PowerPoint is ransomware ??


tcloud

Today, about 30 minutes ago, I was editing a PowerPoint presentation and a popup appeared declaring MB had detected Ransomware and had saved me from it.  My presentation closed at the same instant, and attempting to restart it brought a window telling me that I'd need to find another app for this file.  It removed my desktop icon and the executable for PowerPoint.  My copy of Office is fully legal and nothing in it should be flagged as malware.

When I was looking at the MB Quarantine, I noticed that several other programs I use had also been removed -- not sure what sin they committed.  One was RootsMagic, a genealogy program that was also declared ransomware.  Another was AxCrypt-1.7.2976.0-Setup.exe (Axantum Software AB AxCrypt File Encryption Software) ... not sure why it was quarantined.

Don't remember the others.

I found two logs for false ransomware quarantines -- PowerPoint and RootsMagic:

-Log Details-
Protection Event Date: 4/5/20
Protection Event Time: 3:43 PM
Log File: 09c4ddae-777e-11ea-9374-402343bc1a84.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.859
Update Package Version: 1.0.21972
License: Premium

-System Information-
OS: Windows 10 (Build 18362.720)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 3
Malware.Ransom.Agent.Generic, C:\Users\tc\Desktop\PowerPoint.lnk, Quarantined, 0, 392685, 0.0.0
Malware.Ransom.Agent.Generic, C:\PROGRA~1\MICROS~2\root\Office16\POWERPNT.EXE, Quarantined, 0, 392685, 0.0.0
Malware.Ransom.Agent.Generic, C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE, Quarantined, 0, 392685, 0.0.0

(end)

-Log Details-
Protection Event Date: 3/9/20
Protection Event Time: 5:07 PM
Log File: 51503484-6252-11ea-9cb4-402343bc1a84.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.835
Update Package Version: 1.0.20460
License: Premium

-System Information-
OS: Windows 10 (Build 18362.657)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 3
Malware.Ransom.Agent.Generic, C:\Users\tc\Desktop\RootsMagic.lnk, Quarantined, 0, 392685, 0.0.0
Malware.Ransom.Agent.Generic, C:\PROGRA~2\ROOTSM~1\ROOTSM~1.EXE, Quarantined, 0, 392685, 0.0.0
Malware.Ransom.Agent.Generic, C:\Program Files (x86)\RootsMagic\RootsMagic.exe, Quarantined, 0, 392685, 0.0.0

(end)

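A small parser for the protection-event log format quoted in the post above, added here as an editor's example; it is not code from Malwarebytes or from the original poster. It assumes only the layout visible in the post (section titles between dashes, `key: value` lines, comma-separated detection rows, `(end)` closing each event) and it leaves the three trailing numeric fields of each detection row unlabelled because the page does not say what they mean. Parsing the log this way makes it easy to separate the quarantined executables (the entries whose removal actually breaks an application) from desktop shortcuts, and to notice that the 8.3 short-name row and the long-name row refer to the same file.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the PowerPoint protection-event log posted in the thread,
# reproduced verbatim so the parser can run offline.
LOG_TEXT = r"""
-Log Details-
Protection Event Date: 4/5/20
Protection Event Time: 3:43 PM
Log File: 09c4ddae-777e-11ea-9374-402343bc1a84.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.859
Update Package Version: 1.0.21972
License: Premium

-System Information-
OS: Windows 10 (Build 18362.720)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 3
Malware.Ransom.Agent.Generic, C:\Users\tc\Desktop\PowerPoint.lnk, Quarantined, 0, 392685, 0.0.0
Malware.Ransom.Agent.Generic, C:\PROGRA~1\MICROS~2\root\Office16\POWERPNT.EXE, Quarantined, 0, 392685, 0.0.0
Malware.Ransom.Agent.Generic, C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE, Quarantined, 0, 392685, 0.0.0

(end)
"""


@dataclass
class Detection:
    name: str          # detection name, e.g. Malware.Ransom.Agent.Generic
    path: str          # file the engine acted on
    action: str        # e.g. Quarantined
    extra: List[str]   # trailing numeric fields; their meaning is not given on the page


@dataclass
class ProtectionEvent:
    fields: dict = field(default_factory=dict)                 # "Protection Event Date" -> "4/5/20", ...
    detections: List[Detection] = field(default_factory=list)


# name, path, action, then whatever remains. Assumes paths contain no commas.
DETECTION_RE = re.compile(r"^([^,]+),\s*([^,]+),\s*([^,]+),\s*(.*)$")


def parse_events(text: str) -> List[ProtectionEvent]:
    """Split the exported log into one ProtectionEvent per '-Log Details-' ... '(end)' block."""
    events: List[ProtectionEvent] = []
    current: Optional[ProtectionEvent] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "(end)":
            if current is not None:
                events.append(current)
            current = None
            continue
        header = re.fullmatch(r"-(.+)-", line)
        if header:
            section = header.group(1)
            if section == "Log Details":
                current = ProtectionEvent()
            continue
        if current is None:
            continue
        # Detection rows live in the Ransomware Details section and carry commas;
        # the "File: 3" count line in the same section has none.
        if section == "Ransomware Details" and line.count(",") >= 2:
            name, path, action, rest = DETECTION_RE.match(line).groups()
            current.detections.append(
                Detection(name, path, action, [p.strip() for p in rest.split(",")]))
            continue
        key, _, value = line.partition(":")   # first colon only, so "3:43 PM" survives
        current.fields[key.strip()] = value.strip()
    return events


def quarantined_executables(event: ProtectionEvent) -> List[str]:
    """Paths of quarantined .exe files: these are the entries whose removal breaks the app."""
    return [d.path for d in event.detections
            if d.action == "Quarantined" and d.path.lower().endswith(".exe")]


def is_short_name_path(path: str) -> bool:
    """True when a path component is an 8.3 alias such as PROGRA~1 (the log records both forms)."""
    return any("~" in part for part in path.split("\\"))


if __name__ == "__main__":
    for ev in parse_events(LOG_TEXT):
        print(ev.fields.get("Protection Event Date"), ev.fields.get("Log File"))
        for exe in quarantined_executables(ev):
            tag = "8.3 alias" if is_short_name_path(exe) else "long name"
            print(f"  quarantined executable ({tag}): {exe}")
```

Running the block over the first log lists the two POWERPNT.EXE rows (one 8.3 alias, one long name) and leaves the `.lnk` shortcut out, which matches the poster's observation that both the desktop icon and the program itself disappeared.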

  • Staff

Hi @tcloud,

Assuming you have already restored the detected items from quarantine, please zip up and provide the following files:

  • C:\Users\tc\Desktop\PowerPoint.lnk
  • C:\PROGRA~2\ROOTSM~1\ROOTSM~1.EXE
  • C:\Program Files (x86)\RootsMagic\RootsMagic.exe
  • AxCrypt-1.7.2976.0-Setup.exe


If you haven't restored the items, please zip up the following folder:

  • C:\ProgramData\Malwarebytes\MBAMService\Quarantine


Please run the Malwarebytes Support Tool and gather logs as well so we can take a closer look at the detections:
https://support.malwarebytes.com/hc/en-us/articles/360039023453-Upload-Malwarebytes-Support-Tool-logs-manually

Thank you!


  • Staff

Thanks for that file.

So just the action of opening it, starting a slideshow, etc does not trigger any detection for us.

Without the exclusion for POWERPNT.EXE in place, do you find you consistently experience the Ransomware Protection detection for PowerPoint?
If you're able to consistently reproduce it, could you try disabling or uninstalling your McAfee product and see if this has any impact.

Can you provide any further details on what you were specifically doing with PowerPoint and the file you attached that resulted in the detection occurring?

We're hoping to be able to reproduce this detection so that we can more reliably ensure it does not happen again in the future.

Edited by LiquidTension

I have not entered any exclusions thus far (dealing with a 99-year-old mother) and I've not had a chance to work on the PowerPoint. (I had been working on it every day up until that happened, but the situation has changed with my mother.)

It's weird -- I noticed MWB had quarantined my local server (XAMPP) which I use every day.  I never noticed any problem with it, even though MWB log said it had been quarantined.  The RootsMagic ....  I use it maybe once a week and never noticed it had been quarantined until I looked in the quarantine folder.  I've never used the AxCrypt, only downloaded the executable thinking I might check it out some day.

My own thoughts? ... I suspect my new Dell XPS-8930 as there are hiccups. For one thing, it freezes at least twice a day for about 2-3 seconds. I can't help but wonder whether that causes problems for software. I'm using McAfee because it came with the Dell. Will probably go back to my Vipre when the year is up.

I'm willing to help if I can.


  • Staff

Thank you for the information.

The detections for the other files shouldn't occur any more. What we're especially interested in is the PowerPoint detection which may occur again. It would definitely help us to better understand how PowerPoint was being used at the time of the detection so that we can hopefully reproduce the issue. Any details at all on how PowerPoint was being used will be greatly appreciated!

One possible cause is McAfee process injection, which we've seen cause issues with other users. If you are able to reproduce the PowerPoint detection again, it would be interesting to see if the detection stops once McAfee is removed.

An additional point - could you zip up and provide the C:\ProgramData\Malwarebytes\MBAMService\ARW folder please?


I can't think of anything unusual I was doing with the PowerPoint -- just adding information and occasionally previewing it.

I'm happy to stop McAfee ... actually looking for a reason to uninstall it as I have no intention of continuing to use it once the free year is up.

Here is the ARW folder: ARW.zip
