Jump to content

Possible Infection Preventing MBAM From Working Properly?


Recommended Posts

Referred to this section from https://forums.malwarebytes.org/index.php?/topic/169455-mbam-version-2161022-not-working-properly/.

 

Basically MBAM does work properly after trying to update (definitions) online. Suspected there may be some malware hidden somewhere causing this issue, and possibly causing some other (minor) computer issues also?

 

MBAM works from clean install and provided that no updates have been attempted. As soon as updates have been attempted, MBAM only runs briefly and then stops/quits with one of two error messages appearing. Note that I'm using a dial-up (slow) internet connection, so what effect that may have on updates (if any) is unknown.

 

Either the error is -

 

"SDK. . database . . 21002" or similar message; or get "Threat Scan was canceled".

 

MBAM stops with either of these error messages about the time the scan procedure reaches "Rootkits" stage (Rootkits scan enabled in MBAM settings).

 

Running 2.1.6.1022 FREE version of MBAM.

 

Attached are logs from FRST64 and mbam-check.

 

 

FRST.txt

Addition.txt

CheckResults.txt

Link to post
Share on other sites

  • Replies 56
  • Created
  • Last Reply

Top Posters In This Topic

  • Staff

Hello,
 
 
 
Your PC has not Antivirus installed, you must do it, I'm not going to tell you how important that is.
 
 
Let's perform some cleanup:
 
 
51a612a8b27e2-Zoek.png Scan with ZOEK
 
Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on 51a612a8b27e2-Zoek.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Wait patiently until the main console will appear, it may take a minute or two.
  • In the main box please paste in the following script:
    createsrpoint;autoclean;emptyalltemp;ipconfig /flushdns;b
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

Link to post
Share on other sites

  • Staff

Good. Let's scan with FRST again:
 
 
FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.

Link to post
Share on other sites

  • Staff

FRST.gif Fix with Farbar Recovery Scan Tool
 


icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please upload it to your reply.

fixlist.txt

Link to post
Share on other sites

Thanks for the help so far!

 

Unfortunately there still seems to be a problem with updating MBAM definitions/program. It seems that updates are attempted to be downloaded but eventually they stop being downloaded before downloads are completed for whatever reason(s)?

 

And trying to run a (Threat) Scan, get error message "SDKDatabaseLoadDefaults failed with code: 20012" once the scan reaches Scan for Rootkits part of scan procedure and MBAM then stops running and shows a message that "Threat Scan completed successfully", when it hasn't!?

 

I removed MBAM by using mbam-clean utility, then reinstalled MBAM 2.1.6.1022 free version, but still had above errors occuring.

 

Either there is some well hidden malware causing these problems? Or maybe MBAM is bugged? Or maybe because I'm on a slow internet connection updates are not being downloaded fast enough? Or?

 

Unfortunately at this time the issue has not as yet been resolved.

Link to post
Share on other sites

Thanks for the link!

 

Despite using a download manager, there were difficulties in downloading this file. Although resuming downloads was supported, it appears that this download site uses time limited tokens/codes in which the download link would expire after a set amount of time. And downloads would not be able to be resumed after expiration of tokens/codes.

 

The download stopped three times and would not resume, presumably because of expired tokens/codes. So, I had to manually restart the downloads three times and then copy the new token/code into the download manager in order to complete downloading.

 

It seems the download site assumes everyone is using a fast (broadband) internet connection, so not a lot of download time is allocated for downloading this file. Unfortunately and very inconveniently, this causes issues for those trying to download files using slower internet connections (such as myself).

 

Eventually downloaded and installed version 2.1.7.1055 of MBAM. Then tried updating MBAM database twice. Database appeared to be downloading/updating, but after approximately 10 ~ 15 minutes the updating stopped and got message "Unable to access update server" on both update attempts.

 

Beginning to suspect that the "update server" (is it the same as the server for downloading programs as above?) may have download time limited tokens/codes as well? If so, then the time limits should be removed, or at the very least the time allowed for downloading updates should be extended substantially to allow plenty time for those using slow internet connections.

 

Suggestions? Comments?

Link to post
Share on other sites

  • Staff

Download 51a5f31352b88-icon_MBAR.pngMalwarebytes Anti-Rootkit to your desktop.

  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"

FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

Link to post
Share on other sites

Again had some difficulty in downloading MBAR using a download manager. But managed to download it and extract/run it.

 

Trying to update MBAR database, but, once again, the update stopped after approximately 10 minutes or so. And the download progress had not shown the update as being finished yet. Message on MBAR stated something to the effect that the update was successful anyway.

 

Tried to scan but got error message "Could not initialize database", and MBAR stopped.

 

Tried updating database again, but after a minute or so MBAR claimed update was successful. Tried again to scan but got the same error message Could not initiliaze database, and MBAR stopped once again.

 

I vaguely recall having some similar issue sometime ago with MBAR (that is, the updates didn't work and/or scans didn't work?), but I think it was suggested by someone that MBAM with Scan for Rootkits option was the better option instead of using MBAR.

 

In any case updates seem to be impossible at the moment. There seems to be a definite problem in trying to update MBAM and MBAR! The updates are not being downloaded completely and/or not installed properly (although it seems more like the updates are not being fully downloaded).

 

Again, some hidden malware may be causing the failure of updates? Or is there a problem with the update server(s)? Or some other issue?

 

What do we do now?

 

As a last resort I might have to do a complete wipe of the HDD, reformat it etc., but only if there is no other option.

Link to post
Share on other sites

  • Staff

Let's check your PC again:
 
 
TDSSKiller_Kaspersky.png Scan with TDSSKiller
 
Please download TDSSKiller by Kaspersky and save it to your desktop.

  • Right-click on TDSSKiller_Kaspersky.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
  • Your machine may appear very slow and unusable after that - it's normal.
  • TDSSKiller will run automaticaly. Click on Change parameters and click OK.
  • Click the Start Scan button and wait patiently.

If anything will be found follow this guidelines:

  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    If Cure is not available, please choose Skip instead.
  • Do not choose Delete unless instructed!

A report will be created in your root directory, (usually C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.
 
 
 

FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

Link to post
Share on other sites

  • Staff

reg_file_icon.jpg Registry Fix

Modifying the registry may create unforeseen results. Please do not proceed, unless you have created a registry backup prior to doing that!

Please download the attached registry fix file and save it to your desktop:
 
http://www92.zippyshare.com/v/tENUWbEi/file.html


Now we need to import the file into the registry.

  • Locate the NlaSvc.reg file on your desktop.
  • Right-click the reg_file_icon.jpg icon of your file and select Merge.
  • You'll be prompted about adding the information to the registry. Please agree.

After this please manually reboot your machine. Any report won't be generated.
 



 
FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
  • Please include their content into your next reply.
Link to post
Share on other sites

Reinstalled and ran MBAM version 2.1.7.1055.

 

MBAM then started searching for database updates. But after about 10 minutes of waiting for updates to actually start downloading I stopped MBAM as it seemed to be taking a bit too long to find updates.

 

Restarted MBAM, and after searching for database updates for about 5 minutes, MBAM started downloading updates. Unfortunately after 6 minutes of downloading updates, MBAM stopped downloading and an error message appeared "Unable to access update server".

 

So there is still an issue with inability to complete update downloads.

Link to post
Share on other sites

  • Staff

FRST.gif FRST search
 
Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

  • Copy {57CE581A-0CB6-4266-9CA0-19364C90A0B3} into the Search: field in FRST then click the Search Registry button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.

 

 

 

reg_file_icon.jpg Registry Fix

Modifying the registry may create unforeseen results. Please do not proceed, unless you have created a registry backup prior to doing that!

Please download the attached registry fix file and save it to your desktop:
 
http://www62.zippyshare.com/v/YZPqC1jv/file.html


Now we need to import the file into the registry.

  • Locate the TermService.reg file on your desktop.
  • Right-click the reg_file_icon.jpg icon of your file and select Merge.
  • You'll be prompted about adding the information to the registry. Please agree.

After this please manually reboot your machine. Any report won't be generated.

Link to post
Share on other sites

  • Staff

Sorry, here is the reg file you need:
 
http://www34.zippyshare.com/v/FCe2tQdG/file.html
 
 
 
FRST.gif Fix with Farbar Recovery Scan Tool
 

icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.