
MB "Exploit Blocked" Disables Microsoft Excel



A bit more information.  I went through the settings and found I could disable protection for Excel.  I did that and when I did the following message popped up three times:

[Image: ExcelWarningMessage.jpg]

I answered "no" and after the third time Excel loaded and the add in that adds menus to Excel came up and worked.  At least I was able to open the file I needed to look at.


  • Root Admin

Hello @wdolson

Please open Malwarebytes and go to Settings, General, and under Event log data, check to enable it.


Then attempt to run what you were running to trigger the block again. Then gather logs for us please.

 

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


What was being blocked appears to be Classic Menu (for Office 2007 V8.05).  I discovered it after a Malwarebytes program update.  Someone else on the forum had the same problem and I started out replying to that thread, but I guess the administrators broke my post out into a separate thread.

Excel would begin to start and then quit just as the main window begins to draw.  I selected an exception for Excel and it worked.  Then the next day I tried using Word 2007 and got the same behavior.  I put in an exception for Word too and it worked after going through an install procedure.  I just turned off the exceptions to try and capture the problem, and the problem went away, though Word wants to go through a reinstall step every time I try to run Word, but it works.

Maybe this problem was addressed in a database update in the last few days?


  • Root Admin

There has not been an update to the anti-exploit module for about a week now. We will be making some minor changes soon to the beta version, which will then normally hit the release version about a week later if no further issues are detected in the beta.

If all is working well for you then that's great.

Thanks for the feedback

 

 


  • Root Admin

Hello @wdolson

Please go to Control Panel, Programs, Programs and Features and uninstall the following

Bonjour
ClamWin Free Antivirus

 

 

Are you still using Private Internet Access? I see you have a couple of different VPN programs and PIA is getting IP blocks from Malwarebytes due to P2P networks it connects to from time to time.

 

Why is the Windows Firewall disabled?

 

 

There are a few programs faulting, including our own Malwarebytes program.

 

Application errors:
==================
Error: (09/08/2021 07:47:22 PM) (Source: Firefox Default Browser Agent) (EventID: 5) (User: )
Description: Event-ID 5

Error: (09/08/2021 07:41:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: WinStore.App.exe, version: 0.0.0.0, time stamp: 0x61086559
Faulting module name: KERNELBASE.dll, version: 10.0.19041.906, time stamp: 0x2f2f77bf
Exception code: 0xc000027b
Fault offset: 0x000000000010b2dc
Faulting process id: 0x524
Faulting application start time: 0x01d7a5244185bff6
Faulting application path: C:\Program Files\WindowsApps\Microsoft.WindowsStore_12107.1001.15.0_x64__8wekyb3d8bbwe\WinStore.App.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: 8194252c-1346-47cb-8ab3-4cdbf06c2229
Faulting package full name: Microsoft.WindowsStore_12107.1001.15.0_x64__8wekyb3d8bbwe
Faulting package-relative application ID: App

Error: (09/08/2021 07:40:51 PM) (Source: Simple DNS Plus) (EventID: 251) (User: )
Description: Failed to load plug-in "Alias Zones1": Requires "Unlimited zones" license.

Error: (09/06/2021 05:56:13 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.19041.546, time stamp: 0x1d3a15e7
Faulting module name: KERNELBASE.dll, version: 10.0.19041.906, time stamp: 0x2f2f77bf
Exception code: 0xc0000409
Fault offset: 0x000000000010b2dc
Faulting process id: 0x4538
Faulting application start time: 0x01d7a31e92434e9f
Faulting application path: C:\Windows\system32\backgroundTaskHost.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: 9072eb6b-17cf-4699-8828-686b6026474e
Faulting package full name: Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe
Faulting package-relative application ID: App

Error: (09/05/2021 11:39:48 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MBAMService.exe, version: 3.2.0.991, time stamp: 0x6102c9d9
Faulting module name: MBAMCore.dll, version: 3.0.0.1166, time stamp: 0x60e73958
Exception code: 0xc0000005
Fault offset: 0x0000000000042256
Faulting process id: 0x1404
Faulting application start time: 0x01d7a1ba64e07fd8
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
Faulting module path: C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MBAMCore.dll
Report Id: 0811454c-7cc8-43d2-92ad-05f8591916ab
Faulting package full name:
Faulting package-relative application ID:

Error: (09/05/2021 10:04:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 4.0.0.1089, time stamp: 0x610955fb
Faulting module name: Qt5Core.dll, version: 5.14.1.0, time stamp: 0x603971ce
Exception code: 0xc0000005
Fault offset: 0x0000000000219dc5
Faulting process id: 0x32b8
Faulting application start time: 0x01d7a2dca4f352fa
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: 6392ae08-dcb7-498a-b021-ec304f75270a
Faulting package full name:
Faulting package-relative application ID:

Error: (09/05/2021 05:56:04 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.19041.546, time stamp: 0x1d3a15e7
Faulting module name: KERNELBASE.dll, version: 10.0.19041.906, time stamp: 0x2f2f77bf
Exception code: 0xc0000409
Fault offset: 0x000000000010b2dc
Faulting process id: 0x4320
Faulting application start time: 0x01d7a25562ef52fd
Faulting application path: C:\Windows\system32\backgroundTaskHost.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: da5d66bd-feac-446b-b3e9-a3c3f9e6233f
Faulting package full name: Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe
Faulting package-relative application ID: App

Error: (09/04/2021 11:56:58 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.19041.546, time stamp: 0x1d3a15e7
Faulting module name: KERNELBASE.dll, version: 10.0.19041.906, time stamp: 0x2f2f77bf
Exception code: 0xc0000409
Fault offset: 0x000000000010b2dc
Faulting process id: 0x2244
Faulting application start time: 0x01d7a1bea34c0c7e
Faulting application path: C:\Windows\system32\backgroundTaskHost.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: b61f45e7-4ed8-48f1-b440-ffaf9b2c3b3b
Faulting package full name: Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe
Faulting package-relative application ID: App

 

System errors:
=============
Error: (09/08/2021 07:40:50 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The PDFsam Enhanced 4 Manager service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (09/08/2021 07:40:50 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the PDFsam Enhanced 4 Manager service to connect.

Error: (09/08/2021 07:40:48 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The OpenVPNServiceInteractive service depends on the following service: tap0901. This service might not be installed.

Error: (09/08/2021 06:44:40 PM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

 

 

Windows Defender:
================
Date: 2021-08-30 01:06:27
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version: 1.347.688.0
Previous security intelligence Version: 1.347.140.0
Update Source: User
Security intelligence Type: AntiSpyware
Update Type: Delta
Current Engine Version: 1.1.18400.5
Previous Engine Version: 1.1.18400.5
Error code: 0x80509004
Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.

 

What is going on with all these NameServer entries?

Tcpip\..\Interfaces\{39f1c376-1fd1-4c21-8ed8-acb33588301c}: [NameServer] 91.239.100.100,89.233.43.71,34.221.188.35,172.98.193.62,198.50.135.212,172.98.193.42,8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{3d16948b-0675-4b1d-9dd8-27d99e35e3f5}: [NameServer] 91.239.100.100,8.8.8.8,8.8.4.4,89.233.43.71,84.200.69.80,84.200.70.40,198.153.194.1,68.87.76.182,37.235.1.174,37.235.1.177
Tcpip\..\Interfaces\{3e16d09c-97ce-4c5c-b0f3-500774408b30}: [NameServer] 91.237.100.100,8.8.8.8
Tcpip\..\Interfaces\{5734de18-8860-4c05-8430-709629fef276}: [NameServer] 9.9.9.9,8.8.8.8,34.221.188.35,172.98.193.62,198.50.135.212,172.98.193.42,91.239.100.100,89.233.43.71,8.8.4.4
Tcpip\..\Interfaces\{79b9d272-ea31-4639-88dc-b468c8cc9268}: [NameServer] 91.239.100.100,9.9.9.9,84.200.69.80,84.200.70.40,89.233.43.71,91.237.100.100,8.8.8.8,37.235.1.174,37.235.1.177,198.153.194.1,68.87.76.182,156.154.70.1,216.146.36.36,8.8.4.4

 

 

FF Notifications: Mozilla\Firefox\Profiles\75tcslq5.default -> hxxps://teslamotorsclub.com

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

 

Please run the following fix for me.

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks
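
The per-interface NameServer lines questioned in the post above can be checked mechanically. This is an added example, not part of the original post and not Malwarebytes or FRST code: it parses lines in that layout and reports resolvers outside an approved set, noting any that sit one octet away from an approved address. The sample lines, GUIDs and the `APPROVED` set are constructed assumptions.

```python
import ipaddress
import re

# Matches FRST-style lines: Tcpip\..\Interfaces\{GUID}: [NameServer] ip,ip,...
LINE_RE = re.compile(r"Interfaces\\\{([0-9A-Fa-f-]+)\}: \[NameServer\] (.+)$")

# Constructed sample input (documentation address ranges, made-up GUIDs).
SAMPLE_LOG = r"""
Tcpip\..\Interfaces\{11111111-1111-1111-1111-111111111111}: [NameServer] 192.0.2.53,198.51.100.10
Tcpip\..\Interfaces\{22222222-2222-2222-2222-222222222222}: [NameServer] 192.0.3.53,203.0.113.9,192.0.2.53
"""

# Assumption: the resolvers this site has approved. Replace with your own policy.
APPROVED = {"192.0.2.53", "198.51.100.10"}


def parse_nameservers(log_text):
    """Return {interface_guid: [resolver, ...]} in the order the log lists them."""
    per_iface = {}
    for line in log_text.splitlines():
        match = LINE_RE.search(line.strip())
        if not match:
            continue
        resolvers = []
        for token in filter(None, (t.strip() for t in match.group(2).split(","))):
            try:
                resolvers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                resolvers.append("INVALID:" + token)  # keep malformed values visible
        per_iface[match.group(1).lower()] = resolvers
    return per_iface


def one_octet_apart(a, b):
    """True when two dotted-quad addresses differ in exactly one octet."""
    pa, pb = a.split("."), b.split(".")
    return len(pa) == len(pb) == 4 and sum(x != y for x, y in zip(pa, pb)) == 1


def audit(per_iface, approved):
    """List (guid, resolver, reason) for every resolver outside the approved set."""
    findings = []
    for guid, resolvers in per_iface.items():
        for ip in (r for r in resolvers if r not in approved):
            near = [ok for ok in sorted(approved) if one_octet_apart(ip, ok)]
            reason = "one octet from " + near[0] if near else "not approved"
            findings.append((guid, ip, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nameservers(SAMPLE_LOG), APPROVED):
        print(*finding)
```

A "one octet from" finding is only a prompt to compare the entry against the intended resolver; it does not by itself say which of the two addresses is the correct one.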

 


  • Staff

Hi wdolson,

Thanks for sending us the logs. Please open Malwarebytes, go to Settings -> Security tab -> Advanced Exploit protection settings->Application Behavior protection tab and turn off Malicious Return address protection for MS Office and hit Apply. Thanks. 

 

[Image: Screen Shot 2021-09-08 at 23.44.28.png]


1 hour ago, AdvancedSetup said:

Hello @wdolson

Please go to Control Panel, Programs, Programs and Features and uninstall the following

Bonjour
ClamWin Free Antivirus

Are you still using Private Internet Access? I see you have a couple of different VPN programs and PIA is getting IP blocks from Malwarebytes due to P2P networks it connects to from time to time.

I use PIA and another VPN.  Each has features that are useful for different things.  Malwarebytes goes through phases of false positives on PIA servers about once a month.  It lasts a couple of days and then goes away.  I traced the IP it flags once and I think it was in some developing country, I forget which.  It appears that when PIA is running it pings all the servers on their network to see if they are active and that's when Malwarebytes has a problem, if it's going to.  Most of the time when PIA is loaded there are no IP blocks.

1 hour ago, AdvancedSetup said:

Why is the Windows Firewall disabled?

Having two firewalls on is redundant.  The system is behind a hardware firewall.  I've run several tests on the hardware firewall and it passes all of them.  I retest from time to time.

 

1 hour ago, AdvancedSetup said:

There are a few programs faulting, including our own Malwarebytes program.

I've been having hell with Windows updates lately.  For work I need to maintain a Windows 7 machine on the network.  I develop software for industrial applications and there is still an installed base of Windows 7 machines.  

A Windows update a month ago caused this computer (my development computer) to stop seeing the Windows 7 machine.  I could ping the IP address, but it was otherwise invisible on the network.  I removed the update and Windows had a lot of instability for a while.  I finally tracked down the last thing that was causing problems two days ago.  I've had a number of programs crash over the last month and blue screens about 4 times a week.  Yesterday was the first day in a month without any programs crashing.

I've been searching for solutions to the Windows 7 becoming invisible problem, but I haven't found anything useful.  There are lots of common reasons network browsing may fail and there is lots of advice out there on that, but very little on Windows updates causing browsing of old OS's to fail.  But I have verified this is happening.  I've tested it three times, install the update, Windows 7 machine is no longer visible (but other Win 10 machines and the servers are), remove the update and Windows 7 machine is fully accessible again.

 

 


  • 4 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
