
MBAR crash dump



I have a minidump pointing to mbamswissarmy.sys as a component of module mbar.exe

i.e. as the culprit for the BugCheck 3B, {c0000005, fffffa601737088a, fffffa6018028010, 0}

SYSTEM_SERVICE_EXCEPTION (3b)

An exception happened while executing a system service routine.

FAULTING_IP:

mbamswissarmy+688a

fffffa60`1737088a ?? ???

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: mbar.exe

MODULE_NAME: mbamswissarmy

IMAGE_NAME: mbamswissarmy.sys

Loaded symbol image file: mbamswissarmy.sys

Image path: \??\C:\Windows\system32\drivers\mbamswissarmy.sys

Image name: mbamswissarmy.sys

Timestamp: Tue Nov 06 20:10:52 2012 (5099B51C)

CheckSum: 0003407B

ImageSize: 00028000

Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

I half expected this I guess because on running mbar, it quickly notifies me:

PROBABLE ROOTKIT ACTIVITY DETECTED

Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity. Then I have a Yes / No choice to remove it now or not. When I don't and continue, it appears that mbar crashes. Is this my clue that I should say Yes to remove AppInit_Dlls and run again? What's my risk?


  • Root Admin

Hello David and Welcome to Malwarebytes,

You should really have someone assist you with looking into this deeper if it's actually causing a crash. I would recommend following the advice from this pinned topic: Available Assistance for Possibly Infected Computers

Thanks


PROBLEM SOLVED.

I chose a simple route of solving this by watching and videoing the Scan Progress:

It spent a lot of time then blue-screened when checking the file:

C:\programdata\Playrix Entertainment\Fishdom2\Storage.xml.bak

I assumed I could safely delete this backup file, so I did, and emptied my recycle bin.

When I scanned again, mbar 1016 ran to the end.

I must say that simultaneously with deleting this file, MBAR 1011 prompted me to install the latest version, which had jumped from 1011 to 1016. I didn't think my version was that old.

It's hard to tell, but either deleting that stalled file, or the new version of mbar, allowed mbar to run to the end - clean.

So Good News. Case closed.
