Jump to content


  • Content Count

  • Joined

Posts posted by denial

  1. Cannot edit post?


    Actually after computer reboot C:\Program Files\Malwarebytes\Anti-Ransomware\MBAMService.exe and its subprocess "C:\Program Files\Malwarebytes\Anti-Ransomware\mbarw.exe" --starttray are both running stable ... until i don't try to open the GUI - when it crashes.


    MBAE also running and not crashing (also GUI opens ok).


  2. Hello,

    maybe there is something wrong with the OS itself, as the MB support tool also crashes.

    Faulting application name: mb-support.exe, version:, time stamp: 0x5e863d65
    Faulting module name: d3d9.dll, version: 10.0.17763.1075, time stamp: 0x3cad74b1
    Exception code: 0xc0000005
    Fault offset: 0x00091691
    Faulting process id: 0x165c
    Faulting application start time: 0x01d61a6a6cd6363a
    Faulting application path: C:\Users\banik\AppData\Local\Temp\mwb786A.tmp\mb-support.exe
    Faulting module path: C:\WINDOWS\SYSTEM32\d3d9.dll
    Report Id: 8e28d439-240d-4d60-af94-431043dc48d6
    Faulting package full name:
    Faulting package-relative application ID:

    I was able to collect some dumps and logs manually:


    Yes, it seems it crashes everytime it is started, either after reboot automatically or later manually ...

    Other apps like chrome, firefox, vlc, totalcmd, etc. are running well so far.

    Thank you.



  3. Hello,

    after "automatic" update from notification to this latest beta from previous and computer reboot the program does not start anymore.


    Fault bucket 1530011795799486509, type 1
    Event Name: APPCRASH
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: mbarw.exe
    P3: 5e485513
    P4: StackHash_4c4a
    P6: 00000000
    P7: c00001a5
    P8: PCH_05_FROM_ntdll+0x00070C3C

    Attached files:

    These files may be available here:

    Analysis symbol:
    Rechecking for solution: 0
    Report Id: a6112db8-0ad0-48e7-b966-fd8a4c687c7a
    Report Status: 268435456
    Hashed bucket: b3986408abf007d6553bb19f36c9302d
    Cab Guid: 0


    Faulting application name: mbarw.exe, version:, time stamp: 0x5e485513
    Faulting module name: d3d9.dll, version: 10.0.17763.1075, time stamp: 0x3cad74b1
    Exception code: 0xc0000005
    Fault offset: 0x00091691
    Faulting process id: 0x21d8
    Faulting application start time: 0x01d61a4685e5e085
    Faulting application path: C:\Program Files\Malwarebytes\Anti-Ransomware\mbarw.exe
    Faulting module path: C:\WINDOWS\SYSTEM32\d3d9.dll
    Report Id: 46eae816-2bc9-469d-9b09-b8a809d9f0af
    Faulting package full name:
    Faulting package-relative application ID:



    Fault bucket 2202658184339786967, type 5
    Event Name: BEX
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: mbarw.exe
    P3: 5e485513
    P4: d3d9.dll
    P5: 10.0.17763.1075
    P6: 3cad74b1
    P7: 00091691
    P8: c0000409
    P9: 00000015

    Attached files:

    These files may be available here:

    Analysis symbol:
    Rechecking for solution: 0
    Report Id: e29ff6e2-875e-4ad1-8679-8c4b9078dc92
    Report Status: 268435456
    Hashed bucket: d5b39c7d921010ef3e9169f2cf2e0cd7
    Cab Guid: 0




    Could you please advise


  4. Hello,

    i started today my old thinkpad after few months of not using it;  running Windows 7 SP1 and updated it to latest MS cumulative patch KB4493472

    I'm running AE & AM - 1.1.196 beta on Veracrypt 1.23-hotfix2 full disk encrypted boot partition.

    I noticed during disk intensive operations (e.g. Passmark Performace Test - particularly Disk Mark) the computer hangs. Not whole at once, but first the HDD LED goes off and apps start to hang one by one. It looks like apps which need disk access hang (e.g. web browser) and simple app like calculator continues to work. At the end i need to power off the laptop. In the windows system eventlog there is absolutely no related event saved. The SSD shows no hw errors.

    If i disable the anti-ransomware the hang situation does not seem to happen and before the months i was using the computer regularly it did not happen as well (with AR enabled).

    As the AM version is same, maybe it might be related to some recent windows patch

    I have no Sophos nor Avast nor any other antivirus installed (re known issues with this KB4493472: Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update. )

    I do not experience such issues on my other laptop running Windows 10 1803.

    Anyone with similar problem or some advice how to solve this issue?

    Maybe this MS patch affects Malwarebytes in a similar way like Sophos?



  5. Hello,


    i believe my issue is same - related to this:




    Torbutton: Unexpected error on new identity: [Exception... "Component returned failure code: 0x80520015 (NS_ERROR_FILE_ACCESS_DENIED) [nsIPrefService.savePrefFile]" nsresult: "0x80520015 (NS_ERROR_FILE_ACCESS_DENIED)" location: "JS frame :: chrome://torbutton/content/torbutton.js :: torbutton_do_new_identity :: line 1202" data: no]

    when i try to create a New Identity.
    However i found out, that also no settings are saved.

    I'm using Windows 7 SP1 64-bit, latest patches, and latest TorBrowser 7.0.11

    I deleted whole torbrowser folder and downloaded fresh installation file and installed it and same issue.
    I downloaded zipped torbrowser from another computer where it works and on my computer - same issue.

    I ran procmon and i think this is the related error:

    13:18:42,3674148 firefox.exe 6840 SetRenameInformationFile C:\Run\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js ACCESS DENIED ReplaceIfExists: True, FileName: C:\Run\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

    This is from a working computer:

    1:22:11.4822217 PM firefox.exe 3404 SetRenameInformationFile C:\Run\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js SUCCESS ReplaceIfExists: True, FileName: C:\Run\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

    Please note:
    i have no antivirus, i'm logged in/running all apps as administrator, the folder is writable, the disk is not full.


    I have just found out that when i disable malwarebytes antiransomware ... then it is working.


  6. Hello,


    so i was able to replicate it using ARB

    the arwlogs zip is large to be attached to this message, so it is here https://mega.nz/#!GdERXKYK!spNZeGl0IM_ne5G83gTdRRxTybDH8Jop-5ihV9U0U9w

    and the full memory dump is here https://mega.nz/#!fYFlmIDB!_52fkXh1Ul8H2MZlSCzo8nOQsxInO_vXuw_jJFqsufw

    i have installed also anti exploit but i disabled it before the crash.






    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *

    Use !analyze -v to get detailed debugging information.

    BugCheck 7E, {ffffffffc0000005, fffff880014c70b2, fffff8800964f858, fffff8800964f0c0}

    Probably caused by : fltmgr.sys ( fltmgr!FltpCompleteCompletionNode+32 )

    Followup:     MachineOwner

    2: kd> !analyze -v
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *

    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Arg1: ffffffffc0000005, The exception code that was not handled
    Arg2: fffff880014c70b2, The address that the exception occurred at
    Arg3: fffff8800964f858, Exception Record Address
    Arg4: fffff8800964f0c0, Context Record Address

    Debugging Details:



    BUILD_VERSION_STRING:  7601.23915.amd64fre.win7sp1_ldr.170913-0600

    DUMP_TYPE:  0

    BUGCHECK_P1: ffffffffc0000005

    BUGCHECK_P2: fffff880014c70b2

    BUGCHECK_P3: fffff8800964f858

    BUGCHECK_P4: fffff8800964f0c0

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    fffff880`014c70b2 488b4810        mov     rcx,qword ptr [rax+10h]

    EXCEPTION_RECORD:  fffff8800964f858 -- (.exr 0xfffff8800964f858)
    ExceptionAddress: fffff880014c70b2 (fltmgr!FltpCompleteCompletionNode+0x0000000000000032)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000000
       Parameter[1]: 0000000000000010
    Attempt to read from address 0000000000000010

    CONTEXT:  fffff8800964f0c0 -- (.cxr 0xfffff8800964f0c0)
    rax=0000000000000000 rbx=fffffa8006703430 rcx=fffffa8006703430
    rdx=0000000000000001 rsi=fffffa800679fc10 rdi=fffffa80067035e8
    rip=fffff880014c70b2 rsp=fffff8800964fa90 rbp=fffffa80067034e0
     r8=fffffa80067034e0  r9=0000000000000000 r10=0000000000000000
    r11=fffffa80067035c8 r12=fffffa800b1db100 r13=0000000000000001
    r14=fffff8800964fba8 r15=0000000000000001
    iopl=0         nv up ei pl zr na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    fffff880`014c70b2 488b4810        mov     rcx,qword ptr [rax+10h] ds:002b:00000000`00000010=????????????????
    Resetting default scope

    PROCESS_NAME:  System


    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_CODE_STR:  c0000005

    EXCEPTION_PARAMETER1:  0000000000000000

    EXCEPTION_PARAMETER2:  0000000000000010

    READ_ADDRESS:  0000000000000010 

    fffff880`014c70b2 488b4810        mov     rcx,qword ptr [rax+10h]




    ANALYSIS_SESSION_TIME:  10-31-2017 22:57:13.0913

    ANALYSIS_VERSION: 10.0.10586.567 amd64fre

    LAST_CONTROL_TRANSFER:  from fffff880014cb8ab to fffff880014c70b2

    fffff880`0964fa90 fffff880`014cb8ab : fffffa80`06703430 fffffa80`067034e0 fffffa80`0679fc10 fffffa80`06703500 : fltmgr!FltpCompleteCompletionNode+0x32
    fffff880`0964fac0 fffff880`014f473d : fffffa80`067035e8 fffffa80`0bb48c10 fffff880`0d3b7640 fffffa80`06703430 : fltmgr!FltCompletePendedPostOperation+0xbb
    fffff880`0964fb10 fffff800`02ec6085 : fffff880`014f4680 fffff800`030642a0 fffffa80`0b04da00 fffffa80`06703430 : fltmgr!FltpSafeCompletionWorker+0xbd
    fffff880`0964fb70 fffff800`03156622 : 00000000`019ca1cc fffffa80`0b04da00 00000000`00000080 fffffa80`06133970 : nt!ExpWorkerThread+0x111
    fffff880`0964fc00 fffff800`02eadda6 : fffff880`009e5180 fffffa80`0b04da00 fffff880`009f00c0 fffffa80`060f7d50 : nt!PspSystemThreadStartup+0x5a
    fffff880`0964fc40 00000000`00000000 : fffff880`09650000 fffff880`0964a000 fffff880`0964f8a0 00000000`00000000 : nt!KiStartSystemThread+0x16

    THREAD_SHA1_HASH_MOD_FUNC:  f95e70e95128b606f690588d868d0f822c4ff374

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  2360c3d87223f87de6772785076c6656096377ec

    THREAD_SHA1_HASH_MOD:  e06a8e1d654fec570c2ad25485278673f5e4f7b8

    FAULT_INSTR_CODE:  10488b48


    SYMBOL_NAME:  fltmgr!FltpCompleteCompletionNode+32

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: fltmgr

    IMAGE_NAME:  fltmgr.sys


    STACK_COMMAND:  .cxr 0xfffff8800964f0c0 ; kb

    FAILURE_BUCKET_ID:  X64_0x7E_fltmgr!FltpCompleteCompletionNode+32

    BUCKET_ID:  X64_0x7E_fltmgr!FltpCompleteCompletionNode+32

    PRIMARY_PROBLEM_CLASS:  X64_0x7E_fltmgr!FltpCompleteCompletionNode+32

    TARGET_TIME:  2017-10-31T21:55:50.000Z

    OSBUILD:  7601




    SUITE_MASK:  272



    OSNAME:  Windows 7

    OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS


    USER_LCID:  0

    OSBUILD_TIMESTAMP:  2017-09-13 16:55:13

    BUILDDATESTAMP_STR:  170913-0600

    BUILDLAB_STR:  win7sp1_ldr

    BUILDOSVER_STR:  6.1.7601.23915.amd64fre.win7sp1_ldr.170913-0600



    FAILURE_ID_HASH_STRING:  km:x64_0x7e_fltmgr!fltpcompletecompletionnode+32

    FAILURE_ID_HASH:  {24880b1e-7557-860c-a16f-2fd44f3a308e}

    Followup:     MachineOwner

    2: kd> lmvm fltmgr
    Browse full module list
    start             end                 module name
    fffff880`014bb000 fffff880`01507000   fltmgr     (pdb symbols)          C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\fltMgr.pdb\A008BBBF87CC421FA0E568076A16F4BA2\fltMgr.pdb
        Loaded symbol image file: fltmgr.sys
        Image path: \SystemRoot\system32\drivers\fltmgr.sys
        Image name: fltmgr.sys
        Browse all global symbols  functions  data
        Timestamp:        Sat Nov 20 10:19:24 2010 (4CE7929C)
        CheckSum:         0005452D
        ImageSize:        0004C000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4


  7. Hello,


    today i noticed issue with anti ramsomware beta 797 and 807 - when i start Call of Duty Modern Warfare 3 - Multiplayer, i got always bluescreeen 7E, unless ARW is stopped or uninstalled.

    i was using both many months without any issue.

    could you please advise on this? i have now uninstalled it and the game works well.






  8. that means if i run normal chrome ("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe") and chrome portable ("c:\portable\chrome\GoogleChromePortable.exe") at the same time


    [where the GoogleChromePortable.exe is not in the list of Shields]

    [the child processes of chrome portable are still named chrome.exe - no matter of the name of the parent process]


    and the "Shielded applications" counter shows 1, it means BOTH are protected?

    ^i think the are NOT, or?





    or do i need to rename the latter to something like firefoxportable.exe to see 2 shielded applications ?



  9. Hello,


    i'm using various browsers with MBAE


    i have now running chrome, waterfox and tor browser and MBAE shows 4 shielded applications.


    when i start additionaly chrome portable via GoogleChromePortable.exe or Portable_Cr64.exe (based on different chrome version), the number of shielded applications in MBAE is still shown 4.


    i tried to rename the chrome portable executable file to opera.exe or chrome.exe, but still no change in number of shielded applications.


    with this behaviour, are both chrome browsers (normal & portable) protected at the same time or NOT ?







    aha, when i renamed chrome portable executable to firefoxportable.exe and started it, MBAE now shows 5 shielded applications !

Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.