
Hello, I had a problem with my computer a month ago, which turned out to be nothing, and received great help, I'm hoping you guys can help me again here. I hope this is the right section to post it.

I've only noticed it this past weekend, but it all seems to have started April 11, after installing Windows patches. For what it's worth, the Malicious Software Removal Tool is listed as failed in update history, even though it was downloaded and had run. I even downloaded it directly from Microsoft, confirming it was updated. Every time it runs, it completes and seems to have done just fine, but Reliability Monitor reports that it crashes, but I've seen this reportedly elsewhere.

What's really strange and confusing is that a strange event is being recorded by Event Viewer. The ID is 16962, source Directory-Services-SAM, the text is: "Remote calls to the SAM database are being restricted using the default security descriptor: ."

This event happens every restart, before I log into my account, and seems to be related to LSASS. I googled for hours to find almost nothing about this particular event, and when I do, it's about Windows Server which I don't have. The event seems to be security related, but there's no way anything remote could be trying to access at the time, because I have wifi disabled, and the router isn't on... there is no network connectivity at all.

I have run numerous scans both quick and full with MB, MB Anti Rootkit, McAfee, HitmanPro, Sophos, all of which come back clean.

I've posted logs from FARBAR, hoping someone can shine some light on what might be causing this, if it's malware, a bad file, or something else. I didn't change any of the scan settings on FARBAR, please let me know if I've scanned and posted properly.

Addition.txt

FRST.txt


Edit: I wanted to add, there also seems to be strange activity in WMI-Activity section of events as well involving Security Center. Errors with NT AUTHORITY/SYSTEM as the user, the text includes " Start IWbemServices::DeleteInstance - root\SecurityCenter : AntiSpywareProduct".

Edited by guest11
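A defender-side check for the event described in the post above, added here as an example and not code from the thread or from Malwarebytes: it pulls the Directory-Services-SAM events from the System log, flags whether each one was written within a couple of minutes of the last boot (before any session or network was up, as the poster observed), and reads the local policy value that governs which clients may make remote calls to the SAM. The provider name 'Microsoft-Windows-Directory-Services-SAM', the registry value 'RestrictRemoteSam' under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, and the two-minute boot window are my assumptions, not details given in the thread.

```powershell
# Added example (not from the original post).
# Assumptions: the events live in the System log under the provider
# 'Microsoft-Windows-Directory-Services-SAM', and the remote-SAM policy is
# stored as the REG_SZ value 'RestrictRemoteSam' (an SDDL string) under
# HKLM:\SYSTEM\CurrentControlSet\Control\Lsa.

function Get-SamRestrictionEvents {
    param([int]$MaxEvents = 20)
    $filter   = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Directory-Services-SAM' }
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                Id           = $_.Id
                Level        = $_.LevelDisplayName
                # True when the event was written within two minutes of boot,
                # i.e. before any interactive logon or network link existed.
                LoggedAtBoot = [math]::Abs(($_.TimeCreated - $lastBoot).TotalMinutes) -le 2
                # First line of the message is enough to see which descriptor was applied.
                Message      = ($_.Message -split "`r?`n")[0]
            }
        }
}

function Get-RestrictRemoteSamPolicy {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sddl = (Get-ItemProperty -Path $key -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
    if ([string]::IsNullOrEmpty($sddl)) {
        # No explicit policy: Windows falls back to its built-in descriptor,
        # which is the condition the 16962 message text reports.
        return [pscustomobject]@{ Configured = $false; Sddl = $null; AllowedPrincipals = @() }
    }
    # Decode the SDDL so the allowed principals read as account names, not raw SIDs.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $principals = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $ace.SecurityIdentifier.Value }
    }
    [pscustomobject]@{ Configured = $true; Sddl = $sddl; AllowedPrincipals = @($principals) }
}

# Usage: run from an elevated PowerShell prompt.
$policy = Get-RestrictRemoteSamPolicy
if ($policy.Configured) {
    "RestrictRemoteSam is set: $($policy.Sddl)"
    "Remote SAM calls allowed for: $($policy.AllowedPrincipals -join ', ')"
} else {
    "RestrictRemoteSam is not configured; the default descriptor applies."
}
Get-SamRestrictionEvents | Format-Table -AutoSize
```

If every 16962 entry shows LoggedAtBoot as True and the policy value is absent, the event is LSASS announcing the descriptor it will enforce for the rest of the session, not a record of an inbound connection; a separate policy decision is whether to set RestrictRemoteSam explicitly so that the allowed principals are spelled out rather than inherited from the default.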

  • Root Admin

Overall the logs don't seem to indicate any infection. A few errors in the system. Let's go ahead and do some scans though to make sure.


Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed, make sure to re-enable your antivirus.

STEP 02

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.


Thanks


I downloaded and scanned with JRT, turned AV off, tried to run as administrator but each time it opened JRT said it wasn't running as administrator. The scan came up with nothing, File System: 0 and Registry: 0. During the scan, it also closed Firefox and CurrPorts, not sure if that's relevant.

Downloaded AdwCleaner, ran it and it opened CCC.exe for some reason then told me I needed to download a newer version. I downloaded the newer version, scanned, came back clean. I clicked the clean button and attached the log that opened on reboot. There was another log, but it had no information other than no malicious items found under everything.

I already had Sophos downloaded, I updated the database and scanned, everything clean.

And finally ran Farbar again, attaching the new logs.

AdwCleaner[C0].txt

FRST.txt

Addition.txt


  • Root Admin

Just not seeing anything obvious that would account for slow startup, shutdown, etc. You could trim down some things from starting but not sure there would be enough there for a fix.

Maybe check the hard drive with Seagate Tools or Western Digital tools depending on what Manufacturer drive you're using, to make sure it's not starting to fail.

You could also open a new topic in the PC General Help forum or see if Microsoft Support at the forum or Answers site can help you track down the issue.


I downloaded SeaTools and ran the quick self scan and the long generic scan (I'm not familiar with this program, so I'm hoping I did it right), and both of them passed. Please let me know if there was another setting I should have used on the scan.

The slow restarts seemed to have stopped. I actually haven't shutdown the computer in some time, do you think a shutdown overnight or a shutdown and removing the power cord would help at all?

And just to be sure, you don't believe this to be security related? There was a blog post on Microsoft that implied this event is generated by a remote attack, although the blog post pertains to Windows Server 2016, and I have no idea why it would show up while running Windows 8.1. The post is here if you're interested: https://blogs.technet.microsoft.com/datacentersecurity/2017/01/30/windows-server-2016-security-auditing/

I think I will try PC Help section here if I can't find the issue.


  • Root Admin

Just as an added security measure. Try doing a factory reset on your router. Then change the administrator password and make sure it is a secure password.

Make sure your firewall is enabled as well. Otherwise, it looks like things are okay. Doing a dedicated one-on-one remote attack is a very advanced skill set and takes time that unless you have something of real value to gain it just isn't worth the time for someone to sit down and attack your machine remotely. There are all types of probes where people are looking for openings, but that's all automated.



I wasn't really concerned it was a real-time attack, because the event is generated when the computer is in the process of booting up, usually right after filters load. At that time the router is off, ethernet cable is unplugged, there's no wireless capabilities, no network at all. I figured it must have been something programmed to run during boot. Do you think I should still reset the router?


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance, please start your own topic in a new thread. Thanks!
