Hello.  I was referred to MalwareBytes Forum by Broni at TechSpot Forum, who also suggested that I post the URL to the topic I created there, since it contains the logs for the various scans (the conclusion was that my PC is clean).  That URL is:

https://www.techspot.com/community/topics/pc-shutting-down-during-malware-scans-presumed-malware-infection-windows-7.246891/#post-1687693

 

I will repeat the description of the situation that prompted me to search for help, since that may give you some clues regarding my situation:

This issue has been happening for a while -- even though my PC has been scanned on several occasions and found "clean" -- and it seems to be getting much worse of late. Whenever I try to run certain malware scans (originally Dr. Web, a year or so ago, and more recently MalwareBytes), the scan progresses to a certain point (in both Dr. Web and MalwareBytes this occurred near the end of the scan -- in the case of MalwareBytes, either at the end of the "scan file system," or the beginning of the "heuristics analysis" part of the scan, though since the PC shuts down without warning, I can not report precisely where) and then the PC shuts down (apparently the processor is overheating). The reason I am posting in the (TechSpot) Malware Forum is because it appears to be an issue with infected file(s), that, when the scan comes to the file in question, the file initiates a burst of activity (my guess as to what is happening, since I know no way to document precisely what is going on) that overheats the processor -- this is the best way I can explain it, from my careful observations. The shut-downs always occur at precisely the same point in the scan.

Recently it has become increasingly difficult to run malware scans. Yesterday it appeared that GomPlayer had become infected or corrupted (videos were playing strangely, or crashing; and the uninstall file "Uninstall.exe" was missing, and GomPlayer not listed in the Add/Remove Programs list). The only thing I could think to do was redownload the install file, reinstall the program over top of the corrupted one, and then use the newly created "Uninstall.exe" file to remove the program from my PC. This has helped a little (I was able to keep the machine from shutting down while I scheduled the Boot Scan), but not really solved the problem. Earlier today, after removing the GomPlayer, I managed to keep Avast! open long enough to schedule a boot-time scan (and get the additional definitions downloaded and installed as well), and the scan found two issues (I can not find a way to get the results after the fact when running a boot-time scan, so perhaps they are not saved; and, knowing that from past experience, I copied these things down while the scan was running):

1) EICAR TEST-NOT VIRUS!!! (sic) [This item was moved from C:...\AppData\Local\temp to Avast!'s Virus Vault. This item, in a file named "AV-test.txt", was detected early in the scan, at the same point where some scans have failed when run after Windows had loaded.]

2) C:hiberfk.sys Win32:ISOM "Delete error 0xC0000043 {A file can not be opened because the share access flags are incompatible}." [Apparently nothing was done, since the file remained in situ in C:. This item was listed quite late in the scan, when it was around 97% complete, and this point corresponds to the failure of other scans -- notably Dr. Web and MalwareBytes.]

I am running Windows 7 Ultimate (with SP1), 32-bit O/S. If other details are needed, please tell me what to list.  And as for MalwareBytes, circumstances dictate that I use the free version:  after Broni indicated that my PC was "clean" I uninstalled the MalwareBytes program and deleted the install file, and then redownloaded a fresh install file and went on from there, and when I tried to run the scan, the same thing happened -- PC shut down.  I am going to do a system restore because, subsequent to this issue, when I turn on my PC, after signing in and the Windows "Welcome" screen, the monitor goes white, and either shuts down a minute or so later (while still showing a white screen), or begins to load the desktop and then shuts down.  (Even now, writing in Safe Mode, the overheating alarms just went off, so I had better close here, and then do the system restore before it shuts down again and I lose this -- actually, the PC shut down when I tried to submit this; fortunately the text was saved and I can try to submit it again now).

Thank you very much for your time, and for any help you can give.

-- Daniel M. Burkus

 


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link
  • Click the Gather Logs button
  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:

    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Can you see if you have a dump file at C:\Windows\MEMORY.dmp, and if you do, please zip it up and upload it here or use wetransfer.com to generate a download link.

If you don't have a dump file, please follow the steps to create one:

  1. Click the Start button and then right click Computer.
  2. Click Properties.
  3. Click Advanced System Settings on the left side.
  4. In the window that comes up, click the Hardware tab along the top.
  5. Under Startup and Recovery, click Settings.
  6. In the System Failure section, make sure that Kernel Memory Dump is selected and click Ok.
  7. Reboot.
  8. Run a scan to reproduce the issue and then look for the memory.dmp file.

1 hour ago, dcollins said:

Can you see if you have a dump file at C:\Windows\MEMORY.dmp, and if you do, please zip it up and upload it here or use wetransfer.com to generate a download link.

If you don't have a dump file, please follow the steps to create one:

  1. Click the Start button and then right click Computer.
  2. Click Properties.
  3. Click Advanced System Settings on the left side.
  4. In the window that comes up, click the Hardware tab along the top.
  5. Under Startup and Recovery, click Settings.
  6. In the System Failure section, make sure that Kernel Memory Dump is selected and click Ok.
  7. Reboot.
  8. Run a scan to reproduce the issue and then look for the memory.dmp file.

Thank you for your reply.  I did the above as far as step 7.  However, I do not understand how to run a kernel memory dump scan (and have not found anything on line other than by using third party software -- which I would prefer not to do at this time).

-- Daniel M. Burkus


Just run the scan with Malwarebytes that causes the crash.  Once the system crashes the memory dump will automatically be created (that's why you had to change those settings in Windows, to force it to create the kernel memory dump when a crash occurs).  After the crash happens, you should then be able to boot up the system again and find the memory.dmp file he requested in the Windows folder.


It is not so much trouble, and, yes, I imagined that it might be of help, too.  This is happening with other scans, too, and seems to be including more of them as time goes by.  Always the PC shutting down happens at the same point in the scan, and this suggests some sort of file issue.

I tried to run MalwareBytes and, as usual (recently), the PC shut down.  Since it is very annoying to be present when that happens, I was not in the room.  Nevertheless, when I left I noticed that it was progressing through the series of scans, and so probably shut down at the same place.  I came back and turned on the PC again, but I cannot find the dump file.  According to my understanding (from "Startup and Recovery" --> Dump file) it should be %SystemRoot%\MEMORY.DMP.  Sorry, but do you have any suggestions as to where the file might be?  (Searching for both "%SystemRoot%\MEMORY.DMP" and "MEMORY.DMP" yielded no results.)

 

-- Daniel M. Burkus

 


I should add that every time I run MalwareBytes since this started to happen, it causes certain issues:  for example, when I start the PC again after it shuts down, after the Windows "Welcome" screen, the monitor goes white.  It takes several minutes before it starts to load the desktop (and sometimes shuts down during the process).  Also, thereafter it seems to shut down randomly, for example when the browser is open.  I do not have to be doing anything, it just suddenly shuts down.  I mention this because shortly after I posted the previous message the PC shut down.  I could not get it to load the desktop in ordinary mode, so I am adding this from "Safe Mode with Networking."

 

-- Daniel M. Burkus


The only thing I could find was in the Event viewer.  The entire history is exactly the same -- only the event's number is different.  I am attaching a log from there -- I tried to run MalwareBytes again and this time it froze 51 seconds into the scan (while performing "pre-scan operations"), and after a while the PC shut down.  The file Event.zip contains the event log, which probably will not be much help.  I compared the logs from a number of events, and the details in all of them were identical (all the way back to the first time this happened, when I tried to run a scan with Dr. Web).

Also, I looked again (including looking through the Windows folder), but there is no "memory.dmp" file anywhere in this PC (according to "search programs and files").

 

-- Daniel M. Burkus

Event.zip


Can you tell me how to export the entire system event log (other than making a separate .txt file for each event, or manually adding a number of events to a single file, I can not see how that can be done)?  There have been 169 instances since March 30 (which is as far back as the records go -- though the event began to occur long before then).  I reviewed a number of the events individually, and the contents (when pasted to a .txt file such as I sent) were absolutely identical, with the exception of the Event Record ID (which naturally would change, in sequence).

Indeed, it is the case that the PC overheats and shuts down, as I have said all along.  The point, though, is that it is usually a malware scan (or its aftermath -- the effects seem to linger for varying lengths of time) that precipitates this overheating, and always when it arrives at a specific point in the scan series.  The point at which the PC overheats and shuts down, insofar as I can tell, is always very precisely the same.  Too clearly so that this is simply a matter of random overheating, because then it should occur at a different time or point each time a scan is run.

I have been running MalwareBytes at least once per week since this machine was set up, and can recall only one or two occasions -- quite some time ago -- when any malware was detected.  So primarily I am using it prophylactically.  Nevertheless, I think it is important to do this, and I would prefer to continue to do so in the future.  The shutting down when caused by MalwareBytes has been happening since sometime in May; and, as with other scans that cause this to happen, once it starts, it continues to happen every time that program is run.

 

-- Daniel M. Burkus


I believe you have to click down to a specific log view/filter view on the left (where it shows the folders containing the various views/log types such as Windows Logs>Application, Security, Setup and System) and when you click on the one where the events are stored (most likely System based on the nature of these events since they're hardware related), you should be able to right-click on it and choose Save All Events As... then browse to a location where you wish to save it (such as your desktop) then create a name for it (like System Events) then choose whether to export display settings for it (which shouldn't be necessary for an English OS) then you can zip and attach the file here in your reply.

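The dump settings and the event-log export discussed in the posts above, as an added PowerShell example that is not part of any post in this thread. The output folder name and the start date are assumptions made for illustration; the registry key, cmdlets and `wevtutil` are standard Windows components.

```powershell
# Added example: read-only checks; run from an elevated PowerShell prompt.
# Assumption: results go to a hypothetical "crash-triage" folder on the desktop.
$out = Join-Path $env:USERPROFILE 'Desktop\crash-triage'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Crash-dump settings, as stored by the Startup and Recovery dialog.
$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$types = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)' }
$dumpFile = [Environment]::ExpandEnvironmentVariables($cc.DumpFile)
$miniDir  = [Environment]::ExpandEnvironmentVariables($cc.MinidumpDir)
"Dump type : $($types[[int]$cc.CrashDumpEnabled])"
"Dump file : $dumpFile (present: $(Test-Path $dumpFile))"
if ($miniDir -and (Test-Path $miniDir)) {
    Get-ChildItem $miniDir -Filter *.dmp | Select-Object Name, LastWriteTime, Length
}
# A dump is written only when Windows itself stops with a bug check. If the
# power is cut (for example by a thermal protection shutdown), no dump file
# is produced even when these settings are correct.

# 2. Critical, Error and Warning events from the System log since a start date.
$since  = Get-Date '2018-06-01'   # constructed date; adjust to the period of interest
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Level = 1, 2, 3; StartTime = $since
} -ErrorAction SilentlyContinue

# One CSV with every matching event, instead of one text file per event.
$events |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Export-Csv (Join-Path $out 'system-events.csv') -NoTypeInformation

# Collapse repeats: identical shutdown records show up as one row with a count.
$events | Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 | Format-Table -AutoSize

# 3. Full System log in native format, readable in Event Viewer on another PC.
wevtutil epl System (Join-Path $out 'System.evtx') /ow:true
```

The grouped table is the quickest way to confirm that a long run of shutdown records is one event repeated, and the `.evtx` file can be zipped and attached in place of per-event text files.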

Sorry, I have had problems saving the critical events (continually get errors, so the saved files have no data).  Attached is a .zip containing what I hope is a valid file.  For some reason the event viewer no longer groups the errors by type (I was trying to send only the critical errors, since they are the ones where the PC shut down), so this file contains all errors.

 

In one of the MalwareBytes forum articles (replies) there was a suggestion to run ComboFix.  I did that, and it seems to have helped (though I have not tried to run MalwareBytes because the last time the shut-down that it precipitated really messed up my PC).  I have the logs, if you would like to review them.

 

-- Daniel M. Burkus

Events.zip


You can try this and it may help if more data is needed:

Post Event Logs:

  • Please download VEW by Vino Rosso from here and save it to your desktop
  • Double click it to start it. Note: If running Windows Vista, 7, 8/8.1 or Windows 10 you will need to right click the file and select Run as administrator and click Yes, Continue or Allow at the User Account Control Prompt.
  • Click the check boxes next to Application and System located under Select log to query on the upper left
  • Under Select type to list on the right, click the boxes next to Error and Warning. Note: If running Windows Vista, 7, 8/8.1 or Windows 10 also click the box next to Critical (not XP).
  • Under Number or date of events select Date of Events and type [01] [01] [2017] in the boxes next to From: and type [11] [06] [2018] in the boxes next to To: then click Run
  • Once it finishes it will display a log file in notepad, you may close it and then navigate to the root of C:\ and you'll find a text file called VEW there; move it to your desktop
  • Right-click on the VEW.txt file on your desktop and hover your mouse over Send to and select Compressed (zipped) folder
  • Please attach the VEW.zip file you just created to your next reply


 

The PC had been running well since I ran the VEW scan.  This morning while watching a news video, the problem started again (and I have not been able to run the machine in Regular Mode -- I am using SafeMode now).  I prepared a new VEW scan (data for 1 June to 18 June 2018), and as close to a detailed description of the history of the incident, both of which .txt files I am enclosing in the attached .zip archive.

 

-- Daniel M. Burkus

VEW (1 June to 18 June, 2018).zip


Thanks for the additional info. Looking over everything reported here, especially the issues occurring from within safe mode, it makes me think that there might be a hardware issue at play here. Is your computer a brand name one, or a custom built one? If it's a brand name, many companies provide diagnostic software that you could use. If it's custom built, we may have to find specific software to run if possible based on your hardware.


  • 1 year later...

Greetings,

If your system is infected please read and follow the instructions in this topic, skipping any steps you are unable to complete, then create a new topic in our malware removal area by clicking here and one of our malware removal specialists will assist you in checking and cleaning the system of any threats.

I hope this helps and if there is anything else we might assist you with please let us know.

Thanks
