
Firefox update pop up



  • Root Admin

 

Hello @CCWTech

I assume you're aware of this remote control software running on this computer?

R3 QuickControlService; C:\Program Files (x86)\Lenovo\QuickControl\QuickControlService.exe [317224 2014-12-05] (Lenovo Group Limited)
R2 ScreenConnect Client (61e735463d3bf1de); C:\Program Files (x86)\ScreenConnect Client (61e735463d3bf1de)\ScreenConnect.ClientService.exe [90768 2017-06-14] ()

R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10813680 2017-07-26] (TeamViewer GmbH)

S2 GoToAssist Remote Support Customer; "C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_service.exe" "Start=service" [X]

 

This also appears to be a business computer? You may wish to have your IT Support Department take a look at the system.

 

From the Event Logs section

 

Application errors:
==================
Error: (08/15/2017 08:51:02 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (08/14/2017 06:55:27 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: RestorePointHandler.exe, version: 1.1.0.0, time stamp: 0x5840d416
Faulting module name: KERNELBASE.dll, version: 6.1.7601.23864, time stamp: 0x595fa988
Exception code: 0xe0434352
Fault offset: 0x000000000001a06d
Faulting process id: 0xbd8
Faulting application start time: 0x01d31561221549fb
Faulting application path: C:\Users\bpack\Documents\CCW Technology Remote Support\Temp\TechSuite\Tools\x64_Create Restore Point\RestorePointHandler.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 6ce0d89f-8154-11e7-a171-5ce0c58ce370

Error: (08/14/2017 06:55:25 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: RestorePointHandler.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.FormatException
   at System.DateTimeParse.ParseExact(System.String, System.String, System.Globalization.DateTimeFormatInfo, System.Globalization.DateTimeStyles)
   at RestorePointHandler.Program.ListRestorePoints()
   at RestorePointHandler.Program.Main(System.String[])

Error: (08/14/2017 05:11:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamservice.exe, version: 3.1.0.479, time stamp: 0x58f6af02
Faulting module name: mbamservice.exe, version: 3.1.0.479, time stamp: 0x58f6af02
Exception code: 0xc0000005
Fault offset: 0x0000000000310230
Faulting process id: 0x1cb0
Faulting application start time: 0x01d3155191660552
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
Report Id: e02e9960-8145-11e7-a171-5ce0c58ce370

Error: (08/14/2017 04:57:52 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (08/13/2017 07:19:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 376134

Error: (08/13/2017 07:19:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 376134

Error: (08/13/2017 07:19:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (08/13/2017 07:13:29 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1139

Error: (08/13/2017 07:13:29 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1139


System errors:
=============
Error: (08/15/2017 08:51:02 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
ndisrd

Error: (08/15/2017 08:50:56 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The GoToAssist Remote Support Customer service failed to start due to the following error: 
The system cannot find the file specified.

Error: (08/15/2017 08:50:53 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Error: (08/15/2017 08:50:53 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain BOE due to the following: 
There are currently no logon servers available to service the logon request.


This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (08/14/2017 10:02:53 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: BOE)
Description: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

Error: (08/14/2017 05:11:18 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Malwarebytes Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (08/14/2017 05:00:22 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Lenovo Platform Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/14/2017 04:57:52 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
ndisrd

Error: (08/14/2017 04:57:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The GoToAssist Remote Support Customer service failed to start due to the following error: 
The system cannot find the file specified.

Error: (08/14/2017 04:57:49 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

 

Let me have you run the following.

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

STEP 02

 

Please run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

Restart the computer and let me know if the issue is resolved or not.

Thanks

Ron
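
The service triage done by eye in the post above, as an added example that is not part of the original post or of FRST itself: a Python parser for the four FRST service lines quoted there, flagging remote-access tools, auto-start entries, missing binaries and empty publisher fields. The reading of the line format (R/S/U = running/stopped/undetermined, digit = start type, `[X]` = file not found) is an assumption based on FRST's log conventions; the watchlist and the function names are hypothetical.

```python
import re

# The four service lines quoted from the FRST log in the post above.
SAMPLE = r'''
R3 QuickControlService; C:\Program Files (x86)\Lenovo\QuickControl\QuickControlService.exe [317224 2014-12-05] (Lenovo Group Limited)
R2 ScreenConnect Client (61e735463d3bf1de); C:\Program Files (x86)\ScreenConnect Client (61e735463d3bf1de)\ScreenConnect.ClientService.exe [90768 2017-06-14] ()
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10813680 2017-07-26] (TeamViewer GmbH)
S2 GoToAssist Remote Support Customer; "C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1092\g2ax_service.exe" "Start=service" [X]
'''

# Assumption: the watchlist holds only the products named in the post.
REMOTE_TOOLS = ("quickcontrol", "screenconnect", "teamviewer", "gotoassist")

# <state><start type> <name>; <path> [<size> <date>] (<publisher>)   or   ... [X]
LINE = re.compile(
    r'^(?P<state>[RSU])(?P<start>\d) (?P<name>.+?); (?P<path>.+?)'
    r'(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>.*)\)| \[X\])$')

def parse_services(text):
    """Return one dict per FRST service line; other lines are skipped."""
    services = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            svc = m.groupdict()
            svc["missing"] = svc["size"] is None   # "[X]": file not found on disk
            services.append(svc)
    return services

def triage(services):
    """Map service name -> reasons it deserves a second look."""
    findings = {}
    for s in services:
        reasons = []
        if any(t in (s["name"] + s["path"]).lower() for t in REMOTE_TOOLS):
            reasons.append("remote-access tool")
            if s["start"] in ("0", "1", "2"):      # boot, system or automatic start
                reasons.append("auto-start")
        if s["missing"]:
            reasons.append("binary missing")
        elif not s["publisher"]:
            reasons.append("empty publisher field")
        if reasons:
            findings[s["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(parse_services(SAMPLE)).items():
        print(f"{name}: {', '.join(reasons)}")
```

Each flagged entry is a prompt to confirm with whoever administers the machine that the tool is expected there, not a verdict that it is malicious.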

 


Here is the ADWCleaner log. I'll run TFC now and report back on the issue:

# AdwCleaner 7.0.1.0 - Logfile created on Wed Aug 16 12:29:53 2017
# Updated on 2017/05/08 by Malwarebytes 
# Running on Windows 7 Professional (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

No malicious folders deleted.

***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

No malicious registry entries deleted.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [1168 B] - [2017/7/27 19:11:43]
C:/AdwCleaner/AdwCleaner[C1].txt - [1518 B] - [2017/8/14 22:57:8]
C:/AdwCleaner/AdwCleaner[S0].txt - [1137 B] - [2017/7/27 19:10:27]
C:/AdwCleaner/AdwCleaner[S1].txt - [1385 B] - [2017/8/14 22:56:18]
C:/AdwCleaner/AdwCleaner[S2].txt - [1223 B] - [2017/8/16 12:27:10]
C:/AdwCleaner/AdwCleaner[S3].txt - [1291 B] - [2017/8/16 12:28:55]


########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt ##########


  • Root Admin

I'm inclined to believe that maybe a shortcut for Firefox is compromised or some extension is still installed, but let's try the following please.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

 


  • Root Admin

Okay. What I think is happening is there are .json config files that keep referencing each other. I think you'll need to export your bookmarks. Disable sync if the user is using it. Then uninstall Firefox and remove all of the associated folders such as these below.

C:\ProgramData\Mozilla\
C:\Program Files\Mozilla Firefox
C:\Users\<user profile name>\AppData\Local\Mozilla
C:\Users\<user profile name>\AppData\LocalLow\Mozilla
C:\Users\<user profile name>\AppData\Roaming\Mozilla

Then restart the computer and reinstall Firefox and import your bookmarks back and pretty sure that will fix it.

If I knew the inner workings of the configuration files better in Firefox we could probably play around with those but a clean removal and reinstall should probably be faster and a cleaner result.

Please give that a try and let me know.

Ron

 

 


  • Root Admin

But the removal did correct it, did it not?

My point being that - are you sure all traces in the file system and registry were removed before? Is the user running some specific plugin? Or visiting any sites that seem a bit out of the norm?

I can look at logs again, but I don't think it's an actual infection so much as it may be either a program or file association issue for the browser. Though if so I'd think a new install would have corrected that.

As a Tech then, can you run Microsoft Process Monitor and Explorer to take a closer look at what may be behind it running?

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

I could be wrong, but I'm just not seeing anything, you're not seeing anything, and multiple scanners are not seeing anything.

Let me know your thoughts on this too and I'll be glad to help you research or track down what's going on here.

Ron

 


I don't think it ever was gone. It's very intermittent. I have looked at the browsing history of the user and there is nothing remarkable as far as going to a site that is potentially impacted. We also use a content filtering system to help prevent viruses.

Since it's so intermittent, I have difficulty reproducing it. I can spend an hour on the computer and have no issues so unless I can log a couple of days with process-explorer / procmon. Is there a logging feature or is it just real time?


  • Root Admin

There are ways to do long term logging but not really designed for such intermittent behavior over days (it might catch it but I'd have my doubts). As a test, can't you uninstall Firefox and let the user use IE or Chrome, or Opera for a few days?

 


  • Root Admin

Don't mean for him to use long term as that makes it sound like we can't find the issue. But a couple days on another browser with Firefox removed should help to confirm there are no ongoing issues and it's simply something going on with Firefox.

I can leave open for now and you can let me know if you do want to dig into it deeper, but probably a money losing proposition for you too at this point.

Cheers

Ron

 

