Everything posted by pgovotsos

  1. It looks like that was a one-off. The repeated warning is on another PC, not the one that we've been working on. Every tool that I run is showing the system is clean. I ran both while Windows was running normally as well as boot CDs. I ran MBAM, NOD32, Spybot, SuperAntiSpyware, Emsisoft, McAfee Stinger, Norton, ClamWin, AVG, Dr Web, Avira, Bitdefender, Comodo and Kaspersky. If there was something lingering I'd think at least one of those would find it, so we're back where we've been. It doesn't seem to matter what I scan with MBAM. Even just scanning the Windows directory tree with MBAM Threat Scan mode with archive scan off takes 15 hours.
  2. I just completed a Threat Scan and the time is worse than ever - 32 and a half hours! You'll see that it found an infection. We have had that pop up the last few days (since using MBAM 2.x) on the resident MBAM. We quarantine it every time, shutdown, restart and all seems well then it pops up again at some time. I don't know if that's related or not. Nothing else that we scan with shows anything related to the HOSTS file or the registry key.
  3. I also ran chkdsk again and the log is attached. chkdsk log.txt
  4. Attached are all the log files. Addition.txt CheckResults.txt FRST.txt Result.txt Shortcut.txt
  5. No problem at all - I'm just grateful that you all are willing to take the time to work with me! I'm with family as well so I won't have time to sit down with it until tomorrow evening. Thanks again for your help!
  6. Hi, The issue is that scans are taking an extremely long time to complete - Hyper Scan 1 hr 45 min, Threat Scan 24+ hrs. Advanced setup asked for the logs from several tools. The place we're at now is waiting for an examination of that data.
  7. Ran chkdsk and the log is attached. Ran a hyper scan and noticed something interesting. It ran faster than before "only" 1 hr 41 min but the interesting thing is that all the scans up to and including startup objects ran in about 1 minute. The heuristic scan took 1 hr 40 min. I ran the hyper scan a couple more times after a reboot and after using the computer for a while. The times were all about the same. Is there anything I can do to find out why heuristics took so long? As an aside, could you ask the GUI people to make the column that lists the tests running a little wider so the user could actually read everything there? chkdsk.txt
  8. Sorry, forgot to add a question. You said to exclude the entire Malwarebytes directory. In another post, one of the staff listed several individual files to exclude. Obviously excluding the directory excludes the individual files, but would there be any reason to _just_ exclude the files and not the whole directory?
  9. OK. I set the exclusion in Eset and turned off archive scanning in MBAM - I hadn't even noticed it was on - I guess it must be default. I know scanning archives would affect the Threat Scan (that's the equivalent of Full scan in 1.75 right?), but Hyper Scan (the equivalent of Flash in 1.75?) shouldn't be affected by the archive setting since it doesn't scan the whole drive right? Are there any exclusions for Eset that I should set in MBAM? As a side question, if Threat Scan = Full Scan (1.75) and Hyper Scan = Flash Scan (1.75), is there an equivalent to Quick Scan (1.75)? Thanks for all your help!
  10. Attached is the result.txt file. Also, FWIW a hyper scan took 1 hour 46 minutes. Thanks Result.txt
  11. Hi, Attached are the 3 files. Thanks for your help! Let me know if there's anything else I can give you. Thanks, Panagiotis Addition.txt CheckResults.txt FRST.txt
  12. I did the clean install & rebooted. Surprisingly the clean tool did NOT remove everything. The Program Files (x86)\Malwarebytes directory remained. There was a .tmp file that looks like it's a DLL still there. It didn't remove the licensing info, exclusions, or quarantine. When I reinstalled, it came up already licensed, the exclusions were still there, and in the history tab it showed one file that had been previously quarantined. Strange thing about the exclusions - each time I looked at that setting it replicated them. It's now showing 3 copies of the exclusions. I disabled NOD32 and ran a threat scan. 15 hours later it's still running. When it completes I'll post the logs.
  13. Do you run MBAM before generating both log sets or do you do the farbar ones (frst and addition), run MBAM, then mbam-check? Just checking since one of the farbar reports is named frst. Thanks
  14. I'll work on 1 - 4 but in the meantime, what do you mean by setting mutual exclusions between MBAM and AV? Do you mean some way to automatically have one turn the other off when it's doing something, or something else? I currently have MBAM 2 Premium and Eset NOD32 7.x. Both are resident. Thanks
  15. Hello, As the subject says, something is very wrong in MBAM land. A threat scan took over 25 hours to complete. On this same machine, 1.75 did a complete scan in under a half hour. This can't be correct! If more information will help, please ask. Thanks
  16. Actually, MalwareURL does NOT list this domain or IP address in their database. The link you provided doesn't have this listed and I searched for name and IP with no exact matches. There are similar IP addresses, but not this one and nothing close to the domain name. Panagiotis
  17. Looking at those sites, what they are objecting to is the toolbarbrowser tool. Their analysis shows that there's no registry or hard drive modifications. Of course there are toolbar modifications - it's a toolbar aggregator (don't know if that's a real term) that lets you edit and combine parts of multiple toolbars into one. I don't understand why they find this to be malware of some kind. It is included with many of Trellian's products as an optional install or as a separate product. It's not hidden and just stuck on your system without permission. Checking several major download sites (like download.com), Toolbarbrowser is tested as malware free. Based on what Toolbarbrowser does and that it is an opt-in install, I really don't see why it's considered malware. I think this should be reexamined. Panagiotis
  18. Hello, IP Protector from MBAM v1.44 with database version 3575 reports a false positive on IP address 216.240.187.5 (trellian.com). This is the homepage of Trellian homepage editor. I'm not certain if the IP address is the same as always, but I have gone to www.trellian.com many times to download the app and access the documentation. IP Protector popped up when using Internet Explorer, tracert, and ping. Thanks, Panagiotis
  19. The read error appears during POST (at least that's what it seems like - system turns on, POST runs, screen blanks, the error message appears - no other messages). The MBR apparently never executes and so starting Windows in any mode is impossible. The only reason I think it might be caused by malware and not a physical error is that I can access it with _some_ tools on UBCD4Win and Hiren's boot cd. The tool used to check the drive on UBCD4Win is the Toshiba disk check tool (it's a Toshiba drive). What would be the purpose of a rootkit simulating a hardware failure? I thought rootkits "infected" the system to achieve a purpose - an apparently nonfunctioning system prevents it from doing anything! Thanks again, Panagiotis
  20. Hi Ron, Thanks for the reply. Yes, I'm still stuck. Can a rootkit make the system respond as if there is a hard drive failure at boot? The only way I've been able to get any access is using Hiren's boot CD. Running Super Anti Spyware is the only thing that reports anything and what it reports is "Rootkit.Unclassified/USBHubB". I've no idea what this is and googling only gives scant information beyond that it exists. Any help you can give would be greatly appreciated. Thanks, Panagiotis
  21. Hello, I have a system that is possibly infected and it is impossible for me to perform ANY of the tasks on it that the pinned msg instructs. I'll explain why. The system is a Dell laptop with WinXP loaded on an NTFS partition. The system was running Malwarebyte's AntiMalware 1.39 with resident protection ON. The system has 3 partitions - a small FAT32 diagnostic partition, the NTFS system partition, and a FAT32 recovery partition. Normally, the system boots into the system partition with no interaction. The other 2 are accessed during a POST interruption. When I turn the machine on now, it POSTs normally then accesses the hard drive to boot. Immediately an error displays that a read error occurred (implying a hard drive failure) and freezes. No method has been able to boot. I tried Avira's rescue CD. It starts fine, but attempting to scan hda1, it freezes. I used the FreeDOS boot CD and using fdisk, saw that all the partitions were there, but the system partition was no longer marked bootable. I fixed that, but it made no difference to the boot process. I used the Ultimate Boot CD and was able to run some disk scans. They reported several read errors on the disk. After about 100 errors, I stopped scanning. No tool I had used seemed to show anything other than a hard drive failure. Then I used Hiren's BootCD (I know it's shady, but I am desperate and stumbled across it on a search). I opened what it calls a mini Windows XP session. Drive manager showed all the partitions were present and properly set. I am running SuperAntiSpyware on the system as I type (for some reason it is running SUPER slow). It has found 8 samples of what it calls "Rootkit.Unclassified/USBHubB". MBAM's resident protection found nothing. The system was shut down normally at the end of the day. When startup was attempted the next day, this was the situation presented. Any ideas what this rootkit is? How it entered? This machine ONLY runs a proprietary Chrysler program (it's used by a mechanic) and Internet Explorer to check webmail. No other processes are run on it. It is connected to the shop network by WiFi. Any suggestions on how to address this system? Thanks in advance for any help you can offer, Panagiotis Govotsos
  22. Why don't you put the email address back on the webpage so contact could be easier?