Malwarebytes stops working mid-way through scan

[GoodMorningCaptain]

Hello. I just purchased Malwarebytes premium 3.0, and every time I run a full scan, it gets hung up mid-way through, and then I receive a dialogue box from Windows saying that it has stopped working. It always happens while it's scanning a file in my Windows/Installer folder, but it's never the same file. I ran Rkill, and it found one process to terminate:

C:\Windows\SysWOW64\ACEngSvr.exe (PID: 1148) [WD-HEUR]

And also said the following:

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Automatic

Do I have a Trojan (SysWOW64, for instance) on my system that's preventing MalwareBytes from working correctly? And if not, why does it keep crashing?

Thanks for your help!

[kevinf80]

Hello GoodMorningCaptain and welcome to Malwarebytes, My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please: Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good... ACEngSvr.exe is part of ACEngSvr Module and developed by ASUSTeK, ACEngSvr.exe is usually located in the 'C:\Windows\SysWOW64\' folder. None of the anti-virus scanners at VirusTotal reports anything malicious about ACEngSvr.exe. Continue as follows: Change the download folder setting in the Default Browser only. so all of the tools we may use are saved to the Desktop: Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. at the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK. Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu. Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen. NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop. Change default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties" In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK" Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location..... Next, Follow the instructions in the following link to show hidden files: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/ Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Next, Please create an mbam-check log: Download mbam-check.exe from here: https://downloads.malwarebytes.org/file/mb3_check and save it to your desktop Double-click on mbam-check.exe to run it, it should then open a log file Please do not copy and paste the entire contents of the log into your next post, instead, please attach the log CheckResults.txt file which should now be located on your desktop to your next post. Attach the log to your reply. Let me see those logs... Thank you, Kevin..

[GoodMorningCaptain]

Hi Kevin,

Thanks so much for your help! I've attached the Addition.txt doc and the FRST.txt doc (received from the Farbar tool), and the CheckResults.txt file (from mbam-check).

Please let me know what you think!

Thanks,

The Captain

 

Addition.txt

FRST.txt

MB-CheckResult.txt

[kevinf80]

Uninstall SuperAntiSpyware, instructions and removal utility here: http://www.techspot.com/downloads/5397-superantispyware-uninstaller.html Re-Boot when complete.. Next, Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Next, Download AdwCleaner by Xplode onto your Desktop.   Double click on Adwcleaner.exe to run the tool. Click on the Scan in the Actions box Please wait fot the scan to finish.. When "Waiting for action.Please uncheck elements you want to keep" shows in top line.. Click on the Cleaning box. Next click OK on the "Closing Programs" pop up box. Click OK on the Information box & again OK to allow the necessary reboot After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed... Next, Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan Scan within Archives are both on.... Leave all other settings to default.. Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply... Regardless if Malwarebytes completes or not, also run the following: Download Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete..... Please Do Not use your PC whilst the scan is in progress....   Double click the icon and select Run Click Next Select I accept the terms in this license agreement, then click Next twice Click Install Click Finish to launch the program Once the virus database has been updated click Start Scanning If any threats are found click Details, then View log file... (bottom left hand corner) Copy and paste the results in your reply Close the Notepad document, close the Threat Details screen, then click Start cleanup Click Exit to close the program If no threats were found please confirm that result.... The Virus Removal Tool scans the following areas of your computer: Memory, including system memory on 32-bit (x86) versions of Windows The Windows registry All local hard drives, fixed and removable Mapped network drives are not scanned. Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan. Let me see those logs in your reply, also tell me if there are any remaining issues or concerns... Thank you, Kevin...

fixlist.txt

[GoodMorningCaptain]

Hi Kevin,

• Uninstalled SuperAntiSpyware, no problem
• Downloaded fixlist.txt and ran FRST. Log file is attached.
• Had some big problems with AdwCleaner. Downloaded it and put it on my Desktop, in its own folder. Double-clicked on it, and the attached "catastrophic_failure" dialog box appeared. I had to close out of that dialog box about a dozen times before I could finally start the scan.
• The first scan I attempted crashed, and the attached "Not_Working" dialog box appeared. I restarted AdwCleaner, the catastrophic_failure dialog box appeared a dozen times again, but this time AdwCleaner didn't crash. Instead, it seemed to be caught in a loop. It completed the first scan (the bar filled with green), and it found one threat, a FLV player I'd downloaded. But then it went through the scan again, and this time found 3 threats, all the same FLV player (see attached Cleaner image). Then it started through the scan a third time, and found six threats, again the same FLV player.
• Since it seemed to be caught in a loop, and I didn't know if the FLV player was spyware that was replicating itself because of the interference from AdwCleaner, I stopped the scan. I never got to the "Waiting for action.Please uncheck elements you want to keep" part.

What should I do? Why did I get the catastrophic error? is AdwCleaner supposed to keep checking like that, or was the FLV player a sort of spyware that was replicating itself?

Thanks for your help!

The Captain

Fixlog.txt

[GoodMorningCaptain]

Hi Kevin,

Some additional info to my post above:

The FLV player cited in the scan mentioned above is the Applian FLV Player. I found the following warning about it on Security Stronghold:

https://www.securitystronghold.com/gates/remove-applian-flv-player.html

Should I use Spyhunter to remove it?

Thanks,

The Captain

[GoodMorningCaptain]

Hi Kevin,

Here's a lively discussion about the Applian FLV Player. The consensus seems to be that it packs a lot of junk software with it:

http://en.community.dell.com/support-forums/virus-spyware/f/3522/t/19636559

I don't know which version I downloaded (it doesn't say in the properties). It has an uninstall exe file, but based on the discussion linked above, it seems that the junk software that comes with it causes most of the problems, so I don't know if uninstalling it would do the trick.

Let me know what you think. Thanks!

The Captain

[kevinf80]

I do not recommend using SpyHunter, do the following instead...

Please download Zemana AntiMalware and save it to your Desktop.   Install the program and once the installation is complete it will start automatically. Without changing any options, press Scan to begin. After the short scan is finished, if threats are detected press Next to remove them. Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.   Open Zemana AntiMalware again. Click on icon and double click the latest report. Now click File > Save As and choose your Desktop before pressing Save. Attach saved report in your next message. Next, Emsisoft Emergency Kit Click Here to download Emsisoft Emergency Kit. The download will automatically start after a moment. Save EmsisoftEmergencyKit.exe to your Desktop. Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8/10 users: Accept UAC warning if it is enabled). A screen like this will appear:   Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\). Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.   Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:   Choose Yes, then wait for EEK to finish updating. Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes. Wait for the scan to finish.   If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected. If Emsisoft Emergency Kit asks to reboot, please do so immediately. The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.   Please Copy and Paste the contents of the scan log in your next reply. Next, Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt" Let me see those logs in your reply.... Thank you, Kevin...

 

[GoodMorningCaptain]

Hi Kevin,

• Downloaded and ran Zemana AntiMalware. It didn't find anything. Restarted anyway. Log is attached.
• Downloaded Emisoft Emergency Kit. It didn't put a shortcut on my desktop. From the C:\EEK folder, it gave me two exe files to choose from: start emergency scan kit, and start commandline scanner. I double-clicked on start emergency scan kit, and it gave me a dialog box error message saying This program cannot be run on Windows versions prior to Windows 7. So it simply didn't run. My operating system is Windows Vista 64-bit. According to this Wikipedia page, Vista came before Windows 7:

https://en.wikipedia.org/wiki/Timeline_of_Microsoft_Windows

What should I do?

Thanks,

The Captain

 

2017.02.16-04.13.02-i0-t92-d0.txt

[kevinf80]

Apologiies, didn`t realize EEK would not run on Vista.... Run the following instead....

Scan with HitmanPro In any case don't remove on your own anything that Hitman Pro detects! This scanner is really good for checking, it has however been known for deleting files instead of curing them, in some cases this may render the machine unbootable. Any removals will be done manually after careful analysis of the scan results! Please download HitmanPro by SurfRight and save it to your desktop. Temporary disable your AntiVirus and AntiSpyware protection - instructions here.   Right-click on icon and select Run as Administrator to start the tool. If the program won't run please run it while holding down the left CTRL key until it's loaded! Click on the Next button. You must agree with the terms of EULA (if asked). Check the box beside No, I only want to perform a one-time scan to check this computer. Click on the Next button. The program will start to scan the computer. It would only take several minutes. When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore. If there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro!Navigate to C:\ProgramData\HitmanPro\Logs, open the report and include it it your next reply. Click on the Next button. Click on the Save Log button. Save that file to your desktop. Please include that logfile in your next reply. Don't forget to re-enable your security! Next, Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt" Post those logs in your next reply, also tell me if there are any remaining issues or concerns.... Thank you, Kevin...

[GoodMorningCaptain]

Hi Kevin,

• Downloaded and ran HitmanPro. It didn't find any threats, and only marked FRST and Zemana as suspicious. Log is attached.
• Ran FRST scan. FRST.txt and Addition.txt are attached.

Do I still need all these programs (like Zemana), or can I uninstall some of them?

Thanks for your help,

The Captain

HitmanPro_20170216_2047.log

FRST.txt

Addition.txt

[GoodMorningCaptain]

Hi Kevin,

One frustrating thing that's happened since running HitmanPro is all my image thumbnails have disappeared, and now only show generic icons. I restarted, but it didn't solve the problem. I went into Control Panel, but it has the correct setting (always show icons never thumbnails is unchecked, see image below). When I check and then uncheck the always show... box, the thumbnails appear for a second, then revert back to a system icon again. How can I get my thumbnails back?

btw - I still have all the anti-malware programs you recommended on my system. Can I start uninstalling them (HitmanPro doesn't have an uninstall, because I chose the run once option. Can I simply delete the exe file and ProgramData folder?)?

Thanks,

The Captain

[GoodMorningCaptain]

Hi Kevin,

Tried a few other things to get my thumbnails back, to no avail. For instance, this:

http://www.pcmag.com/article2/0,2817,2332312,00.asp

And this:

http://www.winhelponline.com/blog/clear-thumbnail-cache-windows/

The PC Mag article suggests that sometimes thumbnails revert to system icons if there's a change in a particular registry. I noticed the anti-malware programs I've been running focus intensely on registries. Is there a way to reset a registry to get my thumbnails back? 

When I ran HitmanPro, it didn't find any threats, and everything was set to ignore when I closed. Yet my thumbnails disappeared at the moment (?)

Thanks,

The Captain

[kevinf80]

To uninstall programs use the following tool: Download GeekUninstaller from here: http://www.geekuninstaller.com/download (Choose free version) Save Geek.zip to your Desktop. (Visit the Home page at that link for necessary information) Extract Geek Uninstaller and save to your Desktop. There is no need to install, the executable is portable and can also be run from a USB if required. Run the tool, the main GUI will populate with installed programs list, Left click on Program name to highlight that entry. Select Action from the Menu bar, then Uninstall from there follow the prompts. If Uninstall fails open the "Action" menu one more time and use "Force Removal" option Next, Download Portable Windows Repair (all in one) from one of the following: www.tweaking.com/files/setups/tweaking.com_windows_repair_aio.zip http://www.majorgeeks.com/mg/getmirror/tweaking_com_windows_repair_portable,1.html https://www.bleepingcomputer.com/download/windows-repair-all-in-one/ Unzip the contents into a newly created folder on your desktop. Boot your system to Safe mode, instructions here: https://support.microsoft.com/en-gb/help/12376/windows-10-start-your-pc-in-safe-mode Open the Tweaking.com folder, run the tool by right click on Repair_Windows (icon with red briefcase) select "Run as Administrator" From the main GUI do the following: Select Tab 5 to make Registry backup, use the recommended option... When complete select "Repairs" tab, from there select "Open Repairs" tab.. From that window select the default option and checkmarck "Select All" box. When ready select "Start Repairs" tab.... When complete re-boot your system, see if there is any improvement... Logs are saved to the Tweaking.com folder on your Desktop, the one to post is _Windows_Repair_Log.txt Does that make any difference...? Thank you, Kevin...

[GoodMorningCaptain]

Hi Kevin,

Windows repair fixed the thumbnails! Log is attached.

I tried running Malwarebytes, but it still stopped mid-way. What should I try next?

Thanks for your help!

The Captain

_Windows_Repair_Log.txt

[kevinf80]

Use GeekUninstaller (instructions in reply ID 14) and remove Malwarebytes. Re-boot when completed.....

Next,

Download Malwarebytes version 3 from the following link: https://malwarebytes.app.box.com/s/bfii1z29ca68cwr0j5l46a1igxnk7ia2 Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions.... When the install completes and is updated do the following: Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...   Does MB now complete...?

 

Edited February 19, 2017 by kevinf80

[AdvancedSetup]

Hello @GoodMorningCaptain

Kevin is out on vacation for a couple more days. If there is something more you need before he gets back please let me know.

Thanks

Ron

 

[kevinf80]

Hello again GoodMorningCaptain,

I`m back of vacation, can you give me an update on the current status of your system. also tell me if there are any remaining issues or concerns....

Thank you,

Kevin...

[GoodMorningCaptain]

Hi Kevin,

• I uninstalled Malwarebytes using Geek uninstaller
• There is nothing to download at this link: https://malwarebytes.app.box.com/s/bfii1z29ca68cwr0j5l46a1igxnk7ia2
• It says "This shared file or folder link has been removed."

What should I do?

Thanks,

The Captain

[AdvancedSetup]

Sorry for stepping in but the latest beta build can be found from this link.

Which currently has this link, though this link may change in the future, so the forum post is where one should look for updates to this beta build.

https://malwarebytes.box.com/s/d15nhbepqn0kdzc0iacrzypyic1gbkam

Thank you again

Ron

 

 

[GoodMorningCaptain]

Thanks, Ron. I downloaded the new Malwarebytes from the link you provided, made sure "Scan for Rootkits" and "Scan within Archives" were both on, and hit Scan Now.

As before, it stopped scanning when it got to the C:\Windows\Installer folder.

Do you or Kevin have a hunch about what's going wrong? Is it Malware/Spyware? Is something else malfunctioning?

Thanks,

The Captain

[kevinf80]

Hello again GoodMorningCaptain,

Run the following for me and post the produced log:

Download and save RogueKiller to your Desktop from this link: https://www.fosshub.com/RogueKiller.html/setup.exe Right click setup.exe and select Run as Administrator to start installing RogueKiller. At the next window Checkmark "Install 32 and 64 bit versions, then select "Next" In the next window skip Licence I.D. and Licence Key, select "Next" In the next window make no changes and select "Next" In the next window leave both "Additional Shortcuts" checkmarked, then select "Next" In the next window make no changes and select "Install" RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish. RogueKiller will launch. Accept UAC, then read and accept "User Agreements" In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes select "Open Report" In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply   Thank you,   Kevin

 

[GoodMorningCaptain]

Hi Kevin,

Downloaded and ran RogueKiller. It found two items it advised me to remove. Since you didn't expressly recommend I remove anything, I didn't remove them, and only exported the report. It's attached.

Please let me know if you have any questions.

Thanks,

The Captain

RK.txt

[kevinf80]

Thanks for the RK log, continue..

Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC.. In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked...   [Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{51E925B3-B318-4E29-9132-3ECA739EF89F} (C:\ProgramData\{698E0848-6D29-4305-80DC-E8D609260CE2}\p2pcollab.dll) -> Found [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1542587960-3290668355-4222242642-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1542587960-3290668355-4222242642-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1542587960-3290668355-4222242642-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02252017005912051\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1542587960-3290668355-4222242642-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-02252017005912051\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found Checkmark (tick) the following against File] entries, ensure that all other entries are not Checkmarked [PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FLV Player -> Found Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply.   Let me see that log, also try MB once more. If MB will not run and an error is produced please post that screen shot...   Thank you,   Kevin...

Edited February 27, 2017 by kevinf80

[GoodMorningCaptain]

Hi Kevin,

Ran RogueKiller again and removed the items you recommended. When I did, RK said "error" for this item, but seemed to remove the others:

[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{51E925B3-B318-4E29-9132-3ECA739EF89F} (C:\ProgramData\{698E0848-6D29-4305-80DC-E8D609260CE2}\p2pcollab.dll) -> Found

Log is attached (RK2.txt).

Ran Malwarebytes after RK. It seemed to find a lot more files to scan than before, but it still stopped working when it got to the C:\Windows\Installer folder (see attached error message).

Please let me know if you have any questions.

Thanks,

The Captain

ps: do you know of a free FLV player I could download that's safe?

RK2.txt