Lots of BSOD's after getting MB Premium

[hkangur]

Hello.

After purchasing MB Premium version just yesterday, I have had about 10 BSOD crashes, something that hasn't happened for a looong time before that. I have had MB free version on the laptop for a while, without any issues.

Was using SpyBot before and wanted to try out this software full version with yearly license.

 

After already bunch of BSOD's yesterday, I removed my previous Spybot installation, cleaned the system (CCleaner) and re-installed Malwarebytes. After some clunky web browsing, decided to restart the computer. BAM, another BSOD middle of shutting down process. Start back up, before doing anything else at all I tried to open the Support Tool to get error logs. BSOD again!

Had to exit MB right as Windows loaded up, otherwise it seems to happen at any random time.

I've attached the log files from the Support Tool, one of them is after cleaning and re-installation, the other after the 2nd BSOD just now.

Also screen photos from the BSOD's. FGuard64 relates to a program called Folder Guard which password protects manually selected folders (none of which are any system related, rather personal documents folders etc). Don't know if that's relevant.

So far not that happy about this purchase as didn't have any of these issues before getting the Pro version of MB. Can't even remember when I had BSOD before this, maybe one or two years ago.

 

Thank you for advice.

 

mbst-grab-results_after install.zip mbst-grab-results.zip

[Porthos]

Quote

Surfshark TAP Driver Windows (HKLM-x32\...\{1DBEF06A-E2B7-4655-9715-BFE3CC15E6C6}) (Version: 1.0 - Surfshark)
Surfshark TUN Driver Windows (HKLM\...\{6C7B5C05-1978-4CBA-9193-7168F518F2A4}) (Version: 1.0 - Surfshark)

Please also refer to this support article which lists several known applications which conflict with the Web Protection in Malwarebytes currently, which includes Surfshark.

Try disabling just Web protection and see if it corrects the issue.

Could you also zip  C:\Windows\MEMORY.DMP

Please upload it to WeTransfer and select the option to send the file as a link from the options menu available by clicking on the circular ... button on the page and provide us with the link to the file

Edited May 28, 2021 by Porthos

[hkangur]

Hello.

Thank you! I have removed Surfshark as I don't use it anyway.

Will disable Web protection and upload memory dump if BSOD happens again.

Thank you for the tips right now.

[jcgriff2]

Folder Guard (driver = fguard64.sys) is the probable cause listed in your second screenshot.

I suggest that you either update the software or remove it from your system.

Regards. . .

jcgriff2

[AdvancedSetup]

Hello @hkangur

Please follow the advice from @jcgriff2

Thank you

 

[hkangur]

Hello.

Finally had a moment of time to try this. I removed/updated Folder Guard and have been able to run MB at the moment without another BSOD. Few restarts have been normal as well. I do need Folder Guard though, so at the moment both are in 'probe phase' to see if additional issues come up.

Aside from this, as I turned off the web protection and didn't install Broswer Guard, for some reason the browser tabs take way too long to load up. When I open the browser with previously opened tabs, first it doesn't even show any url or anything in most tabs.. takes about 10+ seconds after it loads the page. That doesn't happen when MB is not running.

[AdvancedSetup]

Can you please do the following?

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
• NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

 

Let us know if the slow tab loading is still present or not @hkangur

Thank you

 

[hkangur]

Hello.

Just did as instructed above. CLEAN install with the Support tool (all other programs closed). Restarted. Turned off web protection.

Opened Firefox.. took solid 10 seconds to open the browser to begin with. All previously opened tabs were blank without urls. Any tab that I click on first takes about 10 seconds before it becomes active and loads the page (url appears then as well). Similar behavior seems to be with the new empty tab where Firefox keeps the list of most visited pages. That didn't load either until it took a while. Once a tab has loaded after initial 'freeze' it seems to behave normally.

After I have had the browser open now for 5 min or so, not all tabs take as long to load.. I have maybe 20 tabs in there. From Firefox settings they are set to load when first clicked on, in order to save memory and not have all of them loaded at startup. Some of that I click on load right away now, some other still take 10 seconds more. But I think that doesn't happen when MB is not running.

Logs zip file included from after the new installation.

mbst-grab-results.zip

[AdvancedSetup]

The log still shows Folder Guard from 2013

HKLM\...\Run: [FG_Monitor] => C:\Program Files\Folder Guard\FG64.exe [187976 2013-08-26] (WinAbility Software Corp. -> WinAbility® Software Corporation)

You're running the following. Is this still a valid product, program for you on this system? Just checking due to the age of the computer.

HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe, <==== ATTENTION
Lsa: [Notification Packages] DPPassFilter scecli

https://www.shouldiblockit.com/dpagent.exe-11380.aspx

 

This does not look like a valid, legit program. Do  you know what it is?
HKU\S-1-5-18\...\RunOnce: [KyhuRAcNvF] => "C:\Windows\system32\config\SYSTEM~1\AppData\Local\YXVHVH~1\win32k.exe"

 

These can be valid restrictions or maybe not. You'd need to check deeper on  your end.

GroupPolicy: Restriction - Chrome <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\HK\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION

 

You're using one of the custom huge HOSTS files for DNS blocking. That could potentially be part of the issue as the load and demand times are different and our program needs to check all those links in real-time. Not saying it is the cause but possibly adds to the issue.

 

Personally I remove all compatibility additions. If they're real they'll automatically be added back. Often times these get added by odd conditions at the time.

Task: {69BA8513-0C96-4822-BF50-9D6328214F93} - System32\Tasks\{233433DB-0603-4DBD-B5FC-7658FC5E81E5} => C:\Windows\system32\pcalua.exe -a F:\OnePlus_setup.exe -d F:\ -c /s

You're also using DNSCrypt which can take a tad more time to load up. Not sure what the effect is in conjunction with a large hosts file but assume nothing drastic

R2 dnscrypt-proxy; C:\Program Files\bitbeans\Simple DNSCrypt x64\dnscrypt-proxy\dnscrypt-proxy.exe [8109728 2020-03-30] (Christian Hermann -> )

 

These are from 2012 - what are they used for? It looks like some type of Audio?

R2 BtSwitcherService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\BtSwitcherService.exe [64216 2012-03-23] (Cambridge Silicon Radio Ltd. -> Cambridge Silicon Radio Limited)
R2 CSRBtAudioService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtAudioService.exe [465624 2012-03-23] (Cambridge Silicon Radio Ltd. -> Cambridge Silicon Radio Limited)
R2 CsrBtOBEXService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtOBEXService.exe [1041616 2012-03-23] (Cambridge Silicon Radio Ltd. -> Cambridge Silicon Radio Limited)
R2 CsrBtService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtService.exe [825032 2012-03-23] (Cambridge Silicon Radio Ltd. -> Cambridge Silicon Radio Limited)

 

This is for security and is very old. If used I'd highly recommend updating. If not used then uninstall it. Even Surfshark is quite old by now.

R2 ovpnagent; C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel\ovpnagent.exe [1493224 2016-02-19] (OpenVPN Technologies, Inc. -> )
R3 ptun0901; C:\Windows\System32\DRIVERS\ptun0901.sys [27136 2015-11-11] (OpenVPN Technologies, Inc. -> The OpenVPN Project)
R3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [27136 2016-04-21] (OpenVPN Technologies, Inc. -> The OpenVPN Project)
S3 tapsurfshark; C:\Windows\System32\DRIVERS\tapsurfshark.sys [36544 2020-06-15] (Surfshark Ltd. -> The OpenVPN Project)
R3 tapwindscribe0901; C:\Windows\System32\DRIVERS\tapwindscribe0901.sys [45560 2018-07-13] (Windscribe Limited -> The OpenVPN Project)

 

The SwitchBoard technology was removed on April 30, 2010 and is no longer hosted on Labs

S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Test Signing Certificate -> Adobe Systems Incorporated) [File not signed]

 

 

Not that removing or updating anything above would improve performance but I would still highly recommend you do update or remove as appropriate for your system.

 

Does this issue happen if you use a new install of Firefox?

 

Please run the following and post back the log

 

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current-security-update status of some applications.

• Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
• and save the tool on the desktop.
• If Windows's  SmartScreen block that with a message-window, then
• Click on the MORE INFO spot and over-ride that and allow it to proceed.
• This tool is safe.   Smartscreen is overly sensitive.
• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
• Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
• You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Thanks

 

[hkangur]

Hello.

Thank you very much for the analysis.

Few of the items I know about, the rest I need to research as they are not something that come to mind. I installed the OS back in 2014 and there can definitely be some older stuff in it. I will check through each of the listed items when I have some time for it.

Thank you!

[hkangur]

Hello.

I have checked and removed some of the above mentioned programs.

FGuard should be up to date (don't see old file in that folder). DPAgent seems to be part of HP installed software, related to DigitalPersona and fingerprint reader (although my laptop doesn't have one). CSR software is for USB Bluetooth radio device, installed by me. Irrelevant VPN services removed, DNSCrypt is in daily use due to current geolocation, Windscribe for instances where former cannot perform.

I do not have knowledge about the Restrictions/Policies that were listed. Where I find those and what do they do?

I do not have knowledge about the HOSTS file and how it works with the DNS, etc.

I used the SecurityCheck tool and updated/removed bunch of old programs. It still gives warning for .NET Framework although it was updated from the site as well. Latest check log added to this message. Also latest MB Support Tool zip log added.

Firefox got a fresh re-install.

I did some testing with and without Malwarebytes running. Fresh restart, normal background programs running. Opened and closed each program while taking times. 'First boot' means the time from the click on the program executable (taskbar icon) until anything visual came up. 'Instantaneous' means normal program loading time 2-3s given the age and configuration of the system. 'Open' tabs load from previous sessions, 'New' tabs from speed dials or favorites.

 

MB running (Web protection turned off)

• Chrome - first boot instantaneous, all tabs instantaneous when clicked on.
• Firefox - first boot 32s + blank screen until first tab load 40s, next open tab hang 18s, open Google tabs (search, docs, translate, etc.) instantaneous, open Reddit tab 27s, new Facebook tab from speed dial 32s.
• Pale Moon - first boot 33s + blank screen until first tab 7s, consecutive open and new tabs instantaneous.
• Opera - first boot 43s + program frozen until first tab 42s, new Facebook tab from speed dial 25s, new Reddit tab from speed dial 32s.
• Thunderbird - first boot 7s
• Skype - first boot 5s
• Telegram - first boot 5s

MB not running

• Chrome - first boot instantaneous, all tabs instantaneous.
• Firefox - first boot instantaneous, all tabs instantaneous.
• Pale Moon - first boot instantaneous, all tabs instantaneous.
• Opera - first boot instantaneous, all tabs instantaneous.
• Thunderbird - first boot 7s
• Skype - first boot instantaneous
• Telegram - first boot 5s

 

Similar behavior seems to be when opening offline documents such as PDF's, Doc and Excel files. Takes long time before anything shows up.

Any recommendations are welcome.

Thank you!

SecurityCheck.txt mbst-grab-results.zip

[AdvancedSetup]

Hello @hkangur

I'm out sick, but we'll probably need to see if we can get QA involved here.

Can  you open a Consumer Support Ticket so that we can track this and see if we're able to get this resolved for you.

Once you've created the ticket please let me know the number so that I can request someone follow up a bit sooner than normal

Thanks

 

[hkangur]

Hello.

Not a lot of rush with it, thank you for the advice. I have opened a ticket, the nr. is #3484217

Thank you!

[AdvancedSetup]

Support has replied to your ticket. Please run the MBST tool as requested and provide them updated logs.

Thank you @hkangur

 

[hkangur]

Hello.

I wonder if it has something to do with the changes I have been making regarding MB and the previous suggestions, but since yesterday I am not able to connect to Telegram app any longer with the normal settings I have been running for past months. It's 'Loading..' but doesn't connect. Even the automatic update didn't work, so I downloaded the latest version manually, but it didn't solve the issue.

I am able to connect to it when I enable Windscribe VPN (which I re-installed since it uses some elements of OpenVPN which we previously removed). As soon as I turn Windscribe off, Telegram disconnects.

I have been using the DnsCrypt VPN program daily, running on the background and giving access to some sites and services that would be restricted where I am. I tried by turning it off and on again, but still had the same issue with Telegram. Only when I enable Windscribe VPN, it connects. Perhaps I should contact their support in case they have made some changes during updates.

 

[AdvancedSetup]

Maybe you should look at uninstalling all the customized networking apps. Go back to the normal Windows defaults. Then with everything working again, decide what you need or want to reinstall.

Very late for me, will check back on you sometime tomorrow

 

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks