MBAM getting stuck while scanning

[Kratch]

Hi. So I've been having a problem where MBAM gets stuck on a certain file (or at least, on a specific area). One the last two scans I ran, the scan stopped running at the files shown in the images below. The timer still ticked up, but no more files were scanned and the second scan could not be cancelled.

Is this a problem with the program, or do I have reason to be concerned about malware? Any help would be appreciated. 

[Firefox]

Hello and Welcome

Sorry your having issues, the logs below will help the team better understand what my be going on.

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues....

1. FIRST: Create and obtain Farbar Recovery Scan Tool (FRST) logs
2. Download FRST and save it to your desktop
   NOTE: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
3. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
4. Press the "Scan" button
5. This will product two files in the same location (directory) as FRST: FRST.txt and Addition.txt
   NOTE: These two files will be collected by the MB-Check Tool and added to the zip file for you
6. NEXT: Create and obtain an mb-check log
7. Download MB-Check and save to your desktop
8. Double-click to run MB-Check and within a few second the command window will open, then click "OK"
9. This will produce one log file on your desktop: mb-check-results.zip
10. Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area
    

Thank You,

Firefox

[Kratch]

FRST.txt

Addition.txt

mb-check-results.txt

Edited October 6, 2017 by Kratch

[Firefox]

Can you upload the whole mb-check-results.zip that was created on your desktop please?

[Kratch]

mb-check-results.zip

[dcollins]

Thanks for this. Here's another set of information we'll need as it will help us get more advanced logs for this.

1. Downloads FRST from https://downloads.malwarebytes.com/file/frst64 and save it to your desktop
2. Download the attached fixlist.txt file and save it to your desktop
3. Run FRST and accept the EULA if prompted
4. Click fix and wait a few seconds
5. Once completed, close the notepad window and FRST
6. Private Message me the fixlog.txt file that should be created on your desktop

fixlist.txt

[Kratch]

So no one ever got back to me on this...

[dcollins]

Sorry about that, I never clicked send on the reply to the message you sent me.

Can you try disabling rootkit scanning and seeing if your problem goes away.

If that does work, please turn rootkit scanning back on, and follow the details below:

1. Download CaptureTrace - Logman.zip from the following link: https://malwarebytes.box.com/s/rywipu0jyyfiza9aqk8owxlkhuw6j2lu
2. Extract the capture.bat file from inside the zip
3. Right click on capture.bat and choose Run as Administrator
4. After a few seconds, you should get a message that says "Please attempt to reproduce your issue, and wait 30 seconds"
5. Run a scan that causes the hang
6. Wait for the hang to happen and wait 5-10 more minutes
7. With the scan still running, go to the black Window from step 4 and press enter.
8. This should create at least one .etl file. Please zip up all the .etl files and attach them in your reply
   • If the files are too big to attach, use wetransfer.com to send them to dcollins@malwarebytes.com

[Kratch]

Did you get my message? I'll upload the file again here.

RTPEvents.etl-ets_000001.zip

[Kratch]

Is anyone ever going to get back to me on this...?

[Firefox]

8 hours ago, Kratch said:

Is anyone ever going to get back to me on this...?

@dcollins @nikhils @Maurice Naggar

[dcollins]

Sorry about that, I was working with our engineers to determine what else we needed to gather. Can you please follow the details below to generate a memory dump:

1. Download Procdump.zip from the following URL: https://malwarebytes.box.com/s/7gdfv6it0xsgu1mzbt3dbbyjcg7kguep
2. Extract the Procdump.zip file to a folder
3. Run a scan that causes the hang, and wait for the hang to happen
4. Once the hang happens, open the folder from step 2 and run 6 - mbamservice_kernel.bat
5. This should open a window and after a few seconds, it should close
6. In the folder from step 2, you should now have at least one .dmp file
7. Please zip up these files and either upload them here, or if they're too large, use wetransfer.com to send them to dcollins@malwarebytes.com

Thanks, and sorry for the delay

[Kratch]

MBAMService.exe_171110_010027.zip

[dcollins]

Have you tried upgrading to 3.3.1 yet? I don't believe it will solve your issue, but it's a good step 1 for where we'll go next.

https://downloads.malwarebytes.com/file/mb3

If installing 3.3.1 doesn't help, please run mb-check again and upload the new zip file, then we'll get a little bit more information.

[Kratch]

already upgraded a week ago. didn't help.

 

 

mb-check-results.zip

 

 

[Kratch]

bump

[lock]

I can confirm that. The same "MBAM gets stuck on a certain file " , in my situation is a .dll file.

[Porthos]

On 11/13/2017 at 5:07 PM, Kratch said:

already upgraded a week ago. didn't help.

This needs to be corrected.

Quote

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
    C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe    REG_SZ        ELEVATECREATEPROCESS

 

 

Go to the folder C:\Program Files\Malwarebytes\Anti-Malware\
Find the file mbam.exe and right click on it and choose Properties
In the window that pops up click on Compatibility Tab
Remove any changes there that don't match my picture below and click OK

Please restart.

[dcollins]

If you turn off rootkit scanning, does the issue go away?

[lock]

14 hours ago, lock said:

I can confirm that. The same "MBAM gets stuck on a certain file " , in my situation is a .dll file.

Here where is stuck:

[Kratch]

Porthos: I looked at the properties. Everything was already unchecked. Also, some of the options were different; I assume that's down to OS differences?

 

As for rootkit scanning, the scan did complete without rootkit scanning, albeit in much less time than with it enabled (not counting the hang, obviously). 

[dcollins]

@Kratch correct, rootkit scanning will greatly increase the scan time due to the nature of the scan. That being said, it shouldn't be hanging though. We are still looking into what other data we can attempt to grab here

[BruceAJohnson]

I've seen the same thing with several computers, and it has been happening for months, using Malwarebytes Free (up-to-date).  Today, I let one go for 6 hours before cancelling the scan.

What I see is that the scan doesn't necessarily stall, but it will take longer and longer to scan files in C:\Windows\WinSxS.  Eventually it gets to the point where it is taking many minutes for files that are less than 100 KB.

When I know I'm going to be working on one of these computers that Malwarebytes malfunctions, I just run the Malwarebytes threat scan, and/or run scans with other products.  I'll try leaving the rootkit scan unchecked next time.