
Random "unable to connect the service" messages



Sometimes, randomly, after I quit MWB and then try to re-launch it, I get the error "Unable to connect the service" (?). All I did in these cases was reboot and everything went back to normal, but it still happened a couple of times in a week... I don't think I'm infected (I did nothing dangerous), and Windows Defender does not report anything strange...

I've noticed the Service is actually without options (Restart, Stop...):
[image]

Attached my mbst-grab-results...

 

mbst-grab-results.zip

Link to post
Share on other sites

  • Root Admin

Thank you for the logs @hexaae

The logs indicate the computer is either infected or has some damage from a previous infection.

Let's go ahead and do some scans to make sure nothing is found still active on the system.

 

 

Microsoft Safety Scanner

Please make sure you exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers: make sure all are fully exited out of, and that messenger programs are exited and closed as well.
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links and the instructions on how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not give credence to any intermediate early flash messages you may see on the screen display. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you

 

Link to post
Share on other sites

Ok will do...

I made a scan in the meantime with F-Secure online and it did not detect anything... Also, a Defender quick scan didn't find anything. Are you sure?
After I got it the first time the other week and rebooted, I started a MWB full scan and it found nothing BTW...

Edited by hexaae
Link to post
Share on other sites

It found nothing (2 false positives, I didn't run in the last 5 months at least). Attached. The strange thing is that while running it said "Detected infected files: 29" (scanned more than 800'000), but the final log is just this attached one. What does it mean? Did it delete/remove those other files without logging? WHAT FILES were detected as the 29??? I hope it didn't delete important false positive files without logging...

[image]

 

Can you please explain what you saw in mbst-grab-results.zip to say this (so I can double-check those things you found suspicious)?

Quote

The logs indicate the computer is either infected or has some damage from a previous infection.

 

My suspicion:
since it always happened only AFTER I quit MWB (it happened just a couple of times in the last 2-3 weeks and I use MWB Premium every day), my suspicion is that it's just a bug in MWB/Windows: if you notice, the service from the picture above says "Service status: Stopping..." ("Arresto in corso" in Italian) and is stuck there, which explains why it fails to re-launch MWB, and why if I reboot it starts working again (with real-time and rootkit protection on, and everything perfectly running as usual)... and then a full MWB scan says there is nothing. The problem happened just a couple of times, only after I manually quit MWB from the traybar and then tried to re-launch it.

Currently checking also with ESET Online Scanner...

msert.log

Edited by hexaae
added Ita translation
Link to post
Share on other sites

Just noticed that after manually quitting MWB from the Windows 10 traybar (to test if it happened again) it logged this error:

Descrizione
Percorso dell'applicazione che ha generato l'errore:    C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

Firma del problema
Nome evento problema:    APPCRASH
Nome applicazione:    mbamtray.exe
Versione applicazione:    4.0.0.1250
Timestamp applicazione:    62023b8a
Nome modulo con errori:    Qt5Core.dll
Versione modulo con errori:    5.14.1.0
Timestamp modulo con errori:    603971ce
Codice eccezione:    c0000005
Offset eccezione:    0000000000219dc5
Versione SO:    10.0.19043.2.0.0.256.48
ID impostazioni locali:    1040
Informazioni aggiuntive 1:    47ff
Ulteriori informazioni 2:    47ff1f85764ba318c5732db295c7709d
Ulteriori informazioni 3:    9d43
Ulteriori informazioni 4:    9d437f5bf4fafe3bd0dadd96a8df2ac8

[image]

But I can't reproduce it if I re-run and quit MWB again... Mmmh, something is unstable in the UI/service components after the latest MWB updates IMHO.
 

Edited by hexaae
Link to post
Share on other sites

3 minutes ago, Porthos said:

I just want to add you are 3 full versions behind in full program updates.

Oh... I expected it to check program updates automatically (as it always did). I have all updates options enabled... 

Isn't this the last version?

[image]

Edited by hexaae
Link to post
Share on other sites

5 minutes ago, hexaae said:

Oh... I expected it to check program updates automatically (as it always did). I have all updates options enabled... 

It does but updates are metered out.

5 minutes ago, hexaae said:

Isn't this the last version?

4.5.7 is the current version.

Link to post
Share on other sites

5 minutes ago, hexaae said:

Information tab and clicked on Search for updates... and it actually got updated to 4.5.7 (why it didn't this automatically?)

The company has program updates pushed through the normal updater (the one that checks for database updates) metered in such a way that it is throttled so not every user is offered the new build once it has been released, so it becomes a matter of probability and is somewhat random.  This means that you might be offered it early, or it might take a really long time before it is offered to you, it just all depends.  Basically a luck of the draw kind of deal.

Link to post
Share on other sites

1 minute ago, Porthos said:

This means that you might be offered it early, or it might take a really long time before it is offered to you, it just all depends.  Basically a luck of the draw kind of deal.

Exactly my experience. Thanks, now I know it's better to manually check in Settings > Information > Search for updates every now and then.

Link to post
Share on other sites

  • Root Admin

Can you please do the following? Let's do a CLEAN removal and reinstall of the Malwarebytes program files. Then we'll review the logs again.

As I said, it may have just been damage or at least unexpected items shown in the logs. Will review again to double-check after you follow the directions below.

 

 

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

Link to post
Share on other sites

I quit Malwarebytes.

I ran MBST and selected CLEAN. It removed MWB, then asked me to reinstall it (no reboot in the process), so I proceeded and after the MWB re-installation I clicked on the Complete button in the window of the MWB installer that didn't go away by itself. At this point MBST popped up a warning "Installation aborted" (?!!!!). Then it asked me to install MWB Privacy VPN... (?)

I repeated the CLEAN process. This time it removed MWB and asked me to reboot. After the restart MBST auto-started again on login and I reinstalled MWB again. Once again clicking the Complete button in the installer generated an "Installation aborted" warning from MBST (!??)... I ignored the further MWB Privacy VPN install request again...

Then I generated the zip.

...Anyway here are the logs and requested files.

mbst-clean-results.txt mbst-grab-results.zip

Edited by hexaae
Link to post
Share on other sites

  • Root Admin

Are you using Microsoft OneDrive?

Please double-check what this file is doing and if you still want or need it. You have Windows Script calling a PowerShell file that is typically a sign of possible infection. PowerShell is already much more powerful than VBS and does not need it.

HKU\S-1-5-21-2197210833-2190798041-2317798482-1002\...\Run: [Xvid] => WScript "C:\Program Files (x86)\Xvid\CheckUpdateLauncher.vbs" "C:\Program Files (x86)\Xvid\CheckUpdate.ps1"

 

 

 

Edge Notifications: HKU\S-1-5-21-2197210833-2190798041-2317798482-1002 -> hxxps://chat.kenamobile.it; hxxps://forum.affinity.serif.com; hxxps://gocdkeys.it

Edge Notifications: Default -> hxxps://community.windows.com; hxxps://kiwiirc.com; hxxps://mail.yandex.com; hxxps://meet.google.com; hxxps://steamcommunity.com; hxxps://web.whatsapp.com; hxxps://wp.aliexpress.com; hxxps://www.byoblu.com

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

 

Please exit out of Malwarebytes from the task tray and close all open browsers and applications and run the following fix.

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

 

Thanks

 

Edited by AdvancedSetup
Updated info
Link to post
Share on other sites
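
Added example (not part of the original thread, and not code from Malwarebytes or FRST): a small Python triage helper for the two kinds of log line discussed in the post above, autorun entries where a script host launches script files and the list of sites allowed to send push notifications. The sample lines, the function names and the script-host and extension lists are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample lines in the same layout as the FRST entries quoted in
# the thread; the SID, program names and sites are made up for illustration.
SAMPLE = r'''
HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\...\Run: [Updater] => WScript "C:\Program Files (x86)\Example\Launch.vbs" "C:\Program Files (x86)\Example\Check.ps1"
HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\...\Run: [Sync] => "C:\Program Files\Example\sync.exe" /background
Edge Notifications: Default -> hxxps://example.com; hxxps://example.org
'''
LINES = SAMPLE.strip().splitlines()

# Assumed review lists (not taken from any tool): interpreters that run
# scripts, and the file extensions they commonly execute.
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "pwsh", "cmd"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")

RUN_RE = re.compile(r'^(?P<key>\S+\\Run): \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$')
NOTIF_RE = re.compile(r'^(?P<browser>\w+) Notifications: (?P<profile>\S+) -> (?P<sites>.+)$')
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def review_run_entry(line):
    """Parse one Run-key line; return its name, scripts and reasons to look closer."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    # Split the command line, keeping quoted paths with spaces as one token.
    toks = [quoted or bare for quoted, bare in TOKEN_RE.findall(m["cmd"])]
    exe = ntpath.basename(toks[0]).lower()
    host = exe[:-4] if exe.endswith(".exe") else exe
    scripts = [t for t in toks[1:] if t.lower().endswith(SCRIPT_EXTS)]
    reasons = []
    if host in SCRIPT_HOSTS:
        reasons.append(f"script host {host}")
    # One script type handing off to another (e.g. .vbs launching .ps1) is
    # the pattern the helper in the thread singled out for manual review.
    exts = sorted({ntpath.splitext(s)[1].lower() for s in scripts})
    if len(exts) > 1:
        reasons.append("chains script types: " + ", ".join(exts))
    return {"name": m["name"], "scripts": scripts, "reasons": reasons}


def unexpected_notification_origins(line, known_hosts):
    """Return push-notification hosts on the line that the user does not recognise."""
    m = NOTIF_RE.match(line.strip())
    if not m:
        return []
    hosts = [re.sub(r'^h(?:xx|tt)ps?://', '', s.strip()) for s in m["sites"].split(";")]
    return [h for h in hosts if h and h not in known_hosts]


if __name__ == "__main__":
    for line in LINES:
        entry = review_run_entry(line)
        if entry and entry["reasons"]:
            print(entry["name"], "->", "; ".join(entry["reasons"]))
    print("unrecognised:", unexpected_notification_origins(LINES[2], {"example.com"}))
```

A flagged entry is a prompt to open the referenced scripts and read them, as was done later in this thread, not a verdict that the entry is malicious.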

Thank you for the support. I'll divide the arguments into paragraphs for convenience:

a. yes I installed XVid years ago from the official site... and never noticed strange behaviour: Xvid - CheckUpdate.exe - Program Information (bleepingcomputer.com)

[image]

Is it not trustworthy? I can exclude it from AutoRuns of course... I attached those two scripts anyway.

 

b. those Edge push notifications are ok for me (yes I remember them and I'm aware) and never experienced strange popups or adware issues.

c. about the script: DISM and sfc /scannow are ok, already checked and they didn't report strange errors...
I really don't want to RESET all the other mentioned programs and caches... should I really do that? It's a bit exaggerated in my humble opinion as I never encountered problems. Really, besides this strange behaviour that brought me here to open this thread (please consider I was using an old MWB 4.5.4), with the randomly stuck MBAMService on manually quitting MWB and some random crashes of mbamtray.exe, I've never seen anything suspicious on this PC (and I'm the kind of tech-savvy guy always using UAC at max level, sandboxing apps on first download with VBox, and I usually don't use cracks, pirated software etc.).

If there's nothing else suspicious from my mbst-grab-results I'd prefer to leave things as they are, hoping the new MWB 4.5.7 fixed once and for all my small issue with your anti-malware.

XVid-scripts.zip

Edited by hexaae
Link to post
Share on other sites

  • Root Admin

Those scripts don't appear to be doing anything bad. But, it's not using the EXE that Bleepingcomputer showed either.

Not sure when/where/why/ etc. they changed to that method but that software is also from 21 years ago. I used it myself way back when. Have not downloaded or used it myself though in probably the last decade. Regardless, seems harmless.

You also need to check on this one to see what it's doing.

%USERPROFILE%\init.cmd

You can open in notepad or use the command TYPE in DOS

 

As far as running the clean up - again - that's up to you. I've been doing Enterprise and Consumer computer support now for thirty years and simply trying to help you clean up and maintain the computer.

 

If you're happy and would rather not run that's okay, it's your computer. Just let me know and I'll go ahead and close up the topic.

Cheers

 

Link to post
Share on other sites

Yep, it was indeed an old codec solution... thanks, I'll probably uninstall it as I don't think it is even needed today with Win 10.

init.cmd is ok too, I created it to define some handy CMD aliases:

[image]

 

Forgive my limited English (not my native tongue): didn't want to sound disrespectful. Of course I opened this thread because I know you're experienced professionals and could help me.
However after those checks it's ok for me (if you tell me there's nothing else suspicious from my logs) as I'm quite confident it wasn't a malware issue but just a problem with old MWB perfectly running but not re-launching sometimes because MBAMService was stuck as mentioned in one of your changelogs.

Will report and continue (?) this thread if it happens again or I notice other strange things, thank you for your time and patience!

Edited by hexaae
Link to post
Share on other sites

  • Root Admin

No disrespect taken. 😀

The logs do not indicate any obvious ongoing threats or issues.

You have an immense amount of applications set in compatibility mode which is odd to see, but again, that doesn't mean anything is wrong.

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run. If wanted you can manually do this as well, don't have to run this tool.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Link to post
Share on other sites

Quote

You have an immense amount of applications set in compatibility mode which is odd to see

Correct. I use them mainly to fix old games through MS Application Compatibility Tool... I have created many "fix-it" guides on Steam too ;)

I'll remove files manually "the old way" thank you (didn't know KpRm!).

Thanks for the advice too (I already use KeePass, I'm the Italian translator :))...

Keep up the good work (and please add wildcards for exclusions in MWB ASAP! :D)

P.S.
About exclusions... is there a way to back up and restore them (URLs and local file locations) after a MWB reinstall?

Edited by hexaae
Link to post
Share on other sites

  • Root Admin

Wildcards are likely to never come to the product as that would easily lead to an infection.

No, there currently is no way to back up your settings. However, we do have an open project ticket to add such a feature in the future. Just not sure when that will be.

Great to hear you work to provide help on KeePass. Excellent product I've been using for about fifteen years myself.

Take care and stay safe out there

Have a great week as well

Cheers

 

 

Link to post
Share on other sites

This topic is now closed to further replies.