MBAM Quick Scan "freezing" after 5-10 seconds

[Perth2008]

G'day All

I've noticed the above problem over the last week. Some of the symptoms appear to be consistent with the freezing issues of about a year ago, see here:

http://forums.malwarebytes.org/index.php?s...0&start=40)

MBAM is an important part of my daily system checking so when it stops working I get concerned.

I have scanned my system with my the following AV products:

• Norton360 2.5.05
  
• Spybot S&D
  
• Windows Malicious Software Removal Tool (Feb 2010)
  

Also resident are:

• WinPatrol
  
• Spyware Blaster
  

So as far as I can tell my system is OK on the virus/malware/trojan front and it is likely some (new) incompatability issue.

Although the Quick Scan stops working (while scanning c:\windows\system32) I can still do context menu scans on individual files or folders. Excerpt below:

Malwarebytes' Anti-Malware 1.44

Database version: 3764

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

20/02/2010 9:48:29 AM

mbam-log-2010-02-20 (09-48-29).txt

Scan type: Quick Scan

Objects scanned: 10

Time elapsed: 3 second(s)

I have uninstalled and re-installed MBAM twice however the same freezing occurs whether or not my Norton360 AV and firewall is active or not. I exit the program using Windows Task Manager after waiting for ~1 hour.

I recall that the previous time MBAM froze for me and others (link above) MBAM was actually running in the background but was showing as "Not Responding" however this time the CPU performance graph is "flat-lining" suggesting MBAM is not running. I've noticed no unusual programs/problems looking at my HijackThis file ... although I am NOT an expert by any stretch.

Perhaps it's the new Windows or IE security updates which were installed about the time MBAM started misbehaving? Puzzling.

Any comments/solutions/work arounds would be appreciated.

For the record the last successful Quick Scan on MBAM, about 5 days ago, was as per extract below (no problems found):

Malwarebytes' Anti-Malware 1.44

Database version: 3741

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

15/02/2010 8:00:24 PM

mbam-log-2010-02-15 (20-00-24).txt

Scan type: Quick Scan

Objects scanned: 127023

Time elapsed: 5 minute(s), 4 second(s)

[Perth2008]

Ooops

I've just noticed two similar threads: http://forums.malwarebytes.org/index.php?showtopic=40406 and

http://forums.malwarebytes.org/index.php?s...37820&st=40

So it's a bit of a widespread problem ... like the last freezing issue.

For the record I forgot to mention I am NOT having trouble with updating MBAM just running it.

Thanks again.

[noknojon]

Hi Perth2008 -

For Most Norton Products

Add exclusion to Auto-Protect and Risk scan

1 Start your Norton 2010 product.

2 In the Computer pane, click Settings.

3 Under Exclusions, next to Scan Exclusions, click Configure.

4 If you want to exclude a file from scan, under Scan Exclusions, click Add.

5 Browse and select the disk drive or folder or file you would like to exclude and click OK.

If you want to include subfolders within the folder, check Include Subfolders.

6 If you want to exclude a file from Auto-Protect, under Auto-Protect Exclusions, click Add.

7 Browse and select the disk drive or folder or file you would like to exclude and click OK.

If you want to include subfolders within the folder, check Include Subfolders.

8 Click Apply > OK

I noticed you also have MSE installed - These 2 programs will not co-exist as running antivirus programs - If you have the paid version of Norton installed then uninstall the MSE program -I will add the items to exclude to the Norton (using the process above)

Exclude Malwarebytes' Anti-Malware's Files and Folders From Other Active Security Programs including any non Windows Firewall:

For Windows XP:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll

C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll

C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

C:\Windows\System32\drivers\mbam.sys

C:\Windows\System32\drivers\mbamswissarmy.sys

Thank You -

EDIT - There was note after the last XP update about one bad item - I believe it has been fixed - Just check Windows updates -

Any other questions please post back

[Perth2008]

Hi noknojon

Thanks for reply.

While waiting I tried a few of the "safe" looking actions suggested in the other two active threads on the freezing issue:

1. I ran CHKDSK which ran for about 3 hours with no adverse messages and PC restarted as normal.
   
2. I then uninstalled MBAM, auto restart, ran mbam-clean.exe, restarted and and then reinstalled MBAM via the latest mbam-setup.exe and updated it.
   
3. MBAM ran for about 30sec before "freezing" again.
   

As far as I know I don't have (as far as I know) a product called "MSE" on my PC (FYI I was refering to Windows/IE security updates in my first post).

I run Norton360 (V2.5.05) and am unaware of any AV conflicts as I have followed the tips here at MBAM as to which products don't clash with each other (as listed in first post).

However as you suggested I have added the various MBAM files and folders to my autoprotect and risk exculsions in Norton360 (although this has NOT been an issue previously with running MBAM) and no MBAM programs are blocked by my Norton360 firewall (again this was not previously an issue). Only mbam.exe appears on my Norton360 firewall settings page as "custom" which I changed to "allow".

Although I would expect that temporarily deactivating the Norton360's AV and firewall while scanning with MBAM should achieve the same result.

MBAM context menu scanning of files and folders is STILL working (or appears to be as report is generated). Puzzling.

MBAM was running fine until about a week ago without AV exclusion or firewall changes.

So in summary I'm still experiencing the freeze problem.

Thanks for your help ... I'll check back ... I guess, based on last year's freeze crisis, that with a few people having similar problems it will be solved soon enough!

[exile360]

Hello Perth2008

Please try the following:

Boot into Safe Mode:

• Restart your computer.
  
• When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with the Windows XP Advanced Options menu.
  
• Select the option for Safe Mode using the arrow keys.
  
• Then press Enter on your keyboard to boot into Safe Mode.
  

You should then be presented with the Windows XP Login screen. Log in to Windows and when it prompts you about Safe Mode and asks if you'd like to continue click Yes.

Once in Safe Mode, try running another scan with Malwarebytes' Anti-Malware to see if it still locks up then reboot your computer and let it start normally.

Please post back to let me know how it went.

Thanks

[Perth2008]

G'day exile360

As they say, deja vu all over again! Could this become an annual "anti-freeze" reunion?

Seriously, I noticed noknojon's comment about a bug in the last Windows updates. Anyway I had a look and noticed a new urgent update, KB977165 (2.7MB), so I downloaded and installed it. After restarting MBAM ran ... though only for 1min 15sec, but longer than previously. Perhaps a coincidence, but perhaps relevant to the programmers?

Now, I did run MBAM Quick Scan in Safe Mode as requested. It ran fine, a bit longer than usual, but no freeze occured, results:

Malwarebytes' Anti-Malware 1.44

Database version: 3765

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

20/02/2010 3:18:24 PM

mbam-log-2010-02-20 (15-18-24).txt

Scan type: Quick Scan

Objects scanned: 125875

Time elapsed: 7 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

So on one hand it's a good result ... no malware!

I tried running it again in "normal" Windows just now and it stopped running after ~8 seconds.

Not sure if the following is relevant but the Microsft error files created when I exit MBAM includes this manifest.txt file:

Server=watson.microsoft.com

UI LCID=1033

Flags=1672016

Brand=WINDOWS

TitleName=Malwarebytes' Anti-Malware

DigPidRegPath=HKLM\Software\Microsoft\Windows NT\CurrentVersion\DigitalProductId

ErrorText=The program is not responding.

HeaderText=You chose to end the nonresponsive program, Malwarebytes' Anti-Malware.

EventLogSource=Application Hang

Stage1URL=

Stage1URL=/StageOne/mbam_exe/1_44_0_0/hungapp/0_0_0_0/00000000.htm

Stage2URL=

Stage2URL=/dw/stagetwo.asp?szAppName=mbam.exe&szAppVer=1.44.0.0&szModName=hungapp&szModVer=0.0.0.0&offset=00000000

DataFiles=C:\DOCUME~1\Frank\LOCALS~1\Temp\WERec01.dir00\mbam.exe.mdmp|C:\DOCUME~1\Frank\LOCALS~1\Temp\WERec01.dir00\appcompat.txt

Heap=C:\DOCUME~1\Frank\LOCALS~1\Temp\WERec01.dir00\mbam.exe.hdmp

ErrorSubPath=mbam.exe\1.44.0.0\hungapp\0.0.0.0\00000000

DirectoryDelete=C:\DOCUME~1\Frank\LOCALS~1\Temp\WERec01.dir00

Does this assist? I made a duplicate of the directory before it was sent to Microsoft, these include:

appcompat.txt 14kB

manifest.txt 2kB (above)

mbam.exe.hdmp 42,374kB

mbam.exe.mdmp 57kB

Would any of these files assist? I've only got a 60kB/s internet connection so sending the 42.3MB file would be a no go.

Good to see you're still around exile360!

[exile360]

Thank you Perth2008, that's very helpful indeed . I'm going to send you a PM with further instructions.

[noknojon]

Just a quick one - Turn them inti Zip files - Uses less - There is an italics function at the top of the answer panel (helps when you forget to close with

Sorry for toe stepping Exile

EDIT - Sorry it was a quick read and I misread Windows Malicious Software Removal Tool as Microsoft Securiyy Essentials -

[Perth2008]

Hi exile360

Thanks for the PM ... all seemed a bit drastic

Anyway I followed the instructions and my PC (so far) seems to have survived!

Alas MBAM QUick Scan still freezes after 20 or 30 seconds on "Normal"; I haven't tried it on "Safe Mode" since but presumably that would still work as above.

I'm assuming I should keep the ERUNT program installed just in case I notice something unusual (I have the usual Office suite and lots of PC games installed)?

FYI, I do run CCleaner regularly to clear/clean the various temp files and registry.

My PC's been running fine of late with other programs running as usual. So I'm assuming its either something new added to the recent MBAM updates or to Windows by Microsoft.

Just for the record, the only new program I've added recently was Steam, which came with the Velvet Assassin PC game, but I installed this a few days before MBAM started freezing.

Anyway ... let's keep trying.

Hi noknojon

Well I did zip the files ... it comes to 9.3MB which is close to my allotment of 9.5MB.

If you guys need it I can send it ... let me know!

Thanks to you both ...

[exile360]

Hello again Perth2008

We shouldn't need all of the dumps but I would like the mbam.exe.mdmp 57kB if you wouldn't mind uploading it (zip/rar it first to save yourself some bandwidth).

I will also be sending you some further instructions on something else to try shortly, and yes, keep ERUNT and the backups intact as they may come in handy. It's a great tool anyway, especially if you ever start digging in the registry as I often do .

Thanks

[Perth2008]

Good evening exile360!

OK, I tried the latest instructions. Alas MBAM still freezing after 10-20 seconds (even with Norton360 disabled).

I'm attching two zip files #1 is the mbam.exe.mdmp saved before trying the various registry fixes and #2 is one made on the last freeze after running ResetDefaultPerms.

Also attached is a Norton360 diagnostic report (made just now) and a HijackThis (made just now) ... in case any clues are therein.

By the way, do I need to undo ResetDefaultPerms or any of the other things if/when the MBAM freeze issue is resolved?

Knowing you guys, I'm assuming none of this stuff is harmful to my PC.

Off to watch some Winter Olympics on TV ... I'll check back now and then.

Thanks.

[exile360]

Thanks for all the logs. I'll let the developers know you posted them so they can take a look and hopefully figure this out .

As for ResetDefaultPerms, no, it actually does what its name implies, it resets permissions to their defaults (ie what they should have already been before you ran it), it was just an idea that perhaps corrupt permissions could have been preventing MBAM scans from completing by it getting blocked from scanning part of the registry. Since the issue remains the same, it's clear that isn't the case, but at least that's one more possibility eliminated which helps us figure out what is causing it .

[Perth2008]

Hi exile360

No problem ... thanks for clarifying.

As always happy to assist! Perhaps there's some clues in how the apparently similar(?) problem was solved a year ago.

I'll sign off now and check back tomorrow morning (Perth time).

Thanks to both you and noknojon for your help. Fingers crossed on a solution ... I feel safer when MBAM is working!

Cheers

[exile360]

Well, with the new version on the horizon I'm sure they'll have this fixed quickly as long as we can track down the cause.

Thank you so much for helping us try some stuff and diagnose it .

[Perth2008]

G'day exile360

I noticed the new(er) thread here: http://forums.malwarebytes.org/index.php?showtopic=40920 in which you ask: "For confirmation, if you open Malwarebytes' Anti-Malware and click the Settings tab and uncheck Always scan registry objects., is the scan then able to complete or does it still freeze?"

I can confirm that for me at least if Always scan registry objects is unchecked then MBAM does complete the Quick Scan.

Perhaps a step closer to the solution.

Malwarebytes' Anti-Malware 1.44

Database version: 3769

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

21/02/2010 5:45:29 PM

mbam-log-2010-02-21 (17-45-29).txt

Scan type: Quick Scan

Objects scanned: 109540

Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Cheers

[exile360]

Good, it seems you're suffering precisely the same symptoms then . That will help with diagnosis.

I've got another task for you if you're willing:

Create a ProcessMonitor Log:

• Please download ProcessMonitor from here and save it to your desktop
  
• Double-click on Procmon.exe to run it
  
• Open Malwarebytes' Anti-Malware and click on the Settings tab and make sure that Always scan registry opjects. is checked
  
• In Process Monitor, click on File at the top and select Backing Files...
  
• Click the circle to the left of Use file named: and click the ... button
  
• Browse to your desktop and type MBAM Log in the File name: box and click Save
  
• Now open Process Monitor again and click on Filter at the top and select Filter... from the list
  
• Click on the first drop-down menu that says Architecture and select Process Name then click the third drop-down menu which should be blank and select mbam.exe
  
• Click the Add button then click Apply and click OK
  
• Start a scan with Malwarebytes' Anti-Malware and when it freezes, try closing MBAM by ending its process in Task Manager or by whatever means you used previously to terminate it.
  
• Now, right-click on the MBAM Log file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  
• Attach the MBAM Log.zip file you just created to your next reply.
  

[Perth2008]

Hi exile360

I've tried multiple times to get this working ... what happens is after:

[exile360]

No problem, I'll play around with it some more and see if I can refine my instructions a bit. To remove the saved reg settings for Process Monitor please do the following:

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please download ERUNT from here
  
• ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  
• Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  
• Use the default install settings but say NO to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  
• Choose a location for the backup.
  
  • Note: the default location is C:\Windows\ERDNT which is acceptable.
    

  [*]Make sure that at least the first two check boxes are selected.

  [*]Click on OK

  [*]Then click on YES to create the folder.

Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Once your backup is created, do the following:

Create a Reg File:

• Please copy and paste the following text exactly as written into notepad (not wordpad or any other text editor):
  

  Windows Registry Editor Version 5.00
  
  [-HKEY_CURRENT_USER\Software\Sysinternals\Process Monitor]

  Press Enter twice on your keyboard to insert 2 blank lines at the bottom of the text file
  

• Once you've done that click on File and select Save As...
  
• In the Save dialogue box click on the drop down menu next to Save as type and select All Files
  
• Name the file ProcmonRem.reg (the .reg extension is very important)
  
• Save the file to your desktop and double click it to run it.
  

That will remove the settings for Procmon so that it will simply run with default settings in the future.

[exile360]

Please refresh the page, the instructions I posted should now be accurate. I apologize for the error, I had difficulty getting Procmon to function normally the first time I ran it and so I had to repeat it a few times, which changed the steps that needed to be done.

[Perth2008]

Hi exile360

Wow this is fun

Tried it again as per your revised, more comprehensive, instructions used the various menu options to clear stop logging, clear previous data and start logging before starting MBAM again ... problem is even the output mbam specific zipped file is 28MB. The unzipped version is 10x the size!

Plus another file was created as well, MBAM Log-1.PML it is only 3.66MB so that is what is attached ... assuming the files are sequentially created it may have the answer to what stops MBAM running.

What I can say is that the MBAM Log-1.PML file states (in footer) 510,792 or 890,008 events (57%).

Hopefully the attached helps ... my attachments quota is now down to 4.09MB ... hopefully you can have it reset incase you need more logs, etc in the future.

Finally, I note this is a sysinternals program ... I know SecuROM, which is the DRM on most of my PC games, does not like the same company's Process Explorer product (OK if not running) ... but just in case I have problems how do I get rid of ProcessMonitor ... just delete the exe?

Back at work tomorrow so won't be able to assist till evening PM here.

[exile360]

Hello again

Tried it again as per your revised, more comprehensive, instructions used the various menu options to clear stop logging, clear previous data and start logging before starting MBAM again ... problem is even the output mbam specific zipped file is 28MB. The unzipped version is 10x the size!...Hopefully the attached helps ... my attachments quota is now down to 4.09MB ... hopefully you can have it reset incase you need more logs, etc in the future.

Yes, it creates some very large log files. You can click on My Controls at the top of the page and then go to Manage Your Attachments on the left to delete old attachments that you no longer need. I will most likely require the other log as well.

What I can say is that the MBAM Log-1.PML file states (in footer) 510,792 or 890,008 events (57%).

That's normal, that's just stating that it's only showing that number and percentage of events that are happening, thanks to the fact that we set it to filter out all events unrelated to mbam.exe.

Finally, I note this is a sysinternals program ... I know SecuROM, which is the DRM on most of my PC games, does not like the same company's Process Explorer product (OK if not running) ... but just in case I have problems how do I get rid of ProcessMonitor ... just delete the exe?

To remove the reg entries for Process Monitor, just run the reg file I had you create, it deletes all of its settings, then you can delete the exe. To remove it's driver you can do the following:

• Right-click on My Computer and select Manage
  
• Click on Device Manager on the left
  
• Click View at the top and select Show hidden devices
  
• Expand Non-Plug and Play Drivers and look for an entry called Procmon and if it exists, right-click on it and select Uninstall and click Yes or OK to any confirmation dialogues
  

Back at work tomorrow so won't be able to assist till evening PM here.

No problem . We're grateful for all of the assistance you've given us as well as your patience .

[Perth2008]

Hi exile360

OK, I've run the Process Monitor again ... it created 3 files which I have zipped with approx sizes as below:

MBAM Log 27.9MB

MBAM Log-1 25.5MB

MBAM Log-2 12.5MB

MBAM ran for ~30 seconds using the latest definitions #3774. I didn't shut MBAM down until about 10 seconds after its apparent freeze (just in case).

My problem is while I can download at ~60kB/s my upload speed is only ~15kB/s so it won't travel too fast and I'm not sure I can send all in one go/day.

Also my upload capacity here, while now back to 10MB, is still too small.

Let me know if you still need the files ... I'll keep the zip versions safe ... I noticed you sent PMs to the guys on the other thread with the same/similar freeze problem.

Does the solution appear any closer after the weekend?

Cheers

Frank

[exile360]

Yes, I'll send a PM with info on where to upload them .

Thanks a lot for your help with this

[Perth2008]

No problem! I'm sure if I ever get an infestation of bugs/malware you and the rest of the MBAM team will be their to help!

[exile360]

Of course