Posts tagged ‘Avira’

Mozy driver could have been behind 100–200 BSODs since the Windows 10 Creators fall update was installed


A post shared by Jack Yan 甄爵恩 (@jack.yan) on

Two very helpful people—bwv848 at Bleeping Computer and Sumit Dhiman at Microsoft—have taken me through the steps to figure out what was going on with my Windows 10 desktop computer, on which I’ve had between 100 and 200 BSODs since the Windows 10 Creators fall update arrived.
   Windows claimed that the error was a DRIVER_IRQL_NOT_LESS_OR_EQUAL in tcpip.sys, but we know that that wasn’t the cause of the crash.
   They had both got to the point where the Driver Verifier had to be run again. On the first attempt, the process had identified an Avira driver, although after removing and reinstalling the anti-virus program, the crashes continued. I had found other dodgy things in the Event Viewer, but solving them didn’t get rid of the BSODs.
   Now that I’m back from holiday—and with Windows 10 crashing one more time and costing me more work that hadn’t been backed up—I gave Driver Verifier one more go.
   I had been averse to it because of the crashes that resulted from it, and had a sense it would tell me the same thing it had in December.
   True to form, Windows wouldn’t even load and it BSODed during the boot. But this time, running Windbg on the dump file revealed something called mobk.sys (Mozy Change Monitor Filter Driver), part of a program called Mozy.
   I’ve never heard of Mozy, but it appears to be a back-up program. Checking my driver, it dates from April 2010 and was installed in 2012—around the time I bought the computer.
   It could well have been installed by me as part of a bundle, or by PB (the retailer).
   Mozy wasn’t helpful. They have a forum, but when you sign up to use it, you get to a page where they want to charge you US$109 for one of their plans. Personally, if I was making software, I’d want reports from people like me. It’s not as though the question was complex: I wanted to know if it made sense to delete the offending driver in safe mode, or maybe download a trial version of their program, then remove it, in the hope that the driver would be overwritten and deleted. It’s only been a couple of hours since I Tweeted them, so I don’t expect any replies till tomorrow.
   Rather than wait, I popped into safe mode and deleted mobk.sys from the system32\drivers folder.
   These errors are deeply frustrating and in direct contrast to the stability that my Imacs have exhibited. Even though I’ve tired of OS X, at least I wasn’t losing work because of three to six BSODs per day.
   The advice I can give to others is to create a system restore point, then run the Driver Verifier, and repeat the two processes until a culprit has been identified.
   There are a few silver linings to this: I got rid of certain software which might have been insecure, and the random resets were quite handy in “clearing” the PC sometimes when I was doing work on it remotely.
   I wonder what had changed in Windows between the spring and fall Creators updates that generated this very serious problem. I haven’t seen Windows crash this often since a dying laptop, on Vista, needed a fresh OS installation (it now runs Ubuntu). I’m still of the mind that Microsoft shipped a lemon, given that I’ve had no end of problems with this OS since it launched, from inconsistent behaviour (Windows 10 would originally be different each time it booted up, from Cortana settings to which keyboard it believed I was using), to very difficult updates (Anniversary took 11 attempts on this PC and never made it on to my laptop even after 40 attempts; it only updated to Creators because all other updates would fail).
   While I can understand that there was no way either Mozy or Microsoft could have checked on a 2010 driver for compatibility, and there are so many configurations of Windows out there, there’s still no escaping that Windows 10 could have shipped with fewer bugs. Happily, as it turned out, the troubleshooting procedures may have worked, even if things wound up taking a month.
   I’ll blog again if I’m wrong about Mozy.

PS. (January 18): After 24-plus hours with no crashes, I got another one, with the same message. Following my own advice, I ran the driver verifier again. Windbg pointed this time to Oracle Virtualbox. I intentionally ran an older version of this because since 2015, no newer version would work due to its hardening feature. Faced with no choice but to update, it had the same error which, finally, I traced to Mactype. This was the error, for those searching:

The virtual machine ‘Windows XP’ has terminated unexpectedly during startup with exit code -1073741819 (0xc0000005). More details may be available in ‘C:\Users\User\VirtualBox VMs\Windows XP\Logs\VBoxHardening.log’.

Result Code:
E_FAIL (0x80004005)
IMachine {85cd948e-a71f-4289-281e-0ca7ad48cd89}

The key is to insert these three lines into Mactype.ini:


   The error also picked up that there were McAfee drivers left behind from what should have been a full removal. I ran mcpr.exe, found in a thread with the ever-helpful Peter (Exbrit on the McAfee forums). Mcpr.exe did not remove the three drivers, so I took them out manually (despite this going against expert advice): mfeclnrk.sys, mfencbdc.sys and mfencrk.sys. There was also a driver from Malwarebytes, which I downloaded after expert advice in the wake of the damage done by Facebook and its forced download in 2016. Malwarebytes had to be removed with a program called mb-clean as it didn’t show up in the Windows 10 programs’ list.
   One important point: when the system restored itself after the latest crash, it appeared the old mobk.sys reinstalled itself into system32\drivers. I removed it again in safe mode. I’ve since created multiple restore points so hopefully none of the now-removed drivers resurface to cause problems again.
   I am very happy that I’m running the latest Virtualbox, too, since posting in 2015 resulted in no solid leads. It’s why I’m posting all of this stuff, in the hope others find it useful.—JY

P.PS. (January 22): No crashes for three days, I update both the Microsoft and Bleeping Computer threads with the good news, and within nine minutes, bam! Oracle VM Virtualbox is to blame again, if the driver verifier is accurate. That was yesterday. Today, I attempted to remove the program from the Windows Control Panel. Merely removing it caused three BSODs for three attempts, literally within minutes of each other. I booted into safe mode once, tried to remove it (I couldn’t), then back to the regular mode. I was then able to remove Virtualbox. I have since reinstalled it—let’s see what happens next.—JY

P.P.PS. (January 23): Two BSODs this afternoon, still so very disappointed software is this unreliable today. Removing a networking driver from Virtualbox has made no difference. Same error as before. I haven’t re-run driver verifier, but I have now updated MacType to the latest version and double-checked the ini file changes are still there.—JY

P.P.P.PS. (January 24): MacType update did nothing. Bwv848 recommends removing Oracle Virtualbox altogether. I may have to do that, and reinstall it only when I need it, and see what happens. Sumit at Microsoft has given up for the time being.—JY

P.P.P.P.PS. (January 25): After one more crash despite some tweaking of the power options last night, I removed Oracle Virtualbox this morning. There were five remaining drivers that removal did not address, two from the latest version (VBoxNetAdp6.sys and VBoxNetLwf.sys) and three from the old one (VBoxNetAdp.sys, VBoxNetFlt.sys and VBoxUSB.sys). I manually removed them. No crashes since, though I will be interested to know if reinstalling, without any of the old drivers present, will make a difference.—JY

P.P.P.P.P.PS. (January 26): Got to its first crash by 11.45 a.m. Driver verifier now blames CLVirtualDrive.sys. Found one user on Virtualbox’s forum who had the DRIVER_IRQL_NOT_LESS_OR_EQUAL crash but the mod doesn’t like me helping out (very protective people, who don’t like their favourite software criticized). A system restore saw Oracle Virtualbox return, even though I made a restore point long after I deleted it. Let’s see what CLVirtualDrive.sys is. Four BSODs before noon. Man from Mozy got back to me—the first contact other than on Twitter—because they wound up spamming me and never responded to my original support question. Amazing how a few events—including Facebook’s forced download in 2016—have directly led to this time-wasting point in 2018.—JY

Enough postscripts. The next episode of the saga is here.

Tags: , , , , , , , , , , , , ,
Posted in technology, USA | 3 Comments »

Solving my BSODs with Windows 10 Creators fall update—it’s not the usual culprits


Amazingly, Microsoft Windows 10 Creators fall update arrived last week on my desktop PC, and it took all of 25 minutes to do (running a Crucial 525 Gbyte SSD). (Add an extra 35 minutes for me to put my customizations back in.) This is in contrast to the Anniversary update, which took 11 attempts over many months, including one that bricked my desktop PC and necessitated repairs back at PB Technologies.
   However, I began getting regular BSODs, with the error message ‘Driver_IRQL_not_less_or_equal’ (all in caps), saying that tcpip.sys was the system file affected. An analysis of the minidump file using Windmp revealed that the cause was netio.sys (add ‘Netio!StreamInjectRequestsToStack+239’ if you want the full line).
   There were few people with a similar issue, though I can always count on people in the industry who help—usually it’s folks like Cyrus McEnnis, whom I have known since we were in the third form at Rongotai College, or Aaron Taylor, or, in this case, Hayden Kirk of Layer3, who pointed me in the right direction (that it was either hardware or drivers).
   First up, Windows Update isn’t any help, so let’s not waste any time there.
   Secondly, Device Manager was no help, either. Getting Windows to find updated drivers doesn’t necessarily result in the latest ones being downloaded. If the file that was crashing was tcpip.sys, then it does hint at something afoot with the TCP/IP, i.e. the networking.
   I couldn’t solve it through a virus scan, since a full one would never complete before I got another BSOD. (In fact, one BSOD knocked out Avira, and it had to be reinstalled.)
   It wasn’t Nvidia Control Panel, which was a regular culprit that people pointed to. I did remove and reinstall, just to be on the safe side, but that didn’t fix the problems.
   I had used the ‘Update driver’ option in the Device Manager for my network adapter, the Realtek PCIe GBE Family Controller #2, and while it did update, it wound up on version 1.
   Without much to lose, I decided to feed in the full name of the adapter to look for drivers. Realtek’s website took me here, where I selected the Win10 Auto Installation Program.
   This installed a driver that was version 10, and last updated on December 1, 2017, according to Realtek’s website (the driver is dated October 3, 2017).
   So far I’ve been BSOD-free, and things appear to have settled down.
   If you’re interested, I filed a bug report at Bleeping Computer, and my dump files are there.
   Also remarkable is that my Lenovo laptop, which had attempted to install various Windows 10 updates for over a year, and failing each time (I estimate over 40 attempts, as usually I let it run most times I turn that laptop on; as of April 18 it was at 31 attempts). That laptop was on near-factory settings, so the fact no Windows update would work on it was ridiculous. (I’ve even seen this at shops, where display laptops have Windows update errors.)
   Again, there’s plenty of advice out there, including the removal of Avira as the antivirus program. I tried that a few times over the first 31 attempts. It made no difference.
   I am happy to report that over the weekend, the spring Creators Update actually worked, using the Update tool, and the only alteration I made to Avira was the removal of its System Speedup program.
   And as of this morning, the same computer wound up with the newer fall update.
   There haven’t been BSODs there but to me it confirms that Microsoft’s earlier updates were incredibly buggy, and after two years they’ve managed to see to them.
   I can report that the advice on the Microsoft forums didn’t work and I never needed to result to using the ISO update methods. The cure seemed to be patience and allowing multiple attempts. Since Windows 10 behaves differently each time you boot it up anyway, one of those times might have been compatible with the update patches.
   Hopefully the above helps those who have been struggling with getting their Windows 10s to update. I’d advise against attempting some of the more extreme solutions, especially if your gut or your logic tells you that you shouldn’t need to go to those lengths just to update, when easier solutions worked perfectly fine when you were on Windows XP or Windows 7.

PS., December 12: After a day without crashes post-driver-update, they returned the following day. Investigations are ongoing … I’ve updated the Bleeping Computer link page.

P.PS.: Updated a remote-access program as well as Java (which hadn’t updated despite it having been set to automatic updates). During the former, I had another BSOD as it tried to shut down various network services. Wish I wrote down what they were. However, it does point at a networking issue. Also I saw some hackers in Latvia and the Netherlands try to get in to the system and blocked their IPs. Coincidentally, they had not attempted anything yesterday, which was the day I didn’t have BSODs.

P.P.PS.: Event Viewer revealed those hackers were really going for it. Hayden says it was a ‘port exhaustion hack’, which does, logically, affect TCP/IP. I’ve replaced the remote desktop program, though Java 8 wound back on the desktop because of another program I run. The PC has stayed on since the afternoon, so hopefully that is that. It does mean a day wasted on IT—and it does seem worrying that Windows 10 Creators fall has potentially more holes by default, or somehow falls over more easily when attacked. Those attacks had always come, but they never resulted in BSODs. It was, overall, more robust in updating but it may have some other problems, if the last few days are any indication.
   The external HD was also moved to another USB port. There could be a connection to USBs, as it crashed once after my partner unplugged her phone, and on another occasion I distinctly heard the external HD activate just before a BSOD.

P.P.P.PS.: The above never solved it, but one month on, this might have done the trick.

It didn’t do the trick. Here’s the next part.

Tags: , , , , , , , , , , , , ,
Posted in design, technology, USA | 2 Comments »

What Facebook’s anti-malware malware does to your Windows 10 computer


When I said in January that Facebook’s and Kaspersky’s anti-malware malware (there’s no better term for it, though of course they will deny that it was malware) had it in for McAfee, what did I mean?
   As some of you know, I fell for Facebook’s insistence that I download its malware if I wanted to gain access to the site, and no, I was not phished. This is a “feature” that Facebook and Kaspersky have bragged about.
   After you download the program from Kaspersky, that company refuses to tell you how to remove it from your computer. It doesn’t appear in your installed programs’ list. I put a very polite comment at their blog entry on the subject, but it was never approved. They don’t want to help people who were laboured with this unnecessary and invasive software. I once thought highly of Kaspersky, but their willingness to collaborate with Facebook, their opaqueness on this matter, and the earlier (unproven) accusations that they were party to faking malware to harm rival products have made me highly wary of the firm. I’ll never purchase anything from them because of their behaviour, at least till I see some change that they are willing to get with the programme as far as transparency and integrity are concerned.
   Thanks to Reddit, I learned how to remove what I could, but the fact remains that after the whole Facebook–Kaspersky scan for non-existent malware, McAfee would not work properly any more. This wasn’t due to any other malware—I had run a very comprehensive series of legitimate malware scans guided by an expert in Germany at Bleeping Computer in the wake of this incident, and confirmed all was well. As far as I could tell, the only noticeable change to my system was what Facebook put on.
   I was eventually forced to remove McAfee after 27 years of using their products, in favour of Avira. This is why: whatever was left on the computer kept fighting McAfee to turn itself off (above right, and video below). My Windows computer didn’t like the idea of having no antivirus program. I had attempted to reinstall McAfee once already, which stopped this behaviour for about a week. McAfee Virtual Technician could not resolve it, and I never got very far with McAfee support (as opposed to the incredibly helpful people on their forums). Over a month after Facebook forced its download on me, I was still paying the price of following their instructions—when we should know by now that anything these idiots tell you cannot be of any advantage to the user. Sometimes, when you get their warnings at 3 a.m., you don’t necessarily think as clearly as you would at 3 p.m.

   I don’t know how many hours I wasted on this in total, but I know I have saved many users a lot of time. For many days I found a lot of other Facebookers forced to do the same, and gave them some simple advice so that they would not fall into the same trap. Others have come to this blog: I’ve had some decent traffic around the two posts I wrote on the subject.
   People really need to know that not only is Facebook messing around with your settings and tracking you, they are putting things on your computer. I’m glad, then, that I will principally remain there for a few messages, and page and group administration—the latter very necessary given all the bots and spammers that now plague the website. I’m sure I can’t be alone in spotting numerous spammers per day, spammers which Facebook often does nothing about when reported. That, too, should make us wonder.

Tags: , , , , , , , , , ,
Posted in business, internet, USA | 3 Comments »