Jump to content

Malwarebytes said EXCEL.EXE is ransomware and deny the authentication?


Recommended Posts

The file is EXCEL.EXE in the install folder for Office 2019.
Windows 10
It my own personal machine and I am an administrator.

First, Malwarebytes reported EXCEL.EXE as a ransomware file. When this alert occurred I was in the middle of running an Excel file with macros. It's a routine file that I've been using for a couple of years. Here is the report from Malwarebytes:


The Excel process was killed. Now I am unable to run Excel. I opened it in Explorer to check security.  It shows that I do not have Read permission. For "owner" it says "Unable to display current owner." If I click "Change" this heading information disappears and I have no options to view or change permissions. When I try to run it as administrator it tells me I do not have appropriate permissions. When I try to delete it, it tells me I do not have permission.

Why would MWB identify this file as ransomware? Have I been hacked? Or is it a false positive?
It did not quarantine this file, it just removed all permissions. Even as Administrator I cannot take any actions. I can't even delete it, so now I can't reinstall Microsoft Office.
How do I recover from this?1.thumb.PNG.3fdba82185575aa37d199889e741014f.PNG

Link to post
Share on other sites

Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Protection Event Date: 7/13/20
    Protection Event Time: 10:58 AM
    Log File: 4bdfc328-c519-11ea-8d85-d050998a9a5c.json

    -Software Information-
    Version: 4.1.0.56
    Components Version: 1.0.955
    Update Package Version: 1.0.26771
    License: Premium

    -System Information-
    OS: Windows 10 (Build 18362.900)
    CPU: x64
    File System: NTFS
    User: System

    -Ransomware Details-
    File: 1
    Malware.Ransom.Agent.Generic, C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE,Blocked, 0, 392685, 0.0.0


    (end)
Link to post
Share on other sites

33 minutes ago, Beredetta said:

Version: 4.1.0.56     Components Version: 1.0.955

Please do the following Uninstall and reinstall using the Malwarebytes Support Tool

Please have lots of patience with the tool.  The first phase is a cleanup and does require a Windows Restart.
After the Restart, it may take 2 - 3 - 4 minutes till the Support tool screen shows up.   Please be patient and have faith.  Wait for it, whatever it takes.
The 2nd phase is where it offers to do a new Install.

 Let me know if that clears up the issue or not.

Link to post
Share on other sites

  • Staff
Quote

Or is it a false positive?

Yes, this was a false positive, which has been addressed in versions of Malwarebytes Premium newer than the version in your reports.
Please do upgrade. Following the instructions of @Porthos will help you get there.

 

Quote

it just removed all permissions.

When the Ransomware Protection places a block on a process, it prevents that process from running again in that same session. In the case of a certain False Positive, all that needs to be done is to temporarily disable the Ransomware Protection. This will release the hold on the process. We are considering how to better message this activity in a future release, date uncertain.

Edited by tetonbob
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.