rmgalley

Hi, Any update? Have you been able to verify this behavior?

This is an update of the topic https://forums.malwarebytes.org/index.php?showtopic=145113 from last week. The scan freezing problem has been found to be related to my choice of custom location for my User Account files and folders. I have been following the advice at http://www.sevenforums.com/tutorials/87555-user-profile-change-default-location.html. Using this tutorial I selected 'OPTION TWO - For all New User Accounts' (half way down the page) to directly create a User Account on my E:\ drive. This was on a fresh install of Win7 64-bit as normal on C:\ drive. If I set 'ProfileDirectory' in 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList' to 'E:\' instead of the default '%SystemDrive%\Users', in order to create UserProfile files and folders on my E:\ drive, MBAM2 misbehaves. However once a UserProfile has thus been created on E:\ drive, for MBAM2 to behave correctly, I have to change 'ProfileDirectory' in 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList back to '%SystemDrive%\Users', followed by a reboot for scans to run without freezing. I've tried creating various temporary new UserAccounts both on C:\ and E:\ drives. On all occasions, if I leave the Registry setting such as to allow the creation of future UserAccounts on E:\ drive, the Threat Scans freeze. If, having created a UserAccount on E:\ drive I revert 'ProfileDirectory' back to'%SystemDrive%\Users', MBAM2 behaves correctly. The workaround for this freezing problem is specifically: once a User Account has been created at the location of your choice you have to revert the location of any future, or further, User Accounts back to the Microsoft default otherwise MBAM2 will freeze on a Threat Scan or Hyperscan.

Many thanks Ron. I think I'll go ahead with the 64-bit version and check whether the problem occurs after a standard clean install, and again after I've configured Win7 to my personal liking. It might be a while but I'll report back my findings. Strange about the nVidia driver crash as I don't remember this occuring and the current Win7 32-bit installation is only 3 weeks old and has been very stable.

John L. Galt - in Detection Options 'Scan for rootkits' is not ticked. I temporarily disabled Heuristic scanning and 'within archives' but it made no difference.

Firstly thank you AdvancedSetup for the quick and detailed reply. I have carried out your checklist carefully but the issue remains. Currently I have a Threat Scan started which became frozen after about 2 minutes, 55384 objects and static on C:\hiberfil.sys. Screenshots and repeat diagnostic files are attached, only this time created while the scan is still in progress. ChkDsk didn't find any problems. Java was uninstalled and JavaRa run. I don't think that JavaRa or TFC cleaned out very much and I didn't need to restart the computer. I repeated the MBAM Clean Removal Process before reinstalling. I was careful to shut down all other applications, Windows Firewall and set Avast Shields Control to disabled during both uninstall and reinstall. I've had a look for any other MBAM log files and one I found is attached, but I don't think it is relevant. Any other ideas? I'm about to install a 64-bit version of Win7 on this PC so I could check if I have the same issue with that. I'll be taking disk images of the 32-bit installation so I can revert back at any time - but that will be for tomorrow now. Best wishes and thank you for your help. JavaRa-28-03-2014.log Addition 28_03_14.txt CheckResults 28_03_14.txt FRST 28_03_14.txt protection-log-2014-03-28.xml

A new install of MBAM2. It freezes when performing the first Threat Scan and never finishes. I can't cancel the scan, the GUI becomes unresponsive and I have to force Windows7 SP1 32-bit to close the program down. The freeze occurs when 'File system Objects:' are being scanned, and after the total objects scanned has reached about 56448. The freeze occurs when any of objects 'C:\autoexec.bat' or 'C:\pagefile.sys' or 'C:\ hiberfil.sys' or 'C:\$Recycle.Bin\S-1-5-21- ...... -1000\desktop.ini' are being scanned about 2 minutes into the scan. On one occasion I left the scan running and it was still frozen, but consuming CPU cycles, over 5 hours later. I have tried disabling 'scan inside archives' and' 'heuristics' without any improvement. I tried uninstalling using dedicated uninstaller 2.0.2.0 and was surprised after rebooting my Registration Details did not need to be re-entered. Subsequently I found the HKLM\Software\Malwarebytes entry had not been deleted by the uninstaller so this did an incomplete job. I've tried all these uninstall and reinstall operations with Avast antivirus disabled. As others have been requested to attach diagnostic files I created these yesterday evening and they are attached. Also screenshots of the frozen program. Any idea from this information what is going on here? In the meantime I'm back to 1.75.0.1300. Any help would be much appreciated. FRST.txt Addition.txt CheckResults.txt

Hi Dave, I can confirm the procedure you have found works. Thank you very much for that. However I would describe it as a workaround rather than a fix. Whenever an image is mounted in read/write mode it creates a supplementary .tib file in anticipation of the changes it expects to be made. These aren't large in size when no changes have been made but it is an irritation to have to keep deleting them. This discovery should however offer a better insight into what happened with the introduction of Malwarebytes v1.45 and facilitate a true fix. I would never normally open an Acronis archive in read/write mode and yesterday was the first time I ever did.

I have found that once Protection Mode has been enabled once - that's it - Acronis will not mount images again. It doesn't matter even if you go into Safe Mode and choose 'Do not start with Windows'. You can untick all the boxes to deselect Protection but it is like a one way process. I have found the only way to have Acronis working again correctly is to uninstall Malwarebytes (and not enable Protection).

Acronis True Image Home 10 was last updated March 2007 (Build 4942). Home 2009 was available in about January 2009 and Home 2010 was in about November 2009. Home 2011 became available in September this year and is available for download as a trial. The versions of Acronis TI Home known to be susceptible are 10, 2009, (in all likelihood 2010) and certainly 2011. The current 'Pro' version is now called 'Backup and Recovery 10'.

This evening I did a fresh install of Windows XP Pro SP3 having backed up my recently installed version (of last week) with ATIH 10 (and also Macrium Reflect). As two of my HDDs are Western Digital I was able to install on this evenings installation the WD version which is based on ATIH 2009. I was working off-line with no firewall other than the MS Windows one. I had no anti-virus installed and, apart from ATIH 2009(WD), I had only installed Malwarebytes v1.44 - there was no other security software installed. With this version there were no conflicts with Acronis. I went through the Malwarebytes uninstall process, rebooting and then used their dedicated uninstall tool and rebooted again. Then I installed Malwarebytes v1.45 (not the latest version). Once again, with this version, the conflict with the Acronis mounting process was back freezing the PC. So we now know the conflict occurs with Malwarebytes v1.45 onwards with 'Protection' mode activated. Once 'Protection' has been activated it is not possible to deactivate such that Acronis works again correctly. The versions of Acronis now known to be susceptible are 10, 2009, probably 2010 and certainly 2011. As this was a fresh install of Windows the reports that not everyone is affected may mean there is a hardware element to the problem. In my case MSI K8N Neo 4 Platinum motherboard (MS-7125 1.0), AMD Athlon 64 x2 4800+ processor (2.4GHz), 3.00 GB RAM, 2 x 1 TB Samsung HDDs and 2 x 1 TB Western Digital HDDs.

OK, some information about my system exhibiting the problem. MSI K8N Neo 4 Platinum motherboard (MS-7125 1.0) AMD Athlon 64 x" 4800+ processor (2.4GHz) 3.00 GB RAM Security software installed Avira AntiVir Premium Malwarebytes' Anti-Malware Spybot S & D SpywareBlaster SUPERAntispyware Windows Defender Anvir Task Manager Currently only using the MS Windows Firewall (PC Tools Firewall Plus uninstalled during this investigation)

Thanks noknojon, I am now back with Acronis TI Home 10 having uninstalled the Home 2011 trial. I have carried out the procedure you suggest to the letter with my Avira Antivir Premium disabled on all three counts (Guard, Mailguard, Webguard). I didn't really expect the anti-virus was responsible as, at an early stage in my investigation while I was off-line, it was uninstalled. The only potential flag during the first Quick Scan was a registry reference 'HijackControlPanelStyle' which related to my choice of classic control panel. The problem occurs with Acronis when attempting to mount an image at the point where, at the 'Operation 1 of 1 - Assigning Logical Drive Letter', the 'Proceed' button is pressed. Now 'Perdido Beach' on the Acronis forum (http://forum.acronis.com/forum/15002#comment-45123) has discovered the exact same as myself using Acronis TI Home 2011. As discovered earlier today, Malwarebytes v 1.44 does not exhibit the problem so it has only been around for about the past 6 months.

Well, since my last post I have checked out Macrium Reflect and the trial version of Acronis TI Home 2011 for conflicts with Malwarebytes with 'Protection' enabled. There were no conflicts with Macrium but there were with Acronis TI Home 2011. With Acronis, when attempting to mount an image, I discovered the freeze begins when 'Assigning letters to partitions appears'. This message hangs for about 1 minute before 'confirmation of success' appears. However, this time I had the 'My Computer' window open and the mounted partition did not appear at any point despite the success message. I also became aware that, from thereon if I attempted to open any folder, the hourglass would appear for about a second, then disappear without the request being actioned. This includes the 'Start' button to shut down the PC. However already opened windows could be closed with the exception of the Acronis UI. Not everyone is suffering this problem but it is strange as it is happening with me with a fresh install of Windows XP Pro SP3.