MBAM crashes and locks PC


Hi.

Fairly frequently, perhaps as often as three times a month, I find the PC locked up, with a notification from MBAM, in the form:

"The instruction at 0x00427be3 referenced memory at 0x0180fe10. The memory could not be read."

It also informs me that MBAM must be closed, and a button is provided to achieve this.

There is no response from the button, neither can I close MBAM via the Task Manager.

If I try to re-boot Windows, or even shut down the PC, using the usual method (Start/Turn off computer...) it stalls at "...saving your settings", so restarting is via the On/Off button.

On restart, all seems well, until the above is repeated, perhaps a week later... Or two weeks... Or a day...

As part of the above process, I am directed to examine a MBAM log file that is never in existence (perhaps because I am unable to look for it until after switch-off and switch-on) so there's no help there.

Without MBAM running on my machine, I have no problems.

I have uninstalled and reinstalled MBAM several times - including using mbam-clean.exe twixt uninstall and re-install.

At the moment, not wanting to risk an interruption to my current, I have MBAM shut down; all is well and has been for about a month.

However, I would like to have MBAM running, provided that I can solve these instabilities, so I welcome any ideas or suggestions.

Anticipating the usual request, I include a HJT log.

Regards,

kb-r

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:16:39, on 27/09/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\WINDOWS\system32\ezSP_Px.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\PROGRA~1\SYSTEM~1\WScheduler.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\FeedReader30\feedreader.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Restore Desktop\RestoreDesktop.exe

C:\Program Files\AutoSizer\AutoSizer.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Documents and Settings\k\My Documents\Downloads\SOFTWARE\PROGRAMS IN USE\TClock\TClock.exe

C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\Documents and Settings\k\My Documents\Downloads\SOFTWARE\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe

O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [sBAutoUpdate] C:\PROGRAM FILES\SPYWAREBLASTER\SBAUTOUPDATE.EXE

O4 - HKLM\..\Run: [WScheduler] C:\PROGRA~1\SYSTEM~1\WScheduler.exe /LOGON

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKCU\..\Run: [feedreader.exe] "C:\Program Files\FeedReader30\feedreader.exe"

O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe

O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: TClock.lnk = C:\Documents and Settings\k\My Documents\Downloads\SOFTWARE\PROGRAMS IN USE\TClock\TClock.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 5201 bytes

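Added example, not part of any post in this thread: a small parser for the HijackThis log format shown in the opening post that inventories which of the security products named in the thread load at boot or logon, which is the overlap the later replies ask about. The product keyword list and the function names are assumptions of this example; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Assumption: product keywords are the security tools named in this thread.
SECURITY_KEYWORDS = {
    "Avira": "avira",
    "ZoneAlarm": "zone labs",
    "SUPERAntiSpyware": "superantispyware",
    "SpywareBlaster": "spywareblaster",
    "Malwarebytes": "malwarebytes",
}
# HijackThis section codes for code that loads at boot or logon.
RESIDENT_SECTIONS = {"O4": "autorun", "O20": "winlogon-notify", "O23": "service"}
ENTRY_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")

def resident_security_components(log_text):
    """Return {product: sorted [(kind, entry)]} for boot/logon entries."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(1) not in RESIDENT_SECTIONS:
            continue
        kind, detail = RESIDENT_SECTIONS[m.group(1)], m.group(2)
        for product, needle in SECURITY_KEYWORDS.items():
            if needle in detail.lower():
                found[product].add((kind, detail))
    return {p: sorted(v) for p, v in found.items()}

def always_on_products(log_text):
    """Products that register a service or a Winlogon notify hook."""
    comps = resident_security_components(log_text)
    return sorted(p for p, items in comps.items()
                  if any(k in ("service", "winlogon-notify") for k, _ in items))

# Sample lines copied from the HijackThis log in the opening post.
SAMPLE = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [sBAutoUpdate] C:\PROGRAM FILES\SPYWAREBLASTER\SBAUTOUPDATE.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

if __name__ == "__main__":
    for product in always_on_products(SAMPLE):
        print(product, resident_security_components(SAMPLE)[product])
```
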

  • Root Admin

Well, look and set up file exclusions for your AV and then try to keep an eye out at the times you have set for updates and make sure your AV or other Security products to think the update is a rogue and attack it or temporarily block it. See how it goes and let us know.


Hi.

OK - I've added the files,

- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

to the Avira exclusions (Guard and Scan).

I shall take out SAS, reactivate MBAM, and see how it goes.

Thank you,

kb-r


@ kb-r,

Just curious, what Zone Alarm are you using? Is this the free version of the firewall or is it the full on Security Suite or Extreme Security?

Have you tried making any adjustments there?

The reason I ask is because of this quote from Zone Alarm support forums

NOTICE: Please note that ZASS and ZAXS do not play nice with many overlapping security tools (even if disabled). To troubleshoot ZASS/ZAXS issues remove the other Security programs and install them back once you see that ZA works as it should. For example, Norton/Symantec, McAfee, AVG, Spysweeper, Spyware Doctor, trojan hunter, adware, SpyBot S&D, PC tools Threat Fire, any other Anti-virus, Anti-spyware, Registry Guard or locking tools, etc...

Hi.

Thank you for the interest.

The ZA is v6.1.744, "Free" (firewall only - I have an aversion to "suites" of protection software).

If Antivir were jumping on MBAM, I would expect some indication in Antivir, especially as I have it set to do nothing automatically, but to alert and await instruction.

Also, there is nothing recorded in the Antivir log of any kind of event for the time of the MBAM crash, as recorded in the Windows event log.

There are no other scheduled activities or processes occurring at the time in question.

These failings are a fairly recent thing, starting, maybe, about 3 months ago - it's difficult to say, exactly, because, as I said at the top, it can sometimes be 2 or 3 weeks between happenings.

Also the severity of the failures has varied between a simple cessation of MBAM service (as happened yesterday evening) and a complete seizure of the PC (as I described in my first post).

The former, I would merely be inclined to shrug off and to restart MBAM; the latter, however, with the greater degree of attendant hassle, including possible loss of work, is a different matter, and the development of a "history" of these events made me decide to pursue it here.

I was hoping that it might have been a recognisable bug which occurs in some PC configurations, and that someone might have jumped in with, "Aha - that's the woozle-pinkum file that's corrupt..."

Apparently not.

I'm happy to try things like dropping the firewall, or turning off Antivir, while an auto-update takes place, but the intermittency of the failings, to a random timescale, means that unless the test condition were to be applied for the next month or so, the only reliable result would be that of another failure indicating no relation between the test scenario and the failures.

kb-r


Good morning.

Trying the Windows firewall would, I feel, be unproductive, as I would not wish to use a one-way firewall on a permanent basis.

Interestingly, I have been trying ZA v.8 (again) for the past week: sadly, it is unchanged from my last flirtation with it in that it still boosts this machine's boot time from approx 90 seconds to about 4 minutes (mostly blank desktop). This appears to be a fairly common phenomenon, with no recognisable diagnosis/cure, judging by the number of threads reporting similar issues on the ZA forum.

Of all firewalls I have tried, I find the ZA v.6.1.744 (for which I also have a "Pro." licence, which I do not use) to be clean, simple and stable; it also passes all reasonable tests available to me, both local and on the internet.

(I do recognise, however, that in all these matters, familiarity plays a very large part in one's preferences.)

Memory is fine - 2 GB of RAM, testing OK with Memtest, about a month ago.

Meanwhile, MbAM crashed again, this very morning, locking the PC, but this time on startup from a cold boot (with ZA v.8 installed!).

It appears that to achieve satisfactory operation of MbAM on this PC (should it indeed be achievable) will involve at least a lengthy period of testing various combinations of software and configurations thereof, on what is otherwise, in all aspects, a satisfactory system.

I am not paranoid enough to do this for the relatively small degree of extra protection that MbAM might give me.

Ergo, my problems have all been solved by the uninstalling of MbAM.

I have no doubt that I shall reinstall it at some time in the future, but until that time, I thank you for your patience and interest.

Regards,

kb-r


Greetings :D .

If you'd like to have one last go at making it work, and assuming you've not already done so, please set the following files as Trusted in ZA to see if it is helpful:

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Windows\System32\drivers\mbam.sys
  • C:\Windows\System32\drivers\mbamswissarmy.sys

I understand if you don't wish to troubleshoot this further, I was just presenting an idea :D .
