JorgeBon Posted June 18, 2021 ID:1464082

Hello, my computer had some strange issues lately. First of all, I couldn't revert to a backup version of the system; it told me that it failed for unknown reasons. After I did this, the start menu got corrupted, so I had to reinstall packages to get it working again. It made me question why this happened; the only major changes I can recall are the recent updates for Windows, but I wasn't sure if that was the case. It made me paranoid that there is maybe something else going on. The system started to make a lot of mat-debug logs along with db.ses files, which I think means that the graphics driver is corrupted, unless I read something wrong. I would appreciate assistance in checking whether my system is fine. I would also like to know if I installed the right Firefox; they made installers unique, so checking them on VT got trickier.

Addition.txt FRST.txt

JorgeBon Posted June 18, 2021 Author ID:1464083

Reuploading the FRST.txt.

FRST.txt

Root Admin AdvancedSetup Posted June 18, 2021 ID:1464147

I don't see an obvious infection. You do have a Firewall block on Firefox that you may want to double-check.

FirewallRules: [TCP Query User{C8BC0036-FF5D-4839-9ECA-E048714EA321}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [UDP Query User{A4CA81BA-0343-41F9-94A0-C75EC7705253}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)

The logs show that Windows Search appears to be corrupted. Please review the following to fix or reset Windows Search.
https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/fix-problems-in-windows-search

Please try setting your DNS to Google Public DNS
https://developers.google.com/speed/public-dns/docs/using

When ready, save any open and unsaved documents, close all open applications and run the following to run a disk check.

NOTE: This will force a computer restart, so make sure you do not have any open unsaved documents or you'd lose that data.

Then open an elevated admin command prompt and type in or copy / paste the following and press the Enter key

shutdown /r /t 30 && echo y | chkdsk c: /f

Once Windows Search has been fixed and you've run the disk check, click on Start, type in "Check for updates" and let Windows check for updates. It looks like you might still need one or two more updates.

After Windows has finished updating, run the following tool to check for other program updates for software you have installed

Patch My PC Home Updater
https://patchmypc.com/home-updater
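
An added example, not part of the original thread and not FRST's own code: a Python parser for the two FirewallRules lines quoted in the post above, listing which programs have Block rules and for which protocols. The regular expressions are inferred from those two lines only, and the Allow line is constructed to show the contrast.

```python
import re
from collections import defaultdict

# The two FirewallRules lines quoted in the post above, verbatim.
PAGE_LINES = [
    r"FirewallRules: [TCP Query User{C8BC0036-FF5D-4839-9ECA-E048714EA321}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)",
    r"FirewallRules: [UDP Query User{A4CA81BA-0343-41F9-94A0-C75EC7705253}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)",
]
# Constructed line (not from the page): an Allow rule whose path contains
# parentheses, to show the signer is only the trailing "(X -> Y)" group.
CONSTRUCTED_ALLOW = r"FirewallRules: [{11111111-2222-3333-4444-555555555555}] => (Allow) C:\Program Files (x86)\Example\app.exe (Example Corp -> Example Corp)"

# Layout assumed from the page's lines: [rule name] => (action) path (signer)
RULE_RE = re.compile(
    r"^FirewallRules: \[(?P<name>.*?)\] => \((?P<action>\w+)\) "
    r"(?P<path>.+?)(?: \((?P<signer>[^()]*->[^()]*)\))?$"
)
# Rule name as seen on the page: optional "TCP|UDP Query User" prefix, then a GUID.
NAME_RE = re.compile(r"^(?:(?P<proto>TCP|UDP) Query User)?(?P<guid>\{[0-9A-Fa-f-]{36}\})")


def parse_rule(line):
    """Return a dict of rule fields, or None if the line is not a FirewallRules entry."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    n = NAME_RE.match(rule["name"])
    rule["proto"] = n.group("proto") if n else None
    rule["guid"] = n.group("guid") if n else None
    return rule


def blocked_programs(lines):
    """Map each program path (lower-cased) to the sorted protocols it is blocked on."""
    blocked = defaultdict(set)
    for line in lines:
        rule = parse_rule(line)
        if rule and rule["action"].lower() == "block":
            blocked[rule["path"].lower()].add(rule["proto"] or "unspecified")
    return {path: sorted(protos) for path, protos in blocked.items()}


if __name__ == "__main__":
    for path, protos in blocked_programs(PAGE_LINES + [CONSTRUCTED_ALLOW]).items():
        print(f"BLOCK {'/'.join(protos)}: {path}")
```

The GUID returned by parse_rule is the part of the rule name to search for when looking for the matching entry in the Windows Firewall rule list.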

JorgeBon Posted June 18, 2021 Author ID:1464153

Hello @AdvancedSetup

I took the steps that you recommended. I can't find the entries for Firefox being blocked though. I don't know if this fixed my system. Are there any steps I should take? Should I take new logs?

Cheers

JorgeBon Posted June 18, 2021 Author ID:1464154

Windows troubleshoot also mentioned that Windows Search is now fixed, but there was something wrong with the permissions, not entirely sure what they meant.

Root Admin AdvancedSetup Posted June 18, 2021 ID:1464155

Please restart the computer one more time just to clear out any temporary pending file renaming, etc.

Then run FRST again and click on Scan and attach back both new logs and I'll check again @JorgeBon

JorgeBon Posted June 18, 2021 Author ID:1464158

Here are the logs. Thank you for your time, cheers.

FRST.txt Addition.txt

Root Admin AdvancedSetup Posted June 18, 2021 ID:1464160

The change to Google DNS does not appear to have been done.

DNS Servers: 192.168.0.1

Please save the attached FIXLIST.TXT file to the same location as FRST - then run FRST and click on the FIX button.

fixlist.txt

After the computer restarts, post back the new FIXLOG.TXT file.

Thanks

JorgeBon Posted June 18, 2021 Author ID:1464162

@AdvancedSetup

Changed the DNS, I hope this time successfully. FRST entry says

DNS Servers: 8.8.8.8 - 8.8.4.4

Fixlog.txt

Edited June 18, 2021 by JorgeBon

JorgeBon Posted June 18, 2021 Author ID:1464164

Am I supposed to do anything specific with the DNS change?

Root Admin Solution AdvancedSetup Posted June 18, 2021 ID:1464170

Thanks @JorgeBon

Windows Resource Protection found damaged files, some of which could not be repaired.

Please run the following from an elevated admin command prompt

DISM.exe /Online /Cleanup-image /Restorehealth

Assuming that runs successfully, please then run the following as well

SFC /SCANNOW

Let me know the results of those commands please.

Edited June 18, 2021 by AdvancedSetup (updated information)

JorgeBon Posted June 18, 2021 Author ID:1464174

Hello @AdvancedSetup

The first scan stated that the recovery was successful. The second scan states that there were no errors.

Root Admin AdvancedSetup Posted June 18, 2021 ID:1464176

That doesn't make sense. I've been doing computer support for a long time now and I cannot say I've ever seen SFC say it could not fix the files, then run DISM and then run SFC again and have it say there is nothing to fix. New to me, but okay. As long as SFC says all is good now, that's what counts.

Der Windows-Ressourcenschutz hat beschädigte Dateien gefunden, die teilweise nicht repariert werden konnten.
Bei Onlinereparaturen finden Sie Details in der CBS-Protokolldatei unter windir\Logs\CBS\CBS.log. Beispiel C:\Windows\Logs\CBS\CBS.log. Bei Offlinereparaturen finden Sie Details in der durch das /OFFLOGFILE-Kennzeichen angegebenen Protokolldatei.

Is there anything else I can assist you with? Is the computer running okay now?

Cheers

JorgeBon Posted June 18, 2021 Author ID:1464177

Quite surprised as you are; at least that issue got solved quickly before it turned into a headache.

Everything is fine now except that I'm still wondering what these mat-debug logs are; they keep getting created after this backup issue happened. Same with db.ses files getting created.

Root Admin AdvancedSetup Posted June 18, 2021 ID:1464182

Not sure if this is true or not, but please see the following
https://a-man-in-the-cookie.blogspot.com/2020/10/microsoft-edge-remote-code-execution-vulnerability.html

I'll need to check into it further as I don't know the real answer at this time.

Check out these posts about the mat-debug and see if they make sense for you or not. Don't download any supposed "fixes"; just read the article and see if it makes sense to you
http://www.surfacetablethelp.com/2020/07/remove-mat-debug-files-created-in-temp-folders-on-windows-10.html
https://answers.microsoft.com/en-us/windows/forum/all/mat-debug-xxxxlog-files-in-temp-folder/955f105f-2eee-4f9b-96b3-e6433d051d46

JorgeBon Posted June 18, 2021 Author ID:1464185

The part about the .ses file containing the ID and stuff looks exactly like what I have, but I don't think this is exactly related to some exploit, especially not with Edge. I barely used the browser; the only time I used it today was to get Firefox back.

The second post mentions going into safe mode and emptying the temp folder. I think I did that once some ages ago, I'm not sure if I did, but I think it actually helped make it stop creating these files; all that remained were .ses files.

The third post is the closest to what my symptoms are; it's exactly like that.

I suppose I don't think this is some sort of malware attack. Anyway, I restarted the system after the scans we did and haven't had any files created for a while now. They might still appear though; sometimes it's sorta late for some reason.

JorgeBon Posted June 18, 2021 Author ID:1464190

There are also posts that say that this is connected to the EdgeUpdate.exe in C:\Program Files (x86)\Microsoft. This feels very ambiguous in terms of what could cause this.

Edit: Never mind, the folder is called EdgeUpdate, and not the exe. I noticed that the folder is renamed to EdgeUpdate2, which I think I did a good while ago, so I will try to rename it back to its original name.

Edited June 19, 2021 by JorgeBon

Root Admin AdvancedSetup Posted June 19, 2021 ID:1464199

@JorgeBon

I enabled Auditing and have now proven that Microsoft Edge is in fact creating a .SES file in the local user temp folder. When opened with Notepad, the file has 2 lines that look like some type of ID and a GUID number.

It doesn't appear right away, but soon after launching MS Edge (Chromium based)

06/18/2021  06:21 PM                53 .ses
               1 File(s)             53 bytes

I was not able to locate any documentation or authoritative discussion about the creation of this file.

It can be deleted with Microsoft Edge open. There are no handles to the file, so once it's created it's not locked for writing.

I do not believe it is detrimental to the computer or user. It's possible perhaps that it's somehow related to some type of telemetry, but even that is only a guess and currently there is no proof of that either.

Edited June 19, 2021 by AdvancedSetup (updated information)

JorgeBon Posted June 19, 2021 Author ID:1464224

I think this is something that just writes down your session of sorts. At least it doesn't seem malicious. Just wondering about db.ses and mat-debug now. I don't know if db.ses and .ses are different files, but they seem to contain the same content.

JorgeBon Posted June 19, 2021 Author ID:1464226

It seems that Office is the one that creates these files; as soon as I launched it, it created a mat-debug and db.ses file. Curious why this seems to create these files every minute interval though.

JorgeBon Posted June 19, 2021 Author ID:1464234

After switching to safe mode and emptying the temp files, it seems to have fixed the issue? A new file was created which was named "msedge_installer.log" or something, and so far I haven't gotten any new mat-debug or db.ses files. The only temp file that keeps getting created now is StructuredQuery.log, which is probably the most normal this system has been; I've had these created for a long while now.

Root Admin AdvancedSetup Posted June 19, 2021 ID:1464291

Yes, don't know the underpinnings of why Microsoft chooses to create the files. I'm not seeing any harmful actions though.

Is there anything else I can assist you with?

JorgeBon Posted June 20, 2021 Author ID:1464388

I believe everything is now fine, thank you for your help.

Root Admin AdvancedSetup Posted June 21, 2021 ID:1464496

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you