I drafted this report in this topic, but I think it deserves a topic of its own for better visibility, especially as I discovered more issues.

1. It doesn't autostart after reboot to perform post-reboot cleanup despite being logged on as admin both before and after reboot and UAC being already set to defaults since the very beginning. I was able to manually start post reboot cleanup using Autoruns tool. There I saw MBST autostart entry is in a Run key under HKCU. I don't remember exactly when and where but I read somewhere that Windows refuses to autostart programs that have admin rights flag set, especially if they try to run from HKCU. This is the case for support tool. Both downloaded executable and unpacked executable to admin user temp folder have admin rights flag set. Still reproducible with release 1.7.0.

2. If I allow Support tool to install MBAM after cleanup, it installs the very old MBAM legacy 3.5.1 for XP. I saw this even with MBST 1.6.2 and now version 1.7.0. Screenshot attached.

3. MBST doesn't actually run FRST during logs collection, it just scrapes C:\FRST\Logs and grabs what's in there. If FRST never ran or its logs were deleted, logs would be incomplete. To have full logs you have to manually download and run FRST scan with default settings before running MBST. This is either a failure of MBST to grab and run FRST or UI is misleading about Run FRST step. Still reproducible with release 1.7.0.

4. Cleanup is incomplete. Still reproducible with release 1.7.0. This has been reported by other users in other topics. Mainly I spotted these locations not being deleted:

- These are created for every user account who opened Malwarebytes UI

%LOCALAPPDATA%\mbam\
%Temp%\mbam\

- Created on admin account with which credentials Malwarebytes is uninstalled

%Temp%\MBAMInstallerService.exe

 

nbst-installs-mbam-legacy.png


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.


If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Greetings,

I've never heard of the Support Tool displaying several of the issues you describe; I would like you to post in our malware removal section for more advanced diagnostics, not because I believe your system is infected, but because they are able to use more advanced methods and tools for diagnosing and fixing issues than those available to use in this part of the forums.  To do so, please follow the instructions in this topic then create a new topic in our malware removal area by clicking here and a malware removal specialist will guide you in checking and hopefully finding the cause of these issues and fixing it.


Quote

1. It doesn't autostart after reboot to perform post-reboot cleanup despite being logged on as admin both before and after reboot and UAC being already set to defaults since the very beginning. I was able to manually start post reboot cleanup using Autoruns tool. There I saw MBST autostart entry is in a Run key under HKCU. I don't remember exactly when and where but I read somewhere that Windows refuses to autostart programs that have admin rights flag set, especially if they try to run from HKCU. This is the case for support tool. Both downloaded executable and unpacked executable to admin user temp folder have admin rights flag set. Still reproducible with release 1.7.0.

The Support Tool only uses an HKCU\...\Run value as a backup. The default startup mechanism is a scheduled task. The Run value is created when the scheduled task creation fails. Are you performing a Clean/Repair in Safe Mode?
 

Quote

2. If I allow Support tool to install MBAM after cleanup, it installs the very old MBAM legacy 3.5.1 for XP. I saw this even with MBST 1.6.2 and now version 1.7.0. Screenshot attached.

Your OS version is being interpreted as Windows Vista or lower. We will look into this.
Are there any compatibility flags set on the downloaded mb-support-{version}.exe file (or the browser with which you downloaded the file)?
 

Quote

3. MBST doesn't actually run FRST during logs collection, it just scrapes C:\FRST\Logs and grabs what's in there. If FRST never ran or its logs were deleted, logs would be incomplete. To have full logs you have to manually download and run FRST scan with default settings before running MBST. This is either a failure of MBST to grab and run FRST or UI is misleading about Run FRST step. Still reproducible with release 1.7.0.

It does, but only if the FRST executable is successfully downloaded when the tool is first launched. In your case, the file is not being downloaded successfully due to a network issue so FRST is not run when you gather logs.
 

Quote

4. Cleanup is incomplete.

The %LOCALAPPDATA%\mbam path is included as part of cleanup and in most cases is successfully cleaned up. We are however aware of a couple of issues and have defects filed, which we hope to address in a future update. The %Temp%\mbam and %Temp%\MBAMInstallerService.exe paths are intentionally not included as part of cleanup, so it's expected to see these paths remain.

Edited by LiquidTension

20 hours ago, LiquidTension said:
Quote

1. It doesn't autostart after reboot to perform post-reboot cleanup despite being logged on as admin both before and after reboot and UAC being already set to defaults since the very beginning. I was able to manually start post reboot cleanup using Autoruns tool. There I saw MBST autostart entry is in a Run key under HKCU. I don't remember exactly when and where but I read somewhere that Windows refuses to autostart programs that have admin rights flag set, especially if they try to run from HKCU. This is the case for support tool. Both downloaded executable and unpacked executable to admin user temp folder have admin rights flag set. Still reproducible with release 1.7.0.

The Support Tool only uses an HKCU\...\Run value as a backup. The default startup mechanism is a scheduled task. The Run value is created when the scheduled task creation fails. Are you performing a Clean/Repair in Safe Mode?

No.

20 hours ago, LiquidTension said:
Quote

2. If I allow Support tool to install MBAM after cleanup, it installs the very old MBAM legacy 3.5.1 for XP. I saw this even with MBST 1.6.2 and now version 1.7.0. Screenshot attached.

Your OS version is being interpreted as Windows Vista or lower. We will look into this.
Are there any compatibility flags set on the downloaded mb-support-{version}.exe file (or the browser with which you downloaded the file)?

No. I checked with right click - Properties - Compatibility on both web browser shortcuts on Start and desktop respectively and on mb-support-1.7.0.827.exe. I even checked the unpacked mb-support.exe from %Temp%\mwb*.tmp\.

20 hours ago, LiquidTension said:
Quote

3. MBST doesn't actually run FRST during logs collection, it just scrapes C:\FRST\Logs and grabs what's in there. If FRST never ran or its logs were deleted, logs would be incomplete. To have full logs you have to manually download and run FRST scan with default settings before running MBST. This is either a failure of MBST to grab and run FRST or UI is misleading about Run FRST step. Still reproducible with release 1.7.0.

It does, but only if the FRST executable is successfully downloaded when the tool is first launched. In your case, the file is not being downloaded successfully due to a network issue so FRST is not run when you gather logs.

I wonder where it downloads FRST from. If I had the link I could test it with other DNS servers. Maybe a glitch with Cloudflare DNS.

20 hours ago, LiquidTension said:
Quote

4. Cleanup is incomplete.

The %LOCALAPPDATA%\mbam path is included as part of cleanup and in most cases is successfully cleaned up. We are however aware of a couple of issues and have defects filed, which we hope to address in a future update. The %Temp%\mbam and %Temp%\MBAMInstallerService.exe paths are intentionally not included as part of cleanup, so it's expected to see these paths remain.

Thanks for clarifying that it's a known issue.

 

In the meantime the annex thread ended with no evidence that anything is obviously wrong at my end.


2 hours ago, pal1000 said:

I checked with right click - Properties - Compatibility on both web browser shortcuts on Start and desktop respectively and on mb-support-1.7.0.827.exe.

Did you also check by clicking the Change settings for all users to ensure none of the boxes in that list were checked/enabled?  I ask because there are 2 places compatibility settings are stored; both under HKCU (which the items on the first/primary Compatibility tab apply to), as well as HKLM (which apply to all users under that menu).


1 hour ago, exile360 said:

Did you also check by clicking the Change settings for all users to ensure none of the boxes in that list were checked/enabled?  I ask because there are 2 places compatibility settings are stored; both under HKCU (which the items on the first/primary Compatibility tab apply to), as well as HKLM (which apply to all users under that menu).

Nice try but no boxes are checked there either for any potential files I mentioned above.


  • Root Admin
6 hours ago, pal1000 said:

In the meantime the annex thread ended with no evidence that anything is obviously wrong at my end.

It was ended but for clarification you run your setup vastly different than any computer I've seen anyone run before and obviously no one is going to attempt to set up their computer like that just for testing. As I said in the other topic, I have no proof those settings will cause an issue but neither you nor I have the opposite proof that it does not cause an issue. I can almost guarantee you though if you formatted the drive and installed Windows 10 fresh and left everything the way it comes from a default install that Malwarebytes would run without an issue. I realize you're not going to do that but you also have to realize that we're not going to set up a computer like yours and spend dozens of hours trying to make our program work in a non-default setup. If there is something simple, obvious we find wrong okay we'll be more than happy to look at fixing it for everyone as in one of the issues that @LiquidTension already mentioned.

At this point further input would be needed by @LiquidTension as to what further information or tests he'd like to perform.

Thank you again

 

 

 


  • 2 weeks later...
On 8/4/2020 at 5:45 PM, pal1000 said:

3. MBST doesn't actually run FRST during logs collection, it just scrapes C:\FRST\Logs and grabs what's in there. If FRST never ran or its logs were deleted, logs would be incomplete. To have full logs you have to manually download and run FRST scan with default settings before running MBST. This is either a failure of MBST to grab and run FRST or UI is misleading about Run FRST step. Still reproducible with release 1.7.0.

Tests I made clearly indicate that one of the tweaks I made to my system was responsible for this one. See https://github.com/pal1000/pal1000.github.io/commit/9ba400c0521a949ece3da93cfea9f0bb26832363

I then found batcmd.com website which has a very comprehensive catalog with information about Windows services all the way from XP to Windows 10 Version 2004, including default startup type, the exact kind of information to recover from this kind of problem.


On 8/4/2020 at 5:45 PM, pal1000 said:

1. It doesn't autostart after reboot to perform post-reboot cleanup despite being logged on as admin both before and after reboot and UAC being already set to defaults since the very beginning. I was able to manually start post reboot cleanup using Autoruns tool. There I saw MBST autostart entry is in a Run key under HKCU. I don't remember exactly when and where but I read somewhere that Windows refuses to autostart programs that have admin rights flag set, especially if they try to run from HKCU. This is the case for support tool. Both downloaded executable and unpacked executable to admin user temp folder have admin rights flag set. Still reproducible with release 1.7.0.

This was also caused by certain services being disabled.


  • 2 weeks later...
On 8/4/2020 at 5:45 PM, pal1000 said:

2. If I allow Support tool to install MBAM after cleanup, it installs the very old MBAM legacy 3.5.1 for XP. I saw this even with MBST 1.6.2 and now version 1.7.0.

And finally this was also caused by those services being disabled. MB 4.2.0.82 Component 1.0.1025 hitting general availability gave me the opportunity to test this.

 

This thread can be closed as all issues reported have been dealt with at my end with the exception of incomplete cleanup issue, which was known to Malwarebytes before this topic started. I wonder if Support tool should have a fix for LanmanWorkstation service. I am inclined to believe Malwarebytes relies on some SMB loopback communication. IP Helper may also be involved, but I don't see how.


I always disable all SMB functionality in Windows (and always have; this is how I was immune to WannaCry/WannaCrypt0r and the associated EternalBlue SMB exploit used to propagate it across Windows networks) and I have the Workstation service (also known as LanmanWorkstation) disabled.  I also have IP Helper disabled along with numerous other services I don't want or need to be active.  That said, it is indeed possible that one or more of the services you had disabled caused the program to have issues; it just wasn't likely either of those.


I had most of those services disabled (and just went ahead and disabled the rest as I realized I didn't need them; I use a system on a single device network, so no need for sharing/scraping/publishing any resources for discovery or sharing, and I disable all file/device sharing/discovery anyway through the other functions and services associated with it).

That said, it's been a while since I've run the tool so I just ran it again and found the same as you; no FRST download/logs (it looks like it skipped that step as it created the logs very quickly, indicating that it didn't even try to download FRST).  I guess they're using one of those services to download and run FRST.  I already reported your findings to the Product team so they're aware of the issue, whatever the root cause.  I'm sure they'll have QA try disabling the reported services one by one until they find the culprit, then it will be up to the Devs to determine if there's another way to perform the download without requiring the service causing it and decide whether or not to do so per the decision of the Product team.

Edited by exile360
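
Added example, not part of the thread and not Malwarebytes code: a read-only PowerShell check of the settings the posts above discuss (compatibility flags in both HKCU and HKLM, the HKCU Run fallback and the scheduled task, and the start mode of the Workstation and IP Helper services). The placeholder path, the `mb-support` match string and the inclusion of the Task Scheduler service are assumptions.

```powershell
# Added example (read-only). $ExePath is a placeholder: pass the real path
# of the downloaded support tool executable.
param([string]$ExePath = "$env:USERPROFILE\Downloads\mb-support-X.X.X.XXXX.exe")

# 1. Compatibility flags are stored per user (HKCU) and for all users (HKLM),
#    as a value named after the executable's full path.
$layers = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = Get-Item -Path (Join-Path $hive $layers) -ErrorAction SilentlyContinue
    $flags = if ($key) { $key.GetValue($ExePath) } else { $null }
    [pscustomobject]@{
        Check  = "Compatibility flags ($hive)"
        Result = if ($flags) { $flags } else { 'none set' }
    }
}

# 2. Autostart: the HKCU Run value is the fallback, a scheduled task the default.
#    Assumption: the entry's command line contains 'mb-support'.
$pattern = 'mb-support'
$run = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in $run.GetValueNames()) {
        $data = [string]$run.GetValue($name)
        if ($data -match $pattern) {
            [pscustomobject]@{ Check = "HKCU Run value '$name'"; Result = $data }
        }
    }
}
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Actions.Execute -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{ Check = "Scheduled task '$($_.TaskName)'"; Result = $_.State }
    }

# 3. Services named in the thread (Workstation, IP Helper) plus Task Scheduler
#    (added here because the default startup mechanism is a scheduled task).
$names = 'LanmanWorkstation', 'iphlpsvc', 'Schedule'
Get-CimInstance Win32_Service | Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        [pscustomobject]@{ Check = "Service $($_.Name)"; Result = "$($_.StartMode) / $($_.State)" }
    }

# 4. Every service currently disabled, to compare against Windows defaults.
Get-CimInstance Win32_Service -Filter "StartMode = 'Disabled'" | Sort-Object Name |
    ForEach-Object {
        [pscustomobject]@{ Check = 'Disabled service'; Result = "$($_.Name) ($($_.DisplayName))" }
    }
```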