Please help per thread: http://www.malwarebytes.org/forums/index.php?showtopic=34815

Original Message:

====================

Hello,

I recently put my old T21 ThinkPad back in service. Its OS is Windows 2000 Pro SP4. Several days ago I downloaded and installed MBAM v1.42, I updated the defs, and I ran a full scan. No problems and no malware was detected.

This morning I decided to go to the Windows Update site to get caught up on security patches. It needed 76 of them. I downloaded and installed them all, then ran Microsoft Security Analyzer to verify all was well. All patches were successfully installed.

This afternoon, I updated MBAM and tried to run a new scan. The scan stalled after 16 seconds and would not resume. I spent the rest of the afternoon trying to troubleshoot the matter. I tried multiple quick scans and multiple full scans. Each one would stall at some point between 9 and 20 seconds after it started. The MBAM GUI interface would virtually freeze (no buttons would respond) and the scan would remain paralyzed indefinitely. The only thing that worked to get out of it (aside from killing the process in task manager) is clicking the X button in the upper right corner of the interface window -- in that it would bring up the "Not Responding - End Program" dialog. The frozen MBAM would easily terminate from that dialog.

During my testing sessions I noticed in task manager that two instances of rundll32.exe were running. I found that terminating one of them would allow a newly launched instance of MBAM to easily and consistently complete either a full or a quick scan. And the results of these MBAM scans are consistently that no malware objects are detected.

There is currently no AV software installed on this ThinkPad. I was planning on installing Nod32 on it tomorrow, but I'd like to get this MBAM matter sorted first if I could. There is an older version of Sygate Pro firewall (v5) installed on it though.

Any help or suggestions will be much appreciated.
Thank you

Added comment:

I've observed yet another: Unchecking "Always scan memory objects" will also eliminate this scan stalling issue. So I can get the scans to complete by either terminating one of the two running rundll32.exe processes (and I've discovered that it must be a particular one of them that's stopped in order to eliminate the problem; terminating the other one makes no difference), OR I can deactivate the memory objects scanning function in MBAM.

====================

DDS.txt Contents:

====================

DDS (Ver_09-12-01.01) - FAT32x86
Run by Administrator at 6:20:34.91 on Tue 12/29/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.383.258 [GMT -8:00]

============== Running Processes ===============

C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SPF\Smc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Network Associates\PGP for Windows 2000\PGPservice.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\ltmsg.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Intel\Intel PSNCU\CpuNumber.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Viewer\Ov_Monitor.exe
C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe
C:\Install\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *hotmail*;*services.msn*;*yahoo*
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [intelProcNumUtility] "c:\program files\intel\intel psncu\CpuNumber.exe" /nosplash
mRun: [TrackPointSrv] tp4serv.exe
mRun: [LTWinModem1] ltmsg.exe 9
mRun: [tourpath] regedit /s c:\winnt\tour.reg
mRun: [TPTRAY] c:\progra~1\thinkpad\utilit~1\TP98TRAY.EXE
mRun: [bMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [TpHotkey] c:\progra~1\thinkpad\utilit~1\tphkmgr.exe
mRun: [PRPCMonitor] PRPCUI.exe
mRun: [smcService] c:\progra~1\spf\Smc.exe -startgui
mRun: [tcmonitor] c:\program files\the cleaner\tcm.exe
mRun: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\pgptray.lnk - c:\program files\network associates\pgp for windows 2000\PGPtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autochk.lnk - c:\cfgsafe\AUTOCHK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adsubt~1.lnk - c:\program files\adsubtract\adsub.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\olympu~1.lnk - c:\program files\olympus\olympus viewer\Ov_Monitor.exe
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261846091336
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37866.4440740741
DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} - hxxp://windowsupdate.microsoft.com/R970/V31Controls/x86/nt5/en/actsetup.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {E573382F-E9C7-44E0-AB68-0B8325781D7D} = 209.210.176.8,209.210.176.9

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\jr5w84pf.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 TPPWR;TPPWR;c:\winnt\system32\drivers\TPPWR.SYS [2001-7-11 11776]
R2 IntelPND;IntelPND;c:\winnt\system32\drivers\IntelPND.sys [2001-7-15 18528]
R2 PGPsdkServ;PGPsdkService;c:\winnt\system32\PGPsdkServ.exe [2001-9-20 65536]
R2 PGPService;PGPService;c:\program files\network associates\pgp for windows 2000\PGPservice.exe [2001-9-20 249856]
R2 PRPC;PRPC;c:\winnt\system32\drivers\prpc.sys [2001-7-11 12182]
R2 SVKP;SVKP;c:\winnt\system32\SVKP.sys [2005-11-5 2368]
R2 V7;V7;c:\winnt\system32\drivers\V7.SYS [2001-7-11 7196]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\winnt\system32\drivers\mbamswissarmy.sys [2009-12-29 38224]
R3 ne2000;Novell/Eagle NE2000 Adapter Driver;c:\winnt\system32\drivers\ne2000.sys [2001-7-20 16016]
R3 S3GSavageMX;S3GSavageMX;c:\winnt\system32\drivers\s3gsavm.sys [2003-1-24 88576]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\winnt\system32\drivers\tp4track.sys [1980-1-1 8991]
S3 ec2t;Linksys Combo PCMCIA EthernetCard NT Driver;c:\winnt\system32\drivers\ec2t.sys [1980-1-1 26944]

=============== Created Last 30 ================

2009-12-29 14:19:21 16384 ----a-w- c:\winnt\system32\Perflib_Perfdata_2e0.dat
2009-12-29 14:16:14 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2009-12-29 13:56:20 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-12-29 13:56:17 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-12-29 13:56:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-29 13:01:52 0 d-----w- c:\program files\StartUp Control
2009-12-28 21:00:05 0 d-----w- c:\program files\UPHClean
2009-12-28 16:50:59 744716 ---h--w- c:\winnt\ShellIconCache
2009-12-28 16:08:41 0 d-----w- C:\d27cc7383e44beeb149067
2009-12-28 16:08:16 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-28 15:13:34 0 d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2009-12-28 14:56:13 69904 ----a-w- c:\winnt\system32\dllcache\browser.dll
2009-12-28 14:56:13 69904 ----a-w- c:\winnt\system32\browser.dll
2009-12-28 14:56:13 442640 ----a-w- c:\winnt\system32\ipnathlp.dll
2009-12-28 14:56:13 442640 ----a-w- c:\winnt\system32\dllcache\ipnathlp.dll
2009-12-28 14:56:13 167184 ----a-w- c:\winnt\system32\WINTRUST.DLL
2009-12-28 14:56:13 167184 ----a-w- c:\winnt\system32\dllcache\wintrust.dll
2009-12-28 14:56:12 255248 ----a-w- c:\winnt\system32\h323.tsp
2009-12-28 14:56:12 255248 ------w- c:\winnt\system32\dllcache\h323.tsp
2009-12-28 14:54:45 155408 ----a-w- c:\winnt\system32\dllcache\mtstocom.exe
2009-12-28 14:50:13 107792 ----a-w- c:\winnt\system32\dllcache\tshoot.ocx
2009-12-27 00:08:40 57344 ----a-w- c:\winnt\uneng.exe
2009-12-27 00:08:40 0 d-----w- c:\program files\common files\Adaptec Shared
2009-12-26 21:02:59 0 d--h--w- c:\winnt\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$
2009-12-26 21:00:19 957 ----a-w- c:\winnt\setup.inf
2009-12-26 21:00:19 283 ----a-w- c:\winnt\setup.rpt
2009-12-26 21:00:15 0 d-----w- c:\winnt\mui
2009-12-26 18:57:51 0 d-----w- C:\0dd5435c07f835984914c35fb815
2009-12-26 16:50:23 21728 ----a-w- c:\winnt\system32\wucltui.dll.mui
2009-12-26 16:50:23 17632 ----a-w- c:\winnt\system32\wuaueng.dll.mui
2009-12-26 16:50:23 15072 ----a-w- c:\winnt\system32\wuaucpl.cpl.mui
2009-12-26 16:50:22 15064 ----a-w- c:\winnt\system32\wuapi.dll.mui
2009-12-26 16:50:22 0 d-----w- c:\winnt\system32\SoftwareDistribution
2009-12-26 01:22:47 65240 ----a-w- c:\winnt\system32\drivers\avgntflt.sys
2009-12-25 23:50:05 0 d-----w- c:\program files\CCleaner
2009-12-25 22:37:49 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-12-25 22:37:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-25 21:26:11 0 d-----w- c:\winnt\winsxs
2009-12-25 19:54:37 499712 ----a-w- c:\winnt\system32\MSVCP71.dll
2009-12-25 19:54:37 348160 ----a-w- c:\winnt\system32\MSVCR71.dll
2009-12-25 19:54:37 1060864 ----a-w- c:\winnt\system32\MFC71.dll

==================== Find3M ====================

2009-12-27 00:08:42 58000 ----a-w- c:\winnt\system32\drivers\cdr4_2k.sys

====================

NOTE: I'm unable to find a way to attach the attach.zip file (containing attach.txt and ark.txt). Perhaps I can do it on a reply.

Thank you