Jump to content

Recommended Posts

Is there any plan to fix these problems?

I still see MBAMService hang around after running a full scan and exiting the UI.  And after forcibly stopping the service it sometimes comes back on its own.

If I scan just one item, which automatically starts the service, after closing the software through the tray icon it cleans itself up and the service exits.  Why not after a full scan?

Also, why does it regularly log errors about registry copies being recovered? 

I don't want regular system errors logged, and I don't want any of MalwareBytes software hanging around all the time, soaking up system resources for no reason.

Quote

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-18-0XXXXXXXXXXXXXXXXX4-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-3XXXXXXX2-1XXXXXXXX6-6XXXXXXXX9-4XX2-0XXXXXXXXXXXX6-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

 This seems like a messy implementation.  It's hard to want to trust software that has these kinds of implementation problems...

-Noel

Link to post
Share on other sites

OK, I'm reporting back.  A scan with the 3.1.1.1722 beta performs no differently w/regard to the issues I've reported here:

1.  It logged two Errors in the System event event log:

Quote

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-18-XXXXXXXXXXXXXXXXX-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

{Registry Hive Recovered} Registry hive (file): '\??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX-XXXXXXXXXXXXXXXXX-ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.

2.  As before, the MBAMService.exe becomes stuck, apparently in a "Stopping" state and unable to accept more controls, after the scan UI and tray icon have been exited via normal means.

http://Noel.ProDigitalSoftware.com/ForumPosts/Win81/MBAMService1.png

http://Noel.ProDigitalSoftware.com/ForumPosts/Win81/MBAMService2.png

A subsequent attempt to scan fails with the message "Unable to connect to service".

http://Noel.ProDigitalSoftware.com/ForumPosts/Win81/MBAMService3.png

Forcibly closing MBAMService.exe results in an error message (shown below) being logged, then the auto-restart of both MBAMService.exe and mbamtray.exe, then the service will successfully auto-exit if the tray icon is again closed.

Quote

The Malwarebytes Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

You folks have to understand that some of us don't want the service or tray icon running all the time!

-Noel

Link to post
Share on other sites

Just to clarify, when you quit Malwarebytes you're right clicking the system tray icon and choosing Quit Malwarebytes? If so, can you please restart your computer, go to Malwarebytes -> Settings -> Applications and turn on Event Log Data. Then try to right click the system tray icon and choose quit malwarebytes. Give it at least 30 seconds, and then please zip up the c:\ProgramData\Malwarebytes\MBAMService\logs folder and upload it here as a reply. Thank you

Link to post
Share on other sites

Yes, exactly.  Thank you for following up with me.

I have done as you asked:

1.  Enabled the logging.

2.  Ran a Threat Scan, which completed in about 6 minutes.

3.  I noted that the "registry corruption" errors were logged in the System event log.

4.  Exited the MalwareBytes UI via the X caption button in the upper-right corner.

5.  Right clicked on the M in the system tray and chose Quit Malwarebytes.

6.  Verified that MBAMService.exe did not auto-exit and entered a state where it is not accepting controls.

I will PM you a link to a zip file containing the logs. 

-Noel

Link to post
Share on other sites

Couple more questions:

  • How long did you wait after the threat scan finished to quit Malwarebytes from the tray?
  • If you wait longer, does it change how the service responds?
  • If you don't run a threat scan, does this issue still happen?
  • After the service hangs, can you create a memory dump? You can do this by opening task manager, finding mbamservice.exe, and clicking Create Dump file. If you do not have Windows 8+, you may need to use a separate tool like ProcessExplorer from Sysinternals
Link to post
Share on other sites

I probably waited only 5 or 10 seconds, with the thinking being generally "the scan is done, nothing bad was found, now I want to exit MBAM and move on to other work".

I'll try it again and wait longer between the operations.  Keep in mind this is a VERY fast workstation with a high performance I/O subsystem, so waiting is not usually necessary with much of anything.

Based on info from before, if I don't run a threat scan, or even if I scan just one file, then exiting by right-clicking the tray icon and choosing "Quit MalwareBytes" causes the successful exit of the service.  But I've just tested again to be sure...

Observations:

  • If I right-click a file in Explorer and choose "Scan with Malwarebytes", the UI opens, does the scan successfully, then I exit the UI and can successfully exit all the MBAM software (including the service) by right-clicking the tray icon and choosing "Quit MalwareBytes".
     
  • If I start Malwarebytes then choose Scan Now, it does the scan successfully after a few minutes then I exit the UI and can exit the tray icon executable, but the service does NOT exit on its own.

I tried waiting a long time (10 minutes) after the threat scan finishes to close the UI and tray applications and this doesn't seem to affect the behavior of the second item above.

-Noel

Link to post
Share on other sites

2 hours ago, NoelC said:

You folks have to understand that some of us don't want the service or tray icon running all the time!

Do you want real-time protection? Tray and service have to be on. Are you just wanting manual scans from time to time?

Link to post
Share on other sites

Quote

Do you want real-time protection?

Absolutely not.  I am only interested in a manual scan as a double check to back up my other methods of keeping malware-free. 

My evaluation has shown that MBAM "real time protection" introduces unacceptable performance overhead on a system that's not exposed to malware normally anyway.

-Noel

Edited by NoelC
Link to post
Share on other sites

45 minutes ago, NoelC said:

Absolutely not.  I am only interested in a manual scan as a double check to back up my other methods of keeping malware-free. 

My evaluation has shown that MBAM "real time protection" introduces unacceptable performance overhead on a system that's not exposed to malware normally anyway.

-Noel

 
 

Answered my own question nevermind.  

Edited by Porthos
Link to post
Share on other sites

I believe dcollins has gone home for the day, but I can provide the instructions you need.  I'm basing these instructions on Windows 7 as that's what I have, however they should be similar if not identical in your own version of Windows.  If they do differ greatly from what you observe on your own system and you're unsure how to proceed, please let me know the version of Windows you're using and I'll do my best to locate the appropriate info on how to perform these tasks in your version of Windows.

  • First, please replicate the issue you reported so that the process is in a hung state trying to stop

  • Next, open Task Manager by pressing CTRL+Shift+Esc on your keyboard and find the stuck Malwarebytes process in the list of running programs/processes and right-click on it then select Create Dump File

  • Once that's done and you receive a message from Task Manager stating that the dump has been created and listing where it is located, go to the folder where it was created and move it to your desktop or any other location where you will be able to easily find it

  • Right-click on the dump file and hover your mouse over Send to... and choose Compressed (zipped) folder and either attach the zipped dump file to your next reply or, if it is too large, hang on to it for now and wait for Devin to return so that he can provide you with his preferred location for large uploads

Edited by exile360
Link to post
Share on other sites

  • 1 month later...
4 hours ago, lazarhead said:

So I'm having the same issue and yes on Win7. Any news? Any update that fixes it starting again?

Let us get a clean install of the current version.

We have another tool called MB-Clean which will automate the whole process for you.

 Tool can be found at https://downloads.malwarebytes.com/file/mb_clean

1. After downloading the tool run the tool.

2. The tool will automatically clean up the older possibly damaged installation and will ask you for a restart.

3. Restart your system and then the MB-Clean tool will prompt you to re-install the latest product .

4. Click on "Yes" to reinstall MB 3.×.

5. Now you will have the latest product installed.

Please let me know if you are still seeing issues after the latest product install.

 

Link to post
Share on other sites

9 hours ago, lazarhead said:

Scratch that, it doesn't work. Comes back.

To figure out what is going on we need some diag logs.

  • Use mb-check to gather MB3 logs:
    1. Download mb-check from here and save to your desktop
    2. Run mb-check and within a few second the command window will open and then close
    3. This will produce one log file on your desktop: mb-check-results.zip
    4. Attach this log file to your post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area
  • Create and obtain Farbar Recovery Scan Tool (FRST) logs
    1. Download FRST and save it to your desktop
      1. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
    2. Double-click to run and when the tool opens click Yes to the disclaimer
    3. Press Scan button
    4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
      1. Attach both of these logs to your post by clicking on the "Drag files here to attach, or choose files..." or simply drag the files to the attachment area
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.