Malwarebytes causing severe storage (NVMe, SSD, HDD) issues


PiersJ

Background

My PC is relatively new (about three months old) and I performed a clean Windows 11 installation (not my first choice), installed my usual applications, and started using my PC. 

The Problem

I can do sustained file transfers from SSD to HDD, over the network from a 4U server to NVMe, or any other configuration you can think of and the speeds are excellent. The drives perform as expected in terms of reads, writes, random, etc. However, the problem is that renaming a file or directory can take 2 or 3 seconds. Explorer will freeze whilst a file or folder is being renamed. This is frustrating.

My Atom-based HTPC (Pentium J5005) renames files and folders instantly. My server (4U Supermicro, Xeon 1225, albeit with HBA card) renames files and folders instantly. Both of those PCs are far, far slower. All drives show 0% utilisation when the problem occurs.

The Fix (I believe)

Simply exiting Malwarebytes, and letting Windows Security turn its own built-in security application on seemed to fix the problem. Renaming files and folders is instant. Enabling Malwarebytes brings the problem back.

Which part of Malwarebytes is causing this behaviour?

PC Specification:

  • AMD Ryzen 5900X
  • Corsair H150 Pro XT (360mm radiator)
  • Corsair 32GB (2*16) 3600 MT/s CL18
  • Asus ROG B550-E w/ WIFI
  • EVGA RTX 3080 XC3 Hybrid (240mm radiator)
  • M.2 NVMe = WD Blue SN550 (~2,400 MB/s | 2,000 MB/s write)
  • SATA SSD WD Blue 1TB (x2)
  • SATA HDD Toshiba N300 (7200RPM, 256MB cache)

Thank you for any help.


  • Root Admin

I don't have a remote connection like you mentioned but I do have NVMe and multiple other drives and I cannot reproduce that issue. Can we get some logs to see if we can see what's going on? @PiersJ

My folder rename is instantaneous

 

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

Edited by AdvancedSetup
Updated information

 

3 minutes ago, AdvancedSetup said:

I don't have a remote connection like you mentioned but I do have NVMe and multiple other drives and I cannot reproduce that issue. Can we get some logs to see if we can see what's going on? @PiersJ

My folder rename is instantaneous

 

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

Thank you for the reply. I've created the zip, but it contains a couple of exclusions from 'not entirely legitimate sources' (technically, one exclusion). Is that still OK?


  • Root Admin

Let's try a couple of things. @PiersJ

First, let's do a general clean-up of the system and see if that helps to correct the issue or not.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


I appreciate the reply (even if the attachment is "unavailable"), but I'm not prepared to remove all temporary files on a two-month-old, clean Windows 11 installation. I can reproduce the problem by simply enabling Malwarebytes again. For now, I'll stop using it on this workstation (it still works fine on my Windows 10 server) and return to it at a later date (enabling/disabling each protection mechanism one by one to find the culprit). In terms of the following:

  • Windows Temp  - there are about a dozen files between %systemdrive%\Windows\temp and %temp% as I regularly perform maintenance 
  • Users Temp folders - please see above
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History - I apologise, but I am not prepared to do this as the Chrome install is only a month old, with three extensions (uBlock, Privacy Badger, Session Manager). 
  • Recently opened files cache - I cleared that and disabled it from caching (assuming we're talking about the same option) just before I posted
  • Flash Player cache - not installed
  • Java cache - It's just been updated and, therefore, the cache has been cleared
  • Steam HTML cache - I apologise, but I am not prepared to do this
  • Explorer thumbnail and icon cache - I let Windows rebuild the thumbnail/icon cache about a week ago
  • BITS transfer queue (qmgr*.dat files) - Get-BitsTransfer -AllUsers shows no queue 
  • Recycle Bin - Already emptied

Again, I genuinely appreciate your help, but there's not much you can do when the user won't fully cooperate (I'm not trying to be annoying). I should point out that I installed Windows 11, activated it using my account licence, used Ninite to install a number of standard applications (Audacity, LibreOffice, etc.), including Malwarebytes, then started using the PC. It was after that time I started to restore files from my server and noticed performance issues.   


 

Edit: Going through each of the four Malwarebytes layers and enabling/disabling just one at a time (i.e. disable Exploit Protection -> test -> record result -> re-enable Exploit Protection and move on):

  • Exploit Protection (disabled): No change 
  • Ransomware Protection (disabled): Very large (positive) change with only a slight delay
  • Malware and PUP Protection: No change
  • Web Protection: No change

It certainly appears that Ransomware Protection is the cause.

Edited by PiersJ
Basic diagnostics
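
The one-layer-at-a-time test described in the post above can be backed with measurements instead of impressions. The PowerShell script below is an added example, not part of the original thread and not a Malwarebytes tool; the parameter names, the scratch directory under %TEMP% and the sample file names are assumptions chosen for illustration.

```powershell
# Added example: time file renames so that runs with a protection layer
# enabled and disabled can be compared numerically.
# Assumptions: -TestRoot is a scratch directory on the volume under test;
# -Label is free text describing the current configuration.
param(
    [string]$TestRoot = (Join-Path $env:TEMP 'rename-latency-test'),
    [ValidateRange(1, 10000)]
    [int]$Iterations = 50,
    [string]$Label = 'baseline'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

New-Item -ItemType Directory -Path $TestRoot -Force | Out-Null
$samples = New-Object 'System.Collections.Generic.List[double]'

try {
    for ($i = 0; $i -lt $Iterations; $i++) {
        $src = Join-Path $TestRoot "sample-$i.txt"
        $dst = Join-Path $TestRoot "sample-$i-renamed.txt"
        Set-Content -Path $src -Value 'constructed test data'

        # Time only the rename itself, not file creation or cleanup.
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        [System.IO.File]::Move($src, $dst)
        $sw.Stop()
        $samples.Add($sw.Elapsed.TotalMilliseconds)

        Remove-Item -Path $dst -Force
    }
}
finally {
    # Remove the scratch directory even if a rename failed part-way.
    Remove-Item -Path $TestRoot -Recurse -Force -ErrorAction SilentlyContinue
}

# A single outlier can dominate an average, so report median and 95th percentile.
$sorted = @($samples | Sort-Object)
$median = $sorted[[int][math]::Floor(($sorted.Count - 1) / 2)]
$p95    = $sorted[[int][math]::Ceiling(0.95 * $sorted.Count) - 1]

[pscustomobject]@{
    Label      = $Label
    Iterations = $sorted.Count
    MedianMs   = [math]::Round($median, 2)
    P95Ms      = [math]::Round($p95, 2)
    MaxMs      = [math]::Round($sorted[-1], 2)
}
```

Run it once per configuration with a different -Label and a -TestRoot on each drive of interest. It times the filesystem rename only, so if the numbers stay flat while Explorer still stalls, the delay sits in the shell's rename path rather than in the rename operation itself.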

  • Root Admin

The question I have is WHY would Ransomware Protection be triggered or concerned about a single folder rename. How are you trying to rename this folder?

You seem to know what you're doing. Simply create an image of your current system to an external USB drive with something like Macrium Reflect Free - then you could 100% return it back to the way it is now within minutes.

 

If you were using some type of automation to do multiple file or folder renames then I could see Ransomware Protection possibly kicking in, but not on a single folder rename from Windows Explorer or DOS Command Prompt.

 


Looks like it might be something else. I never like seeing audit failures. 

Quote

 

Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name:    \Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe

 

Although, this seemed to be when I was testing each protection layer. Hmm.


I've continued to test scenarios and found that the ransomware component is the cause of the slowdown. Disabling it instantly fixes the issue on all storage formats. Enabling it again brings the problem back. It seems that disabling it also reduces the Malwarebytes Service from using over 450MB of RAM, to ~295 MB.


  • Root Admin

Okay well right there, using 450MB is just wrong. @PiersJ

 

Can you please do the following?

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


Currently running a batch encode with three x265 processes going. Will run the tool once that's completed. Screenshot because it's only been a few months since I've gone from a 4C/8T 6700K @ 4.4 GHz to a 12C/24T 5900X @ 4.25 GHz and I'm still amazed at the performance... plus I'm so tired that I'm finding it hard to find the motivation to move from my office to my bedroom.



This post is of little use as I've not yet had a chance to reinstall using the above tool, but after using the PC with Malwarebytes not running, my boot time (the Windows logo) - ignoring Task Manager's time value - went from ~20s to almost instant (I think I saw the Windows logo for less than a second). Login also went from taking ~5s after entering my PIN, to now showing the desktop straight away. Previous explorer windows that are automatically opened upon login also showed instantly. 

I will follow the reinstallation instructions above, but I'm amazed (and very surprised) at how much faster Windows 11 Pro is without Malwarebytes.


  • Root Admin

Don't know what to say. I have several systems and honestly cannot tell the difference if Malwarebytes is running or not.

It's up to you if you run the programs requested or not. I've provided methods and tools to run and here we are almost two weeks later and you still have not run anything asked of you.

If you like I can just go ahead and close your topic if you like.

 


On 12/19/2021 at 9:13 PM, AdvancedSetup said:

Okay well right there, using 450MB is just wrong. @PiersJ

 

Can you please do the following?

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

I am genuinely sorry for the delay. With the first half of the instructions, the 'clean' process seems to remove all Malwarebytes components and files, but then instead of it rebooting as you stated above, a popup appears asking if I want to reinstall it - I selected 'yes' and it then starts the installation process. There is no restart between cleaning and re-installing. The tool also mentions that the licence key will be saved to the desktop - this does not happen.

Edit: upon trying to install it, it says that Malwarebytes has been installed, but then a dialog pops up saying it's been cancelled. 

Edit2: After trying to find my licence key and activating it, the service "stopped working". Going to reboot now and try the second half of the instructions. Will update this post with the requested zip file, assuming it works (gremlins).

For the record, I have run sfc /scannow, checked SMART, etc. (the M.2 NVMe SSD is only three months old - like the rest of the PC).

 

Edited by PiersJ

11 hours ago, AdvancedSetup said:

Don't know what to say. I have several systems and honestly cannot tell the difference if Malwarebytes is running or not.

It's up to you if you run the programs requested or not. I've provided methods and tools to run and here we are almost two weeks later and you still have not run anything asked of you.

If you like I can just go ahead and close your topic if you like.

 

I am truly sorry. I've had personal family problems that took priority over everything. I've now completed the requested instructions, but it didn't go quite to plan.


  • Root Admin

No problem.

Please run the MBST tool again. Do the uninstall again, but DO NOT allow it to reinstall anything. Click to cancel or close any attempt to reinstall any software.

After it has completed please restart the computer.

Then run the MBST tool one more time and go to advanced and click on the Gather Logs and post back the log it saves.

 

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


1 hour ago, AdvancedSetup said:

but DO NOT allow it to reinstall anything.

OK, selected 'No' and it instantly opened the Malwarebytes Privacy install wizard. I manually exited that.

1 hour ago, AdvancedSetup said:

Click to cancel or close any attempt to reinstall any software.

OK, Malwarebytes uninstalled using the support tool. Now going to reboot, open the tool, then gather logs. If I understand your instructions, I'm not meant to re-install Malwarebytes yet? Sorry if that's a stupid question - want to make sure I do things correctly.

Edit: uploaded the requested zip. I'm pretty sure I was meant to re-install Malwarebytes after rebooting and then generate logs, but just in case here's a (probably useless) zip.

mbst-grab-results.zip

Edited by PiersJ

  • Root Admin

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 


 

Thank you

 

 


  • Root Admin

I'd also like to have you run the following. It will do some generic temp file clean up and reset some default items as well as verify Microsoft system files and perform a disk check to verify data integrity.

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

