feeling-hassled Posted March 14, 2018 ID:1224313 Share Posted March 14, 2018 hi i found this thread and it sounded similar to my problem, but i'm running windows7, on a Dell laptop I did the clean uninstall from your link, reinstalled, made sure rootkit was set to check, ran a full scan and still "rootkit disabled" in the report now what do i do? mb-clean-results.txt Link to post Share on other sites More sharing options...
exile360 Posted March 14, 2018 ID:1224340 Share Posted March 14, 2018 What type of scan did you run? If it is a custom scan you must make sure to check the Scan for rootkits option in the Configure Scan screen once you select Custom Scan. If it was a scheduled scan, you have to click on the Advanced button in the scheduled scan creator/editor and check the box Scan for Rootkits otherwise it won't do so for your scheduled scan. The setting for enabling rootkit scanning located under Settings>Protection only impacts manually launched Threat scans (the default scan type). Link to post Share on other sites More sharing options...
feeling-hassled Posted March 14, 2018 Author ID:1224361 Share Posted March 14, 2018 and that is exactly the scan that i induced, it happened 4 times before i did the clean removal/reinstall, you kno set for rootkits then hit SCAN when i did see the "scanning for Rootkits" bubble in the scan progress lineal (before this reinstall) my computer crashed (a graceful degredation of sorts) Link to post Share on other sites More sharing options...
feeling-hassled Posted March 14, 2018 Author ID:1224366 Share Posted March 14, 2018 just did it again, set rootkit scan on in preferences, then scanned for threats from the dashboard here's the report, you will see rootkits scan disabled Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/14/18 Scan Time: 11:48 PM Log File: 3b358714-27e2-11e8-b636-0023ae0da39f.json Administrator: Yes -Software Information- Version: 3.4.4.2398 Components Version: 1.0.322 Update Package Version: 1.0.4360 License: Trial -System Information- OS: Windows 7 CPU: x86 File System: NTFS User: DELL-PC\DELL -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 167200 Threats Detected: 0 (No malicious items detected) Threats Quarantined: 0 (No malicious items detected) Time Elapsed: 5 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected) (end) Link to post Share on other sites More sharing options...
exile360 Posted March 15, 2018 ID:1224375 Share Posted March 15, 2018 Based on your description, it sounds like there's a problem with the rootkit driver or some related component failing to load when the scan runs, thus causing it not to enable properly according to your settings when you run your scans. Please open a command prompt and run the following command if you would: sc query mbamswissarmy Let us know what it says in the command prompt window for STATE. It should say 4 RUNNING, however if it says it is stopped, then that's likely the problem. You can do this while running a scan if you wish, but you shouldn't need to as the driver should stay loaded from boot if it's working correctly. Link to post Share on other sites More sharing options...
feeling-hassled Posted March 15, 2018 Author ID:1224380 Share Posted March 15, 2018 did so, returns type 1 kernel driver STATE 4 running all other values associted are 0 and/or (0x0) Link to post Share on other sites More sharing options...
exile360 Posted March 15, 2018 ID:1224383 Share Posted March 15, 2018 Yep, that's what mine shows here as well (my logs show rootkit scanning enabled). I'm not sure what's going on, but perhaps a Process Monitor log would shed some light if you're willing: Create a Process Monitor Log: Create a new folder on your desktop called Logs Please download Process Monitor from here and save it to your desktop Double-click on Procmon.exe to run it In Process Monitor, click on File at the top and select Backing Files... Click the circle to the left of Use file named: and click the ... button Browse to the Logs folder you just created and type MBAM Log in the File name: box and click Save Exit Process Monitor and open it again so that it starts creating the logs Open Malwarebytes and perform a scan. Once it completes, go ahead and close the scan dialog. Close Process Monitor Right-click on the Logs folder on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder Please attach the Logs.zip file you just created to your next reply, or if it is too large, please upload it to WeTransfer and provide us with the link to the file Thanks Link to post Share on other sites More sharing options...
Firefox Posted March 15, 2018 ID:1224387 Share Posted March 15, 2018 Did they ever fix the bug where the rookit scan was actually happening but the log/report was showing incorrectly? Link to post Share on other sites More sharing options...
exile360 Posted March 15, 2018 ID:1224389 Share Posted March 15, 2018 I'm not sure, but it seems so since my logs show it correctly when doing the same type of scan with the same settings as these users. In fact, the only major difference I can see is that feeling-hassled is using the 32 bit version of Windows 7, while I'm on 7 x64. So if there's a known issue with it not displaying correctly, but only for x86 OS versions then that would explain it, but to my knowledge that is not the case (I was formerly affected by that issue myself on 7 x64 in the past if I recall correctly). Link to post Share on other sites More sharing options...
feeling-hassled Posted March 15, 2018 Author ID:1224391 Share Posted March 15, 2018 i followed your instructions, already 3million events still climbing and malwarebytes stopped responding for over 5 mins, and is now running very slowly, but still just crawling along, is this expected Link to post Share on other sites More sharing options...
feeling-hassled Posted March 15, 2018 Author ID:1224396 Share Posted March 15, 2018 finished now, i think there was some autoupdates or summat going on in the background maybe NIGHTMARE the LOGS folder is empty!!!!! will try again scan report: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/15/18 Scan Time: 1:05 AM Log File: fcdd37ea-27ec-11e8-978f-0023ae0da39f.json Administrator: Yes -Software Information- Version: 3.4.4.2398 Components Version: 1.0.322 Update Package Version: 1.0.4360 License: Trial -System Information- OS: Windows 7 CPU: x86 File System: NTFS User: DELL-PC\DELL -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 167209 Threats Detected: 0 (No malicious items detected) Threats Quarantined: 0 (No malicious items detected) Time Elapsed: 9 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected) (end) Link to post Share on other sites More sharing options...
exile360 Posted March 15, 2018 ID:1224399 Share Posted March 15, 2018 Yeah, that's pretty brutal. If you want you can try just running the scan until it gets through the rootkit scan part and that should hopefully be sufficient to reveal what's going on, or at least we can try that first rather than having you go through that long process (and the even longer process of uploading a massive file from Process Monitor). So once it gets through the rootkit part and moves on to scanning memory, you can cancel the scan then close Process Monitor. Link to post Share on other sites More sharing options...
feeling-hassled Posted March 15, 2018 Author ID:1224401 Share Posted March 15, 2018 scanning again , with procmon running too I notice when i checked settings rootkit scanning got switched off after previous scan so i had to switch back on Link to post Share on other sites More sharing options...
exile360 Posted March 15, 2018 ID:1224403 Share Posted March 15, 2018 Aha, you may have stumbled onto the cause of the issue my friend. If there's a problem with the config files that control the settings so that your modified setting doesn't stick, that could be why this is happening. You're in an administrative user account, right? If so, is User Account Control enabled? I'm asking because these things might affect Malwarebytes and its ability to save settings if you're in a limited user account or UAC is turned off. Link to post Share on other sites More sharing options...
feeling-hassled Posted March 15, 2018 Author ID:1224404 Share Posted March 15, 2018 6 minutes ago, exile360 said: Yeah, that's pretty brutal. If you want you can try just running the scan until it gets through the rootkit scan part and that should hopefully be sufficient to reveal what's going on, or at least we can try that first rather than having you go through that long process (and the even longer process of uploading a massive file from Process Monitor). So once it gets through the rootkit part and moves on to scanning memory, you can cancel the scan then close Process Monitor. "until gets through the rootkit part " implies i should see SCAN FOR ROOTKITS in the progress bar . i do not. . 4 minutes ago, exile360 said: Aha, you may have stumbled onto the cause of the issue my friend. If there's a problem with the config files that control the settings so that your modified setting doesn't stick, that could be why this is happening. You're in an administrative user account, right? If so, is User Account Control enabled? I'm asking because these things might affect Malwarebytes and its ability to save settings if you're in a limited user account or UAC is turned off. I am administrator, scan now complete, i will check to send log Link to post Share on other sites More sharing options...
exile360 Posted March 15, 2018 ID:1224405 Share Posted March 15, 2018 Oh wow, I didn't realize you weren't seeing the scanning for rootkits portion during your scans. That definitely implies we may be right about the settings issue. I know you already tried MB-Clean/reinstall, so let's approach this from a different angle. Can you try booting into Safe Mode and opening Malwarebytes and turning on rootkit scanning, then try running a scan there in Safe Mode and let me know how it goes? If that worked, go ahead and reboot the system and let it start normally then see if the scan for rootkits setting stuck or not. Link to post Share on other sites More sharing options...
feeling-hassled Posted March 15, 2018 Author ID:1224411 Share Posted March 15, 2018 SO i had to restart procmon because i forgot to hit the final ok, sorry ran scan, with preferences set to rootkit scan, no rootkit bubble in progress bar then i got your last reply, read it , and pop-up from toolbar said scan complete, i moved my pointer to close that message, might just have got to "close" button AND MY MACHINE SHUTDOWN before i could even read it properly, or be sure i'd clicked !!!!!!!!!!!!!!!! ( this has happened before when i tried hence the clean install etc) started up again, procmon logs seem to be there ok but they are too big to attach, i have never used wetransfer before, can i just email them to you? 32 minutes ago, exile360 said: it gets worse Link to post Share on other sites More sharing options...
exile360 Posted March 15, 2018 ID:1224412 Share Posted March 15, 2018 I haven't got an email for you to send them to, but one of the staff members might. That said WeTransfer isn't difficult to use and you don't even need to register. Just select the free option, click the ... blue round settings button to change it from email to link, then click it again and click the Add button and then browse to the file you wish to upload and once it's done, just post the link here. By the way, if you haven't yet, it may be worth a shot to try running Malwarebytes Anti-Rootkit BETA to see if it finds anything. I'm hoping this is not the case, but it's always possible that an infection is the cause of what's going on and if it is, it likely doesn't know about MBAR. To run it, just download it from this page then run it and follow the onscreen instructions. No need for any Procmon logs this time, just run the scan and let us know how it goes. If it finds any threats, have it remove them and reboot if needed to complete the process. If it won't run in normal mode you can try it in Safe Mode. If anything is found, please post back with the log from MBAR. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 15, 2018 Root Admin ID:1224420 Share Posted March 15, 2018 Hello @feeling-hassled I've moved your topic in to the malware removal forum. Let me have you run the following please. Please follow the advice from the following topic Then attach the logs back here please. Once it's done also please read the following and download that tool and post back the log it generates. Thank you Ron Link to post Share on other sites More sharing options...
feeling-hassled Posted March 15, 2018 Author ID:1224428 Share Posted March 15, 2018 currently responding from inside safemode with networking been scanning away in there, with no rootkit scan in progress line despite setting preference , settings there would not respond to Malicious website , or Ransomware Protection, toggles switched OFF, trying to set them ON they simply bounce back to OFF in front of my eyes, so am now ultimately paranoid, i think my files are backed up off line, i'm just about to restart normally, so i can read your posts this screen is basic here goes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 15, 2018 Root Admin ID:1224429 Share Posted March 15, 2018 Sounds good, let me know. Link to post Share on other sites More sharing options...
feeling-hassled Posted March 15, 2018 Author ID:1224448 Share Posted March 15, 2018 i ran mbar from your link. fished saying no rootkits found ran mbam again, with rootkits scan selected, but it still will not enable it in threat scan i cannot find mbar log to attach here Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 15, 2018 Root Admin ID:1224450 Share Posted March 15, 2018 (edited) From the 2nd link I gave you for our support tool. Please try the following. You can download the tool from here: https://downloads.malwarebytes.com/file/mbst Locate the executable file "mb-support-x.x.x.xxx.exe" and double-click to launch the application. Place a check mark next to Accept License Agreement by clicking the box. Click Next. Click Advanced Options. The Advanced Options page has two options, please choose one: Gather Logs: Collects troubleshooting information from the computer using Check and Grab functionality. As part of this process, Farbar Recovery Scan Tool (FRST) is also run to perform a complete diagnosis of the computer. The troubleshooting information is saved to a file on the Desktop named mbst-grab-results.zip. This file can be added as an email attachment or uploaded to a forum post and will assist your Malwarebytes Support agent with troubleshooting the issue currently being experienced. Clean: Performs an automated uninstallation of all Malwarebytes products currently installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. This process may require a reboot of the computer, which must be manually consented to. If you select Gather Logs, a message box will be displayed once the process has finished. Click OK to close. A file named mbst-grab-results.zip will be saved to your Desktop. Please upload that file on your next reply. If you select Clean, Malwarebytes Support Tool will prompt you for confirmation. If you consent to Malwarebytes Support Tool removing all Malwarebytes products from your computer, click Yes. If you wish to cancel, click No. Edited March 15, 2018 by AdvancedSetup updated reply Link to post Share on other sites More sharing options...
feeling-hassled Posted March 15, 2018 Author ID:1224454 Share Posted March 15, 2018 found this Malwarebytes Anti-Rootkit BETA 1.10.3.1001 www.malwarebytes.org Database version: main: v2018.03.15.01 rootkit: v2018.03.08.03 Windows 7 x86 NTFS Internet Explorer 8.0.7600.16385 DELL :: DELL-PC [administrator] 15/03/2018 05:17:26 mbar-log-2018-03-15 (05-17-26).txt Scan type: Quick scan Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken Scan options disabled: Objects scanned: 156717 Time elapsed: 21 minute(s), 7 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) Physical Sectors Detected: 0 (No malicious items detected) (end) Link to post Share on other sites More sharing options...
feeling-hassled Posted March 15, 2018 Author ID:1224458 Share Posted March 15, 2018 and this threat scan afterwards, it still shows rootkit as diabled, despite settings potection having rootkit enabled before the scan, and no such task shown in the progress bar Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/15/18 Scan Time: 7:06 AM Log File: 73cfc764-281f-11e8-a28d-0023ae0da39f.json Administrator: Yes -Software Information- Version: 3.4.4.2398 Components Version: 1.0.322 Update Package Version: 1.0.4364 License: Trial -System Information- OS: Windows 7 CPU: x86 File System: NTFS User: DELL-PC\DELL -Scan Summary- Scan Type: Threat Scan Result: Cancelled Objects Scanned: 15842 Threats Detected: 0 (No malicious items detected) Threats Quarantined: 0 (No malicious items detected) Time Elapsed: 0 min, 25 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected) (end) Link to post Share on other sites More sharing options...
Recommended Posts