Everything posted by lindenbyte

  1. Okay then, thanks! And so far no further problems. And even an all-clear with regards to the start screen once described! It re-appeared two days ago, and from checking the text (as I said, last time I skipped it without reading) it appeared like a prompt by Microsoft to push the use of additional services. I checked online and it is a known annoyance on Windows 10, so no indication of a failed initialization of the account as originally expected. It just appeared right at a time when I was extra-sensitive to stuff out of the norm on the system.
  2. Yes, that’s the one! It is still sitting in quarantine. From what I got from the VirusTotal results (https://www.virustotal.com/gui/file/04903c579e29d1352d77d545afeea52a0288e4af28877690871ed1470388f118/details) back then, it is a pure text file – the more I am puzzled that it could ever register as some kind of malware.
  3. I understand, makes sense! Until now the previously reported error connecting to websites was the last of the puzzling events taking place on the machine. Very much relieved that the system was so thoroughly checked and fixed (thank you so much!) and that no malicious software turned up all along the way. Now, I am still puzzled by the nature of the “trojan log file” that Malwarebytes discovered but which then didn’t raise a single red flag when uploaded to VirusTotal. Is there an approach (different from uploading to VirusTotal) that you can recommend to determine safely whether the detected (and quarantined) file was actually wrongfully detected as such?! I understand that this hardly has a high priority, so I won’t bother about it beyond this message. Kind regards! Daniel
  4. Dear Maurice, I completed your full list! I got the Malwarebytes Browser Guards both for Firefox and Chrome (updated Chrome, too) and did all clearings as advised! I use Chrome basically for a single service (project planning) and it turned out that it wasn’t even synced to my Google account. I think I found the specific setting [German equivalent seems to be “Zuletzt angesehene Seiten öffnen”]: one of 3 options that exclude each other. I had set it once to a specific starting page and thus the "continue where you left off" option was and is disabled. Given your emphasis, should I assume that this particular option makes for a security risk? I disabled the option on Chrome, Firefox, and on Edge. When I opened Edge (I use it very rarely) it advertised its latest version, which I installed. They moved the Notifications settings a bit in the new Edge installment, but it wasn’t that hard to find. Done! The report is attached – funny enough it looks like the freshly installed (new) Edge browser dragged in the 4 entries that got detected! Till soon & my apologies for the delay, Daniel AdwCleaner[C00].txt
  5. Thank you for the forbearance and patience! As an interposed question, what is the idea behind clearing the full browsing history? Talk soon, Daniel
  6. Good evening Maurice, thanks for sending a reminder – I can’t believe how fast these last few days passed! My apology, indeed, I missed on checking it out… and what a large reply it actually is! I’m going to dive into it tomorrow! Thank you very much & till soon! Daniel
  7. The story continues. After my last post I shut down the PC, which was active just a bit too long (LEDs blinking on the tower, sounds, but blank screen) before the machine completely shut down. When booting it afterwards everything worked until the Windows loading screen, which only popped up shortly (the logo with the animated circle), and then it stayed for over 4 minutes on a black screen until I lost patience and cold booted it. Afterwards everything was back to normal. Now the internet connection of this machine is working again without issues. (My apologies for the 4-part series.)
  8. The browser weirdness returned a quarter of an hour ago. Websites loading for easily 1–2 minutes without results (on different browsers) while other devices on the same network do just fine. Then suddenly a gust of content can rush in (not necessarily the full website though) and the waiting game repeats. What I noticed, however, was that today, for the first time in a longer while, I had started the Spotify app (that I had installed around the time when these loading anomalies occurred for the first time). What caught my attention was that the Spotify app reports to be offline despite a spotless internet connection at that time (I assumed the Farbar fix may have closed a certain door for the app here). Though that Spotify app is fully closed again, the described connection problem is still present. If there’s any app to run in particular during these anomalies that can bring light into it, let me know!
  9. The full scan of Windows Defender is currently running. Attached is the logfile of SecurityCheck for now. Much thanks & cheers! SecurityCheck.txt
  10. Dear Maurice, just found the time to read your post this evening and wanted to let you know that I’m going to run the described scans tomorrow! As always, thanks for your help, and patience – till tomorrow! Daniel
  11. Hello Maurice! I am glad that ESET reported no malware / no PUP Same here! Guess this week saw some thorough scanning taking place. Really appreciating your support! The Windows DISM is not about malware. It is about the health and correctness of the health status of key aspects of Windows significant elements. So it sounds to me as if nothing extraordinary has to really take place to cause such issues for the Windows health status – rather an accumulation of smaller issues over time. Is there something to that assumption? Btw, for a few weeks Photoshop had reported an error with the “generator” application right after starting Photoshop… that problem actually disappeared after your fix! Probably now is a good point to go into Windows Settings and to do a Windows Check for Updates A new cumulative update (KB4549951) and an update of the Windows Defender definitions took place. Nonetheless I’m still puzzled by the “log file” actually being reported by Malwarebytes as a Trojan and quarantined. So does the circumstance that none of the scanners on VirusTotal reported anything point to a false positive? (Yet I was not able to find such an issue reported on the forum yet.) Or is it possible that the log file’s content was changed between the detection by MWB and the upload to VT? After all, not even the MWB scanner on VT detected anything. I hope not to bother you with these questions! Again, thanks for your efforts & have a great day! Daniel
  12. Hello Maurice! Thanks a lot! Were traces of malware identifiable through the Farbar scan, or could what needed the repair point to “harmless” issues as well? So I did everything as described. The ESET scan took various hours and detected no malware.
  13. Dear Maurice, everything done as described (Farbar even updated itself automatically)! The run of the fix took 11 minutes – thanks for the heads-up! A restart was not requested. One note: when the FIXLOG opened after completion, I saw that – although Farbar’s language is English (due to the requested renaming) – the log contains various German sentences nonetheless – I assume those come from the language set in Windows itself. If it would still make sense I can turn the language of Windows to English as well – let me know. With kind regards, Daniel Fixlog.txt
  14. Dear Maurice, here it is! (Was puzzled for a moment to not find the file on my desktop after the completion, then realized that it was saved to the desktop of the admin account.) With best wishes, Daniel Autoruns.zip
  15. Hello Maurice, thanks a lot for your help! Noted, in case it happens again, I’ll do that! I had encountered this failed-initialization error on a previous laptop and was all the more surprised that the desktop of the user profile appeared and no further action was needed. Irritating that I didn’t check closely what it actually said. Sure! Fully aware. But as it was one of those non-standard events recently encountered, I thought it might actually be a hint towards malware screwing around in the background. Renamed! (Surely an interesting way to switch the language!) Very well spotted! However, no, I consulted no one else. I read about FSS in a forum entry and thought it might be requested soon anyway. I have not executed the program so far. Yes, the package is version 1.0.867. When checking for updates about 20 minutes ago it was reported to be up-to-date. Just checked again and it performed an update. So up-to-date. Everything done, except I need a single clarification regarding those options. In the version that I downloaded that first option is named “Hide empty locations” instead – so should that be checked or unchecked? Thanks again for your help & till soon! Daniel
  16. Hello, over the last few weeks I encountered a few (mostly singular) events on my PC that raised an eyebrow. The accumulation however seems suspicious. From the back of my head, here’s the list:
      • Experienced on two different days: no browsers suddenly loading any websites (or at least extremely slowly) while other devices on the same network did without any problem; a reboot “solved” it.
      • Triggered by one of these events, I tried opening the Windows Security screen for a scan but it was also loading “forever” (I assumed it was for some reason also waiting for an internet connection). This only happened once so far.
      • Another day when booting the PC I was greeted by a “Windows welcome screen” (sadly I can’t really tell what it was all about; I expected an error I knew from the past – namely a failed initialization of the Windows account – and pressed a “later” button; though only to find the desktop appear as expected); I checked the Windows update history but it didn’t list anything new.
      • Another day when booting the PC, instead of the Windows loading screen the monitors stayed blank – after a few minutes of waiting I restarted the machine and all worked fine.
      • Two days ago, when booting my PC, Dashlane reported an error message: “This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.” First error message I ever received from that application on my machine. Though a reinstall wasn’t necessary, I started the application again right after the error message and it worked.
      Over the course of these weeks I ran various scans (MWB full scan; Windows Offline Scan; Kaspersky Rescue Disc complete scan; Microsoft Safety Scanner) but nothing was ever found. Then yesterday Malwarebytes suddenly reported a trojan during its daily routine file scan, but the find was rather puzzling, since it was a log file of Acrobat DC (NGLClient_AcrobatDC112.0.log). Before pressing the quarantine button I uploaded the log to VirusTotal, though not a single scanner detected anything (including the Malwarebytes one). Here’s the report URL: https://www.virustotal.com/gui/file/04903c579e29d1352d77d545afeea52a0288e4af28877690871ed1470388f118/details Thanks kindly in advance, Daniel Addition.txt FRST.txt 2020-04-07-mwb-report.txt
  17. So I wanted to update the driver this evening, but right before, it happened again by chance: realtime protection wasn’t active after I changed to another standard account. I closed Anti-Malware Premium (AM) and reopened it as admin. Next I opened Firefox for a visit, but no error message this time. UNTIL I opened Thunderbird and suddenly AM threw the attached message [Screenshot 1]. This recalled a weird matter that came to my attention a while ago [Screenshot 2]: a much older Thunderbird version was shown as installed on September 1st… it points to the same executable file as the other Thunderbird version, and within Thunderbird itself the update history showed no updates of the program. What could possibly be the problem?
  18. Okay, obviously it’d be great if this just happens due to a mere incompatibility instead of malware. I’ll check for the particular driver. However, what’s up with the supposedly compromised Firefox trying to rapidly contact a malicious server? (Is anything known about symcd.com?) As I said, suspiciously this was only detected on an occasion when the real-time protection didn’t activate at first, and I managed to manually activate it as an admin and started Firefox afterwards. Cheers & many thanks!
  19. Thanks Ron, the first time the log files were in German so I did a rerun (and as I just learned, renaming the icon to “EnglishFRST64.exe” does the trick.) Here we go… Addition.txt FRST.txt
  20. (My apologies for the length, if .) On my laptop (updated from Windows 7 -> Windows 10 about 6 months ago) Anti-Malware Premium (AM) and Anti-Exploit Premium (AEx) have been running for 3 months – daily complete scans (I activated rootkit search) without any findings (except for the first day when the rather nasty “Amazon1ButtonApp,” sneakily installed via the Java installer, was detected and removed). AEx has consistently displayed “Blocked Exploit Attempts: 0” since its installation. Once in a while – maybe about 1 time in 2 weeks – AM does not initialise on starting the laptop (= icon does not appear in the bar). When I manually start it, the real-time protection is deactivated [Screenshot 1]. Alternatively it does initialise on start, but the icon in the bar displays the red exclamation mark and opening the application shows the same result. (AEx instead is always running.) Clicking the button in the top right (“Fix Now”/“Jetzt beheben”) to activate the full protection does nothing (meaning, it’s as if it was an image that I’d click, no message, no visual change at all). I run the same combination (AM + AEx) on my old laptop (which I barely use though) and encountered the same problem once – however, a few days later on starting the machine everything seemed fine again. (I suspected some problem after an automatic update.) Anyway. What showed to work on my new laptop when the issue appeared was to close the account and change to the Admin account (all others are standard accounts) and click on “Malwarebytes Anti-Malware Notifications” in the start menu – it initialised with realtime protection and when I returned to the standard account: the same (= real-time protection active again). Just 5 days ago it happened again, and I decided to “cut the process short” by closing AM and re-starting it “as Admin” via the context menu. However, I got the message that the “anti rootkit dda driver” was not able to initialise [Screenshot 2]. A second related error message followed (sorry, no screenshot in this case, but basically saying the same). A restart of the laptop and going the described route via the Admin account worked again. TWO DAYS AGO (please bear with me, still something new here) – I was using one standard account for various hours where AM’s realtime protection was active, and then I changed to another standard account (no restart of the laptop) where the protection was suddenly displayed as DEACTIVATED. I decided to close it and start it again as Admin via the context menu (with the goal to document the full process via screenshots). To my surprise it worked fine this time, HOWEVER: while AM ran a full scan I used the time to surf in Firefox, only to suddenly receive (never before seen) messages from AM that it’s blocking a malicious domain that Firefox tried to contact [Screenshot 3]. (I was visiting an absolutely unsuspicious website, and indeed checking different websites still resulted in those warnings.) Besides these messages, the full scan by AM resulted in no detection of malware. Now I just remember that a day before, Firefox had also thrown an error message that a security update failed and it didn’t succeed in contacting the server. After a restart of my laptop with an again successfully initialised AM, no messages about malicious websites show up during surfing (in the same account on the same browser, also checked with the same URLs). This underpinned the suspicion that is displayed in my thread’s title.
      2 QUESTIONS ON FARBAR (Recovery Scan Tool)
      1.) I downloaded the 64bit version directly from the Bleepingcomputer URL. On starting it I received a warning from Windows that the publisher isn’t verified; when continuing, the mentioned disclaimer didn’t appear. May any of that be an indication that the software was compromised on the machine?
      2.) Should FRST be started in the admin role? Many thanks in advance!