MBAM (free) quick scan freezes on desktop.ini


Greetings :)

Is this the same system that MBAM has been freezing on since the beta of 1.50? I ask because it's starting to sound like there could be some hardware issue causing this if it's been happening all this time.

Please do the following:

Boot into Safe Mode:

  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with the Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

You should then be presented with the Windows XP Login screen. Log in to Windows and when it prompts you about Safe Mode and asks if you'd like to continue click Yes.

Once in Safe Mode, run a Quick Scan with Malwarebytes' Anti-Malware, then reboot your computer, let it start normally, and post back here to let me know whether it froze in Safe Mode or not.

Thanks :)

Thanks for letting me know, that helps me narrow down what's going on. I don't think you're infected, but I do think there may be an issue with your hard drive.

Please do the following:

Run a Disk Check on your C: drive in Windows XP:

  • Click Start and open My Computer
  • Right-click on C: and select Properties
  • Click on the Tools tab
  • Under Error-checking click the Check Now... button
  • Mark the boxes next to Automatically fix file system errors and Scan for and attempt recovery of bad sectors
  • Click on the Start button
  • When the message box pops up, click the Schedule disk check button and restart your computer
  • Once your computer restarts it will check the drive, don't press any keys so that it is allowed to do so

Once that is done and your system reboots again, go ahead and try another Quick Scan with all the default options enabled and let me know if it still freezes or not.

Thanks :)

OK, please do the following:

Create a Process Monitor Log:

  • Create a new folder on your desktop called Logs
  • Please download Process Monitor from here and save it to your desktop
  • Double-click on Procmon.exe to run it
  • In Process Monitor, click on File at the top and select Backing Files...
  • Click the circle to the left of Use file named: and click the ... button
  • Browse to the Logs folder you just created and type MBAM Log in the File name: box and click Save
  • Open Malwarebytes' Anti-Malware
  • Exit Process Monitor and open it again so that it starts creating the logs
  • Perform a Quick Scan with Malwarebytes' Anti-Malware
  • If you're able to, close Process Monitor; if not, reboot again (assuming your PC is frozen at this point)
  • Once your computer boots again, right-click on the Logs folder on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Please attach the Logs.zip file you just created to your next reply, if it is too large then please upload it to RapidShare and post the link in your next reply so that I can download it.

Thanks :)

Hello again :)

Unfortunately that log is corrupt and there's likely no way to avoid it. I was hoping it would work, but often when the system crashes or freezes, Process Monitor cannot close the log cleanly, so it ends up being corrupted.

Anyway, what I suspect is causing this is some issue with your hard drive, because the scan completes in Safe Mode, and the only difference between Safe Mode and normal mode with regards to MBAM is that in Safe Mode our DDA driver (which is used for scanning for rootkits by doing low-level scanning of the hard drive to find hidden items) doesn't load, but in normal mode it does. In the majority of cases I've seen where the DDA driver had a problem like this, it was either due to some software blocking our driver from working or blocking access to a file or folder, or to actual corrupt sectors on the drive itself; the latter can potentially be an indicator of impending hard drive failure, or it may just be corruption of a file that can be fixed by CHKDSK, but that doesn't always work unfortunately.

Thanks... Is there any setting that'd ask MBAM not to use this "DDA driver" in normal mode, or is this a lost cause?

Unfortunately there is no setting to disable it. I would still like to take a look at an Autoruns log just in case I am able to discover some other piece of software on your system, such as a driver or something, that might be causing this:

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here and save it to your desktop.
    Note: If using Windows Vista or Windows 7 then you also need to do the following:
      1. Right-click on Autoruns.exe and select Properties
      2. Click on the Compatibility tab
      3. Under Privilege Level check the box next to Run this program as an administrator
      4. Click on Apply then click OK
  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures so that it is now checked
  • Click on the Options button again and this time uncheck Hide Windows Entries
  • Once that's done press the F5 key on your keyboard; this will start the scan again, and this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save, save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply

It's a long shot, but worth a look anyway, perhaps I'll be able to spot something.

Thanks :)

Sorry for the belated reply, I have attached the Autoruns.zip. Thanks so much for your help!

AutoRuns.zip

Open Autoruns and once it finishes scanning, click on the Logon tab and uncheck everything listed under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run except for avgnt and reboot your computer.

Once that is done, perform another Quick Scan with Malwarebytes' Anti-Malware to see if it still freezes or not.

If it still freezes, open Autoruns again and let it complete scanning then click on the Logon tab and click the box next to all of the disabled items to enable them again and then do the following:

Uninstall Programs:

  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall the following if found:
      • PC Tools Spyware Doctor

Once that's done, reboot your computer one more time and try another Quick Scan to see if it still freezes.

Please let me know how it goes.

Thanks :)

Hello again :)

Please do the following:

Note: After you do this, much of your hardware and software may not work. This is only temporary, as we will be re-enabling all of your startup items again; this is purely for diagnostic purposes to determine whether it is a hardware or software issue causing the freeze.

Open Autoruns and click on the Services tab then uncheck each of the following:

  • AcPrfMgrSvc
  • AcSvc
  • Apple Mobile Device
  • Bonjour Service
  • FolderSize
  • iPod Service
  • IviRegMgr
  • JavaQuickStarterService
  • Kodak Theatre Service
  • LicCtrlService
  • LMS
  • MySQL
  • Power Manager DBC Service
  • RegSrvc
  • RoxMediaDB10
  • S24EventMonitor
  • SessionLauncher
  • stllssvr
  • SUService
  • TabletServiceWacom
  • ThinkVantage Registry Monitor Service
  • TPHDEXLGSVC
  • TSSCoreService
  • TVT Backup Protection Service
  • TVT Backup Service
  • TVT Scheduler
  • TVT_UpdateMonitor
  • UNS
  • YahooAUService

Click on the Logon tab and uncheck all entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run except for avgnt, and also uncheck Digital Line Detect.lnk under C:\Documents and Settings\All Users\Start Menu\Programs\Startup and Google Update under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

Once that is done, click on the Scheduled Tasks tab and uncheck everything that is not unchecked already (currently you've only got PMTask.job unchecked).

Click on the Drivers tab and uncheck each of the following:

  • ANC
  • catchme (Note: you may actually delete this one if you wish; it's just a leftover reg entry from having run ComboFix previously)
  • DLABMFSM
  • DLABOIOM
  • DLACDBHM
  • DLADResM
  • DLAIFS_M
  • DLAOPIOM
  • DLAPoolM
  • DLARTL_M
  • DLAUDF_M
  • DLAUDFAM
  • DRVMCDB
  • DRVNDDM
  • IBMTPCHK
  • pmem
  • PxHelp20
  • Shockprf
  • sptd
  • TPDIGIMN
  • TPPWRIF
  • TSMAPIP
  • tvtumon

Click on the Explorer tab and uncheck each of the following:

Under HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
  • 7-Zip
  • Notepad++
  • RXDCExtSvr
  • WinRAR

Under HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers
  • HashTab

Under HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
  • 7-Zip
  • WinRAR

Under HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
  • 7-Zip
  • Roxio DragToDisc Shell Extension
  • WinRAR

Under HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
  • FileZilla3CopyHook
  • Roxio DragToDisc Shell Extension

Under HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
  • PDF Shell Extension
  • {04DAAD08-70EF-450E-834A-DCFAF9B48748}
  • {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}

Under HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
  • RXDCExtSvr
  • WinRAR

Under HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers
  • WinRAR

Once that is complete, reboot your PC and let it start normally. Open Malwarebytes' Anti-Malware and try another Quick Scan to see if it freezes or not.

Once that is done, create a fresh Autoruns log (you may delete your previous log if you wish as it is no longer needed) and do the following:

Create a List of Running Services:

  • Please copy and paste the following text exactly as written into notepad (not wordpad or any other text editor):
    @echo off
    net start>"%userprofile%\desktop\services.txt"
    sc query type= service>>"%userprofile%\desktop\services.txt"
    sc query type= driver>>"%userprofile%\desktop\services.txt"
    del /f /q %0

    Once you've done that click on File and select Save As...

  • In the Save dialogue box click on the drop down menu next to Save as type and select All Files
  • Name the file Services.bat (the .bat extension is very important)
  • Save the file to your desktop and double click it to run it.
  • Once it finishes you will find a text file called services.txt on your desktop, right-click on it and hover your mouse over Send to and choose Compressed (zipped) Folder
  • Attach the services.zip file you just created to your next reply

Attach both your fresh Autoruns log and your services log to your next reply and also let me know if the Quick Scan was able to complete or not.

After you've posted, you may open Autoruns and re-enable all of the startup items that I had you disable previously and reboot your computer, allowing it to start normally.
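An added example, not code from the thread: a small Python parser for the services.txt that the batch file above writes, comparing a normal-mode capture with a Safe-Mode capture to list the kernel drivers that are running only in normal mode, which is the difference the helper is trying to narrow down. The sample captures are constructed and trimmed to the fields the parser reads; the service names come from the thread's Autoruns lists and the states are invented.

```python
import re
from typing import Dict, Tuple
# Constructed samples in the layout `sc query type= driver` / `sc query type= service`
# write into services.txt, trimmed to SERVICE_NAME, TYPE and STATE (states invented).
SAMPLE_NORMAL = """\
SERVICE_NAME: PxHelp20
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
SERVICE_NAME: sptd
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
SERVICE_NAME: Apple Mobile Device
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""

SAMPLE_SAFE = """\
SERVICE_NAME: PxHelp20
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
SERVICE_NAME: sptd
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
SERVICE_NAME: Apple Mobile Device
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
"""

def parse_sc_query(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each SERVICE_NAME to (TYPE label, STATE label), e.g. ('KERNEL_DRIVER', 'RUNNING')."""
    fields: Dict[str, Dict[str, str]] = {}
    name = None
    for line in text.splitlines():
        head = re.match(r"SERVICE_NAME:\s*(.+?)\s*$", line)   # service names may contain spaces
        if head:
            name = head.group(1)
            fields[name] = {}
            continue
        kv = re.match(r"\s*(TYPE|STATE)\s*:\s*\w+\s+(\S+)", line)  # "TYPE : 1  KERNEL_DRIVER"
        if kv and name is not None:
            fields[name][kv.group(1)] = kv.group(2)
    return {n: (f.get("TYPE", ""), f.get("STATE", "")) for n, f in fields.items()}

def running_only_in_normal(normal: str, safe: str, kind: str = "KERNEL_DRIVER") -> list:
    """Entries of the given TYPE that are RUNNING in the normal-mode capture but not in Safe Mode."""
    n, s = parse_sc_query(normal), parse_sc_query(safe)
    return sorted(name for name, (typ, state) in n.items()
                  if typ == kind and state == "RUNNING" and s.get(name, ("", ""))[1] != "RUNNING")
```

Run the batch file once in normal mode and once in Safe Mode, rename the two services.txt files, and pass their contents to running_only_in_normal to get the short list of drivers worth disabling one at a time.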

Hello again,

My apologies for that. It was likely disabling one of the drivers that did that. I'm glad you figured out to use Last Known Good Configuration to get it booted. At this point I'm nervous to continue digging into this, as I certainly don't want you to have to go through that again. I still suspect that one of the many non-default startups on your system may be at the root of this, but I can't really see a safe way to determine which one.
