
Malwarebytes 3 does not start automatically after ransomware attack



Replying from another machine

 

Ron

I think we are finished

I ran a scan with Rootkits ON   Self Protect OFF

scan stayed on rootkits for 1 minute without incrementing the number of items

canceled with mouse on cancel button - scan stopped but machine locked up

powered down machine

It will NOT power up at all now.   Plugged in or on Battery power

and I can't get you the dump since it was on that machine.


all right

pulling the battery worked.  was able to boot. 

verified Rootkits ON  Self Prot  OFF

started scan

spent a minute or more on Rootkits.   item number incremented 1 more than usual.

then transferred to memory objects.   Started at 1 for item number.

5 minutes later incremented to 12

Still running.   17min.   item number still at 12.

Will leave it run 1 hour and then force poweroff


MB scan memory objects had only reached 500 by 8:00am this morning

powered down machine

Booted

Ran MB scan with Rootkits OFF / self protection ON  - scan ran 8 minutes - saved MBcheck[off_on].zip

Rebooted

Ran MB scan with Rootkits OFF / self protection OFF - scan ran 8 minutes - saved MBcheck[off_off].zip

Downloaded memtest . burned ISO to CD . ran Memtest --  PASSED - NO ERRORS

attaching 082417-4007 dump

MBcheck files attached too

currently running HP diagnostics [memory test]

 

082417-44007-01.dmp

mb-check-results[off_off].zip

mb-check-results[off_on].zip


Ron

all these problems started happening after the ransomware attack on 8/3.
I did not open a problem since MB said it had blocked the attack.
Prior to the attack the MB product (3.0.0) worked correctly.

I have a backup prior to 8/3.
Would it make sense to restore the backup / update Norton / update MB and see
   if things start working correctly.

Alternatively I could just leave Rootkits OFF and run that way.
I could run rootkits from TrendMicro and see how long that takes.

ALSO

In reinstalling Norton I ran per instructions NPE (Norton Power Eraser) that indicated I should
get rid of 3 files
1. nis.ese
2. symerr.exe
3. patch.js

I can restore any of these if you think it would help.

BTW
I ran all the HP diags except disk test ... everything PASSED


AND

I can attach the ransomware logs from 8/3 if you wish  (2 logs)


well two bad things in one day

    the backup is from march 18 2017

    the ransomware logs are gone

 

but

I can restore from 8/6/2017 and get the ransomware logs - or not -  your call

I can try to update mb3.0.0 on 8/6 to MB3.2.2 and see if anything better

I can go back to March backup and try to update Norton and MB

Or just run without rootkits turned ON

 

What do you think?

 


  • Root Admin

How are you restoring these? Are you sure the backup imaging you're using works properly? If you're sure it's working well, then I would recommend creating a new one to capture how the computer is today.

Then restore the one from March 18, 2017. Even though it's old - if it was before the attack and before the trouble it would be better off to have a computer that is working properly.

Before you revert back to the restore though make sure you deactivate Malwarebytes.

Then after the restore, make sure all seems okay. That Malwarebytes can open and can run a rootkit scan without issue before doing anything else. If that goes well, then uninstall Malwarebytes, reboot, and install the latest version of Malwarebytes and see if it still works as expected and let me know.

If it works well with the new one too, then check for Norton updates too. Then scan with Norton making sure no issues. If still all good, do one more reboot and try the rootkit scan with the latest Malwarebytes again.

Then, if all still good, go to Windows Updates and make sure the computer is fully up to date on all security updates.

Let me know how things go please.

Thanks

Ron

 


thanks for the reply .... did a new -current- backup last night using Macrium

would not have thought to deactivate MB before restore ... thanks

this might take a couple days ... I am going to backup all computers (3) just in case of another ransomware attack

My wife's computer is not available to me right now.

Will keep you posted


Ron

The attempt to use the 3/18 backup has failed.
MB322 acts the same (rootkits scan locks if it is run)

Here are the steps I followed

deactivate
restore 3/18
boot
blue screen
windows update was running
boot
scan with MB 3.0.6 [level on 3/18]
locks up on rootkits
poweroff
re-boot
let windows update finish
re-boot
run MB-clean  [because of the lockup]
re-boot
install  MB 3.2.2
update MB
run scan [rootkits OFF]
find and quarantine 5 trojan.BHO.generic registry keys
run a second scan [rootkits OFF]
scan successful
turn rootkits ON
run scan
scan locks up on memory objects
poweroff
reboot
mb did not start
reboot
MB starts & says that scan has never been run
scan with rootkits OFF /  self-prot  ON
scan successful


So you can see I am right back where I started
MB 3.2.2 locks up if rootkits scan is ON
the lockup either occurs in Rootkits Scan or Memory Objects
this is the same thing that happens to laptop before 3/18 restore

updated Norton
did another backup


I think I am going to restore "current" laptop contents from 8/27
and run with rootkits OFF

I might do a full machine recovery from the laptop recovery partition
but that is going to take some prep on my part.

If you have any suggestions/ideas please respond.

and THANKS for all your help

Ray


  • Root Admin

Wow, that's not good. Since you do have a full working restore process. How about installing a demo or clean fresh install of Windows 7 with no updates, no other software, etc. aside from driver updates to make the hardware work. I know that's a lot of work and one certainly should not need to do that, but thinking it could help us verify if there is some unknown corruption, driver, or other issue going on that we're not able to find on the current builds you have. Again, don't feel obligated as I know that's a lot to ask. I eat, live, and breathe computers, but not everyone does and most of us only have so much free time to play with computers.

If you'd like to go the route of having our QA research the issue more we can do that too.

Let me know.

Thanks again

Ron

 


Ron

 

It was worth it.  MB 3.2.2 worked as expected (free version).   Norton came with the recovery, so I installed MB and it ran fine.  Rootkits and all.

I am going to run more tests after windows update finishes the sp1 install.   Then there is the 100 updates after that.  Will keep you posted.


Ron

The problem came back BUT I think I figured it out.

Norton had a problem (3093,1) which instructed me to reboot
  if that did not work remove and re-install Norton.

Rebooted.  Seemed to work and about 30 min later another
   Norton error.

Rebooted again.  Seemed to work but later another Norton error.

during this time I did not try MB.

Downloaded/installed win7 updates

Realized the next morning that the sequence of events was exactly
  what happened on 8/3

8/3     error 8505,101
9/1     error 3039,1 (3 times)
9/2     error 3035,2

on 9/2  MB locked up after doing a rootkit scan

Removed Norton

Installed Webroot Anywhere

MB worked fine.  Rootkits OK.

Continued to rebuild Win 7

Will watch this.   If finishes ok will keep Webroot.
If not ..... will probably wipe and get rid of laptop

have run about 15 scans with Webroot, both manual and scheduled
only 1 has locked up the pc

will keep testing


Ron

Testing last couple days and I found a bad USB port - which I was using.

To recover the laptop I had to unplug everything so MB worked that whole time.

When I plugged the USB (hub, keyboard, mouse, hdd) in MB started failing again.

Unplug the device and MB would work again.

Apparently this was the problem - possibly with Norton too.   Webroot seems OK.

I ordered a new hub from Amazon for safety's sake and I will be testing on Thu.

I will update you then

Ray

