Munchkin


Hi,

I received a notification after booting up my PC that MBAM Anti-Exploit (premium) had not completed start-up and to reboot. I did, and Anti-Exploit kicked in OK.

Following this I got an immediate 'Exploit blocked' message on Microsoft Edge, using Windows 10. It stated it was a 'ROP gadget attack' on MS Edge and add-on.

This is the first time this has occurred, and whilst I am relieved Anti-Exploit did its job I have no idea, having limited PC know-how, what this exploit is and if I need to take any further security steps. I am running an MBAM just now.

Could anyone enlighten me about this exploit attempt and where it may have originated from?


Hi. Keep posting here on this thread.

Tell me if you have REBOOTED the computer today. If not, do so at this point.

I would suggest you follow the tips I posted at the following link

Then reply back here and let me know if that has helped.

If not, provide full details on the whole content of the message, and what site maybe was being tried. I also would like to know the version and build number of this Windows.

I may need to get diagnostic reports from this PC later. Send these reports if you get another "exploit message" or any other type of "exception".

 

I would like you to run the diagnostic tool for Malwarebytes Anti-Exploit. You can download and run the MBAE Support tool from this link

 

Once the tool has run, please collect your Anti-Exploit logs using the steps below:

Note: Some of the folders might not appear as they are hidden by default. To make these folders visible, please check the following.
We need to show ALL files, folders and extensions in File Explorer:

Click on the File Explorer (yellow folder icon) shortcut on the Windows taskbar.
(Or you may press and hold the Windows key and then press the E key to start File Explorer.)

Click the VIEW tab on the top bar menu. (You may also press the ALT key then the V key to get the VIEW menu.)
Be patient as it will show a VIEW tab with a ribbon at the top. Look on the right-side half of it across the top.

Look at the top ribbon, right side (the Show/Hide block).
Look at the check box "File name extensions". If it has no checkmark, then click the box one time so that it is checked.
Look at the check box "Hidden items". If it has no checkmark, then click the box one time so that it is checked.

Those are important to have and show all that. Don't get freaked out if you get a prompt when doing this. It is all good.
Also, keep these changes permanent. They actually help you keep more secure when you actually see file extensions.

 

Collecting Logs for your system:

1. Click on Start
2. Click on Computer
3. Double-click C:\ > ProgramData
4. Right-click the Malwarebytes Anti-Exploit folder
5. Click Send to > Selected Compressed (zipped) folder
6. A zipped file will be created in the ProgramData
7. Drag the newly created zipped file to your desktop and attach it with your reply.
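
The log-collection steps above, done from a PowerShell prompt instead of File Explorer, with the Windows version and build number the helper asks for written into the archive. This is an added example, not part of the original post and not a Malwarebytes tool; the staging folder, archive name and `collection-info.txt` file are assumptions.

```powershell
# Added example (not from the original post or from Malwarebytes).
# Source folder is the one named in the steps above; every output name is an assumption.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$source  = Join-Path $env:ProgramData 'Malwarebytes Anti-Exploit'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$staging = Join-Path $env:TEMP "mbae-logs-$stamp"
$zip     = Join-Path ([Environment]::GetFolderPath('Desktop')) "mbae-logs-$stamp.zip"

if (-not (Test-Path -LiteralPath $source -PathType Container)) {
    throw "Folder not found: $source"
}
$source = (Get-Item -LiteralPath $source -Force).FullName.TrimEnd('\')

# Work on a copy: a file held open by the running service is skipped and listed
# instead of aborting the whole archive.
New-Item -ItemType Directory -Path $staging | Out-Null
$skipped = @()
foreach ($file in Get-ChildItem -LiteralPath $source -Recurse -Force -File) {
    $relative = $file.FullName.Substring($source.Length + 1)
    $target   = Join-Path $staging $relative
    New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
    try {
        Copy-Item -LiteralPath $file.FullName -Destination $target -Force -ErrorAction Stop
    } catch {
        $skipped += $relative
    }
}

# Record the Windows version and build number requested in the thread.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
@(
    "Edition:       $($os.Caption)"
    "Version:       $($os.Version)"
    "Build:         $($os.BuildNumber)"
    "Architecture:  $($os.OSArchitecture)"
    "Skipped files: $(if ($skipped) { $skipped -join ', ' } else { 'none' })"
) | Set-Content -LiteralPath (Join-Path $staging 'collection-info.txt')

# ZipFile includes hidden files, which matters because this folder is hidden by default.
[System.IO.Compression.ZipFile]::CreateFromDirectory($staging, $zip)
Remove-Item -LiteralPath $staging -Recurse -Force
Write-Output "Created $zip"
```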

 


Hi Maurice, 

Thanks for your response. I have rebooted my PC and followed your advice but I am still getting the exploit notifications when I open Edge. 

I am on BST so am going to shut down now and will carry on tomorrow.

Regards

 

 


Please send the reports requested (earlier).

I also need to know exactly which way (what link, what shortcut) you use to start EDGE. In addition, what page it is set to start with, and which website (if any) you had been browsing at the moment when MBAE showed its notification message window.


Hi Maurice, thanks for replies.

I am going to download the MBAE support tool now and send you the reports.

I have been opening Edge in a couple of ways. This problem first cropped up when I typed in a question via Start/Search/Cortana. This opens Bing search results in Edge by default. The 'Exploit' notification then pops up and I am eventually told 'page won't load'. When I open Edge from the taskbar icon it opens with the start page, which displays my 'News feed' and other information like weather. The 'Exploit' notification pops up shortly after and then the start page goes into a continuous loop: shutting down, opening, pop-up notification appearing, shutting down .....

I am using Microsoft Windows 10 Home

Version 10.014393

Build 14393

Yes, this PC does have IBM Trusteer installed, but I am not sure Edge is protected as it is not an available extension with Edge?

I am aware that there are other people experiencing this problem.


Quoting from the Known-issues-conflicts section of the MBAE support sub-forum:

Quote

Trusteer Rapport may conflict with MBAE. As a workaround simply disable the ROP and malicious return address protections in MBAE's advanced settings to make Trusteer work alongside MBAE. But even with those techniques disabled sometimes Trusteer's "Pinpoint technology", which tries to detect the presence of Trusteer through a webpage, introduces a conflict whereby it cannot detect the presence of Trusteer's hooks. There is a long history of complaints about IBM's lack of interest in fixing Rapport's conflicts with dozens of security applications. We've managed to make Trusteer work with most web browsers but in the case of Pinpoint technology it does not know how to deal with basic chained API hooks.

Do you exclusively use the EDGE browser? Are you perhaps able to use Internet Explorer or another?
Have you reset the Edge browser?



As we go along, from time to time, Windows User Account Control (UAC) will prompt whether to allow a tool or procedure to proceed forward. Approve the Windows UAC prompt by clicking on Continue or Yes.


Please download Farbar Recovery Scan Tool and save it to your desktop.
Get the version that matches the bitness of your Windows (i.e., 32 or 64 bit).
You can check here if you're not sure if your computer is 32-bit or 64-bit

You may wind up needing to temporarily turn off your antivirus program IF it interferes with the diagnostic tool reports listed below.

Right-click on the FRST icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.
Windows 8 or 10 users will be prompted about Windows SmartScreen protection - click the More info line on that screen and click the Run anyway button on the next screen.
Click YES when prompted by the Windows UAC prompt to allow it to run.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt).
Please attach FRST.txt & Addition.txt along with your next reply.
 

 


Hi Maurice,

Thanks for your reply. I mainly use Chrome and Firefox as my browsers. Edge is the default browser when I use Cortana to search. Not sure if I can change this. I don't actually use Edge very much. I don't use IE 11 either. I 'reset' Edge - if by that you mean clearing the cache?

I looked at my Anti-Exploit console to check advanced settings with a view to disabling ROP exploits, but it is greyed out, as are the top three check boxes including 'automatically upgrade to latest version'. I am a premium user so this surprises me?

I have completed the Farbar scan and have the two files, but not sure if I 'attach' both as you say 'copy and paste' FRST.txt? Please advise.

 

 


This topic is now closed to further replies.