the updated v2015.07.27.07 when the dashboard reverted to displaying the current installed database version. The DPL hasn't updated. DPL 4_43 PM 07_27_15 LUA mbam-RAA.txt CheckResults 4_44 PM 07_27_15 LUA mbam-RAA.txt
  24. Thanks David. Tabvia, the cause of your issues may be different than mine and your computer may respond differently than mine. It's always best to follow the advice of a moderator, admin, certified volunteer, mbam employee, etc. While I feel at times (for me) this has gotten to the rub your tummy 3 times, clap with your hands behind your back and say "why me" 3 times, here's what I recall regarding Malicious Website Protection in the last couple of days:

      * Once it's turned off, it can be difficult to get turned back on.
      * Short of a mbam clean and re-install, it seems like it takes a successful update (when logged in as an admin or running mbam as an admin (after an exit and "run as administrator") when logged in to a LUA) of one of the databases that normally turns off Malicious Website Protection and then turns it back on as part of the update process to get it to come back on.
      * I've used mbam-check to verify whether Malicious Website Protection was running or not. The test web page link is a lot simpler.
      * I don't think I've had an instance that Malicious Website Protection was running when the DPL didn't indicate that it was running.
      * A mbam clean and re-install when logged in as an admin will get Malicious Website Protection running again.

      I have observed the successful database update phenomena you discussed in post #9 (although I can't verify that it works for me in both LUA and admin modes). An mbam-check (when logged in as an admin) should tell you what database versions are loaded. The mbam-check is always "run as administrator", but the results for me vary (zeroing out the database values when I log directly in to an LUA at computer start up). I discuss it all in Post 20 here: https://forums.malwarebytes.org/index.php?/topic/170847-malicious-website-protection-problem-any-status-update/

      Today's workaround plan is log in as an admin from computer startup, check out mbam status, "update now", log out of the admin account, log in to LUA, exit mbam, restart mbam using "run as administrator", check out that everything looks ok, minimize the mbam taskbar window (to prevent creating additional mbam tray icons when I open the window). Pretty nutso. Will it actually work? Who knows. I'm hoping mbam figures the problems out soon.
  25. Request from shadowwar: First Response: Follow Up: It's several hours later. There have been so few updates today that I don't know that I can say that there is any difference. DPL 8_20 PM 07_26_15.txt (attached) shows the LUA computer restart at 12:20 PM. The only other events are an error and "Malware Database, Failed, Unable to access update server, 2015.7.26.5, 2015.7.26.6," line items at 2:11 PM. The DPL still hadn't logged any additional events as of 10:45 PM. This is the first time I can recall seeing a Malware Database Update failure since the current set of problems began. Oddly, the Dashboard indicates the current malware database is 2015.7.26.6. The "update now" button still functions as expected. Dashboard screen shots are attached. I've attached CheckResults (CheckResults all LUA 8_31 PM 07_26_15 .txt - attached) from just after the attached DPL was captured. It still has all the databases zero'd out. I was curious about the databases and logged out of the LUA and logged in to an admin account and ran another mbam-check (CheckResults all admin 10_26 PM 07_26_15 .txt - attached) which does list the databases. DPL 8_20 PM 07_26_15.txt CheckResults all LUA 8_31 PM 07_26_15.txt CheckResults all admin 10_26 PM 07_26_15.txt