I require another check.

[JorgeBon]

Hello, my computer had some strange issues lately.

First of all things, I couldn't revert to an backup version of the system, it told me that it failed for unknown reasons. After I did this, the start menu got corrupted so i had to reinstall packages to get it working again.

It made me question on why this happened, the only major changes I can recall are the recent updates for windows, but I wasn't sure if that was the case.

 

It made me paranoid if there is maybe something else going on, the system started to make a lot of mat-debug logs alongside with db.ses files, which I think means that the graphic driver is corrupted, unless I read something wrong.

 

Would appreciate assistance on checking out if my system is fine. I also would like to know if i installed the right firefox, they made installers unique, so checking them on VT got trickier.

Addition.txt FRST.txt

[JorgeBon]

Reuploading the FRST.txt.

FRST.txt

[AdvancedSetup]

I don't see an obvious infection.

You do have a Firewall block on Firefox you may want to double-check on.

FirewallRules: [TCP Query User{C8BC0036-FF5D-4839-9ECA-E048714EA321}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [UDP Query User{A4CA81BA-0343-41F9-94A0-C75EC7705253}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)

 

The logs show that the Windows Search appears to be corrupted. Please review the following to fix or reset Windows Search.

https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/fix-problems-in-windows-search

 

Please try setting your DNS to Google Public DNS
https://developers.google.com/speed/public-dns/docs/using

 

When ready, save any open and unsaved documents and close all open applications and run the following to run a disk check.
NOTE: This will force a computer restart so make sure you do not have any open unsaved documents or you'd lose that data.

Then open an elevated admin command prompt and type in or copy / paste the following and press the Enter key

shutdown /r /t 30 && echo y | chkdsk c: /f

 

Once the Windows Search has been fixed and you've run the disk check, then click on Start and type in "Check for updates" and let Windows check for updates. It looks like you might still need one or two more updates.

 

After Windows has finished updates, then run the following tool to check for other program updates from software you have installed

Patch My PC Home Updater
https://patchmypc.com/home-updater

 

[JorgeBon]

Hello @AdvancedSetup

I took the steps that you recommended, I cant find the entries for firefox being blocked though.

I don't know if this fixed my system, any steps I should take? Should I take new Logs?

Cheers

[JorgeBon]

Windows troubleshoot also mentioned that Windows Search is now fixed, but there was something wrong with the permissions, not entirely sure what they meant.

[AdvancedSetup]

Please restart the computer one more time just to clear out any temporary pending file renaming, etc.

Then run FRST again and click on Scan and attach back both new logs and I'll check again @JorgeBon

 

 

[JorgeBon]

Here are the logs.

Thank you for your time, cheers.

FRST.txt Addition.txt

[AdvancedSetup]

The change to Google DNS does not appear to have been done

DNS Servers: 192.168.0.1

 

 

 

Please save the attached FIXLIST.TXT file to the same location as FRST - then run FRST and click on the FIX button.

fixlist.txt

After the computer restarts post back the new FIXLOG.TXT file.

Thanks

 

[JorgeBon]

@AdvancedSetup

Changed the DNS, I hope this time successfully.

FRST entry says DNS Servers: 8.8.8.8 - 8.8.4.4

 

Fixlog.txt

Edited June 18, 2021 by JorgeBon

[JorgeBon]

Am I supposed to do anything specific with the DNS change?

[AdvancedSetup]

Thanks @JorgeBon

Windows Resource Protection found damaged files, some of which could not be repaired.

Please run the following from an elevated admin command prompt

 

DISM.exe /Online /Cleanup-image /Restorehealth

Assuming that runs successfully please then run the following as well

SFC  /SCANNOW 

Let me know the results of those commands please.

 

Edited June 18, 2021 by AdvancedSetup
updated information

[JorgeBon]

Hello @AdvancedSetup

 

First Scan stated that the recovery was successful.

The second Scan states that there were no errors.

[AdvancedSetup]

That doesn't make sense. I've been doing computer support for a long time now and I cannot say I've ever seen SFC say it could not fix the files. Then run DISM and then run SFC again and it say there is nothing to fix. New to me, but okay. As long as SFC says all is good now that's what counts.

Der Windows-Ressourcenschutz hat beschädigte Dateien gefunden, die teilweise nicht repariert werden konnten.

Bei Onlinereparaturen finden Sie Details in der CBS-Protokolldatei unter 

windir\Logs\CBS\CBS.log. Beispiel C:\Windows\Logs\CBS\CBS.log. Bei Offlinereparaturen

finden Sie Details in der durch das /OFFLOGFILE-Kennzeichen angegebenen Protokolldatei.

 

Is there anything else I can assist you with? Is the computer running okay now?

Cheers

 

[JorgeBon]

Quite surprised as you are, at least that issue got solved quick before it turned into an headache.

Everything is fine now except that I'm still wondering what these mat-debug logs are, they keep getting created after this backup issue happened.

Same with db.ses files getting created.

[AdvancedSetup]

Not sure if this is true or not but please see the following

https://a-man-in-the-cookie.blogspot.com/2020/10/microsoft-edge-remote-code-execution-vulnerability.html

I'll need to check into it further as I don't the real answer at this time.

 

Check out these posts about the mat-debug and see if they make sense for you or not. Don't download any supposed "fixes" just read the article and see if it makes sense to you

http://www.surfacetablethelp.com/2020/07/remove-mat-debug-files-created-in-temp-folders-on-windows-10.html

https://answers.microsoft.com/en-us/windows/forum/all/mat-debug-xxxxlog-files-in-temp-folder/955f105f-2eee-4f9b-96b3-e6433d051d46

 

[JorgeBon]

The part about the .ses file containing the ID and stuff looks exactly what I have, but I don't think this is exactly related to some exploit, especially not with edge, I barely used the browser, the only time I used it today is to get firefox back.

The second post mentions about going into safe mode and emptying the temp folder, I think I did that once some ages ago, I'm not sure if I did, but I think it actually helped making it stop creating these files, all that remained were .ses files.

The third post has the most closest to what my symptoms are, its exactly like that.

I suppose I don't think this is some sort of malware attack. Anyway, I restarted the system after the scans we did and haven't got any files created for a while now, it might still appear though, sometimes its sorta late for some reason.

[JorgeBon]

There are also posts that say that this is connected to the EdgeUpdate.exe in C:\Program Files (x86)\Microsoft.

This feels very ambiguous in terms of what could cause this.

 

Edit: Nevermind the folder is called EdgeUpdate, and not the exe. I noticed that the folder is renamed to EdgeUpdate2, which I think I did a good while ago so I will try to rename it back to its original name.

Edited June 19, 2021 by JorgeBon

[AdvancedSetup]

@JorgeBon

I enabled Auditing and have now proven that Microsoft Edge is in fact creating a .SES file with 2 lines in the file that look like some type of ID and a GUID number in the local user temp folder when opened with Notepad. It doesn't appear right away but soon after launching MS Edge (Chromium based)

 

 

06/18/2021  06:21 PM                53 .ses
               1 File(s)             53 bytes

 

I was not able to locate any documentation or authoritative discussion about the creation of this file. It can be deleted with Microsoft Edge open. There are no handles to the file so once it's created it's not locked for writing

 

I do not believe it is detrimental to the computer or user. It's possible perhaps that it's somehow related to some type of telemetry but even that is only a guess and currently no proof of that either.

 

 

Edited June 19, 2021 by AdvancedSetup
updated information

[JorgeBon]

I think this is something that just writes down your session of sorts. At least it doesn't seem malicious.

Just wondering about db.ses and mat-debug now, I don't know if db.ses and .ses are different files but they seem to contain the same content.

[JorgeBon]

It seems that office is the one that creates these files, as soon as i launched it, it created a mat-debug and db.ses file.

Curious on why this seems to create these files every minute interval though.

[JorgeBon]

After switching to safe mode and emptying the temp files, it seems to have fixed the issue?

A new file was created which was named "msedge_installer.log" or something and so far I haven't gotten any new mat-debug or db.ses files. The only temp file that keeps getting created now is StructuredQuery.log, which is probably the most normal this system has been, I've had these created for a long while now.

[AdvancedSetup]

Yes, don't know the underpinnings of why Microsoft chooses to create the files. I'm not seeing any harmful actions though.

Is there anything else I can assist you with?

 

[JorgeBon]

I believe  everything is now fine, thank you for your help.

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you