
I'll start by noting that this issue does not exist on one machine, but several machines which are all on the same domain.  However, not every machine on the domain has this issue.  The machines all use either Windows 7 or Windows 10.

Malwarebytes does not freeze.  What happens is at some point during any point after scanning "startup items" the scan will suddenly appear stuck as the "number of objects scanned" will stop increasing.  The scan timer will keep ticking the entire time, but no progress is being made.  I can pause the scan, and when I resume the scan there is no change in progress.  The graphic with the spinning green arrows keeps going as normal even with no progress being made.  I can let the scan keep going all night, and when I come back the next day the scan will still be stuck at the same spot as before.  Upon finally hitting cancel, the scan acts like something is happening, but nothing ever happens.  I am forced to go into task manager and end process on "malwarebytes service" in order to perform another scan.  I am able to navigate through all of the other various menus within the program during a scan, etc.  The scan is never stuck on the same file, file type, etc.  Sometimes it will sit on "Scanning startup items" or "scanning file system" or during "registry items" or even during "heuristics analysis", but the number of objects scanned does not increase.

The only way Malwarebytes can complete a scan is by going to the custom scan menu, choosing the custom scan option, and unchecking "Scan Startup and Registry settings."

I can deselect all other options other than startup and registry settings, and the scan will become stuck during "heuristics analysis".

So far I am still able to complete a threat scan on three different machines out of many that cannot.  All machines can complete a scan by unchecking startup and registry settings from the scan.  One of these three machines is running Windows 7, while the other two are running Windows 10.  Windows and all other programs are up to date.  I've tried excluding as well as completely uninstalling and purging the antivirus since that is the only program other than Windows/Microsoft office/adobe reader that is consistent between all machines (removing any or all of these programs does not change the outcome either), but that did not change the outcome of the scan.  The antivirus has since been reinstalled.

 

I'm running out of ideas.  Any ideas and help are appreciated.  I have tried using 3.2 beta version as well, and there is no change in the outcome of the scan.

mb-check-results.zip


On this computer mbam.exe has crashed along with many other issues. In most cases Kaspersky antivirus works alongside Malwarebytes, but it's possible it needs exclusions set up.

 

 

==================== Event log errors: =========================

Application errors:
==================
Error: (08/17/2017 01:37:43 PM) (Source: SideBySide) (EventID: 74) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\x64\kldw.exe".Error in manifest or policy file "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\x64\kesruntime140.DLL" on line 2.
The requestedPrivileges element is not allowed in component manifest.

Error: (08/17/2017 01:36:46 PM) (Source: SideBySide) (EventID: 74) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\x64\kldw.exe".Error in manifest or policy file "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\x64\kesruntime140.DLL" on line 2.
The requestedPrivileges element is not allowed in component manifest.

Error: (08/17/2017 01:31:06 PM) (Source: Group Policy Shortcuts) (EventID: 8194) (User: NT AUTHORITY)
Description: The client-side extension could not apply user policy settings for 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' because it failed with error code '0x80070003 The system cannot find the path specified.'%apply00790275

Error: (08/17/2017 01:30:55 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamservice.exe, version: 3.1.0.479, time stamp: 0x58f6af02
Faulting module name: mbamservice.exe, version: 3.1.0.479, time stamp: 0x58f6af02
Exception code: 0xc0000005
Fault offset: 0x0000000000065d25
Faulting process id: 0x2054
Faulting application start time: 0x01d31786f4e4b43f
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
Report Id: 64fc3df9-c8ca-4bd8-9423-af22a8863f55
Faulting package full name: 
Faulting package-relative application ID:

Error: (08/17/2017 10:37:41 AM) (Source: Perflib) (EventID: 1023) (User: )
Description: Windows cannot load the extensible counter DLL rdyboost. The first four bytes (DWORD) of the Data section contains the Windows error code.

Error: (08/17/2017 10:37:41 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Error: (08/17/2017 10:28:16 AM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0

Error: (08/16/2017 03:27:52 PM) (Source: Group Policy Shortcuts) (EventID: 8194) (User: NT AUTHORITY)
Description: The client-side extension could not apply user policy settings for 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' because it failed with error code '0x80070003 The system cannot find the path specified.'%apply00790275

Error: (08/16/2017 03:23:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SystemSettingsBroker.exe, version: 10.0.15063.0, time stamp: 0x9ce1da64
Faulting module name: ntdll.dll, version: 10.0.15063.447, time stamp: 0xa329d3a8
Exception code: 0xc0000005
Fault offset: 0x000000000003bbdf
Faulting process id: 0xb3c
Faulting application start time: 0x01d316cd7826212b
Faulting application path: C:\Windows\System32\SystemSettingsBroker.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: a00764b8-ce42-4ad4-90ec-dc8ba70cb012
Faulting package full name: 
Faulting package-relative application ID:

Error: (08/16/2017 01:22:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 3.0.0.1068, time stamp: 0x59125ef2
Faulting module name: Qt5Core.dll, version: 5.6.2.0, time stamp: 0x58ed4d4f
Exception code: 0xc0000005
Fault offset: 0x0018da93
Faulting process id: 0x2370
Faulting application start time: 0x01d316bc8e40dc33
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: bf368551-748e-4e32-a08b-960204efc5a2
Faulting package full name: 
Faulting package-relative application ID:


System errors:
=============
Error: (08/17/2017 03:47:30 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (08/17/2017 03:10:21 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain NCIMFG due to the following: 
We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.


This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (08/17/2017 03:09:31 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (08/17/2017 01:37:45 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Malwarebytes Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (08/17/2017 01:32:01 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (08/17/2017 01:32:01 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (08/17/2017 01:32:01 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NCIMFG)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (08/17/2017 01:31:44 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (08/17/2017 01:31:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CldFlt service failed to start due to the following error: 
The request is not supported.

Error: (08/17/2017 01:27:38 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

 

Ignoring the many other errors, please try the following on this computer.

Run the MB-Clean process from this topic and reboot the computer after the install even though it won't ask you to.

Then try a new Threat Scan and let me know if that works or not.

Thanks

Ron
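
A way to pull only the Malwarebytes crash evidence out of an event-log dump in the format quoted above, so the same check can be repeated on the other affected domain machines. This is an added example, not part of the original post or of any Malwarebytes tool; the function names are hypothetical and SAMPLE is an abridged copy of entries from the log above.

```python
import re
from datetime import datetime

# Abridged copy of entries from the event-log dump quoted in the post above.
SAMPLE = """\
Error: (08/17/2017 01:37:45 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Malwarebytes Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/17/2017 01:30:55 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamservice.exe, version: 3.1.0.479, time stamp: 0x58f6af02
Faulting module name: mbamservice.exe, version: 3.1.0.479, time stamp: 0x58f6af02
Exception code: 0xc0000005
Fault offset: 0x0000000000065d25

Error: (08/16/2017 03:23:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SystemSettingsBroker.exe, version: 10.0.15063.0, time stamp: 0x9ce1da64
Faulting module name: ntdll.dll, version: 10.0.15063.447, time stamp: 0xa329d3a8

Error: (08/16/2017 01:22:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 3.0.0.1068, time stamp: 0x59125ef2
Faulting module name: Qt5Core.dll, version: 5.6.2.0, time stamp: 0x58ed4d4f
Exception code: 0xc0000005
Fault offset: 0x0018da93
"""

HEADER = re.compile(r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<src>[^)]*)\) \(EventID: (?P<id>\d+)\)")
FIELD = re.compile(r"^(?:Description: )?(Faulting application name|"
                   r"Faulting module name|Exception code|Fault offset): ([^,\s]+)")

def parse_events(text):
    """Split the dump into one dict per 'Error: (...)' entry."""
    events, cur = [], None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            cur = {"time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                   "source": m["src"], "event_id": int(m["id"]), "body": ""}
            events.append(cur)
        elif cur is not None and line.strip():
            cur["body"] += line + " "
            if (f := FIELD.match(line)):
                cur[f[1]] = f[2]  # e.g. cur["Exception code"] = "0xc0000005"
    return events

def malwarebytes_faults(events, apps=("mbam.exe", "mbamservice.exe")):
    """Return (time, process, faulting module, exception code, offset), oldest first."""
    hits = []
    for e in events:
        app = e.get("Faulting application name", "").lower()
        if (e["source"], e["event_id"]) == ("Application Error", 1000) and app in apps:
            hits.append((e["time"], app, e.get("Faulting module name", ""),
                         e.get("Exception code", ""), e.get("Fault offset", "")))
        elif e["source"] == "Service Control Manager" and e["event_id"] == 7031 and "Malwarebytes" in e["body"]:
            hits.append((e["time"], "service", "terminated unexpectedly", "", ""))
    return sorted(hits, key=lambda h: h[0])
```

Comparing the faulting module and offset returned for each machine shows whether the hosts that hang share one crash signature or fail in different places.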

 

 


Unfortunately, nothing appears to have changed.  After starting a threat scan it's been stuck scanning startup items.  At the time of this post it's over 20 minutes with the same number of items scanned.

 

 

malwarebytes_stuck.jpg

mb-clean-results.txt


On this same computer, can you temporarily uninstall Kaspersky antivirus? Then reboot again and try the Malwarebytes scan again.

If it hangs again, please follow the directions from the post below and provide those new updated logs.

Thanks

Ron

2 minutes ago, thejayroh said:

Uninstalling Kaspersky (using Kaspersky's removal tool by the way) didn't change the outcome.

@thejayroh just FYI... please do not use Kaspersky's removal tool unless you are otherwise unable to remove Kaspersky via the normal uninstaller. This tool is known to have ill effects at times and is a means of last resort. This comment is unrelated to MBAM or other conflicts.

3 minutes ago, Telos said:

@thejayroh just FYI... please do not use Kaspersky's removal tool unless you are otherwise unable to remove Kaspersky via the normal uninstaller. This tool is known to have ill effects at times and is a means of last resort. This comment is unrelated to MBAM or other conflicts.

The normal uninstaller has issues getting rid of Kaspersky completely, which is when I learned of this tool.


Even when zipped, the dump file is 207 MB in size which is well over the 29 MB limit for attachments.

Edited by thejayroh
clarifications

4 minutes ago, thejayroh said:

Even when zipped, the dump file is 207 MB in size which is well over the 29 MB limit.

You can use a site such as https://wetransfer.com/ to upload your files and then provide the link to Ron...


Upload File(s) to WeTransfer:

  • Visit WeTransfer.com
  • Click on I Agree
  • Click on the icon on the lower left indicated in the below image
  • Select the Link option
  • Click on +Add Files
  • Browse to the location of the file and double-click on it or click once on it and select Open
  • Click on Transfer
  • Once the transfer completes, click on Copy link
  • Once you receive the Copied! message as indicated below, paste the link into your next reply


MBAMService.DMP

 

The scan has been stuck for over approximately two hours scanning File System.  There is no name for what file is being scanned, just the words "File System" in the field where the name of the file being scanned should be placed.

malwarebytes_stuck.jpg


This is the exact same problem that I reported some months ago, so will be watching with great interest :-)


An update on this issue:

I haven't been having this issue on subsequent machines.  I stopped deactivating the however-many-day trial of the paid version before running the first scan, and the machines where I didn't deactivate the trial first do not have this issue.  However, I have tried downloading the new version of malwarebytes to the problematic computers which has reactivated a trial, but there is no change on any of the machines which already had the stuck-scan issue.

Edited by thejayroh
spelling

5 hours ago, AdvancedSetup said:

Thanks for the update @thejayroh

So, at this time, all the systems appear to be scanning okay now?

Ron

 

Negative, only the systems where I did not deactivate the trial first.


Okay, well. In order to continue I need to get a fresh set of logs from one of the affected systems that is not working properly please.

Thanks

Ron

 

