MEROWE360

OK, GT500, it is a real headache ! I did what you said and it did not find anything after it restarts and checks. Then I have still the pop up : "DDA failed to read code error 2" and Debugview did not work this time. I don't know more what to think ! Thanks for your help !

Hallo GT500, I did what you said and here's the log but when it poped up (this time, it was "DDA failed to read : error code : 2") I did not click OK inside the pop up. Should I ? I only waited for 2-3 minutes and saved the log. I add OA is my firewall, Online Armor, it seems to deny a lot! But all the lines mbam, in "Programms"(of OA) : mbam.exe, mbamgui.exe and mbam.sys are "allowed". 00000000 0.00000000 OADriver.sys: CmdLine(PID = 1444, /S /C {E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} /I {10DF43C8-1DBE-11D3-8B34-006097DF5BD4} /X 0x401) 00000001 1.86237442 Ping: 2 00000002 2.59609723 OADriver.sys: CmdLine(PID = 3428, "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /developer) 00000003 2.82485867 OADriver.sys: OpenProcess - ACCESS_DENIED, 2644 -> 628 (watched) 00000004 2.83504200 OADriver.sys: OpenProcess - ACCESS_DENIED, 2644 -> 3428 (watched) 00000005 3.86504960 OADriver.sys: OpenProcess - ACCESS_DENIED, 2644 -> 628 (watched) 00000006 3.94519329 OADriver.sys: OpenProcess - ACCESS_DENIED, 2644 -> 3428 (watched) 00000007 12.81229305 OADriver.sys: OpenProcess - ACCESS_DENIED, 2644 -> 628 (watched) 00000008 12.82769966 OADriver.sys: OpenProcess - ACCESS_DENIED, 2644 -> 3428 (watched) 00000009 21.80319786 OADriver.sys: OpenProcess - ACCESS_DENIED, 2644 -> 628 (watched) 00000010 21.80364037 OADriver.sys: OpenProcess - ACCESS_DENIED, 2644 -> 3428 (watched) 00000011 23.50392723 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000012 23.50394440 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000013 23.50395203 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000014 23.50396156 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000015 23.50397110 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000016 23.50398445 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000017 23.50399208 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000018 23.50400162 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000019 23.50401115 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000020 23.50401878 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000021 23.50403023 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000022 23.50403976 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000023 23.50405121 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000024 23.50406265 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000025 23.50407600 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000026 23.50408745 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000027 23.50409508 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000028 23.50410461 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000029 23.50411415 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000030 23.50412560 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000031 23.50413322 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000032 23.50414276 MBAMSwissArmy!GetFATDirectoryEntryByName: Data corruption in cluster 2, status 0xc0000001 00000033 23.50769615 MBAMSwissArmy!EnumerateFATDirectory: OpenFATClusterByName( "C:\WINDOWS\system32" ) failed with status 0xc0000034 00000034 23.50770760 MBAMSwissArmy!HandleIoctlEnumerate: EnumerateDirectory( "C:\WINDOWS\system32" ) failed on query operation with status 0xc0000034 00000035 68.51792908 RegisterUserApp() PID: 604, hEvent: 280 00000036 92.07218933 Ping: 2 00000037 158.64753723 RegisterUserApp() PID: 604, hEvent: 280 00000038 181.75108337 Ping: 2 Thanks to you, GT500.

Thanks for your help, GT500 and noknojon. I followed your instructions, noknojon, step by step and I also disabled my real-time protection (AV,...) GT500, but when I tried to use MBAM in the Developer Mode, the same message poped up : "DDA failed to read, error code 2" ! Then I did it again (un/re-install) but I also used Regseeker>>search>>malwarebytes and delete what it found (Regseeker works fine with XP). Now when I use MBAM in the D.M. it pop up : "SwissArmy failed to initialize, error code:0" but it does not show up when I run a regular scan. mbamswissarmy.sys is in its place next to mbam.sys in C:\Windows\system32\drivers\ I also made sfc /scannow and it didn't say anything but I find a file "Found" in C:\ with 2 files .CHK "discovered when your disk was checked" (16Ko each). The fact is I didn't update my drivers for the moment !! I will try to have more information about that. Thanks to you two.

Hallo noknojon ! And thank you for your answer. The reason why I used the Developer Mode is just that I discovered it ! I wanted to try and see. Then I tried to understand why it pops up. My English is a little poor, sorry : You say "error code 1" but I had error code 2. There is also the word "device" : what is the link with my problem ? You speak about "drivers" and "update" if I understand. It's a fact that I used the soft DriverMax a few weeks ago. It showed me that I have 3 drivers needing an update. I wanted to do so but I read on a forum that it is not necessary to update drivers and that it can provide some problems sometimes. I have an old computer and it's working well; I chose not to take the risk. Is it why MBAM does not work very well ? You say : "The free version will usually give the same error codes as the paid version" That's a good information ! Thank you.

Sorry GT500 I forgot to say it : I have Windows XP Home (SP3) and my computer have a 32-bit edition of Windows.

Hallo ! I have the free version of MBAM and I ran a scan in the developper mode; I got this message "SwissArmy failed to initalize error code:0" It does not show up when I run a regular scan. Is it normal, is a limitation of the free version ? I've already read this : "SwissArmy is the name for the driver Malwarebytes uses to do Direct Disk Access (DDA). That error message means that the driver could not load. Without swissarmy being able to load, MBAM loses some detection abilities, with non static named rootkits, and it also looses the ability to break a files header on the fly to kill it." Then I uninstalled MBAM and installed it again : now if I run in the developper mode, I have this message : "DDA failed to read, error code : 2" It does not show up when I run a regular scan. I just would like to know if it is normal or if there's any problem with my computer. Thanks for your answer.

Sorry, I forgot to attach the file SYSTEM32.zip SYSTEM32.zip

Hallo from FRANCEhttp://forums.malwarebytes.org/style_emoticons/default/rolleyes.gif Malwarebytes' Anti-Malware says this file is a Trojan.Agent but I think it could be a false positive because a test on the site virustotal.com gives as result : 0/40 !! The file : C:\Documents and Settings\"name of the user"\Application Data\SYSTEM32.dll Please have a look and let me know. I add : I am a basic user and I don't speak so good English, sorry! http://forums.malwarebytes.org/style_emoti...ult/biggrin.gif mbam_log_2010_01_27__20_15_54_.zip