renoir

Malwarebytes 4.1 bogus detections and hindering pc operations


I recently updated to the latest version from the MB interface. Afterwards, when I tried to log off my computer, it was stuck on the "logging off" screen, spinning around for 20+ minutes. I was forced to use the power button to force shutdown the computer. Upon restart, it immediately detected a "C:\dllhost.exe" as malware and quarantined it. This item did not otherwise exist until after I upgraded Malwarebytes. It's as though Malwarebytes is the one creating problematic files itself. I did a repair with the Malwarebytes Support Tool, but when I restarted it did not offer me a reinstall as the instructions say. I went and downloaded an installer and reinstalled manually.

It was fine for a day or so, and the odd "C:\dllhost.exe" no longer appeared. However, after a while other weird issues cropped up. YouTube videos can no longer play, even though I can open websites just fine. When I tried to check my network settings, it froze and stopped responding. When I restarted Explorer, the taskbar loaded halfway and it stopped responding again. I couldn't even open Task Manager. When I tried to restart the laptop, the same freeze happened (spinning circles on the restart screen). I had to do the forced shutdown with the power button again. Upon restart, the same weird "C:\dllhost.exe" appeared again.

I'm afraid repeated forced shutdowns will wear down my PC. What's wrong here? I went through old threads, and I saw that some features of Premium, which is activated on a 14-day trial basis, were the cause of it. Ransomware shield or something of that sort? But that was from way back in 2018, and I did not experience any issue with the MB version that I previously installed (I forgot if it was 3.7 or 3.8).

mbst-grab-results.zip


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    • Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.


If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

3 hours ago, renoir said:

"C:\dllhost.exe" as malware and quarantined it

That file should not exist on the C drive and that is why it was quarantined. The official directory location for this process is C:\Windows\System32\dllhost.exe

3 hours ago, renoir said:

It's as though Malwarebytes is the one creating problematic files itself.

I assure you that is NOT happening.

Are you planning to use the premium or the free version?

I also see you are using Avast.

I recommend creating exclusions between Malwarebytes and your AV to help prevent any possible conflicts or performance issues. Please add the items listed in this support article to your AV's allow list(s)/trust list(s)/exclusion list(s), particularly for any of its real-time protection components, and likewise add your AV's program folder(s) (likely located under C:\Program Files and/or C:\Program Files (x86)) to Malwarebytes' Allow List using the method described under the Allow a file or folder section of this support article, and do the same for its primary data folder, which is likely located under C:\ProgramData (you may need to show hidden files and folders to see it).

 

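The reply above makes the key point: the legitimate COM Surrogate lives at C:\Windows\System32\dllhost.exe, and a file with that name anywhere else deserves a look. The script below is an added example, not code from the forum thread or from Malwarebytes; it enumerates every dllhost.exe that is running or present on local fixed disks and flags copies that are either outside the two locations Windows ships it in or not validly signed. It assumes 64-bit Windows (hence the SysWOW64 copy) and that it is run from an elevated PowerShell session so that all process image paths are readable. Note that a valid Microsoft signature does not clear a copy sitting in the wrong directory: a copied signed binary keeps its signature, so path and signature are checked independently.

```powershell
# Added example (not from the forum thread): find every dllhost.exe on the box and report
# whether it sits in an expected location and carries a valid signature.
# Assumptions: 64-bit Windows, run elevated, local fixed drives only.
$expectedPaths = @(
    "$env:SystemRoot\System32\dllhost.exe",
    "$env:SystemRoot\SysWOW64\dllhost.exe"
)

function Test-DllhostCopy {
    param([Parameter(Mandatory)][string]$Path)
    $expected = $expectedPaths -contains $Path          # -contains compares strings case-insensitively
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path         = $Path
        ExpectedPath = $expected
        SigStatus    = $sig.Status                       # Valid / NotSigned / HashMismatch / ...
        SigType      = $sig.SignatureType                # OS binaries are usually 'Catalog', not 'Embedded'
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # A wrong path is suspicious on its own: a copied Microsoft-signed binary keeps a valid signature.
        Suspicious   = (-not $expected) -or ($sig.Status -ne 'Valid')
    }
}

function Get-RunningDllhostImages {
    # Win32_Process exposes the image path; Get-Process by name alone would hide where the file lives.
    Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" |
        Where-Object { $_.ExecutablePath } |
        Select-Object -ExpandProperty ExecutablePath -Unique
}

function Get-OnDiskDllhostImages {
    # DriveType 3 = local fixed disk; hidden files included, access-denied folders skipped.
    Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 3" | ForEach-Object {
        Get-ChildItem -Path "$($_.DeviceID)\" -Filter dllhost.exe -Recurse -File -Force -ErrorAction SilentlyContinue
    } | Select-Object -ExpandProperty FullName -Unique
}

$images = @(Get-RunningDllhostImages) + @(Get-OnDiskDllhostImages) | Sort-Object -Unique
$report = $images | ForEach-Object { Test-DllhostCopy -Path $_ }
$report | Format-Table Path, ExpectedPath, SigStatus, SigType, Suspicious -AutoSize
$report | Where-Object Suspicious | Select-Object -ExpandProperty Path
```

The full-disk walk is slow on a large drive; restrict Get-OnDiskDllhostImages to C:\Users, C:\ProgramData and C:\Windows\ServiceProfiles if you only want the user- and service-writable places where a dropped copy would normally land.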

As the logs indicate both an infection and piracy, I will move this topic to the Malware Removal forum.

HKU\S-1-5-21-1548047139-3213612109-1434141381-1001\...\Run: [Steam] => C:\Users\ROG\AppData\Roaming\NVIDIA\dllhost.exe [267856 2013-08-10] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {4AC656DF-F4D2-4FAF-B8F8-FC62F8B25C05} - System32\Tasks\Microsoft\Windows\WS\WSSync => C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\WSLicense\dllhost.exe [1050624 2019-03-02] (Microsoft Corporation) [File not signed] <==== ATTENTION

J:\xfcs3mkg\adobe-master-cs3-keygen.exe
C:\Program Files\ByteFence\ByteFence.exe

 

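The FRST excerpt above shows three persistence points that a scanner report makes easy to miss: a Run value named "Steam" whose image is a dllhost.exe under the user's AppData, a scheduled task under Microsoft\Windows\WS whose unsigned image lives under a service profile, and browser policy keys that should not exist on a home machine. The script below is an added example, not FRST code or anything from the thread; it inventories those same locations (HKLM/HKCU Run keys, scheduled task actions, the Firefox and Chrome policy keys) and flags any launcher whose executable sits under a profile, ProgramData or ServiceProfiles directory. The writable-root list and the assumption that the first token of a command line is the image are mine.

```powershell
# Added example (not from the thread or FRST): inventory autostart locations and flag
# executables that live in user- or service-writable directories.
# Assumption: profiles live under C:\Users, as the thread's ProfileList output shows.
$writableRoots = @(
    "$env:SystemRoot\ServiceProfiles",
    $env:ProgramData,
    'C:\Users'
)

function Test-WritableLocation {
    param([string]$Path)
    foreach ($root in $writableRoots) {
        if ($Path -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ImagePathFromCommand {
    # Pull the executable out of a Run value: quoted path first, otherwise the first token (assumption).
    param([string]$Command)
    if (-not $Command) { return $null }
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        # Skip the PS* metadata properties the registry provider adds to every item.
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notmatch '^PS' })) {
            $image = Get-ImagePathFromCommand $props.$name
            [pscustomobject]@{ Source = "Run:$k"; Name = $name; Image = $image; Flag = (Test-WritableLocation $image) }
        }
    }
}

function Get-TaskEntries {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {   # COM-handler actions have no Execute and are skipped
                $image = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
                [pscustomobject]@{
                    Source = "Task:$($task.TaskPath)$($task.TaskName)"
                    Name   = $task.TaskName
                    Image  = $image
                    Flag   = (Test-WritableLocation $image)
                }
            }
        }
    }
}

function Get-BrowserPolicyKeys {
    # FRST flags these keys when they exist at all; print the key and anything beneath it.
    'HKLM:\SOFTWARE\Policies\Mozilla\Firefox', 'HKLM:\SOFTWARE\Policies\Google' |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Get-Item $_; Get-ChildItem $_ -Recurse }
}

$entries = @(Get-RunKeyEntries) + @(Get-TaskEntries)
$entries | Where-Object Flag | Format-Table Source, Name, Image -AutoSize
Get-BrowserPolicyKeys
```

A flagged entry is a review item, not a verdict: some legitimate per-user applications do install under AppData. What makes the thread's entries stand out is the combination of a Windows binary name, a value name ("Steam") unrelated to the image, and a task under the Microsoft\Windows namespace pointing at an unsigned file.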

Hello @renoir

I notice that you have Bytefence installed. Many people seem to believe that is Malwarebytes - it is not. Please run the following so that we can look at cleaning up your computer.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Wow, those are interesting. I just have Malwarebytes Trial, and I never installed Bytefence. I just opened Program Files, don't see that folder. It's not in my list of installed programs either. The log also showed a J:\ directory that I do not have either.

So about the C:\dllhost.exe. When I uninstalled Malwarebytes, that file never appeared. I had C:\ open and keep waiting for that dllhost to appear and it never did. 

I saw a thread about Malwarebytes slowing down PC in the other subforum, and that was the exact same thing that happened to me. Logging off and restart seems to take forever, if it ever does at all. But I will go try adwcleaner as suggested.


I'm here to report that after AdwCleaner does its job, I'm stuck on the restarting screen AGAIN. I had to force shutdown with the power button, again. 

I'm finding that this older forum thread matches my issue perfectly: 

 

Anyway, I attached the AdwCleaner logs. 

Do I have to restart again to do the Farbar scan? I really don't want to have to sit around waiting for 20 minutes and force shutdown the poor computer for the umpteenth time :(

AdwCleaner[S01].txt

AdwCleaner[C01].txt

Scan report.txt


Apologies for multi-posting, but there's no edit button. 

I would like to inform you that when I quit/turned off Malwarebytes, the issue did not occur. However, every time Malwarebytes is active, my computer will be stuck on the power off (or log off or restart) screen.


You have old, compromised versions of Java on your computer. Please go to Control Panel, Programs, Add/Remove and uninstall the following. If at all possible it would be much safer to run your computer without Java. If you really must have it then make sure it's up to date at all times.

Java 8 Update 231 (64-bit)
Java 8 Update 231
Java(TM) 6 Update 37

 

Things to consider as your logs show that uTorrent is installed

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is very much illegal, and there is always a chance of getting caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. In many countries including the USA, the Government and ISP often work together to catch people distributing unsanctioned material.
Sharing data via P2P has also seen an increase of bundled software where the user gets the file they were looking for but hidden in the installer or application is a Trojan piece of malware and in some cases has gone on to encrypt all user data.

 

What exactly is mDNSResponder.exe?

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL.  On a Mac or iOS device, this program is used for networking nearly everything.  On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows.  Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration, this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

 

Most experts no longer recommend the use of CCleaner

https://www.howtogeek.com/361112/heres-what-you-should-use-instead-of-ccleaner/

https://www.howtogeek.com/172820/beginner-geek-what-does-ccleaner-do-and-should-you-use-it/

 

The missing J: drive is or was a USB mapping at some point. It's quite possible you have one or more USB sticks that might have some type of infection on them.

 

Are you wanting to start all these pages up on purpose each time you launch Google Chrome?

"hxxps://www.google.com/","hxxps://www.google.com/","hxxps://www.google.com/","hxxps://www.google.com/","hxxps://www.google.com/","hxxp:www.okaytab.com","hxxp:www.bronav.com"

 

 

Please go ahead and temporarily uninstall Malwarebytes then run the following fix below after a restart.

 

Please FULLY disable Avast antivirus temporarily and run the following fix.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 


I've never seen those urls before. I wonder if it might be something that came with a plugin I installed? I recently installed a Chrome tab manager. 

I will try the Farbar fix now


I went to check my Chrome for the "hxxp" urls and found none. 

This is the Fixlog that appeared after running Farbar. I'm afraid I did something wrong because I accidentally downloaded it to Downloads (not Desktop)

Fixlog.txt


Uh, hey, I just wanted to really make sure if all of this is necessary in the first place. As you recommended I uninstalled Malwarebytes before running FRST, and the issue immediately disappeared. Clearly there's something about the new Malwarebytes update that isn't compatible with my computer. If I forgot to mention it, let me emphasize that the issue is not present before the upgrade. I was using Malwarebytes 3, though I wasn't sure the exact version. It was either 3.8 or 3.6. 

I ran the FRST fix anyway, just in case. 


The Fixlog indicates issues that are recorded in a CBS log. I've attached the CBS log in question here.

CBS.log


Your computer has many issues. Updating to the 4.x version along with Avast I'm sure caused quite a noticeable slow down. I asked you to remove Malwarebytes so that we can concentrate on fixing your computer. Soon, I will ask you to remove Avast (temporarily) but not yet.

Again, temporarily fully disable Avast and run the following

The DISM command did not complete, and it needs to complete in order to properly fix files that SFC requires to fix issues.

Please open an elevated command prompt
https://winaero.com/blog/do-you-know-all-these-ways-to-open-an-elevated-command-prompt-in-windows/

https://www.howtogeek.com/194041/how-to-open-the-command-prompt-as-administrator-in-windows-8.1/

Then type in or copy/paste the following exactly and then press the Enter key and let it run. Let me know the final results. Take a screenshot of what it says please.

 DISM.exe /Online /Cleanup-image /Restorehealth  

Afterwards, assuming it was successful please run the following command as well in that Elevated admin command prompt and then press the Enter key. Let me know what it says too

 SFC  /SCANNOW  

Thanks

 


No need for the CBS log. The SFC command says it was successful this time in repairing corrupted files.

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not


I ran Kaspersky Virus Removal. It dinged Process Hacker.exe, which is something I did install, but it didn't say it was infected. It just says it's at risk of being used by hackers.

Other than that, there's nothing.


Good, that's good to hear.

Please restart the computer and run FRST again and post back both new logs as an attachment and I will review them.

 


So, uh, I had left my computer on sleep mode the other day, and today it had shut off and I received a message saying "Windows has encountered an error and had to restart." It says something about sending the logs to Microsoft. I wish I could attach it here. but I didn't catch where the location of the logs are. For what it's worth, this was the second time this happened since I reported this Malwarebytes issue.

Anyway, I restarted the computer again just in case, and ran FRST. 

FRST.txt

I forgot I had reinstalled Malwarebytes 3 last night, before sending it to sleep. I wonder if that had caused the issue as well, but I really don't know. 

Addition.txt


I checked the event log and found that the shutdown was made on behalf of this other user that I don't use. My normal username is ROG. There's another username called Renoir that showed up out of nowhere a few months ago because I botched something on the computer. This might be related to the error?

The process C:\Windows\explorer.exe ([my computer name]) has initiated the restart of computer [computer name] on behalf of user [computer name]\Renoir for the following reason: Other (Unplanned)
 Reason Code: 0x0
 Shut-down Type: restart

- Provider
      [ Name] User32
      [ Guid] {b0aa8734-56f7-41cc-b2f4-de228e98b946}
      [ EventSourceName] User32
   
- EventID 1074
      [ Qualifiers] 32768
   
  Version 0
   
  Level 4
   
  Task 0
   
  Opcode 0
   
  Keywords 0x8080000000000000
   
- TimeCreated
      [ SystemTime] 2020-05-17T10:38:23.460036200Z
   
  EventRecordID 83787
   
  Correlation
   
- Execution
      [ ProcessID] 584
      [ ThreadID] 1504
   
  Channel System
   
  Computer [name]
   
- Security
      [ UserID] S-1-5-21-1548047139-3213612109-1434141381-1001
- EventData
    param1 C:\Users\ROG\AppData\Local\Temp\mwb81FD.tmp\mb-support.exe ([computer name])
    param2 [computer name]
    param3 Legacy API shutdown
    param4 0x80070000
    param5 restart
    param6  
    param7 [computer name]\Renoir


What I'm confused about is that "Renoir" seems to be the registered account on this computer, even though in the C:\Users\ directory it says "ROG". I'm very confused...


 


Either the logs you've provided are old or you have not uninstalled Java as requested. Old versions of Java pose a threat to your computer.

Please open an Elevated admin command prompt and type or copy/paste the following and then post back the results

wmic useraccount list  

Then run the following as well and post back the results for this one as well

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s   

 

6 minutes ago, AdvancedSetup said:

Either the logs you've provided are old or you have not uninstalled Java as requested. Old versions of Java pose a threat to your computer.

 

Oh, but I thought you said it's fine if I updated it? I already updated it because I need Java. Did I miss something?

 

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>eventvwr

C:\Windows\system32>eventvwr

C:\Windows\system32>wmic useraccount list
AccountType  Description                                               Disabled
 Domain  FullName      InstallDate  LocalAccount  Lockout  Name           Passwo
rdChangeable  PasswordExpires  PasswordRequired  SID
                 SIDType  Status
512          Built-in account for administering the computer/domain    TRUE
 [computer name]                             TRUE          FALSE    Administrator  TRUE
              FALSE            TRUE              S-1-5-21-1548047139-3213612109-
1434141381-500   1        Degraded
512          Built-in account for guest access to the computer/domain  FALSE
 [computer name]                             TRUE          FALSE    Guest          FALSE
              FALSE            FALSE             S-1-5-21-1548047139-3213612109-
1434141381-501   1        OK
512                                                                    FALSE
 [computer name]  [my name]               TRUE          FALSE    Renoir         TRUE
              FALSE            FALSE             S-1-5-21-1548047139-3213612109-
1434141381-1001  1        OK


C:\Windows\system32>reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\ProfileList" /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    Default    REG_EXPAND_SZ    %SystemDrive%\Users\Default
    ProfilesDirectory    REG_EXPAND_SZ    %SystemDrive%\Users
    ProgramData    REG_EXPAND_SZ    %SystemDrive%\ProgramData
    Public    REG_EXPAND_SZ    %SystemDrive%\Users\Public

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-18
    Flags    REG_DWORD    0xc
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprof
ile
    Sid    REG_BINARY    010100000000000512000000
    RefCount    REG_DWORD    0x1
    State    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-19
    ProfileImagePath    REG_EXPAND_SZ    C:\Windows\ServiceProfiles\LocalService

    Flags    REG_DWORD    0x0
    State    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-20
    ProfileImagePath    REG_EXPAND_SZ    C:\Windows\ServiceProfiles\NetworkServi
ce
    Flags    REG_DWORD    0x0
    State    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-21-1548047139-3213612109-1434141381-1001
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\ROG
    Flags    REG_DWORD    0x0
    State    REG_DWORD    0x0
    Sid    REG_BINARY    0105000000000005150000002353455C4DD48BBFC5427B55E903000
0
    ProfileAttemptedProfileDownloadTimeLow    REG_DWORD    0x0
    ProfileAttemptedProfileDownloadTimeHigh    REG_DWORD    0x0
    ProfileLoadTimeLow    REG_DWORD    0x0
    ProfileLoadTimeHigh    REG_DWORD    0x0
    RefCount    REG_DWORD    0x11
    RunLogonScriptSync    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
5-21-1548047139-3213612109-1434141381-500
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\Administrator
    Flags    REG_DWORD    0x0
    State    REG_DWORD    0x100
    Sid    REG_BINARY    0105000000000005150000002353455C4DD48BBFC5427B55F401000
0
    ProfileAttemptedProfileDownloadTimeLow    REG_DWORD    0x0
    ProfileAttemptedProfileDownloadTimeHigh    REG_DWORD    0x0
    ProfileLoadTimeLow    REG_DWORD    0x0
    ProfileLoadTimeHigh    REG_DWORD    0x0
    RefCount    REG_DWORD    0x0
    RunLogonScriptSync    REG_DWORD    0x0


C:\Windows\system32>
C:\Windows\system32>

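The two commands requested above answer the account question by SID rather than by display name: the wmic output lists a local account named Renoir with SID S-1-5-21-...-1001, and the ProfileList key for that same SID points at C:\Users\ROG, so one account is behind both names. The script below is an added example, not from the thread; it does the same correlation in PowerShell (wmic is deprecated on current Windows, and Get-CimInstance Win32_UserAccount returns the same data), flags any account whose profile folder name differs from its account name, and reads the most recent User32 event 1074 entries so the initiating process and user are visible without opening Event Viewer. The property indices follow the param1..param7 layout the user pasted above.

```powershell
# Added example (not from the forum thread): map local accounts to profile folders by SID,
# and list who initiated recent shutdowns/restarts (System log, provider User32, event 1074).
function Get-AccountProfileMap {
    $profiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        ForEach-Object {
            [pscustomobject]@{
                SID         = $_.PSChildName
                ProfilePath = (Get-ItemProperty $_.PSPath).ProfileImagePath
            }
        }
    Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE" | ForEach-Object {
        $acct = $_
        $p = $profiles | Where-Object { $_.SID -eq $acct.SID }
        [pscustomobject]@{
            Name        = $acct.Name
            SID         = $acct.SID
            Disabled    = $acct.Disabled
            ProfilePath = $p.ProfilePath
            # A leaf folder name that differs from the account name means the account (or the folder)
            # was renamed after the profile was created; the SID is what ties the two together.
            NameMatchesFolder = if ($p) { (Split-Path $p.ProfilePath -Leaf) -eq $acct.Name } else { $null }
        }
    }
}

function Get-ShutdownInitiators {
    param([int]$MaxEvents = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties   # param1..param7 in order: process, computer, reason, code, type, comment, user
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $p[0].Value
                Reason  = $p[2].Value
                Type    = $p[4].Value
                User    = $p[6].Value
                UserSID = $_.UserId
            }
        }
}

Get-AccountProfileMap  | Format-Table Name, SID, Disabled, ProfilePath, NameMatchesFolder -AutoSize
Get-ShutdownInitiators | Format-Table Time, User, Type, Reason, Process -AutoSize
```

Run it elevated so the ProfileList values and the System log are readable. In the pasted event the initiating process is mb-support.exe running from the user's Temp folder and the user is [computer name]\Renoir with the -1001 SID, which is the same SID the ProfileList maps to C:\Users\ROG.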