Malwarebytes Crashing on boot up

Triple Helix

Microsoft MVP
Contributor
Hello everyone,

I was in contact with MBAM support and they could not give me a good reason for it crashing on boot up, and I don't have it set to run in real time. I have a dump file for MBAM; maybe you can see more than meets the eye? It might have something to do with Webroot SecureAnywhere?

TIA,

Daniel

I think I posted in the wrong forum sorry.

 
I don't see anything in the dump analysis - but I'm not very good at app crashes:
Code:
Microsoft (R) Windows Debugger Version 6.2.9200.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Owner\Downloads\mbamgui.exe.2444\mbamgui.exe.2444.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols;srv*c:\SymcachePublic*http://ctxsym.citrix.com/symbolsad/symbols
Executable search path is: 
Windows 7 Version 7601 (Service Pack 1) MP (8 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Mon Jun 10 11:31:49.000 2013 (UTC - 4:00)
System Uptime: not available
Process Uptime: 0 days 0:00:27.000
....................................................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(98c.a94): Unknown exception - code 40000015 (first/second chance not available)
eax=00000000 ebx=0497ed54 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=7775013d esp=0497ecdc ebp=0497ed04 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtWaitForMultipleObjects+0x15:
7775013d 83c404          add     esp,4
0:002> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP: 
KERNELBASE!RaiseException+58
7575c41f c9              leave

EXCEPTION_RECORD:  0497f45c -- (.exr 0x497f45c)
ExceptionAddress: 7575c41f (KERNELBASE!RaiseException+0x00000058)
   ExceptionCode: e06d7363 (C++ EH exception)
  ExceptionFlags: 00000001
NumberParameters: 3
   Parameter[0]: 19930520
   Parameter[1]: 0497f880
   Parameter[2]: 00f21cd8
unable to find C-Runtime symbols, even with unqualified search

DEFAULT_BUCKET_ID:  STATUS_FATAL_APP_EXIT

PROCESS_NAME:  mbamgui.exe

ERROR_CODE: (NTSTATUS) 0x40000015 - {Fatal Application Exit}  %hs

EXCEPTION_CODE: (NTSTATUS) 0x40000015 (1073741845) - {Fatal Application Exit}  %hs

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  mbamgui.exe

CONTEXT:  0497f4ac -- (.cxr 0x497f4ac)
eax=0497f794 ebx=00000008 ecx=00000003 edx=00000000 esi=00000000 edi=00000000
eip=7575c41f esp=0497f794 ebp=0497f7e4 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x58:
7575c41f c9              leave
Resetting default scope

LAST_CONTROL_TRANSFER:  from 00ef857e to 7575c41f

FAULTING_THREAD:  ffffffff

PRIMARY_PROBLEM_CLASS:  STATUS_FATAL_APP_EXIT

BUGCHECK_STR:  APPLICATION_FAULT_STATUS_FATAL_APP_EXIT

STACK_TEXT:  
0497f794 7575c41f kernelbase!RaiseException+0x58
0497f7ec 00ef857e mbamgui+0x3857e
0497f824 00ec6f84 mbamgui+0x6f84
0497f8bc 76ff33aa kernel32!BaseThreadInitThunk+0xe
0497f8c8 77769ef2 ntdll!__RtlUserThreadStart+0x70
0497f908 77769ec5 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .cxr 000000000497F4AC ; kb ; dps 497f794 ; kb

FOLLOWUP_IP: 
mbamgui+3857e
00ef857e ??              ???

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  mbamgui+3857e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mbamgui

IMAGE_NAME:  mbamgui.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  512fc066

FAILURE_BUCKET_ID:  STATUS_FATAL_APP_EXIT_40000015_mbamgui.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_STATUS_FATAL_APP_EXIT_mbamgui+3857e

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/mbamgui_exe/1_70_0_0/512fc066/mbamgui_exe/1_70_0_0/512fc066/40000015/0003b525.htm?Retriage=1

WATSON_IBUCKET:  -816565456

WATSON_IBUCKETTABLE:  1

Followup: MachineOwner
---------

0:002> .cxr 0x497f4ac
eax=0497f794 ebx=00000008 ecx=00000003 edx=00000000 esi=00000000 edi=00000000
eip=7575c41f esp=0497f794 ebp=0497f7e4 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
KERNELBASE!RaiseException+0x58:
7575c41f c9              leave
0:002> .exr 0x497f45c
ExceptionAddress: 7575c41f (KERNELBASE!RaiseException+0x00000058)
   ExceptionCode: e06d7363 (C++ EH exception)
  ExceptionFlags: 00000001
NumberParameters: 3
   Parameter[0]: 19930520
   Parameter[1]: 0497f880
   Parameter[2]: 00f21cd8
unable to find C-Runtime symbols, even with unqualified search

That being said, I've had more problems with WebRoot SecureAnyWhere than with any other popular protection program.
Test by removing WebRoot and see if that stops it.

Good luck!
 
You can find the WRusr on the stack, but I'm not sure if it's directly connected to the problem. Just as usasma said - remove WebRoot and see if it helps.
Code:
0:002> !teb
TEB at 7efd7000
    ExceptionList:        0497ed90
    StackBase:            04980000
    StackLimit:           0497d000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7efd7000
    EnvironmentPointer:   00000000
    ClientId:             0000098c . 00000a94
    RpcHandle:            00000000
    Tls Storage:          7efd702c
    PEB Address:          7efde000
    LastErrorValue:       0
    LastStatusValue:      c0000034
    Count Owned Locks:    0
    HardErrorMode:        0
0:002> dds 0497d000 04980000
[CUT]
0497ecd4  ????????
0497ecd8  0497ed04
0497ecdc  7775013d ntdll!NtWaitForMultipleObjects+0x15
0497ece0  720e87a9 WRusr+0x187a9
0497ece4  00000002
0497ece8  0497ed54
0497ecec  00000001
0497ecf0  00000000
0497ecf4  00000000
0497ecf8  00000002
0497ecfc  00000000
0497ed00  00000000
0497ed04  0497eda0
0497ed08  757615e9 KERNELBASE!WaitForMultipleObjectsEx+0x100
0497ed0c  00000002
0497ed10  0497ed54
0497ed14  00000001
0497ed18  00000000
0497ed1c  00000000
0497ed20  8b622535
0497ed24  00000002
0497ed28  0497edcc
0497ed2c  0497edc8
0497ed30  00000024
0497ed34  00000001
0497ed38  00000000
0497ed3c  00000000
0497ed40  00000000
0497ed44  00000000
0497ed48  00000000
0497ed4c  00000000
0497ed50  00000000
0497ed54  0000010c
0497ed58  000000e8
0497ed5c  00730079
0497ed60  004f0057
0497ed64  00360057
0497ed68  005c0034
0497ed6c  00650057
0497ed70  00460072
0497ed74  00750061
0497ed78  0074006c
0497ed7c  0065002e
0497ed80  00000002
0497ed84  00000000
0497ed88  0497ed20
0497ed8c  00000000
0497ed90  0497ee60
0497ed94  75786ff0 KERNELBASE!_except_handler4
0497ed98  fa8d402d
0497ed9c  00000000
0497eda0  0497ede8
0497eda4  76ff1a2c kernel32!WaitForMultipleObjectsExImplementation+0xe0
0497eda8  0497ed54
0497edac  0497edc8
0497edb0  00000000
0497edb4  ffffffff
0497edb8  00000000
0497edbc  00170000
0497edc0  000000e8
0497edc4  00000000
0497edc8  0000010c
0497edcc  000000e8
0497edd0  006f0064
0497edd4  00730077
0497edd8  0053005c
0497eddc  00730079
0497ede0  004f0057
0497ede4  00360057
0497ede8  0497ee04
0497edec  76ff4220 kernel32!WaitForMultipleObjects+0x18
0497edf0  00000002
0497edf4  7efde000
0497edf8  00000000
0497edfc  ffffffff
0497ee00  00000000
0497ee04  0497ee70
0497ee08  770180c4 kernel32!WerpReportFaultInternal+0x186
0497ee0c  00000002
0497ee10  0497ee38
0497ee14  00000000
0497ee18  ffffffff
0497ee1c  8b6226dd
0497ee20  00000000
0497ee24  00000000
0497ee28  0497ef34
0497ee2c  0000000c
0497ee30  00000000
0497ee34  00000001
0497ee38  0000010c
0497ee3c  000000e8
0497ee40  00000000
0497ee44  00170000
0497ee48  80004005
0497ee4c  000000e8
0497ee50  000000ec
0497ee54  0000010c
0497ee58  0497ee1c
0497ee5c  8b622625
0497ee60  0497ef10
0497ee64  77094123 kernel32!_except_handler4
0497ee68  f8f44855
0497ee6c  00000000
0497ee70  0497ee84
0497ee74  77017f83 kernel32!WerpReportFault+0x70
0497ee78  0497ef34
0497ee7c  00000001
0497ee80  00000001
0497ee84  0497ee94
0497ee88  77017878 kernel32!BasepReportFault+0x20
0497ee8c  0497ef34
0497ee90  00000001
0497ee94  0497ef20
0497ee98  770177f7 kernel32!UnhandledExceptionFilter+0x1af
0497ee9c  0497ef34
0497eea0  00000001
0497eea4  8b62278d
0497eea8  00000000
0497eeac  770c030c kernel32!BasepUEFLock
0497eeb0  00000003
0497eeb4  00000000
0497eeb8  00000000
0497eebc  00000000
0497eec0  00000000
0497eec4  00000000
0497eec8  00000000
0497eecc  00000000
0497eed0  00000000
0497eed4  00000000
0497eed8  00000000
0497eedc  00000000
0497eee0  00000000
0497eee4  00000000
0497eee8  00000000
0497eeec  00000000
0497eef0  00000000
0497eef4  00000001
0497eef8  00000000
0497eefc  00000000
0497ef00  00000006
0497ef04  00000000
0497ef08  0497eea4
0497ef0c  00000000
0497ef10  0497f28c
0497ef14  77094123 kernel32!_except_handler4
0497ef18  f8f4b095
0497ef1c  fffffffe
0497ef20  0497f25c
0497ef24  00efc6af mbamgui+0x3c6af
0497ef28  00000000
0497ef2c  00efd218 mbamgui+0x3d218
0497ef30  0497f35c
0497ef34  0497ef3c
0497ef38  0497ef8c
0497ef3c  40000015
0497ef40  00000001
0497ef44  00000000
0497ef48  00efb525 mbamgui+0x3b525
0497ef4c  00000000
0497ef50  00000000
0497ef54  00000000
0497ef58  00000000
0497ef5c  00000000
0497ef60  00000000
0497ef64  00000000
0497ef68  00000000
0497ef6c  00000000
0497ef70  00000000
0497ef74  00000000
0497ef78  00000000
0497ef7c  00000000
0497ef80  00000000
0497ef84  00000000
0497ef88  00000000
0497ef8c  00010001
0497ef90  00000000
0497ef94  0497eff4
0497ef98  75761ac0 KERNELBASE!GetModuleHandleForUnicodeString+0xad
0497ef9c  8b62274d
0497efa0  00000000
0497efa4  725942d8 mbamnet+0x1742d8
0497efa8  00000002
0497efac  00000000
0497efb0  00000000
0497efb4  00000000
0497efb8  00000000
0497efbc  76fe0000 kernel32!_imp__DebugBreak <PERF> (kernel32+0x0)
0497efc0  0497ef9c
0497efc4  00000000
0497efc8  0497f440
0497efcc  75786ff0 KERNELBASE!_except_handler4
0497efd0  fa8d406d
0497efd4  fffffffe
0497efd8  75761ac0 KERNELBASE!GetModuleHandleForUnicodeString+0xad
0497efdc  7578739e KERNELBASE!_SEH_epilog4_GS+0xa
0497efe0  75761cfb KERNELBASE!BasepGetModuleHandleExW+0x233
0497efe4  8b623cc5
0497efe8  00000000
0497efec  028f1f58
0497eff0  72420000 mbamnet
0497eff4  001a0018
0497eff8  725942d8 mbamnet+0x1742d8
0497effc  0497f470
0497f000  00000000
0497f004  00000000
0497f008  00000000
0497f00c  02080000
0497f010  0497f22c
0497f014  02080000
0497f018  0497002b
0497f01c  00000053
0497f020  76fe002b kernel32!_imp__DebugBreak <PERF> (kernel32+0x2b)
0497f024  0000002b
0497f028  00efd218 mbamgui+0x3d218
0497f02c  770c030c kernel32!BasepUEFLock
0497f030  00000003
0497f034  00000000
0497f038  00000000
0497f03c  0497ef8c
0497f040  0497f29c
0497f044  00efb525 mbamgui+0x3b525
0497f048  00000023
0497f04c  00000202
0497f050  0497f260
0497f054  0000002b
0497f058  00000000
0497f05c  00000000
0497f060  00000000
0497f064  00000000
0497f068  00000000
0497f06c  00000000
0497f070  00000000
0497f074  00000000
0497f078  00000000
0497f07c  00000000
0497f080  00000000
0497f084  00000000
0497f088  00000000
0497f08c  00000000
0497f090  00000000
0497f094  00000000
0497f098  00000000
0497f09c  00000000
0497f0a0  00000000
0497f0a4  00000000
0497f0a8  00000000
0497f0ac  00000000
0497f0b0  00000000
0497f0b4  00000000
0497f0b8  00000000
0497f0bc  00000000
0497f0c0  00000000
0497f0c4  00000000
0497f0c8  8b623861
0497f0cc  0497f520
0497f0d0  76ff3362 kernel32!_BaseDllInitialize+0x92
0497f0d4  00000002
0497f0d8  00000000
0497f0dc  0497f5b0
0497f0e0  0497f534
0497f0e4  76ff3377 kernel32!_BaseDllInitialize+0x2cf
0497f0e8  00000000
0497f0ec  00000000
0497f0f0  01092ce0
0497f0f4  00000000
0497f0f8  76fe0000 kernel32!_imp__DebugBreak <PERF> (kernel32+0x0)
0497f0fc  00000000
0497f100  00000000
0497f104  00000000
0497f108  00000000
0497f10c  00000000
0497f110  00000000
0497f114  00000000
0497f118  00000000
0497f11c  00000000
0497f120  00000000
0497f124  00000000
0497f128  00000000
0497f12c  00000000
0497f130  00000000
0497f134  00000000
0497f138  00000000
0497f13c  00000044
0497f140  02a94188
0497f144  02c10000
0497f148  02a94fe0
0497f14c  00000000
0497f150  00000000
0497f154  00000000
0497f158  00000000
0497f15c  00000187
0497f160  0497f24c
0497f164  00000044
0497f168  00000044
0497f16c  77762c8f ntdll!RtlpAllocateHeap+0xc78
0497f170  02a94190
0497f174  00000000
0497f178  77763cc3 ntdll!RtlpAllocateHeap+0xe73
0497f17c  7314e5e2
0497f180  00000002
0497f184  02c103a4
0497f188  02c10000
0497f18c  02c10150
0497f190  00000000
0497f194  00000000
0497f198  02c12a48
0497f19c  00000000
0497f1a0  02c12a94
0497f1a4  00000000
0497f1a8  00000187
0497f1ac  00000000
0497f1b0  02c12a48
0497f1b4  0000014b
0497f1b8  02a87ec8
0497f1bc  00000000
0497f1c0  000001cb
0497f1c4  00000000
0497f1c8  00000080
0497f1cc  00000000
0497f1d0  00000000
0497f1d4  00000000
0497f1d8  00000000
0497f1dc  00000000
0497f1e0  02000002
0497f1e4  02c1ff90
0497f1e8  57000453
0497f1ec  00000000
0497f1f0  00000000
0497f1f4  00000000
0497f1f8  000007ff
0497f1fc  00000000
0497f200  1f000c13
0497f204  02c1d1c0
0497f208  00000001
0497f20c  00000000
0497f210  0000000a
0497f214  0000000c
0497f218  02a94190
0497f21c  02a94190
0497f220  7774fbca ntdll!ZwQueryVirtualMemory+0x12
0497f224  7575ef1f KERNELBASE!VirtualQueryEx+0x1d
0497f228  ffffffff
0497f22c  00efd218 mbamgui+0x3d218
0497f230  00000000
0497f234  0497f274
0497f238  0000001c
0497f23c  0497f254
0497f240  0497f258
0497f244  7575efeb KERNELBASE!VirtualQuery+0x15
0497f248  0497f29c
0497f24c  00efda8b mbamgui+0x3da8b
0497f250  0000001e
0497f254  0497f29c
0497f258  8b7704ef
0497f25c  0497f29c
0497f260  00efb525 mbamgui+0x3b525
0497f264  00000003
0497f268  40000015
0497f26c  00000001
0497f270  00eff92a mbamgui+0x3f92a
0497f274  8b77042f
0497f278  00efd218 mbamgui+0x3d218
0497f27c  770c030c kernel32!BasepUEFLock
0497f280  0497f35c
0497f284  0497f274
0497f288  00000020
0497f28c  0497f31c
0497f290  00efccc0 mbamgui+0x3ccc0
0497f294  8f12ef63
0497f298  fffffffe
0497f29c  0497f2a4
0497f2a0  00efd254 mbamgui+0x3d254
0497f2a4  0497f32c
0497f2a8  7703003f kernel32!UnhandledExceptionFilter+0x127
0497f2ac  0497f35c
0497f2b0  8b623b81
0497f2b4  00000000
0497f2b8  0497f35c
0497f2bc  00000000
0497f2c0  0497f2cc
0497f2c4  00f00e00 mbamgui+0x40e00
0497f2c8  00f2e318 mbamgui+0x6e318
0497f2cc  0497f304
0497f2d0  00efdb9f mbamgui+0x3db9f
0497f2d4  0000000c
0497f2d8  00efdb88 mbamgui+0x3db88
0497f2dc  00000011
0497f2e0  00000000
0497f2e4  0497f45c
0497f2e8  00000000
0497f2ec  0497f2dc
0497f2f0  00000001
0497f2f4  0497f388
0497f2f8  00efccc0 mbamgui+0x3ccc0
0497f2fc  8f12efd3
0497f300  00000001
0497f304  00000000
0497f308  00000000
0497f30c  00000006
0497f310  00000000
0497f314  0497f2b0
0497f318  00000024
0497f31c  0497f388
0497f320  77094123 kernel32!_except_handler4
0497f324  f8f4b095
0497f328  fffffffe
0497f32c  0497f900
0497f330  777a74df ntdll!__RtlUserThreadStart+0x62
0497f334  0497f35c
0497f338  777a73bc ntdll!_EH4_CallFilterFunc+0x12
0497f33c  00000000
0497f340  0497f900
0497f344  7775c530 ntdll! ?? ::FNODOBFM::`string'+0xb5e
0497f348  0497f370
0497f34c  777a7261 ntdll!_except_handler4+0x8e
0497f350  00000000
0497f354  00000000
0497f358  00000000
0497f35c  0497f45c
0497f360  0497f4ac
0497f364  7775c540 ntdll! ?? ::FNODOBFM::`string'+0xb6e
0497f368  00000001
0497f36c  00f6d80e
0497f370  0497f394
0497f374  7778b459 ntdll!ExecuteHandler2+0x26
0497f378  fffffffe
0497f37c  0497f8f0
0497f380  0497f4ac
0497f384  0497f430
0497f388  0497f8a4
0497f38c  7778b46d ntdll!ExecuteHandler2+0x3a
0497f390  0497f8f0
0497f394  0497f444
0497f398  7778b42b ntdll!ExecuteHandler+0x24
0497f39c  0497f45c
0497f3a0  0497f8f0
0497f3a4  0497f4ac
0497f3a8  0497f430
0497f3ac  777a71d5 ntdll!_except_handler4
0497f3b0  00000000
0497f3b4  0497f45c
0497f3b8  0497f8f0
0497f3bc  7778b3ce ntdll!RtlDispatchException+0x127
0497f3c0  0497f45c
0497f3c4  0497f8f0
0497f3c8  0497f4ac
0497f3cc  0497f430
0497f3d0  777a71d5 ntdll!_except_handler4
0497f3d4  00000000
0497f3d8  0497f45c
0497f3dc  00000000
0497f3e0  fffffffe
0497f3e4  77763cc3 ntdll!RtlpAllocateHeap+0xe73
0497f3e8  77763cee ntdll!RtlAllocateHeap+0x23a
0497f3ec  00000214
0497f3f0  00000220
0497f3f4  028f1f52
0497f3f8  028f1f50
0497f3fc  00000000
0497f400  00000214
0497f404  72420000 mbamnet
0497f408  00000178
0497f40c  00000180
0497f410  01108d7a
0497f414  01108d78
0497f418  0497f5b0
0497f41c  00000000
0497f420  00000002
0497f424  01000214
0497f428  0497f370
0497f42c  00d48b12
0497f430  00000000
0497f434  0000004d
0497f438  04980000
0497f43c  0497e000
0497f440  0097f48c
0497f444  0497f7e4
0497f448  77740133 ntdll!KiUserExceptionDispatcher+0xf
0497f44c  0097f45c
0497f450  0497f4ac
0497f454  0497f45c
0497f458  0497f4ac
0497f45c  e06d7363
0497f460  00000001
0497f464  00000000
0497f468  7575c41f KERNELBASE!RaiseException+0x58
0497f46c  00000003
0497f470  19930520
0497f474  0497f880
0497f478  00f21cd8 mbamgui+0x61cd8
0497f47c  02c1f790
0497f480  0497f880
0497f484  00000008
0497f488  0061001f
0497f48c  0000000e
0497f490  00000003
0497f494  00000000
0497f498  00000018
0497f49c  02c1f4d0
0497f4a0  0497f7f8
0497f4a4  00efa032 mbamgui+0x3a032
0497f4a8  02c10000
0497f4ac  0001003f
0497f4b0  00000000
0497f4b4  00000000
0497f4b8  00000000
0497f4bc  00000000
0497f4c0  00000000
0497f4c4  00000000
0497f4c8  0000027f
0497f4cc  00000000
0497f4d0  0000ffff
0497f4d4  00000000
0497f4d8  00000000
0497f4dc  00000000
0497f4e0  00000000
0497f4e4  00000000
0497f4e8  00000000
0497f4ec  00000000
0497f4f0  00000000
0497f4f4  00000000
0497f4f8  00000000
0497f4fc  00000000
0497f500  00000000
0497f504  00000000
0497f508  00000000
0497f50c  00000000
0497f510  00000000
0497f514  00000000
0497f518  00000000
0497f51c  00000000
0497f520  00000000
0497f524  00000000
0497f528  00000000
0497f52c  00000000
0497f530  00000000
0497f534  00000001
0497f538  0000002b
0497f53c  00000053
0497f540  0000002b
0497f544  0000002b
0497f548  00000000
0497f54c  00000000
0497f550  00000008
0497f554  00000000
0497f558  00000003
0497f55c  0497f794
0497f560  0497f7e4
0497f564  7575c41f KERNELBASE!RaiseException+0x58
0497f568  00000023
0497f56c  00000212
0497f570  0497f794
0497f574  0000002b
0497f578  0000027f
0497f57c  00000000
0497f580  00000000
0497f584  00000000
0497f588  00000000
0497f58c  00000000
0497f590  00001f80
0497f594  0000ffff
0497f598  00000000
[CUT]
0:002> lmvm WRusr
start    end        module name
720d0000 720fc000   WRusr    T (no symbols)           
    Loaded symbol image file: WRusr.dll
    Image path: C:\Windows\System32\WRusr.dll
    Image name: WRusr.dll
    Timestamp:        Fri Jun 07 01:37:56 2013 (51B11D54)
    CheckSum:         000303E0
    ImageSize:        0002C000
    File version:     8.0.2.150
    Product version:  8.0.2.150
    File flags:       8 (Mask 3F) Private
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:002> ~* kbn
   0  Id: 98c.990 Suspend: 1 Teb: 7efdd000 Unfrozen
 # ChildEBP RetAddr  Args to Child              
00 00d0f774 7588790d 00d0f7b4 000100a4 00000000 user32!NtUserGetMessage+0x15
01 00d0f790 00ec40d0 00d0f7b4 000100a4 00000000 user32!GetMessageW+0x33
WARNING: Stack unwind information not available. Following frames may be wrong.
02 00d0f7d4 00ec3eb0 8f300f67 00000000 00000000 mbamgui+0x40d0
03 00d0f9d4 00ef807d 00ec0000 00000000 01090e08 mbamgui+0x3eb0
04 00d0fa64 76ff33aa 7efde000 00d0fab0 77769ef2 mbamgui+0x3807d
05 00d0fa70 77769ef2 7efde000 7753ed1e 00000000 kernel32!BaseThreadInitThunk+0xe
06 00d0fab0 77769ec5 00ef80d0 7efde000 00000000 ntdll!__RtlUserThreadStart+0x70
07 00d0fac8 00000000 00ef80d0 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b
   1  Id: 98c.a8c Suspend: 1 Teb: 7efda000 Unfrozen
 # ChildEBP RetAddr  Args to Child              
00 03ebdb88 75757a56 000000e0 00000000 00000000 ntdll!ZwFsControlFile+0x15
01 03ebdbcc 00ecb48a 000000e0 00000000 00000000 KERNELBASE!ConnectNamedPipe+0x5d
WARNING: Stack unwind information not available. Following frames may be wrong.
02 03ebdbd8 00000000 00000008 00000000 03ebfc24 mbamgui+0xb48a
#  2  Id: 98c.a94 Suspend: 0 Teb: 7efd7000 Unfrozen
 # ChildEBP RetAddr  Args to Child              
00 0497ed04 757615e9 00000002 0497ed54 00000001 ntdll!NtWaitForMultipleObjects+0x15
01 0497eda0 76ff1a2c 0497ed54 0497edc8 00000000 KERNELBASE!WaitForMultipleObjectsEx+0x100
02 0497ede8 76ff4220 00000002 7efde000 00000000 kernel32!WaitForMultipleObjectsExImplementation+0xe0
03 0497ee04 770180c4 00000002 0497ee38 00000000 kernel32!WaitForMultipleObjects+0x18
04 0497ee70 77017f83 0497ef34 00000001 00000001 kernel32!WerpReportFaultInternal+0x186
05 0497ee84 77017878 0497ef34 00000001 0497ef20 kernel32!WerpReportFault+0x70
06 0497ee94 770177f7 0497ef34 00000001 8b62278d kernel32!BasepReportFault+0x20
07 0497ef20 00efc6af 00000000 00efd218 0497f35c kernel32!UnhandledExceptionFilter+0x1af
WARNING: Stack unwind information not available. Following frames may be wrong.
08 0497f25c 00efb525 00000003 40000015 00000001 mbamgui+0x3c6af
09 0497f29c 00efd254 0497f32c 7703003f 0497f35c mbamgui+0x3b525
0a 0497f2a4 7703003f 0497f35c 8b623b81 00000000 mbamgui+0x3d254
0b 0497f32c 777a74df 0497f35c 777a73bc 00000000 kernel32!UnhandledExceptionFilter+0x127
0c 0497f334 777a73bc 00000000 0497f900 7775c530 ntdll!__RtlUserThreadStart+0x62
0d 0497f348 777a7261 00000000 00000000 00000000 ntdll!_EH4_CallFilterFunc+0x12
0e 0497f370 7778b459 fffffffe 0497f8f0 0497f4ac ntdll!_except_handler4+0x8e
0f 0497f394 7778b42b 0497f45c 0497f8f0 0497f4ac ntdll!ExecuteHandler2+0x26
10 0497f3b8 7778b3ce 0497f45c 0497f8f0 0497f4ac ntdll!ExecuteHandler+0x24
11 0497f444 77740133 0097f45c 0497f4ac 0497f45c ntdll!RtlDispatchException+0x127
12 0497f444 7575c41f 0097f45c 0497f4ac 0497f45c ntdll!KiUserExceptionDispatcher+0xf
13 0497f7e4 00ef857e e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
14 0497f81c 00ec6f84 0497f880 00f21cd8 8b770e83 mbamgui+0x3857e
15 0497f8b4 76ff33aa 00000000 0497f900 77769ef2 mbamgui+0x6f84
16 0497f8c0 77769ef2 00000000 7314eeae 00000000 kernel32!BaseThreadInitThunk+0xe
17 0497f900 77769ec5 00ec6ab0 00000000 00000000 ntdll!__RtlUserThreadStart+0x70
18 0497f918 00000000 00ec6ab0 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
   3  Id: 98c.a98 Suspend: 1 Teb: 7efaf000 Unfrozen
 # ChildEBP RetAddr  Args to Child              
00 054bfdc8 75763bc8 00000000 054bfe0c 8abe36a5 ntdll!NtDelayExecution+0x15
01 054bfe30 75764498 000927c0 00000000 00000000 KERNELBASE!SleepEx+0x65
02 054bfe40 00ec7475 000927c0 8aab08e3 00000000 KERNELBASE!Sleep+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
03 00000000 00000000 00000000 00000000 00000000 mbamgui+0x7475

Optionally, you can create a full dump using procdump:
procdump -ma -e -x "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe"
and try to analyze it in WinDbg.

m.g.
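The check m.g. does by eye above, scanning the raw `dds` stack dump for slots that symbolise into a DLL that is neither Windows nor the crashing product, as an added Python example that is not part of the thread. The sample `dds` excerpt is constructed from lines quoted in the thread, and the set of Windows system module names is an assumption.

```python
import re
from collections import OrderedDict

# Constructed excerpt of WinDbg "dds <StackLimit> <StackBase>" output, modelled on
# the thread's dump. Each line is "<stack addr>  <value> [module!symbol+offset]".
SAMPLE_DDS = """\
0497ecd8  0497ed04
0497ecdc  7775013d ntdll!NtWaitForMultipleObjects+0x15
0497ece0  720e87a9 WRusr+0x187a9
0497ece4  00000002
0497ed08  757615e9 KERNELBASE!WaitForMultipleObjectsEx+0x100
0497eda4  76ff1a2c kernel32!WaitForMultipleObjectsExImplementation+0xe0
0497ef24  00efc6af mbamgui+0x3c6af
0497efa4  725942d8 mbamnet+0x1742d8
0497eff0  72420000 mbamnet
0497f468  7575c41f KERNELBASE!RaiseException+0x58
"""

# Assumed list of Windows system images; anything else on the stack that is not
# the product's own image is worth a second look (hooking/injected DLLs).
WINDOWS_MODULES = {"ntdll", "kernel32", "kernelbase", "user32", "msvcrt"}

DDS_LINE = re.compile(
    r"^(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<value>[0-9a-fA-F]{8,16})"
    r"(?:\s+(?P<symbol>\S.*?))?\s*$"
)


def parse_dds(text):
    """Yield (stack_addr, value, module, symbol) for each symbolised slot.

    Slots holding plain data (arguments, saved EBP chain) carry no symbol and are
    skipped, as are placeholder lines such as '[CUT]' or '????????' values.
    """
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m or not m.group("symbol"):
            continue
        symbol = m.group("symbol")
        # "module!function+0x..", "module+0x.." or a bare "module" (image base)
        module = re.split(r"[!+]", symbol, maxsplit=1)[0]
        yield int(m.group("addr"), 16), int(m.group("value"), 16), module, symbol


def modules_on_stack(text):
    """Map module name -> [(stack_addr, symbol), ...] in stack order."""
    found = OrderedDict()
    for addr, _value, module, symbol in parse_dds(text):
        found.setdefault(module, []).append((addr, symbol))
    return found


def third_party_modules(text, own_modules):
    """Modules referenced from the stack that are neither Windows system DLLs
    nor the crashing product's own images, in order of first appearance."""
    known = WINDOWS_MODULES | {m.lower() for m in own_modules}
    return [m for m in modules_on_stack(text) if m.lower() not in known]


if __name__ == "__main__":
    for mod, slots in modules_on_stack(SAMPLE_DDS).items():
        first_addr, first_sym = slots[0]
        print(f"{mod:<12} {len(slots):>2} slot(s), first at {first_addr:08x}: {first_sym}")
    print("third-party candidates:", third_party_modules(SAMPLE_DDS, ["mbamgui", "mbamnet"]))
```

Run against the full `dds StackLimit StackBase` output of the faulting thread; a pointer into a third-party DLL sitting right after a system call return address, as WRusr does here, is the pattern to take up with that vendor.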
 
OK, great, and thanks. I will talk to Webroot Development to get this issue fixed, as in the scan log of WSA mbamgui.exe is being monitored!

Thanks so much,

Cheers,

Daniel

Mon 10-06-2013 11:31:22.0182 Monitoring process C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [D1D5DAB39DCB4BE0359943738D87409B]. Type: 3 (3217)
Mon 10-06-2013 11:31:22.0182 Monitoring process C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [D1D5DAB39DCB4BE0359943738D87409B]. Type: 4 (3217)
Mon 10-06-2013 11:31:22.0182 Monitoring process C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [D1D5DAB39DCB4BE0359943738D87409B]. Type: 8 (3217)
Mon 10-06-2013 11:31:23.0212 Monitoring process C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [D1D5DAB39DCB4BE0359943738D87409B]. Type: 3 (3217)
Mon 10-06-2013 11:31:23.0212 Monitoring process C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [D1D5DAB39DCB4BE0359943738D87409B]. Type: 4 (3217)
Mon 10-06-2013 11:31:23.0212 Monitoring process C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [D1D5DAB39DCB4BE0359943738D87409B]. Type: 8 (3217)
Mon 10-06-2013 11:31:25.0215 Monitoring process C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [D1D5DAB39DCB4BE0359943738D87409B]. Type: 3 (3217)
Mon 10-06-2013 11:31:25.0215 Monitoring process C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [D1D5DAB39DCB4BE0359943738D87409B]. Type: 4 (3217)
Mon 10-06-2013 11:31:25.0225 Monitoring process C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [D1D5DAB39DCB4BE0359943738D87409B]. Type: 8 (3217)
Mon 10-06-2013 11:31:30.0238 Monitoring process C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [D1D5DAB39DCB4BE0359943738D87409B]. Type: 3 (3217)
Mon 10-06-2013 11:31:30.0238 Monitoring process C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [D1D5DAB39DCB4BE0359943738D87409B]. Type: 4 (3217)
Mon 10-06-2013 11:31:30.0238 Monitoring process C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [D1D5DAB39DCB4BE0359943738D87409B]. Type: 8 (3217)
 
