
Windows system apps crashing, mouse clicks odd, but virus scans clean



Windows 10 machine, v1909 b18363, v2004 not available to me yet. Laptop only about 6 months old.

Ever since this weekend I have been unable to use a broad range of Windows functions, although others are fine. Things like the Windows icon to the Start menu and search bars are inoperative. I can see things trying to kick off in Process Explorer (like searchUI.exe), but then it closes within a second. Even Calculator will run then crash, same with the software to link to my cell phone. Windows Defender, firewall all inoperative. Malwarebytes still runs OK, scans come back clean. Microsoft Office works fine, Explorer is fine. But weird mouse click behavior on Windows apps only. Things like right click on the Windows icon brings up normal right click options, but left click does nothing, so I can't see my Start menu. Conversely, on apps that are on the task bar and running, left click works, but right click doesn't. Control Panel works fine, appwiz.cpl, services.msc, eventvwr all work. Event Viewer just shows lots of programs terminating (see attached). SFC /scannow shows no problem.

I may have screwed it up by running old software - the timing with my issue is about the same. It was a version of Corel Draw X3, circa 2007, which scans perfectly fine by Malwarebytes and other virus checkers, but once installed it put in a version of "InstallShield" along with an "agent.exe" program that seemed to write itself all over the place in the registry, including running from startup the c:\Program files(86)\common files directory, vs a more legitimate more official location. I thought it looked pretty suspicious, and removed it and Corel from the machine, but to no avail. All sorts of checks on the web for resetting these apps with a PowerShell script didn't work. Also, a new profile account didn't work.

Checked looking for rootkit viruses in safe mode, nothing. HijackThis looks OK after removing the startup functions. Multiple scans by Malwarebytes come up clean.

There do seem to be other people with this kind of weird Windows behavior from around 2015, but most suggest removing updates (didn't help), nor does it seem that people are blaming a virus...but it just feels so bizarre to lose about a good chunk of Windows functionality, and everything else be OK. Especially the crashing apps part.

Before I try to go back to a full reset, I really would like to figure out what happened, and I wonder if there's any way a really old program could break Windows by itself just being old, or is there still some kind of virus that I'm dealing with. If it was a really old virus, it's not like current virus software wouldn't still detect it, right? Any insights would be appreciated.

SS 11-29-20 at 12.49 AM.jpg

SS 11-29-20 at 12.49 AM 001.jpg

Link to post
Share on other sites

  • Root Admin

Hello @jspencer

Let's go ahead and scan the system and get some logs to see what we can find going on.

 

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.


When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download


STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks

Link to post
Share on other sites

Again, strange that Windows apps will not run, but almost everything else, and likewise the right click/left click failures on the taskbar, without showing any diagnostic that detects the problem. I'm pretty savvy to most things Windows (more than 30 yrs experience as a computer consultant), I have never seen anything like this.

I can do a reset of Windows probably, but I would much rather at least find some forensics for what is going on.

Link to post
Share on other sites

  • Root Admin

Please open an elevated admin command prompt. Click on Start and type in CMD.EXE and when it shows right-click and select "Run as administrator" then copy/paste the following.

SFC /SCANNOW 

Then run the following once that completes. (mark down or screen capture what SFC reports)

DISM.exe /Online /Cleanup-Image /ScanHealth 

Post back what DISM says as well

Thanks

 

Link to post
Share on other sites

Hi, thanks, I did do that more than a few times, no problems found for both of them.

But here is another strange thing - I couldn't even run cmd from the Run menu (from right clicking the Windows icon, again, left click does nothing). It said program not found, same with others like mspaint.exe. So I checked my environment variables, and c:\windows\system32 was in the path like it's supposed to be. Ran that directly from navigating to it from Windows Explorer, and once the window opened, the pathing seemed to be fixed.

I know at this point it's probably a reinstall, but is there any clue as to what could cause this behavior?

Link to post
Share on other sites

Thanks, no, I tried that already and that doesn't work either, new profile behaves just as the existing one (both are admin as well).

Can you imagine some sort of virus that would crash Windows system apps, but not others? It just seems so strange that all this weird behavior happens without any diagnostic showing that there is even a problem.

 

Link to post
Share on other sites

  • Root Admin

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

PC Winvids - How to run Kaspersky TDSSKiller

If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.

Thank you

 

 

 

Link to post
Share on other sites

  • Root Admin

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures and Check VirusTotal.com and Submit Unknown Images
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply

 


 

Thanks

 

Link to post
Share on other sites

Hi, thanks again for continuing to find other ways to scan the system. Attached is my TMC1.arn file after a full scan as directed. I noticed the Protexis licensing service running from the program files(86)/common files directory. As per search, this is related to the Corel Draw program I tried to install, so it makes sense it is there (along with a 2006 datestamp on the file). The original installshield directory was renamed to XXX_installshield_XXX, so any of those programs are not running (see registry entries that are still calling for them). Also, to be clear, I did try and run a keygen crack on the Corel installation, which does scan as a Riskware.tool.CK program by Malwarebytes, so it clearly could be a source, but there's no indication on how to fix any resulting problem if we can't detect them. I mean, if it was doing anything active, it would show up in scans, or if it broke some Windows file, then SFC or DISM should have been able to detect/fix?

TMC1.zip

Link to post
Share on other sites

Hi, I have had Malwarebytes installed since I first got the computer, thanks, have used it for many years. Which is why I thought I was OK after scanning the download. It's possible it's not malware, but just a screwup on the InstallShield program that kept Corel Draw updated, but because it was circa 2007 it messed with Windows Update. On different forums, people seemed to have similar problems with Windows apps not working that have symptoms like mine, but there wasn't any real solution other than reinstall/reset Windows. Nothing like chasing red herrings.

(I have tried the different re-register apps procedures, like the PowerShell Get-AppxPackage -allusers | foreach {Add-AppxPackage -register "$($_.InstallLocation)\appxmanifest.xml" -DisableDevelopmentMode} routine.)

I guess resetting Windows is my next move, since it doesn't appear that there is any virus on the system, thanks for helping to confirm that. I always look for the actual fix vs the resetting from scratch, and figured Windows 10 would have known how to heal itself using the SFC and DISM routines, but I guess we are still not there yet. What is really weird is how almost everything still functions OK, except for basic Windows apps like calc or search, or the Start menu, or the right click on task bar items...I've never seen anything like it. I have been able to still work on the computer just fine, figuring out different workarounds (even using the cmd line search to find files!)

BTW, Windows Update reports that it is still waiting to update to v2004, which apparently is not supported using my computer's hardware (it's a new Dell Inspiron 7791).

I will try a few more things before resetting, but if I have to do that, I will let you know what happens. Thanks again for your support.

Link to post
Share on other sites

  • Root Admin

Each of your issues, as you've explained and know, are well-known problems.

Broken Search can affect all of that, or them. We could try a few other fixes if you like, but no guarantee they'd help either.

Select Start  > Settings  > Update & Security   > Troubleshoot.

Then run the one for Search and Indexing

See if that finds and fixes any issues.

Obviously you could run others if wanted too.

How to Reset & Rebuild Windows Search Index Completely
https://www.winhelponline.com/blog/reset-rebuild-windows-search-index-fix-problems/

Windows 10 Search Is Broken and Shows Blank Results, How to Fix
https://www.bleepingcomputer.com/news/microsoft/windows-10-search-is-broken-and-shows-blank-results-how-to-fix/

 

Also look at running this one

Fix problems that block programs from being installed or removed
https://support.microsoft.com/en-us/help/17588/windows-fix-problems-that-block-programs-being-installed-or-removed

 

Link to post
Share on other sites

  • Root Admin

You can also download the latest version of our MBST support tool and also reset some of the basic core features of Windows.

Open the MBST tool and click on the Advanced menu on the left side.

Then under the Repair System panel place a check mark in all 4 boxes. Then click the Repair System button and let it run and restart your computer and see how things run at this point.


Link to post
Share on other sites

Hi, 

Thanks again for your continued support. Windows troubleshooter found no issues with search. The service itself runs OK, there was a 900 MB edb file that had recent timestamps on it. I set the reset flag in the registry, and restarting the indexer is now creating a clean index slowly. I did the disablebingsearch test, am rebooting now to see. After that, will run the MBST tool.

I did notice that FRST.exe popped up as one of the installation files when I ran the MBST install, will be interesting to see if that runs OK under the MBST program. As far as I tried before, it would not run at all on my machine.

Booting now...

Link to post
Share on other sites

So ran everything, no problems found. The FRSTEnglish.exe that downloaded with the MBST program did actually run on the machine, attached are the log files. I noticed in the Addition.txt that there was a block on a strange looking EXE file in the temp folder: Controlled Folder Access blocked C:\Users\jwalt\AppData\Local\Temp\{EE61B842-065E-46D1-A896-01D79931C510}\{64D4E1DA-8D7D-4209-92BF-D26453A19570}.exe from making changes to memory. When I tried to open the folder in Explorer, it wouldn't let me in, even with admin rights and taking ownership. But the cmd line did allow it, but there was nothing there. I deleted all the files in the temp folder, including this odd one, am rebooting now.

 

Link to post
Share on other sites

(Dupe w/ attachments) So ran MBST and rebooted, no problems found. Then ran FRSTEnglish.exe that downloaded with the MBST program, and it did actually run on the machine, attached are the log files. I noticed in the Addition.txt that there was a block on a strange looking EXE file in the temp folder: Controlled Folder Access blocked C:\Users\jwalt\AppData\Local\Temp\{EE61B842-065E-46D1-A896-01D79931C510}\{64D4E1DA-8D7D-4209-92BF-D26453A19570}.exe from making changes to memory. When I tried to open the folder in Explorer, it wouldn't let me in, even with admin rights and taking ownership. But the cmd line did allow it, but there was nothing there. I deleted all the files in the temp folder, including this odd one, am rebooting now.

 

 

Addition.txt FRST.txt

Link to post
Share on other sites

  • Root Admin

Did you change this to Microsoft Process Explorer?

IFEO\taskmgr.exe: [Debugger] "C:\WINDOWS\SYSTEM32\PROCEXP.EXE"

 

Not sure if this affects your system or if it is an issue, but it is running on your system

https://www.dell.com/community/Networking-Internet-Bluetooth/Beware-of-SmartByte/td-p/6130892

 

 

But, no smoking gun to account for what you're experiencing.

 

Perhaps if we pick some app that's not working and see if we can track that down and see why it's not working.

What specific application that is normally installed on Windows is not currently working?

 

Link to post
Share on other sites
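The `IFEO\taskmgr.exe: [Debugger]` line quoted from the FRST log above is an Image File Execution Options redirection: Windows starts the named debugger in place of the target executable. The following is an added example, not part of the original thread, that lists every such redirection on a live system together with the debugger file's Authenticode status; the helper name `Get-DebuggerPath` and the output column names are chosen here for illustration.

```powershell
# Added example: enumerate Image File Execution Options (IFEO) "Debugger"
# values, the mechanism behind the FRST line
#   IFEO\taskmgr.exe: [Debugger] "C:\WINDOWS\SYSTEM32\PROCEXP.EXE"
# Run from an elevated PowerShell prompt. Read-only: nothing is modified.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Hypothetical helper: reduce a Debugger command line to the executable path.
function Get-DebuggerPath {
    param([string]$CommandLine)
    # The value may be quoted, carry arguments, or use %VARIABLES%.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"')           { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)(\s|$)')    { return $Matches[1] }
    return $expanded
}

$results = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $debugger = $key.GetValue('Debugger')
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

        # A bare file name (no directory) will report FileExists = False here;
        # treat that as "needs a manual look", not as proof the file is absent.
        $path   = Get-DebuggerPath -CommandLine $debugger
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

        [pscustomobject]@{
            Target          = $key.PSChildName      # executable being redirected
            Debugger        = $debugger             # what runs instead
            FileExists      = $exists
            SignatureStatus = if ($sig) { $sig.Status } else { 'n/a' }
            Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            View            = if ($root -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
        }
    }
}

$results | Sort-Object Target | Format-Table -AutoSize -Wrap
```

An entry is expected only where someone deliberately set it, as with the Process Explorer question above; any other target with a Debugger value, or a debugger file that is unsigned or missing, is worth checking by hand.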

Thanks, my thoughts exactly, find a simple program that's not working, like calc.exe. The behavior in Process Explorer is the same as for the other Windows apps, like SearchUI and Phone...basically it starts up (green), but the werfault.exe is already in play, and then a second or so later, it all turns red and disappears. So it's like there's something in the hosting svchost.exe process that is not allowing it to start? But clearly, that same process is running other apps, and the whole thing has lots more instances it can keep tapping.

Considering that so much else is running fine, one would think there is a magic bullet solution to this, no?

Re SmartByte, I gather that can cause issues around connectivity, but I didn't see any issues relating to apps crashing. My speed is OK, I am on a cell phone hotspot, which maybe is the target they made that program for.

calc.exe fail.jpg

Link to post
Share on other sites

  • Root Admin

Please download Process Monitor and save it to your computer.

Make sure you close down as many applications and processes as you can.

Then open Process Monitor and then run Calculator and once it's done stop the monitoring and save the file.

You may need to do it a couple times to make sure you're used to using the program. Then zip the saved file and attach in your next reply

 

Link to post
Share on other sites

  • Root Admin

Please type in RELIABILITY into the Start area and then run the program.


Then locate the issue today and highlight it and it should show what it believes was involved in the crash.

Then on the bottom left click and save the file, then zip it and attach please.

 

Link to post
Share on other sites
