
Community.Intuit.com DNS issues



I have Windows7 x64 and MBAM 2.2.1.1043 and if I have Malicious Website Protection enabled then when I go to community.intuit.com I get "community.intuit.com's server DNS address could not be found." in Google Chrome. If I try Firefox I get "Firefox can't find the server at community.intuit.com." If I disable Malicious Website Protection I have no issues. I tried using the mbam-clean-2.2.2.7.exe and doing a reinstall after a reboot with the same issue.

 

 

Link to post
Share on other sites

Hello and Welcome!

This may be a false positive and you can report it in the False Positives Section

https://community.intuit.com/quickbooks-online

If the site above is what you're trying to get to, I can do it fine with my version of Malwarebytes that is completely updated.

Can you post your protection log for review where it's showing the blocks?

We would need more info on the system....

Please read the following and in your next reply ATTACH the 3 requested logs - Diagnostic Logs
(the three files should be CheckResults.txt, FRST.txt and Addition.txt)

Thank You,

Firefox

Link to post
Share on other sites

The issue is that MBAM is not showing anything in its logs nor is it popping up any alert boxes. Adding Intuit.com or community.intuit.com to MBAM whitelist does nothing to fix the problem. Only fix is if I disable MBAM Malicious Website option.

Link to post
Share on other sites

I already contacted Helpdesk they looked at my log files found no blockage being reported. I am seeing no popup message yet when MBam is installed and Malicious Website blocking is enabled DNS lookups fail in all 4 different browsers here on this one particular computer. Helpdesk said " I’ll check with our team but not likely this issue is from our blocking " that was about a week ago and I am still waiting.

Link to post
Share on other sites

There is no problem with DNS lookups for intuit.com. I have done several MBAM scans and virus scans and found nothing. Other websites have no such issue although there may be other affected sites but I have yet to come across them.

Edited by frozen
Link to post
Share on other sites

  • Root Admin

Hi @frozen

I understand - just want to take a look with you and see if we can track down why it's being blocked by MBAM if possible. If you have time or desire to let me work with you on the issue that would be great, otherwise all I can suggest would be to disable our web blocking mechanism and use the one from your antivirus.

Thanks again

Ron

 

Link to post
Share on other sites

I would prefer to get this fixed as past experience has shown one software will block some websites while the other software will not and vice versa. I just don't want multiple people involved in trying to fix this issue and duplicating the efforts.

Link to post
Share on other sites

  • Root Admin

Okay sounds good. I'll move your post to the Malware Removal section where others are not allowed to post.

Please let me get a new set of FRST logs and run the following for me as well.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Make sure you place a check mark in the Additions check box to get a new log for that as well.

 

Next,

 

Please create an mbam-check log:

  • Download mbam-check.exe from here and save it to your desktop
  • Double-click on mbam-check.exe to run it, it should then open a log file
  • Please do not copy and paste the entire contents of the log into your next post, instead please attach the log CheckResults.txt file which should now be located on your desktop to your next post


Next,

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.


Thanks

 

 

Link to post
Share on other sites

  • Root Admin

Did you create these ADS entries yourself?

 

AlternateDataStreams: C:\Windows:nlsPreferences [514]
AlternateDataStreams: C:\Windows\system.ini:c1_encryption_d [14]
AlternateDataStreams: C:\Windows\system.ini:c1_encryption_e [16]
AlternateDataStreams: C:\Windows\system.ini:c1_encryption_e2 [84]
AlternateDataStreams: C:\Windows\win.ini:c1_encryption_d [14]
AlternateDataStreams: C:\Windows\win.ini:c1_encryption_e [16]
AlternateDataStreams: C:\Windows\win.ini:c1_encryption_e2 [84]
AlternateDataStreams: C:\ProgramData\TEMP:44EAFCDF [262]
AlternateDataStreams: C:\Users\gregg\Cookies:3TZfEPru8mf4iejIJQRUHw5Hyvx [2690]
AlternateDataStreams: C:\Users\gregg\Cookies:KJllOSPvQuMwmPuGlYlx [2396]
AlternateDataStreams: C:\Users\gregg\AppData\Local\Temp:9FN6KQ5wI2FCbf8P34 [2420]
AlternateDataStreams: C:\Users\gregg\AppData\Local\Temp:Sfz8GXBYKxD2L4YyC0b9sE [2740]
AlternateDataStreams: C:\Users\gregg\AppData\Local\Temporary Internet Files:UJ3FVCWPjLa38LVCh [2502]

 

You have a lot of software and networking software installed that could possibly be conflicting with each other. There are errors that we need to work on fixing as we..

 

Error: (06/27/2016 01:45:07 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Skype.exe version 7.23.85.105 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Error: (06/21/2016 12:02:42 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program DllHost.exe version 6.1.7600.16385 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Error: (06/19/2016 10:00:13 AM) (Source: NetBalancer 9.1.2) (EventID: 0) (User: )
Description: This version of NetBalancer is outdated, please download a new one from our website.

Error: (06/18/2016 06:39:23 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Client application bug: DNSServiceResolve(40:d3:2d:76:11:8f@fe80::42d3:2dff:fe76:118f._apple-mobdev._tcp.local.) active for over two minutes. This places considerable burden on the network.

System errors:
=============
Error: (06/28/2016 02:59:19 PM) (Source: SbieDrv) (EventID: 1412) (User: )
Description: SBIE1412 In text: [Temp] \??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%

Error: (06/28/2016 02:59:19 PM) (Source: SbieDrv) (EventID: 1406) (User: )
Description: SBIE1406 Missing or invalid expansion for SystemDrive:  [C0000189]

CodeIntegrity:
===================================
  Date: 2016-03-17 09:21:18.011
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\LMouFilt.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 


Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Device ID: ACPI\PNP0303\4&17DB1A3&0
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

 

You're running CryptoPrevent (HKLM-x32\...\{5C5B24E7-4694-4049-A222-CCE7D3FAC63F}_is1) (Version:  - Foolish IT LLC) which is/was a good idea at the time but most of the newer encryption threats bypass this and it's not as successful at blocking as it used to be. For the most part there should not be any issues with using it but very difficult to 100% test it out completely with the millions of possible differences in software and hardware out there. I doubt it is involved in the issue, at least at this point.

 

For our MBAM program these files should be excluded by your firewall
mbampt.exe,mbamscheduler.exe, and mbam.exe should be allowed out through your firewall

This restriction is probably not valid and should be removed in most cases.
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

 

You're using the Google Public DNS which is good but I would make it the primary and your router the secondary unless you have a dozen computers or more at home you're constantly connecting to for data.
Tcpip\..\Interfaces\{5533B2F9-7891-45FD-BAFC-C332FA9DFBC5}: [NameServer] 192.168.1.1,8.8.8.8

Please work on correcting the above errors as best you can and let me know if you need help with any of them. Then we'll scan again to see where we're at.

Thanks

 

Link to post
Share on other sites

  • Root Admin

Okay, well we'll need to remove them as we continue to clean up issues. Please run a full disk check on your system - if you need to know how please let me know. Then review the other issues listed and try to repair those. I'll check back on you again tomorrow.

Thanks again

 

Link to post
Share on other sites

I uninstalled the following apps:

Netbalancer, Sandboxie, Cryptoprevent, NMap, Remote Utilities Viewer, UltraVNC, Unlocker, Wireshark and WOL Magic Packet Sender.

Did a chkdsk c:/r in an elevated command prompt window and rebooted and let it run. I did not see any errors but did not catch all of the Journal checking it was doing.

I changed the DNS settings around.

 

Regarding excluding those certain MBAM files should not the installation process automatically do that? I am only using the Windows7 firewall here.

Regarding the Google HKLM\Software\Policies would that have been inserted by ADWCleaner or by your Anti-Exploit product? I did not do anything to that registry entry.

Link to post
Share on other sites

  • Root Admin

Didn't necessarily mean for you to uninstall all of that. Just wanted you to be aware you're having issues according to the logs.

I can help you with any adjustments, etc. Please run the FRST scan again and make sure you place a check mark in the Additions check box to get a new log for that too. Then post back both new logs as attachments and I'll take a look how things look now.

Check Disk report:

  • Press the Windows key + R on your keyboard at the same time. Type eventvwr and click OK.
  • In the left panel, expand Windows Logs and then click on Application.
  • Now, on the right side, click on Filter Current Log.
  • Under Event Sources, check only Wininit and click OK.
  • Now you'll be presented with one or multiple Wininit logs.
  • Click on an entry corresponding to the date and time of the disk check.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.

 

Thanks

 

Link to post
Share on other sites

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          6/29/2016 10:52:09 AM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      GregAMD
Description:


Checking file system on C:
The type of the file system is NTFS.
Volume label is Win7NewInstall.

A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 5)...
Cleaning up instance tags for file 0x22c7a.
  421120 file records processed.                                        
File verification completed.
  1117 large file records processed.                                  
  0 bad file records processed.                                    
  2 EA records processed.                                          
  58 reparse records processed.                                      
CHKDSK is verifying indexes (stage 2 of 5)...
  521994 index entries processed.                                        
Index verification completed.
  0 unindexed files scanned.                                        
  0 unindexed files recovered.                                      
CHKDSK is verifying security descriptors (stage 3 of 5)...
  421120 file SDs/SIDs processed.                                        
CHKDSK is compacting the security descriptor stream
Cleaning up 4428 unused security descriptors.
  50438 data files processed.                                          
CHKDSK is verifying Usn Journal...
  35949504 USN bytes processed.                                            
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  421104 files processed.                                                
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  10283658 free clusters processed.                                        
Free space verification is complete.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

 125293567 KB total disk space.
  83508216 KB in 207712 files.
    122948 KB in 50441 indexes.
         4 KB in bad sectors.
    527763 KB in use by the system.
     65536 KB occupied by the log file.
  41134636 KB available on disk.

      4096 bytes in each allocation unit.
  31323391 total allocation units on disk.
  10283659 allocation units available on disk.

Internal Info:
00 6d 06 00 6b f0 03 00 4a f1 06 00 00 00 00 00  .m..k...J.......
30 03 00 00 3a 00 00 00 00 00 00 00 00 00 00 00  0...:...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.


 

Addition.txt

FRST.txt

Link to post
Share on other sites

  • Root Admin

I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome.

You can keep your “Bookmarks” if you want to keep them, but you have to export them first – >> Export Bookmarks << – Everything else should be removed.

Then I need you to go to >> Google Sync << and sign into your account.
Scroll down until you see the reset sync button and click on the button
At the prompt click on Ok.

Reset Your Browser Settings

  1. In the top-right corner of the browser window, click the “Chrome Menu” icon (Three horizontal lines)
  2. Select Settings.
  3. At the bottom, click Show advanced settings…
  4. Scroll down until you see “Reset settings”, Then click on the button Reset Settings.
  5. In the dialog that appears, click Reset.

Close Chrome and restart it and check it out for me please

Next,

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

Thanks

 

Link to post
Share on other sites

I did not reset Chrome since I did that over this weekend and it did not help. The issue wrt community.intuit.com failing DNS lookups is happening in multiple browsers and even at an elevated CMD prompt or when using NSLOOKUP and multiple DNS servers. The issue goes away in all cases when MBAM's Malicious Website Protection is disabled.

Fixlog.txt

Link to post
Share on other sites
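The comparison reported in the post above (the OS resolver, then each configured name server queried directly, with the web filter on and off) can be scripted. This is an added example, not part of the thread or of any Malwarebytes tooling; the function names and verdict strings are assumptions made for illustration, and the results passed to `classify` in the main guard are constructed.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS A-record query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer always ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return (rcode, [IPv4 addresses]) from a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record; CNAMEs etc. are skipped
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def query_server(name, server, timeout=3.0):
    """Ask one server directly over UDP, bypassing the OS resolver settings."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:  # socket.timeout is a subclass of OSError
            return "no-reply"
    try:
        rcode, addrs = parse_response(data)
    except (struct.error, IndexError):
        return "malformed"
    return addrs if rcode == 0 and addrs else f"rcode={rcode}"

def os_lookup(name):
    """Resolve through the operating system, as a browser would."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return "fail"

def classify(os_result, direct):
    """Turn one OS lookup plus per-server results into a verdict string."""
    if isinstance(os_result, list):
        return "resolves"
    if any(isinstance(r, list) for r in direct.values()):
        return "os-resolver-path"  # servers answer directly: hosts file, cache, NameServer order
    return "all-paths-fail"        # outage, or traffic dropped below the resolver settings

def diagnose(name, servers):
    """Live check; run once with the web filter enabled and once disabled."""
    direct = {srv: query_server(name, srv) for srv in servers}
    return classify(os_lookup(name), direct), direct

if __name__ == "__main__":
    # Constructed results shaped like the symptom reported in the thread.
    print(classify("fail", {"192.168.1.1": "no-reply", "8.8.8.8": "no-reply"}))
    # Live use: print(diagnose("community.intuit.com", ["192.168.1.1", "8.8.8.8"]))
```

A verdict of `all-paths-fail` that changes to `resolves` when only the web filter setting is toggled narrows the cause to something handling DNS traffic on the host rather than to the name servers themselves.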

I tried doing a tracert from an elevated command prompt out to community.intuit.com after running FRST and rebooting and no change. It still times out. I turn off malicious website protection and the DNS and subsequent tracert completes.

Link to post
Share on other sites

  • Root Admin

Yes, I understand and I believe you that it happens. Just trying to clean up the computer some first to make sure something else is not interfering.

 

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

 

Then download Process Monitor from Microsoft

https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

Then extract it to its own folder. Then run as administrator. Then open a browser window to the site and let it fail. Then right click MBAM and disable the web blocker and reload the browser. Then save the Process Monitor file and zip it up and attach on your next reply please.

Thanks

 

Link to post
Share on other sites


This topic is now closed to further replies.