MBAM Free vs Jetico's BestCrypt


I reported this back in December 2014 via Malwarebytes customer support, but heard nothing. While discussing another issue with Antiransomware beta on the forums, this came up and a moderator suggested I start a topic on it over here.


Whenever I perform a scan with Malwarebytes Anti-Malware Free and have a BestCrypt volume mounted, when the scan progress bar just reaches the "scanning for rootkits" circle, the machine warm boots.

The machine is a Lenovo ThinkPad E531 688528U running Windows 7 SP1 Ultimate 64-bit, with 16 GB of RAM. The boot drive is a SAMSUNG 840 EVO MZ-7TE1T0BW 2.5" 1TB SATA III MLC Internal Solid State Drive (SSD) with its self-encryption active, and the secondary drive is a Transcend TS256GMTS400 256 GB SATA III 6Gb/s MTS400 42 mm M.2 SSD Solid State Drive (SSD) with its self-encryption active.


This crash happens every time Malwarebytes Anti-Malware Free is run if a BestCrypt volume is mounted. Other AV products don't seem to have this issue with BestCrypt. The Perfmon & SysnativeFileCollectionApp files are attached.

Perfmon.zip

SysnativeFileCollectionApp.zip


Your CD-ROM drive is disabled.  Is this deliberate?  If so, why did you disable it?
This may be the Roxio DVD-ROM emulator listed in Device Manager
If this is not a physical DVD drive, then please re-enable it and then update the program associated with it to the latest compatible version for your system.

Only 275 Windows Update hotfixes installed.  Most systems with SP1 have 300-400 or more.  Please visit Windows Update and get ALL available updates (it may take several trips to get them all).
The actual number is not important.  Rather it's important that you checked manually, installed any available updates, and didn't experience any errors when checking or updating.

You have an Alfa 11n USB Wireless LAN Utility installed on your system.  Do you have a wireless USB device attached to the system?  If so:

Quote

I do not recommend using wireless USB network devices.


These wireless USB devices have many issues with Win7 and later systems - using older drivers with them is almost certain to cause a BSOD.
Should you want to keep using these devices, be sure to have the latest W7/8/8.1/10 drivers - DO NOT use older drivers!!!
An installable wireless PCI/PCIe card that's plugged into your motherboard is much more robust, reliable, and powerful.



Do you have Daemon Tools (or Alcohol % software) installed?
The spbp.sys is most often a dynamic driver created by these programs (and it's present in the lone memory dump).
These programs are known to cause BSODs on some Windows systems.

Daemon Tools (and Alcohol % software) are known to cause BSODs on some Windows systems (mostly due to the sptd.sys driver, although I have seen both dtsoftbus01.sys and dtscsibus.sys blamed on several occasions).

Quote

Please un-install the program, then use the following free tool to ensure that the troublesome sptd.sys driver is removed from your system (pick the 32 or 64 bit system depending on your system's configuration):  New link (15 Aug 2012): 

http://www.duplexsecure.com/downloads (pick the appropriate version for your system and select "Un-install" when you run it).
Alternate link:  http://www.disc-tools.com/download/sptd
Manual procedure here:  http://daemonpro-help.com/en/problems_and_solutions/registry_and_sptd_problems.html

NOTE:  The uninstaller may not find the SPTD.sys driver.  Don't worry about it, just let us know in your post.

In the event that this does not stop the BSODs, please run Driver Verifier according to these instructions:  http://www.carrona.org/verifier.html
If using a disk cleaner (such as CCleaner), please stop while we're troubleshooting.


Analysis:

The following is for information purposes only.
The following information contains the relevant information from the blue screen analysis:

Quote

**************************Mon May  9 16:30:43.447 2016 (UTC - 4:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\050916-17737-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Built by: 7601.23392.amd64fre.win7sp1_ldr.160317-0600
System Uptime:0 days 2:11:33.337
Probably caused by : ntkrnlmp.exe ( nt!ExInterlockedInsertTailList+3a )
BugCheck 1E, {ffffffffc0000005, fffff800044ca5ca, 1, 0}
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff800044ca5ca, The address that the exception occurred at
Arg3: 0000000000000001, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception
BUGCHECK_STR:  0x1E_c0000005_R
PROCESS_NAME:  mbam.exe
FAILURE_BUCKET_ID:
X64_0x1E_c0000005_R_nt!ExInterlockedInsertTailList+3a
CPUID:        "Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz"
MaxSpeed:     2200
CurrentSpeed: 2195
  BIOS Version                  HEET48WW (1.29 )
  BIOS Release Date             03/13/2015
  Manufacturer                  LENOVO
  Product Name                  688528U

3rd Party Drivers:

The following is for information purposes only.
My recommendations were given above. The drivers that follow belong to software or devices that were not developed by Microsoft.
Any drivers in red should be updated/replaced/removed.
You can find links to the driver information and where to update the drivers in the section after the code box:

**************************Mon May  9 16:30:43.447 2016 (UTC - 4:00)**************************
	mdmxsdk.sys                        Mon Jun 19 17:27:26 2006 (449716BE)
	pnetmdm64.sys                      Wed Mar  7 13:13:19 2007 (45EF00BF)
	c2scsi64.sys                       Tue May 19 17:07:19 2009 (4A131F87)
	intelppm.sys                       Mon Jul 13 19:19:25 2009 (4A5BC0FD)
	spbp.sys                           Sun Oct 11 16:55:14 2009 (4AD24632)
	amdxata.sys                        Fri Mar 19 12:18:18 2010 (4BA3A3CA)
	MxEFUF64.sys                       Thu Oct 20 12:24:05 2011 (4EA04B25)
	tvtvcamd.sys                       Tue Nov 29 22:48:06 2011 (4ED5A776)
	psadd.sys                          Mon Dec 26 20:09:28 2011 (4EF91AC8)
	iwdbus.sys                         Sat Apr 14 17:16:13 2012 (4F89E91D)
	PxHlpa64.sys                       Tue Apr 24 13:26:29 2012 (4F96E245)
	iusb3hub.sys                       Mon May 21 03:21:36 2012 (4FB9ED00)
	iusb3xhc.sys                       Mon May 21 03:21:40 2012 (4FB9ED04)
	iusb3hcs.sys                       Mon May 21 03:23:42 2012 (4FB9ED7E)
	iaStor.sys                         Tue Jun 12 18:39:07 2012 (4FD7C50B)
	PDFsFilter.sys                     Thu Aug 23 17:57:13 2012 (5036A739)
	CHDRT64.sys                        Thu Sep 20 02:11:21 2012 (505AB389)
	HECIx64.sys                        Mon Dec 17 14:32:21 2012 (50CF7345)
	speedfan.sys                       Sat Dec 29 15:59:35 2012 (50DF59B7)
	CMUACWO.sys                        Tue Feb 19 04:34:50 2013 (5123473A)
	npf.sys                            Thu Feb 28 20:31:24 2013 (513004EC)
	Tppwr64v.sys                       Wed Apr 17 08:14:17 2013 (516E9219)
	iBtFltCoex.sys                     Thu Apr 18 10:17:24 2013 (51700074)
	Unknown_Module_fffff880`06a0a000   Tue Apr 30 04:47:50 2013 (517F8536)
	usb3Hub.sys                        Fri Jun 14 09:49:08 2013 (51BB1F54)
	VClone.sys                         Wed Jul 24 11:02:46 2013 (51EFEC96)
	AMPPAL.sys                         Mon Jul 29 06:55:01 2013 (51F64A05)
	pikbd.sys                          Sat Nov 30 07:29:27 2013 (5299DA27)
	btmhsf.sys                         Tue Dec 10 15:20:57 2013 (52A777A9)
	ElbyCDFL.sys                       Mon Feb 10 12:59:42 2014 (52F9138E)
	RtsP2Stor.sys                      Tue Feb 11 04:53:49 2014 (52F9F32D)
	rawdsk3.sys                        Tue Feb 11 16:10:17 2014 (52FA91B9)
	SynTP.sys                          Mon Apr  7 13:32:06 2014 (5342E116)
	Smb_driver_Intel.sys               Mon Apr  7 13:39:00 2014 (5342E2B4)
	mhk.SYS                            Thu Jun 19 07:12:58 2014 (53A2C5BA)
	moh.SYS                            Thu Jun 19 07:13:27 2014 (53A2C5D7)
	BC_3DES.SYS                        Fri Aug  1 05:20:36 2014 (53DB5BE4)
	BC_BF128.SYS                       Fri Aug  1 05:20:55 2014 (53DB5BF7)
	BC_BF448.SYS                       Fri Aug  1 05:21:10 2014 (53DB5C06)
	BC_BFish.SYS                       Fri Aug  1 05:21:19 2014 (53DB5C0F)
	BC_CAST.SYS                        Fri Aug  1 05:21:28 2014 (53DB5C18)
	BC_DES.SYS                         Fri Aug  1 05:21:37 2014 (53DB5C21)
	BC_Gost.SYS                        Fri Aug  1 05:21:54 2014 (53DB5C32)
	BC_IDEA.SYS                        Fri Aug  1 05:22:02 2014 (53DB5C3A)
	BC_RC6.SYS                         Fri Aug  1 05:22:10 2014 (53DB5C42)
	BC_SERP.SYS                        Fri Aug  1 05:22:30 2014 (53DB5C56)
	BC_TFISH.SYS                       Fri Aug  1 05:22:39 2014 (53DB5C5F)
	IntcDAud.sys                       Tue Sep  9 08:13:01 2014 (540EEECD)
	SCDEmu.SYS                         Wed Oct  8 09:09:34 2014 (5435378E)
	Rtlh64.sys                         Tue Nov 18 21:24:13 2014 (546BFF4D)
	ElbyCDIO.sys                       Wed Dec 17 18:30:51 2014 (5492122B)
	Netwsw01.sys                       Thu Dec 18 17:07:33 2014 (54935025)
	ApsHM64.sys                        Fri Mar 20 02:49:44 2015 (550BC308)
	Apsx64.sys                         Fri Mar 20 02:52:38 2015 (550BC3B6)
	WRkrn.sys                          Wed Jul 22 11:20:08 2015 (55AFB4A8)
	igdkmd64.sys                       Mon Aug 17 11:34:01 2015 (55D1FEE9)
	SamsungRapidDiskFltr.sys           Fri Sep  4 02:36:11 2015 (55E93BDB)
	SamsungRapidFSFltr.sys             Fri Sep  4 02:36:14 2015 (55E93BDE)
	MBAMSwissArmy.sys                  Wed Dec  9 23:34:27 2015 (566900D3)
	AnyDVD.sys                         Mon Dec 28 07:52:15 2015 (5681307F)
	fsh.sys                            Tue Feb  9 00:17:58 2016 (56B97686)
	bcbus.sys                          Tue Feb  9 04:46:21 2016 (56B9B56D)
	wdfsd.sys                          Mon Feb 22 23:50:28 2016 (56CBE514)
	bcfnt.sys                          Thu Feb 25 07:23:02 2016 (56CEF226)
	dump_bcfnt.sys                     Thu Feb 25 07:23:02 2016 (56CEF226)
	BC_RIJN.SYS                        Mon Feb 29 01:25:44 2016 (56D3E468)
	farflt.sys                         Fri Mar  4 11:29:19 2016 (56D9B7DF)
	btmaux.sys                         Tue Mar 29 04:53:19 2016 (56FA427F)
	ax88179_178a.sys                   Wed Apr  6 02:58:22 2016 (5704B38E)
	ibmpmdrv.sys                       Wed Apr 20 22:32:39 2016 (57183BC7)
	VBoxNetLwf.sys                     Thu Apr 28 09:04:58 2016 (57220A7A)
	VBoxUSBMon.sys                     Thu Apr 28 09:04:58 2016 (57220A7A)
	VBoxNetAdp6.sys                    Thu Apr 28 09:04:58 2016 (57220A7A)
	VBoxDrv.sys                        Thu Apr 28 09:05:52 2016 (57220AB0)

http://www.carrona.org/drivers/driver.php?id=mdmxsdk.sys
http://www.carrona.org/drivers/driver.php?id=pnetmdm64.sys
c2scsi64.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=intelppm.sys
http://www.carrona.org/drivers/driver.php?id=spbp.sys
http://www.carrona.org/drivers/driver.php?id=amdxata.sys
http://www.carrona.org/drivers/driver.php?id=MxEFUF64.sys
tvtvcamd.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=psadd.sys
http://www.carrona.org/drivers/driver.php?id=iwdbus.sys
http://www.carrona.org/drivers/driver.php?id=PxHlpa64.sys
http://www.carrona.org/drivers/driver.php?id=iusb3hub.sys
http://www.carrona.org/drivers/driver.php?id=iusb3xhc.sys
http://www.carrona.org/drivers/driver.php?id=iusb3hcs.sys
http://www.carrona.org/drivers/driver.php?id=iaStor.sys
http://www.carrona.org/drivers/driver.php?id=PDFsFilter.sys
http://www.carrona.org/drivers/driver.php?id=CHDRT64.sys
http://www.carrona.org/drivers/driver.php?id=HECIx64.sys
http://www.carrona.org/drivers/driver.php?id=speedfan.sys
CMUACWO.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=npf.sys
http://www.carrona.org/drivers/driver.php?id=Tppwr64v.sys
http://www.carrona.org/drivers/driver.php?id=iBtFltCoex.sys
Unknown_Module_fffff880`06a0a000 - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=usb3Hub.sys
http://www.carrona.org/drivers/driver.php?id=VClone.sys
http://www.carrona.org/drivers/driver.php?id=AMPPAL.sys
http://www.carrona.org/drivers/driver.php?id=pikbd.sys
http://www.carrona.org/drivers/driver.php?id=btmhsf.sys
http://www.carrona.org/drivers/driver.php?id=ElbyCDFL.sys
http://www.carrona.org/drivers/driver.php?id=RtsP2Stor.sys
http://www.carrona.org/drivers/driver.php?id=rawdsk3.sys
http://www.carrona.org/drivers/driver.php?id=SynTP.sys
http://www.carrona.org/drivers/driver.php?id=Smb_driver_Intel.sys
http://www.carrona.org/drivers/driver.php?id=mhk.SYS
http://www.carrona.org/drivers/driver.php?id=moh.SYS
http://www.carrona.org/drivers/driver.php?id=BC_3DES.SYS
BC_BF128.SYS - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=BC_BF448.SYS
http://www.carrona.org/drivers/driver.php?id=BC_BFish.SYS
http://www.carrona.org/drivers/driver.php?id=BC_CAST.SYS
http://www.carrona.org/drivers/driver.php?id=BC_DES.SYS
http://www.carrona.org/drivers/driver.php?id=BC_Gost.SYS
BC_IDEA.SYS - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=BC_RC6.SYS
http://www.carrona.org/drivers/driver.php?id=BC_SERP.SYS
http://www.carrona.org/drivers/driver.php?id=BC_TFISH.SYS
http://www.carrona.org/drivers/driver.php?id=IntcDAud.sys
http://www.carrona.org/drivers/driver.php?id=SCDEmu.SYS
http://www.carrona.org/drivers/driver.php?id=Rtlh64.sys
http://www.carrona.org/drivers/driver.php?id=ElbyCDIO.sys
http://www.carrona.org/drivers/driver.php?id=Netwsw01.sys
http://www.carrona.org/drivers/driver.php?id=ApsHM64.sys
http://www.carrona.org/drivers/driver.php?id=Apsx64.sys
http://www.carrona.org/drivers/driver.php?id=WRkrn.sys
http://www.carrona.org/drivers/driver.php?id=igdkmd64.sys
http://www.carrona.org/drivers/driver.php?id=SamsungRapidDiskFltr.sys
http://www.carrona.org/drivers/driver.php?id=SamsungRapidFSFltr.sys
http://www.carrona.org/drivers/driver.php?id=MBAMSwissArmy.sys
http://www.carrona.org/drivers/driver.php?id=AnyDVD.sys
http://www.carrona.org/drivers/driver.php?id=fsh.sys
bcbus.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=wdfsd.sys
bcfnt.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
dump_bcfnt.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=BC_RIJN.SYS
farflt.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=btmaux.sys
ax88179_178a.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=ibmpmdrv.sys
http://www.carrona.org/drivers/driver.php?id=VBoxNetLwf.sys
http://www.carrona.org/drivers/driver.php?id=VBoxUSBMon.sys
http://www.carrona.org/drivers/driver.php?id=VBoxNetAdp6.sys
http://www.carrona.org/drivers/driver.php?id=VBoxDrv.sys

Edited by usasma
Double spacing removed

Roxio DVD-ROM was uninstalled from this system long ago. However, Roxio is notorious for their uninstaller leaving their virtual drive behind. Subsequent installs of Roxio performed in an attempt at removing their virtual DVD drive never worked. So it's stuck on the system. There is also a copy of Virtual Clone Drive, which does get used. If you know of a way to get rid of ghost copies of Roxio's virtual DVD drive, I'd appreciate it. Modern versions of Roxio don't even recognize it.

The system has all Windows updates, according to Microsoft. 

The Alfa driver is because occasionally I need a high power USB wireless adapter. That adapter isn't plugged into the system.

Neither Daemon Tools nor Alcohol software are on this system. A full scan of the computer does not find a file named "spbp.sys" anywhere. Can you tell from the dump file where it is located?


Will the Roxio device uninstall if you right click on it in Device Manager and select "uninstall"?

I would uninstall the Alfa driver (while we're troubleshooting) just in case it's causing a problem.
If needed, you can install it fairly quickly (and then uninstall it again until we're done).
If you don't wish to do that, then please enable it and ensure that it's updated - then disable it again.

The spbp.sys driver was located in C:\Windows\System32\drivers
But, as is usual with this driver (if it is from this program), there's not any info available on it.

SPTD.sys is a different driver than spbp.sys. 
- SPTD.sys is a driver used in Daemon Tools and it's always visible if searching for it on your hard drive - or if it's present in a memory dump. 
To further confuse matters, they stopped using this driver several years ago - so the newer problems present with different drivers.
- Drivers that start with sp and contain 4 letters are most often associated with a dynamic driver that Daemon Tools uses - then it goes away when the program closes.  Sometimes they appear in the memory dumps, but there's no other evidence of them.  They may not be associated with Daemon Tools - but we have no other evidence of them being associated with any other product (take a look at them in my Driver Reference Table here:  http://www.carrona.org/dvrref.php  The entries start at sp--.sys )

Right now I'm focusing on the oldest drivers (those dating from 2006/7/9)
The intelppm.sys driver is excluded, as this is the most recent version available for W7 systems.
The selection criterion is simply that they're older than the rest.
Please try to update them or uninstall the programs that they are associated with - you can find more info on the drivers by using the links below.

If using a disk cleaning utility (such as CCleaner), please stop while we're troubleshooting.
A lone memory dump isn't usually very helpful in complicated cases like this.

Please run Driver Verifier according to these instructions:  http://www.carrona.org/verifier.html
Then cause the system to crash (as you described above).  Make it crash at least 3 times.
Then please zip up the contents of the C:\Windows\Minidump folder and upload it with your next post.
If unable to zip it up there, please copy it to your Desktop and zip it up there.

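The triage the moderator describes (decode each third-party driver's build stamp, work through the oldest ones first, keep an eye on sp??.sys-style names and unknown modules) as an added Python example; this is not code from the thread, from Malwarebytes or from Jetico. It assumes the listing format shown in the earlier post, where the hex value in parentheses is the PE header TimeDateStamp in Unix epoch seconds (UTC) and the printed date is that stamp in the analyst's local zone. The sample listing is a handful of lines copied from the posted list, the 2010 cutoff is a constructed choice, and the exclusion of intelppm.sys follows the moderator's own remark.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the header line and a few driver lines from the listing posted
# above. The hex in parentheses is the PE TimeDateStamp (seconds since the Unix epoch).
SAMPLE_LISTING = """\
**************************Mon May  9 16:30:43.447 2016 (UTC - 4:00)**************************
\tmdmxsdk.sys                        Mon Jun 19 17:27:26 2006 (449716BE)
\tpnetmdm64.sys                      Wed Mar  7 13:13:19 2007 (45EF00BF)
\tintelppm.sys                       Mon Jul 13 19:19:25 2009 (4A5BC0FD)
\tspbp.sys                           Sun Oct 11 16:55:14 2009 (4AD24632)
\tUnknown_Module_fffff880`06a0a000   Tue Apr 30 04:47:50 2013 (517F8536)
\tMBAMSwissArmy.sys                  Wed Dec  9 23:34:27 2015 (566900D3)
"""

HEADER_RE = re.compile(
    r"\*+(?P<local>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(?P<year>\d{4}) \(UTC (?P<sign>[+-]) (?P<oh>\d{1,2}):(?P<om>\d{2})\)\*+$"
)
DRIVER_RE = re.compile(r"^\s*(?P<name>\S+)\s+.*\((?P<stamp>[0-9A-Fa-f]{8})\)\s*$")
# "sp" + two characters + ".sys": the naming pattern the moderator associates with
# dynamically created SPTD-style drivers (spbp.sys in this thread).
SPTD_STYLE_RE = re.compile(r"^sp[0-9a-z]{2}\.sys$", re.IGNORECASE)
# Drivers the moderator explicitly excludes from the "too old" rule.
KNOWN_CURRENT = {"intelppm.sys"}


def parse_header(line):
    """Return the dump time as an aware UTC datetime, or None if the line is not a header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    local = datetime.strptime(f"{m['local']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    offset = timedelta(hours=int(m["oh"]), minutes=int(m["om"]))
    if m["sign"] == "-":
        offset = -offset
    return (local - offset).replace(tzinfo=timezone.utc)  # local = UTC + offset


def parse_driver(line):
    """Return (name, build time in UTC) for a driver line, or None for anything else."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    return m["name"], datetime.fromtimestamp(int(m["stamp"], 16), tz=timezone.utc)


def triage(listing, cutoff=datetime(2010, 1, 1, tzinfo=timezone.utc)):
    """Parse a listing; return (dump_time, rows) with rows sorted oldest build first."""
    dump_time, rows = None, []
    for line in listing.splitlines():
        hdr = parse_header(line)
        if hdr is not None:
            dump_time = hdr
            continue
        drv = parse_driver(line)
        if drv is None:
            continue
        name, built = drv
        flags = []
        if built < cutoff and name.lower() not in KNOWN_CURRENT:
            flags.append("old")
        if name.startswith("Unknown_Module_"):
            flags.append("unknown-module")
        if SPTD_STYLE_RE.match(name):
            flags.append("sptd-style-name")
        age = None if dump_time is None else round((dump_time - built).days / 365.25, 1)
        rows.append({"name": name, "built": built, "age_years": age, "flags": flags})
    rows.sort(key=lambda r: r["built"])
    return dump_time, rows


def lookup(rows, name):
    """Return the row for a driver name, or None."""
    return next((r for r in rows if r["name"] == name), None)


def flagged(rows):
    """Names of drivers carrying at least one flag, oldest first."""
    return [r["name"] for r in rows if r["flags"]]


if __name__ == "__main__":
    when, table = triage(SAMPLE_LISTING)
    print(f"dump taken {when:%Y-%m-%d %H:%M:%S} UTC")
    for r in table:
        print(f"{r['name']:<36} {r['built']:%Y-%m-%d} {r['age_years']:>5} y  {' '.join(r['flags'])}")
```

Decoding the hex stamp rather than the printed date avoids the local-time and DST ambiguity in the listing, and the UTC build time is what should be compared against vendor download pages when deciding whether a driver really is the latest.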

Telling the Device Manager to uninstall the Roxio virtual DVD drive does not work. It does not present the option to delete all of the files, so while it uninstalls it, the next time the system is booted, it comes back.

OK, I found SPTD.sys. Nothing shows up in Process Explorer as using it, and the system allowed me to rename it to SPTD.sys.bak. After a reboot, everything seems normal.

I don't use CCleaner; however, the system has Iolo's System Mechanic on it.

Not sure when I'll have time to run the Driver Verifier since the instructions indicate one has to run it for up to 36 hours. Since only MBAM Free crashes the machine and only when a Bestcrypt volume is mounted, it's not a high enough priority for me to tie up my machine for a day or two (I use it for my work). Maybe on the weekend.


Have you tried a tool like Revo Uninstaller or Total Uninstall to track the installation, then use its information to manually yank this thing out by the roots?

There's an SPTD.sys removal tool listed in the links in the canned speech I gave earlier
Here it is again:  http://www.duplexsecure.com/downloads
I don't know if renaming it will stop it, but it's worth a shot.

CCleaner was just an example.  Anything that cleans out reports/memory dumps shouldn't be used while we're troubleshooting.

The 36 hour thing is a guesstimate on my part.  As you can force a crash with MBAM Free and a mounted Bestcrypt volume - you can just crash the system 3 times, turn Driver Verifier off, then gather up the memory dumps, zip them up and upload them.

