Exploit Protection Still Deactivating On XP 32bit After Update


Hi,

I have read through the 29 pages of incident posts related to the database issue today, and read the sticky discussing the error and its fix.

Unfortunately, I am running a 32bit version of Windows XP SP3 and am still, after updating and restarting my computer, getting the same thing going on. I believe I have another issue as well which may be causing it, and that your DB compilation error today may well be an extreme coincidence:

When right-clicking on the MBAM icon in the system tray, I was at first able to select the "Exploit Protection: Off" option, in an attempt to reactivate it. After that time, it has become grayed out so it is no longer an option. I have also been getting consistent system freezes and eventual BSOD whenever MBAM attempts to run a scheduled scan. I am able to run a scan from the interface, but the system hangs (video and all) on the "making preparations for scan" (forgot exactly what it is labeled) for about 30 seconds. It then continues and finds nothing. But when the scheduler attempts to run a scan, I get the same system freeze for about 40 seconds, followed by a release of the freeze for about 5 seconds (all inputs made during the freeze get buffered and executed during this time window), then another freeze of about 10 seconds followed by BSOD; exact same process every time.

These are some of the symptoms I am experiencing with my system of late:

  • I am unable to get my system to create a dump file at BSOD (after having spent hours exhaustively going through every advanced remedy available on the net, including adjusting page file sizes & locations, etc.), so am unable to read the dump with BSOD Dump Viewer.
  • Malwarebytes Anti-Rootkit will install but will not successfully complete a scan without generating the same system hang and subsequent BSOD as described in previous item (also occurs in Safe Mode).
  • I am unable to successfully execute a System Restore to any restore point. It fails on startup every time, telling me that it failed and that no changes have been made.
  • Sometimes getting a Data Execution Protection error window on startup involving spoolsv.exe. (The module does appear to successfully load, despite the error warning.)
  • Delayed start of Windows Network Connections icon (the two little computer screens showing data in/out in the system tray). It takes about 30 seconds for it to appear after all other startup processes have completed.
  • Unable to open Network Connections window until the previous item finally resolves. Also, any attempts to execute web browser apps are buffered and their execution is delayed until the previous item resolves.
  • TCPIP.SYS is coming up as UNSIGNED on various scan logs, although no malware or virus signature is detected when scanning it.

 

I have upgraded to the latest version of ESET NOD32 Antivirus (last XP compatible version is V9) and performed a deep scan and found nothing.

I have also deep scanned with Malwarebytes v3.1.2 and found nothing.

I've run every scanner recommended here and examined the logs. The most dubious thing I've found in them is the unsigned TCPIP.SYS file.

I've run GMER, Junkware Removal Tool, RKill, Sophos Virus Removal Tool, TDSSKiller, MiniToolbox, AdwCleaner. Nothing was found.

As a last resort, I ran ComboFix. It found some fairly benign things and fixed them, but nothing has changed.

 

Any help would be appreciated. Thanks!


@108

Hi and Welcome,

My name is Porthos and I will assist you to the best of my ability. If I can't guide you after you post the logs, I will find a staff member who can better assist you. 

 

  • Any screenshot(s) of error messages(s) or other incorrect behavior
  • Create and obtain an mb-check log
    1. Download MB-Check and save to your desktop
    2. Double-click to run MB-Check and within a few seconds the command window will open, then click "OK"
    3. This will produce one log file on your desktop: mb-check-results.zip
      • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area
  • Create and obtain Farbar Recovery Scan Tool (FRST) logs
    1. Download FRST and save it to your desktop
      Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
    2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
    3. Press the "Scan" button
    4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
      • Attach both of these logs to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the files to the attachment area

 

Please consider selecting the "Follow/Following" button, near the upper-right corner of your topic, to receive timely email notifications about updates to your topic.


I'm not sure about the BSOD, but let's try to resolve the Exploit Protection issue first. For starters, please try downloading the latest installer from https://downloads.malwarebytes.com/file/mb3 and installing it over top of your existing installation (no need to uninstall first). Then reboot and let me know if Exploit Protection is working.


Hi... Not complaining or anything; I very much appreciate y'all's helpful forum here and the effort you put in. But can you tell me what the average turn-around time is on these support request back/forths? I'd just like to know how often I can expect to receive a reply to my log submissions, etc.

Thanks.


54 minutes ago, 108 said:

"I'd just like to know how often I can expect to receive a reply to my log submissions, etc."

 

Hello @108:

Since you may have not already done so by now, please consider selecting the "Follow" button, near the upper-right corner of your topic, to receive timely notifications regarding replies from @dcollins.

Thank you.

 


@108 it all depends on what needs to be done to troubleshoot the issue. Ideally we like to have these answered as quickly as possible, but some issues take a bit longer to research.

In your case, can you please open Task Manager (press Ctrl + Shift + Esc or right click the taskbar and choose Task Manager), then go to the Performance Tab and take a screenshot and upload the screenshot? Thanks!

Edited by dcollins

wuaueng.dll is wanting to take up 25% of the CPU for unknown reasons, likely related to this overall issue. So I included 2 screenshots of the Task Manager Performance tab, one before killing the process and one afterwards. I am also including a screenshot of the Process Explorer Properties window for the svchost.exe hosting the offending .dll, just in case it might help.

 

WTM Performance (before wuaueng.dll kill).jpg

svchost.ese-1562 (netsvcs) Properties.jpg

WTM Performance (after wuaueng.dll kill).jpg


wuaueng is Windows Update Agent. It could be related, but most likely isn't. We believe we have found a bug that could cause this issue and are working on a fix for it. This issue is usually caused by low RAM, but it looks like you should have enough RAM to run this. If you shut down wuaueng, are you able to start Exploit Protection properly?


No, it just stops the constant 25% CPU usage, is all. I have not found a fix for the MBAM issue.

The curious thing about the wuaueng issue is that I've disabled Automatic Updates, both in the Control Panel and in Services, yet wuaueng keeps running at startup and runs perpetually, doing its 25% thing. No bueno. Nothing changes in my settings between reboots (the WU service is still showing "disabled" and is not running) either.

Thanks.

Edited by 108

Hi

I had the same thing with my computer and Malwarebytes. The protection was deactivated. The log files of my firewall show that Malwarebytes made these connections:

https://keystone.mwbsys.com/api/v1/installations/check.json

https://telemetry.malwarebytes.com/api/v2/streams/client/record

https://hubble.mb-cosmos.com/hashes

and after that the Exploit Protection has been switched Off.

It goes in line with that thread:
https://forums.malwarebytes.com/topic/170063-my-firewall-reports-the-keystonemwbsyscom-trying-to-spy-on-my-computer/


Lastly, this is a very high security risk. First a virus can block those addresses, and after that Malwarebytes will shut down the protection, and after that the virus can do anything.
Sorry, this is very stupid behavior and you should consider another license check.


@beaniecap the post you linked is two years old, and we no longer utilize that same technology. Missing a check-in to keystone shouldn't cause your Exploit Protection to falter. We can help you troubleshoot this error, but I'd recommend making a new thread with the requested logs below.

@108 as I mentioned, we believe we have identified an issue where this could happen on older machines running XP and are looking at a solution. Unfortunately we don't have a workaround at this time.


So... What's the deal? Am I to sit and wait until the end of time here, hoping for the off chance that someday someone will respond back to this thread with a fix, or are you going to help me with my issue? I obviously have more going on than just the MB issue. I don't know... I'm somewhat perplexed that you just left me hanging here with nebulous information as to how I can expect this to proceed. Some definitive instruction would be very much appreciated; it's been over a week now.

I do appreciate the free help y'all provide here, I just don't feel I've been "helped." I feel like I've wasted over a week with you guys here for no reason, and with no explanation.

Edited by 108

Ah, that would explain things a bit. :-) Thanks.

This is the result I got with each of the 13 attempts (from the Chameleon.chm page):

 

MBAM-Chameleon ver. 3.1.33.0
Press any key to continue
Driver is already installed.
Enabling driver...
...Done!
Malwarebytes Anti-Malware not found
Trying to run mbam-setup, please wait...
mbam-setup not found
Trying to download it from the web, please wait...
Download failed, retry...
Download failed, retry...

Can't download mbam-setup
Failed to run mbam-setup

InitialDriverState = 1
Leaving protection driver enabled...
Press any key to continue

Edited by 108

This topic is now closed to further replies.