Exploit Office WMI abuse blocked


Hello, while surfing the internet I received a notification regarding the detection of an exploit. I am asking for help in getting rid of the threat.
Malwarebytes
www.malwarebytes.com

-Szczegóły raportu-
Data zdarzenia ochrony: 30.03.2022
Czas zdarzenia ochrony: 19:44
Plik raportu: 15479e4c-b051-11ec-9cf3-0c9d9284f00c.json

-Informacje o oprogramowaniu-
Wersja: 4.5.6.180
Wersja komponentów: 1.0.1634
Aktualna wersja pakietu: 1.0.53052
Licencja: Premium

-Informacje o systemie-
System operacyjny: Windows 11 (Build 22000.556)
Procesor: x64
System plików: NTFS
Użytkownik: System

-Eksportuj szczegóły-
Plik: 0
(Nie wykryto zagrożeń)

Zagrożenie wykorzystujące lukę w oprogramowaniu: 1
Malware.Exploit.Agent.Generic, explorer.exe, Zablokowano, 0, 392684, 0.0.0, , 

-Dane zagrożenia wykorzystującego lukę w oprogramowaniu-
Powiązana aplikacja: Windows Control Panel
Warstwa ochrony: Application Behavior Protection
Technika ochrony: Exploit Office WMI abuse blocked
Nazwa pliku: explorer.exe
Adres URL: 

(end)


  • Root Admin

Hello @_A00

Can you please do the following?

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall. The computer will restart to complete

After the restart please do the following

  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you


  • Root Admin

Thank you for the logs

Please restart the computer one more time, then run the following.

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run and go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Thank you


SecurityCheck by glax24 & Severnyj v.1.4.0.54 [06.12.21]
WebSite: www.safezone.cc
DateLog: 30.03.2022 22:14:06
Path starting: C:\Users\patry\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: patry
VersionXML: 9.65is-29.03.2022
___________________________________________________________________________

Windows 11(6.3.22000) (x64) Professional Release: 21H2 Lang: Polish(0415)
Installation date OS: 10.02.2022 17:26:54
LicenseStatus: Windows(R), Professional edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files\Google\Chrome\Application\chrome.exe
SystemDrive: C: FS: [NTFS] Capacity: [476.2 Gb] Used: [82.2 Gb] Free: [394 Gb]
------------------------------- [ Windows ] -------------------------------
User Account Control enabled (Level 3)
Centrum zabezpieczeń (wscsvc) - The service is running
Rejestr zdalny (RemoteRegistry) - The service has stopped
Odnajdywanie SSDP (SSDPSRV) - The service has stopped
Usługi pulpitu zdalnego (TermService) - The service has stopped
Zdalne zarządzanie systemem Windows (WS-Management) (WinRM) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (disabled and up to date)
Malwarebytes (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Zapora Windows Defender (mpssvc) - The service is running
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Malwarebytes version 4.5.7.186 v.4.5.7.186 [+]
--------------------------- [ OtherUtilities ] ----------------------------
Steam v.2.10.91.91
Epic Games Launcher v.1.3.0.0
------------------------------ [ ArchAndFM ] ------------------------------
WinRAR 6.10 (64-bitowy) v.6.10.0 Warning! Download Update
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox (x64 pl) v.97.0.1 Warning! Download Update
Google Chrome v.100.0.4896.60 [+]
Microsoft Edge v.99.0.1150.55
------------------ [ AntivirusFirewallProcessServices ] -------------------
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe v.4.0.0.1290
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe v.4.0.0.1290
Malwarebytes Service (MBAMService) - The service is running
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe v.3.2.0.1051
Usługa Program antywirusowy Microsoft Defender (WinDefend) - The service has stopped
Usługa inspekcji sieci Programu antywirusowego Microsoft Defender (WdNisSvc) - The service has stopped
----------------------------- [ End of Log ] ------------------------------

  • Root Admin

Please go ahead and run the following

Microsoft Safety Scanner

Please make sure you exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited, and that messenger programs are exited and closed as well.

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you

Microsoft Safety Scanner v1.361, (build 1.361.1015.0)
Started On Wed Mar 30 23:51:31 2022

Engine: 1.1.19100.5
Signatures: 1.361.1015.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

Quick Scan Results:
-------------------
Threat Detected: VirTool:Win32/DefenderTamperingRestore and Removed!
  Action: Remove, Result: 0x00000000
    regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
        SigSeq: 0x0000055555C57273

Results Summary:
----------------
Found VirTool:Win32/DefenderTamperingRestore and Removed!
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Wed Mar 30 23:53:25 2022


Return code: 6 (0x6)

---------------------------------------------------------------------------------------
Microsoft Safety Scanner v1.361, (build 1.361.1015.0)
Started On Wed Mar 30 23:53:28 2022

Engine: 1.1.19100.5
Signatures: 1.361.1015.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Thu Mar 31 00:29:03 2022


Return code: 0 (0x0)
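The MSERT log above removed a DisableAntiSpyware value under the Windows Defender key, and the earlier SecurityCheck log showed the WinDefend service stopped. The following PowerShell check, added here and not part of the thread or any Malwarebytes tool, verifies from an elevated prompt that the value is gone and reports the Defender service state; the Policies key is an assumed second location worth reading, not one named in the logs.

```powershell
# Added example (not from the thread): confirm the tampering value MSERT
# reported is no longer set and see whether Defender is back in service.
# Run from an elevated PowerShell prompt.

$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender',           # key named in the MSERT log
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'   # assumed extra location to check
)

foreach ($p in $paths) {
    $v = (Get-ItemProperty -Path $p -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($null -eq $v) {
        "{0}: DisableAntiSpyware not present (expected after cleanup)" -f $p
    } elseif ($v -eq 1) {
        "{0}: DisableAntiSpyware = 1  <-- Defender is still turned off by this value" -f $p
    } else {
        "{0}: DisableAntiSpyware = {1}" -f $p, $v
    }
}

# Service state. Note: when a third-party AV such as Malwarebytes is registered
# with Security Center, Windows itself keeps WinDefend stopped, so a stopped
# service alone is not evidence of tampering; the registry value above is.
Get-Service -Name WinDefend, WdNisSvc -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# Defender's own view of its state, when the Defender module is available.
try {
    Get-MpComputerStatus |
        Select-Object AMServiceEnabled, AntispywareEnabled, RealTimeProtectionEnabled
} catch {
    "Get-MpComputerStatus unavailable: $($_.Exception.Message)"
}
```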

  • Root Admin

That looks good.

At this time the computer does not appear to show signs of an infection. Unless you're seeing or having other issues we should be done here now.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

Malwarebytes Browser Guard

uBlock Origin

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes


# Run at 31.03.2022 11:37:41
# KpRm (Kernel-panik) version 2.9.3
# Website https://kernel-panik.me/tool/kprm/
# Run by patry from C:\Users\patry\Downloads
# Computer Name: DESKTOP-R6LRBVL
# OS: Windows 10 X64 (22000) 
# Number of passes: 1

- Checked options -

    ~ Registry Backup
    ~ Delete Tools
    ~ Restore System Settings
    ~ UAC Restore
    ~ Delete Restore Points
    ~ Create Restore Point
    ~ Delete Quarantines

- Create Registry Backup -

   ~ [OK] Hive C:\WINDOWS\System32\config\SOFTWARE backed up
   ~ [OK] Hive C:\Users\patry\NTUSER.dat backed up

     [OK] Registry Backup: C:\KPRM\backup\2022-03-31-11-37-41

- Delete Tools -


  ## AdwCleaner
     [OK] C:\Users\patry\Downloads\adwcleaner_8.3.1.exe deleted
     [OK] C:\AdwCleaner deleted

  ## FRST
     [OK] C:\Users\patry\Downloads\Addition.txt deleted
     [OK] C:\Users\patry\Downloads\FRST.txt deleted
     [OK] C:\Users\patry\Downloads\FRSTEnglish.exe deleted
     [OK] C:\FRST deleted

- Restore System Settings -

     [OK] Reset WinSock
     [OK] FLUSHDNS
     [OK] Hide Hidden file.
     [OK] Show Extensions for known file types
     [OK] Hide protected operating system files

- Restore UAC -

     [OK] Set EnableLUA with default (1) value
     [OK] Set ConsentPromptBehaviorAdmin with default (5) value
     [OK] Set ConsentPromptBehaviorUser with default (3) value
     [OK] Set EnableInstallerDetection with default (0) value
     [OK] Set EnableSecureUIAPaths with default (1) value
     [OK] Set EnableUIADesktopToggle with default (0) value
     [OK] Set EnableVirtualization with default (1) value
     [OK] Set FilterAdministratorToken with default (0) value
     [OK] Set PromptOnSecureDesktop with default (1) value
     [OK] Set ValidateAdminCodeSignatures with default (0) value

- Clear Restore Points -

   ~ [OK] RP named Zainstalowano: Microsoft Visual C++ 2005 Redistributable created at 03/26/2022 10:38:31 deleted
   ~ [OK] RP named Instalator modułów systemu Windows created at 03/30/2022 17:50:58 deleted
     [OK] All system restore points have been successfully deleted

- Create Restore Point -

     [OK] System Restore Point created

- Display System Restore Point -

   ~ RP named KpRm created at 03/31/2022 09:37:48

-- KPRM finished in 13.77s --

Thank you for your time.


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you
