sootsnoot

Members - Posts: 8 - Reputation: 0 Neutral

  1. Here's what happened with Eset tech support, who were really quite responsive (I was pleasantly surprised). I submitted a report of a possible infection which required my license key. I described the issue and provided a link to this forum discussion, highlighting the corruption of ecmds.exe reported by event viewer, as well as the corruption of eamsi.dll you had found in the FRST log, and noting that the FRST reports were available to download from here. The initial response was a generic one saying that corruption of Eset files can occur for several non-suspicious reasons such as installing an updated version over an old version, an interrupted installation, or other things like installation of other 3rd-party software. They recommended doing a manual uninstall according to http://support.eset.com/zap/kb2289/ and then reinstalling. They also asked that I download and run their Eset Log Collector tool, which I did.

I balked at the complexity of the manual uninstall, and asked why not simply try Windows add/remove programs. They replied that I certainly could try add/remove programs first, just being aware that it might not be enough, that the manual uninstall might be necessary to fix the corruption issues. But they also noted that the Eset Log Collector showed some unusual settings for Eset, and asked me to confirm if I was aware of these settings, in particular:

  • Media to scan - Local drives - disabled
  • Scan on - file open - disabled
  • Scan on - file creation - disabled
  • Scan on - file execution - disabled
  • SSL protocol checking - disabled

So I checked those settings, and sure enough that's what the installed version of Eset showed. But I'm quite sure I had never made those changes to Eset's default settings. And I'm certain my wife didn't change them either, as she doesn't know what Eset is. So I'd say that's very clear evidence of malware that had been on her computer at some point.
The settings on my own computer, which had not had any problem with Thunderbird, but did show the same kind of corruption of ecmds, were normal. I did not run FRST on my own computer, so I don't know if it also had the problem with eamsi.dll. Anyway, I used add/remove to remove Eset from my wife's computer, then reinstalled it. It installed normally and started its initial scan. I confirmed that its settings were normal, no disabled scans, and I checked Event Viewer's Security log and found no complaints about ecmds.exe. So I'm thinking it's finally clean :-). Now I'll do the same on my own computer to get rid of complaints about ecmds, and go on my merry way. Once more, thank you for all your help! -Rich
  2. Wow, great, thank you so much for working this with me. I'm really sorry about that red herring with the Windows account, it sure had me fooled. It wasn't until I saw the "John Smith" name at accounts.microsoft.com that it occurred to me it could have been caused by something I'd done. The interval of time between when I made the change online and when I saw the name on the lock screen was so great that I just didn't think of any connection between that and the Win 10 lock screen. My wife's computer does use logons through Microsoft accounts, but on my own Win 10 PC I only have local accounts, making the connection all the more surprising to me. I'll certainly check with Eset support on the two issues with their files. I had checked around previously on the ecmds issue, and was surprised I couldn't find anything from them about it, part of the reason I went to malwarebytes. Now that you've also found a problem with eamsi.dll, I'll press them directly about the issues. I've been paying license fees for quite a few years now, so I think they owe me an explanation. So I guess you can close this now. When/if I get any useful information from Eset support, I'll report back here, as this is an excellent repository of information about security problems. And I imagine you might have a niggling curiosity about it, too. Though I can't imagine the level of patience you have in delving into the details of so many log files sent by so many bewildered users 🙂 Have a good evening!
  4. Hi Maurice. I followed your instruction and signed out of my wife's account, then signed in to my Administrator account. Actually, I rebooted before signing in, just for good measure. I actually signed in to what shows up on the account selection list as the "John Smith" account, as it turns out that account is connected to my Microsoft account, but my Microsoft account had the name "John Smith" on it, something I probably did on the Microsoft website to annoy Microsoft spies. Yesterday I changed that name back to my own name on accounts.microsoft.com, but it still shows up as "John Smith" on the PC, even after the reboot and logging in to it with my Microsoft account password. So I'm thinking that there was no account deletion that happened, but rather that the name of the account shown on the lock screen changed from my own name to "John Smith" sometime long after I had made that change on accounts.microsoft.com, and perhaps my name will start showing up again, and "John Smith" will disappear, on the lock screen sometime in the distant future.

So I guess my only real visible symptom of an infection was the corruption of the Thunderbird profile, which happened once, survived a reinstall of Thunderbird, was fixed by an image restore to the previous day, happened again a day or two later, then was fixed by an image restore to a time before the earliest suspicious logon Audit Failure, and has been working for a week or two since then. So the System Integrity audit failure on the Eset program ecmds.exe is the worst thing I currently see.

Back to what you asked for:

Microsoft Windows [Version 10.0.18362.592]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>DISM /Online /Cleanup-Image /CheckHealth

Deployment Image Servicing and Management tool
Version: 10.0.18362.1

Image Version: 10.0.18362.592

No component store corruption detected.
The operation completed successfully.

C:\WINDOWS\system32>DISM /Online /Cleanup-Image /ScanHealth

Deployment Image Servicing and Management tool
Version: 10.0.18362.1

Image Version: 10.0.18362.592

[==========================100.0%==========================]
No component store corruption detected.
The operation completed successfully.

C:\WINDOWS\system32>
  5. Slight correction. I did not actually log off my wife's unprivileged account, I just switched to a privileged account to run sfc, while leaving her logged in. I would think that shouldn't matter, but as I said, I really don't understand Windows accounts and privileges.
  6. Okay, I did as you asked and logged in from a privileged account, then opened an elevated command prompt and got:

Microsoft Windows [Version 10.0.18362.592]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\WINDOWS\system32>
  7. Hello Maurice, my name is Rich. Thank you very much for taking the time to look at this for me, and for your crystal clear and easy-to-follow instructions. The whoami command returned "user". I believe that is the name of the original account created when setting up Windows 10. I've attached the two log files you requested. Please note that these are from the running system I restored from the start of the week with the earliest suspicious Audit Failure problems I found. So this is what I think of as a "good" system, except that event viewer still shows Audit Failure with System Integrity for ecmds.exe. If you want me to restore the image for the system when the account was missing and Thunderbird was unusable, please let me know and I can do that, and run the tool and provide the reports from that, too. Best regards, -Rich

Attachments: Addition.txt, FRST.txt
  8. Acer Aspire 5733Z running Windows 10 Home 64-bit version 1903 build 18362.592, running Eset Internet Security 13.0.24.0 in Automatic filtering mode. Had problems with the system getting extremely slow some months ago, did not suspect an infection. More recently, last week, had problem with Mozilla Thunderbird acting very strange, no accounts or folders shown at all, and layout controls didn't work. Uninstalled and reinstalled it, but that did not change the behavior. So I restored from a Macrium Reflect full image backup from the previous day, and that fixed it. A couple of days later, the Thunderbird problem returned. With a little more digging, it looked like the profile was missing or corrupted. I tried to switch to a different Windows account to see if Thunderbird worked better there, but then saw that the account I usually use was missing. I also noticed that another account, named "John Smith", was also missing. That account had appeared some months ago, but I thought my brother John had created it when he used the computer when he was at the house for Thanksgiving.

So I checked the Eset logs and found no problems, and started scanning for viruses using Windows Defender offline, and Eset online scan, and downloaded malwarebytes free. No problems found. So then I checked the event viewer security log and found a number of Audit Failure entries in the System Integrity category like this:

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Program Files\ESET\ESET Smart Security\ecmds.exe

There were also a number of failures in the Logon category, some of which looked very suspicious requesting all kinds of privileges I never heard of. So I found the oldest suspicious-looking Audit Failure, and did a full image restore from the beginning of the week in which it occurred. That also fixed the Thunderbird problem and brought back the Windows account that had been deleted (but not the "John Smith" account, which I found odd). The system has been fine for a couple of days now, but I'm worried there is still a problem that will resurface. I still get the Audit Failure for corrupt ecmds.exe, but not the alarming logon attempts.

Using google and searching on the eset website, I can find various reports that include corruption of \Device\HarddiskVolume2\Program Files\ESET\ESET Smart Security\ecmds.exe but nothing that identifies it as a smoking gun in an infection. Is it actually a smoking gun, or just an Eset or Windows screwup of some kind? I have a full image backup of the system made on the day that Thunderbird was broken and my account was missing, so I can easily mount it with Macrium Reflect, but don't know if I can extract the audit failures or other useful information. Any suggestions on what I could find from the mounted image? It wouldn't be very easy or convenient to restore that image to the computer and then run tools and create logs on it, but I could do that and post the results here if you think you could find something definitive. Of course I wouldn't want to leave it running in that state for long, so I wouldn't have it available for running experiments for more than a day or two. If restoring the image and running tools and extracting logs is the best thing, could you please point me at something explaining exactly what I should do to give the best chance of diagnosing and permanently fixing the problem? I've never had a virus infection on any system I've owned, and I've been a programmer since 1968, so this is new and scary territory for me :-)
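The audit entry quoted in the first post ("Code integrity determined that the image hash of a file is not valid") is Security-log Event ID 5038, and the same question comes up for the mounted Macrium image: the Security log inside it (Windows\System32\winevt\Logs\Security.evtx) can be read offline with Get-WinEvent -Path. The following PowerShell is an added example and is not code from the thread, from Malwarebytes or from ESET. It pulls the 5038/6281 events from either the live log or an exported/mounted .evtx, maps the \Device\HarddiskVolumeN path to a drive letter (the mapping and the G: mount letter are assumptions; confirm yours with fsutil volume list), and then checks each flagged binary's Authenticode signature and SHA-256 so "corrupt" can be separated into "signature no longer matches the bytes" versus "file missing" versus "actually fine".

```powershell
# Added example (not from the forum thread). Assumes elevated PowerShell on
# Windows 10; the mounted-image drive letter and the device-to-drive mapping
# are assumptions to be adjusted per machine.

function Get-CodeIntegrityFailure {
    [CmdletBinding()]
    param(
        # Security.evtx from a mounted image, e.g.
        # G:\Windows\System32\winevt\Logs\Security.evtx (G: is an assumption).
        # Omit to query the live Security log.
        [string]$EvtxPath
    )
    # 5038 = image hash of a file is not valid (the message quoted in the post);
    # 6281 = page hashes of an image file are not valid.
    $filter = @{ Id = 5038, 6281 }
    if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The rendered message ends with "File Name: <device path>"; take the
            # whole remainder of that line so paths with spaces survive intact.
            $m = [regex]::Match([string]$_.Message, 'File Name:\s*([^\r\n]+)')
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                DevicePath  = if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
            }
        }
}

function Test-FlaggedBinary {
    param(
        [Parameter(Mandatory)][string]$DevicePath,
        # Assumption: HarddiskVolume2 is the C: volume on this machine.
        [hashtable]$VolumeMap = @{ '\Device\HarddiskVolume2' = 'C:' }
    )
    $path = $DevicePath
    foreach ($dev in $VolumeMap.Keys) {
        if ($path.StartsWith($dev, [System.StringComparison]::OrdinalIgnoreCase)) {
            $path = $VolumeMap[$dev] + $path.Substring($dev.Length)
            break
        }
    }
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Exists = $false; Signature = $null; Signer = $null; SHA256 = $null }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path      = $path
        Exists    = $true
        Signature = $sig.Status                     # Valid, HashMismatch, NotSigned, ...
        Signer    = $sig.SignerCertificate.Subject  # expect an ESET subject for ecmds.exe
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

# Live system: each distinct flagged file checked once.
Get-CodeIntegrityFailure |
    Where-Object DevicePath |
    Sort-Object DevicePath -Unique |
    ForEach-Object { Test-FlaggedBinary -DevicePath $_.DevicePath } |
    Format-Table -AutoSize

# Mounted Macrium image (drive letter is an assumption): read its log, check
# the files on the mounted volume instead of the live one.
# Get-CodeIntegrityFailure -EvtxPath 'G:\Windows\System32\winevt\Logs\Security.evtx' |
#     Where-Object DevicePath | Sort-Object DevicePath -Unique |
#     ForEach-Object { Test-FlaggedBinary -DevicePath $_.DevicePath -VolumeMap @{ '\Device\HarddiskVolume2' = 'G:' } }
```

A Signature of HashMismatch means the bytes on disk no longer match what the signer hashed; it does not say who changed them, so an interrupted ESET update that left a stale binary and a deliberate patch look identical at this stage. The SHA256 column is what lets you tell them apart: compare it against the same file from a clean install of the same ESET version, and treat the pre-restore image's hash as the one worth preserving if it differs.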