prombamuser Posted April 29, 2014 ID:825311 Share Posted April 29, 2014 I was too by member AdvancedSetup to post this message here. As a test, I performed a Threat Scan and it took over 16 min. to complete. I then did another Custom Scan and it took only 3 1/2 min. to complete. There is obviously a problem with Custom Scan - I put a check-mark in C: and it looks like all folders and files are checked, but did not go through them all. The scanner must be not be checking all files. No infections are found in either scan, or previous scans; so I don't think that is the problem. AVAST AV does not report infection either. I also ran FRST and MBAM-Check tools. I am attaching the reports of those tools and the 2 scan logs. Thanks. Diaglogs.zipScanlogs.zip Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 2, 2014 Root Admin ID:825995 Share Posted May 2, 2014 Something appears to be blocking or causing issues still in your Event Logs. Please read the following and post back the logs when ready.General P2P/Piracy Warning: If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.Before we proceed further, please read all of the following instructions carefully.If there is anything that you do not understand kindly ask before proceeding.If needed please print out these instructions.Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text. If the log is too large then you can use attachments by clicking on the More Reply Options button. Please enable your system to show hidden files: How to see hidden files in Windows Make sure you're subscribed to this topic:Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly [*]Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive [*]Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you. [*]The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone. [*]Perform everything in the correct order. Sometimes one step requires the previous one. [*]If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue. [*]You can check here if you're not sure if your computer is 32-bit or 64-bit [*]Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners. [*]When we are done, I'll give you instructions on how to cleanup all the tools and logs [*]Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. [*]Your topic will be closed if you haven't replied within 3 days [*](If I have not responded within 24 hours, please send me a Private Message as a reminder) STEP 0RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processesso that your normal security software can then run and clean your computer of infections.When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policiesthat stop us from using certain tools. When finished it will display a log file that shows the processes that wereterminated while the program was running.As RKill only terminates a program's running process, and does not delete any files, after running it you should not rebootyour computer as any malware processes that are configured to start automatically will just be started again.Instead, after running RKill you should immediately scan your computer using the requested scans I've included.Please download Rkill by Grinler from one of the links below and save it to your desktop. Link 1Link 2On Windows XP double-click on the Rkill desktop icon to run the tool. On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. If not, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs. If the tool does not run from any of the links provided, please let me know. Do not reboot the computer, you will need to run the application again. STEP 01Backup the Registry:Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.Please download ERUNT from one of the following links: Link1 | Link2 | Link3 ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed. Double click on erunt-setup.exe to Install ERUNT by following the prompts. NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO. Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process. Choose a location for the backup.Note: the default location is C:\Windows\ERDNT which is acceptable. [*]Make sure that at least the first two check boxes are selected. [*]Click on OK [*]Then click on YES to create the folder. [*]Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe STEP 02Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... linkOpen up Malwarebytes > Settings > Detection and Protection > Under Non Malware Protection set both PUP and PUM to Treat detections as malware.Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply. STEP 03Please download RogueKiller and save it to your desktop.You can check here if you're not sure if your computer is 32-bit or 64-bitRogueKiller 32-bit | RogueKiller 64-bit Quit all running programs. For Windows XP, double-click to start. For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run. Read and accept the EULA (End User Licene Agreement) Click Scan to scan the system. When the scan completes Close the program > Don't Fix anything! Don't run any other options, they're not all bad!! Post back the report which should be located on your desktop. Thanks Link to post Share on other sites More sharing options...
prombamuser Posted May 2, 2014 Author ID:826028 Share Posted May 2, 2014 I have completed steps 0-2. Here is the log of the threat scan you requested. Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 5/1/2014Scan Time: 8:29:13 PMLogfile:Administrator: NoVersion: 2.00.2.1009Malware Database: v2014.05.02.02Rootkit Database: v2014.03.27.01License: PremiumMalware Protection: DisabledMalicious Website Protection: DisabledSelf-protection: DisabledOS: Windows 8.1CPU: x64File System: NTFSUser: JasonScan Type: Threat ScanResult: CompletedObjects Scanned: 180251Time Elapsed: 17 min, 14 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 0(No malicious items detected)Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 0(No malicious items detected)Physical Sectors: 0(No malicious items detected)(end) I will complete step 3 and submit the report soon. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 2, 2014 Root Admin ID:826041 Share Posted May 2, 2014 The logs shows that you're using the Premium version but that the protection modules are not enabled. Is there an issue with enabling them?The log also shows a normal scan time Objects Scanned: 180251Time Elapsed: 17 min, 14 sec Link to post Share on other sites More sharing options...
prombamuser Posted May 2, 2014 Author ID:826055 Share Posted May 2, 2014 Btw, I am NOT running any peer2peer software or cracked software. Here is the RogueKiller Report. RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Softwaremail : http://www.adlice.com/contact/Feedback : http://forum.adlice.comWebsite : http://www.adlice.com/softwares/roguekiller/Blog : http://www.adlice.comOperating System : Windows 8.1 (6.3.9200 ) 64 bits versionStarted in : Normal modeUser : Jason - Admin [Admin rights]Mode : Scan -- Date : 05/01/2014 21:22:38| ARK || FAK || MBR |¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 2 ¤¤¤[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND¤¤¤ Scheduled tasks : 0 ¤¤¤¤¤¤ Startup Entries : 0 ¤¤¤¤¤¤ Web browsers : 0 ¤¤¤¤¤¤ Browser Addons : 0 ¤¤¤¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤[Address] IAT @explorer.exe (NtSetSystemInformation) : ntdll.dll -> HOOKED (Unknown @ 0x1AF70000)[Address] IAT @explorer.exe (DeleteDC) : GDI32.dll -> HOOKED (Unknown @ 0x18810000)[Address] IAT @explorer.exe () : dwmapi.dll -> HOOKED (Unknown @ 0x05AF0040)[Address] IAT @explorer.exe () : dwmapi.dll -> HOOKED (Unknown @ 0x05AF0020)[Address] IAT @explorer.exe () : dwmapi.dll -> HOOKED (Unknown @ 0x05AF0000)[Address] EAT @explorer.exe (GetAsymmetricEncryptionInterface) : ole32.dll -> HOOKED (C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x02AA9A20)[Address] EAT @explorer.exe (GetCipherInterface) : ole32.dll -> HOOKED (C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x02ABDDC8)[Address] EAT @explorer.exe (GetHashInterface) : ole32.dll -> HOOKED (C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x02AABD44)[Address] EAT @explorer.exe (GetKeyDerivationInterface) : ole32.dll -> HOOKED (C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x02ACD880)[Address] EAT @explorer.exe (GetRngInterface) : ole32.dll -> HOOKED (C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x02AA3C14)[Address] EAT @explorer.exe (GetSecretAgreementInterface) : ole32.dll -> HOOKED (C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x02AB516C)[Address] EAT @explorer.exe (GetSignatureInterface) : ole32.dll -> HOOKED (C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x02AB4FFC)[Address] EAT @explorer.exe (ProcessPrng) : ole32.dll -> HOOKED (C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x02AA12D0)[Address] EAT @explorer.exe (DllCanUnloadNow) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A274C)[Address] EAT @explorer.exe (DllGetClassObject) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A4984)[Address] EAT @explorer.exe (DwmAttachMilContent) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A8180)[Address] EAT @explorer.exe (DwmDefWindowProc) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A2C30)[Address] EAT @explorer.exe (DwmDetachMilContent) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A8180)[Address] EAT @explorer.exe (DwmEnableBlurBehindWindow) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A2A70)[Address] EAT @explorer.exe (DwmEnableComposition) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163AC60C)[Address] EAT @explorer.exe (DwmEnableMMCSS) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A3788)[Address] EAT @explorer.exe (DwmExtendFrameIntoClientArea) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A2DC0)[Address] EAT @explorer.exe (DwmFlush) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A26C0)[Address] EAT @explorer.exe (DwmGetColorizationColor) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163AC118)[Address] EAT @explorer.exe (DwmGetCompositionTimingInfo) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A1D40)[Address] EAT @explorer.exe (DwmGetGraphicsStreamClient) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A8180)[Address] EAT @explorer.exe (DwmGetGraphicsStreamTransformHint) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A8180)[Address] EAT @explorer.exe (DwmGetTransportAttributes) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163AC8B0)[Address] EAT @explorer.exe (DwmGetWindowAttribute) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A1010)[Address] EAT @explorer.exe (DwmInvalidateIconicBitmaps) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A6308)[Address] EAT @explorer.exe (DwmIsCompositionEnabled) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A11B0)[Address] EAT @explorer.exe (DwmModifyPreviousDxFrameDuration) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163AD050)[Address] EAT @explorer.exe (DwmQueryThumbnailSourceSize) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A6F34)[Address] EAT @explorer.exe (DwmRegisterThumbnail) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A69A8)[Address] EAT @explorer.exe (DwmRenderGesture) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A7CEC)[Address] EAT @explorer.exe (DwmSetDxFrameDuration) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163AD050)[Address] EAT @explorer.exe (DwmSetIconicLivePreviewBitmap) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163AD1CC)[Address] EAT @explorer.exe (DwmSetIconicThumbnail) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163AD558)[Address] EAT @explorer.exe (DwmSetPresentParameters) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163AD050)[Address] EAT @explorer.exe (DwmSetWindowAttribute) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A10E8)[Address] EAT @explorer.exe (DwmShowContact) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A3A90)[Address] EAT @explorer.exe (DwmTetherContact) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163ACB1C)[Address] EAT @explorer.exe (DwmTransitionOwnedWindow) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163ADBD8)[Address] EAT @explorer.exe (DwmUnregisterThumbnail) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A677C)[Address] EAT @explorer.exe (DwmUpdateThumbnailProperties) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A3A10)[Address] EAT @explorer.exe (DwmpAllocateSecurityDescriptor) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A2320)[Address] EAT @explorer.exe (DwmpDxGetWindowSharedSurface) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A5FE0)[Address] EAT @explorer.exe (DwmpDxUpdateWindowSharedSurface) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A7710)[Address] EAT @explorer.exe (DwmpDxgiIsThreadDesktopComposited) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A3760)[Address] EAT @explorer.exe (DwmpFreeSecurityDescriptor) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163A22E4)[Address] EAT @explorer.exe (DwmpRenderFlick) : DUI70.dll -> HOOKED (C:\WINDOWS\SYSTEM32\dwmapi.dll @ 0x163ACE70)[Address] EAT @explorer.exe (AsyncGetClassBits) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC70B0)[Address] EAT @explorer.exe (AsyncInstallDistributionUnit) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC7210)[Address] EAT @explorer.exe (BindAsyncMoniker) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1F90)[Address] EAT @explorer.exe (CDLGetLongPathNameA) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC78D0)[Address] EAT @explorer.exe (CDLGetLongPathNameW) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC78E8)[Address] EAT @explorer.exe (CORPolicyProvider) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1674)[Address] EAT @explorer.exe (CoGetClassObjectFromURL) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC73FC)[Address] EAT @explorer.exe (CoInstall) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC7460)[Address] EAT @explorer.exe (CoInternetCanonicalizeIUri) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF75660)[Address] EAT @explorer.exe (CoInternetCombineIUri) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF780A0)[Address] EAT @explorer.exe (CoInternetCombineUrl) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF646A4)[Address] EAT @explorer.exe (CoInternetCombineUrlEx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF643C0)[Address] EAT @explorer.exe (CoInternetCompareUrl) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB5280)[Address] EAT @explorer.exe (CoInternetCreateSecurityManager) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF31EE0)[Address] EAT @explorer.exe (CoInternetCreateZoneManager) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF40810)[Address] EAT @explorer.exe (CoInternetFeatureSettingsChanged) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFF0284)[Address] EAT @explorer.exe (CoInternetGetProtocolFlags) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB537C)[Address] EAT @explorer.exe (CoInternetGetSecurityUrl) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB53D0)[Address] EAT @explorer.exe (CoInternetGetSecurityUrlEx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF79CD0)[Address] EAT @explorer.exe (CoInternetGetSession) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF32460)[Address] EAT @explorer.exe (CoInternetIsFeatureEnabled) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF78DC0)[Address] EAT @explorer.exe (CoInternetIsFeatureEnabledForIUri) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF751B8)[Address] EAT @explorer.exe (CoInternetIsFeatureEnabledForUrl) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF71820)[Address] EAT @explorer.exe (CoInternetIsFeatureZoneElevationEnabled) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB586C)[Address] EAT @explorer.exe (CoInternetParseIUri) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF656A8)[Address] EAT @explorer.exe (CoInternetParseUrl) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF41490)[Address] EAT @explorer.exe (CoInternetQueryInfo) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF77C50)[Address] EAT @explorer.exe (CoInternetSetFeatureEnabled) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB5AF4)[Address] EAT @explorer.exe (CompareSecurityIds) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF4D1A4)[Address] EAT @explorer.exe (CompatFlagsFromClsid) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF74044)[Address] EAT @explorer.exe (CopyBindInfo) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC3020)[Address] EAT @explorer.exe (CopyStgMedium) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF3BA0C)[Address] EAT @explorer.exe (CreateAsyncBindCtx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF886C0)[Address] EAT @explorer.exe (CreateAsyncBindCtxEx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF73D14)[Address] EAT @explorer.exe (CreateFormatEnumerator) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF568E0)[Address] EAT @explorer.exe (CreateIUriBuilder) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF33660)[Address] EAT @explorer.exe (CreateURLMoniker) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF8CCF4)[Address] EAT @explorer.exe (CreateURLMonikerEx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF378D0)[Address] EAT @explorer.exe (CreateURLMonikerEx2) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF740F0)[Address] EAT @explorer.exe (CreateUri) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF316F0)[Address] EAT @explorer.exe (CreateUriFromMultiByteString) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1EE4)[Address] EAT @explorer.exe (CreateUriPriv) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1EF8)[Address] EAT @explorer.exe (CreateUriWithFragment) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1F40)[Address] EAT @explorer.exe (DllCanUnloadNow) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF31600)[Address] EAT @explorer.exe (DllGetClassObject) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF7AB3C)[Address] EAT @explorer.exe (DllInstall) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB2458)[Address] EAT @explorer.exe (DllRegisterServer) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB2464)[Address] EAT @explorer.exe (DllRegisterServerEx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF8E070)[Address] EAT @explorer.exe (DllUnregisterServer) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB2470)[Address] EAT @explorer.exe (Extract) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC7F74)[Address] EAT @explorer.exe (FaultInIEFeature) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC8FE8)[Address] EAT @explorer.exe (FileBearsMarkOfTheWeb) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF66B60)[Address] EAT @explorer.exe (FindMediaType) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB2E9C)[Address] EAT @explorer.exe (FindMediaTypeClass) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF56080)[Address] EAT @explorer.exe (FindMimeFromData) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF750BC)[Address] EAT @explorer.exe (GetAddSitesFileUrl) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFF02B0)[Address] EAT @explorer.exe (GetClassFileOrMime) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF8B8EC)[Address] EAT @explorer.exe (GetClassURL) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB2074)[Address] EAT @explorer.exe (GetComponentIDFromCLSSPEC) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC92E8)[Address] EAT @explorer.exe (GetIDNFlagsForUri) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF4C7F0)[Address] EAT @explorer.exe (GetIUriPriv) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1F60)[Address] EAT @explorer.exe (GetIUriPriv2) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1F50)[Address] EAT @explorer.exe (GetLabelsFromNamedHost) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFF8B54)[Address] EAT @explorer.exe (GetMarkOfTheWeb) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE9390)[Address] EAT @explorer.exe (GetPortFromUrlScheme) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1E94)[Address] EAT @explorer.exe (GetPropertyFromName) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1EA4)[Address] EAT @explorer.exe (GetPropertyName) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1EB4)[Address] EAT @explorer.exe (GetSoftwareUpdateInfo) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF8E070)[Address] EAT @explorer.exe (GetUrlmonThreadNotificationHwnd) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF8DEB4)[Address] EAT @explorer.exe (GetZoneFromAlternateDataStreamEx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF36D90)[Address] EAT @explorer.exe (HlinkGoBack) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE6E78)[Address] EAT @explorer.exe (HlinkGoForward) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE6F24)[Address] EAT @explorer.exe (HlinkNavigateMoniker) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE6FD0)[Address] EAT @explorer.exe (HlinkNavigateString) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE7004)[Address] EAT @explorer.exe (HlinkSimpleNavigateToMoniker) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE7038)[Address] EAT @explorer.exe (HlinkSimpleNavigateToString) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE75E8)[Address] EAT @explorer.exe (IECompatLogCSSFix) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC12FC)[Address] EAT @explorer.exe (IEDllLoader) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB26F0)[Address] EAT @explorer.exe (IEGetUserPrivateNamespaceName) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC3244)[Address] EAT @explorer.exe (IEInstallScope) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC7554)[Address] EAT @explorer.exe (IntlPercentEncodeNormalize) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1F70)[Address] EAT @explorer.exe (IsAsyncMoniker) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF721FC)[Address] EAT @explorer.exe (IsDWORDProperty) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1EC4)[Address] EAT @explorer.exe (IsIntranetAvailable) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFF0668)[Address] EAT @explorer.exe (IsJITInProgress) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF4B328)[Address] EAT @explorer.exe (IsLoggingEnabledA) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE855C)[Address] EAT @explorer.exe (IsLoggingEnabledW) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE8688)[Address] EAT @explorer.exe (IsStringProperty) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB1ED4)[Address] EAT @explorer.exe (IsValidURL) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF67610)[Address] EAT @explorer.exe (MkParseDisplayNameEx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF892F0)[Address] EAT @explorer.exe (ObtainUserAgentString) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFBDCE0)[Address] EAT @explorer.exe (PrivateCoInstall) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC7560)[Address] EAT @explorer.exe (QueryAssociations) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF4E9C0)[Address] EAT @explorer.exe (QueryClsidAssociation) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC0A8C)[Address] EAT @explorer.exe (RegisterBindStatusCallback) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF6F600)[Address] EAT @explorer.exe (RegisterFormatEnumerator) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF71C6C)[Address] EAT @explorer.exe (RegisterMediaTypeClass) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB20C0)[Address] EAT @explorer.exe (RegisterMediaTypes) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB2210)[Address] EAT @explorer.exe (RegisterWebPlatformPermanentSecurityManager) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF68C54)[Address] EAT @explorer.exe (ReleaseBindInfo) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF37D40)[Address] EAT @explorer.exe (RevokeBindStatusCallback) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF6FBF0)[Address] EAT @explorer.exe (RevokeFormatEnumerator) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB22CC)[Address] EAT @explorer.exe (SetAccessForIEAppContainer) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFC3258)[Address] EAT @explorer.exe (SetSoftwareUpdateAdvertisementState) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF8E070)[Address] EAT @explorer.exe (ShouldDisplayPunycodeForUri) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFBDE50)[Address] EAT @explorer.exe (ShouldShowIntranetWarningSecband) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF73A3C)[Address] EAT @explorer.exe (ShowTrustAlertDialog) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFF0820)[Address] EAT @explorer.exe (URLDownloadA) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB5CC4)[Address] EAT @explorer.exe (URLDownloadToCacheFileA) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE7D9C)[Address] EAT @explorer.exe (URLDownloadToCacheFileW) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF5A0C4)[Address] EAT @explorer.exe (URLDownloadToFileA) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE7F10)[Address] EAT @explorer.exe (URLDownloadToFileW) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF5EFD0)[Address] EAT @explorer.exe (URLDownloadW) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB5D78)[Address] EAT @explorer.exe (URLOpenBlockingStreamA) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE8058)[Address] EAT @explorer.exe (URLOpenBlockingStreamW) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE8138)[Address] EAT @explorer.exe (URLOpenPullStreamA) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE821C)[Address] EAT @explorer.exe (URLOpenPullStreamW) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE82E0)[Address] EAT @explorer.exe (URLOpenStreamA) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE8408)[Address] EAT @explorer.exe (URLOpenStreamW) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE84D0)[Address] EAT @explorer.exe (UnregisterWebPlatformPermanentSecurityManager) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF8C9B4)[Address] EAT @explorer.exe (UrlMkBuildVersion) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFB2804)[Address] EAT @explorer.exe (UrlMkGetSessionOption) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF43E60)[Address] EAT @explorer.exe (UrlMkSetSessionOption) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF6D0E4)[Address] EAT @explorer.exe (UrlmonCleanupCurrentThread) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FF5A27C)[Address] EAT @explorer.exe (WriteHitLogging) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE85D0)[Address] EAT @explorer.exe (ZonesReInit) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x0FFE9C30)¤¤¤ External Hives: ¤¤¤¤¤¤ Infection : ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> %SystemRoot%\System32\drivers\etc\hosts¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD1600BEVT-60ZCT1 ATA Device +++++--- User ---[MBR] 65731693086aa07776bfab91497da0ae[bSP] 35ee350aaf60497366e2bc4d01f53037 : MBR Code unknownPartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152624 MBUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[0]_S_05012014_212238.txt >>RKreport[0]_S_05012014_210255.txt;RKreport[0]_S_05012014_211025.txtP.S. Thanks for all your help. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 2, 2014 Root Admin ID:826059 Share Posted May 2, 2014 Are you running any type of hard drive encryption like BitLocker or other? Please download Security Check by screen317 from HERE or HERE.Save it to your Desktop. Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. If you get Unsupported operating system. Aborting now, just reboot and try again. A Notepad document should open automatically called checkup.txt. Please Post the contents of that document. Do Not Attach It!!! Link to post Share on other sites More sharing options...
prombamuser Posted May 2, 2014 Author ID:826063 Share Posted May 2, 2014 I got your replies. First, I have intentionally disabled the File protection and Malicious Websites protection - they were slowing don my system. Also, the problem is not with threat scan; it is with custom scan - it only takes 3 1/2 mins. to complete. Custom is supposed to be Full scan and it only takes 3 1/2 min. That does not seem right. I am running TrueCrypt. This was not a problem when I was using MBAM 1.75. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 2, 2014 Root Admin ID:826064 Share Posted May 2, 2014 TrueCrypt is not a problem but 1.75 did not have an Anti-Rootkit scanner and that is a major difference. The new version will work with TrueCrypt. Please start a custom scan and make sure you enable all features (by default they will not be on) and then select your entire C: volume and do the scan and post back the new log once completed. Link to post Share on other sites More sharing options...
prombamuser Posted May 2, 2014 Author ID:826066 Share Posted May 2, 2014 Here is the SecuriyCheck Report you requested. Results of screen317's Security Check version 0.99.82 x64 (UAC is enabled) Internet Explorer 11 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! Windows Defender avast! Antivirus Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Secunia PSI (3.0.0.9016) PCTuneUp Driver Backup 4.1.6 Java 7 Update 55 Adobe Flash Player 13.0.0.206 Mozilla Firefox (29.0)````````Process Check: objlist.exe by Laurent```````` Malwarebytes Anti-Malware mbam.exe Comodo Firewall cmdagent.exe Malwarebytes Anti-Malware mbamscheduler.exe AVAST Software Avast AvastSvc.exe AVAST Software Avast AvastUI.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: %````````````````````End of Log`````````````````````` Link to post Share on other sites More sharing options...
prombamuser Posted May 2, 2014 Author ID:826070 Share Posted May 2, 2014 Here is the log of the custom scan you requested Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 5/1/2014Scan Time: 9:58:02 PMLogfile:Administrator: NoVersion: 2.00.2.1009Malware Database: v2014.05.02.02Rootkit Database: v2014.03.27.01License: PremiumMalware Protection: DisabledMalicious Website Protection: DisabledSelf-protection: DisabledOS: Windows 8.1CPU: x64File System: NTFSUser: JasonScan Type: Custom ScanResult: CompletedObjects Scanned: 170602Time Elapsed: 3 min, 26 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 0(No malicious items detected)Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 0(No malicious items detected)Physical Sectors: 0(No malicious items detected)(end) Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 2, 2014 Root Admin ID:826073 Share Posted May 2, 2014 Interesting... not sure why that would be. I'll have to submit it to our QA Team and see if they can duplicate this issue or not. Link to post Share on other sites More sharing options...
prombamuser Posted May 2, 2014 Author ID:826082 Share Posted May 2, 2014 Does that mean that my system is okay? Don't forget to tell me how to remove these tools and logs. It is probably an obsecure bug, since I have not seen any other mebers mentioning this on the forums. Threat scan seems to be working prefectly, I guess I can just use that and not worry about Custom scan. I would assumbe that if I become infected, threat scan would be enough to detect it. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 2, 2014 Root Admin ID:826100 Share Posted May 2, 2014 Download Delfix from here and save it to your desktop. (you may already have this)Ensure Remove disinfection tools is checked.Click the Run button.RebootAny other programs or logs that are still remaining, you can manually delete. (right click.....Delete)IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.Note:If you used FRST and can't delete the quarantine folder:Download the fixlist.txt to the same folder as FRST.exe.Run FRST.exe and click Fix only once and waitThat will delete the quarantine folder created by FRST.The rest you can manually delete. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 2, 2014 Root Admin ID:826106 Share Posted May 2, 2014 On Windows 7 here are the results for my full scan. Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 5/1/2014Scan Time: 7:51:40 PMLogfile:Administrator: YesVersion: 2.00.2.1009Malware Database: v2014.05.02.02Rootkit Database: v2014.03.27.01License: PremiumMalware Protection: EnabledMalicious Website Protection: EnabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x64File System: NTFSUser: SUP-RDLScan Type: Custom ScanResult: CompletedObjects Scanned: 632312Time Elapsed: 38 min, 49 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 0(No malicious items detected)Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 0(No malicious items detected)Physical Sectors: 0(No malicious items detected)(end) Link to post Share on other sites More sharing options...
prombamuser Posted May 2, 2014 Author ID:826246 Share Posted May 2, 2014 Update - I tried doing a custom scan as administrator. I right-clicked on desktop icon and selected Run as Administrator and type Admin password. The scan still only took 3 1/2 min, but when I looked at the log, it showed I was NOT running as administrator. I decided to do a clean uninstall using clean-mbam and reinstalling. It was not help. I can't seem to run as administrator. I have not tried to run a threat scan yet. I don't know it running as Administrator would have help custom scan, but it won't let me run as Admin. This seems to be another problem. I got to tell you v2.x is a mess. I hope you are able to figure out the cuse of these bugs and fix them. I am baffled. I have done everything I can think of. Link to post Share on other sites More sharing options...
prombamuser Posted May 2, 2014 Author ID:826307 Share Posted May 2, 2014 I decided to uninstall MBAM and reinstall v2.0.1.1004 and after a couple of restarts; I was finally able to get the program to run as administrator. I then installed v2.0.2.1009. I did a threat scan (admin). I have not tried a custom scan yet, but running as Admin seems to be the key to these problems. If we are supposed run MBAM as administrator, then I suggest the dev team fix it so that it run automatically as administrator. The old version (1.75) did behave that way, but v2.x does not. Here is the log of the threat scan, just in case Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 5/2/2014Scan Time: 1:46:16 PMLogfile:Administrator: YesVersion: 2.00.2.1009Malware Database: v2014.05.02.10Rootkit Database: v2014.03.27.01License: PremiumMalware Protection: DisabledMalicious Website Protection: DisabledSelf-protection: DisabledOS: Windows 8.1CPU: x64File System: NTFSUser: Jason - AdminScan Type: Threat ScanResult: CompletedObjects Scanned: 280942Time Elapsed: 33 min, 53 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 0(No malicious items detected)Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 0(No malicious items detected)Physical Sectors: 0(No malicious items detected)(end) Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 2, 2014 Root Admin ID:826313 Share Posted May 2, 2014 Please just stay with the v2.0.2.1009 after a clean removal and reinstall. As I said you cannot compare 1.75 to 2.x as they are completely different. 1.75 did not scan or parse text logs for infection in Firefox, Chrome, etc. 1.75 did not use the Anti-Rootkit scanner like 2.x does. On TrueCrypt. Are you encrypting the entire drive or just files or folders?What version of TrueCrypt are you using?Is it possible for you to temporarily uninstall TrueCrypt and do some testing? Link to post Share on other sites More sharing options...
prombamuser Posted May 2, 2014 Author ID:826320 Share Posted May 2, 2014 I am using Whole Drive Encryption (v7.1a) and it is not possible for me to remove it. The program seem to run as Admin now...not sure how I did it. It took a couple of restarts after reinstalling to get it to work. I also noticed that if I use the icon in the systray to open and scan, it runs as Admin; I don't have to remember to right-click on desktop icon. Also, I have not logged off or restarted pc yet either. I am not sure what the scanning times should be considered normal as Admin. I know people have complained about slow scanning. I will probably do a cystom scan tonight or tomorrow. I will also log off and reboot and see if anything happens. I need a break from testing and trouble-shooting right now. Will keep you posted. Thanks. Let me know if those scan logs or diagnostics logs reveal anything useful. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 2, 2014 Root Admin ID:826321 Share Posted May 2, 2014 At this point no there is not enough information to know what's really going on. When you have time please do the custom scan with everything enabled and post the log.Then run another one but with the Anti-Rootkit not enabled and post that one too. Thanks again Link to post Share on other sites More sharing options...
prombamuser Posted May 3, 2014 Author ID:826435 Share Posted May 3, 2014 I think I have figured out what is going on. I have the program set to start with windows so that the defs are updated automatically. The problem is that MBAM is does NOT have admin rights; probably because I log into windows using a standard user account. Even if I right-click on the desktop icon and choose "run as administrator", the program still does NOT get admin rights. I assume this is because the program is already running. The solution is to right-click on the icon in the systray and chosse exit. You then can right-click on desktop icon and choose "run as administrator" and the program will then run as administrator. I suggest the dev team figure out a way for users to run MBAM with admin rights automatically when using standard user accounts. It is confusing to know if you need to run as administrator from a standard user account. Have MBAM run with admin rights, reguardless of the account type is a way to avoid this. Here is the Custom scan log you requested. Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 5/2/2014Scan Time: 5:55:06 PMLogfile:Administrator: YesVersion: 2.00.2.1009Malware Database: v2014.05.02.12Rootkit Database: v2014.03.27.01License: PremiumMalware Protection: DisabledMalicious Website Protection: DisabledSelf-protection: DisabledOS: Windows 8.1CPU: x64File System: NTFSUser: Jason - AdminScan Type: Custom ScanResult: CompletedObjects Scanned: 407073Time Elapsed: 3 hr, 0 min, 30 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 0(No malicious items detected)Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 0(No malicious items detected)Physical Sectors: 0(No malicious items detected)(end) The scan took 3 hrs to complete. That is very long in my opinion and not normal, but that is probably another problem, since a lot of people are having scanning time problems. I will do the other custom scan tomorrow. It should be easy, now that I know how to give it admin access. I hope this new information is very helpful to the team. Btw, I also have Access Policies enabled and every box checked for added security to prevent accidently changing settings. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 3, 2014 Root Admin ID:826462 Share Posted May 3, 2014 It confirms what QA suspected. The Anti-Rootkit driver does not run under a limited local user account and why the scan times were very fast. The 3 hours does appear excessive and QA is reviewing but not sure if they'll be able to duplicate or not. So far their scan times are a lot less than an hour. Link to post Share on other sites More sharing options...
prombamuser Posted May 3, 2014 Author ID:826606 Share Posted May 3, 2014 Okay...Here is the other custom log you request with Rootkits DISABLED. It only took 4 min and I had Admin access. It did have to close MBAM and restart as administrator. So there is definitely a problem with the driver starting in a non-admin user account automatically. If the scan time of this log is appropriate, then the heart of these issues (possibly all) is related to this Rootkit Driver. I hope this is very helpful and the QA is able to fix these issues with Admin privilege and get the scan times down. Let me know if I can be of any additional help. These past few days have been very educational for me. Good Luck! Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 5/3/2014Scan Time: 1:28:40 PMLogfile:Administrator: YesVersion: 2.00.2.1009Malware Database: v2014.05.03.06Rootkit Database: v2014.03.27.01License: PremiumMalware Protection: DisabledMalicious Website Protection: DisabledSelf-protection: DisabledOS: Windows 8.1CPU: x64File System: NTFSUser: Jason - AdminScan Type: Custom ScanResult: CompletedObjects Scanned: 269957Time Elapsed: 4 min, 13 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: DisabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 0(No malicious items detected)Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 0(No malicious items detected)Physical Sectors: 0(No malicious items detected)(end) Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 5, 2014 Root Admin ID:827114 Share Posted May 5, 2014 Yes, at this point I think the main issue is running it as a limited user. If double click to launch from the task tray it should be running as an administrator already. Link to post Share on other sites More sharing options...
prombamuser Posted May 5, 2014 Author ID:827247 Share Posted May 5, 2014 Not exactly...if the program starts automatically when you log in to your limited user account, then the program does not have Admin access (even if you use the icon in the task tray). You have to close the program and restart it (right-click and run as Admin). Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 5, 2014 Root Admin ID:827304 Share Posted May 5, 2014 Yes, you're correct. My mistake as I was testing with an admin account. QA and Development are aware of this issue. Thank you again for the feedback. Link to post Share on other sites More sharing options...
Recommended Posts