
ckbosh

Members, 10 posts

Posts posted by ckbosh

  1. Greetings,

    Problem just started. I hope it's just a running process conflict or perhaps a bad registry key...

    On the computer in question, I run a MalwareBytes Quick Scan every few days to complement the free resident AV software I have running. Last run was a few days ago, and completed without problem (and detection free).

    On repeated Quick Scans (all scan types checked) today, mbam locks up when almost complete in the "additional items" scan. Looking via task manager, CPU goes to 100% for the mbam process and stays that way until I terminate the application (have waited 15 minutes). Disk I/O for that process stops as well at that point. Note: through that point it reports 0 (zero) detections. Log doesn't get generated.

    This machine has 2 administrator accounts - one that's mine, and one that my wife used to use. The lock-up occurs on mine. On a whim, I tried it on the other account, and it runs successfully to completion. Looking at the timing of the failed scan and the successful one, the lock-up is coming very close to the time of completion of the successful one on the other account.

    Note: on the account where the scan completes, it shows the PUM.Disabled.SecurityCenter notification about the Windows firewall being disabled (as expected, ZoneAlarm is sub); this happens very close to completion. On the account where it locks up, it doesn't get to this point, but I think it gets close based on time.

    If I disable "Scan additional items against heuristics", the scan completes without problem. No surprise, as that's the segment of the scan that's failing.

    Data

    Win-XP

    AVG-Free resident with up-to-date database

    ZoneAlarm software firewall resident

    MBAM 1.70.0.1100 - update database before runs

    Things I've Tried to Get it To Run

    All failed except the very first (although it was not the first thing I tried)

    • Run on another admin account - success: see above
    • Disabled resident anti-virus and firewall during run
    • Turned off "advanced heuristics engine"
    • Tried with Chameleon - locks up after the same amount of time with high CPU as with reg scan.
    • Ran mbam in safe mode (my account)
    • Chkdsk (no errors found)
    • Defrag
    • Uninstall mbam, run mbam-clean, reboot, reinstall mbam. NOTE: Ran scan with the definitions (about 40 days old) that came with the fresh install; same failure. Updated database, re-scanned; same failure

    Other AV Scans I Ran

    Well, I guess I'm paranoid when a good piece of anti-malware locks up, so I ran a few other scans. All were completely clean:

    • AVG full scan
    • Trend Micro online quick "cloud" scan
    • Panda online quick scan
    • MS SafetyScanner quick scan

    Additional Note -- Possible Red Herring / Wild Goose Chase

    AVG intercepted an inbound spam email that came in today about an hour before I ran mbam. It noted an HTML attachment named Efax_Corporate, with a detection of "HTML/Framer". AVG deleted the attachment long before I knew it was there, so I never opened that attachment (nor would I have). As I read HTML/Framer details, because I didn't open the attachment and thus didn't follow its redirection to a Web site, it's not an issue for me. Google search of that file name shows a couple of blog posts about it in the past 20 hours or so.

    So.... I'd really welcome expert insight here. Thanks very much in advance.

  2. Merged

    Good day,

    Thanks in advance for your expertise, I really appreciate the dedication I see in these forums, especially from volunteers. I've tried to be succinct, but provide as much detail as I know to give. I've _not_ made any changes, just run scans as described. I'll happily and accurately follow any direction given to further diagnose.

    Thanks again.

    QUESTIONS UP-FRONT (Background Details Below)

    1. MAIN CONCERN: Is there any reasonable chance I have an undetected, active malware infection given the information below? (five different clean scans today - see "Today" item #7 below for details)
    2. Are the episodes of the two days related or coincidence?
    3. Should I assume that the "Your computer is at risk" JavaScript popup was a trojan trying to get me to load something else, more virulent, and by not following it and killing the browser each time I prevented that?
    4. If #3 is true, what the heck caused the browser re-direct but isn't being scan-detected? Do trojans sometimes commit suicide and delete themselves?

    CONFIGURATION

    • WinXP
    • AVG 10.0.1424 with auto-updates actively running. Resident checks enabled. Current definitions (last update this AM) in place
    • ZoneAlarm Free as firewall set to flag Internet access (in or out) from any program/process I've not explicitly given "yes" perm.
    • Browser in question is Firefox. All described issues occurred in FF 3.6 (I know it's old -- I'm a Web developer and have to keep old versions to test sites). Also used Chrome today. No issues there.
    • Firefox is set to block all Flash content by default. I need to manually allow each page's flash component.
    • MBAM 1.60.1000 with 2012.03.21.02 DB for scans

    HISTORY

    TWO DAYS AGO 3/21/12

    Mistakenly followed a link in a phishing email (sleepy early morning email reading - shame on me for that, I'm plenty embarrassed by it).

    Knew what I did as soon as I did it, but too late to stop the Web page from opening. Don't remember the browser's exact behavior, but I killed it with Task Manager. Did not interact with the destination page in any way. AVG did not display a detection warning.

    Immediately scanned with MBAM (quick-scan with fresh definitions), TDSKiller and SpybotSD. No detections.

    Figured I beat it by killing the browser.

    Firewall did not report access of the Internet by any unknown program/process.

    Phishing Destination URL: http://mgxls.com/k4H1CSBf/index.html

    1. VirusTotal.com of that URL shows it as a phishing site (See https://www.virustot...sis/1332514434/)
    2. VirusTotal of the site itself has two hits showing Malware (https://www.virustot...sis/1332514395/)
    3. Scumware (one of the VirusTotal hits) shows the following for the IP of the site: http://www.scumware....rt/110.4.45.141

    TODAY 3/23/12:

    1. Visited a Web site of a local business. Following an internal link on the home page of the site to another page on the site resulted in a redirection and a JavaScript pop-up of "Attention! Your computer is at risk..." with the OK button to "start a scan". I immediately used Task Manager and killed the browser - did _not_ click the OK button.
    2. Searches for that pop-up text show plenty of duplicate pages that look pretty junky. Followed NONE of the advice on any of them; wonder if they're part of the scam. All seem to be pretty new pages per Google.
    3. Submitted the site and specific URL on which the redirect happened to VirusTotal - no detections.
    4. Restart of the browser resulted in a re-direct, again with the JavaScript popup. I killed the browser with Task Manager - did not click "OK".
    5. Subsequent restarts of the browser and normal browsing (including using search engines) result in no abnormal behavior, even after clearing cache & cookies.
    6. Firewall has not reported access of the Internet by any unknown program/process.
    7. Scans (all done in safe mode for what that's worth)
      A. MBAM full scan - No detections
      B. TDSKiller - No detections
      C. GMER - No detections
      D. AVG ("auto-clean" off) - No detections
      E. SpybotSD - No detections
    8. Ran dds.scr. Attached outputs here.

    One bit of additional configuration I neglected to include. I have Java (but not JavaScript) disabled in Firefox. Sites I visit don't use it, and as it is sometimes a vector for malware (I think), I leave it disabled.

    dds.txt

    attach.txt

  3. MBAM flagging this file with latest DB version. Didn't flag it with DB from about a week ago.

    virustotal.com shows zero detections on file. Resident AVG doesn't show a positive. Thanks for checking.

    File attached.

    Log from diag scan follows:

    Malwarebytes Anti-Malware 1.60.0.1800

    Database version: v2012.01.19.03

    Windows Vista Service Pack 1 x86 NTFS

    Internet Explorer 8.0.6001.18702

    Scan type: Custom scan

    Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM | P2P

    Scan options disabled: Memory | Startup | Registry | Heuristics/Extra

    Files Detected: 1

    c:\Program Files\MySQL.4.1.9\MySQL Server 4.1\bin\my_print_defaults.exe (Trojan.Downloader.bh) -> No action taken. [f6892b076eee1620d40bd7ae4fb1e818]

    my_print_defaults.zip

  4. Possible false pos. - wmfdist.exe reporting Trojan.Dropper.

    Not detected by other local scans. Scan with MBAM 10 days ago using then-current DB did not flag the (presumably) unchanged file.

    File passes all tests at virustotal.com (http://www.virustotal.com/file-scan/report.html?id=fd0754a2ef3567859db0bf3c75f18ec50aaeae6a7561aff9e7f6c7775a945ed7-1323567427)

    File attached in Zip. Log follows:

    Malwarebytes' Anti-Malware 1.51.2.1300

    Database version: 8349

    Windows 5.1.2600 Service Pack 2

    Internet Explorer 6.0.2900.2180

    Files Infected:

    c:\program files\windows media components\Encoder\wmfdist.exe (Trojan.Dropper) -> No action taken. [d7c6f927df21e818ceedd724eb1536ca]

    wmfdist.zip

  5. File that has passed previous scans is now coming up as Rogue.SystemSmartSecurity.

    File isn't flagged by any of the scanners at VirusTotal (see http://www.virustotal.com/file-scan/reanalysis.html?id=75c9e5b4abaa286d8bef1c808fe3086ad4504623da59d1c1387f48723b2277af-1308932720)

    Scan log follows. File is attached in a zip.

    Thanks in advance for checking this out.

    Malwarebytes' Anti-Malware 1.51.0.1200

    www.malwarebytes.org

    Database version: 6936

    Windows 5.1.2600 Service Pack 2

    Internet Explorer 6.0.2900.2180

    6/24/2011 11:29:24 AM

    mbam-log-2011-06-24 (11-29-07).txt

    Scan type: Full scan (C:\|)

    Objects scanned: 400823

    Time elapsed: 1 hour(s), 38 minute(s), 51 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 1

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    c:\program files\mediamonkey\vishelper.exe (Rogue.SystemSmartSecurity) -> No action taken. [f72174a720e0b44cdba1b7e6c63aaf51]

    MBAM_Possible_False_Positive_VisHelper.zip

  6. Update

    On what may have turned out to be a good whim, on the computer that was firing the firewall alert, I changed the DNS server from the ISP (Charter's) DNS servers to Google's public DNS servers (8.8.8.8 and 8.8.4.4).

    Behavior, so far, isn't happening any longer.

    ISP's DNS & Not Found

    The ISP (Charter) has for some time been using their DNS servers to intercept not-found domain names and do a redirect to their "hey look at us, here's a search page for you because you typed in a bad domain name..." Hate that, but that's another story.

    Changing to Google's DNS servers, of course, makes that stop.

    Here's where it gets interesting. Now that bad DNS resolutions just stop there without redirect (thanks Google), I went to the offending destination IP address. Guess what? It still redirected. Tried a nonsense URL; no redirection.

    Disabled the browser's following of Meta Refresh, and disabled javascript, and guess what I find when I go to the IP address now (Don't know if this forum allows HTML paste - will see if gets stripped):

    <html>
    <head>
    <meta http-equiv="refresh" content="0;url=http://search.charter.net/index.php?origURL=http://184.106.31.166/"/>
    </head>
    <body>
    <script>window.location="http://search.charter.net/index.php?origURL="+escape(window.location)+"&r="+escape(document.referrer);</script>
    </body>
    </html>

    Isn't that special. That IP address is an HTML page with a meta refresh element and a javascript redirect to Charter's fancy-pants search page.

    My Thought -- I'm Interested in Other Thoughts Agree/Disagree

    The actions that spurred the odd firewall alert (printing: looking for network printer, computer boot: looking at shared resources, Acrobat reader startup: looking for SW updates at a bad address?) were all hitting the Charter DNS, which was doing its redirect garbage. The firewall was seeing that as a problem.

    Am I off base here? If I'm not off base, then I think I'm much less concerned that this a malware episode.

  7. I seriously hope I'm not seeing the results of (rootkit?) malware...

    Background

    WinXP sp2

    File/print sharing is enabled (and needed on lan)

    Shared printer connected to computer that is generating the alerts

    ZA Free firewall 9.2.057.0000

    NAT Router is interface to Internet

    Popup Alert

    "The firewall has blocked Internet access to dns_registration [184.106.31.166] (TCP Port 445) from your computer [TCP Flags: S]"

    Log Entries

    Show the same outbound destination as did the alert. Source comes from a variety of ports. Outbound destination in the "Destination DNS" column is "dns_registration:MYNETWORKNAME" (net name obscured for this message).

    Destination IP

    Not in my LAN. Best I can find, it's a Rackspace server, but I'm not 100% certain of that. Little info found about that IP.

    Events Causing Alert

    1. On boot of one specific other computer on the LAN. I believe it's the one in the LAN that has control of the DHCP addresses for the LAN (but I'm at the limit of my network knowledge on that)

    2. On double-click on any PDF document (yesterday, but not today)

    3. On File/Print dialog on Outlook email messages (today, not before). Intermittent, not every File/Print dialog.

    4. On intermittent File/Print dialog on variety of, but not all applications (Notepad, Wordpad, Notepad++ do, Office products do not). Not seeing it on other applications, but haven't tried all.

    5. In all applications if File/Print dialog is initiated with Ctrl-P instead of menu, no apparent access attempt made.

    6. No such behavior on any other computer on the LAN.

    Malware Prevention / Scan

    1. AVG always running & up-to-date

    2. Full scan by AVG: no malware found

    3. Full scan by MalwareBytes: no malware found

    4. Full scan by GMER: no malware found

    Despite the clean scans, this seems to stink of malware attempting to phone home. I really, really hope there's a benign reason and I'm not seeing a well-hidden rootkit.

    Questions

    1. Is there a reasonable benign explanation for this?

    2. If it is malware, with ZA blocking these attempts, would anyone hazard if I've been reasonably protected to-date?

    Hoping someone has some insight. I can obtain, run & submit HJT output if it'll be of benefit.
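The ISP behaviour identified in post 6 and the firewall alert reported in post 7 both come from a resolver that answers a nonexistent name with a real address, so an unresolvable LAN name ("dns_registration") turned into an outbound SMB connection. The check below is an added example (Python, not from the thread or from any product it mentions): it resolves a few random names that cannot exist and flags a resolver that sends them all to one address. The two simulated resolvers and the random labels are constructed; the sink address is reused from the thread only to mirror the observed behaviour.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to an IPv4 string, or raises socket.gaierror
# when the name does not exist (a true NXDOMAIN answer).
Resolver = Callable[[str], str]

def random_nonexistent_name(rng: random.Random, tld: str = "com") -> str:
    """24 random characters under a TLD that has no wildcard record."""
    label = "".join(rng.choices(string.ascii_lowercase + string.digits, k=24))
    return f"{label}.{tld}"

def probe_resolver(resolve: Resolver, names: List[str]) -> Dict[str, Optional[str]]:
    """Resolve each bogus name; None records an honest NXDOMAIN answer."""
    results: Dict[str, Optional[str]] = {}
    for name in names:
        try:
            results[name] = resolve(name)
        except socket.gaierror:
            results[name] = None
    return results

def detect_nxdomain_hijack(results: Dict[str, Optional[str]]) -> Optional[str]:
    """Sink address if two or more unrelated bogus names resolved to one IP
    (the resolver is substituting a landing page), else None."""
    answered = [ip for ip in results.values() if ip is not None]
    return answered[0] if len(answered) >= 2 and len(set(answered)) == 1 else None

def check_resolver(resolve: Resolver = socket.gethostbyname, samples: int = 3,
                   seed: Optional[int] = None) -> Optional[str]:
    """Probe a resolver with fresh random names (default: the system resolver)."""
    rng = random.Random(seed)
    names = [random_nonexistent_name(rng) for _ in range(samples)]
    return detect_nxdomain_hijack(probe_resolver(resolve, names))

# Constructed stand-ins so the check runs offline: one behaves like the ISP
# service in the thread (every unknown name lands on the search-page host
# quoted there), the other answers NXDOMAIN as Google's public resolvers did.
def simulated_hijacking_resolver(name: str) -> str:
    return "184.106.31.166"

def simulated_honest_resolver(name: str) -> str:
    raise socket.gaierror(-2, "Name or service not known")

if __name__ == "__main__":
    print("ISP-style:", check_resolver(simulated_hijacking_resolver, seed=1))
    print("honest:   ", check_resolver(simulated_honest_resolver, seed=1))
```

Calling check_resolver() with no arguments probes the machine's configured resolver over the network; a non-None result means not-found names are being redirected, which also explains firewall alerts for connections to names that should not resolve at all.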
