Elena_Nov

Malwarebytes has blocked Word; exclusion and restart don't help


Hi, please help me with the following issue:

Malwarebytes just blocked Microsoft Word on my PC. 

-Ransomware Details-
File: 1
Malware.Ransom.Agent.Generic, C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE, Blocked, 0, 392685, 0.0.0

I get the following message when I click on the Word icon:
C:\Program Files(x86)\Microsoft Office\Office14\WINWORD.EXE is not a valid Win32 application.

I've checked Excel - it works. 

The blocked WINWORD.EXE does not show up in quarantine, only in History, so I can't restore it.

I added WINWORD.EXE and Microsoft Office folder to my list of exclusions, disabled Ransomware Protection and restarted my computer, but it didn't help.

I've also run Malwarebytes Support Tool, so here is the mbst-grab-results.zip attached. ARW.zip is also attached in case you need it.

Can someone please help?

 

 

mbst-grab-results.zip ARW.zip


Greetings,

Does it help if you disable Exploit Protection?  Please test and let us know.

Thanks


Hi exile360,

No, disabling Exploit Protection doesn't help.

I still get this message when I click on the Word icon:
C:\Program Files(x86)\Microsoft Office\Office14\WINWORD.EXE is not a valid Win32 application.


OK, and you mentioned previously that disabling Ransomware Protection didn't help either, correct?  Did you restart the system after disabling Ransomware Protection and then test it?  If not, please do so and let us know how it goes.

In the meantime I'll request that the forum moderators move this thread to the false positives section so that Research may address the FP.


Yes, I restarted my PC after disabling Ransomware Protection and it didn't help either.


OK, so what happens if you disable all 4 protection components and then restart your system so that Malwarebytes starts with all protection disabled?  Is the application still blocked then?


I tried disabling all 4 protection components and then restarting my system. The application is still blocked.


Thank you, and if you right-click the Malwarebytes tray icon and select Quit Malwarebytes, the application runs normally, correct?


If I quit Malwarebytes, the application is still blocked. I still get the message:
C:\Program Files(x86)\Microsoft Office\Office14\WINWORD.EXE is not a valid Win32 application.


I see, then something else must be blocking it, not Malwarebytes.  When you quit Malwarebytes from the tray it removes all of its protection drivers and processes from memory.  Does anything show up in Malwarebytes' quarantine?  It may be that it removed one of the files needed for Word to run, otherwise it could be that something else is preventing Word from functioning.

4 hours ago, Elena_Nov said:

Can someone please help?

In Control Panel > Programs and Features, click on the Office 2010 item and click the Change button. In the dialog, select Repair and click Continue. Wait for it to finish, and try Word again.
I am also concerned about the validity of a Microsoft program on your computer.

Quote

Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe

 


Ah, KMS could explain why Malwarebytes might block/quarantine one or more components of the installation as well.  Nice catch, Porthos.


We're glad to hear it. If you run into any further issues, please let us know.

Thanks

