Very high memory usage from mbamservice.exe 200+Mb


#1 AccessIT

Posted 13 August 2013 - 01:50 AM

I have searched high and low on the internet for a solution or at least reason why my mbamservice on two completely different computers is using 200+MB of RAM constantly. This occurs straight after starting and stays around the same even when running for weeks non-stop on a server with the usual scans and updates.

 

Attached are two screen snapshots of the memory usage:

 

1. Is for a Windows 7 x64 machine with 8Gb of RAM

2. Is a Windows 2003 server 32 bit with 4Gb of RAM

 

So this is from two completely different machines and OS versions. Both are running the latest version of MBAM and have been installed with it for a few months (earlier versions obviously). They update successfully and seem to work fine aside from the memory pressure that the service exerts on the system. The only commonality between the machines is that they are also running Microsoft Security Essentials as an Anti-virus.

 

In hunting around I have seen other "solutions" to basically scan for any malware or infections which has been done using all the different tools suggested by each post (including ones on this forum).

 

Any input into how to find out the high memory usage would be appreciated and I don't believe it is anything to do with an infection as the CPU usage on the service is negligible except when it should be.

 

Your help or advice is appreciated as the Windows server has enough memory problems being a 32 bit OS already.

Attached Images

  • MBAM Memory usage WIN7.jpg
  • MBAM Memory usage.jpg


#2 AdvancedSetup

Posted 13 August 2013 - 02:08 AM

Hello and welcome.

Please run the following scanner and post back the logs and we'll see if we can determine what's going on.
 
 
Please create an mbam-check log:

  • Download mbam-check.exe from here and save it to your desktop
  • Double-click on mbam-check.exe to run it, it should then open a log file
  • Please do not copy and paste the entire contents of the log into your next post, instead please attach the log CheckResults.txt file which should now be located on your desktop to your next post

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop
dds.scr
dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt
  • You can ignore the note about zipping the Attach.txt file.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.
 
 
 
Thanks


Ron Lewis
Forum Community Manager



#3 AccessIT

Posted 13 August 2013 - 02:41 AM

Thank you Ron for your quick and detailed reply.

 

I have been through these steps and as there are 2 computers I will do the files in 2 separate messages.

First is the Windows 7 x64 machine.

 

Regards

Noel

#4 AccessIT

Posted 13 August 2013 - 02:49 AM

Here is the second set of files for the Windows 2003 machine, however the dds program won't run under Windows 2003.

Here is the notification I get as a screenshot.

 

DDS wont run on Windows 2003.jpg

 

Thanks Noel


#5 AdvancedSetup

Posted 13 August 2013 - 03:18 AM

Both systems appear to be having multiple issues.

 

The first one appears to be running as a guest on VMware.  In that case I would recommend possibly restoring it to a SnapShot where everything was working well and then update and secure from there.  If there are no snapshots then I'd recommend fixing, cleaning, and updating the current state and then creating a SnapShot with which to restore if needed.

 

Event Logs for Windows 7 computer.

 

==== Event Viewer Messages From Past Week ========
.
8/08/2013 12:05:38 PM, Error: Microsoft-Windows-DistributedCOM [10006]  - DCOM got error "2147944122" from the computer mail.accessit.com.au when attempting to activate the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
8/08/2013 12:02:03 PM, Error: Microsoft-Windows-DistributedCOM [10009]  - DCOM was unable to communicate with the computer mail.accessit.com.au using any of the configured protocols.
7/08/2013 7:47:44 AM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/08/2013 4:43:43 PM, Error: Microsoft-Windows-DistributedCOM [10009]  - DCOM was unable to communicate with the computer 202.60.94.204 using any of the configured protocols.
7/08/2013 12:50:53 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001]  - The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000119 (0x0000000000000001, 0x000000000001b228, 0x000000000001b22a, 0x000000000001b229). A dump was saved in: C:\Windows\Minidump\080713-22557-01.dmp. Report Id: 080713-22557-01.
6/08/2013 6:53:10 AM, Error: Service Control Manager [7022]  - The Windows Media Player Network Sharing Service service hung on starting.
13/08/2013 6:45:18 AM, Error: atapi [11]  - The driver detected a controller error on \Device\Ide\IdePort2.
13/08/2013 6:45:13 AM, Error: Service Control Manager [7024]  - The TurboFTP Sync Service service terminated with service-specific error The operation completed successfully..
13/08/2013 6:44:59 AM, Error: SNMP [1500]  - The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.
13/08/2013 3:20:12 PM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk8\DR8.
13/08/2013 1:24:42 PM, Error: Schannel [36888]  - The following fatal alert was generated: 48. The internal error state is 552.
13/08/2013 1:24:42 PM, Error: Schannel [36882]  - The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
12/08/2013 6:23:57 AM, Error: Service Control Manager [7022]  - The Server service hung on starting.
11/08/2013 4:02:34 PM, Error: Schannel [36888]  - The following fatal alert was generated: 43. The internal error state is 252.
11/08/2013 11:17:28 AM, Error: atapi [11]  - The driver detected a controller error on \Device\Ide\IdePort5.
.
==== End Of File ===========================

 

 

Though the log shows it's the recent version, the files for MBAM show that they are not the latest version.

 

I would recommend doing the following for this system to fix, repair, update MBAM

 

MBAM Clean Removal Process
 

Then probably have someone double check it deeper to ensure it's not infected.

 

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.

Thanks


Ron Lewis
Forum Community Manager
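
The Event Viewer excerpt in the post above is listed in text order rather than time order, and its Schannel entries give TLS alerts only as numbers. The following is an added example, not part of the original thread or of any tool mentioned in it: a short parser (function names are this example's own) that sorts six lines copied from that excerpt chronologically, counts recurring source and event ID pairs, and decodes the Schannel alert numbers using the TLS alert names from RFC 5246.

```python
import re
from collections import Counter
from datetime import datetime

# Six lines copied from the Event Viewer excerpt in the post above.
SAMPLE = r"""
13/08/2013 6:45:18 AM, Error: atapi [11]  - The driver detected a controller error on \Device\Ide\IdePort2.
13/08/2013 3:20:12 PM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk8\DR8.
13/08/2013 1:24:42 PM, Error: Schannel [36888]  - The following fatal alert was generated: 48. The internal error state is 552.
12/08/2013 6:23:57 AM, Error: Service Control Manager [7022]  - The Server service hung on starting.
11/08/2013 4:02:34 PM, Error: Schannel [36888]  - The following fatal alert was generated: 43. The internal error state is 252.
11/08/2013 11:17:28 AM, Error: atapi [11]  - The driver detected a controller error on \Device\Ide\IdePort5.
"""

LINE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), (\w+): (.+?) \[(\d+)\]\s+-\s+(.*)$")
ALERT = re.compile(r"fatal alert was generated: (\d+)")
# TLS alert descriptions (RFC 5246, section 7.2) that Schannel reports by number.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}

def parse_events(text):
    """Return the events as dicts, oldest first; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        stamp, level, source, event_id, message = m.groups()
        # The log is day/month/year with a 12-hour clock, so text order is not time order.
        when = datetime.strptime(stamp, "%d/%m/%Y %I:%M:%S %p")
        events.append({"when": when, "level": level, "source": source,
                       "id": int(event_id), "message": message})
    return sorted(events, key=lambda e: e["when"])

def summarize(events):
    """Count events per (source, event ID) so recurring errors stand out."""
    return Counter((e["source"], e["id"]) for e in events)

def schannel_alerts(events):
    """Return (timestamp, alert number, alert name) for each Schannel fatal alert."""
    out = []
    for e in events:
        m = ALERT.search(e["message"]) if e["source"] == "Schannel" else None
        if m:
            code = int(m.group(1))
            out.append((e["when"].isoformat(), code, TLS_ALERTS.get(code, "unlisted")))
    return out

if __name__ == "__main__":
    evts = parse_events(SAMPLE)
    for (source, eid), n in summarize(evts).most_common():
        print(f"{n:3d}  {source} [{eid}]")
    for row in schannel_alerts(evts):
        print(*row)
```
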



#6 AdvancedSetup

Posted 13 August 2013 - 03:23 AM

Most of the tools for scanning and fixing Windows as related to malware removal do not work on Server 2003 - in most cases servers have dedicated IT Support personnel that can in most cases deal with any type of issues the server may run into.

 

The Server shows it has an invalid path to a Winsock entry which, though not a sure sign, is a sign that it could be infected and needs to be repaired.

Also, MBAM is not fully supported on Server 2003 due to some issues with the Web blocker on some mixes of hardware and drivers.  As long as the Web blocker is working on the system then your hardware and drivers may not be the ones affected.

 

So, this computer too should be looked at to ensure that it is not infected.

 

We do not work on infection detection and removal in this sub-forum so you'd need to post in the link provided above. 

Please be warned that many helpers will not assist you if working on a Server - though some will.


Ron Lewis
Forum Community Manager



#7 AccessIT

Posted 13 August 2013 - 04:13 AM

AdvancedSetup, on 13 Aug 2013 - 6:18 PM, said:

The first one appears to be running as a guest on VMware.  In that case I would recommend possibly restoring it to a SnapShot where everything was working well and then update and secure from there.  If there are no snapshots then I'd recommend fixing, cleaning, and updating the current state and then creating a SnapShot with which to restore if needed.

 

Hi Ron

 

Thank you very much for the excellent feedback and links to follow up.

 

I just wanted to clarify one thing - the Windows 7 machine is definitely the primary boot operating system, it does have VMware Workstation installed for running virtual machines on it but the MBAM I am having the high memory issue with is running on a Windows 7 x64 machine not a VM.

 

Thanks for your help

Regards

Noel
