[PowerPoint is ransomware ??]

I can't think of anything i was doing unusual with the powerpoint -- just adding information and occasionally previewing it.

I'm happy to stop McAfee ... actually looking for a reason to uninstall it as I have no intention of continuing to use it once the free year is up.

Here is ARW folder: ARW.zip

[PowerPoint is ransomware ??]

I have not entered any exclusions thus far (dealing with a 99-year-old mother) and I've not had a chance to work on the powerpoint.  (I had been working on it every day up until that happened, but situation has changed with my mother.)

It's weird -- I noticed MWB had quarantined my local server (XAMPP) which I use every day.  I never noticed any problem with it, even though MWB log said it had been quarantined.  The RootsMagic ....  I use it maybe once a week and never noticed it had been quarantined until I looked in the quarantine folder.  I've never used the AxCrypt, only downloaded the executable thinking I might check it out some day.

My own thoughts ?  ....  I suspect my new Dell XPS-8930 as there are hiccups.  For one thing, it freezes at least twice a day for about 2-3 seconds.  I can't help but wonder but what that doesn't cause problems for software.  I'm using McAfee because it came with the Dell.  Will probably go back to my Vipre when the year is up.

I'm willing to help if I can.

[PowerPoint is ransomware ??]

Here is powerpoint 00-00 GEM-01.zip

[PowerPoint is ransomware ??]

thank you -- I've zipped all files into folder "MWB problem files"MWB problem files.zip

[PowerPoint is ransomware ??]

FYI, I got the data I posted from MWB > Notifications > Ransomware blocked ... on Report window, clicked "Advanced" and then export to txt

So, there were no files for my initial query.

[PowerPoint is ransomware ??]

sorry, I don't know what files to zip, nor do I know what a virustotal report is ?

Please tell me what files to zip (and where to locate them) and I'll be happy to submit them.

[PowerPoint is ransomware ??]

I see that it also quarantined my XAMPP apache service httpd.exe -- listed as "Malware.Ransom.Agent.Generic"

AxCrypt-1.7.2976.0-Setup.exe -- listed as "Generic.Malware\/Suspicious"

[PowerPoint is ransomware ??]

Today, about 30 minutes ago, I was editing a PowerPoint presentation and a popup appeared declaring MB had detected Ransomware and had saved me from it.  My presentation closed at the same instant, and attempting to restart it brought a window telling me that I'd need to find another app for this file.  It removed my desktop icon and the executable for PowerPoint.  My copy of Office is fully legal and nothing in it should be flagged as malware.

When I was looking at the MB Quarantine, I noticed that several other programs I use had also been removed -- not sure what sin they committed.  One was RootsMagic, a genealogy program that was also declared ransomware.  Another was AxCrypt-1.7.2976.0-Setup.exe (Axantum Software AB AxCrypt File Encryption Software) ... not sure why it was quarantined.

Don't remember the others.

I found two logs for false ransomware quarantines -- PowerPoint and RootsMagic:

-Log Details-
Protection Event Date: 4/5/20
Protection Event Time: 3:43 PM
Log File: 09c4ddae-777e-11ea-9374-402343bc1a84.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.859
Update Package Version: 1.0.21972
License: Premium

-System Information-
OS: Windows 10 (Build 18362.720)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 3
Malware.Ransom.Agent.Generic, C:\Users\tc\Desktop\PowerPoint.lnk, Quarantined, 0, 392685, 0.0.0
Malware.Ransom.Agent.Generic, C:\PROGRA~1\MICROS~2\root\Office16\POWERPNT.EXE, Quarantined, 0, 392685, 0.0.0
Malware.Ransom.Agent.Generic, C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE, Quarantined, 0, 392685, 0.0.0

(end)

-Log Details-
Protection Event Date: 3/9/20
Protection Event Time: 5:07 PM
Log File: 51503484-6252-11ea-9cb4-402343bc1a84.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.835
Update Package Version: 1.0.20460
License: Premium

-System Information-
OS: Windows 10 (Build 18362.657)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 3
Malware.Ransom.Agent.Generic, C:\Users\tc\Desktop\RootsMagic.lnk, Quarantined, 0, 392685, 0.0.0
Malware.Ransom.Agent.Generic, C:\PROGRA~2\ROOTSM~1\ROOTSM~1.EXE, Quarantined, 0, 392685, 0.0.0
Malware.Ransom.Agent.Generic, C:\Program Files (x86)\RootsMagic\RootsMagic.exe, Quarantined, 0, 392685, 0.0.0

(end)

 

[mb is blocking new web site]

I just purchased a domain name and a hosting package so I could set up a sandbox site and it is blocked with the message "Website blocked due to malware" and another time "Website blocked due to adware".  But this site only has an index.php page with no content in it yet other than an H2 tag with "Home" in it.

I want this site to be visible to anyone -- I don't want everyone to have to unblock it.

The domain is www[.]mytestsite[.]icu or mytestsite[.]icu (I haven't set up an .htaccess file yet).

[periodic "Real-Time Protection layers turned off"]

problem has returned --   (and I'm not running grammerly)

• Windows 10 updated a couple of days ago
• then Windows crashed on me yesterday.
• This morning (5-12-2017) MWB reported Web Protection turned off.
• Rebooted and Malware Protection was off, but turned on without need for reboot.
• Checked the VIPRE file exclusions and modified all files to have full path
  • I notice there is no "rules.ref" file anywhere on my C drive.

believe it should be located - C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\rules.ref

Since all has been good until this morning, I will wait to see if problem recurs before posting logs.

[periodic "Real-Time Protection layers turned off"]

It can go for days before it fails.  I'll report any issues when they occur.

thanks

[periodic "Real-Time Protection layers turned off"]

I stayed behind to do it .. didn't take long.

The only file that was already excluded was mbam.exe

It is a little perplexing that I could see none of the files in the system32\drivers folder from the VIPRE browse menu even though I could see them when I opened the folder in explorer.  Then, after I entered the path directly into the file input field, there was no way to tell VIPRE to accept them, so I used the Return key and they now appear on the list.  I hope that means it found the files.

 

[periodic "Real-Time Protection layers turned off"]

thanks ... I thought I'd already done that.  It's late now and I may not be able to attend to this until Monday, but I will take your suggestion.

thanks again.

[periodic "Real-Time Protection layers turned off"]

Not sure when it began, but I get error "Real-Time Protection layers turned off" after several hours of using computer.  A log of when the failures occurred is below.

I'm running Malwarebytes Premium, ver. 3.0.6.1469.  I'm also running VIPRE Internet Security 2016 and SpyWare Blaster and Windows Defender is disabled.

===============

I noticed that some others with similar problem are using VIPRE.

My version is AntiVirus Internet Security 2016 --

Belarc Advisor lists -- Virus Protection:
ThreatTrack Security VIPRE
Malwarebytes

Software Versions:
ThreatTrack Security - VIPRE version 9.3.4.3
ThreatTrack Security - VIPRE Internet Security version 9.3.4.3
ThreatTrack Security - VIPRE SBVIPRE_PREMIUM_EN
ThreatTrack Security - VipreEdgeProtection.exe version 2.3.4.7 (64-bit)

===============

I began a log of the failures, but not immediately after they began.  Note that the computer is turned on before 07:00 every day, so you can see how long it ran before the protection failed.

2017-03-23
Getting popup message saying Malwarebytes Real Time Protection is turned off.  Can't turn it back on unless disable antivirus and reboot.  Actually, don't need to turn off AV, just reboot and it's back on.

rebooted 15:17 ... let's see how long before error message appears.
... running Scan ... complete 15:22

installed Belarc Advisor, got system details and uninstalled -- now restarting
16:00 -- restart

(no date, probably 3-24)
14:12 -- attempt to uninstall Belarc Advisor 8.5c again and rebooted.
15:24 -- MWB still appears to be okay
17:00 (app.) installed Office 2016 after an hour or so with Microsoft tech support ... MWB still seems okay

2017-03-30 - 16:18
Real-Time Protection layers turned off
One or more Real-Time Protection layers are turned off. Turn on all ...
-- Web Protection turned off -- hangs with "Starting"

2017-04-02 -- not sure when, noticed at 16:25
reooted -- then 14:35, same as above -- Web Protection turned off -- hangs with "Starting"
rebooted -- 16:40 -- all protection enabled

2017-04-04
-- Web Protection turned off
-- not sure when, noticed at 16:25

2017-04-05 -- 14:30
had removed Win7GamesForWin8-Setup.exe with Revo and restarted
.Rensomware Protection: Prevents ransomware from encrypting your files

15:45 -- noticed protection off again -- ransomware again
15:52 - after reboot, all protections okay

2017-04-17
10:00 -- no problem observed
00:44 (Monday morning) problem -- Web Protection turned off

2017-04-19
08:50 -- Web Protection turned off

2017-04-19
sometime between 1900 and 22:20
-- Web Protection turned off

2017-04-20
18:26  -- Web Protection turned off

2017-04-22
14:24 -- Web Protection turned off

MB-CheckResult-.txt

FRST.txt

Addition.txt

2017-04-22 mwbytes-scan-report.txt

logs.zip

[MBAM update (1.51.0.1200) won't run]

I updated MBAM from 1.4.6 to 1.51.0.1200 and now it won't run -- details below:

I downloaded and installed Able RAWer RAW Image Editor:

http://webmessengertutorials.com/able-rawer-free-raw-image-editor_22435.html

When I ran it, ZoneAlarm warned me that an executable named 0.87181453043776.exe

... was trying to access the trusted zone and internet to contact:

http://92.38.233.191

... I denied it access.

I found the executable in my Local Settings/Temp directory and ran MalWareBytes on the file (0.87181453043776.exe) and -- I believe -- it identified it as a Trojan.Dropper.

I then deleted the file.

(I also ran TDSSKiller.exe and it might be that application that provided the Trojan.Dropper identification.)

TDSKiller identified windows/system32/drivers/sptd.sys as a potential threat because it was locked. I have Daemon Tools Lite installed -- so I uninstalled it and removed the registry keys that were locked.

** sptd.sys is removed from my system -- could that be the problem?

I downloaded the update to MalWareBytes (1.51.0.1200.) (I was running version 1.46) -- and now MalWareBytes will not run at all.

** I still have the logs from when I ran MBAM last June it they would help.

I looked on-line for this problem and found several solutions -- beginning with renaming the setup file and the application file to fool apps that might be inhibiting it, including installing to a different directory -- no change, still won't run.

I followed the solution posted at: http://spywarehammer.com/simplemachinesforum/index.php?topic=10307.0

- run TFC.exe (temp file cleaner)

- reboot

- run Rkill.scr

- run MBAM ... still won't run.

I read a thread on this forum ( http://forums.malwarebytes.org/index.php?showtopic=87029 ) recommending running MBAM-clean, disabling my anti-virus/firewall, install a fresh download of MBAM and run it. I followed those instructions -- still won't run.

System information:

XP-Pro v. 5.1.2600, SP-3 Build 2600

Board: Intel Corporation D865PERL AAC26719-209

Bus Clock: 200 MHz

BIOS: Intel Corp. RL86510A.86A.0085.P19.0406281350 06/28/2004

2.80 GHz Intel P-4

8 KB primary memory cache

512 KB secondary memory cache

Hyper-threaded (2 total)

2 GB RAM

640.14 Gigabytes Usable Hard Drive Capacity

313.07 Gigabytes Hard Drive Free Space

AntiVirus -- ZoneAlarm Extreme Security Antivirus Version 9.3.037.000

Any suggestions very much appreciated.

thanks,

Tom