Malwarebytes crashes Excel 2010 - exploit code executing from heap memory


Hello and Welcome
I'm sorry the software isn't working properly but we'll do our best to help.
To begin, please do the following so that we may take a closer look at your installation for troubleshooting:
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply
Thank you
Link to post

  • Root Admin

Hello @ScotchJohn

It's probably due to our recent update that adds more protection for MS Office documents. Try removing the check for Exploit protection. Then see if opening, closing documents stops crashing and let me know.

The computer could also probably use some general maintenance and clean up. We can help you with that if you like, there is no charge just some of your time to follow along.

 

Link to post

Would you advocate generally unchecking Microsoft Excel protection, via "Manage protected applications"?  Or should I choose one of the MS Office options from Advanced Exploit Protection settings?

You say that my computer could do with some general maintenance and clean-up.  What suggestions do you have?

Link to post

  • Root Admin

Okay, that verifies for us that it is one of the settings in the Anti-Exploit module.

Please enable the Anti-Exploit module again. Then open Malwarebytes and go to Settings, Security and scroll to the bottom and click the Advanced Settings button.

In the next dialog box go to the Application behavior protection and on the MS Office column try unchecking one-by-one and test which module is causing this.


Your Event Logs show some errors and running some temporary file cleaning and verifying the operating system files, etc.

Below is an example of what is typically cleaned up by the clean-up script.

 

 

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

 

 

 

Link to post

I re-checked Exploit Protection, and tried your suggested actions in the Advanced settings > Application behaviour protection, unchecking one module at a time.

I could not find any single module that, unchecked, would eliminate the freeze and crash.

I therefore tried unchecking all the MS Office modules in Application behaviour protection.  Excel still freezes and crashes.  The same freeze and crash happens with Word 2010.

What would you like me to try now?  I have restored defaults.

Link to post


  • Root Admin

Can you please do the following? @ScotchJohn

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

Link to post

  • Staff

Hi ScotchJohn,

Feel free to leave it disabled. It is only required for the enhanced log generation.

Please go to Malwarebytes and go to Settings, Security and scroll to the bottom and click the Advanced Settings button. In the Advanced Memory protection tab, uncheck the Malicious return address Detection setting for MS Office. 

Please let me know if that helps.

Thank you.

 

Edited by AdvancedSetup
corrected font issue
Link to post

  • Root Admin

Hello @ScotchJohn

I'm not seeing an actual block for Anti-Exploit in the logs you provided. I'm also not seeing any fault for Microsoft Office in the Event Logs from Windows.

I am seeing the following over and over though.

 

ITEM 1

Application errors:
==================
Error: (08/31/2021 04:08:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: fingagent.exe, version: 2.6.0.0, time stamp: 0x60818213
Faulting module name: fingagent.exe, version: 2.6.0.0, time stamp: 0x60818213
Exception code: 0x40000015
Fault offset: 0x000da55e
Faulting process ID: 0x1584
Faulting application start time: 0x01d79e2efdd49c7a
Faulting application path: C:\Program Files\Fing\resources\extraResources\fingagent.exe
Faulting module path: C:\Program Files\Fing\resources\extraResources\fingagent.exe
Report ID: 29356dff-967f-4195-96c4-4b2d267534ee
Faulting package full name:
Faulting package-relative application ID:

 

Please try temporarily uninstalling Fing 2.6.0

 

ITEM 2

You also have the following error from Bonjour from Apple. I would recommend that you go to Control Panel, Programs, Programs and Features and uninstall Bonjour then restart the computer.

Error: (08/31/2021 04:59:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Client application bug: DNSServiceResolve(mobile._epoccam._tcp.local.) active for over two minutes. This places considerable burden on the network.

See if the issue remains after removing Bonjour.

 

ITEM 3

I would also recommend that you uninstall CCleaner (most experts no longer recommend the use of this product).

 

ITEM 4

You also have some Alternate Data Streams that probably should not be on the computer.

AlternateDataStreams: C:\ProgramData\TEMP:58A5270D [214]
AlternateDataStreams: C:\ProgramData\TEMP:5B811727 [198]
AlternateDataStreams: C:\ProgramData\TEMP:B3CFB697 [400]
AlternateDataStreams: C:\ProgramData\TEMP:F8AF2BB9 [414]

 

ITEM 5

You also have the following on your network which may not be recommended. Are you sure you want that enabled on all your connections?

Network Binding:
=============
Ethernet: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled)
WiFi: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled)
Bluetooth Network Connection: Npcap Packet Driver (NPCAP) -> INSECURE_NPCAP (enabled)

 

ITEM 6

Windows Defender is also logging issues updating. Please open Windows Defender and manually check for updates and run a Quick Scan. Let me know if it finds anything.

 

ITEM 7

I'd also recommend you download the following program and run it to have it check for and update any of your out of date software.

Patch My PC Home Updater
https://patchmypc.com/home-updater

 

Let me know if correcting the issues above corrects your issues with Microsoft Office

 

Thank you

 

 

Link to post

Thanks for your three mails; I probably contributed by double-posting in error, ID 1477183 and 1477184

I have unchecked Malicious return address Detection as you advised.  Excel 2010 and Word 2010 appear to function as expected.  I understand that you are still looking at the issue in your latest update to Malwarebytes that caused the freeze and crash, and that you may then update Malwarebytes.  I would restore all Malwarebytes defaults.

Taking your six recommendations in order:

1) - I have uninstalled Fing, but plan to restore it later

2) - Bonjour is installed, without the option, when installing one or the other of the Apple products that I use, iCloud or iTunes.  I have never known that I needed it, and shall uninstall it.

3) - CCleaner also comes in for some negative comments from some of the experienced posters on AskWoody, which I read regularly.  It's now out.

4) - I can't find these entries in C:\ProgramData, so I'm not very sure what I can do on this point.

5) - Where can I make the adjustments that you describe?

6) - Windows Defender reports that it is up-to-date, and has given a clean scan

7) - I downloaded Patch My PC, and it gave the same results as I get from SUMo; all now updated, though nothing appeared critical.

Again, thanks

Link to post

  • Staff

Hi ScotchJohn,

Glad to know our recommendations worked.

Are you also experiencing freezes and crashes? If so, can we please have crash dumps from your system so we can analyze further? Thanks.

To do so, you need to have admin privileges.

Under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps registry key, set DumpType to the value 2. This full memory dump will provide us with useful information to analyze further.

Once you encounter the problem, please collect the dump logs from %LOCALAPPDATA%\CrashDumps and send them to us.

You can find more information on it from this link:

https://msdn.microsoft.com/en-us/library/windows/desktop/bb787181(v=vs.85).aspx

 

Link to post
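
The dump collection steps in the post above, scripted in PowerShell as an added example (not part of the original post and not Malwarebytes' own tooling). It goes one step beyond the post by using per-application LocalDumps subkeys so that only Excel and Word write full dumps; the image names EXCEL.EXE and WINWORD.EXE, the DumpCount of 3 and the function names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. A per-application subkey under LocalDumps
# overrides the global LocalDumps values for that image name only.
$Base = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$Apps = 'EXCEL.EXE', 'WINWORD.EXE'            # assumed image names for Excel/Word 2010

function Enable-OfficeDumps {                 # hypothetical helper name
    foreach ($app in $Apps) {
        $key = Join-Path $Base $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DumpType: 1 = mini dump, 2 = full dump (the value requested in the post)
        New-ItemProperty -Path $key -Name DumpType -PropertyType DWord -Value 2 -Force | Out-Null
        # Keep at most 3 dumps per application so full dumps do not fill the disk
        New-ItemProperty -Path $key -Name DumpCount -PropertyType DWord -Value 3 -Force | Out-Null
        # Same location the post names; expanded in the crashing user's context
        New-ItemProperty -Path $key -Name DumpFolder -PropertyType ExpandString `
            -Value '%LOCALAPPDATA%\CrashDumps' -Force | Out-Null
    }
}

function Get-OfficeDumps {                    # hypothetical helper name
    # Run as the same user who reproduced the crash, or LOCALAPPDATA will differ
    $folder = Join-Path $env:LOCALAPPDATA 'CrashDumps'
    if (-not (Test-Path $folder)) { return }
    foreach ($app in $Apps) {
        Get-ChildItem -Path $folder -Filter "$app*.dmp" |
            Select-Object Name, Length, LastWriteTime
    }
}

function Disable-OfficeDumps {                # hypothetical helper name
    # Remove only the per-application keys created above; global settings stay as they were
    foreach ($app in $Apps) {
        $key = Join-Path $Base $app
        if (Test-Path $key) { Remove-Item -Path $key -Recurse }
    }
}
```

Run Enable-OfficeDumps, reproduce the crash, collect the files listed by Get-OfficeDumps, then run Disable-OfficeDumps. A full dump contains whatever documents were open in the process at the time of the crash, so treat the .dmp files as sensitive when sending them.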

  • Root Admin

I notice you're running a program file from Quicken that is way back from 2002 and I would have to believe is probably not needed at this time?

HKLM-x32\...\Run: [QAGENT] => C:\Program Files (x86)\QuickenW\QAGENT.EXE [94208 2002-01-24] () [File not signed]

Item 5 is from NPCAP, which is a driver used by many different programs used to capture videos from online sources, etc.

Task: {68BF0A9E-2E66-4988-82A1-10FCB9D15F57} - System32\Tasks\npcapwatchdog => C:\Program Files\Npcap\CheckStatus.bat [880 2020-09-25] () [File not signed]


You also appear to be using Macrium Reflect for backups (good product), but you also have entries for a very old backup system that I don't believe would work properly for Windows 10.

Did you install and set this up? Is it working to back up? Have you done a restore to verify file backup works?

Task: {20208944-D30F-4FCE-8836-DBEBDB1421FC} - System32\Tasks\Microsoft\Windows\Windows Server\Backup_On_Idle => C:\Program Files\Windows Server\Bin\RunTask.exe [17528 2012-11-02] (Microsoft Corporation -> Microsoft Corporation) -> /asm:"C:\Program Files\Windows Server\Bin\BackupClientProvider.dll" /class:Microsoft.WindowsServerSolutions.DataProtection.PCBackup.ObjectModel.PCBackupClientManager /method:DoScheduledOnIdleBackup /task:"Backup_On_Idle"
Task: {2826EB2D-E039-4554-8E11-1D9568B7329A} - System32\Tasks\Microsoft\Windows\Windows Server\Health Definition Updates => C:\Program Files\Windows Server\Bin\RunTask.exe [17528 2012-11-02] (Microsoft Corporation -> Microsoft Corporation) -> /asm:"C:\Program Files\Windows Server\Bin\AlertFramework.dll" /class:Microsoft.WindowsServerSolutions.NetworkHealth.AlertFramework.HealthScheduledTask /method:UpdateDefinitionPlugInTaskAction /task:"Health Definition Updates"

 

You can use the STREAMS program from Microsoft to remove the Alternate Data Streams from Item 4

https://docs.microsoft.com/en-us/sysinternals/downloads/streams

 


I would also recommend you run an SFC (System File Checker) scan of the system to make sure all Microsoft files are valid.

From an elevated admin command prompt run the following

SFC /SCANNOW 

Then run a disk check on your OS drive

ECHO Y|CHKDSK C: /F

Clean your temp folders and reboot and let the disk check run @ScotchJohn

 

Link to post
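
Alternate data streams do not appear in Explorer or in a plain directory listing, which is why the Item 4 entries cannot be found by browsing C:\ProgramData. The script below is an added example (not part of the original posts, and separate from the Sysinternals STREAMS tool linked above) that records what each stream contains before removing it. The evidence folder and the -Delete switch are assumptions, and reading streams attached to a directory with -Stream is assumed to need PowerShell 7.2 or later.

```powershell
# Added example, not from the thread: review alternate data streams, then delete.
# Assumption: PowerShell 7.2+ if $Target is a directory; Windows PowerShell 5.1
# accepts -Stream on files only (list with `cmd /c dir /R` or streams.exe instead).
param(
    [string]$Target   = 'C:\ProgramData\TEMP',          # path from the log excerpt above
    [string]$Evidence = "$env:USERPROFILE\ads-review",   # hypothetical output folder
    [switch]$Delete                                      # without it nothing is removed
)

New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
# The byte-mode parameter differs between Windows PowerShell 5.1 and PowerShell 6+
$byteMode = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$leaf   = Split-Path -Path $Target -Leaf

$streams = Get-Item -LiteralPath $Target -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' }              # skip a file's normal content

$report = foreach ($s in $streams) {
    [byte[]]$bytes = Get-Content -LiteralPath $Target -Stream $s.Stream -Raw @byteMode
    if ($null -eq $bytes) { $bytes = @() }               # zero-length stream
    # Keep a copy so the content can still be examined after deletion
    [System.IO.File]::WriteAllBytes((Join-Path $Evidence "$leaf.$($s.Stream).bin"), $bytes)
    [pscustomobject]@{
        Stream  = $s.Stream
        Length  = $s.Length
        SHA256  = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        # First 48 bytes with non-printable values shown as dots
        Preview = -join ($bytes | Select-Object -First 48 |
                    ForEach-Object { if ($_ -ge 32 -and $_ -lt 127) { [char]$_ } else { '.' } })
    }
}
$report | Format-List

if ($Delete) {
    foreach ($s in $streams) { Remove-Item -LiteralPath $Target -Stream $s.Stream }
} else {
    Write-Host "Review only. Re-run with -Delete to remove $(@($streams).Count) stream(s)."
}
```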

JTK - thanks for your ongoing suggestions.

Quicken 2002 is there because Intuit sold it in the UK, and then walked away from the personal finance market completely in 2005 (they stayed with Quick Books).  Even if I wanted to, I am unable to take a download of a more modern version from Intuit as they detect me as "foreign", and won't deal with me!  In any case, Quicken 2002 has certain features that I value, features that Intuit does not offer in versions targeted at a domestic (for them) market.

I have not loaded any other backup program on this machine, though the target for my backups is an HP Proliant home server, using Windows Home Server 2011 as its OS.  Yes, another software version where the publisher moved on and abandoned this section of its market.  I think that what you report seeing may be related to the interface between WHS2011 and the Win 10 OS on my system.  Yes, I have restored successfully from the home server.

I'll run the SFC and Scannow, but have done this not long ago, and it returned no errors.

Link to post