
ransomware agent threat alerts + programs not running properly




I have an XPS13 running W7 Professional (64-bit) that had an MB (v4.1.2.73) alert of successfully stopping a "Malware.Ransomware.Agent" threat as I was using Outlook 2007 in Sandboxie. Outlook had immediately closed itself after the MB alert. In summary, Outlook.exe was zapped to 0 kB, but I eventually was able to reinstall the program & restore all my emails etc.

I also have installed WinPatrol (* I’ve uninstalled it after learning that it’s no longer updated or supported) on W7 laptop and after those incidents, WinPatrol also started to give various alerts (of WerFault.exe service being added/removed from starting at Startup). I’ve used Macrium Reflect to make a backup image of all local drives of W7 laptop and started to setup another XPS13, running W10 Professional (64bit) to transition over.

I had posted on another forum for support with Macrium Reflect free edition to make the backup image, one forum member had advised to scan with MB, HitmanPro (which I’ve used before), and Emsisoft Emergency Kit. Scans using all three of these programs did not find any threats.

I also run Firefox in Sandboxie and, just under 2 weeks after getting the 1st alert, had another MB alert of "successfully blocked a Malware.Ransomware.Agent threat" when I used the W7 laptop to search online as I set up the W10 machine. Sandboxie also gave error dialogs of not being able to properly run the Sandbox for the Firefox program. Since getting this 2nd alert from MB, I've limited my use of the W7 laptop, particularly not running Outlook to sync further emails etc., and concentrated on getting the W10 machine up and running. I've screenshots of MB's notifications of these alerts (but no files were listed as quarantined on the dates associated with these alerts) – let me know if I need to upload them.

I then realized that I needed to send this post using the W7 laptop since all my screenshots and MB reports are on it. While I was using the W7 laptop last night, Malwarebytes ran its 2 scheduled custom scans (with no threats found) and, as I clicked on 'view' to see the report, a Windows dialog box popped up that MB wasn't running properly and to either close the program or allow it to go online to try to fix the problem and then close the program. The icon in the minimize tray was gone and clicking the Start menu to run MB would bring me back to the same Windows dialog box that MB wasn't running properly. I checked Task Manager and saw that MB was listed as one of the programs I had currently running. I right-clicked and chose "end task" – it ended without incident. But when I tried again & clicked the Start menu to run MB, this brought me back to the same Windows dialog that MB wasn't running properly. I shut down both W7 & W10 laptops for the night.

While I was using the W7 machine this morning to continue with this post, MB had apparently recovered and had run two of the scheduled scans I saved (one of C with 'scan rootkit' enabled and one of D (data partition) – the 'scan rootkit' option wasn't allowed) – a dialog box came up when it finished these scans. Both scans didn't find any threats. [**For some reason, my 8am scheduled threat scan didn't run (even though the option 'if missed, run at next opportunity' was checked).]

Please help me with figuring out and removing the program (?) that is causing these problems on the W7 machine as I want to be certain that the backup image of the data partition is clean of malware/ransomware/viruses before I clone the image to the W10 machine. I also want to clean the OS partitions before I get it updated and be able to continue using it, mostly offline. Regrettably, the W7 machine is only updated to Dec 2017 (Group B). With much appreciation for all the guidance to be offered so that the W7 OS is soon fixed and I have clean data partition to clone over to W10 in next few days!


Recapping my situation: I have an XPS13 running W7 Professional (64-bit) and MB Premium (v4.1.2.73). I run Outlook, Firefox, and Chrome through Sandboxie. I got two MB alerts (in mid July and at the end of July) with the RTP detection of "Malware.Ransomware.Agent". In the first instance, Outlook.exe outside of Sandboxie was zapped to 0 kB and in the 2nd instance, Firefox.exe outside of Sandboxie didn't get zapped but the Sandboxes I created for Firefox and for Chrome had both malfunctioned. Viber Desktop is another program that I run (but not through Sandboxie) which needs an internet connection; it also got wiped out just before I had the incident with Outlook, and that program also had to be reinstalled.

Do all these problems I have fit the situation for which the following temporary solution has been suggested?

https://forums.malwarebytes.com/topic/261368-microsoft-office-blocked-by-ransomware-protection/

Secondly, and more disturbing, Malwarebytes itself crashed two days ago. I have only screenshots of the crash dialog window that popped up; I did export the crash dump file & took a screenshot of the location but didn't look for it till today and now I can't find it. As I kept on getting the Windows dialog box that Malwarebytes wasn't running properly, through Task Manager I clicked "end task" to close Malwarebytes. It crashed yet again after I tried running it from the Start menu. I'm also uploading the 2nd set of screenshots of the crash dialog window "after end task".

AlexSmith had given me links to two topic pages to help me get detailed logs for uploading. In the topic page "I'm infected - What do I do now?", it was recommended to post the threat scan report. Today's daily scheduled threat scan report is odd (wrong dates, Malwarebytes version incorrect, etc.). I have the threat scan reports of the 2 RTP detections (Jul 16 & Jul 28) downloaded before Malwarebytes' crash. I started downloading scan reports 30 days back, including the one for Jul 16, and the reports of the same day aren't the same!

As guided by the topic page "Having problems using Malwarebytes? Please follow these steps", I've downloaded and run the Malwarebytes Support Tool to gather logs (uploaded).

As this current post hasn't gotten a reply yet, I'm not comfortable doing the repair process portion on my own without direct support of an expert helper, which hopefully will happen soon.

2020-08-05 Malwarebytes crash info part1.JPG

2020-08-05 Malwarebytes crash info part2.JPG

2020-08-05 Malwarebytes dumpfile location.JPG

2020-08-05 Malwarebytes after endtask crash info part1.JPG

2020-08-05 Malwarebytes after endtask crash info part2.JPG

2020 Jul16 Malwarebytes RTP detection report #1.txt

2020 Jul28 Malwarebytes RTP detection report #2.txt

2020 Jul19 Malwarebytes full scan local drives report.txt

2020-07-16 Malwarebytes schedule Threat scan report - downloaded after MB crash.txt

mbst-grab-results.zip


  • Root Admin

Hello @dpwoodpecker

Sorry for the delay. Let's have you do a clean removal and reinstall of Malwarebytes and see if that corrects your issue.

1st - please restart the computer. Don't shut it down, just restart it.

I would also recommend that you disable Fast Startup

Then follow the directions from the following KB article
Uninstall and reinstall Malwarebytes using the Malwarebytes Support Tool

 

Let me know if that corrects your issue or not

Thank you

 


Thank you, @AdvancedSetup! Please note, your instructions are for Windows 10 and the computer with which I'm having trouble is running Windows 7. So I'll skip the "Fast Startup" bit. I'll use the Malwarebytes Support Tool already downloaded and I assume that it will configure instructions for W7 instead of W10.

In the article link you gave, there's the caution: "Before the next step, make sure all your work is saved in the background." Does this mean I should make a backup image of all local drives or at least of my data partition (1/2 hr) before processing the clean function?


  • Root Admin

No, it just means sometimes people have Word or Excel or other programs open that have not saved the document yet. Just close all applications first as the computer will be restarting.

Sorry about the Windows 10 instructions. I read your logs and saw it was Windows 7 but I'm so used to Windows 10 these days I forgot.

Thanks

 


  • Root Admin

Please go ahead and download the installer from the following link

MB4 Offline Installer
https://downloads.malwarebytes.com/file/mb4_offline

 

 

Then restart the computer after the installation

After the reboot start Malwarebytes and check for updates from the General or About tabs in Settings

Let me know if you're still having any issues with a detection of the Office products

 


  • Root Admin

I'm not sure exactly what you're meaning. Personally I highly recommend that you allow and show all icons and notifications and that is how I setup user's computers when I work on them. I know the tray is supposed to alert you but I can't count how many times people say they never saw the notification.

If you show all icons and show all notifications then you will never be blindsided by not seeing it when something happens.

Open Malwarebytes and go to the Settings, About.

Here is what mine currently shows

image.png

 

 


@AdvancedSetup I've reinstalled Malwarebytes and my uploaded screenshot shows the same info. I've scheduled for a threat scan to run five minutes ago and the "if missed scan at next opportunity" kicked in and will be scanning in another 2 minutes.

As for the "odd icons" in the previous post's uploaded image, it's the last two listed: UniKeyNT.exe and Outlook were not running at the time of that screenshot - I'd exited from all programs. And the icon "for Outlook" is the "mute volume" icon instead of the usual icon for Outlook.

So this is all MB related? Any way to be certain that there are no viruses etc., particularly in the Data partition? I want to be certain before it's cloned to the W10 machine.

Also, I'd mentioned that Viber is a program (similar to Skype, WhatsApp) I use that needs access to the internet; do I need to add it to the "allowed list" of the Detection History category?

2020-08-10 MB reinstalled version details.JPG


  • Root Admin

How the tray setting for icons works has nothing to do with Malwarebytes.

https://support.microsoft.com/en-us/help/975785/guided-help-customize-the-notification-area-in-windows-7

You can open an elevated Admin command prompt and type in the following

SFC /SCANNOW 

That will scan for any possible corrupted Microsoft operating system files and if found attempt to fix them.

 

You can also run a 3rd party antivirus scan to double check and see if they find anything

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

 

When done then check for any outdated program files

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

  • Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • and save the tool on the desktop.
  • If Windows' SmartScreen blocks that with a message window, then
  • click on the MORE INFO spot, override that and allow it to proceed.
  • This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Then, check Windows Updates and make sure your computer has all Microsoft Windows updates installed.

 

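The SFC step above only prints a one-line summary in the console; the per-file verdicts go into CBS.log. The following is an added example, not code from the thread or from Malwarebytes, that runs the scan and extracts SFC's own entries from that log. It assumes it is run from an elevated PowerShell ("Run as administrator") on the Windows 7 machine with default paths, and it deliberately sticks to cmdlets that exist in the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread): run SFC, then pull its verdict lines out of CBS.log.
# Assumptions: elevated PowerShell, default Windows 7 paths. PowerShell 2.0 compatible.
$CbsLog = Join-Path $env:windir 'Logs\CBS\CBS.log'
$Report = Join-Path $env:USERPROFILE 'Desktop\sfc_details.txt'

# Same command the post suggests. (/verifyonly reports without changing anything.)
& (Join-Path $env:windir 'System32\sfc.exe') /scannow

# CBS.log keeps entries from every previous servicing run, so keep only today's lines.
# Each line starts with a "yyyy-MM-dd hh:mm:ss" timestamp.
$Today = Get-Date -Format 'yyyy-MM-dd'

# SFC tags its own entries with [SR]; everything else in CBS.log is servicing noise.
$SrLines = @(Select-String -Path $CbsLog -Pattern '\[SR\]' |
             ForEach-Object { $_.Line } |
             Where-Object { $_.StartsWith($Today) })

# The actionable entries: files SFC found damaged and could not fix.
$Unrepaired = @($SrLines |
                Where-Object { $_ -match 'Cannot repair member file' } |
                Select-Object -Unique)

Write-Output ("[SR] entries logged today: " + $SrLines.Count)
Write-Output ("Files SFC could not repair: " + $Unrepaired.Count)

# Save the extract so it can be attached to a reply like the other logs in this thread.
$SrLines | Set-Content -Path $Report
Write-Output "Full [SR] extract saved to $Report"
```

Two practical notes: if sfc.exe is launched with its output redirected to a file from PowerShell, the text comes out with spaces between every character because sfc writes UTF-16, so let it print to the console as above and read CBS.log instead; and a clean `sfc /verifyonly`, like the one reported later in this thread, only vouches for protected Windows system files, not for third-party programs such as Outlook.exe or Firefox.exe, which is why the separate antivirus scans are still needed.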

[I was in the middle of this reply when the notification came in...don't know how to safe an-in-progress reply to check so will send in before reading your message.]

Hi again - I'd forgotten to also ask whether it's safe to use Outlook now and not have it zapped as before? The 1st scan report is uploaded and I have appointments in the two hours so won't be able to check / post till afterwards. Many Thanks!

2020-08-10 Malwarebytes after installation 1st scheduled threat scan report.txt


The ESET scan has finished with 7 resolved detections of possible unwanted applications. A few are programs I've downloaded but hadn't had time to test while the rest are 'false findings' - just older versions that should have been deleted anyway. The scan log file is uploaded and I'll proceed with the SecurityCheck by glax24.

2020-08-10 ESET scan log.txt


Uploading the SecurityCheck log file. I remembered that I've run sfc /verifyonly on the W7 machine on 7/27 with the result "Windows Resource Protection did not find any integrity violations." (At the time I didn't have a working bootable USB to make / restore backup images.)

So does the ESET scan results mean that the W7 machine is not infected with virus? That I can use Outlook on W7 and finish preparation to clone data over to W10 machine?

 

2020-08-10 SecurityCheck.txt


  • Root Admin

Please review and attempt to update, or uninstall the following software as needed.


------------------------------- [ Windows ] -------------------------------
Extended support has ended 14.01.2020, Your operating system may be vulnerable to new types of threats
Internet Explorer 11.0.9600.18860 Warning! Download Update

Account guest is enabled. Not require a password. (this account should be disabled)


------------------------------- [ HotFix ] --------------------------------
HotFix KB3177467 Warning! Download Update
HotFix KB3125574 Warning! Download Update
HotFix KB4499175 Warning! Download Update
HotFix KB4474419 Warning! Download Update
HotFix KB4490628 Warning! Download Update
HotFix KB4474419 Warning! Download Update
HotFix KB4539602 Warning! Download Update


Windows Defender (disabled and up to date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Microsoft Security Essentials v.4.9.218.0 Warning! Download Update


-------------------------- [ SecurityUtilities ] --------------------------
Sandboxie 5.30 (64-bit) v.5.30 Warning! Download Update

--------------------------- [ OtherUtilities ] ----------------------------
DivX Setup v.3.0.0.141 Warning! Download Update
Microsoft .NET Framework 4.6.1 v.4.6.01055 Warning! Download Update
Microsoft Office Enterprise 2007 v.12.0.6612.1000 Warning! This software is no longer supported. Please use latest Microsoft Office, Office Online or LibreOffice
Foxit Reader v.9.7.0.29455 Warning! Download Update

VLC media player v.2.2.4 Warning! Download Update
Microsoft Office 2007 Primary Interop Assemblies v.12.0.4518.1014 Warning! This software is no longer supported. Please use latest Microsoft Office, Office Online or LibreOffice
Microsoft Office 2007 Service Pack 3 (SP3) Warning! This software is no longer supported. Please use latest Microsoft Office, Office Online or LibreOffice

-------------------------------- [ Arch ] ---------------------------------
7-Zip 9.20 (x64 edition) v.9.20.00.0 Warning! This software is no longer supported. Uninstall old version, download and install new one.

--------------------------------- [ IM ] ----------------------------------
Skype version 8.28 v.8.28 Warning! Download Update
Skype™ 7.41 v.7.41.101 Warning! Download Update
Viber v.13.3.1.21 Warning! Download Update
^Optional update.^

--------------------------- [ AdobeProduction ] ---------------------------
swMSM v.12.0.0.1 << Hidden Warning! This software is no longer supported. Please uninstall it.

 

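The SecurityCheck output above is a one-off snapshot. The following is an added example, not code from the thread or from SecurityCheck, that re-checks its three most security-relevant findings (the missing Windows hotfixes, the enabled password-less Guest account, and which antivirus Windows actually considers active) directly from Windows, so the state can be confirmed after each fix. It assumes an elevated PowerShell on the Windows 7 machine; the KB list is copied from the SecurityCheck report above, and the `productState` decoding is the widely used one rather than a documented specification.

```powershell
# Added example (not from the thread): re-check the SecurityCheck findings from Windows itself.
# Assumptions: elevated PowerShell on the Windows 7 machine. Uses Get-WmiObject on purpose so it
# runs on the PowerShell 2.0 that ships with Windows 7 (Get-CimInstance/Get-LocalUser do not).

# KBs SecurityCheck reported as missing (its report lists KB4474419 twice).
$FlaggedKBs = @('KB3177467', 'KB3125574', 'KB4499175', 'KB4474419', 'KB4490628', 'KB4539602')

# Installed hotfixes as Windows reports them (the same data "wmic qfe list" shows).
$Installed = @(Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID })

$Missing = @($FlaggedKBs | Where-Object { $Installed -notcontains $_ })
if ($Missing.Count -gt 0) {
    Write-Output ("Hotfixes still missing: " + ($Missing -join ', '))
} else {
    Write-Output "All hotfixes flagged by SecurityCheck are now installed."
}

# Guest account: SecurityCheck said it is enabled and requires no password.
$Guest = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='Guest'"
if ($Guest -and -not $Guest.Disabled) {
    Write-Output ("Guest account is ENABLED (password required: " + $Guest.PasswordRequired + "); disabling it.")
    net user Guest /active:no | Out-Null   # plain net.exe, available on every Windows version
} else {
    Write-Output "Guest account is disabled."
}

# Antivirus products registered with Windows Security Center (what Action Center reads).
# productState is a bit field; by the commonly used decoding, 0x1000 set means real-time
# protection is on and 0x10 set means definitions are out of date.
Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct | ForEach-Object {
    $state   = [int]$_.productState
    $enabled = ($state -band 0x1000) -ne 0
    $stale   = ($state -band 0x10) -ne 0
    Write-Output ("{0}: real-time={1} definitions-out-of-date={2}" -f $_.displayName, $enabled, $stale)
}
```

Order matters when closing the hotfix gap on a machine this far behind: KB4490628 (the March 2019 servicing stack update) and KB4474419 (SHA-2 code-signing support) have to be installed first, because every Windows 7 update released after mid-2019 is signed only with SHA-2 and will refuse to install without them; Windows Update will not sequence them for you. Re-running the script after each reboot shows which of the flagged KBs remain.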

Thank you, @AdvancedSetup. Just a quick message that I've a meeting this morning so will reply with more details later with my dilemma as I'm at a crossroad: 1) transfer main data to the 2nd laptop that's running on Windows 10, 2) on the current laptop running Windows 7, attempt to upgrade or else upgrade to Windows 10 (possible incompatibility as this machine was made in 2013).


  • Root Admin

Realizing the age of the unit running Windows 7 you might be able to install Windows 10 but I'd say it requires a bit more resources as the eye candy if you will is higher and the telemetry is higher and the background management is higher, etc. etc.

Investing in good, solid backups of data that is not kept connected at all times might be an option to extend the life of the unit even further.

The following link has ideas and information on better protecting the system as well as your privacy. Implementing some of the changes might help secure the device longer until you're ready to purchase a new computer.

https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

 

I'd say first and foremost it would behoove you to get Windows 7 up to the latest updates. You may require help with that as getting there seems to be a bit more difficult than it really should be but since Microsoft no longer really supports Windows 7 one has to do a bit of work getting all the latest updates.

Then, take care of the backups to an external device that does not remain connected so as to prevent possible attack of the backups too in case a threat were to make it through protection.

If you do need further assistance please let me know.

 


@AdvancedSetup, terribly sorry that I wasn't able to reply sooner...energy got zapped with vaccination shot!

I've put some work on hold as I had thought my W7 machine was infected by virus/ransomware. The 2nd machine running W10 is a newer machine so with all the scans we've done on the W7, is it safe to clone the data portion image made from W7 over to the W10 machine? I've used Macrium Reflect v7 to make the backup image.

After I've taken care of top priority work, then I'll check compatibility of the W7 machine for running W10; if it's not upgrade-able, then will it be okay that I check back with you (via message) for help to get the necessary updates for W7?


  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
