MBAM quits after scanning for just a few seconds


I have read several posts here about certain malware infestations defeating MBAM by shutting it down shortly after the scan starts.

This is clearly a major problem and one which I recently overcame by using perhaps the simplest method, namely adding the infected drive as a slave on another system and running the scan from there.

However during the clean-up process I checked the symptoms of some of the infections found and discovered that several viruses have the ability to simulate mouse clicks. In other words my suggestion is that MBAM is sometimes being shut down by a simulated click of the Abort Scan button.

This leads me to ask the question, could MBAM be improved by having a "no abort possible" mode. Essentially if the infection is seen to actively shut down the programme it can be run in a mode that does not allow shutting down until the scan is complete.

I appreciate that the increasingly inventive malware writers may also find a way around this but it would perhaps be one more layer of self-defence for our favourite anti-malware programme.


@Robolovsky Welcome to Malwarebytes! After looking at the title of your post, and this issue:

Essentially if the infection is seen to actively shut down the programme it can be run in a mode that does not allow shutting down until the scan is complete.

If you believe you have an infection and need to get fixed up, please follow these instructions:

Follow these instructions and post your log in the HijackThis Logs forum, please.

Scan and post logs - read note at bottom in green

If you're having Malware related issues with your computer that you're unable to resolve.

  1. Please read and follow the instructions provided here: I'm infected - What do I do now?
  2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.

NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

Note: they're busy in the HJT forum, so it may take a day or two before you get a reply!



Thanks for the information, Yardbird, but as you will see from my original post I was able to solve my problem by hooking up the drive as a slave to another machine and using the full might of MBAM coupled with a heavyweight AV programme to clean out the infected files. Boy, wouldn't you like to get your hands on the people that perpetrate this stuff.

Once cleared of the actual problem files I put the drive back in the original machine and was able to run MBAM properly and remove the relevant registry entries. A very neat and tidy solution with none of the risks involved with programmes such as ComboFix and CCleaner.

Prior to doing that I had read endless articles about sending in a variety of logs from various malware removal programmes and then following a lengthy series of eradication procedures. Believe me, if you have the chance, slaving the drive in another machine is the way to go.

Essentially my post was about finding a way to programme MBAM to prevent automated shutting down by rogue software. I am not sure if this is actually possible but it was just a thought as I had read that one of the infections on my machine had the ability to simulate mouse clicks. If MBAM were to remove the ability to abort the scan by clicking a button it may be one way of making it more difficult for the script kiddies.


Unfortunately most of the nasties these days are using rootkit-hidden drivers and services to kill MBAM's process, or any other program's process, often even any process aside from essential system processes once they enter memory :) . Originally they targeted MBAM by name, but that quickly changed once people figured out how to rename MBAM to get around it. Now it's much tougher. Working as you did from a second system, or booted into a CD, to either scan or remove the nasties manually is much easier for sure, but you must also be careful that critical system files (which are sometimes altered or replaced by malware) don't get deleted in the process, rendering the system unbootable.

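The symptom in the thread title, a scanner that exits a few seconds after it is launched, is also something a defender can look for in process telemetry rather than only at the keyboard. The following is an added example, not code from this thread or from Malwarebytes: it reads constructed Sysmon-style process-create (Event ID 1) and process-terminate (Event ID 5) records, one JSON object per line, and flags a watched scanner image that dies within seconds of starting, more than once. The image name mbam.exe, the paths and the timings are assumptions made for illustration. Because the last post notes that malware moved on from killing MBAM by name once people started renaming it, the matcher also looks at Sysmon's OriginalFileName field, so a renamed copy of the scanner is still recognised by the detection even though it may not be by the killer.

```python
"""Flag a watched scanner process that is terminated seconds after it starts.

Added example; not code from this thread or from Malwarebytes. Input is
Sysmon-style process create (EventID 1) / terminate (EventID 5) records,
one JSON object per line. The records below are constructed, and the
scanner image name "mbam.exe" is an assumption used for illustration.
"""
import json
from datetime import datetime, timedelta

WATCHED_IMAGES = {"mbam.exe"}            # assumed scanner binary name
MAX_LIFETIME = timedelta(seconds=10)     # "scans for just a few seconds"
REPEATS_BEFORE_ALERT = 2                 # a single short run may be the user

# Constructed sample telemetry (not real logs). Runs A and B die within a
# few seconds; C is an unrelated process; D is a normal 15-minute scan;
# E is the scanner renamed to dodge a name-based killer, still recognised
# through OriginalFileName.
SAMPLE_LOG = r"""
{"EventID":1,"UtcTime":"2009-05-01 10:00:00.000","ProcessGuid":"{A}","Image":"C:\\Program Files\\Malwarebytes\\mbam.exe","OriginalFileName":"mbam.exe"}
{"EventID":5,"UtcTime":"2009-05-01 10:00:04.000","ProcessGuid":"{A}","Image":"C:\\Program Files\\Malwarebytes\\mbam.exe"}
{"EventID":1,"UtcTime":"2009-05-01 10:01:00.000","ProcessGuid":"{B}","Image":"C:\\Program Files\\Malwarebytes\\mbam.exe","OriginalFileName":"mbam.exe"}
{"EventID":5,"UtcTime":"2009-05-01 10:01:03.000","ProcessGuid":"{B}","Image":"C:\\Program Files\\Malwarebytes\\mbam.exe"}
{"EventID":1,"UtcTime":"2009-05-01 10:02:00.000","ProcessGuid":"{C}","Image":"C:\\Windows\\explorer.exe","OriginalFileName":"EXPLORER.EXE"}
{"EventID":5,"UtcTime":"2009-05-01 10:02:01.000","ProcessGuid":"{C}","Image":"C:\\Windows\\explorer.exe"}
{"EventID":1,"UtcTime":"2009-05-01 10:05:00.000","ProcessGuid":"{D}","Image":"C:\\Program Files\\Malwarebytes\\mbam.exe","OriginalFileName":"mbam.exe"}
{"EventID":5,"UtcTime":"2009-05-01 10:20:00.000","ProcessGuid":"{D}","Image":"C:\\Program Files\\Malwarebytes\\mbam.exe"}
{"EventID":1,"UtcTime":"2009-05-01 10:30:00.000","ProcessGuid":"{E}","Image":"C:\\Tools\\scan1.exe","OriginalFileName":"mbam.exe"}
{"EventID":5,"UtcTime":"2009-05-01 10:30:02.000","ProcessGuid":"{E}","Image":"C:\\Tools\\scan1.exe"}
"""


def _basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _watched(ev: dict, watched: set) -> bool:
    """Match on the on-disk file name or on the PE's OriginalFileName,
    so a renamed copy of the scanner is still recognised."""
    names = {_basename(ev.get("Image", "")), ev.get("OriginalFileName", "").lower()}
    return bool(names & watched)


def short_lived_runs(log_text, watched=WATCHED_IMAGES, max_lifetime=MAX_LIFETIME):
    """Return [(ProcessGuid, lifetime_seconds)] for watched processes that
    were terminated within max_lifetime of their creation."""
    starts = {}   # ProcessGuid -> creation time, for watched processes only
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1 and _watched(ev, watched):
            starts[guid] = t
        elif ev["EventID"] == 5 and guid in starts:
            lifetime = t - starts.pop(guid)
            if lifetime <= max_lifetime:
                hits.append((guid, lifetime.total_seconds()))
    return hits


def scanner_killed_repeatedly(log_text, threshold=REPEATS_BEFORE_ALERT):
    """True when the watched scanner died young at least `threshold` times."""
    return len(short_lived_runs(log_text)) >= threshold


if __name__ == "__main__":
    for guid, secs in short_lived_runs(SAMPLE_LOG):
        print(f"{guid}: scanner exited after {secs:.0f}s")
    print("alert" if scanner_killed_repeatedly(SAMPLE_LOG) else "no alert")
```

Event ID 5 records that the process ended, not who ended it, so this cannot by itself distinguish a driver killing the scanner from a user closing it or from a simulated click on Abort Scan; the repetition threshold and the short lifetime are what make the pattern worth an alert. Note also that when a rootkit is resident on the box the telemetry itself may be tampered with, which is one more reason the thread's approach of scanning the drive from a second, clean system is sound.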
