Frankmeister Posted July 24, 2016

Very sorry to say, this latest version of Anti-rootkit beta is not ready for prime time. It sits and plays dead without actually crashing. If it's actually doing something it needs an active progress bar. Just sits there....

2 hours later, no crash but no indication of any progress.

Try to shut it down and get: Scan interrupted, but that's all.

Still trying to cancel and exit: Opened Microsoft's "Resource Monitor program". Took a look at the wait chain. Was surprised to see it appears to be waiting (forever) for cmd.exe.

I interpret this to mean it is operating in command line mode under the GUI. However it appears to be stuck there waiting for something.....

My thought here is that the user can wait forever, but it will NOT help. It's stuck waiting for a command that never comes.

AdvancedSetup (Root Admin) Posted July 25, 2016

Hello,

Let's get some logs and see if we can see what might be going on, or get you cleaned up. Please read the following and post back the 3 requested logs as an attachment.

Diagnostic Logs

Thanks

Frankmeister (Author) Posted July 25, 2016

Thanks for your FAST assistance!

Downloading always seems to be more of an adventure in Malware than anything else these days. I would like to think Malwarebytes has in-house tools with less of a potential adventure component?? Or perhaps a cleaner version of this tool?

Thanks,
Bob

AdvancedSetup (Root Admin) Posted July 26, 2016

A search on Google and this is what I get for FRST: About 4,160,000 results

The tool is very safe and just logs information about your system. It does not make any changes unless told to do so. It is used by dozens of malware removal forums all over the Internet as a go-to tool to obtain information about what is running on a computer.

Frankmeister (Author) Posted July 26, 2016

I took a leap of faith and attempted to install Farbar. Panda Antivirus halted the install and deleted the file twice. Now that's 2 virus programs reporting a virus.

I would be OK with further diagnostics. However, it appears (contrary to internet research), something is up with this file. I would prefer not to play with fire. I imagine Malwarebytes, with its resources, has an in-house program to accomplish this task you can provide to me.

I tried to upload the Faber.exe file for you to examine, but your system will not allow an .exe. You are welcome to download it from the source you indicated at BleepingComputer and see if you can get it past Panda and VirusTotal.

Porthos Posted July 26, 2016

@farbar, who is an EXPERT here on these forums, created this tool. It is safe and the detections you are receiving are FALSE positives. Disable Panda and let the staff help you.

Edited July 26, 2016 by Porthos

AdvancedSetup (Root Admin) Posted July 27, 2016

I'm sorry @Frankmeister but we do not have a scanner like this ourselves. Often there are things that are not malware but are wrong and this tool can show that and help to fix it, or show things that may be a malware threat that have not yet been added for detection.

Please temporarily disable your system antivirus and download the tool and run it. Then when done, re-enable your antivirus.

Edited July 27, 2016 by AdvancedSetup

Frankmeister (Author) Posted July 28, 2016

Sorry for the delay. Spent the last 2 days in doctors' office waiting rooms.....

Will run Farbar asap and post results.

Thanks!!

AdvancedSetup (Root Admin) Posted July 29, 2016

Thanks, I'll check back on you again sometime tomorrow.

Frankmeister (Author) Posted July 29, 2016

Hi Ron,

I have prepared the requested 3 files. I have a few thoughts:

I was chasing Startpage24 malware until recently when I discovered it was from a downloader extension found in the top 10 on the Firefox site. (Nice work, Firefox.) I thought I was rid of it and now I see it back again at the bottom of the CheckResults.txt.

Startpage24 is lots of fun. It goes around to your browsers and plays havoc with your settings. At one point it had my Chrome browser redirected through some weird proxy server which has since disappeared! (It was clearly trying to harvest information.)

You will also note my many virus programs. We are living in the wild west. It will only get worse from here. No matter what ANY antivirus company claims, no one company is the total solution. AVG and Avast now play nice resident together. (Not true in the past.) I recently added Panda and ZoneAlarm running resident. Oddly, they seem to work OK all together.

Undoubtedly, you will object: expecting collisions, system crashing and high processor usage. However, on an AMD 8 core it idles at about 35%. Not too shabby.

The problem arises when I add MBAntiRansomware. Processor goes up another 20%. This would be acceptable....but if I open Chrome with 20 or more tabs I am running processor rather high.

Diagnostics: If I shut down ALL 4 resident antivirus programs, MB-Anti-Ransom still uses about the same 20% of the processor all by itself. Oddly, when viewed as the single process on Task Manager or Resource Monitor, the process itself seems to only use a fraction of a percent. However, when the process is active it accounts for 20% of total processor. (When I use the 20% mark it is just a generality.)

Thanks,
Bob

Attachments: CheckResults.txt, FRST.txt, Addition.txt

AdvancedSetup (Root Admin) Posted July 29, 2016

You're right, I am going to say you have too much antivirus. Whether or not there is or is not a conflict in your opinion. Sorry but there is no way I'm going to even attempt to try to get MBAR working on a system with so many security programs running. It is not designed to do so.

You're also using MSCONFIG as a startup manager which is not what it's for either. Please read the following article concerning the use of MSCONFIG: Msconfig Is Not A Startup Manager

I do see an immediate issue that needs fixing.

Error: (07/25/2016 01:24:34 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.
Details: The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (07/25/2016 01:24:34 PM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Please visit the following site and run the fixit tool from Microsoft: Fix Windows Desktop Search when it crashes or not showing results

A much more worthwhile and effective means of protection would be spending a bit of time and money on good solid backups of your data.

Backup Software

Thank you

Frankmeister (Author) Posted July 29, 2016

>>>> You're right I am going to say you have too much antivirus. Whether or not there is or is not a conflict in your opinion. Sorry but there is no way I'm going to even attempt to try to get MBAR working on a system with so many security programs running. It is not designed to do so.

I will gladly shut down 3 of the resident AVs. However, with all 4 resident Antivirus programs switched off, Antiransom still uses too much processor. That's not good.

>>>> You're also using MSCONFIG as a startup manager which is not what it's for either.

Seemed OK. Who knew? I have downloaded your suggested Autoruns and will give it a whirl.

>>>>> Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

If this reference is for the Windows file indexing, I shut it down years ago. Not sure why the file would be corrupt but I am NOT using it. All file searching I do is with a utility called Everything. It is 1000 x faster than indexing for Windows file searches.

>>>>>> A much more worthwhile and effective means of protection would be spending a bit of time and money on good solid backups of your data.

Always a great idea. I have cloned my entire drive every 3 or so days for years now.

Porthos Posted July 29, 2016

37 minutes ago, Frankmeister said: I will gladly shut down 3 of the resident AVs. However, with all 4 resident Antivirus programs switched off, Antiransom still uses too much processor. That's not good.

Shutting down does not remove the kernel drivers that are still running.

38 minutes ago, Frankmeister said: Antiransom still uses too much processor.

Remember it is still BETA. Should not be using it on your main computer.

Frankmeister (Author) Posted July 29, 2016

>>>>>> Shutting down does not remove the kernel drivers that are still running.

Hummmm. Did not think of that. Agreed.

>>>>>> Remember it is still BETA. Should not be using it on your main computer.

I kind of want to say YIKES. How concerned should I be???? Realistically, the only way to put it through the paces is on my everyday system where I can keep an eye on it. Otherwise I wouldn't be able to offer what might possibly be useful feedback.

Frankmeister (Author) Posted July 29, 2016

Some days ya just can't win for trying. I have just now observed that I have been inadvertently posting my concerns about Anti-Ransom Beta processor time to you guys in Anti-root-kit Beta.

Have I been wasting your time or are they the same department?

AdvancedSetup (Root Admin) Posted July 29, 2016

Totally different products and methods. You posted screenshots of MBAR, our rootkit remover.

That said, as for resource usage of our Malwarebytes Anti-Ransomware Beta product, it runs live and is doing a lot of analysis work on files as well as debugging code. A released product would remove debugging code and in theory reduce overall resource usage some.

Again, up to you as it's your computer and your time, but way too much security software in use in my opinion.

Frankmeister (Author) Posted July 29, 2016

Yup. I was having difficulty with both Beta products with different products. These posts were intended to be posted to Ransomware. I think it's the heat in our office.

Sorry for wasting your time but I gained valuable insight. When I take up my difficulties with Rootkit again I will come back to this thread.

Thanks,
Bob

Frankmeister (Author) Posted July 29, 2016

I was having difficulty with both Beta products with different problems.

YIKES, I AM losing it.