High CPU consumption

[Nazareno]

Hi. I have a problem with anti-ransomware beta. It consumes 24 or 25% of the CPU. I hope someone can help me. Thank you very much in advance.
Greetings.

MalwarebytesARW.zip

[1PW]

Hello @Solitario:

The Malwarebytes' developers/staffers/helpers must have good data for a quality fault analysis.  Thank you for the data archive.  The Malwarebytes' developers/staffers have written a recently updated data gathering tool to assist their analysis.  Please download/run the following Malwarebytes written data gathering support tool, on the system in question, freshly restarted in the Windows NORMAL boot mode:

1. Download the trusted, Malwarebytes authored arwlogs.exe utility/tool and save to a system Administrator's desktop of the system in question.
2. arwlogs.exe is an information gathering tool that neither installs nor does it make system/registry hive changes.
3. Single right-click the   arwlogs.exe icon and select   Run as administrator.
4. If a Windows User Account Control (UAC) alert/prompt for arwlogs.exe appears, select the "Yes" button to continue.
5. If a Windows SmartScreen warning alert/prompt for arwlogs.exe appears, select "More info" then select the "Run anyway" button to continue.
6. A Command window will appear and its contents may be mostly ignored.
7. When "Press any key to continue . . . " appears at the bottom of the Command window, type an Enter key to close the window.
8. A zipped archive (yyyy-mm-dd-{COMPUTERNAME}.zip) should have been generated to the system Administrator's desktop.
9. Delete arwlogs.exe from the Administrator desktop.
10. Attach the above zipped archive to your next reply in this topic.

Although more data may be required, after the requested data is posted, the Malwarebytes' team can commence their analysis.  Thank you always for your assistance.

Edited May 27, 2017 by 1PW

[Nazareno]

Thank you very much for the reply. Attached as requested.

2017-05-27-EMANUEL.zip

[1PW]

Hello @Solitario:

A cursory examination of the data logs did not produce an immediate reason for increased CPU use.  Rather than a simple re-install of MBARW BETA, please consider a clean install of MBARW BETA 8 (v0.9.17.661) that guarantees the highest integrity and file/directory ownership:

1) Please delete any previous copies of the MBARW_Setup.exe file(s) from the system in question.
2) Close all open user applications followed by a conventional Windows-based uninstall of Malwarebytes Anti-Ransomware through the Windows system Control Panel.
3) If MBARW Beta was uninstalled successfully, all of the possible following sub-directories will have been deleted from a typical Windows 10 x64 system:

   "%ProgramFiles%\Malwarebytes\"                      
   "%ProgramData%\MalwarebytesARW\"

4) If any of the above sub-directories remain, please delete them manually.  If necessary, any remaining/uninstalled sub-directory may need to be deleted in the Windows 10 Safe mode.
5) Execute a conventional Windows restart to the Normal Windows boot mode and log-in through an Administrator's account. <===IMPORTANT!
6) Using an Administrator's account only, download a fresh MBARW_Setup.exe file and save to the Administrator's Desktop from the New version - BETA 8 - now available! topic.
7) Single right-click the saved MBARW_Setup.exe file and left-click   Run as administrator from the context menu and continue.
8) Upon a successful clean install, please restart the computer in a conventional manner to the Windows 10 Normal boot mode.

Please reply to your topic with the status of your reported issue.  Thank you for testing the perpetual MBARW BETA and your valued feedback.

VT analysis of a known good MBARW_Setup.exe download from Malwarebytes' CDN: https://www.virustotal.com/file/d083b763222c24669a03fb6db66d300ec99ae2ff7d43b581fbef4f5a2ac05578/analysis/1495802106/

 

Edited May 27, 2017 by 1PW

[Nazareno]

thank you very much. Clean installation already done.

 

Edited May 27, 2017 by Solitario

[1PW]

Hello @Solitario:

I agree that the Windows 10's MBAM Service CPU use should be at 0% on an otherwise idle system.

The data produced by the Farbar Recovery Scan Tool (FRST64) logs may be of further troubleshooting assistance.

1. Please download FRST64.exe to an Administrator's desktop only.
2. Single right-click the icon and select Run as administrator to start the tool in the passive reporting mode.
3. If a Windows User Account Control (UAC) alert/prompt window for FRST64.exe appears, select the "Yes" button to continue.
4. If a Windows SmartScreen warning alert/prompt window for FRST64.exe appears, select "More info" then select the "Run anyway" button to continue.
5. When the FRST's (x64) GUI opens, left-click "Yes" button in the Disclaimer of warranty window.
6. Please do not uncheck any Whitelist boxes.  Ensure that only the Optional Scan's Addition.txt box is checked.
7. Select the "Scan" button and wait until the tool has run to completion.  (About 3-5 minutes or less.)
8. The FRST64 tool should have written two log files to the Administrator's desktop (FRST.txt and Addition.txt) and will also open them with the system's default text editor.
9. Close the two FRST text report windows and the FRST (x64) GUI window.
10. Only attach the two (2) separate text (.txt) files to your next reply to this topic.
    

Thank you for your help.

[Nazareno]

FRST.txt

Addition.txt

[1PW]

Hello @Solitario:

Thank you for the perfect FRST logs.

As you may have read, the Windows Event Logs show that two MBARW files (mbarw.exe and MB3Service.exe) may be indirectly involved in Windows detected 0xc0000005 (Access Violation) application errors.

Question:  Is the MBAM Service/MB3Service CPU utilization percentage high, as you have illustrated, at all times?

As an extremely brief test, please temporarily suspend the Kaspersky product(s) from operating and then check to see if the MBAM Service CPU utilization percentage normalizes and then return all to normal operation.  Follow by replying to this forum topic with the results of that brief test.

A request will has been made to Malwarebytes' management for escalation regarding the system's issue.  Please understand that the U.S.A. (where much of the management and MBARW technical expertise lives) is celebrating a long weekend involving a federal holiday (Memorial Day).

Thank you for your patience and understanding.

Edited May 28, 2017 by 1PW
Escalated

[Nazareno]

With kaspersky disabled, consumption is the same. Consumption of the process is high at all times.

[Nazareno]

Find the solution. The process was blocked by Comodo firewall. Unlock it and the CPU returned to normal. I attach an image. Many thanks for your attention.
Greetings.

 

[1PW]

Hello @Solitario:

Thank you for the good news update.