zounce Posted November 23, 2014 ID:911602

For the past week since building my computer I've had random BSODs. Using OSROnline I was able to find that the cause was mbamservice.ex. I then uninstalled the program (Clean uninstall) immediately. I have been a MBAM user for quite a while and I often rely on the malicious website protection for various internet searches. Because of this I need this issue with BSODs to be fixed ASAP.

Here is the OSROnline report:

Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
Windows 8 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9600.17415.amd64fre.winblue_r4.141028-1500
Machine Name:
Kernel base = 0xfffff803`79a8e000 PsLoadedModuleList = 0xfffff803`79d67250
Debug session time: Sat Nov 22 17:12:02.384 2014 (UTC - 5:00)
System Uptime: 0 days 15:31:11.042
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: ffffe001210a4ce0, The pool entry we were looking for within the page.
Arg3: ffffe001210a4d00, The next pool entry.
Arg4: 0000000004020012, (reserved)

Debugging Details:
------------------
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2
BUGCHECK_STR: 0x19_20
POOL_ADDRESS: fffff80379d54c60: Unable to get special pool info
fffff80379d54c60: Unable to get special pool info
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
ffffe001210a4ce0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: mbamservice.ex
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80379d3305e to fffff80379bde9a0
STACK_TEXT:
ffffd000`31106108 fffff803`79d3305e : 00000000`00000019 00000000`00000020 ffffe001`210a4ce0 ffffe001`210a4d00 : nt!KeBugCheckEx
ffffd000`31106110 fffff800`281c1819 : 00000000`00000008 00000000`00000000 ffffd000`31106300 00000000`00000002 : nt!ExDeferredFreePool+0x7ee
ffffd000`31106200 fffff800`282dff0a : ffffe001`210b3840 00000000`00000001 00000000`00000000 ffffe001`1d1134c0 : tcpip!IppInspectBuildHeaders+0x5e9
ffffd000`311064f0 fffff800`2b629135 : 00000000`00000008 ffffd000`00000014 ffffe001`20f2e6f0 ffffe001`20f2e714 : fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+0x1be
ffffd000`311065a0 00000000`00000008 : ffffd000`00000014 ffffe001`20f2e6f0 ffffe001`20f2e714 ffffe001`20f2e704 : mwac+0x6135
ffffd000`311065a8 ffffd000`00000014 : ffffe001`20f2e6f0 ffffe001`20f2e714 ffffe001`20f2e704 ffffe001`00000011 : 0x8
ffffd000`311065b0 ffffe001`20f2e6f0 : ffffe001`20f2e714 ffffe001`20f2e704 ffffe001`00000011 00000000`00000000 : 0xffffd000`00000014
ffffd000`311065b8 ffffe001`20f2e714 : ffffe001`20f2e704 ffffe001`00000011 00000000`00000000 00000000`00000000 : 0xffffe001`20f2e6f0
ffffd000`311065c0 ffffe001`20f2e704 : ffffe001`00000011 00000000`00000000 00000000`00000000 ffffe001`00000000 : 0xffffe001`20f2e714
ffffd000`311065c8 ffffe001`00000011 : 00000000`00000000 00000000`00000000 ffffe001`00000000 ffffe001`00000000 : 0xffffe001`20f2e704
ffffd000`311065d0 00000000`00000000 : 00000000`00000000 ffffe001`00000000 ffffe001`00000000 00000000`00000000 : 0xffffe001`00000011
STACK_COMMAND: kb
FOLLOWUP_IP:
fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+1be
fffff800`282dff0a 85c0 test eax,eax
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+1be
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: fwpkclnt
IMAGE_NAME: fwpkclnt.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 545054f3
FAILURE_BUCKET_ID: X64_0x19_20_fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+1be
BUCKET_ID: X64_0x19_20_fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+1be
Followup: MachineOwner
---------

zounce (Author) Posted November 23, 2014 ID:911604

Since you have asked for diagnostic logs in previous posts here are mine attached. Please help me with this.

Addition.txt, FRST.txt, CheckResults.txt

1PW Posted November 23, 2014 ID:911620

Hello zounce:

Unfortunately a run with mbam-check, while MBAM2 is not installed, yields only a limited amount of useful information.

Please perform the following steps only in Windows Normal boot mode:

Despite already having done so, please run mbam-clean-2.1.1.1001.exe again followed by the mandatory system restart.

Then, please download mbam-setup-2.0.3.1025.exe only from here and only to an Administrator's desktop.

Please execute the MBAM installer by single right-clicking mbam-setup-2.0.3.1025.exe and left-clicking Run as administrator and install only to the system's default C:\Program Files (x86)\ directory.

Following a successful install, please activate your license, if available, and update to the latest MBAM database followed by a Threat Scan.

If your original issue returns, then please run mbam-check while MBAM2 is still installed, and attach your report's text file in a reply to this thread.

Thank you.

gonzo Posted November 23, 2014 ID:911633

Doing a cursory read of your report, I spotted the words "Terminal Server". If you're running Terminal Server, you will get this on a regular basis. Malwarebytes cannot run on Terminal Server because of the way TS is implemented. Severe memory leaks will occur, and you will run out of RAM. This all goes back to whether my assumption of your environment is correct or not though.

zounce (Author) Posted November 26, 2014 ID:912745

> Doing a cursory read of your report, I spotted the words "Terminal Server". If you're running Terminal Server, you will get this on a regular basis. Malwarebytes cannot run on Terminal Server because of the way TS is implemented. Severe memory leaks will occur, and you will run out of RAM. This all goes back to whether my assumption of your environment is correct or not though.

Okay, it came back today. What is this "Terminal Server" and how do I stop running it?

Attached is the Mbam check file.

CheckResults.txt

zounce (Author) Posted November 26, 2014 ID:912746

> Doing a cursory read of your report, I spotted the words "Terminal Server". If you're running Terminal Server, you will get this on a regular basis. Malwarebytes cannot run on Terminal Server because of the way TS is implemented. Severe memory leaks will occur, and you will run out of RAM. This all goes back to whether my assumption of your environment is correct or not though.

Doing a quick google said something about remote server so I unchecked http://puu.sh/d5YXV/3dedb700d5.png this box. Is this what you meant?

1PW Posted November 26, 2014 ID:912839

Hello zounce:

Please read your P.M.

Thank you.

gonzo Posted November 26, 2014 ID:912930

I just went through the files which were posted. It looks like Windows 8.1 is your operating system, so references to Terminal Server appear just to be internals to the system itself. It looks like you can ignore what I said earlier about Terminal Server. While the information is accurate, it also does not apply to you. Sorry to have created any confusion.

zounce (Author) Posted November 26, 2014 ID:912951

> I just went through the files which were posted. It looks like Windows 8.1 is your operating system, so references to Terminal Server appear just to be internals to the system itself. It looks like you can ignore what I said earlier about Terminal Server. While the information is accurate, it also does not apply to you. Sorry to have created any confusion.

Okay, I've posted the mbam check, what now?

1PW Posted November 26, 2014 ID:912962

Hello zounce:

The logs indicate the computer might still be infected and malware removal actions are not permitted in this sub-forum. I recommend following the advice from the topic: Available Assistance for Possibly Infected Computers and have one of the Malware Removal Experts assist you with your issue.

If, as recommended, you do open a topic in Malware Removal Help, please make reference to this thread. If you would like to get off to a very fast start, the Malware Removal Experts would appreciate it if you would also Copy and Paste (not attach) both the FRST.txt and the Addition.txt output diagnostic reports from only Log Set 1 into your new topic.

Thank you.

zounce (Author) Posted November 26, 2014 ID:912970

What part shows it's infected?

zounce (Author) Posted November 27, 2014 ID:913126

Look, if you're saying my computer is infected how come I've scanned with MBAM, Avast and Adwcleaner and deleted everything it found? I did a rescan with adwcleaner and deleted roobot64.exe, but that's it.

AdvancedSetup (Root Admin) Posted November 27, 2014 ID:913334

We're not saying the computer is infected but it does need to be further scanned and analyzed to try to determine why you're having an issue and we cannot run those scans in this section of the forum is all. Please post a new topic in the requested forum and someone will help you look at this further.

Thank you.

zounce (Author) Posted November 28, 2014 ID:913405

> We're not saying the computer is infected but it does need to be further scanned and analyzed to try to determine why you're having an issue and we cannot run those scans in this section of the forum is all. Please post a new topic in the requested forum and someone will help you look at this further.
> Thank you.

I have and haven't got a single response.

1PW Posted November 28, 2014 ID:913407

Hello zounce:

It's a Thanksgiving holiday in the USA where some of the Malware Removal Helpers live and they may wish to spend time with their families. The general rule is, your post may not be answered for up to 48 hours. At that time you may notify a forum Moderator. In the meantime please do not bump your post over there.

Thank you.