B-boy/StyLe/

Beta 4 Feedback

Hi,

I am currently testing the new beta and it is great (although the animation transitions are a bit slow in my opinion).

I noticed the following in the Event Viewer after installing it and running a threat scan and a custom scan with it:

Quote

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-1664574625-2511953615-2869871748-1001-09192019123206829-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-1664574625-2511953615-2869871748-1001-09192019123207656-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-1664574625-2511953615-2869871748-1001-09192019123212327-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-1664574625-2511953615-2869871748-1001-09192019123714124-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-1664574625-2511953615-2869871748-1001-09192019123714846-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-1664574625-2511953615-2869871748-1001-09192019124234811-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-1664574625-2511953615-2869871748-1001-09192019124235713-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

Keep up the good work!

Regards,
Georgi

Hi Georgi,

Thanks for the report. This is similar to a defect we already have filed, that results in the temp user hives we load at service startup/during scans to stick around after the service is stopped.

To confirm this is the same issue, please could you do the following:


Thanks!

Edited by LiquidTension

Hi LiquidTension,

Here we go (The EventViewer logs are included in the archive):

Hope this will shed some light on the issue.

 

 

And here are some dump files from the Malwarebytes Support Tool crashes:

mb-support.exe.dmps.zip

Quote

Description
Faulting Application Path:    C:\Users\FFreestyleRR\Appdata\Local\Temp\7zSA841.tmp\mb-support.exe

Problem signature
Problem Event Name:    APPCRASH
Application Name:    mb-support.exe
Application Version:    1.5.1.681
Application Timestamp:    5d794f67
Fault Module Name:    KERNELBASE.dll
Fault Module Version:    6.3.9600.19425
Fault Module Timestamp:    5d26ae6e
Exception Code:    e0434352
Exception Offset:    00034e28
OS Version:    6.3.9600.2.0.0.256.4
Locale ID:    1026
Additional Information 1:    ac05
Additional Information 2:    ac0507478d1c5bd693cfc4fe3987e900
Additional Information 3:    ac05
Additional Information 4:    ac0507478d1c5bd693cfc4fe3987e900

Extra information about the problem
Bucket ID:    50c64874e24f38b57f7dacacdc68cbff (2269159645696805887)

 

Btw: I don't know why, but the Malwarebytes Support Tool downgraded from 1.5.1 to 1.4.3 when I ran it.

Regards,
Georgi

Edited by B-boy/StyLe/
Attached file removed

Thanks for providing the logs. I've sent you a PM regarding the event log errors.

Regarding the mb-support crash - I'm getting a 403 error trying to access the uploaded dump file. If it's not too large, you could try zipping it and attaching directly to your post.

What was the order of events when you ran the Support Tool? How many times did you attempt to run it and when exactly did the crash occur?

Hi LT,

You have a PM as well.

As for the Malwarebytes Support Tool I ran it to collect the logs and I noticed that it downgraded to version 1.4.3.687 for some reason.

I opened the %temp% folder and tried to run the 1.5.1 (of course I already closed the previous version) and then I got the "unknown software exception" error:

jUGayWg.png

I am curious: is the 1.5.1 version not compatible with Windows 8.1, or is the problem somewhere else?

Thanks again for your help!

Regards,
Georgi

MBST 1.5.1 is compatible with Windows 8.1. The reason it downgraded to 1.4.3 is because your OS version was not detected correctly. We're looking into this further. None of the 8.1 machines tested on have encountered this issue.

Regarding the crash - did you try to manually run mb-support.exe 1.5.1 from a folder named 7z{random characters}.tmp? If so, the crash is expected as mb-support.exe is not intended to be run manually from this location.

Edited by LiquidTension

8 minutes ago, LiquidTension said:

MBST 1.5.1 is compatible with Windows 8.1. The reason it downgraded to 1.4.3 is because your OS version was not detected correctly. We're looking into this further. None of the 8.1 machines tested on have encountered this issue.

I understand. Thanks for letting me know.

Btw I disabled both Kaspersky Free AV and Comodo Firewall to avoid possible interference between them and your tool but they were not the culprit.

8 minutes ago, LiquidTension said:

Regarding the crash - did you try to manually run mb-support.exe 1.5.1 from a folder named 7z{random characters}.tmp? If so, the crash is expected as mb-support.exe is not intended to be run manually from this location.

Yes! That was how I proceeded.

Regards,
Georgi

Edited by B-boy/StyLe/

Hi LT,

 

I installed and ran the latest version you sent me (I uninstalled the old version, rebooted and used the Malwarebytes Support Tool to clean the remnants before installing the new one), but unfortunately I noticed the same errors in the Event Viewer => System:

Quote

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-1664574625-2511953615-2869871748-1001-09242019010519884-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-1664574625-2511953615-2869871748-1001-09242019010519075-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-1664574625-2511953615-2869871748-1001-09242019010222835-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-1664574625-2511953615-2869871748-1001-09242019010222206-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

Also there is a new one in the Application area:

Quote

Faulting application name: MBAMInstallerService.exe, version: 4.0.0.93, time stamp: 0x5d84e8af
Faulting module name: combase.dll, version: 6.3.9600.19345, time stamp: 0x5ca8ccd8
Exception code: 0xc0000005
Fault offset: 0x0000000000037d03
Faulting process id: 0x1984
Faulting application start time: 0x01d5725a8fd9f6f5
Faulting application path: C:\Program Files\Malwarebytes Anti-Malware\MBAMInstallerService.exe
Faulting module path: C:\Windows\SYSTEM32\combase.dll
Report Id: d28fc6e0-de4d-11e9-8895-7085c25b66b8
Faulting package full name:
Faulting package-relative application ID:

Best regards,
G.

Thanks for testing. We'll need some additional information as this appears to be a different issue.

From the logs you provided earlier, the errors appear to occur at each service start. Just to verify, could you quit Malwarebytes using the notification area icon -> wait ~30 seconds -> relaunch Malwarebytes and confirm new event log errors are present.

If nothing new is logged, it might require a reboot to trigger. Try rebooting the machine and check if anything new is logged.

Hi LT,

I noticed the same thing. The issue only appears when starting Malwarebytes (since I am testing the free version only as a second-opinion scanner and don't have the real-time protection, I don't need it running in the background all the time, so I close the application from the tray icon when the scan is done).

It happened from time to time with the 3x version but not every time like with the 4x Beta. :)

Ok, I started MBAM again and I monitored the System logs. I hit the refresh button and the error appeared again. I attached the new System.evtx just in case it is useful for you.

Also no rush here. Take your time. :)

Regards.
G.

 

 

Edited by B-boy/StyLe/
Attached file removed

Thanks for confirming!

Please do the following:

  • Open Malwarebytes.
  • Click Settings.
  • Enable the Enhanced Event Log Data setting.
     

Afterwards, please run Process Monitor, let it start capturing events and then proceed with the following:

  • Quit Malwarebytes.
  • Wait 20-30 seconds.
  • Relaunch Malwarebytes.
  • Once the Malwarebytes UI is open, stop the Process Monitor capture.
  • Save the Process Monitor capture to a PML file.

 

Please zip up and send the following:

  • The Process Monitor PML file.
  • Exported System and Application event logs.
  • A new mbst-grab-results.zip generated by the Support Tool.

Here we go:

 

 

Edited by B-boy/StyLe/
Attached files removed

Thanks for that data!

There's an indication this may possibly be related to your NVIDIA GeForce Experience. Could you try disabling this and see what impact it has?
It might actually be better to perform a clean boot (excluding MBAMService) and check the results of that.

Does using a different user account make a difference?
If you create a new user account, but still login and use your current account, do you see errors in relation to both user account SIDs or just the current user account SID?
What happens if you login to and use the new user account?
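
One way to answer the per-SID question above from exported event messages is to group the temp-hive paths by account SID and by time, so each burst can be matched to a service start. This is an added example, not part of the original post or of Malwarebytes' tooling; it assumes the 17 digits before `-ntuser.dat` are a timestamp in MMddyyyyHHmmss plus milliseconds, and the RID 1002 account in the sample is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hive file name as quoted in the thread: <SID>-<17 digits>-ntuser.dat
HIVE_RE = re.compile(r"(S-1-5-21(?:-\d+){4})-(\d{17})-ntuser\.dat", re.IGNORECASE)

def hive_events(text):
    """Return sorted (sid, datetime) pairs for every temp-hive path in text."""
    events = []
    for sid, stamp in HIVE_RE.findall(text):
        # Assumption: the 17 digits read as MMddyyyyHHmmss plus milliseconds.
        when = datetime.strptime(stamp[:14], "%m%d%Y%H%M%S")
        events.append((sid, when + timedelta(milliseconds=int(stamp[14:]))))
    return sorted(events)

def bursts_by_sid(text, gap=timedelta(seconds=60)):
    """Group each SID's events into bursts separated by more than `gap`."""
    bursts = defaultdict(list)
    for sid, when in hive_events(text):
        runs = bursts[sid]
        if runs and when - runs[-1][-1] <= gap:
            runs[-1].append(when)   # same burst (likely the same service start)
        else:
            runs.append([when])     # gap exceeded: a new burst begins
    return dict(bursts)

# Constructed input: the message text, first SID and its stamps are copied from
# the posts above; the RID 1002 account and its stamp are invented for the demo.
MSG = ("{{Registry Hive Recovered}} Registry hive (file): "
       r"'\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\{0}-{1}-ntuser.dat' "
       "was corrupted and it has been recovered. Some data might have been lost.")
BASE = "S-1-5-21-1664574625-2511953615-2869871748"
SAMPLE = "\n".join(MSG.format(sid, stamp) for sid, stamp in [
    (BASE + "-1001", "09192019123206829"),
    (BASE + "-1001", "09192019123207656"),
    (BASE + "-1001", "09192019123212327"),
    (BASE + "-1001", "09192019123714124"),
    (BASE + "-1001", "09192019123714846"),
    (BASE + "-1002", "09192019123714500"),  # constructed second account
])

if __name__ == "__main__":
    for sid, runs in bursts_by_sid(SAMPLE).items():
        for run in runs:
            print(sid, run[0].isoformat(timespec="milliseconds"), len(run), "event(s)")
```

Comparing the burst start times with the service start times in the same log shows whether the errors follow every start and which account SIDs are affected.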

Hi LT,

I am sorry for the delay but I was swamped with work the last 2 weeks. I will proceed with the steps as soon as possible. I was able only to test the issue with GeForce Experience disabled (a clean boot was performed) and that didn't resolve the problem. Next I will fully uninstall GeForce Experience to see if there will be any difference and will let you know.

Also I will create a new user account to see if the issue occurs there.

In the meantime I noticed that there is a new BETA build. Should I use it instead?

 

Regards,
Georgi

Thanks for the update. We haven't been able to reproduce this error and have not seen it on any other machines, so are having a difficult time making any progress with this.

Could you do the following please:

  • Ensure enhanced event log data is enabled in the Malwarebytes settings.
  • Quit Malwarebytes using the notification area icon and wait ~30 seconds.
  • Rerun the Malwarebytes Support Tool -> Advanced -> Gather Logs and attach the generated mbst-grab-results.zip.
  • Download Handle: https://docs.microsoft.com/en-us/sysinternals/downloads/handle
    • Extract the contents. Open an elevated Command Prompt and change directory to where you extracted the Handle files.
    • Run the following and attach the generated file.
      handle64.exe >> "%userprofile%\desktop\handle_output.txt"

---------

I know you've already tried a clean boot, but would you be willing to temporarily uninstall Kaspersky, reboot and check if the issue is still exhibited? Quite often, AVs either aren't fully disabled with a clean boot or re-enable themselves.

Edited by LiquidTension
