Jump to content

Problem in Event Viewer: source MBAMChameleon


Recommended Posts

found several (lots) entries as follows,

 

Failed to verify the digital signature for \\??\c:\Program Files(x86)  Norton Security Suite\Engine\21.1.0.18\WSCStub.exe

Also fails for \\??\c:\program files\windows defender\mpcmdrun.exe

                                                                                                         

Why is MBAMChameleon running anyway? I thought that only ran to hide from malware.

Source: MBAMChameleon

 

 Log Name:      System

Source:        mbamchameleon
Date:          4/3/2014 5:51:07 AM
Event ID:      61440
Task Category: (4096)
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Toshiba
Description:
Failed to verify the digital signature for \Device\HarddiskVolume4\PROGRAM FILES (X86)\NORTON SECURITY SUITE\ENGINE\21.1.0.18\WSCSTUB.EXE 
Event Xml:
  <System>
    <Provider Name="mbamchameleon" />
    <EventID Qualifiers="16384">61440</EventID>
    <Level>4</Level>
    <Task>4096</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-04-03T09:51:07.415984300Z" />
    <EventRecordID>72354</EventRecordID>
    <Channel>System</Channel>
    <Computer>Toshiba</Computer>
    <Security />
  </System>
  <EventData>
    <Data>
    </Data>
    <Data>\Device\HarddiskVolume4\PROGRAM FILES (X86)\NORTON SECURITY SUITE\ENGINE\21.1.0.18\WSCSTUB.EXE</Data>
    <Binary>00000000020028000010000000F00040F10F00000D0000C000000000000000000000000000000000</Binary>
  </EventData>
</Event>
Link to post
Share on other sites

As I am not on the development team I can not say why MBAMChameleon is running, but maybe it could be running if you have Enable Self Protection.... I may be corrected by someone on staff if that is correct. As for the errors, lets get some logs to see if we can find out what's going on, someone on staff will review them and get back to you.....

STEP 1

NOTE: If you have Win8/8.1 Skip Step 1 and go to Step 2 as DDS does not work on Win8/8.1

Please run the DDS scanner and send back both logs as attachments to your next reply.

Download DDS from one of the locations below and save it to your Desktop:

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.

Then double click dds.scr or dds.com to run the tool.

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include both of the following logs in your next reply as an attachment: DDS.txt and Attach.txt
  • You can ignore the note about zipping the Attach.txt file and just post it or attach it.
STEP 2

Please run mbam-check and send back the log as an attachment to your next reply.

  • Download mbam-check.exe from HERE and save it to your desktop
  • Double-click on mbam-check.exe to run it, it should then open a log file
  • Please do not copy and paste the entire contents of the log into your next post; instead please attach to your next reply the CheckResults.txt log file which should now be located on your desktop.
STEP 3

Please run the FRST tool and send back both logs as attachments to your next reply.

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system - that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your next reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your next reply.
Link to post
Share on other sites

  • Staff

Hello Johnf25.

See my post in the Beta area, as well as in MBAR forum, which uses the same type of mbamchameleon driver

This is normal and expected in some cases. Chameleon (mbamchameleon driver) is checking digital signatures/certificates of processes in memory. When it is unable to verify, it is logged as an Information event. It's not an issue of concern in this case.

As to why mbamchameleon is running, Firefox has the right idea. If you're using MBAM 2.0 and self-protection is enabled, that is the mbamchameleon driver.

Link to post
Share on other sites

Thanks for the information, you were right (both of you) I have set self protection and self protect early start.

I had just got done running the programs you suggested (FireFox) when I received email from MalwareBytes Staff.

Reports not needed now, but boy do they collect a lot  info.

Link to post
Share on other sites

Well I am happy to hear you got it all figured out.... Thanks for following up and letting us know...

 

Yes those tools do collect quite a bit of info, but sometimes needed in order to fix issues.  Gives us a good look at the computer without physically sitting in front of it.

 

Should you have any further questions don't hesitate to ask.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.