Jump to content

on-demand scan always reports "Objects Scanned: 0"


Recommended Posts

Hello,

 

I am running Win7 Hoime Premium and MBAM 2.00.0.1000.

 

Every time I do a on-demand scan thru the right-click context menu, I always see the same thing.

It pops up the MBAM scan window and appear to scan something(it is NOT instantly done), however it always reports "Scanned Objects: 0"

 

Did it really scan the file I told it too?

(screen shots below)

 

Any help is appreciated!

 

Thanks,

brino

 

post-159632-0-97656100-1396207130_thumb.

post-159632-0-26497800-1396207145_thumb.

Link to post
Share on other sites

First, thanks for the welcome and suggestions. I have been a MalwareBytes user for many years, but only created this user account today as this is my first real problem/question.

 

Sorry for the delay in replying. During testing of some of the ideas above, I actually forced MBAM to scan something with adware in it and when I hit "quarantine" it rebooted the PC!!!! Of course at that point I had a long reply all type and ready to post.......here we go again.....this time saving it in a txt file as I go....(as I don't see a "save draft" button here)

 

Here's a list of file paths that give a result of "Scanned Objects: 0":

X:\Windows_Apps\Unlocker\unlocker1.8.7.exe

X:\Windows_Apps\Foxit_pdf_reader\FoxitReader30_enu_Setup.exe

X:\Windows_Apps\anti_Virus_Spyware_Malware\MalwareBytes\mbam-setup-1.75.0.1300.exe

 

X drive is my NAS, I am currently connected as a read-only user.

 

Interestingly, I started checking other files and do see some that enumerate properly.

Here's a list of file paths that give a "Scanned Objects: 1" (tested one at a time of course):

C:\Users\Brian\Downloads\mbam-clean-2.0.2.0.exe

F:\to_backup\system_rescue_CDs\BitDefender_Rescue_CD\ir052.exe

E:\Utilities\FoxIt_PDF_reader\FoxitReader514.0104_enu_Setup.exe

 

C and F drives are my internal hard drives.

E drive is a USB flash drive.

 

Issue #1

The pattern I see is that it counts properly on local drives, but not on remote ones like my NAS.

However, I just tried scanning an exe file on my son's PC that I have read-only access to over the network.

That resulted in a "Scanned Objects: 1" as well.

So apparently scans on remote PC's work, just not my NAS.

 

Issue #2

One other issue is that nowhere in the log file does it actually say what file it scanned.

If I remember correctly that info was available in version 1.75...wasn't it?

 

Finally I wanted to determine :

-if MBAM did the scan but didn't count the file or

-if it really did NOT scan what I told it to

 

I copied the file "unlocker1.8.7.exe" from the NAS to a folder on my desktop.

When I did the right-click, on-demand scan it did find "Adware.Clicker" as expected.

Issue #3 : But it rebooted the PC when I told it to quarantine!

 

Issue #4

This proves that MBAM 2.0 is not scanning exe files on my NAS.

 

This could be dangerous for anyone that keeps backup of install programs on network drives.

If you scan things there and don't look closely at the results it looks like everything was clean, but it did NOT scan your files!

It reports "Scan completed successfully" but that was only for the "Pre-scan Operation" as it did not do any "Filesystem Object" scan!!!!

 

I hope this helps!

Thanks,

brino

Link to post
Share on other sites

Until Rich returns....

I just scanned some files on a network drive (which the share is on a NAS) and It scanned 6 objects...

In the mean time can you provide the following logs so they can be reviewed by staff....

STEP 1

NOTE: If you have Win8/8.1 Skip Step 1 and go to Step 2 as DDS does not work on Win8/8.1

Please run the DDS scanner and send back both logs as attachments to your next reply.

Download DDS from one of the locations below and save it to your Desktop:

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.

Then double click dds.scr or dds.com to run the tool.

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include both of the following logs in your next reply as an attachment: DDS.txt and Attach.txt
  • You can ignore the note about zipping the Attach.txt file and just post it or attach it.
STEP 2

Please run mbam-check and send back the log as an attachment to your next reply.

  • Download mbam-check.exe from HERE and save it to your desktop
  • Double-click on mbam-check.exe to run it, it should then open a log file
  • Please do not copy and paste the entire contents of the log into your next post; instead please attach to your next reply the CheckResults.txt log file which should now be located on your desktop.
STEP 3

Please run the FRST tool and send back both logs as attachments to your next reply.

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system - that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your next reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your next reply.
Link to post
Share on other sites

Hi Firefox, thanks for your attention.

 

Would you rather have me collect all the logs that you asked for in post #5, or do the clean install you suggested in post #2?

 

Either way takes a little effort, but if the debug data is useful to the development/support of MBAM I will certainly provide it.

However, if the data collection is of little long-term use I may just do the clean install, which may fix the problem and I'm guessing destroy all the evidence.

 

It's your call!

 

Thanks,

brino

Link to post
Share on other sites

Hi Guys,

 

Having a few PC's each with it's own full MBAM pro license gave me some ideas. I tried a few things but did NOT get the results I expected.

Lets call my main PC that we've been discussing up to this point PC1.

 

Step 1 - On PC1 I did the "MBAM Clean Removal Process" to the letter, including turning off my antivirus and rebooting.

 

Step 2 - On PC1 I reinstalled MBAM 1.75 to answer shadowwar's question in post #8 again with antivirus off and rebooting after, as in the guide.

 

What I see is that MBAM 1.75 shows "The scan completed successfully. No malicious items were detected" and "Objects scanned: 0".

This is when I scan the same file "X:\Windows_Apps\Unlocker\unlocker1.8.7.exe" that I know has some adware in it.

I am 90% sure that my original MBAM 1.75 install did actually scan files on my NAS.

 

Step 3 - I went to PC2, this one is WinXP SP3, and is seldom used, so I had not upgraded to MBAM 2 yet.... On PC2 MBAM 1.75 absolutely does scan the same exe file on my NAS because it comes back with a "hit" on "Adware.Clicker". It is also using a read-only user account on the NAS.

 

Step 4 - I went to a third machine PC3 that is Win7 and I cannot get MBAM 2 to run. I tried it with right-click menu as "guest", I tried it as "admin". I rebooted and tried again, I turned off the other virus/malware product and tried again. I tried starting MBAM from the Start menu, everytime I get:

post-159632-0-56145100-1396402865_thumb.

 

With PC1 my intent is to run the Clean Removal again, but to install MBAM 2, I had originally installed MBAM2 "over" MBAM 1.75.

If that still has problems I will get all the logs asked for in post #5.

 

WIth PC3, I guess I'll do the same, that was also an install of MBAM 2 "over" MBAM 1.75.

 

Hopefully I can get the cleans and reinstalls done tonight, these computers are used by my family, and I am trying to train everyone to scan things before they run them. It will be a setback if the scanning tools aren't working.....

The logs(if required) will not be tonight.

 

Thanks for the support!

Link to post
Share on other sites

okay last update for the day.......

 

After doing clean remove and reinstall of MBAM 2.0 on PC1 and PC3 both are acting the same. They both report "The scan completed successfully. No malicious items were detected" and "Objects scanned: 0". That's for a right-click scan of the same file: "X:\Windows_Apps\Unlocker\unlocker1.8.7.exe" that I know contains adware.

 

Further, I tested one more PC. Let's call it PC4, it is WinXP SP3 but this one gets used more often and so was upgraded to MBAM 2.0.

It properly detects "Adware.Clicker" in the same file.

 

So basically, the results seem split along OS lines......two Win7 machines do not detect it; while two WinXP machines do detect it.

One of those WinXP machines is running MBAM v1.75 and the other has MBAM v2.0.

 

With PC1, even after a clean remove and "downgrade" to v1.75 it did not detect it.

How certain are we that the clean removal removes all traces of MBAM v2?

I still believe that v1.75 did actually scan files on my NAS.

 

BTW, I doubt it matters, but the NAS is a D-Link ShareCenter, model DNS-320, firmware version 2.00.

 

When I get some more time to play, I will get the logs asked for in post #5 from PC1.

 

Thanks for "listening".......

 

brino

Link to post
Share on other sites

Okay, I finally got some time to run these things.

All these logs are from "PC1" my main PC.

 

Here are the logs from dds.com:

DDS.txt

Attach.txt

 

Here is the log from mbam-check.exe:

CheckResults.txt

 

Here are the log files from FRST64.exe:

FRST.txt

Addition.txt

 

My son will be home this weekend with his laptop; another Win7 machine, but it is still on MBAM v1.75, so I will be able to get another data point.

 

Thanks again for the help!

brino

 

Link to post
Share on other sites

This computer is having more issue that can be worked on in this section of the forum. Also the logs are not complete. You are also showing signs of a rootkit infection.

You also seem to be running more than one Antivirus program on this computer. That's not a good idea as that can cause even more problems.

Its going to be best to have an expert help you get it all sorted out by following the instructions below....

Being that you are probably infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you

Link to post
Share on other sites

Thanks Firefox, I have followed your advice (and your link) and sent a request off to the support group.

 

One more data point:

My son's laptop has Win7 Home Premium and MBAB 1.75, and finds the Adware.Clicker in the same file on the NAS.

 

So, based on what I have seen it appears that:

-MBAM 1.75 properly scans and identifies problems with files on my NAS (on WinXP and Win7)

-major: MBAM 2.00 does not properly scan files on my NAS, and therefore misses the problem

-major: doing a clean uninstall of MBAM 2.00 and re-installing MBAM 1.75 does not fix the problem

 

I admit all this cannot be 100% verified because I upgraded most machines to MBAM 2.00 before running this test, because I did know about the problem!

 

Thanks again for your help!

 

brino

Link to post
Share on other sites

  • 3 months later...

Sorry for the delay in reporting back. I meant to follow-up here with the outcome of my support ticket.

 

After a few weeks of generating logs, cleaning-up files and turning off other programs options(*), we finally got to the heart of the issue.

 

Basically Win7 has some file permission restrictions that do NOT allow MBAM to scan a file on a network drive.


I originally noticed this behaviour when I upgraded from MBAM version 1.75 to 2.00.0.1000. Initially, I thought the problem was with the new version of MBAM.

 

After a few weeks going thru a support ticket "Request #427533 right-click on demand scanning a file on NAS does not work" we determined that it was NOT an MBAM v1.75 vs. MBAM v2.00 issue, but instead a difference between WinXP and Win7!

 

On WinXP both MBAM v1.75 and v2.0 can scan a file on a network drive.

On Win7 neither MBAM v1.75 or v2.0 can scan a file on a network drive.

Therefore I am convinced that it is an OS permissions issue.

 

It is dangerous, because the pop-up _looks_ like it scanned and says all okay, but if you look closely it reports "Objects scanned: 0".
It is very easy to miss it because it still takes time to run the "prescan", and the results screen has a green banner reporting "Scan completed successfully! No malicious items were detected!".

 

Good Luck and Stay Safe!

-brino

 

 

(*) many items in the registry that looked really "wrong" to the support person were some rules generated by CryptoPrevent from FoolishIT.

See http://www.foolishit.com/vb6-projects/cryptoprevent/.

CryptoPrevent is an amazing program that seeks to block execution of a number of infection vectors. It started out as a prevention against the CryptoLocker malware, but really has many more uses.

 

It can block execution of files like "runme.jpg.exe". How could that be useful? Many malware executables are spread as email attachements. Many not only fake their icons to look like a harmless picture, music or pdf files but also are named like photo.jpg.exe, song.mp3.exe, or document.pdf.exe. On computer systems set to "hide extrension of known file types" these bad files cannot be distinguished by icon or file name and may accidentally get executed.

 

CryptoPrevent can also block running programs from "data" driectories, and this may cause hiccups with poorly written software. CryptoPrevent supports whitelist to help get aroud this issue.

 

The way CryptoPrevent works is by injecting software restriction policies directly into the OS.

Typically only "professional" versions of Win7 allow this kind of rule creation, leaving us "home" users out of luck.

However CryptoPrevent can create the same rules and  works with any version of Win7(and others).

 

I am not associated with FoolishIT or CryptoPrevent, just a happy customer and big fan of clever solutions to common problems.

 

See also: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.