Jump to content
atariguy

BSOD running a certain program after 1.1.18 update

Recommended Posts

We have an application that we use in our office that we created using PowerBuilder. Today on 3 computers with Windows 7 it started causing a BSOD every time we tried running it. It turned out that those 3 (mine is one of them) all had one thing in common - the Malwarebytes Anti-Ransomware Beta, which apparently just received update 1.1.18. Reinstalling our app fixed it on mine, but not the others. We disabled the anti-ransomware program on theirs and the problem went away. On mine, I have now set our program to be on the Exclusions list.

Share this post


Link to post
Share on other sites

Information displayed on the BSOD: system_service_exception related to fltmgr.sys

And just after submitting that, I tried running our app again, and got another BSOD. So putting it on the Exclusions list didn't help, and my "fix" of replacing the files was only temporary.  I guess I'll have to uninstall the anti-ransomware program for now.

Share this post


Link to post
Share on other sites

Hello @atariguy and :welcome:

Before uninstalling MBARW, Using the native Windows built-in zip utility, please create the following .zip (not .7z or .rar) archive container for MBARW developer team analysis:

                                                          "%ProgramData%\MalwarebytesARW"

Please attach the .zip archive to your next reply.  Thank you for testing the MBARW Beta.

Share this post


Link to post
Share on other sites

Hi @atariguy,

Do you happen to have MEMORY.DMP from a BSOD?

It's typically located in %SystemRoot% if you have the OS setting enabled.

If not enabled, here is how to enable it.

Configure your system for Complete Memory Dump:

Open File Explorer (click the folder icon in the left part of the taskbar).

Right-click This PC and select Properties from the menu.  

In the left part of the System window, click Advanced system settings.

In the System Properties window, go to the Advanced tab. In the Startup and Recovery section, click Settings.

In the Startup and Recovery window, select Complete or Kernel memory dump from the drop-down list.

Uncheck Automatically restart

Click OK and OK your way out of the dialog box. Allow the computer to restart.

After this is enabled, please reproduce the BSOD again, and send us the MEMORY.DMP file itself to here https://wetransfer.com/ and give us the link?

The memory dump will give us more details of the root cause.

Many thanks for this.

Nobu@malwarebytes

 

Share this post


Link to post
Share on other sites

The update that MB Ransomware had on Thursday caused major issues across a lot of PCs. BSOD hell :)

Unplugging etherner / rebooting / system restore > remove anti ransomware > reinstall system chipset drivers and NIC fixed the issue

Share this post


Link to post
Share on other sites

I also have BSOD related to fltmgr.sys and doubleclicking calibre-portable.exe (ebook-Reader calibre) on several installations  of windows 10 on the same hardware (1511 and 1607 versions). Disabling Anti-Ransomware 0.9.17.661 solves this for now. Exclusions with calibre-portable.exe and fltmgr.sys are without success.

Share this post


Link to post
Share on other sites

Spent Friday and the weekend troubleshooting this. Yes, there is a problem with the latest update. Unfortunately, Windows had some updates as well and I assumed (what happens when you assume) it was their updates causing the issue.

 

Share this post


Link to post
Share on other sites

I am experiencieng the same Problem. Had BSOD with system_service_exception related to fltmgr.sys today.

Windows-Updates KB kb3210139, kb3207752, kb3210131 were automatically installed on Friday. After a reboot of the System, while logging in the BSOD happened.

After System-Restore to the day before the Installation of the Windows-Update everything was ok.

I had 5 other PCs experiencing the same Problem. I think, this is a combination of the KBs mentioned above and 1.1.18 update

Share this post


Link to post
Share on other sites
7 hours ago, Dietmar said:

I am experiencieng the same Problem. Had BSOD with system_service_exception related to fltmgr.sys today.

Windows-Updates KB kb3210139, kb3207752, kb3210131 were automatically installed on Friday. After a reboot of the System, while logging in the BSOD happened.

After System-Restore to the day before the Installation of the Windows-Update everything was ok.

I had 5 other PCs experiencing the same Problem. I think, this is a combination of the KBs mentioned above and 1.1.18 update

We have Windows updates set to not install automatically, so they were not a factor for us, since they hadn't been applied. So they most likely are not related.

Share this post


Link to post
Share on other sites

@atariguy Do you use a network/SAMBA mapped to you system and do some file I/O there at the time of crash?  Besides your PowerBuilder app you work on, we are trying to gather more environmental context data.  Thanks!

Share this post


Link to post
Share on other sites

I had problems with this last week and troubleshooting the issue led to the computer becoming unbootable, so I restored from an image.  The problem returned this morning and again caused the system to be unbootable after troubleshooting and getting a few BSODs.  I ran the Macrium recover disk this time and let it fix the boot record, MBR, etc and was able to boot again.  The BSODs were all System Service Error in fltmgr.sys, but the boot error notification named mb3swissarmy.sys which put me on the track of the anti-ransomware.  Uninstalling fixed it, and reinstalling it even stayed fixed for an hour or two, then back to the BSODs.  Mine is completely reproducible.  I have a NAS hooked to my network and a drive shared from the server.  Both are mapped drives on the main machine.  Working with the drives causes no issues, copying to or from them is fine.  Running an executable though would BSOD the machine every time once it started doing it.  Any executable, either drive.  As someone else mentioned in this thread, I excluded the whole drive from ant-ransomware, but no luck.  Nothing else I've done triggers the bluescreens except actually executing a file off the shared drive.

Share this post


Link to post
Share on other sites

Hello @CassK and :welcome:

Malwarebytes' staffers would appreciate your assistance in identifying the source of the BSoD(s) your system has experienced.  Please attach the following data to your next reply:

1.)  Using the native Windows built-in zip utility, attach the archived contents of the "%ProgramData%\MalwarebytesARW\” directory in a .zip file.
2.)  Post the most recent Complete or Kernel Dump (.dmp) file, from the "%SystemRoot%\Minidump\" directory to a free file sharing service such as https://www.dropbox.com/ and reply with the .dmp file's URL.  Otherwise, attach the Small Memory Dump (.dmp) file in your next reply.
3.)  Attach (do not compress/copy/paste) the separate FRST.txt and the Addition.txt output diagnostic reports from only Log Set 1.

Soon after the requested data is posted, the Malwarebytes' QA & Developer Teams, and staffers can commence their analysis.  Thank you always for your assistance.

Share this post


Link to post
Share on other sites

I'm not really needing help with this since I solved it by uninstalling.  I was just adding my experiences to this thread to hopefully help you guys troubleshoot.  I don't have the application logs anymore since I uninstalled, but I'll attach the relevant mini-dumps which is all I have.  I installed the latest MB trial with anti-ransomware real time protection and so far the problem hasn't recurred.

Minidump.zip

Share this post


Link to post
Share on other sites

Since last week we have the same problem that certain PCs get a bluescreen with STOP-Code 8E when starting a certain program.

We had this with a banking software and with a program used in a doctor´s office. The banking software brought the error code 8E with the file fltmgr.sys.

After ending Malwarebytes Antiransomware Beta (the latest version) everything is fine.

 

Thank you

Paul

 

Attached you can find some files (Malwarebytes and mindump)

MalwarebytesARW.zip

MalwarebytesARW.zip

121516-5257-01.dmp

Addition.txt

FRST.txt

MalwarebytesARW.zip

Share this post


Link to post
Share on other sites

We had this issue too at a law firm client. We are running MBARW on 3 users that are high-risk Internet users in the past.

Everything was fine until Friday morning - 12/16/16

The issue is:

Whenever they launch a .exe from a mapped drive on a server, they get BSOD and reboots.

Doesn't matter which executable or which mapped drive. Everything worked fine before - all the way back to February 2016 when first beta version was installed.

All we had to do was uninstall MBARW and the problem goes away.

I am owner of I.T. company and Senior Tech/Engineer for 23 years, and I know it is an antiquated way to run program executables off a server drive...... Unfortunately in the legal industry, Credit Union industry, etc... the leading apps in some specialty areas require that users do this. The apps cannot be run locally.

So... We love this program and it has already saved 2 clients from RW attacks.

The update last week needs to be tweaked so we can exclude .exe on mapped drives. We have tried excluding the .exe file, the mapped location, the shortcut location on the local PC, etc...  - nothing worked. Still BSOD.

Hope this helps others to not spend an entire day troubleshooting.

 

Share this post


Link to post
Share on other sites

Thanks, @DFLO

The potential fix/solution i just mentioned in my previous reply targets exactly this work flow.  We should have some updates to all of you soon.

thanks

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.