moo4x Posted February 12, 2015 ID:938976

Win XP SP3
IE 8.0.6001.18702

I rarely use IE (pretty much just for MS update). I have 2 similar machines. This started on 1 a couple months ago, & on the other tonight. The attached file is from my main pc, which has had the issue for a couple months. I get a "blocked an exploit attempt" message upon opening, but no specifics as to what exploit is occurring. I have 2 rootkit scanners (MB A-M PRO & Greatis Reg Run) on both machines & neither have found anything. Neither have several other malware & AV products.

Malwarebytes Anti-Exploit.zip

TIA

Staff pbust Posted February 12, 2015 ID:938978

Thanks for posting moo4x. Can you please also post the logs from FRST to see if there is anything on that system that might be conflicting with MBAE?

moo4x Posted February 13, 2015 Author ID:939249

Here are the 2 FRST logs, thank you! Since one of them was quite long, I've zipped them up.

frst.zip

Staff pbust Posted February 13, 2015 ID:939307

Thanks for the logs moo4x. You have EMET 4.1 installed on your machine and this is causing the known conflict with MBAE. You can safely uninstall EMET and reboot as MBAE is a replacement (and improvement) over EMET.

moo4x Posted February 13, 2015 Author ID:939322

Thank you! I really don't like EMET, but thought it was necessary with XP. Are there any remnants I need to look for after uninstall, or anything else I might need to know?

moo4x Posted February 13, 2015 Author ID:939323

One last question: based on the logs, would there be any significant benefit to me to upgrade to the paid version of MBAE since I'm going to gladly follow your advice? (EMET has caused several other programs to have issues also).

Staff pbust Posted February 13, 2015 ID:939335

Yes, EMET is known to cause quite a few conflicts, especially when adding non-default programs such as Chrome, Flash, etc. The one good thing about EMET is that it's completely free.

MBAE has a Free version which protects against drive-by download exploits in web browsers, browser addons (Flash, Silverlight, etc.) and Java. But MBAE Premium is a paid version which protects other applications such as MS Office, PDF Readers, Media Players and the ability to add custom shields.

If you ask me, I'd rather pay for MBAE and forget about the EMET conflicts. Plus I know I would be better protected with MBAE than with EMET.

moo4x Posted February 13, 2015 Author ID:939486

Removing EMET worked. Thank you again! I am looking into buying the pro version of MBAE.

Staff pbust Posted February 14, 2015 ID:939685

Cool, glad you got it working and good to hear that you're going with MBAE!

discerningword Posted March 8, 2015 ID:946022

-- I'm running Windows 7 Professional 64-bit.
-- I have the premium versions of Malwarebytes Anti-Malware and Zemana AntiLogger installed.
-- AVG 2015 Free is my antivirus.
-- Free versions of SUPERAntiSpyware, Spybot Search & Destroy, and Malwarebytes Anti-Exploit, too, are installed.
-- All security software is kept up-to-date, and scans are run regularly. Scans do not seem to show infections.
-- Java is kept updated.
-- Firefox (latest version) is set as my default browser, and Chrome, Opera, and Internet Explorer 11 are kept in reserve.
-- My AOL Desktop software won't use my Firefox, and the browser it presents within the software window supposedly is Internet Explorer with an AOL skin, but their techs say their software can use Chrome, too. The skinned browser presented seems to be working, so maybe the one being accessed is Chrome, since there's a problem with IE.

Each time I try to open Internet Explorer 11 directly, I get an alert that Malwarebytes Anti-Exploit has blocked an exploit attempt. The IE window stops responding or appears as blank, and then disappears completely. From time to time a window pops up asking to allow an IE add-on... but I've been denying it because of the concern over the exploit. I cannot update IE manually because it will not function. Not sure what to do.

-- Would accepting the IE add-on make my computer vulnerable to the exploit, even with MBAE installed?
-- Would somehow otherwise whitelisting Internet Explorer leave a door open for the exploit, despite MBAE?
-- Is there a way to shield IE so it can be used safely?
-- Does this exploit have a name?
-- Would uninstalling MBAE and doing a new install solve the problem?
-- Would uninstalling and doing a new install of IE solve the problem?

I also get frequent MBAM Premium alerts about inbound attempts by a malicious site using svchost.exe in its attempts. I contacted Malwarebytes Anti-Malware Support about the matter, but they did not seem worried about inbound attempts, only outbound. Could the exploit attempts blocked by MBAE be related somehow to the inbound attempts Malwarebytes Anti-Malware Premium is blocking?

Trying to figure this thing out... but I seem to have more questions than answers. Hope someone may provide some insight as to how this can be fixed. I am supplying zip file with MBAE log data. Also supplying system and software information and FRST scan results. Thanks for whatever help one can offer.

Program Data MBAE log copy.zip
Belarc report 03-0802015.rtf
FRST scan results.zip

Staff pbust Posted March 9, 2015 ID:946085

Welcome to the forum and thanks for posting. You have the busiest FRST log I've ever seen. I recommend doing a bit of cleanup (running a couple of second opinion on-demand malware scanners + uninstalling a bunch of software that you may not need or use).

Also your MBAE logs ZIP only has 1 file, applications.dat. Please re-create the ZIP but include the entire contents of C:\ProgramData\Malwarebytes Anti-Exploit.

Also I see you have EMET 4.1 installed, although I don't see it running. Try uninstalling EMET and rebooting to see if that makes a difference.

discerningword Posted March 9, 2015 ID:946156

Dear Pedro:

Thanks for offering your help!

-- Attached is the corrected zip with all the log files in the Program Data MBAE folder. I was zipping with 7Zip for the first time before, and thought I had included all the files. Sorry 'bout that.
-- I uninstalled EMET, and tried opening Internet Explorer. This time I did not get an MBAE exploit alert! So, would that mean that the problem was simply a conflict between EMET and MBAE? That there is no exploit?
-- You suggested I run some online virus/malware scans. Have you particular sites you'd recommend? I wasn't too happy with the EULA for the Kaspersky Security Scan. Shall I try BitDefender?

RE: The busy FRST file. I like to collect software, compare, and see what works best for me. I keep a log of all software installed and reference text for each program. I have favorites among the software, of course, but I use programs as I need them. I do try to check programs for updates before using, particularly if it has been awhile since install or since last use.

mbae.zip

Staff pbust Posted March 9, 2015 ID:946158

Thank you for the logs, this time they are correct!

If you uninstalled EMET and it is working correctly now, that means that yes, the root of your problem was the known conflict with EMET.

As for second opinion scanners, try Panda. Disclaimer: I used to work for Panda a lifetime ago. But their "Cloud Cleaner" is pretty good.

PS: marking this thread as solved and merging with the existing EMET conflict thread.