Not scanning for rootkits


What type of scan did you run?  If it is a custom scan, you must make sure to check the Scan for rootkits option in the Configure Scan screen once you select Custom Scan.  If it was a scheduled scan, you have to click on the Advanced button in the scheduled scan creator/editor and check the box Scan for Rootkits; otherwise it won't do so for your scheduled scan.  The setting for enabling rootkit scanning located under Settings > Protection only impacts manually launched Threat scans (the default scan type).


Just did it again: set rootkit scan on in preferences, then scanned for threats from the dashboard.

Here's the report; you will see rootkits scan disabled.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/14/18
Scan Time: 11:48 PM
Log File: 3b358714-27e2-11e8-b636-0023ae0da39f.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4360
License: Trial

-System Information-
OS: Windows 7
CPU: x86
File System: NTFS
User: DELL-PC\DELL

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 167200
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 5 min, 29 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)
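As an added example (not code from this thread or from Malwarebytes), a small Python parser for the text report format quoted above: it splits the report into its dash-delimited sections and flags the exact mismatch under discussion, a Threat Scan whose Scan Options say Rootkits: Disabled. The report embedded in it is a constructed sample in the same layout, not a copy of any real log.

```python
import re
from typing import Dict, Optional

# Constructed sample in the layout of the reports quoted in this thread.
SAMPLE_REPORT = """Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/14/18
Scan Time: 11:48 PM
Administrator: Yes

-Scan Summary-
Scan Type: Threat Scan
Result: Completed

-Scan Options-
Memory: Enabled
Rootkits: Disabled
Heuristics: Enabled

(end)
"""

SECTION_RE = re.compile(r"^-(.+)-$")  # e.g. "-Scan Options-"


def parse_report(text: str) -> Dict[str, Dict[str, str]]:
    """Split a Malwarebytes text report into {section: {key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif current and ": " in line:
            # "Scan Time: 11:48 PM" -> split on the first ": " only
            key, _, value = line.partition(": ")
            sections[current][key] = value
    return sections


def rootkit_scan_ran(sections: Dict[str, Dict[str, str]]) -> bool:
    """True when the Scan Options section reports rootkit scanning enabled."""
    return sections.get("Scan Options", {}).get("Rootkits", "").lower() == "enabled"


def check_threat_scan(text: str) -> str:
    """Flag a Threat Scan (the type the Protection setting controls) that ran
    with rootkit scanning off, which is the symptom in this thread."""
    s = parse_report(text)
    scan_type = s.get("Scan Summary", {}).get("Scan Type", "unknown")
    if scan_type == "Threat Scan" and not rootkit_scan_ran(s):
        return "MISMATCH: Threat Scan ran with Rootkits: Disabled"
    return f"OK: {scan_type}, rootkits {'on' if rootkit_scan_ran(s) else 'off'}"
```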


Based on your description, it sounds like there's a problem with the rootkit driver or some related component failing to load when the scan runs, thus causing it not to enable properly according to your settings when you run your scans.

Please open a command prompt and run the following command if you would:

sc query mbamswissarmy

Let us know what it says in the command prompt window for STATE.  It should say 4 RUNNING; however, if it says it is stopped, then that's likely the problem.

You can do this while running a scan if you wish, but you shouldn't need to as the driver should stay loaded from boot if it's working correctly.
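An added example, not from the thread: a Python helper that reads `sc query` output and reports whether the STATE line shows 4 RUNNING, returning None when no STATE line is present (for instance when the service is not installed at all). The embedded output is a constructed sample, and query_service() is a hypothetical wrapper that only works on a Windows host.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample of `sc query` output in the layout Windows prints;
# the STATE line is the field the thread asks the user to report.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: mbamswissarmy
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

STATE_RE = re.compile(r"^\s*STATE\s*:\s*(\d+)\s+([A-Z_]+)", re.MULTILINE)
SERVICE_RUNNING = 4  # the service control manager's code for RUNNING


def parse_state(sc_output: str) -> Optional[Tuple[int, str]]:
    """Return (state_code, state_name) from `sc query` text, or None."""
    m = STATE_RE.search(sc_output)
    if not m:
        return None  # no STATE line: service missing, or sc printed an error
    return int(m.group(1)), m.group(2)


def driver_is_running(sc_output: str) -> bool:
    """True only when the driver service reports 4 RUNNING."""
    state = parse_state(sc_output)
    return state is not None and state[0] == SERVICE_RUNNING


def query_service(name: str = "mbamswissarmy") -> str:
    """Hypothetical wrapper: run `sc query <name>` on Windows and return its text."""
    result = subprocess.run(["sc", "query", name], capture_output=True, text=True)
    return result.stdout + result.stderr
```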


Yep, that's what mine shows here as well (my logs show rootkit scanning enabled).  I'm not sure what's going on, but perhaps a Process Monitor log would shed some light if you're willing:

Create a Process Monitor Log:

  • Create a new folder on your desktop called Logs
  • Please download Process Monitor from here and save it to your desktop
  • Double-click on Procmon.exe to run it
  • In Process Monitor, click on File at the top and select Backing Files...
  • Click the circle to the left of Use file named: and click the ... button
  • Browse to the Logs folder you just created and type MBAM Log in the File name: box and click Save
  • Exit Process Monitor and open it again so that it starts creating the logs
  • Open Malwarebytes and perform a scan.  Once it completes, go ahead and close the scan dialog.
  • Close Process Monitor
  • Right-click on the Logs folder on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Please attach the Logs.zip file you just created to your next reply, or if it is too large, please upload it to WeTransfer and provide us with the link to the file

Thanks :) 


I'm not sure, but it seems so since my logs show it correctly when doing the same type of scan with the same settings as these users.

In fact, the only major difference I can see is that feeling-hassled is using the 32 bit version of Windows 7, while I'm on 7 x64.  So if there's a known issue with it not displaying correctly, but only for x86 OS versions then that would explain it, but to my knowledge that is not the case (I was formerly affected by that issue myself on 7 x64 in the past if I recall correctly).


Finished now; I think there were some autoupdates or summat going on in the background, maybe.

NIGHTMARE: the LOGS folder is empty!!!!!  Will try again.

Scan report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/15/18
Scan Time: 1:05 AM
Log File: fcdd37ea-27ec-11e8-978f-0023ae0da39f.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4360
License: Trial

-System Information-
OS: Windows 7
CPU: x86
File System: NTFS
User: DELL-PC\DELL

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 167209
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 9 min, 22 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)


Yeah, that's pretty brutal.  If you want you can try just running the scan until it gets through the rootkit scan part and that should hopefully be sufficient to reveal what's going on, or at least we can try that first rather than having you go through that long process (and the even longer process of uploading a massive file from Process Monitor).  So once it gets through the rootkit part and moves on to scanning memory, you can cancel the scan then close Process Monitor.


Aha, you may have stumbled onto the cause of the issue my friend.  If there's a problem with the config files that control the settings so that your modified setting doesn't stick, that could be why this is happening.  You're in an administrative user account, right?  If so, is User Account Control enabled?  I'm asking because these things might affect Malwarebytes and its ability to save settings if you're in a limited user account or UAC is turned off.


6 minutes ago, exile360 said:

Yeah, that's pretty brutal.  If you want you can try just running the scan until it gets through the rootkit scan part and that should hopefully be sufficient to reveal what's going on, or at least we can try that first rather than having you go through that long process (and the even longer process of uploading a massive file from Process Monitor).  So once it gets through the rootkit part and moves on to scanning memory, you can cancel the scan then close Process Monitor.

"until it gets through the rootkit part" implies I should see SCAN FOR ROOTKITS in the progress bar. I do not.

4 minutes ago, exile360 said:

Aha, you may have stumbled onto the cause of the issue my friend.  If there's a problem with the config files that control the settings so that your modified setting doesn't stick, that could be why this is happening.  You're in an administrative user account, right?  If so, is User Account Control enabled?  I'm asking because these things might affect Malwarebytes and its ability to save settings if you're in a limited user account or UAC is turned off.

I am administrator; scan now complete. I will check to send the log.


Oh wow, I didn't realize you weren't seeing the scanning for rootkits portion during your scans.  That definitely implies we may be right about the settings issue.  I know you already tried MB-Clean/reinstall, so let's approach this from a different angle.  Can you try booting into Safe Mode and opening Malwarebytes and turning on rootkit scanning, then try running a scan there in Safe Mode and let me know how it goes?

If that worked, go ahead and reboot the system and let it start normally then see if the scan for rootkits setting stuck or not.


SO

I had to restart procmon because I forgot to hit the final OK, sorry.

Ran scan, with preferences set to rootkit scan; no rootkit bubble in progress bar.

Then I got your last reply, read it, and a pop-up from the toolbar said scan complete. I moved my pointer to close that message, might just have got to the "close" button,

AND MY MACHINE SHUT DOWN before I could even read it properly, or be sure I'd clicked!!!!!!!!!!!!!!!! (This has happened before when I tried, hence the clean install etc.)

Started up again; procmon logs seem to be there OK but they are too big to attach. I have never used WeTransfer before; can I just email them to you?


32 minutes ago, exile360 said:

It gets worse.


I haven't got an email for you to send them to, but one of the staff members might.  That said WeTransfer isn't difficult to use and you don't even need to register.  Just select the free option, click the ... blue round settings button to change it from email to link, then click it again and click the Add button and then browse to the file you wish to upload and once it's done, just post the link here.

By the way, if you haven't yet, it may be worth a shot to try running Malwarebytes Anti-Rootkit BETA to see if it finds anything.  I'm hoping this is not the case, but it's always possible that an infection is the cause of what's going on and if it is, it likely doesn't know about MBAR.  To run it, just download it from this page then run it and follow the onscreen instructions.  No need for any Procmon logs this time, just run the scan and let us know how it goes.  If it finds any threats, have it remove them and reboot if needed to complete the process.  If it won't run in normal mode you can try it in Safe Mode.

If anything is found, please post back with the log from MBAR.


  • Root Admin

Hello @feeling-hassled

I've moved your topic into the malware removal forum. Let me have you run the following please.

Please follow the advice from the following topic

Then attach the logs back here please.

Once it's done also please read the following and download that tool and post back the log it generates.


Thank you

Ron



Currently responding from inside Safe Mode with Networking.

Been scanning away in there, with no rootkit scan in progress line despite setting the preference.

Settings there would not respond for Malicious Website or Ransomware Protection: toggles switched OFF, and trying to set them ON, they simply bounce back to OFF in front of my eyes, so I am now ultimately paranoid. I think my files are backed up offline.

I'm just about to restart normally so I can read your posts; this screen is basic.

Here goes.



  • Root Admin

From the 2nd link I gave you for our support tool. Please try the following.

You can download the tool from here: https://downloads.malwarebytes.com/file/mbst

  1. Locate the executable file "mb-support-x.x.x.xxx.exe" and double-click to launch the application.
  2. Place a check mark next to Accept License Agreement by clicking the box.
  3. Click Next.
  4. Click Advanced Options.
  5. The Advanced Options page has two options, please choose one:
    • Gather Logs: Collects troubleshooting information from the computer using Check and Grab functionality. As part of this process, Farbar Recovery Scan Tool (FRST) is also run to perform a complete diagnosis of the computer. The troubleshooting information is saved to a file on the Desktop named mbst-grab-results.zip. This file can be added as an email attachment or uploaded to a forum post and will assist your Malwarebytes Support agent with troubleshooting the issue currently being experienced.
    • Clean: Performs an automated uninstallation of all Malwarebytes products currently installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. This process may require a reboot of the computer, which must be manually consented to.
  6. If you select Gather Logs, a message box will be displayed once the process has finished.
  7. Click OK to close. A file named mbst-grab-results.zip will be saved to your Desktop. Please upload that file on your next reply.
  8. If you select Clean, Malwarebytes Support Tool will prompt you for confirmation. If you consent to Malwarebytes Support Tool removing all Malwarebytes products from your computer, click Yes. If you wish to cancel, click No.


Edited by AdvancedSetup: updated reply

Found this:

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
  main:    v2018.03.15.01
  rootkit: v2018.03.08.03

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
DELL :: DELL-PC [administrator]

15/03/2018 05:17:26
mbar-log-2018-03-15 (05-17-26).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 156717
Time elapsed: 21 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

And this threat scan afterwards: it still shows rootkit as disabled, despite Settings > Protection having rootkit enabled before the scan, and no such task shown in the progress bar.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/15/18
Scan Time: 7:06 AM
Log File: 73cfc764-281f-11e8-a28d-0023ae0da39f.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4364
License: Trial

-System Information-
OS: Windows 7
CPU: x86
File System: NTFS
User: DELL-PC\DELL

-Scan Summary-
Scan Type: Threat Scan
Result: Cancelled
Objects Scanned: 15842
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 0 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

