Threat scan takes very long time

[pgovotsos]

Hello,

 

As the subject says, something is very wrong in MBAM land. A threat scan took over 25 hours to complete. On this same machine, 1.75 did a complete scan in under a half hour. This can't be correct! If more information will help, please ask.

 

Thanks

 

[daledoc1]

Hello and welcome back:

 

25 hours is definitely not right for that number of files for a Threat scan.

 

Let's try this:

• Please try the following and let us know if this corrects your issue or not. MBAM Clean Removal Process 2x
• Please try installing the new beta which has corrected some previously reported issues: - Malwarebytes Anti-Malware 2.0.2 Public Beta
• If that does not correct the issue, then please read the following and post back the requested logs. - Diagnostic Logs
• NOTE: There is an FAQ section with valuable information located here: - Common Questions, Issues, and their Solutions

Also: you might want to set mutual exclusions between MBAM and your anti-virus (AV) -- let us know if you need help with that.

 

Thank You,

 

daledoc1

[pgovotsos]

I'll work on 1 - 4 but in the meantime, what do you mean by  setting mutual exclusions between MBAM and AV? Do mean some way to automatically have one turn the other off when it's doing something or something else? I currently have MBAM 2 Premium and Eset Nod32 7.x. Both are resident.

 

Thanks

[pgovotsos]

PS I'm already running 2.0.2.1012

[pgovotsos]

Do you run MBAM before generating both log sets or do you do the farbar ones (frst and addition), run MBAM, then mbam-check? Just checking since one of the farbar reports is named frst.

 

Thanks

[daledoc1]

If your install of 2.0.2.1012 was not a CLEAN upgrade (removing the previous version with the removal tool first), then you might try that first.

Just use the steps here, but when you get to the reinstall part, use a fresh download of the latest beta from here.

 

"Mutual exclusions" means configuring both MBAM and your AV (Eset NOD 32) to "ignore" each other, so that they won't get in each others' way.

 

But it might be a good idea just to get some diagnostic logs for the staff to review -- that might be the most efficient way to get you back up and running...

 

FRST stands for Farbar Recovery System Tool, not for "first".

It does not matter if you run mbam-check first or if you run FRST first.

You do not need to "run MBAM" or run an MBAM scan again yet, at this time.

Just follow the instructions here: Diagnostic Logs.

It might help to print them out for reference?

 

When you have run both tools, there will be 3 logs on your desktop -- just attach them all to your next reply here.

 

Thanks,

 

daledoc1

[pgovotsos]

I did the clean install & rebooted. Surprisingly the clean tool did NOT remove everything. The program files [x86)\malwarebytes directory remained. There was a .tmp file that looks like it's a DLL still there. It didn't remove the licensing info, exclusions, or quarantine.

When I reinstalled, it came up already licensed,the exclusions were still there, in the history tab it showed one file that had been previously quarantined. Strange thing about the exclusions - each time I looked at that setting it replicated them. It's now showing 3 copies of the exclusions.

I disabled nod32 and ran a threat scan. 15 hours later it's still running. When it completes I'll post the logs.

[daledoc1]

Hi:

 

As long as you disabled MBAM Self-Protection from the Advanced Settings before you ran the tool and rebooted after running it, you should be fine.  AFAIK, it doesn't delete every single file and folder, because doing so with interfere with function of some other MBAM products.

 

As for the "multiple exclusions", yes, that is a known cosmetic bug.  It's on the list for fix with a future release.

 

Thanks,

 

daledoc1

[pgovotsos]

Hi,

 

Attached are the 3 files. Thanks for your help! Let me know if there's anything else I can give you.

 

Thanks,

Panagiotis

 

 

Addition.txt

CheckResults.txt

FRST.txt

[AdvancedSetup]

The program services are crashing for MBAM for some reason. I don't see anything specific that would cause this in the current logs.

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

• Flush DNS
• Report IE Proxy Settings
• Reset IE Proxy Settings
• Report FF Proxy Settings
• Reset FF Proxy Settings
• List content of Hosts
• List IP configuration
• List Winsock Entries
• List last 10 Event Viewer log
• List Installed Programs
• List Devices
• List Users, Partitions and Memory size.
• List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

[pgovotsos]

Attached is the result.txt file. Also, FWIW a hyper scan took 1 hour 46 minutes.

 

Thanks

Result.txt

[Maurice Naggar]

<kibbitz>

I will leave the parsing of the MiniToolbox report for Ron.

But I do see that there have been a few abends of mbam logged.

 

I am going to provide a couple of tips for the long term  ( presuming the installation of the Anti-Malware is ok )

First long term suggestion, set the proper Exclusions  ( whitelist setting, if you will) for our Anti-Malware into the ESET.

On ESET Endpoint Security this is the general procedure:

Start ESET.

choose the SETUP sub-menu >> then "enter advanced setup"

then pick COMPUTER and expand that window ( tree list)

click on Excluisons by path

Then click add and give it the location of the folder of Program Files that has our program.  This next snapshot shows for a 64-bit version of Windows.

 

For 64 bit versions of Windows Vista or Windows 7 or Windows 8:

C:\Program Files (x86)\Malwarebytes Anti-Malware\*.*

 

For 32-bit Windows Vista or Windows 7 or Windows XP:

C:\Program Files\Malwarebytes Anti-Malware\*.*

 

 

My second long term suggestion would be to turn off scanning of archive files, like in the second graphic below

If your system has lots & lots of zip / rar / compressed files, leave the task of scanning those up to your antivirus program, which is better suited for that type of task.

[pgovotsos]

OK. I set the exclusion in Eset and turned off archive scanning in MBAM - I hadn't even noticed it was on - I guess it must be default.

 

I know scanning archives would affect the Threat Scan (that's the equivalent of Full scan in 1.75 right?), but Hyper Scan (the equivalent of Flash in 1.75?) shouldn't be affected by the archive setting since it doesn't scan the whole drive right?

 

Are there any exclusions for Eset that I should set in MBAM?

 

As a side question, if Threat Scan = Full Scan (1.75) and Hyper Scan = Flash Scan (1.75), is there an equivalent to Quick Scan (1.75)?

 

Thanks for all your help!

[pgovotsos]

Sorry, forgot to add a question. You said to exclude the entire Malwarebytes directory. In another post, one of the staff listed several individual files to exclude. Obviously excluding the directory excludes the individual files, but would there be any reason to _just_ exclude the files and not the whole directory?

[AdvancedSetup]

You're getting errors writing to the registry so something appears to be blocking that. You also have side-by-side errors affecting many of your programs.

 

I would first suggest doing a Full disk check and see if that helps at all or not.

 

 

 

Please run a Full Disk Check on your system drive.  If needed here are some links on how to run a Disk Check.

On Windows 7 the disk check log is in the Event Logs under Application with a heading source of  Wininit

How to Run Disk Check in Windows 7

How to Run Check Disk at Startup in Vista or Windows 7

How to Read the Event Viewer Log for Check Disk (chkdsk) in Vista, Windows 7, and Windows 8
 

Once the disk check is done (it should take at least 10 minutes to run but could take hours to complete) go into the Event Logs and find the entry and copy/paste the results back here.

 

[pgovotsos]

Ran chkdsk and the log is attached. Ran a hyper scan and noticed something interesting. It ran faster than before "only" 1 hr 41 min but the interesting thing is that all the scans up to and including startup objects ran in about 1 minute. The heuristic scan took 1 hr 40 min. I ran the hyper scan a couple more times after a reboot and after using the computer for a while. The times were all about the same. Is there anything I can do to find out why heuristics took so long?

 

As an aside, could you ask the GUI people to make the column that lists the tests running a little wider so the user could actually read everything there?

chkdsk.txt

[daledoc1]

 

As an aside, could you ask the GUI people to make the column that lists the tests running a little wider so the user could actually read everything there?

 

That's a known cosmetic bug for which we hope to get a fix soon -- you can actually use the sliders to move and widen the columns and their headers.

It won't "stick" when you close the application.

But as long as there are no scan detections, it's only a "cosmetic" and moot issue, I suppose.

 

As for the other, more significant issues you have reported, I'll need to defer to staff and the experts,

 

daledoc1

[pgovotsos]

bump

[daledoc1]

Hi:

 

Sorry - the forum has been quite busy and it appears that your post was missed.

 

Just to catch up, can you please tell us: What is the current issue you are experiencing with MBAM at this time?

 

Thanks,

[pgovotsos]

Hi,

The issue is that scans are taking an extremely long time to complete - Hyper Scan 1 hr 45 min, Threat Scan 24+ hrs.

Advanced setup asked for the logs from several tools. The place we're at now is waiting for an examination of that data.

[daledoc1]

OK.

 

I see the logs from MiniToolbox here, and from the chkdsk here.

If you would, please re-run the other 2 tools (I know you've already run them previously) and post back with those fresh logs: Diagnostic Logs (there will be only 2 logs this time).

 

I apologize for the delay -- Thanks for your patience over this busy, long holiday weekend,

[pgovotsos]

No problem at all - I'm just grateful that you all are willing to take the time to work with me!

I'm with family as well so I won't have time to sit down with it until tomorrow evening.

Thanks again for your help!

[Maurice Naggar]

FYI:   As to your Chkdsk log, as you can see.......from this snippet....  it was worth doing it.

 

CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.
 

[pgovotsos]

Attached are all the log files.

Addition.txt

CheckResults.txt

FRST.txt

Result.txt

Shortcut.txt

[pgovotsos]

I also ran chkdsk again and the log is attached.

chkdsk log.txt