
I came from Linux after 8 years using it, expecting to come home and buy MB so I can be a little safer, but during a Threat Scan a BSOD happens. "Whoa!" I think, I must be infected. But I can't be infected, and here's why:

* Installed Windows7 2 days ago (MBR was erased with DD), it's fully updated and it's original;

* Only downloaded my Steam games;

* I don't have much software running;

* I don't use any pirated software, be it music, games, programs or whatever;

* Re-installing the system from zero didn't work, even with MBR erased;

* Scanning in Safe-Mode also causes BSOD;

* No other software detects malware: Kaspersky, Avira, avast, MSE, HitmanPRO, G-DATA, Bitdefender. Hell, I scanned my HD with 4 different BootCDs and yet nothing comes. Plus, I know how to be safe online, I don't use Flash or Java, I can't be infected!

 

What I have installed:

* Kaspersky Pure;

* Current NVIDIA drivers;

* Truecrypt;

* Audio driver;

* Securepoint VPN;

* Steam;

* 7zip;

* Revo uninstaller.

 

The BSODs happen when Truecrypt and SecurepointVPN are NOT installed as well.

 

Any help is appreciated.

 

Regards,

Amarildo.


Admins: Please enable newly registered users to edit their posts.

 

 

======================================================================

 

Here's a log from Windows:
 

Problem signature:
  Problem Event Name:    BlueScreen
  OS Version:    6.1.7601.2.1.0.256.1
  Locale ID:    1046

Additional information about the problem:
  BCCode:    1e
  BCP1:    FFFFFFFFC0000005
  BCP2:    FFFFF80002AEFBE6
  BCP3:    0000000000000000
  BCP4:    FFFFFFFFFFFFFFFF
  OS Version:    6_1_7601
  Service Pack:    1_0
  Product:    256_1

Files that help describe the problem:
  C:\Windows\Minidump\070414-18734-01.dmp
  C:\Users\Júnior\AppData\Local\Temp\WER-46359-0.sysdata.xml

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt
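The run-together WER problem signature in the post above can be decoded with a small parser. This is an added example, not code from the thread or from Malwarebytes; the bugcheck, NTSTATUS and OS lookup tables are constructed and cover only the values that appear in the post (0x1E, 0xC0000005, 6.1.7601).

```python
import re

# Constructed copy of the flattened WER "Problem signature" text from the post above
# (the fields are run together exactly as they were pasted into the thread).
WER_TEXT = (
    "Problem signature:  Problem Event Name:    BlueScreen  "
    "OS Version:    6.1.7601.2.1.0.256.1  Locale ID:    1046"
    "Additional information about the problem:  BCCode:    1e  "
    "BCP1:    FFFFFFFFC0000005  BCP2:    FFFFF80002AEFBE6  "
    "BCP3:    0000000000000000  BCP4:    FFFFFFFFFFFFFFFF  "
    "OS Version:    6_1_7601  Service Pack:    1_0  Product:    256_1"
)

# Only the values that occur on this page are mapped (constructed tables);
# a real triage tool would carry the full bugcheck and NTSTATUS lists.
BUGCHECK_NAMES = {0x1E: "KMODE_EXCEPTION_NOT_HANDLED"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}
OS_NAMES = {"6.1.7601": "Windows 7 SP1"}
KERNEL_SPACE_START = 0xFFFF800000000000  # start of the x64 kernel half of the address space


def parse_signature(text):
    """Pull the BlueScreen fields out of a (possibly run-together) WER signature."""
    fields = {
        "event": re.search(r"Problem Event Name:\s+(\w+)", text).group(1),
        "os_version": re.search(r"OS Version:\s+(\d+\.\d+\.\d+)", text).group(1),
        "locale_id": int(re.search(r"Locale ID:\s+(\d+)", text).group(1)),
        # The bugcheck code and its four parameters are hex; BCP values are 16 hex digits.
        "bugcheck": int(re.search(r"BCCode:\s+([0-9a-fA-F]+)", text).group(1), 16),
    }
    for i in range(1, 5):
        fields["bcp%d" % i] = int(re.search(r"BCP%d:\s+([0-9A-Fa-f]{16})" % i, text).group(1), 16)
    return fields


def decode_bugcheck(fields):
    """Turn the raw numbers into what a defender wants to know before opening the minidump."""
    code = fields["bugcheck"]
    result = {
        "os": OS_NAMES.get(fields["os_version"], fields["os_version"]),
        "bugcheck_name": BUGCHECK_NAMES.get(code, "0x%X" % code),
    }
    if code == 0x1E:
        # For 0x1E, BCP1 is the NTSTATUS of the unhandled exception and BCP2 the address
        # where it was raised; the high 32 bits of BCP1 are only sign extension.
        status = fields["bcp1"] & 0xFFFFFFFF
        result["exception"] = NTSTATUS_NAMES.get(status, "0x%08X" % status)
        result["fault_address"] = fields["bcp2"]
        result["in_kernel_space"] = fields["bcp2"] >= KERNEL_SPACE_START
    return result


def triage(text):
    return decode_bugcheck(parse_signature(text))
```

A kernel-mode access violation at a kernel address points at a driver interaction rather than a user-mode process, which is why the minidump named in the signature is what the helpers ask for: it identifies the faulting module.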

Hello:
 
Until the staff members arrive....
 
Do you have anti-rootkit (ARK) scanning enabled in the settings and in the advanced scan settings?
 
The only encryption method for which ARK scanning is supported is Truecrypt (for technical reasons, ARK scanning with other encryption methods (e.g. Bitlocker, SecureDoc, etc.) is not supported).
So, Truecrypt ought NOT to be causing a conflict.

However, I do recall seeing 1 or 2 other reports of BSOD with Truecrypt drives.
I don't recall if that was a contributing factor or a coincidence for those users.
 
So, I would suggest the following:

  • Disable ARK from both settings and scheduled scan advanced settings, if it is enabled.
  • If that doesn't resolve the issue, please read the following and post back as attachments the 3 requested logs - Diagnostic Logs

The staff may need some additional information, such as minidumps, but this will get the process started.

 

EDIT: Alas, because of prior abuse, the ability to edit posts had to be changed, so that new members cannot do so.

 

Thanks


I decided not to run Farbar Recovery Scan Tool, because not only does it not have a digital signature, it was known today and KSN doesn't give me a clear status of it. Hijackthis also doesn't have a signature, but more than 10,000 Kaspersky users have used it.

 

So, hijackthis gives me the following message:

 

Notthisagain.png

 

I suppose it's because I have UAC enabled.

I'll attach its log and MB's one.

 

EDIT: Alas, because of prior abuse, the ability to edit posts had to be changed, so that new members cannot do so.

Well, it not only is annoying, it makes the thread look uglier. The admins could set the edit permissions as OK after the first post of the user was approved.

CheckResults.txt

hijackthis.log


Hello AmarildoJr:

I admire and respect your personal policy with regards to downloading/installing software you are not familiar with. We wish all computer users would observe this policy.

Farbar is a 5+ year member of our forum and was elevated long ago to the coveted title of Expert by Malwarebytes leadership. Farbar has authored/maintained Farbar Recovery Scan Tool (FRST) a functional replacement for Trend Micro's HijackThis and sUBs' DDS. Farbar uses the highly respected Bleeping Computer site for global distribution of all his software diagnostic tools.

Malwarebytes' in-house authored and distributed mbam-check.exe diagnostic tool must be used in concert with FRST to give maximum meaning to each other. In your case the results of your diagnostic logs are so far inconclusive, pending the receipt of the two diagnostic report files from FRST.

Malwarebytes vouches for the total integrity of FRST downloaded from BleepingComputer.com. You may further vet FRST by submitting the executable to VirusTotal.

Thank you.


Hi

 

Thanks for the information.

 

In addition to the minidump 1PW requested....

 

FRST is perfectly safe, and is run 100s (1000s) of times a day here and at other computer help forums.

It is perfectly safe.

HijackThis is no longer sufficient and is not a recommended scanning tool.

So, the staff will need to see those FRST logs in order to be able to help you.

 

You did not mention whether you did or did not have ARK scanning enabled, and, if so, whether you tried to disable it?

 

As for the post editing, again, it's not the "first" post that has been the problem.

Abuse by other members in the past has necessitated the policy of restricting editing capability to users who have achieved a minimum number.

Having said that, we all make mistakes and errors from time to time.  One can use the "Preview Post" button to check a post before replying.

Or one can post a follow-up reply.

 

EDIT: As 1PW is now on the case, I will turn over your support to him and to the staff, so as not to create clutter or confusion. :)

 

Thanks for your understanding,


Hello AmarildoJr and :welcome:

If your system's BSOD dump file C:\Windows\Minidump\070414-18734-01.dmp has not been deleted, please attach to a reply to this thread.

Thank you.

I can't attach them: Error You aren't permitted to upload this kind of file

 

Hello AmarildoJr:

I admire and respect your personal policy with regards to downloading/installing software you are not familiar with. We wish all computer users would observe this policy.

Farbar is a 5+ year member of our forum and was elevated long ago to the coveted title of Expert by Malwarebytes leadership. Farbar has authored/maintained Farbar Recovery Scan Tool (FRST) a functional replacement for Trend Micro's HijackThis and sUBs' DDS. Farbar uses the highly respected Bleeping Computer site for global distribution of all his software diagnostic tools.

Malwarebytes' in-house authored and distributed mbam-check.exe diagnostic tool must be used in concert with FRST to give maximum meaning to each other. In your case the results of your diagnostic logs are so far inconclusive, pending the receipt of the two diagnostic report files from FRST.

Malwarebytes vouches for the total integrity of FRST downloaded from BleepingComputer.com. You may further vet FRST by submitting the executable to VirusTotal.

Thank you.

So this means Hijackthis isn't functional?

As for the safeness of Farbar, I will assume the MB staff have reviewed the source code of it.

And don't get me wrong, but you know there are way more things that can contribute to backdoors and other malicious code than virustotal is capable of detecting :)

 

I will do a scan with it and will also attach its logs.

 

You did not mention whether you did or did not have ARK scanning enabled, and, if so, whether you tried to disable it?

No. All settings are the default ones. But if it matters, once I tested the PRO version for a few days and had maxed out its settings, so ARK was enabled. After a few days the entire program stopped working and wouldn't start with Windows. I tried scanning with mbar in safe mode and it also caused BSODs.

 

Unfortunately I don't remember if I was using truecrypt then, but it's likely I was.

Addition.txt

FRST.txt


AmarildoJr, Hello and welcome....

 

Try zipping the *.dmp file and uploading it once again...

 

 

So this means Hijackthis isn't functional?

 

Hijackthis is still functional, it's just outdated and most experts have moved on to more updated tools such as FRST, OTL just to name a couple...

 

Thanks for the two logs for FRST, now you also need to post the mbam check log as well, then wait for someone to review the logs for assistance...

 

EDIT: Sorry I had missed that you had already posted the mbam check log above...


Hello AmarildoJr:
 

 

So this means Hijackthis isn't functional?

 

1) I believe we all appreciate HijackThis but HJT needed to continuously improve and expand its value and utility. sUBs' filled that need for us with DDS for years, but it's undergoing a major rework and testing. Hence Farbar's tools have gained great popularity.

 

2) Please see my post #5 above. That dmp file could be key here.

 

3) Your FRST logs suggest further analysis is required.

 

Thank you.


UPDATE2: UAC doesn't matter, neither that net.conf file posted by a mod here.

I noticed my system crashed always while scanning "steam.ink" on my desktop, but removing the file didn't solve the problem.

 

I was thinking, maybe one of Kaspersky's vulnerability fixes is causing this. Here's the list:

 

Hard drive autoexec is permitted

Network hardware autoexec is permitted

CD/DVD autoexec is permitted

Removable media autoexec is permitted

Microsoft IE: Clean typed URL history

Microsoft IE: Disable cached received items through protected channel

Microsoft IE: Disable error log sending

Microsoft IE: Delete Cookies

Microsoft IE: Enable cache autodeletion when closing the program

Windows explorer: The known filetypes extension exhibition is off

Microsoft IE: Reset homepage

 

Screenshot (pt_BR)

 



Hello AmarildoJr:

As Friday, July 4th begins a National holiday in the U.S.A., the time till your dump files and diagnostics are thoroughly analyzed may be prolonged. In the meantime I recommend you temporarily discontinue unguided remediation efforts until a Malwarebytes staffer has joined this thread.

Thank you for your patience and understanding.


No problem :) Happy Holidays everybody.

 

Well, I have good news and bad news for everybody. The good news is, I found the conflicting problem.

Bad news is, Malwarebytes was conflicting with Truecrypt; after removing TC completely I can now scan my system (as shown in the attached image).

 

I seriously hope you fix this because there are hundreds of thousands of customers who use Truecrypt. I would say "myself included" but I can't purchase a product that conflicts with others I must use, as not using Truecrypt isn't an option.



Hi:
 
It looks as if we are back to where we started... :)
 

 
Do you have anti-rootkit (ARK) scanning enabled in the settings and in the advanced scan settings?
 
The only encryption method for which ARK scanning is supported is Truecrypt (for technical reasons, ARK scanning with other encryption methods (e.g. Bitlocker, SecureDoc, etc.) is not supported).
So, Truecrypt ought NOT to be causing a conflict.
However, I do recall seeing 1 or 2 other reports of BSOD with Truecrypt drives.
I don't recall if that was a contributing factor or a coincidence for those users.
 
So, I would suggest the following:

  • Disable ARK from both settings and scheduled scan advanced settings, if it is enabled.
  • If that doesn't resolve the issue, please read the following and post back as attachments the 3 requested logs - Diagnostic Logs
The staff may need some additional information, such as minidumps, but this will get the process started.

 


 

 
Well, I have good news and bad news for everybody. The good news is, I found the conflicting problem.
Bad news is, Malwarebytes was conflicting with Truecrypt; after removing TC completely I can now scan my system (as shown in the attached image).
 
I seriously hope you fix this because there are hundreds of thousands of customers who use Truecrypt. I would say "myself included" but I can't purchase a product that conflicts with others I must use, as not using Truecrypt isn't an option.

 

I suspect that the product development team will be interested in your findings, because Truecrypt is supposed to be supported.

 

(Having said that, as you probably know, Truecrypt shut down in May 2014.  So I don't know if the MBAM product team will be devoting extensive resources to possible compatibility problems with a software product that is no longer developed or supported.)

 

We will need to wait for staff members to weigh in on the status of Truecrypt support.

 

Thank you,


We can't be on the stack zero because I've said ARK was not enabled and all settings were default. Also, there's an evident problem with the compatibility of malwarebytes and truecrypt, it's not compatible even when ARK is disabled.

I don't agree with your point about truecrypt. Even though it mysteriously stopped its development (which was already stopped since 7.1a in 2012), it's been proven it doesn't contain any malicious code or backdoors in it. So even though it's discontinued people still use it and will probably continue to do so. Not to mention FSF will fork it in the near future, so there's already a "not so good" compatibility you can use in the future.

 

I'm not sure what the technical reasons are not to make ARK compatible with other encryption tools (and I'd love to see why), but there are good tools like DiskCryptor which is licensed under the beloved GPL and it's under active development. You may consider making MB compatible with it.

 

But since yesterday I decided to ditch Truecrypt, so I won't be having any problems. However, I'm looking forward to an official response on this encryption issue people are having. I'm sure Malwarebytes will stand up to its name and make v2 compatible with almost everything, thus gaining its reputation back and, of course, more users, myself included.


Hi:

 

I was merely remarking that Truecrypt might have been playing an as-yet unknown role in your BSOD issues; whether ARK scanning was involved, I cannot say.

It is a known consideration, so I had brought it up initially in an effort to help you.  Nothing more.

 

The staff will need to provide the detailed explanation you seek re: proprietary encryption methods (as opposed to the open-source Truecrypt) and ARK scanning.

 

FWIW, it's not "my point" -- Truecrypt shut down on May 29, 2014.  That's a fact.

I don't personally use Truecrypt, but a quick internet search about the subject will turn up numerous sites and blogs and forums with vigorous discussion. It's entirely your choice, of course, whether or not to use it. :)

 

Your concerns and the data you provided in your posts and system logs present information that far exceeds my level of expertise.

As such, as 1PW suggested yesterday, it would be best to wait for expert input from the Malwarebytes staff.

As it is a 3-day holiday weekend in the U.S., many of them are spending time with family.

 

I'm certain that @AdvancedSetup and/or other staff members will reply to you at the earliest opportunity.

 

Take care,


Hi, and thanks for taking time to answer :) I really appreciate.

 

The point I referred to wasn't about whether Truecrypt has stopped or not, which is true; but your opinion "if the MBAM product team will be devoting extensive resources to possible compatibility problems with a software product that is no longer developed or supported", as you can see in a section of my comment below:
 

I don't agree with your point about truecrypt. Even though it mysteriously stopped its development (which was already stopped since 7.1a in 2012), it's been proven it doesn't contain any malicious code or backdoors in it. So even though it's discontinued people still use it and will probably continue to do so. Not to mention FSF will fork it in the near future, so there's already a "not so good" compatibility you can use in the future.

 

Regards.
