'Freezing' during rootkit scan

[Argante]

Hello

 

I have recently upgraded to the new version of Malwarebytes and yesterday ran a rootkit scan.  When it reached Windows/web/wallpaper/scenes/img29jpeg it seemed to freeze, although the 'progress' blue line continued to run and the blue arrows continued to turn.  I tried again later and the same thing happened but this time it froze on scenes/img24/jpeg.  Tried again today and it happened again but this time on img28jpeg.

 

On a normal scan without the rootkit box checked everything was fine.

 

Does anyone have any idea what is happening?

 

Thanks for any advice/help

[John L. Galt]

Let it keep running - it appears to be not doing anything but in fact it is.

 

This issue of appearing to freeze is currently being worked on, and should be fixed in a future update.

[Argante]

I will let it run, then.   I had thought that it was something a bit 'dodgy' and was a bit worried about it.

 

Thank you very much for replying to me

[John L. Galt]

Actually, it is a bit dodgy, in the sense that it should not be happening, but it is one of a few issues that is currently being addressed.  In future builds this should not be an issue.

[daledoc1]

@Argante:

 

In addition to JLG's expert advice:  is your hard drive encrypted, by any chance?

The only drive encryption currently supported by MBAM 2.x ARK (anti-rootkit) is TrueCrypt -- see "Program Information", Item #5 here.

If you use BitLocker, SecureDoc, or other encryption software,  ARK could error-out, stall/hang, or provide misleading results.

So you'll need to disable ARK scanning.

 

I'll turn you back over to JLG and the other staff and experts.

 

Cheers,

 

daledoc1

[Argante]

Thank you, JLG and Daledoc1.  I let the scanner run as advised and, although it took a while, it did complete the scan and all was well.

[AdvancedSetup]

The latest version (not released to the public just yet) is scanning faster.

Can you please post the results of your scan

Thanks

[Argante]

Not sure if I have done this correctly but here goes:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 19/04/2014
Scan Time: 22:24:42
Logfile: log.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.19.08
Rootkit Database: v2014.03.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Ming

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 332014
Time Elapsed: 2 hr, 45 min, 16 sec

Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Disabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

[AdvancedSetup]

I would agree that is a very long time for the small amount of files scanned. We do have about 3 updates since your version (not available to the public yet) that the scanning engine is now much faster.

Hopefully that will be released soon and if you can please run that version once it is available and let us know if that corrects the issue for you.

If you can read the following and post back the requested logs we might be able to find out why it does take so long on the current version as well.

 

Diagnostic Logs

 

Thanks

 

 

[fivealive]

I had the same issue with that file on my computer with the root kit scan, I found it on it was having troubles scanning that file, considering it's small size and it's only thing in the folder.

In top of that I couldn't stop the scanner well it was trying to scan that file,

[Argante]

Thank you. 

 

FRST.txtAddition.txtCheckResults.txt

[Argante]

Five alive - I didn't try to stop the scan so don't know whether I would be able to or not

[AdvancedSetup]

Please try installing the latest beta 2.0.2 and restart the computer even though not asked.  Then try the scan again and let us know if that  helps or not.

 

https://forums.malwarebytes.org/index.php?showtopic=147144

 

Thanks

[Argante]

I have installed the new version and ran a custom scan (with all boxes ticked).  It did seem faster and I monitored its progress to see if it lingered on the wallpaper jpeg files again.  It did (on web\wallpaper\windows\img0.jpeg) but only for about 15 minutes instead of the hour that it took previously.  Although it seemed to scan faster with this version I was surprised to see that the whole scan took longer to complete than before, although there were a lot more files in the scan results log.   The scan did seem to take quite a while to complete the 'heuristic analysis' section.

 

I will give it another go tomorrow and let you know what happens

 

Thanks again for your help

[AdvancedSetup]

Please post the results of your log.  History, Application Logs.

 

Then after that, Please try the following.

Please run a Full Disk Check on your system drive. If needed here are some links on how to run a Disk Check.

On Windows 7 the disk check log is in the Event Logs under Application with a heading source of Wininit

How to Run Disk Check in Windows 7

How to Run Check Disk at Startup in Vista or Windows 7

How to Read the Event Viewer Log for Check Disk (chkdsk) in Vista, Windows 7, and Windows 8
 
Once completed please copy and paste the results of the disk check from your Event Logs.
 
 
Then run the following and RESTART the computer.
 
Please Run TFC by OldTimer to clear temporary files:

• Download TFC from here and save it to your desktop.
• http://oldtimer.geekstogo.com/TFC.exe
• Close any open programs and Internet browsers.
• Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
• Please be patient as clearing out temp files may take a while.
• Once it completes you may be prompted to restart your computer, please do so.
• Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

 

Then try running the MBAM scan again and from the History, Applications Log post back the new log.

 

[Argante]

Advanced Setup - your advice and recommendations have done the trick!  I have attached 'before and after' scan results and also the wininit log.  After carrying out instructions the custom scan (including archive and rootkit scan) was faster by almost two hours.

 

Before

 

log.txt  wininit1.txt

 

and After

 

log2.txt

 

 

Thank you very much for your time and help.  I am happy

[AdvancedSetup]

Great, glad that was able to resolve your issues. 

 

Take care

[gulliver]

The beta release now works fine. I really don't understand the reason why Mbam released an official new 2.0 version so bad. The 1.75 was perfect. A little more patience would be better....