dculp

Can't start mbam.exe (no user interface)

While browsing, a popup said that my computer had been hijacked. I immediately rebooted my computer and ran my antivirus software (ESET) which didn't find any problems. I then tried to run mbam.exe as administrator. I accepted the popup about allowing the program to make changes to my computer but afterwards the mbam UI didn't appear. I then rebooted into safe mode with networking. The mbam UI then ran successfully and didn't detect any threats. However, all protections were off and couldn't be turned on, either individually or by restore defaults.

Note - Immediately after normal rebooting (not safe mode), the Windows Task Manager showed that the mbam process was not running. However, after attempting to start mbam.exe the Task Manager showed that the mbam process was running but mbam didn't show in the applications tab.

At this point I'm not sure that Malwarebytes is protecting me.

Attached is the log file mbst-grab-results.zip from mb-support-1.4.0.615.exe.

Windows 7 Pro, mbam.exe v. 3.7.1.2.839

Thanks,
Don C.

mbst-grab-results.zip


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


nasdaq --

Attached is Fixlog.txt (after rebooting).

No change from previous condition (still unable to start mbam.exe). (BTW, I seldom run mbam.exe explicitly so I don't know if the current problem existed before the hijack attempt.)

Next steps?

 

Fixlog.txt


Hi,

The Fixlog.txt is incomplete.

Please open the file and copy the contents.

Post it in your next reply.

 


I have searched both C: (system) and D: (most programs). There is only one Fixlog.txt which is the one that I uploaded.

6/18/2019 - Starting again from scratch --

  1. I downloaded FRST64.exe to C:\Users\dculp\AppData\Local\Temp\mwbEEF9.tmp (the 4th line of mbst-check-results.txt that I had uploaded on my first post). I also copied Fixlist.txt to the same folder.
  2. I ran FRST64.exe as administrator, accepted all checked defaults, and clicked Fix once.
  3. Shortly FRST64 displayed --

    "Farbar Recovery Scan Tool (x64) Version: 15-06-2019
    Fix completed. "Fixlog.txt" is saved in the same directory FRST is located.
    The computer needs a restart. Please close all open windows. Note that you will not get any notification from the tool after restart.
    Click OK to restart."

    OK

  4. The computer rebooted.
  5. A new Fixlog.txt (per the datestamp) was now in the above folder. FRST64.exe and Fixlist.txt were no longer there or anywhere else on C: .

    Fixlog.txt --
    "dculp => 226463766 B
    RecycleBin => 0 B
    EmptyTemp: => 229.7 MB temporary data Removed.
    ================================
    The system needed a reboot.
    ==== End of Fixlog 15:19:40 ===="

Should I just try reinstalling Malwarebytes? Other?
 


Hi,

Your ESET security program may have deleted the Farbar program.

Download it again.

Keep an eye on the notification from ESET, to make sure the program is accepted.

Run the Farbar program and run the Fix again.

Post the Fixlog.txt if you can.

Let me know if the problem is solved or not.

 


My C: drive has a root folder FRST (apparently created by FRST, not me). It has subfolders Hives, Logs, and Quarantines. The Logs subfolder has the following files -

Addition_16-06-2019 06.18.28.txt (attached)
ct.ini (2 lines -- [Run] and ct=2)
Fixlog_16-06-2019 15.11.48.txt
Fixlog_18-06-2019 15.21.26.txt (most recent, attached)
FRST_16-06-2019 06.18.28.txt (attached)

The third line of FRST_16-06-2019 06.18.28 is "Running from C:\Users\dculp\AppData\Local\Temp\mwbEEF9.tmp". Before running FRST, I first copy FRST64.exe and fixlist.txt to this folder. I also delete any old Fixlog.txt from this folder. There is nothing else in this folder. I then run FRST64.exe from this folder with the Fix option (after accepting the default checkboxes).

Before running FRST64.exe, should there be any other folders or files in C:\Users\dculp\AppData\Local\Temp\mwbEEF9.tmp? Should FRST64.exe be in this folder or can it be run from anywhere? (Note - ESET didn't object to downloading FRST64.exe or to running it. I have a spare copy of FRST64.exe in case it is eventually deleted from this folder.)

Should I try running Scan and then Fix?

I wonder if Windows or FRST (not ESET) is deleting the files in the mwbEEF9.tmp folder (especially since this is a tmp folder within a Temp folder).

Addition_16-06-2019 06.18.28.txt Fixlog_18-06-2019 15.21.26.txt FRST_16-06-2019 06.18.28.txt


Perhaps Fixlog is being aborted because FRST64.exe is deleted on the reboot so that it can't complete Fixlog.


You should not be running any programs from a temporary folder.

Create a folder and place the Farbar program in that folder.

The best place would be in C:\Desktop\the name of the folder you have created. You can use the name FRST_Farbar.

My fix does clean all the Temporary folders. This is why it's been deleted.

Run the program again and post fresh logs. 

Let me know of any issues.


After running FRST the results are unchanged -- can't start mbam.exe with normal Windows boot but mbam.exe runs and scans OK if I boot to safe mode + networking. With normal Windows boot I tried disabling all protections in my ESET security but no change.

Below is the info from Fixlog.txt.

=================================================================================================

Fix result of Farbar Recovery Scan Tool (x64) Version: 19-06-2019
Ran by dculp (20-06-2019 14:30:52) Run:3
Running from C:\FRST_Farbar
Loaded Profiles: dculp (Available Profiles: dculp)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
HKLM\...\Winlogon: [Shell] explorer.exe [2871808 2012-11-30] (Microsoft Windows -> Microsoft Corporation)
HKLM-x32\...\Winlogon: [Shell] explorer.exe [2871808 2012-11-30] (Microsoft Windows -> Microsoft Corporation)
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
CHR StartupUrls: Default -> "hxxp://www.google.com/ig/redirectdomain?brand=CKMB&bmod=CKMB"
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - D:\Program files\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
CustomCLSID: HKU\S-1-5-21-1750345208-380253357-1962161537-1000_Classes\CLSID\{004B49B7-11B9-5058-AA22-08DD0A3ADC4B}\InprocServer32 -> {1F2776C4-9468-D082-92E6-56EE85889A47} => No File
CustomCLSID: HKU\S-1-5-21-1750345208-380253357-1962161537-1000_Classes\CLSID\{004B49B7-11B9-5058-FF22-08DD093ADC4B}\InprocServer32 -> {1FBB964C-9468-D082-1A06-CAEE85889A47} => No File
CustomCLSID: HKU\S-1-5-21-1750345208-380253357-1962161537-1000_Classes\CLSID\{DD0822AA-3A0A-4BDC-B749-4B00B9115850}\InprocServer32 -> {504A8032-9468-D082-6410-3BA185889A47} => No File
CustomCLSID: HKU\S-1-5-21-1750345208-380253357-1962161537-1000_Classes\CLSID\{DD0822FF-3A09-4BDC-B749-4B00B9115850}\InprocServer32 -> {504A996F-9468-D082-3909-3BA185889A47} => No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Computer Aided Resonator Design (CARD).lnk -> F:\Temp2\CARD-14.31\CARD.BAT (No File)

*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value restored successfully
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => not found
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => not found
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => not found
HKLM\Software\Wow6432Node\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => not found
"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}" => not found
HKLM\Software\Classes\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => not found
"Chrome StartupUrls" => not found
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki => not found
HKU\S-1-5-21-1750345208-380253357-1962161537-1000_Classes\CLSID\{004B49B7-11B9-5058-AA22-08DD0A3ADC4B} => not found
HKU\S-1-5-21-1750345208-380253357-1962161537-1000_Classes\CLSID\{004B49B7-11B9-5058-FF22-08DD093ADC4B} => not found
HKU\S-1-5-21-1750345208-380253357-1962161537-1000_Classes\CLSID\{DD0822AA-3A0A-4BDC-B749-4B00B9115850} => not found
HKU\S-1-5-21-1750345208-380253357-1962161537-1000_Classes\CLSID\{DD0822FF-3A09-4BDC-B749-4B00B9115850} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => not found
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => not found
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => not found
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Computer Aided Resonator Design (CARD).lnk" => not found

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7772488 B
Java, Flash, Steam htmlcache => 1088 B
Windows/system/drivers => 12690 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 2494 B
dculp => 145481436 B

RecycleBin => 0 B
EmptyTemp: => 154.2 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 14:33:21 ====
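
Added example, not part of the original posts and not FRST's own code: a small Python check for the two failure signs seen in this thread, a Fixlog that lacks its header (the log called incomplete above) and a fix run from a Temp folder while the fixlist contains EmptyTemp:. Treating the header and footer strings of the complete log as completeness markers is an assumption, `check_fixlog` is a hypothetical helper name, and both sample logs are constructed excerpts of the ones posted here.

```python
import re

# Constructed excerpts of the two Fixlogs posted in this thread.
TRUNCATED = r"""dculp => 226463766 B
RecycleBin => 0 B
EmptyTemp: => 229.7 MB temporary data Removed.
================================
The system needed a reboot.
==== End of Fixlog 15:19:40 ===="""

COMPLETE = r"""Fix result of Farbar Recovery Scan Tool (x64) Version: 19-06-2019
Ran by dculp (20-06-2019 14:30:52) Run:3
Running from C:\FRST_Farbar
Boot Mode: Normal
fixlist content:
*****************
CreateRestorePoint:
EmptyTemp:
*****************
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value restored successfully
"Chrome StartupUrls" => not found
==== End of Fixlog 14:33:21 ===="""


def check_fixlog(text):
    """Report completeness and self-deletion risk for one Fixlog (assumed layout)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    run = re.search(r"^Running from (.+)$", text, re.M)
    run_dir = run.group(1).strip() if run else None
    # Directives sit between the two rows of asterisks after "fixlist content:".
    block = re.search(r"fixlist content:\s*\*+\s*(.*?)\n\*+", text, re.S)
    directives = [d.strip().lower() for d in block.group(1).splitlines()] if block else []
    # A run directory under a Temp/tmp folder is what EmptyTemp: cleans out.
    in_temp = bool(run_dir and re.search(r"\\(temp|tmp)(\\|$)", run_dir, re.I))
    return {
        "has_header": bool(lines) and lines[0].startswith("Fix result of Farbar"),
        "has_footer": bool(lines) and lines[-1].startswith("==== End of Fixlog"),
        "run_dir": run_dir,
        "self_delete_risk": in_temp and "emptytemp:" in directives,
        "restored": sum(ln.endswith("=> value restored successfully") for ln in lines),
        "not_found": sum(ln.endswith("=> not found") for ln in lines),
    }


if __name__ == "__main__":
    for name, log in (("truncated", TRUNCATED), ("complete", COMPLETE)):
        print(name, check_fixlog(log))
```

A log with a footer but no header, like the first one posted, is the pattern to look for when the tool was removed before it finished writing.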


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 


nasdaq --

Generally after exiting Chrome I'm able to restore my previous session (many open windows and tabs) when I restart Chrome. However, after running your tests with your fixlist.txt I wasn't able to do this and the previous history list was gone. I don't know if this was related to your tests but, if so, you should warn of this possibility beforehand. In any case, thanks for your efforts.

This problem has been resolved here (https://forums.malwarebytes.com/topic/248677-cant-start-mbamexe/).

Don C.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 
