
MBAM persistently finds ransomware in Chrome.exe


Recommended Posts

I have MBAM Prem 4.1.0 with Win 10 Pro, 1909, 18363.900

Once or twice per day, MBAM closes all instances of Chrome (within Sandboxie).

The affected file is:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

I immediately scan that EXE file with Win Defender and MBAM. No issues.

MBAM always runs an automatic scan at morning startup. No issues.

QUESTION: is it safe for me to add Chrome to my "Allow" list in MBAM ?

Thanks


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    • Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots: (six screenshots, 01.png through 06.png, not reproduced here)

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


After submitting my new topic, the automated response regarding "Malwarebytes Support Tool" was posted.

I followed all the instructions related to "Clean".

No adverse results were notified.

So, IMHO, my original question still stands:

QUESTION: is it safe for me to add Chrome to my "Allow" list in MBAM ?

Thanks.


2 hours ago, OldGrantonian said:

QUESTION: is it safe for me to add Chrome to my "Allow" list in MBAM ?

I don't think that will be a good idea....

Please use the same tool you downloaded and use it to gather the logs and post them here so someone on the team can review them and find the root cause of your issues.


  • Root Admin

No it is not safe to add Chrome to your Allow list. That would compromise your system and bypass protection.

Please try resetting sync, clearing cache, cookies, etc first and see if that helps or not and let us know.

https://forums.malwarebytes.com/topic/258938-resetting-google-chrome-to-clear-unexpected-issues/

Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

 


13 hours ago, AdvancedSetup said:

Please try resetting sync, clearing cache, cookies

 

 - sync:  I'm one of the few remaining survivors of those who tell Google nothing. The only option set in "Sync and Google services" is the spell check. (The only reason I'm mentioning that is to help the troubleshooting - I don't grind axes.)

 - cache, cookies:  all 3 boxes checked

 

13 hours ago, AdvancedSetup said:

Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

 

Good general advice.

I use the free LastPass. Nothing stored in browser.


On 7/11/2020 at 9:59 PM, AdvancedSetup said:

Please restart the computer and let us know if you continue to get a block or not.

I restarted my computer on the day of my last post (7 Jul). 

I've had no problems until an hour ago. Chrome terminated abnormally when I was visiting this site:

https://www.worldometers.info/coronavirus/#countries

I'm not blaming that site. I've visited it several times per day since February. I'm simply forestalling the usual helpdesk question:  "What were you doing at the time of the incident?"

Some further info. For a few weeks I've had MBAM notifications stating that a site was blocked from installing ransomware. But Chrome was not terminated. I had a look in MBAM just now to see what sites had been blocked - but I couldn't find the list. Maybe the list was reset after my recent cleanup and re-install of MBAM. If that's true, there might be a case for preserving all MBAM notifications forever (or until deliberately deleted by user). Surely they're just harmless text strings?

The ransomware sites never seemed to be the same. They had URLs which were well-formed but short, weird, and strange looking. The site business could never be determined from the URL alone.

Needless to say ( !! ) I've never visited any "doubtful" sites since the MBAM ransomware notifications started.

Thanks.


  • Root Admin

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


1 hour ago, AdvancedSetup said:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Here are the steps that I implemented:

 - Launched the Farbar site.

 - Click the "Download" button for the 64-bit version.

 - Wait for the normal download dialog to appear, in order to specify the download location. The dialog never appeared.

 - I then noticed that Chrome had terminated abnormally.

 - The MBAM popup message appeared:

(screenshot of the MBAM popup message, not reproduced here)

 - I rebooted. (After a ransomware stoppage, Chrome can't be restarted without a reboot.)

- Launched Chrome within Sandboxie.

 - Launch the Farbar site

 - Click the "Download Now" button for 64 bits. Save to desktop. (Note: no MBAM popup this time. That suggests to me that the first MBAM stoppage message in the above screenshot might be suspect. The Farbar site either hosts ransomware or it doesn't. The second click on the Farbar Download button was less than 2 minutes after the click that caused the abnormal termination of Chrome. That wouldn't have been sufficient time for the Farbar site keepers to note the stoppage and clean the ransomware.)

 - Double-click on FRST64.exe 

 - Click Scan

 - Attached files.

Thanks.

 

Addition.txt FRST.txt


  • Root Admin

ATTENTION: System Restore is disabled (Total:103.63 GB) (Free:7.21 GB) (7%)

Please enable System Restore and create a new Restore Point

 

Please make sure the following folder exists. If it does not then create it.

C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\

 

Is this a Home computer or a Work computer?
Do you use a local account or a Microsoft online Azure account?

 

The Intel Driver & Support Assistant is crashing.

Error: (07/13/2020 07:40:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: DSAService.exe, version: 20.7.26.7, time stamp: 0x5ef414af
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x04afc89d
Faulting process ID: 0x10a8
Faulting application start time: 0x01d659439ebfdfac
Faulting application path: C:\Program Files (x86)\Intel\Driver and Support Assistant\DSAService.exe
Faulting module path: unknown
Report ID: 588eb2b3-a434-488d-b679-170af79498c8
Faulting package full name:
Faulting package-relative application ID:

Error: (07/13/2020 07:40:29 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: DSAService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.NullReferenceException
   at Intel.DSA.CommonCore.Controllers.LoggingBaseClass.TraceMethodStart(System.Type, System.String, System.String)
   at DSARestService.RestHttpListener.StopListening()
   at DSARestService.RestHttpListener.Finalize()

 

Error: (07/13/2020 07:30:31 PM) (Source: CertEnroll) (EventID: 87) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment for WORKGROUP\ASUS$ via https://INTC-KeyId-5e73c89aa3e902b272b9f0741f7d8730e3ec724a.microsoftaik.azure.net/templates/Aik/scep failed:

SubmitDone
Submit(Request): Bad Request
{"Message":"Attestation statement cannot be verified, rejecting request: 0x80070057."}
HTTP/1.1 400 Bad Request
Cache-Control: private
Date: Mon, 13 Jul 2020 18:30:32 GMT
Content-Length: 86
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
x-ms-request-id: 4e2955ea-01d8-4e72-9ccd-bd3ac6b4d146

 

Then there are the following errors too

 

Error: (07/13/2020 07:40:31 PM) (Source: Microsoft-Windows-Bits-Client) (EventID: 16392) (User: NT AUTHORITY)
Description: The BITS service failed to start.  Error 2147942405.

 

Date: 2020-04-19 10:10:35.713
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\browser_broker.exe) attempted to load \Device\HarddiskVolume3\Program Files\Classic Shell\ClassicExplorer64.dll that did not meet the Microsoft signing level requirements.

 

I think we should move this topic to the Malware Removal forum and work on correcting some internal issues you appear to be having with Windows

 


New info: MBAM runs an automatic scan at the first laptop activity of each day - irrespective of whether the first activity was a boot or a recovery from hibernation. That scan has never produced any adverse notifications.

 

10 hours ago, AdvancedSetup said:

Please enable System Restore and create a new Restore Point

Done.

 

10 hours ago, AdvancedSetup said:

Please make sure the following folder exists. If it does not then create it.

C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\

Did not exist. Created.

 

10 hours ago, AdvancedSetup said:

Is this a Home computer or a Work computer?

Home.

 

10 hours ago, AdvancedSetup said:

Do you use a local account or a Microsoft online Azure account?

Local account.

Most of the diagnostic info below here means nothing to me. I've commented on anything that I recognize.

 

10 hours ago, AdvancedSetup said:

The Intel Driver & Support Assistant is crashing.

This was updated a couple of days ago. Hovering over the sys tray icon shows "Updated".

 

11 hours ago, AdvancedSetup said:

Error: (07/13/2020 07:40:31 PM) (Source: Microsoft-Windows-Bits-Client) (EventID: 16392) (User: NT AUTHORITY)
Description: The BITS service failed to start.  Error 2147942405.

This seems to be a process that allows file transfers between "machines".

My laptop is never connected to any other "machine". I regularly use external drives - only on demand - for backups. Otherwise these are disconnected.

 

11 hours ago, AdvancedSetup said:

Date: 2020-04-19 10:10:35.713
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\browser_broker.exe) attempted to load \Device\HarddiskVolume3\Program Files\Classic Shell\ClassicExplorer64.dll that did not meet the Microsoft signing level requirements.

This is "Classic Shell", which I've been using for as long as I've been using Win 10. It makes Win 10 look like Win 7.

http://www.classicshell.net/


  • Root Admin

BITS is part of Windows since XP and is installed and enabled by default on Windows 10 as well. It is more than just transferring files between local machines.

https://docs.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal

I'm aware of what the Classic Shell is, I'm simply pointing out that there is an issue on your computer with it. I don't personally use Classic Shell. Perhaps you might try Open Shell since Classic Shell is no longer under development.   https://open-shell.github.io/Open-Shell-Menu/

Very late for me again, but I would highly recommend that we fix, repair BITS and then reboot and get new FRST logs.

 

Please open an Admin level command prompt and type in the following, and press the Enter key. Please show me the results of what it says when done.

 

SFC  /SCANNOW

Then copy / paste the following into the Admin level command prompt and press the Enter key. Again, let me know what it says too.

DISM.exe /Online /Cleanup-image /Restorehealth

 

Assuming both run well go ahead and restart the computer and get new FRST logs and post back and I'll check them in the morning.

If SFC fails to fix then try running SFC command again after running DISM command.

 

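The SFC and DISM steps above can be run from an elevated PowerShell session with their output captured to files, which answers the later question in this thread about piping the results to a text file instead of marking text in the console window. This is an added example written for this page, not a script from Malwarebytes or from the thread; the Desktop file names are choices made here, and the only tool parameters it uses are the ones in the admin's instructions plus DISM's `/LogPath`. As the SFC output quoted later in the thread says, `/OFFLOGFILE` applies only to offline repairs, so for an online `/SCANNOW` the per-file detail has to be pulled out of CBS.log, which the script does by filtering for the `[SR]` lines.

```powershell
# Added example (not from the forum thread): run the SFC and DISM repair steps
# the Root Admin asked for, capturing their output to files that can be attached
# to a reply. Run from an elevated (Administrator) PowerShell prompt.
# The Desktop file names below are assumptions made for this example.

$desktop = Join-Path $env:USERPROFILE 'Desktop'
$sfcOut  = Join-Path $desktop 'sfc-output.txt'
$sfcSr   = Join-Path $desktop 'sfcdetails.txt'
$dismOut = Join-Path $desktop 'dism-output.txt'
$dismLog = Join-Path $desktop 'dism.log'

# Both tools need an elevated session; stop early with a clear message if not.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Open PowerShell as Administrator and run this again.' }

# 1. SFC. sfc.exe writes UTF-16 text when its console output is redirected, so
#    run it through cmd.exe and read the file back as Unicode. Redirecting avoids
#    the dropped line ends that come with selecting text in the console window.
cmd.exe /c "sfc /scannow > `"$sfcOut`" 2>&1"
$sfcText = Get-Content -Path $sfcOut -Encoding Unicode
$sfcText

# The per-file detail SFC refers to lives in CBS.log, on lines tagged [SR].
# Extract only those lines rather than attaching the whole (large) log.
$cbs = Join-Path $env:windir 'Logs\CBS\CBS.log'
Select-String -Path $cbs -SimpleMatch -Pattern '[SR]' |
    ForEach-Object { $_.Line } |
    Set-Content -Path $sfcSr

# 2. DISM, with its own log written next to the console output so both can be
#    attached. Tee-Object shows progress on screen and saves it at the same time.
DISM.exe /Online /Cleanup-Image /RestoreHealth /LogPath:"$dismLog" 2>&1 |
    Tee-Object -FilePath $dismOut
$dismExit = $LASTEXITCODE

# 3. The thread's advice: if SFC could not repair everything, run DISM first
#    and then SFC again. DISM has just run, so repeat SFC in that case.
if ($sfcText -match 'unable to fix') {
    Write-Host 'SFC reported unrepaired corruption; DISM has run, repeating SFC.'
    cmd.exe /c "sfc /scannow > `"$sfcOut`" 2>&1"
    Get-Content -Path $sfcOut -Encoding Unicode
}

Write-Host "DISM exit code: $dismExit (0 means success)"
Write-Host "Files to attach: $sfcOut, $sfcSr, $dismOut, $dismLog"
```

The summary line at the end lists the four files to attach; the `sfcdetails.txt` file is the one worth reading first, since it names which protected files SFC found corrupt and whether each was repaired.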

29 minutes ago, AdvancedSetup said:

open an Admin level command prompt and type in the following, and press the Enter key. Please show me the results of what it says when done.

 


SFC  /SCANNOW

Is it possible to pipe the results into a txt file, or do I simply drag and mark in white then copy-paste? The problem with the second is that sometimes stuff at the ends of lines gets dropped

 

 

 


1 minute ago, AdvancedSetup said:

No, just open the Elevated Admin command prompt and type it in.

I'm headed to bed but if you still need further help I'll move your topic and give you a script to run in the morning.

Thanks

 

Sorry for all the hassle. Here are the results:

---------------

Windows Resource Protection found corrupt files and successfully repaired them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.

----------

Thanks for all help so far.

 

 

 


2 hours ago, OldGrantonian said:

details are included in the CBS log file

For SFC  /SCANNOW, the CBS.log file is attached.

---

The following DOS command produces no files:

SFC  /SCANNOW offlogfile

---

3 hours ago, AdvancedSetup said:

copy / paste the following into the Admin level command prompt and press the Enter key. Again, let me know what it says too.


DISM.exe /Online /Cleanup-image /Restorehealth

The message was:

 - The operation completed successfully.

 

 

 

 

 

 

 

 

 

CBS.txt


  • Root Admin

Don't need the CBS file. The program SFC says it already fixed the issues it found.

Windows Resource Protection found corrupt files and successfully repaired them.

 

Please restart the computer 2 times. Then run the FRST program again and click on Scan and post back both new log files. FRST and Additions

 

