Defender will not complete a scan

  • Thread starter Thread starter JLEHM
  • Start date Start date
J

JLEHM

I am running Vista SP1. I can launch defender; however, the scan will hangup
on a file and never complete. The Scan can be a complete scan or a quicj
scan, any ideas.
 
Hello JLEHM,


Can you let us know what the trojan is and where its being detected ?

It will be alot easier to help you remove it once we know what it is and
where its saved into.

-=-


Ǝиçεl
-=-
 
Hi JLEHM,


You can go to the System Event log:

Start, Run, eventvwr.msc <enter>

Click on the System event log

Go to View, choose Filter, and choose "windefend" in the source control.

Look for yellow triangle entries that give the precise path and location of
what was detected, and use the button provided to paste the content of the
detection back to a message here.
-=-



Run in safe mode Windows Malicious Software Removal Tool – (KB890830) MRT

Delete Cookies and Temp Files and included all offline cºntent
Empty your IE cache
To run in safe mode.
http://www.computerhope.com/issues/chsafe.htm


Try running the "chkdsk /r" command at the command prompt
< http://support.microsoft.com/kb/315265>

Reboot


Run a Full scan with MRT

The programme can be found at C:\Windows\System32\MRT.exe ; MRT standing for
MicroSoft Removal Tool.

I find it easier to create a "short-cut icon" and locate the icon on my
"desktop"...... a double click and away she goes.
The icon is apt in design being the image of a Window with accompanying
sponge and soap suds.
If you don't believe me test by executing/running MRT upper or lower case
letters makes no difference,
Also you can double click C:\Windows\System32\MRT.exe and select the scan.

After finish the scan Reboot


Let us know if you still have the problem.


Good luck



Ǝиçεl
-=-
 
Below is content of the message

Log Name: System
Source: Microsoft-Windows-Windows Defender
Date: 11/7/2008 6:39:02 PM
Event ID: 3004
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: Compaq-Notebook
Description:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
Not Applicable
Scan ID: {38CE2B7F-3841-47C8-BFD4-B8B475F88AB6}
User: Compaq-Notebook\John
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found: driver:mchInjDrv
Alert Type: Unclassified software
Detection Type:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Windows Defender"
Guid="{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}" EventSourceName="WinDefend" />
<EventID Qualifiers="0">3004</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-11-08T00:39:02.000Z" />
<EventRecordID>45653</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>Compaq-Notebook</Computer>
<Security />
</System>
<EventData>
<Data Name="Product Name">%%827</Data>
<Data Name="Product Version">1.1.1600.0</Data>
<Data Name="Scan ID">{38CE2B7F-3841-47C8-BFD4-B8B475F88AB6}</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Domain">Compaq-Notebook</Data>
<Data Name="User">John</Data>
<Data Name="SID">S-1-5-21-2883898654-1166958187-1743476954-1000</Data>
<Data Name="Threat Name">Unknown</Data>
<Data Name="Threat Id">
</Data>
<Data Name="Threat Severity">
</Data>
<Data Name="Threat Category">
</Data>
<Data Name="FWLink">%%832</Data>
<Data Name="Path Found">driver:mchInjDrv</Data>
<Data Name="Threat Classification Index">0</Data>
<Data Name="Threat Classification">%%807</Data>
<Data Name="Unused">
</Data>
<Data Name="Unused">
</Data>
<Data Name="Detection Type Index">
</Data>
<Data Name="Detection Type">
</Data>
</EventData>
</Event>
 
What happens when you try the things I advised? What are your answers to the
questions I asked?
 
Hi John,

What changed in your system shortly before the problem occurred? Knowing
about a setting change or added software or hardware may be helpful in
solving the problem.

Maybe new driver

Any wireless peripherals involved?
-=-

Can't hurt to try MalwareBytes Anti-malware (MBAM)
<http://www.malwarebytes.org/forums/index.php?showtopic=2061&mode=threaded&pid=6518>
-=-

<http://aumha.net/viewtopic.php?f=30&t=36962>

Please download MalwareBytes Anti-malware (MBAM) from one of the following
links:

<http://www.majorgeeks.com/Malwarebytes_ ... d5756.html>
<http://www.besttechie.net/tools/mbam-setup.exe>
-=-
 
The log record you're posted (thanks!) is likely completely benign--an
unknown is just that--something that isn't on Defender's radar screen--a
good many hardware drivers fit that category, and aren't necessarily
malware.

The scan completion issue is worth troubleshooting further.

Can you say how long you have left it scanning?

If it is showing filenames as it scans, does it seem to stop on a particular
filename?

Does your system have many large archive files? An archive file is a
compressed container for potentially many smaller files--examples are files
suffixed .zip, .iso and others, including .exe in some cases.

If this is the case, there is an option setting to tell Defender not to scan
within such files, but I'm inclined to guess--from the fact that this
happens on both quick and full scans, that this is not the issue.

I've believe this can happen when registry security settings keep Defender
from scanning areas that it expects to be able to scan, but this is ancient
dusty memory--so if you can tell more about what the scan shows is happening
when it appears to hang, that may help.

Additionally, such hangs may, in fact, simply be very slow progress--hence
the question about how long you've left it. I'm not minimizing the impact
of this on the user--just wanting to distinguish between locked up
completely and proceeding tortoise slow! Either way, it is certainly worth
troubleshooting and seeing if the performance can be improved. The goal
(and experience on most machines) is that a quick scan should have minimal
usability impact, and take a reasonable amount of time--certainly measured
in minutes rather than hours.
 
The problem occured on full systtem scans awhile ago; I viewed the Defender
update files and noticed htat one did not complete. I manually updated the
file and Defender started to work again. All of sudden it started failing on
both full and quick cans.

No wireless peripherals involved.

I followed your instructions regarding running the program in safe mode;
after running for 14 hours it came uwith nothing. I ran a quick scan a couple
of times and it is working fine. I have setup Defender to run a full scan
later today.
 
I followed Engel instructions and things are working better, I am going to
monitor for the next few days; I have had Defender start working again and
then fail. I do not have not added anything to the PC; hence, no new drivers.

At times I have left it scanning for days. I have a daily scan setup and
usually just let I run in the background.

There is at least one file in the Quick scan (regedit) and two in the Full
Scan ( HP Doc file) that it halts on.

I only have one archieve file; it does not appear to be having an issue with
that file.
 
If you are OK now on a quick scan, I would expect the full scan to complete
ok as well--although with a much longer time requirement.

Let us know what happens.

--
 
One other thought is to run a chkdsk on the drives. Re-reads on a disk are
below the level of the OS, so they just end up looking like stuff taking
forever (and the disk light staying on full even when there's no CPU or
memory pressure visible in Task Manager.

So running a chkdsk (which will require you to reboot to actually initiate)
may be worth doing. Such a check can take a long time with large drives,
though.

Given that you are now able to complete quickscans, I'd hold off on this,
but remember it if the problem returns. I don't think it is likely to help
in your case, but it won't hurt, and an occasional chkdsk isn't a bad idea
anyway.


--
 
Back
Top