Sunflour

MBAMSwissArmy.sys is corrupt, startup repair fails


Hello,

I restarted my laptop a few days ago, the battery icon was missing and I figured it’s time for a restart. Once it restarted, the automatic repair failed. “Startup repair couldn’t fix your PC” gives the option for the log file SrtTrail.txt. I have tried booting it in all safe modes, disabled early anti-malware option, low resolution video and none of those startup settings options worked. I was able to open up command prompt and notepad. First thing I did was copy my files to a couple of external hard drives. Feeling more secure that I wasn’t about to lose all my data I tried to fix the issue. I was able to open the log file, everything looks good except

“Boot Critical File C:\windows\system32\drivers\mbamswissarmy.sys is corrupt.

Repair action: File repair

Result: Failed Error Code 0x57

Repair action: System files integrity check and repair

Result: Failed Error Code 0x57” 

A quick search of the internet says mbamswissarmy.sys is a Malwarebytes file and it looks like I’m not the only one this has happened to.

I do not have any recovery discs or access to another PC at the moment.  I have not yet tried Reset this PC. Can I delete the driver from the command prompt? Is this wise? Should I try to do the reinstall Windows/keep personal files option? A system restore, or wait it out until I can get access to another PC with a USB?

Many thanks in advance.

Edit: I’m using Windows 10

Edited by Sunflour


Sorry for the delay in responding - very busy right now.
I can make suggestions about removing the driver, but I'd suggest first posting over in the MalwareBytes 3 forums:  https://forums.malwarebytes.com/forum/41-malwarebytes-3/

The experts there may have some better understanding of the inner workings of this driver.


The corruption of this driver is a known issue that does happen under some conditions.  I do believe the resolution is to remove or at least rename the driver so that it doesn't load thus preventing the crash/BSOD when you try to boot.  If you can do that, the system should start normally and Malwarebytes should be able to function properly again (if it needs the driver again in the future, I believe that the program itself will re-create it so you shouldn't need to reinstall Malwarebytes).


If you delete the driver using the Command Prompt - what happens if the system decides it can't boot to the recovery mode?

The first step here is to backup the data/image the hard drive - so, in case of disaster, you're able to recover the system to its original state

Here are some links on how to disable a driver from the command prompt:  https://www.google.com/search?q=disable+a+driver+from+the+command+prompt&ie=utf-8&oe=utf-8

Also, you can try renaming the driver (from .sys to .BAD for example) and see if that works.
BUT - if that breaks the boot sequence then you'll have to figure a way to get into the file system and rename the file back to .sys (most likely from a bootable Windows installation USB stick:  https://www.microsoft.com/en-us/software-download/windows10)

Edited by usasma


If deleting the file would break the boot sequence then I'd simply boot the system to an offline disc with offline registry hive editing capabilities, delete the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MBAMSwissArmy registry key so the system no longer tries to load the driver, then restart the system normally.  MS Sysinternals Autoruns can do this if integrated into a boot disc as can many other tools as well as any offline registry hive editing application.  Without that key, the system cannot try to load the driver and thus the boot sequence will be preserved (in fact, it might be a good idea if Malwarebytes could implement a fix for this which performs this very task in scenarios where the file on disk is 0 bytes, assuming that's what's causing this issue as it has been in all the other threads I've seen with this issue).

Also, if you can access the command prompt you can delete the key using the following command:

reg delete HKLM\SYSTEM\CurrentControlSet\services\MBAMSwissArmy /f

Malwarebytes might not work and may require a reinstallation afterwards, but the system will boot.


I have no experience with deleting MalwareBytes drivers - but have had problems when deleting antivirus drivers.

I've learned:
- Never delete; always rename or disable instead.  That way you have a way out if the procedure causes more problems.  If you can't rename/disable - then make a copy/backup of what you're trying to rename/disable.
- Always backup your data and system state.  At some point you may take a chance with a fix - and it fails and destroys everything.  Backups and disk images are essential!
- If you can safely get into the system by removing a problem program, then do it!  You can always reinstall the program later on.
- Once back in the system, use a program such as RevoUninstaller to remove all traces of the problem program.
- Keep it simple!  The more complicated the fix, the more likely that something will mess up.  Work within your comfort zone if the system is essential to you.  This isn't the time to take chances if you're trying to save your system.  For me, it takes me at least a week of my spare time to setup a system the way that I want it - so a system repair is preferable to a system reset.

Here are the steps that I usually suggest when removing a driver:

1)   Create a Restore Point using System Restore


2)   Create a Repair disc (Recovery Drive in Win8.1/10):
Win 7 - Go to Start...All Programs...Maintenance...Create a System Repair Disc
Win 8 - Press "WIN" and "R" to open the Run dialog...type "RECDISC" (without the quotes) and press ENTER
Win 8.1 - Go to the Start Screen and type in "recoverydrive" (one word, without the quotes).  That will start the recovery drive process.  You will need a USB drive of at least 512 MB - and all data will be erased off of it.  If copying the recovery partition the drive size will be much, much larger (16 - 32 GB drive required).
Win 10 - Go to Start (press the "Win" key) and type in "recoverydrive" (one word, without the quotes).  That will start the recovery drive process.  You will need a USB drive of at least 512 MB - and all data will be erased off of it.  If copying the recovery partition the drive size will be much, much larger (16 - 32 GB drive required).
3)   Test the System Repair disc/Recovery Drive to make sure that you can get to the System Restore entry when you boot from the disk/drive (you may also want to try actually using System Restore to make sure that it works)
4)   Download this free program (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) and use it to disable any instances of mbamswissarmy.sys that are starting (or any other MalwareBytes entries) (DO NOT DELETE - only disable by removing the checkmark in the left hand column)
5)   Check in Device Manager (to include showing hidden devices from the View menu item) and ensure that any instances of mbamswissarmy.sys (or any other MalwareBytes entries) are "Uninstalled" (DO NOT DISABLE THESE).
6)   Check in the Services applet (services.msc) to be sure any instances of mbamswissarmy.sys or any other MalwareBytes entries are disabled.
7)   EXPERIMENTAL STEP (only try if you're certain of your abilities - I have not tried this step myself).  Search the registry (use regedit.exe) to locate any entries that have the driver name (mbamswissarmy.sys) or the program name (MalwareBytes).  Delete these keys (it's advisable to back them up first - but you've also backed up the entire registry when creating a System Restore point in step 1).  Alternatively, you can set the values in these keys to DISABLED (but the "how" of this is beyond the scope of this guide).
8)   Go to C:\Windows\System32\drivers and rename the mbamswissarmy.sys driver to mbamswissarmy.BAD (search the hard drive for it if it's not in C:\Windows\System32\drivers).
Also search the system to see if there are any other instances of the mbamswissarmy.sys driver in other locations - and rename them to mbamswissarmy.BAD also.
9)   Test to be sure that the device is working OK and that any BSODs/errors have stopped.


In the event that the system doesn't boot:

1)   Boot from the System Repair disc/Recovery Drive and use the Command Prompt option to rename mbamswissarmy.BAD to mbamswissarmy.sys (the code below is only an example if the driver is, in fact, located in C:\Windows\System32\drivers.  If not, then you must navigate to the proper directory on your own!).

ren C:\Windows\System32\drivers\mbamswissarmy.BAD C:\Windows\System32\drivers\mbamswissarmy.sys

2)   Boot from the System Repair disc/Recovery Drive and use the System Restore option to restore the system to a point before the changes were made.

Good luck!
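Added example, not posted by anyone in this thread: a script for the WinRE Command Prompt that covers the "how" of step 7 above and the key-deletion approach from the earlier reply, but disables the service (Start=4) in the offline SYSTEM hive and renames the file rather than deleting anything. It assumes the installed Windows volume shows up as D: inside WinRE and that ControlSet001 is the boot control set; both are assumptions marked in the comments.

```batch
@echo off
rem Added example (not from the thread). Disables the MBAMSwissArmy service in the
rem OFFLINE SYSTEM hive so the corrupt driver is never loaded, without deleting keys.
rem ASSUMPTION: the installed Windows volume is D: inside WinRE. Drive letters differ
rem in WinRE, so confirm with "dir D:\Windows" before running this.
set "OSDRIVE=D:"
set "SVC=MBAMSwissArmy"
set "HIVE=%OSDRIVE%\Windows\System32\config\SYSTEM"
set "DRV=%OSDRIVE%\Windows\System32\drivers\mbamswissarmy.sys"

rem 1) Keep a copy of the hive before touching it (do this BEFORE reg load).
copy "%HIVE%" "%HIVE%.bak" >nul || exit /b 1

rem 2) Mount the offline hive under a temporary name. HKLM\SYSTEM inside WinRE is
rem    WinRE's own hive, so editing it there would change nothing on the installed OS.
reg load HKLM\OFFSYS "%HIVE%" || exit /b 1

rem 3) An offline hive has no CurrentControlSet link. ASSUMPTION: ControlSet001 is
rem    the active set (check HKLM\OFFSYS\Select, value Current, if unsure).
set "KEY=HKLM\OFFSYS\ControlSet001\Services\%SVC%"
reg query "%KEY%" /v Start
rem Start=4 is SERVICE_DISABLED: the service is skipped at boot but its key survives,
rem so the change can be reverted by setting the original value back.
reg add "%KEY%" /v Start /t REG_DWORD /d 4 /f

rem 4) Rename (do not delete) the corrupt file so nothing can load it by path either.
if exist "%DRV%" ren "%DRV%" mbamswissarmy.BAD

rem 5) Always unload, otherwise the hive stays locked and the OS may fail to boot.
reg unload HKLM\OFFSYS
```

To undo, reload the hive the same way and restore the Start value that step 3 printed, then rename mbamswissarmy.BAD back to .sys.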


That driver isn't used by Malwarebytes protection so it doesn't actually need to load on boot.  It's used for scanning/remediation as a part of the scan engine and rootkit scanning in particular (both the older DDA [Direct Disk Access] as well as the newer anti-rootkit scanning) and gets called for cleanup on boot after something is scheduled to be removed following a scan/quarantine event.  It's neither essential to the system booting nor to Malwarebytes protection functioning (I deleted the file on my own system to test, exited Malwarebytes, stopped the driver from running in memory (NET STOP command), launched Malwarebytes once more all with the file deleted/not in memory and Malwarebytes did indeed re-create the file on disk as I expected).

This is how Malwarebytes works.  When a driver is missing, it creates a new copy on disk, however if the file already exists, and in this case is corrupted, it doesn't/can't so you end up with the BSOD issue.  All you need to do is stop Windows from trying to load that corrupted driver on boot.  Once you do that, Malwarebytes should take care of itself (no reinstall required).


Apologies to Sunflour if this has taken your topic off track. 

And thanks to exile360 for the easy to understand explanation of the internal workings of Malwarebytes as it applies to this situation!
