
All logs are attached. 

 

I've narrowed the issue down to a single, reproducible problem.

 

If I try to launch MBAM's GUI from the system tray icon (the one that shows up when you enable real-time protection), it says my database is corrupt or missing.

 

If I launch MBAM's GUI directly from MBAM.exe, or its respective shortcut on my desktop, it works fine.

 

At first I thought the OnClick() event associated with the system tray icon was causing my rules.ref to be deleted; however, upon setting rules.ref to read-only, the file remains, yet I still get a "Corrupt or Missing" error message. This test makes me conclude that this method of opening MBAM's GUI starts the program in a way that cannot read my rules.ref file.

 

My system is slightly modified, but I don't see how this could be related. I symlinked my Program Files (x86) folder to D:\. I installed MBAM to C:\MalwareBytes\ as a precaution, which does not resolve the issue.

 

 

ComboFix.txt

dds.txt

attach.txt


Hello and :welcome:

Your logs show you are running Malwarebytes Anti-Malware version 2.00.0.0504 which is in beta at the moment.

Any issues with this version need to be reported in that section of the forum HERE; you seem to have posted in the Malwarebytes Anti-Malware Help section, which is for help with the current version of Malwarebytes....

 

Thanks for understanding....


Hi, again, bilago:

 

OK, this is getting a bit confusing. :(

As it stands, to summarize, it appears that you have all of the following for the same issue:

It also appears that you have run some powerful malware removal tools (Combofix), as you posted a log here: https://forums.malwarebytes.org/index.php?showtopic=143490#entry799220 ???

 

>>Do you still have an open ticket with support team at the help desk?

 

As it seems that you have made system changes (reverting back to version 1.75 of MBAM PRO?) since running the logs you posted earlier, it would probably be a good idea to reorganize and start fresh with a new set of logs run on the system as it is now. ;)

 

Without making any new changes, I would suggest that you please follow my original instructions in this reply in your other thread >>HERE<<.

Then, please post back here with BOTH FRST logs, BOTH DDS logs and the checkresults log from mbam-check attached to your next reply.

Then, please wait for AdvancedSetup, Firefox and/or one of the other staff/experts to review these current logs.

They will advise you further when they have done so. :)

 

Hope this helps,

 

daledoc1


To clear up your confusion:

 

Yes, I created a new Topic based off that other thread as you suggested...

Yes, I reverted back to 1.75 since I have more issues than a corrupt database with the beta.

Yes, I have a ticket with the help desk, but the agent is trying to defer me to this forum instead of one-on-one help.

Yes, the agent asked me to run ComboFix on my computer.

 

I re-ran all the scans. These reflect my current system setup.

 

Let me know if there is any other clarification you need.

 

Addition.txt

attach.txt

CheckResults.txt

dds.txt

FRST.txt


  • Root Admin

Well, as I posted in the other topic, you're running MBAM in an unsupported fashion. If you want the program to work correctly, I would highly suggest that you run it completely from the C: volume as intended.

Looking at your logs I see that you have no restore points on the system, which is not good. You should have multiple restore points on the system.


You're running uTorrent peer-to-peer software, which is okay, but it runs all the time when the computer is running, which consumes a lot of resources even if you think you're not actively using it.

D:\Users\Bill\AppData\Roaming\uTorrent\nssm.exe
D:\Users\Bill\AppData\Roaming\uTorrent\uTorrent.exe

You or someone installed Windows on this custom-built system less than a year ago.
My advice: pick one of the drives, format it, create a new C: volume partition and reinstall Windows on it. The days of splitting up and using all sorts of partitions are pretty much old school. With 4TB drives these days and SSD drives at a very low cost, those are the way to go.
Remove all the symlink junk and use the computer normally, and I think you'll spend a lot less time babysitting the system and more time actually doing things that are fun or productive with the system.
You can install applications to another drive such as D:\Program Files (x86), but don't go trying to custom configure and move certain files to another drive, as it really is just looking to cause more maintenance issues that suck up your time for no real value.

Install Date: 4/10/2013 1:45:05 PM

You obviously have drives to use, so again my advice: copy/move and consolidate drives and pick one to fdisk, format, and install Windows on again, but use a much larger size than 30GB.

C: is FIXED (NTFS) - 30 GiB total, 6.305 GiB free.
D: is FIXED (NTFS) - 1863 GiB total, 748.362 GiB free.
E: is FIXED (FAT32) - 233 GiB total, 103.675 GiB free.
F: is CDROM (CDFS)
G: is CDROM ()
H: is FIXED (NTFS) - 1865 GiB total, 914.76 GiB free.
I: is FIXED (NTFS) - 929 GiB total, 419.983 GiB free.


You have a proxy set which is okay as long as you're aware of it.  If not then you should remove it.
FF NetworkProxy: "http", "107.23.180.148"
FF NetworkProxy: "http_port", 8080


As you can see from the Event Logs, the system is either damaged, has a software conflict, is infected, or is simply screwed up from all the custom tweaking you or someone has done on this system.
Again, it's up to you as it's your computer, but speaking for myself, I certainly would not want to waste my time maintaining it the way you currently have it configured.

==== Event Viewer Messages From Past Week ========
.
3/4/2014 8:16:32 AM, Error: Service Control Manager [7023]  - The Peer Name Resolution Protocol service terminated with the following error:  %%-2140995069
3/4/2014 8:16:32 AM, Error: Service Control Manager [7001]  - The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:  %%-2140995069
3/4/2014 8:16:32 AM, Error: Microsoft-Windows-PNRPSvc [102]  - The Peer Name Resolution Protocol cloud did not start because the creation of the default identity failed with error code: 0x80630203.
3/4/2014 7:55:35 AM, Error: Service Control Manager [7023]  - The WinDefend service terminated with the following error:  %%-2147024894
3/4/2014 7:55:34 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  iZ3DInjectionDriver
3/4/2014 10:37:21 AM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {8BC3F05E-D86B-11D0-A075-00C04FB68820}  and APPID  {8BC3F05E-D86B-11D0-A075-00C04FB68820}  to the user Bill-PC\Guest SID (S-1-5-21-1338594204-595557290-1314017537-501) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
3/3/2014 8:21:51 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.167.838.0).
3/3/2014 11:48:08 AM, Error: Service Control Manager [7000]  - The MBAMScheduler service failed to start due to the following error:  The system cannot find the file specified.
3/3/2014 10:41:26 AM, Error: Service Control Manager [7000]  - The MBAMService service failed to start due to the following error:  The system cannot find the file specified.
.
==== End Of File ===========================




I'm sorry, but as said, you're running our program in an unsupported fashion and in fact (IMHO) running your computer in a much less than optimal configuration, and a reinstall of Windows to a normal install with a drive of at least 300GB for the C: volume would be my recommendation.

Thanks
 


Thanks for your feedback.

 

Perhaps you don't see the benefit of segregating your OS files from your documents and programs, but that debate isn't going to help figure out the source of the issue with MBAM.

 

To clarify, MBAM is 100% residing on my Hard disk C:\.

 

I'm also aware of those Event logs... none of them indicate any real issue... 

3/4/2014 8:16:32 AM, Error: Service Control Manager [7023]  - The Peer Name Resolution Protocol service terminated with the following error:  %%-2140995069

3/4/2014 8:16:32 AM, Error: Service Control Manager [7001]  - The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:  %%-2140995069
3/4/2014 8:16:32 AM, Error: Microsoft-Windows-PNRPSvc [102]  - The Peer Name Resolution Protocol cloud did not start because the creation of the default identity failed with error code: 0x80630203.
That is because I have disabled homegroups.

 

3/4/2014 7:55:35 AM, Error: Service Control Manager [7023]  - The WinDefend service terminated with the following error:  %%-2147024894

3/3/2014 8:21:51 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.167.838.0).

That is because I have Windows defender turned off.

 

3/4/2014 7:55:34 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  iZ3DInjectionDriver

That is because I turned off the iZ3D device driver (third-party 3D video conversion software).

 

3/4/2014 10:37:21 AM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {8BC3F05E-D86B-11D0-A075-00C04FB68820}  and APPID  {8BC3F05E-D86B-11D0-A075-00C04FB68820}  to the user Bill-PC\Guest SID (S-1-5-21-1338594204-595557290-1314017537-501) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

That is because I set extremely strict Group Policy restrictions for the guest account (helps prevent people from getting my computer infected). Note: the issues I have with MBAM are on the admin account, not the guest.

 

3/3/2014 11:48:08 AM, Error: Service Control Manager [7000]  - The MBAMScheduler service failed to start due to the following error:  The system cannot find the file specified.
3/3/2014 10:41:26 AM, Error: Service Control Manager [7000]  - The MBAMService service failed to start due to the following error:  The system cannot find the file specified.

Those are probably leftover remnants from going to and from MBAM 2.0.

 

I have no problems and don't have to do any special maintenance on my system... Every piece of software I've run, new or legacy, works great, except MBAM...

 

The tone of your reply, and the reply of the one-on-one agent, seem to be grasping for excuses not to help resolve the issue. Windows natively runs multiple symlinks by default on the Windows operating system (WinSxS is a great example). To point to irrelevant event logs and to the use of different partitions to store different types of data seems to be more of a brush-off than actual troubleshooting.


  • Root Admin

Perhaps you don't see the benefit of segregating your OS files from Your documents and programs

Actually, I do, as does Microsoft, which is why they support folder redirection by Registry/GPO changes, not symlink redirection of core folders. They do not support the segregation method you've chosen for Programs, and neither do we.

 

Your logs also indicate possible piracy of the OS.  Hosts: 127.0.0.1 validation.sls.microsoft.com

There is no specific tone, only that yes, you have tweaked the system to the point that Microsoft would not support you either, and we will not spend countless hours trying to figure out where/what/how the program is broken by such a change.

 

I know this is a year old... but I'm having the same issue, and I also symlinked Program Files from C: to D:

You have installed to C:\MalwareBytes, which by default would automatically place the rules and other files on the C: drive as well.

But the logs show that it is located here: D:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware

One has to assume this is due to the symlink changes you've made.

 

I'm not trying to be difficult, but we have well over 50 million users (without tweaked systems) that are working just fine, so ask yourself where you think the installation issue resides.


FWIW, I have a dual SSD based computer and I've been installing Windows such that

 

  • %systemroot%
  • %programfiles% &
  • %programfiles(x86)% 

 

get installed to C: while 

 

  • %ProgramData% &
  • \Users 

 

get installed to D: by using the tutorial located at http://www.sevenforums.com/tutorials/285983-user-profile-customize-during-installation.html

 

I then move all my special folders (Documents, Downloads, Pictures, etc.) to my first mechanical drive, E:

 

The added benefit is that in the event of a system reinstall, all of the program settings in \Users and %ProgramData% can be easily retained, making setting up programs again a real simple snap.

 

The added benefit is that there is no symlinking / junctions involved.

 

Perhaps you could take a look at this....


You really should do fact checking before making claims for other companies and "what they support".

If you honestly don't think M$ supports symlinking, go ahead and take a look at
http://msdn.microsoft.com/en-us/library/windows/desktop/aa365680(v=vs.85).aspx

The symlinks are only there for badly programmed software that looks for hard C:\ paths. Both folders that are moved off drive C:\ are done via registry changes. I could delete all the symlinks right now, and Windows would function perfectly.

 

The reason the logs show that rules.ref is on drive D:\ is because I moved the reference to ProgramData in the registry as a test to see if MBAM didn't like its current location of C:\ProgramData.

 

You're making it quite clear that you take a very close-minded approach to Windows and to troubleshooting for this company, which is not much of an issue since this site is geared towards malware removal, not development support.

 

The fact that MBAM isn't touching a single symlinked folder, and that the issue only happens once real-time file protection is enabled, means that there is a pretty major design flaw in the development of this software, as the one-on-one agent has even stated himself. You might as well be blaming my Bluetooth mouse at this point.

 

I understand that some of you are volunteers helping out, and you deal with a lot of users on here who can't navigate their own way outside of a web browser. Even still, solutions such as "reinstall Windows" or "stop doing 'xxxx' because I don't understand how it works" aren't troubleshooting. I gave very specific, reproducible steps that cause an error with the software. At this point this thread just needs to be directed to someone who can note this as a software bug and create a ticket with development to investigate.

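The posts above disagree over which kind of relocation is in play: registry-based redirection of the core folders versus symlink/junction redirection. The script below is an added example (my own, not code from this thread or from Malwarebytes) that reads the registry-defined locations of Program Files, Program Files (x86), ProgramData and Users and reports, for each, whether it is redirected by a registry value, by a symlink/junction somewhere in its path, or not at all. It assumes Windows PowerShell 5.1 or later (for LinkType/Target on Get-Item) and that the legacy Shell Folders "Common AppData" value reflects the current ProgramData location.

```powershell
# Added example, not from the thread: audit how the core Windows folders are relocated.
# Assumes Windows PowerShell 5.1+ and that the legacy Shell Folders value is current.
$cv   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$cvNT = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Registry-defined locations (the "Registry/GPO" style of redirection).
$folders = [ordered]@{
    'Program Files'       = (Get-ItemProperty $cv).ProgramFilesDir
    'Program Files (x86)' = (Get-ItemProperty $cv).'ProgramFilesDir (x86)'
    'ProgramData'         = (Get-ItemProperty "$cv\Explorer\Shell Folders").'Common AppData'
    'Users'               = (Get-ItemProperty "$cvNT\ProfileList").ProfilesDirectory
}

function Get-ReparseHops {
    # Walk from $Path up to the drive root and return every symlink/junction on the way,
    # so a redirect of a parent folder is caught as well as a redirect of the folder itself.
    param([string]$Path)
    $hops = @()
    $cur = $Path
    while ($cur -and (Split-Path -Path $cur -Parent)) {
        $item = Get-Item -LiteralPath $cur -Force -ErrorAction SilentlyContinue
        if ($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            $hops += [pscustomobject]@{
                Path     = $cur
                LinkType = $item.LinkType          # SymbolicLink or Junction
                Target   = ($item.Target -join ';')
            }
        }
        $cur = Split-Path -Path $cur -Parent
    }
    return $hops
}

function Get-FolderRelocationReport {
    foreach ($name in $folders.Keys) {
        $regPath = $folders[$name]
        if (-not $regPath) { continue }            # value absent, e.g. 32-bit Windows
        # Check both the registry-defined path and the conventional path on the system
        # drive: the conventional one may be a link even when the registry was also changed.
        $defaultPath = Join-Path $env:SystemDrive $name
        $hops = @(Get-ReparseHops $regPath) + @(Get-ReparseHops $defaultPath) |
                Sort-Object -Property Path -Unique
        $method = 'default'
        if ($regPath -notlike "$env:SystemDrive*") { $method = 'registry' }
        if ($hops) { $method = 'symlink/junction' }
        [pscustomobject]@{
            Folder       = $name
            RegistryPath = $regPath
            Method       = $method
            Links        = ($hops | ForEach-Object { "$($_.Path) -> $($_.Target)" }) -join '; '
        }
    }
}

Get-FolderRelocationReport | Format-Table -AutoSize
```

A folder reported as `registry` is relocated the way the Root Admin describes as supported; one reported as `symlink/junction` is the configuration the thread blames, and the Links column shows exactly which hop redirects it.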

  • Root Admin

No one said that Microsoft does not support Symbolic Links. They don't support carving up the location of core folders.

 

I'm sorry if you're not happy with the program or our level of support does not meet your expectations.  You can submit for a refund on the product if you like.

 

Thank you.


  • 2 months later...

I have the exact same problem. I have "Program Files" and "Program Files (x86)" located on another drive using symbolic links. Those are the two symbolic links that I have created.

 

Malwarebytes was working fine using these symbolic links until I upgraded to 2.0. The upgrade process was successful, but afterwards Malwarebytes fails exactly as described in the first post.

 

As a professional tester who's worked at MS for over a decade, it would be nice if Malwarebytes could repro the issue by creating a symbolic link to another drive for "C:\Program Files (x86)" and "C:\Program Files" so they have a better technical understanding of why this is failing after a successful installation of Malwarebytes 2.0. I could speculate why I think it's failing, but I think it best for the dev & test team to investigate the failure and either fix it or officially state that symbolic links are not supported.

 

A good justification for understanding why Malwarebytes is failing is so the dev team knows there is no security risk involving symbolic links. Since Malwarebytes is failing for unknown reasons related to symbolic links, it's an opportunity for an exploit to be discovered.
