Malwarebytes Premium Stops If Anti-Rootkit Scanning is Enabled


garioch7
Good day.  AdvancedSetup helped me with a similar problem about a month ago, which was eventually resolved by installing the new version of MBAM (1025, then in beta) and running a fixlist job.

 

Last week, the last thing I did was to run an MBAM scan and it ran fine.  Today, when I booted up the laptop (hadn't been turned on since), MBAM stopped responding when it was loaded and the tray icon was among the missing.  Windows reported that MBAM had stopped working.  It had real-time protection turned off and just listed "loading" as the database version.  In short, it was unusable.

 

I used MBAM_CLEAN to take out MBAM, with my Bitdefender disabled, rebooted, and reinstalled MBAM.  It updated properly, but Windows would report that it had stopped working part way through a scan, if anti-rootkit scanning was enabled.  With anti-rootkit scanning disabled, the scan ran fine and was clean.

 

I have no reason to believe that this laptop is infected.  No infections were found the last time this happened.

 

I am attaching the usual logs in hopes that a solution may be found to this issue.  Thank you for your assistance.  Have a great day.

 

Regards,

-Phil


Root Admin

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

General P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 
Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.
  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)

 
STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then remove incorrect executable associations and fix policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.

STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.
  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02
Please run a Threat Scan with MBAM.  If you're unable to run or complete the scan as shown below please see the following:  MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.
 
 


AdvancedSetup:

 

I ran RKILL.  Results below:

 

Rkill 2.6.8 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 11/28/2014 12:39:16 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
  1             localhost
 
Program finished at: 11/28/2014 12:39:56 PM
Execution time: 0 hours(s), 0 minute(s), and 39 seconds(s)
 
 
I then attempted to run MBAM with Anti-Rootkit Scanning enabled and my Bitdefender Anti-Virus scanning disabled.  As before, the scan stopped just a little bit into the File System scan (around 56700 items scanned), and then Windows reported that MBAM had stopped working and it was checking for a solution.  I restarted MBAM, but there was no scan log there, just a protection log.  I then disabled anti-rootkit scanning and re-enabled my Bitdefender, and ran an MBAM Threat Scan again.  This time, it completed, as per usual (with this laptop).  Scan Log (No Anti-Rootkit Scan) below:
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 2014-11-28
Scan Time: 12:44:10
Logfile: 
Administrator: Yes
 
Version: 2.00.3.1025
Malware Database: v2014.11.28.05
Rootkit Database: v2014.11.22.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Phil
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 395264
Time Elapsed: 21 min, 10 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
Bitdefender Total Security 2015 is configured to ignore the MBAM .exe files as recommended in one of the threads that I read in this Forum.  I am running MAE Premium as well.  I have the same configuration on my tower computer and I have had no issues.  I can only assume the issue is unique to the configuration of this laptop.  I have no reason to believe that the laptop is infected, so cannot understand why it does not like MBAM Anti-Rootkit scanning.  I run full deep scans with Bitdefender (everything turned on for scanning) weekly, and it has never found anything but the odd tracking cookie.
 
As I indicated in my PM, this matter is not urgent at all.  I just would like to figure out why this happens.  If it is happening to me, it may be happening to a small percentage of other users because I seem to recall that MBAM ships with Anti-Rootkit scanning disabled by default.  If my memory is correct, then a lot of folks would not have changed the defaults, and so might be unaware that they have this issue.
 
I have cleaned up computers for friends, so I am aware of the amount of work involved; hence, my practice to enable all possible scans in my protection software.  Scan times are not an issue for me.
 
 
Thanks AdvancedSetup.  Have a great day.
 
Regards,
-Phil

Root Admin

Please try running the following.


Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

 

 

Then try running a full disk check. Click on START and type in CMD.EXE and when it shows on the menu right click and choose "Run as administrator" and type the following.

CHKDSK C: /R

You will get back the following.

The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process. Would you like to schedule this volume to be
checked the next time the system restarts? (Y/N)


Press the Y key and then the Enter key and restart the computer. It should run for at least 10 minutes but could take hours to run - just let it run.

Then again try the MBAM scan and let me know.

Thanks Phil


AdvancedSetup:

 

Ran TFC.  It only removed 11 MB.  I keep the laptop pretty clean with CCleaner every week.  Chkdsk c: /r is running as I write this.  I have run it before on the laptop and it usually takes about five or six hours.  Will report back later today or tomorrow.

 

Your assistance is appreciated.  Have a great day.

 

Regards,

-Phil


AdvancedSetup:

 

Chkdsk c: /r run.  Results below:

 

 
 
Checking file system on C:
The type of the file system is NTFS.
Volume label is Phil.
 
A disk check has been scheduled.
Windows will now check the disk.                         
 
CHKDSK is verifying files (stage 1 of 5)...
Cleaning up instance tags for file 0xcdd.
  248576 file records processed.
File verification completed.
  1172 large file records processed.
  0 bad file records processed.
  0 EA records processed.
  71 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 5)...
  312484 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered.
CHKDSK is verifying security descriptors (stage 3 of 5)...
  248576 file SDs/SIDs processed.
Cleaning up 329 unused index entries from index $SII of file 0x9.
Cleaning up 329 unused index entries from index $SDH of file 0x9.
Cleaning up 329 unused security descriptors.
CHKDSK is compacting the security descriptor stream
  31955 data files processed.
CHKDSK is verifying Usn Journal...
  34695592 USN bytes processed.
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  248560 files processed.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  95807713 free clusters processed.
Free space verification is complete.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.
 
 472985397 KB total disk space.
  89281644 KB in 177437 files.
    108252 KB in 31958 indexes.
         0 KB in bad sectors.
    364649 KB in use by the system.
     65536 KB occupied by the log file.
 383230852 KB available on disk.
 
      4096 bytes in each allocation unit.
 118246349 total allocation units on disk.
  95807713 allocation units available on disk.
 
Internal Info:
00 cb 03 00 fc 31 03 00 c9 91 05 00 00 00 00 00  .....1..........
ca 03 00 00 47 00 00 00 00 00 00 00 00 00 00 00  ....G...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 
Windows has finished checking your disk.
Please wait while your computer restarts.
 
 
 
I ran an MBAM scan with anti-rootkit scanning enabled.  It completed.  Scan log below:
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 2014-11-30
Scan Time: 18:23:04
Logfile: 
Administrator: No
 
Version: 2.00.3.1025
Malware Database: v2014.11.30.08
Rootkit Database: v2014.11.30.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Phil
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 396297
Time Elapsed: 22 min, 32 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
 
I also ran an sfc /scannow with negative results.  No integrity errors found.
 
I suspect that MBAM has some issue with certain computer configurations, and this laptop is one of those.  As I have said, I have no indication of active malware or viruses.  Bitdefender Total Security 2015, with the deepest scanning that can be enabled, finds nothing.  I am totally mystified why the anti-rootkit scan completed after a TFC and a chkdsk.  Any light you can shed on that would be appreciated.
 
All assistance, as always, appreciated.  Have a great day.
 
Regards,
-Phil
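The two scan logs Phil posted (2014-11-28 with "Rootkits: Disabled", 2014-11-30 with "Rootkits: Enabled") share one layout. As an added example that is not part of this thread or of Malwarebytes' software, the Python below parses that layout into header fields, per-category counts and detection lines, and checks the property the thread turns on: whether a scan completed with rootkit scanning enabled. Both sample logs are constructed (one abridged from the posted clean log, one with a made-up detection), and the one-detection-per-line layout under a non-zero category is an assumption.

```python
"""Parse Malwarebytes Anti-Malware 2.x scan logs in the layout posted above.
Added example, not Malwarebytes code; the detection-line layout is assumed."""
import re

# Per-category blocks at the end of every log: "<name>: <count>" then either
# "(No malicious items detected)" or one line per detected item (assumption).
CATEGORIES = ("Processes", "Modules", "Registry Keys", "Registry Values",
              "Registry Data", "Folders", "Files", "Physical Sectors")
_KV = re.compile(r"^([A-Za-z][A-Za-z -]*):\s?(.*)$")

# Constructed sample abridged from the 2014-11-30 log (clean, rootkits on).
CLEAN_LOG = """\
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2014-11-30
Logfile:
Version: 2.00.3.1025
Self-protection: Disabled
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 396297
Rootkits: Enabled

Processes: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

(end)
"""
# Constructed variant: rootkit scanning off and one made-up file detection.
DETECTED_LOG = CLEAN_LOG.replace("Rootkits: Enabled", "Rootkits: Disabled").replace(
    "Files: 0\n(No malicious items detected)",
    "Files: 1\nTrojan.Agent, C:\\Users\\Phil\\AppData\\Local\\Temp\\sample.tmp, Quarantined, ")


def parse_mbam_log(text):
    """Split a log into header fields, per-category counts and detection lines."""
    header, counts, detections = {}, {}, {}
    current = None                      # category block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line == "(end)":
            break
        if not line:
            current = None              # a blank line closes the category block
            continue
        if line == "(No malicious items detected)":
            continue
        m = _KV.match(line)
        if m and m.group(1) in CATEGORIES:
            current = m.group(1)
            counts[current] = int(m.group(2))
            detections[current] = []
        elif current is not None:
            detections[current].append(line)
        elif m:
            header[m.group(1)] = m.group(2).strip()
    return {"header": header, "counts": counts, "detections": detections}


def rootkit_scan_completed(parsed):
    """True only if the scan finished *and* rootkit scanning was switched on."""
    h = parsed["header"]
    return h.get("Result") == "Completed" and h.get("Rootkits") == "Enabled"


def total_detections(parsed):
    """Sum of all category counts; non-zero means something was flagged."""
    return sum(parsed["counts"].values())
```

Feeding the two posted logs through parse_mbam_log gives the same verdict the thread reaches by eye: the 11-28 scan completed only because rootkit scanning was off, the 11-30 scan completed with it on.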

AdvancedSetup:

 

I was hoping that you would have had some advice as to why this laptop has issues with MBAM, but I know the Forum is TOO busy.

 

In any event, I got notified on my laptop today, as did I on my main computer and my wife's computer, that 2.0.4.1028 was available.  I shut down the Bitdefender on the computers and on those two computers, the installs went well.

 

On the laptop, MBAM reported that I did not have administrator privileges.  UAC states, on the laptop, that there is only my account, with Administrator privileges, and the "Guest" account, which is off.  My account is password protected, so MBAM should have known that I have Admin privileges.  Rebooted, no success.

 

Ran MBAM_Clean and then downloaded the 2.0.4.1028 and installed with BD deactivated.  MBAM installed fine, but wouldn't update.  Just kept spinning and then reported that it could not connect with the Update server.  I skipped the update (I had 2014.12.04.08), but it failed, as described in my previous threads, during the file scan before 57,000 items with Anti-Rootkit scanning enabled.  Windows said it had encountered an error and it was searching for a solution.  Re-ran the scan with Anti-Rootkit scanning disabled.  Ran fine.

 

COLD REBOOT!  Upon reboot, ran TFC, then ran MBAM with Anti-Rootkit scanning enabled.  Ran successfully.

 

What is the issue with MBAM or this laptop?

 

Thanks for any advice.

 

Best Regards,

-Phil


Root Admin

Not really sure why it keeps having an issue like that Phil.

For testing let's temporarily have you uninstall BitDefender completely and install Microsoft Security Essentials and get it updated and reboot.

Then test updates and scans with MSE for a day or two and let me know if there are still any issues or not. That way we can rule out BitDefender as the issue or if needed look deeper to see why there is an issue with BitDefender.

http://windows.microsoft.com/en-us/windows/security-essentials-download

Ron


AdvancedSetup:

 

I thank you for your email and your interest in the problems that my laptop encounters with MBAM Premium.  Both my wife's computer and my main tower also run the same security solutions: Bitdefender 2015 Total Security, MBAM Premium 2.0.4.1028, and MAE Premium 1.0.4, with exceptions noted in all of those programs, as recommended.

 

There well may be some feature of my laptop's configuration that causes BD to not play nice with MBAM, but I am not prepared to drop from the best anti-virus solution to the worst, just to eliminate BD as a possible source of the problem.  Just yesterday, BD detected a new zero-day trojan.  I have been using BD for many years now, and though the product is not perfect, it is my choice as the most effective anti-virus solution out there.

 

What I think is worth exploring is why, after TFC was run, in the last two instances of this behaviour on the laptop, MBAM was able to complete with anti-rootkit scanning enabled.  Same BD.  What file, or files, is TFC taking out that CCleaner and WiseCleaner are not?

 

For now, I will run TFC if MBAM should fail to complete a scan with anti-rootkit scanning enabled, and see whether that fixes the problem as it has on two other occasions.

 

I don't know if you use BD, but if you do, you will know that the install is a very long process.  Killing off BD, only to re-install, is not an option that appeals to me.

 

In any event, TFC solved the problem last night, as it did once before, and I thank you sincerely for that valuable advice.  I was unaware that TFC existed.

 

My suspicion, and I emphasize that it is just the suspicion of an uninformed computer user, is that MBAM does have issues with certain platforms and anti-virus security solutions.  If this issue was afflicting all of the computers here, I would definitely take your advice and uninstall BD, but it is strange that MBAM works on two of three computers just fine with BD installed.

 

If the MBAM folks need further diagnostic logs from the laptop, I would be happy to oblige.  I greatly respect MBAM and the folks like you, who support the world-wide computing family and try to save us from our poor computing practices.  So few remember the old adage: "Practice safe hex!"

 

Have a great day, and thank you.

 

Regards,

-Phil

 

 


Root Admin

The only thing that comes to mind is possibly a corrupted file, but then why would you keep getting them? It's possible that MBAM can hang on a corrupted file, but once that has been fixed or removed it should not happen again.

 

I'll have to check with QA and see what they have to say about this and get back to you. They won't be back till Monday though so please send me a reminder on Monday and I'll get with them and see what they say.

TFC does kill off running applications which might be what's going on here.

 

You could possibly try running RKILL from Bleepingcomputer and then immediately run an MBAM scan and see if it completes after that as well or not.

 

Thanks


AdvancedSetup:

 

Thank you for offering to approach QA on my behalf.  It is much appreciated.

 

I did run RKILL as you suggested (results in an earlier post in this thread), but it found no processes to kill and the MBAM scan would not complete with anti-rootkit scanning enabled at that time.

 

Right now MBAM is working on the laptop, after the TFC run on Friday, so I am suspicious that TFC is deleting something that was annoying MBAM, since it has happened twice that running TFC enabled MBAM to run with anti-rootkit scanning enabled.

 

As always, thank you for your help.  It is REALLY appreciated.  Have a great day.

 

Regards,

-Phil


Ron:

 

Thank you for your email.  I am "reasonably" confident that it is not a Bitdefender issue as turning off BD protection never had any impact on the anti-rootkit scan failure.

 

If I encounter the error again, I will contact you and install whatever process monitoring tool you select.  So I guess for now, we can close this thread.

 

Thanks again for all of your help.  It is much appreciated.  Have a great day.

 

Regards,

-Phil


This topic is now closed to further replies.