
Is Malwarebytes causing deadlocks on Windows 11 22H2?


David-B


Hello Malwarebytes Community,

Last week, I updated my PC to the Windows 11 22H2 release. Soon after upgrading, I began seeing frequent occurrences of the machine arbitrarily deadlocking. The behavior is weird to describe. I would simply be using the machine, and then various applications that I have open would start locking up and becoming unresponsive. It would begin with the application that was in focus, and then in the next 30 seconds or so, would begin to impact other applications that I have open as well, ultimately ending with the entire Explorer UI becoming unresponsive. The only "solution" would be to crash the computer and reboot it. I've seen this behavior occasionally happen in the past, but it has become a regular occurrence averaging about 5 times a day since updating to 22H2. I've had bizarre issues with installing major updates in the past that stem from Malwarebytes, so I naturally assumed that Malwarebytes is the culprit. Because of that, I've been A/B testing the use of my machine with and without Malwarebytes enabled. The issue has never occurred when I have it disabled. Is anyone seeing bizarre behavior of this sort? Is the issue known about among the Malwarebytes team? Is there something I can do to work around it? Or should I just run my system without Malwarebytes until an update is released?

Link to post

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post

3 minutes ago, David-B said:

Is there something I can do to work around it?

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

 

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thanks

Link to post

  • Root Admin

Please uninstall the following

Bonjour
CCleaner

 

Then restart the computer and see about fixing your Search Service

 

Error: (09/29/2022 01:08:00 AM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: Recovery phase failed.

https://www.makeuseof.com/windows-11-search-bar-not-showing-working-on/

 

Link to post

On 9/29/2022 at 4:03 PM, Porthos said:

Did you manually upgrade to 22h2?

Was it offered to you thru Windows update?

It was offered to me, and I decided to take it. In hindsight, perhaps I shouldn't have.

On 9/29/2022 at 4:15 PM, AdvancedSetup said:

Please uninstall the following

Bonjour
CCleaner

 

Then restart the computer and see about fixing your Search Service

 

Error: (09/29/2022 01:08:00 AM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: Recovery phase failed.

https://www.makeuseof.com/windows-11-search-bar-not-showing-working-on/

 

I can try it, but may I ask what exactly is wrong with Bonjour and CCleaner?

Link to post

  • Root Admin

Bonjour is an Apple program designed as a network discovery share program. Windows can already share anything it needs to share with builtin tools. The Bonjour program is noisy and broadcasts constantly often causing network issues for users on Windows.

CCleaner (is no longer recommended by computer experts as it has been sold to multiple companies now and has had undesirable features added to the program. Windows can already do 90% of what CCleaner does with builtin tools)

 

Fixing your SEARCH index should help the computer to run better.

 

 

Edited by AdvancedSetup
Updated information
Link to post

On 10/3/2022 at 4:01 PM, AdvancedSetup said:

Bonjour is an Apple program designed as a network discovery share program. Windows can already share anything it needs to share with builtin tools. The Bonjour program is noisy and broadcasts constantly often causing network issues for users on Windows.

CCleaner (is no longer recommended by computer experts as it has been sold to multiple companies now and has had undesirable features added to the program. Windows can already do 90% of what CCleaner does with builtin tools)

 

Fixing your SEARCH index should help the computer to run better.

 

 

Unfortunately, whatever is happening still happens even after doing this.

Link to post

  • Root Admin

Okay, please restart the computer and get me the following logs @David-B

 

Please do the following so that we can get started and see what's going on.


The Farbar Recovery Scan Tool is a free Windows utility designed to create troubleshooting logs for your computer. These logs help our Support team to identify and resolve issues with your computer.

There are two versions of the Farbar Recovery Scan Tool available for download: 32-bit and 64-bit.
To find which operating system is installed on your computer, refer to Microsoft's article: 32-bit and 64-bit Windows: Frequently asked questions

Download and launch Farbar Recovery Scan Tool

  1. Download the Farbar Recovery Scan Tool
    Do not click on any Ads.
     
  2. Locate the file you downloaded on your computer.
    Downloaded files are often saved to the Downloads folder.
     
  3. Double-click the downloaded file to run the Farbar Recovery Scan Tool.

     
  4. Windows protected your PC notification may appear. This notification is from the Windows Defender SmartScreen Filter which prevents unfamiliar apps from running on your PC.
    Disable smart screen ONLY if it interferes with software we may have to use:  What is SmartScreen and how can it help protect me?

         a.  Click More info.
         b.  Click Run anyway.
  5. When the User Account Control window appears, click Yes.


     
  6. To accept the Disclaimer of warranty, click Yes.


     
  7. Ensure only the boxes listed below are checked

    Registry  Services  Drivers
    Processes  Internet  One month
    Addition.txt

  8. Disable any Antivirus software you have installed ONLY if it stops software we may use from working.
    Please remember to re-enable any Antivirus software when we are finished running scans

    Click Scan. The scan may take a few minutes to complete.

     

  9. When the scan completes, Farbar Recovery Scan Tool shows two messages:

  • Scan completed. FRST.txt is saved in the same directory FRST is located.
  • Addition.txt is saved in the same directory FRST is located.
  • Click OK to close each message window

 

Please attach both of those logs on your next reply, DO NOT copy/paste the contents of the logs directly


 

 

Thanks

 

 

Link to post

  • Root Admin

Your Search Service looks to be corrupted, Please repair it.

System errors:
=============
Error: (10/05/2022 06:59:58 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The WSearch service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (10/05/2022 06:59:58 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The WSearch service terminated with the following error:
A specified logon session does not exist. It may already have been terminated.

 

Application errors:
==================
Error: (10/05/2022 06:59:49 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: Recovery phase failed.

Context:  Application, SystemIndex Catalog

Details:
    0x%08x (0x80040d23 - The gatherer is shutting down.  (HRESULT : 0x80040d23))

Error: (10/05/2022 06:59:49 PM) (Source: Windows Search Service) (EventID: 3602) (User: )
Description: Error ID 1 happened in Windows Search recovery stage, please restart the service. If this error persists, please recreate the index.

Context:  Application, SystemIndex Catalog

Details:
    0x%08x (0x80040d23 - The gatherer is shutting down.  (HRESULT : 0x80040d23))

 

 

DO NOT click on any Ads, or download anything. Just read the page on how to fix Windows Search

Indexing Broken in Windows 11? Try these fixes!
https://appuals.com/indexing-broken-windows-11/

 

 

 

Why do you have this set?

IFEO\vdsldr.exe: [Debugger] cmd /q Skip TPM Check on Dynamic Update (c) AveYo, 2021 /d/x/r>nul (erase /f/s/q %systemdrive%\$windows.~bt\appraiserres.dll&md 11&cd 11&ren vd.exe vdsldr.exe&robocopy "../" "./" "vdsldr.exe"&ren vdsldr.exe vd.exe&start vd -Embedding)&rem;

 

 

What are all these folders for?

They are locked which is not normal

2022-09-20 18:56 C:\WINDOWS\system32\_MEI43602
2022-09-20 18:56 C:\WINDOWS\system32\_MEI43802
2022-09-20 18:56 C:\WINDOWS\system32\_MEI44762
2022-09-20 18:56 C:\WINDOWS\system32\_MEI46002
2022-09-20 18:56 C:\WINDOWS\system32\_MEI47002
2022-09-20 18:56 C:\WINDOWS\system32\_MEI47202
2022-09-20 20:19 C:\WINDOWS\system32\_MEI47402
2022-09-20 18:56 C:\WINDOWS\system32\_MEI47802
2022-09-20 18:56 C:\WINDOWS\system32\_MEI48082
2022-09-20 18:56 C:\WINDOWS\system32\_MEI48162
2022-09-20 18:56 C:\WINDOWS\system32\_MEI48202
2022-09-20 18:56 C:\WINDOWS\system32\_MEI48442
2022-09-20 18:56 C:\WINDOWS\system32\_MEI48522
2022-09-20 18:56 C:\WINDOWS\system32\_MEI48602
2022-10-03 14:23 C:\WINDOWS\system32\_MEI48962
2022-09-20 18:56 C:\WINDOWS\system32\_MEI49042
2022-09-20 18:56 C:\WINDOWS\system32\_MEI49043
2022-09-21 14:19 C:\WINDOWS\system32\_MEI49162
2022-09-20 18:56 C:\WINDOWS\system32\_MEI50282
2022-09-20 18:56 C:\WINDOWS\system32\_MEI50482
2022-09-20 18:56 C:\WINDOWS\system32\_MEI50562
2022-09-20 19:04 C:\WINDOWS\system32\_MEI50563
2022-09-20 18:56 C:\WINDOWS\system32\_MEI50762
2022-09-20 18:56 C:\WINDOWS\system32\_MEI50882
2022-09-20 18:56 C:\WINDOWS\system32\_MEI51082
2022-09-20 18:56 C:\WINDOWS\system32\_MEI51482
2022-09-26 14:20 C:\WINDOWS\system32\_MEI51602
2022-10-03 14:02 C:\WINDOWS\system32\_MEI52042
2022-09-23 15:04 C:\WINDOWS\system32\_MEI52282
2022-09-20 18:56 C:\WINDOWS\system32\_MEI52482
2022-09-23 11:40 C:\WINDOWS\system32\_MEI52483
2022-09-29 15:51 C:\WINDOWS\system32\_MEI52522
2022-09-27 09:05 C:\WINDOWS\system32\_MEI52562
2022-09-23 13:24 C:\WINDOWS\system32\_MEI52642
2022-09-29 12:05 C:\WINDOWS\system32\_MEI52643
2022-09-20 18:56 C:\WINDOWS\system32\_MEI52682
2022-10-03 14:26 C:\WINDOWS\system32\_MEI52683
2022-09-26 14:40 C:\WINDOWS\system32\_MEI52722
2022-09-29 09:37 C:\WINDOWS\system32\_MEI52762
2022-10-05 13:39 C:\WINDOWS\system32\_MEI52763
2022-09-29 15:29 C:\WINDOWS\system32\_MEI52802
2022-10-05 18:59 C:\WINDOWS\system32\_MEI52803
2022-10-05 09:55 C:\WINDOWS\system32\_MEI52922
2022-09-29 09:59 C:\WINDOWS\system32\_MEI53602
2022-09-20 19:15 C:\WINDOWS\system32\_MEI53682
2022-10-03 11:49 C:\WINDOWS\system32\_MEI53722
2022-09-20 20:55 C:\WINDOWS\system32\_MEI53882
2022-09-24 21:56 C:\WINDOWS\system32\_MEI53883
2022-09-21 11:01 C:\WINDOWS\system32\_MEI53922
2022-09-28 19:54 C:\WINDOWS\system32\_MEI54202
2022-09-29 11:48 C:\WINDOWS\system32\_MEI54362
2022-09-20 19:11 C:\WINDOWS\system32\_MEI54442
2022-09-26 09:15 C:\WINDOWS\system32\_MEI54443
2022-09-26 14:48 C:\WINDOWS\system32\_MEI54522
2022-09-20 19:57 C:\WINDOWS\system32\_MEI54682
2022-09-20 19:29 C:\WINDOWS\system32\_MEI54762
2022-09-20 20:44 C:\WINDOWS\system32\_MEI54922
2022-09-23 14:45 C:\WINDOWS\system32\_MEI55762
2022-09-20 18:51 C:\WINDOWS\system32\_MEI72522

 

 

Please answer those questions and run the following scanner.

I'll check back on you tomorrow

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Link to post

I find it interesting that the Search Service is still corrupted. I tried fixing it earlier by forcing a rebuild of the index. Evidently that was not enough, so I have just tried the more aggressive method of totally wiping out the contents of C:\ProgramData\Microsoft\Search as per the instructions listed on the page you linked to.

The "Skip TPM on Dynamic Update" thing is there because I needed to disable my TPM for a bit at one point, but doing so caused updates to stop installing because my device was not in compliance with the hardware requirements. The TPM requirement is a stupid meaningless artificial limitation set by Microsoft anyway, so I fixed it by using this.

I have an explanation for the set of C:\WINDOWS\system32\_MEI* folders. One of the background services that I run on my computer is a self-built application that I wrote in Python and packaged into a Windows binary using PyInstaller. Applications built with PyInstaller generate these _MEI* directories, but they typically do it in the user's temp directory and clean them up when they are finished executing. Apparently though, the one that I'm running as a service is dropping the temporary directories in C:\WINDOWS\system32 instead and isn't cleaning them up. In other words, you found a bug in my code that I wasn't aware of. Once I get a chance to fix it, all will be well.

As for the ESET log, I have attached it. As you expected, it didn't find anything. The one and only thing it did find was a false positive.

log.txt

Link to post
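The two log findings questioned in this exchange, the IFEO Debugger value and the run of _MEI* folders under system32 that the reply above attributes to PyInstaller, can be pulled out of such a log mechanically. This is an added example, not part of the original thread or of FRST itself; the sample lines are constructed in the two line formats quoted above, the function names are hypothetical, and treating "not under a Temp folder" as the anomaly is an assumption based on the reply's description.

```python
import ntpath  # Windows path semantics regardless of the host OS
import re
from collections import defaultdict

# Constructed sample in the line formats quoted in this thread (not a real log).
SAMPLE_FRST = r"""
IFEO\sample-app.exe: [Debugger] cmd /c C:\Tools\wrapper.cmd
IFEO\other-app.exe: [MitigationOptions] 0x100
2022-09-20 18:56 C:\WINDOWS\system32\_MEI43602
2022-10-05 18:59 C:\WINDOWS\system32\_MEI52803
2022-09-20 18:51 C:\WINDOWS\system32\_MEI72522
2022-10-01 09:00 C:\Users\dev\AppData\Local\Temp\_MEI10242
2022-10-01 09:05 C:\WINDOWS\system32\drivers
"""

# "IFEO\<image>: [<value name>] <data>"
IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+): \[(?P<value>[^\]]+)\] (?P<data>.*)$")
# "<YYYY-MM-DD HH:MM> <absolute path>"
DIR_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<path>[A-Za-z]:\\.+)$")
# PyInstaller one-file extraction folders are named _MEI followed by digits.
MEI_RE = re.compile(r"^_MEI\d+$")


def ifeo_debuggers(text):
    """Return (image, command) for each IFEO entry that sets a Debugger value.

    A Debugger value makes Windows launch the given command in place of the
    named image, so every hit should be explainable by the machine's owner.
    """
    hits = []
    for line in text.splitlines():
        m = IFEO_RE.match(line.strip())
        if m and m.group("value").lower() == "debugger":
            hits.append((m.group("image"), m.group("data")))
    return hits


def stray_extract_dirs(text):
    """Summarise _MEI* folders that are not under a Temp folder, per parent."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = DIR_RE.match(line.strip())
        if not m:
            continue
        parent, name = ntpath.split(m.group("path"))
        if not MEI_RE.match(name):
            continue
        components = [part.lower() for part in parent.split("\\")]
        if "temp" in components or "tmp" in components:
            continue  # expected location for a one-file extraction
        groups[parent.lower()].append(m.group("ts"))
    # Timestamps are zero-padded, so string order equals time order.
    return {
        parent: {"count": len(ts), "first": min(ts), "last": max(ts)}
        for parent, ts in groups.items()
    }


if __name__ == "__main__":
    for image, command in ifeo_debuggers(SAMPLE_FRST):
        print(f"IFEO Debugger on {image}: {command}")
    for parent, info in stray_extract_dirs(SAMPLE_FRST).items():
        print(f"{info['count']} _MEI folders in {parent} "
              f"({info['first']} to {info['last']})")
```

A steadily growing count in one parent directory points at a single long-running program that extracts on every start and is stopped before it can clean up, which matches the explanation given in the reply.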

  • Root Admin

What you do on your system is up to you. Not here to be the Microsoft security guard.

Obviously you're doing things the system isn't expecting. Probably best to use Microsoft Process Monitor to try and help you track down the issue as the current logs are not showing an obvious reason for a lock.

Creation of a program or system crash dump might help.

https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

 

Link to post

Fair enough. The reason I had to disable the TPM is because I was working on an application that would behave differently depending on whether a TPM was present or not. Because of this, I wanted to have a way to keep getting updates regardless of whether I had it on or off at any given time.

So, you are suggesting running Process Monitor on the machine in the background until it locks up again?

Link to post

On 10/7/2022 at 6:41 PM, AdvancedSetup said:

You cannot run it forever as it makes HUGE logs very quickly.

You run the tool then try to duplicate the issue.

I would love to do this, but there's just one problem: the deadlock occurs arbitrarily. There is no consistent pattern for me to use for reproducing. The only way that I can think of to collect any information would be to just leave the application running in the background and wait for the machine to deadlock to see what I collect, but given that the log grows so rapidly, that seems infeasible. And even if I do go that route, that doesn't guarantee that the valuable log data wouldn't get lost when I am forced into crashing the machine.

Link to post

  • Root Admin

I'd have to try to get someone from our QA Team to take a look at it. I cannot promise when that will happen but you'll need to create a Support Ticket to get the process started.

Regular Support will initially help you once they do reply to your ticket. If they're unable to correct it, they can then escalate it on to QA if needed.

Please fill out the form from the link below. Please note that it can potentially be more than ten workdays before you get a reply.

 

Consumer Support

https://support.malwarebytes.com/hc/en-us/requests/new

Thank you

 

 

Link to post

16 hours ago, AdvancedSetup said:

I'd have to try to get someone from our QA Team to take a look at it. I cannot promise when that will happen but you'll need to create a Support Ticket to get the process started.

Regular Support will initially help you once they do reply to your ticket. If they're unable to correct it, they can then escalate it on to QA if needed.

Please fill out the form from the link below. Please note that it can potentially be more than ten workdays before you get a reply.

 

Consumer Support

https://support.malwarebytes.com/hc/en-us/requests/new

Thank you

Alright. I have just submitted a ticket and included a reference to this thread. Thank you for your continued support with this, by the way. I really appreciate it especially since I am not so sure that the issue I'm facing is caused by Malwarebytes given that I have seen this occur even when I have Malwarebytes disabled.

Link to post

26 minutes ago, David-B said:

I am not so sure that the issue I'm facing is caused by Malwarebytes given that I have seen this occur even when I have Malwarebytes disabled.

My 02 here.

That processor is not, as you probably are aware, supported by Win 11 in the first place. I know there are many ways to bypass it, although I would never do it.

Also 22h2 is having issues with many, even supported systems and I am waiting until the end of the year to move my clients to it.

I wonder how wise it was to install Win 11 on an unsupported system with from the looks of it "mission critical" use.

Edited by Porthos
Link to post

44 minutes ago, Porthos said:

My 02 here.

That processor is not, as you probably are aware, supported by Win 11 in the first place. I know there are many ways to bypass it, although I would never do it.

Also 22h2 is having issues with many, even supported systems and I am waiting until the end of the year to move my clients to it.

I wonder how wise it was to install Win 11 on an unsupported system with from the looks of it "mission critical" use.

Yeah I am considering doing a rollback. I'm waiting for tomorrow's patches to roll out before I make a decision about that though.

Link to post

This topic is now closed to further replies.