Latest Update to 5721 Causes Crash?

[MTField]

I seem to have a problem with the latest update which causes MBAM to crash during a scan.

I've already tried a clean install as per post #2 at http://forums.malwarebytes.org/index.php?showtopic=70872

After installing, MBAM runs fine and performs both Quick and Full scans without a hitch but after it updates to the latest Database Version: 5721 it crashes during both Quick and Full scans.

I've tried 3 separate clean installs today with the same result every time so the error seems repeatable. I've also tried using two different versions of the installer exe file. The first from the download link I received on purchase (as I finally bought the pro version this morning), and the second exe from the link in the above thread which leads to downloads.cnet

Given that MBAM runs fine without the update is this error caused by the latest database? Anyone else with this problem?

FYI

XP Pro SP2 also running ESET NOD32 Antivirus v4.2.71.2 but already added the relevant files to its Exclusions list.

Can someone please advise?

[daledoc1]

Hello and welcome, MTField:

5721 working fine here (but it's Win7, fully patched).

I wonder if this may be related (directly or indirectly) to your VERY outdated Windows OS (stability and security updates ended months ago): http://support.microsoft.com/gp/lifean31

I have seen numerous threads here and at other security forums lately about updating/scanning issues with outdated Windows OS that resolve upon install of the current SP.

I know you said you did a clean install of MBAM, but it might be worth repeating the process AFTER you update Windows XP to SP3.

(FYI it is usually recommended that one uninstall one's AV/FW suite temporarily before updating to SP3, then reinstalling it -- it looks like your AV is also outdated, so this would be a good opportunity to update it, too.)

The instructions you followed for the MBAM reinstall were correct, but here is a slightly more detailed version, JIC it might be helpful:

1) Uninstall MBAM from the Windows control panel;

2) Reboot (very important);

3) Download and run the MBAM cleanup tool, found here: http://www.malwarebytes.org/mbam-clean.exe

4) Reboot;

5) Download a fresh copy of MBAM from here: http://www.malwarebytes.org/mbam-download.php

6) Temporarily disable your AV and install MBAM. Note: You will need to reactivate the program using the license you were sent.

7) Reboot;

8) Set up an program permissions and file exclusions in your AV and firewall, as explained here: http://forums.malwarebytes.org/index.php?showtopic=10138 (Specific instructions depend on the AV software vendor and your computer's OS).

9) Add the program folder(s) for you AV and FW to MBAM's "Ignore List".

I would probably start there, unless or until one of the experts has some other suggestions, such as generating a developer log,

daledoc1

[Mainard]

Hello MTField,

Are you able to perform a scan in safemode with the latest update? (5721 for clarification)

If it still crashes Are you getting an error prompt?

If you could get me a memory dump if it still crashes for you.

To get a memory dump please keep the crash up (please do not close any applications after a crash)

Create a Full Crash Dump using Sysinternals Process Explorer:

• Please download Sysinternals Process Explorer from here and save it to your desktop.
  
• Double-click ProcExp.exe to run it.
  
• Once it starts, find mbam.exe in the process list and right-click on it and hover your mouse over Create Dump and select Create Full Dump...
  
• Save the mbam.dmp file to your desktop and close Process Explorer
  
• Right-click on the mbam.dmp file you just created and hover your mouse over Send To and select Compressed (zipped) Folder
  
• Attach the ZIP file you just created to your next reply if it is small enough. If it isn't then please upload it to RapidShare
  

[MTField]

Thanks for the replies!

@daledoc1

I hear what you're saying about SP3 and while I understand that having the latest updates is perhaps the best policy to ensure that modern software functions correctly, I'm running a P4 3.0GHz Northwood (single core) based PC which though a little outdated by today's standards, still does everything I ask of it and it does it fast too. Fact it only really splutters and spits when I'm working on 300dpi images in Photoshop. Coincidentally, this problem may also lead to me being able to speed up Photoshop too but I'll get to that later. I need the PC to do my work and unfortunately I have no other computer I can use if it ever goes down and little money to replace it at the moment. And as the old saying goes, if it ain't broke, why fix it.

Also, SP3 for XP introduced a myriad of security updates and addition functions which, quite frankly, slow an older PC like mine down quite a bit and I'm far happier allowing 3rd party vendors like ESET, Agnitum and Malwarebyte to supply the security rather than leaving it to Microsoft. I'm sure there's ups and downs to both but I'll save that for another time.

OK, here's what I did regarding the crash.

I added ESET's folder to MBAM's ignore list as per daledoc1's tip - No Joy I'm afraid and the Quick Scan crashed again, however, I did sit and pay attention this time and noticed that the crash occurred in the C:\Windows\fonts\ folder. Strangely, two further Quick Scans completed without error but a fourth one crashed again on a different font.

Made sense at this point to assume the problem's in the fonts folder, so I added the whole folder to the ignore list and re-ran the Quick Scan. This time it ran without error 8 times in a row and completed a full scan without error so I think one or two of the fonts seem to be the cause of the crash.

At this point I read Mainard's response (Thanks Mainard), and booted into safemode.

I removed the fonts folder from the ignore list and ran a Quick Scan - Same error again (with a font file in the fonts folder). And again.

I tried to create the full dump file with Precess Explorer but received the error "Error writing dump file: The system cannot read from the desired device". tried this several times to different locations and drives but no luck. I did manage to get the drwin.exe dump file which was active as a sub-program attached to mbam.exe (in the Process Explorer Window), after MBAM crashed. The file is about 26MB so I can upload to Rapidshare if desire. Please let me know.

Not quite sure what to make of all this.

The fonts that seem to cause a problem only do so for the 5721 database update but not for the pre-updated version. Has something new being added?

The fonts in question (ST Gothic.ttf, tahoma.ttf, ST Rundschriff.ttf, Starbb_ .ttf and probably a few others too), could well be corrupted in some way as a few of them we're missing from an image I was working on in Photoshop which warned me on opening to update fonts, even though I hadn't removed them. Given that Photoshop scans the contents of the fonts folder on opening and while working on images at certain times, the corrupted fonts could also be slowing it down. But I digress...

Did something just change with the latest update regarding the way fonts are scanned? Anyone have any insight?

Let me also add that this is a mighty fine program and having been a freeloader with MBAM for a number of years I'm please to finally be a proud owner of the Pro version. It does exactly what it says on the tin so hat's off to everyone involved.

[Mainard]

Hello again,

If you could please send that dump file over that would be greatly appreciated.

If you could please, go to your fonts folder and right click and do a scan using MBAM. (context menu scan)

if It crashes again, could you please make a copy of your fonts folder, zip it up. and attach it in your next reply?

Just so I am on page with what you have done:

• You ran MBAMClean.exe
  
• Installed a Fresh MBAM (did not update) Ran a Quick Scan (all is well)
  
• Updated MBAM, Ran a Quick Scan (Boom Crash)
  

IF that is accurate please let me know.

Thank you very much!

[MTField]

Hello and thanks for your support.

You're on the same page but I need to make a correction after further testing.

I reinstalled the original version again, (after uninstalling, rebooting, cleaning, rebooting) without the update and ran some more tests.

MBAM Database 5363 (without the latest update), also crashes on the fonts folder during a Quick Scan. The crash seems random and it will sometimes complete the Quick Scan then crash, then complete two more scans then crash...

Strangely though, using the context menu ie. Right clicking on the fonts folder and selecting "Scan with Malwarebyte's Antimalware" always completes the scan without error! When I say always, I ran 9 quick scans this way and it completed each one without crashing.

It seems I was wrong to think the crash was caused by the update to database 5721 but I've no idea why MBAM is completing a context menu scan but failing the Quick and Full scans on the same folder.

I've uploaded the dwwin full crash report file to Dropbox

File name: dwwin.zip

Size: 9.88MB

http://db.tt/QQF44tu

In zipping up the fonts folder I noticed some discrepancies.

Windows properties reports the folder contents as 819 files but looking inside only 689 fonts are visible. I guess some of the OEM Windows fonts may be hidden from view? Some of the fonts do have the hidden attribute and some are marked as read only. Also one of the fonts is 22MB in size and a series of others seems to be rather large for simple fonts. I think it needs a proper sort-out but I'll send it to you anyway "as is" to help troubleshoot. NOD32 scans the contents as clean but something's definitely not right.

The fonts folder is also in Dropbox

File name: Fonts.zip

Size: 99MB

http://db.tt/AGS8s1D

Again, thanks for your support.

[Mainard]

Hello MTField!

Thank you for the files.

Please do one more attempt of scanning with (Heuristics Shuriken Disabled)

1. Click on Settings
   
2. Click on Scanner Settings
   
3. Uncheck Enable advanced heuristics engine (Heuristics Shuriken)
   
4. Run a Quick Scan
   

Then we will move into using procMon to see where exactly it is crashing.

Thank you!

[MTField]

Hello.

Unchecked Enable advanced heuristics engine (Heuristics Shuriken)

Ran 10 Quick Scans

Completed 6

Crashed 4 (All crashes on different "currently scanning" files in the fonts folder)

Out of curiosity I also

Unchecked Scan additional items against heuristics

Ran 10 Quick Scans

Completed 2

Crashed 8 (As above, each crash reports a different font file in the fonts folder)

[shadowwar]

Just something to add..

Have you run a manufacturers diag on your hard drive to rule that out? Especially if you had problems loading the font files in photoshop.

Cheers.

[MTField]

Good point shadowwar

Just ran Western Digital's Diagnostic program

No errors.

Tried HDD Sentinel Pro too and it reports

"The hard disk status is PERFECT. Problematic or weak sectors were not found and there are no spin up or data transfer errors. No actions needed."

The drive's getting a bit long in the tooth though

Power on time is 1434 days , 2 hours which is almost 4 years of being on.

Thank for your input.

[Mainard]

Hello MTField

Let's Create a process Monitor log.

Create a Process Monitor Log:

• Create a new folder on your desktop called Logs
  
• Please download Process Monitor from here and save it to your desktop
  
• Double-click on Procmon.exe to run it
  
• In Process Monitor, click on File at the top and select Backing Files...
  
• Click the circle to the left of Use file named: and click the ... button
  
• Browse to the Logs folder you just created and type MBAM Log in the File name: box and click Save
  
• Exit Process Monitor and open it again so that it starts creating the logs
  
• Re-Create the issue.
  
• Close Process Monitor
  
• Right-click on the Logs folder on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  
• Please attach the Logs.zip file you just created to your next reply
  

Thank you!

[MTField]

Hello Mainard. Thanks for your continued support on this.

The zipped Process Monitor Logs were too large to attached here so I've uploaded to Dropbox

File name: MBAM Log.zip

Size: 87.92MB

http://db.tt/e9fB4fS

The zip file contains two sets of log files from two separate Quick Scan runs using MBAM's 5363 database on default settings.

Run 1:

MBAM crashed on a font file

CRASH-MBAM Log.PML

CRASH-MBAM Log-1.PML

Run 2:

MBAM finished the Quick Scan without crashing on a font file

NO-CRASH-MBAM Log.PML

NO-CRASH-MBAM Log-1.PML

As I mentioned already, I'm pretty sure that the fault is mine and not MBAM's and that the problem lies with certain fonts within my font folder rather than with the program code. I'm curious though why the crash only occurs sometimes and not all the time and also why the "currently scanning" item details a different font on each crash and not the same font. I guess several fonts could be causing a problem?!

If your require anything else then please let me know and thanks again!

[Mainard]

Hello MTField,

While I send over all these data over for the developers to take a look at, I would like to know if you add your fonts folder to MBAM's ignore can you run a scan?

Thank you.

[MTField]

Hello Mainard.

You are correct. When the Fonts folder is added to the ignore list, scans complete without crashes.

Thanks again for help!

[Mainard]

Hello MTField,

Can you please copy your fonts folder to the desktop for me? Then Drag the fonts folder back into C:\Windows (This will prompt to override) Please have it override. (it's a copy so nothing will be missing)

Please let me know if you are then able to perform a quick scan. (Removing the ignore)

Thank you!

[MTField]

Hello Mainard,

I've copied the Fonts folder to the Desktop, however, when I attempt to copy it back to the Windows folder I get the error

"Cannot copy arial: The requested operation cannot be performed on a file with a user-mapped section open."

Removing the offending font from the desktop folder and attempting to copy the Folder back into Windows I get the same error on a different font

"Cannot copy arialbd.ttf: The requested operation cannot be performed on a file with a user-mapped section open."

Removing and copying again I get

"Cannot copy cour: The requested operation cannot be performed on a file with a user-mapped section open."

then

"Cannot copy marlett: The requested operation cannot be performed on a file with a user-mapped section open."

then

"Cannot copy micross: The requested operation cannot be performed on a file with a user-mapped section open."

then

"Cannot copy tahoma: The requested operation cannot be performed on a file with a user-mapped section open."

and finally

"Cannot copy times: The requested operation cannot be performed on a file with a user-mapped section open."

All the other fonts are copied back normally.

Can you advise what a "user-mapped" section is and why it would be open? Is some other program or process "hooked into" these font files? Do the offending files contain more that just fonts? Should I be concerned?

Again, thanks for your continued support on this. I'm much obliged!

[Mainard]

You clicked through the prompts correct? If so are you able to perform a quick scan?

If not, Create a folder on the desktop named Files. Then please move the fonts:

• C:\Windows\Fonts\Trekcon4.fon
  
• C:\Windows\Fonts\Trend__.ttf
  

Into the folder you created on the desktop.

Then perform a quick scan.

Please let me know what you perform and the result.

Thank you!

[MTField]

I removed the two fonts above.

Both Quick and Full scans now complete without MBAM crashing.

Do you know what the problem is with these fonts?

Thanks again!

[Mainard]

Great news! Glad to hear no more crashing.

What occurs if you were to put those fonts back into the folder? (This usually means installing the font)

What can cause the issue? The installation is corrupting the font file or the file is being written to a corrupt sector on your HDD (potential possibility)

Thank you!

[burf]

I recently updated my databases, and have the same problem (on XP SP3).

I don't have those fonts that caused the issue, with MT. My HD is new, on a pretty new install of XP. I had already added the Fonts folder to my ignore list, and all scans completed successfully. I also checked the Fonts folder for corrupt fonts, using a Font Manager, and everything came up OK.

When I dragged the Fonts folder back to Windows, the only error I received, was that it couldn't copy "arial.ttf", because the file existed, and I should rename it.

After, I did a quick scan again, and MB crashed again.

How would I figure out what fonts may be causing this?

If need be, is there a way to just reinstall the default fonts?

By the way, this never happened until recently, and I usually do a scan every few weeks.

Any help appreciated... Thanks!

[MTField]

A huge thank you to you Grant!

I checked the drive for bad sectors and there are none.

Copying back the problem fonts into the font folder causes MBAM to crash again during both Quick and Full scans. Removing them, as above, remedies the problem.

As you suggested, I reinstalled the original copies of the problem fonts and both scans now work without error so I think you're correct to say that these fonts were somehow corrupted during the initial installation. As a bonus, Photoshop CS3 now seems a little quicker too. I assume it was also stumbling as it read the contents of the fonts folder during start-up.

I am curious though as to why a corrupted installation of a font would cause MBAM to stumble in a seemingly random fashion, sometimes completing a scan without error, sometimes not.

Thanks for your committed support!

All the best

Max

PS. Maybe the title of my original thread should be changed to "Font Problem" or maybe "Font Problem" could be appended to the original title to aid future MBAM'ers?

[Mainard]

Hello MTField!

I am glad that reinstalling those fonts fixed the issue. As for the reason it seems random there are a myriad of different potential causes. Since it was a corrupted install (I was able to replicate it on my Fresh XP system) sometimes MBAM was able to handle the corrupted file and other times it hung which causes the crash.

@Burf Hello Burf! Please create a new topic detailing your issues. Please include within that topic the specifics of the issue as well as whether you MBAM Pro or Free. Also, any AV software you have installed.

Thank you!