
MBAM Premium Stops Working During File System Scan When Anti-Rootkit Scanning Enabled


garioch7

Good day.  I was assisted with the problem of MBAM Premium stopping working when Anti-Rootkit scanning was enabled, in the Malware Help Forum about a week or so ago.  AdvancedSetup recommended I come to this Forum to rule out an infection.  I can't figure out how to paste the link to that thread here.  Sorry about that.

The problem started about two weeks ago and it is the only indication of a possible infection.  AdvancedSetup believed that there might be registry damage caused by a Paretologic program (long since uninstalled) or Wise Care, which I do use.  I ran both the Windows System Update Readiness Tool and sfc /scannow.  I can't find the "checksur.txt" file any longer, but I have attached the errors that the sfc scan found.  Basically, Wise Care took out my Sample Pictures, a SampleRes.dll and a desktop.ini file.  The checksur.txt reported the same missing files and those were the only errors it found.  I put all of the files back into the Sample Pictures folder, except the desktop.ini, but sfc still reports those errors that it can't fix, so presumably the corresponding registry entries were removed by Wise Care.

If MBAM is run without Anti-Rootkit scanning enabled, it works fine.  Not sure how the absence of Sample Pictures would cause this behaviour, so I would like to rule out a possible infection.  My AV solution is Bitdefender 2015 Total Security.  All Windows updates are current.

This is a low priority issue for me, since I have full use of the laptop except for the anti-rootkit scanning component of MBAM, so please assist others first who have more urgent problems.

Thank you in advance for any assistance you can provide.  Have a great day.

Regards,

-Phil


2 weeks later...

Root Admin:

The computer is having issues with services not loading and a few other minor things. I wouldn't think it would be preventing a rootkit scan but maybe something there that's bothering it for some reason.
 
Please see the following errors. We'll try to see if we can correct some of them and a few other minor issues and go from there.
 
System errors:
=============

Error: (09/19/2014 01:13:14 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068SafeBox{F681ABD0-41DE-46C8-9ED3-D0F4EBA19111}

Error: (09/19/2014 01:12:45 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
RxFilter

Error: (09/19/2014 01:12:12 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Net.Tcp Listener Adapter service depends on the Net.Tcp Port Sharing Service service which failed to start because of the following error:
%%1053

Error: (09/19/2014 01:11:46 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (09/19/2014 01:11:38 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The SessionLauncher service failed to start due to the following error:
%%3

Error: (09/19/2014 01:11:27 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Net.Tcp Port Sharing Service service failed to start due to the following error:
%%1053

Error: (09/19/2014 01:11:27 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Net.Tcp Port Sharing Service service to connect.

Error: (09/19/2014 01:10:05 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 4:44:32 PM on ‎10/‎09/‎2014 was unexpected.

Error: (09/10/2014 04:44:35 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the VSSERV service.

Error: (09/10/2014 04:24:04 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
RxFilter

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

General P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable... It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)

STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then remove incorrect executable associations and fix policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1
Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.

STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02
Please run a Threat Scan with MBAM.  If you're unable to run or complete the scan as shown below please see the following:  MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

STEP 03
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.

Thank you

Please go into Control Panel, Add/Remove and uninstall ALL versions of Java and then run the following.

Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

Next:

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

RESTART the computer now and then run the following and post back all new logs on your next reply.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

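Added example, not code from the thread, from Malwarebytes or from FRST: a parser for the FRST "System errors" block quoted at the top of this post that pulls out the driver that failed to load (event 7026), the services that failed in their own right with the Win32 error behind the %%n placeholder (7000/7009), and the 7001 entries that are only knock-on failures of another service's start, so a chain like Net.Tcp Port Sharing timing out and taking the Net.Tcp Listener Adapter down with it reads as one problem rather than three. The sample text is constructed from the entries quoted above.

```python
# Parser for the "System errors" block that FRST lifts from the Windows event log, plus
# the triage facts read off it. Added example, not part of the thread or of FRST itself.
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: entries quoted in the post above, in FRST's
# "Error: (time) (Source: ...) (EventID: n) (User: ...)" / "Description: ..." layout.
SAMPLE_ERRORS = """\
Error: (09/19/2014 01:12:45 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
RxFilter

Error: (09/19/2014 01:12:12 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Net.Tcp Listener Adapter service depends on the Net.Tcp Port Sharing Service service which failed to start because of the following error:
%%1053

Error: (09/19/2014 01:11:38 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The SessionLauncher service failed to start due to the following error:
%%3

Error: (09/19/2014 01:11:27 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Net.Tcp Port Sharing Service service failed to start due to the following error:
%%1053

Error: (09/19/2014 01:11:27 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Net.Tcp Port Sharing Service service to connect.

Error: (09/10/2014 04:24:04 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
RxFilter
"""

HEADER = re.compile(r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<src>[^)]*)\) "
                    r"\(EventID: (?P<id>\d+)\) \(User: (?P<user>[^)]*)\)$")
# SCM message shapes. The lazy group stops at the first lowercase " service", so a
# name such as "Net.Tcp Port Sharing Service" is captured whole.
SERVICE_FAILED = {7000: re.compile(r"^The (.+?) service failed to start"),
                  7009: re.compile(r"waiting for the (.+?) service to connect")}
DEPENDS = re.compile(r"^The (.+?) service depends on the (.+?) service which failed")
ERROR_CODE = re.compile(r"%%(\d+)")
WIN32_ERRORS = {3: "ERROR_PATH_NOT_FOUND", 1053: "ERROR_SERVICE_REQUEST_TIMEOUT"}  # winerror.h

@dataclass
class EventRecord:
    timestamp: datetime
    source: str
    event_id: int
    user: str
    description: str

def _record(header: dict, body: list[str]) -> EventRecord:
    desc = "\n".join(body).strip().removeprefix("Description:").strip()
    return EventRecord(datetime.strptime(header["ts"], "%m/%d/%Y %I:%M:%S %p"),
                       header["src"], int(header["id"]), header["user"].strip(), desc)

def parse_frst_errors(text: str) -> list[EventRecord]:
    """One record per "Error:" header; description lines run until the next header."""
    records, header, body = [], None, []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if header:
                records.append(_record(header, body))
            header, body = m.groupdict(), []
        elif header:
            body.append(line.rstrip())
    if header:
        records.append(_record(header, body))
    return records

def failed_drivers(records: list[EventRecord]) -> set[str]:
    """Driver names under SCM event 7026 (boot- or system-start driver failed to load)."""
    names = set()
    for r in records:
        if r.source == "Service Control Manager" and r.event_id == 7026:
            tail = r.description.partition("failed to load:")[2]
            names.update(n.strip() for n in tail.splitlines() if n.strip())
    return names

def service_failures(records: list[EventRecord]) -> dict[str, list[tuple[int, str | None]]]:
    """Service -> [(event id, Win32 error name or None)] for its own 7000/7009 events."""
    out = defaultdict(list)
    for r in records:
        pat = SERVICE_FAILED.get(r.event_id)
        m = pat.search(r.description) if pat and r.source == "Service Control Manager" else None
        if m:
            code = ERROR_CODE.search(r.description)
            err = WIN32_ERRORS.get(int(code.group(1)), "error " + code.group(1)) if code else None
            out[m.group(1)].append((r.event_id, err))
    return dict(out)

def dependency_failures(records: list[EventRecord]) -> list[tuple[str, str]]:
    """(dependent, dependency) from event 7001: the dependent did not fail on its own,
    so fixing the dependency clears both entries."""
    return [(m.group(1), m.group(2)) for r in records if r.event_id == 7001
            for m in [DEPENDS.search(r.description)] if m]
```

The dependency pairs are the entries to discount first when deciding whether anything in the block points at infection rather than at a service that simply did not start.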

AdvancedSetup:  Thank you for your instructions.  Wow, that's a lot of scanning and logs.  I will get up early tomorrow and run everything suggested and post back the logs and results.  If we get MBAM anti-rootkit scanning enabled and running again, it will have been well worth the effort.

Thanks again, and will post tomorrow.  Have a great day.

Regards,

-Phil


Good morning, AdvancedSetup.  Thank you for all of your help.  I have done all of the requested steps.  I did run MBAM with anti-rootkit scanning enabled after RKILL and ERUNT.  Windows reported that it had stopped working.  I did the MBAMCLEAN and reinstalled.  Reran RKILL and scanned again.  Same result.  I then ran the remaining programs and am attaching or copying results.  In all three cases, the MBAM history logs did not show the program stopping working, although MBAM reported that it had scanned when relaunched.  Please note that I did remove the PerfectUpdater program since my last submission of scan logs, which is why the fixlog shows the failure to modify that program (replaced by DriverToolkit).  I have rerun FRST64 and MBAMCHECK so that you can see the current configuration of the laptop after all of the programs that you recommended were run.

 

 

All three runs of RKILL produced identical log files.

 

Rkill 2.6.8 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 10/01/2014 08:32:14 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Users\Phil\Downloads\PCMeter\PCMeter.exe (PID: 2844) [uP-HEUR]
 * C:\ProgramData\Rpcnet\Bin\rpcld.exe (PID: 4640) [AU-HEUR]
 * C:\Windows\system32\CorelCreatorMessages.exe (PID: 6944) [WD-HEUR]
 
3 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
  1             localhost
 
Program finished at: 10/01/2014 08:34:33 AM
Execution time: 0 hours(s), 2 minute(s), and 18 seconds(s)
 
 
The three runs of MBAM produced pretty much identical logs, with the only difference being the amount of times it reported starting.  Attached is the log from the last run.
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
 
Update, 2014-10-01 08:17:40, SYSTEM, PHIL-LAPTOP, Manual, Rootkit Database, 2014.2.20.1, 2014.9.19.1, 
Update, 2014-10-01 08:18:30, SYSTEM, PHIL-LAPTOP, Manual, Malware Database, 2014.3.4.9, 2014.10.1.4, 
Protection, 2014-10-01 08:19:16, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Starting, 
Protection, 2014-10-01 08:19:16, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Started, 
Protection, 2014-10-01 08:19:16, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Starting, 
Protection, 2014-10-01 08:19:16, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Started, 
Protection, 2014-10-01 08:27:14, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Starting, 
Protection, 2014-10-01 08:27:16, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Started, 
Protection, 2014-10-01 08:27:16, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Starting, 
Protection, 2014-10-01 08:28:40, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Started, 
Protection, 2014-10-01 09:00:50, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Starting, 
Protection, 2014-10-01 09:00:50, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Started, 
Protection, 2014-10-01 09:00:50, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Starting, 
Protection, 2014-10-01 09:02:57, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Started, 
Protection, 2014-10-01 09:12:15, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Starting, 
Protection, 2014-10-01 09:12:16, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Started, 
Protection, 2014-10-01 09:12:16, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Starting, 
Protection, 2014-10-01 09:13:42, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Started, 
 
(end)
 
 
Please note that Mozilla Firefox is not installed in this laptop according to Revo Uninstaller Pro (and according to me).
 
JavaRa 1.16 Removal Log.
 
Report follows after line.
 
------------------------------------
 
The JavaRa removal process was started on Wed Oct 01 08:52:44 2014
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0001-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0002-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0003-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0004-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0005-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0006-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0007-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0008-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0009-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0010-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0011-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0012-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0013-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0014-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0015-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0016-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0017-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0018-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0019-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0020-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0021-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0022-ABCDEFFDCBA}. The error returned was 124.
 
Found and removed: SOFTWARE\Classes\JavaPlugin.170_09
 
Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.6.0.0
 
Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
 
Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA}
 
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA}
 
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBB}
 
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBC}
 
Found and removed: SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
 
Found and removed: SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}
 
Found and removed: SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
 
Found and removed: SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}
 
Found and removed: SOFTWARE\Classes\Interface\{5852F5EC-8BF4-11D4-A245-0080C6F74284}
 
Found and removed: SOFTWARE\Classes\MIME\Database\Content Type\application/java-deployment-toolkit
 
Found and removed: SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-applet
 
Found and removed: SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file
 
Found and removed: SOFTWARE\Classes\TypeLib\{5852F5E0-8BF4-11D4-A245-0080C6F74284}
 
Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled
 
Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.7.0.0
 
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
 
Found and removed: SOFTWARE\JavaSoft
 
Found and removed: SOFTWARE\JreMetrics
 
Found and removed: SOFTWARE\Classes\JavaPlugin.10512
 
------------------------------------
 
Finished reporting.
 
 
 
JavaRa 1.16 Removal Log.
 
Report follows after line.
 
------------------------------------
 
The JavaRa removal process was started on Wed Oct 01 08:52:53 2014
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0001-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0002-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0003-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0004-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0005-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0006-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0007-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0008-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0009-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0010-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0011-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0012-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0013-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0014-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0015-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0016-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0017-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0018-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0019-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0020-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0021-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0022-ABCDEFFDCBA}. The error returned was 124.
 
------------------------------------
 
Finished reporting.
 
 
 
TFC did remove some temporary files, but I keep the laptop pretty clean with CCleaner.
 
 
There is no rush on this as I am not aware of being infected.  Just something about the configuration of this laptop is annoying the anti-rootkit scan capability of MBAM.  That works fine on my tower computer.
 
Any advice or assistance you can offer, when you have the time, will be appreciated greatly.  Let me know, please, what you need from me.  Have a fine day.
 
Regards,
-Phil

 


AdvancedSetup:

Sorry about that.  Us old timers get a bit confused and I was attaching and pasting so many logs that it was inevitable that my geriatric brain would have a lapse.  As requested:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-09-2014
Ran by Phil at 2014-10-01 09:06:28 Run:1
Running from C:\Users\Phil\Documents\My Utilities
Loaded Profile: Phil (Available profiles: Phil & DefaultAppPool)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
Task: {14CBFEB2-0023-4A1E-9D1B-7B163361774F} - \ParetoLogic Registration3 No Task File <==== ATTENTION
Task: {08DD5AAA-B067-4335-B8BD-A76ADE139A47} - System32\Tasks\Wise Care 365 => C:\Program Files (x86)\Wise\Wise Care 365\WiseTray.exe [2014-09-04] (WiseCleaner.com)
Task: {6C715CE7-0D59-4BAB-A50D-77F46EB1F7C4} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-11-26] (Google Inc.)
Task: {8ED3B370-6E0E-46F2-AC78-E78F3BD2B638} - \ParetoLogic Update Version3 No Task File <==== ATTENTION
Task: {E683A0D0-623C-4102-AFE6-733D3103FD52} - \0C8B663C-680C-4CB7-BA20-A9CAC82116C7 No Task File <==== ATTENTION
Task: {F71FD9DF-D333-409F-B7BE-C183DBD5D72F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-11-26] (Google Inc.)
Task: {F7678CB0-A630-4212-B759-4F010BAAA5BB} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {F81690FB-DB0C-490D-9AED-9137C8D0E14D} - System32\Tasks\ParetoLogic Update Version2 => C:\Program Files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\ParetoLogic Registration.job => C:\Program Files (x86)\Common Files\ParetoLogic\UUS2\UUS.dll
Task: C:\Windows\Tasks\ParetoLogic Update Version2.job => C:\Program Files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
Task: C:\Windows\Tasks\PerfectUpdater.job => ?
Task: C:\Windows\Tasks\Wise Care 365.job => C:\Program Files (x86)\Wise\Wise Care 365\WiseTray.exe
AlternateDataStreams: C:\Windows:
AlternateDataStreams: C:\Windows\system32\autochk.exe:BDU
AlternateDataStreams: C:\Users\Phil\Downloads\amddriverdownloader.exe:BDU
AlternateDataStreams: C:\Users\Phil\Downloads\catalyst_mobility_64-bit_util.exe:BDU
AlternateDataStreams: C:\Users\Phil\Downloads\wavmp3_converter.exe:BDU
 
*****************
 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{14CBFEB2-0023-4A1E-9D1B-7B163361774F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{14CBFEB2-0023-4A1E-9D1B-7B163361774F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ParetoLogic Registration3" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{08DD5AAA-B067-4335-B8BD-A76ADE139A47}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{08DD5AAA-B067-4335-B8BD-A76ADE139A47}" => Key deleted successfully.
C:\Windows\System32\Tasks\Wise Care 365 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Wise Care 365" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6C715CE7-0D59-4BAB-A50D-77F46EB1F7C4}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C715CE7-0D59-4BAB-A50D-77F46EB1F7C4}" => Key deleted successfully.
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8ED3B370-6E0E-46F2-AC78-E78F3BD2B638}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8ED3B370-6E0E-46F2-AC78-E78F3BD2B638}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ParetoLogic Update Version3" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E683A0D0-623C-4102-AFE6-733D3103FD52}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E683A0D0-623C-4102-AFE6-733D3103FD52}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0C8B663C-680C-4CB7-BA20-A9CAC82116C7" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F71FD9DF-D333-409F-B7BE-C183DBD5D72F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F71FD9DF-D333-409F-B7BE-C183DBD5D72F}" => Key deleted successfully.
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F7678CB0-A630-4212-B759-4F010BAAA5BB}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F7678CB0-A630-4212-B759-4F010BAAA5BB}" => Key deleted successfully.
C:\Windows\System32\Tasks\Apple\AppleSoftwareUpdate => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Apple\AppleSoftwareUpdate" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F81690FB-DB0C-490D-9AED-9137C8D0E14D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F81690FB-DB0C-490D-9AED-9137C8D0E14D}" => Key deleted successfully.
C:\Windows\System32\Tasks\ParetoLogic Update Version2 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ParetoLogic Update Version2" => Key deleted successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => Moved successfully.
C:\Windows\Tasks\ParetoLogic Registration.job => Moved successfully.
C:\Windows\Tasks\ParetoLogic Update Version2.job => Moved successfully.
C:\Windows\Tasks\PerfectUpdater.job not found.
C:\Windows\Tasks\Wise Care 365.job => Moved successfully.
"C:\Windows" => ":" ADS not found.
C:\Windows\system32\autochk.exe => ":BDU" ADS removed successfully.
C:\Users\Phil\Downloads\amddriverdownloader.exe => ":BDU" ADS removed successfully.
C:\Users\Phil\Downloads\catalyst_mobility_64-bit_util.exe => ":BDU" ADS removed successfully.
C:\Users\Phil\Downloads\wavmp3_converter.exe => ":BDU" ADS removed successfully.
 
==== End of Fixlog ====
 
 
 
Hope this helps.  Once again, please accept my apologies.  Have a great day.
 
Regards,
-Phil
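A Fixlog like the one Phil posted above is easy to skim but tedious to audit line by line. The script below is an added example for this thread, not FRST's own code and not something either participant posted: it parses FRST Fixlog result lines into structured records (registry keys deleted, task files quarantined, alternate data streams removed) and lists the items FRST reported as not found, which a responder would want to confirm by hand. The sample input is a constructed excerpt in the same format as the log above; `FixAction`, `parse_fixlog` and the other names are the example's own.

```python
"""Parse Farbar Recovery Scan Tool (FRST) Fixlog result lines into records.

Added example: not part of this forum thread and not FRST's own code.  The
line formats follow the Fixlog quoted in the thread; the sample below is a
constructed excerpt in the same format.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in Fixlog format.  The asterisk bar separates the echoed
# fixlist directives from the per-item results that follow.
SAMPLE_FIXLOG = r"""
AlternateDataStreams: C:\Windows:
AlternateDataStreams: C:\Windows\system32\autochk.exe:BDU

*****************

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Wise Care 365" => Key deleted successfully.
C:\Windows\System32\Tasks\Wise Care 365 => Moved successfully.
C:\Windows\Tasks\PerfectUpdater.job not found.
"C:\Windows" => ":" ADS not found.
C:\Windows\system32\autochk.exe => ":BDU" ADS removed successfully.

==== End of Fixlog ====
"""

END_MARKER = "==== End of Fixlog ===="
REG_PREFIXES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")

# <target> => [<":stream"> ADS ]<status>.   (target may be wrapped in quotes)
ACTION_RE = re.compile(
    r'^"?(?P<target>.+?)"?\s+=>\s+(?:"(?P<stream>:[^"]*)"\s+ADS\s+)?(?P<status>.+?)\.?\s*$'
)
# <target> not found.   (no "=>" on these lines)
NOT_FOUND_RE = re.compile(r'^(?P<target>.+?)\s+not found\.?\s*$')


@dataclass
class FixAction:
    kind: str              # "registry", "file" or "ads"
    target: str            # registry key or filesystem path
    stream: Optional[str]  # ADS name such as ":BDU"; None unless kind == "ads"
    status: str            # FRST's own wording, e.g. "Moved successfully"
    result: str            # "ok", "not_found" or "other"


def _kind(target: str, stream: Optional[str]) -> str:
    if stream is not None:
        return "ads"
    if target.upper().startswith(REG_PREFIXES):
        return "registry"
    return "file"


def _result(status: str) -> str:
    s = status.lower()
    if "successfully" in s:
        return "ok"
    if "not found" in s:
        return "not_found"
    return "other"


def parse_fixlog(text: str) -> List[FixAction]:
    """Return one FixAction per result line; directive echoes and bars are skipped."""
    actions: List[FixAction] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == END_MARKER:
            break
        if not line:
            continue
        m = ACTION_RE.match(line)
        if m:
            target, stream, status = m.group("target"), m.group("stream"), m.group("status")
        else:
            m = NOT_FOUND_RE.match(line)
            if not m:
                continue  # echoed fixlist directive, separator bar, etc.
            target, stream, status = m.group("target"), None, "not found"
        actions.append(FixAction(_kind(target, stream), target, stream, status, _result(status)))
    return actions


def summarize(actions: List[FixAction]) -> Counter:
    """Count actions by (kind, result), e.g. ("ads", "ok") -> 1."""
    return Counter((a.kind, a.result) for a in actions)


def unresolved(actions: List[FixAction]) -> List[str]:
    """Targets FRST reported as not found: confirm by hand that they are really gone."""
    return [a.target for a in actions if a.result == "not_found"]


def quarantined_tasks(actions: List[FixAction]) -> List[str]:
    """Scheduled-task files moved to quarantine (legitimate ones may need re-creating)."""
    return [a.target for a in actions
            if a.kind == "file" and a.result == "ok" and "\\Tasks\\" in a.target]


if __name__ == "__main__":
    acts = parse_fixlog(SAMPLE_FIXLOG)
    for (kind, result), n in sorted(summarize(acts).items()):
        print(f"{kind:9s} {result:10s} {n}")
    print("not found:", unresolved(acts))
    print("quarantined task files:", quarantined_tasks(acts))
```

Feed it the real Fixlog.txt with `parse_fixlog(open(path, encoding="utf-8", errors="replace").read())`; the "not found" list is the part worth a second look, since FRST could not act on those items and the fixlist may have named a stale path.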

  • Root Admin

No problem, Phil, just wanted to make sure you had run it.

 

Temporarily disable your antivirus and then run the following and let's see if it works now or not.

 

 

Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.
 


AdvancedSetup:

 

I disabled active virus scanning on my laptop (Bitdefender 2015 Total Security) and tried to run a threat scan.  As before, Windows reports that MBAM has stopped working and it is checking for a solution.

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
 
Protection, 2014-10-03 13:32:02, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Starting, 
Protection, 2014-10-03 13:32:03, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Started, 
Protection, 2014-10-03 13:32:03, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Starting, 
Protection, 2014-10-03 13:33:48, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Started, 
Update, 2014-10-03 13:45:44, SYSTEM, PHIL-LAPTOP, Manual, Malware Database, 2014.10.2.7, 2014.10.3.4, 
Protection, 2014-10-03 13:45:46, SYSTEM, PHIL-LAPTOP, Protection, Refresh, Starting, 
Protection, 2014-10-03 13:45:46, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Stopping, 
Protection, 2014-10-03 13:45:46, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Stopped, 
Protection, 2014-10-03 13:45:50, SYSTEM, PHIL-LAPTOP, Protection, Refresh, Success, 
Protection, 2014-10-03 13:45:50, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Starting, 
Protection, 2014-10-03 13:45:50, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Started, 
 
(end)
 
 
I have installed Malwarebytes Anti-Exploit Premium since I have sent you all of the logs from two days.  I am very about the lack of anti-rootkit scanning capability.
 
Also noteworthy is that MBAM consistently updates the last threat scan to the failed scans.  Not sure where we go from here?  I am running Bitdefender 2015 Total Security on my main computer, along with MBAM Premium, and have had no issues with them playing nice.  Appropriate exclusions added to both.  So there must be something in the configuration of this laptop that MBAM decided to stop liking, because previously, it had worked just fine.
 
As always, thank you AdvancedSetup for your efforts to help me identify the cause of this issue.  Have a great day.
 
Regards,
-Phil

  • Root Admin

Please uninstall MBAM and reboot. Then read and download the latest public beta version and install it and update it and try to scan with it and let me know.

 

 

https://forums.malwarebytes.org/index.php?/topic/158226-malwarebytes-anti-malware-203-beta-1/

 

As it's the weekend my replies may be limited but I'll try to reply as soon as I can. If I've not replied by Sunday night please send me a private message reminder.

 

Thanks


AdvancedSetup:

 

Thank you for your continuing interest and assistance and for suggesting that I download the beta version.  It solved the problem.

 

 

Protection Log

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
 
Update, 2014-10-05 15:05:08, SYSTEM, PHIL-LAPTOP, Manual, Rootkit Database, 2014.9.18.1, 2014.9.19.1, 
Update, 2014-10-05 15:05:59, SYSTEM, PHIL-LAPTOP, Manual, Malware Database, 2014.9.19.5, 2014.10.5.7, 
Protection, 2014-10-05 15:06:26, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Starting, 
Protection, 2014-10-05 15:06:26, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Started, 
Protection, 2014-10-05 15:06:26, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Starting, 
Protection, 2014-10-05 15:06:26, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Started, 
Protection, 2014-10-05 15:10:11, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Starting, 
Protection, 2014-10-05 15:10:12, SYSTEM, PHIL-LAPTOP, Protection, Malware Protection, Started, 
Protection, 2014-10-05 15:10:12, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Starting, 
Protection, 2014-10-05 15:11:54, SYSTEM, PHIL-LAPTOP, Protection, Malicious Website Protection, Started, 
Scan, 2014-10-05 15:32:07, SYSTEM, PHIL-LAPTOP, Manual, Start:2014-10-05 15:16:08, Duration:15 min 58 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections, 
 
(end)
 
 
 
Scan Log
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 2014-10-05
Scan Time: 15:16:08
Logfile: 
Administrator: No
 
Version: 2.00.3.1024
Malware Database: v2014.10.05.07
Rootkit Database: v2014.09.19.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Phil
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 381290
Time Elapsed: 15 min, 58 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
Thanks again.  If there are any other log files you need or want to check, please advise.  I guess my laptop was one of those that had issues with 2.02.   Have a great day, and thanks again.
 
Regards,
-Phil

  • Root Admin

Great, that's good news. Glad that was able to resolve your issue with the program.

At this time there are no more signs of an infection on your system.

However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.

They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot
Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:

If you used FRST and can't delete the quarantine folder:

Download the fixlist.txt to the same folder as FRST.exe.

Run FRST.exe and click Fix only once and wait

That will delete the quarantine folder created by FRST.

The rest you can manually delete.

If there are any other left over Folders, Files, Logs then you can delete them on your own.

Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.

How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP

As Java seems to get exploited on a regular basis I advise not using Java if possible, but to at least disable Java in your web browsers.

How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.

Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

AdvancedSetup:

 

Thank you for your reply and all of your assistance.  I have already removed JAVA from the laptop and will remove it from my main computer.  I will clean out the leftover scan files and apps on Friday.  I do have MBAM Premium on both computers as well as Malwarebytes Anti-Exploit Premium.

 

I have no reason to believe that there are any infections on either computer.

 

Have a great day.  You can close this thread, but please leave it so I can come back on Friday and follow your instructions to remove cleaning apps and logs from the laptop.

 

Regards,

-Phil


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.