
Everything is a malicious process attempting to start


mynorgeek


I came home and found both of my computers locked up from one hour ago with a MBAM alert dialog on the desktop saying...

"MBAM detected a malicious process attempting to start and has blocked the execution attempt."

The malicious file was C:\WINDOWS\system32\setupapi.dll.

My other computer was similarly locked with C:\Program Files\PuranDefrag\PuranADT.exe.

Both of these are trusted files.

I had to reboot, and on startup I got one MBAM alert after another on both machines...

ntmarta.dll

clbrafq.dll

mbamgui.exe

ipfltdrv.sys

Avastui.exe

knetcfg.dll

etc. etc. before I finally disabled protection.

When I try to start the scanner I get this message:

"MBAM_ERROR_LOAD_DATABASE (0,5)"

When I try to update, it says I have the most recent database version.

Yikes!


I support a small office where a very similar thing happened today to 5 computers at once!

The "detected a malicious process" warning box kept popping up over and over and completely hung up all 5 of these XP systems.

Unfortunately some people just started clicking on Quarantine and I think some of their vital System files are now Quarantined.

I am working now from a machine where I just clicked "Disable Protection" and that stopped all the (apparently false?) pop-ups from MalwareBytes.

I am attaching the Protection log - 1.2 MB!

I hope there is an answer pretty quick - these people are out of business until I help resolve the problem.

Thanks - Sam


I am going to assume that both of you have XP here, please do the following:

Disable protection

Delete: X:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref (X:\ is whatever your OS drive is, likely C:)

Set protection to not start on startup (right-click the MBAM tray icon for this option)

Reboot

Launch MBAM; it should see the missing database and download the latest version

From the protection tab enable protection again

Reboot

If this does not solve the issue, there may be some sort of antivirus conflict going on here. I have the latest update on an XP Pro machine now, and protection is functioning normally with no issues when rebooting.


I need to know a few more things here from both of you.

What service pack do each of you have installed?

Do you both have Avast installed?

Please zip and attach a copy of any file that is being detected to your next post.

XP, SP3 (just installed the most recent MS High Priority Updates too... prior to this issue).

Yes, I have avast v5.0.677 Free installed.

Here is a zipped copy of the first file that MBAM detected as malicious... setupapi.dll

setupapi.zip


I am going to assume that both of you have XP here, please do the following:

Disable protection

Delete: X:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref (X:\ is whatever your OS drive is, likely C:)

Set protection to not start on startup (right-click the MBAM tray icon for this option)

Reboot

Launch MBAM; it should see the missing database and download the latest version

From the protection tab enable protection again

Reboot

If this does not solve the issue, there may be some sort of antivirus conflict going on here. I have the latest update on an XP Pro machine now, and protection is functioning normally with no issues when rebooting.

I'm following these steps now and will report back...


I have already disabled protection and Start with Windows on all affected machines (the one Win 7 machine does not seem to be affected).

All affected machines are XP with SP3.

The anti-virus on all machines is Trend Worry Free Internet Security, which has all Exceptions set correctly and been working fine for months.

I will try the posted suggestion first thing tomorrow.

But as I said earlier, some office workers naturally thought they were under some kind of attack and kept pressing the Quarantine button. Some of their very important System and Program files were apparently quarantined.

One machine will not even boot into Safe Mode now - this is a disaster...

Supposing that I can get MBAM running after following the suggestion posted - how do I restore the Quarantined System and Program files? Will I be able to sort or filter by a time stamp to make sure I'm only restoring files that were improperly Quarantined yesterday?

I am trying again to attach the Protection Log - zipped up this time.

Thanks - Sam

protection_log_2010_10_13.zip

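Sam's question about sorting or filtering the quarantine by timestamp is the right instinct: after a bad signature update, the safe restore set is the intersection of "quarantined during the incident window" and "originally lived under a trusted OS or program location"; anything else may be a genuine detection and should be reviewed by hand. The script below is an added example, not code from this thread or from Malwarebytes. The record layout ("timestamp | original path | reason") and every sample line are constructed for the example, since the real MBAM quarantine and protection-log formats are not shown on the page, and the TRUSTED_ROOTS list is an assumption about where such an update hits legitimate files.

```python
"""Added example: triage quarantine records by timestamp and original location.

Not from the forum thread or from Malwarebytes. The record layout
("timestamp | original path | reason") and every sample line are constructed
for this example; the real MBAM quarantine/protection-log format is not shown
on the page. TRUSTED_ROOTS is an assumption about where a bad signature update
is most likely to have hit legitimate files.
"""
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample export. Three lines mirror the thread's false positives
# (setupapi.dll, PuranADT.exe, ntmarta.dll); the other two are made-up entries
# that a responder should NOT restore blindly.
SAMPLE_QUARANTINE = r"""
2010-10-13 09:15:31 | C:\WINDOWS\system32\ntmarta.dll | Blocked: malicious process attempting to start
2010-10-13 09:14:02 | C:\WINDOWS\system32\setupapi.dll | Blocked: malicious process attempting to start
2010-10-12 18:40:10 | C:\Documents and Settings\sam\Local Settings\Temp\dl.tmp.exe | Quarantined: Trojan (constructed, before incident)
2010-10-13 09:14:05 | C:\Program Files\PuranDefrag\PuranADT.exe | Blocked: malicious process attempting to start
2010-10-13 09:16:00 | C:\Documents and Settings\sam\Desktop\invoice.exe | Quarantined: Trojan (constructed, user profile)
"""

# Assumption: locations where the bad update hit legitimate OS/program files.
TRUSTED_ROOTS = (PureWindowsPath(r"C:\WINDOWS"), PureWindowsPath(r"C:\Program Files"))
TIME_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class QuarantineRecord:
    when: datetime
    path: PureWindowsPath
    reason: str


def parse_records(text: str) -> list:
    """Parse the constructed 'timestamp | path | reason' layout, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, path, reason = (part.strip() for part in line.split("|", 2))
        records.append(QuarantineRecord(datetime.strptime(ts, TIME_FMT),
                                        PureWindowsPath(path), reason))
    return records


def under_trusted_root(path: PureWindowsPath) -> bool:
    """Case-insensitive prefix match against TRUSTED_ROOTS (Windows paths are case-insensitive)."""
    parts = tuple(p.lower() for p in path.parts)
    for root in TRUSTED_ROOTS:
        root_parts = tuple(p.lower() for p in root.parts)
        if parts[:len(root_parts)] == root_parts:
            return True
    return False


def triage(text: str, window_start: str, window_end: str):
    """Split records into (restore_candidates, hold), each sorted by timestamp.

    A record is a restore candidate only if it was quarantined inside the incident
    window AND its original location is under a trusted root. Everything else is
    held for manual review because it may be a genuine detection.
    """
    start = datetime.strptime(window_start, TIME_FMT)
    end = datetime.strptime(window_end, TIME_FMT)
    records = sorted(parse_records(text), key=lambda r: r.when)
    candidates = [r for r in records if start <= r.when <= end and under_trusted_root(r.path)]
    hold = [r for r in records if r not in candidates]
    return candidates, hold


if __name__ == "__main__":
    restore, hold = triage(SAMPLE_QUARANTINE, "2010-10-13 09:00:00", "2010-10-13 11:00:00")
    print("Restore (inside window, trusted location):")
    for r in restore:
        print(f"  {r.when:{TIME_FMT}}  {r.path}")
    print("Hold for review:")
    for r in hold:
        print(f"  {r.when:{TIME_FMT}}  {r.path}  ({r.reason})")
```

Run it with the incident window set to the hour in which the alerts began; the "hold" list is what still needs a human decision, and a file that reappears in quarantine after a restore (as Sam later reports) belongs there too until the database has been confirmed fixed.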

Disable protection

Delete: X:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref (X:\ is whatever your OS drive is, likely C:)

Set protection to not start on startup (right-click the MBAM tray icon for this option)

Reboot

Launch MBAM; it should see the missing database and download the latest version

From the protection tab enable protection again

Reboot

Okay, it worked.

FYI, upon relaunch, MBAM did not see the missing database and download the latest version, as you indicated it would.

So I tried to update manually and it said I had the most current (v4818).

I enabled protection & told it to load on startup & rebooted.

So far, all seems fine.

I haven't done this on the other machine yet (I have to tear myself away from these computers), but I anticipate the same results.

I feel fortunate that I did not quarantine anything... I chose either Ignore or Disable Protection.

Experience has taught me that much. :(


Your steps worked fine on my second computer.

This time, upon relaunch of MBAM, it saw the missing database and asked if I would like to download a new copy.

YES.

It went from 0 to 4819.

The issue appears to have been resolved at this time, at least for me, as I did not quarantine anything.

Bruce, did the attached zip file help shed any light on this situation?

Thank you for your very prompt assistance with this.

Great support.


After following the suggested steps, MalwareBytes is up and running again on all but one machine, with no further false positives so far. That one machine would not even boot into Safe Mode, and I am now attempting a Repair from the XP setup CD.

On the working machines, I have managed to restore the System and Program Files that were Quarantined.

But on some of the machines, a few of the files that I Restored are showing up on the Quarantine tab again!

I have tried the Restore button several times, but they just come back again in the Quarantine list, even after a reboot. However, these might be "false Quarantines" because the files are actually in the folders where they belong.

Please let me know what steps I should take to clear up the Quarantine list.

I hope someone can figure out how this glitch happened. Let me know if I should submit any more files (the rules.ref is in the Recycle Bin on each computer).

I never would have imagined a computer could get so disabled as a result of any MalwareBytes mishap.

Thanks - Sam
