Jump to content

Can Mw-B dump my browser's cookies?


Recommended Posts

Hi All,

I've been having an issue the past couple weeks with FF v82 on Win7x64. Seems I have to log in to all my sites every day, like something on a timer is clearing my cookie data overnight. I've gone around with Mozilla's support forum and they have no answer other than "malware".  Is it even possible for Mw-B to do this? I'm pretty sure my box is clean as a whistle...

Russ

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler
  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler
 
 
 
 
Spoiler

 

 

01.png

02.png

03.png

04.png

05.png

06.png

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post
Share on other sites

6 minutes ago, RASelkirk said:

I've been having an issue the past couple weeks with FF v82 on Win7x64. Seems I have to log in to all my sites every day, like something on a timer is clearing my cookie data overnight. I've gone around with Mozilla's support forum and they have no answer other than "malware".  Is it even possible for Mw-B to do this? I'm pretty sure my box is clean as a whistle...

Please review: https://www.wilderssecurity.com/threads/getting-logged-out.433525/#post-2959139

Link to post
Share on other sites

Hello @RASelkirk   Please know that Malwarebytes for Windows does _nothing_ as far as web browser 'cookies'.   Cookies in any event are text-type files and by themselves do not / cannot cause a infection.   again, no, it does not delete cookies or do anything with them.

I would suggest checking all your Settings in Firefox.

Edited by Maurice Naggar
Link to post
Share on other sites

@RASelkirk   Look the Options on Firefox.

Select Options section >> drill down to Privacy & security.  scroll down a bit. Review the section 'Cookies and Site Data'

Look at the check-box status for the line 'Delete cookies and site data when Firefox is closed'.

For your needs, you want to un-tick that box.

FF_cook_site.thumb.jpg.b1ffa3b8064ca9268827ba39c71d5d7f.jpg

Link to post
Share on other sites

  • Root Admin

Hello @RASelkirk

 

Please open an elevated admin command prompt and type in or copy / paste the following. Then hit the Enter key.

In the notepad file that opens click on File, Save-As and save the file to your desktop or some other location you can find it and upload it as an attachment on your next reply.

TASKLIST /FO table /v > 0 && notepad 0 | ECHO >NUL  & DEL 0 

 

Then do the same thing for this one

SCHTASKS /Query /fo table /v > 0 && notepad 0 | ECHO >NUL  & DEL 0 

 

 

Then run the following for us as well and we'll take a closer look to see what we can find.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

 

Also, please take a look at the following topic

https://forums.malwarebytes.com/topic/263946-issues-creating-account-logging-in-or-posting/

 

 

 

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Hello @RASelkirk

A very highly likely candidate for ongoing clean up issues may be related to your use of CCleaner

Most Experts no longer recommend the use of CCleaner. It's your choice but I'd recommend you uninstall and use builtin tools where possible to achieve general computer maintenance.

You have a very old and compromised version of Java on the computer. This greatly increases your threat attack surface area. I would highly recommend you go to Control Panel, Programs, Programs and Features and uninstall

Java 8 Update 91

 

Are you 100% sure that your ZoneAlarm firewall is not somehow blocking one of the sites involved with using this site?

You have some Alternate Data Steams you should remove.

AlternateDataStreams: C:\ProgramData\TEMP:05E9FFE5 [122]
AlternateDataStreams: C:\ProgramData\TEMP:BC359956 [234]

 

Your computer Event Logs are showing the following error. Please see the fix below to correct it.

Application errors:
==================
Error: (10/31/2020 08:37:30 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/event-id-4107-or-event-id-11-is-logged

 

If you like I can write up some generic clean up and maintenance script to clean the computer and remove temporary files. Let me know.

 

 

 

Link to post
Share on other sites

I have not used CCleaner for many years, even though it was in "Programs & Features" it was only a marker. I went over all my drives and couldn't find a reference to it.

Removed the Java.

ZA firewall log shows many blocks on svchost.exe going to 192.168.1.12 (fire stick) and .10 (TV). Shouldn't be an issue?

ZA programs log shows Flashutil32_32_0_0_445.exe & sidebar.exe repeatedly trying (blocked) to call out. I uninstalled Flash and deleted it's parent folder.

Don't know about alternate streams, but the folder "C:\ProgramData\TEMP" was empty.

Followed your link to MS and followed the instructions.

Not sure what to expect from all this, but thanks for helping!

Russ

Link to post
Share on other sites

  • Root Admin

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

  • Root Admin

Looks like at least a few commands did not complete successfully but most of it did @RASelkirk

 

Please restart the computer one more time. Then run FRST again and click SCAN but make sure you also put a check mark on Additions.txt

You don't need to zip the files. You can attach them directly.

Thanks

 

 

Link to post
Share on other sites

  • Root Admin

The computer is still having the following error.

Application errors:
==================
Error: (11/01/2020 01:39:34 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
.

Please double-check the date and time on the computer and make sure it's accurate.

 

Link to post
Share on other sites

OK, went there and did what was asked and still got the same errors. The errors don't state a specific user (it's blank) so I'm wondering if it's either a hidden admin account or the guest account which has been turned off since day one? I know it says something about the date/time, but mine's always up-to-date.

Russ

Image 000.jpg

Addition.txt FRST.txt

Link to post
Share on other sites

  • Root Admin

No, its not from a hidden account.  The computer does not show any  signs of currently being infected at this point. There is just a lot of damage from ongoing issues you've probably had for a long time now.

One would need to probably do some extensive work on the computer to try and get it cleaned up but Windows 7 is also no longer supported by Microsoft.  I don't know your financial status but if you can possibly afford it you might want to consider purchasing a cheap SSD drive and install Windows 10 cleanly on it.

Are you purposefully encrypting your D volume drive? It looks like the system is having trouble reading the drive.

 

 

System errors:
=============
Error: (11/04/2020 07:48:12 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
BTATH_BUS

Error: (11/04/2020 07:47:59 AM) (Source: SNMP) (EventID: 1500) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.

Error: (11/04/2020 07:47:50 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The ASPI32 service failed to start due to the following error:
The system cannot find the file specified.

Error: (11/04/2020 07:47:12 AM) (Source: Microsoft-Windows-BitLocker-Driver) (EventID: 24620) (User: NT AUTHORITY)
Description: Encrypted volume check: Volume information on 😧 cannot be read.

Error: (11/04/2020 07:47:12 AM) (Source: Microsoft-Windows-BitLocker-Driver) (EventID: 24620) (User: NT AUTHORITY)
Description: Encrypted volume check: Volume information on \\?\Volume{c8187046-ebba-11e9-bb77-806e6f6e6963} cannot be read.

Error: (11/04/2020 07:47:07 AM) (Source: VBoxNetLwf) (EventID: 12) (User: )
Description: The driver detected an internal driver error on \Device\VBoxNetLwf.

Error: (11/04/2020 07:31:02 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

Error: (11/04/2020 07:31:02 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

 

Link to post
Share on other sites

LOL, I've had this "flavor" of Win7 for many years, I keep migrating the image to different machines so it's got a lot of "baggage" from previous installs. It would be nice to be able to remove all drivers, reg entries, files, etc for the cr@p I've had installed and since abandoned. No on the encryption, I had bit-locker for awhile before undoing it. And "D" partition runs just fine. I just love Win7 and absolutely hate v10. My next box will likely have Win10 and being 67, I'll migrate this Win7 to a VM and run it for the time I have left.

The only noticeable issue is boot time, it takes around 2 minutes. For instance, I just changed printers and still have a bunch of HP drivers that load. Multiply that x's 10 and it does boot slow!

Appreciate all you've done!

Russ

Link to post
Share on other sites

  • Root Admin

I mean you can still install a clean installation of Windows 7 and get it fully updated today, not sure how much longer but still possible today.

Then only install the software you really want to use on it. Then you'd still have a much cleaner, faster system. Then if it's all clean and working well you could image the drive and continue using it for many years possibly

 

Link to post
Share on other sites

  • 2 months later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.