BSOD after computer awakening, no malware detected

[Berkey]

Strange, opened the lid of my laptop, which woke it up, then clicked on my browser, then boom. Haven't installed anything recently, except Virtual box, but it wasn't running at the time, so I'm stumped. Everything is working fine now, so I just wanted to make sure what the cause was as I ran a scan with Malwarebytes and Hitmanpro and nothing showed up.

 

[Golden]

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff88001928c1d, fffff8800bc37a70, 0}

*** WARNING: Unable to verify timestamp for [B][COLOR="Red"]mwac.sys[/COLOR][/B]
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : fwpkclnt.sys ( fwpkclnt!FwpsConstructIpHeaderForTransportPacket0+20a )

Followup: MachineOwner
---------
0: kd> !thread
GetPointerFromAddress: unable to read from fffff800030af000
THREAD fffffa8006fb3a00  Cid 0a84.236c  Teb: 000000007ef7d000 Win32Thread: 0000000000000000 RUNNING on processor 0
IRP List:
    Unable to read nt!_IRP @ fffffa80532e6220
Not impersonating
GetUlongFromAddress: unable to read from fffff80002feeba8
Owning Process            fffffa800c0375e0       Image:         [B][COLOR="red"]mbamservice.ex[/COLOR][/B]
Attached Process          N/A            Image:         N/A
fffff78000000000: Unable to get shared data
Wait Start TickCount      10716026     
Context Switch Count      12             IdealProcessor: 2             
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x00000000009c3d70
Stack Init fffff8800bc38db0 Current fffff8800bc37d50

At first glance, the problem seems to be with Malwarebytes. In my experience, these are always a red-herring caused by a networking issue. Lets check.

fffff880`0bc37ef0  fffff880`00000002
fffff880`0bc37ef8  00000000`00000801
fffff880`0bc37f00  fffff880`017f43b8Unable to load image brnfilelock.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for brnfilelock.sys
*** ERROR: Module load completed but symbols could not be loaded for [B][COLOR="red"]brnfilelock.sys[/COLOR][/B]
 brnfilelock+0xe3b8
fffff880`0bc37f08  fffff800`02ea06c5 nt!RtlGetExtendedContextLength+0x19
fffff880`0bc37f10  00000000`00000000
fffff880`0bc37f18  fffff800`02eb8976 nt!iswctype_l+0x76
fffff880`0bc37f20  00000000`00000000
.
    Loaded symbol image file: brnfilelock.sys
    Image path: brnfilelock.sys
    Image name: brnfilelock.sys
    Timestamp:        Sat [B][COLOR="red"]Feb 22[/COLOR][/B] 07:53:44 [B][COLOR="red"]2014[/COLOR][/B] (5307C3E0)
    CheckSum:         00017B9E
    ImageSize:        00017000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Start Menu\Programs\Blue Ridge Networks	Public:Start Menu\Programs\Blue Ridge Networks	Public

Bingo! The real issue seems to be with the Blue Ridge Networks filter driver conflicting with the Malwarebytes update service.

Check the manufacturer's website for an updated driver, and download it. Create a system restore point. Install the updated driver and monitor for further BSOD's.

 

[Berkey]

“Hi Golden,

First thank you for the response! Blueridge is the company the owns Appguard, but I don't recall any drivers being installed. They also do not have any drivers available on their site.

I have not had a BSOD since that one strange happening, so I'm not sure as to why Appguard and MAlwarebytes butted heads this time.

In the Driver manager the only error I'm having is a Broadcom USH driver, which I haven't been able to resolve it's identification since I've originally installed on this laptop which was last year, before I installed Appguard.

 

[Golden]

There's definately a driver installed as evidenced by its appearance in the. dmp file. At this stage, the only thing I can suggest is to remove AppGuard as clearly it is indeed conflicting with Malwarebytes.

Once you've done that, run Driver Verifier so see if we can isolate the Broadcom driver.

Please do the following:

Run Driver Verifier for 24 hours or the occurrence of the next crash, whichever is earlier.
http://www.sevenforums.com/tutorials/101379-driver-verifier-enable-disable.html

Driver Verifier will cause your computer to run very sluggishly - this is normal. What it is trying to do is force your system to BSOD and isolate the offending driver/s. When it does, reboot, disable driver verifier, reboot as normal and upload the new dmp file/s here.

I recommend creating a system restore point before turning on driver verifier:
http://www.sevenforums.com/tutorials/697-system-restore-point-create.html

If your system fails to boot to desktop once driver verifier is enabled, turn it off by booting into Safe Mode:
http://www.sevenforums.com/tutorials/69585-safe-mode.html

 

[Berkey]

Hi Golden,

It's been a while since I've used this laptop, so I haven't dealt with the problem yet, but today I had another BSOD, but couldn't run the program until ow. Couple questions:

If this program needs to run for 24hrs do I need to avoid using the computer? Also should I disable sleep or any other power saver configurations at all?

 

[Berkey]

Also, there is a broadcom USH driver which gives me the status of :

The drivers for this device are not installed. (Code 28)

There is no driver selected for the device information set or element.


To find a driver for this device, click Update Driver.

But, trying to update, results in a negative. Also couldn't use the ID's in the links from the tutorial either. Just wanted to put this up in case it helped

 

[Golden]

No. When running Driver Verifier, just use the PC as you normally would. Lrave sleep etc. Settings as they are.

What links are yiu referring to?

 

[Berkey]

Sorry, forgot to link it.

http://www.sevenforums.com/tutorials/96442-device-manager-finding-unknown-devices.html

 

[Golden]

Do you mean this link?

Drivers Lookup

 

[Berkey]

Do you mean this link?

Drivers Lookup

Thats the one. Sorry it's been a long couple days