Was able to start MBAM after using Chameleon, want to check is everything's fine


Hi,

The AV on my system caught a malware from a pendrive. I cleaned it, removed a few music files from there, and formatted the pendrive. When I went to run MBAM after this incident I found that I wasn't able to run it (MBAM): later I tried running Chameleon, without success. However, after that exercise, I found I could run MBAM. No issues/threats identified. 

I ran a few tests as per this post. Also, before creating this topic, I went through this.

Should I be getting a confirmation as to whether everything's fine? If yes, I would request your help.

I am mentioning the details below.

Thanks and regards: SRoy

  1. MS Windows Defender caught a malware on a USB on my system (Windows 10 Pro, 64 bit): screenshot: 1_Malware from USB.png (attached)
  2. System appeared slow, especially in areas of Explorer integration: opening a file from (say) Notepad, creating a new folder from there (file open dialog box), etc.
  3. Tried running MBAM, but failed. Its icon would show in the notification area and disappear in a few seconds.
  4. Went to the folder to check; mbam.exe was having some issues with permissions.
  5. (Searched on the net.) Stumbled upon Chameleon, ran it through the CHM file.
  6. All 13 were unsuccessful. Sample screenshot: 2_Chameleon 13 results.png (attached)
  7. After this I tried running MBAM, it ran, and completed the scan (with Scan for rootkits option enabled). No issues found.
  8. (After that) I ran a few tests from this post (Note- there were no issues with shortcuts/scheduled tasks):
    1. rkill.exe (Log: 3_Rkill.txt - attached)
    2. exehelper.com (Log: 4_exehelperlog.txt - attached)
    3. FixDamage.exe
    4. Malwarebytes Anti-Rootkit Supplement (Log: 5_mbar system-log.txt - attached)
  9. Then I ran the tests from this post:
    1. FRST 64 bit: (Files: 6A_FRST.txt, 6B_Addition.txt: both attached)
  10. If you need more specific information, kindly let me know.

1_Malware from USB.png

2_Chameleon 13 results - Copy.png

3_Rkill.txt

4_exehelperlog.txt

5_mbar system-log.txt

6A_FRST.txt

6B_Addition.txt


  • Root Admin

Hello @SRoy

Let me have you run the following, please.

 

Please download and run the following Kaspersky tool to remove any found threats

Kaspersky Virus Removal Tool

 

 

Please read the following article concerning the use of MSCONFIG and Reset MSCONFIG back to Normal
Msconfig Is Not A Startup Manager

Then restart the computer and run the following.

 

Please read the following topic and then run the Malwarebytes Clean Removal tool mb-clean

https://forums.malwarebytes.com/topic/196955-malwarebytes-mb-clean-tool/

The download link for the tool is:  https://downloads.malwarebytes.com/file/mb_clean


Restart the computer when done and reinstall Malwarebytes 3 with the latest build again.

Here is the link for the latest installer
https://downloads.malwarebytes.com/file/mb3


Thank you

Ron

 

Edited by AdvancedSetup

Done, no error. However, EMET 5.51 is giving errors ('EMET detected SimExecFlow mitigation and will close the application') for AcroRd32 and Office programs. Screenshot attached for reference. Found a mention linking Malwarebytes' upgrade with this error, but without a solution.

Thanks a lot for your help.

Error - AcroRd32.png

Error - Excel (1).png

Error - Excel (2).png


Hi Ron: Regret the late response.

Attaching the log file (Zipped).

On a side note, I noticed that my response from Wednesday does not have a covering note, only the screenshots etc. I am positive that I had added a note explaining the images etc. Is it possible to edit a post (so that I could add that note)?  TIA

mbae-default.zip


  • Root Admin

Hi Roy,

The log appears to be corrupt. When I open with Notepad or UltraEdit it looks more like a binary file than a text log file.

Can you please restart the computer one more time and then grab us all of the logs per this topic below so we can review.

Thanks

Ron

 


Hi Ron:

I am working on this:

  1. On restart, MBAM gave an error: 'Cannot connect to service'. Restarted the system again, same error. Opened services.msc; the Malwarebytes service was in status 'stopping'. Killed the process from Task Manager, renamed the logs folder to logs.org, and created a new logs folder in "C:\ProgramData\Malwarebytes\MBAMService\". Restarted the service, started MBAM, and started a scan (no issues identified; log attached: Log-01May17-001.txt). Checked the service logs; mbae-default still has binary content.
  2. FRST logs attached.
  3. MB-Check logs attached.

Kindly confirm if you would still want me to attach the zipped logs folder from ProgramData.

Thanks and regards, SRoy

MBAM error on startup.png

Log-01May17-001.txt

Addition.txt

FRST.txt

MB-CheckResult.txt


  • Root Admin

No, something odd still going on there.

Please go ahead and run a new clean removal, but this time download and install the latest 3.1 beta we put up.

 

You can download the new beta from here

NEW BETA!  Malwarebytes 3.1.0.1716
https://forums.malwarebytes.com/topic/200230-new-beta-malwarebytes-3101716/


Then let me know if you're still having issues with this version.

Cheers

Ron

 


  • Root Admin

Please try the following and see if it helps with disk utilization.

 

1. Open a CMD window as an Administrator on the target server and enter the following commands:

  • cd %windir%\system32\
  • lodctr /R
  • cd %windir%\sysWOW64\
  • lodctr /R

    Note: This should not affect performance on the machine. This command resyncs the counter values.

2. Open up Regedit and navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfProc\Performance

3. Make sure that the value (if it exists) for Disable Performance Counters is not 1. If the entry does exist and is 1, change it to 0 or delete that entry within the key. ** PLEASE NOTE ** Make sure you contact your system administrator before making changes to the registry, and make sure that you back it up before you delete it.

4. Note: After completing the Microsoft instructions, a reboot is required.

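The same four steps as one PowerShell script, added here as an example; it is not Ron's code and not a Malwarebytes tool. It takes the "back it up before you delete it" note literally by exporting the PerfProc key with reg.exe before touching it, changes the Disable Performance Counters value only when it is actually 1, and then runs lodctr /R from both counter stores. It assumes an elevated PowerShell session on Windows 10 with the standard %windir% layout; the backup file name and its location under %TEMP% are my own choices, and the function name Test-PerfCountersDisabled is hypothetical.

```powershell
# Added example (not part of the thread or of Malwarebytes' tooling).
# Assumes an elevated PowerShell session on Windows 10 and the standard
# %windir% layout; the backup file name and location are my own choices.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PerfProc\Performance'
$regExport = 'HKLM\SYSTEM\CurrentControlSet\Services\PerfProc\Performance'
$valueName = 'Disable Performance Counters'

# Returns $true when the counters are disabled (value present and equal to 1),
# $false when the value is absent or any other number (absent means enabled,
# which is the "not there" case SRoy reports further down the thread).
function Test-PerfCountersDisabled {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$Name -eq 1)
}

# Step 3 (the backup note): export the key to a .reg file before changing it,
# and refuse to continue if the export did not land on disk.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP "PerfProc-Performance-$stamp.reg"
& reg.exe export $regExport $backup /y | Out-Null
if (-not (Test-Path $backup)) { throw "Registry backup failed; not continuing." }
Write-Host "Backup written to $backup"

# Step 3: only touch the value if it is actually set to 1.
if (Test-PerfCountersDisabled -Path $keyPath -Name $valueName) {
    Write-Host "'$valueName' is 1; setting it to 0."
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 0 -Type DWord
} else {
    Write-Host "'$valueName' is absent or not 1; no registry change made."
}

# Step 1: rebuild the counter registry from the 64-bit and 32-bit stores,
# mirroring the two cd / lodctr /R pairs in the post.
foreach ($dir in @("$env:windir\System32", "$env:windir\SysWOW64")) {
    Write-Host "Running lodctr /R in $dir"
    Push-Location $dir
    & .\lodctr.exe /R
    Pop-Location
}

# Step 4: the rebuilt counters are picked up after a reboot.
Write-Host "Done. Reboot the machine for the rebuilt counters to take effect."
```

Run it once from an elevated prompt; as Ron says later in the thread, lodctr /R is a one-off repair, not something to schedule. If the script throws at the backup step, nothing has been changed yet, which is the point of doing the export first.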

Thanks for your help, Ron: the disk utilization has reduced somewhat. How often should I run these (lodctr) commands? The Disable Performance Counters entry in the registry was not there.

The MBAM service logs are still binary (non-text files). Kindly advise.

Any update on EMET?

Rgds, SRoy


  • Root Admin

You should not need to run the lodctr again, at least not for a long time. It's sort of a one-time fix unless it gets corrupted again.

Yes, I spoke with the Dev Team and they say that one is a special log and the information we'd normally need to see is in the mbam service log, so seems that binary data is normal and we can ignore it.

The consensus for running EMET alongside Malwarebytes is not to do it. For those with advanced computer skills who want to experiment with it, making different changes in the programs and testing may work.

Unless there is something else, we should be about done here, let me know.

Thanks

Ron

 


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

