abkan Posted November 7, 2021 ID:1487206

I got an alert of a blocked exploit, checked the log, and read up a bit on the Microsoft PrintNightmare nightmare. I also found a recent Cisco security blog connecting that with Win.Virus.Xpiro-9905216-1 - I assume that the virus is on my system and not detected by Malwarebytes? What to do?

Also, the log refers to LibreOffice. I've never installed that. I use OpenOffice. However MB refers to soffice.bin, which, by golly, file.net says is used by both programs (one is a spinoff of the other, I guess). And I see that there's a warning from Malwarebytes about this: https://blog.malwarebytes.com/threat-analysis/2019/02/new-critical-vulnerability-open-source-office-suites/

So is some hacker using a virus on my system to run the PrintNightmare attack on my OpenOffice installation?

Here's the log file of the blocked exploit:

-Log Details-
Protection Event Date: 11/6/21
Protection Event Time: 7:32 PM
Log File: d2b70ab2-3f59-11ec-aae8-10604b79598e.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.46890
License: Premium

-System Information-
OS: Windows 10 (Build 19042.1288)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent - Exploit payload process blocked, C:\WINDOWS\splwow64.exe C:\WINDOWS\splwow64.exe 8192, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: LibreOffice
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\splwow64.exe C:\WINDOWS\splwow64.exe 8192
URL:

(end)
Porthos Posted November 7, 2021 ID:1487210

47 minutes ago, abkan said: I got an alert of a blocked exploit, checked the log

Did you open "open office" to work with a file?
AdvancedSetup (Root Admin) Posted November 7, 2021 ID:1487216

I have asked @Arthi about this detection for further advice. Hopefully I hear back on Monday more about this. Thanks @abkan
abkan Posted November 7, 2021 (Author) ID:1487253

12 hours ago, Porthos said: Did you open "open office" to work with a file?

I must have been working on an OpenOffice text document at that time, yes. After I researched the problem, I decided to uninstall OpenOffice. I'm not sure if I had closed the text editor or not, but I attempted to download the latest OpenOffice version (it's been prompting me recently) from the program itself. That prompted my default browser, MS Edge, to open the OpenOffice download page. Malwarebytes warned of an exploit and blocked Edge from opening the page. (My memory is terrible so I'm using the log, below, to help me out here.)

I then uninstalled OpenOffice, opened Malwarebytes, and checked ALL the boxes in advanced settings. Then I downloaded and made a fresh Kaspersky rescue disk, and performed a boot scan of all drives and folders. No malware/virus was found.

This morning I tried to do a Windows Defender offline scan: it wouldn't run, nor will any Windows Defender scan run. My guess is that checking all the boxes in Malwarebytes caused that. (I suppose that I can restore Malwarebytes' default settings and get Defender running again? Which I would do after I deal with the exploit problem.)

Finally, here's the log of the aforementioned 2nd exploit attempt:

-Log Details-
Protection Event Date: 11/6/21
Protection Event Time: 9:28 PM
Log File: f0e47bf4-3f69-11ec-8451-10604b79598e.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.46894
License: Premium

-System Information-
OS: Windows 10 (Build 19042.1288)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent - Exploit payload process blocked, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --single-argument https:\www.openoffice.org\download?utm_source=AOO4_1_10_en-US&utm_medium=Client&utm_campaign=Upgrade, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: LibreOffice
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --single-argument https:\www.openoffice.org\download?utm_source=AOO4_1_10_en-US&utm_medium=Client&utm_campaign=Upgrade
URL:

(end)
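Both logs in this thread (the first post and the one just above) name only Windows' own binaries as the blocked payload: splwow64.exe, the print-driver host that 64-bit Windows starts whenever a 32-bit application such as OpenOffice touches the printing APIs (printing, page setup, querying the default printer), and msedge.exe launched with the OpenOffice download URL. "Exploit payload process blocked" under the Application Behavior Protection layer means Malwarebytes stopped a child process that the protected office process (its "LibreOffice" profile, which covers soffice.bin, as the first post found) tried to start; it is not a verdict that the child binary is malicious. The PowerShell below is an added example, not code from the thread or from Malwarebytes: it parses the "Exploit: 1" lines of both logs (copied here as the constructed sample input; the line layout the regex assumes is taken from those two lines only), checks that each blocked executable exists, whether it lives under the Windows directory, and whether it carries a valid Microsoft Authenticode or catalog signature, and then reads the Point and Print hardening values that Microsoft documented in KB5005652 for the PrintNightmare spooler bugs. The thread never establishes that these blocks were PrintNightmare attempts; the hardening check answers the poster's spooler question independently of the block. Run it in an elevated PowerShell 5.1 session on the affected machine.

```powershell
# Added example (not from the forum thread or Malwarebytes). Parses the
# "Exploit: 1" lines of a Malwarebytes exploit-block log, verifies the blocked
# payload binaries, and reports PrintNightmare-related spooler hardening.

# Constructed sample: the two "Exploit: 1" lines pasted in this thread.
$sampleLines = @(
    'Malware.Exploit.Agent - Exploit payload process blocked, C:\WINDOWS\splwow64.exe C:\WINDOWS\splwow64.exe 8192, Blocked, 0, 392684, 0.0.0, ,',
    'Malware.Exploit.Agent - Exploit payload process blocked, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --single-argument https:\www.openoffice.org\download?utm_source=AOO4_1_10_en-US&utm_medium=Client&utm_campaign=Upgrade, Blocked, 0, 392684, 0.0.0, ,'
)

function ConvertFrom-MbamExploitLine {
    param([Parameter(Mandatory)][string]$Line)
    # Layout assumed from the pasted lines only:
    # "<detection> - <technique>, <image path> <command line>, <action>, ..."
    $pattern = '^(?<det>[^-]+) - (?<tech>[^,]+), (?<img>[A-Za-z]:\\[^,]*?\.exe) (?<cmd>.+?), (?<action>Blocked|Allowed|Detected)'
    $m = [regex]::Match($Line, $pattern)
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Detection   = $m.Groups['det'].Value.Trim()
        Technique   = $m.Groups['tech'].Value.Trim()
        ImagePath   = $m.Groups['img'].Value
        CommandLine = $m.Groups['cmd'].Value
        Action      = $m.Groups['action'].Value
    }
}

function Test-BlockedPayloadBinary {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Status = 'Missing'; Signer = $null; UnderSystemRoot = $false; Sha256 = $null }
    }
    # Windows system binaries are usually catalog-signed; Get-AuthenticodeSignature
    # resolves catalog signatures on Windows 10, so Status should read 'Valid'.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = $Path
        Exists          = $true
        Status          = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        UnderSystemRoot = $Path.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
        Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash   # compare against a known-good copy if in doubt
    }
}

function Get-PrintNightmareHardening {
    # Registry values documented by Microsoft in KB5005652 for CVE-2021-34527.
    # A missing RestrictDriverInstallationToAdministrators means the post-KB5005652
    # default (1, admins only). NoWarningNoElevationOnInstall = 1 or a non-zero
    # UpdatePromptSettings re-enables the risky Point and Print behaviour.
    $pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $v = if (Test-Path -Path $pp) { Get-ItemProperty -Path $pp } else { $null }
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SpoolerStatus                              = $spooler.Status
        SpoolerStartType                           = $spooler.StartType
        RestrictDriverInstallationToAdministrators = $v.RestrictDriverInstallationToAdministrators
        NoWarningNoElevationOnInstall              = $v.NoWarningNoElevationOnInstall
        UpdatePromptSettings                       = $v.UpdatePromptSettings
    }
}

foreach ($line in $sampleLines) {
    $e = ConvertFrom-MbamExploitLine -Line $line
    if ($null -eq $e) { Write-Warning "Unparsed log line: $line"; continue }
    '{0}: {1} -> {2}' -f $e.Action, $e.Technique, $e.ImagePath
    Test-BlockedPayloadBinary -Path $e.ImagePath | Format-List
}
Get-PrintNightmareHardening | Format-List
```

A blocked child whose image is a validly signed Microsoft binary in its normal location points to a behaviour-rule block (worth reporting to the vendor, as the admin did here) rather than an implanted payload; an unsigned or relocated splwow64.exe, or the spooler hardening values set to the risky settings, would be the findings that justify the deeper clean-up the thread goes on to do.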
abkan Posted November 7, 2021 (Author) ID:1487255

Here's the Cisco Talos group report that I referred to: https://blog.talosintelligence.com/2021/11/threat-roundup-1029-1105.html

A previous post on Microsoft's attempt (apparently unsuccessful) to fix the PrintNightmare bug: https://blog.talosintelligence.com/2021/10/microsoft-patch-tuesday-for-oct-2021.html

Also, here's a reference to PrintNightmare and ransomware attacks - I can't find the original Cisco Talos post offhand: https://www.neowin.net/news/cisco-printnightmare-is-being-exploited-by-vice-society-to-inject-ransomware/
AdvancedSetup (Root Admin) Posted November 7, 2021 ID:1487286

There is no setting with Malwarebytes that should stop or prevent Windows Defender from making a manual scan.

At this point, it might be best to run a Microsoft threat scan as shown below.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the instructions for running the tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan. The log is named MSERT.log; it will be at %SYSTEMROOT%\debug\msert.log, which in most cases is C:\Windows\debug\msert.log. Please attach that log with your next reply.

Once that scan has been completed it might be best if you were to do a clean removal and reinstall of Malwarebytes to ensure that all files and settings are restored to a 100% clean state.

Can you please do the following?

1. Download the Malwarebytes Support Tool
2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
3. In the User Account Control pop-up window, click Yes to continue the installation
4. Run the MBST Support Tool
5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced
6. In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes

NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete.

After the restart please do the following:

1. Run the MBST Support Tool
2. In the left navigation pane of the Malwarebytes Support Tool, click Advanced
3. In the Advanced Options, click Gather Logs.
4. A status diagram displays the tool is Getting logs from your machine
5. A zip file named mbst-grab-results.zip will be saved to your desktop; please upload that file on your next reply

Thank you
abkan Posted November 8, 2021 (Author) ID:1487315

Thanks! MS Safety Scanner is amazing! It found 30 infected files!

The "Scan results" box has a link to "View detailed results of the scan." Clicking that opens another box which states:

Malware VirTool:Win32/DefenderTamperingRestore
Scan results Removed

A browser window is also opened to: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=VirTool%3aWin32%2fDefenderTamperingRestore&product=13 - which doesn't have a lot of info other than: "This detection is for suboptimal configurations that may prevent Microsoft Defender Antivirus from functioning properly. If you see this detection, a suboptimal configuration was detected, and Microsoft Defender Antivirus will auto-heal by automatically resetting to more secure configurations."

I assume all infected files were removed. I found instructions in a Microsoft Community forum for finding the log so here's that:

Microsoft Safety Scanner v1.353, (build 1.353.590.0)
Started On Sun Nov 7 16:59:47 2021
Engine: 1.1.18700.4
Signatures: 1.353.590.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

I set it to scan my system drive, which is solid state, with 237 GB of files on it. Took about 2 hours. Last time I looked it was heading over 1.5 million files.

Besides the Kaspersky rescue disk I used yesterday, I thought I'd try some others today. The most notable was Norton. Started up fine. No options other than "full scan." So I started that and worked in the yard for a while. Came back, system was asleep. I need to check the BIOS and figure that out. Stayed nearby and nudged the mouse occasionally for the next hour or so. Scan complete, it had checked around 250k files, found nothing. "Full scan" huh.

I also tried ESET. Didn't see hard drives I guess, wouldn't scan them anyway. "Startup scan" went through 14 files. Tried a few times then it said I'd reached a limit! Trend Micro booted to a Linux command line. I couldn't figure that one out. Comodo produced a "yellow screen of Linux death" as I'll call it. Frozen. Avira looked promising but was tortuously slow. It would go for about an hour creeping along up to 8% or so of full scan. Tried that twice. Ugh.

I'll post the other info per instructions shortly.
abkan Posted November 8, 2021 (Author) ID:1487318

mbst-grab-results.zip
AdvancedSetup (Root Admin) Posted November 8, 2021 ID:1487346

Thank you @abkan

Please go to Control Panel, Programs, Programs and Features and uninstall the following:

- Bonjour
- CCleaner (computer experts no longer recommend the use of this program)

Then run the following fix.

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr*.dat files)
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine.

If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run.

Thanks

fixlist.txt
abkan Posted November 8, 2021 (Author) ID:1487400

Fixlist is unavailable for some reason.
Porthos Posted November 8, 2021 ID:1487418 (edited)

3 hours ago, abkan said: Fixlist is unavailable for some reason.

Try again. I moved your topic to a section where it should be available to download.

Edited November 8, 2021 by Porthos
abkan Posted November 8, 2021 (Author) ID:1487442

17 hours ago, abkan said: Thanks! MS Safety Scanner is amazing! It found 30 infected files!

Wrong again! I just ran a scan on a data file which produced "25 infected files" in process, but at the end it said no infections were found. wtf? So I researched and found that those are sort of false positives which aren't confirmed by the MAPS system, as my log shows. https://answers.microsoft.com/en-us/protect/forum/all/what-is-wrong-with-the-microsoft-safety-scanner/27c95df9-7d49-4d02-b734-bcb16495cfc3

I have the Fixlist and will report back later today.
AdvancedSetup (Root Admin) Posted November 8, 2021 ID:1487470

Thank you @abkan

Please post back the FIXLOG.txt file once you've run the Fix.

Cheers
abkan Posted November 8, 2021 (Author) ID:1487484

1 hour ago, AdvancedSetup said: Thank you @abkan Please post back the FIXLOG.txt file once you've run the Fix. Cheers

That worked great! The log is attached. BTW earlier today I also ran a Defender boot scan and a Malwarebytes full scan, no problems. Looking forward to your analysis. Thanks!

Fixlog.txt
AdvancedSetup (Root Admin) Posted November 8, 2021 ID:1487489

The log looks good. It was able to find and repair some issues: "Windows Resource Protection found corrupt files and successfully repaired them."

Please run the following for me @abkan

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

1. Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
2. If Microsoft SmartScreen blocks the download, click through to save the file. This tool is safe. SmartScreen is overly sensitive. If SmartScreen blocks the file from running click on More info and Run anyway.
3. Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
4. Wait for the scan to finish. It will open a text file named SecurityCheck.txt.
5. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Thank you
abkan Posted November 9, 2021 (Author) ID:1487603

22 hours ago, AdvancedSetup said: I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications. Thank you

Sorry, got distracted. Here you go.

SecurityCheck.txt
AdvancedSetup (Root Admin) Posted November 9, 2021 ID:1487605

Thank you @abkan

Please uninstall, update, or otherwise address the following issues as appropriate for your system:

--------------------------- [ OtherUtilities ] ----------------------------
Microsoft Silverlight v.5.1.50918.0 Warning! This software is no longer supported.
NVIDIA GeForce Experience 3.13.1.30 v.3.13.1.30 Warning! Download Update
Foxit Reader v.9.0.1.1049 Warning! Download Update
------------------------------- [ Imaging ] -------------------------------
IrfanView 4.54 (64-bit) v.4.54 Warning! Download Update
-------------------------- [ IMAndCollaborate ] ---------------------------
Cisco Webex Meetings v.41.9.5 Warning! Download Update
Zoom v.5.8.0 (1324) Warning! Download Update
-------------------------------- [ Media ] --------------------------------
VLC media player v.2.2.4 Warning! Download Update
QuickTime 7 v.7.79.80.95 Warning! This software is no longer supported. Please uninstall it and use another software.
--------------------------- [ AdobeProduction ] ---------------------------
Adobe AIR v.32.0.0.89 Warning! Download Update
Adobe SVG Viewer v.1.0 Warning! This software is no longer supported. Please uninstall it.
----------------------------- [ EmailClient ] -----------------------------
Mozilla Thunderbird 60.8.0 (x86 en-US) v.60.8.0 Warning! Download Update
---------------------------- [ UnwantedApps ] -----------------------------
TerraGo Toolbar v.7.6.1.56 Warning! Browser's toolbar. It can slow down the working of your browser and have violation privacy problems.

Once you've updated or corrected all of the above, please do a Clean Removal and Reinstall of the Malwarebytes software as it too shows some potential issues that will be corrected by a clean removal and reinstall.

Can you please do the following?

1. Download the Malwarebytes Support Tool
2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
3. In the User Account Control pop-up window, click Yes to continue the installation
4. Run the MBST Support Tool
5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced
6. In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes

NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete.

After the restart please do the following:

1. Run the MBST Support Tool
2. In the left navigation pane of the Malwarebytes Support Tool, click Advanced
3. In the Advanced Options, click Gather Logs.
4. A status diagram displays the tool is Getting logs from your machine
5. A zip file named mbst-grab-results.zip will be saved to your desktop; please upload that file on your next reply

Thank you
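The SecurityCheck report above is an inventory of installed programs compared against a table of minimum versions and a list of products whose vendor support has ended. The PowerShell below is an added example of how such an audit is built; it is neither the SecurityCheck tool nor code from this thread. It enumerates installed software from the Windows Uninstall registry keys (both native and WOW6432Node, plus the per-user key), extracts a comparable [version] from vendor version strings such as "5.8.0 (1324)", and flags entries that are below a minimum or on the end-of-life list. The minimum versions in the table are assumptions made up for the example, not a statement of which releases are secure; the end-of-life names are the three the report above lists as no longer supported. A constructed sample mirroring four report entries exercises the logic without touching the registry; the last commented line runs it against the live machine.

```powershell
# Added example (not the SecurityCheck tool, not from the thread). A minimal
# installed-software audit against a minimum-version table.

# Assumed minimum versions, made up for this example only.
$minimumVersions = @{
    'VLC media player'    = '3.0.16'
    'Mozilla Thunderbird' = '91.3.0'
    'Zoom'                = '5.8.3'
}
# Products the report above marks as no longer supported by their vendor.
$unsupported = @('Microsoft Silverlight', 'QuickTime', 'Adobe SVG Viewer')

function Get-InstalledSoftware {
    # Machine-wide 64-bit, machine-wide 32-bit (WOW6432Node) and per-user installs.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function ConvertTo-VersionSafe {
    param([string]$Text)
    # Vendors embed build tags ("5.8.0 (1324)", "60.8.0 (x86 en-US)"); keep the
    # leading dotted numeric part so [version] comparison works. Null if absent.
    $m = [regex]::Match([string]$Text, '\d+(\.\d+){1,3}')
    if ($m.Success) { [version]$m.Value } else { $null }
}

function Get-SoftwareAuditReport {
    param([object[]]$Installed = (Get-InstalledSoftware))
    foreach ($app in $Installed) {
        $name     = $app.DisplayName
        $status   = 'OK'
        $required = $null
        # Prefix match, because DisplayName often carries the version ("Mozilla Thunderbird 60.8.0 (x86 en-US)").
        $eol  = $unsupported          | Where-Object { $name -like "$_*" } | Select-Object -First 1
        $rule = $minimumVersions.Keys | Where-Object { $name -like "$_*" } | Select-Object -First 1
        if ($eol) {
            $status = 'Unsupported: uninstall'
        }
        elseif ($rule) {
            $required = $minimumVersions[$rule]
            $have = ConvertTo-VersionSafe $app.DisplayVersion
            if ($null -eq $have)                       { $status = 'Unknown version' }
            elseif ($have -lt [version]$required)      { $status = 'Update required' }
        }
        [pscustomobject]@{ Name = $name; Installed = $app.DisplayVersion; Minimum = $required; Status = $status }
    }
}

# Constructed sample mirroring four entries of the SecurityCheck report above.
$sample = @(
    [pscustomobject]@{ DisplayName = 'VLC media player';                        DisplayVersion = '2.2.4';        Publisher = 'VideoLAN' },
    [pscustomobject]@{ DisplayName = 'Mozilla Thunderbird 60.8.0 (x86 en-US)';  DisplayVersion = '60.8.0';       Publisher = 'Mozilla' },
    [pscustomobject]@{ DisplayName = 'QuickTime 7';                             DisplayVersion = '7.79.80.95';   Publisher = 'Apple Inc.' },
    [pscustomobject]@{ DisplayName = 'Zoom';                                    DisplayVersion = '5.8.0 (1324)'; Publisher = 'Zoom Video Communications, Inc.' }
)
Get-SoftwareAuditReport -Installed $sample | Where-Object Status -ne 'OK' | Format-Table -AutoSize

# Against the live machine:
# Get-SoftwareAuditReport | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

With the sample input, VLC, Thunderbird and Zoom come back as "Update required" and QuickTime 7 as "Unsupported: uninstall". Per-user installs (the HKCU key) matter in practice because browser-style installers such as Zoom or Chrome often land there and are missed by audits that read only HKLM.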
abkan Posted November 9, 2021 (Author) ID:1487620

55 minutes ago, AdvancedSetup said: After the restart please do the following: Run the MBST Support Tool. In the left navigation pane of the Malwarebytes Support Tool, click Advanced. In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine. A zip file named mbst-grab-results.zip will be saved to your desktop; please upload that file on your next reply. Thank you

No restart and I got a text file instead of a zip file.

mbst-clean-results.txt
AdvancedSetup (Root Admin) Posted November 9, 2021 ID:1487622

Please restart the computer yourself @abkan. Once it has restarted then get me the logs for it.

After the restart please do the following:

1. Run the MBST Support Tool
2. In the left navigation pane of the Malwarebytes Support Tool, click Advanced
3. In the Advanced Options, click Gather Logs.
4. A status diagram displays the tool is Getting logs from your machine
5. A zip file named mbst-grab-results.zip will be saved to your desktop; please upload that file on your next reply

Thank you
abkan Posted November 9, 2021 (Author) ID:1487626

Being an optimist, I began a DNAgedcom analysis that is proceeding painfully slowly, so it may be a few hours or maybe tomorrow morning. Sorry to interrupt the flow here.
abkan Posted November 10, 2021 (Author) ID:1487729

17 hours ago, AdvancedSetup said: Please restart the computer yourself @abkan. Once it has restarted then get me the logs for it. After the restart please do the following: Run the MBST Support Tool. In the left navigation pane of the Malwarebytes Support Tool, click Advanced. In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine. A zip file named mbst-grab-results.zip will be saved to your desktop; please upload that file on your next reply. Thank you

Something odd that I've noticed is that the files that the MBST Support Tool creates don't show in Windows Explorer. I followed your instructions this morning and couldn't find the zip file by looking through the icons on my desktop. There had been a pending Windows update so I thought perhaps that had screwed something up, so I re-ran Clean and reinstallation. While that was going on I found the missing zip file on my desktop! So I renamed that with a 1 in the file name. I'm attaching that with the 2nd zip file just in case you need it. (Probably the case since the original file has a lot more data in it.)

Also, while all this was going on, Acronis True Image For Western Digital updated. I got a WD outboard drive for backup a few years ago. WD has since outsourced support for that drive to Acronis. Now, all of a sudden, ACTIFWD has added "active protection"! No notification, just did it. I've attached a screen grab. Will it play nice with Malwarebytes or should I "turn off protection"?

Thank you.

mbst-grab-results.zip
mbst-grab-results1.zip
AdvancedSetup (Root Admin) Posted November 10, 2021 ID:1487738 (marked as Solution)

Good day @abkan

Thank you for the logs. I don't know for sure if there is any conflict with the new Active Protection from Acronis or not. Probably best to set up exclusions though just in case: https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

How is the computer running now? Are there still any blocks or other issues with Malwarebytes at this time? Please post a status update when you have a moment.

Thank you
abkan Posted November 10, 2021 (Author) ID:1487773

I appear to be good to go! I also added the relevant Acronis folders to Malwarebytes exclusions, and Malwarebytes folders to Acronis exclusions. Acronis wouldn't see the Malwarebytes drivers for some reason, but the instructions you provided said to add those "if needed" so hopefully not.

Anyway, thank you very much for your time and expert help! This forum sure makes Malwarebytes an even more fantastic product! 😁
AdvancedSetup (Root Admin) Posted November 10, 2021 ID:1487780 (edited)

You're quite welcome @abkan

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

1. Please download KpRm by kernel-panik and save it to your desktop.
2. Right-click kprm_(version).exe and select Run as Administrator.
3. Read and accept the disclaimer.
4. When the tool opens, ensure all boxes under Actions are checked.
5. Under Delete Quarantines select Delete Now, then click Run.
6. Once complete, click OK.
7. A log will open in Notepad titled kprm-(date).txt. Please attach that file to your next reply. (not compulsory)

Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site. https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/

Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download

Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2

Install a content blocker for your browser. Malwarebytes Browser Guard (Free)
Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/
Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee

Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

Edited November 10, 2021 by AdvancedSetup: updated information
abkan Posted November 10, 2021 (Author) ID:1487785

KpRm got partway through then froze, so I stopped it, terminated it, created a restore point, then ran it again without the registry backup checked. Worked fine that time. So I wound up with two logs; both are attached.

I'll do homework on those other links you provided, thanks very much! I've been using NoScript with Firefox for general browsing, and Chrome unfettered so I can run processes online like credit card purchases and whatnot. I haven't thought about Edge yet, I use it mostly for Gmail. But as I said I'll do some research on those.

kprm-20211110143608.txt
kprm-20211110142906.txt