Unusual UAC Request


  • This topic is locked
19 replies to this topic

#1 joshuals

joshuals

  • Members
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec (Summer) Arizona (Winter)
  • Local time:01:49 AM

Posted 10 December 2017 - 02:27 PM

Win10 version 1709.16299.98 running on a Dell Inspiron 5559 laptop, under a Standard User Account.

 

This morning I received a UAC popup requesting permission to run the following: 

  • Local Hash DBUpdater by Sutherland Global Systems.

 

I denied the request.

 

I Googled the string "Local Hash....etc." and got zero hits.

 

I ran a Malwarebytes scan and a Norton Security scan which returned no malicious items.

 

I also ran a scan with FRST and the log shows the following running process:

  • (Sutherland Global Services, Inc) c:\ProgramFiles\Dell\SupportAssistAgent\SRE\SRE.exe

 

The above is the only reference to "Sutherland" in the FRST logs and there were no warnings in the logs.  Task Manager shows that sre.exe is, in fact, running on the machine and I know that Dell Support Assist has been installed on this computer.

 

Anyone ever heard of "Local Hash DB Updater" or anything similar?  Is it malicious?

 

Thank you for any feedback.


Edited by joshuals, 10 December 2017 - 02:29 PM.
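
Added example (not part of the original post, and not code from any tool named in this thread): one way to triage the prompt described in post #1 from PowerShell is to list every running process whose executable carries an Authenticode signature from the publisher shown in the UAC dialog, and to check whether each signature validates. The function name `Get-SignedProcessByPublisher` and the default pattern `Sutherland` (taken from the prompt text above) are assumptions for illustration.

```powershell
# Added example: find running processes signed by a given publisher and
# report whether the Authenticode signature on each executable validates.
param(
    # Substring of the publisher name shown in the UAC prompt (assumption).
    [string]$PublisherPattern = 'Sutherland'
)

function Get-SignedProcessByPublisher {
    param([Parameter(Mandatory)][string]$Pattern)

    # From a Standard User session, Path is empty for many service processes;
    # run elevated to cover processes owned by SYSTEM or other users.
    Get-Process |
        Where-Object { $_.Path } |
        Sort-Object -Property Path -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
            if ($sig -and $sig.SignerCertificate -and
                $sig.SignerCertificate.Subject -match [regex]::Escape($Pattern)) {
                [pscustomobject]@{
                    Path       = $_.Path
                    # 'Valid' = file hash matches and the certificate chain is trusted.
                    # Anything else (HashMismatch, NotTrusted, ...) needs a closer look.
                    Status     = $sig.Status
                    Subject    = $sig.SignerCertificate.Subject
                    Issuer     = $sig.SignerCertificate.Issuer
                    Thumbprint = $sig.SignerCertificate.Thumbprint
                    # Hash to compare against the vendor's copy or a reputation service.
                    SHA256     = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
                }
            }
        }
}

Get-SignedProcessByPublisher -Pattern $PublisherPattern | Format-List
```

A `Valid` status on a file under the vendor's install directory ties the publisher name in the prompt to a signed, unmodified binary; a matching name with any other status, or a file in a temp or user-writable location, is the case worth escalating.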



 


#2 satchfan

satchfan

  • Malware Response Team
  • 2,716 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Devon, UK
  • Local time:06:49 AM

Posted 10 December 2017 - 02:46 PM

Hello joshuals and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

====================================================

Download TFC to your desktop

  • close any open windows
  • double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run
  • click the Start button to begin the process
  • allow TFC to run uninterrupted
  • the program should not take long to finish its job
  • once it's finished it should automatically reboot your machine
  • if it doesn't, manually reboot to ensure a complete clean.

====================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

Logs to include with next post:

Frst.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 joshuals


Posted 11 December 2017 - 11:35 AM

Hello Satchfan

 

In following your instructions I find that I am unable to Paste (from Notepad) into the Topic Reply Box.   Copy/paste works normally within documents on the computer, however.  I have tried several methods including the Paste icon on the Reply Box Tool Bar.  I noticed this behavior when I made my first post and had to type by hand the line from the FRST log in Post #1.

 

Attempted to paste from 2 different User Accounts on this computer.....same result.  Cursor blinks slightly but text does not paste.

 

Any ideas? 

 

 


Edited by joshuals, 11 December 2017 - 11:41 AM.


#4 satchfan


Posted 11 December 2017 - 11:47 AM

Have you tried to copy from Notepad, then click in the reply box and then paste by holding down Ctrl+v?

 

If that doesn't work please attach them.

 

Off out now so won't reply for a few hours.

 

Satchfan




#5 joshuals


Posted 11 December 2017 - 11:49 AM

In response to your question in Post #4.....yes I tried that with no success.

 

I am now responding from a different computer and attempting to Paste with the same results, so it's not particular to the computer we're discussing in this thread.



#6 joshuals


Posted 11 December 2017 - 12:05 PM

In this post I am attempting to Paste from yet a third computer and am unable to do so.  I will go back to the first computer and paste the logs as you requested.



#7 joshuals


Posted 11 December 2017 - 12:11 PM

With regard to the computer we're discussing in this thread I followed your instructions in Post #2.  I ran TFC from the Administrator's Account despite OT's note that the tool is not for Win8.1 or Win10.  It did not reboot the computer, so I rebooted manually.

 

The FRST logs are attached.

 

There have been no further popups or other symptoms of malware.

Attached Files


Edited by joshuals, 11 December 2017 - 12:12 PM.


#8 satchfan


Posted 11 December 2017 - 03:46 PM

OK I understand.

 

Will look at the logs as soon as I can.




#9 joshuals


Posted 11 December 2017 - 04:11 PM

I had an opportunity to post in a different forum this morning on an issue totally unrelated to computers and had no problem pasting text.  The problem seems to be limited to posting to BC.



#10 satchfan


Posted 11 December 2017 - 06:05 PM

I'm glad things are better but a few things need to be dealt with.

 

Run Farbar Recovery Scan Tool

  • right-click FRST/FRST64 and select ‘Run as administrator’
  • highlight the contents of the code box below, then press Ctrl+c:
Start::
CloseProcesses:
SearchScopes: HKU\S-1-5-21-2299309460-2324534085-1175044672-1001 -> DefaultScope {668BA064-4FDA-42CB-907D-BEAB01B52ECE} URL =
SearchScopes: HKU\S-1-5-21-2299309460-2324534085-1175044672-1001 -> {668BA064-4FDA-42CB-907D-BEAB01B52ECE} URL =
SearchScopes: HKU\S-1-5-21-2299309460-2324534085-1175044672-500 -> DefaultScope {668BA064-4FDA-42CB-907D-BEAB01B52ECE} URL =
SearchScopes: HKU\S-1-5-21-2299309460-2324534085-1175044672-500 -> {668BA064-4FDA-42CB-907D-BEAB01B52ECE} URL =
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Security with Backup\Engine\22.11.2.7\Exts\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Security with Backup\Engine\22.11.2.7\Exts\Chrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
Task: {C2C8D07B-A499-4F85-8977-42D3B70845DD} - System32\Tasks\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => C:\WINDOWS\TEMP\DeleteFolderTask.exe <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
C:\WINDOWS\TEMP\DeleteFolderTask.exe
EmptyTemp:
End::

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • in the FRST window, press the ‘Fix’ button once and wait
  • please reboot the computer if requested
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista/7/8/10, instead of double-clicking, right-mouse click JRT.exe and select ‘Run as Administrator’
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

Logs to include with next post:

Fixlog.txt
AdwCleaner log
JRT.txt


Thanks

Satchfan

 




#11 joshuals


Posted 11 December 2017 - 07:52 PM

Hello Satchfan

 

No problems following your instructions and no further popups or symptoms of malware.

 

Sorry I still have to attach the logs;  still unable to paste into the BC Reply Box.

Attached Files



#12 satchfan


Posted 12 December 2017 - 03:35 AM

That all looks good. It would appear that the TFC scan sorted out the problem and I see no signs in your logs that would require further scans.

 

Let me know if you're happy to tidy up and I'll send instructions.




#13 joshuals


Posted 12 December 2017 - 09:28 AM

I have not seen a repeat of the popup that caused me to start this thread and there are no other symptoms.  Can you tell me what the problem was?

 

However, I would like to resolve why I have three computers (2 Win10 and 1 Win7, all running IE) that are unable to paste into the BC Reply Box.  Note that the Win7 computer is also running Firefox and Chrome, and both Firefox and Chrome behave normally with regard to pasting into BC.  So it would appear that the problem is limited to IE only. I have done a brief search on BC and have not found any other threads on this problem.  I realize this may not be a malware problem so if appropriate, please redirect me to the correct forum.

 

If you would like to proceed with the cleanup, please give me the instructions.



#14 satchfan


Posted 12 December 2017 - 04:22 PM

I think the original problem was related to Dropbox.

 

The 'paste' problem could be browser-related as I have problems myself at different forums. Is it only forum-based or a general problem?




#15 joshuals


Posted 12 December 2017 - 05:49 PM

It appears to be only forum-based and only at BC, and then only when using IE.  I have tried three other forums using IE and all others paste normally.

 

I have attempted to copy/paste using the ctrl+____ functions, by using right-click menus, and by using the paste icons at the top of the BC Reply Box, all without success.





