MBAM scans repeatably freeze after a few seconds - assistance requested

[plax]

Please help per thread: http://www.malwarebytes.org/forums/index.php?showtopic=34815

Original Message:

====================

Hello,

I recently put my old T21 ThinkPad back in service. Its OS is Windows 2000 Pro SP4. Several days ago I downloaded and installed MBAM v1.42, I updated the defs, and I ran a full scan. No problems and no malware was detected.

This morning I decided to go to the Windows Update site to get caught up on security patches. It needed 76 of them. I downloaded and installed them all, then ran Microsoft Security Analyzer to verify all was well. All patches were successfully installed.

This afternoon, I updated MBAM and tried to run a new scan. The scan stalled after 16 seconds and would not resume. I spent the rest of the afternoon trying to troubleshoot the matter. I tried multiple quick scans and multiple full scans. Each one would stall at some point between 9 and 20 seconds after it started. The MBAM GUI interface would virtually freeze (no buttons would respond) and the scan would remain paralyzed indefinitely. The only thing that worked to get out of it (aside from killing the process in task manager) is clicking the X button in the upper right corner of the interface window -- in that it would bring up the "Not Responding - End Program" dialog. The frozen MBAM would easily terminate from that dialog.

During my testing sessions I noticed in task manager that two instances of rundll32.exe were running. I found that terminating one of them would allow a newly launched instance of MBAM to easily and consistently complete either a full or a quick scan. And the results of these MBAM scans is consistently that no malware objects are detected.

There is currently no AV software installed on this ThinkPad. I was planning on installing Nod32 on it tomorrow, but I'd like to get this MBAM matter sorted first if I could. There is an older version of Sygate Pro firewall (v5) installed on it though.

Any help or suggestions will be much appreciated.

Thank you

Added comment:

I've observed yet another: Unchecking "Always scan memory objects" will also eliminate this scan stalling issue. So I can get the scans to complete by either terminating one of the two running rundll32.exe processes (and I've discovered that it must be a particular one of them that's stopped in order to eliminates the problem; terminating the other one makes no difference), OR I can deactivate the memory objects scanning function in MBAM.

====================

DDS.txt Contents:

====================

DDS (Ver_09-12-01.01) - FAT32x86

Run by Administrator at 6:20:34.91 on Tue 12/29/2009

Internet Explorer: 6.0.2800.1106

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.383.258 [GMT -8:00]

============== Running Processes ===============

C:\WINNT\system32\ibmpmsvc.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\PGPsdkServ.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\SPF\Smc.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\Program Files\Network Associates\PGP for Windows 2000\PGPservice.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4serv.exe

C:\WINNT\system32\ltmsg.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\WINNT\system32\RunDll32.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

C:\WINNT\system32\PRPCUI.exe

C:\Program Files\The Cleaner\tcm.exe

C:\WINNT\system32\RunDll32.exe

C:\Program Files\Intel\Intel PSNCU\CpuNumber.exe

C:\CFGSAFE\AUTOCHK.EXE

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\OLYMPUS\OLYMPUS Viewer\Ov_Monitor.exe

C:\Program Files\Network Associates\PGP for Windows 2000\PGPtray.exe

C:\Install\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Settings,ProxyOverride = *hotmail*;*services.msn*;*yahoo*

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll

uRun: [intelProcNumUtility] "c:\program files\intel\intel psncu\CpuNumber.exe" /nosplash

mRun: [TrackPointSrv] tp4serv.exe

mRun: [LTWinModem1] ltmsg.exe 9

mRun: [tourpath] regedit /s c:\winnt\tour.reg

mRun: [TPTRAY] c:\progra~1\thinkpad\utilit~1\TP98TRAY.EXE

mRun: [bMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor

mRun: [TpHotkey] c:\progra~1\thinkpad\utilit~1\tphkmgr.exe

mRun: [PRPCMonitor] PRPCUI.exe

mRun: [smcService] c:\progra~1\spf\Smc.exe -startgui

mRun: [tcmonitor] c:\program files\the cleaner\tcm.exe

mRun: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd

mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\pgptray.lnk - c:\program files\network associates\pgp for windows 2000\PGPtray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autochk.lnk - c:\cfgsafe\AUTOCHK.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adsubt~1.lnk - c:\program files\adsubtract\adsub.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\olympu~1.lnk - c:\program files\olympus\olympus viewer\Ov_Monitor.exe

DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261846091336

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37866.4440740741

DPF: {CEBC955E-58AF-11D2-A30A-00A0C903492B} - hxxp://windowsupdate.microsoft.com/R970/V31Controls/x86/nt5/en/actsetup.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: {E573382F-E9C7-44E0-AB68-0B8325781D7D} = 209.210.176.8,209.210.176.9

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\jr5w84pf.default\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 TPPWR;TPPWR;c:\winnt\system32\drivers\TPPWR.SYS [2001-7-11 11776]

R2 IntelPND;IntelPND;c:\winnt\system32\drivers\IntelPND.sys [2001-7-15 18528]

R2 PGPsdkServ;PGPsdkService;c:\winnt\system32\PGPsdkServ.exe [2001-9-20 65536]

R2 PGPService;PGPService;c:\program files\network associates\pgp for windows 2000\PGPservice.exe [2001-9-20 249856]

R2 PRPC;PRPC;c:\winnt\system32\drivers\prpc.sys [2001-7-11 12182]

R2 SVKP;SVKP;c:\winnt\system32\SVKP.sys [2005-11-5 2368]

R2 V7;V7;c:\winnt\system32\drivers\V7.SYS [2001-7-11 7196]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\winnt\system32\drivers\mbamswissarmy.sys [2009-12-29 38224]

R3 ne2000;Novell/Eagle NE2000 Adapter Driver;c:\winnt\system32\drivers\ne2000.sys [2001-7-20 16016]

R3 S3GSavageMX;S3GSavageMX;c:\winnt\system32\drivers\s3gsavm.sys [2003-1-24 88576]

R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\winnt\system32\drivers\tp4track.sys [1980-1-1 8991]

S3 ec2t;Linksys Combo PCMCIA EthernetCard NT Driver;c:\winnt\system32\drivers\ec2t.sys [1980-1-1 26944]

=============== Created Last 30 ================

2009-12-29 14:19:21 16384 ----a-w- c:\winnt\system32\Perflib_Perfdata_2e0.dat

2009-12-29 14:16:14 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2009-12-29 13:56:20 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2009-12-29 13:56:17 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys

2009-12-29 13:56:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-29 13:01:52 0 d-----w- c:\program files\StartUp Control

2009-12-28 21:00:05 0 d-----w- c:\program files\UPHClean

2009-12-28 16:50:59 744716 ---h--w- c:\winnt\ShellIconCache

2009-12-28 16:08:41 0 d-----w- C:\d27cc7383e44beeb149067

2009-12-28 16:08:16 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2009-12-28 15:13:34 0 d-----w- c:\program files\Microsoft Baseline Security Analyzer 2

2009-12-28 14:56:13 69904 ----a-w- c:\winnt\system32\dllcache\browser.dll

2009-12-28 14:56:13 69904 ----a-w- c:\winnt\system32\browser.dll

2009-12-28 14:56:13 442640 ----a-w- c:\winnt\system32\ipnathlp.dll

2009-12-28 14:56:13 442640 ----a-w- c:\winnt\system32\dllcache\ipnathlp.dll

2009-12-28 14:56:13 167184 ----a-w- c:\winnt\system32\WINTRUST.DLL

2009-12-28 14:56:13 167184 ----a-w- c:\winnt\system32\dllcache\wintrust.dll

2009-12-28 14:56:12 255248 ----a-w- c:\winnt\system32\h323.tsp

2009-12-28 14:56:12 255248 ------w- c:\winnt\system32\dllcache\h323.tsp

2009-12-28 14:54:45 155408 ----a-w- c:\winnt\system32\dllcache\mtstocom.exe

2009-12-28 14:50:13 107792 ----a-w- c:\winnt\system32\dllcache\tshoot.ocx

2009-12-27 00:08:40 57344 ----a-w- c:\winnt\uneng.exe

2009-12-27 00:08:40 0 d-----w- c:\program files\common files\Adaptec Shared

2009-12-26 21:02:59 0 d--h--w- c:\winnt\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$

2009-12-26 21:00:19 957 ----a-w- c:\winnt\setup.inf

2009-12-26 21:00:19 283 ----a-w- c:\winnt\setup.rpt

2009-12-26 21:00:15 0 d-----w- c:\winnt\mui

2009-12-26 18:57:51 0 d-----w- C:\0dd5435c07f835984914c35fb815

2009-12-26 16:50:23 21728 ----a-w- c:\winnt\system32\wucltui.dll.mui

2009-12-26 16:50:23 17632 ----a-w- c:\winnt\system32\wuaueng.dll.mui

2009-12-26 16:50:23 15072 ----a-w- c:\winnt\system32\wuaucpl.cpl.mui

2009-12-26 16:50:22 15064 ----a-w- c:\winnt\system32\wuapi.dll.mui

2009-12-26 16:50:22 0 d-----w- c:\winnt\system32\SoftwareDistribution

2009-12-26 01:22:47 65240 ----a-w- c:\winnt\system32\drivers\avgntflt.sys

2009-12-25 23:50:05 0 d-----w- c:\program files\CCleaner

2009-12-25 22:37:49 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2009-12-25 22:37:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-12-25 21:26:11 0 d-----w- c:\winnt\winsxs

2009-12-25 19:54:37 499712 ----a-w- c:\winnt\system32\MSVCP71.dll

2009-12-25 19:54:37 348160 ----a-w- c:\winnt\system32\MSVCR71.dll

2009-12-25 19:54:37 1060864 ----a-w- c:\winnt\system32\MFC71.dll

==================== Find3M ====================

2009-12-27 00:08:42 58000 ----a-w- c:\winnt\system32\drivers\cdr4_2k.sys

====================

NOTE: I'm unable to find a way to attach the attach.zip file (containing attach.txt and ark.txt). Perhaps I can do it on a reply.

Thank you

[plax]

I've concluded that it's the rundll32.exe instance that's handling Tweak UI which causes the MBAM scan stalling issue. Repeated testing establishes that the other one that handles the ThinkPad utilities makes no difference whether or not it's running. If I disable the Tweak UI call in the registry at HKLM\SOFTWARE/Microsoft\Windows\CurrentVersion\Run and reboot the machine, the registry value remains disabled (or deleted - whichever I've done) but the second instance of rundll32.exe still loads and must be terminated before MBAM will scan. Conversely, if I disable the ThinkPad utilities call at the HKLM Run key, the associated rundll32.exe process will no longer start upon the next reboot. But even with just the single instance of rundll.exe running (that's handling the Tweak UI activities), MBAM still refuses to scan for longer than 20 seconds. So it appears to be an issue related to Tweal UI and its DLL dynamics. The strange thing is that before I installed the Microsoft security patches yesterday, MBAM would scan fine without issue and Tweak UI was running then as well.

The reason I want to continue using Tweak UI is because of its ability to auto-clear various logs, lists, and histories upon restarting the laptop. So I'd prefer to keep using it but I'd also like to be able to use Malwarebytes as an on-demand tool, and do so without having to guess which rundll.exe isntance to terminate first.

[plax]

I finally figured out that my secondary script filter on this particular PC was blocking JavaScript here. I've thus exempted malwarebytes.org from said filtering so here's my belated attachment for the ThinkPad issue.

If you require any other information please let me know.

Thnaks kindly

attach.zip