
mbshlext.dll crashing explorer.exe in Windows 7



Salutations,

When I use the context menu in Windows to scan any drive other than c: I am told that explorer.exe has crashed and a report is being generated to find a solution. This is followed by explorer.exe is restarting. After explorer has restarted the scan completes normally. The following error appears in event viewer. As a temporary workaround, I have disabled context menu scans in MBAM 3.5.1 Settings. I am running Windows 7 Home with 8GB RAM. I have no idea how to troubleshoot this error to get "Scan with Malwarebytes" to function properly from the context menu. Please help?

 

Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: mbshlext.dll_unloaded, version: 0.0.0.0, time stamp: 0x5abe91ea
Exception code: 0xc0000005
Fault offset: 0x000007fedfc5f97e
Faulting process id: 0xc8c
Faulting application start time: 0x01d44eb7189320a5
Faulting application path: C:\windows\Explorer.EXE
Faulting module path: mbshlext.dll
Report Id: 392bd72d-baad-11e8-8858-e0ca949f8102

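Added example (not part of the original thread and not Malwarebytes code): a small Python triage helper that parses the Application Error record quoted in the first post and decodes its hex fields into something readable. The function names and the short NTSTATUS table are this example's own choices.

```python
import re
from datetime import datetime, timedelta, timezone

# Event text copied from the Application Error record in the first post.
EVENT = r"""Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: mbshlext.dll_unloaded, version: 0.0.0.0, time stamp: 0x5abe91ea
Exception code: 0xc0000005
Fault offset: 0x000007fedfc5f97e
Faulting process id: 0xc8c
Faulting application start time: 0x01d44eb7189320a5
Faulting application path: C:\windows\Explorer.EXE
Faulting module path: mbshlext.dll
Report Id: 392bd72d-baad-11e8-8858-e0ca949f8102"""

# A few common NTSTATUS crash codes (table chosen for this example).
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION",
            0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
            0xC0000374: "STATUS_HEAP_CORRUPTION"}

def pe_time(hex_stamp):
    """PE header TimeDateStamp: seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(int(hex_stamp, 16), tz=timezone.utc)

def filetime(hex_value):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    ticks = int(hex_value, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def triage(text):
    """Split the record into 'key: value' fields and decode the useful ones."""
    fields = dict(re.findall(r"^([^:\n]+): (.*)$", text, re.M))
    name, stamp = re.match(r"(\S+), version: \S+, time stamp: (0x[0-9a-fA-F]+)",
                           fields["Faulting module name"]).groups()
    # WER appends "_unloaded" when the faulting address lies in a module
    # that was no longer loaded in the process at the time of the fault.
    unloaded = name.endswith("_unloaded")
    code = int(fields["Exception code"], 16)
    return {
        "module": name[:-len("_unloaded")] if unloaded else name,
        "unloaded": unloaded,
        "exception": NTSTATUS.get(code, hex(code)),
        "module_built": pe_time(stamp),
        "process_started": filetime(fields["Faulting application start time"]),
        "fault_offset": int(fields["Fault offset"], 16),
    }

if __name__ == "__main__":
    for key, value in triage(EVENT).items():
        print(f"{key:16} {value}")
```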

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link

  • Click the Gather Logs button

  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:



    Click "Reveal Hidden Contents" below for details on how to attach a file:
     

    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

     

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Following the instructions in that post I set my UAC to "Default" Recommended setting and rebooted. The issue persisted. I used the "Clean" button in mb-support-1.1.2.471 to perform a clean install of the MBAM 3.5.1. I allowed it to download and install the latest version on the outside chance that my previously downloaded installer had an issue. Unfortunately, nothing has worked. I left the clean install at all default settings, where I had enabled rootkit scans in the original. Thought maybe the rootkit scan had an issue with drives other than the boot drive. Still same condition exists when I attempt to scan any drive other than drive c from the context menu in File Explorer.


  • Staff

Greetings,

Please post a fresh set of logs now that you've performed a clean installation and reset UAC back to default:

  1. Run the Malwarebytes Support Tool
  2. Accept the EULA and click Advanced Options on the main page (not Get Started)
  3. Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply

Thanks


These are the log files collected after the clean reinstall and changing the UAC settings. All settings in MBAM 3.5.1 are still set to defaults. As previously stated, the scans complete normally, but only after Windows Explorer crashes out once. After explorer.exe has restarted, I can scan any drive I wish without any further crashes. Possibly malware loading at boot time? Or maybe a boot time program leaking the memory that mbshlext.dll needs?

mbst-grab-results.zip


  • Staff

I did notice that in the first set of logs you posted that all of the registry entries for the Malwarebytes shell extension were missing.  The new set shows that they are all present.  I would speculate that if they show as missing prior to trying to use it once and having explorer.exe crash, that would explain why it works after that if they are getting created in the registry each time by successfully registering the shell extension.

If I am correct, then something could be reverting the registry for some reason or un-registering the Malwarebytes shell extension causing this scenario to occur.  If you use any type of system backup/restore solution that resets or rolls back changes on restart then this could have something to do with why this keeps happening.


Something else I have noticed, that is odd... When I go to Scan>Custom Scans>Configure I cannot select any drives in this installation. In my other computers I can select anything I wish, however, in this installation when I select drive c or d or f the check appears in the checkbox for only a moment and then almost immediately disappears. I am not double-clicking ;) It is very odd behavior IMHO. It just won't let me scan any drives other than a normal drive c scan without using the context menu to initiate it and when I do Windows Explorer stops working... error report generates... explorer.exe restarts then it completes the scan (supposedly) and is okay again for subsequent scans from the context menu without "crashing" Windows Explorer until I reboot. Then it all reverts to the issues. Also, after it crashes explorer, I can still not select any drives in the custom scan. Sounds like malicious activity to me...


I had a look at the mbst-clean-results.txt file and found this line:

2018-09-17 18:03:43.364   Failed to delete File C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll, reason:(Access is denied.(error=5)),

Could it be a problem with permissions causing the issue? Interestingly, the problem only occurs when I use the context menu to launch a scan; the mbshlext.dll file is responsible for the context menu being there! Also, I tried a "clean" boot of Windows 7 and the MBAM program would not load. It said (not responding) right from launch!


  • Staff

No, that error is expected because the shell extension is loaded in explorer.exe.

As for your issue, are your drives encrypted by chance? Also, when you say you can't click the drives in Custom Scan, do you mean they're greyed out and disabled, or if you click them, they just don't have a checkbox next to them?


3 minutes ago, dcollins said:

No, that error is expected because the shell extension is loaded in explorer.exe.

As for your issue, are your drives encrypted by chance? Also, when you say you can't click the drives in Custom Scan, do you mean they're greyed out and disabled, or if you click them, they just don't have a checkbox next to them?

I ran through it again, just now, and see that the error did not happen on the last run. I looked for c:\program files\malwarebytes\ and the folder was successfully deleted after reboot. None of the drives are encrypted. I just found that I can select the drives. I was clicking too fast. When I click and hold for a moment it works as expected to select the drives.


  • Staff

Please try the following:

  1. Download and extract the attached zip file CrashDump.zip
  2. Right click on RUNME.bat and choose Run as Administrator
  3. Leave that window open, and then reproduce the crashing issue
  4. Once explorer crashes, the black box should disappear and there should be a .dmp file in the folder from step 1
  5. Zip up the file and either attach it here, or use wetransfer.com to generate a download link and reply with the download link

This will give us an idea of why we're crashing. Thanks!

CrashDump.zip


This is interesting. When I run the batch file (as administrator) and then use the file explorer context menu to scan drive F there is no crash of explorer! I could not find the .dmp file so I opened the batch file in editor to see where it was being written. Apparently, it is the folder that procdump.exe is run from (by default). No file is being written when there is no crash. So, I am going to try reboot and make it crash without loading procdump as administrator to see if the UAC process is preventing the crash. I had to go out on a call, so, it will be later today when I can resume chasing this issue. As yet, I have no crash dump log to send you. I just wanted you to know that I have not lost interest and why the delayed response. 


Wow! WeTransfer was interesting. I had to click a blank area to select the file to upload. I have a Dropbox Business account. I wanted to use it but I wanted to follow your instructions...so I used WeTransfer. There is some history you should be aware of. When I would reboot the pc then run the runme.bat file as administrator I would be prompted for UAC. Every time I was challenged with the UAC prompt, and accepted it, I could launch a scan of drive F from the context menu with no crash! However, when I reboot the pc and try to launch a scan of drive F from the context menu, Windows Explorer crashes. Somehow, accepting the UAC was preventing the crash! Similar to after the first crash MBAM would work as expected, too. I finally tried lowering the UAC to never prompt, rebooted, launched runme.bat as administrator, and was able to capture the crash. This seemed odd as when I did the clean install of MBAM it was with the UAC at the recommended (default) level. However, originally the UAC was lowered to never when I installed the first time and started the thread (as you saw in the MBSupport logs). So, here is the file. I hope this will reveal what is happening.

 

https://we.tl/t-gIlz5Ln3QV
