
Not sure if I'm infected, but can't run mbam or chameleon



System: Windows 7

I'm not entirely sure if I'm infected, but signs point to a yes. I tried to do a scan since one of my programs suddenly stopped working and reinstallation didn't resolve it. When I try to start Malwarebytes it automatically closes. I checked the event log but it just states there was an error but provides nothing else. I decided to play it safe by downloading Chameleon then running it only to run into this. So am I infected and how do I fix this because I do like using Malwarebytes.

log.jpg


Hi Venla31.

My name is Maurice.  I will be helping you.

Firstly, mbam chameleon is an old tool meant to be used on versions 1 or 2 of the OLD Malwarebytes anti-malware. It is NOT designed for & does NOT recognize nor is it consistent with version 3.x, our current version.

Please stop using it.

We will be using other methods.

We need to get information from this machine in order to have the proper detail to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer. Please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button "Start repair"!
    Click the Advanced tab on the left column
    Click the Gather Logs button
    A progress bar will appear and the program will proceed with getting logs from your computer
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 


I'm sorry, apparently I had a bit of a dumb moment and did a bit of a typo. I am not using the mbam. I did reinstall Malwarebytes at one point and double checked if the reinstall was indeed the latest version from this link.

https://www.malwarebytes.com/mwb-download/thankyou/

I forgot to mention that I have tried running Malwarebytes as an admin only for it to fail. No error notice pops up, just a brief loading circle via mouse then it disappears. It does show up in my event log.

 

 

mbst-grab-results.zip


Hello Venla31,

Thanks for the report.

 

Please read all of these lines first so that it is all clear to you about our plan. I need a one-time run of MBAR as listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link and save it to your desktop.

Double-click on the MBAR file and allow it to run.

• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

• After reading the Introduction, click 'Next' if you agree.

• On the Update Database screen, click on the 'Update' button.

• Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.
Thank you,

 


I managed to do the following up to a point. I had reached the scan option and started a scan. However, the scan seemed to close and just automatically close the program altogether? I tried re-installing the program at the desktop as its destination, but upon completion it just closes and the UI never reappears.

 


The report tool named FRSTENGLISH is already in the Downloads folder.

Use Windows Explorer & go to the Downloads folder.

Run report with FRSTENGLISH

Right-click on the FRST icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & follow up & choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the *disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that the Addition option is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait.

The tool will produce three logfiles on your desktop: _FRST.txt_, _Addition.txt_
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.


Thanks for the FRST.

This PC has both Malwarebytes + Bitdefender.

Let's exclude Bitdefender's program folder(s) along with any of its services/processes that run in the background via the process described under the Exclude a File or Folder section found in this support article and the items listed in this support article should be excluded from Bitdefender's real-time protection.

 

BitDefender needs some adjusting so that it treats Malwarebytes as a trusted application.


What follows is a first step to have Windows 7 show all files and folders. Do not let this spook you out.
https://www.sevenforums.com/tutorials/394-hidden-files-folders-show-hide.html


What follows are the adjustments for BitDefender.
Open the Bitdefender product installed
Click VIEW FEATURES
Under ANTIVIRUS, Click Settings
Click EXCLUSIONS

Click ADD
Ensure Both is selected
Enter C:\Program Files\Malwarebytes into the text field and click Add
Repeat for C:\ProgramData\Malwarebytes

Click ADD
Ensure Both is selected
Enter C:\Windows\System32\drivers\mbam.sys into the text field and click Add
Repeat for the following files:
C:\Windows\System32\drivers\mwac.sys
C:\Windows\System32\drivers\mbamswissarmy.sys
C:\Windows\System32\drivers\mbamchameleon.sys
C:\Windows\System32\drivers\farflt.sys
C:\Windows\System32\drivers\mbae64.sys
Click the back arrow
Under WEB PROTECTION, click Whitelist


Enter *.mwbsys.com into the text field and click Add
Click Save
Click Close to finish

I would suggest a Windows Restart from the Start menu at this point. Wait for the system to reload and to settle back in.

 

 

Also see this post by SteveS_66

 

Then let me know if this has helped.

Thank you.

Edited by Maurice Naggar
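
An antivirus exclusion is a path the scanner stops watching, so it helps to confirm what actually sits at each location before adding it. The PowerShell below is an added example, not part of the original thread or of any Malwarebytes or Bitdefender tooling; it checks the folders and driver files listed in the post above, and the expected signer string `Malwarebytes` is an assumption.

```powershell
# Added example. Run from 64-bit PowerShell: a 32-bit host is redirected
# away from System32 and would report the drivers as missing.
$folders = 'C:\Program Files\Malwarebytes', 'C:\ProgramData\Malwarebytes'
$drivers = 'mbam.sys', 'mwac.sys', 'mbamswissarmy.sys',
           'mbamchameleon.sys', 'farflt.sys', 'mbae64.sys' |
    ForEach-Object { Join-Path 'C:\Windows\System32\drivers' $_ }

# Assumption: this string appears in the vendor's signing certificate subject.
$expectedSigner = 'Malwarebytes'

function Test-ExclusionTarget {
    param([string]$Path, [switch]$IsDriver)

    $row = New-Object PSObject -Property @{ Path = $Path; Signer = ''; Verdict = '' }
    if (-not (Test-Path -LiteralPath $Path)) {
        $row.Verdict = 'missing: nothing to exclude'
        return $row
    }
    if (-not $IsDriver) {
        $row.Verdict = 'folder present'
        return $row
    }
    # Driver files: require a valid Authenticode signature from the expected signer.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
    if ($sig.Status -eq 'Valid' -and $row.Signer -like "*$expectedSigner*") {
        $row.Verdict = 'signed by expected vendor'
    } else {
        # Covers NotSigned, HashMismatch and valid signatures from another signer.
        $row.Verdict = "CHECK BY HAND before excluding ($($sig.Status))"
    }
    return $row
}

$report = @()
$report += $folders | ForEach-Object { Test-ExclusionTarget -Path $_ }
$report += $drivers | ForEach-Object { Test-ExclusionTarget -Path $_ -IsDriver }
$report | Format-Table Path, Verdict, Signer -AutoSize -Wrap
```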

Interesting, I followed your instructions and it worked. 

I want to point out that originally Bitdefender was not the antivirus I was carrying, it was Microsoft Security Essentials + Malwarebytes. My friend, roughly 2 hours from the post where I state the rootkit exe wouldn't open, insisted that I install Bitdefender and give it a try. It was on the exception list for that program. It seems that strangely the problem of the issue was Microsoft Security Essentials, strange. I thank you for your time and apologize, at least I wasn't infected :)


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

This topic is now closed to further replies.