RASelkirk Posted October 30, 2020 ID:1417456 Share Posted October 30, 2020 Hi All, I've been having an issue the past couple weeks with FF v82 on Win7x64. Seems I have to log in to all my sites every day, like something on a timer is clearing my cookie data overnight. I've gone around with Mozilla's support forum and they have no answer other than "malware". Is it even possible for Mw-B to do this? I'm pretty sure my box is clean as a whistle... Russ Link to post Share on other sites More sharing options...
Staff Malwarebytes Posted October 30, 2020 Staff ID:1417457 Share Posted October 30, 2020 ***This is an automated reply*** Hi, Thanks for posting in the Malwarebytes for Windows Help forum. If you are having technical issues with our Windows product, please do the following: Malwarebytes Support Tool - Advanced Options This feature is designed for the following reasons: For use when you are on the forums and need to provide logs for assistance For use when you don't need or want to create a ticket with Malwarebytes For use when you want to perform local troubleshooting on your own How to use the Advanced Options: Spoiler Download Malwarebytes Support Tool Double-click mb-support-X.X.X.XXXX.exe to run the program You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent. Place a checkmark next to Accept License Agreement and click Next Navigate to the Advanced tab The Advanced menu page contains four categories: Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand. Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot. Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent. Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program. To provide logs for review click the Gather Logs button Upon completion, click OK A file named mbst-grab-results.zip will be saved to your Desktop Please attach the file in your next reply. To uninstall all Malwarebytes Products, click the Clean button. Click the Yes button to proceed. Save all your work and click OK when you are ready to reboot. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows. Select Yes to install Malwarebytes. Malwarebytes for Windows will open once the installation completes successfully. Screenshots: Spoiler Spoiler If you are having licensing issues, please do the following: Spoiler For any of these issues: Renewals Refunds (including double billing) Cancellations Update Billing Info Multiple Transactions Consumer Purchases Transaction Receipt Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help If you need help looking up your license details, please head here: Find my premium license key Thanks in advance for your patience. -The Malwarebytes Forum Team Link to post Share on other sites More sharing options...
bjm Posted October 30, 2020 ID:1417458 Share Posted October 30, 2020 6 minutes ago, RASelkirk said: I've been having an issue the past couple weeks with FF v82 on Win7x64. Seems I have to log in to all my sites every day, like something on a timer is clearing my cookie data overnight. I've gone around with Mozilla's support forum and they have no answer other than "malware". Is it even possible for Mw-B to do this? I'm pretty sure my box is clean as a whistle... Please review: https://www.wilderssecurity.com/threads/getting-logged-out.433525/#post-2959139 Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 30, 2020 ID:1417462 Share Posted October 30, 2020 (edited) Hello @RASelkirk Please know that Malwarebytes for Windows does _nothing_ as far as web browser 'cookies'. Cookies in any event are text-type files and by themselves do not / cannot cause a infection. again, no, it does not delete cookies or do anything with them. I would suggest checking all your Settings in Firefox. Edited October 30, 2020 by Maurice Naggar Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 30, 2020 ID:1417470 Share Posted October 30, 2020 @RASelkirk Look the Options on Firefox. Select Options section >> drill down to Privacy & security. scroll down a bit. Review the section 'Cookies and Site Data' Look at the check-box status for the line 'Delete cookies and site data when Firefox is closed'. For your needs, you want to un-tick that box. Link to post Share on other sites More sharing options...
RASelkirk Posted October 30, 2020 Author ID:1417487 Share Posted October 30, 2020 I've been all over the privacy/security settings with the Mozilla gurus with no joy so I'm gonna try what bjm posted first. Whatever it is, it seems to be happening overnight without user interaction. Pretty much just wanted to verify Mw-B wasn't the culprit... Thanks! Russ Link to post Share on other sites More sharing options...
exile360 Posted October 31, 2020 ID:1417523 Share Posted October 31, 2020 If you use any sort of temp/junk cleaning tool like CCleaner it's possible that it has a scheduled task that is automatically deleting your Firefox cookies/cache data. I'd suggest you check your scheduled tasks to see if such a program is scheduled to run regularly. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 31, 2020 Root Admin ID:1417541 Share Posted October 31, 2020 Hello @RASelkirk Please open an elevated admin command prompt and type in or copy / paste the following. Then hit the Enter key. In the notepad file that opens click on File, Save-As and save the file to your desktop or some other location you can find it and upload it as an attachment on your next reply. TASKLIST /FO table /v > 0 && notepad 0 | ECHO >NUL & DEL 0 Then do the same thing for this one SCHTASKS /Query /fo table /v > 0 && notepad 0 | ECHO >NUL & DEL 0 Then run the following for us as well and we'll take a closer look to see what we can find. Please download Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit Double-click to run it. When the tool opens click Yes to disclaimer. Press the Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply. The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well. Also, please take a look at the following topic https://forums.malwarebytes.com/topic/263946-issues-creating-account-logging-in-or-posting/ Thank you Link to post Share on other sites More sharing options...
RASelkirk Posted October 31, 2020 Author ID:1417646 Share Posted October 31, 2020 OK, the files in a zip. Hope something pops out, 'cause this started not long after moving from my favorite old FF56.0 to the "latest and greatest". I do have a portable FF v56 installed on a different drive as a backup but have seldom used it. Russ Farber Recovery Tool.7z Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 31, 2020 Root Admin ID:1417696 Share Posted October 31, 2020 Hello @RASelkirk A very highly likely candidate for ongoing clean up issues may be related to your use of CCleaner Most Experts no longer recommend the use of CCleaner. It's your choice but I'd recommend you uninstall and use builtin tools where possible to achieve general computer maintenance. You have a very old and compromised version of Java on the computer. This greatly increases your threat attack surface area. I would highly recommend you go to Control Panel, Programs, Programs and Features and uninstall Java 8 Update 91 Are you 100% sure that your ZoneAlarm firewall is not somehow blocking one of the sites involved with using this site? You have some Alternate Data Steams you should remove. AlternateDataStreams: C:\ProgramData\TEMP:05E9FFE5 [122] AlternateDataStreams: C:\ProgramData\TEMP:BC359956 [234] Your computer Event Logs are showing the following error. Please see the fix below to correct it. Application errors: ================== Error: (10/31/2020 08:37:30 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: ) Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. . https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/event-id-4107-or-event-id-11-is-logged If you like I can write up some generic clean up and maintenance script to clean the computer and remove temporary files. Let me know. Link to post Share on other sites More sharing options...
RASelkirk Posted October 31, 2020 Author ID:1417708 Share Posted October 31, 2020 I have not used CCleaner for many years, even though it was in "Programs & Features" it was only a marker. I went over all my drives and couldn't find a reference to it. Removed the Java. ZA firewall log shows many blocks on svchost.exe going to 192.168.1.12 (fire stick) and .10 (TV). Shouldn't be an issue? ZA programs log shows Flashutil32_32_0_0_445.exe & sidebar.exe repeatedly trying (blocked) to call out. I uninstalled Flash and deleted it's parent folder. Don't know about alternate streams, but the folder "C:\ProgramData\TEMP" was empty. Followed your link to MS and followed the instructions. Not sure what to expect from all this, but thanks for helping! Russ Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 31, 2020 Root Admin ID:1417711 Share Posted October 31, 2020 Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work. Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more. NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. fixlist.txt Thanks Link to post Share on other sites More sharing options...
RASelkirk Posted November 1, 2020 Author ID:1417776 Share Posted November 1, 2020 Wow, that dumped a ton of useless (I hope!) junk files. My box rebooted and all looks normal, so thanks for the cleanup! Thought you might like to see what-all got dumped. Russ Fixlog.7z Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 1, 2020 Root Admin ID:1417788 Share Posted November 1, 2020 Looks like at least a few commands did not complete successfully but most of it did @RASelkirk Please restart the computer one more time. Then run FRST again and click SCAN but make sure you also put a check mark on Additions.txt You don't need to zip the files. You can attach them directly. Thanks Link to post Share on other sites More sharing options...
RASelkirk Posted November 1, 2020 Author ID:1417802 Share Posted November 1, 2020 Ok, here they are. Seems like a lot less clutter... Russ FRST.txt Addition.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 2, 2020 Root Admin ID:1417847 Share Posted November 2, 2020 The computer is still having the following error. Application errors: ================== Error: (11/01/2020 01:39:34 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: ) Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. . Please double-check the date and time on the computer and make sure it's accurate. Link to post Share on other sites More sharing options...
RASelkirk Posted November 2, 2020 Author ID:1417937 Share Posted November 2, 2020 Date/time is accurate. I pasted that link and was able to DL the file directly, it contains a single file "authroot.stl". Can that be dragged or otherwise imported? Or is Farbar saying there's something corrupt in either the file or my system? Russ Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 2, 2020 Root Admin ID:1418076 Share Posted November 2, 2020 No, there is another cause for the error. Please follow the directions from this web page on how to try and correct the issue Russ. https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/event-id-4107-or-event-id-11-is-logged Thanks Link to post Share on other sites More sharing options...
RASelkirk Posted November 4, 2020 Author ID:1418415 Share Posted November 4, 2020 OK, went there and did what was asked and still got the same errors. The errors don't state a specific user (it's blank) so I'm wondering if it's either a hidden admin account or the guest account which has been turned off since day one? I know it says something about the date/time, but mine's always up-to-date. Russ Addition.txt FRST.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 4, 2020 Root Admin ID:1418457 Share Posted November 4, 2020 No, its not from a hidden account. The computer does not show any signs of currently being infected at this point. There is just a lot of damage from ongoing issues you've probably had for a long time now. One would need to probably do some extensive work on the computer to try and get it cleaned up but Windows 7 is also no longer supported by Microsoft. I don't know your financial status but if you can possibly afford it you might want to consider purchasing a cheap SSD drive and install Windows 10 cleanly on it. Are you purposefully encrypting your D volume drive? It looks like the system is having trouble reading the drive. System errors: ============= Error: (11/04/2020 07:48:12 AM) (Source: Service Control Manager) (EventID: 7026) (User: ) Description: The following boot-start or system-start driver(s) failed to load: BTATH_BUS Error: (11/04/2020 07:47:59 AM) (Source: SNMP) (EventID: 1500) (User: ) Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration. Error: (11/04/2020 07:47:50 AM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: The ASPI32 service failed to start due to the following error: The system cannot find the file specified. Error: (11/04/2020 07:47:12 AM) (Source: Microsoft-Windows-BitLocker-Driver) (EventID: 24620) (User: NT AUTHORITY) Description: Encrypted volume check: Volume information on 😧 cannot be read. Error: (11/04/2020 07:47:12 AM) (Source: Microsoft-Windows-BitLocker-Driver) (EventID: 24620) (User: NT AUTHORITY) Description: Encrypted volume check: Volume information on \\?\Volume{c8187046-ebba-11e9-bb77-806e6f6e6963} cannot be read. Error: (11/04/2020 07:47:07 AM) (Source: VBoxNetLwf) (EventID: 12) (User: ) Description: The driver detected an internal driver error on \Device\VBoxNetLwf. Error: (11/04/2020 07:31:02 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY) Description: The following fatal alert was received: 70. Error: (11/04/2020 07:31:02 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY) Description: The following fatal alert was received: 70. Link to post Share on other sites More sharing options...
RASelkirk Posted November 4, 2020 Author ID:1418465 Share Posted November 4, 2020 LOL, I've had this "flavor" of Win7 for many years, I keep migrating the image to different machines so it's got a lot of "baggage" from previous installs. It would be nice to be able to remove all drivers, reg entries, files, etc for the cr@p I've had installed and since abandoned. No on the encryption, I had bit-locker for awhile before undoing it. And "D" partition runs just fine. I just love Win7 and absolutely hate v10. My next box will likely have Win10 and being 67, I'll migrate this Win7 to a VM and run it for the time I have left. The only noticeable issue is boot time, it takes around 2 minutes. For instance, I just changed printers and still have a bunch of HP drivers that load. Multiply that x's 10 and it does boot slow! Appreciate all you've done! Russ Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted November 4, 2020 Root Admin ID:1418484 Share Posted November 4, 2020 I mean you can still install a clean installation of Windows 7 and get it fully updated today, not sure how much longer but still possible today. Then only install the software you really want to use on it. Then you'd still have a much cleaner, faster system. Then if it's all clean and working well you could image the drive and continue using it for many years possibly Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 13, 2021 Root Admin ID:1432003 Share Posted January 13, 2021 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts