JamOrange

Hi @Porthos Oh ok, apologies, I'll download it shortly - thank you for your replies. Regards

Hi @Porthos, Ah ok - I thought it may be on beta release, but quite a version difference from 4.6.12.323 to 5.1.2.109, so I wasn't 100% sure. I'll wait until it's official release. Regards

Hi @BjelakovicL, I get the same error on Chrome too, is it because I'm running Malwarebytes software version 4.6.12.323? Why haven't I been upgraded to the latest version of Malwarebytes as I've got a pay for a Premium license, which I assumed would keep all the Malwarebytes software up to date - not just the database. Regards

Hi, Ah ok many thanks - the bouncing IP is the issue - or the website itself? That said, @BjelakovicL I'm a little confused on the version of Malwarebytes I'm running - as I've got a Premium license, which I have had for some time now - and also run the update earlier and it says I'm running Malwarebytes software version 4.6.12.323, whereas, Porthos, also on a Premium license is running on software version 5.1.2.109? I don't understand why I'm not running on the latest version? as I do and always have "Automatically download and install updates" turned on. Regards.

Hi, I've just run an update on Malwarebytes and rebooted - but the www.nchsoftware.com website remains blocked due to Malware. See please below. Regards ------------------------------------------------------------------------------------------------------------------------------- Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 4/4/24 Protection Event Time: 4:02 PM Log File: 6283dad6-f294-11ee-b240-004e01a98be8.json -Software Information- Version: 4.6.12.323 Components Version: 1.0.2309 Update Package Version: 1.0.83010 License: Premium -System Information- OS: Windows 10 (Build 19045.4170) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, Blocked, -1, -1, 0.0.0, , -Website Data- Category: Malware Domain: www.nchsoftware.com IP Address: 66.39.83.155 Port: 443 Type: Outbound File: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (end)

Hello, I'm being blocked going to www.nchsoftware.com as blocked due to Malware being reported by Malwarebytes. I have no idea if this is a false positive? but it's a well known website. Regards JamOrange

Hi @Maurice Naggar Many thanks for your detailed reply. Working through your thoughts and suggestions does reassure me that this was almost certainly a false positive for ransomware. Other than knowing what I've read about the carnage/misery that ransomware causes and that it can trigger from any point in time after hitting your device, I know very little about it. My only protection is to keep my paid-up versions of Malwarebytes and McAfee always up to date, which I do. My PC had been shutdown overnight and has restarted fine this morning. I did notice that all the files were iconcache and in a single directory; %userprofile%\appdata\local\microsoft\windows\explorer\ - but I didn't know if this was just the beginning or the start of the ransomware countdown. No, again, reassuringly, I've not had any on-screen messages or "ransom notes" and I'm able open a documents/excel/pdfs in my Documents folder fine in their native apps. So, so far, thankfully, I've not come across any locked documents. I manually checked my documents folder and desktop and also done a search across my entire PC (C: and D:) this morning looking for files with the regex expression, "^_.*.txt" and none have been found from yesterday and in total just 1 files; C:\Program Files\PDF24\lang\_readme.txt created on 30/04/23. As you say, I need to check on the reputation of the maker of the dashcam, "Navitel DVR Player" program. Until then I'll stop using it. As everything appears ok from restarting my PC from overnight, including my icons, I'll read through the article links you included to rebuild the icon cache, as good to know. I will also, as you suggest, definitely check with Acronis support about the original incident. Thanks again. Best Regards JamOrange

Hi all, I plugged in my Navitel dashcam, which I had installed by our local Citroen dealer. The first time I did, everything was fine, no apparent issues whatsoever. However, today when I plugged the dashcam into my PC (Windows10), Acronis reported potential ransomware - please see attached. I'm run a complete scan with MalwareBytes Premium (v4.6.5) and also Mcafee Total Protection (updates daily), neither of which reported any issues and are running constantly on my PC. Do I have a issue or is Acronis reporting a false postive? Many thanks JamOrange

Many thanks for this, it got me a step closer - but another error, so I had to also disable "Office WMI Abuse Prevention" to get the script to run successfully. But this is the only script I'm having issues with, as it does more - but not worth disabling 3 elements of protection to get it to work: Disable loading of VBScript libraries Office VBE7 abuse prevention Office WMI Abuse Prevention I think the only and safest option is to turn them all 3 back on and only turn off Malwarebytes when I want to run the script and then restart Malwarebytes? Regards JamOrange

Yes, I did, but apologies, I'm now getting a different error - my script is intentionally scanning my email inbox for email that match my search requirements and process them accordingly into Excel. Exploit: 1 Exploit.OfficeVBE7objectAbuse, D:\Documents\Outlook.Application, Blocked, 0, 392684, 0.0.0, , -Exploit Data- Affected Application: Microsoft Office Excel Protection Layer: Application Behavior Protection Protection Technique: Exploit Office VBE7 object abuse blocked File Name: D:\Documents\Outlook.Application URL: Many thanks JamOrange

Hello @Porthos - I'm having the same issue, but the above solution does not resolve it? -System Information- OS: Windows 10 (Build 19045.2846) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.VBScriptExecution, C:\Windows\SysWOW64\vbscript.dll, Blocked, 0, 392684, 0.0.0, D726550142BF1D098D0E9F65EE58A05F, 59A2413759882179E235F1BFF6185148F73305EEF3D2661C8EE318017692A714 -Exploit Data- Affected Application: Microsoft Office Excel Protection Layer: Application Hardening Protection Technique: Attempt to execute VBScript blocked File Name: C:\Windows\SysWOW64\vbscript.dll URL: Thanks JamOrange