Malware seems to conveniently deactivate real-time protection once in a while.


Recommended Posts

(My apologies for the length, if .)

On my laptop (upgraded from Windows 7 to Windows 10 about 6 months ago) I have been running Anti-Malware Premium (AM) and Anti-Exploit Premium (AEx) for 3 months – daily complete scans (I activated rootkit search) without any findings (except for the first day, when the rather nasty “Amazon1ButtonApp,” sneakily installed via the Java installer, was detected and removed). Since its installation AEx has consistently displayed “Blocked Exploit Attempts: 0.”

Once in a while – maybe about once every 2 weeks – AM does not initialise on starting the laptop (= the icon does not appear in the tray). When I start it manually, the real-time protection is deactivated [Screenshot 1]. Alternatively it does initialise on start, but the icon in the tray displays the red exclamation mark and opening the application shows the same result. (AEx, in contrast, is always running.)

Clicking the button in the top right (“Fix Now”/“Jetzt beheben”) to activate the full protection does nothing (meaning it is as if I had clicked an image: no message, no visual change at all).

I run the same combination (AM + AEx) on my old laptop (which I barely use, though) and encountered the same problem once – however, a few days later on starting the machine everything seemed fine again. (I suspected some problem after an automatic update.)

Anyway. What turned out to work on my new laptop when the issue appeared was to log off the account, switch to the Admin account (all others are standard accounts) and click on “Malwarebytes Anti-Malware Notifications” in the start menu – it initialised with real-time protection, and when I returned to the standard account it was the same (= real-time protection active again).

Just 5 days ago it happened again, and I decided to “cut the process short” by closing AM and restarting it “as Admin” via the context menu. However, I got the message that the “anti rootkit dda driver” was not able to initialise. [Screenshot 2]

A second related error message followed (sorry, no screenshot in this case, but basically saying the same).

Restarting the laptop and going the described route via the Admin account worked again.

TWO DAYS AGO (please bear with me, there is still something new here) – I was using one standard account for several hours where AM’s real-time protection was active, and then I changed to another standard account (no restart of the laptop), where the protection was suddenly displayed as DEACTIVATED. I decided to close it and start it again as Admin via the context menu (with the goal of documenting the full process via screenshots). To my surprise it worked fine this time; HOWEVER, while AM ran a full scan I used the time to surf in Firefox, only to suddenly receive (never before seen) messages from AM that it was blocking a malicious domain that Firefox tried to contact [Screenshot 3]. (I was visiting an absolutely unsuspicious website, and indeed checking different websites still resulted in those warnings.) Apart from these messages, the full scan by AM resulted in no detection of malware.

Now I just remember that a day before, Firefox had also thrown an error message that a security update failed and it didn’t succeed in contacting the server.

After a restart of my laptop with a once again successfully initialised AM, no messages about malicious websites show up during surfing (in the same account on the same browser, also checked with the same URLs). This underpinned the suspicion that is expressed in my thread’s title.

2 QUESTIONS ON FARBAR (Recovery Scan Tool)

1.) I downloaded the 64-bit version directly from the BleepingComputer URL. On starting it I received a warning from Windows that the publisher isn’t verified; when continuing, the mentioned disclaimer didn’t appear. May any of that be an indication that the software was compromised on the machine?

2.) Should FRST be started in the admin role?

Many thanks in advance!

Screenshot_1_deactivation.png

Screenshot_2_restartAEasAdmin.png

Screenshot_3_symcd_blocked.png

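The “publisher could not be verified” prompt is what Windows shows for a downloaded executable that carries no trusted Authenticode signature; it says nothing by itself about whether the bytes were altered. The following PowerShell snippet is an added example and not part of the thread or of the FRST tool: it reports the signature status of the downloaded file, its SHA-256, and the Mark-of-the-Web stream the browser attached, so the three facts can be compared with a second copy fetched on another machine. The file path and the `$ExpectedSha256` reference value are assumptions to fill in; the script only reads the file.

```powershell
# Added example, not from the thread: sanity-check a downloaded tool before running it.
# Assumptions: the file sits on the desktop as FRST64.exe, and $ExpectedSha256 is a
# hash you obtained out of band (e.g. from a second download on a machine you trust).
param(
    [string]$Path = "$env:USERPROFILE\Desktop\FRST64.exe",
    [string]$ExpectedSha256 = ''   # hypothetical reference value; leave empty to skip
)

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

# 1. Authenticode status. 'NotSigned' is the ordinary cause of the "publisher could not be
#    verified" prompt; 'HashMismatch' would mean the file was modified after signing.
$sig = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    File   = $Path
    Status = $sig.Status
    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
} | Format-List

# 2. SHA-256 of the bytes actually on disk, to compare with an independent copy.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
"SHA256: $hash"
if ($ExpectedSha256 -and ($hash -ne $ExpectedSha256.ToUpperInvariant())) {
    Write-Warning "Hash differs from the reference value; do not run this copy."
}

# 3. Mark-of-the-Web: browsers record the download zone (and often the source URL) in the
#    Zone.Identifier alternate data stream. Its presence is what triggers the prompt.
$zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) { "Zone.Identifier:"; $zone }
else       { "No Zone.Identifier stream (not marked as downloaded, or the mark was removed)." }
```

If the signature status is `NotSigned` and the hash matches an independently obtained copy, the prompt is simply Windows reacting to an unsigned download; a `HashMismatch` status or a differing hash is the case worth worrying about.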
  • Root Admin

Just run FRST and post back the logs as attachments. Should not need to launch as admin.


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.


  • Root Admin

No problem, I see that you have a Killer Network card in your system. They've had some issues with older drivers. Please visit the manufacturer's website to see if they have updated network card drivers for your system.

Then install them and reboot even if not asked to reboot and let me know if the issue with MBAM continues or not.

I also see that Microsoft Edge keeps crashing too but not really sure why that's happening. Please try the network driver and see if that helps Edge too or not.



Okay, obviously it’d be great if this is just happening due to a mere incompatibility instead of malware. I’ll check for the particular driver.

However, what’s up with the supposedly compromised Firefox rapidly trying to contact a malicious server? (Is anything known about symcd.com?)

As I said, suspiciously this was only detected on an occasion when the real-time protection didn’t activate at first, and I managed to manually activate it as an admin and started Firefox afterwards.

Cheers & many thanks!


So I wanted to update the driver this evening, but right before, it happened again by chance: real-time protection wasn’t active after I changed to another standard account. I closed Anti-Malware Premium (AM) and reopened it as admin. Next I opened Firefox for a visit, but no error message this time. UNTIL I opened Thunderbird and suddenly AM threw the attached message [Screenshot 1]. This recalled a weird matter that came to my attention a while ago [Screenshot 2]: a much older Thunderbird version was shown as installed on September 1st… it points to the same executable file as the other Thunderbird version, and within Thunderbird itself the update history showed no updates of the program. What could possibly be the problem?

thunderbird_08122016.png

mystery_mozilla_install.png

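Two “Programs and Features” entries that point at the same executable almost always come from two different registry keys under the Uninstall hives (for example one per-machine key and one per-user key, or one in the 32-bit view and one in the 64-bit view), each with its own DisplayVersion and InstallDate. The PowerShell below is an added example, not part of the thread and not a Malwarebytes or Mozilla tool: it lists every uninstall entry with the key it comes from, groups the entries by executable, and prints the file’s own version resource for each duplicated executable so the registry text can be checked against the binary on disk. It is read-only; the registry paths are the standard Uninstall locations and nothing else is assumed.

```powershell
# Added example, not from the thread: find "Programs and Features" entries that point at the
# same executable and show which registry key each one comes from. Read-only.
$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',             # 64-bit, per machine
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', # 32-bit, per machine
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'              # current user only
)

function Get-UninstallEntries {
    foreach ($hive in $hives) {
        if (-not (Test-Path -Path $hive)) { continue }
        Get-ChildItem -Path $hive | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if (-not $p.DisplayName) { return }   # hidden/incomplete entries are not listed by Windows
            # DisplayIcon is normally "<path to exe>,<icon index>"; keep only the path.
            $exe = if ($p.DisplayIcon) { ($p.DisplayIcon -split ',')[0].Trim('"') } else { $null }
            [pscustomobject]@{
                Name        = $p.DisplayName
                Version     = $p.DisplayVersion
                InstallDate = $p.InstallDate      # yyyyMMdd when the installer wrote it
                Executable  = $exe
                Uninstall   = $p.UninstallString
                RegistryKey = $_.Name             # reveals HKLM vs HKCU and 32- vs 64-bit view
            }
        }
    }
}

$entries = Get-UninstallEntries

# More than one entry per executable is exactly the situation in the screenshot.
$dupes = $entries |
    Where-Object { $_.Executable } |
    Group-Object { $_.Executable.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 }

if (-not $dupes) { "No two uninstall entries point at the same executable."; return }

foreach ($g in $dupes) {
    "`n== $($g.Count) entries for $($g.Group[0].Executable) =="
    $g.Group | Format-Table Name, Version, InstallDate, RegistryKey -AutoSize

    # The registry strings are whatever the installer wrote; the file's version resource
    # and timestamp are the authoritative facts about what is actually installed.
    $exe = $g.Group[0].Executable
    if (Test-Path -LiteralPath $exe) {
        $item = Get-Item -LiteralPath $exe
        "On disk: FileVersion={0}  LastWriteTime={1}" -f $item.VersionInfo.FileVersion, $item.LastWriteTime
    } else {
        "On disk: executable not found at $exe"
    }
}
```

A stale entry whose `RegistryKey` lives under HKCU or WOW6432Node while the current version sits under the 64-bit HKLM path is the usual explanation for an “older” install that shares the same executable; an entry whose on-disk FileVersion disagrees with both registry versions is the one to look into further.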
  • Root Admin
12 hours ago, lindenbyte said:

However, what’s up with the supposedly compromised Firefox rapidly trying to contact a malicious server? (Is anything known about symcd.com?)


Hi @lindenbyte - It looks like this detection was a false positive and has been removed from our rules. Please make sure you update the database.

That said if you're having issues with the Web blocker loading and not loading, in general, it might be best to do a clean removal and reinstall of MBAM.

We've actually also released version 3 today. You may wish to try the clean removal of your 2.x version and install the latest 3.x version and let me know how it goes.


Here is the link for the clean removal procedure

Please uninstall your current version of MBAM and reinstall the latest version using the following guide. MBAM Clean Removal Process 2x


Thank you

Ron

