
MWBAM doesn't stay resident



Hi,

I wish to delay start MWBAM using the program Startup Delayer, hence I've disabled the option of starting MWBAM when Windows (Win 8 Pro) starts (right click MWBAM icon and untick "Start with Windows"). On the Protection tab I only enabled "Enable filesystem protection".

If I start MWBAM when I start Windows the program remains resident and the icon appears in the notification area. Starting MWBAM via Startup Delayer brings up MWBAM but when I exit it, it doesn't appear in the notification area. On restarting and checking the Protection tab I note that "Enable filesystem protection" is now unticked. Ticking this option, rebooting, waiting for MWBAM to start, exiting MWBAM, restarting MWBAM and checking the Protection tab again shows that "Enable filesystem protection" is unticked. It doesn't matter how many times I ensure the option is ticked, on restart it is unticked.

This apparent unticking of the "Enable filesystem protection" also occurs if you exit MWBAM by an appropriate right click command on the notification icon, after checking that "Enable filesystem protection" is ticked and "Start with Windows" unticked. Restart MWBAM, go to the Protection tab, and the "Enable filesystem protection" option is unticked.

I've used mbam-clean, rebooted, reinstalled and still have the same problem.

Any ideas, anyone?

Neil


Hello and welcome:

I'm not sure how that 3rd-party program (Startup Delayer) might be interfering with things.

Since you've already tried a clean reinstall, until one of the MBAM staff arrives, please run the mbam-check and DDS tools.

Please post back with the following logs as attachments to your next reply:

  • Checkresults.txt from mbam-check
  • A couple of protection logs, if you have them
  • DDS.txt from DDS
  • Attach.txt from DDS

They'll provide a bit of info about what's going on with your system and may point to a solution for you.

Thanks,

daledoc1

--------------------

Step 1 -- Create an mbam-check log:

Download mbam-check.exe from HERE and save it to your desktop.

Double-click on mbam-check.exe to run it, it should then open a log file.

Please attach to your next reply the CheckResults.txt file which should now be located on your desktop.

Then, if you can, please also upload your 3 most recent Protection module logs:

In Windows Vista/7, these logs are located in: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs

(I'm not sure of the file path for the protection logs in Win8, but I assume it's the same?)

Step 2 -- Run DDS and create 2 logs:

Download DDS from one of the locations below and save it to your Desktop:

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once it is downloaded, you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr or dds.com to run the tool, on Vista or Win 7 right click and select Run as administrator

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.


  • When done, DDS will open two (2) logs:

    1. DDS.txt
    2. Attach.txt

  • Save both reports to your desktop
  • Please attach both of the following logs to your next reply: DDS.txt and Attach.txt
    --->You can ignore the note about zipping the Attach.txt file in most cases.


  • Root Admin

More than likely your main issue is that you have Malwarebytes (and some other programs) running in compatibility mode.

I would recommend removing all of them from compatibility mode and see how things work.

As you can see from your Event Logs the Roxio is also having issues and Dragon

Compatibility Flag Settings (Any MBAM file listings should be removed):

=======================================================================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers

C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe REG_SZ ELEVATECREATEPROCESS

D:\Temp\mp730mpsvst505en.exe REG_SZ ~ WIN7RTM

C:\AcroPro.msi REG_SZ ~ MSIAUTO

C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe REG_SZ ~ RUNASADMIN

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe REG_SZ ~ RUNASADMIN

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers

C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe REG_SZ ELEVATECREATEPROCESS

C:\Program Files (x86)\Roxio Creator NXT\Roxio Central\RoxioCentralFx.exe REG_SZ ELEVATECREATEPROCESS

C:\Program Files (x86)\DVDFab 8 Qt\DVDFab.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFabDVD2DVD.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFabDVD2Mobile.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFabBluRay2BluRay.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFabFile2Mobile.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFabFileMover.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFabBluRay2Mobile.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFabBluRay2Mobile3D.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFabBluRay2DVD.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFab2Dto3D.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFabAddonDVD.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFabAddonBluRay.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFabFile2DVD.exe REG_SZ DisableNXShowUI

C:\Program Files (x86)\DVDFab 8 Qt\Options\DVDFabFile2BluRay.exe REG_SZ DisableNXShowUI


==== Event Viewer Messages From Past Week ========
.
18/11/2012 5:38:56 AM, Error: Service Control Manager [7023] - The Roxio Hard Drive Watcher 14 service terminated with the following error: The class is configured to run as a security ID different from the caller
18/11/2012 5:38:19 AM, Error: Microsoft-Windows-Kernel-General [6] - An I/O operation initiated by the Registry failed unrecoverably.The Registry could not flush hive (file): ''.
17/11/2012 4:10:31 PM, Error: Service Control Manager [7022] - The NETGEARGenieDaemon service hung on starting.
17/11/2012 4:02:50 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {7022A3B3-D004-4F52-AF11-E9E987FEE25F} and APPID {ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D} to the user Spock\Neil SID (S-1-5-21-1839546594-433731340-667585501-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
17/11/2012 11:05:58 AM, Error: Service Control Manager [7030] - The Dragon Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
16/11/2012 4:59:36 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer BONES that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B92FBF4E-15EA-4971-8D79-410443D58416}. The master browser is stopping or an election is being forced.
14/11/2012 7:16:31 PM, Error: Service Control Manager [7034] - The Soluto PCGenome Core Service service terminated unexpectedly. It has done this 1 time(s).
13/11/2012 7:10:54 PM, Error: Service Control Manager [7030] - The RoxMediaDB14 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
13/11/2012 7:10:54 PM, Error: Service Control Manager [7030] - The Roxio Hard Drive Watcher 14 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
.
==== End Of File ===========================
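
A small parser for the "Compatibility Flag Settings" section quoted in the post above, added here as an example (it is not part of the thread or of mbam-check). It reads the Layers entries, tolerates the run-together `.exeREG_SZ` spacing, and picks out the Malwarebytes entries; the function names and the printed `reg delete` line are assumptions for illustration, meant to be reviewed before anything is run.

```python
import re

# Excerpt of the log section quoted in the post above (a subset of its lines),
# with the missing space before REG_SZ left in place on purpose.
SAMPLE_LOG = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exeREG_SZ ELEVATECREATEPROCESS
D:\Temp\mp730mpsvst505en.exe REG_SZ ~ WIN7RTM
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeREG_SZ ~ RUNASADMIN
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
C:\Program Files (x86)\DVDFab 8 Qt\DVDFab.exeREG_SZ DisableNXShowUI
"""

# <value name = file path> REG_SZ <layer flags>; the separator may be missing.
ENTRY_RE = re.compile(r"^(?P<path>.+?)\s*REG_SZ\s*(?P<data>.*)$")

def parse_layers(text):
    """Return one dict per Layers value: registry key, file path, layer flags."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            key = line                     # entries below belong to this key
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            flags = [f for f in m["data"].split() if f != "~"]
            entries.append({"key": key, "path": m["path"], "flags": flags})
    return entries

def flag_product(entries, needle="malwarebytes"):
    """Entries whose file path belongs to the product being troubleshot."""
    return [e for e in entries if needle in e["path"].lower()]

def removal_command(entry):
    """Hypothetical helper: a reg.exe line that would delete this one value."""
    return 'reg delete "{key}" /v "{path}" /f'.format(**entry)

if __name__ == "__main__":
    for hit in flag_product(parse_layers(SAMPLE_LOG)):
        print(hit["flags"], hit["path"])
        print("  review, then run:", removal_command(hit))
```
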


Yes, I can investigate the compatibility mode issue. I should state that all programs were installed as per their installation programs, I have not changed any installation program's compatibility mode or altered the compatibility of the indicated programs after installation. To me this strongly suggests that the compatibility mode was set by the installer or by other means when the programs were installed or first run. One has to ask if this is a lazy way for some companies of ensuring their software works under Windows 8?

N


  • Root Admin

Well I know that our installer does not do it as it is problematic for our software. Cannot speak for other companies, but it could be that the OS sees something that triggers it to do it based on your own computer settings possibly.

Please remove and reboot and let us know if the issue continues.

Thanks


  • Root Admin

Please do the following and let us know if this corrects the issue for you or not. Make sure that there are no compatibility settings once completed either.

  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer; please allow it to do so (very important)
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
      You can also look up your ID and Key from the Registry and copy and paste it to a Notepad document before running the mbam-clean utility.
      Location for Windows x86

      HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware

      Location for Windows x64

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware

      If you cannot locate your registration in the Registry and no longer have access to your order number you can contact Cleverbridge to obtain information about your order and registration information.
      Cleverbridge customer service
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now set up any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQs here or ask and we'll explain how to do it.


Ok, yet again clean deleted anti-malware and reinstalled, as per previous post, ensuring ESET disabled as required and a scan exclusion placed on anti-malware folder. I only ensured that there was no compatibility issue with anti-malware, all other programs remain as they were installed with or without any compatibility set. I have only ever altered the compatibility of anti-malware when I first had this issue, I have never changed any compatibility issues with other programs.

So now the results are:

(a) if filesystem and web protection on with start with windows option, then everything is happy on boot.

(b) if filesystem protection on with start with windows options, then when boot both filesystem and web protection now set.

(c) if filesystem protection on and start with windows off, then on boot and anti-malware execution the filesystem protection is off and the program doesn't stay resident when I exit. I can set filesystem protection on prior to exit and the program remains resident.

So I still have the problem that not starting with windows doesn't hold the protection options when I go to run the program.

Has anyone else with Win 8 64-bit disabled start with windows option and rebooted to see if their filesystem and web protection options stick when they start the program manually?

N


Hello :)

I think I might understand what's going on. Let me explain how each option in the Protection tab (pictured below) works and then let me know if my explanations fit with the behaviors you're seeing:

post-2103-0-11164200-1353318067.png

Enable filesystem protection - This setting does not affect the startup behavior for the protection module at all, including whether or not filesystem protection starts with Windows. It only turns on the filesystem protection right now if you check the box or disables it right now if you uncheck the box.

If you check this box after having exited the protection module completely (using the Exit option in the tray menu) or if the tray menu is not running because the Start protection module with Windows setting is disabled, then it will start the tray as well as enable whichever components you have set to start when the protection module starts (see below).

Enable malicious website blocking - Precisely the same as above except for Website blocking instead of filesystem protection, including how it affects enabling both components if the tray (i.e. the protection module) is not running when you check the box.

Start protection module with Windows - This controls whether or not the tray will load when Windows boots, it will not automatically start either of the individual protection components (filesystem protection or website blocking) unless they are set to start when the protection module starts (see below).

Start file execution blocking when protection module starts - This setting tells the protection module whether or not it is supposed to enable filesystem blocking when the protection module starts, this includes when the protection module starts with Windows as well as when you enable the protection module manually by checking the box next to Enable malicious website blocking. The only time this will not be honored is if you actually check the box next to Enable filesystem protection, but that still has no effect on whether or not filesystem protection starts on boot.

Start malicious website blocking when protection module starts - Exactly the same as above, except for website blocking instead of filesystem protection.

I hope that helps to clear things up. Please let me know if you need any further clarification or if the behavior you're seeing is different from what I described.


Hi Exile, the mind is a little confused now. On my previous PC I had (with reference to the screen shot above), items 1 and 4 ticked and the delayer program ran mabamgui /starttray. This worked.

Now, in Win 8, I set the same items and start the program with mabamgui /starttray but I get the dreaded UAC popup first, and now I'm thinking it is this popup which then stops the /starttray option from happening, and so the protection starting. Does this sound about right?

I'll try the cheat method of avoiding the UAC popup by running mabamgui /starttray with highest privileges and see what happens.


Yes, that sounds correct. In Malwarebytes Anti-Malware 1.65.1, we no longer use the /starttray function in the same way. You'll get a UAC prompt because when you exit the tray, the service (MBAMService) no longer continues to run the way it used to. Instead, it terminates as well so that it does not remain resident on your system when you've exited the protection module.
