Dave-H

MB 3.5.1 MBAE Service not installing on Windows XP?


Hi Dave,

Thank you for the update.
 

16 hours ago, Dave-H said:

The only anomaly still present, which is still there even after getting rid of EMET, is that the mbamchameleon service will not run as a boot start service, only as a system start service. I tried putting it back to boot start, and it no longer ran on system startup.

Please open Malwarebytes and click Settings > Protection > scroll down and ensure 'Enable self-protection module early start' is turned on.

Once done, please rerun the Malwarebytes Support Tool (Download link: https://downloads.malwarebytes.com/file/mbst) and click Advanced followed by Gather Logs. Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Rename this file to mbst-grab-results-prereboot.zip.

Afterwards, please restart the computer. Once restarted, rerun the Malwarebytes Support Tool once more in the same manner. Rename the new mbst-grab-results.zip to mbst-grab-results-postreboot.zip.

Please attach both Zip files so we can take a look at what's going on.


Thanks, I've done that and the logs are attached.
I also switched on the enhanced log collection function.

"Enable self-protection module early start" indicates that it is switched on.

Both the log gatherings were done with the mbamchameleon service startup type set in the registry to "system" (type 1) instead of "boot" (type 0) which is the default.

Cheers, Dave.
🙂

 

mbst-grab-results-prereboot.zip

mbst-grab-results-postreboot.zip


Thank you for the files.

Please turn off the Enable self-protection module early start setting, wait 10 seconds and then turn the setting back on. Once done, rerun the Malwarebytes Support Tool, click Advanced, click Gather Logs and attach the newly created mbst-grab-results.zip (located on your desktop) in a new post.

Afterwards, please download Process Monitor using the link below:
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

  • Extract the downloaded file and run.
  • Once Process Monitor is running, return to Malwarebytes.
  • Turn off the Enable self-protection module early start setting, wait 10 seconds and then turn the setting back on.
  • Return to Process Monitor. Click File followed by Capture Events to stop the capture.
  • Click File followed by Save. Select a location to save the file and click OK.
  • Please zip up and attach the generated file. If it is too large to attach, please upload the file to WeTransfer.com and copy/paste the link into a post.
Edited by LiquidTension


Hi, thanks and sorry for the delay in responding, I was very busy yesterday away from home most of the day!

I switched off "Enable self-protection module early start", waited 10 seconds, and then it wouldn't turn on again!
Even after a reboot it's still off and won't switch on.

The normal self-protection on/off option is still apparently switched on.

The version of Process Monitor that you gave a link to doesn't work on Windows XP, it needs at least Vista.
I do already have version 3.50, which I suspect is the last that does work on XP, I assume that's OK for any further testing?

Cheers, Dave.
🙂


Hi Dave,

Yes, that version should run OK on Windows XP. Whilst not being listed as a supported OS, Process Monitor runs fine on Windows XP for me.

Please run Process Monitor, reproduce the issue with enabling the setting, stop the Process Monitor capture and then attach the zipped up log file.


Thanks, yes I looked again and the link you gave is to version 3.50 of course! D'oh!
I guess that is the last version, and runs fine on XP as you say, despite what they say.
I guess being part of Microsoft they're not allowed to acknowledge the existence of XP any more, in fact I'm surprised they haven't removed the reference to Vista now too!

Anyway, I ran Process Monitor, and then tried to switch on the "Enable self-protection module early start" option again, and still nothing appeared to happen.
I stopped the trace and saved the file.
It's here - https://www.4shared.com/file/VGdDwxZrda/Logfile.html

I don't know what it will show though, as I say the function seems to be completely non-functional at the moment.
Cheers, Dave.
🙂


Hi again.
I've done a bit more experimenting, and I've managed to get things back to running as they were before.
It appears that the self-protection settings do simply change the start type of the mbamchameleon service.
If self-protection is completely switched off, the service is set to type 4 (disabled).
If it's on but not early start, the service is set to type 2 (automatic), and if the early start is on it's set to type 0 (boot).
That makes perfect sense, but it's that last configuration that doesn't work, the service will not start as a boot service.
Setting it manually to start type 1 (system) seems to work around this, and the service presumably still starts early enough for the early start setting to show as being on.
Why it won't start as a boot type service is a mystery though.
Cheers, Dave.
🙂


Hi Dave,

I'm having trouble downloading the ProcMon log. Please could you upload it to WeTransfer: https://wetransfer.com/
Ensure link is selected as the send as type and copy/paste the generated link in a new post.
 

Quote

That makes perfect sense, but it's that last configuration that doesn't work, the service will not start as a boot service.

When the start type is set to 0 (Boot), is MBAMChameleon installed at startup or is the state Disabled?
Please set the start type to Boot, restart the machine and then run the following commands at the Command Prompt. Please attach the generated query.txt file found on your desktop.

sc query mbamchameleon > "%userprofile%\desktop\query.txt"
sc qc mbamchameleon >> "%userprofile%\desktop\query.txt"

 

Edited by LiquidTension


Hi again and thanks.
I tried the 4Shared link and it worked fine for me, so I don't know what's wrong there.
Anyway, I have uploaded it to WeTransfer too now. The link is -

https://we.tl/t-u9fzUuVS2g

I set the mbamchameleon service to boot start in the registry, and when I restarted I again got the Windows System Log message that it had failed to start ("The following boot-start or system-start driver(s) failed to load: mbamchameleon.")
It is still set to start type 0 in the registry.
The "enable self-protection module" option in the MB interface is shown as off, and as before if I try to turn it on the interface just permanently freezes and has to be forcibly terminated.
However, after running your two commands, the Windows System Log now says that the service was started ("The mbamchameleon service was successfully sent a start control."), although the MB interface hasn't changed.

The query.txt file is attached.
Cheers, Dave.
🙂

query.txt
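
One way to read the query.txt that the two sc commands above produce, added here as an example and not part of any post in this thread: it pulls STATE and START_TYPE out of the combined output and checks them against the start-type mapping Dave-H reported (0 boot, 1 system, 2 automatic, 4 disabled). The sample text is constructed in sc.exe's output layout and is not the poster's attachment; the function names are hypothetical.

```python
import re

# Start values and the Malwarebytes setting each corresponds to, as reported
# by the poster in this thread (his observation, not vendor documentation).
START_MEANING = {
    0: "boot start: self-protection on, early start on",
    1: "system start: the poster's manual workaround",
    2: "automatic: self-protection on, early start off",
    4: "disabled: self-protection off",
}

# Constructed sample in sc.exe's layout; every value here is made up.
SAMPLE_QUERY_TXT = """
SERVICE_NAME: mbamchameleon
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: mbamchameleon
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 0   BOOT_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : <driver path placeholder>
"""

FIELD = re.compile(r"^\s*(STATE|START_TYPE)\s*:\s*(\d+)\s+(\w+)", re.M)

def parse_query(text):
    """Return {'STATE': (code, name), 'START_TYPE': (code, name)} where present."""
    return {key: (int(code), name) for key, code, name in FIELD.findall(text)}

def assess(text):
    """Compare the configured start type with the state the service is in."""
    fields = parse_query(text)
    if "STATE" not in fields or "START_TYPE" not in fields:
        return "incomplete: need both sc query and sc qc output"
    start = fields["START_TYPE"][0]
    state = fields["STATE"][1]
    if start not in START_MEANING:
        return f"unknown: start type {start} is not one discussed in the thread"
    expect_running = start in (0, 1, 2)
    if expect_running != (state == "RUNNING"):
        return f"MISMATCH: start={start} ({START_MEANING[start]}) but state is {state}"
    return f"consistent: start={start} ({START_MEANING[start]}), state is {state}"

if __name__ == "__main__":
    print(assess(SAMPLE_QUERY_TXT))
```

A RUNNING state in this output does not show that the driver loaded at boot, so the System log entries and their timestamps still need to be read alongside it.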


Hi again.
I've just checked the Windows System Log again, and if the mbamchameleon service is logged as having failed to run, it does in fact then run according to the log, exactly five seconds later!
This delay is presumably what's causing the problem with the interface, as it thinks the service isn't running as it didn't start on boot, but when you try to run it by switching on the self-protection, it can't do it because the service is in fact running by then, and the consequence of trying to switch on a service already switched on causes the interface to crash!
It obviously isn't enabled properly anyway, as I can still change its startup type by editing the registry, which I shouldn't be able to do if it's working properly, as it's one of the registry keys which should be protected by it.
🙂


Hi Dave,

Please run the Malwarebytes Support Tool and perform a clean reinstallation of Malwarebytes (Advanced > Clean).

Once done, open Malwarebytes and verify the "Enable self-protection module" setting is On. Run the two commands below:

sc query mbamchameleon > "%userprofile%\desktop\query1.txt"
sc qc mbamchameleon >> "%userprofile%\desktop\query1.txt"


Now turn "Enable self-protection early start" on. What happens? Please avoid manually changing the start type in the registry for now. Afterwards, run the two commands below:

sc query mbamchameleon > "%userprofile%\desktop\query2.txt"
sc qc mbamchameleon >> "%userprofile%\desktop\query2.txt"

 

Please attach query1.txt and query2.txt (found on your desktop).


Thanks, but I have already done that procedure many tim

47 minutes ago, LiquidTension said:

Hi Dave,
Please run the Malwarebytes Support Tool and perform a clean reinstallation of Malwarebytes (Advanced > Clean).

Thanks, but I have already done that many times before, and the end result is always the same, I doubt that doing it again will be any different!
After the uninstall and clean the re-installation seems to go fine, but the self-protection module is shown as being completely turned off.
If I try to enable the self-protection module, the interface just immediately and permanently freezes.
I obviously can't alter the early start setting either as the main setting isn't switched on. It's shown as being on, but greyed out.
The only way I've found to fix this is to manually change the mbamchameleon service's start type from "boot" to "system" in the registry.
As I said earlier, the service is actually running eventually when it's set to "boot" but only after an initial error message in the Windows log that it had failed to start.
It's then logged as actually starting about 5 seconds after the error message was logged.
Cheers, Dave.
🙂


BTW, we have now moved a long way from my original subject title for this thread!
Would it be possible to change it to something more general like "Malwarebytes Installation Problems on Windows XP"?
🙂

