MBAM Won't Run As MBAM After Deleting Infection


Hello,

I was experiencing IE7 browsing problems with my computer running XP with McAfee antivirus software. I downloaded Malwarebytes. In order to execute Malwarebytes I had to rename the executable from mbam to winlogon. I ran the program twice and each time it removed 3 threats. The third time I ran the program it found nothing. I have uploaded the logs for your reference.

Now, I have two problems.

Problem #1 - MBAM will still not execute as MBAM. It runs fine if I rename it to winlogon although it reports no issues. Am I still infected or is this normal behavior?

Problem #2 - I have an administrator and two non administrator accounts on the machine. The admin account and one other account now seem to work fine after running MBAM. I can browse any website using IE7. The second non admin account cannot browse any web sites using IE7. Given the behavior identified in problem number #1, I wonder if I'm still infected or if perhaps the cleanup process had an unintended consequence.

Additional info: After reading through the common problems post, I ran rootrepeal to scan for files associated with Alureon. Rootrepeal returned only one file. It did not have a prefix noted in the watch list. I believe the file returned was called hiberfile.sys.

Can you offer any help or advice?

Thanks!

mbam_log_2010_09_08__00_08_08_.txt

mbam_log_2010_09_08__06_45_39_.txt

mbam_log_2010_09_08__09_52_38_.txt

Link to post
Share on other sites

Database version: 4052 - Log 9/8/2010

Please first try to update this version - Update is currently at Version 4585 at this time -

Your logs are about 1 month old - Or rescan with your newest update and post those logs -

To Fully Remove and Reinstall a Fresh New Copy of Malwarebytes - Read Carefully

Windows XP:

  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer - very important!
  • Download and run mbam-clean.exe from Here

It will ask to restart your computer, please allow it to do so, very important

After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from Here

Windows Vista and Windows 7:

  • Click on the Start button and select Control Panel
  • Click on Programs and Features
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer - very important!
  • Download and run mbam-clean.exe from Here

It will ask to restart your computer, please allow it to do so, very important

After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from Here

Note: You will need to reactivate the program using the license you were sent via email if using the Paid version only

Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.

Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now reset any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications.

You may use the guides posted in the FAQ's here or ask me and I'll explain how to do it.

Please post back with any problems -

Thank You - :)

Link to post
Share on other sites

I ran through the procedure you described, reinstalling mbam and checking for updates (current version 4586). I executed both a quick scan and a full scan; however, my situation is still the same. I had to rename mbam to winlogon to run it, and yet it found nothing. I have attached the log for reference.

Can you recommend a next step?

Thank you!

mbam_log_2010_09_09__23_14_03_.txt

mbam_log_2010_09_10__02_14_01_.txt

Link to post
Share on other sites

Please exclude the following files from your antivirus:

Also read This FAQ Item (Section E) about your A/virus program - It may help - Also read at the bottom -

Note: If using a software firewall besides the built in Windows Firewall you'll need to exclude them from it as well

For Windows XP:

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
  • C:\Windows\System32\drivers\mbam.sys
  • C:\Windows\System32\drivers\mbamswissarmy.sys

For Windows Vista or Windows 7:

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
  • C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
  • C:\Windows\System32\drivers\mbam.sys
  • C:\Windows\System32\drivers\mbamswissarmy.sys

For 64 bit versions of Windows Vista or Windows 7:

  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\zlib.dll
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.dll
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll
  • C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
  • C:\Windows\System32\drivers\mbam.sys
  • C:\Windows\SysWoW64\drivers\mbamswissarmy.sys

Note: If using a software firewall besides the built in Windows Firewall you'll need to exclude MBAM.EXE from it as well

Note: Once that's done, please make sure that if either of those programs has any sort of web filter, that you add the following as a trusted site:

data-cdn.mbamupdates.com

If you think you may still have some part of an infection remaining please read and repost as directed Here -

Thank You -

Link to post
Share on other sites

I'm sorry. I don't understand how to add exclusions to my antivirus. I'm running a version of McAfee supplied by AT&T. I can't find any kind of version number.

Reading through the McAfee help, it would appear that if McAfee flags a program as a problem, it provides an opportunity to add it to a trusted list. However, if the antivirus software doesn't flag a program as a problem, it does not give you an opportunity to manually add an exclusion.

Link to post
Share on other sites

QUOTE: The second non admin account cannot browse any web sites using IE7. Given the behavior identified in problem number #1, I wonder if I'm still infected or if perhaps the cleanup process had an unintended consequence.

If you think you're infected, please follow these instructions!

Please read the following so that you can begin the cleaning process:

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.

  • Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.
  • After posting your new post, make sure under options, you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.
  • One of the expert helpers there will give you one-on-one assistance when one becomes available.
  • Please refrain from making any further changes to your computer (Install/Uninstall programs, use special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version

NOTE: Please DO NOT post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies. If you reply to your own post helpers may think that you're already being helped and thus overlook your post.

    • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
      Or
    • You may send a Private Message to a Moderator asking for assistance.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or here.

Please be patient, someone will assist you as soon as it is possible.

Link to post
Share on other sites

OK... I found the version number - It's security center 9.15.

But, I do need help. I am the administrator of the PC however I cannot find where I can edit and add the list of programs. It seems that in order to add something to the trusted area, McAfee must flag it first. Then it gives you the option to add it.

Link to post
Share on other sites

For whatever reason, my McAfee looks nothing like the instructions in Section E http://forums.malwarebytes.org/index.php?s...mp;#entry162098.

However, to answer your question about following the instruction in post #9... Knowing that Malwarebytes cleaned out some threats (see my original post) I'll ask a couple of clarifying questions.

1.) The exercise we were going through to exclude mbam from the antivirus.... Is that because I made the comment that mbam will run as winlogon and the antivirus exclusion solves that problem and allows it to run as mbam? OR, do you feel that because mbam still won't run as mbam, I am still infected?

2.) Going back to my other problem of IE not connecting to the internet under one non-admin account while it seems to work fine under both another non-admin and admin accounts. Is this typically a symptom of an ongoing infection? Did the cleanup of the initial threat possibly cause the IE problem? Could the resolution be as simple as deleting the bad user account?

Perhaps some tough questions.... I'm interested in hearing your thoughts.

Thanks!

Link to post
Share on other sites

If you have an infection, they will find it in the Malware Forum... If no infection, they will tackle your McAfee issue & help you exclude the mbam file so your AV does not interfere with the Malwarebytes Anti-Malware program.... Address 1 computer at a time... I'm trying to get some help here with that McAfee... but the word infection appears in a few posts.

Think about posting in the Malware Removal forum... give it 5-10 mins see if anyone posts under my comment

EDIT: I think you should address one computer at a time in the Malware Forum as in post 9 above... If you're infected they will clean you up. If not, they will get Malwarebytes to work or find out why.

EDIT 2 QUOTE "Did the cleanup of the initial threat possibly cause the IE problem? Could the resolution be as simple as deleting the bad user account?"

I would go below:

Please read the following so that you can begin the cleaning process:

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.

  • Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.
  • After posting your new post, make sure under options, you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.
  • One of the expert helpers there will give you one-on-one assistance when one becomes available.
  • Please refrain from making any further changes to your computer (Install/Uninstall programs, use special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version

NOTE: Please DO NOT post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies. If you reply to your own post helpers may think that you're already being helped and thus overlook your post.

    • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
      Or
    • You may send a Private Message to a Moderator asking for assistance.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or here.

Please be patient, someone will assist you as soon as it is possible.

Link to post
Share on other sites

The exercise we were going through to exclude mbam from the antivirus

This is purely so that the 2 programs co-exist peacefully - Many A/V programs seem to want Full Control of a system -

Most of Norton (Symantec) products do this in many ways - They have just altered a few settings as they find it will cause problems -

I am having problems with Yahoo Messenger and I needed to add exclusions to allow it to exist with most A/V systems now -

The world of security as we knew it is now more complicated, but we try to keep things as simple as we can -

That is among the reasons we have a panel of mostly volunteer experts that give their time to assist with your problems -

Thanks -

Link to post
Share on other sites
