Cultmethod
Member
- Aug 31, 2018
- 23
I built my workstation PC and it's been working flawlessly for about 2-3 years. Today I just got a BSOD (first one ever) while working in Photoshop CC:
Code:
SYSTEM THREAD EXCEPTION NOT HANDLED
I then ran sfc /scannow from an elevated command prompt and let it do its thing. It said it found corrupted files and told me to check the CBS.log file.
So I copied and opened the CBS.log file and scanned through to see if I could find anything. Here are the errors I could find:
Code:
Warning: Overlap: Directory \??\C:\Program Files (x86)\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-10-01 19:21:21, Info CSI 000001cd Warning: Overlap: Directory \??\C:\ProgramData\Microsoft\Windows\Start Menu\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-10-01 19:21:21, Info CSI 000001ce Warning: Overlap: Directory \??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-10-01 19:21:21, Info CSI 000001cf Warning: Overlap: Directory \??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
Code:
2021-10-01 19:21:12, Info CSI 00000195 Warning: Overlap: Directory \??\C:\WINDOWS\SysWOW64\drivers\en-US\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-10-01 19:21:12, Info CSI 00000196 Warning: Overlap: Directory \??\C:\WINDOWS\SysWOW64\wbem\en-US\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-10-01 19:21:12, Info CSI 00000197 Warning: Overlap: Directory \??\C:\WINDOWS\help\mui\0409\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch Host= amd64 Guest= x86, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
Code:
2021-10-01 19:20:44, Info CSI 00000100 Warning: Overlap: Directory \??\C:\ProgramData\Microsoft\Windows\Start Menu\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-10-01 19:20:44, Info CSI 00000101 Warning: Overlap: Directory \??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-10-01 19:20:44, Info CSI 00000102 Warning: Overlap: Directory \??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-shell32, version 10.0.19041.1202, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}
Code:
2021-10-01 19:20:17, Info CSI 0000007c Warning: Overlap: Directory \??\C:\WINDOWS\System32\drivers\en-US\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch amd64, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch amd64, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-10-01 19:20:17, Info CSI 0000007d Warning: Overlap: Directory \??\C:\WINDOWS\System32\wbem\en-US\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch amd64, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch amd64, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
2021-10-01 19:20:17, Info CSI 0000007e Warning: Overlap: Directory \??\C:\WINDOWS\help\mui\0409\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch amd64, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-Foundation-Default-Security.Resources, version 10.0.19041.1, arch amd64, culture [l:5]'en-US', nonSxS, pkt {l:8 b:31bf3856ad364e35}
While I am concerned about these errors, I am also concerned by some of the other entries in CBS.log. It looks like yesterday and earlier today some various "FoD packages" (according to the log) were installed and a lot of them seem related to remote management. I never use remote tools with my PC.
Ultimately I am concerned my PC is compromised and came here looking for some help. If anyone can possibly identify what's going on, that would be great.
System Manufacturer?: Built it myself
Laptop or Desktop?: Desktop
OS ? (Windows 10, 8.1, 8, 7, Vista): Windows 10
x86 (32bit) or x64 (64bit)?: x64
What was original installed OS on system?: Windows 10
Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)?: Full Retail
Age of system? (hardware): About 2 years
Age of OS installation?: Same as system.
Have you re-installed the OS?: No, and I'd really like to avoid that.
Intel Core i9-9900KF
RAM (brand, EXACT model, what slots are you using?): 16GB PC4-17000 DDR4 SDRAM G-Skill F4-3600C16-16GTZRC in all four rows. (Total of 64GB)
Video Card: NVIDIA GeForce RTX 2080 TI
MotherBoard - (if NOT a laptop): Gigabyte Z390 AORUS ULTRA
Power Supply - brand & wattage (if laptop, skip this one): CORSAIR RMX Series, RM850x
Is driver verifier enabled or disabled?: Not sure. I never manually enabled it.
What security software are you using? (Firewall, antivirus, antimalware, antispyware, and so forth): Just Windows security center
Are you using proxy, vpn, ipfilters or similar software?: No
Are you using Disk Image tools? (like daemon tools, alcohol 52% or 120%, virtual CloneDrive, roxio software): No
Are you currently under/overclocking? Are there overclocking software installed on your system?: I think I am very slightly overclocked. I did this when I first got the machine. Not using software, I did it via BIOS.
Speccy link: http://speccy.piriform.com/results/QXnUMFE5UdP3tG1qFFO72i1
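Added example, not part of the original post: a small Python parser for the "Overlap: Directory ... is owned twice" warnings quoted above, which pairs each warning with its two owner lines and lists only the entries where the owner identities differ. The function names are hypothetical, the first two sample entries are taken from the post, the last one is constructed, and treating a differing or missing owner as the entry worth a closer look is a triage assumption rather than a documented rule.

```python
import re

# Overlap warning header; the timestamp/sequence prefix is optional because
# the first excerpt in the post starts without it.
HEADER = re.compile(
    r"^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), Info\s+CSI\s+"
    r"(?P<seq>[0-9a-f]{8})\s+)?Warning: Overlap: Directory (?P<dir>.+?) "
    r"is owned twice or has its security set twice\s*$")
OWNER = re.compile(r"^\s*(?P<kind>Original|New) owner: (?P<ident>.+?)\s*$")

def parse_overlaps(text):
    """Return one dict per Overlap warning: directory plus both owner strings."""
    entries, current = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = {"ts": h["ts"], "seq": h["seq"], "dir": h["dir"],
                       "Original": None, "New": None}
            entries.append(current)
        elif current is not None:
            o = OWNER.match(line)
            if o:
                current[o["kind"]] = o["ident"]
    return entries

def owner_mismatches(entries):
    """Entries where an owner line is missing or the two identities differ."""
    return [e for e in entries
            if None in (e["Original"], e["New"]) or e["Original"] != e["New"]]

# Owner identity strings as they appear in the post.
SHELL32 = ("Microsoft-Windows-shell32, version 10.0.19041.1202, "
           "arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}")
FOUNDATION = ("Microsoft-Windows-Foundation-Default-Security.Resources, "
              "version 10.0.19041.1, arch amd64, culture [l:5]'en-US', "
              "nonSxS, pkt {l:8 b:31bf3856ad364e35}")
# Two entries from the post, then one CONSTRUCTED entry with differing owners.
SAMPLE = r"""Warning: Overlap: Directory \??\C:\Program Files (x86)\ is owned twice or has its security set twice
Original owner: <S>
New owner: <S>
2021-10-01 19:20:17, Info CSI 0000007c Warning: Overlap: Directory \??\C:\WINDOWS\System32\drivers\en-US\ is owned twice or has its security set twice
Original owner: <F>
New owner: <F>
2021-10-01 19:22:00, Info CSI 00000fff Warning: Overlap: Directory \??\C:\Constructed\Example\ is owned twice or has its security set twice
Original owner: <S>
New owner: Constructed-Example-Owner, version 0.0.0.0, arch amd64, nonSxS, pkt {l:8 b:0000000000000000}
""".replace("<S>", SHELL32).replace("<F>", FOUNDATION)

if __name__ == "__main__":
    print([(e["seq"], e["dir"]) for e in owner_mismatches(parse_overlaps(SAMPLE))])
```

Run against a full copy of CBS.log, `owner_mismatches` returns an empty list when every warning has the same component as both owners, as in all of the entries quoted in the post.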