Boot Problem with MBAM 1.43 Pro


In the past, I had some problems with MBAM Pro making my WinXP Pro computer unable to complete the boot process, but with version 1.42, the problem finally seemed to be solved. I was able to have MBAM start with Windows, but with a 1-minute delayed startup, and all was well. I should add that I had put all the suggested exclusion statements into McAfee Enterprise 8.7. Well, along came version 1.43, which came automatically through the update process. After version 1.43 was installed, I was told to restart my computer. I did so, and it hung on reboot. I tried once again to start it, and it started fine, so I hoped that all was well. Apparently it wasn't. Today, my computer again hung as it was booting, though a bit further along than in the past. I forced a shut down and tried again. Same result. I again forced a shut down and went into Safe Mode, where I removed MBAM from my computer. I then rebooted successfully.

I should add that I've run MBAM Quick Scans just about every day, and they revealed no problems. I'm tempted to reinstall MBAM and not let it start at start-up but rather start it manually, which is what I did when I was running version 1.41. On the other hand, if there's a serious problem with version 1.43, perhaps I should leave MBAM off until the problem is fixed. Please advise.

Link to post
Hello,

I suggest 2 things to try:

From Start menu, select RUN then type in to the text box

MSCONFIG

and press Enter

Next, click on the tab BOOT.ini

Look at the Boot Options block

Make sure that Safeboot and Network are clear (NOT selected)

If there is something checked (with a tickmark) let me know which.

I DO want you to check the box /BOOTLOG

Apply and press OK. Restart the system.

Now start in Normal mode.

The Bootlog option will have Windows posting the processes that start as Windows is loading.

The log may prove useful IF in future there's a hitch in startup.

This setting may be un-done later, once the issue is resolved.

Second, and I believe the more useful, as of now.

A) Make sure you have saved your MBAM license key and ID --from the document you got after MBAM purchase. Otherwise, check the About Tab in MBAM.

B) Download and run the MBAM Clean utility.

It should prompt you to Restart the system. Do so. If there's no prompt, do Logoff and Restart fresh.

C) Install version 1.43 and enter your license key info. Set Protection module on.

Download link

http://www.malwarebytes.org/mbam.php

D) Logoff and restart the system once more.

Tell us the results.

If there's a hitch in startup, use either Safe Mode or Safe Mode with Networking, and get a copy of the NTBTLOG.TXT in the C:\Windows folder (some systems may have Windows in \WINNT).

There's also a possibility you'll need to review your startup apps, plus what firewall and antivirus and other anti-malware apps are installed.

Link to post
Maurice, thanks VERY much for your response. I did as you instructed. As I feared, reinstalling MBAM, setting the Protection module, and then restarting the computer caused the boot process to fail to complete. I went into Safe Mode and saw that I do have a copy of NTBTLOG.TXT in spite of getting some perplexing Access Denied popup messages when I tried to Apply the setting /BOOTLOG (even though I do have administrator status). I should add that I checked only the /BOOTLOG box, and none of the others were checked. While I was in Safe Mode, I also changed MBAM's setting so that it will no longer start at startup. I then restarted the computer and the boot process was normal.

If you think it would be helpful, I can either PM or email you a copy of the NTBTLOG.TXT file. It's 1.22 MB and almost 14,000 lines long (!), so I don't want to post it on the forum. As for reviewing my startup apps, firewall, antivirus, and other anti-malware apps, let me say that they're all exactly the same as they were when I was running MBAM 1.42, which started at (delayed) startup with no problem. FWIW, let me say that I try not to have in the startup menu any apps that I don't feel I need at startup. My firewall is Agnitum Outpost Pro, which has not had a problem with MBAM in the past, as far as I know. My anti-virus is McAfee Enterprise Edition 8.7, which definitely HAS had problems with MBAM. Some time ago, I added the following four lines of exclusion to McAfee, as per instructions on this forum:

C:\Documents and Settings\All Users\Application Data\Malwarebytes\ (including subfolders)

C:\Program Files\Malwarebytes' Anti-Malware\ (including subfolders)

C:\WINDOWS\system32\drivers\mbam.sys

C:\WINDOWS\system32\drivers\mbamswissarmy.sys

That, plus a delayed startup, worked for MBAM version 1.42 but apparently not for 1.43.

The only other anti-malware program that runs at startup is WinPatrol PLUS, which also was not a problem with MBAM 1.42.

Please let me know whether you want to see the NTBTLOG.TXT file, and, if so, how best to get it to you.

Again, many thanks.

Link to post
Let me suggest, since you're an MBAM customer, you can contact the help desk at support@malwarebytes.org

and give them a reference link to this topic, and seek their assistance with this case.

Try adding explicit exclusions for these 2 components of MBAM to the list of McAfee exclusions (try it even if you did exclude the folder)

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

In the meantime, regarding the boot log file, you may try this:

Delete the NTBTLOG.txt

then Logoff and restart the system.

A new one (much smaller) should be created.

Attach that in a reply, using the browse and attachment feature.

Link to post
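
For readers working through a boot log like the one discussed above, here is an added example (not part of the original posts, and not Malwarebytes or Microsoft code) that splits an appended NTBTLOG.TXT into one record per boot and reports what each boot loaded. It assumes each boot starts with one or more header lines that are neither `Loaded driver` nor `Did not load driver` entries and that the real file is UTF-16; the sample log is constructed.

```python
import re
from pathlib import PureWindowsPath

ENTRY = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+)$")

# Constructed sample (not from the thread): two boots appended to one log.
SAMPLE = r"""
Service Pack 3 9 17 2009 08:15:02.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \SystemRoot\System32\Drivers\mbam.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Service Pack 3 9 18 2009 07:58:41.375
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\Drivers\mbam.sys
Loaded driver \SystemRoot\System32\Drivers\mbamswissarmy.sys
"""

def split_sessions(text):
    """Split an appended boot log into one record per boot."""
    sessions = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            if not sessions:
                sessions.append({"header": "(no header)", "entries": []})
            name = PureWindowsPath(m.group(2)).name.lower()
            sessions[-1]["entries"].append((m.group(1) == "Loaded driver", name))
        elif sessions and not sessions[-1]["entries"]:
            sessions[-1]["header"] += " " + line  # continuation of a multi-line header
        else:
            sessions.append({"header": line, "entries": []})
    return sessions

def summarize(session, watch=("mbam.sys", "mbamswissarmy.sys")):
    """Last driver loaded, drivers that failed, and the state of watched drivers."""
    loaded = [n for ok, n in session["entries"] if ok]
    failed = sorted({n for ok, n in session["entries"] if not ok})
    state = lambda w: "loaded" if w in loaded else "not loaded" if w in failed else "absent"
    return {"header": session["header"], "last_loaded": loaded[-1] if loaded else None,
            "not_loaded": failed, "watched": {w: state(w) for w in watch}}

def new_in(later, earlier):
    """Drivers loaded in `later` that `earlier` never loaded."""
    before = {n for ok, n in earlier["entries"] if ok}
    return sorted({n for ok, n in later["entries"] if ok} - before)

if __name__ == "__main__":
    # Real file: open(r"C:\WINDOWS\ntbtlog.txt", encoding="utf-16").read()  (encoding is an assumption)
    boots = split_sessions(SAMPLE)
    print(len(boots), "boots;", summarize(boots[-1]))
    print("new since previous boot:", new_in(boots[-1], boots[-2]))
```

The log records driver load attempts, so the last entry of a hung boot is a place to start looking rather than proof of the cause.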
Let me suggest, since you're an MBAM customer, you can contact the help desk at support@malwarebytes.org

and give them a reference link to this topic, and seek their assistance with this case.

Thanks very much, Maurice, for your response. I added the two extra exclusion lines, and I tried to get a bootlog after putting MBAM back into the startup menu, but I wasn't successful in getting it there. Frankly, I'd be just as happy to start it manually after the bootup completes. However, there's one new wrinkle. Although all my quick scans up through yesterday revealed no problem, I just ran a quick scan now and, in the heuristic scan, one alleged malware item turned up: Malware.Trace Registry Key HKEY_CLASSES_ROOT\WR. I have no idea what to do about this. The only malware that any security software has found on my computer in years have all turned out to be false positives (including a disastrous one from MBAM that resulted in my having to reinstall Windows). So I'm not sure whether this is another false positive. I'm especially dubious because it came so late in the extra heuristics scan.

I'd welcome your advice.

Link to post
Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Please post there Gmer.txt log

the DDS logs

plus the latest MBAM scan log

Don't post your logs here.

Link to post
Please print out, read and follow the directions here, skipping any steps you are unable to complete.

Thanks, Maurice. I've now run a full scan with my antivirus program and an MBAM quick scan with the most recent definitions. Both scans come up clean. Since that's the case, and since I'm not having any problems with my computer except an all-too-familiar problem getting MBAM to work at startup, I think my best bet is simply to start MBAM manually after the boot process completes.

Thanks again for your help.

Link to post
Hi whatmeworry?,

If you're sure it's not malware related, I don't mind having a go at trying to find the problem for you. If you want me to have a go, please tell me what icons you have in your system tray after a successful boot up. And also please do this:

Download the latest version of Sysinternals Autoruns from here.

  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip file you just created to your next reply

Link to post
If you're sure it's not malware related, I don't mind having a go at trying to find the problem for you. If you want me to have a go, please tell me what icons you have in your system tray after a successful boot up. And also please do this:

Attach the Autoruns.zip file you just created to your next reply

Thanks very much, Mark, for your offer to help. If you're referring to my normal bootup that doesn't include Malwarebytes, here's the list of programs that normally appear in the system tray after a successful bootup, and also the Autoruns.zip file:

McAfee Enterprise Edition antivirus

Outpost Firewall Pro 2009

Volume (i.e., the icon I use to adjust sound volume)

Wireless Network Connection

WinPatrol PLUS

Local Area Connection (which I never use, but I haven't managed to get rid of it)

LaunchBar Commander

MultiG

and two programs on delayed startup:

Vista Start Menu (an alternative to the normal start menu--not related to Vista)

Palm Hotsync

AutoRuns.zip

Link to post
Thanks very much, Mark. I really appreciate your offer to help, and I look forward to learning what you find out.

Oh, one more thing--I left out one program that starts at startup--Directory Opus 9. The icon is theoretically in the system tray, but I set it to always hide. It's there, but I don't see it unless I look for it among the hidden icons.

Link to post
Hi whatmeworry?,

I've had a look at your AutoRuns.arn file. And I must be honest and say that nothing obvious is immediately jumping out at me. But there are certainly a few things we can try if you want to give it a go.

The first thing is to add all these individual files to your exclusions/trusted file lists in McAfee, Outpost Firewall and, even though it's not actually running at startup, I would also exclude them in SUPERAntiSpyware as well.

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll

C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll

C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware\rules.ref

C:\Windows\System32\drivers\mbam.sys

C:\Windows\System32\drivers\mbamswissarmy.sys

If that doesn't work, please try this:

You also have Lavasoft Ad-Aware which is running lsdelete.exe at Boot Execute and automatically running the Ad-Aware service in the background. In another thread here, a program running at Boot Execute was clashing with MBAM's protection module at startup. So I would suggest that you uninstall Lavasoft Ad-Aware and see if it has any effect on the problem. You already have MBAM and SUPERAntiSpyware, which are both far better programs than Ad-Aware, so hopefully that shouldn't be a problem.

There are also several other things we can try, but I think it would be better if you tried these first and then attached a new AutoRuns.arn file afterwards if the problem has not gone away.

Finally, for now anyway, a couple of questions. You have MSConfig running at Logon. What have you configured it to do?

For your delayed startup programs, is that anything to do with MSConfig, or are you using WinPatrol to delay them?

Best of luck, mate.

Link to post
Hi, Mark. Thanks very much for your response. I tried to add the exclusions you suggested to the programs you named, but with only partial success. Adding them to McAfee was no problem, though I suspect that I've now got some overlap between folders I'd already told McAfee to exclude and specific files I've now added. I don't imagine that will cause any problems. I was able to add the Malwarebytes folder to SuperAntiSpyware's exclusions, but for some reason that section was only for folders, and the part that I thought would accept files wouldn't accept anything. Perhaps only the commercial version permits this, I don't know. Since I rarely use SAS, and it doesn't start at startup, I don't imagine this matters much. As for Outpost, sigh, I have to admit that I'm still feeling my way around this program, and I couldn't find where I could add exclusions. The places where I could add them (web control and anti-spyware) are sections that I chose from the start not to use or include--I use only the firewall, and the other parts don't even load, I think. However, though I couldn't find where to put exclusions in the firewall, I should note that I had no problem using Outpost with version 1.42 of MBAM--there was no conflict. As for Ad-Aware, I had been thinking of zapping that program, and you gave me the push I needed. It's now off my computer.

As for the questions you asked, I think MSCONFIG turned up at startup because Maurice Naggar had me doing some troubleshooting using BOOT.ini (see earlier messages in this thread). I think MSCONFIG is now back to normal. And yes, I used WinPatrol to arrange for the two delayed startup entries.

OK, now for the bad news. There's still a problem. :) Having done the above, I then set MBAM to start with Windows and then rebooted. Once again, the boot process hung. I couldn't do anything except force a shutdown. I then went into Safe Mode, set MBAM **NOT** to start with Windows, and rebooted. All was well.

To be honest, I don't know whether it's worth your time or mine to keep trying to solve this. Clearly, a number of people have reported problems since upgrading to MBAM 1.43. Their problems tended to be somewhat different from mine, but I suspect that some change in 1.43 may have been responsible for a lot of these issues. Or maybe it's just the phases of the moon.

Anyway, I ran autoruns again, and I've attached the new file. But as I said, perhaps we should just assume that the problem I'm having with MBAM is yet another of Life's Mysteries. I don't mind starting MBAM manually.

Though the problem remains, I'm VERY grateful to you for attempting to help.

AutoRuns.zip

Link to post
Well, believe it or not, I may have some good news. I decided to try again to delay MBAM's startup. Since the 1-minute delay that had worked in 1.42 didn't work in 1.43 (that failure was what started this thread), I decided to try 2 minutes. That seems to work, though the whole boot process seems a bit longer and more finicky. I think I'll keep this arrangement for now, but I may just decide that things go more smoothly when I start MBAM manually. Anyway, I thought I'd report this piece of good news.

Again, thanks to both Mark and Maurice for your help and your patience.

Link to post