weird program on task manager startup

[Protos97]

Hi I logged into my computer and noticed that there was this strange app in my start up menu in task manager.  It will not allow me to select properties on program and the only thing it allows me to do is right click and "search online."

This is a new machine and I have not installed anything suspicious.   Any thoughts on what may be wrong? 

[Maurice Naggar]

Hello.  

My name is Maurice. I will be helping and guiding you, going forward on this case.

I can help you here in case there is a actual malware infection.  I determine that with the help of known and trusted security applications.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 
Please only just attach   all report files, etc  that I ask for as we go along.  I

If you will be away for more than 4 consecutive days,  do try to let me know ahead of time, as much as possible.
 

I would appreciate  getting  additional / fuller  important details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.80.848.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

Please know I help here as a volunteer.  and that I am not on 24 x 7.
Help on this forum is one to one. 

Sincerely,

Maurice

[Protos97]

Thank you for addressing my forum post Maurice.

I followed your steps and attached the zip file to my reply.

mbst-grab-results.zip

[Maurice Naggar]

Thanks for the report file.  I do notice that the last scan with Malwarebytes for Windows was today & it reported no malware.

The other diagnostic reports do not show a obvious infection;  nor a odd process.  We can do a set of scans to further check the system.

I do notice that the Windows 10 operating system version is from the fall of 2019.  Which makes it like 2 versions behind.   More on that later.

I do notice that the Windows 10 Microsoft Defender antivirus is off.  We should enable it so that it is enabled.

The Premium ( or trial ) protections of Malwarebytes will still be on.

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center 

Click the Security Tab. Scroll down to 

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

Close Malwarebytes when done.

.

Now to run a new scan with Windows Defender

go to Start  > Settings  icon > Update & Security  >    select  at the left  Windows Security >  then  Virus & threat protection

Click Open Windows Security

when you see 'Security at a glance'   click on Virus & threat protection

Click Quick Scan

Let me know what the result is.

[Protos97]

So there are quite a bit of steps here. 

I opened malwarebytes and found "Always register Malwarebytes in the Windows Security Center"

Do you want me to uncheck the blue button as seen here?

What does unchecking this button do with windows defended?

[Protos97]

I followed the steps above and ran windows defender's quick scan and received the following results 

[Maurice Naggar]

Quote

Do you want me to uncheck the blue button as seen here?

What does unchecking this button do with windows defended?

Yes.  That action has the effect of allowing Microsoft Windows Defender antivirus to do real-time monitoring.  As I said in prior notes, the Malwarebytes Premium protections still continue to be on and active.  And I am glad to see that the scan with Defender antivirus has found no threats.

.

Now a scan using another security-antivirus-scanner.

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
Press Continue when all done.  You should click to off the offer for “periodic scanning”.

Please attach the log from this scan with your next reply.

 

Edited December 24, 2020 by Maurice Naggar

[Protos97]

Hi Maurice!

I finished scanning my computer with the full scan and saved the log to my desktop top the log twice, but for some reason the log was not saved anywhere on my computer. 

I restarted the scan as a quick scan the second time and once again it said "we didn't detect any viruses"

When I press save it gives me the choice to save the file but it doesn't save anywhere on my computer.  See screenshots below.

I named my full scan logs "try again.txt" and it shows up under my windows explorer's search but has nothing in the short cut

I opened windows explorer to search for the log file and it gave me these results and these error pop ups.

The program did say that it did not detect anything though, so there is that.

It seems that this virus scanner does let save logs.  
Any suggestions?

 

[Maurice Naggar]

The ESET Onlinescanner is able to save the log, though it is something you have to select.  But the important thing is, it said it found no vius.

That is what counts.  Lets put that tool aside.  I do not believe that there is some "infection" here.  But rather you are looking at some oddity on the behavior of Task Manager when you look at the tab for "Startup".   As just one example, you may read this post at Tenforums https://www.tenforums.com/general-support/144443-task-manager-startup-shows-application-not-measured.html

That is just one sample.  If one looks some more, one can find other similar posts at the Microsoft Answers forum  ( many from years ago).

You may if you wish look into reducing what gets auto-started at each Windows startup session.  That is, to do what is commonly called a "clean boot startup".

Just do not disable any Windows Microsoft services !

How to perform a clean boot in Windows
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

 

[Protos97]

Thanks Maurice and Merry Christmas!

I will do further research on the links you shared.  Can you keep the forum post active in case I have any questions in searching for a solution online?

There is one more thing.  A new process showed up today in the set up menu after following your steps concerning Windows Defender.

[Maurice Naggar]

Good morning.

To answer your first question, Yes this topic will stay open.  More important, one notices that this last screen grab from Task Manager is more complete, than the original one that was at the top,  The column on the far right "Command line" is most informative.   This one shows the line with the "Program"  to be from Microsoft Teams,  That is not a malware.  It is a Microsoft app.  ( We can do away with that entry later on.).

As to "MASCuiL" that is something that depends on the Version of Windows 10  and is possibly just taskbar-notification related.  Although it is not present on the latest Versions of Windows.  { Your Windows is build 1909, which as I noted before, is like 2 builds behind.)

Lets do two things.  Do one new scan with Malwarebytes for Windows and then do a fresh collection of reports from the Support tool.

[    1     ]

In Malwarebytes for Windows program, we want to do a special scan.
Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.
Then click the Security tab.   

Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON        👈
Click it to get it ON  if it does not show a blue-color
.

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.
 

Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.
You can actually click  ( tick )   the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).    👈

🔻

 

 

Then click on Quarantine selected.

 

( Do not fret if the Malwarebytes scan finds nothing malware-wise.)

 

[    2     ]   After the scan has finished, lets do a new Gather logs procedure.  Using Windows File Explorer go to your Downloads folder.

Locate mb-support-1.80.848.exe

Do a RIGHT-click mb-support-1.80.848.exe  & select "Run as Administrator" on it to start the report collection tool

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

We will do other procedures later.  ( Do not fret if the Malwarebytes scan finds nothing malware-wise.)

[Protos97]

Thanks for the help.  I did as you directed and took a screen shot of my scan in Malwarebytes

 

Also here is the log file that I did after the scan.

mbst-grab-results.zip

 

How soon can I update my computer after these steps?

[Maurice Naggar]

Thank you.   Lets do this next.

Let’s  please try to get and run a special  report  tool from Microsoft. 

It does not make changes. It will be just a report.

 

• Please download Sysinternals Autoruns from here and save it to your desktop.
• Note: you also need to do the following:
• Right-click on Autoruns.exe and select Properties
• Click on the Compatibility tab
• Under Privilege Level check the box next to Run this program as an administrator
• Click on Apply then click OK

Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...

In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:

• Include empty locations
• Hide Microsoft entries
• Hide Windows entries

Verify that the following is checked, if it is unchecked, check it:

• Verify code signatures

Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.

Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

 

Thank you.

 

[Protos97]

This is weird.  I downloaded autorun and followed the process you outlined above and I get the same glitch when I used the software ESET Online Scanner.  The program will not save the outcome to share the logs or show up anywhere on my desktop, documents, and windows explorer.

They only show my saves when I am saving the file, but that is all.

Any thoughts on what is wrong.

Please see video and screenshots below.

 

[Protos97]

Also I noticed two more apps in my startup menu.  It seems that these are being added without my consent.  I understand skype is part of microsoft but what is YourPhone.EXE?

Any thoughts on any of these new processes?

[Maurice Naggar]

Good morning.  I do regret that you had issues saving the output from Autoruns.  Maybe just perhaps you are overthinking it all?  Anyhow the Autoruns report is not a must have.

I think we need to re-group & refocus our overall efforts as to this case.  There is no malware here.  You have just done some digging around and you have noticed some things of Windows 10, Windows Defender antivirus, and how the Windows Task manager shows some information.

By regrouping and refocusing, I mean to remind both of us that this sub-forum is about checking for malware, removing it if present.  Beyond that, we need to refer you to other resources.   Lets please stop digging about hither & yon.

The YourPhone is a newer feature of Windows 10 to allow some optional association with modern smartphones.  I will refer you to the forum at https://tenforums.com  to get some clearer guidance on it.  Yourphone was not in the first original Windows 10 in 2015.   But it is a more recent added element.  Also see the remark made here https://answers.microsoft.com/en-us/windows/forum/windows_10-security/what-is-yourphoneexe/30ac20e2-f407-4c3b-b4e1-78f7042b5b11

As to the "not measured" shown on Task Manager, that is, I think, their way of saying that the Microsoft analytics does not 'measure' it.

Not at all a malware.

Likewise, 'msascuil' is not a malware.  It is just a part of the Windows 10 Windows Microsoft Defender antivirus on older Windows versions. msascuil (Microsoft Antivirus Security Centre User Interface Logo) was responsible for the icon appearing on the taskbar system tray. Your Windows 10 is Version 1909 which is 2 builds old from the current latest generation. Those builds do not have msascuil.  That functionality in the 2020 versions is incorporated  into the windows security health service .

That is another way of saying, you need to get your operating system updated to the latest Windows 10 version.  I believe I am going to refer you to the forum at Tenforums for that.

The custom script here is just intended to help a little.  By removing 4 permanent Windows tasks on Nvidia Crash handlers. To remove the auto-starting of Microsoft Teams  ( which is some of the stuff on Task Manager).   and to run the Windows System File Checker tool to check Windows.

[    1     ]

What follows is a first step to have Windows 10 show all files and folder. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[      2     ]

The system will be rebooted after the script has run.

This custom script is for  Protos97 only / for this machine only.

 

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The  custom Fix script is going to be used by the FRSTENGLISH.exe   tool   which you have on your Downloads folder.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Start the Windows Explorer and then, to the Downloads   folder.

RIGHT click on  FRSTENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please know this will do a Windows Restart.   Just let it do its thing.  

Some added notes.  The Malwarebytes for Windows program and the Microsoft Defender Antivrius is what is used to look for the presence of malware.

As long as those two tell us that there is no malware, then any strangeness on Task Manager or Windows itself need to be redirected to other resources.

The Support tool reports and the Farbar FRST reports do not show the presence of malware.

The recent scans with Malwarebytes for Windows reported no infection.

Fixlist.txt

[Protos97]

34 minutes ago, Maurice Naggar said:

[      2     ]

The system will be rebooted after the script has run.

This custom script is for  Protos97 only / for this machine only.

I do not see a script to use.  I used win + E to show all folders, but am confused as to what script I am supposed to use. 

Is FRSTENGLISH.exe the script to use?  If so I do not have it in my downloads folder

[Maurice Naggar]

Look at the very bottom of my last reply  ( online on the forum)  onto this topic.  My preceding reply has the attachment named FIXLIST.txt

The FRSTENGLISH is at folder   C:\Users\Chadwick\Downloads\FRSTEnglish.exe

[Protos97]

Thank you for clarifying the instructions.

I completed the scan and here are the results

Fixlog.txt

[Maurice Naggar]

I got your report.  Did you watch that run to completion?  Did it restart the system ?

It looks as if the account you are logged-in-with to Windows is 'not' one that has Administrator-level access  rights.  Can you double check and make real sure you Logoff Windows.   That on the next login, that you login with a Administrator-level account.

[Protos97]

So what I did was that I right clicked FRST and ran as administrator.  It went through and I restarted my computer.

However, I did log into my  admin account and the ESET scanner and other antivirus .txt file were accessible now after logging into my admin account.

I will attach those anti virus scans to this post as well.

 

Did something not work with using the script?  Should I try the process again?

try again.txt all files.txt

[Protos97]

eset scan.txt

[Maurice Naggar]

Thanks for all the logs.  BUT  that was too many times.  Lets put aside the ESET.   No need to run that anymore.

Lets also put aside the script from Fixlist.  Lets just have you do a manual SFC scan as follows.  Just again, be sure you are logged in with the one administrator-level account.

To Get the elevated command prompt, press Windows-key + X key  and then selected Command prompt ( Admin )

On that command prompt,  Copy & Paste this command

sfc /scannow

and tap Enter-key.   Then wait and when it all finishes, let me know the bottom line results.

[Protos97]

Cool.  I am logged into my administrator account and typed in the following in Command Prompt

[Maurice Naggar]

I'm very glad to see & know that result. The Windows System File Checker reports system files are in good shape.

Now just one time only.  Making sure that Fixlist.txt  on the Downloads folder.  Just do one new run.   That is to say, do not keep repeating after this !

RIGHT click on  FRSTENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please know this will do a Windows Restart.   Just let it do its thing.