I've been using Malwarebytes Premium for about 8 months. Last night it scanned as usual, and when I woke up this morning there was a MWB alert stating I was not fully protected. It said that my web protection was off and rootkit protection was off. When I went to re-enable them, the rootkit protection enabled, but the web protection just stayed at the 'enabling' state. Then I tried doing a scan and it went for 10 seconds and stopped, saying no threats detected, and the log said it was cancelled although I didn't cancel it. Then I did a custom scan configured for all threats and all my drives (C: D: E:). This went for about 5 minutes and crashed to a black screen and a full reboot. I did this a second time with the same results. This was with V3.0.6. Then I found the 3.1.2 update on the forum and downloaded and installed that. I ran a custom scan as configured above and it went for about 15 minutes before a reboot. So I then came here, followed the protocol as outlined in the "I'm infected - What do I do now" thread, and here I am. Hopefully this can get fixed soon. I've downloaded and run the Farbar tool and have attached the scan files below.

FRST.txt

Addition.txt


  • Root Admin

Sorry for the delay. This appears to be a business computer. As such you really should contact your System IT Admin for repairs.

I'll go ahead and give you some things to run to look at fixing issues, but it does not appear to be too infected at this point. There are some errors from the network.

 

Quoted log excerpt:

System errors:
=============
Error: (05/19/2017 09:47:31 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Error: (05/19/2017 09:47:31 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain FUTURA-TEK due to the following:
There are currently no logon servers available to service the logon request.


This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (05/19/2017 09:47:30 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:45:54 AM on ?5/?19/?2017 was unexpected.

Error: (05/19/2017 09:26:12 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}
 and APPID
{344ED43D-D086-4961-86A6-1106F4ACAD9B}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Error: (05/19/2017 09:24:58 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Error: (05/19/2017 09:24:58 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain FUTURA-TEK due to the following:
There are currently no logon servers available to service the logon request.


This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

The following will run some cleanup as well as a full disk check; the disk check will probably take a while to run, but let it run.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 


Hi Ron,

I DL'd and ran mb_clean-3xxx from the provided link. After the reboot and install I attempted to run the scan as instructed. It ran for about 60 seconds and crashed to a black screen and the "Windows did not shut down properly" boot screen with options to go to the various versions of safe mode or a reboot normally. Because of this, I was unable to get a log file to post.


  • Root Admin

Wow, I wonder if the computer is getting stressed and over heating. Once the scanner is running I've not heard of it crashing like that before. Normally if it crashes it just won't run. Shutting the computer down as though it lost power almost sounds like we're stressing it past some trigger point that resets the computer.

Let me have you run this scanner from Kaspersky; it will scan for malware and stress the system too. Let me know if it completes or not.

Please download and run the following tool to remove any found threats

Kaspersky Virus Removal Tool


Ok, I dl'd and ran the Kaspersky scanner using the defaults. It completed in about 2 minutes and found nothing. Then I selected the system drive as an additional component to scan and it ran for 29:41 and found 0 threats. One interesting thing though. When I opened the details link, the next window to come up showed blank and had in gray letters "No Enough Memory". That's not me misspelling, that was the exact wording.

Anyway, I await your reply. BTW, I have Speedfan installed. Would it be helpful to run that while I scan with MWB?

 


  • Root Admin

There are a couple of tools we could use to try and capture what's happening, but they are a bit complex to use and I've not written up any instructions on how to use them, so that might take a bit of time on my part if we went that route.

Let me have you try running our standalone anti-rootkit program and see if it crashes out too or not.

 

Please download Malwarebytes Anti-Rootkit from here
If needed there is a self help tutorial here: MBAR tutorial

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

 


  • Root Admin

Okay, that's good. We know that there is no rootkit and that the system for the most part seems OK. Please read and follow the directions from this topic and post back all the requested logs and files, and I'll look at them with another Engineer and see what we can find going on.

Thank you

Ron

 


  • Root Admin

One of the things I notice is that you're using old drivers for the Killer Network Card and Suite. In the past there was a history of issues, and updated drivers corrected the issue.
I cannot promise this is your issue, but I certainly recommend that you update your drivers.

Here is what you're currently using on your computer.
Qualcomm Atheros Bandwidth Control Filter Driver (Version: 1.0.30.1259 - Qualcomm Atheros) Hidden
Qualcomm Atheros Killer E220x Drivers (Version: 1.0.30.1259 - Qualcomm Atheros) Hidden
Qualcomm Atheros Killer Network Manager Suite (HKLM-x32\...\{FE5DFB80-6937-4154-A2C7-EF845C1301F8}) (Version: 1.0.30.1259 - Qualcomm Atheros)
Qualcomm Atheros Network Manager (Version: 1.0.30.1259 - Qualcomm Atheros) Hidden

 

Killer Network Manager Suite - Downloads
Last update: 30 May 2017
Comments: This is the older Killer Suite software. Includes Killer Network Manager software and drivers for Killer E2200, E2400, Wireless-N and Wireless-AC 1525/1535/1435.
Operating Systems: Windows 7, Windows 8.1, Windows 10 64-bit and 32-bit
Version: 1.1.69.1774

Please create a new System Restore Point. Then download the updated drivers and install them and restart the computer. Then see if the protection modules for Malwarebytes are able to load now.

Ron

 


Hi Ron, I dl'd and installed the 1.2.1302.0 version for v1.0 of the motherboard. I rebooted and tried to run MWB. It didn't load, and about 30 seconds later a message came up saying "Unable to connect to the service". So I ran mb-clean-3, and it cleaned MWB, dl'd a new copy and installed. It then came up saying I was fully protected. So I chose a custom scan and selected the C: drive and also Scan for Rootkit. It went through the scan process, and about 3 seconds after it got into the file system, right after the memory scan, the computer crashed to the black screen and rebooted to the "Windows did not shut down properly" screen. I then chose Start Windows normally and the computer booted to the desktop. When I went to invoke MWB to do a standard threat scan, it didn't initialize, and after about 30 seconds it displayed the "Unable to connect to the service" dialog. I was not able to get any reports because of this.

One other note. I ran Speedfan while running the Kaspersky tool you had me download. My CPU temps started out at 66 F for all cores and throughout the scan they hovered around the 150 F mark. I did the same with MWB and until it crashed, it ran about the same...maybe a little cooler, around the 145 deg F with some spikes to 150F. It never went higher than 150 F. I'm using a Phanteks cooler. Just an FYI, as I was curious.


Hi Ron, the post just above this one was a description of what I did last night. After I typed in that post I went to run MWB and it came up with the "Unable to connect to the service" dialog. I then ran mb-clean-3 again, got a new version of MWB 3 (I think it was a later revision), and after it installed and came up with the main screen I ran a Threat Scan. It completed, showed ~410k objects scanned and no threats. I've attached the log file here. So I then went and checked, and scan for rootkits was turned off. I don't know if that is the default, so I turned it on. Then I went and selected Custom Scan and selected the C: drive and Scan For Rootkits. It got about 30 seconds into the file system scan and crashed to the "Windows did not shut down properly" screen. I wanted to communicate the behavior of the Threat Scan and Custom Scan scenarios to you. It appears, at least this time, that a fresh install and Threat Scan completes, but a Custom Scan with those parameters does not.

After Killer Update 1.txt


  • Root Admin

That is odd, as the log shows that you did have rootkit scan enabled on the Threat Scan.

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Can I get a NEW MB-Check log please, now that you have an updated version installed?

Follow the information from this link and get me all new logs.

 

Let me see if anyone else has run into something like this and get back to you.

 


Hi Ron,

I have attached the new mb-check log as requested. One thing I wanted to point out is that after I get the crash to the reboot and subsequent "Windows did not shut down properly" screen, MWB will not initialize when invoked. After about 30 seconds it comes up with the message dialog, "Unable to connect to the service". I wanted to be explicit with that info. It appears that whatever is triggering the crash is disabling MWB's ability to run afterwards in that way. This mb-check log is after the crash which rendered MWB unable to run. Would it be helpful to give 2 mb-check logs? 1 before, with a fresh install of MWB, and a second afterwards?

mb-check-results.zip


  • Root Admin

Interesting... The log shows some errors cleaning up and removing Malwarebytes. Let's try the following.

Go ahead and download the latest MB-Clean and run it and reboot. DO NOT allow it to reinstall Malwarebytes for you at this time.

After the removal and reboot, please run a new FRST scan and make sure you place a checkmark in the Addition.txt check box and attach both new logs on your next reply.

Then also run the following for me.

Please download the correct version of SystemLook for your computer and save it to your desktop.
You can check here if you're not sure if your computer is 32-bit or 64-bit

SystemLook 32-bit x86 | or | SystemLook 64-bit x64

 

  • Right-click over SystemLook.exe or SystemLook_x64.exe and choose Run as administrator to run it
  • Copy the contents of the following code box into the main text field - including the colon characters.

 

:filefind
*mbam*
*malware*
:folderfind
*mbam*
*malware*
:regfind
MBAM
Malwarebytes
  • Click the Look button to start the scan

  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

  • Note: The log can also be found on your Desktop named SystemLook.txt


  • Root Admin

Can you please find these 2 files, zip them up and upload them for me?

C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\MBAMService.exe.2168.dmp

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_mbamservice.exe_3075d91cb6d3cf7cbee23fe121933a621bf66fb0_0467d883


Are you comfortable creating a new System Restore Point and then manually removing the following entries from the Registry? I would like to remove the Registry entries for the following Malwarebytes or MBAM settings, please.

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\bc0d9b25_0]
@="{0.0.0.00000000}.{4d8c1f1e-27c3-4572-8d8a-13ebd4ffe405}|\Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbam.exe%b{00000000-0000-0000-0000-000000000000}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f172b60_0]
@="{0.0.0.00000000}.{4d8c1f1e-27c3-4572-8d8a-13ebd4ffe405}|\Device\HarddiskVolume3\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe%b{00000000-0000-0000-0000-000000000000}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation"="C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_mbamservice.exe_3075d91cb6d3cf7cbee23fe121933a621bf66fb0_0467d883"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\mbamservice.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\mbamchameleon]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\mbamchameleon]
"EventMessageFile"="C:\Windows\system32\drivers\mbamchameleon.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\eventlog\System\mbamchameleon]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\eventlog\System\mbamchameleon]
"EventMessageFile"="C:\Windows\system32\drivers\mbamchameleon.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\mbamchameleon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\mbamchameleon]
"EventMessageFile"="C:\Windows\system32\drivers\mbamchameleon.sys"

[HKEY_USERS\S-1-5-21-502676559-664533377-4181304041-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\bc0d9b25_0]
@="{0.0.0.00000000}.{4d8c1f1e-27c3-4572-8d8a-13ebd4ffe405}|\Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbam.exe%b{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-21-502676559-664533377-4181304041-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f172b60_0]
@="{0.0.0.00000000}.{4d8c1f1e-27c3-4572-8d8a-13ebd4ffe405}|\Device\HarddiskVolume3\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe%b{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-21-502676559-664533377-4181304041-1000\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation"="C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_mbamservice.exe_3075d91cb6d3cf7cbee23fe121933a621bf66fb0_0467d883"

 

Then, let me have you run this updated fixlist file with FRST.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

If you have any questions or need help with any of this please let me know.

Thanks

Ron
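A scripted way to do the registry cleanup requested above, added here as an example; it is not part of this thread and not a Malwarebytes tool. It exports each quoted key to a .reg backup first, then removes only value entries whose name or data references Malwarebytes/MBAM and only the leaf keys named for Malwarebytes components, leaving the parent keys and unrelated values untouched. The key paths and the user SID are the ones quoted in the post; the backup folder location is an assumption.

```powershell
# Added example (not from the thread): back up, then selectively remove the
# Malwarebytes-related registry entries quoted in the post. Run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # SID quoted in the post; substitute the affected profile's SID on another machine
    [string]$UserSid   = 'S-1-5-21-502676559-664533377-4181304041-1000',
    # Backup folder name is an assumption of this example
    [string]$BackupDir = "$env:USERPROFILE\Desktop\RegBackup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)

$pattern = 'mbam|malwarebytes'   # case-insensitive; matched against value names and data

# Shared keys: only values referencing Malwarebytes are removed; the key itself stays
$valueKeys = @(
    'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\bc0d9b25_0',
    'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f172b60_0',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Debug',
    "HKEY_USERS\$UserSid\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\bc0d9b25_0",
    "HKEY_USERS\$UserSid\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\f172b60_0",
    "HKEY_USERS\$UserSid\Software\Microsoft\Windows\Windows Error Reporting\Debug"
)
# Leaf keys named for Malwarebytes components: the leaf goes, its parent stays
$leafKeys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\mbamservice.exe',
    'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\mbamchameleon',
    'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\eventlog\System\mbamchameleon',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\mbamchameleon'
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Backup-Key([string]$Key) {
    # reg.exe export writes a .reg file that can be re-imported to undo the change
    $file = Join-Path $BackupDir (($Key -replace '[\\:]', '_') + '.reg')
    & reg.exe export $Key $file /y | Out-Null
}

foreach ($key in $valueKeys) {
    $path = "Registry::$key"
    if (-not (Test-Path -LiteralPath $path)) { Write-Host "absent: $key"; continue }
    Backup-Key $key
    $item = Get-Item -LiteralPath $path
    foreach ($name in $item.GetValueNames()) {
        $display = if ($name -eq '') { '(default)' } else { $name }   # provider's name for the default value
        $data = [string]$item.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if ($name -match $pattern -or $data -match $pattern) {
            if ($PSCmdlet.ShouldProcess("$key -> $display", 'Remove value')) {
                Remove-ItemProperty -LiteralPath $path -Name $display
            }
        } else {
            Write-Host "kept (does not reference Malwarebytes): $key -> $display"
        }
    }
}

foreach ($key in $leafKeys) {
    $path = "Registry::$key"
    if (-not (Test-Path -LiteralPath $path)) { Write-Host "absent: $key"; continue }
    # Guard: never remove a key whose own name does not reference Malwarebytes
    if ((Split-Path -Path $key -Leaf) -notmatch $pattern) { Write-Host "skipped: $key"; continue }
    Backup-Key $key
    if ($PSCmdlet.ShouldProcess($key, 'Remove key')) {
        Remove-Item -LiteralPath $path -Recurse
    }
}
```

Save it as a .ps1 and run it from an elevated PowerShell with -WhatIf first to preview what would be removed, then again without it; keys that are absent (as several were for the reporter) are simply reported and skipped.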

 

 


Hi Ron,

I did a System Restore Point. Also, I've zipped and uploaded the files you requested. Then I proceeded to edit the registry according to your list. There were a few entries that were not there, or were different from the item in the list. I've noted them here.

In your list:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation"="C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_mbamservice.exe_3075d91cb6d3cf7cbee23fe121933a621bf66fb0_0467d883"

In my registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Debug]

"StoreLocation"="C:\Users\ArKay99\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_Explorer.EXE_e9cf5a57f9bf35ec61e8535fedf14cbf86df1_14f17c40"

In your list:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\mbamchameleon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\mbamchameleon] "EventMessageFile"="C:\Windows\system32\drivers\mbamchameleon.sys"

In my registry:

No entries for either.

In your list:

[HKEY_USERS\S-1-5-21-502676559-664533377-4181304041-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\bc0d9b25_0] @="{0.0.0.00000000}.{4d8c1f1e-27c3-4572-8d8a-13ebd4ffe405}|\Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbam.exe%b{00000000-0000-0000-0000-000000000000}"

In my registry:

Only Default and value not set

In your list:

[HKEY_USERS\S-1-5-21-502676559-664533377-4181304041-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\bc0d9b25_0] @="{0.0.0.00000000}.{4d8c1f1e-27c3-4572-8d8a-13ebd4ffe405}|\Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbam.exe%b{00000000-0000-0000-0000-000000000000}"

In my registry:

Only Default and value not set

In your list:

[HKEY_USERS\S-1-5-21-502676559-664533377-4181304041-1000\Software\Microsoft\Windows\Windows Error Reporting\Debug] "StoreLocation"="C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_mbamservice.exe_3075d91cb6d3cf7cbee23fe121933a621bf66fb0_0467d883"

In my registry:

C:\Users\ArKay99\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_Explorer.EXE_e9cf5a57f9bf35ec61e8535fedf14cbf86df1_14f17c40

I have not edited or done anything else with the above entries.

I have not downloaded or run the FRST with the fixlist.txt parameters. I am awaiting further instructions or the 'go ahead' from you based on the differences in the registry.

 

AppCrash_mbamservice.exe_3075d91cb6d3cf7cbee23fe121933a621bf66fb0_0467d883.zip

MBAMService.exe.2168.zip


  • Root Admin

Just want to remove entries for MBAM, Malwarebytes, etc. Not the main parent keys though. Just the data entries. If it does not contain or pertain to Malwarebytes then leave it alone please.

Thanks for the files so far. Please go ahead and run the fixlist with FRST.

I will have some others look at the dump file you provided. It looks like it is reading a memory range that then seems to cause the crash, but it will need one of the programmers to take a deeper look at it.

Thanks

 

 


  • Root Admin

Okay, looks good. We have submitted your crash dump file and other logs to the Development team to have them review and see if there is some specific issue causing this that they can find.

Please make sure your antivirus is installed, updated and running to protect your computer while we work on researching this. Please send me a follow-up private message if you've not heard back from me by Monday on this.

 

Thank you

Ron

 

