BSOD in latest version of MBAM Premium.

[zounce]

For the past week since building my computer I've had random BSODs. Using OSROnline I was able to find that the cause was mbamservice.ex.

I then uninstalled the program (Clean uninstall) immediately.  I have been a MBAM user for quite a while and I often rely on the malicious website protection for various internet searches. Because of this I need this issue with BSODs to be fixed ASAP. 

 

Here is the OSROnline report

 

Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.comfor more information
Windows 8 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9600.17415.amd64fre.winblue_r4.141028-1500
Machine Name:
Kernel base = 0xfffff803`79a8e000 PsLoadedModuleList = 0xfffff803`79d67250
Debug session time: Sat Nov 22 17:12:02.384 2014 (UTC - 5:00)
System Uptime: 0 days 15:31:11.042
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: ffffe001210a4ce0, The pool entry we were looking for within the page.
Arg3: ffffe001210a4d00, The next pool entry.
Arg4: 0000000004020012, (reserved)

Debugging Details:
------------------

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

BUGCHECK_STR: 0x19_20

POOL_ADDRESS: fffff80379d54c60: Unable to get special pool info
fffff80379d54c60: Unable to get special pool info
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
ffffe001210a4ce0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: mbamservice.ex

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff80379d3305e to fffff80379bde9a0

STACK_TEXT:
ffffd000`31106108 fffff803`79d3305e : 00000000`00000019 00000000`00000020 ffffe001`210a4ce0 ffffe001`210a4d00 : nt!KeBugCheckEx
ffffd000`31106110 fffff800`281c1819 : 00000000`00000008 00000000`00000000 ffffd000`31106300 00000000`00000002 : nt!ExDeferredFreePool+0x7ee
ffffd000`31106200 fffff800`282dff0a : ffffe001`210b3840 00000000`00000001 00000000`00000000 ffffe001`1d1134c0 : tcpip!IppInspectBuildHeaders+0x5e9
ffffd000`311064f0 fffff800`2b629135 : 00000000`00000008 ffffd000`00000014 ffffe001`20f2e6f0 ffffe001`20f2e714 : fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+0x1be
ffffd000`311065a0 00000000`00000008 : ffffd000`00000014 ffffe001`20f2e6f0 ffffe001`20f2e714 ffffe001`20f2e704 : mwac+0x6135
ffffd000`311065a8 ffffd000`00000014 : ffffe001`20f2e6f0 ffffe001`20f2e714 ffffe001`20f2e704 ffffe001`00000011 : 0x8
ffffd000`311065b0 ffffe001`20f2e6f0 : ffffe001`20f2e714 ffffe001`20f2e704 ffffe001`00000011 00000000`00000000 : 0xffffd000`00000014
ffffd000`311065b8 ffffe001`20f2e714 : ffffe001`20f2e704 ffffe001`00000011 00000000`00000000 00000000`00000000 : 0xffffe001`20f2e6f0
ffffd000`311065c0 ffffe001`20f2e704 : ffffe001`00000011 00000000`00000000 00000000`00000000 ffffe001`00000000 : 0xffffe001`20f2e714
ffffd000`311065c8 ffffe001`00000011 : 00000000`00000000 00000000`00000000 ffffe001`00000000 ffffe001`00000000 : 0xffffe001`20f2e704
ffffd000`311065d0 00000000`00000000 : 00000000`00000000 ffffe001`00000000 ffffe001`00000000 00000000`00000000 : 0xffffe001`00000011


STACK_COMMAND: kb

FOLLOWUP_IP:
fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+1be
fffff800`282dff0a 85c0 test eax,eax

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+1be

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: fwpkclnt

IMAGE_NAME: fwpkclnt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 545054f3

FAILURE_BUCKET_ID: X64_0x19_20_fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+1be

BUCKET_ID: X64_0x19_20_fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+1be

Followup: MachineOwner
---------

[zounce]

Since you have asked for diagnostic logs in previous posts here are mine attached. Please help me with this.

Addition.txt

FRST.txt

CheckResults.txt

[1PW]

Hello zounce:
 
Unfortunately a run with mbam-check, while MBAM2 is not installed, yields only a limited amount of useful information.

Please perform the following steps only in Windows Normal boot mode:

• Despite already having done so, please run mbam-clean-2.1.1.1001.exe again followed by the mandatory system restart.
• Then, please download mbam-setup-2.0.3.1025.exe only from here and only to an Administrator's desktop. Please execute the MBAM installer by single right-clicking mbam-setup-2.0.3.1025.exe and left-clicking Run as administrator and install only to the system's default C:\Program Files (x86)\ directory.
• Following a successful install, please activate your license, if available, and update to the latest MBAM database followed by a Threat Scan.

If your original issue returns, then please run mbam-check while MBAM2 is still installed, and attach your report's text file in a reply to this thread.

Thank you.

[gonzo]

Doing a cursory read of your report, I spotted the words "Terminal Server".  If you're running Terminal Server, you will get this on a regular basis.  Malwarebytes cannot run on Terminal Server because of the way TS is implemented.  Severe memory leaks will occur, and you will run out of RAM.  This all goes back to whether my assumption of your environment is correct or not though.

[zounce]

Doing a cursory read of your report, I spotted the words "Terminal Server".  If you're running Terminal Server, you will get this on a regular basis.  Malwarebytes cannot run on Terminal Server because of the way TS is implemented.  Severe memory leaks will occur, and you will run out of RAM.  This all goes back to whether my assumption of your environment is correct or not though.

Okay, it came back today. What is this "Terminal Server" and how do I stop running it?

Attached is the Mbam check file

CheckResults.txt

[zounce]

Doing a cursory read of your report, I spotted the words "Terminal Server".  If you're running Terminal Server, you will get this on a regular basis.  Malwarebytes cannot run on Terminal Server because of the way TS is implemented.  Severe memory leaks will occur, and you will run out of RAM.  This all goes back to whether my assumption of your environment is correct or not though.

Doing a quick google said something about remote server so I unchecked http://puu.sh/d5YXV/3dedb700d5.png this box. Is this what you meant?

[1PW]

Hello zounce:

 

Please read your P.M.

 

Thank you.

[gonzo]

I just went through the files which were posted.  It looks like Windows 8.1 is your operating system, so references to Terminal Server appear just to be internals to the system itself.  It looks like you can ignore what I said earlier about Terminal Server.  While the information is accurate, it also does not apply to you.  Sorry to have created any confusion.

[zounce]

I just went through the files which were posted.  It looks like Windows 8.1 is your operating system, so references to Terminal Server appear just to be internals to the system itself.  It looks like you can ignore what I said earlier about Terminal Server.  While the information is accurate, it also does not apply to you.  Sorry to have created any confusion.

Okay, I've posted the mbam check, what now?

[1PW]

Hello zounce:

The logs indicate the computer might still be infected and malware removal actions are not permitted in this sub-forum.

I recommend following the advice from the topic: Available Assistance for Possibly Infected Computers and have one of the Malware Removal Experts assist you with your issue.

If, as recommended, you do open a topic in Malware Removal Help, please make reference to this thread.

If you would like to get off to a very fast start, the Malware Removal Experts would appreciate it if you would also Copy and Paste (not attach) both the FRST.txt and the Addition.txt output diagnostic reports from only Log Set 1 into your new topic.

Thank you.

[zounce]

What part shows its infected?

[zounce]

Look, if you're saying my computer is infected how come I've scanned with MBAM, Avast and Adwcleaner and deleted everything it found? I did a rescan with adwcleaner and deleted roobot64.exe, but that's it. 

[AdvancedSetup]

We're not saying the computer is infected but it does need to be further scanned and analyzed to try to determine why you're having an issue and we cannot run those scans in this section of the forum is all. Please post a new topic in the requested forum and someone will help you look at this further.

Thank you.

[zounce]

We're not saying the computer is infected but it does need to be further scanned and analyzed to try to determine why you're having an issue and we cannot run those scans in this section of the forum is all. Please post a new topic in the requested forum and someone will help you look at this further.

Thank you.

I have and haven't got a single response.

[1PW]

Hello zounce:

It's a Thanksgiving holiday in the USA where some of the Malware Removal Helpers live and they may wish to spend time with their families. The general rule is, your post may not be answered for up to 48 hours. At that time you may notify a forum Moderator. In the meantime please do not bump your post over there.

Thank you.