drdas

New exploit block after applying updates


After applying updates to my computer overnight, each time I reboot, I am getting the warning below from Malwarebytes. It has occurred with each of two reboots, but I've never seen it before (I'll admit that I only reboot about once per week, unless updates are being installed though). No filename listed, as you can see below. Doesn't seem to recur after the reboot, even if the computer remains on for hours and engaging in normal activity. Unclear if this is related to the most recent Windows update, but I'm having no other problems, and full MWB scans are coming back clean. Happy to provide any additional logs requested.


Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/16/19
Protection Event Time: 11:18 AM
Log File: 6141610c-19aa-11e9-9acc-847beb2bb294.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.508
Update Package Version: 1.0.8818
License: Premium

-System Information-
OS: Windows 10 (Build 17134.523)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Windows Script Host
Protection Layer: Malicious Memory Protection
Protection Technique: Exploit code executing from Heap memory blocked
File Name: 
URL: 

 

(end)

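Added example (my own, not code from the thread or from Malwarebytes): a small Python parser for the text export format pasted in the first post, with a triage helper that flags the two things the poster noticed, namely that the block is on in-memory behaviour of Windows Script Host and that no file name is listed. The embedded sample is a constructed, cut-down copy of that log; the field layout of the detection line (name, empty field, action, bracketed numbers, version) is assumed from it.

```python
import re

# Constructed sample, trimmed from the Malwarebytes 3.x text export in the thread.
SAMPLE_LOG = """\
-Exploit Details-
File: 0
(No malicious items detected)
Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Windows Script Host
Protection Layer: Malicious Memory Protection
Protection Technique: Exploit code executing from Heap memory blocked
File Name: 
"""

SECTION_RE = re.compile(r"^-(?P<name>[^-].*?)-$")  # "-Exploit Data-" style headers

def parse_mbam_log(text):
    """Return ({section: {key: value}}, [detection fields...]) for one export."""
    sections, detections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = {}
            continue
        if current is None or not line or line.startswith("("):
            continue  # skip text before the first header, blanks, and "(No ... detected)"
        if ": " in line or line.endswith(":"):
            key, _, value = line.partition(":")  # "File Name:" with nothing after is allowed
            sections[current][key.strip()] = value.strip()
        elif "," in line:
            detections.append([f.strip() for f in line.split(",")])
    return sections, detections

def triage(sections, detections):
    data = sections.get("Exploit Data", {})
    first = detections[0] if detections else []
    return {
        "detection": first[0] if first else None,
        "action": first[2] if len(first) > 2 else None,
        "application": data.get("Affected Application"),
        "technique": data.get("Protection Technique"),
        # Empty File Name plus a memory-protection layer: the block was on the listed
        # application's memory behaviour, not on a file, so a disk scan has nothing to find.
        "fileless": data.get("File Name", "") == "" and "Memory" in data.get("Protection Layer", ""),
    }
```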

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Wait for further instructions.


Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings
===

If the problem persists and you are syncing Firefox with other devices, remove it.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer

When all is well you can re-sync your devices.

Keep me posted.


A couple of things:

I don't see an attachment.

I am not syncing Firefox with any other devices. Is there a reason to believe that Firefox would be causing the issue in question?

Thanks again!


And in case it helps, I have also determined that signing out and signing back in to my profile also elicits the exploit pop-up. As long as I stay signed in... no problems.


Hi,


Sorry about that, my mistake.

P.S.
This program is installed, but I'm seeing some error in your Addition.txt log.
Audacity 2.1.3 (HKLM-x32\...\Audacity®_is1) (Version: 2.1.3 - Audacity Team)

You may have to reinstall it or remove it completely.
To remove it, go via the Control Panel > Programs > Programs and Features.

"I have also determined that signing out and signing back in to my profile also elicits the exploit pop-up. As long as I stay signed in... no problems."

These are the profiles shown in your Addition.txt log.
Administrator (S-1-5-21-4106294062-4130048709-2438025359-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-4106294062-4130048709-2438025359-503 - Limited - Disabled)
Guest (S-1-5-21-4106294062-4130048709-2438025359-501 - Limited - Disabled)
somits (S-1-5-21-4106294062-4130048709-2438025359-1001 - Administrator - Enabled) => C:\Users\somits
WDAGUtilityAccount (S-1-5-21-4106294062-4130048709-2438025359-504 - Limited - Disabled)

Which one is compromised?
I see your logs are "Ran by DASCHUL" but I do not see it in the list.

fixlist.txt

Edited by nasdaq


It is the DASCHUL account that I regularly use.

The others are set up by my work IT folks.

Will apply recommended fixes and let you know.


Fixes applied as per request. Firefox reset. Still getting the exploit block pop-up though. :(

Fixlog attached.


Fixlog.txt


One more crazy idea... could this be part of the Windows Update process trying to clean itself up that MWB is blocking? It did start after I applied updates on Wednesday...


Could be.

Wait one or two days and let me know whether all is well or not.
