Unable to load the Anti-rootkit driver?



Hi,

I had installed MBAM and activated the trial, but every time the program was started it displayed the message in the screenshot. Also, real-time protection was turned off by default. When I clicked the red FIX NOW button nothing happened, i.e., real-time protection did not turn on. When I manually navigated to Settings and turned on the radio buttons (malware protection and malicious website protection) the options changed, but real-time protection was not activated. Now my trial period is over, but that is OK. What bothers me now is that the anti-rootkit driver is not activated. I have run the latest TDSSKiller by Kaspersky, Bitdefender Rootkit Remover and Malwarebytes Anti-Rootkit Beta (with the latest definitions), but nothing is detected. Am I infected? How should I proceed now?

mbam-error.png


  • Root Admin

Hello @anniyan and :welcome:

 

 

Please try the CLEAN REMOVAL procedure below. Then ensure you're using an account with Admin rights.

Please uninstall your current version of MBAM and reinstall the latest version using the following guide: MBAM Clean Removal Process 2x


Let us know.

Thanks

 


Thank you, Mr. Ron Lewis. :)

I ran mbam-clean in an account with admin rights, rebooted into the account with admin rights as directed, and installed MBAM from the link you pointed to; no error occurs in the admin account. But when I rebooted into my standard account, the error (screenshot) occurs again. :( What can I do next?


Hi, sorry about the late response.
I have some doubts regarding running the tools you have mentioned:
a. I have these security products:

1. free AV (Qihoo 360 Total Security with built-in Bitdefender and Avira engines)
2. free HIPS firewall (Private Firewall 7.0)
3. MBAE Premium
4. Ad Muncher
5. MBAM Free
The following are disabled all the time unless needed:
6. GlassWire Free (without firewall functions)
7. Crystal Security
8. PeerBlock Free

Which of the above 8 should be exited when running each of the tools you have mentioned?

b. Should the laptop be connected to the internet when running these tools?
c. Should my 3 external HDDs (1 TB each) and 1 thumb drive (8 GB) be connected to my laptop while running these tools?
d. Should I run these tools from the admin account or my usual standard account?
e. Before running FRST, which of those checkboxes should be ticked?

Thanks in advance :)


  • Root Admin

You can try leaving them running. If FRST has issues accessing something, the log will be cut off; we'll see it and then give additional advice.

Initially I'd leave the external drives disconnected. Use an Admin account for everything we're doing for now.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

 

Thanks

 


I ran FRST first without the internet connected, but I saw it displaying "update-check", so after the first run was complete I deleted the first run's logs (FRST.txt and Addition.txt) and ran FRST again, this time with the internet connected. Everything was done from the ADMIN account. Qihoo, MBAE, MBAM, Ad Muncher, Private Firewall and GlassWire were enabled, and I exited PeerBlock, Crystal Security and Glarysoft Utilities before I started the scan. I have attached the logs for your kind perusal. Thank you :)

FRST.txt

Addition.txt


  • Root Admin

Well unless it's your antivirus stopping it I'm not seeing anything known to be an issue in the logs.

 

Please visit this web page and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

11 minutes ago, AdvancedSetup said:

Well unless it's your antivirus stopping it I'm not seeing anything known to be an issue in the logs.

I have been using this combination of security software for a long time, but only recently have I been experiencing this issue. Also, I reiterate that the above error message shows up only in my STANDARD account and not the ADMIN account. Anyway, I will follow your instructions and report back.

thank you very much :)


  • Root Admin

No, should not need Defogger.

A standard account cannot load drivers, which may be the issue you're describing if you're running MBAM manually in that account.

If you install MBAM with an Admin account and set up scheduling so that it runs updates and scans under the SYSTEM account, it should run silently. If you're manually opening and running it from a Standard account, that account would not have the rights to run it.

 

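As an added illustration of the driver-loading point above (this is example code, not code from the thread or from Malwarebytes): a PowerShell check, meant to be run once from the standard account and once from the admin account, that reports whether the current token is elevated and carries SeLoadDriverPrivilege, and lists kernel-mode driver services that are configured to start on their own but are not running. The thread does not name the driver, so no driver name is assumed; the -NamePattern parameter is a filter the reader supplies. Assumes Windows Vista or later with Windows PowerShell 3.0+.

```powershell
# Added example, not code from the thread or from Malwarebytes.
# Assumptions: Windows Vista+ (whoami, UAC) and Windows PowerShell 3.0+
# (Get-CimInstance, -in operator). No Malwarebytes driver name is assumed;
# pass -NamePattern to narrow the listing.

function Test-DriverLoadRights {
    # Elevated admin token? A standard account, or an admin running
    # unelevated under UAC, fails this check.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # SeLoadDriverPrivilege is what is checked when a driver service is loaded.
    # A standard user's token does not contain it at all; an unelevated admin
    # token contains it but leaves it disabled.
    $privLine = whoami /priv | Where-Object { $_ -match '^SeLoadDriverPrivilege\b' }

    [pscustomobject]@{
        User                = $identity.Name
        IsElevatedAdmin     = $isElevated
        HasSeLoadDriver     = [bool]$privLine
        SeLoadDriverEnabled = [bool]($privLine -match '\bEnabled\s*$')
    }
}

function Get-KernelDriverStatus {
    param(
        [string]$NamePattern = '*',   # wildcard on the driver service name
        [switch]$StoppedOnly          # only drivers that should be up but are not
    )
    # Win32_SystemDriver enumerates kernel-mode driver services with their
    # current State and configured StartMode (Boot/System/Auto/Manual/Disabled).
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object {
            $_.Name -like $NamePattern -and
            (-not $StoppedOnly -or
             ($_.State -ne 'Running' -and $_.StartMode -in 'Boot','System','Auto'))
        } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

# Usage: run from each account and compare the two outputs. A standard
# account shows HasSeLoadDriver = False; an admin prompt that was not started
# with "Run as administrator" shows it present but SeLoadDriverEnabled = False.
Test-DriverLoadRights | Format-List
Get-KernelDriverStatus -StoppedOnly | Format-Table -AutoSize
```

The second listing is deliberately broad: a driver that is registered but set to Manual start will not appear under -StoppedOnly, so if nothing relevant shows up, rerun with -NamePattern and without the switch to see the service's configured start mode and image path.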

For years I have been using MBAM only in this standard account (with rootkit scanning enabled), but I never got this error. Neither have I changed the security configuration recently. I suspect an infection. So I will do as you suggested (run ComboFix) and revert with the log. Thanks for guiding me :)


I did not know which account to run ComboFix from, so I assumed it should probably be the ADMIN account, and so I ran ComboFix from the ADMIN account (and not the standard account which produces the error message), after exiting all the above-mentioned security software and stopping MBAE (I could not exit it). Two error messages were displayed, but I clicked YES for each. I have attached those screenshots. Also please find attached the ComboFix logs.

PS. I did not connect my external drives for the scan; is that OK?

ComboFix.txt

error1.png

error2.png

ComboFix-quarantined-files.txt


  • Root Admin

That's okay. It was not able to run the Registry backup with admin rights is all.

Please make sure you're always using an Admin account while running any scans unless told otherwise, thanks.

 

 

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 04
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 05
Let's clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista / Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done, you'll see: Pending: Please uncheck elements you don't want to be removed.
  • Now click on the Report button and a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look at the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up, click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want to be restored > now click on Restore.

STEP 06
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


I have followed your instructions and cleaned all detected stuff. I have attached the logs, but the issue still persists. Can you share your findings so far about what could be the reason? Also, can I know why some extensions of Cyberfox were detected? I only install extensions from addons.mozilla.org and nowhere else. Also, can I know what WarnOnPostRedirect means? Is it serious? It seems my little brother had installed some games, which were detected as causing WarnOnPostRedirect?

JRT.txt

AdwCleaner[S0].txt

AdwCleaner[C0].txt

SophosVirusRemovalTool.log

FRST.txt

Addition.txt


  • Root Admin

Do you mean this redirect notice in IE ?

https://help.salesforce.com/apex/HTViewSolution?id=000005615&language=en_US

Not certain yet what is causing the rootkit driver to not load, will do some other testing on my own as I have another user with a similar issue.

Just because a plugin is on the Mozilla site does not mean it's 100% safe. Sometimes there are false positives as well. If you think it is a false positive, you need to submit it to the author of the software tool that flagged it.

Let's go ahead and clean up a bit more stuff.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 


1 hour ago, AdvancedSetup said:

Do you mean this redirect notice in IE ?

No, I just read the log from Sophos VRT and came across such a deletion: WarnOnPostRedirect.
 

 

BTW, is there a typo in the first line of the fixlist.txt that you attached? KLM instead of HKLM?

 


This topic is now closed to further replies.