
Malwarebytes Premium Breaking Ndu.sys



I've come here because I've exhausted all other options.  I have a Gigabyte AORUS X5 V8 laptop with a KillerNetworking adapter.

Since April 2020, my system has been periodically getting a BSOD with a hard reset, creating a number of different errors all tied to the Ndu.sys for Windows 10.  It has gotten so bad recently that it can now happen twice or three times a week!

I have not installed the May 2020 Update yet, because there is currently a problem with it disabling network functionality altogether with my system.  I have tried the following to fix this problem:

  • Updated Network Drivers
  • Clean reinstall of Network Drivers
  • Cleared Internet Cache
  • Updated GPU Drivers
  • Checked Hard Drive for Errors
  • Checked Memory for Errors
  • Run SFC Scan
  • Run CHKDSK and DISM
  • Updated the BIOS
  • Updated Java Runtime
  • Updated XSplit applications
  • Uninstalled Virtual CloneDrive
  • Repaired Windows 10
  • Clean Install of Windows 10

Ostensibly, none of these solutions have worked.  Then I read a thread on the Microsoft forums suggesting a feature of MB Anti-Malware Premium is misbehaving with this driver - perhaps intermittently treating it as Malware/Ransomware.  We only recently renewed our Premium Subscription, so it would be a shame if this matter couldn't be resolved...

I have attached my system's FRST logs for review.

mbst-grab-results.zip


4 hours ago, Hyncharas said:

I have attached my system's FRST logs for review.

First I would upgrade Malwarebytes to the current Beta version. Once you do that, do another manual check for updates.

I would also recommend creating exclusions between Malwarebytes and your AV to help prevent any possible conflicts or performance issues. Please add the items listed in this support article to your AV's allow list(s)/trust list(s)/exclusion list(s), particularly for any of its real-time protection components, and likewise add your AV's program folder(s) (likely located under C:\Program Files and/or C:\Program Files (x86)) to Malwarebytes' Allow List using the method described under the Allow a file or folder section of this support article, and do the same for its primary data folder, which is likely located under C:\ProgramData (you may need to show hidden files and folders to see it).

 

 


  • 2 weeks later...
  • Root Admin

When you say it's flagged, do you mean in the BSOD error or in some other log?

If you uninstall Malwarebytes does the issue go away?

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


Your logs from 10 days ago show you have quite an outdated version installed.

Please update to the latest version (Malwarebytes version 4.1.2, Component update package 1.0.979 or higher) and verify if the issue persists or not.

If the issue persists:

  • We need to confirm if Malwarebytes is definitely involved.
  • Does the issue still occur if Avast is uninstalled and Malwarebytes is left fully enabled?
  • Is a particular Real-Time Protection component in Malwarebytes involved? I would suggest starting with disabling Web Protection.
  • Can you provide the full kernel dump generated from the BSOD (C:\Windows\MEMORY.dmp)?

Thus far I have added ndu.sys to Avast's "file exclusion" list; I will, however, try uninstalling it completely and see what happens.  Please note I have also read about a security vulnerability with my system's "app center" from the manufacturer, so have updated this to the latest version.

The system has been having trouble creating a kernel dump as yet, so I have set it to not delete the dump file if system memory is low - I have also uninstalled a few applications to free up additional space on the OS' drive to support this...

I will keep you apprised.


Since we last spoke, I haven't experienced a single crash with the ndu.sys until today.

When it occurred, I found Malware and Ransomware protection had turned themselves off, where I turned them on.  A few minutes later, they turned off again.  After downloading an update to MBAM, I then tried to turn on both shields a second time, which caused a GSOD (green screen of death) with the ndu.sys file listed, and "KMODE_EXCEPTION_NOT_HANDLED" – interestingly, however, I am NOT running a Windows 10 Preview Build.

In the process of planning to upload the Kernel dump to OneDrive for review, my system froze again, where upon reset it was deleted.  I am also, periodically, receiving “unable to connect to license server” errors, even though I am still connected to the internet…

I have, therefore, uploaded the FRST and Addition files to this post; note these wouldn’t create on Desktop, so were saved to my storage drive.  I have further changed the destination of the Kernel dump to my storage drive. When I experience another crash, I will provide a link.

Addition.txt FRST.txt


I have, but in some instances it still does so, or simply erases the dumps altogether.  This is a laptop and, when I purchased it (a month before RTX laptops launched), I thought I would only need 500GB M.2 SSD for the OS and 2TB for storage, because a 1TB OS drive at that time was 4x as expensive... unfortunately this is making my problem harder.

This is the most advanced system I have, and I don't have much money right now to fix it, should this turn out to be a hardware issue.


So I was going to upload a Kernel Dump created just now, but they still seem to be erased whenever Windows 10 fully reloads.  Fortunately I have discovered another function of Windows 10, SilentCleanup, was the culprit purging them... until this issue is resolved I have disabled it, so the next Kernel Dump (fingers crossed) should help figure out what's happening.

However, it could be something simple I've overlooked - though I'm not on Windows Insider Previews now, I was previously.  I am, therefore, downloading a fresh, standard version of Windows 10 with the MCT in case I just need to replace the current build.

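The dump-retention settings this thread keeps running into (the kernel dump location, the "do not delete when disk space is low" option, and the SilentCleanup task) can be checked in one read-only pass. This is an added example, not part of any poster's reply; the function name Get-CrashDumpReadiness and the warning conditions are assumptions chosen for illustration.

```powershell
function Get-CrashDumpReadiness {
    # Read-only audit; run from an elevated PowerShell prompt on the affected machine.
    $cc    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $types = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }

    # DumpFile defaults to %SystemRoot%\MEMORY.DMP; expand it in case it comes back raw.
    $dumpFile = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
    $drive    = Get-PSDrive -Name (Split-Path -Qualifier $dumpFile).TrimEnd(':')
    $ramBytes = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory

    # Scheduled task the original poster found purging dumps after a reboot.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' `
                              -TaskName 'SilentCleanup' -ErrorAction SilentlyContinue

    # Configured full/kernel dump plus the default minidump folder (assumed unchanged).
    $existing = @($dumpFile, (Join-Path $env:SystemRoot 'Minidump\*.dmp')) |
        ForEach-Object { Get-ChildItem $_ -ErrorAction SilentlyContinue } |
        Sort-Object LastWriteTime -Descending

    [pscustomobject]@{
        DumpType          = $types[[int]$cc.CrashDumpEnabled]
        DumpFile          = $dumpFile
        KeepWhenDiskIsLow = [bool]$cc.AlwaysKeepMemoryDump
        OverwriteExisting = [bool]$cc.Overwrite
        FreeGB            = [math]::Round($drive.Free / 1GB, 1)
        RamGB             = [math]::Round($ramBytes / 1GB, 1)
        SilentCleanup     = if ($task) { [string]$task.State } else { 'not found' }
        NewestDump        = ($existing | Select-Object -First 1).FullName
    }
}

$r = Get-CrashDumpReadiness
$r | Format-List

# Flag the conditions reported in the thread.
if ($r.DumpType -eq 'None')    { Write-Warning 'Crash dumps are disabled.' }
if (-not $r.KeepWhenDiskIsLow) { Write-Warning 'Dumps may be deleted automatically when disk space is low.' }
if ($r.FreeGB -lt $r.RamGB)    { Write-Warning 'Dump volume has less free space than installed RAM; a complete dump would not fit.' }
if ($r.SilentCleanup -notin 'Disabled', 'not found') { Write-Warning 'SilentCleanup task is enabled.' }
if (-not $r.NewestDump)        { Write-Warning 'No dump file present at the configured locations.' }
```

Running it once before the next crash and once after the following reboot shows whether a dump was written and then removed, or never written at all.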

  • Root Admin

Hello @Hyncharas

Since you have Windows 10 - it comes with Windows Defender which is a pretty good antivirus program on its own. What I would like to do is do a clean removal of both Avast and Malwarebytes.
Then get a couple of reboots. Then run the SFC and DISM again and get new FRST logs.

Then run the computer for a couple of days and verify if the BSOD is gone for sure. Then we'll introduce Malwarebytes back into the picture without Avast and verify if the BSOD returns or not.
If all still good then we'll reintroduce Avast back to the system as well and see if the BSOD returns or not.

Please download and use the following tools to uninstall Avast and Malwarebytes temporarily

AVAST
https://support.avast.com/en-us/article/10/

Malwarebytes
https://support.malwarebytes.com/hc/en-us/articles/360039023473-Uninstall-and-reinstall-using-the-Malwarebytes-Support-Tool

(When asked to reinstall Malwarebytes decline and do not reinstall at this time)

 

After both of them have been uninstalled please run the following. Open an elevated Admin command prompt and type the following and press the Enter key
 

SFC /SCANNOW

Then type or run the following and press the Enter key

DISM.exe /Online /Cleanup-image /Restorehealth

Then the following

CHKDSK C: /F 

When it says it cannot lock the volume, press the Y key and restart the computer.

 

Then run FRST again and post back both new logs as an attachment.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Edited by AdvancedSetup
updated information

Didn't find any issues with memtest86, so it's not the RAM.  I've actually only played launcher-based games and no internet browsing since removing Avast and MBAM, as I've found Defender is useless at keeping systems protected.

I've had no crashes (so far), but I only started this testing yesterday without those two suites.  I am, therefore, attaching the latest FRST and Addition logs.

Addition.txt FRST.txt


  • Root Admin

Hello @Hyncharas

What were the results for the SFC, DISM, and CHKDSK routines? Please run the script fix below and it will automatically run these for you.

As for Windows Defender not working well, yes that was true on Windows 7 as it was dismal at detection. Under Windows 10 it is a completely different antivirus and results and reports show that it actually does work rather well.

The logs do show that Avast has not been fully removed. Using the tool from the link I provided should have cleaned it up more.

 

 

The following clean up script will also finish cleaning up and removing many items the Avast clean up tool did not remove.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


So something weird happened with FRST - the moment I pressed "Fix" the system crash-booted.  From what I can tell no changes were made, as all the temporary files are still present...

All important files are backed up, so I am willing to scan with FRST and send new logs to create a new fixlist and try again.  Alternatively, I am prepared to simply do a completely clean install of Windows, wiping the drives.  I await your decision.

This topic is now closed to further replies.