Syswow64.exe/PrintNightmare exploit

[abkan]

I got an alert of a blocked exploit, checked the log, and read up a bit on the Microsoft PrintNightmare nightmare. I also found a recent Cisco security blog connecting that with Win.Virus.Xpiro-9905216-1

- I assume that the virus is on my system and not detected by Malwarebytes? What to do?

Also, the log refers to LibreOffice. I've never installed that. I use OpenOffice. However MB refers to soffice.bin, which, by golly, file.net says is used by both programs (one is a spinoff of the other, I guess). And I see that there's a warning from Malwarebytes about this:
https://blog.malwarebytes.com/threat-analysis/2019/02/new-critical-vulnerability-open-source-office-suites/

So is some hacker using a virus on my system to run the PrintNightmare attack on my OpenOffice installation? Here's the log file of the blocked exploit:

-Log Details-
Protection Event Date: 11/6/21
Protection Event Time: 7:32 PM
Log File: d2b70ab2-3f59-11ec-aae8-10604b79598e.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.46890
License: Premium

-System Information-
OS: Windows 10 (Build 19042.1288)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent - Exploit payload process blocked, C:\WINDOWS\splwow64.exe C:\WINDOWS\splwow64.exe 8192, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: LibreOffice
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\splwow64.exe C:\WINDOWS\splwow64.exe 8192
URL: 

(end)

[Porthos]

47 minutes ago, abkan said:

I got an alert of a blocked exploit, checked the log

Did you open "open office" to work with a file?

[AdvancedSetup]

I have asked @Arthi about this detection for further advice. Hopefully I hear back on Monday more about this.

Thanks @abkan

 

[abkan]

12 hours ago, Porthos said:

Did you open "open office" to work with a file?

I must have been working on an OpenOffice text document at that time, yes. After I researched the problem, I decided to uninstall OpenOffice. I'm not sure if I had closed the text editor or not, but I attempted to download the latest OpenOffice version (it's been prompting me recently) from the program itself. That prompted my default browser, MS Edge, to open the OpenOffice download page. Malwarebytes warned of an exploit and blocked Edge from opening the page. (My memory is terrible so I'm using the log, below, to help me out here.) I then uninstalled OpenOffice, opened Malwarebytes, and checked ALL the boxes in advanced settings. Then I downloaded and made a fresh Kaspersky rescue disk, and performed a boot scan of all drives and folders. No malware/virus was found.

This morning I tried to do a Windows Defender offline scan: It wouldn't run, now will any Windows Defender scan run. My guess is that checking all the boxes in Malwarebytes caused that. (I suppose that I can restore Malwarebyte's default settings and get Defender running again? Which I would do after I deal with the exploit problem.) Finally, here's the log of the aforementioned 2nd exploit attempt:

-Log Details-
Protection Event Date: 11/6/21
Protection Event Time: 9:28 PM
Log File: f0e47bf4-3f69-11ec-8451-10604b79598e.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.46894
License: Premium

-System Information-
OS: Windows 10 (Build 19042.1288)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent - Exploit payload process blocked, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --single-argument https:\www.openoffice.org\download?utm_source=AOO4_1_10_en-US&utm_medium=Client&utm_campaign=Upgrade, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: LibreOffice
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --single-argument https:\www.openoffice.org\download?utm_source=AOO4_1_10_en-US&utm_medium=Client&utm_campaign=Upgrade
URL: 

(end)

[abkan]

Here's the Cisco Talos group report that I referred to:

https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html

A previous post on Microsoft's attempt (apparently unsuccessful) to fix the PrintNightmare bug:

https://blog.talosintelligence.com/2021/10/microsoft-patch-tuesday-for-oct-2021.html

Also, here's a reference to PrintNightmare and ransomware attacks - I can't find the original Cisco Talos post offhand:

https://www.neowin.net/news/cisco-printnightmare-is-being-exploited-by-vice-society-to-inject-ransomware/

[AdvancedSetup]

There is no setting with Malwarebytes that should stop or prevent Windows Defender from making a manual scan.

At this point, it might be best to run a Microsoft threat scan as shown below.

 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

Once that scan has been completed it might be best if you were to do a clean removal and reinstall of Malwarebytes to ensure that all files and settings are restored to a 100% clean state.

 

Can you please do the following?

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
• NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

[abkan]

Thanks! MS Safety Scanner is amazing! It found 30 infected files! The "Scan results" box has a link to "View detailed results of the scan." Clicking that opens another box which states:

Malware
VirTool:Win32/DefenderTamperingRestore
Scan results
Removed

A browser window is also opened to:
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=VirTool%3aWin32%2fDefenderTamperingRestore&product=13

- which doesn't have a lot of info other than:
This detection is for suboptimal configurations that may prevent Microsoft Defender Antivirus from functioning properly.
If you see this detection, a suboptimal configuration was detected, and Microsoft Defender Antivirus will auto-heal by automatically resetting to more secure configurations.

I assume all infected files were removed. I found instructions in a Microsoft Community forum for finding the log so here's that:

Microsoft Safety Scanner v1.353, (build 1.353.590.0)
Started On Sun Nov  7 16:59:47 2021

Engine: 1.1.18700.4
Signatures: 1.353.590.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

I set it to scan my system drive, which is solid state, with 237 GB of files on it. Took about 2 hours. Last time I looked it was heading over 1.5 million files.

Besides the Kaspersky rescue disk I used yesterday, I thought I'd try some others today. The most notable was Norton. Started up fine. No options other than "full scan." So I started that and worked in the yard for a while. Came back, system was asleep. I need to check the BIOS and figure that out. Stayed nearby and nudged the mouse occasionally for next hour or so. Scan complete, it had checked around 250k files, found nothing. "Full scan" huh. I also tried ESET. Didn't see hard drives I guess, wouldn't scan them anyway. "Startup scan" went through 14 files. Tried a few times then it said i'd reached a limit! Trend Micro booted to a Linux command line. I couldn't figure that one out. Comodo produced a "yellow screen of Linux death" as I'll call it. Frozen. Avira looked promising but was tortuously slow. It would go for about an hour creeping along up to 8% or so of full scan. Tried that twice. Ugh.

I'll post the other info per instructions shortly.

[abkan]

mbst-grab-results.zip

[AdvancedSetup]

Thank you @abkan

 

Please go to Control Panel, Programs, Programs and Features and uninstall the following

 

Bonjour
CCleaner (computer experts no longer recommend the use of this program)
 

 

Then run the following fix.

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Flash Player cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

 

Thanks

 

fixlist.txt

[abkan]

Fixlist is unavailable for some reason.

[Porthos]

3 hours ago, abkan said:

Fixlist is unavailable for some reason.

Try again. I moved your topic to a section it should be available to download.

Edited November 8, 2021 by Porthos

[abkan]

17 hours ago, abkan said:

Thanks! MS Safety Scanner is amazing! It found 30 infected files!

Wrong again! I just ran a scan on a data file which produced "25 infected files" in process, but at the end it said no infections were found. wtf? So I researched and found that those are sort of false positives which aren't confirmed by the MAPS system, as my log shows.
https://answers.microsoft.com/en-us/protect/forum/all/what-is-wrong-with-the-microsoft-safety-scanner/27c95df9-7d49-4d02-b734-bcb16495cfc3

I have the Fixlist and will report back later today.

[AdvancedSetup]

Thank you @abkan

Please post back the FIXLOG.txt file once you've run the Fix.

Cheers

 

[abkan]

1 hour ago, AdvancedSetup said:

Thank you @abkan

Please post back the FIXLOG.txt file once you've run the Fix.

Cheers

 

That worked great! The log is attached. BTW earlier today I also ran a Defender boot scan and a Malwarebytes full scan, no problems. Looking forward to your analysis. Thanks!

Fixlog.txt

[AdvancedSetup]

The log looks good. It was able to find and repair some issues.

Windows Resource Protection found corrupt files and successfully repaired them.

 

Please run the following for me @abkan

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

• Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
• If Microsoft SmartScreen blocks the download, click through to save the file
• This tool is safe.   Smartscreen is overly sensitive.
• If SmartScreen blocks the file from running click on More info and Run anyway
• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
• Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
• You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

 

Thank you

 

 

[abkan]

22 hours ago, AdvancedSetup said:

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

 

Thank you

 

 

Sorry, got distracted. Here you go.

SecurityCheck.txt

[AdvancedSetup]

Thank you @abkan

Please uninstall, update, or otherwise address the following issues as appropriate for your system

 

 

--------------------------- [ OtherUtilities ] ----------------------------

Microsoft Silverlight v.5.1.50918.0 Warning! This software is no longer supported.

NVIDIA GeForce Experience 3.13.1.30 v.3.13.1.30 Warning! Download Update

Foxit Reader v.9.0.1.1049 Warning! Download Update

 

------------------------------- [ Imaging ] -------------------------------
IrfanView 4.54 (64-bit) v.4.54 Warning! Download Update

-------------------------- [ IMAndCollaborate ] ---------------------------

Cisco Webex Meetings v.41.9.5 Warning! Download Update

Zoom v.5.8.0 (1324) Warning! Download Update

 

-------------------------------- [ Media ] --------------------------------
VLC media player v.2.2.4 Warning! Download Update

QuickTime 7 v.7.79.80.95 Warning! This software is no longer supported. Please uninstall it and use another software.

--------------------------- [ AdobeProduction ] ---------------------------

Adobe AIR v.32.0.0.89 Warning! Download Update

Adobe SVG Viewer v.1.0 Warning! This software is no longer supported. Please uninstall it.

 

----------------------------- [ EmailClient ] -----------------------------

Mozilla Thunderbird 60.8.0 (x86 en-US) v.60.8.0 Warning! Download Update

---------------------------- [ UnwantedApps ] -----------------------------

TerraGo Toolbar v.7.6.1.56 Warning! Browser's toolbar. It can slow down the working of your browser and have violation privacy problems.

 

 

Once you've updated or corrected all of the above, please do a Clean Removal and Reinstall of the Malwarebytes software as it too shows some potential issues that will be corrected by a clean removal and reinstall.

 

 

Can you please do the following?

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
• NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

[abkan]

55 minutes ago, AdvancedSetup said:

 

After the restart please do the following

• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

No restart and I got a text file instead of a zip file.

mbst-clean-results.txt

[AdvancedSetup]

Please restart the computer yourself @abkan

Once it has restarted then get me the logs for it.

After the restart please do the following

• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

[abkan]

Being an optimist, I began a DNAgedcom analysis that is proceeding painfully slowly, so it may be a few hours or maybe tomorrow morning. Sorry to interrupt the flow here.

[abkan]

17 hours ago, AdvancedSetup said:

Please restart the computer yourself @abkan

Once it has restarted then get me the logs for it.

After the restart please do the following

• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

Something odd that I've noticed is that the files that the MBST Support Tool don't show in Windows Explorer. I followed your instructions this morning and couldn't find the zip file by looking through the icons on my desktop. There had been a pending Windows update so I thought perhaps that had screwed something up, so I re-ran Clean and reinstallation. While I that was going on I found the missing zip file on my desktop! So I renamed that with a 1 in the file name. I'm attaching that with the 2nd zip file just in case you need it. (Probably the case since the original file has a lot more data in it.)

Also, while all this was going on, Acronis True Image For Western Digital updated. I got a WD outboard drive for backup a few years ago. WD has since outsourced support for that drive to Acronis. Now, all of a sudden, ACTIFWD has added "active protection"! No notification, just did it. I've attached a screen grab. Will it play nice with Malwarebytes or should I "turn off protection"? Thank you.

mbst-grab-results.zip mbst-grab-results1.zip

[AdvancedSetup]

Good day @abkan

Thank you for the logs. I don't know for sure if there is any conflict with the new Active Protection from Acronis or not. Probably best to setup exclusions though just in case.

https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

How is the computer running now?

Are there still any blocks or other issues with Malwarebytes at this time?

Please post a status update when you have a moment

Thank you

 

[abkan]

I appear to be good to go! I also added the relevant Acronis folders to Malwarebytes exclusions, and Malwarebytes folders to Acronis exclusions. Acronis wouldn't see the Malwarebytes drivers for some reason, but the instructions you provided said to add those "if needed" so hopefully not.

Anyway, thank you very much for your time and expert help! This forum sure makes Malwarebytes an even more fantastic product! 😁

[AdvancedSetup]

You're quite welcome @abkan

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

• right-click kprm_(version).exe and select Run as Administrator.
• Read and accept the disclaimer.
• When the tool opens, ensure all boxes under Actions are checked.
• Under Delete Quarantines select Delete Now, then click Run.
• Once complete, click OK.
• A log will open in Notepad titled kprm-(date).txt.
• Please attach that file to your next reply. (not compulsory)

 

1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
   https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
2. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
3. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
4. Install a content blocker for your browser. Malwarebytes Browser Guard (Free)
   Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/  
   Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee 
5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

Edited November 10, 2021 by AdvancedSetup
updated information

[abkan]

KpRm got partway through then froze so I stopped it terminated it, created a restore point, then ran it again without the registry backup checked. Worked fine that time. So I wound up with two logs, both are attached.

I'll do homework on those other links you provided, thanks very much! I've been using Noscript with Firefox for general browsing, and Chrome unfettered so I can run processes online like credit card purchases and whatnot. I haven't thought about Edge yet, I use it mostly for Gmail. But as I said I'll do some research on those.

kprm-20211110143608.txt kprm-20211110142906.txt