SwissArmy vs nvlddmkm



So I've had nVidia driver issues for some time where they seemingly randomly crash during various activities. Today it crashed at probably the most infuriating time, so this time I decided to peel apart the event logs and try to correlate some data. What I discovered is that every driver crash (event 4101) (which is actually anywhere between 2-5 individual crashes) happens right after multiple 7045 events for MBAMSwissArmy installing as a service (2-3 events). Immediately after this service install, it says "Mbamchameleon Failed to obtain file name information - C01C0005", although the hex value varies each time. Then the driver crashes happen.

I've seen some very helpful technical people reply to these types of posts so I wanted to start here before I potentially opened any cases. I've included what I've found to be the standard troubleshooting files and a screenshot of a typical driver fight.

Addition.txt

FRST.txt

CheckResults.txt

mbamswissarmy_crash.png

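The correlation the first post describes, as an added PowerShell example that is not from the thread: it reads 7045 (service installed) and 4101 (display driver stopped responding) events from the System log and pairs each install of the named service with any 4101 that follows within a window, and also counts 4101s that had no preceding install, which is the figure that tests the hypothesis. The 120-second window, the parameter names, and the assumption that both IDs are in the System log are mine.

```powershell
# Added example (not from the thread): pair 7045 service-install events for a named service
# with 4101 display-driver reset events that follow within a short window.
# Assumptions: both IDs are read from the System log (7045 from Service Control Manager,
# 4101 from the Display source); the window length and service name are parameters.
param(
    [string]$ServiceName = 'MBAMSwissArmy',
    [int]$WindowSeconds  = 120,
    [int]$MaxEvents      = 5000
)

# One query for both IDs, oldest first, so a single pass can pair them.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045, 4101 } `
              -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
          Sort-Object TimeCreated
if (-not $events) { Write-Warning 'No 7045/4101 events found in the System log.'; return }

# 7045's message names the installed service; match on that.
$installs = @($events | Where-Object { $_.Id -eq 7045 -and $_.Message -match [regex]::Escape($ServiceName) })
$crashes  = @($events | Where-Object { $_.Id -eq 4101 })

# For every install, count the 4101s inside [install, install + window].
$pairs = foreach ($install in $installs) {
    $deadline  = $install.TimeCreated.AddSeconds($WindowSeconds)
    $followers = @($crashes | Where-Object { $_.TimeCreated -ge $install.TimeCreated -and $_.TimeCreated -le $deadline })
    [pscustomobject]@{
        ServiceInstalled = $install.TimeCreated
        CrashesInWindow  = $followers.Count
        LagSeconds       = if ($followers.Count) { [int]($followers[0].TimeCreated - $install.TimeCreated).TotalSeconds } else { $null }
    }
}

# 4101s with no install in the preceding window weaken the "install triggers crash" reading.
$orphans = @($crashes | Where-Object {
    $crash = $_
    -not ($installs | Where-Object {
        $crash.TimeCreated -ge $_.TimeCreated -and $crash.TimeCreated -le $_.TimeCreated.AddSeconds($WindowSeconds) })
}).Count

$pairs | Format-Table -AutoSize
$followed = @($pairs | Where-Object { $_.CrashesInWindow -gt 0 }).Count
'{0} of {1} {2} installs were followed by a 4101 within {3}s; {4} of {5} 4101 events had no preceding install.' -f `
    $followed, $installs.Count, $ServiceName, $WindowSeconds, $orphans, $crashes.Count
```

Run it from an elevated prompt so the System log is fully readable; if most installs are followed by a 4101 and few 4101s are orphans, the timing claim holds, and if the orphan count is high, the driver is resetting on its own and the service installs are a coincidence.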

Hello and welcome:

There's a bunch of stuff in your logs, and it's not clear if MBAM is contributing to your video driver issues.

So we'll need to wait for a forum expert or staff member to review them and advise you.

However, a few things pop out after preliminary review:

1) MBAM was most recently installed in March 2016, but it was not a "clean" install.  Your logs show that MBAM was last cleanly installed BEFORE you upgraded to Win10.  Sometimes, the OS upgrade can lead to subtle corruption in MBAM and other security applications.

2) The " Mbamchameleon Failed to obtain file name information - C01C0005" error may be explained by this post HERE.  Try disabling MBAM Self-Protection and those errors should resolve.

3) Important Windows services are failing:

Quote

==================== Event log errors: =========================

Application errors:
==================
Error: (07/30/2016 04:03:07 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (07/30/2016 03:04:36 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (07/30/2016 02:58:49 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (07/30/2016 02:21:04 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (07/30/2016 02:21:02 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (07/30/2016 01:44:00 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (07/30/2016 01:43:59 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (07/30/2016 01:10:51 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (07/30/2016 01:10:06 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (07/30/2016 12:59:00 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.


System errors:
=============
Error: (07/30/2016 12:33:51 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (07/30/2016 12:24:58 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {F3B4E234-7A68-4E43-B813-E4BA55A065F6}

Error: (07/30/2016 09:55:15 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (07/30/2016 12:58:02 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (07/30/2016 12:49:08 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {F3B4E234-7A68-4E43-B813-E4BA55A065F6}

Error: (07/29/2016 06:30:14 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {F3B4E234-7A68-4E43-B813-E4BA55A065F6}

Error: (07/29/2016 06:14:40 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {F3B4E234-7A68-4E43-B813-E4BA55A065F6}

Error: (07/29/2016 08:03:29 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (07/28/2016 11:38:41 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (07/28/2016 11:25:16 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {F3B4E234-7A68-4E43-B813-E4BA55A065F6}

 

4) Also: What is this web exclusion?

Quote

Web Exclusions:
================
Category: Domain, Exclusion: www.genesis-mining.com

So, for starters, you might want to try the following:

  1. I suggest carefully following all the steps in this tutorial to cleanly reinstall MBAM: MBAM Clean Removal Process 2x
  2. Disable MBAM Self-Protection (it should be "off" by default after a clean reinstall)

Then, you might want to head over to the malware removal section of the forum for a deeper look at the system.  I'm not saying that you are necessarily infected.  However, the helpers in that other forum area have access to other tools to help clean up and repair the system.  To start the process, please read this pinned topic: Available Assistance for Possibly Infected Computers.  Then please start a new post in the malware removal section, attaching the same logs.  A trained helper will assist you further.

Thanks,


Thanks for your input. Some answers below:

1) This was built as a Win10 system and MBAM wasn't installed until after the upgrade, but it was quite some time ago. I'm assuming the 3/16 installation is an upgrade to MBAM, which would explain the lack of a "clean" install.

2) I did find the self-protection threads and even looked into Windows Defender causing these events. I disabled both, but they did not stop. However I have not rebooted after either change and toggled it all back on to verify event generation.

3) Looks like there's a permissions issue on a service for the LLDP errors. I did a backup today, which is what triggered those errors. The DCOM errors appear to be permissions issues as well for an unknown SID.

4) Decided to test out bit mining for a bit (no pun intended). MB decided to block the site randomly the other day (even though I've been on the site many times prior) so I added it to the exc list. Using cloud services on a 2FA'ed site.

I can try a clean reinstall of MBAM to see if that resolves anything, but I will probably wait for some additional insight before doing that just in case there are other things they would like to see on the current install scenario. I've disabled self-protection for now. I mean those events are information, not errors (nor warnings) so I'm assuming MBAM doesn't particularly care too much.

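The 10016 events quoted above name a CLSID and an APPID (the event's message template lists them in that order) and the SYSTEM SID S-1-5-18. As an added PowerShell example that is not from the thread, the script below resolves those two GUIDs to their registered names and decodes the AppID's LaunchPermission security descriptor (falling back to the machine-wide default when the key carries none) so you can see which principals actually hold Local Activation on that component. The two GUIDs are the ones from the quoted log; the rights bit values come from the COM_RIGHTS_* constants, and the parameter names and fallback logic are mine.

```powershell
# Added example (not from the thread): decode what a DCOM 10016 event is complaining about.
# The two GUIDs below are the ones quoted in the FRST log; everything else is assumed.
param(
    [string]$Clsid = '{D63B10C5-BB46-4990-A94F-E40B9D520160}',
    [string]$AppId = '{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}'
)

# Friendly names live in the default value of the CLSID and AppID keys under HKCR.
$clsidName = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -ErrorAction SilentlyContinue).'(default)'
$appIdKey  = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" -ErrorAction SilentlyContinue
$appIdName = if ($appIdKey) { $appIdKey.GetValue('') } else { $null }

# LaunchPermission is a self-relative security descriptor stored as REG_BINARY on the AppID key.
# When it is absent, COM uses the machine-wide DefaultLaunchPermission instead.
$sdBytes = if ($appIdKey) { $appIdKey.GetValue('LaunchPermission') } else { $null }
$source  = 'AppID LaunchPermission'
if (-not $sdBytes) {
    $sdBytes = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue).DefaultLaunchPermission
    $source  = 'machine DefaultLaunchPermission'
}

# COM launch/activation access-mask bits (COM_RIGHTS_EXECUTE_LOCAL .. COM_RIGHTS_ACTIVATE_REMOTE).
$rights = [ordered]@{ LocalLaunch = 0x2; RemoteLaunch = 0x4; LocalActivation = 0x8; RemoteActivation = 0x10 }

$aces = @()
if ($sdBytes) {
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sdBytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SIDs (the "unknown SID" case) are shown raw
        $granted = ($rights.GetEnumerator() | Where-Object { $ace.AccessMask -band $_.Value } | ForEach-Object Key) -join ','
        $aces += [pscustomobject]@{ Type = $ace.AceType; Principal = $name; Sid = $sid.Value; Rights = $granted }
    }
}

[pscustomobject]@{
    Clsid = $Clsid; ClsidName = $clsidName
    AppId = $AppId; AppIdName = $appIdName
    DescriptorSource = $source
}
$aces | Format-Table -AutoSize

# The event names SYSTEM (S-1-5-18) as the caller denied Local Activation; check for that grant explicitly.
$systemAce = $aces | Where-Object { $_.Sid -eq 'S-1-5-18' -and $_.Type -eq 'AccessAllowed' -and $_.Rights -match 'LocalActivation' }
if ($systemAce) { 'SYSTEM holds Local Activation on this AppID.' }
else            { 'SYSTEM has no explicit Local Activation grant here, which is what a 10016 reports.' }
```

Reading these keys needs no special rights beyond an ordinary admin shell; the output tells you which Windows component the GUID pair belongs to and which principals the stored descriptor grants, which is the information you need before deciding whether the event is worth acting on or is one of the benign, OS-internal ones.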

Hi:

Thanks for the update.

If your log data are correct, MBAM was last "cleanly" installed on November 20 and Windows 10 was installed on December 12.  In any event, a clean reinstall clears out accumulated logs/settings and often resolves minor corruption.  So it would be a good starting point.

The failing Windows cryptographic service probably needs further attention, but that's up to you.

As far as the web exclusion of the bit mining site, that's not a good idea. If MBAM is blocking it, it's likely for a good reason. THIS ARTICLE explains the significance of MBAM IP blocks. Setting that site as an exclusion creates a security vulnerability. If you think that the MBAM block is a false positive, then a safer approach would be to start with the advice HERE and to please post the requested information (URL and IP) in the website blocking F/P section HERE.  The research team will review the data to determine whether or not the block is a F/P.

A forum expert or staff member may have additional advice.

Thanks again,

Edited by daledoc1
punctuation

So I looked into why it was blocking it. It wasn't blocking it because of domain or IP matches, but the ports it is trying to use. I am looking into that and why it is doing that. My guess is it is attempting to mine my computer. I am reviewing my firewall rules additionally after this find.

And yes, the permissions issue is a relatively easy fix that I will address.


Hi:

4 hours ago, HellHunter said:

So I looked into why it was blocking it. It wasn't blocking it because of domain or IP matches, but the ports it is trying to use

I don't think MBAM blocks anything by ports, as it's not a firewall.  It blocks either IPs or website/domains.  In any event, the web exclusion for the bit mining site is unlikely to be related to the issue you reported.  I merely pointed it out as it seems unsafe to set that exclusion.

Have you done the MBAM Clean Reinstall?  That, plus disabling MBAM Self-Protection, may resolve the original issue you reported.  I'm not sure it will fix your ongoing video driver issues, but it would not hurt to try.

Other than that, I suggest heading over to the malware removal section for some deeper work on the system, if you wish.

Cheers,


4 hours ago, daledoc1 said:

Hi:

I don't think MBAM blocks anything by ports, as it's not a firewall.  It blocks either IPs or website/domains.  In any event, the web exclusion for the bit mining site is unlikely to be related to the issue you reported.  I merely pointed it out as it seems unsafe to set that exclusion.

Have you done the MBAM Clean Reinstall?  That, plus disabling MBAM Self-Protection, may resolve the original issue you reported.  I'm not sure it will fix your ongoing video driver issues, but it would not hurt to try.

Other than that, I suggest heading over to the malware removal section for some deeper work on the system, if you wish.

Cheers,

Yes, you are right on the site blocking. Trying to work on this at 3AM has some drawbacks....lol. Now that I've slept I was looking back at why I said that which was sleep deprived thinking. I was expecting to see 443, but it lists source, not destination ports in the MBAM logs.

I am going to do a clean install and look at the other Windows issues as well now that it is morning.


Clean install has been done and the issues with the backups and the RuntimeBroker have been resolved. Apparently all native OS internal "features."

We'll see if the clean install fixes the nVidia driver crash, but it is "random" with no decisive way to replicate the problem on my end so I will just have to wait and see.


Hi:

Disabling MBAM self-protection ought to have stopped the "Mbamchameleon Failed to obtain file name information - C01C0005" errors.

But, as you pointed out, it's not likely that your video driver problems relate to MBAM.

If you need more help with the non-MBAM problems (video driver issues, failing Windows services, etc.), then I suggest heading over to the other forum section for a deeper look.
I'm not saying that you are infected.  It's just that the sort of work needed to diagnose and fix these sorts of issues cannot be performed here, in this particular forum section.  So, I suggest starting with the advice here: Available Assistance for Possibly Infected Computers.  A trained helper will guide you through scanning, cleanup and repair.

Thanks,
