SDK Scanning error: 20025

[simrick]

I am having the same problem since 2 days now. SDK Scanning error: 20025. Says it can't load the anti-rootkit upon boot, and would I like to run the scan without it. This is a brand new purchase of MBAM on this system 2 days ago. I've always had the free version until now. I uninstalled MBAM using the mbam-clean.exe tool, then reinstalled MBAM - no difference. On every reboot, when I go into the administrator account, it happens. I have 3 other non-admin accounts on the machine, if that  makes any difference.

W10Home v1511 (10586.494) i7, 8GB RAM, integrated graphics, Avast, CryptoPrevent. Everything is up-to-date, including the Avast update which just came out today.

[daledoc1]

Hi, @simrick

That error is usually resolved on an unifected system by a clean reinstall of MBAM.

If you already followed the instructions HERE for a clean reinstall from an Admin account, then we will need a bit more information in order to better assist you.

Please follow the advice here and then please ATTACH all 3 logs to your next post: Diagnostic Logs.  The 3 logs will be FRST. txt, Addition.txt and Checkresults.txt.

Thanks,

P.S. As each computer is unique, it would probably be less confusing if we can assist you in your own, separate thread. As such, the forum mod team might split off your post and the subsequent replies to a new topic. No worries, though.

Edited July 31, 2016 by daledoc1

[simrick]

1 hour ago, daledoc1 said:

Hi, @simrick

That error is usually resolved on an unifected system by a clean reinstall of MBAM.

If you already followed the instructions HERE for a clean reinstall from an Admin account, then we will need a bit more information in order to better assist you.

Please follow the advice here and then please ATTACH all 3 logs to your next post: Diagnostic Logs.  The 3 logs will be FRST. txt, Addition.txt and Checkresults.txt.

Thanks,

P.S. As each computer is unique, it would probably be less confusing if we can assist you in your own, separate thread. As such, the forum mod team might split off your post and the subsequent replies to a new topic. No worries, though.

Hi and thanks for your response.

No problem if I get split off to a separate thread, just let me know where to find it.

I am attaching the logs as requested. Please note that the Group Policy entries are a result of CryptoPrevent (also the Hosts entries). Oh, and it's a W10Pro OS (not Home).

Thanks for your help.

Addition.txt

CheckResults.txt

FRST.txt

[simrick]

I might add, I just rebooted again, and the error did not appear, so not sure if it has resolved itself or what. I purchased 3 subscriptions; I've got MBAM on a second HP system without issue.

[daledoc1]

Hi:

Thanks for the logs and the status update.

I do not see anything obvious to account for the behavior you reported.  It may have been a hiccup, but I have asked the forum staff to review your logs, in case I have missed something.

One proactive step you might consider would be to set mutual exclusions between MBAM and Avast.
The attached screen shot shows how to add the AV folder to MBAM exclusions (it's for Kaspersky, but the principle is the same; ignore the Carbonite entry).
And the MBAM files to exclude in Avast are listed below.

Thanks again,

---------------------------

Please exclude the following files from your Antivirus Software for your version of Windows:

For 32-bit versions of Windows XP, Windows Vista, Windows 7 & Windows 8 & Windows 10:

• C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
• C:\Program Files\Malwarebytes Anti-Malware\mbamdor.exe
• C:\Program Files\Malwarebytes Anti-Malware\mbampt.exe
• C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
• C:\Program Files\Malwarebytes Anti-Malware\mbamresearch.exe
• C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe

For 64-bit versions of Windows Vista, Windows 7 & Windows 8 & Windows 10:

• C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
• C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamdor.exe
• C:\Program Files (x86)\Malwarebytes Anti-Malware\mbampt.exe
• C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamresearch.exe
• C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
• C:\Program Files (x86)\Malwarebytes Anti-Malware \mbamscheduler.exe

Note: If you are using a software firewall besides the built in Windows Firewall, you'll need to exclude MBAM.EXE, MBAMSERVICE.EXE and MBAMRESEARCH.EXE from it, as well.
 
Note: Once that's done, please make sure that if either of those programs has any sort of web filter, that you add the following as a trusted site:

data-cdn.mbamupdates.com

 

Edited July 31, 2016 by daledoc1
Forgot the screen shot

[simrick]

Hi. Thanks for the suggestions. I've gone ahead and set the mutual exclusions, even though the problem seems to have resolved itself. I did notice, after setting them, the Avast taskbar icon appeared and began animating much faster that before the exclusions were in place.

So, thanks very much for your help, and please let me know if anyone from forum staff see anything in my logs. For now I'll consider this resolved.

Cheers!

[daledoc1]

Hi:

Yes, I have asked our forum staff to review your logs -- please be patient, as it is the weekend.

Until then, I'm glad you were able to resolve your issue.

Thanks for taking the time to let us know.

Cheers,

[AdvancedSetup]

Are you running any type of Drive or File encryption on this system?

You have some issues on the system, but they don't appear to be related to this issue, but should be corrected.

Error: (07/30/2016 11:27:02 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the APC Data Service service to connect.

Error: (07/30/2016 11:26:28 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The NetTcpActivator service depends on the NetTcpPortSharing service which failed to start because of the following error:
%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Let's try a full disk check and some clean up and see if that corrects it.

Open an Elevated Admin command prompt and type in the following.

CHKDSK   C:   /R

Then press the Y key if asked to run the disk check on reboot, then restart the computer and let it run.

Then after that please run the following.

 

Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  Vista/Windows 7/8 users right-click and selectRun As Administrator
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• When it's done you'll see: Pending: Please uncheck elements you don't want removed.
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• Look over the log especially under Files/Folders for any program you want to save.
• If there's a program you may want to save, just uncheck it from AdwCleaner.
• If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
• If you're ready to clean it all up.....click the Clean button.
• After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
• To restore an item that has been deleted:
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
  

 

 

 

[simrick]

Hi.

No encryption of any kind on this system.

Not sure what I can do about the APC Software - it's working (I just checked it).

Net Tcp port sharing is disabled in services. I believe this is the standard setting(?)

I ran a chkdsk scan from within the OS and it said no further action necessary. I will run the boot chkdsk after replying to the rest of your items.

I had run ADWCleaner on 7-28. I've run it again today and attached both the logs for you.

Sorry it's taken me so long to reply, but I did not get an email when you posted, and I only checked in here today, because the issue popped up again.

Thanks.

 

AdwCleaner[S3].txt

AdwCleaner[S4].txt

[simrick]

Here is the chkdsk info

 

Chkdsk was executed in scan mode on a volume snapshot.  

Checking file system on C:
Volume label is Win7.

Stage 1: Examining basic file system structure ...
                                                                                       
  400640 file records processed.                                                         File verification completed.
                                                                                       
  6921 large file records processed.                                                                                                                           
  0 bad file records processed.                                      
Stage 2: Examining file name linkage ...
                                                                                       
  480488 index entries processed.                                                        Index verification completed.
                                                                                                                                                                                
Stage 3: Examining security descriptors ...
Security descriptor verification completed.
                                                                                       
  39925 data files processed.                                            CHKDSK is verifying Usn Journal...
                                                                                       
  34062512 USN bytes processed.                                                            Usn Journal verification completed.

Windows has scanned the file system and found no problems.
No further action is required.

 390704127 KB total disk space.
 161535576 KB in 177838 files.
    126640 KB in 39926 indexes.
    517487 KB in use by the system.
     65536 KB occupied by the log file.
 228524424 KB available on disk.

      4096 bytes in each allocation unit.
  97676031 total allocation units on disk.
  57131106 allocation units available on disk.

----------------------------------------------------------------------

Stage 1: Examining basic file system structure ...

Stage 2: Examining file name linkage ...

Stage 3: Examining security descriptors ...

Windows has scanned the file system and found no problems.
No further action is required.

 

[simrick]

Just an FYI: after the system rebooted from ADWCleaner, I received this message, so I uninstalled MBAE, downloaded a fresh copy and reinstalled it.

[AdvancedSetup]

Since you say this just started and you also just installed an update for your antivirus, can you temporarily uninstall your antivirus, then reboot, then retest MBAM and let us know if the issue is still there or not. Then re-install your antivirus.

 

[simrick]

Hi.

Here are the results of the chkdsk at boot. I will now uninstall Avast. Just so you know: I have had this problem ever since activating MBAM Pro and enabling the Rootkit feature.

 

 

Checking file system on C:
The type of the file system is NTFS.
Volume label is Win7.

A disk check has been scheduled.
Windows will now check the disk.                         

Stage 1: Examining basic file system structure ...
  400640 file records processed.                                                         File verification completed.
  6921 large file records processed.                                      0 bad file records processed.                                      
Stage 2: Examining file name linkage ...
  480248 index entries processed.                                                        Index verification completed.
  0 unindexed files scanned.                                           0 unindexed files recovered to lost and found.                     
Stage 3: Examining security descriptors ...
Cleaning up 3168 unused index entries from index $SII of file 0x9.
Cleaning up 3168 unused index entries from index $SDH of file 0x9.
Cleaning up 3168 unused security descriptors.
Security descriptor verification completed.
  39805 data files processed.                                            CHKDSK is verifying Usn Journal...
  37513440 USN bytes processed.                                                            Usn Journal verification completed.

Stage 4: Looking for bad clusters in user file data ...
  400624 files processed.                                                                File data verification completed.

Stage 5: Looking for bad, free clusters ...
  57262758 free clusters processed.                                                        Free space verification is complete.

Windows has scanned the file system and found no problems.
No further action is required.

 390704127 KB total disk space.
 161005848 KB in 177390 files.
    126368 KB in 39806 indexes.
         0 KB in bad sectors.
    520875 KB in use by the system.
     65536 KB occupied by the log file.
 229051036 KB available on disk.

      4096 bytes in each allocation unit.
  97676031 total allocation units on disk.
  57262759 allocation units available on disk.

Internal Info:
00 1d 06 00 85 4f 03 00 eb 32 06 00 00 00 00 00  .....O...2......
16 08 00 00 fb 08 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.

 

[AdvancedSetup]

It's not a common issue so I'm trying to help determine what is causing it on your system.

Thanks

 

[simrick]

Yes, I appreciate that. Also, it seems to be intermittent, so difficult to put my finger on. Avast is now uninstalled; I have rebooted, and I have not had the error pop up. I've put MBAM Pro on 2 systems, both W10 upgraded from W7 (one Home, one Pro). Aside from Avast, I have CryptoPrevent and SuperAntiSpyware Free on both systems. This system is an ASUS, while the other is an HP. The HP system does not display this error, and the MBAM settings are the same. Very strange indeed! Both are W10 v1511; I have not put the Anniversary Update on them yet.

[AdvancedSetup]

Please try a couple of reboots, try a scan with MBAM and the rootkit scanner.

Then reboot and let me know if you see that error again while antivirus is uninstalled.

 

[simrick]

I've rebooted a few times, run an MBAM scan with Rootkit box checked, rebooted again; now I'm running a Defender scan. The error has not popped up, but it didn't pop up with Avast installed either today. But again, it's so intermittent it's difficult to tell if the problem is resolved.

[simrick]

Back again. Something was found by Defender that Avast didn't flag, even though I have it set to run daily quick scans and weekly full scans. It appears to be a trojan downloader.

https://www.virustotal.com/en/file/93e7947d185780656aee136a4e2e1365bd438a482794ed8c67c4116fd3a69a5a/analysis/1470630475/

This must have been the cause. It was in a limited user account, sitting on the desktop, still zipped up.

Thank you for your help. I am shocked that Defender has outdone Avast (smile). I think we will be okay now. I'll be back if the error pops up again.

[AdvancedSetup]

Okay, let us know. Take care for now then.

 

[AdvancedSetup]

Another potential issue seems to be an update to the CryptoPrevent tool you might want to look into further.

 

[simrick]

18 minutes ago, AdvancedSetup said:

Another potential issue seems to be an update to the CryptoPrevent tool you might want to look into further.

 

Interesting, although my situation is a bit different. These 2 computers have both had MBAM free on them since W7 days, upgraded through to W10, and are still on the November update, v1511. I only activated a subscription to MBAM recently and began to have problems after activation, with the Rootkit feature. So, if the Anniversary Update (v1607) is where the problem is showing up, it doesn't apply to these 2 systems, as they are both still on v1511. I have not rebooted since my last post, and am running an ESET Online Scan at the moment, so I will reboot a few times after it completes, and see if the problem is still there (although it's intermittent, so who knows when it may show up). But, if both computers are setup the same, why do I see this issue only on one system? It doesn't make sense to me, except perhaps for that zipped file I found on one user desktop.

Thank you for thinking of me and passing along the link to that thread.

[simrick]

Hi. Just an update. ESET scan came up clean. I rebooted a few times, reinstalled Avast, rebooted again, switched to a couple accounts; the error has not returned. I have not put back the exceptions for MBAM into Avast yet either. Will be back if it appears. Thanks.

[AdvancedSetup]

Well we'll chock it up to gremlins for now. Glad it seems to be working for you now.

Take care

Ron

 

[simrick]

Hi.

The error appeared again today. I'm undoing the CryptoPrevent policies for now and will see if that makes a difference.

[AdvancedSetup]

Okay, keep us updated.