question

222breach-4484 asked Docs-4663 edited

Can anyone make this error log make sense

So I've been suspecting that my computer has some advanced malware attacking it for the past few days. Today my computer told me my PIN was incorrect multiple times despite it being the correct PIN; then the challenge code pops up and, before I can type in anything, my computer bluescreens.


Microsoft (R) Windows Debugger Version 10.0.22415.1003 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff803`26200000 PsLoadedModuleList = 0xfffff803`26e2a270
Debug session time: Tue Oct 26 12:43:25.468 2021 (UTC - 5:00)
System Uptime: 1 days 22:03:27.576
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.........
Loading User Symbols
PEB is paged out (Peb.Ldr = 000000df`90862018). Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff803`265f71b0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffff883`e3bd7020=0000000000000139
3: kd> !analyze -v

*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff883e3bd7340, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff883e3bd7298, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

KEY_VALUES_STRING: 1

 Key  : Analysis.CPU.mSec
 Value: 2296

 Key  : Analysis.DebugAnalysisManager
 Value: Create

 Key  : Analysis.Elapsed.mSec
 Value: 3323

 Key  : Analysis.Init.CPU.mSec
 Value: 2686

 Key  : Analysis.Init.Elapsed.mSec
 Value: 70753

 Key  : Analysis.Memory.CommitPeak.Mb
 Value: 87

 Key  : FailFast.Name
 Value: CORRUPT_LIST_ENTRY

 Key  : FailFast.Type
 Value: 3

 Key  : WER.OS.Branch
 Value: vb_release

 Key  : WER.OS.Timestamp
 Value: 2019-12-06T14:06:00Z

 Key  : WER.OS.Version
 Value: 10.0.19041.1


BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: fffff883e3bd7340

BUGCHECK_P3: fffff883e3bd7298

BUGCHECK_P4: 0

TRAP_FRAME: fffff883e3bd7340 -- (.trap 0xfffff883e3bd7340)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff80340d94310 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80340d796ba rsp=fffff883e3bd74d0 rbp=ffffffffffffffff
r8=00000000615333e3 r9=00000000000000be r10=ffffc1010020b100
r11=ffffc1010020b1be r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
mbamswissarmy+0x196ba:
fffff803`40d796ba cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: fffff883e3bd7298 -- (.exr 0xfffff883e3bd7298)
ExceptionAddress: fffff80340d796ba (mbamswissarmy+0x00000000000196ba)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME: MBAMService.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000003

EXCEPTION_STR: 0xc0000409

STACK_TEXT:
fffff883`e3bd7018 fffff803`26609169 : 00000000`00000139 00000000`00000003 fffff883`e3bd7340 fffff883`e3bd7298 : nt!KeBugCheckEx
fffff883`e3bd7020 fffff803`26609590 : 00000000`00001001 00000000`00000fff 00000000`0010019f 00000000`00020000 : nt!KiBugCheckDispatch+0x69
fffff883`e3bd7160 fffff803`26607923 : 00000000`00000f6e ffffd88d`00000000 00000000`00001001 00000000`00000fff : nt!KiFastFailDispatch+0xd0
fffff883`e3bd7340 fffff803`40d796ba : 00000000`00000002 00000000`00000000 00000000`00000000 ffffc100`eb0c1060 : nt!KiRaiseSecurityCheckFailure+0x323
fffff883`e3bd74d0 fffff803`40d77d5a : 00000000`00000002 00000000`000000c0 00000000`00000000 ffffc100`e7201c00 : mbamswissarmy+0x196ba
fffff883`e3bd7510 fffff803`40d77b9b : ffffc100`eb0c1060 fffff883`e3bd7620 00000000`00000000 00000000`00000000 : mbamswissarmy+0x17d5a
fffff883`e3bd7570 fffff803`40d78737 : 00000000`00000000 ffffc100`eb0c1060 fffff883`e3bd7630 ffffd88d`ca5ca0c0 : mbamswissarmy+0x17b9b
fffff883`e3bd75d0 fffff803`40d69c9c : ffffd88d`cf4f9410 fffff883`e3bd76b8 00000000`00000000 ffffc100`eb0c1060 : mbamswissarmy+0x18737
fffff883`e3bd7650 fffff803`40d98648 : ffffd88d`cf4f94e0 00000000`00000000 00000000`00000000 00000000`00000000 : mbamswissarmy+0x9c9c
fffff883`e3bd76b0 fffff803`2648f6f5 : ffffd88d`cf4f9410 00000000`00000002 00000000`00000000 ffffd88d`d06862b0 : mbamswissarmy+0x38648
fffff883`e3bd7700 fffff803`268758f8 : ffffd88d`cf4f9410 00000000`00000000 00000000`00000000 ffffd88d`ca5ca0c0 : nt!IofCallDriver+0x55
fffff883`e3bd7740 fffff803`268751c5 : 00000000`00222406 fffff883`e3bd7a80 00000000`00040005 fffff883`e3bd7a80 : nt!IopSynchronousServiceTail+0x1a8
fffff883`e3bd77e0 fffff803`26874bc6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x5e5
fffff883`e3bd7920 fffff803`26608bb5 : fffff883`e3bd7a18 00000000`00000000 00000000`00000000 ffffd88d`cb0dabf0 : nt!NtDeviceIoControlFile+0x56
fffff883`e3bd7990 00007ffe`308cce54 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000df`981ff198 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`308cce54


SYMBOL_NAME: mbamswissarmy+196ba

MODULE_NAME: mbamswissarmy

IMAGE_NAME: mbamswissarmy.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 196ba

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_mbamswissarmy!unknown_function

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {21b9e1f3-0f98-f424-a649-bfe9ada02f6f}

Followup: MachineOwner



windows-10-general
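The dump above, reduced to the fields a responder actually reads, as an added example (not code from this thread, from Microsoft or from Malwarebytes): a small Python triage helper that parses `!analyze -v` text for the bugcheck code, the 0x139 fail-fast subcode, the faulting image and calling process, and the first stack frame outside ntoskrnl. SAMPLE is a constructed excerpt of the lines posted above; the FAST_FAIL table is a partial copy of the subcodes defined in winnt.h.

```python
import re

# Fail-fast subcodes reported as Arg1 of bugcheck 0x139 (partial list, copied from winnt.h).
FAST_FAIL = {2: "STACK_COOKIE_CHECK_FAILURE", 3: "CORRUPT_LIST_ENTRY", 4: "INCORRECT_STACK",
             5: "INVALID_ARG", 10: "GUARD_ICALL_CHECK_FAILURE"}

# Constructed excerpt: lines copied from the !analyze -v output posted above.
SAMPLE = """\
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
PROCESS_NAME: MBAMService.exe
STACK_TEXT:
fffff883`e3bd7340 fffff803`40d796ba : 00000000`00000002 00000000`00000000 00000000`00000000 ffffc100`eb0c1060 : nt!KiRaiseSecurityCheckFailure+0x323
fffff883`e3bd74d0 fffff803`40d77d5a : 00000000`00000002 00000000`000000c0 00000000`00000000 ffffc100`e7201c00 : mbamswissarmy+0x196ba
fffff883`e3bd7700 fffff803`2648f6f5 : ffffd88d`cf4f9410 00000000`00000002 00000000`00000000 ffffd88d`d06862b0 : nt!IofCallDriver+0x55
fffff883`e3bd7920 fffff803`26608bb5 : fffff883`e3bd7a18 00000000`00000000 00000000`00000000 ffffd88d`cb0dabf0 : nt!NtDeviceIoControlFile+0x56
MODULE_NAME: mbamswissarmy
IMAGE_NAME: mbamswissarmy.sys
"""

FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]+):[ \t]+(.+?)\s*$", re.M)
# One STACK_TEXT frame: child SP, return address, four args, then the symbol.
FRAME_RE = re.compile(r"^[0-9a-f`]{17} [0-9a-f`]{17} : .* : (\S+)\s*$", re.M)

def parse_analysis(text):
    """Return (KEY: value fields, stack symbols from the top frame down)."""
    return dict(FIELD_RE.findall(text)), FRAME_RE.findall(text)

def triage(text):
    """Reduce a transcript to the facts a responder reads first."""
    fields, frames = parse_analysis(text)
    code = int(fields["BUGCHECK_CODE"], 16)
    p1 = int(fields.get("BUGCHECK_P1", "0"), 16)
    non_kernel = [f for f in frames if not f.startswith("nt!")]  # frames outside ntoskrnl
    return {
        "bugcheck": f"0x{code:x}",
        "fast_fail": FAST_FAIL.get(p1, f"unknown({p1})") if code == 0x139 else None,
        "image": fields.get("IMAGE_NAME"),
        "process": fields.get("PROCESS_NAME"),
        "first_nonkernel_frame": non_kernel[0] if non_kernel else None,
        # NtDeviceIoControlFile below the driver means a user-mode DeviceIoControl reached it.
        "reached_via_ioctl": any(f.startswith("nt!NtDeviceIoControlFile") for f in frames),
    }

def summarize(text):
    t = triage(text)
    where = t["first_nonkernel_frame"] or "the kernel image"
    via = f" while handling an IOCTL from {t['process']}" if t["reached_via_ioctl"] else ""
    return f"{t['bugcheck']} {t['fast_fail'] or ''}: integrity check tripped in {where}{via} ({t['image']})"
```

For this dump it reports the CORRUPT_LIST_ENTRY fail-fast tripped inside mbamswissarmy.sys while an IOCTL from MBAMService.exe was being serviced, which is the same fact the FAILURE_BUCKET_ID line encodes.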

1 Answer

Docs-4663 answered Docs-4663 edited

Please run ESET bootable and post images of the results into this thread:
https://endpointsecurity.ca/eset-free-sysrescue-live-usb/

Run the V2 log collector and post a share link into this thread using OneDrive, Dropbox, or Google Drive.

https://www.windowsq.com/t/bsod-posting-instructions.17/
https://www.windowsq.com/resources/v2-log-collector.8/
https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html
Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post: Vote = a helpful post
