Possible Infection Preventing MBAM From Working Properly?


Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of the Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.


Is other software okay to update?

 

 

Fix with Farbar Recovery Scan Tool
 


This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of the Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

fixlist.txt


Tried updating MBAR BETA 1.09.1.1004, but updating stopped after ~ 20 minutes with the download uncompleted. However, MBAR claimed the update was successful. So I tried an MBAR scan, but after a brief delay got the error message "Could not initialize database" and MBAR stopped running. So updates are still a problem.

 

Possibly related is that while using download managers (Getright in particular), it is not unusual to have downloads stop before completion and error message appearing that the download URL/server can't be found!? However in most cases I can usually manually resume downloads. This didn't use to happen (often), but seems to have been occurring more often since about a year ago or so. And around this time is when I started having MBAM and MBAR update problems also. Previously didn't have much difficulty updating MBAM.

 

Another possible relation is that roughly a year or so ago I tried using an internet optimizing program, TCPOptimizer. But this didn't seem to have any appreciable effect, so I reverted to the original configuration (theoretically, according to TCPOptimizer). But this program may have messed up some internet settings? I have also been using a Registry cleaner often, which again might have messed up internet settings?

 

Anyway ran FRST64 fix with the following result.

 

 

Fixlog.txt


Yesterday, downloaded and ran 'Complete Internet Repair'. Unfortunately it was not entirely obvious as to what parameters needed to be selected for repairs to be attempted. So selected several parameters as a best guess and ran the program which ended in requiring the computer to be rebooted.

 

Today,

uninstalled MBAM 2.1.7.1055

ran mbam-clean

reinstalled MBAM 2.1.7.1055

ran MBAM which then checked for updates for ~ 17 minutes

MBAM then updating database for ~ 2 minutes and then stopped with message "Database Out of Date"

selected MBAM update

MBAM then checked for updates for ~ 1 minute

MBAM then updating database for ~ 6 minutes and stopped updating with message "Unable to Access Update Server"

 

So there is still a problem with updating.

 

Either have persistent, well hidden malware? Or there is a problem with the update server? Or incorrect/corrupted computer internet settings? Or ?

 

Remember I'm on a dial-up connection, so does this slow connection maybe cause these updating issues?

 

Maybe need internet connection expert?

 

Would running Combofix and/or some other anti-malware scanner help?


We tried various tools, but they didn't show signs of infection. Let's run ComboFix as our last check:
 
 
Scan with ComboFix
 
This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!

 
Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.


Downloaded and ran latest version of ComboFix (15.6.23.1) with the following result.

 

I had a quick look through the log, and there doesn't appear to be any obvious sign of malware.

 

If there is no evidence of malware, then what would be the best way forward to help resolve this issue of inability to complete MBAM and MBAR updates?

ComboFix.txt


Unfortunately MBAM is still not updating properly.

 

Ran MBAM V 2.1.7.1055 (free version).

clicked on Update Now for updating database

MBAM then checked for updates for ~ 3 minutes

MBAM then started downloading updates

but after ~ 7 minutes MBAM stopped downloading updates with error message, once again, "Unable to access update server".

 

So, if there is no malware, then it seems there is a network issue, either on my computer, or at the server(s), or maybe both on my computer and at server(s)?

 

Have been reading some other posts elsewhere here for people also having difficulty updating MBAM. Some users are able to resolve the issue by reinstalling MBAM, but this doesn't seem to work for other users. So far, it appears that there may be issues with some servers depending on geographical location of the downloader/MBAM user. In my case I live in NZ. Is there some issue with server(s) providing service to NZ?

 

What should we do now?


  • Root Admin

Hello, I've been asked to step in and see if I can assist you in getting your issue resolved.

The logs show that you have multiple devices that do not appear to be functioning correctly. Please open Control Panel, System and Security, and click on Device Manager.

Then take a screen shot of it and post back the image please.

Please also let me know what the computer manufacturer is (Dell, HP, Sony, etc) then if it's a desktop or a laptop. Then what is the exact make/model number.

 

Name: Ethernet Controller

Description: Ethernet Controller

Class Guid:

Manufacturer:

Service:

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:

Description:

Class Guid:

Manufacturer:

Service:

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Universal Serial Bus (USB) Controller

Description: Universal Serial Bus (USB) Controller

Class Guid:

Manufacturer:

Service:

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Teredo Tunneling Pseudo-Interface

Description: Microsoft Teredo Tunneling Adapter

Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}

Manufacturer: Microsoft

Service: tunnel

Problem: : This device cannot start. (Code10)

Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.

On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Video Controller

Description: Video Controller

Class Guid:

Manufacturer:

Service:

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Universal Serial Bus (USB) Controller

Description: Universal Serial Bus (USB) Controller

Class Guid:

Manufacturer:

Service:

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller

Description: PCI Simple Communications Controller

Class Guid:

Manufacturer:

Service:

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


OK.

 

I have made some changes to my system before I was aware of the previous post,

 

Completely wiped, reformatted and reinstalled Windows 7 x64 SP1 on C: drive, with minimum number of applications reinstalled.

 

Installed and ran MBAM version 2.1.7.1055.

MBAM checked for updates for 10 minutes

briefly got "Unable to access update server" message for a few seconds

MBAM then continues to update for nearly two hours with no further issues

 

MBAM then restarted to install latest version (2.1.8.1057)

MBAM 2.1.8.1057 then checked for updates for 6 minutes

then MBAM started updating database for 18 minutes, but stopped updating with error message "Unable to access update server".

 

So there are still issues with updating, despite cleaning my HDD and reinstalling minimum number of applications.

 

As my system had changed, decided to run FRST64 with the following results. Also included is a screenshot of Device Manager as requested.

 

My system is a custom built desktop.

 

Principal components are -

 

motherboard - AsRock Z77 Performance  <- INF chipset and Intel USB 3 drivers installed from disk supplied with motherboard

CPU - i5-3570K

video card - Radeon HD 7770  <- video drivers installed from download (from AMD website)

sound card - Creative Sound Blaster X-Fi  <- drivers installed automatically by W7, didn't have to use driver disk supplied with sound card

internal modem - Netcomm IN5920  <- drivers installed automatically by W7, didn't have to use driver disk supplied with modem

 

Note that I am on a dial-up internet connection also.

FRST.txt

Addition.txt



  • Root Admin

Well, all those items in yellow mean the hardware is not working due to missing or misconfigured drivers.
 
Assuming this is the Fatal1ty Z77 Performance motherboard, then please visit the following link and download and save all the files listed.
 
http://www.asrock.com/mb/Intel/Fatal1ty%20Z77%20Performance/?cat=Download&os=Win764

 

Once you have all the files downloaded then extract any that are zipped into their own folder.

 

Then install the INF driver ver:9.3.0.1019 first. Then reboot.

 

Then try to go to the Windows Update and get all Windows updates.

 

Then let me know and we'll look at updating other drivers.

 


The presence of the yellow triangles within the Device Manager has been known for some time. Just didn't bother updating/adding drivers as the system seemed to be basically working OK.

Anyway, after another HDD wipe, and re-installation of Windows 7, appropriate drivers have now been installed, so there are no more issues regarding drivers. Screen shot of Device Manager enclosed.

Windows is also mostly up to date with latest fixes downloaded and installed. Only Internet Explorer updates, Windows Defender (or similar) updates, and a massive ~ 1 GB W7 x64 SP1 update were not downloaded and installed.

Downloaded MBAM version 2.1.8.1057. Had problems downloading this file, with frequent drop-outs, a lot of download resumes, and wildly varying download speeds. Initially, after 10 minutes of downloading, the download stopped with a message saying the server couldn't be found and resume wasn't supported. But I managed to resume the download manually using Internet Download Manager.

Installed and ran MBAM 2.1.8.1057 with nothing else running (no firewalls apart from Windows 7 firewall, and no anti-virus/anti-malware programs installed/running).

MBAM checked for updates for ~ 6 minutes

then MBAM started updating database for ~ 1 minute

then MBAM stopped with message "Unable to Access Update Server"

Tried running MBAM a bit later on.

MBAM reported "Databases out of date"

clicked on "Update Now"

MBAM checked for updates for ~ 4 minutes

then MBAM started updating database for ~ 2 minutes

and again MBAM stopped with message "Unable to Access Update Server"

There is definitely a problem here with updating MBAM. And it seems more likely to be a network/internet issue rather than some sort of malware at this stage.

Ran FRST64 with following results.

What is the best way to proceed to help identify and solve the problem of updating MBAM?


FRST.txt

Addition.txt


  • Root Admin

Well there could be a few things going on.

 

1. What region of the World are you in?

2. What type of Internet service are you using? Dialup, VPN, DSL, FastEthernet, Cable, Satellite?

 

There are still many recent errors in your Event Logs from today. I would highly recommend you ferret out what's causing them and correct them.

 

Please download the following tool and run it, then send us back the log.

http://tools.malwarebytes.org/traceroute_malwarebytes_cdn.exe
 

 

 

 

System errors:
=============
Error: (06/30/2015 01:07:34 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Intel® Content Protection HECI Service service terminated with the following error:
%%-2147024637

Error: (06/30/2015 01:07:02 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Security Center service failed to start due to the following error:
%%1069

Error: (06/30/2015 01:07:02 AM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The wscsvc service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:
%%50

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (06/30/2015 01:07:02 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Defender service failed to start due to the following error:
%%1069

Error: (06/30/2015 01:07:02 AM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The WinDefend service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error:
%%50

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (06/30/2015 01:07:02 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Software Protection service failed to start due to the following error:
%%1069

Error: (06/30/2015 01:07:02 AM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The sppsvc service was unable to log on as NT AUTHORITY\NetworkService with the currently configured password due to the following error:
%%50

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (06/30/2015 01:07:02 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Font Cache Service service failed to start due to the following error:
%%1069

Error: (06/30/2015 01:07:02 AM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The FontCache service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:
%%50

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (06/30/2015 00:58:13 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Defender service terminated with the following error:
%%-2147024882
 

 

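The Service Control Manager entries quoted in the post above are written with raw `%%N` codes, which is why the user later reports finding them hard to research. The following is an added example written for this page (not FRST's or Malwarebytes' code) that parses that "System errors" block, decodes each code against the Win32 error table (negative values are HRESULTs; the 0x8007xxxx ones carry a Win32 code in the low 16 bits), and pairs each 7000 "failed to start" entry with the 7038 "unable to log on" entry logged at the same second, since the 7038 carries the actual reason the logon failed. SAMPLE is a shortened copy of the excerpt above; the function names and the triage rule are this example's own.

```python
"""Decode the Service Control Manager entries FRST lists under "System errors".

Added example for this thread, not part of FRST or Malwarebytes. SAMPLE is a
shortened copy of the Addition.txt excerpt quoted in the thread; error names
come from the Win32 error table (winerror.h)."""
import re

# Win32 codes seen in the excerpt. SCM writes them as %%N; a negative N is an
# HRESULT, and FACILITY_WIN32 HRESULTs (0x8007xxxx) wrap a Win32 code in the
# low 16 bits.
WIN32_ERRORS = {
    14: "ERROR_OUTOFMEMORY",
    50: "ERROR_NOT_SUPPORTED",
    259: "ERROR_NO_MORE_ITEMS",
    1069: "ERROR_SERVICE_LOGON_FAILED",
}

EVENT_RE = re.compile(
    r"Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]+)\) "
    r"\(EventID: (?P<id>\d+)\) \(User: (?P<user>[^)]*)\)"
)

SAMPLE = """\
Error: (06/30/2015 01:07:34 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Intel(R) Content Protection HECI Service service terminated with the following error:
%%-2147024637

Error: (06/30/2015 01:07:02 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Security Center service failed to start due to the following error:
%%1069

Error: (06/30/2015 01:07:02 AM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The wscsvc service was unable to log on as NT AUTHORITY\\LocalService with the currently configured password due to the following error:
%%50

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (06/30/2015 01:07:02 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Defender service failed to start due to the following error:
%%1069

Error: (06/30/2015 01:07:02 AM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The WinDefend service was unable to log on as NT AUTHORITY\\SYSTEM with the currently configured password due to the following error:
%%50

Error: (06/30/2015 00:58:13 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Defender service terminated with the following error:
%%-2147024882
"""


def decode_code(token):
    """Turn a %%N token into (win32_code, name)."""
    n = int(token.strip().lstrip("%"))
    if n < 0:
        hr = n & 0xFFFFFFFF
        if hr >> 16 != 0x8007:
            return hr, "HRESULT 0x%08X" % hr  # not a wrapped Win32 code
        n = hr & 0xFFFF
    return n, WIN32_ERRORS.get(n, "unlisted Win32 error %d" % n)


def parse_system_errors(text):
    """Return one dict per 'Error:' entry, with its %% code decoded."""
    events, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = EVENT_RE.match(line)
        if m:
            current = {"ts": m["ts"], "source": m["source"], "id": int(m["id"]),
                       "desc": "", "code": None, "name": None}
            events.append(current)
        elif current is None:
            continue  # preamble before the first entry
        elif line.startswith("Description:"):
            current["desc"] = line.split(":", 1)[1].strip()
        elif line.startswith("%%"):
            current["code"], current["name"] = decode_code(line)
    return events


def triage(events):
    """Group entries by timestamp and pair each 7000/ERROR_SERVICE_LOGON_FAILED
    with the 7038 logged in the same second. The 7038 names the real reason the
    logon failed; the 7000 only records the consequence, so it is the 7038's
    error that is worth chasing. Returns (timestamp, failed starts, causes)."""
    by_ts = {}
    for e in events:
        by_ts.setdefault(e["ts"], []).append(e)
    findings = []
    for ts, group in sorted(by_ts.items()):
        logon = [e for e in group if e["id"] == 7038]
        start = [e for e in group if e["id"] == 7000 and e["code"] == 1069]
        if logon and start:
            findings.append((ts, len(start), sorted({e["name"] for e in logon})))
    return findings


if __name__ == "__main__":
    events = parse_system_errors(SAMPLE)
    for e in events:
        print(e["ts"], e["id"], e["code"], e["name"], "-", e["desc"][:50])
    print(triage(events))
```

On the excerpt above, the 7023 codes decode to ERROR_NO_MORE_ITEMS and ERROR_OUTOFMEMORY, and every 7000 at 01:07:02 is ERROR_SERVICE_LOGON_FAILED sitting next to a 7038 whose underlying error is ERROR_NOT_SUPPORTED; the parser only decodes and correlates, it does not diagnose why the logon failed.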

First, sorry about the "wall" of text in my previous post. My post was separated into paragraphs etc, but all the formatting was apparently removed when my message was posted.

 

I'm in New Zealand (South of South Pacific Ocean).

 

I'm on a dialup connection. That is the main reason why I'm reluctant to download the Windows 7 SP1 fix/update of about 1 GB, which would take at least two days of continuous downloading.

 

Ran the traceroute program with the following results.

 

 

traceroute_malwarebytes_cdn.txt


  • Root Admin

Well, the time delays are certainly huge and could possibly be part of the reason. Not sure there is a good way for us to replicate that type of connection. You can't even contact one that should be in your region.

 

Again I would try to resolve the issues shown in the Event Logs. That may not be the issue or may not correct it as the time delays are pretty big and possibly causing an issue getting updates.


Difficult to determine cause of the system errors as shown in previous Addition.txt log despite searching for causes/solutions on the 'Net.

 

So scanned for further Windows updates and found a few more "Important" updates which were downloaded and applied. Did not include two "Important" updates, which were Malicious Software Removal Tool and Windows Defender definition updates.

 

It should be noted that the Windows downloads totalled in excess of 50 MB, which my system downloaded without issue (apart from being slow due to dial-up connection).

 

After updating Windows, re-ran FRST64 with the results enclosed. It was noted in the latest Additions.txt log that the previous system errors were gone, but some new errors appeared instead.

 

Ran MBAM 2.1.8.1057 again and tried updating the database, but immediately got the message "Unable to Access Update Server", despite trying several times.

 

MBAM 2.1.8.1057 was uninstalled.

mbam-clean was then run to thoroughly remove all traces of the MBAM installation.

MBAM 2.1.8.1057 was then reinstalled and run once again.

 

MBAM 2.1.8.1057 checked for updates then started downloading updates. But the updates stopped soon, with no (error) message appearing(?) Tried running MBAM again with checking for updates and downloading updates. But again the downloads stopped and I think the message "Unable to Access Update Server" appeared again.

 

Previously, well over a year ago (with no change in ISP and with same or similar dial-up connection), updates to MBAM were possible. And although the updates were slow due to dial-up connection, the updates did complete. Now MBAM updates are not completed for whatever reason(s), although suspect some network/server issue.

 

The update servers, do they allow resuming of downloads?

 

If a server is down, are update requests to the downed server automatically redirected to another running server?

 

MBAM *.conf files, which are presumably configuration files, do not appear to be in (any known) text format and they can't be viewed/edited either(?)

 

It was suggested by a proprietor of a local computer store that problems downloading while using dial-up connection may be due to some servers giving priority for data transfer to fast connections. And slow (dial-up) connections are given lowest priority. So during heavy server loading, disconnections/drop-outs may occur, particularly, for the slow connections.

 

It is understood that the latencies for a dial-up modem connection can vary quite a bit, and are dependent on distance. Latencies in excess of 200 ms are not unusual for dial-up modem connections.

 

Is there a problem with the update servers?

FRST.txt

Addition.txt


Quick update.

 

Tried manually downloading latest definitions directly from data-cdn.mbamupdates.com, which is possible (according to various sources). Tried downloading twice (using browser, not download manager), but after 5 ~ 10 minutes, downloads stopped with error. And downloads could not be resumed.

 

Suspect "mbamupdates" server issue here, as downloading in general (although slow) usually completes without issue from most other download sites.

 

It appears that resuming downloads doesn't seem possible at mbamupdates server(s), and there might be a time limit on downloading the definitions also?


Thanks!

 

Have also tried downloading MBAM updates using two different download managers (IDA and IDM). Initially, downloading seemed fine with both download managers reporting downloads could be resumed. But after 5 ~ 10 minutes of downloading, and with download speeds dropping off, downloads stopped. Both download managers then tried to resume downloads, but resuming downloads was not apparently possible (despite download managers reporting resuming was possible).

 

Both download managers then started downloads from the beginning, and then reported that downloads could not be resumed!? The download speeds seemed to be much slower this time, so I manually cancelled downloads.

 

This is unusual behaviour for the download managers. And although this behavior does occur while downloading from a few websites, most of the time downloads resume with no further issues.

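The two posts above raise a question a practitioner can check directly: whether a download host honours HTTP Range requests (the mechanism every download manager's "resume" relies on), and why a browser can report a 1 kB file as "fully downloaded". The following is an added example written for this page, not Malwarebytes' code, and it never contacts data-cdn.mbamupdates.com: it stands up two constructed in-process HTTP servers, one that answers Range with 206 and one that ignores it, probes each with a one-byte Range request, then downloads in resumable pieces with a constructed mid-transfer drop-out and refuses to call the file complete until its size matches the advertised length. PAYLOAD, the handler classes, the URL path and the port are all made up for illustration.

```python
"""Probe an HTTP server for Range support and fetch a file in resumable pieces.

Added example for this thread, not Malwarebytes code. Both servers are
constructed in-process stand-ins; PAYLOAD is a made-up 10 KB "rules" file."""
import http.server
import threading
import urllib.request

PAYLOAD = bytes(range(256)) * 40  # constructed 10,240-byte stand-in for a rules file


class RangeHandler(http.server.BaseHTTPRequestHandler):
    """Answers 'Range: bytes=a-b' with 206 + Content-Range (resume-capable)."""
    support_range = True

    def do_GET(self):
        start, end = 0, len(PAYLOAD) - 1
        rng = self.headers.get("Range")
        if rng and self.support_range:
            lo, hi = rng.split("=", 1)[1].split("-", 1)
            start, end = int(lo), (int(hi) if hi else end)
            self.send_response(206)
            self.send_header("Content-Range", "bytes %d-%d/%d" % (start, end, len(PAYLOAD)))
        else:
            self.send_response(200)  # whole file from byte 0, Range ignored
        if self.support_range:
            self.send_header("Accept-Ranges", "bytes")
        body = PAYLOAD[start:end + 1]
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the console quiet


class NoRangeHandler(RangeHandler):
    """Ignores Range and always restarts from byte 0 (not resume-capable)."""
    support_range = False


def serve(handler):
    """Start a handler on a free loopback port; return (server, file URL)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/mbam-rules.zip" % srv.server_address[1]


def probe_resume(url):
    """Ask for a single byte with a Range header. A 206 with Content-Range means
    the server resumes; a 200 means it ignored Range and resume is impossible.
    Returns (total_length, resumable)."""
    req = urllib.request.Request(url, headers={"Range": "bytes=0-0"})
    with urllib.request.urlopen(req) as r:
        if r.getcode() == 206:
            return int(r.headers["Content-Range"].split("/")[1]), True
        return int(r.headers["Content-Length"]), False


def download_resumable(url, chunk=4096, drop_after=None):
    """Fetch url in Range-sized pieces, resuming from the bytes already held,
    and only report success once the size matches the advertised length.

    drop_after is constructed fault injection: the first response that would
    carry the transfer past that many bytes is cut short, imitating a dial-up
    drop-out. Returns (data, resumable, restarts)."""
    total, resumable = probe_resume(url)
    got, restarts, dropped = bytearray(), 0, False
    while len(got) < total:
        if got and not resumable:
            got = bytearray()  # server restarts from 0; appending would corrupt
            restarts += 1
        end = min(len(got) + chunk, total) - 1
        req = urllib.request.Request(url, headers={"Range": "bytes=%d-%d" % (len(got), end)})
        with urllib.request.urlopen(req) as r:
            body = r.read()
        if drop_after is not None and not dropped and len(got) + len(body) > drop_after:
            body, dropped = body[: drop_after - len(got)], True  # simulated drop-out
        got += body
    if len(got) != total:  # the check a browser skips when it trusts a closed socket
        raise IOError("size mismatch: %d of %d bytes" % (len(got), total))
    return bytes(got), resumable, restarts


if __name__ == "__main__":
    for handler in (RangeHandler, NoRangeHandler):
        srv, url = serve(handler)
        data, resumable, restarts = download_resumable(url, drop_after=5000)
        print(handler.__name__, "resumable=%s restarts=%d intact=%s"
              % (resumable, restarts, data == PAYLOAD))
        srv.shutdown()
```

Against a real host the same probe is a one-line check: send a `Range: bytes=0-0` GET and look for a 206 with `Content-Range`; anything else means each drop-out costs the whole transfer, which on a dial-up link is exactly the pattern described in the thread.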

  • Root Admin

Please try the following tool but fully disable all download managers. Just use native Windows download mechanism.

 

http://downloads.malwarebytes.org/file/mbam_rules

 

This is a zip file with both 1.x and 2.x update programs. Run the 2.x version and let me know how it goes.

 

Thanks


OK. Disabled all third party download managers.

 

Tried downloading "mbam-rules-2015-07-02.zip" file using browser in-built downloaders only.

 

Tried Internet Explorer and later tried Opera. Firefox browser was not used for downloading as it was downloading something in the background despite disabling automatic updates(?).

 

The file started downloading on all attempts. But after around 10 minutes or so, downloading just stopped with "error" appearing in the browser download window.

 

Tried resuming and/or restarting downloads, but downloads did not resume. Browsers then reported the file had been fully downloaded (when it hadn't); the file size was only 1 kB on the HDD.

 

So using just the browsers for downloading doesn't seem to work.

 

Installed Lightning Download download manager.

 

Tried downloading file again using Lightning Download (LD). File started downloading, but again downloading stopped after ~ 10 minutes with LD trying to resume the download. On one or two occasions the download did resume, but on three or four occasions LD stopped trying to resume downloading and an error message appeared something to the effect that the file and/or server could not be found!

 

I clicked on "Cancel" within the error message dialog box, and LD then retried and resumed downloading!!

 

Eventually managed to download mbam-rules-2015-07-02.zip file using LD!

 

Ran "mbam2-rules.exe" file (within the above zip file) which then presumably updated MBAM definitions.

 

With internet disconnected, MBAM ran and completed all scanning tasks (with no malware found).

 

I disconnected from the internet before running MBAM because MBAM will always check for and attempt to update the program/definitions if an internet connection is live. And from previous recent experience, the update(s) will most likely fail with MBAM failing to work properly after that.

 

 

At present there are only two ways of using/running MBAM, and in both cases MBAM HAS to be run with NO live/active internet connection.

 

1) Download the latest program (and accompanying definitions), and doing a clean install and running MBAM without any attempt at live/automatic updating.

 

2) Downloading the latest "mbam-rules" via LD and applying the updates manually this way. Again there can't be a live/active internet connection at any time when MBAM is running.

 

 

There seems to be a definite server/connection issue going on here which prevents MBAM updating properly and automatically any time MBAM is run with an active internet connection.

 

Can the server(s) be checked for proper functioning?

 

 

What now please?


  • Root Admin

There are probably over 10,000 servers Worldwide so no in essence it cannot be checked. If it were an issue with the server (like it was a couple weeks ago) we get thousands of update error reports from people pretty quickly.

 

What is causing the issue between you and our update servers I'm not sure. Do you have another computer in the house, or perhaps a friend that can visit with a laptop, to test their system?

 

Starting to run out of ideas here without involving your ISP.
