Windows 10 New Install and Malwarebytes 3.0.6 Conflict

I added a post to a previous thread about this, but at the suggestion of the Admin here, I am starting my own thread. 

My system is a i7-4790K with a Gigabyte Z97x-UD3H (rev. 1.2) motherboard
Graphics is a Nvidia GeForce GTX 750 Ti
16 MB (8x2) DDR3 1600 MT/s RAM

I had numerous problems with the previous install of Win 10 after installing Mbam 3, so I downloaded the ISO and reinstalled Windows 10 clean after deleting all existing partitions and formatting my HD. The only thing copied back onto the system are my personal data files, not the entire 'User' directory. 

I installed only Windows 10 and its automatic updates, Office 365, and Malwarebytes. There is no other software on my system. 

Event Viewer showed problem after problem. I blamed the Nvidia drivers. I blamed the Office install. I searched for solutions online. It took until my 3rd Windows Reset to think it might be Mbam, because I'd already used it for years (and have a lifetime license) with no issues.

The problems are mainly bluescreens in the middle of doing something, without a detectable pattern, on my computer. This could be simply reading a forum, opening a file, etc. The most frequent Event Viewer System errors are (many instances of each below):
Error 10016 - The application-specific permission settings do not grant Local Activation permission for the COM server application with CLSID 

Critical - The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed or lost power unexpectedly. 

Warning: File System Filter 'wcifs' failed to attach to volume '\device\harddiskvolumeshadowcopy3'. Non-standard final status of 0xc00000d. This filter and/or its supporting applications should handle this condition. 

Error 10010 Distributed COM - The server Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassID.WebAccountProvider did not register with DCOM within the required timeout.

Error 1001 - The computer has rebooted from a bugcheck. Saved in Memory Dump. 

Error - The previous system shutdown at 5:15 (etc) was unexpected. 

1000 Application Error - Faulting application name: svchost.exe_stisvc ver etc

I ran sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth repeatedly.

The SFC logs are full of ownership and 'primitive installer' errors... pages worth with every scan, but otherwise no problems.

The DISM completes, but doesn't seem to repair anything.

The most recent system Reset was yesterday 2/27/17, I kept my files (no software anyway).  

The 3 recurring blue screen messages (could not keep the newly reset computer on for more than an hour before it would bluescreen to one of the below):

Driver Page Fault in Freed Special Pool (failed tcpip.sys)
Kernel Security Check Failure 
IRQL Not Less or Equal 

I have since excluded both Defender folders in Malwarebytes (in Programs).

I have excluded this list of Malwarebytes files from Defender:

C:\Program Files\Malwarebytes\Anti-malware\mbamservice.exe

C:\Windows\System32\Drivers\mbam.sys

C:\Windows\System32\Drivers\mwac.sys

C:\Windows\System32\Drivers\mbamchameleon.sys

C:\Windows\System32\Drivers\mbamswissarmy.sys

C:\Windows\System32\Drivers\mbae64.sys

C:\Windows\System32\Drivers\farflt.sys

Below were suggestions from a different forum:

 C:\Program Files\Malwarebytes\Anti-Malware\MbamPt.exe

 C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe

 C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe

 C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe

 C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

 

I just bluescreened again after the above exclusions (driver page fault in freed special pool - failed tcpip.sys). I then disabled the mbam Web Protection and Exploit Protection modules. So far so good, no more bluescreening, but the system hasn't been running very long since. 

 

The most recent bluescreen happened right after I turned on my printer and let Windows find the driver for it. For all the issues prior to that, no printer was installed, and there were no other devices or software except Windows 10, Office 365, and Malwarebytes 3.0.6. 

 

I would like to try your beta, already downloaded it. I am going to assume the best way to install is to uninstall mbam via the add/remove programs and then install the beta? I'm going to try that. I'd be happy to help you with reports if you let me know what to do. I'm no programmer, I know just enough to mess my system up and google issues. 

 

 

Edited by happypuppy

Ouch!  Sorry you didn't get answers here.  From what I saw on your comments on my own thread, you had to do some pretty deep digging to get things fixed (*crosses fingers, hopes it stays that way*).  Pondering your dilemma (but not urging you to try anything now that it's working), I'll ask:

- do you know whether you installed the 32-bit or 64-bit O365?  Microsoft doesn't make it easy to get--and to install--the 64-bit version, so I figure you'll know if you did.

- Actual Microsoft rootkits?  Not sure what you're meaning by that, but are you getting at low-level, sub-OS Microsoft stuff that kicks off your machine's startup after the POST?  That's always possible.  Usually I'd focus on that tcpip.sys message, but your background info supports the DCOM solution you did.  The only other thing I can see is when the hardware is only so-so at supporting UEFI and you do a UEFI install.  Your hardware is pretty new, so that shouldn't be a problem though.

Let me know if you've got further thoughts regarding that 'Microsoft rootkits' bit.  But...I'm just some other user here, I'm betting there's guys officially connected to MB who'll also know more about what goes on under the covers.  A/V typically inserts itself in the OS load process at a low level in order to protect you as deeply as possible.  Don't know if it quite works that way any more now that Microsoft made some low-level changes to the OS, but I can say that Windows 10 was a pretty big overhaul, top to bottom...


On 2/27/2017 at 8:44 PM, happypuppy said:

I just helped my mom reinstall a Windows 7 system, and Malwarebytes 3.0 works FLAWLESSLY with all settings turned on, and Windows Security Essentials as the antivirus. Not one problem with it. I was wondering, could perhaps the problem with Windows 10 be from actual microsoft rootkits? 

It is amazing what a CLEAN install of any Windows can achieve, especially if you are on an UPGRADE of Win 10 and have never clean installed.

Personally, if I get a Win 10 PC in my shop that is still running on an Upgrade, I clean install it in 99% of cases. That is most likely why my hundreds of MB installs did not have issues with MB 3.0.


Repasting my 'solution' from Winter's thread:

After tons of further research into my very varied bluescreens, I think I solved the entire problem. I found it here:
https://answers.microsoft.com/en-us/windows/forum/windows8_1-hardware/cryptographic-services-failed-while-processing-the/c4274af3-79fb-4412-8ca5-cee721bda112 

The 2nd post outlines the solution, and while this solution appears in many different articles and forums, this one explains exactly why it works and how to make it work. Essentially, it's taking YOUR OWN numerical descriptor for NT Authority/Service and adding it to the MSLLDP descriptor (via sc sdset MSLLDP ). 

This, and shutting down the Verifier that I forgot I had turned on last week, completely and utterly fixed all my issues in Event Manager. 

So my 'fix' was
1. add exclusions for all of Malwarebytes processes to Defender. Added exclusions for Defender in Malwarebytes. 
2. Make sure Verifier is off if you turned it on.
3. added NT Authority/Service to the MSLLDP descriptor


This allowed Win 10, Office, Malwarebytes to work together. 

I am so curious why Windows 10 did not automatically include this setting, and I can't seem to find the answer to it. I thought perhaps it may be a dangerous setting but then why wouldn't they 'fix' the issues that omitting it creates? 

I decided to do it because NT Authority\System and NT Authority\Interactive already have ownership of the MSLLDP, just no access to Service, which makes the system error and bluescreen repeatedly. 

I did not install the Malwarebytes beta for the DCOM, the above already fixed the DCOM. Unless Malwarebytes released a fix in an update I didn't know about. Either way, it's all working! 
 

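Step 3 of the fix in the post above, as a worked check added here (this is not the poster's script and it never touches the system itself): parse the SDDL string that `sc sdshow MSLLDP` prints, see whether NT AUTHORITY\SERVICE (well-known SID S-1-5-6, SDDL alias SU) already has an access-allowed ACE in the DACL, and if not append one with the same rights Interactive (IU) already has. The sample descriptor is constructed, and the fallback rights string CCLCSWLOCRRC is an assumption about the usual read-level service rights.

```python
"""Check a service security descriptor (the SDDL string `sc sdshow <service>`
prints) for an access-allowed ACE for NT AUTHORITY\\SERVICE and append one if
it is missing. Added example, not the forum poster's own script."""

SERVICE_TRUSTEES = {"SU", "S-1-5-6"}      # NT AUTHORITY\SERVICE
INTERACTIVE_TRUSTEES = {"IU", "S-1-5-4"}  # NT AUTHORITY\INTERACTIVE
# Assumption: usual read-level service rights, used only if no IU ACE exists.
DEFAULT_READ_RIGHTS = "CCLCSWLOCRRC"

# Constructed sample modelled on a service DACL that grants SYSTEM,
# Administrators and Interactive users access but has no SERVICE entry.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_sddl(sddl):
    """Split SDDL into [tag, header, [ace, ...]] sections (tag is O/G/D/S,
    header is the owner/group SID or ACL flags such as 'PAI')."""
    sections, i, n = [], 0, len(sddl)

    def at_section(k):  # 'D:' etc. only counts outside an ACE's parentheses
        return k + 1 < n and sddl[k] in "OGDS" and sddl[k + 1] == ":"

    while i < n:
        if not at_section(i):
            raise ValueError(f"unexpected SDDL text at offset {i}: {sddl[i:i + 12]!r}")
        tag, i = sddl[i], i + 2
        start = i
        while i < n and sddl[i] != "(" and not at_section(i):
            i += 1
        header, aces = sddl[start:i], []
        while i < n and sddl[i] == "(":
            end = sddl.index(")", i)
            aces.append(sddl[i + 1:end])
            i = end + 1
        sections.append([tag, header, aces])
    return sections


def build_sddl(sections):
    """Inverse of parse_sddl; unchanged input round-trips byte for byte."""
    return "".join(f"{tag}:{header}" + "".join(f"({a})" for a in aces)
                   for tag, header, aces in sections)


def find_allow_ace(aces, trustees):
    """Fields of the first access-allowed ('A') ACE whose trustee is in trustees."""
    for ace in aces:
        f = ace.split(";")
        if len(f) >= 6 and f[0] == "A" and f[5] in trustees:
            return f
    return None


def ensure_service_access(sddl):
    """Return (sddl, changed). The added ACE copies the rights IU already has,
    so SERVICE gets the same read-level access as Interactive and no more."""
    sections = parse_sddl(sddl)
    dacl = next((s for s in sections if s[0] == "D"), None)
    if dacl is None:
        raise ValueError("descriptor has no DACL (D:) section")
    if find_allow_ace(dacl[2], SERVICE_TRUSTEES):
        return sddl, False
    iu = find_allow_ace(dacl[2], INTERACTIVE_TRUSTEES)
    dacl[2].append(f"A;;{iu[2] if iu else DEFAULT_READ_RIGHTS};;;SU")
    return build_sddl(sections), True
```

Feed in the string `sc sdshow MSLLDP` prints; when `changed` comes back True, the returned descriptor is what you would apply with `sc sdset MSLLDP "<string>"` from an elevated prompt, and a second run on the result reports no change.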

Porthos,

I want to mention again that these problems stemmed from a COMPLETELY clean install of Windows 10 Pro, Anniversary Edition.

- I deleted ALL existing C partitions including System. I then formatted C: before installing Win 10 Pro off of USB, with a fresh Media Creator ISO from https://www.microsoft.com/en-us/software-download/windows10 .

Then I downloaded Office 365 from my Microsoft Account, and installed Malwarebytes 3 from Malwarebytes.com. I didn't even download Nvidia drivers, I just let Windows do it by itself. Further, I didn't bother installing a single Motherboard driver, since that led to problems in one of my earlier installs. Microsoft installed the Intel drivers.

These crashes happened on a completely 100% fresh system with nothing but Microsoft drivers and Microsoft Office downloaded from Microsoft, and Mbam. I'm now more inclined to think that Office and Microsoft programmers do not communicate with each other.

 

Winter,

I got the ISO number from my Powershell - (DISM /Get-WimInfo blah blah). To make sure no one updated Windows since my Media Creator download from 2/16, I downloaded it again to check from here: https://www.microsoft.com/en-us/software-download/windows10

Brand new downloaded WIM from 2/28:

Index : 1
Name : Windows 10 Pro
Description : Windows 10 Pro
Size : 15,395,521,864 bytes
WIM Bootable : No
Architecture : x64
Hal : acpiapic
Version : 10.0.14393
ServicePack Build : 0
ServicePack Level : 0
Edition : Professional
Installation : Client
ProductType : WinNT
ProductSuite : Terminal Server
System Root : WINDOWS
Directories : 21589
Files : 118172
Created : Sun, 11, 20, 2016 - 3:03:08 PM
Modified : Tue, 2, 28, 2017 - 6:22:08 PM
Languages :
        en-US (Default)

 

Above is the 1607 "Anniversary Update" version of Win 10:
Fast ring: July 18, 2016
Slow ring: July 20, 2016
Release preview: July 28, 2016


Windows 10 then updated to KB3213986, plus flash player plus malicious software removal tool.

So I THINK my architecture was x64 to begin with. I especially think this because in one of my previous resets, I attempted to install the 2012 Windows Essentials Photo Gallery (which I really liked), and that proceeded to download a whole bunch of additional Net Frameworks, which I assume are for x32 architecture... (I did NOT try to install it again, and probably won't). 

My system was free of any Net Framework installs until I installed the SDK addon to try to read my own dump files. I never created a batch file to read it tho, because all my problems ended with above MSLLDP fix and shutting down my still running Verifier, doh).

Aside: I'm not fully clear on where they source the image from in this formula for either windbg or kd: 

windbg -y SymbolPath -i ImagePath -z DumpFilePath

kd -y SymbolPath -i ImagePath -z DumpFilePath

- What constitutes 'image path'? mounted or unmounted ISO? In the sample file, they gave a website for the Image file, wouldn't that slow down running it? I also read that you don't need the symbols, I did download the symbols for my version, but not sure where or whether to install it. (sorry, you did mention you were a Programmer, so forgive my attempt to pick your brain a bit:p)

I do have a curious issue, which makes me wonder if in fact there's some cross 32 files in there (or maybe because there isn't, it's finding problems). When I ran SFC /scannow... I have literally no report except for Primitive installers Committed for Repair, Duplicate ownership entries, service not owned but called for in SDDL. I can't find any helpful info about what causes this. Could that have been the Verifier? 

Today, I ran sfc, after no more Event Viewer error messages, and there are NO MORE Primitive Installer entries. Since my system is completely functional (and ridiculously FAST now), I guess I won't worry about it til I have another problem. But if you know why I had all those Primitive installer lines, I'd like to know the reason.

As for Microsoft... I don't recall there being a UnistackSvcGroup in previous Windows installs. Take a look in Task Manager > Services, scroll to end of page. Don't those descriptions look a bit redundant or odd to you, considering that all that User Data they now have all those services for was handled just fine in Win 7 with existing services? As I said, I'm not a Programmer, but I'm fairly good at detecting patterns and oddities. That entire group doesn't make sense, and no explanations I've found online explain them very well either. That, and in the course of fixing my system, I discovered the hard way that the ENTIRE debugging folder is GONE from Explorer, can only be accessed from the Admin command prompt, and even then, very indirectly via cd, one directory at a time. That then makes me wonder exactly what other folders/files they hid. 

Edited by happypuppy

Hrm...this is all interesting stuff that I'll have to look into a bit more.  I'm not familiar with the UnistackSvcGroup and I don't see it on the machine I'm currently on.

I can give you some info, though.

First, in my post I was asking whether you had installed the 32-bit or 64-bit OFFICE, not Windows.  Easiest way to confirm this is to open Word, go to File --> Account --> About Word and the pop-up will say which "bitness".  64-bit is more trouble-prone, thus usually the only way to even get the thing is to go looking for the manual installer on their site, then go into "choose additional language and install options", drill down and specifically choose 64-bit...and even then, the installer usually contains 32 and 64 bit and may default to 32 if you don't dig into the 64-bit folder and manually run the 64-bit setup.  Annoying...and if you use any sidecar (non-core) Office apps like Project or Visio, they would then also have to be 64-bit or the installer will crank at you and refuse to do it.

Second, to answer your question, I *think* the 'image path' would be a mounted ISO.  This doesn't necessarily mean a performance hit--if the ISO's in an actual CD/DVD ROM drive, sure, but if it's from your hard drive, it runs as well as the hard drive does.  Your fastest, sweetest Win 10 install experience is booting the machine from USB using the Windows ISO Download Tool to create a bootable USB drive, then doing a clean install--my last one was 10 minutes end to end!  If you're referring to 'image' as in, 'I'm running the debugger tool and I need to manually point it to the symbols and it wants me to map that to an image path'...that's a different animal and it's just been a very long time since I've done that.  I'd have to read up to remember.

Third, I think you installed Windows 10 in the best possible way:  you went out there to the site, used the media creation tool, and pulled down the latest.  Don't be surprised if those still have updates to apply--the 'latest' ISO isn't always perfect. ;-)  I'm sure Win 10 installed itself in 64-bit version.

Fourth, I do install the .NET Framework whenever I have a new machine just because I typically find I need it.  You don't have to, of course...but if you do, all it does is put the Framework's .dlls on your machine, then put some services in that sit idle and wait to be fired up in order to execute instructions - in other words, having it on there shouldn't ding performance...it just means one more thing that Windows Update might have to patch from time to time.

Fifth, the missing debugging folder:  have you checked the file & folder options in Windows to be sure it is showing hidden files and folders and protected operating system files?  If you open the File Explorer, click View at the top of the ribbon, then click Options --> Change Folder and Search Options, a familiar dialog box pops up and its View tab lets you specify that you want to see hidden files, folders, drives, protected operating system files, etc.  You want to do this with your C:\ drive or "This PC" selected in the file explorer so it'll apply that setting downward from the top. ;-)  A typical telltale that you're not seeing the hidden files & folders is if you can't see C:\Users\[user name]\AppData when looking around with the File Explorer.

Also not sure what to tell you about the System File Checker bit.  I can tell you that 64-bit Windows runs the 32-bit stuff in a smaller and separate space:  you have the 64-bit 'whole enchilada' of all the resources that can handle all the hardware, then there's a virtualized 32-bit space where the 32-bit stuff runs in the limited space that is 32-bit (for example, 32-bit can only access roughly 4GB or less of RAM).  C:\Windows\System32 is your 32-bit stuff, then C:\Windows\SysWOW64 is the 64-bit space.  "SysWOW64" is short for "Windows on Windows"...and C:\Windows\WinSxS..."SxS" is short for "Side by Side", as in "these things run next to each other".

Sorry for the wall of information with some gaps, but I do hope this info is useful to you!  I'll see if I can learn anything about the SFC and debugger bits if I have some time this evening...

 

~Winter

 


Whoa... what a great and helpful post, Winter. 

Re:  Office... I checked. I have the 32 bit version >.<. I'm not clear from your post, but should I remove this and download the 64 bit version? Is this a potential cause of my conflicts? I'm confused because you mention that the 64 bit version also downloads 32 bit files, and that the 64 bit is also problematic. So should I delete the 32 and reinstall the 64 bit (I'll find it)? 

Re: Hidden Files - yes, Explorer is checked for 'Hidden Files'. Otherwise I couldn't go messing with my AppData or poking around the Windows system as I've been doing. That folder, from the downloaded SDK kit, is now there. I can't explain this, since I refreshed the folder after install, including rebooting, and it wasn't there yesterday, yet I found it via admin command prompt yesterday. Here's the directory it should be in, and today there it is, odd: 

 c:\program files (x86)\Windows Kits\10\Debuggers\x64

Re: Primitive Installer Committed for Repair. I THINK this is now resolved, it did not appear in the latest sfc scan log. I did 2 things yesterday, I disk cleaned all extra temp files, logs, junk away. And as mentioned, I disabled the Verifier. I think one of those may have eliminated the SFC primitive installer issue, but can't tell which (likely Verifier). 

Re: Debugger. I decided to throw up my hands and stop trying to use the windows addressing way of viewing my mini dump, and downloaded WhoCrashed. After running that through not only Malwarebytes and Defender, I uploaded it to VirusTotal too. Then I installed it. The first thing I did was attempt to crash my computer with the included Crash Test ... and... it won't crash. It WILL NOT crash. Maybe I did the settings wrong, I have no clue what the "Parameters" 1 and 2 should be set to, so I left them zero. No joy, nothing happened. Then, I changed them to 1 and 2, and again, nothing happened. My system refuses to crash. I guess I won't know if the program works til it eventually crashes by itself.

I'm giving up on Windows' buggy and absurdly hard to use Debuggers for now (you know how much easier life could be if they'd simply tell us IN THE BLUESCREEN which driver or file was causing the bluescreen? Windows obviously knows, since they made a debugger to read the minidump? As an aside, they should let me redesign Windows for people who actually use it, instead of endless annoyance and frustration. I'll bet dealing with Windows' horrible design is how hackers are born, since by the time I understand what's going on, I'll likely be able to do just that (I'm kidding, not sure I can maintain interest in the face of no issues left to solve). The moment someone comes out with a simple and useful GUI for the masses, Microsoft is going bankrupt (- I'm now writing for an audience if UnistackSvcGroup is really Msft spying on me *laf*). 

Re: UnistackSvcGroup - your response about not having this disturbed the heck out of me, especially since you probably have far more installed on your computer than I do ... I'm uploading a cut and paste from my screen for you to see... you do NOT have this?! Please check your system again. Is that possible? What is this then? The NSA trying to steal my cat memes?  

Thank you for your help! 

[Attached screenshot: unistacksvcgroup.png]


  • 3 weeks later...

I have been having issues with ad popups, so I just purchased 2 year Malwarebytes, installed on windows 10 tablet.  Message to reboot after quarantined issues, and cannot sign in anymore.  Currently running in mode that will not access most of my programs.  Please help.


6 hours ago, mcavery said:

I have been having issues with ad popups, so I just purchased 2 year Malwarebytes, installed on windows 10 tablet.  Message to reboot after quarantined issues, and cannot sign in anymore.  Currently running in mode that will not access most of my programs.  Please help.

Open Malwarebytes and turn off self protection in settings and reboot.


  • 2 months later...

I did three clean installs of the Anniversary upgrade, 64 bit, because of a memory error on restart and shutdown. Never had a problem. This last upgrade, I disabled all my security programs and that problem never came back. Soooo...it was either the security programs or Microsoft fixed something causing the error.

Happiness is Windows !!!
