2.0.3.1025 Causing BSOD Crash every few days

[jt25741]

Hello,

 

I can really use some help.  My system was crashing every few days at nights (during scans)...     I thought it was virus but the system kept coming up clean from most programs save a single one from AVG which seems to be a known false-positive from that one.

 

But then I then finally looked at the dumps that were generated at each crash, and found MBAMSwissArmy.sys as driver that caused Kernel_Mode_Exeception_Not_Handled.          This is the cause of my trouble......and the system only BSOD like this during a scheduled scan (late at night).       I have multiple dump files, but attached one of the more recent sets.

 

I am trying to see if shutting off scanning within archives helps work around the bug (latest tweak).    Any help hugely appreciated to get to the bottom of MBAM instability.        I have been using it for many many years --- and this is the first time I have had such instability for any of its components.   The system is XP Pro 32bit SP3 fully patched.

 

Jim

[daledoc1]

Hi:
 
BSOD are most often caused by hardware problems, driver problems or some types of serious malware (rootkits).

On an older, XP machine, it could certainly be any of these.
 
We would need more information in order to help sort this out.
Routine troubleshooting starts with the following steps:

• Please carefully follow the steps in this pinned topic to uninstall your current version of MBAM and reinstall the latest build - MBAM Clean Removal Process 2x
• If that does not correct the issue, then please read the following and post back attached to your next reply the 3 requested logs - Diagnostic Logs (the 3 logs are: FRST.txt, Addition.txt and CheckResults.txt)
• NOTE: There is an FAQ section with valuable information located here - Common Questions, Issues, and their Solutions

Depending on how that turns out, the staff might need to collect additional information (e.g. Windows crash dumps), and/or refer you to a different area of the forum for deeper scans and diagnostics.
But the steps above will provide a good starting point.

 

>>If you already have the Windows mini-dumps, you can ZIP and attach them to your next reply, if you wish.
 
Thanks,

[jt25741]

Daledoc1,

 

Thanks for your speedy reply.   Perhaps you missed it in my prior post, but I did already attach the minidump sample.  Can you please look for it and let me know if it somehow didn't go through the forum post?

 

I had already done the clean reinstall prior to my post because I have been personally troubleshooting this for a couple of weeks when the smoking gun of the dump I sent consistently is pointing to MBAM.     

 

I will load the reporting tool and send those shortly...but the dumps are of considerable concern....as this should not happen with any program.

 

Thanks

[daledoc1]

Hi:

 

Sorry, but there is no attachment in your original post.

Let us know if you need help with attaching the files here to your replies (the process is not overly intuitive, especially for forum newcomers).

If they are too large to attach, let us know, and we will provide instructions for uploading to a recommended file share service.

 

The reason for requesting a proper clean reinstall is to provide a known, "clean" starting point for troubleshooting (folks sometimes have reinstalled, but not by following the recommended "best practices" in this pinned topic: MBAM Clean Removal Process 2x).

We would also need to see the 3 requested Diagnostic Logs.

 

Please attach those logs and the mini-dumps when you are ready.

 

Thanks for your patience,

 

[jt25741]

Sorry Daledoc not sure what I did wrong but probably not starting with coffee was part of it...... reattempting attachment of minidump from MBAM scan.   Attaching other files.     The minidump is a zip file containing the minidump bundle.

 

 

Addition.txt

FRST.txt

[daledoc1]

Thanks for those.

 

Do you also have the checkresults.txt from mbam-check?

Also: I don't see an antivirus program on this computer. Is there an AV installed? (MBAM is not an AV.)

 

Once we have all of those, we'll need to wait for one of the staff or experts to review them.

Please be patient, as it is the weekend.

 

Thanks very much,

[jt25741]

Hello Daledoc,

 

Sorry....attached checkresoults.txt here.

 

At this time no protection is running except for MBAM.     In the recent past I had loaded GMER, HitmanPro, NPE, Sophos and others without detection.       I had removed all of these when I finally was able to take a look at the dump files that were created with each crash pointing to the topic of this post.

 

Thanks so much

 

Jim

CheckResults.txt

[daledoc1]

Thanks for that last log.

 

Until someone has a chance to review them, it might be worth trying the original suggestion in the original reply, a clean reinstall (your log shows that MBAM was last installed several weeks ago).

 

Also: if you temporarily uninstall MBAM, do the BSODs stop?

 

Having said that, it appears that you are running XP, which is no longer supported by MS for security patches, and that you have no real-time anti-virus (AV) on the system.  That's a pretty risky strategy in terms of vulnerability to malware.

MBAM is not an AV, so one needs to have an anti-virus as a primary layer of security software.  MBAM is designed to provide complementary protection alongside a robust AV, either free or paid.

So, as you have no real-time AV, the troubleshooting step of temporarily uninstalling MBAM to see if the BSOD resolves probably isn't advisable at this time. When you get this sorted, you'll definitely want to install an anti-virus.

 

Please wait for one of the staff or experts to review the logs and to make further recommendations.

 

Thanks again for your patience.

[jt25741]

Hi Daledoc,

 

This problem has been persisting for a few weeks..... so reinstallations started around then.         Yes, the only time BSOD occurs is when MBAM runs.   If MBAM does not run, the BSOD dont happen.   This makes sense since the only signature for crash in the dumps is MBAMSwissArmy.sys.     A pretty tight correlation.

 

Understood about EOS for XP.     This system is a static server that doesnt get used as a desktop.    Programs/services running it it are largely static and unchanged over time...and it functions as a  file/print service for home use.      It has been rock-solid and right-sized for this limited use modality and I have no intention of changing it in the short term.      Once I get around the current issue.....I hope things will resort back to a system that runs for months and months with no intervention as it has been for years.

 

I appreciate the links on AV, am aware of support issues with XP.    After this is resolved I will layer another AV ontop just for safety sake.

 

I am looking forward to further instruction based on the dump signature and other files.

 

Thanks 

[jt25741]

I am getting no response back on this forum regarding the dump analysis.... I also created a support case earlier....and after nearly a month they suggested I post here .  I said I did..but still no response from escalation engineers regarding the dump signatures.

 

An update is that after completely removing MBM using the removal tool...system is as stable as it always has been.    I am using a different tool for malware for now...until I can get a fix from MBAM.

[KenW]

There is a new version out since you are not online 2.04.1028

[jt25741]

Ken is this comment for me...or the other person tagging on to my thread?      Are  you implying my problem was analyzed and fixed in this new release?    Or has anyone looked at the data collected last month?

[daledoc1]

@jt25741

 

I'm very sorry about the delay -- it appears that your thread was inadvertently overlooked over the recent holiday and the thread has become rather "busy".

 

I have escalated your topic to the forum staff.

Thanks for your patience, as we await a reply from them, after they have a chance to review your logs.

 

EDIT: Alternatively, you might wish to try a CLEAN UPGRADE to version 2.0.4.1028, which was just released yesterday.

If doing so does NOT resolve your BSOD issue, then we would need to see a fresh set of Diagnostic Logs, and any new Windows minidumps, please.

(Please be sure to place a check-mark in the "Addition.txt" option before running FRST again.)

 

Thanks again,

[KenW]

jt25741 it was for you. A new version came out yesterday, but don't know what was fixed. They should post new version info here in case it was missed by update or "what ever".

[jt25741]

Thanks Ken....I will wait for the dump analysis and recommendation that comes from earlier posts before loading this.     System is so pleasant in the meantime when it doesn't crash without MBAM loaded.      I will reload a version that addresses, or proposes to address the problem I had been experiencing.   

 

Thanks again for everyones help.

[Firefox]

jt25741 Not saying this will fix your issue but won’t hurt to try it...

You seem to have explorer.exe and rundll32.exe running in compatibility mode; you need to remove those...

Please backup your registry first, then run REGEDIT.EXE and browse to the key below and remove the entries.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

Remove these two entries.. (or all of them for that matter)
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe


Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please download ERUNT from one of the following links: Link1 | Link2 | Link3
• ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
• Double click on erunt-setup.exe to Install ERUNT by following the prompts.
• NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
• Choose a location for the backup.
  • Note: the default location is C:\Windows\ERDNT which is acceptable.
• Make sure that at least the first two check boxes are selected.
• Click on OK
• Then click on YES to create the folder.
• Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

[AdvancedSetup]

The crash dump does show that our driver attempted to run and crashed. Unfortunately it does not list the exact reason.

Please do as Firefox has said above. Those cannot run in compatibility mode as it will cause problems.

Then do as Daledoc1 and Ken has suggested and do a Clean Removal and reinstall the latest version. Then restart the computer and let us know if you continue to have an issue or not and we'll go from there.

Thank you

[jt25741]

The crash dump does show that our driver attempted to run and crashed. Unfortunately it does not list the exact reason.

Please do as Firefox has said above. Those cannot run in compatibility mode as it will cause problems.

Then do as Daledoc1 and Ken has suggested and do a Clean Removal and reinstall the latest version. Then restart the computer and let us know if you continue to have an issue or not and we'll go from there.

Thank you

 

 

Can you please expand on compatibility mode and what would cause this?     I have processes running such as Google Picasa auto updater that leverage iexplorer to function.    Although I dont use IE, if I remove it applications that do will not function.   So I wanted more information before I cause trouble for myself by deleting these seemingly core applications.

[Firefox]

The process we are talking about is explorer.exe and not iexplorer.exe.  If you click on the links I listed you can see what the difference is.

 

You can not have explorer.exe running in compatibility mode as your Windows will have issues.

[jt25741]

Got it.    I am not sure what caused that modification, but I removed them from the registry --- and rebooted.  Everything seems similarly stable.    Since I removed MBAM, system hasn't crashed (for over 2 weeks now).      So I will make sure things are similarly completely stable now with this registry change before introducing MBAM again.    I will wait several days.     When I removed MBAM some time ago, I did use the clean method...so it is completely gone from system.     Once things are stable, I will layer the latest version on again and try it one more time before I give up on it.

 

Thanks for your help and identifying this bad config with explorer.exe in compatibility mode.

 

 

[Firefox]

No problem, when you go ahead and re-install Malwarebytes, let us know and if you still have issues give us some fresh logs with Malwarebytes installed and we can see what's up.

[shadowwar]

Just wanted to let you know i had dev look at your crash dump and they said this was already fixed for 2.1 release due in about a month. It can also be related to what was fixed also above. You can test if scans crash with the current MBAR as this has the fix in it already.

[jt25741]

That is positive news.... thank you.   In that BSOD put strain on this system that stays up 24/7 for home media server that people count on, I tend to be conservative with it.   I will wait for the 2.1 release that may completely address the problem and surely reinstall and retest to verify fix.     I am curious....is it related to MBAM trying to scan USB volumes that may sleep and require time before awakening, and not handling that condition?      

 

Best to you all and thanks for the help.

[shadowwar]

I didnt get that information from dev as they are in head down mode to get 2.1 ready. Just from what i saw quickly it does have to do with certain file conditions so it is possible. They had fixed this from another QA report but they said it isnt that common and we dont have many tickets on it.

[AdvancedSetup]

A little bit of an old topic but I will go ahead and move your topic into our new BSOD forum so if you get this notice in email and are still having issues with MBAM then our new team ay be able to help you in the BSOD forum.