
A suspicious cumulation of errors, and a sudden (& puzzling) detection.



Hello,

over the last few weeks I encountered a few (mostly singular) events on my PC that raised an eyebrow. The cumulation however seems suspicious.

From the back of my head, here’s the list:

  • experienced on two different days: no browsers suddenly loading any websites (or at least extremely slow) while other devices on the same network did without any problem; a reboot “solved” it
  • triggered by one of these events, I tried opening the Windows Security screen for a scan but it was also loading “forever” (I assumed it was for some reason also waiting for an internet connection). This only happened once so far.
  • another day when booting the PC I was greeted by a “windows welcome screen” (sadly I can’t really tell what it was all about; I expected an error I knew from the past – namely a failed initialization of the windows account – pressed a “later” button; though only to find the desktop appear as expected); I checked the Windows update history but it didn’t list anything new
  • another day when booting the PC instead of the windows loading screen the monitors stayed blank – after a few minutes of waiting I restarted the machine and all worked fine.
  • two days ago, when booting my PC Dashlane reported an error message; “This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.” First error message I ever received from that application on my machine. Though a reinstall wasn’t necessary, I started the application again right after the error message and it worked.

Over the course of these weeks I ran various scans (MWB full scan; Windows Offline Scan; Kaspersky Rescue Disc complete scan; Microsoft Safety Scanner) but nothing was ever found.

Then yesterday Malwarebytes suddenly reported a trojan during its daily routine file scan, but the find was rather puzzling, since it was a log file of Acrobat DC (NGLClient_AcrobatDC112.0.log). Before pressing the quarantine button I uploaded the log to VirusTotal, though not a single scanner detected anything (including the Malwarebytes one). Here’s the report url: https://www.virustotal.com/gui/file/04903c579e29d1352d77d545afeea52a0288e4af28877690871ed1470388f118/details

Thanks kindly in advance,

Daniel

Addition.txt FRST.txt 2020-04-07-mwb-report.txt


Hi, Daniel.

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach all report files, etc. that I ask for as we go along.

You reported running MWB full scan; Windows Offline Scan; Kaspersky Rescue Disc complete scan; Microsoft Safety Scanner, and that those reported no malware. That is good to know.

This last Malwarebytes scan tagged a .LOG file in a TEMP folder  C:\USERS\AOSMOSIS RECORDS\APPDATA\LOCAL\TEMP

The Malwarebytes on this pc needs to be updated to the latest definitions & latest component package.   I will guide you on that.

 

I also wanted to point out a couple of things, on some of what you described.

Quote

another day when booting the PC I was greeted by a “windows welcome screen” (sadly I can’t really tell what it was all about; I expected an error I knew from the past – namely a failed initialization of the windows account – pressed a “later” button; though only to find the desktop appear as expected); I checked the Windows update history but it didn’t list anything new

That sounds very much like an occasion when Windows, on startup, failed to load into your normal / regular login account. You need to watch for that & be able to recognize that type of event. While normally a Windows welcome screen with some sort of graphic in the background happens on a new build of Windows, this may happen on a user-profile load failure!

In the latter event, you want to go to a Command prompt window and type in

whoami

and then see what the system echoes back on screen.  You will see the machine id\user-login-account name

IF it is not your profile, then do a Logoff  & log back in or else, do a hard Windows restart.

 

The other one mentioned

Quote

another day when booting the PC instead of the windows loading screen the monitors stayed blank – after a few minutes of waiting I restarted the machine and all worked fine.

may just be a one-off event.

.

Keep in mind, we here on the malware-removal-help section will help you check for malware.  Other things outside of that, we may need to point you elsewhere.

.

Thanks for the FRST reports. Since this Windows is set to the German language & thus the FRST notations can appear in German, I would ask that you do me a small favor.

Locate the FRST64.exe  on the Downloads folder.  Do a right-click on FRST64.exe with your mouse.  Select RENAME.   rename it to FRSTENGLISH.exe  and tap Enter-key to make the change.  That will help me possibly later on, if we should need to re-use that tool.

 

Tell me, are you perhaps getting expert help on some other forum?  I see the file FSS.exe  was very recently downloaded.

 

I would like us to start with updating Malwarebytes for Windows.

Start Malwarebytes.  Click the Settings icon at the top.  Look on the General tab.

Find & click the button marked "Check for Updates".

Report to me the results, please.

Click on the About tab.

Do you see on there  "COMPONENT Package"    1.0.867

 

[   2   ]

Let’s please try to get and run a special report tool from Microsoft.

It does not make changes. It will be just a report.

 

  • Please download Sysinternals Autoruns from here and save it to your desktop.
  • Note: you also need to do the following:
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK


Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...

In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:

  • Include empty locations
  • Hide Microsoft entries
  • Hide Windows entries


Verify that the following is checked, if it is unchecked, check it:

  • Verify code signatures


Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.


Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

 

Thank you.

 

 

Edited by Maurice Naggar
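As an added illustration of the whoami check described above (example code, not from the forum post or from Malwarebytes): a PowerShell script that compares the loaded session against the account you expect and also looks for the trace that a failed profile load leaves behind, namely a temporary profile folder and a backup ProfileList key in the registry. The expected account name is a placeholder you must edit to your own MACHINE\account.

```powershell
# Added example, not from the forum post. Checks whether the Windows session that just
# logged in runs under the expected user profile or under a temporary one, which is
# what a "user-profile load failure" at startup produces.
# ASSUMPTION: $ExpectedUser is a placeholder; replace it with your own MACHINE\account
# exactly as 'whoami' prints it on a normal day.
$ExpectedUser = 'MYPC\daniel'

function Test-LoadedProfile {
    param([string]$Expected)

    $problems = @()

    # 1. The check from the thread: what does whoami echo back?
    $actual = (whoami).Trim()
    if ($actual -ne $Expected) {          # -ne compares case-insensitively in PowerShell
        $problems += "whoami returned '$actual' but '$Expected' was expected"
    }

    # 2. A temporary profile lives under C:\Users\TEMP (sometimes TEMP.<suffix>).
    $profilePath = $env:USERPROFILE
    if ((Split-Path $profilePath -Leaf) -match '^TEMP(\..+)?$') {
        $problems += "profile folder '$profilePath' is a temporary profile"
    }

    # 3. When the real profile fails to load, Windows keeps its ProfileList key
    #    as <SID>.bak and creates a fresh <SID> key for the temporary profile.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    if (Test-Path "$profileList\$sid.bak") {
        $problems += "registry key '$sid.bak' exists: the original profile failed to load"
    }

    # 4. Registered profile path versus the folder this session actually uses.
    $registered = (Get-ItemProperty -Path "$profileList\$sid" -ErrorAction SilentlyContinue).ProfileImagePath
    if ($registered -and ($registered -ne $profilePath)) {
        $problems += "ProfileList points to '$registered' but this session uses '$profilePath'"
    }

    [pscustomobject]@{
        User          = $actual
        ProfilePath   = $profilePath
        ProfileLoaded = ($problems.Count -eq 0)
        Problems      = $problems
    }
}

$result = Test-LoadedProfile -Expected $ExpectedUser
$result | Format-List
if (-not $result.ProfileLoaded) {
    Write-Warning 'Log off and log back in (or restart) before doing anything else in this session.'
}
```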

Hello Maurice, thanks a lot for your help!

16 hours ago, Maurice Naggar said:

That sounds very much like an occasion when Windows, on startup, failed to load into your normal / regular login account. You need to watch for that & be able to recognize that type of event. While normally a Windows welcome screen with some sort of graphic in the background happens on a new build of Windows, this may happen on a user-profile load failure!

In the latter event, you want to go to a Command prompt window and type in

whoami

and then see what the system echoes back on screen.  You will see the machine id\user-login-account name

IF it is not your profile, then do a Logoff  & log back in or else, do a hard Windows restart.

Noted, in case it happens again, I do that! I had encountered this failed-initialization error on a previous laptop and the more I was surprised that the desktop of the user-profile appeared and no further action was needed. Irritating that I didn’t check closely what it actually said.

16 hours ago, Maurice Naggar said:

Keep in mind, we here on the malware-removal-help section will help you check for malware.  Other things outside of that, we may need to point you elsewhere.

Sure! Fully aware. :) But as it was one of those non-standard events recently encountered, I thought it might actually be a hint towards malware screwing in the background.

16 hours ago, Maurice Naggar said:

Thanks for the FRST reports. Since this Windows is set to the German language & thus the FRST notations can appear in German, I would ask that you do me a small favor.

Locate the FRST64.exe  on the Downloads folder.  Do a right-click on FRST64.exe with your mouse.  Select RENAME.   rename it to FRSTENGLISH.exe  and tap Enter-key to make the change.  That will help me possibly later on, if we should need to re-use that tool.

Renamed! (Surely an interesting way to switch the language!)

16 hours ago, Maurice Naggar said:

Tell me, are you perhaps getting expert help on some other forum?  I see the file FSS.exe  was very recently downloaded.

Very well spotted! :) However, no, I consulted no one else. I read about FSS in a forum entry and thought it might be requested soon anyway. Have not executed the program so far.

17 hours ago, Maurice Naggar said:

I would like us to start with updating Malwarebytes for Windows. Start Malwarebytes. Click the Settings icon at the top. Look on the General tab. Find & click the button marked "Check for Updates". Report to me the results, please. Click on the About tab. Do you see on there "COMPONENT Package" 1.0.867?

Yes, package is version 1.0.867. When checking for updates about 20 minutes ago it was reported to be up-to-date. Just checked again and it performed an update. So up-to-date.

17 hours ago, Maurice Naggar said:

Let’s  please try to get and run a special  report  tool from Microsoft. 

It does not make changes. It will be just a report.

  • Please download Sysinternals Autoruns from here and save it to your desktop.
  • Note: you also need to do the following:
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK

Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...

In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:

  • Include empty locations
  • Hide Microsoft entries
  • Hide Windows entries

Verify that the following is checked, if it is unchecked, check it:

  • Verify code signatures

Everything done, except I need a single clarification regarding those options. In the version that I downloaded that first option is named “Hide empty locations” instead – so should that be checked or unchecked?

Thanks again for your help & till soon!

Daniel


Thank you for the report.

Below is a custom script to clean up unneeded & duplicate OneDrive entries. It will also run the Windows System File Checker & DISM.

Please Close and Save any open work you may have open.

Please close as many un-needed app-windows that you yourself may have open at this point.   So you can have a clear field of view.

 

This custom script is for  Lindenbyte    only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select Save link as and save it directly (as is) to the Downloads folder.

The tool named FRST64.exe   tool    is already on the Downloads folder

Start Windows Explorer and then go to the Downloads folder.

RIGHT-click on FRST64 and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click the line More info on that screen

and click button Run anyway on next screen.

 

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Fixlist.txt


Dear Maurice,

everything done as described (Farbar even updated itself automatically)!

The run of the fix took 11 minutes – thanks for the heads-up! A restart was not requested.

One note: when the FIXLOG opened after completion, I saw that – although Farbar’s language is English (due to the requested renaming) – the log contains various German sentences nonetheless – I assume those come from the language set in Windows itself. If it would still make sense I can turn the language of Windows to English as well – let me know.

With kind regards,

Daniel

Fixlog.txt


Hello, Daniel.   Thanks for the log report.   No, I would not ask you to change the language setting on Windows itself.

Overall, the custom fix run is a good one.

The run of the Windows DISM app succeeded in making a repair of the Windows system health.

 

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan
Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should UN-tick the offer for “periodic scanning”.
 


Hello Maurice!

On 4/11/2020 at 8:59 PM, Maurice Naggar said:

The run of the Windows DISM app succeeded in making a repair of the Windows system health.

Thanks a lot! Were traces of malware identifiable through the Farbar scan, or could what needed the repair point to “harmless” issues as well?

On 4/11/2020 at 8:59 PM, Maurice Naggar said:

I would suggest a free scan with the ESET Online Scanner

So I did everything as described. ESET scan took various hours and detected no malware.


Hello.

I am glad that ESET reported no malware / no P U P

The Windows DISM is not about malware. It is about the health and correctness of the health status of key aspects of Windows significant elements.

Probably now is a good point to go into Windows Settings and to do a Windows Check for Updates


Hello Maurice!

 

I am glad that ESET reported no malware / no P U P

Same here! :) Guess this week saw some thorough scanning taking place.

Really appreciating your support!

 

The Windows DISM is not about malware. It is about the health and correctness of the health status of key aspects of Windows significant elements.

So it sounds to me as if nothing extraordinary has to really take place to cause such issues for the Windows health status – rather an accumulation of smaller issues over time. Is there something to that assumption?

Btw, since a few weeks Photoshop reported an error with the “generator” application right after starting Photoshop… that problem actually disappeared after your fix!

 

 

Probably now is a good point to go into Windows Settings and to do a Windows Check for Updates

New cumulative (KB4549951) update and update of the Windows Defender definitions took place.

Nonetheless I’m still puzzled by the “log file” actually being reported by Malwarebytes as a Trojan and quarantined.

So does the circumstance that none of the scanners on VirusTotal reported anything point to a false-positive? (Yet I was not able to find such an issue reported on the forum yet.)

Or is it possible that the log file’s content (was) changed between the detection of MWB and the upload to VT? After all not even the MWB scanner on VT detected anything.

I hope not to bother with these questions!

Again, thanks for your efforts & have a great day!

Daniel

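On the question whether the log changed between the Malwarebytes detection and the VirusTotal upload: as an added example (not part of the thread), this PowerShell snippet hashes a local copy of the file and compares it with the SHA-256 embedded in the VirusTotal report URL quoted earlier in the thread. The file path is a placeholder; point it at a plain copy of the flagged log (for instance one restored from quarantine), not at the quarantine store itself.

```powershell
# Added example, not from the forum thread. Answers "was the file VirusTotal scanned the
# same file Malwarebytes flagged?" by comparing SHA-256 hashes: the VirusTotal file URL
# carries the SHA-256 of the uploaded sample, so a plain copy of the local file can be
# checked against it.
# ASSUMPTION: $LocalFile is a placeholder path; point it at a plain copy of the flagged log.
$VtReportUrl = 'https://www.virustotal.com/gui/file/04903c579e29d1352d77d545afeea52a0288e4af28877690871ed1470388f118/details'
$LocalFile   = Join-Path $env:LOCALAPPDATA 'Temp\NGLClient_AcrobatDC112.0.log'

function Get-VtSha256FromUrl {
    param([string]$Url)
    # The 64 hex characters after /file/ are the sample's SHA-256.
    if ($Url -match '/file/([0-9a-fA-F]{64})') { return $Matches[1].ToLowerInvariant() }
    throw "No SHA-256 found in VirusTotal URL: $Url"
}

function Compare-FileToVtReport {
    param([string]$Path, [string]$Url)
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $local = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $vt    = Get-VtSha256FromUrl -Url $Url
    $item  = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        File             = $Path
        LastWritten      = $item.LastWriteTime   # a log rewritten after detection shows a newer time
        LocalSha256      = $local
        VirusTotalSha256 = $vt
        SameContent      = ($local -eq $vt)
    }
}

$r = Compare-FileToVtReport -Path $LocalFile -Url $VtReportUrl
$r | Format-List
if ($r.SameContent) {
    'Identical content: the VirusTotal verdicts apply to exactly the file Malwarebytes flagged.'
} else {
    'Content differs: the file changed between detection and upload, so the VT result does not settle it.'
}
```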

Hello Daniel.

At the start of the case, you had described a number of different things.  It is hard to make any conclusion as to what caused what.

However, the situations where Windows cannot load the normal user profile can happen to anyone.  You just learn over time about how to know when that is the case.

 

At this point, let me suggest 2 things, just to do different checks on this system.

[   1   ]

SecurityCheck by glax24    

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.
Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
and save the tool on the desktop.
If Windows's SmartScreen blocks that with a message window, then
click on the MORE INFO spot and over-ride that and allow it to proceed.
This tool is safe.   Smartscreen is overly sensitive.
Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

[    2   ]

Do a Full scan with the Windows 10 antivirus  ......Windows Defender
navigate to the Virus & Threat protection section.

 

Look on the Windows search box on the Windows taskbar.  Type in

virus & threat protection

You should see a list display.  There is a link for " Virus & Threat protection".  Click on that.

Once you get there, note the "Scan Options" in blue.   Just need you to drill down into that to get to the option for FULL scan.


Click Scan options.


 

Then click on Full scan.   Have lots of patience.   Keep me advised on the result.    We can do more later.


The browser weirdness returned a quarter of an hour ago. Websites loading for easily 1–2 minutes without results (on different browsers) while other devices on the same network do just fine. Then suddenly a gust of content can rush in (not necessarily the full website though) and the waiting game repeats. What I noticed, however, was that in a longer time I had started the Spotify app (that I had installed around the time when these loading anomalies occurred for the first time) today. What caught my attention was that the Spotify app reports to be offline despite a spotless Internet connection at that time (I assumed the Farbar fix may have closed a certain door for the app here). Though that Spotify app is fully closed again and the described connection problem is still present.

If there’s any app to run in particular during these anomalies that can bring light into it, let me know!


The story continues. After my last post I shut down the PC, which was active just a bit too long (LEDs blinking on the tower, sounds, but blank screen) before the machine completely shut down. When booting it afterwards everything worked until the Windows loading screen only popping up shortly (the logo with the animated circle) and then it was staring for over 4 minutes on a black screen until I lost patience and cold booted it. Afterwards everything back to normal. Now the internet connection of this machine is working again without issues. (My apologies for the 4-part series.)


Thank you for the SecurityCheck report.  It looks to me like the Firefox browser is the default browser on this machine.

I am very happy to know that the Windows Defender scan was completed,  AND  that it found no virus / no malware.

 

Get & install the Malwarebytes Browser Guard  Firefox extension. 
Open this link in your Firefox browser:    
https://addons.mozilla.org/de/firefox/addon/malwarebytes/
Then proceed with the setup. 
That link is for German. There are other language versions. Just go to the very bottom right of the page and look at the “Change language” drop-down list.

 

From your very last note, I take it that after a new RESTART of Windows, it is doing normal.

The next time you have Firefox opened

press and hold SHIFT + CTRL + Delete keys on the keyboard to start the process to delete all browser cache & history.
.

The Chrome browser is apparently a little behind in updating.

Start Chrome.   Click the Settings icon.  Then click on Help.  Then click About Google Chrome.

Let it do a Update.   It should update to version 81.0.4

[   3   ]

Use Chrome browser   to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

[   4   ]

for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the line "Cached images and files"
and press Clear Data button  ( in blue )

[   5   ]

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session

Go into the settings menu of Chrome by first clicking the control icon of Chrome on the upper right of the address bar

Then look deeper in SETTINGS

Make real sure it is "NOT" set to "continue where you left off"

.

[   6   ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[   7   ]

I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

[   8    ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows, so you can see Adwcleaner.)

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the Scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks.  Keep me advised.   I do believe that at that point, this machine ought to be in real good state.    Especially, with the 2 Malwarebytes Browser Guards.


Dear Maurice,

I completed your full list!

I got the Malwarebytes Browser Guards both for Firefox and Chrome (updated Chrome, too) and did all clearings as advised!

On 4/18/2020 at 11:57 PM, Maurice Naggar said:

Use Chrome browser   to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

I use Chrome basically for a single service (project planning) and it turned out that it wasn’t even synced to my google account.

 

On 4/18/2020 at 11:57 PM, Maurice Naggar said:

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session

Go into the settings menu of Chrome by first clicking  the control icon of Chrome on upper right of the adress bar

Then look deeper in SETTINGS

Make real sure it is "NOT" set to "continue where you left off"

I think I found the specific setting [German equivalent seems “Zuletzt angesehene Seiten öffnen”]: one of 3 options that exclude each other. I had set it once to a specific starting page and thus the "continue where you left off" option was and is disabled.

Given your emphasis should I assume that this particular option makes for a security risk?

 

On 4/18/2020 at 11:57 PM, Maurice Naggar said:

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

I disabled the option on Chrome, Firefox, and on Edge. When I opened Edge (I use it very rarely) it advertised its latest version that I installed.

They moved the Notifications settings a bit in the new Edge installment, but it wasn’t that hard to find.

 

On 4/18/2020 at 11:57 PM, Maurice Naggar said:

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Done! The report is attached – funny enough it looks like the freshly installed (new) Edge browser dragged in the 4 entries that got detected!

Till soon & my apologies for the delay,

Daniel

AdwCleaner[C00].txt
