
Malwarebytes Premium 3 hangs during scan at "Checking for updates..." and makes computer unresponsive/unusable


For a few days now, every time I run a scan, the scan process hangs at "Checking for updates...". The step at which it checks for updates during the scan varies (most of the time at Heuristic analysis), but as soon as it does, the scan process gets stuck.

Then it won't continue no matter how long I wait (tried 10 hours today) and the computer becomes completely unresponsive. Every action takes minutes to complete, like starting the task manager or any program. This gets even worse over time until nothing reacts anymore.

The same unresponsive behaviour also occurs randomly (without running a scan) after the computer was running for some hours, as long as Malwarebytes 3 is running in background.

When quitting Malwarebytes directly after reboot, it doesn't occur.

What I've already tried:

- clean reinstall, using the Malwarebytes Removal Tool
- full scan with KIS and Hitman Pro
- Junkware Removal Tool
- AdwCleaner

They found a few smaller things, but not much at all. Mainly toolbars.

Nothing helped however. Then I did a downgrade to Malwarebytes 2. This version doesn't have the issue. The scan completes successfully with no threats found.

Any idea?

 


While mbam 3 was installed, I've just made another check - just to make sure. Same result again. This time it was stuck on the step "Checking startup files".

But the trigger is "Checking for updates" every time. As long as it doesn't check for updates, the scan goes on. But at the last step, Heuristic analysis, it always checks for updates.

 

Maybe that's the same reason why the issue appears "randomly" as long as mbam 3 is installed. Could be a background check for updates.

But I can update manually. After every reinstall I've updated the databanks and there wasn't any problem.


  • Root Admin

Your system has some system issues shown in the Event Logs. Need to look at correcting these errors. We can do a full disk check and clean the temporary files and see if that helps any or not. If not then need to look at specific fixes for this.


Please click on the "Search the web and Windows" box.



Then type in CMD.EXE and when it shows on the start menu right click and select "Run as administrator"

 


 

In the command prompt please type the following exactly.

CHKDSK  C:  /R

This will tell Windows to run a full disk check, however you'll get the following, telling you it cannot run because it's in use.

Press the Y key to tell it to run on the next restart of the computer.

 

Quote

Microsoft Windows [Version 10.0.10586]


(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>CHKDSK C: /R
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process.  Would you like to schedule this volume to be
checked the next time the system restarts? (Y/N)

 

Then restart the computer and let it run.
Then find and copy the disk check entry from the Event Logs and paste back the results here.

How to Read Event Viewer Log for Chkdsk (Check Disk) in Windows 10

 

Application error:
==================
Error: (02/07/2017 05:27:38 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/07/2017 05:27:38 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/07/2017 05:27:37 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/07/2017 05:27:37 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/07/2017 04:03:40 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/07/2017 03:48:39 PM) (Source: Microsoft Windows CAPI2) (EventID: 257) (User:)
Description: The catalog database could not be initialized by the cryptographic service. "ESENT" error: -1032.

Error: (02/07/2017 03:48:39 PM) (Source: ESENT) (EventID: 490) (User:)
Description: CatalogDatabase (2956) CatalogDatabase: The attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read / write access is done with System error 32 (0x00000020): "The process can not access the file because it is being used by another process." Error -1032 (0xfffffbf8) when opening files.

Error: (02/07/2017 03:48:29 PM) (Source: Microsoft Windows CAPI2) (EventID: 257) (User:)
Description: The catalog database could not be initialized by the cryptographic service. "ESENT" error: -1032.

Error: (02/07/2017 03:48:29 PM) (Source: ESENT) (EventID: 490) (User:)
Description: CatalogDatabase (2956) CatalogDatabase: The attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read / write access is provided with System error 32 (0x00000020): "The process can not access the file because it is being used by another process." Error -1032 (0xfffffbf8) when opening files.

Error: (02/07/2017 03:48:19 PM) (Source: Microsoft Windows CAPI2) (EventID: 257) (User:)
Description: The catalog database could not be initialized by the cryptographic service. "ESENT" error: -1032.


System error:
=============
Error: (02/07/2017 05:27:38 PM) (Source: DCOM) (EventID: 10001) (User: TONI-PC)
Description: A DCOM server could not be started: Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider as Unavailable / Unavailable. Error:
"2"
Occurred when this command was started:
"C:\WINDOWS\System32\BackgroundTaskHost.exe" -ServerName: BackgroundTaskHost.WebAccountProvider

Error: (02/07/2017 05:27:38 PM) (Source: DCOM) (EventID: 10001) (User: TONI-PC)
Description: A DCOM server could not be started: Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider as Unavailable / Unavailable. Error:
"2"
Occurred when this command was started:
"C:\WINDOWS\System32\BackgroundTaskHost.exe" -ServerName: BackgroundTaskHost.WebAccountProvider

Error: (02/07/2017 05:27:37 PM) (Source: DCOM) (EventID: 10001) (User: TONI-PC)
Description: A DCOM server could not be started: Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider as Unavailable / Unavailable. Error:
"2"
Occurred when this command was started:
"C:\WINDOWS\System32\BackgroundTaskHost.exe" -ServerName: BackgroundTaskHost.WebAccountProvider

Error: (02/07/2017 05:27:37 PM) (Source: DCOM) (EventID: 10001) (User: TONI-PC)
Description: A DCOM server could not be started: Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider as Unavailable / Unavailable. Error:
"2"
Occurred when this command was started:

 

 

 

 

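The log excerpt in the post above repeats the same few errors many times. As an added example (not part of the original thread and not the code of any tool mentioned in it), this Python sketch collapses entries in that "Error: (timestamp) (Source: ...) (EventID: ...) (User: ...)" layout into one row per source and event ID. The sample text is constructed from entries quoted in this thread, with shortened descriptions; the function names are illustrative.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the log quoted above (descriptions shortened).
SAMPLE = """\
Error: (02/07/2017 05:27:38 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app: -2147024894.

Error: (02/07/2017 03:48:39 PM) (Source: Microsoft Windows CAPI2) (EventID: 257) (User:)
Description: The catalog database could not be initialized by the cryptographic service.

Error: (02/07/2017 03:48:39 PM) (Source: ESENT) (EventID: 490) (User:)
Description: CatalogDatabase (2956) CatalogDatabase: System error 32 (0x00000020)
when opening the catalog file.

Error: (02/07/2017 03:48:29 PM) (Source: Microsoft Windows CAPI2) (EventID: 257) (User:)
Description: The catalog database could not be initialized by the cryptographic service.

System error:
=============
Error: (02/10/2017 04:06:39 PM) (Source: LsaSrv) (Event ID: 6033) (User: NT AUTHORITY)
Description: An anonymous session has attempted to open an LSA policy handle.
"""

# Header line; the thread shows both "EventID:" and "Event ID:", and an empty "(User:)".
HEADER = re.compile(
    r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]+)\) "
    r"\(Event ?ID: (?P<event_id>\d+)\) \(User: ?(?P<user>[^)]*)\)\s*$"
)


def parse_entries(text):
    """Return one dict per 'Error:' entry, joining multi-line descriptions."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = {"time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                       "source": m["source"], "event_id": int(m["event_id"]),
                       "user": m["user"].strip(), "description": ""}
            entries.append(current)
        elif not line.strip():
            current = None  # a blank line ends the entry; section headings are skipped
        elif current is not None:
            part = line.strip()
            if part.startswith("Description:"):
                part = part[len("Description:"):].strip()
            current["description"] = f'{current["description"]} {part}'.strip()
    return entries


def summarize(entries):
    """Collapse entries to one row per (source, event_id), most frequent first."""
    groups = {}
    for e in entries:
        g = groups.setdefault((e["source"], e["event_id"]), {
            "source": e["source"], "event_id": e["event_id"], "count": 0,
            "first": e["time"], "last": e["time"], "example": e["description"],
        })
        g["count"] += 1
        g["first"] = min(g["first"], e["time"])
        g["last"] = max(g["last"], e["time"])
    return sorted(groups.values(), key=lambda g: (-g["count"], g["source"], g["event_id"]))


if __name__ == "__main__":
    for row in summarize(parse_entries(SAMPLE)):
        print(f'{row["count"]:>3}x {row["source"]} / {row["event_id"]}: {row["example"][:60]}')
```
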

Just done as instructed. Strangely, there isn't any recent chkdsk log in the Event Viewer. Only the wininit log is shown.

The latest chkdsk log is from one month ago. At that time, I've used the regular disk error check that can be run from the drive properties -> Tools tab.

Here's the wininit log however: (unfortunately in German)

 

General:

Dateisystem auf C: wird überprüft.
Der Typ des Dateisystems ist NTFS.

Eine Datenträgerüberprüfung ist geplant.
Die Datenträgerüberprüfung wird jetzt ausgeführt.                         

Phase 1: Die Basisdatei-Systemstruktur wird untersucht...
  769536 Datensätze verarbeitet.                                                          Dateiüberprüfung beendet.
  16327 große Datensätze verarbeitet.                                      0 ungültige Datensätze verarbeitet.                                
Phase 2: Die Dateinamenverknüpfung wird untersucht...
  906814 Indexeinträge verarbeitet.                                                       Indexüberprüfung beendet.
  0 nicht indizierte Dateien überprüft.                                0 nicht indizierte Dateien wiederhergestellt.                      
Phase 3: Sicherheitsbeschreibungen werden untersucht... 
829 nicht verwendete Indexeinträge aus Index $SII der Datei 0x9 werden aufgeräumt.
829 nicht verwendete Indexeinträge aus Index $SDH der Datei 0x9 werden aufgeräumt.
829 nicht verwendete Sicherheitsbeschreibungen werden aufgeräumt.
CHKDSK komprimiert den Datenstrom für die Sicherheitsbeschreibung
Überprüfung der Sicherheitsbeschreibungen beendet.
  68640 Datendateien verarbeitet.                                        CHKDSK überprüft USN-Journal...
  36214896 USN-Bytes verarbeitet.                                                           Die Überprüfung von USN-Journal ist abgeschlossen.

Phase 4: Es wird nach fehlerhaften Clustern in Benutzerdateidaten gesucht...
  769520 Dateien wurden verarbeitet.                                                      Dateidatenüberprüfung beendet.

Phase 5: Es wird nach fehlerhaften, freien Clustern gesucht...
  5733899 freie Cluster verarbeitet.                                                       Verifizierung freien Speicherplatzes ist beendet.
Fehler in Volumebitmap werden berichtigt.

Es wurden Korrekturen am Dateisystem vorgenommen.
Es sind keine weiteren Aktionen erforderlich.

 142540799 KB Speicherplatz auf dem Datenträger insgesamt
 118441288 KB in 629504 Dateien
    284400 KB in 68643 Indizes
         0 KB in fehlerhaften Sektoren
    879511 KB vom System benutzt
     65536 KB von der Protokolldatei belegt
  22935600 KB auf dem Datenträger verfügbar

      4096 Bytes in jeder Zuordnungseinheit
  35635199 Zuordnungseinheiten auf dem Datenträger insgesamt
   5733900 Zuordnungseinheiten auf dem Datenträger verfügbar

Interne Informationen:
00 be 0b 00 03 a6 0a 00 93 2a 11 00 00 00 00 00  .........*......
ab 06 00 00 c3 78 00 00 00 00 00 00 00 00 00 00  .....x..........

Die Überprüfung des Datenträgers wurde abgeschlossen.
Bitte warten Sie bis der Computer neu gestartet wurde.
 

 


 

 


  • Root Admin

That's fine. It did find and repair some minor stuff but nothing major.

Please restart the computer a couple more times. Then run a new FRST scan and make sure to place a checkmark in the Additions.txt check box and post back both new logs as attachments.

Thanks

Ron

 


  • Root Admin

Though odd errors and in a perfect world you'd have no errors, I don't think these are currently causing any issues with our program. At least I would not expect them to.

 

 

Application error:
==================
Error: (02/10/2017 04:06:52 PM) (Source: Microsoft Windows EFS) (EventID: 4401) (User: TONI-PC)
Description: 7.488: The EFS service could not provide a user for "corporate privacy". Error code: 0x80070005.

Error: (02/10/2017 04:06:52 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/10/2017 04:06:48 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/10/2017 04:05:49 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/10/2017 04:05:49 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/10/2017 04:05:49 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/10/2017 04:05:49 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/10/2017 04:05:49 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/10/2017 04:05:49 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App" app: -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.

Error: (02/10/2017 04:05:48 PM) (Source: Microsoft Windows Immersive Shell) (EventID: 5973) (User: TONI-PC)
Description: The following error occurred while activating the app "Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy! App": -2147024894. For more information, see Microsoft Windows TWinUI / Ready to Run.


System error:
=============
Error: (02/10/2017 04:06:52 PM) (Source: DCOM) (EventID: 10001) (User: TONI-PC)
Description: A DCOM server could not be started: Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider as Unavailable / Unavailable. Error:
"2"
Occurred when this command was started:
"C:\WINDOWS\System32\BackgroundTaskHost.exe" -ServerName: BackgroundTaskHost.WebAccountProvider

Error: (02/10/2017 04:06:48 PM) (Source: DCOM) (EventID: 10001) (User: TONI-PC)
Description: A DCOM server could not be started: Windows.Security.Authentication.Web.Core.BackgroundGetTokenTask.ClassId.WebAccountProvider as Unavailable / Unavailable. Error:
"2"
Occurred when this command was started:
"C:\WINDOWS\System32\BackgroundTaskHost.exe" -ServerName: BackgroundTaskHost.WebAccountProvider

Error: (02/10/2017 04:06:39 PM) (Source: LsaSrv) (Event ID: 6033) (User: NT AUTHORITY)
Description: An anonymous session with established connection from TONI-PC has attempted to open an LSA policy handler on this computer. The attempt was rejected with STATUS_ACCESS_DENIED to prevent the spread of security sensitive information to an anonymous caller. The application error that caused this attempt should be fixed. Contact the manufacturer of the application. As a temporary workaround, this security detection can be canceled by setting the DWORD value \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock to 1. This message is logged at most once per day.

 

Please try running the following.

 

1. Open a CMD Window as an Administrator on the target server and enter the following commands:

 

  • cd %windir%\system32\
  • lodctr /R
  • cd %windir%\sysWOW64\
  • lodctr /R

 

    Note: This should not affect performance on the machine. This command resyncs the counter values.

 

2. Open up Regedit and navigate to the following registry key:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfProc\Performance

 

3. Make sure that the value (if it exists) for the Disable Performance Counters is not 1.  If the entry does exist and the entry is 1, change it to 0 or delete that entry within the key.  ** PLEASE NOTE ** make sure you contact your system administrator before making changes to the registry, and make sure that you back it up before you delete it.

 

4. Restart the Windows Management service.

 




Note: After completing the Microsoft instructions, a reboot is required.

 

 


Did as instructed and installed mbam 3 after the restart. Unfortunately it didn't help. Again, the scan was running perfectly fine until the last step, Heuristic analysis, where it got stuck at "Checking for updates". Same result as before - it made the computer unresponsive and I had to use the reset button to restart it. 


I did some registry cleaning and tried it again. I usually don't use registry cleaning tools, but I thought I might give it a try.

At first it looked promising. The mbam 3 scan was faster and got further than before. At Heuristic analysis, I passed 400.000 checked files. I never got over 300.000 so far.

But then it happened. At about 500.000 files it did the update check again.

At first I thought it might still work, since I could still open the task manager. Normally, as soon as the update check occurs, the computer becomes unresponsive immediately.

But this time it was delayed. I could open the task manager about 20 times. (1-2 minutes) But then it still happened.

Why does it have to make an update check in the middle of the scan after all? It can't be that important, since the step where it does it varies.

And I did a manual update just a minute before. Can this update check be disabled somehow?

 

Now I've installed mbam 2 together with the last version of Anti-Exploit. This setup works fine. 

But it would be better to get version 3 to work.

 

By the way, since yesterday, I also have another issue. I have a task planning software, called RoboTask. I can't open the program window anymore.

It runs perfectly fine in background - all tasks still work. But when trying to open it from system tray, the window briefly flashes and then disappears.

I can even view the preview of the window in the task bar. But it can't be restored. It just flashes up every time and disappears. This happened all of a sudden.

I've tried everything - task switching, rebooting, reinstalling - nothing helps.

Could this be related to the mbam 3 issue? 

I did a test and tried to run every other program I have installed. No issues with anything else. Graphic and music software, games, tools, browsers - everything works as supposed. 

Only mbam 3 and robotask have issues.


  • Root Admin

I wonder if the scheduled update is conflicting and causing an issue while a scan is in progress. Please try to remove the update task for now and try scanning and see if there are issues. If that corrects it then you'll need to keep timing in mind for that and I'll report that internally as an issue. 

It didn't work. I've removed the update task and I've also disabled auto-updates. But it still checked for updates at Heuristic analysis, which expectedly led to the "freeze".

All opened windows can still be accessed and scrolled, but this state is frozen. You can switch menus, or tabs, but everything that needs to be loaded doesn't load. You can't run programs, ctrl+alt+del doesn't work, the start menu doesn't open... the only option is a force shutdown/reset. (which I have to do right after sending this post)

I've downgraded to version 2 again. I skipped reinstalling and testing Anti-Exploit standalone, since I'm pretty sure that the freeze while on mbam 2 was because of this.

And I don't want to do more force shutdowns. 

As far as I know, the implementation of Anti-Exploit was one of the main changes from mbam 2 to 3. 

This topic is now closed to further replies.