mbamservice memory ballooning

I normally sleep this desktop overnight. When Windows complained about memory I found that mbamservice private memory was at over 1GB. Rebooting restored it to a few hundred K but it is slowly enlarging again, currently at 457,340kB since yesterday and an overnight sleep. As per your instructions, scan log, FRST.txt and Addition.txt attached.








They call me TwinHeadedEagle around here, and I'll try to help you with your issue.




Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, which may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • I volunteer to help you, so please, do not ask for help for your company/business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!




Rules and policies


We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!


Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.



Scan with MGADiag

Need to check one more thing.

  • Please download MGADiag by Microsoft and save it to your desktop.
  • Double-click on the MGADiag icon to start the tool.
  • Press Continue when prompted.
  • When it has finished, press Copy.
  • Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.
  • Paste (Ctrl+V) this into notepad and save to your desktop.
  • Include that report in your reply.

Uninstall outdated Malwarebytes' Anti-Malware

Please download MBAM-clean and save it to your desktop.

  • Right-click on the mbam-clean.exe icon and select Run as Administrator to start the tool.
  • It will ask you to reboot the machine - please do so.
After that, follow my next instructions to download & install the newest MBAM version.

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install the program and select update.
  • Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
  • In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.

Let's check your PC again:

Scan with Farbar Recovery Scan Tool


Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    (XP users click run after receipt of Windows Security Warning - Open File).

  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please upload them into your next reply.

Yes, based on some errors, this is not a malware problem, but perhaps a hardware issue:

Error: (08/07/2015 05:09:45 PM) (Source: atapi) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Ide\IdePort2.

Error: (08/07/2015 05:09:45 PM) (Source: atapi) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Ide\IdePort2.

Error: (08/08/2015 05:06:32 PM) (Source: atapi) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Ide\IdePort2.

Error: (08/08/2015 05:06:32 PM) (Source: atapi) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Ide\IdePort2.

Error: (08/08/2015 05:06:32 PM) (Source: atapi) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Ide\IdePort2.


Let's try with check disk:

Use the Windows Error Checking utility (Check Disk), with the options to fix file system errors and scan the disk surface for errors, attempt recovery of data and repair the disk:

  • Click the "Windows Orb" Start button, then click Computer.
  • Right-click on the drive that you wish to check > Properties > Tools tab
  • In the "Error checking" section, click on Check now.
  • Place a checkmark in both boxes > Start.
  • If the disk you have chosen is the Windows system disk:
  • A message will notify you that a restart is necessary and ask "Do you want to check for hard disk errors the next time you start your computer?".
  • Click Schedule disk check > OK and close all windows.
  • Re-start the computer. The disk will be checked when the system boots.
  • This will take some time to run and at times may appear stalled but just let it run.
  • When the disk check is complete, the system will re-start automatically and load Windows.
A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.

To open Event Viewer and view the log:

  • Click the "Windows Orb" Start button -> type "eventvwr" without the quotes -> press the key.
  • The Event Viewer window will open.
  • In the left pane, expand "Windows Logs" and then click on Application.
  • In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
  • Look in the Source column for "Wininit", with an entry corresponding to the date and time of the disk check.
  • Click on that Wininit entry to select it.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.



This morning I observed mbamservice.exe Private Bytes increase from 479,740 K to 501,478 K while viewing properties in Process Explorer. I have a screen dump of CPU usage, Private Bytes and I/O activity for the service as it happened. I can post the image here if you wish...please let me know your preferred format.


Event context:


Up from overnight sleep. mbamservice.exe Private Bytes was 326,024 K

Ran Firefox web browser. Exited Browser.

Ran Second Life viewer (Firestorm.exe). Exited viewer.

Ran Reaper (A Digital Audio Workshop that uses dll plugins to emulate musical instruments). Exited Reaper.

mbamservice.exe Private Bytes was 479,740 K

Put PC to sleep for 10 seconds


mbamservice.exe Private Bytes was 479,740 K on startup from short sleep

Opened mbamservice.exe properties in Process Explorer and viewed Performance Graph for a few minutes.

While watching I saw the Private Value bytes change after a while and I obtained a screen dump.

mbamservice.exe Private Bytes was now 501,428

At this time I had no applications running except PaintshopPro opened to save the screendump after the event.


I repeated the sleep/startup procedure again and noticed a second smaller increment from 501,428 to 502,600 a few minutes after startup. I also captured this as a screen dump.


I repeated this sleep/wake procedure several more times while running and exiting applications in between. No further increments occurred.


As I was typing this the value rose from 501,428 K to 502,920 K. I did not notice this happening.


As you can see, it is difficult to replicate this reliably.


FYI... in Process Explorer I see I/O activity of 3.4 K from mbamservice.exe at 60 second intervals.




I've attached 2 gif files.


One is a Process Explorer screenshot of Private Bytes when it increased after a brief spike of CPU activity.


I then set up Microsoft Perfmon.exe to monitor mbamservice Private Bytes usage over a more extended period of nearly 2 hours. PerfMon1.gif is the result. Note the increase from 361,472 K at the start to 373,584 K at the end of the period.


Note that after a short spike the Private Bytes value does not always return to its starting value. Some memory is never returned and these memory leaks are cumulative until reboot or Windows gives memory errors.


This problem does not occur on the 2 Win 8.1 laptops here.


Now I am aware of the problem I can work around it by rebooting every few days. A solution is not urgent for me and I will continue to work with you if you wish.





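One way to put numbers on the Perfmon observation in the post above, as an added example that is not part of the original thread: the script samples a process's private bytes and separates short spikes from growth that is never returned. The function names, window size and sample series are assumptions; the series is constructed, with only its first and last values taken from the post.

```powershell
# Added example, not from the thread. Function names are hypothetical.

# Collect samples; Get-Process reports private bytes as PrivateMemorySize64.
function Get-PrivateBytesSample {
    param(
        [string]$ProcessName = 'mbamservice',
        [int]$Count = 120,
        [int]$IntervalSeconds = 60
    )
    for ($i = 0; $i -lt $Count; $i++) {
        $p = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($p) { [long]($p.PrivateMemorySize64 / 1KB) }   # value in KB
        if ($i -lt $Count - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }
}

# Compare the lowest value in the first and last windows. Spikes that are
# later freed do not move the floor; memory that is never returned does.
function Measure-RetainedGrowth {
    param(
        [Parameter(Mandatory)][long[]]$PrivateKB,
        [int]$Window = 3
    )
    if ($PrivateKB.Count -lt 2 * $Window) {
        throw "Need at least $(2 * $Window) samples, got $($PrivateKB.Count)."
    }
    $n = $PrivateKB.Count
    $startFloor = ($PrivateKB[0..($Window - 1)] | Measure-Object -Minimum).Minimum
    $endFloor   = ($PrivateKB[($n - $Window)..($n - 1)] | Measure-Object -Minimum).Minimum
    $peak       = ($PrivateKB | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        StartFloorKB = [long]$startFloor
        EndFloorKB   = [long]$endFloor
        RetainedKB   = [long]($endFloor - $startFloor)
        PeakKB       = [long]$peak
        TransientKB  = [long]($peak - $endFloor)
    }
}

# Constructed series in KB; only the first and last values come from the post.
$constructed = 361472, 361472, 361480, 368900, 364210, 364210, 371050,
               369800, 369800, 377300, 373584, 373584, 373584
Measure-RetainedGrowth -PrivateKB $constructed

# Live use: Measure-RetainedGrowth -PrivateKB (Get-PrivateBytesSample)
```

A RetainedKB value that keeps rising across runs while TransientKB stays small matches the pattern described in the post: spikes that do not fully return to the starting value.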

  • 3 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.