Weird MBAM scanning by secondary users, uses up entire CPU cores



Hey there,

I was sent here by Ron after Lews describing my issue in the general help forum. The situation is, I have MBAM installed on a computer being used as a Media Center PC - our cable TV runs through it and it acts as a DVR, besides its other duties as a general media server. Media Center Extenders (thin clients) then connect to this PC and act as cable boxes. Each extender is assigned its own user by Windows, named in the form McxN-NAMEOFPC. The problem is, each time an Extender connects to watch either live or recorded TV, an instance of mbam.exe *32 begins with it, and immediately uses up 20-25% of CPU, on a modern 4-core machine. Sometimes, even two instances of mbam.exe *32, each using up 20-25% of CPU, will start on the same extender account. This happens both when MBAM starts up with Windows, and if MBAM is started later. It also happens if MBAM malware and web protection is turned off - upon the next loading of MBAM, with Windows or later, the mbam.exe *32 instances still pop up with the start of the MBAM suite.

We have gone through it in the other thread, and determined that we need to use more advanced tools to figure out what is going on here. Here is the original thread. My logs and screenshots can all be found there - I can re-post them if necessary. Thanks in advance!


  • Root Admin

Once you reach 100 posts you can edit your topics. Unfortunately, due to abuse by others, we had to implement this limit.

 

Please right click over the MBAM tray icon and uncheck the Malware Protection and the Malicious Website Protection. Then click the Exit button.

Next follow the directions below to start a monitoring log.

 

Create a Process Monitor Log:
 

  • Create a new folder on your desktop called Logs
  • Please download Process Monitor from here and save it to your desktop
  • Double-click on Procmon.exe to run it
  • In Process Monitor, click on File at the top and select Backing Files...
  • Click the circle to the left of Use file named: and click the ... button
  • Browse to the Logs folder you just created and type MBAM Log in the File name: box and click Save
  • Exit Process Monitor and open it again so that it starts creating the logs
  • Now launch MBAM again and let it run and check if the same CPU usage goes up under the other account.
  • Close Process Monitor
  • Right-click on the Logs folder on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Please attach the Logs.zip file you just created to your next reply

 

  • Now launch MBAM again and let it run and check if the same CPU usage goes up under the other account.

 

Maybe I haven't been clear - mbam.exe *32 continues to run under that user even after I close MBAM the normal way. The app doesn't go away until the Media Center Extender logs off, or I manually kill it in TaskMon.

Anyway - here's the ProcMon log. It got kind of big, so I put it up on mega.

 

https://mega.co.nz/#!3Rp0SZ5J!jvtBamjxjkoyX0DyLYqnXmFhYfP68ZAQL1LWa2q51R0


  • Root Admin

Not sure - site not opening for me. The process monitor should hopefully help us see more of what's going on.

 

Please see if this method works. Also make sure you zipped the log file.


Upload File(s) to WeTransfer:

  • Visit WeTransfer.com
  • Click on I Agree
  • Click on the icon on the lower left indicated in the below image
  • Select the Link option
  • Click on +Add Files
  • Browse to the location of the file and double-click on it or click once on it and select Open
  • Click on Transfer
  • Once the transfer completes, click on Copy link
  • Once you receive the Copied! message as indicated below, paste the link into your next reply

  • Root Admin

Well what I find odd is that the log indicates that MBAM is being launched in the task tray by the Extender account
 
This account: Media\Mcx4-MEDIA
ran the following "C:\Program Files (x86)\MBAM\mbam.exe" /starttray
none of the other accounts are running it.
 
 
That command is typically only used/set by the account used to install the program. Are you sure you're not able to interactively log on to or use that account?
The previous FRST log shows the accounts below and seems to indicate that the GUEST account is enabled, which normally is disabled by default and in normal operations would never be enabled.
Some could use it for visitors or guests you want to allow to use your computer, but leaving it enabled all the time is not really recommended.
 
http://technet.microsoft.com/en-us/magazine/ff687018.aspx
http://www.howtogeek.com/170269/how-to-let-someone-else-use-your-computer-without-giving-them-access-to-all-your-stuff
 
 
Admin (S-1-5-21-846596023-101979245-2879597240-1000 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-846596023-101979245-2879597240-500 - Administrator - Disabled)
Guest (S-1-5-21-846596023-101979245-2879597240-501 - Limited - Enabled)
Mcx1-MEDIA (S-1-5-21-846596023-101979245-2879597240-1001 - Limited - Enabled) => C:\Users\Mcx1-MEDIA
Mcx2-MEDIA (S-1-5-21-846596023-101979245-2879597240-1002 - Limited - Enabled) => C:\Users\Mcx2-t iMEDIA
Mcx3-MEDIA (S-1-5-21-846596023-101979245-2879597240-1003 - Limited - Enabled) => C:\Users\Mcx3-MEDIA
Mcx4-MEDIA (S-1-5-21-846596023-101979245-2879597240-1004 - Limited - Enabled) => C:\Users\Mcx4-MEDIA
Mcx5-MEDIA (S-1-5-21-846596023-101979245-2879597240-1005 - Limited - Enabled) => C:\Users\Mcx5-MEDIA
 
 
It also shows that this account: Media\Admin is using uTorrent and MBAM is monitoring it (it monitors both network and file activity caused by uTorrent). To disable that, you would need uTorrent added to the exclusions under Web Exclusions and then Processes.
 
Again though what is odd is that one would expect MBAM to be running from and installed by this account: Media\Admin but does not seem to be for some reason as yet unknown.
 
You also appear to have run Process Monitor from your web browser. Better would be to save the file to its own folder, but I suppose my instructions didn't say to do so.
 
You have a lot of junk running from Temp as well that I'd recommend cleaning out but that's not the root of the issue here.
 
At the moment there is not enough information to determine why the media account is running MBAM and not your main admin account.
 
 
Please try the following. Click on START and type in CMD.EXE and when it shows on the menu right click and choose "Run as administrator" then at the command prompt type the following exactly and post back the results.
 
 

DIR  /q "C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe"

 
NEXT,
 
Please download the correct version of SystemLook for your computer and save it to your desktop.
You can check here if you're not sure if your computer is 32-bit or 64-bit

SystemLook 32-bit x86 | or | SystemLook 64-bit x64

  • If using Windows XP just double click on SystemLook.exe to run it.
  • For all other versions of Windows, right click over SystemLook.exe or SystemLook_x64.exe and choose Run as administrator to run it
  • Copy the contents of the following code box into the main text field - including the colon characters.
    :regfind
    mbam
  • Click the Look button to start the scan
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop named SystemLook.txt

Hey, thanks for replying.

 

 

Well what I find odd is that the log indicates that MBAM is being launched in the task tray by the Extender account
 
This account: Media\Mcx4-MEDIA
ran the following "C:\Program Files (x86)\MBAM\mbam.exe" /starttray
none of the other accounts are running it.
 
 
That command is typically only used/set by the account used to install the program. Are you sure you're not able to interactively log on to or use that account?

 

 

Aha. No, I definitely cannot log on to that account, or any of the other Mcx accounts. I have no idea what the password for it is. Using blank didn't work, using my admin password didn't work.

 

 

 

The previous FRST log shows the accounts below and seems to indicate that the GUEST account is enabled, which normally is disabled by default and in normal operations would never be enabled.
Some could use it for visitors or guests you want to allow to use your computer, but leaving it enabled all the time is not really recommended.
 
http://technet.microsoft.com/en-us/magazine/ff687018.aspx
http://www.howtogeek.com/170269/how-to-let-someone-else-use-your-computer-without-giving-them-access-to-all-your-stuff

 

This is getting weirder and weirder. I never enabled the Guest account via the GUI as in the howtogeek article. The only thing I did do was enable my Public folder and disable password-protected sharing. (Screenshots attached.)

I did this so I could share some of my media folders with Read-Only permissions to anybody on the local network without having them log in. Once I do that, I can use the credential 'Guest' on, for example, my iPad, to get ro access to these folders. I have to assume then that turning off password-protected sharing also enables this 'Guest' account to some degree. But I don't think it can do anything else. I tried logging in as Guest using RDP and it said that account wasn't authorized for remote login (as it should).

 

Admin (S-1-5-21-846596023-101979245-2879597240-1000 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-846596023-101979245-2879597240-500 - Administrator - Disabled)
Guest (S-1-5-21-846596023-101979245-2879597240-501 - Limited - Enabled)
Mcx1-MEDIA (S-1-5-21-846596023-101979245-2879597240-1001 - Limited - Enabled) => C:\Users\Mcx1-MEDIA
Mcx2-MEDIA (S-1-5-21-846596023-101979245-2879597240-1002 - Limited - Enabled) => C:\Users\Mcx2-t iMEDIA
Mcx3-MEDIA (S-1-5-21-846596023-101979245-2879597240-1003 - Limited - Enabled) => C:\Users\Mcx3-MEDIA
Mcx4-MEDIA (S-1-5-21-846596023-101979245-2879597240-1004 - Limited - Enabled) => C:\Users\Mcx4-MEDIA
Mcx5-MEDIA (S-1-5-21-846596023-101979245-2879597240-1005 - Limited - Enabled) => C:\Users\Mcx5-MEDIA
 
 
It also shows that this account: Media\Admin is using uTorrent and MBAM is monitoring it (it monitors both network and file activity caused by uTorrent). To disable that, you would need uTorrent added to the exclusions under Web Exclusions and then Processes.

 

In fact the uTorrent process is already there under the Web Exclusions list. (Screenshot attached.) Should I also add the uTorrent program and AppData paths to the malware exclusions list? In any case, I'm not sure that either list 'means anything' to the MBAM process started by any of the Media Center accounts though, especially given that those processes start regardless of whether I turn malware and web protection on or not, as long as mbam.exe is started by Media\Admin at some point. My usage of uTorrent in any case does not generate nearly enough activity for a scan, or whatever it is that MBAM is doing, to take up an entire CPU core.

 

  

Again though what is odd is that one would expect MBAM to be running from and installed by this account: Media\Admin but does not seem to be for some reason as yet unknown. 

 

It was in fact installed by that account. None of the Mcx accounts existed until after I installed MBAM. So again. Very weird! Heh.

 

You also appear to have run Process Monitor from your web browser. Better would be to save the file to its own folder, but I suppose my instructions didn't say to do so.

 

I'm not really sure what you mean 'from the browser'. I have the SysInternals Suite installed at C:\usr\bin and ran it from there.

 

You have a lot of junk running from Temp as well that I'd recommend cleaning out but that's not the root of the issue here. 

 

You mean, "%USERPROFILE%\AppData\Local\Temp" I guess. There is a lot of crap in there, but I don't know what they all are, so I'm not sure what I should be getting rid of - let me know and I'll look into it.

 

 

At the moment there is not enough information to determine why the media account is running MBAM and not your main admin account.
 
 
Please try the following...

 

 

Will try to do that tomorrow and report back. Gn, thanks again...


Okay, please report back the other items and I'll try to check back with you again tomorrow.

Ron

 


 

Please try the following. Click on START and type in CMD.EXE and when it shows on the menu right click and choose "Run as administrator" then at the command prompt type the following exactly and post back the results.

 

DIR  /q "C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe"

 

On my system that exact command will do precisely nothing because I decided to install to "C:\Program Files (x86)\MBAM" instead of "C:\Program Files (x86)\Malwarebytes Anti-Malware". Running the modified command simply yields the following:

 

 Volume in drive C is Win7
 Volume Serial Number is 369B-C3EA
 
 Directory of C:\Program Files (x86)\MBAM
 
11/21/2014  06:12 AM         7,229,752 BUILTIN\Administrators mbam.exe
               1 File(s)      7,229,752 bytes
               0 Dir(s)  203,286,056,960 bytes free

NEXT,

 

Please download the correct version of SystemLook for your computer and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

SystemLook 32-bit x86 | or | SystemLook 64-bit x64

  • If using Windows XP just double click on SystemLook.exe to run it.
  • For all other versions of Windows, right click over SystemLook.exe or SystemLook_x64.exe and choose Run as administrator to run it
  • Copy the contents of the following code box into the main text field - including the colon characters.

    :regfind

    mbam

  • Click the Look button to start the scan
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop named SystemLook.txt

 

Log is attached.

SystemLook.txt


  • Root Admin

Did you install the Trolltech software a while ago?

Please disable the Self Protection in MBAM and then restart the computer.

Then do another clean removal but at this time do not reinstall MBAM

Please uninstall your current version of MBAM - but don't reinstall yet. MBAM Clean Removal Process 2x

Then restart your computer 2 more times. Then run FRST again and make sure you place a check mark in the Additions.txt check box and post back both new logs.

Also please run the SystemLook again and post back the new log.


Did you install the Trolltech software a while ago?

Please disable the Self Protection in MBAM and then restart the computer.

 

The self-protection module was never turned on, not sure if I mentioned that.

 

Then do another clean removal but at this time do not reinstall MBAM

 

 

This sentence seems out of order. I'm not sure what I should be doing a 'clean removal' with, heh.


As best I can tell, you're asking me to reinstall, but to make sure to run mbam_clean and restart a few times...right?

 

Googling, Trolltech is formerly the parent company of the makers of Qt. Am not sure if any of the software I've installed uses Qt, but that's the only thing I could think of that could account for its presence.


Upon reinstall, mbam.exe still starts for each Media Center Extender. However, except for a brief spike in CPU usage by mbamservice.exe (run by SYSTEM), it doesn't use up CPU. That's enough for me.

I decided this time to install to the default directory instead of C:\Program Files (x86)\MBAM. Interestingly though, upon running SystemLook again, some references to the old directory showed up...along with those references to Trolltech. Now I didn't install Qt standalone, but on my initial installation, I did install MBAM 1.7 off a disk - one of a few 'lifetime' licenses I bought a few years ago but never used. Figured I'd need to install that way and couldn't just use the old key with 2.0 without installing first. Maybe that has something to do with it?

 

In any case, the latest logs are attached. Thanks for your help Ron, much appreciated!

latest_logs.7z


  • Root Admin

Sorry for any confusion. What I wanted to do was uninstall MBAM from Control Panel. Then run MBAM CLEAN to remove any other left-over elements. Then run SystemLook again to find further entries for MBAM and then we'd manually clean them out.

Bottom line at this point is I'm not sure how or why MBAM would be kicked off by the other account. It could be running but it should show that it's running under your System account or your admin account. Yet the log from monitoring showed it was being run under one of the Extender accounts. I don't see how that should be happening. If it was an interactive account and the user launched it manually then I could see it but an automated account shouldn't know about calling MBAM. Thus why I wanted to fully clean out all possible entries of MBAM before a reinstall.

Let me know if you're okay with it now or if you'd still like to investigate further or not. This is a bit uncharted territory as I've never seen this reported before.


Sorry for any confusion. What I wanted to do was uninstall MBAM from Control Panel. Then run MBAM CLEAN to remove any other left-over elements. Then run SystemLook again to find further entries for MBAM and then we'd manually clean them out.

Bottom line at this point is I'm not sure how or why MBAM would be kicked off by the other account. It could be running but it should show that it's running under your System account or your admin account. Yet the log from monitoring showed it was being run under one of the Extender accounts. I don't see how that should be happening. If it was an interactive account and the user launched it manually then I could see it but an automated account shouldn't know about calling MBAM. Thus why I wanted to fully clean out all possible entries of MBAM before a reinstall.

Let me know if you're okay with it now or if you'd still like to investigate further or not. This is a bit uncharted territory as I've never seen this reported before.

 

Aight, you've convinced me :) Latest logs (after uninstall and MBAM clean) are attached.

1-19-2015_1256-0500.7z


  • Root Admin

Though not related to your issue I'd recommend running this fix from Microsoft which will basically disable this event from showing in the Event Logs and filling it with nonsense.

Event ID 10 is logged in the Application log
http://support.microsoft.com/kb/2545227

Please read the following article concerning the use of MSCONFIG
Msconfig Is Not A Startup Manager

Please reset back to NORMAL and if wanted use another method to control objects.


Also not related, but some believe this to be a sign of a bad hard drive. I myself believe that in some cases security software such as antivirus can also possibly cause this.

Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-19 00:05:21.220



Doing a full disk check though should also be considered
CHKDSK (disk in question) /R

Please note though that if this is an external drive and a large drive it could take days to complete a full scan and may not be the issue.


Please backup your registry first and then manually go find MBAM as shown in the logs and remove the entries from the Registry. Then any file or folder left over on the drive as well for MBAM.
Then double check your TASKS and make sure you have no tasks for MBAM either.

If you need assistance on removing any registry items let me know.

 

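The question Ron keeps coming back to is which account launches mbam.exe and from which autostart location (Run keys in a user hive, a scheduled task, a service or driver). The script below is an added example, not code from this thread or from Malwarebytes: a read-only audit that lists every process, Run/RunOnce value, scheduled task and service/driver matching a name pattern, together with the account each one belongs to, so you can see where a leftover entry lives before removing it. The script name Find-Autostart.ps1, the $Pattern parameter, PowerShell 3.0 or later and English-locale schtasks output are assumptions.

```powershell
# Find-Autostart.ps1 (added example, not from the thread or from Malwarebytes).
# Read-only audit: where does a program name appear, and under which account?
# Assumptions: elevated PowerShell 3.0+, English schtasks output, $Pattern is a regex
# for the name being hunted (the thread's case was "mbam").
param([string]$Pattern = 'mbam')

function Resolve-Sid([string]$Sid) {
    # Map a hive name such as S-1-5-21-...-1004 to MEDIA\Mcx4-MEDIA; keep the raw name on failure
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

$results = New-Object System.Collections.ArrayList
function Add-Hit($Source, $Owner, $Name, $Detail) {
    [void]$results.Add([pscustomobject]@{ Source = $Source; Owner = $Owner; Name = $Name; Detail = $Detail })
}

# 1. Running processes: owner and the command line that started each one
#    (this is what the ProcMon log showed: "...\mbam.exe" /starttray under Mcx4-MEDIA).
foreach ($proc in (Get-WmiObject Win32_Process | Where-Object { $_.Name -match $Pattern })) {
    $o = $proc.GetOwner()
    Add-Hit 'Process' "$($o.Domain)\$($o.User)" $proc.Name $proc.CommandLine
}

# 2. Run/RunOnce keys: machine-wide (including the 32-bit view, since mbam.exe *32 is 32-bit)
#    plus every user hive currently loaded under HKEY_USERS. An Extender session loads its
#    own Mcx* hive only while connected, so run this while an Extender is attached.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runSubkeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
              'Software\Microsoft\Windows\CurrentVersion\RunOnce',
              'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
$roots = @(@{ Path = 'HKLM:'; Owner = 'MACHINE' })
foreach ($hive in Get-ChildItem HKU:\) {
    $roots += @{ Path = "HKU:\$($hive.PSChildName)"; Owner = (Resolve-Sid $hive.PSChildName) }
}
foreach ($root in $roots) {
    foreach ($sub in $runSubkeys) {
        $key = "$($root.Path)\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            if ("$($p.Name) $($p.Value)" -match $Pattern) {
                Add-Hit 'Run key' $root.Owner "$key\$($p.Name)" $p.Value
            }
        }
    }
}

# 3. Scheduled tasks with the account each task runs as (schtasks also exists on Windows 7)
foreach ($t in (schtasks /query /fo CSV /v | ConvertFrom-Csv)) {
    if ("$($t.TaskName) $($t.'Task To Run')" -match $Pattern) {
        Add-Hit 'Task' $t.'Run As User' $t.TaskName $t.'Task To Run'
    }
}

# 4. Services and kernel drivers (the thread's leftover LEGACY_MBAMSWISSARMY key belongs to a driver)
foreach ($cls in 'Win32_Service', 'Win32_SystemDriver') {
    foreach ($s in (Get-WmiObject $cls | Where-Object { "$($_.Name) $($_.PathName)" -match $Pattern })) {
        Add-Hit $cls $s.StartName $s.Name "$($s.State); $($s.PathName)"
    }
}

$results | Sort-Object Source, Owner | Format-Table -AutoSize -Wrap
```

Nothing here deletes anything; once the table shows an entry under an account that should not have one, remove it by hand after the registry backup Ron asked for.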

Though not related to your issue I'd recommend running this fix from Microsoft which will basically disable this event from showing in the Event Logs and filling it with nonsense.

Event ID 10 is logged in the Application log

http://support.microsoft.com/kb/2545227

...

Please read the following article concerning the use of MSCONFIG

Msconfig Is Not A Startup Manager

Please reset back to NORMAL and if wanted use another method to control objects.

...

Doing a full disk check though should also be considered

CHKDSK (disk in question) /R

...

Please backup your registry first and then manually go find MBAM as shown in the logs and remove the entries from the Registry. Then any file or folder left over on the drive as well for MBAM.

...

If you need assistance on removing any registry items let me know.

 

OK, have done all of that. Installed the MS FixIt. Ran Chkdsk, HDD appears to be clean, so let's blame ESET Nod32 for mucking something up in the background. I set msconfig to normal startup, won't use it for startup control anymore. Thanks for the advice.

 

Unfortunately, I couldn't delete any of the keys in the registry in HKLM ending in 'LEGACY_MBAMSWISSARMY'. When I tried, I got an error that said "Cannot delete LEGACY_MBAMSWISSARMY: Error while deleting key." When I tried to delete any of the subvalues, I got an error that said "Unable to delete all specified values". Not sure what to do about this or how to proceed.

 

SystemLook 30.07.11 by jpshortstuff
Log created at 16:34 on 19/01/2015 by Admin
Administrator - Elevation successful
 
========== regfind ==========
Searching for "mbam"
[HKEY_CURRENT_USER\Software\Sysinternals\Process Monitor]
"Logfile"="C:\Users\Admin\Desktop\Logs\MBAM Log.PML"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBAMSWISSARMY]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBAMSWISSARMY\0000]
"Service"="MBAMSwissArmy"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MBAMSWISSARMY\0000]
"DeviceDesc"="MBAMSwissArmy"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBAMSWISSARMY]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBAMSWISSARMY\0000]
"Service"="MBAMSwissArmy"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MBAMSWISSARMY\0000]
"DeviceDesc"="MBAMSwissArmy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBAMSWISSARMY]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBAMSWISSARMY\0000]
"Service"="MBAMSwissArmy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MBAMSWISSARMY\0000]
"DeviceDesc"="MBAMSwissArmy"
[HKEY_USERS\S-1-5-21-846596023-101979245-2879597240-1000\Software\Sysinternals\Process Monitor]
"Logfile"="C:\Users\Admin\Desktop\Logs\MBAM Log.PML"
-= EOF =-

 

Separately: in the middle (not while I was actually deleting anything, just browsing) the computer power totally cut out. I had experienced my computer randomly rebooting before (manifested in a TV show freezing now and then) but I thought this was Media Center crashing or something. Apparently not. I guess I have a short somewhere? Or a bad PSU? It's, surprisingly, not a problem I've encountered before...

 

Then double check your TASKS and make sure you have no tasks for MBAM either.

 

I didn't know what you meant by this but I opened the Windows Task Scheduler and peeked to see if there was any reference to MBAM left. There were, and I got rid of them. 


  • Root Admin

Though not related to the issue, I created a video a while back that demonstrates how to take ownership of a Registry key. Please watch that video and it will show you how to take back ownership and thus be able to remove those keys.

 

https://forums.malwarebytes.org/index.php?/topic/124715-runtime-error-0-440-and-339-automation-errors/

 

Once you've done that then reboot the computer again and run a new FRST scan and make sure you place a check mark in the Additions.txt check box and post back both logs.
