Windows 10 account and Mozilla Firefox profile deleted

Acer Aspire 5733Z running Windows 10 Home 64-bit version 1903 build 18362.592, running Eset Internet Security 13.0.24.0 in Automatic filtering mode.

Had problems with the system getting extremely slow some months ago, did not suspect an infection. More recently, last week, had problem with Mozilla Thunderbird acting very strange, no accounts or folders shown at all, and layout controls didn't work. Uninstalled and reinstalled it, but that did not change the behavior. So I restored from a Macrium Reflect full image backup from the previous day, and that fixed it.

A couple of days later, the Thunderbird problem returned. With a little more digging, it looked like the profile was missing or corrupted. I tried to switch to a different Windows account to see if Thunderbird worked better there, but then saw that the account I usually use was missing. I also noticed that another account, named "John Smith", was also missing. That account had appeared some months ago, but I thought my brother John had created it when he used the computer when he was at the house for Thanksgiving. So I checked the Eset logs and found no problems, and started scanning for viruses using Windows Defender offline, and Eset online scan, and downloaded malwarebytes free. No problems found.

So then I checked the event viewer security log and found a number of Audit Failure entries in the System Integrity category like this:

Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Program Files\ESET\ESET Smart Security\ecmds.exe

There were also a number of failures in the Logon category, some of which looked very suspicious requesting all kinds of privileges I never heard of.

So I found the oldest suspicious-looking Audit Failure, and did a full image restore from the beginning of the week in which it occurred. That also fixed the Thunderbird problem and brought back the Windows account that had been deleted (but not the "John Smith" account, which I found odd). The system has been fine for a couple of days now, but I'm worried there is still a problem that will resurface. I still get the Audit Failure for corrupt ecmds.exe, but not the alarming logon attempts.

Using google and searching on the eset website, I can find various reports that include corruption of 

\Device\HarddiskVolume2\Program Files\ESET\ESET Smart Security\ecmds.exe

but nothing that identifies it as a smoking gun in an infection. Is it actually a smoking gun, or just an Eset or Windows screwup of some kind?

I have a full image backup of the system made on the day that Thunderbird was broken and my account was missing, so I can easily mount it with Macrium reflect, but don't know if I can extract the audit failures or other useful information.  Any suggestions on what I could find from the mounted image? It wouldn't be very easy or convenient to restore that image to the computer and then run tools and create logs on it, but I could do that and post the results here if you think you could find something definitive. Of course I wouldn't want to leave it running in that state for long, so I wouldn't have it available for running experiments for more than a day or two. If restoring the image and running tools and extracting logs is the best thing, could you please point me at something explaining exactly what I should do to give the best chance of diagnosing and permanently fixing the problem? I've never had a virus infection on any system I've owned, and I've been a programmer since 1968, so this is new and scary territory for me :-)

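The audit failures asked about above can be pulled from the mounted image without restoring it: the Security log is an ordinary .evtx file under the mounted volume, and Get-WinEvent reads such a file by path. The following PowerShell is an added example, not code from this thread; it assumes the image is mounted as drive X: (placeholder), and that the quoted "image hash of a file is not valid" entries are Security event ID 5038 and the Logon-category failures are event ID 4625.

```powershell
# Added example (not from the thread): read the Security log of a mounted
# backup image and list the Code Integrity and logon audit failures in it.
# Assumptions: the image is mounted as X: (placeholder drive letter), the
# quoted "image hash of a file is not valid" entries are event ID 5038, and
# the Logon-category failures are event ID 4625.
$MountedDrive = 'X:'
$SecurityLog  = Join-Path $MountedDrive 'Windows\System32\winevt\Logs\Security.evtx'

if (-not (Test-Path -LiteralPath $SecurityLog)) {
    throw "Security.evtx not found at $SecurityLog - check the mount drive letter."
}

# Get-WinEvent reads an .evtx by path; the hashtable filters on event ID.
$events = Get-WinEvent -FilterHashtable @{ Path = $SecurityLog; Id = 5038, 4625 } `
                       -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No 5038/4625 events in $SecurityLog"; return }

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($e.Id -eq 5038) {
        # 5038 stores the failing file's path in its single 'param1' field.
        $detail = $data['param1']
    } else {
        # 4625: which account, how it tried to log on, and from where.
        $detail = '{0}\{1} LogonType={2} Status={3} From={4}' -f $data['TargetDomainName'],
                  $data['TargetUserName'], $data['LogonType'], $data['Status'], $data['IpAddress']
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Detail = $detail }
}

# Oldest first, so the earliest suspicious entry is at the top; that timestamp
# is what the poster used to choose a restore point.
$sorted = $rows | Sort-Object Time
$sorted | Format-Table -AutoSize
$sorted | Export-Csv -Path (Join-Path $env:USERPROFILE 'Desktop\mounted-image-audit-failures.csv') `
                     -NoTypeInformation

# Which files failed the hash check and how often. A single AV binary with no
# other files affected points at an install/update problem rather than disk
# damage or tampering across the system.
$sorted | Where-Object Id -eq 5038 | Group-Object Detail | Sort-Object Count -Descending |
    Select-Object Count, Name
```

The CSV on the desktop is what to attach to a support ticket; the grouped 5038 list answers directly whether ecmds.exe is the only file Code Integrity complained about.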

Hi.

My name is Maurice.   Let me know what first name you prefer to go by.

Sometimes Windows may have conditions such that it cannot load the default user-profile  ( your normal one).

So be on the lookout for that.

This pc is running  Windows 10 build 1903.

You should do what follows to verify what profile is logged in. Press and hold the Windows-key on the keyboard and tap the X key and then tap the A key

[ to get the Windows Command prompt in an elevated mode ]

then type in

whoami

and tap the Enter-key.   Look at the profile reported  ( displayed ).

.

I would like to have you run a report tool known as FRST. This has no personal information. It is well-known, widely used & safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.


1: Please download FRST from the link below and save it to your desktop:

"Download link for 32-Bit version Windows"

"Download link for 64-Bit Version Windows"

Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Run report with FRST

Right-click on the FRST icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

_Windows 8 or 10 users will be prompted about Windows *SmartScreen protection* - click the More info line on that screen and click the Run anyway button on the next screen._
Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & follow up & choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the *disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.


The tool will produce 2 logfiles on your desktop: FRST.txt, Addition.txt
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.
Thank you.

Hello Maurice, my name is Rich.

Thank you very much for taking the time to look at this for me, and for your crystal clear and easy-to-follow instructions.

The whoami command returned "user". I believe that is the name of the original account created when setting up Windows 10.

I've attached the two log files you requested. Please note that these are from the running system I restored from the start of the week with the earliest suspicious Audit Failure problems I found. So this is what I think of as a "good" system, except that event viewer still shows Audit Failure with System Integrity for ecmds.exe. If you want me to restore the image for the system when the account was missing and Thunderbird was unusable, please let me know and I can do that, and run the tool and provide the reports from that, too.

Best regards,

 -Rich

Addition.txt FRST.txt


Hi Rich.

Thanks for the FRST reports. There is no need to be considering an image restore at this time.

Check your P.M.

I want to be sure that you are logging in with your usual account. But in any event, I need you to be logged in with one that has rights of Administrator.

.

I would like for you to do a check with Windows System File Checker.

This procedure will use the Windows System File Checker tool  ( SFC ).

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.
It is best to use Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.
To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin).
On that command prompt, copy & paste this command:
sfc /scannow


p.s. I need you to LOGOFF from Windows and login with one of the other accounts I mentioned in the Personal Message.

The reports show you were logged in with an account that has "limited" rights.


Okay, I did as you asked and logged in from a privileged account, then opened an elevated command prompt and got:

Microsoft Windows [Version 10.0.18362.592]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\WINDOWS\system32>


Slight correction. I did not actually log off my wife's unprivileged account, I just switched to a privileged account to run sfc, while leaving her logged in. I would think that shouldn't matter, but as I said, I really don't understand Windows accounts and privileges.


Thanks for the detail on SFC.

As to the logged in account, it is imperative that while we work this whole case, the pc be logged in with the account that has Administrator rights.

Otherwise, we will run into faults due to not having full access rights.   Please be sure of the account you are on.

I need for you to be logged out of your spouse's limited account.

.

What follows below is a couple of commands (to be run one at a time) on an elevated Command prompt.

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.
It is best to use Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.
To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin).
On that command prompt, copy & paste this command:

DISM /Online /Cleanup-Image /CheckHealth

Tap the Enter-key and let it proceed. Monitor it. Wait for it to finish.

Next COPY & Paste this into the Command-prompt-window:

DISM /Online /Cleanup-Image /ScanHealth

Tap the Enter-key and let it proceed. Monitor it. Wait for it to finish.


Hi Maurice. I followed your instruction and signed out of my wife's account, then signed in to my Administrator account. Actually, I rebooted before signing in, just for good measure. I actually signed in to what shows up on the account selection list as the "John Smith" account, as it turns out that account is connected to my Microsoft account, but my Microsoft account had the name "John Smith" on it, something I probably did on the Microsoft website to annoy Microsoft spies. Yesterday I changed that name back to my own name on accounts.microsoft.com, but it still shows up as "John Smith" on the PC, even after the reboot and logging in to it with my Microsoft account password. So I'm thinking that there was no account deletion that happened, but rather that the name of the account shown on the lock screen changed from my own name to "John Smith" sometime long after I had made that change on accounts.microsoft.com, and perhaps my name will start showing up again, and "John Smith" will disappear, on the lock screen sometime in the distant future.

So I guess my only real visible symptom of an infection was the corruption of the Thunderbird profile, which happened once, survived a reinstall of Thunderbird, was fixed by an image restore to the previous day, happened again a day or two later, then was fixed by an image restore to a time before the earliest suspicious logon Audit Failure, and has been working for a week or two since then. So the System Integrity audit failure on the Eset program ecmds.exe is the worst thing I currently see.

Back to what you asked for:

Microsoft Windows [Version 10.0.18362.592]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>DISM /Online /Cleanup-Image /CheckHealth

Deployment Image Servicing and Management tool
Version: 10.0.18362.1

Image Version: 10.0.18362.592

No component store corruption detected.
The operation completed successfully.

C:\WINDOWS\system32>DISM /Online /Cleanup-Image /ScanHealth

Deployment Image Servicing and Management tool
Version: 10.0.18362.1

Image Version: 10.0.18362.592

[==========================100.0%==========================] No component store corruption detected.
The operation completed successfully.

C:\WINDOWS\system32>


Hi. Thank you so much for the results of the 2 DISM applet tools. Kudos.

So you indicate that the Thunderbird issue is now not happening any more.

That your one slight concern is the possible false positive on the ESET ecmds.exe  by Windows Defender.

(I have to say my first focus was always on the login account and access rights with your login).

If the current concern at this point is the ESET,  I would highly recommend that you contact ESET Support.

Another item to have ESET advise you about is one of their DLL files.   EAMSI.dll

The FRST report showed Windows system reporting several instances like this.

CodeIntegrity:
===================================

Date: 2020-01-26 12:54:56.515
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\ESET\ESET Smart Security\eamsi.dll that did not meet the Windows signing level requirements.

Check with ESET Support.   See what they advise.


Wow, great, thank you so much for working this with me. I'm really sorry about that red herring with the Windows account, it sure had me fooled. It wasn't until I saw the "John Smith" name at accounts.microsoft.com that it occurred to me it could have been caused by something I'd done. The interval of time between when I made the change online and when I saw the name on the lock screen was so great that I just didn't think of any connection between that and the Win 10 lock screen. My wife's computer does use logons through Microsoft accounts, but on my own Win 10 PC I only have local accounts, making the connection all the more surprising to me.

I'll certainly check with Eset support on the two issues with their files. I had checked around previously on the ecmds issue, and was surprised I couldn't find anything from them about it, part of the reason I went to malwarebytes. Now that you've also found a problem with eamsi.dll, I'll press them directly about the issues. I've been paying license fees for quite a few years now, so I think they owe me an explanation.

So I guess you can close this now.

When/if I get any useful information from Eset support, I'll report back here, as this is an excellent repository of information about security problems. And I imagine you might have a niggling curiosity about it, too. Though I can't imagine the level of patience you have in delving into the details of so many log files sent by so many bewildered users 🙂

Have a good evening!


I wholly understand.  Yes, it can get quite involved.   I had a good amount of concern about access rights potentially being involved.

As long as you are able to login and see your documents and files,  then that is a relief.

You are very welcome.  I'll keep this case open for the meantime.

Cheers.


Here's what happened with Eset tech support, who were really quite responsive (I was pleasantly surprised). I submitted a report of a possible infection which required my license key. I described the issue and provided a link to this forum discussion, highlighting the corruption of ecmds.exe reported by event viewer, as well as the corruption of eamsi.dll you had found in the FRST log, and noting that the FRST reports were available to download from here.

The initial response was a generic one saying that corruption of Eset files can occur for several non-suspicious reasons such as installing an updated version over an old version, an interrupted installation, or other things like installation of other 3rd-party software. They recommended doing a manual uninstall according to http://support.eset.com/zap/kb2289/ and then reinstalling. They also asked that I download and run their Eset Log Collector tool, which I did.

I balked at the complexity of the manual uninstall, and asked why not simply try Windows add/remove programs. They replied that I certainly could try add/remove programs first, just being aware that it might not be enough, that the manual uninstall might be necessary to fix the corruption issues. But they also noted that the Eset Log collector showed some unusual settings for Eset, and asked me to confirm if I was aware of these settings, in particular: 

  • Media to Scan- Local Drives - disabled
  • Scan on- file open - disabled
  • Scan on- file creation - disabled
  • Scan on- file execution - disabled
  • SSL Protocol Checking - disabled

So I checked those settings, and sure enough that's what the installed version of Eset showed. But I'm quite sure I had never made those changes to Eset's default settings. And I'm certain my wife didn't change them either, as she doesn't know what Eset is. So I'd say that's very clear evidence of malware that had been on her computer at some point. The settings on my own computer, which had not had any problem with Thunderbird, but did show the same kind of corruption of ecmds, were normal. I did not run FRST on my own computer, so I don't know if it also had the problem with eamsi.dll.

Anyway, I used add/remove to remove Eset from my wife's computer, then reinstalled it. It installed normally and started its initial scan. I confirmed that its settings were normal, no disabled scans, and I checked  Event Viewer's Security log and found no complaints about ecmds.exe. So I'm thinking it's finally clean :-). Now I'll do the same on my own computer to get rid of complaints about ecmds, and go on my merry way.

Once more, thank you for all your help!

 -Rich
