
Windows 10 - Malwarebytes service terminated unexpectedly



Windows 10 x64
Up to date in Windows Update as of now
MWB Premium 3.2.2.2029

In the last 24 hours, I've seen this event 13 times - "The Malwarebytes Service service terminated unexpectedly. It has done this x time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service." in Event Viewer > Windows Logs > System (x is a number between 1 and 5)

These errors are followed by a series of information events from FilterManager and Service Control Manager regarding unloading, and services installed.

As the errors are happening my PC will hang, and apps will go unresponsive, until the services are restarted.

I have removed MWB this morning, and downloaded the current version, and the error has happened twice since.

I'm planning a clean install when the next W10 Creator's update is available which I think is the 17th, but I thought this might be worth investigating in the meantime.

Thanks in advance.


Hello and Welcome!

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues....

  1. FIRST: Create and obtain Farbar Recovery Scan Tool (FRST) logs
  2. Download FRST and save it to your desktop
    NOTE: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
  3. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
  4. Press the "Scan" button
  5. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
    NOTE: These two files will be collected by the MB-Check Tool and added to the zip file for you
  6. NEXT: Create and obtain an mb-check log
  7. Download MB-Check and save to your desktop
  8. Double-click to run MB-Check and within a few seconds the command window will open, then click "OK"
  9. This will produce one log file on your desktop: mb-check-results.zip
  10. Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

Thank You,

Firefox


Hello @SpaceCoyote

From your logs there is an indication of a crash, but we cannot determine why.

Can you please help us by getting the following logs:

1. Turn on Debug logging in Malwarebytes. Go to Settings/Application and under the "Event data log" turn on the "Collect enhanced event log data for support" option.

2. Wait for the service to terminate and restart the service.

3. Please send us these fresh mb-check logs.

4. Also, if you are seeing a crash in the Malwarebytes service, please generate a crash dump (Task manager/processes/Malwarebytes Service -- Right click on the process and click on generate crash dump)

Appreciate your help.

Thank you.


2 hours ago, SpaceCoyote said:

.DMP file is 83 Mb, even with the best compression I can achieve, so it's not attached.

You can use a service called WeTransfer to upload there and then share the link here....

WeTransfer for uploading crash dumps

Upload File(s) to WeTransfer:

  • Visit WeTransfer.com
  • Click on I Agree
  • Click on the icon on the lower left indicated in the below image
  • Select the Link option
  • Click on +Add Files
  • Browse to the location of the file and double-click on it or click once on it and select Open
  • Click on Transfer
  • Once the transfer completes, click on Copy link
  • Once you receive the Copied! message as indicated below, paste the link into your next reply


Hello @SpaceCoyote

The dumps did not give the critical information we were looking for. Can you please try this:

Grab the procmon.zip file attached. Now follow the following steps:

  1. Open Malwarebytes and go to Settings -> Protection
  2. Disable the Self Protection option
  3. Download the following Procdump.zip file: Procdump.zip
  4. Right click on procdump.zip and then choose properties
  5. In the window that pops up, click the unblock button near the bottom and then click ok
  6. Extract procdump.zip.
  7. GET MB3 into the broken state
  8. Open the folder where the files were extracted
  9. Right click "1-mbam_crash" and select Run as administrator.
    • If you did the steps correctly you should see a black screen.
  10. Wait 10-30 seconds and then the black window should go away
  11. There should be a new file in the folder that ends with .dmp
  12. Right click the DMP file and choose Send to -> Compressed (Zipped) folder
  13. Reply with the dump file

 

procdump.zip


I think the problem I'm having in generating these logs is the time between the service failing and restarting is 13 seconds, so in theory MB3 is in a broken state for such a short period of time, unless I manage to run the dump in that time, the logs will show that it's working as expected.

For example this morning's event list:

18/10/17 08:40:17 Service Control Manager - The Malwarebytes Service service terminated unexpectedly. It has done this 14 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
18/10/17 08:40:24 FilterManager - File System Filter 'MBAMProtection' (Version 6.3, ‎2017‎-‎09‎-‎06T13:40:25.000000000Z) unloaded successfully.
18/10/17 08:40:24 FilterManager - File System Filter 'MBAMFarflt' (Version 6.3, ‎2017‎-‎09‎-‎06T00:44:07.000000000Z) unloaded successfully.
18/10/17 08:40:24 Service Control Manager x 3 messages

A service was installed in the system.

Service Name:  MBAMWebProtection
Service File Name:  \SystemRoot\system32\DRIVERS\mwac.sys
Service Type:  kernel mode driver
Service Start Type:  demand start
Service Account:

A service was installed in the system.

Service Name:  MBAMProtection
Service File Name:  \SystemRoot\system32\DRIVERS\mbam.sys
Service Type:  kernel mode driver
Service Start Type:  demand start
Service Account: 

A service was installed in the system.

Service Name:  MBAMFarflt
Service File Name:  \SystemRoot\system32\DRIVERS\farflt.sys
Service Type:  kernel mode driver
Service Start Type:  demand start
Service Account: 

18/10/2017 08:40:27 FilterManager x 2 messages
File System Filter 'MBAMFarflt' (6.3, ‎2017‎-‎09‎-‎06T00:44:07.000000000Z) has successfully loaded and registered with Filter Manager.
File System Filter 'MBAMProtection' (6.3, ‎2017‎-‎09‎-‎06T13:40:25.000000000Z) has successfully loaded and registered with Filter Manager.

Then the whole process repeats twice more in the space of 30 seconds, with the final attempt apparently succeeding at 08:41:07

I mentioned in my original post that I was planning a clean reinstall when the Creator's Update Fall 2017 was out, I think that's my best next step to be honest. If I have problems with MB3 afterwards, I'll be in touch.

Thanks for your time looking into the issue, really appreciate it.

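As an added example (not part of the original posts, and not Malwarebytes' code), the event sequence quoted above can be measured rather than read by eye: this Python code pairs each "terminated unexpectedly" event with the next reload of the MBAMProtection filter driver, giving the window during which the service and its driver were down. The sample lines are constructed in the post's layout, and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the "date time source - message" layout of the event
# list quoted in the post; these are not the poster's exported events.
SAMPLE = """\
18/10/17 08:40:17 Service Control Manager - The Malwarebytes Service service terminated unexpectedly. It has done this 14 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
18/10/2017 08:40:27 FilterManager - File System Filter 'MBAMProtection' (6.3) has successfully loaded and registered with Filter Manager.
18/10/17 08:40:41 Service Control Manager - The Malwarebytes Service service terminated unexpectedly. It has done this 15 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
18/10/17 08:40:52 Service Control Manager - The Malwarebytes Service service terminated unexpectedly. It has done this 16 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
18/10/2017 08:41:07 FilterManager - File System Filter 'MBAMProtection' (6.3) has successfully loaded and registered with Filter Manager.
"""

LINE = re.compile(r"^(\d{2}/\d{2}/(?:\d{4}|\d{2})) (\d{2}:\d{2}:\d{2}) (.+?) - (.*)$")
CRASH = re.compile(r"The (.+?) service terminated unexpectedly\. It has done this (\d+) time\(s\)\..*?in (\d+) milliseconds")
LOADED = re.compile(r"File System Filter '([^']+)'.*has successfully loaded")

def parse(text):
    """Return (timestamp, source, message) tuples in time order."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.replace("\u200e", "").strip())  # drop invisible U+200E marks
        if not m:
            continue  # wrapped or free-text lines are ignored
        date, clock, source, msg = m.groups()
        fmt = "%d/%m/%Y" if len(date) == 10 else "%d/%m/%y"  # both forms occur
        events.append((datetime.strptime(f"{date} {clock}", f"{fmt} %H:%M:%S"), source, msg))
    return sorted(events, key=lambda e: e[0])

def crash_windows(events, driver="MBAMProtection"):
    """Pair each service crash with the next reload of `driver`."""
    windows, pending = [], None
    for ts, _source, msg in events:
        crash, loaded = CRASH.search(msg), LOADED.search(msg)
        if crash:
            if pending:  # crashed again before the driver came back
                windows.append({**pending, "recovered": None, "gap_s": None})
            pending = {"service": crash[1], "count": int(crash[2]),
                       "restart_delay_ms": int(crash[3]), "crashed": ts}
        elif loaded and loaded[1] == driver and pending:
            gap = int((ts - pending["crashed"]).total_seconds())
            windows.append({**pending, "recovered": ts, "gap_s": gap})
            pending = None
    if pending:
        windows.append({**pending, "recovered": None, "gap_s": None})
    return windows

if __name__ == "__main__":
    print([(w["count"], w["gap_s"]) for w in crash_windows(parse(SAMPLE))])
```

A `gap_s` of `None` marks a crash that was followed by another crash before the driver reloaded, which is the repeated-restart pattern described in the post.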

Hello @SpaceCoyote

My bad, I asked you to run the 1-mbam_crash script. You should be running the 4-mbamservice_crash script.

So the flow would be:

1. Immediately after bootup run the script and leave it running.

2. After a minute when you see the crash it will be immediately detected and the crash dump will be written.

Please let me know if that worked.
