
What Is Mbamservice.exe Doing At Boot Time?



WIN 7 SP1 x64, MBAM Pro 1.51.1.1800

I have MBAM Pro set to download definition updates hourly. I have it scheduled to do a quick scan daily in the late afternoon.

What I have observed recently, and always after a cold boot (usually the first of the day), is mbamservice.exe running for an extended period of time with concurrent hard disk access. This activity usually occurs a few minutes after the initial definition update has occurred. The activity goes on for a while, around 2 - 4 minutes.

I know how long a definition update takes; the MBAM log shows approx. 1 minute on my PC, and this activity runs much longer. I would assume it was an MBAM scan running, but I was not aware that MBAM did a quick scan after a def. update?


New day, new initial cold boot.

I have more info I am posting, and I don't like what I am seeing! BTW - the other recent posting of mbamservice being hijacked is right on point.

Today, as expected, MBAM Pro dials out for an update. That update completes, and a minute later another update is initiated. Now I am watching all this in TCPView, and here is what I observed.

Svchost.exe dials out to IP 24.143.196.66 and a connection is established.

Mbamservice.exe starts running, but this time it only runs for a short time and then stops.

Now I know about the above 24.143.196.0 - 24.143.196.255 IP range since I have observed it doing suspicious activities in the past. I check my WIN 7 event logs and, as I expected, I see the following event:

Log Name: System
Source: Microsoft-Windows-DNS-Client
Date: 8/21/2011 8:34:48 AM
Event ID: 1014
Task Category: None
Level: Warning
Keywords:
User: NETWORK SERVICE
Computer: xxx-PC
Description:
Name resolution for the name 66.196.143.24.in-addr.arpa timed out after none of the configured DNS servers responded.

Note that the IP address is a RARP of 24.143.196.66.

It appears this time the connection wasn't established completely, hence the short span of mbamservice.exe's run time.

Now I think an explanation by MBAM is needed as to what the heck is going on here. The activity I am seeing looks very much like a DNS rebind and hijack.

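The event quoted above records a reverse (PTR) lookup: the name 66.196.143.24.in-addr.arpa is the address 24.143.196.66 with its octets reversed, and the warning only says the lookup timed out, not who initiated it or why. Below is an added example (not code from the original post or from Malwarebytes) showing how an analyst would pull the queried names out of a batch of DNS-Client 1014 descriptions, turn the in-addr.arpa ones back into IP addresses, and flag any that fall inside a watched range such as the 24.143.196.0/24 block mentioned above. The sample event descriptions are constructed for illustration; the function and variable names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample descriptions in the format of Microsoft-Windows-DNS-Client
# event 1014 (hypothetical lines, not copied from a real system).
SAMPLE_EVENTS = [
    "Name resolution for the name 66.196.143.24.in-addr.arpa timed out "
    "after none of the configured DNS servers responded.",
    "Name resolution for the name 81.42.18.209.in-addr.arpa timed out "
    "after none of the configured DNS servers responded.",
    "Name resolution for the name updates.example.com timed out "
    "after none of the configured DNS servers responded.",
]

# Four octets followed by the in-addr.arpa suffix (optional trailing dot).
PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$",
    re.IGNORECASE,
)
# The queried name sits between "for the name" and "timed out" in event 1014.
NAME_RE = re.compile(r"for the name (\S+?) timed out")


def ptr_to_ip(name):
    """Map a reverse-lookup name (66.196.143.24.in-addr.arpa) back to the
    IPv4 address it represents (24.143.196.66).

    Returns None when the name is not an IPv4 in-addr.arpa name or the
    octets do not form a valid address (e.g. 300.1.1.1).
    """
    m = PTR_RE.match(name)
    if not m:
        return None
    octets = m.groups()[::-1]  # in-addr.arpa lists octets least-significant first
    try:
        return ipaddress.IPv4Address(".".join(octets))
    except ipaddress.AddressValueError:
        return None


def ip_to_ptr(ip):
    """The opposite direction: the PTR name a resolver would query for ip."""
    return ipaddress.ip_address(ip).reverse_pointer


def flag_reverse_lookups(descriptions, watched_cidrs):
    """Return (ip, cidr) pairs for every 1014 description whose queried name
    is a reverse lookup of an address inside one of the watched CIDRs.

    Forward lookups (ordinary hostnames) are skipped, so a timeout for a
    vendor update host is not confused with a PTR query for a watched range.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in watched_cidrs]
    hits = []
    for desc in descriptions:
        m = NAME_RE.search(desc)
        if not m:
            continue
        ip = ptr_to_ip(m.group(1))
        if ip is None:
            continue  # not a PTR query; nothing to compare against the ranges
        for net in nets:
            if ip in net:
                hits.append((str(ip), str(net)))
                break
    return hits


if __name__ == "__main__":
    for ip, net in flag_reverse_lookups(SAMPLE_EVENTS, ["24.143.196.0/24"]):
        print(f"reverse lookup of {ip} (watched range {net})")
```

On a live system the descriptions would come from the System log (for example via Get-WinEvent filtered on provider Microsoft-Windows-DNS-Client and Id 1014) rather than the constructed list; the parsing and range check are unchanged. Keep in mind that a PTR query is usually issued by whichever process is displaying or logging the address (a connection viewer, a firewall log writer), so the event identifies a lookup, not the process that opened the connection.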

Update.

I am 99% sure my original trial version download of MBAM was compromised. This was downloaded from one of the mirrors on your web site.

Yesterday, I did the MBAM Clean to uninstall, rebooted, and reinstalled from the CD of the boxed version of MBAM Pro I purchased a while back. Updated to the current version and definitions. Also changed my firewall rules to log all TCP activity from svchost.exe.

Did my initial cold first boot of the day and watched everything in TCPView. Lo and behold! No malformed dial-out to 24.143.196.xxx. No DNS Client WIN 7 event log entry for a timeout for an RARP connection to xxx.196.143.24 after the MBAM update completed. No disk scanning with mbamservice.exe running for an extended period of time.

Did see a connection to IP 209.18.42.81 which I had observed previously. I am hoping this is one of your IPs, since this svchost.exe connection (TCP port 80 outbound) appears to have slipped through my firewall; I have no log entry for it.


Root Admin

Did see a connection to IP 209.18.42.81 which I had observed previously. I am hoping this is one of your IPs, since this svchost.exe connection (TCP port 80 outbound) appears to have slipped through my firewall; I have no log entry for it.

Well that IP does not appear to be one of ours from the Content Delivery Network.

Name: 209-18-42-81.chi10.tbone.rr.com
Address: 209.18.42.81

Instead of guessing whether you're infected or whether there is an issue, I would highly recommend you follow the instructions below, and someone will be happy to assist you in checking to see if you're possibly infected.

We don't do actual malware detection and removal in this General forum - it is done in the HJT forum, where others are not allowed to interfere with your post and a helper.

If you think you are infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

You have 3 Options that you can choose from as listed below:

  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.

  • Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

  • After posting your new post, make sure under options you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.

  • One of the expert helpers there will give you one-on-one assistance when one becomes available.

  • Please refrain from making any further changes to your computer such as (Install/Uninstall programs, use special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.

NOTE:

Please DO NOT post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count, and helpers are looking for topics with zero replies. If you reply to your own post, helpers may think that you're already being helped and thus overlook your post.

  • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.

    Or

  • You may send a Private Message to a Moderator asking for assistance.

OPTION 2

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or here.

OPTION 3

If you would like to use our Malwarebytes Premium Services (comprehensive solutions to all your computer support needs, from installation and set-up to troubleshooting and tune-ups), go to our Malwarebytes Premium Services support site.

Please be patient, someone will assist you as soon as it is possible.

PS: Please use the "ADDREPLY" button instead of other ones when you start replying. :)
