
EventVWR: MBAM (Premium) "Stopped Working"



MBAM event "Stopped Working". 

 

My search of this FORUM found nothing similar.

 

Event Viewer: "Critical Event" #1000 Application Failure (by MBAM - see attached in M-B.txt file)

 

Frequency: The Reliability Monitor also reports this failure occurring about once every other day. Timing of event: System is shut down every night and event occurs during daily startup (exact start time varies from day to day).

 

I've run all MBAM scans from Dashboard (including Rootkit). Result: nothing is found. See MBAM-log.txt attached.

  MBAM PREMIUM  version 2.2.0 1024, updated daily with the daily scheduled scan.

  MBAM non-default options also selected:  1) Enable Self-protection and 2) Early Start.

 

Kaspersky Anti-Virus installed and updated. Result: Nothing.

 

Ran Kaspersky's TDSSKiller.exe scan. Result: nothing.

 

 

 

Environment:

Win 8.1, on automatic update.

MBAM 2.2.0 1024 Premium

Kaspersky Anti-Virus, active updated daily.

Macrium Reflect imaging system installed (opens during startup with a choice of Windows 8.1 or Macrium's System)

Windows File History enabled and working and backing selected data files to dedicated USB drive.

Disk Mgt. lists 500 MB EFI Sys Partition / 40 MB OEM partition / 490 MB recovery partition / OS (C:) NTFS primary partition / 8.33 GB recovery partition. All healthy.

Dell XPS 8700, 1TB disk (lightly loaded), 3Gb Memory, Nvidia card.

M-B.txt

MBAM-log.txt


Hello and Welcome to Malwarebytes :)

Let's try this first....

Please let us know how it goes.

Thank You,

Firefox


It stopped working when I restarted it yesterday following the instructions.

It stopped working today when I started it for the first time.

Attached are the three LOGs.

 

EVENT VIEWER DETAILS:

Log Name:      Application
Source:        Application Error
Date:          12/2/2015 2:30:18 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Office
Description:
Faulting application name: mbam.exe, version: 2.3.125.0, time stamp: 0x5612a56b
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18007, time stamp: 0x55c4bc8e
Exception code: 0xc0000142
Fault offset: 0x0009d4f2
Faulting process id: 0x1630
Faulting application start time: 0x01d12d37dba97532
Faulting application path: C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
Faulting module path: KERNELBASE.dll
Report Id: 1e2dea95-992b-11e5-82a5-543530cc0b94
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-02T19:30:18.000000000Z" />
    <EventRecordID>51217</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Office</Computer>
    <Security />
  </System>
  <EventData>
    <Data>mbam.exe</Data>
    <Data>2.3.125.0</Data>
    <Data>5612a56b</Data>
    <Data>KERNELBASE.dll</Data>
    <Data>6.3.9600.18007</Data>
    <Data>55c4bc8e</Data>
    <Data>c0000142</Data>
    <Data>0009d4f2</Data>
    <Data>1630</Data>
    <Data>01d12d37dba97532</Data>
    <Data>C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe</Data>
    <Data>KERNELBASE.dll</Data>
    <Data>1e2dea95-992b-11e5-82a5-543530cc0b94</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>

FRST.txt

Addition.txt

CheckResults.txt

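Added example, not part of the thread: a Python sketch that reads an exported Event ID 1000 record like the one posted above, names its positional `<Data>` values in the order the Description lines give them, and works out how long the process ran before the fault was logged. The field names, function names and trimmed sample are this example's own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Labels (chosen for this example) for the positional <Data> values, in the
# same order as the "Faulting ..." lines of the event Description.
FIELDS = ["app_name", "app_version", "app_timestamp", "module_name",
          "module_version", "module_timestamp", "exception_code",
          "fault_offset", "process_id", "app_start_time", "app_path",
          "module_path", "report_id", "package_full_name", "package_app_id"]

# Trimmed copy of the Event Xml quoted in the post above.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="0">1000</EventID>
    <TimeCreated SystemTime="2015-12-02T19:30:18.000000000Z" />
  </System>
  <EventData>
    <Data>mbam.exe</Data><Data>2.3.125.0</Data><Data>5612a56b</Data>
    <Data>KERNELBASE.dll</Data><Data>6.3.9600.18007</Data><Data>55c4bc8e</Data>
    <Data>c0000142</Data><Data>0009d4f2</Data><Data>1630</Data>
    <Data>01d12d37dba97532</Data>
  </EventData>
</Event>"""

def filetime_to_utc(hex_value):
    """Convert a hex FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    ticks = int(hex_value, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_event_1000(xml_text):
    """Return the crash record as a dict with decoded start time and lifetime."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1000":
        raise ValueError("not an Application Error (Event ID 1000) record")
    values = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    rec = dict(zip(FIELDS, values))
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # Keep whole seconds only; the export carries nine fractional digits.
    rec["logged"] = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    rec["started"] = filetime_to_utc(rec["app_start_time"])
    # Seconds between process start and the fault being logged.
    rec["lifetime_s"] = (rec["logged"] - rec["started"]).total_seconds()
    rec["pid"] = int(rec["process_id"], 16)
    return rec

if __name__ == "__main__":
    r = parse_event_1000(SAMPLE)
    print(r["app_name"], r["exception_code"], r["started"], r["lifetime_s"])
```

For the posted record the process started at 19:30:10 UTC and the fault was logged under eight seconds later. Exception code 0xc0000142 is the NTSTATUS value STATUS_DLL_INIT_FAILED.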

  • Root Admin

The logs seem to indicate that there may be something going on with your hard drive or disk controller.

 

I would recommend doing a Full Disk Check.

 

Click on your start panel and click the more to show all your icons and look for the COMMAND PROMPT and right click it and choose "Run as administrator"

Then in the DOS console type the following.

 

CHKDSK C: /R

 

It will say it cannot lock the drive. Press the Y key to run it after a restart. Then restart the computer and let it run.

 

Then do an MBAM Clean Removal process and let us know if you're still having an issue or not.

 

Please uninstall your current version of MBAM and reinstall the latest version. MBAM Clean Removal Process 2x

 

If the problem persists then restart the computer 2 more times and then run a new set of Diagnostic logs and make sure you place a check mark on the Additions.txt check box for FRST to get that log too and post back all new logs.

 

Thanks


Thank you.

 

I ran chkdsk C: /R from Command Prompt (Admin) as you advised.

 

See attached chkdsk results from Event1000 titled Wininit.

 

I restarted the PC twice, then I started looking around and found the following under \WinLogs \Security which alarmed me, somewhat:

Event 4648 "A logon was attempted using explicit credentials"

Event 4738 "A user account was changed" Note: One user. I didn't change any users.

Event 4672 "Special privileges assigned to new logon"

Event 4797 "An attempt was made to query the existence of a blank password for an account." This one occurred 12 times today.

 

From my review of this Security file, all of these events occurred more than once each day, occurred in the order I listed them and this sequence has been happening for quite some time, for as long as MBAM has been stopping per the Event Viewer.

 

Is this a clue?

 

Thanks in advance,

Paul

Chkdsk-wininit.txt


Restarted and immediately ran Kaspersky A-V FULL SCAN with all the positive options checked and it found: Trojan.Win32.Menti.gen.silent.xxxxxxxx674_2 buried in my PaperPort app. Kaspersky quarantined it. Why Kasp never found anything before is beyond my understanding, except it not running at startup.

 

I have run the "MBAM clean process" 2x and MBAM has not stopped since the first time I ran the "MBAM clean process" (as above).

 

Please look at the attached LOG files.

 

Thank you for your help.

 

 

Also, should MBAM's three apps be listed as 32 bit in the Task Manager or did I do something wrong?

 

Paul

CheckResults.txt

Addition.txt

FRST.txt


  • Root Admin

Well you have a couple of odd errors still in the logs for services. Not malware related but you may want to search Google or the Windows Support forums to see if you can find a fix for them.

Error: (12/04/2015 10:32:40 AM) (Source: Perflib) (EventID: 1008) (User: )

Description: BITSC:\Windows\System32\bitsperf.dll4

and a couple others.

Otherwise it looks okay from a malware security point of view. Yes MBAM is a 32-bit program with 64-bit drivers so what you see is correct.

If there is nothing else we should be done here so let me know.

Thanks
