Posts posted by denial

  1. Cannot edit post?

     

    Actually, after a computer reboot, C:\Program Files\Malwarebytes\Anti-Ransomware\MBAMService.exe and its subprocess "C:\Program Files\Malwarebytes\Anti-Ransomware\mbarw.exe" --starttray are both running stable ... until I try to open the GUI, when it crashes.

     

    MBAE also running and not crashing (also GUI opens ok).

     

  2. Hello,

    maybe there is something wrong with the OS itself, as the MB support tool also crashes.

    Faulting application name: mb-support.exe, version: 1.6.0.774, time stamp: 0x5e863d65
    Faulting module name: d3d9.dll, version: 10.0.17763.1075, time stamp: 0x3cad74b1
    Exception code: 0xc0000005
    Fault offset: 0x00091691
    Faulting process id: 0x165c
    Faulting application start time: 0x01d61a6a6cd6363a
    Faulting application path: C:\Users\banik\AppData\Local\Temp\mwb786A.tmp\mb-support.exe
    Faulting module path: C:\WINDOWS\SYSTEM32\d3d9.dll
    Report Id: 8e28d439-240d-4d60-af94-431043dc48d6
    Faulting package full name:
    Faulting package-relative application ID:

    I was able to collect some dumps and logs manually:

    https://ulozto.net/file/fV0r3B12xFL1/mbarw-exe-1060-zip

    Yes, it seems it crashes every time it is started, either automatically after reboot or later manually ...

    Other apps like chrome, firefox, vlc, totalcmd, etc. are running well so far.

    Thank you.

     

     

  3. Hello,

    After an "automatic" update from the notification to this latest beta from the previous one, and a computer reboot, the program does not start anymore.

     

    Fault bucket 1530011795799486509, type 1
    Event Name: APPCRASH
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: mbarw.exe
    P2: 3.0.0.21
    P3: 5e485513
    P4: StackHash_4c4a
    P5: 0.0.0.0
    P6: 00000000
    P7: c00001a5
    P8: PCH_05_FROM_ntdll+0x00070C3C
    P9:
    P10:

    Attached files:
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D35.tmp.dmp
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D94.tmp.WERInternalMetadata.xml
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DB4.tmp.xml
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DC4.tmp.csv
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WER3EDE.tmp.txt

    These files may be available here:
    \\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_mbarw.exe_d13a6142a5d7e1e82a9045b54dc162ded346cedc_97bbd66f_23234340

    Analysis symbol:
    Rechecking for solution: 0
    Report Id: a6112db8-0ad0-48e7-b966-fd8a4c687c7a
    Report Status: 268435456
    Hashed bucket: b3986408abf007d6553bb19f36c9302d
    Cab Guid: 0

     

    Faulting application name: mbarw.exe, version: 3.0.0.21, time stamp: 0x5e485513
    Faulting module name: d3d9.dll, version: 10.0.17763.1075, time stamp: 0x3cad74b1
    Exception code: 0xc0000005
    Fault offset: 0x00091691
    Faulting process id: 0x21d8
    Faulting application start time: 0x01d61a4685e5e085
    Faulting application path: C:\Program Files\Malwarebytes\Anti-Ransomware\mbarw.exe
    Faulting module path: C:\WINDOWS\SYSTEM32\d3d9.dll
    Report Id: 46eae816-2bc9-469d-9b09-b8a809d9f0af
    Faulting package full name:
    Faulting package-relative application ID:

     

     

    Fault bucket 2202658184339786967, type 5
    Event Name: BEX
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: mbarw.exe
    P2: 3.0.0.21
    P3: 5e485513
    P4: d3d9.dll
    P5: 10.0.17763.1075
    P6: 3cad74b1
    P7: 00091691
    P8: c0000409
    P9: 00000015
    P10:

    Attached files:
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7E1.tmp.WERInternalMetadata.xml

    These files may be available here:
    \\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_mbarw.exe_a855478e2c57cda3ac417d527181e1a21b53fa9_97bbd66f_073adb3c

    Analysis symbol:
    Rechecking for solution: 0
    Report Id: e29ff6e2-875e-4ad1-8679-8c4b9078dc92
    Report Status: 268435456
    Hashed bucket: d5b39c7d921010ef3e9169f2cf2e0cd7
    Cab Guid: 0

     

     

     

    Could you please advise?

     

  4. Hello,

    Today I started my old ThinkPad after a few months of not using it; it is running Windows 7 SP1 and I updated it to the latest MS cumulative patch KB4493472.

    I'm running AE 1.12.1.147 & AM 0.9.18.807 - 1.1.196 beta on Veracrypt 1.23-hotfix2 full disk encrypted boot partition.

    I noticed that during disk-intensive operations (e.g. Passmark Performance Test, particularly Disk Mark) the computer hangs. Not all at once, but first the HDD LED goes off and apps start to hang one by one. It looks like apps which need disk access hang (e.g. web browser) and simple apps like the calculator continue to work. At the end I need to power off the laptop. In the Windows system event log there is absolutely no related event saved. The SSD shows no hardware errors.

    If I disable the anti-ransomware, the hang situation does not seem to happen, and months ago, when I was using the computer regularly, it did not happen either (with AR enabled).

    As the AM version is the same, maybe it might be related to some recent Windows patch.

    I have no Sophos nor Avast nor any other antivirus installed (re known issues with this KB4493472: Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.)

    I do not experience such issues on my other laptop running Windows 10 1803.

    Anyone with similar problem or some advice how to solve this issue?

    Maybe this MS patch affects Malwarebytes in a similar way like Sophos?

    Thanks.

     

  5. Hello,

     

    I believe my issue is the same, related to this:

     

    https://trac.torproject.org/projects/tor/ticket/24709

     

    Torbutton: Unexpected error on new identity: [Exception... "Component returned failure code: 0x80520015 (NS_ERROR_FILE_ACCESS_DENIED) [nsIPrefService.savePrefFile]" nsresult: "0x80520015 (NS_ERROR_FILE_ACCESS_DENIED)" location: "JS frame :: chrome://torbutton/content/torbutton.js :: torbutton_do_new_identity :: line 1202" data: no]

    when I try to create a New Identity.
    However, I found out that no settings are saved either.

    I'm using Windows 7 SP1 64-bit, latest patches, and the latest TorBrowser 7.0.11.

    I deleted the whole TorBrowser folder, downloaded a fresh installation file and installed it: same issue.
    I copied a zipped TorBrowser from another computer where it works to my computer: same issue.

    I ran procmon and I think this is the related error:

    13:18:42,3674148 firefox.exe 6840 SetRenameInformationFile C:\Run\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js ACCESS DENIED ReplaceIfExists: True, FileName: C:\Run\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

    This is from a working computer:

    1:22:11.4822217 PM firefox.exe 3404 SetRenameInformationFile C:\Run\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js SUCCESS ReplaceIfExists: True, FileName: C:\Run\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

    Please note:
    I have no antivirus, I'm logged in and running all apps as administrator, the folder is writable, the disk is not full.

    Thanks.

    EDIT:
    I have just found out that when I disable Malwarebytes Anti-Ransomware 0.9.18.807-1.1.129 ... then it is working.

     

  6. Hello,

     

    So I was able to replicate it using ARB 0.9.18.807-1.1.117.

    The arwlogs zip is too large to be attached to this message, so it is here: https://mega.nz/#!GdERXKYK!spNZeGl0IM_ne5G83gTdRRxTybDH8Jop-5ihV9U0U9w

    and the full memory dump is here: https://mega.nz/#!fYFlmIDB!_52fkXh1Ul8H2MZlSCzo8nOQsxInO_vXuw_jJFqsufw

    I have also installed Anti-Exploit 1.10.1.41, but I disabled it before the crash.

     

    Thanks

     

    --

     

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 7E, {ffffffffc0000005, fffff880014c70b2, fffff8800964f858, fffff8800964f0c0}

    Probably caused by : fltmgr.sys ( fltmgr!FltpCompleteCompletionNode+32 )

    Followup:     MachineOwner
    ---------

    2: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: ffffffffc0000005, The exception code that was not handled
    Arg2: fffff880014c70b2, The address that the exception occurred at
    Arg3: fffff8800964f858, Exception Record Address
    Arg4: fffff8800964f0c0, Context Record Address

    Debugging Details:
    ------------------


    DUMP_CLASS: 1

    DUMP_QUALIFIER: 402

    BUILD_VERSION_STRING:  7601.23915.amd64fre.win7sp1_ldr.170913-0600

    DUMP_TYPE:  0

    BUGCHECK_P1: ffffffffc0000005

    BUGCHECK_P2: fffff880014c70b2

    BUGCHECK_P3: fffff8800964f858

    BUGCHECK_P4: fffff8800964f0c0

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    FAULTING_IP: 
    fltmgr!FltpCompleteCompletionNode+32
    fffff880`014c70b2 488b4810        mov     rcx,qword ptr [rax+10h]

    EXCEPTION_RECORD:  fffff8800964f858 -- (.exr 0xfffff8800964f858)
    ExceptionAddress: fffff880014c70b2 (fltmgr!FltpCompleteCompletionNode+0x0000000000000032)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000000
       Parameter[1]: 0000000000000010
    Attempt to read from address 0000000000000010

    CONTEXT:  fffff8800964f0c0 -- (.cxr 0xfffff8800964f0c0)
    rax=0000000000000000 rbx=fffffa8006703430 rcx=fffffa8006703430
    rdx=0000000000000001 rsi=fffffa800679fc10 rdi=fffffa80067035e8
    rip=fffff880014c70b2 rsp=fffff8800964fa90 rbp=fffffa80067034e0
     r8=fffffa80067034e0  r9=0000000000000000 r10=0000000000000000
    r11=fffffa80067035c8 r12=fffffa800b1db100 r13=0000000000000001
    r14=fffff8800964fba8 r15=0000000000000001
    iopl=0         nv up ei pl zr na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    fltmgr!FltpCompleteCompletionNode+0x32:
    fffff880`014c70b2 488b4810        mov     rcx,qword ptr [rax+10h] ds:002b:00000000`00000010=????????????????
    Resetting default scope

    PROCESS_NAME:  System

    CURRENT_IRQL:  0

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_CODE_STR:  c0000005

    EXCEPTION_PARAMETER1:  0000000000000000

    EXCEPTION_PARAMETER2:  0000000000000010

    READ_ADDRESS:  0000000000000010 

    FOLLOWUP_IP: 
    fltmgr!FltpCompleteCompletionNode+32
    fffff880`014c70b2 488b4810        mov     rcx,qword ptr [rax+10h]

    BUGCHECK_STR:  0x7E

    DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

    ANALYSIS_SESSION_HOST:  PAD

    ANALYSIS_SESSION_TIME:  10-31-2017 22:57:13.0913

    ANALYSIS_VERSION: 10.0.10586.567 amd64fre

    LAST_CONTROL_TRANSFER:  from fffff880014cb8ab to fffff880014c70b2

    STACK_TEXT:  
    fffff880`0964fa90 fffff880`014cb8ab : fffffa80`06703430 fffffa80`067034e0 fffffa80`0679fc10 fffffa80`06703500 : fltmgr!FltpCompleteCompletionNode+0x32
    fffff880`0964fac0 fffff880`014f473d : fffffa80`067035e8 fffffa80`0bb48c10 fffff880`0d3b7640 fffffa80`06703430 : fltmgr!FltCompletePendedPostOperation+0xbb
    fffff880`0964fb10 fffff800`02ec6085 : fffff880`014f4680 fffff800`030642a0 fffffa80`0b04da00 fffffa80`06703430 : fltmgr!FltpSafeCompletionWorker+0xbd
    fffff880`0964fb70 fffff800`03156622 : 00000000`019ca1cc fffffa80`0b04da00 00000000`00000080 fffffa80`06133970 : nt!ExpWorkerThread+0x111
    fffff880`0964fc00 fffff800`02eadda6 : fffff880`009e5180 fffffa80`0b04da00 fffff880`009f00c0 fffffa80`060f7d50 : nt!PspSystemThreadStartup+0x5a
    fffff880`0964fc40 00000000`00000000 : fffff880`09650000 fffff880`0964a000 fffff880`0964f8a0 00000000`00000000 : nt!KiStartSystemThread+0x16


    THREAD_SHA1_HASH_MOD_FUNC:  f95e70e95128b606f690588d868d0f822c4ff374

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  2360c3d87223f87de6772785076c6656096377ec

    THREAD_SHA1_HASH_MOD:  e06a8e1d654fec570c2ad25485278673f5e4f7b8

    FAULT_INSTR_CODE:  10488b48

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  fltmgr!FltpCompleteCompletionNode+32

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: fltmgr

    IMAGE_NAME:  fltmgr.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7929c

    STACK_COMMAND:  .cxr 0xfffff8800964f0c0 ; kb

    FAILURE_BUCKET_ID:  X64_0x7E_fltmgr!FltpCompleteCompletionNode+32

    BUCKET_ID:  X64_0x7E_fltmgr!FltpCompleteCompletionNode+32

    PRIMARY_PROBLEM_CLASS:  X64_0x7E_fltmgr!FltpCompleteCompletionNode+32

    TARGET_TIME:  2017-10-31T21:55:50.000Z

    OSBUILD:  7601

    OSSERVICEPACK:  1000

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK:  272

    PRODUCT_TYPE:  1

    OSPLATFORM_TYPE:  x64

    OSNAME:  Windows 7

    OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

    OS_LOCALE:  

    USER_LCID:  0

    OSBUILD_TIMESTAMP:  2017-09-13 16:55:13

    BUILDDATESTAMP_STR:  170913-0600

    BUILDLAB_STR:  win7sp1_ldr

    BUILDOSVER_STR:  6.1.7601.23915.amd64fre.win7sp1_ldr.170913-0600

    ANALYSIS_SESSION_ELAPSED_TIME: 4ef

    ANALYSIS_SOURCE:  KM

    FAILURE_ID_HASH_STRING:  km:x64_0x7e_fltmgr!fltpcompletecompletionnode+32

    FAILURE_ID_HASH:  {24880b1e-7557-860c-a16f-2fd44f3a308e}

    Followup:     MachineOwner
    ---------

    2: kd> lmvm fltmgr
    Browse full module list
    start             end                 module name
    fffff880`014bb000 fffff880`01507000   fltmgr     (pdb symbols)          C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\sym\fltMgr.pdb\A008BBBF87CC421FA0E568076A16F4BA2\fltMgr.pdb
        Loaded symbol image file: fltmgr.sys
        Image path: \SystemRoot\system32\drivers\fltmgr.sys
        Image name: fltmgr.sys
        Browse all global symbols  functions  data
        Timestamp:        Sat Nov 20 10:19:24 2010 (4CE7929C)
        CheckSum:         0005452D
        ImageSize:        0004C000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

     

  7. Hello,

     

    Today I noticed an issue with Anti-Ransomware beta 797 and 807: when I start Call of Duty Modern Warfare 3 - Multiplayer, I always get a bluescreen 7E, unless ARW is stopped or uninstalled.

    I was using both for many months without any issue.

    Could you please advise on this? I have now uninstalled it and the game works well.

    Thanks

     


     

    103117-35895-01.dmp
