Search the Community
Showing results for tags 'audit-failure'.
Found 1 result
Acer Aspire 5733Z running Windows 10 Home 64-bit version 1903 build 18362.592, running Eset Internet Security 220.127.116.11 in Automatic filtering mode. Had problems with the system getting extremely slow some months ago, did not suspect an infection. More recently, last week, had problem with Mozilla Thunderbird acting very strange, no accounts or folders shown at all, and layout controls didn't work. Uninstalled and reinstalled it, but that did not change the behavior. So I restored from a Macrium Reflect full image backup from the previous day, and that fixed it. A couple of days later, the Thunderbird problem returned. With a little more digging, it looked like the profile was missing or corrupted. I tried to switch to a different Windows account to see if Thunderbird worked better there, but then saw that the account I usually use was missing. I also noticed that another account, named "John Smith", was also missing. That account had appeared some months ago, but I thought my brother John had created it when he used the computer when he was at the house for Thanksgiving. So I checked the Eset logs and found no problems, and started scanning for viruses using Windows Defender offline, and Eset online scan, and downloaded malwarebytes free. No problems found. So then I checked the event viewer security log and found a number of Audit Failure entries in the System Integrity category like this: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. File Name: \Device\HarddiskVolume2\Program Files\ESET\ESET Smart Security\ecmds.exe There were also a number of failures in the Logon category, some of which looked very suspicious requesting all kinds of privileges I never heard of. So I found the oldest suspicious-looking Audit Failure, and did a full image restore from the beginning of the week in which it occurred. That also fixed the Thunderbird problem and brought back the Windows account that had been deleted (but not the "John Smith" account, which I found odd). The system has been fine for a couple of days now, but I'm worried there is still a problem that will resurface. I still get the Audit Failure for corrupt ecmds.exe, but not the alarming logon attempts. Using google and searching on the eset website, I can find various reports that include corruption of \Device\HarddiskVolume2\Program Files\ESET\ESET Smart Security\ecmds.exe but nothing that identifies it as a smoking gun in an infection. Is it actually a smoking gun, or just an Eset or Windows screwup of some kind? I have a full image backup of the system made on the day that Thunderbird was broken and my account was missing, so I can easily mount it with Macrium reflect, but don't know if I can extract the audit failures or other useful information. Any suggestions on what I could find from the mounted image? It wouldn't be very easy or convenient to restore that image to the computer and then run tools and create logs on it, but I could do that and post the results here if you think you could find something definitive. Of course I wouldn't want to leave it running in that state for long, so I wouldn't have it available for running experiments for more than a day or two. If restoring the image and running tools and extracting logs is the best thing, could you please point me at something explaining exactly what I should do to give the best chance of diagnosing and permanently fixing the problem? I've never had a virus infection on any system I've owned, and I've been a programmer since 1968, so this is new and scary territory for me :-)