Scan locks up

[TOH]

Do you also need the MBAMService.exe file dump or just the c:\mb_crashdumps?

[Benno1024]

dcollins - you might have him disable the Self Protection, which is likely preventing the process from being attached to for the dump.

[dcollins]

4 minutes ago, TOH said:

Do you also need the MBAMService.exe file dump or just the c:\mb_crashdumps?

Just the dumps please

Just now, Benno1024 said:

dcollins - you might have him disable the Self Protection, which is likely preventing the process from being attached to for the dump.

Not a bad idea, but unfortunately that won't help here. Thanks for the idea though

[TOH]

I waited 10 minutes after the scan stopped and the mb_crashdumps folder is empty

[Benno1024]

I'd try this --

Quit mbam3 from the system tray, and make sure mbamservice is NOT running.

Download ProcDump from sysinternals:

https://download.sysinternals.com/files/Procdump.zip

Unzip it, then open an Admin-elevated command prompt, go to the directory which contains procdump.exe, and enter this command: 

     procdump.exe -e -w mbamservice.exe

 

Keep that window open, maybe minimize it.

Then start MBAM3 and do the scan (reproduce the error).  Check for a dump file (.dmp) in the same directory that procdump was run from.

 

[dcollins]

Just now, Benno1024 said:

I'd try this --

Quit mbam3 from the system tray, and make sure mbamservice is NOT running.

Download ProcDump from sysinternals:

https://download.sysinternals.com/files/Procdump.zip

Unzip it, then open an Admin-elevated command prompt, go to the directory which contains procdump.exe, and enter this command: 

     procdump.exe -e -w mbamservice.exe

 

Keep that window open, maybe minimize it.

Then start MBAM3 and do the scan (reproduce the error).  Check for a dump file (.dmp) in the same directory that procdump was run from.

 

Good idea here. Thanks for the recommendation. @TOH would you be willing to try these steps? Let me know if any clarification is needed for these steps.

[TOH]

I will need help with those instructions, can you logon to my PC?

[dcollins]

I'm checking with our other support members to see about remoting in, in the meantime, let's try @Benno1024's solution above first since it should be a quick one. Inside of MB3, can you go to Settings -> Protection and make sure the Enable Self-Protection Module is disabled? I've attached a screenshot of the setting.

Once you disable that setting, then try running another scan, waiting 5-10 minutes after the process hangs, and then seeing if there are any files under c:\mb_crashdumps. Thanks!

[TOH]

Ok, will do. By the way, malware protection shut itself off again.

[TOH]

Self protection module is off.

I ran the scan again and waited 10 minutes after the scan stopped and the mb_crashdumps folder is empty.

[Jekko]

@TOH,

Try these steps for running Procdump.

1. Download the following Procdump.zip file: Procdump.zip
2. Place procdump.zip in C:\
3. Extract procdump.zip.
4. Check that the extracted files are in the directory "C:\Procdump"
5. Right click "mbamservice_procdump.bat" and select Run as administrator.
   • If you did the steps correctly you will see the following:
     
6. Run a threat scan with MBAM 3.0.
7. When MBAMSERVICE.exe crashes it should close that command window and generate a memory dump file in "C:\Procdump".

Please follow these directions because "mbamservice_procdump.bat" needs to be run in the directory "C:\Procdump" for it to work correctly.

[TOH]

When I tried to run the bat file as administrator, I got the following error message and it did not run:

[dcollins]

1. Delete the existing C:\Procdump folder
2. Right click C:\Procdump.zip and choose Properties
3. At the bottom of the properties window, click the Unblock button as shown in the attached screenshot
4. Then follow the rest of the instructions from @Jekko starting with step 3

 

[TOH]

I ran the scan which hung up again and presume that you want the dump file so here it is:

MBAMService.exe_161221_141609.dmp

[dcollins]

Thanks a lot @TOH, we'll get this to our development team to check out.

[Jekko]

Agreed.  Thanks for being patient with us @TOH.  We'll keep you informed with our progress.

[dcollins]

@TOH it looks like we still need some more data, sorry to keep pestering you. Can you find the folder C:\PROGRAMDATA (the ProgramData folder may be hidden, but you should be able to type it in and get there) and zip the entire AOL Downloads folder? You should just need to right click that file and choose Send to -> Compressed (Zipped) folder. It should create a .zip file that I'd like you to upload here. That file may be too large to upload here, and if it is, please upload the file to wetransfer.com using the instructions I mentioned before and email it to me. Thanks again!

[TOH]

I just sent the AOL Downloads folder (700MB) to your email via wetransfer since it was too large to send via this forum.

[dcollins]

Thanks @TOH, it's a large file but hopefully this will help us figure out what's going on

[dcollins]

Good news @TOH, with that zip file you uploaded I am able to replicate this issue! That means that while we don't have a solution for you at this exact moment, we should be able to figure one out without needing you to run a bunch of things for us! I won't jump the gun and say we're done yet, but hopefully we should be good. You've been a great help!

I know we've had you change a lot of settings, so just to make sure you're back in working order, I'd recommend doing the following things to clean up where left off:

1. Download the attached zip file and run the .reg file inside of there. This will disable the localdumps we setup earlier.
2. Delete C:\mb_crashdumps
3. Delete C:\Procdump and C:\Procdump.zip
4. In Malwarebytes 3.0, go to Settings -> Application and disable the Event Log Data option

This should put you right back where you were when you started using Malwarebytes 3. For the time being, it's probably best to keep that exclusion on C:\ProgramData\AOL Downloads until we get the issue resolved as well. Feel free to let me know if you have any more questions.

disable_localdumps.zip

[TOH]

I have completed the 4 steps outlined above.

Can I also delete all the folders and files created (see below) in the past 7 days for this fix attempt or are some still needed?

 

[dcollins]

Yep, assuming those screenshots are ones you took for us, you should be good to clear just bout everything. I don't know what those three RTF documents are at the top "ExelixisInc.rtf" so I can't say if you should delete those or not though.

[TOH]

Should I enable the self protection module in the Protection tab or leave it off?

[Jekko]

Please keep it enabled.  It will protect your Malwarebytes files from being modified or deleted.

The Engineering team has identified which file is causing this issue.  "AOL Downloads\<subfolder>\comps\vwpt\Vwpt.exe"

Until we can fix this, as @dcollins mentioned, please keep your exclusion for the AOL Downloads folder.

Thank you so much for your help with us on this issue!

[TOH]

Can I delete viewpoint.exe and related files from my PC or are they needed for AOL to operate?