Malwarebytes freezes computer after virus attack

I have been keeping an eye on the processes throughout. There's nothing suspicious running which I don't know about, as per normal Windows processes and ones related to specific hardware and programs I use.

One point before I get started on this reinstall is that I ran Malwarebytes in normal mode once again just to see if anything different happened, and I was using Firefox and VLC player at the time. Now what happened was interesting because some hours into the scan, which I was not watching but aware it was running, the computer locked again. Now this is a different condition to the freeze condition I detailed earlier. It could well have been that all that was locked was the keyboard and mouse, since programs continued to run normally, except I could not control anything and had to reboot. I have had this condition before as an effect of the virus attack. Recall also the language bar had been knocked out by the attack, so it makes me wonder whether there are still some executables running which are causing this. Like a program which detects the presence of anti-malware and then locks you out.


Please, just focus on what the plan is. Do Steps A & B as listed from before.

Do that first.

Let's stop making guesses. And as far as when you do start a scan, let's keep complications out of the picture. Close all web browsers; close other apps (no Firefox, no browser, no VLC, no multimedia) ... before starting the next scan.

Thank you.

Edited by Maurice Naggar

@Maurice Naggar and @AndrewC

When you leave Malwarebytes in minimized mode, the scan will take less time to finish even if you have to use a web browser, like I did (do not open Malwarebytes while it is doing its scan ~ Malwarebytes already runs at startup and an auto scan will be performed by the MBv3 software itself). :) Yes, I know closing all running software is best in other cases, but I did this because I am a gamer :)

This is only another option to go with :)

Edited by Gt-truth

4 hours ago, Maurice Naggar said:

Please, just focus on what the plan is. Do Steps A & B as listed from before.

Do that first.

Let's stop making guesses. And as far as when you do start a scan, let's keep complications out of the picture. Close all web browsers; close other apps (no Firefox, no browser, no VLC, no multimedia) ... before starting the next scan.

Thank you.

I am focused on the plan, although I have to use my computer in the meantime and I did another scan to be on the safe side and before doing the reinstall. That way it does not matter. I'm trying to report symptoms as they happen.

Now I have completed Step A and when doing the reinstall using the assistant program the same thing happened as before. It got to the very last point and then stopped. The rest of the computer was running so I close it down in task manager, then try and reboot. Windows got stuck on a screen saying Restarting Windows. I do a hardware reboot and I'm back running. Malwarebytes has installed, I've flicked the switches and now I'm going to close everything down and do a scan. Back in a bit.


I very much regret to read all this trouble. Let's just get a fresh Support Tool report.

Your PC should have the tool already in the Downloads folder. If you have it, you can skip the download part.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
  • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Get Started!"
  • Click the Advanced tab on the left column
  • Click the Gather Logs button
  • A progress bar will appear and the program will proceed with getting logs from your computer
  • Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK

Please attach the file in your next reply. Thank you.


Hi @AndrewC

Is this issue with your Malwarebytes scans freezing/hanging consistently reproducible? Does it occur with every scan you perform?

If it does, obtaining a memory dump of MBAMService in the hung state will help us determine why the issue is occurring.
Steps on how to generate this can be found below.

Generate MBAMService Memory Dump

  • Please download run_procdump.bat using the link below.
    https://malwarebytes.box.com/s/e127cj2ppb2lq6njf67li2gls3kbfz24
  • Open your Downloads folder.
  • Double-click run_procdump.bat. Click Yes if prompted by User Account Control.
  • Note: If you are prompted by Windows SmartScreen, click More info followed by Run anyway.
  • A blue window will appear.
  • When prompted to reboot, type Y into the window and press Enter on your keyboard.
  • After your computer has rebooted, please do the following:
    • Reproduce the issue by running a scan with Malwarebytes and waiting for the program to freeze.
  • Once done, open your Downloads folder and double-click the run_procdump.bat file once more.
  • Upon completion, a file named memorydump.zip will be saved to your Desktop. Please attach the file in your next reply.
  • Note: If the file is too large, you will be provided instructions to upload the file to a file hosting website (wetransfer.com).

-----

Based on the most recent Event logging, it looks like other services are having issues as well.
Please could you provide the following full Event logs:

Export Event Logs

  • Press the Windows Key + R on your keyboard at the same time. Type eventvwr.msc and click OK.
  • Expand Windows Logs.
  • Right-click Application and click Save All Events As.... Name the file application and click OK.
  • Repeat for Security and System.
  • Navigate to the location of the files. Highlight the three files, right-click one and click Send to followed by Compressed (zipped) folder.
  • Name the Zip file EventLogs.zip and attach the file in your next reply.

The situation with the scans is that after a safe install on the first two occasions there was a big delay in the pre-scan operations part. They both completed in just over three hours. Then I did a scan while using Firefox and VLC player and it froze after about two hours and then upon reinstall it froze after two minutes. So the issue of whether it crashes the computer or simply takes a long time is somewhat random, and as I said in the OP, I ran it a few times after the virus attack and it was freezing every time then, but on some occasions 19 seconds and some about 3.5 minutes. The crashes seem to take two distinct forms. One is a complete CPU crash and the other is where it appears the keyboard and mouse lock. Sometimes the pointer moves but you can't click on anything, hence it is impossible, given the way you outline, to do a memory dump.

I have the files requested. Yes it does appear the Windows system itself is having trouble loading system processes. They seem to get going eventually from what I have looked at.

events.zip


Thank you for running the last Support tool report. Please stick with LiquidTension on the issue of memory dump, services, event logs.

Your PC currently has a good install of Malwarebytes version 3.7.1.2839, whereas when this thread started, Chameleon had been used and so the PC had at best a version 2.x.
The installation now is good. You are running the free mode license, so let's keep Malwarebytes at the basic on-demand free basis.

Start Malwarebytes.
Click Settings button ( on left).
Click the tab marked "Account Details" ( it is the 5th tab in the settings screen )
You should then see a button marked "Deactivate Premium Trial".

Next, click the button on the left marked "Settings".
Scroll down to the section marked "Startup Options".
Look at the line marked "Start Malwarebytes at Windows startup" and click that to OFF.

Click Settings.  Now look on the Application tab.
Scroll down to Impact of scans on system.
Select the line for  "Manual scans have high priority and will finish more quickly".

I am of the view that this box has a compound set of issues (e.g., Windows 10 startup issues).

One side issue is MS Windows Update & the failed attempts to update the Windows Defender definitions. You want to follow up with special manual runs of Windows Update to take care of that.
These lines are from the reports:
Date: 2019-05-13 01:38:06.415
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.

 


8 hours ago, AndrewC said:

Correction to the last post. I just realised what you meant - do a reboot and then do the remaining steps.

OK so that worked. It froze in the same way as the scan before, but at 39 seconds.

Here's the memory dump.  https://we.tl/t-fHU22XjRuy

Thanks for the information and memory dump. I'll get back to you shortly with the results.


Hi @AndrewC,

There's no indication of a hang in that memory dump.

To confirm, is this the order of events you took?
Ran the batch file -> Entered Y into the Command Prompt and allowed the computer to reboot automatically -> After the reboot, ran a Threat Scan with Malwarebytes and waited for the program to freeze/hang -> Ran the batch file a second time


LiquidTension

Yes that is exactly what I did. When it froze, the time elapsed stopped on the program and I checked the Num Lock key, which had stopped working. I rebooted from the power switch on the computer and went straight to the file to run a second time.


Maurice Naggar

I have already got it on manual scan. I've flicked the switch to stop it from starting on Windows startup.

Actually I had noticed the error in updating Defender that you pointed out. However it appears it did another attempt and reported in one of those information events that it had updated definitions for Defender successfully. So it is still managing to get by, because that was one of my primary concerns. If it can update system files then there is a hope that if there is a dodgy file or misconfiguration then it might sort itself out.

Anyway, despite the problems, I am finding it will reliably reboot every time, given about a 30 min wait, and there is no sign problems are in any way getting worse, so the system is at least useable in Windows. Every other program I have tried to use so far has worked, except I needed to start a service to run disk defrag. It appears to me Malwarebytes is therefore the odd one out and is having multiple problems.

Please advise if you would like me to check or do anything else.


I don't know if it's related at all, but we did have this issue recently where a user was also experiencing slow/frozen system shutdowns with Malwarebytes active and it turned out to be due to some drawing tablet they had attached to the system and its driver/software activating the onscreen keyboard in Windows and that was actually what was holding up the system from shutting down, though again that may not apply to your case.  I just thought it was worth a mention since the symptoms sounded quite similar and they were both reported around the same time.


17 hours ago, AndrewC said:

LiquidTension

Yes that is exactly what I did. When it froze, the time elapsed stopped on the program and I checked the Num Lock key, which had stopped working. I rebooted from the power switch on the computer and went straight to the file to run a second time.

Thanks for clarifying. So what you're experiencing is a full system freeze (as opposed to just the Malwarebytes program freezing)?

In which case, it won't be possible to obtain a memory dump specifically for MBAMService in the issue state as the entire system is frozen.

-----

We can however try to generate a memory dump of the system in the frozen state. This involves forcing the machine to blue screen. More information can be found here.

First, please ensure the machine is configured to generate full memory dumps. Details on this can be found in the article linked below:
https://www.tenforums.com/tutorials/5560-configure-windows-10-create-minidump-bsod.html

(Refer to Option 2: "Have Windows Create a Complete Memory Dump on BSOD")

Once done, proceed with the following:

Enable Forced BSOD

  • Download enable_forced_bsod.reg using the link below:
    https://malwarebytes.box.com/s/8rxpxrwm4jmdz95dg5p1kudymdl4vtzm
  • Open your Downloads folder or location of the downloaded enable_forced_bsod.reg file.
  • Double-click enable_forced_bsod.reg and click Run followed by Yes if prompted by User Account Control.
  • Click Yes when prompted to continue.
  • Click OK.
  • Restart your computer.


After the computer has restarted, reproduce the issue so that your machine is in the frozen state.

Once done, hold down the rightmost Ctrl key on your keyboard and press the Scroll Lock key twice.
This will force your machine to blue screen. After the computer has rebooted, open the C:\Windows folder and verify a file named MEMORY.dmp is present.

Right-click MEMORY.dmp and click Send to followed by Compressed (zipped) folder. If prompted to save the file to your Desktop, click Yes.
Upon completion, upload the Zip file to a file hosting service (e.g. Google Drive, OneDrive, WeTransfer.com, etc) and provide a download link in your next reply.


LiquidTension

 

Strange things seem to be happening. Here is the sequence of events:

Downloading and running the file you mention went fine. The reboot mentioned there were Windows updates to be processed.

Upon rebooting the machine the first thing I do is run Malwarebytes after it has fully loaded Windows.

I wait about 30 seconds and nothing appears to have happened. In thinking I didn't click the icon properly, I click again and again nothing happens. Then I open Task Manager to see what is running. A Malwarebytes background process is running, but no sign of an application running, and neither is the icon on the tray at the bottom of the screen. I then open Firefox to give me some indication as to whether Windows is in a reasonably operative condition and that works fine, network connection fine, so I close that down and then go back to Task Manager to have a closer look. At this point the mouse buttons fail, the Num Lock works, then it doesn't and then I realise I've encountered this freeze condition. So at this point I force a blue screen, the blue screen happens, it says it will reboot and I'm back to a rebooted and a working Windows. The trouble is I can not find any memory dump file.

Since then I tried this process again. With everything closed down I click on Malwarebytes once and then leave the computer alone and wait. I come back and find the same freeze condition as above and again no memory dump file when forcing the blue screen. To be absolutely certain there is not one, I did an entire search of the C drive for .dmp files, and it was not there.  I double check the settings in Startup and Recovery and they are all correct.


Hi @AndrewC,

Here are a few common reasons why MEMORY.dmp is not created: https://support.microsoft.com/en-gb/help/130536/windows-does-not-save-memory-dump-file-after-a-crash

Just to confirm, Windows is definitely configured to generate a complete memory dump as specified in the article linked below?
https://www.tenforums.com/tutorials/5560-configure-windows-10-create-minidump-bsod.html

The System Event log should contain an entry with details on why the dump file was not created.

Export Event Logs

  • Press the Windows Key + R on your keyboard at the same time. Type eventvwr.msc and click OK.
  • Expand Windows Logs.
  • Right-click Application and click Save All Events As.... Name the file application and click OK.
  • Repeat for Security and System.
  • Navigate to the location of the files. Highlight the three files, right-click one and click Send to followed by Compressed (zipped) folder.
  • Name the Zip file EventLogs.zip and attach the file in your next reply.
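
Added example, not part of any post in this thread: a PowerShell check of the dump prerequisites discussed in the two posts above (dump type, page file size, free disk space, the forced-crash keyboard switch, and the System log entries that explain a missing MEMORY.dmp). Assumptions: the `CrashOnCtrlScroll` registry values are what enable_forced_bsod.reg sets (the thread does not show the file's contents), and the 7-day event window is arbitrary.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$cc       = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$types    = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }
$dumpFile = [Environment]::ExpandEnvironmentVariables($cc.DumpFile)

# 1. The Startup and Recovery settings as stored in the registry.
[pscustomobject]@{
    DumpType   = $types[[int]$cc.CrashDumpEnabled]
    DumpFile   = $dumpFile
    AutoReboot = [bool]$cc.AutoReboot
    Overwrite  = [bool]$cc.Overwrite
    LogEvent   = [bool]$cc.LogEvent
} | Format-List

# 2. A complete dump is staged in the page file on the boot volume, so that
#    page file has to hold all of physical RAM plus a small header.
$ramMB  = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$bootPf = Get-CimInstance Win32_PageFileUsage |
    Where-Object { $_.Name -like "$env:SystemDrive*" }
$pfMB   = ($bootPf | Measure-Object AllocatedBaseSize -Sum).Sum
if (-not $bootPf) {
    Write-Warning "No page file on $env:SystemDrive; a complete dump cannot be staged."
} elseif ($pfMB -lt $ramMB + 1) {
    Write-Warning "Page file is $pfMB MB but RAM is $ramMB MB; too small for a complete dump."
} else {
    "Page file OK: $pfMB MB for $ramMB MB of RAM"
}

# 3. Free space on the drive where MEMORY.DMP is written after the reboot.
$drive = Split-Path $dumpFile -Qualifier
$disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
'Free space on {0} {1:N0} MB (dump needs about {2:N0} MB)' -f $drive, ($disk.FreeSpace / 1MB), $ramMB

# 4. Keyboard-initiated crash switch: i8042prt covers PS/2 keyboards, kbdhid
#    covers USB keyboards. Assumption: these are the values the .reg file sets.
foreach ($svc in 'i8042prt', 'kbdhid') {
    $p = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" -ErrorAction SilentlyContinue
    '{0,-9} CrashOnCtrlScroll = {1}' -f $svc, $p.CrashOnCtrlScroll
}

# 5. System log entries from the crash dump stack (volmgr) and the bugcheck
#    reporter over the last 7 days; these say why a dump was or was not written.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'volmgr', 'Microsoft-Windows-WER-SystemErrorReporting'
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-List
```

A system-managed page file reports only its current allocation in step 2, so a warning there means the size should be checked in the Virtual Memory dialog before concluding it is too small.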

These are the settings under System failure:

----------------------------

Write an event log to the system log - tick

Automatically restart - tick

Write debugging information - 'Complete memory dump'

Dump file - %SystemRoot%\MEMORY.DMP

Overwrite any existing file - tick

Disable automatic deletion of memory dumps when disk space is low - no tick

------------------------

Disk space OK, no SCSI drive in use.

 

Here are the events.

Events.zip
