Problems with Malwarebytes 3.06.1469 BETA component package version: 1.0.69 - Web Protection and Enable Self Protection Module Early Start


I've raised other issues in other posts but a different set of problems emerged this morning.

After booting, I had the warning that Web Protection was disabled. Couldn't start it and had to close and restart MB to get that reinstated. Then I noticed when reviewing the settings under the Protection Tab, Enable Self Protection Module Early Start is OFF and will not allow me to set it ON.

Requested logs are attached:-

Windows 7 SP1 x64
Malwarebytes 3.0.6.1469 CU3 Premium
Avast Free 17.1.2286
CryptoPrevent 8.0 Premium
Tweaking.com Registry Backup 3.5.3
Casper 10 Backup

logs.zip

FRST.txt

Addition.txt

MB-CheckResult.txt


9 hours ago, Jekko said:

Hello TempLost,

Do you see Web Protection turn off regularly?  Are you able to turn self-protection on/off from the protection tab (Not only early start)?

 

9 hours ago, Jekko said:

Also question from our developers: Does the file C:\Windows\System32\drivers\mbamchameleon.sys exist?

Hi Jekko,

I'm in France - so I think we're on pretty different time zones, hence my late reply.

MB 3.0 has been running pretty well of late and Web Protection has not been turning off recently until this reported incident. When I booted up this morning, the system tray icon reported all well, but then I got the Web Protection warning again within minutes. I had to close down MB from the System Tray icon and restart it and now all protection is reported as back on.

I just tried to turn Web Protection OFF and then ON again from the Protection Tab and that worked OK, but I was not able to turn off Self Protection Module Early Start in the same way (not that I want to - just a test).

The file C:\Windows\System32\drivers\mbamchameleon.sys does not exist.

On another point, AVAST reported the MB forum page as a threat this morning!

If I can provide any other information to help solve these problems, please let me know.

RTPL Off.JPG

Avast Threat.JPG

Edited by TempLost

1 hour ago, Jekko said:

@TempLost,

Thank you for the reply.  Please try turning off self-protection, then turn it on again.  This should replace mbamchameleon.sys.  Then attempt to turn on self-protection early start.  If that does not turn on still, that means something is blocking mbam from replacing mbamchameleon.sys.

When I just booted up, Enable Self Protection was ON, Early Start was OFF. Neither setting could be changed. I closed MB and then restarted it - both settings were then ON but still could not be changed. mbamchameleon.sys is still missing. I'm going to uninstall MB again and try to reinstall with CryptoPrevent protection disabled and Avast shields also turned off and see if that makes any difference.


19 hours ago, Jekko said:

Also question from our developers: Does the file C:\Windows\System32\drivers\mbamchameleon.sys exist?

I don't have this file present on my system with version 3. I think that it's only available for version 2x but I could be wrong... I do not have any issues with v3 on my VM at the moment.


29 minutes ago, Jekko said:

Ok.  Thanks for the reply.  Please keep us updated :)

Reinstalled as in my last post but no change - cannot disable self protection module - no sign of mbamchameleon.sys. I'll stick with MB for now and hope you can fix it.

 

chameleon.JPG

Edited by TempLost
Addition

  • Staff

Could you try the following?

  1. Open cmd.exe with admin credentials and run the command: net stop mbamservice
  2. Delete the file C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json
  3. Open MBAM.

Adversely, if you do not know how to do those steps, I am also attaching a file "SP_Replace.bat" which will do those steps listed.  You will need to run SP_Replace.bat as administrator for it to work correctly.

After doing those steps, and MBAM is running again, please check if MBAMChameleon.sys has been replaced.

SP_Replace.zip


36 minutes ago, Jekko said:

Could you try the following?

  1. Open cmd.exe with admin credentials and run the command: net stop mbamservice
  2. Delete the file C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json
  3. Open MBAM.

Adversely, if you do not know how to do those steps, I am also attaching a file "SP_Replace.bat" which will do those steps listed.  You will need to run SP_Replace.bat as administrator for it to work correctly.

After doing those steps, and MBAM is running again, please check if MBAMChameleon.sys has been replaced.

SP_Replace.zip

No difference, I'm afraid - and no sign of MBAMChameleon.sys. I ran the .bat file as Administrator.


1 hour ago, Jekko said:

Yes, that is the correct path.

C:\Windows\System32\drivers

Interesting, using UltraFileSearch I did a search for the file MBAMChameleon.sys on the entire C: drive and the file is not found, but going directly to the folder I do see the file.

So I do have that file present then, sorry for the confusion... 
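
A read-only check for the question asked repeatedly in this thread (does mbamchameleon.sys exist, and is the service running?), added here as an example; it is not taken from the thread, from SP_Replace.bat, or from Malwarebytes. It assumes, as one possible explanation for a search tool missing a file that Explorer shows, that a 32-bit process on 64-bit Windows has `System32` redirected to `SysWOW64`; the thread does not confirm that this is what happened.

```powershell
# Added diagnostic sketch, not Malwarebytes code. It only reads state and changes nothing.
# The driver name, service name and config path are the ones quoted in the thread.
$driverName  = 'mbamchameleon.sys'
$serviceName = 'mbamservice'
$spConfig    = 'C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json'

# PowerShell 2.0 (the Windows 7 default) has no [Environment]::Is64BitProcess,
# so infer the bitness from the pointer size instead.
$is64BitProcess = ([IntPtr]::Size -eq 8)
# PROCESSOR_ARCHITEW6432 is only set inside a 32-bit process on 64-bit Windows.
$isWow64 = [bool]$env:PROCESSOR_ARCHITEW6432

$candidates = @{}
# Under WOW64 this path is silently redirected to SysWOW64\drivers.
$candidates['System32 (as this process sees it)'] = Join-Path $env:windir "System32\drivers\$driverName"
if ($isWow64) {
    # Sysnative is the alias a 32-bit process uses to reach the real 64-bit System32.
    $candidates['Sysnative (real 64-bit System32)'] = Join-Path $env:windir "Sysnative\drivers\$driverName"
}

"Process: {0}-bit, WOW64 redirection active: {1}" -f $(if ($is64BitProcess) { 64 } else { 32 }), $isWow64

foreach ($label in $candidates.Keys) {
    $path = $candidates[$label]
    if (Test-Path -LiteralPath $path) {
        # -Force so a hidden or system file is still reported.
        $f = Get-Item -LiteralPath $path -Force
        "{0}: FOUND {1} ({2} bytes, modified {3})" -f $label, $path, $f.Length, $f.LastWriteTime
    } else {
        "{0}: missing {1}" -f $label, $path
    }
}

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    "Service {0}: {1}" -f $serviceName, $svc.Status
} else {
    "Service {0} is not installed" -f $serviceName
}
"SpConfigFile.json present: {0}" -f (Test-Path -LiteralPath $spConfig)
```

Running it from both a 64-bit and a 32-bit PowerShell prompt shows whether the two views of `System32\drivers` disagree.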


7 hours ago, Jekko said:

@TempLost

Do you still see self-protection enabled in the UI?

Can you rename the shortcut for MBAM on desktop?  This would prove to us if chameleon is protecting MBAM's files correctly.

I've just booted up the computer and MB doesn't report any errors. On the protection tab, Enable Self Protection and Enable Self Protection Early Start are both shown as enabled BUT it's not possible to turn them off, although other settings can be modified. Chameleon is nowhere to be seen. 

When I try to rename MB desktop shortcut, I get a warning that Administrator Permission is required. When I give that permission, the new name is applied.

If I tried to do another clean reinstall, (1) how should I ensure all traces of Malwarebytes have been eradicated bearing in mind that I had MBAM 2 Premium installed and AntiExploit Free as well as all the versions of MB 3.0 and (2) would it be advantageous to install in Safe Mode?

I have to go out later for most of the day, so might be slow in responding to any replies. 


Rebooted and restarted MB 3.0. Both Self Protection options now ON but cannot change them. All RTP still reported as working correctly.

Restarted MB 3.0 and Self Protection is still ON although Early Start Protection now OFF - cannot change. 

Edited by TempLost
Additional Info

  • Staff

Thanks for the logs @TempLost.  Your cooperation has been great!  For some reason it looks like mbamchameleon.sys is being blocked when it should be created.  Could you try the following?

  1. Download ProcessMonitor.
  2. Run ProcessMonitor.
  3. Run SP_Replace.bat as Administrator.
  4. Wait for MBAM's UI to open.
  5. Turn on/off self-protection in MBAM's Protection Settings.

36 minutes ago, Jekko said:

Thanks for the logs @TempLost.  Your cooperation has been great!  For some reason it looks like mbamchameleon.sys is being blocked when it should be created.  Could you try the following?

  1. Download ProcessMonitor.
  2. Run ProcessMonitor.
  3. Run SP_Replace.bat as Administrator.
  4. Wait for MBAM's UI to open.
  5. Turn on/off self-protection in MBAM's Protection Settings.

Thanks, Jekko. Even though things aren't completely right with MB 3.0 yet, I'm sure you'll get there in the end - it's in our interest as customers to be as helpful as we can in providing what feedback we can to help you solve the issues.

I'm not quite sure what I'm supposed to be doing with Process Monitor when I run it. Can it generate a report and, if so, how do I do that and do I then ZIP it and put in a post after I go through the steps you have set out?

Also, it may not be possible to turn OFF / ON Process Monitor as it's generally unresponsive - but I'll try!

Edited by TempLost
additional inf
