
DNS problems, BSOD problems lead to turning off Web Protection


jono1


I have been running Malwarebytes successfully for several years on 5 machines across two houses. The machines are all Windows 10. The houses are connected by a VPN tunnel between Unifi routers. About a month ago I started having DNS problems where no external ip addresses could be reached and I was getting BSODs on multiple machines. Before that I was having some issues with Malwarebytes not opening and used the support tool to fix it (though it took a long time and didn't always fix it).

Based on information I saw on this and other forums I turned off Web Protection.  This solved the DNS and BSOD problems on each machine.   Interestingly, when I had the problem, each machine was ok for a brief period of time after a reboot but quickly started having problems again.  

Was it a Malwarebytes update that has caused this?  If so, am I better off using a previous version?  I do regular updates of Windows so I suppose that could have broken something as well.

I'm just happy to have a stable system again, but it is without Web Protection, so I am running Windows Defender as a supplement.


@jono1 Hi and welcome. Sorry for the delay. An unknown issue placed your post in an approval state.

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

 

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thanks

Edited by Porthos

I will try and grab the logs from a few of my machines.  I may have deleted them when I was trying to do clean installs during my week of troubleshooting.  I remember going into program data and deleting them. But I will submit what I have.  If there is not a problem in the logs, I'm sure I can recreate it by turning on the web protection.  I have added the zips from 4 computers (named bp, bp2, sp2 and of)

 

mbst-grab-results of.zip
mbst-grab-results sp.zip
mbst-grab-results bp.zip
mbst-grab-results bp2.zip


  • Root Admin

I don't see an obvious issue on Computer logs 01 that would indicate a reason why DNS would be an issue at the moment. @jono1

 

Let's work on each computer, one-by-one and do some generic clean up and see if that helps correct your issues or not.

 

 

Computer: BP (Dell Inc. XPS 8500)


Please uninstall the following. Go to Control Panel, Programs, Programs and Features

 

  • CCleaner (computer experts no longer recommend this program)

 

 

You have a Firewall block which may or may not be causing you some issues

FirewallRules: [UDP Query User{CD79325A-3F11-4383-9C9E-502B0ED1F5D0}C:\program files (x86)\internet explorer\iexplore.exe] => (Block) C:\program files (x86)\internet explorer\iexplore.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [TCP Query User{D458A2F3-2B11-4908-B87F-16BFD11F5085}C:\program files (x86)\internet explorer\iexplore.exe] => (Block) C:\program files (x86)\internet explorer\iexplore.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{460F3413-0DB4-40BD-9DF0-081239E60772}] => (Block) C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe (Intel Corporation -> )
FirewallRules: [{689C6920-6E46-458A-847B-A4E2DAE01788}] => (Block) C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe (Intel Corporation -> )


You have some type of network connection issue that may or may not be related but should be researched to see if it's an issue or not.

System errors:
=============
Error: (12/26/2021 12:53:01 PM) (Source: Schannel) (EventID: 4106) (User: NT AUTHORITY)
Description: An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.

 


You may want to rethink allowing Push Notifications

CHR Notifications: Default -> hxxps://app.slack.com; hxxps://shop.homeseer.com

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


Thank you for making this effort to help fix my machines.  I do have a question before I run it.  On each of the four machines that I uploaded logs most problems ceased when I stopped running Malwarebytes Web Protection.  The only problem I still see on the BP machine when web protection is off is that Malwarebytes doesn't always open, or can take a really long time to open, but the service is still running in the task manager.

If I understand correctly, I should remove CCleaner, turn  off windows defender and malwarebytes, run the fix.   Then turn on windows defender and malwarebytes (including web protection) and see if I have any problems.  

I think the problem with the logs is that I removed most of them when I was trying to fix this on my own.  Can you tell me how far the logs go back in time?


  • Root Admin

You do not run this FIX on other machines. Each computer is unique and may need adjustments to the script.

If the computer is not working with Web Protection enabled then we really need to dig in and see why. Run the fix on this machine and we'll proceed and see what we find and go from there.

Thanks @jono1

 


I have been running the fix but it’s been going almost 12 hours. I have a cursor available on my desktop but it doesn’t allow me to do anything, and if I scroll over the taskbar I get a blue rotating circle. At what point should I hard reboot my machine?


  • Root Admin

I really don't want to but since the script has a 60 minute time out it looks like something went wrong. Please go ahead and hard restart if needed.

NOTE: I may not be able to reply again until Saturday. I'll try to hang around a few more moments while you reboot @jono1 but then we'll probably need to take this back up again on Saturday

Thanks

 


  • Root Admin

Well, it's 5:00 AM and I still haven't been to sleep. I'm heading to get some rest. If your system did become unstable from this then you can do a System Restore as the program creates one before it does anything.

I'll check back with you as soon as I can but it may not be until Saturday

Cheers

 


There is a fix log file but it is 0 kb.  Machine did start up again but running slowly. I am going to turn on web protection to see if I still get errors and if so at least the new logs will have them.


Eventually Malwarebytes started up. I turned on web protection and then DNS stopped working again. I have to reboot the machine to get DNS to work.  Presumably any logs would now capture this and I will attach here after I get them with the support tool


  • Root Admin

It looks like Malwarebytes had an issue as did Dell Support.

Please do the following. Use our MBST tool to uninstall Malwarebytes but for now please DO NOT reinstall it when asked.

Also, the Privacy will try to install, cancel that as well. Do not reinstall any Malwarebytes software until given the all clear sign.

 

 

Can you please do the following?

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions but DO NOT reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and restart to complete

After the restart please do the following

  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you @jono1

 

 


  • Root Admin

Hello @jono1 and Happy New Year

It looks like one set of logs from Farbar are not present that I was looking for.

Please run Farbar again manually and get me new logs.

  • FRST.txt
  • Addition.txt

 

If needed here is the information for Farbar

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

Thank you

 

 

Edited by AdvancedSetup
Updated information

  • Root Admin

Hello @jono1

 

Neither of these files are signed and both are from 2012 long before Windows 10 was even released. 

R2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [327296 2012-12-27] (Qualcomm Atheros -> Atheros) [File not signed]
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [81536 2012-12-26] (Qualcomm Atheros -> Atheros) [File not signed]

 

Have you looked for validated and updated drivers for those above?

 

The following errors were also logged today.

System errors:
=============
Error: (01/01/2022 12:44:03 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The GoodSync Server service hung on starting.

Error: (01/01/2022 12:40:18 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Dell Data Vault Processor service hung on starting.

 

I would highly suggest you visit the Dell Support site and input your Service Tag number and allow Dell to automatically scan your hardware and install updated device drivers.

https://www.dell.com/support/contents/en-us/article/product-support/self-support-knowledgebase/software-and-downloads/supportassist

https://www.dell.com/support/home/en-us?app=drivers
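
The FRST lines quoted in the replies above (blocked firewall rules, unsigned service binaries dated 2012) can be pulled out of a log mechanically. This is an added example, not part of the original thread and not Malwarebytes or Farbar tooling; the regular expressions are inferred only from the excerpts shown here, and the `triage` name and the last sample line are constructed for illustration.

```python
import re
from datetime import date

WIN10_RELEASE = date(2015, 7, 29)  # Windows 10 general availability

# Patterns inferred from the excerpts in this thread (an assumption, not a
# published FRST grammar).
FIREWALL = re.compile(
    r"^FirewallRules: \[(?P<rule>.*?)\] => \((?P<action>\w+)\) "
    r"(?P<path>.+?) \((?P<signer>[^()]*->[^()]*)\)$")
SERVICE = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^()]*)\)"
    r"(?P<unsigned> \[File not signed\])?$")

# First four lines are copied from the excerpts in this thread; the last one
# is constructed here as a signed, recent service for contrast.
SAMPLE = r"""
FirewallRules: [TCP Query User{D458A2F3-2B11-4908-B87F-16BFD11F5085}C:\program files (x86)\internet explorer\iexplore.exe] => (Block) C:\program files (x86)\internet explorer\iexplore.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{460F3413-0DB4-40BD-9DF0-081239E60772}] => (Block) C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe (Intel Corporation -> )
R2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [327296 2012-12-27] (Qualcomm Atheros -> Atheros) [File not signed]
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [81536 2012-12-26] (Qualcomm Atheros -> Atheros) [File not signed]
R2 ExampleSvc; C:\Program Files\Example\svc.exe [10240 2021-06-01] (Example Corp -> Example Corp)
"""

def triage(log_text):
    """Return (blocked_programs, flagged_services) from FRST-style lines."""
    blocked, flagged = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = FIREWALL.match(line)
        if m and m["action"].lower() == "block":
            blocked.append(m["path"])
            continue
        m = SERVICE.match(line)
        if m:
            reasons = []
            if m["unsigned"]:
                reasons.append("unsigned")
            if date.fromisoformat(m["date"]) < WIN10_RELEASE:
                reasons.append("predates Windows 10")
            if reasons:
                flagged.append((m["name"], m["path"], reasons))
    return blocked, flagged

if __name__ == "__main__":
    blocked, flagged = triage(SAMPLE)
    for path in blocked:
        print("BLOCK rule:", path)
    for name, path, reasons in flagged:
        print(f"{name}: {path} ({', '.join(reasons)})")
```
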

 

 


Thanks.  I use Dell support assist pretty regularly to keep up to date.  The drivers you cite are old because this machine predates Windows 10. I don’t use Bluetooth or wifi on this machine so I never worried about finding Windows 10 drivers and could run them in Windows 7 compatibility mode if needed.

More importantly I have the same dns problem on much newer machines that would not have any pre-Windows 10 hardware.  And for all my machines the problem stops when Malwarebytes web protection is turned off.   I am wondering whether now Malwarebytes Web protection is incompatible with my VPN tunnel between houses. I had everything running fine for a few years and these problems only started in the past two months.


  • Root Admin

It is quite possible there is an issue with our program if you're using a VPN to connect between machines. But normal DNS should not be an issue. I need your help to try to help you but if you feel it's not worth the time to continue trying or are frustrated at this point, we can offer you a refund on the product. We want you to be happy with the product and want to help however we can if possible.

 

As for this machine, its BIOS shows it is from 2018 and Windows 10 came out in 2015. It's up to you what you run on your system; I'm just saying that I believe there are probably newer drivers for a 2018 computer and that Dell did not ship the computer even with Windows 7 and drivers from 2012. By 2018 it was almost impossible to buy a computer anywhere that was not running Windows 10 as Microsoft on purpose made it difficult for Vendors to do so.

BIOS: Dell Inc. A14 06/25/2018
Motherboard: Dell Inc. 0YJPT1


 

Please let me know how you'd like to proceed, and I'll be happy to assist.

Thank you @jono1

 

 


May I suggest a better strategy is to work on one of my newer machines having the same problem?  Let's use the SP machine (see early post with the uploads).  That machine is only a year or two old and was built with Windows 10.   I think the Windows 10 on an older machine issue is a distraction not related to the problem, so let's eliminate it.   :-)

When web protection is on, the SP machine has dns problems for external websites (email etc) but no problem connecting to machines on my LAN (even across houses on the VPN).  This only started happening recently, and only when web protection is on.

Thanks and I appreciate your help on this.  I'm not looking for a refund, I just want that great Malwarebytes protection without breaking DNS.


  • Root Admin

How are you managing the IP of the remote system over time? Meaning that on your own network you can force a computer to keep a static IP but if you're connecting to other personal computers over the Internet how do you know their IP at all times over the years?

 


Two houses with a router in each house. Each router WAN address known using DynDNS.  Within each house all computers are on a static IP determined by the router. The routers are connected by a VPN tunnel so I can get to the other house computers with a local IP address. The third triplet in the IP address defines the house.

When I have problems it is purely with outside IP addresses


  • Root Admin

Yes, digging into the logs more I did find that. I'm not sure if you're aware and if there is anything you can or should do for changes or updates but it looks like Oracle bought out DYN DNS? Not sure when that was but that was the type of software I was looking, thinking of.

https://www.oracle.com/cloud/networking/dns/

If you can check on that and let me know that would be great.

Thanks

 


  • Root Admin

What VPN solution are you using? Did you set up a regular Windows 10 VPN? I'm not seeing an IPSec tunnel in the logs.

On another note Windows Defender has had off and on issues updating and finding updates as well, so finding the root cause and correcting needs attention for sure.

 

This topic is now closed to further replies.