Malwarebytes

I have two questions X.X


13 replies to this topic

#1
HoverButter

    New Member

  • Members
  • Pip
  • 11 posts
  • Gender:Male
Hi guys. I actually posted this on bleepingcomputer.com, but I posted it in the wrong section. My question: Why does Malwarebytes indicate that I'm on [limited] access when I'm scanning as an administrator? For example: http://forums.malwar...owtopic=114233. The log here says "Zeroes :: ROOT [admin]", but when I scan, it says [limited]. Also, after I scan with HJT, when I try to click on AnalyzeThis, it shows me an error that says "No Internet Connection Available". Is the button malfunctioning? I can access the internet perfectly and I don't think it's a malware issue.

#2
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 26,915 posts
  • Gender:Male
  • Location:US
Hello HoverButter and Welcome to Malwarebytes

In order to assist you better and determine what's really going on, if the post you linked to does not answer your question, please post the following logs for us to check on for you.

Please create an mbam-check log:

  • Download mbam-check.exe from here and save it to your desktop
  • Double-click on mbam-check.exe to run it; it should then open a log file
  • Please do not copy and paste the entire contents of the log into your next post; instead, please attach the log CheckResults.txt file, which should now be located on your desktop, to your next post


Please run a Quick Scan with Malwarebytes and post back that log as well.


Next, please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop
dds.scr
dds.com


Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded, you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double-click dds.scr or dds.com to run the tool. On Vista or Win 7, right-click and select Run as administrator.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment.
When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
Save both reports to your desktop.
Please include the following logs in your next reply: DDS.txt and Attach.txt
You can ignore the note about zipping the Attach.txt file in most cases.

Thanks
Ron Lewis
Manager, Online Support


#3
HoverButter

Hi AdvancedSetup! Thanks for replying. Logs are attached.


#4
HoverButter

Oops, I forgot to attach the dds file.

Attached Files

  • Attached File  dds.txt   21.4K   16 downloads


#5
AdvancedSetup

You should back up your registry and then go in and remove all these entries from the compatibility mode in the Registry and then reboot and see if you're still having an issue or not.
If you need further directions please let us know.


Compatibility Flag Settings (Any MBAM file listings should be removed):
=======================================================================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
c:\program files (x86)\warcraft iii\war3.exe    REG_SZ    DISABLEUSERCALLBACKEXCEPTION
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe    REG_SZ    RUNASADMIN
C:\Program Files (x86)\OGPlanet\RumbleFighter\RUMBLEFIGHTER.EXE    REG_SZ    DISABLEUSERCALLBACKEXCEPTION
C:\Users\Owner\Desktop\mmSeq120b7-Setup.exe    REG_SZ    WINXPSP2
C:\Program Files (x86)\Than Long\Uninstal.exe    REG_SZ    WINXPSP2
C:\Users\Owner\Desktop\Skype PTT 1.01 Beta\SkypePTT.exe    REG_SZ    RUNASADMIN
C:\Users\Owner\Desktop\WinRAR\Game Boy Advance\VisualBoyAdvance.exe    REG_SZ    RUNASADMIN
C:\Users\Owner\Documents\A+\Games\3MLE\3MLE.exe    REG_SZ    VISTASETUP RUNASADMIN
C:\Users\Owner\AppData\Local\Temp\Temporary Internet Files\Content.IE5\7ARG32CN\startuplite-setup-1.07.exe    REG_SZ    VISTARTM

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
C:\Program Files (x86)\OGPlanet\RumbleFighter\RumbleLauncher.exe    REG_SZ    RUNASADMIN
C:\Program Files (x86)\OGPlanet\RumbleFighter\gemdumploader.exe    REG_SZ    RUNASADMIN
C:\Program Files (x86)\OGPlanet\RumbleFighter\rumblefighter.exe    REG_SZ    RUNASADMIN
SIGN.MEDIA=18A6224 NEBULA\nebula.exe    REG_SZ    #
C:\Program Files\FRAPS\fraps.exe    REG_SZ    RUNASADMIN
C:\Users\Owner\Desktop\VirtualDub\Veedub64.exe    REG_SZ    RUNASADMIN
C:\Program Files\Riot Games\League of Legends\lol.launcher.exe    REG_SZ    RUNASADMIN
C:\Program Files (x86)\Warcraft III\Frozen Throne.exe    REG_SZ    RUNASADMIN
C:\Users\Owner\Desktop\NOBODY.exe    REG_SZ    RUNASADMIN
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE    REG_SZ    RUNASADMIN
C:\Users\Owner\Desktop\WinRAR\Game Boy Advance\VisualBoyAdvance.exe    REG_SZ    WINXPSP3
C:\Program Files (x86)\Kill3rCombo\Elsword\elsword.exe    REG_SZ    WINXPSP3 RUNASADMIN
C:\Program Files (x86)\TeamSpeak 3 Client\ts3client_win32.exe    REG_SZ    RUNASADMIN
C:\Program Files (x86)\Silkroad\sro_client.exe    REG_SZ    ELEVATECREATEPROCESS
C:\Users\Owner\Documents\A+\Tool\Magnifier.exe    REG_SZ    WINXPSP2
C:\Program Files (x86)\Planetside 2\LaunchPad.exe    REG_SZ    DISABLETHEMES DISABLEDWM RUNASADMIN
C:\Program Files (x86)\Planetside 2\PlanetSide2.exe    REG_SZ    DISABLEDWM
C:\Program Files (x86)\Origin Games\Battlefield 3\bf3.exe    REG_SZ    DISABLEDWM
C:\Program Files (x86)\GooTool\bin\gootool.exe    REG_SZ    RUNASADMIN
C:\Program Files (x86)\CCleaner\CCleaner64.exe    REG_SZ    RUNASADMIN

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
C:\Program Files (x86)\BrawlBusters(EN)CBT\bin\PbLauncher.exe    REG_SZ    RUNASADMIN

Ron Lewis
Manager, Online Support
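
The backup-then-remove procedure from post #5, as an added PowerShell example that is not part of the original thread and is not Malwarebytes' own tooling. The script parameters (`Pattern`, `BackupDir`, `Remove`), the default pattern and the backup folder name are this example's own assumptions; without `-Remove` it only exports each Layers key and lists what it finds.

```powershell
# Added example: audit AppCompatFlags\Layers and optionally remove one program's entries.
# Run from an elevated prompt if HKLM values are to be removed.
param(
    [string]$Pattern   = '*\mbam.exe',   # assumption: value names are full executable paths
    [string]$BackupDir = "$env:USERPROFILE\Desktop\LayersBackup",   # hypothetical folder
    [switch]$Remove                      # without this switch nothing is deleted
)

# The three hives that appear in the compatibility flag listing.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$i = 0
foreach ($key in $keys) {
    $i++
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key may not exist on this system

    # reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
    $native = $key -replace '^(HK..):\\', '$1\'
    & reg.exe export $native (Join-Path $BackupDir "Layers$i.reg") /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $native failed; nothing was changed." }

    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $hit = $name -like $Pattern        # -like is case-insensitive
        # Emit one row per value so the result can be piped to Format-Table or Export-Csv.
        [pscustomobject]@{
            Key     = $native
            Program = $name
            Flags   = $item.GetValue($name)
            Match   = $hit
        }
        if ($hit -and $Remove) {
            # Escape wildcard characters such as [ ] that can occur in file paths.
            $safe = [System.Management.Automation.WildcardPattern]::Escape($name)
            Remove-ItemProperty -LiteralPath $key -Name $safe
        }
    }
}
```

Each exported `.reg` file can be re-imported to restore the key; reboot after removing entries, as the post advises.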


#6
HoverButter

Yay! I removed the registry files and mbam is scanning as administrator now :D I just have a few more questions.

Is it malware that added those registry files?

Is it ok for me to delete registry files in regedit at a later time (the registry files you listed were all the files in those particular folders)?

Is the HJT problem normal?

I have a long startup time, even though there are few startup items in msconfig and nothing on startuplite that indicates unnecessary startups. Someone suggested that I use http://technet.micro.../bb963902.aspx. I've only deleted a few entries that I know are safe. Sometimes I have a drastically longer startup time and the screen will flicker for 1 second. I'm not sure if that indicates hardware failure. Thanks for your help!

#7
HoverButter

Oops, I have one more question. :o

Before and after the registry fix, Malwarebytes' quick scan would freeze at ~17 seconds, scanning around ~1160 files, and unpause at ~39 seconds at ~1200 files (this only applies to the first scan after rebooting; the first scan would take around 3 mins and subsequent scans are dramatically faster, finishing in 48 seconds). The number of scanned files seems to fluctuate depending on the scan. No scan has the same number of files scanned. Is this normal?

#8
HoverButter

I forgot to include that before registry deletion, my mbam definition updates were quite small (~6-7 kb). Now it downloads 6679.41 mb every time.

#9
AdvancedSetup

Well I don't suggest using MSCONFIG as a Startup Manager. It is a diagnostic tool that can't easily be used as a diagnostic tool when it's being used as a startup manager tool.

I would recommend this tool (which may be what you linked to but your link is broken) Autoruns for Windows - By Mark Russinovich and Bryce Cogswell

In any case... it sounds like you might possibly have a bit more going on there that may require Expert assistance. Please follow the advice from here: Available Assistance for Possibly Infected Computers and one of the Experts will help you check on your system further.

Thanks
Ron Lewis
Manager, Online Support


#10
HoverButter


AdvancedSetup, on 19 January 2013 - 06:14 PM, said:

Well I don't suggest using MSCONFIG as a Startup Manager. It is a diagnostic tool that can't easily be used as a diagnostic tool when it's being used as a startup manager tool.

I would recommend this tool (which may be what you linked to but your link is broken) Autoruns for Windows - By Mark Russinovich and Bryce Cogswell

In any case... it sounds like you might possibly have a bit more going on there that may require Expert assistance. Please follow the advice from here: Available Assistance for Possibly Infected Computers and one of the Experts will help you check on your system further.

Thanks

Yeah, that's the link xD. I guess I'll go with option 1.

#11
HoverButter

MBAM is running as [limited] again. I don't know what's going on. :mellow:

#12
AdvancedSetup


AdvancedSetup, on 19 January 2013 - 06:14 PM, said:

In any case... it sounds like you might possibly have a bit more going on there that may require Expert assistance. Please follow the advice from here: Available Assistance for Possibly Infected Computers and one of the Experts will help you check on your system further.

Thanks

Ron Lewis
Manager, Online Support


#13
HoverButter

Oh, sorry. Thanks for your help AdvancedSetup!

#14
AdvancedSetup

No problem. You're quite welcome.

Good luck and take care

Ron Lewis
Manager, Online Support





