
Rootkit? Malwarebytes is unable to load the anti-rootkit dda driver


7 replies to this topic

#1 z3n_Force (Members, 22 posts)

Posted 31 March 2018 - 07:34 PM

I'm getting this message. Not sure whether it's a legitimate threat or a mistake on Malwarebytes' end?

[attached screenshot: mcLvBkA.jpg]

I ran a TDSSKiller scan (AdwCleaner as well) just to see if anything came up. There was nothing flagged (aside from Auslogics Disk Defrag flagged by AdwCleaner as a PUP; apparently they have bad business practices?).

I'm running a Kaspersky full scan as well and waiting for the results on that.


Edited by z3n_Force, 31 March 2018 - 07:44 PM.


#2 buddy215 (Moderator, 13,506 posts)

Posted 31 March 2018 - 08:03 PM

I recall something about Avast may cause that error...do you have Avast installed?

That is a legit error notice. I attempted to find a fix for that at Malwarebytes Forum. The latest looks like the staff member gave up.

MB 3.3 Anti-Rootkit DDA Driver - Malwarebytes 3 - Malwarebytes Forums. You can try some of the recommendations in that topic.

Another one goes back to 2016 and some other scans were run to clean, remove adware and malware along with using a tool that can't be used in this forum....only in the malware removal forum.

You can try running the programs below and then reinstalling Malwarebytes by following the directions in the link above for using the special tool for complete removal of Malwarebytes first.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 z3n_Force (Topic Starter, Members, 22 posts)

Posted 31 March 2018 - 08:19 PM

I'm using Kaspersky and had to add Malwarebytes as an exception, or it ended up freezing my computer.

I ran CCleaner; the Kaspersky scan isn't done yet. So I'll wait and run ESET tomorrow or later on unless you suggest otherwise.



#4 buddy215 (Moderator, 13,506 posts)

Posted 01 April 2018 - 06:08 AM

You can forgo the ESET scan. Kaspersky is good enough.

Have you looked at the info in the link I gave for a Malwarebytes topic on your problem?

If so, have you reinstalled Malwarebytes after uninstalling per instructions in that topic?



#5 buddy215 (Moderator, 13,506 posts)

Posted 01 April 2018 - 10:52 AM

More recent discussion on this error/problem: Unable to load DDA driver Malwarebtes 3.4.4 - Malwarebytes 3 - Malwarebytes Forums



#6 z3n_Force (Topic Starter, Members, 22 posts)

Posted 01 April 2018 - 10:53 AM

That's so odd. I just booted up my computer this morning and nothing appears to be wrong with it (even though numerous reboots yesterday didn't resolve the issue).

If it happens again I'll try to reinstall it, thanks.

edit: Just saw the other link; it seems like there was a similar result for someone else.

Thanks again!


Edited by z3n_Force, 01 April 2018 - 10:54 AM.


#7 buddy215 (Moderator, 13,506 posts)

Posted 01 April 2018 - 10:58 AM

Could be the Thursday patch helped.

New patch upgrade for Malwarebytes for Windows: v. 3.4.5.

We've started rolling out upgrades for this version via in-app upgrades. If you don't want to wait to be notified by the program that your upgrade is available you can always grab the upgrade manually by clicking Install Application Updates in Settings > Application (if you're running MB 3.2 or later). The updated installer is also available for download now from the main Malwarebytes website.

You're welcome....



#8 tp5000 (Members, 1 post)

Posted 06 May 2018 - 04:01 PM

Windows rootkit detectors are totally useless. Their creators seem to think that building a rootkit detector is the same as making a virus scanner and that the Trojan file will be existing somewhere within the logical filesystem. In reality rootkit trojans are like death adders: they find their hidden location within secluded Windows disk management folders that you cannot see with your average file explorer, where the security permissions are denied to you. A program like R-Studio would give you access to one hiding location like C:\$Extend. They are known to be dynamically self-encrypting, so it's possible a virus scanner would even overlook them.

Mostly rootkit executables get hidden within unpartitioned space. There would be some discrepancy between the layout of the physical and logical appearance of the drives. A rootkit, which has altered the master boot record to be the first program loaded when you switch your computer on, has loaded up some special hooks that are preventing you from accessing parts of that logical disk. That's why they get really uptight about you using disk programs to access the disk directly, physically. That might expose unusual phenomena; the computer blue screens. Also, regardless of how you set your boot options hierarchy in the BIOS, that MBR-infected drive will be the first thing that actually runs, though once it loads its hooks, it fools you into thinking that boot order was actually followed.

It's all about interfering with the Windows file access DLL functions. These will ensure you never access the location of the some 200 000 bytes that represent the rootkit exe on the hard drive, but also create subterfuge profiles for virus scanners. Instead of preventing the scanner from running, which is suspicious, it will track the location on the HDD where the virus database is being stored. Then the file access functions that it is hooking and interfering with automatically produce false data when that virus scanner reads its virus database, though that false data still has some checksum validation to it.

Those rootkits do slip up, and you will notice unusual blue screens of death, which is unheard of in this day and age.
The best rootkit detector is Linux Debian installed onto a flash drive, though that installer is still susceptible to hooks and will crash out if any hooks have been loaded. There is an option in many BIOSes where you directly run a drive and it doesn't inadvertently run an MBR-infected drive accidentally.

Once Linux loads, it will show a drive with these folders you never used to be able to view. But if you do suspect an MBR-infected drive, don't plug in the SATA cable. Hard drives are theoretically hot-swappable and it is possible to plug in the SATA cable once Linux or Windows has loaded up, assuming you've disabled autorun and there aren't any code-running vulnerabilities from stupid stuff like Windows showing an icon file from that drive that is exploiting a code-running exploit. That's how Stuxnet got stuff autorunning, with a rogue icon file or something. But yeah, it's these formidable hooks loading up when the BIOS starts. It starts with hooks, then it starts changing your winload.exe file, disabling integrity checks, changing your network settings. Whoever makes these rootkits, they are real dangerous programmers.
