Win11 - Turning off Malwarebytes kills all network adapters. Must restart


Press9

1 minute ago, Press9 said:

No, the kill switch is not turned on.

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

 

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thanks


  • Root Admin

It's past midnight here for me and I'm off work until Monday, but looking at the logs it looks like this is a Business model Surface Pro 7 that I assume came with Windows 10.

Did it come with Windows 10 and you upgraded it to Windows 11 or did it come with Windows 11?

It also says it's a HOME version yet you have a ton of business software on it. Is the version listed in the logs wrong?

Microsoft Windows 11 Home Version 21H2 22000.348 (X64) (2021-11-03 23:08:04)

This seems to be a business computer that one might find connected to a domain, but Windows 10 Home does not support connecting to a domain or using GPO editing tools, etc.

 

These types of programs indicate business

  • Active Directory Authentication Library for SQL Server
  • Avaya Workplace
  • AWS Command Line Interface v2
  • Bomgar Representative Console rsupport.convergys.com
  • ECL Viewer
  • Entity Framework 6.2.0 Tools  for Visual Studio 2019
  • IIS 10.0 Express
  • MSI Development Tools
  • Npcap
  • PuTTY release 0.74
  • Universal CRT Extension SDK
  • VMware Remote Console
  • Windows Software Development Kit

 

 

This appears to be the main culprit or issue.

System errors:
=============
Error: (12/11/2021 12:25:17 AM) (Source: Netwtw10) (EventID: 5010) (User: )
Description: Intel(R) Wi-Fi 6 AX201 160MHz : The network adapter has returned an invalid value to the driver.
5010 - Driver DBG_ASSERT - instead of BSOD

 

Do you have either another physical or virtual computer on the network with the same name? This event indicates that you do.

Error: (12/10/2021 03:02:27 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{8AA61526-26DC-4315-AF1E-9213C226ACE2} because another computer on the network has the same name.  The server could not start.

 

 

Also you can see that Windows Defender is also having issues

 

Windows Defender:
================
Date: 2021-12-08 18:20:30
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2021-12-06 22:12:07
Description:
N/A

Date: 2021-12-06 22:12:06
Description:
N/A

Date: 2021-12-05 18:37:30
Description:
N/A

Date: 2021-12-04 20:31:21
Description:
N/A
Event[0]

Date: 2021-11-23 17:58:15
Description:
Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: Behavior Monitoring
Error Code: 0x80004005
Error description: Unspecified error
Reason: Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.

 

BIOS: Microsoft Corporation 9.107.140 04/30/2021
Motherboard: Microsoft Corporation Surface Pro 7

 

Please double-check and verify that you have the very latest Wi-Fi drivers from Microsoft for this device.

 

You're also running SSL VPN Secure Remote Access (Pulse Secure 9.1), which may possibly conflict with other VPN software.

 

I'll check back on you tomorrow if I can but if not then on Monday.

 

We might have to look at uninstalling Privacy and verifying that all these errors are gone before reinstalling.

 


I hope I get all your questions answered.

Original configuration Surface 7 with Windows 10 Home purchased before pandemic started so I had access to office without bringing my office computer home.

Free upgrade applied to machine recently to move to Windows 11.

Business requirement is Pulse Secure or Cisco AnyConnect to VPN into office.

AV is Windows Defender.

System has worked fine (connecting / disconnecting using either VPN software) until trying to use this.

System continues to work fine until I disconnect from Mal Privacy, then all the network devices are gone.

There is no other machine on my network with that name.  This is the only surface in the household.

I'll get Bomgar removed as I don't use that anymore.

Hope that answers everything.


  • Root Admin

Thanks, @Press9 yes that answers my questions.

Let's do the following then. Please go ahead and uninstall Malwarebytes Privacy using our MBST tool. Once done it will attempt to reinstall both Malwarebytes and Privacy VPN.

Please say no and close the X button on the top right for Privacy. For now, do not allow it to install either program.

 

Please do the following:

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions but do not reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and restart to complete

After the restart please do the following

  • Run the MBST Support Tool again
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

 

Again, I'm off for the weekend and doing some errands but I'll try to reply before Monday if possible.

Thank you

 

 


  • Root Admin

Thank you for the logs @Press9

 

Your DNS Servers: 10.0.0.1  

Please consider changing your default DNS Server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

  • Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

 

ATTENTION: System Restore is disabled (Total:237.28 GB) (Free:133.71 GB) (56%)

Please enable System Protection and create a new System Restore Point

https://itechhacks.com/system-restore-windows-11/

 

 

Your Event Logs show ongoing VSS errors. Please run the following tools. There are two. One from Acronis and one from Macrium Reflect. I'd use both tools to make sure all is okay.

 

Please download and run the following  Volume Shadow Copy Service (VSS), Diagnostic Tool, from Acronis

Acronis VSS Doctor

Free tool for diagnosing and repairing Volume Shadow Copy Service issues. Download link on the bottom of the page.
Download - Acronis VSS Doctor

In many cases, it can correct the issues on its own. If not, then it will give details on what may be causing the issues. Please save the report in text format and post back that log on your next reply.


You can also try the tool from Macrium Reflect if the Acronis tool did not work.

Macrium Reflect Volume Shadow Copy Service (VSS) Repair Tool


Once you've run the repair tool you need to restart your computer.

 

 

Not sure if this error is before or after the uninstall of Malwarebytes Privacy but it's still there.

System errors:
=============
Error: (12/12/2021 12:45:52 AM) (Source: Netwtw10) (EventID: 5010) (User: )
Description: Intel(R) Wi-Fi 6 AX201 160MHz : The network adapter has returned an invalid value to the driver.
5010 - Driver DBG_ASSERT - instead of BSOD

 

 

 

Edge Notifications: Default -> hxxps://remotesupport.concentrix.com

CHR Notifications: Default -> hxxps://calendar.google.com; hxxps://messages.google.com; hxxps://teams.microsoft.com; hxxps://voice.google.com; hxxps://www.dallasnews.com; hxxps://www.facebook.com; hxxps://www.reddit.com; hxxps://www.youtube.com

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

 

You don't appear to be using Norton antivirus or VPN but you still have a couple of left over folders you could consider removing

C:\ProgramData\Norton

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NortonSecureVPN

 

Please run the following fix

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


  • Root Admin

Hi there.

Please explain in a bit more detail what specifically is not working. We can always do a restore but I'd like to keep moving forward if we can.

 

Please restart the computer one more time, then run the MBST tool and gather logs for me and I'll take a look at them tomorrow.

Cheers @Press9


Ok, I felt like I needed to reinstall the OS to clean things up.  May not have been necessary as the version of Pulse Secure (9.0.13) that I was using was flakey.

Getting the latest version has resolved my back office connectivity.

So, where do we start?

Please don't feel compelled to help outside of your support hours.


  • Root Admin

Did you do a Factory Restore or a Clean install of Windows 11 ?

Let me get a new set of logs please.

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


  • Root Admin

Thanks, @Press9

Multiple ongoing errors from VSS

Please run both of the tools below to verify that VSS is working properly

 

Please download and run the following  Volume Shadow Copy Service (VSS), Diagnostic Tool, from Acronis

Acronis VSS Doctor

Free tool for diagnosing and repairing Volume Shadow Copy Service issues. Download link on the bottom of the page.
Download - Acronis VSS Doctor

In many cases, it can correct the issues on its own. If not, then it will give details on what may be causing the issues. Please save the report in text format and post back that log on your next reply.


You can also try the tool from Macrium Reflect if the Acronis tool did not work.

Macrium Reflect Volume Shadow Copy Service (VSS) Repair Tool


Once you've run the repair tool you need to restart your computer.

 

 

 

Application errors:
==================
Error: (12/14/2021 07:26:44 PM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} [0x80040154, Class not registered
].


Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Delete Shadow Copies

Context:
   Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}
   Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator

Error: (12/14/2021 07:26:44 PM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} and Name SW_PROV is [0x80040154, Class not registered
].


Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Delete Shadow Copies

Context:
   Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}
   Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator

Error: (12/14/2021 07:26:44 PM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} [0x80040154, Class not registered
].


Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Get Shadow Copy Properties
   Delete Shadow Copies

Context:
   Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}
   Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator
   Execution Context: Coordinator

Error: (12/14/2021 07:26:44 PM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} and Name SW_PROV is [0x80040154, Class not registered
].


Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Get Shadow Copy Properties
   Delete Shadow Copies

Context:
   Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}
   Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator
   Execution Context: Coordinator

Error: (12/14/2021 07:26:44 PM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} [0x80040154, Class not registered
].


Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Query Shadow Copies

Context:
   Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}
   Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator

Error: (12/14/2021 07:26:44 PM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} and Name SW_PROV is [0x80040154, Class not registered
].


Operation:
   Obtain a callable interface for this provider
   List interfaces for all providers supporting this context
   Query Shadow Copies

Context:
   Provider ID: {74600e39-7dc5-4567-a03b-f091d6c7b092}
   Class ID: {3e02620c-e180-44f3-b154-2473646e4cb8}
   Snapshot Context: -1
   Snapshot Context: -1
   Execution Context: Coordinator
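
An added example, not part of the original post and not code from Malwarebytes or FRST: a small parser for the `Error: (...) (Source: ...) (EventID: ...)` entries quoted in this thread that collapses repeats into one row per source and event ID, so it is easy to see that the Netwtw10 5010 error spans several days and that every VSS entry carries the same CLSID and result code. The function names are this example's own, and the sample log is constructed by abridging the excerpts posted above.

```python
import re
from datetime import datetime

# Header layout and ID patterns as they appear in the excerpts quoted in this thread.
HEADER = re.compile(r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]*)\) "
                    r"\(EventID: (?P<eid>\d+)\) \(User: (?P<user>[^)]*)\)\s*$")
GUID = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")
HRESULT = re.compile(r"\b0x[0-9a-fA-F]{8}\b")

# Constructed sample: entries abridged from the excerpts posted in this thread.
SAMPLE_LOG = """\
System errors:
=============
Error: (12/11/2021 12:25:17 AM) (Source: Netwtw10) (EventID: 5010) (User: )
Description: Intel(R) Wi-Fi 6 AX201 160MHz : The network adapter has returned an invalid value to the driver.

Error: (12/12/2021 12:45:52 AM) (Source: Netwtw10) (EventID: 5010) (User: )
Description: Intel(R) Wi-Fi 6 AX201 160MHz : The network adapter has returned an invalid value to the driver.

Application errors:
==================
Error: (12/14/2021 07:26:44 PM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} [0x80040154, Class not registered
].

Error: (12/14/2021 07:26:44 PM) (Source: VSS) (EventID: 22) (User: )
Description: The error returned from CoCreateInstance on class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} and Name SW_PROV is [0x80040154, Class not registered
].

Error: (12/14/2021 07:26:44 PM) (Source: VSS) (EventID: 12292) (User: )
Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {3e02620c-e180-44f3-b154-2473646e4cb8} [0x80040154, Class not registered
].
"""

def parse_events(text):  # split into events, tracking the '='-underlined section
    events, current, section = [], None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"="}:          # title line above an underline
            section, current = line.strip().rstrip(":"), None
        elif (m := HEADER.match(line)):
            current = {"section": section, "source": m["source"], "event_id": int(m["eid"]),
                       "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"), "body": []}
            events.append(current)
        elif current is not None and line.strip() and set(line.strip()) != {"="}:
            current["body"].append(line.strip())  # multi-line description text
    return events

def summarize(events):  # collapse repeats into one row per (source, event ID)
    rows = {}
    for ev in events:
        row = rows.setdefault((ev["source"], ev["event_id"]), {
            "count": 0, "first": ev["time"], "last": ev["time"], "guids": set(), "hresults": set()})
        row["count"] += 1
        row["first"], row["last"] = min(row["first"], ev["time"]), max(row["last"], ev["time"])
        body = " ".join(ev["body"]).lower()
        row["guids"].update(GUID.findall(body))
        row["hresults"].update(HRESULT.findall(body))
    return rows

if __name__ == "__main__":
    for key, row in summarize(parse_events(SAMPLE_LOG)).items():
        print(key, row["count"], row["first"].date(), row["last"].date(), sorted(row["hresults"]))
```
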


  • Root Admin

There is no rebuilding the machine.

VSS is the underlying core of how Windows is able to save files, how it can create System Restore points.

Basically with VSS not working right you can potentially even lose data.

Please just try to run the tool. I'm trying to help you. If you'd rather we submit this to our QA department we can do that but it will be at least 3 to 5 workdays before a reply from the Support Desk.

Let me know how you'd like to proceed please.

Thank you

 


Guess I'm a little gun shy at this point in regards to executing stuff and the effect it may have on the machine.

I do appreciate the help and if these are the steps needed, then OK.

I'm in support myself and have been on log chasing missions before because the escalation engineer was stalling.

Both programs executed.  VSS did complain about the restore partition not having enough free space, but after mounting it, it doesn't show anything.

Machine was restarted today 15/DEC/2021 @ 6 am CST (-6 GMT)

Reran the MBST tool and attached the log.

mbst-grab-results.zip

