Hi everybody:

Malwarebytes is one of the best programs out there for detection and removal of Trojans, and in my experience, when Malwarebytes quits unexpectedly, then the system harbors a really bad one. In the current case I have used Malwarebytes for a full scan of the C: disk (Windows 7, fully updated, on a Bootcamp partition on a MacBook Air, 4GB RAM). As shown in the first screenshot (MalwarebyteLoop2Apr2011.jpg) the scan runs into a loop \\\\\\\\\\ (here after hitting C:\Program Files\Adobe\Adobe Device Central CS 5\Players\FlashLite\FLDH31\) and then quits unexpectedly 5 minutes later (cf. screenshot MalwarebyteStopped2Apr2011.jpg). If the folder "Adobe Device Central CS5" is temporarily moved to an external drive, this loop occurs at another location within the C: Windows 7 file system. However, this problem does not happen in safe mode. I have repeatedly deleted and reinstalled Malwarebytes, including the rules file, and I have disabled all other anti-viral programs and firewalls while running Malwarebytes, to no avail. I have screened the same disk with a number of other malware scanners, including Trojan Remover, Norton A360, Sophos Anti-Rootkit, SpyBot, and even Combofix (a kind of dangerous instrument) and no malware has been detected. The same version of Malwarebytes works fine on a Bootcamp Windows 7 partition of another (standard) MacBook Pro, as well as on a Dell Windows XP system. Can somebody help me out here? Many thanks.

fijiblue


Hello FijiBlue,

Please try running the following.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R 

Then restart your computer and it should run for a little while and check all the sectors on the drive.

If it does not run a disk check on reboot please let me know.

Thank you!


Grant:

Following your advice I clicked on START - RUN and copied / pasted the following entry into the box and then clicked OK

CMD /C ECHO Y|CHKDSK C: /R

After the reboot, the system did NOT execute CHKDSK before launching Windows 7.

However, I rebooted from the install disk and entered on the command line prompt CHKDSK C: /R which led to successful execution of the diskcheck and repair.

Thereafter I rebooted normally and ran a Malwarebytes full scan of C:, with the same result, i.e. Malwarebytes enters into a loop and hangs up as described above. Based on other advice from the Malwarebytes forum I also executed sfc /scannow /offbootdir=c:\ /offwindir=c:\windows from the installation disk successfully, but again, after reboot the Malwarebytes C: full scan ran into the same loop.

Any other idea? Thanks, fijiblue


Hello FijiBlue,

Thank you for the concise feedback :)

Let's create a Process Monitor log.

Create a Process Monitor Log:

  • Create a new folder on your desktop called Logs
  • Please download Process Monitor from here and save it to your desktop
  • Double-click on Procmon.exe to run it
  • In Process Monitor, click on File at the top and select Backing Files...
  • Click the circle to the left of Use file named: and click the ... button
  • Browse to the Logs folder you just created and type MBAM Log in the File name: box and click Save
  • Exit Process Monitor and open it again so that it starts creating the logs
  • Re-create the issue.
  • Close Process Monitor
  • Right-click on the Logs folder on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Please attach the Logs.zip file you just created to your next reply

Thank you!
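
The capture procedure above can also be driven from the command line. This is an added example, not part of the original post: it assumes Procmon.exe was saved to the desktop, a current Sysinternals build that accepts these switches, an elevated prompt, and PowerShell 5 or later for Compress-Archive.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumed: Procmon.exe is on the desktop; PowerShell 5+ for Compress-Archive.
$desktop = [Environment]::GetFolderPath('Desktop')
$procmon = Join-Path $desktop 'Procmon.exe'
$logDir  = Join-Path $desktop 'Logs'
$backing = Join-Path $logDir 'MBAM Log.pml'
$zip     = Join-Path $desktop 'Logs.zip'

if (-not (Test-Path $procmon)) { throw "Procmon.exe not found at $procmon" }
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Start capturing straight into the backing file, skipping the filter dialog.
$procmonArgs = '/AcceptEula /Quiet /Minimized /BackingFile "{0}"' -f $backing
Start-Process -FilePath $procmon -ArgumentList $procmonArgs

Read-Host 'Capture running. Reproduce the scan hang, then press Enter'

# Ask the running instance to stop and flush its log, then wait for it to exit.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait
while (Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue) {
    Start-Sleep -Seconds 1
}

# Show how large the capture is before packaging it.
Get-ChildItem -Path $logDir -Filter '*.pml' |
    Select-Object Name, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }

Compress-Archive -Path $logDir -DestinationPath $zip -Force
Write-Host "Attach $zip to the reply."
```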


Grant:

Did as instructed. However, these logfiles are awfully big (>200 MB each) and over ten of them were generated during the process, so I am afraid I can't submit them or even e-mail them. This is not related to MBAM; if I run silent without any applications open, these logfiles fill up as quickly. Could this be part of the problem? Please advise.

Thanks, fijiblue


Grant:

There is another observation I made: When you run Malwarebytes on the system that produces the discussed loop --> quit, the Malwarebytes logo/icon is lost in the Windows 7 dock (i.e. the program / process is represented by the standard generic Windows icon (white with top blue bar and three little specks (red, green, and blue))). The mbam.exe in the folder Malwarebytes' Anti-Malware within Program Files on C: has also lost its distinct icon, unlike mbamgui.exe, which retains its original icon. When you copy mbam.exe to the Desktop, it shows up with the proper red and white M icon, but when you move it back in the Program folder it loses its icon. Could be related or unrelated. Just an observation.

Thanks, fijiblue


Hello FijiBlue,

It appears my instructions did not include UAC information.

Please run a Disk Check on your C: drive in Windows Vista or Windows 7:

  • Click the Start button and type cmd
  • You should see cmd under Programs
  • Right-click on cmd and select Run as administrator
  • Click Continue at the User Account Control prompt
  • Copy and paste the following text in the code box into the black command prompt window and press Enter. Note: you must right click with your mouse to paste the text into the window as CTRL+V will not work:
    echo y| chkdsk %systemdrive% /r

  • Restart your computer and when it loads it will check the hard drive. Don't press any keys, so that it is allowed to do so

Thank you very much!
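
A way to confirm that the disk check was actually scheduled from an elevated prompt and, after the reboot, to read its result. This is an added example, not part of the original post; the `-AfterReboot` switch is a hypothetical name introduced here, and the event lookup assumes Windows Vista or later, where the boot-time chkdsk report is written to the Application log by Wininit as event 1001.

```powershell
# Added example (not from the thread). Save as a .ps1 file and run it twice:
# once before the reboot, and once afterwards with -AfterReboot.
param([switch]$AfterReboot)   # hypothetical switch name

# chkdsk /r on the system drive needs an elevated token (UAC).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Not elevated: start PowerShell with "Run as administrator" first.'
}

if (-not $AfterReboot) {
    # Same command as in the post; "echo y" answers the schedule-on-restart prompt.
    cmd /c "echo y| chkdsk $env:SystemDrive /r"

    # chkntfs reports whether a check is now scheduled for the next boot.
    chkntfs $env:SystemDrive
}
else {
    # The boot-time chkdsk report is logged by Wininit as event ID 1001.
    $report = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 1001
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    if ($report) {
        $report | Format-List TimeCreated, Message
    }
    else {
        Write-Warning 'No boot-time chkdsk report found; the check did not run.'
    }
}
```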


Also, as requested: we do not ask for this often in the General Forum, but please run ComboFix so we can view the log report.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Thank you very much!


Maynard:

Let me first reply to your post from Wednesday. I did initiate CHKDSK from the command prompt (run as administrator) and this time, upon reboot, the system executed CHKDSK -R successfully. I then removed (including the folder in AppData) and re-installed MBAM. I ran MBAM with Norton AV and Firewall OFF. However, the program quit again after entering into a loop.

I then proceeded to utilize MBAM's ignore function to narrow down where the loop happens. Thus I found five locations within the file system where MBAM enters a loop and crashes. These are listed in the screenshot MBAM_IgnoreFinal.JPG, which I uploaded with my reply (I was unable to narrow down further beyond what you see in the shot). If I run a full scan of C: with these five items ignored, the scan proceeds successfully, and no malware is detected. If I screen these items separately (right click --> Scan with Malwarebytes) within their proper position in the file system, the loop initiates immediately. However, if I copy these items (even with equivalent paths) onto an external hard drive (E:) this is not being reproduced; rather MBAM does a very quick scan (perhaps no scan at all?) and says that no malware was found. I have also uploaded the 5 items in the form of two archives, Program Files.rar (4 items) and Program Data.rar (1 item), where these items are contained with their proper paths conserved. Could you check on whether there is a hidden bug?

I am a little hesitant to apply ComboFix, because it issues quite serious warnings and disclaimers, and says that Norton is still on, even though I have it disabled. I'll do a little bit more reading and get back to you on combofix tomorrow.

Thank you, Cheers, fijiblue

Program Files.rar

Program Data.rar


Maynard:

I did the ComboFix scan. It was heart-wrenching, because all the icons disappeared temporarily and Windows stated that pve.exe had crashed. Then ComboFix deleted all kinds of files without prompting for yes or no. However, the scan completed and a log was generated (uploaded to this forum). Windows 7 then restarted properly, and I hope that none of the drivers and applications have been ruined.

Unfortunately I do not understand the content of the log file. Please comment. Thanks, fijiblue

ComboFixFijiblue.txt


Hello FijiBlue,

Thank you very much for the combofix log!

Please remove each of the items from your ignore list. Then update MBAM. Please then run the scan and let me know if the infinite loop occurs again.

Thank you very much!
