Malwarebytes 3, cannot complete the custom scanner: the system hangs in black screen


OS: Windows 10 Pro 32 Bit (Updated)
Antivirus: Avira Free Antivirus (updated)
Firewall: Comodo Firewall 10 (updated)
Asus Notebook working.
Problem encountered during a simple routine check (other on-demand control / cleaning programs, and the same Avira, have never detected infections).

Malwarebytes 3: the threat scan is completed without detecting any infection.
Malwarebytes 3: custom scanning, with all available options (and only the disk where the operating system is installed) selected, after about an hour, hangs the computer. The monitor starts flashing and then the screen becomes black (black screen). I must therefore brutally shut down the machine (hard reset).

Completely removed Malwarebytes 3, then I installed Malwarebytes Anti-Malware 2.2.1 and I tried again.
The above reported problem (with no other mutations in the system) does not occur with the Malwarebytes Anti-Malware 2.2.1 version: scanning (even with the same settings as Malwarebytes 3) is regularly completed (detecting even the same PUPs), although it takes more than three hours.

The disks control did not reveal any problems.

Now I'm using version 2.2.1.
Thank you for your attention and excuse my English!
Greetings from Italy.


I'm back!
So, I made some attempts.

 

Step by step:

1.1) uninstalled Malwarebytes Anti-Malware 2.2.1 (also with the support of Revo Uninstaller)
1.2) launched the MB-Clean tool and verified that no trace was left (attached mb-clean-results.txt)

2.1) launched Farbar Recovery Scan Tool (attached FRST.txt and Addition.txt)

3.1) installed Malwarebytes 3
3.2) the threat scan ran without any problems and did not detect infections
3.3) started custom scanning (with the above settings) and, after just over an hour (as in other circumstances), the system hung, but this time without displaying the black screen (and no BSOD; attached mb-check-results.zip).

I hope I have acted correctly.
Thank you so much for your courtesy and patience!

Cheers!

Addition.txt

FRST.txt

mb-check-results.zip

mb-clean-results.txt


So, this time the scan was completed regularly (and even in a short time)! :)
As you pointed out, this time I did not select the "Scan for Rootkits" option.

What conclusions should I deduce?

Consider that with Malwarebytes Anti-Malware 2.2.1 I can select the "Scan for Rootkits" option and the process is carried out regularly (though after several hours).


  • Staff

Thanks. Let's try doing some other checks, as most likely there's a file that's tripping up our detection

  1. Open Malwarebytes 
  2. Go to Settings -> Application
  3. Turn on the option for Event Log Data
  4. Turn on the option entitled "Lower the priority of manual scans to improve multitasking"
  5. Run a custom scan, and be sure to enable rootkit scanning
  6. Once the scan hangs, don't reboot
  7. Run mb-check from https://downloads.malwarebytes.com/file/mb3
  8. Upload the mb-check-results.zip file from your desktop in your reply

I am thanking you for your courtesy and patience! :)

Then, summarising to confirm the steps (I'm sorry for my English!).

  1. Settings - Application - Event Log Data - "Collect enhanced event log data for support (not recommended)" >>> option enabled
  2. Settings - Application - Impact of Scans on System - "Lower the priority of manual scans to improve multitasking" >>> option enabled
  3. Scan - Custom Scan - Configure Scan - "Scan for rootkits" >>> option enabled

These options are also active:
"Scan Memory Objects"
"Scan Startup and Registry Settings"
"Scan within archives"
as well as
PUP - Treat detections as malware
PUM - Treat detections as malware

Scanning is currently underway: I'll let you know! ;)

However, about points 6 and 7 of your last post, some details:
"6) Once the scan hangs, do not reboot"
Until now, when the scan hangs, the whole system hangs (except the mouse). Maybe, with the settings described above, if and when the scan hangs it will not also cause the computer to hang ... (so I can run MB-Check).

"7) Run mb-check from https://downloads.malwarebytes.com/file/mb3"
The file being downloaded is an (updated) version of Malwarebytes 3 and not MB-Check ... Am I wrong?
In my post with ID 3 (posted yesterday at 7:45 AM), I've already loaded the result of a scan with MB-Check.

Anyway, let's see the developments of current scanning ...
Thanks again!


Nothing to do unfortunately ... :(
Again the black screen and just the pointer (the small arrow) of the mouse in sight ... the hard disk is working (its small light is flashing), but every action is precluded.

Under these conditions I can not launch MB-Check.

The only thing I can do now is somehow stop the machine and launch MB-Check once back in a working (I hope) environment.

At this point, I can suppose that the rootkit scan (which seems to cause these hangs) works in a different way between Malwarebytes 3 (where my system crashes) and Malwarebytes Anti-Malware 2.2.1 (taking several hours, but the scan is completed).


  • Staff

Sorry, I didn't mean to link MB3, but mb-check. Thanks for running mb-check. For some reason, it didn't give us all of the files we needed. Let's get some more:

  1. Navigate to C:\ProgramData\Malwarebytes\MBAMService
    • The ProgramData folder may be hidden. If you can't see it, you'll need to type the path manually or turn on showing hidden files/folders
  2. Right click the logs folder and choose Send to -> Compressed (Zipped) folder
    • This should create a zip file on your desktop named logs.zip
  3. Upload logs.zip in your reply

  • Staff

Thanks! One more thing while I'm looking this over:

  1. Download the latest mb-check from here: https://downloads.malwarebytes.com/file/mb3
  2. Download Procmon from https://live.sysinternals.com/procmon.exe
  3. Launch Procmon and accept the EULA
    • If you've used this tool before, you may get a popup about filters. Click reset and then ok
  4. Once it loads, you should see a lot of information start displaying on the screen
    • If not, click the magnifying glass so that information starts showing up on the screen
  5. Open mb-check and let it complete
  6. Once mb-check completes, click the magnifying glass in Procmon so that it stops capturing
  7. Click the Save button to save the Procmon log
  8. Right click the Procmon log and choose Send to -> Compressed (Zipped) folder
  9. Upload both the mb-check-results.zip file from your desktop, and the procmon log zipped up from step 8

Thanks!

Can you also try doing a custom scan of the C:\Program Files\GIMP 2 folder please?

Edited by dcollins

Of course! I'll try during the day, as soon as possible and I'll let you know. :)

"Download the latest mb-check from here: https://downloads.malwarebytes.com/file/mb3" did you mean "Download the latest mb-check from here: https://downloads.malwarebytes.com/file/mb3_check"?
I am currently using MB-check version 3.1.0.1002. Is that the latest and correct version I have to use?

Meanwhile, I asked Malwarebytes 3 to scan the "C:\ProgramFiles\GIMP 2" folder and, in effect, the program seems to be unresponsive.
I mean:
1) the computer is not locked
2) Malwarebytes 3 has started scanning, but no progress has been made.
Better:
Currently Scanning: (no indication - white space)
Scanned Items: (no indication - white space)
Time Elapsed 00:00:00 (several minutes)
Threats Identified: 0
The "Pause" and "Cancel" buttons are disabled.
Anyway, Malwarebytes 3 does not seem blocked: I can still close it with the "x" in the upper right.

Summarizing, the custom scanning settings for the GIMP 2 folder are:
"Lower the priority of manual scans to improve multitasking" >>> option enabled
"Scan Memory Objects"  >>> option enabled
"Scan Startup and Registry Settings"  >>> option enabled
"Scan within archives"  >>> option enabled
"Scan for rootkits" >>> option enabled
As well as
PUP - Treat detections as malware
PUM - Treat detections as malware

I've tried customized scanning for a particular folder on another computer (Win10 Pro 64-bit, where Malwarebytes 3 runs regularly and even custom disk scanning - with the rootkit option enabled - is successfully completed). Even in this case, Malwarebytes 3 starts (at least looks like) scanning, but no progress has been made.

That is:
Currently Scanning: (no indication - white space)
Scanned Items: (no indication - white space)
Time Elapsed 00:00:00 (several minutes)
Threats Identified: 0
The "Pause" and "Cancel" buttons are disabled.
The scanning folder in this last case is not GIMP 2 (a program that is not even installed on this second machine with Win10 Pro 64 bits).

Perhaps I need to scan a specific folder from the Windows Explorer menu?

Anyway, I still have to run Process Monitor ... (I'll have to do it later, during the day).


Small update on the fly ...
Scanning the GIMP 2 folder is performed regularly (only) if launched from the context menu of Windows Explorer.
Whereas if I try to scan only the GIMP 2 folder from "Scan - Custom Scan - Configure Scan - select only GIMP 2 folder - Scan Now", it does not show any progress and does not finish.


I did some tries.
To overcome my difficulties with the language, first some clarifications.
The environment where I work is always Win10 Pro 32 bit.
I can scan a single folder in two ways:
1) Scan - Custom Scan - Configure Scan - select the folder in the right pane
or
2) right click on the folder by Windows Explorer and then scan with Malwarebytes.

(1)

In the first manner, always and in any case, regardless of the folder (either GIMP 2 or another), the scanning is not finished (it seems to start, but is not over).

(Screenshots attached named 001-001_Custom Scan_Scan Now_GIMP2 selected.jpg, 001-002_Custom Scan_Scan Now_GIMP2 selected.jpg, 001-003_Custom Scan_Scan Now_GIMP2 selected.jpg, 003-001_Custom Scan_Scan Now_7zip selected.jpg, 003-002_Custom Scan_Scan Now_7zip selected.jpg).

(2)

In the second case, the scan is concluded, even for the GIMP 2 folder.

Screenshots attached named 002-001_Custom Scan_Right Click_Context Menù_GIMP2.jpg, 002-002_Custom Scan_Right Click_Context Menù_GIMP2.jpg, 002-003_Custom Scan_Right Click_Context Menù_GIMP2.jpg.

 

 

001-001_Custom Scan_Scan Now_GIMP2 selected.jpg

001-002_Custom Scan_Scan Now_GIMP2 selected.jpg

001-003_Custom Scan_Scan Now_GIMP2 selected.jpg

002-001_Custom Scan_Right Click_Context Menù_GIMP2.jpg

002-002_Custom Scan_Right Click_Context Menù_GIMP2.jpg

002-003_Custom Scan_Right Click_Context Menù_GIMP2.jpg

003-001_Custom Scan_Scan Now_7zip selected.jpg

003-002_Custom Scan_Scan Now_7zip selected.jpg


With scan method n. 1 (Scan - Custom Scan - Configure Scan - select the folder to scan in the right pane - Scan Now) and the "Scan for rootkits" option disabled, the operation is successfully completed, even for the GIMP 2 folder!

Summarizing the custom scanning settings for method n. 1:
"Lower the priority of manual scans to improve multitasking" >>> option enabled
"Scan Memory Objects" >>> option enabled
"Scan Startup and Registry Settings" >>> option enabled
"Scan within archives" >>> option enabled
"Scan for rootkits" >>> option disabled
As well as
PUP - Treat detections as malware
PUM - Treat detections as malware

As soon as possible I'll give you updates about Procmon!
Thank you so much for the assistance and the time spent for me! :)

Edited by markinson

Here are the monitoring results with Process Monitor (attached).

Some clarifications:
1) MB-Check version 3.1.1.1003
2) Process Monitor version 3.33
3) the Process Monitor log is in three different formats (I did not know which could be the easiest to read ...) :blush:

I followed exactly the steps you indicated, that is (briefly):
- launch Procmon and accept the EULA
- open mb-check and let it complete
- once mb-check completes, click the magnifying glass in Procmon so that it stops capturing
- click the Save button to save the Procmon log

I hope I've done the job properly ...

mb-check-results.zip

ProcessMonitor_Log_CSV-PML-XML.zip


  • Staff

OK, let's try to get a memory dump:

  1. Start a scan with rootkit scanning enabled and wait for it to hang
  2. Right click your taskbar at the bottom and choose Task Manager, or press Ctrl + Shift + ESC
  3. In the Task Manager window, click More Details at the bottom if it's there
  4. Click the Details tab at the top, and find mbamservice.exe in the list
  5. Right click mbamservice.exe and choose Create Dump File
  6. When the process is finished, it should tell you the location of the dump file it created
  7. Go to that folder (it's usually %temp%) and right click the mbamservice.dmp file, choose Send to -> Compressed (Zipped) folder to zip it up
  8. Upload the zip in your reply. If it's too large, use wetransfer.com to send the file to dcollins@malwarebytes.com

Thanks!


Here I am, back again! :)

I will upload as soon as possible the dump file, but first another clarification on my part.

Performing the various tries, compared to the initial situation that led me to open this discussion, I am now in two different situations where Malwarebytes does not respond as I expect.

First situation (the original one, for which I opened the thread; Scan - Custom Scan - Configure Scan - select the whole hard disk to scan in the right pane - Scan Now): complete hang
The hard disk custom scan, with all options enabled (including rootkit scanning), is not completed because the system is completely blocked and hung: black screen, I cannot do anything, only the mouse arrow moves.

Second situation (discovered during tests and, most of all, verified in two different computers): Malwarebytes (partially) doesn't respond
The custom scanning of a single specific folder (or folders) on the hard disk (so not all the hard disk, but only one or more folders of this), with the rootkit option enabled, starts, but it does not end or show any progress (refer to attached screenshots named 001-001_Custom Scan_Scan Now_GIMP2 selected.jpg, 001-002_Custom Scan_Scan Now_GIMP2 selected.jpg, 001-003_Custom Scan_Scan Now_GIMP2 selected.jpg, 003-001_Custom Scan_Scan Now_7zip selected.jpg, 003-002_Custom Scan_Scan Now_7zip selected.jpg).
In this case, however, the system is still working and I can even continue to move within the various sections of Malwarebytes (as shown with the screenshot 001-003_Custom Scan_Scan Now_GIMP2 selected.jpg); although custom scanning, with the rootkit option enabled, does not make any progress and is never completed (refer to screenshots 001-002_Custom Scan_Scan Now_GIMP2 selected.jpg and 003-002_Custom Scan_Scan Now_7zip selected.jpg).

I intend to specify all this to say that I can only dump the file in this second circumstance ...
... so sorry for my terrible English! :blush:

Edited by markinson
