
I've had recurring BSOD (once or twice a week) that I've finally tracked down to MalwareBytes (Premium - been long time with Malwarebytes).  Seems it started with version 2 on May 1,  when I was upgraded to 2.0.xxx.  I tried upgrading to 2.0.2.1012, and still a problem.

 

I'm running Win 7 Pro SP1, and Microsoft Security Essentials for Antivirus.  Often, crash happens while running Google Chrome (presently 35.0.1916.114 m)

 

I'm not at all happy with Malwarebytes at this point - it's been a great tool for many years, but I can't abide a utility that routinely BSODs.  I'm turning off real-time protection until I can get something resolved.

 

Please help...I'm happy to send minidump files if you wish.

------------------------------------------

 

OSROnline gives the following BSOD analysis info:

 

Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
Machine Name:
Kernel base = 0xfffff800`03a19000 PsLoadedModuleList = 0xfffff800`03c5c670
Debug session time: Tue Jun 3 22:27:32.451 2014 (UTC - 4:00)
System Uptime: 0 days 1:00:43.685
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: fffffa800aea1830, The pool entry we were looking for within the page.
Arg3: fffffa800aea1850, The next pool entry.
Arg4: 0000000004020008, (reserved)

Debugging Details:
------------------

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

BUGCHECK_STR: 0x19_20

POOL_ADDRESS: GetPointerFromAddress: unable to read from fffff80003cc6100
GetUlongFromAddress: unable to read from fffff80003cc61c0
fffffa800aea1830 Nonpaged pool

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

PROCESS_NAME: mbamservice.ex

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff80003bc1cae to fffff80003a8ec00

STACK_TEXT:
fffff880`0d5ed258 fffff800`03bc1cae : 00000000`00000019 00000000`00000020 fffffa80`0aea1830 fffffa80`0aea1850 : nt!KeBugCheckEx
fffff880`0d5ed260 fffff880`01f290bd : 00000000`00000008 00000000`00000004 00000000`676e7049 fffff880`04e790b2 : nt!ExDeferredFreePool+0x12da
fffff880`0d5ed310 fffff880`011a004a : 00000000`00000000 fffff880`0119c0c3 00000000`00000000 fffffa80`0b786010 : tcpip!IppInspectBuildHeaders+0x65d
fffff880`0d5ed5f0 fffff880`090c4109 : 00000000`00000000 00000000`00000014 00000000`00000000 fffffa80`06949790 : fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+0x20a
fffff880`0d5ed690 00000000`00000000 : 00000000`00000014 00000000`00000000 fffffa80`06949790 fffffa80`069497a4 : mwac+0x6109


STACK_COMMAND: kb

FOLLOWUP_IP:
fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a
fffff880`011a004a 85c0 test eax,eax

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: fwpkclnt

IMAGE_NAME: fwpkclnt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 50e4f5c8

FAILURE_BUCKET_ID: X64_0x19_20_fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a

BUCKET_ID: X64_0x19_20_fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a

 

 

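A triage helper for analysis text like the dump posted above, as an added example that is not part of the original thread and not OSR or Malwarebytes tooling. It extracts the bugcheck string, the process name and the modules in STACK_TEXT, and flags frames that resolved only to module+offset (no symbols), which is how mwac appears here; the function names are my own and the sample is an abbreviated copy of the posted dump.

```python
import re
from collections import Counter

# Abbreviated copy of the analysis text posted above (stack arguments trimmed).
SAMPLE = """\
BUGCHECK_STR: 0x19_20
PROCESS_NAME: mbamservice.ex
STACK_TEXT:
fffff880`0d5ed258 fffff800`03bc1cae : 00000000`00000019 : nt!KeBugCheckEx
fffff880`0d5ed260 fffff880`01f290bd : 00000000`00000008 : nt!ExDeferredFreePool+0x12da
fffff880`0d5ed310 fffff880`011a004a : 00000000`00000000 : tcpip!IppInspectBuildHeaders+0x65d
fffff880`0d5ed5f0 fffff880`090c4109 : 00000000`00000000 : fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+0x20a
fffff880`0d5ed690 00000000`00000000 : 00000000`00000014 : mwac+0x6109
STACK_COMMAND: kb
"""

FIELD = re.compile(r"^([A-Z_]+):\s*(.*)$")                    # e.g. "BUGCHECK_STR: 0x19_20"
FRAME = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : .* : (\S+)$")   # child-SP retaddr : args : call site

def parse_analysis(text):
    """Return (fields, stack); stack is [(module, symbol or None)], top frame first."""
    fields, stack, in_stack = {}, [], False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:  # any new FIELD line ends the STACK_TEXT section
            in_stack = m.group(1) == "STACK_TEXT"
            if not in_stack:
                fields[m.group(1)] = m.group(2).strip()
            continue
        f = FRAME.match(line) if in_stack else None
        if f:
            module, _, rest = f.group(1).partition("!")
            # "mod!Func+0x.." resolved to a symbol; "mod+0x.." did not.
            stack.append((module, rest.split("+")[0]) if rest
                         else (module.split("+")[0], None))
    return fields, stack

def unsymbolized_modules(stack):
    """Heuristic: module+offset frames had no symbols, usually third-party drivers."""
    return [mod for mod, sym in stack if sym is None]

def tally(reports):
    """Count bugcheck strings and recurring unsymbolized modules across several dumps."""
    codes, mods = Counter(), Counter()
    for text in reports:
        fields, stack = parse_analysis(text)
        codes[fields.get("BUGCHECK_STR", "?")] += 1
        mods.update(set(unsymbolized_modules(stack)))  # a lead to follow up, not a root cause
    return codes, mods
```
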

Let's try some maintenance and see if that helps or not.  I see you're using Acronis TrueImage so I assume you have good backups but please go ahead and create a new System Restore Point and then do the following.
 
 
Please run a Full Disk Check on your system drive.  If needed here are some links on how to run a Disk Check.

On Windows 7 the disk check log is in the Event Logs under Application with a heading source of  Wininit
 
How to Run Disk Check in Windows 7

How to Run Check Disk at Startup in Vista or Windows 7

How to Read the Event Viewer Log for Check Disk (chkdsk) in Vista, Windows 7, and Windows 8
 
Basically from an elevated admin command prompt run:  CHKDSK C: /R and say yes to run it on restart then restart the computer and let it run.
Then go into the Event Logs and find the entry and copy/paste the log results back here on your next reply.
 
Then go into Control Panel, Add/Remove and uninstall ALL versions of Java (you're running old compromised java) and run the following.
 
Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

 

 

Next, run the following.
 
Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

 

 

Then run  our MBAM CLEAN process to ensure a good clean install of the program.

 

Then run your system as you would normally and let me know if you continue to see this issue or not.

 


Ron,

All recommended actions have been done.  Malwarebytes Premium is now reinstalled at 2.0.2.1012.  Attached are the chkdsk results and JavaRa.log.

 

Note that when the BSODs started about a month ago, I did a chkdsk at that time, as well as sfc/scannow, as well as updating all system drivers (through Thinkpad System Update).  I wasn't suspecting Malwarebytes at the time and WhoCrashed only told me it was tcpip.sys, not the actual cause.  So I'm guessing that the reparse records from the chkdsk had more to do with the BSODs I've had subsequently.  

 

BSODs are rough on the stability of a Windows installation.  I really do appreciate your help, and I don't doubt your expertise, but with all due respect, I'm having a hard time believing that issues such as out-of-date Java (yes, it's a security issue, agreed) could be linked to Malwarebytes BSODs.  I've turned on real-time Malware Protection and Malicious Website Protection for now, but one more BSOD attributed to Malwarebytes and they're off until some more definitive bug fixes or information.  

 

I wish I was more optimistic...basic troubleshooting procedure would suggest that (1) before Malwarebytes 2, no crashes for more than 1 year (with previous version of Malwarebytes running), (2) after Malwarebytes 2, several crashes, with crash analysis pointing to Malwarebytes every time, (3) cause is Malwarebytes 2. I hope you pinpoint the actual cause of the BSODs and fix it real soon!  Malwarebytes has been a great product, and I'd like to stick with it, but not at the risk of system stability.

 

Cheers

 

 

 

 

Chkdsk Jun 5 2014.txt

JavaRa.log


No, not suggesting that Java is the cause (only noticed it was old and you were going to be rebooting so figured best to get it removed).

 

Your logs don't show anything iron clad that might be causing it and thus why I recommended general maintenance. If it was BSOD on a regular basis or we had several dump files that all showed the exact same error then we could probably conclude what was the exact cause but that's not the case. Your BSOD happens randomly and can go days without it which does make it more difficult to track down.

 

Yes we'd certainly love the program to run 100% on every single computer out there but the reality is that there are too many complexities going on under covers with computers to be able to easily track down all issues. If we're unable to track down the issue and it were my own computer I'd be looking at removing it too. Hopefully this maintenance will have helped with the issue.  Let us know how it goes.

 

Thanks


@AdvancedSetup, I think this requires someone with access to the source code to think about what it's doing  :).  I expect that my report has the same cause:

https://forums.malwarebytes.org/index.php?showtopic=149651#entry837323

 

and both the mini-dump and the full MEMORY.DMP are available for that.  In that report, I also posted links to two reports on non-Malwarebytes sites with very similar stack traces.

While appeal to authority isn't really helpful, I have over 40 years of professional software development experience, and this all points to a genuine bug in mwac.sys.  Alas, it is a relatively rare bug, and for whatever reason looks like at least half of the bug reporters don't think to post to this forum.  Nevertheless, where there's a will there's a way  ;)


@anachromat, well said.  I also have many years of professional software development experience, and I agree the evidence on this issue is pointing in an obvious direction.  

 

@AdvancedSetup, I also have minidumps still from all BSODs.  Happy to share them, if Malwarebytes thinks they would be helpful.


Yes, Please zip up all your mini-dumps from the past month along with all your protection logs and scan logs for the program and I will submit them to the development team.

 

As for the BAD_POOL_HEADER that is almost a red herring for me as I've repaired more computers than I can count with both infections and bad memory modules that have had nothing to do with the program. Once the infection was removed or once the user replaced their memory the error vanished without any changes to our program. Certainly it's possible that our driver does not like something that is on your system but I also know from debugging code that just because a file is in the stack does not mean it is the root cause. OSROnline is a great resource and the people behind the site are great for providing such a tool but often it simply does not have enough information to provide the exact cause and needs human intervention to review it. A single debug file alone is sometimes not enough information either. If you've been doing software development that long then you know that debugging is not always a walk in the park and I've seen posts from those teaching the subject where they've spent weeks debugging.  Bottom line though is getting these debug files along with the other logs should hopefully help our Development Team track down what is causing it and either provide advice we can pass along to you or if it is our program then work on fixing it for a future update.

 

Thank you again

 

Ron

 


Thanks, Ron.  No disrespect meant at all.  In my specific instance, I see where all the evidence is pointing, but I'm also well aware that finding the actual cause can be very elusive.   

 

I also checked the usual culprits about a month ago when BSODs mysteriously surfaced - re-seated memory, ran memory diagnostics, updated video and network drivers, etc.  I wasn't suspecting Malwarebytes.  Malwarebytes has a hard-earned and well-deserved reputation at the top of the heap of the malware-fighting community, and the patient work of many staff and volunteers in these forums is truly appreciated.

 

I had another BSOD last night.  Again, OSROnline points at mwac as the culprit.  My solution right now, not my preferred one, but necessary, is to turn off Malicious Website Protection, the main reason I have Malwarebytes.  I need to protect the integrity of my system.

 

I will zip up all of the minidump files shortly and post them. 


Thank you very much. I've alerted our QA department to please come take a look at these files and see what's going on.

 

Cheers


Here's an update...

 

For more than two weeks now, I've had Malwarebytes running with all protections enabled, and no BSODs.  Just before I re-enabled, I noticed that Windows Update was calling for over 1 GB of updates (over 100 updates), even though I always have Windows Update set to auto, and always update dutifully on Microsoft's bidding.  Possibly something got reset on one of the previous crashes.  Though I can't tell for sure anymore, I'm quite sure that my system was in that state during some of the more recent crashes, but I'm certain it wasn't when my system first started crashing (though running an earlier version of Malwarebytes 2).  I ran all the updates (took most of the day), and then turned on all Malwarebytes Premium real-time protections.

 

So, all is well at this point.  Before this, crashes were approximately once per day, or every other day.

 

My guess at causation - latest Malwarebytes release (2.0.2.1012) must have fixed whatever was the initial problem causing the BSODs, but when I updated Malwarebytes to the latest, it didn't interact well with my OS that was needing a bunch of Win 7 updates.

 

Thanks once again @AdvancedSetup for your help.
