Broken digital signature, issued by: Malwarebytes Corporation

[BelleCoeur]

Hello, I have an issue that's popped up twice on my AVG scan. It reads,

Threat: The file is signed with a broken digital signature, issued by: Malwarebytes Corporation.

Object Name: C:\users\owner\AppData\Local\Mozilla\Firefox\Profiles\4jlm5zh.default-1473997761617\cache2\entries\BC59AC20E6E93E9E53A3F4CFAD91A81FCE4BE379

Severity: Message

State: Notification

Identified by: Scan

 

Plus earlier today when I went to run MalwareBytes I received this message:

"Malwarebytes was unable to load the Anti-Rootkit DDA driver, this error may be caused by rootkit activity. Do you want to reboot the system and attempt to install the Driver? (If you don't choose to reboot, Anti-Rootkit scanning will be disabled for this session.)

 

What steps should I take? Should I uninstall my current edition of Malwarebytes and download a new one? Any steps and advice would be much appreciated. Thank you.

[AdvancedSetup]

Hi @BelleCoeur and

Not sure why it would be reading one of our files from the Firefox profile but let's go ahead and get some logs and see if we can figure out what's going on here.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.
  

 

 

[BelleCoeur]

Hello, and thank you for the welcome! I'm so glad to have this resource and your help on this matter.

I attached the FRST.txt and Addition.txt from running the Farbar tool.

Thank you.

FRST.txt

Addition.txt

[AdvancedSetup]

Hi Belle

Notice that your Event Logs are showing some errors with an Access Denied. I could be wrong but I believe this might be due to your installation of AVG. What I'd like to suggest is doing a full uninstall of all AVG software Then also do a clean removal and reinstall of MBAM and then reboot a couple times and let's see if those error are still present or not.

 

 

Quote

Application errors:
==================
Error: (10/27/2016 12:00:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (10/26/2016 09:47:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (10/26/2016 09:37:52 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000208,(null),0,REG_BINARY,0000000001F6EC80.72).  hr = 0x80070005, Access is denied.
.

Error: (10/26/2016 09:37:52 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x0000063c,(null),0,REG_BINARY,00000000034CE170.72).  hr = 0x80070005, Access is denied.
.

Operation:
   BackupShutdown Event

Context:
   Execution Context: Writer
   Writer Class Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}
   Writer Name: WMI Writer
   Writer Instance ID: {14656717-d309-4fc7-a21c-a34c42fbfac5}

Error: (10/26/2016 09:37:52 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000cb0,(null),0,REG_BINARY,00000000065DDE30.72).  hr = 0x80070005, Access is denied.
.

Operation:
   BackupShutdown Event

Context:
   Execution Context: Writer
   Writer Class Id: {cd3f2362-8bef-46c7-9181-d62844cdc0b2}
   Writer Name: MSSearch Service Writer
   Writer Instance ID: {9745e2b2-4c47-45e5-8f93-f4711546af00}

Error: (10/26/2016 09:37:52 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000318,(null),0,REG_BINARY,000000000163DE30.72).  hr = 0x80070005, Access is denied.
.

Operation:
   BackupShutdown Event

Context:
   Execution Context: Writer
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {8479ea0a-c473-47d9-b173-334519b2fd04}

Error: (10/26/2016 09:37:52 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x0000063c,(null),0,REG_BINARY,00000000034CE170.72).  hr = 0x80070005, Access is denied.
.

Operation:
   BackupShutdown Event

Context:
   Execution Context: Writer
   Writer Class Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}
   Writer Name: WMI Writer
   Writer Instance ID: {14656717-d309-4fc7-a21c-a34c42fbfac5}

Error: (10/26/2016 09:37:52 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x000001b0,(null),0,REG_BINARY,000000000208EA50.72).  hr = 0x80070005, Access is denied.
.

Operation:
   BackupShutdown Event

Context:
   Execution Context: Writer
   Writer Class Id: {afbab4a2-367d-4d15-a586-71dbb18f8485}
   Writer Name: Registry Writer
   Writer Instance ID: {e4ed02f6-e432-4b26-a271-520ae407d459}

Error: (10/26/2016 09:37:52 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000cb0,(null),0,REG_BINARY,00000000065DDE30.72).  hr = 0x80070005, Access is denied.
.

Operation:
   BackupShutdown Event

Context:
   Execution Context: Writer
   Writer Class Id: {cd3f2362-8bef-46c7-9181-d62844cdc0b2}
   Writer Name: MSSearch Service Writer
   Writer Instance ID: {9745e2b2-4c47-45e5-8f93-f4711546af00}

Error: (10/26/2016 09:37:52 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000318,(null),0,REG_BINARY,000000000163DE30.72).  hr = 0x80070005, Access is denied.
.

Operation:
   BackupShutdown Event

Context:
   Execution Context: Writer
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {8479ea0a-c473-47d9-b173-334519b2fd04}

System errors:
=============
Error: (10/27/2016 11:59:32 AM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
Access is denied.

Error: (10/27/2016 11:59:24 AM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
Access is denied.

Error: (10/27/2016 02:00:06 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {995C996E-D918-4A8C-A302-45719A6F4EA7} did not register with DCOM within the required timeout.

Error: (10/27/2016 01:59:52 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C} did not register with DCOM within the required timeout.

Error: (10/27/2016 01:59:49 AM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
Access is denied.

Error: (10/26/2016 09:46:22 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
Access is denied.

Error: (10/26/2016 09:46:17 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
Access is denied.

Error: (10/26/2016 09:44:32 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
Access is denied.

Error: (10/26/2016 09:44:30 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {078AEF33-C48A-49F7-AFF3-A0EE810BFE7C} did not register with DCOM within the required timeout.

Error: (10/26/2016 09:44:25 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
Access is denied.

 

 

 

 

STEP 1

Please uninstall your current version of MBAM and reinstall the latest version using the following guide. MBAM Clean Removal Process 2x

STEP 2

Uninstall All AVG software and reboot the computer.

STEP 3

Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below, please see the following:
MBAM Clean Removal Process 2x
When reinstalling the program, please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

STEP 4

Restart the computer 2 more times. Then run a new FRST scan and make sure you place a check mark in the Addition.txt check box and post back both new logs as attachments.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.
  

 

[BelleCoeur]

Thank you so much for all of your guidance and help! I really appreciate it. I've already noticed a huge great difference in how my computer and Mozilla is running now. I'm happy to report it's much faster and more back to normal!

Here is my scan log from Malwarebytes and attached are the recent FRST.txt and Addition.txt.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/28/2016
Scan Time: 3:36 AM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.10.28.05
Rootkit Database: v2016.09.26.02
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 350743
Time Elapsed: 37 min, 4 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

When/or would you recommend I reinstall the latest edition of AVG? Thank you again!

FRST.txt

Addition.txt

[AdvancedSetup]

Thanks for the logs, glad to hear things are running much better now. However the FRST and Addition logs are the old logs. Please remove those logs and restart the computer 2 times. Then run FRST again. Make sure you place a check mark in the Additions.txt check box and then attach both new logs again. Thanks.

As for the AVG please note that soon there will be no more AVG Avast Announces Agreement to Acquire AVG for $1.3B

You may wish to look at installing Avast antivirus if that is your choice of antivirus but please run the FRST log again, before installing antivirus. Once that is done, make sure you choose and antivirus and get it installed and updated.

Thanks again 

Ron

 

[BelleCoeur]

Thanks Ron!

Oh shoot, I apologize. I ran it again per the earlier instructions and thought it had started new logs. I've been a bit under the weather so hadn't had time to get back on my laptop but I will run them in the morning if that's ok. 

Wow, thank you for the Avast news! I'll look into them. 

Thank you again; I wanted to touch base here and let you know I got your message. Will post the new logs tomorrow. 

[AdvancedSetup]

Not a problem. We'll be here @BelleCoeur when you're ready

Ron

 

[BelleCoeur]

Hi Ron,

Thanks for everything. It's much appreciated!

I restarted my computer twice and ran FRST. Attached are the latest FRST & Addition logs.

 

FRST.txt

Addition.txt

[AdvancedSetup]

The logs show you're running an old compromised version of Java (Java 8 Update 77). Please uninstall all versions of Java. If possible and you can do without Java that would be my recommendation as that software often gets compromised. If you really have to have Java then make sure you keep it up to date at all times.

All the even log errors you were having are now gone now that AVG has been removed, so yes that confirms they were due to AVG. However, you need to install some type of antivirus software for protection. It can be Microsoft Security Essentials or Avast, or any other well-known antivirus, but you need something.

Also, I cannot stress how important it is to have external USB backup of all of your important data. I highly recommend you read the following  Backup Software and if you're not already backing up then get an external USB drive and get started. Remember though, don't keep the drive connected all the time. Only when doing your backups and don't connect it if you think the computer may be infected.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

Thanks

 

 

 

 

 

[BelleCoeur]

Hello!

I uninstalled Java and set up BitDefender as my new antivirus software. I plan to set up my backup this week.

Attached is the Fixlog txt. Thanks!

Fixlog.txt

[AdvancedSetup]

Great, that looks good.

How is the computer running now?

Are there any other issues or concerns before we close up here?

Thanks

Ron

 

 

[BelleCoeur]

Great! I'm very happy to report that my laptop is running much, much better and a lot more normal. Thank you so much for your help, time and effort in helping me figure this matter out. I really appreciate it! 

[AdvancedSetup]

You're quite welcome @BelleCoeur

Here is a closing speech for you. Please review as you have time as it can help you to prevent future infection issues. If there is anything else I can do to assist you please me know.

 

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if ran at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
 
Download Delfix from here and save it to your desktop. (you may already have this)

• Ensure Remove disinfection tools is checked.
• Click the Run button.
• Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

 
If there are any other left over Folders, Files, Logs then you can delete them on your own.
 
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP

As Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsers
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

• How Malware Spreads - How did I get infected
• Best Practices for Safe Computing - Prevention of Malware Infection
• Avoiding those unwanted free applications
• A close look at how Oracle installs deceptive software with Java updates
• IAC / Ask.com toolbars
• Malwarebytes Unpacked Blog

If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

 

[BelleCoeur]

Thanks for the info!

I ran Delfix and all the FRST items are deleted.

This forum and you have been a wonderful resource. I'm so grateful for all your help! It's great to have my laptop running smoothly again.

[AdvancedSetup]

You're quite welcome @BelleCoeur - glad we could get things going well again for you.

Take care and stay safe out there.

 

[AdvancedSetup]

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!