Question Plagued by blue screens


Mastiff37

I'm hoping someone here can help me get to the bottom of my blue screen errors. I never had them when my system was Windows 10, but since Win 11, they have been happening every few days, and for some reason lately they are happening more like every few hours, often when I'm at the machine. This is the most recent one:

Source
Windows

Summary
Shut down unexpectedly

Date
5/6/2022 5:03 PM

Status
Report sent

Problem signature
Problem Event Name: BlueScreen
Code: 124
Parameter 1: 0
Parameter 2: ffffc807e8463028
Parameter 3: b2000000
Parameter 4: 10005
OS version: 10_0_22000
Service Pack: 0_0
Product: 768_1
OS Version: 10.0.22000.2.0.0.768.101
Locale ID: 1033

Extra information about the problem
Bucket ID: 0x124_0_GenuineIntel_PROCESSOR_Mae_BANK0_MSCOD0001_MCACOD0005_PCC_UC_VRFK_IMAGE_GenuineIntel.sys
Server information: ec7c8c0f-6c53-4b6f-b020-0e6f0919f58b


Sometimes they generate the reports, but this one did not. What info can I provide so you gurus can help?
 
Thanks. I ran some Intel tools and they found no drivers to update, but windows update did have two Intel drivers (one of them the Gaussian mixture thing) and those are installed. I don't see anything in device manager related to this though?

I turned off sleep mode for the USB hubs. Is high performance mode in addition to that?

I have nothing installed other than what comes in Win11 except various debug utilities, I may have gotten malware though. I'll do a scan for that.
since some of your files were modified you might run cmd.exe as an admin then run
sfc.exe /scannow
dism.exe /online /cleanup-image /restorehealth

the keylogger looks like it is running out of a hidden directory associated with your onedrive account
users\cmcdo\appdata\local\microsoft\onedrive\21.050.0310.001\filecoauth.exe

you will want to turn off your virtual memory to delete your pagefile.sys, reboot and turn it back on to create a new one.

looking to see where QtWebEngineProcess.exe is running from.
looks like you have a bunch of its parts running out of:
\program files (x86)\dropbox\client\147.4.4800
(15 different files from that location)

looks like your onedrive and dropbox might be infected.
you should avoid allowing connection and sync of files until you get stuff cleaned up. you should assume the keylogger has your passwords also.
 
since the files are memory mapped they may not be on your hard drive. they get created as a file in memory. For this reason, I would wipe the machine and reinstall and create another account or do not allow the machine to connect to your cloud accounts. Then see if the machine is stable.
 
Are you saying stuff can get into my onedrive, but not actually sync to the physical drive? This is frightening. Likewise Dropbox. I've only been using them as a means to get you the dump files. I know onedrive tries to sync settings and stuff like that across machines, but I really thought Dropbox was transparent with what files it kept.

I did run Malwarebytes on the system and it found nothing, as of yesterday morning or so.

EDIT: BTW, filecoauth.exe looks like it's probably legit, though Defender and others flag it sometimes: https://www.file.net/process/filecoauth.exe.html
 
yes, it is most likely ok. I just did a quick google for the file and got a bogus site

malware tries to hide. one way of hiding is to create a file in memory rather than on disk. it is pretty common.
 
I should have done this long ago, but I started up in safe mode (with networking) and it's been stable for quite a while. I suppose it could BSOD any second, but it hasn't gone this long in regular mode for a long time. I was certain it was a hardware problem. Any suggestions how to figure out which driver or service is to blame, if safe mode is indeed preventing the problem?
 
well maybe on windows safe mode see if driverquery will run.
start cmd.exe as an admin and run
cd c:\
driverquery.exe /V > driverlist1.txt

then do the same with booting normally with windows
and run
cd c:\
driverquery.exe /V > driverlist2.txt

then compare the two files.
(not an easy method)

you could also see if autoruns.exe will run on safe mode. select the hide microsoft entries and take a look at the list under a normal boot and a safe boot to see what is different.

you could also turn on verifier flags and see if they bugcheck on any driver.

under safe mode, your gpu drivers would not be loaded. other drivers that are not required will not be loaded.
sound drivers can mess up systems.
 
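The safe-mode versus normal-boot comparison suggested above, as an added example that is not part of the original thread: it assumes the snapshots are taken with driverquery's CSV output (`/FO CSV`) rather than the table redirected to driverlist1.txt, and lists the drivers that are running in a normal boot but not in safe mode. The driver names and rows are constructed samples, and the column names assume an English-language Windows install.

```powershell
# Snapshots would be captured from an elevated prompt, once per boot mode:
#   driverquery.exe /V /FO CSV > C:\driverlist1.csv   (safe mode)
#   driverquery.exe /V /FO CSV > C:\driverlist2.csv   (normal boot)
# and loaded with Import-Csv. The rows below are constructed samples with
# hypothetical driver names, trimmed to the columns the comparison uses.
$safeCsv = @'
"Module Name","Display Name","Driver Type","Start Mode","State","Path"
"ACPI","Microsoft ACPI Driver","Kernel","Boot","Running","C:\Windows\system32\drivers\ACPI.sys"
"exampleaud","Example Audio Driver","Kernel","Manual","Stopped","C:\Windows\system32\drivers\exampleaud.sys"
"examplegpu","Example Display Driver","Kernel","Manual","Stopped","C:\Windows\system32\drivers\examplegpu.sys"
'@
$normalCsv = @'
"Module Name","Display Name","Driver Type","Start Mode","State","Path"
"ACPI","Microsoft ACPI Driver","Kernel","Boot","Running","C:\Windows\system32\drivers\ACPI.sys"
"exampleaud","Example Audio Driver","Kernel","Manual","Running","C:\Windows\system32\drivers\exampleaud.sys"
"examplegpu","Example Display Driver","Kernel","Manual","Running","C:\Windows\system32\drivers\examplegpu.sys"
"examplefilter","Example Filter Driver","File System","System","Running","C:\Windows\system32\drivers\examplefilter.sys"
'@

function Get-RunningDriver {
    param([Parameter(Mandatory)] [object[]] $Rows)
    # Key on module name and keep only drivers actually loaded in that boot.
    $map = @{}
    foreach ($r in $Rows) {
        if ($r.State -eq 'Running') { $map[$r.'Module Name'] = $r }
    }
    return $map
}

$safe   = Get-RunningDriver -Rows ($safeCsv   | ConvertFrom-Csv)
$normal = Get-RunningDriver -Rows ($normalCsv | ConvertFrom-Csv)

# Drivers loaded in a normal boot but not in safe mode: the shortlist to
# update, roll back, or check with Driver Verifier first.
$normal.Keys | Where-Object { -not $safe.ContainsKey($_) } | Sort-Object |
    ForEach-Object {
        $d = $normal[$_]
        [pscustomobject]@{
            Module    = $d.'Module Name'
            Display   = $d.'Display Name'
            StartMode = $d.'Start Mode'
            Path      = $d.Path
        }
    } | Format-Table -AutoSize
```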