Exploit false positive when trying to print from Word Windows 11


JustJackAtlanta
Solved by Porthos

User Sally reported this problem on 11/5/21 under the title of "I can run Word because RTP detection" (I am assuming she meant "can't").  I am having the same issue.  The thread was closed without resolution.  The log is shown below.  It is also attached.  My eye is drawn to the 8192 after the splwow64.exe.  Is that the port number?  Does that even make sense?  Also attached is the mb support tool output.  I'm in the same boat and not sure what to do.  Thank you.  Jack

 

PS, a snivey about the support tool.  It says that the file mbst-grab-results.zip is on my desktop.  It is not.  It is in the folder C:\Users\Public\Desktop.  Please modify the tool so that it provides the complete path or at least change the verbiage. 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/8/2021
Protection Event Time: 4:32 PM
Log File: 43e9a42e-586e-11ec-8d6f-28d24431946b.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.48326
License: Premium

-System Information-
OS: Windows 11 (Build 22000.348)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent - Exploit payload process blocked, C:\Windows\splwow64.exe C:\Windows\splwow64.exe 8192, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: Microsoft Office Word
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 8192
URL:

 

(end)

exploit.txt mbst-grab-results.zip


1 minute ago, JustJackAtlanta said:

-Software Information-
Version: 4.4.10.144

Please do the following and DO NOT change any of the defaults once installed.

 Uninstall and reinstall using the Malwarebytes Support Tool

Please close all browsers and programs before running the tool. Right click and quit MB from the system tray also.


  • Solution
3 minutes ago, JustJackAtlanta said:

Should any of the system repairs be done as well?  Or will that create more issues?

NO, just do the clean install using the tool. Do not change any settings other than adding your exclusions.

Your exclusions are as follows.

Quote

Exclusion Info:
========================================
Malware Exclusions:
C:\Program Files (x86)\Auslogics\Disk Defrag                                                            [folder]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics                                          [folder]
C:\ProgramData\Auslogics                                                                                [folder]
C:\Windows\System32\ndefrg.exe                                                                          [file]
C:\Windows\splwow64.exe                                                                                 [file]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_IS1|DISPLAYNAME    [regval]

Ransomware Exclusions:
C:\Program Files (x86)\Auslogics\Disk Defrag                                                            [folder]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics                                          [folder]
C:\ProgramData\Auslogics                                                                                [folder]
C:\Windows\System32\ndefrg.exe                                                                          [file]
C:\Windows\splwow64.exe                                                                                 [file]

Edited by Porthos

Perfect.  Thank you.  It is working fine now.  If only all problems could be solved so easily.  The Malwarebytes was uninstalled and reinstalled through the standard download previously.  A security issue had occurred where the license had been hijacked to another e-mail.  Malwarebytes support cancelled the subscription and created a new subscription.  The software that I was using was downloaded from the subscription e-mail link, but what was not done was the "Clean" removal of the previous version.  I usually suspect registry keys in this type of situation.  The support tool "clean" option does a good job of removing possible problems.  Thank you for your expeditious help!


4 minutes ago, JustJackAtlanta said:

The support tool "clean" option does a good job of removing possible problems. 

The issue actually was that some non-default settings were enabled that should not have been. Since you were out of date, I killed 2 birds with one stone and had you do a proper clean install.

If a feature is off by default, leave it that way or it leads to false positives.

Edited by Porthos
