
Probable Malware, MBAM Not Working



Running Windows 7 32 bit SP1.

Installed MBAM version mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092 a few days ago and it ran fine after installation. But it failed to run as of yesterday or so; I keep getting the error messages "Unable to start" and "Unable to connect the service". MBAM failed to run despite trying to run it under Safe Mode as well.

Tried MBAM-clean.exe, rebooted, and then reinstalled the above MBAM, but again it fails to run, with the error message appearing again!

Ran MBAM-clean.exe again and installed MBAM version mb3-setup-consumer-3.1.2.1733-1.0.160-1.0.2251, but this version also failed to run, with the error message appearing once again!!??

Tried running SUPERAntiSpyware, AdwCleaner, RogueKiller, and maybe one or two other similar programs, but no malware (of concern) was found.

Ran the Tweaking.com Windows Repair program a few times after the first time I received the MBAM error message, and before installing the latest version, but it didn't seem to help.

No hardware changes were made to my computer, but there were a few programs added/uninstalled around this time (mainly anti-malware), so that might have caused some issues with my system, which in turn may have affected the running of MBAM??

Ideas?

Edited by meeshu

Hello @meeshu:

Thank you for reporting the system's Start/Connect issue.  The Malwarebytes' staffers/helpers must have good log data for a quality fault analysis to begin.

  1. Please save your work and close all running user applications for your convenience.

  2. Please follow the steps within the locked/pinned topic at Having problems using Malwarebytes? Please follow these steps.

  3. In your next reply to your topic, please only attach the three (3) separate files that are developed above: mb-check-results.zip, FRST.txt, and Addition.txt.

  4. Additionally, please consider selecting the "Follow" button, near the upper-right corner of your topic, to receive punctual email notifications when updates are posted.

Thank you.


This is in relation to -

There has not been a response to that thread yet from an anti-malware helper!!?? In addition, I'm unable to post an update/add a reply to that thread!?

I've already made some attempts at malware removal, but there is still an issue with my computer.

On further investigation, although the service WmiApSrv.exe has been "stopped" (under Services in Windows Task Manager), a file with the name WmiApSrv.exe is running under Processes (in Windows Task Manager). I can stop this process, but eventually it returns and loads the CPU to 50%. Additionally, another WmiApSrv.exe process may also occur, which then loads the CPU to 100%! The location of this "process" is within C:\Windows\fonts, which I suspect shouldn't be there and is possibly some sort of malware.

Also, MBAM will still not run; I get the errors "Unable to start" and "Unable to connect the service". I have already used MBAM Clean to remove MBAM, rebooted the computer and (re)installed MBAM, but again MBAM will not run, with the error messages appearing again!

Latest FRST scans included (waited until the "Process" WmiApSrv.exe occurred first before re-scanning) -

 

FRST.txt

Addition.txt

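As an added example (not code from the thread, from Malwarebytes, or from any tool named in it), here is a PowerShell check a defender can run for the situation in the post above: a process whose name matches a Windows service binary but which runs from a directory such as C:\Windows\Fonts while the real service is stopped. The allow-list entries other than WmiApSrv.exe, the function names and the default service name are assumptions; it needs Windows with PowerShell 4.0 or later.

```powershell
# Added example (not from the thread or Malwarebytes): find running processes
# whose image name matches a Windows service binary but which execute from a
# directory that binary does not legitimately live in, e.g. a WmiApSrv.exe
# started from C:\Windows\Fonts while the real WMI Performance Adapter service
# (System32\wbem) is stopped. Assumes Windows with PowerShell 4.0 or later.

# Legitimate directories per image name. WmiApSrv.exe is the thread's case;
# the other entries are assumptions added here as further illustrations.
$ExpectedDirs = @{
    'wmiapsrv.exe' = @("$env:SystemRoot\System32\wbem")
    'svchost.exe'  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    'lsass.exe'    = @("$env:SystemRoot\System32")
    'explorer.exe' = @("$env:SystemRoot")
}

function Find-MasqueradingProcess {
    # One record per running process whose name is in the allow-list table
    # but whose on-disk directory is not one of the listed locations.
    param([hashtable]$Expected = $ExpectedDirs)
    foreach ($p in Get-CimInstance Win32_Process) {
        if (-not $p.ExecutablePath) { continue }          # System/Idle: no image path
        $name = $p.Name.ToLower()
        if (-not $Expected.ContainsKey($name)) { continue }
        $dir = Split-Path -Parent $p.ExecutablePath
        if ($Expected[$name] -contains $dir) { continue }  # -contains is case-insensitive
        [pscustomobject]@{
            PID       = $p.ProcessId
            ParentPID = $p.ParentProcessId
            Name      = $p.Name
            Path      = $p.ExecutablePath
            # Authenticode status and hash give the responder something to triage
            Signature = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
            SHA256    = (Get-FileHash -Path $p.ExecutablePath -Algorithm SHA256).Hash
        }
    }
}

function Compare-ServiceImage {
    # For one service (default: wmiApSrv, the WMI Performance Adapter), report
    # the binary the Service Control Manager has registered, the service state,
    # and the path of every running process sharing that image name.
    param([string]$ServiceName = 'wmiApSrv')
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    # PathName may be quoted and may carry arguments (e.g. svchost.exe -k ...)
    $svcExe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+-')[0].Trim() }
    $image   = Split-Path -Leaf $svcExe
    $running = @(Get-CimInstance Win32_Process -Filter "Name='$image'")
    [pscustomobject]@{
        Service       = $svc.Name
        State         = $svc.State
        RegisteredExe = $svcExe
        RunningFrom   = @($running | ForEach-Object { $_.ExecutablePath })
        # True when a same-named process runs from somewhere other than the registered binary
        Mismatch      = @($running | Where-Object {
                            $_.ExecutablePath -and ($_.ExecutablePath -ine $svcExe) }).Count -gt 0
    }
}

Find-MasqueradingProcess | Format-Table -AutoSize
Compare-ServiceImage -ServiceName 'wmiApSrv' | Format-List
```

Run it from an elevated PowerShell prompt so that every process's ExecutablePath is readable; a record with Mismatch = True and a NotSigned or HashMismatch signature status is the thread's pattern and warrants quarantining the file for analysis rather than just ending the process.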

Still can't get MBAM to run!

MBAM version mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092 ran OK initially, then one day decided not to run any more with message "Unable to start" and "Unable to connect the service".

Tried uninstalling, reinstalling, using MBAM Clean and rebooting and even installing version mb3-setup-consumer-3.1.2.1733-1.0.160-1.0.2251, but MBAM still will not run!

Ran system checks (up to ~ 4 times) such as CHKDSK and SFC, but neither found any issues with my computer.

There was apparently some malware on my system, and my previous thread at these forums was then redirected to the malware removal section. Unfortunately no one responded in the malware removal section to this malware issue after three days, so I sought assistance elsewhere. And as of this writing, after about 5 days there still hasn't been a response here in the malware removal section, despite hundreds of views!?

Malware was apparently removed using various software, but MBAM still does not run.

MBAM check result and FRST scan results enclosed.

mb-check-results.zip

FRST.txt

Addition.txt

If malware is still present, then please do not redirect to the malware removal section unless it can be guaranteed that there will be a response this time from a helper, please!!

Edited by meeshu

Thanks for the response!

Ran MBAR from the desktop.

5 malware items were found and then supposedly cleaned. The malware was mostly "Ransomware.Wannacrypt", I think it was.

Rebooted, but MBAM still will not run (error messages "Unable to start" and "Unable to connect the service")!

And CPU load still jumps to 50% (due to 'WmiApSrv.exe' within the 'C:\Windows\Fonts' directory according to Windows Task Manager). I can stop this WmiApSrv process temporarily via Windows Task Manager, but this process always restarts no later than a few minutes after stopping it!?


I had difficulty downloading KVRT from the Kaspersky website because the file is around 100 MB, AND I'm on a slow internet connection. The downloads ultimately stop before they are complete, and there is no resume function either, apparently.

Had to download a slightly older version of KVRT from another site.

Anyway, the initial KVRT scan found a Trojan which was then removed. The computer was rebooted, and an additional KVRT scan found three more malware entries which were removed as well.

Unfortunately MBAM (version mb3-setup-consumer-3.1.2.1733-1.0.160-1.0.2251) still fails to run with the error messages "Unable to start" and "Unable to connect the service"!


Root Admin

Let's try doing a new Clean Removal and reinstall.

Please read the following topic and then run the Malwarebytes Clean Removal tool mb-clean:

https://forums.malwarebytes.com/topic/196955-malwarebytes-mb-clean-tool/

The download link for the tool is: https://downloads.malwarebytes.com/file/mb_clean

Restart the computer when done and reinstall Malwarebytes 3 with the latest build again. The removal tool should download and reinstall for you.

Here is the link for the latest installer, though, if needed: https://downloads.malwarebytes.com/file/mb3

Thank you

Ron


Thanks for the comments!

I've already downloaded and used MBAM Clean several times previously, but to no avail. I've also downloaded MBAM-Check.

I've tried overwriting the existing MBAM installation with the latest version of MBAM. I've just now re-run MBAM-Clean and reinstalled the latest version of MBAM. And I've tried running MBAM in Safe Mode as well, but again MBAM will not run, and I continue to get the error messages "Unable to start" and "Unable to connect the service".

Here are the latest scan logs of MBAM-Check and FRST, even though they were not specifically requested (yet).

mb-check-results.zip

FRST.txt

Addition.txt


Root Admin

The logs seem to indicate that some files are possibly missing from the install. It's pretty late at night so I'll need to check tomorrow on this. I want to double-check with QC why some files show as possibly missing.

Will get back to you again sometime tomorrow.

Thanks

Ron


Hi meeshu :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system; I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here; better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not; I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums' rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;


This being said, it's time to clean up some malware, so let's get started, shall we? :)

Give me some time to review your logs and I'll be with you soon.


Thank you for waiting. Follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

fixlist.txt


Hello Aura!

Thanks for your assistance!

But this issue is already being looked into by AdvancedSetup here -

I thought that this thread here had been merged with the above thread (by AdvancedSetup ?).

It appears that there may be some files "missing" which is causing MBAM not to run. I am awaiting further details from AdvancedSetup, hopefully sometime today.

Not sure which is the best way forward? Should this thread here be merged with the above thread? Or should this thread be closed or deleted?

Sorry for any inconvenience!


Root Admin

Looks like maybe something is on the box we're not seeing. The main program files are not accessing the server, which is preventing installation and running of Malwarebytes.

Please run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed, make sure to re-enable your antivirus.

STEP 02

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, the logfile will open. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

Thanks

Ron


MBAM is now running again!!

What I did was to run the Tweaking.com Windows Repair All In One utility with 'Repair WMI' and 'Remove Policies Set By Infections' and a few other settings as well. That did the trick! The settings were courtesy of someone else on another forum.

It appears that the malware had caused some issues related to WMI, so I tried WRAIO again, and it worked!

MBAM found a couple of Trojans which were removed.

To be sure all malware is clear, I'll run several other anti-malware programs as well.

If there are any further issues I'll report back ASAP.

Edited by meeshu

JRT scan result -


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 7 Professional x86 
Ran by Administrator (Administrator) on Thu 13/07/2017 at 18:52:13.93
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 16 

Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JJ3NMADD (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3I84U77 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC1QA0SO (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ONFWPA4J (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PNCLSQXE (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U4ES9X9N (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W90DPVST (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z7SI7621 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JJ3NMADD (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3I84U77 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC1QA0SO (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ONFWPA4J (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PNCLSQXE (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U4ES9X9N (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W90DPVST (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z7SI7621 (Temporary Internet Files Folder) 

Registry: 0 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 13/07/2017 at 18:53:10.81
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AdwCleaner scan result -


# AdwCleaner v6.047 - Logfile created 13/07/2017 at 18:58:56
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-07-11.1 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X86)
# Username : Administrator - MINE-PC
# Running from : C:\Users\Administrator\Desktop\adwcleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

No malicious registry entries found.


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [1172 Bytes] - [10/07/2017 14:55:59]
C:\AdwCleaner\AdwCleaner[S1].txt - [1093 Bytes] - [13/07/2017 18:58:56]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1166 Bytes] ##########

Sophos Virus Removal Tool is a large file (~160 MB), and as I'm on a dial-up internet connection, this download will take quite a few hours! I'll post results when I can, but it will not be until tomorrow.

FRST scan results will follow once Sophos VRT has been run.


OK. Tried to download SVRT (Sophos Virus Removal Kit), but had considerable difficulty! Download speed was around 1 kB/s ONLY! And the download cut out/stopped and didn't resume either. Tried to download again a bit later, but still only got ~1 kB/s speed!? So I cancelled the download.

Downloaded SVRT and also KVRT (Kaspersky Virus Removal Tool) via a local Internet Cafe.

Installed/ran SVRT, but it was quite slow in scanning and it scanned ALL my drives when I only wanted it to scan the boot drive. Eventually stopped the scan and quit the program; it was taking too long.

Ran KVRT. It found two non-viral "threats" only (PC_Hunter.exe). But PC_Hunter is a legitimate program, so I didn't remove it. Otherwise there were no other issues found.

So it seems my boot drive is now probably clear of any malware.

Thank you!
