Malwarebytes vulnerability that opens the computer to attacks


A few days ago (25/01/2023) my computer started slowing down and freezing in some instances. The Malwarebytes program that has been running on my computer did detect a potentially malicious file from a BitTorrent application folder which was uninstalled sometime last year, so I didn't have BitTorrent installed at the time; it was rather a remnant folder from a previous uninstallation.

Ideally, the previous settings on Malwarebytes were to quarantine suspicious files of that nature, and it didn't do that. The file in question was something like 7.10.3_44495.EXE and it was stored in the BitTorrent updates file. From the report, this detection was flagged on 26/01/2023 and 27/01/2023 as well.

Fast forward to 05/02/2023, my Malwarebytes crashed unexpectedly and I had to restart the program manually. Now on 08/02/2023, my computer started producing a bleeping sound (the computer was on and overheating gradually while the fan was roaring wildly). At this point I suspected something was seriously wrong. So I turned off my Wi-Fi connection and configured a custom scan which lasted 48 hours.

During this period there were three Bitcoin miner files detected to be running on my computer which I did not install. The names of the files were: XMR-STAK-CPU.EXE, NSCPUCNMINER32.EXE and NSCPUCNMINER64.EXE.

These programs were detected after 12 hours of scanning and while the internet was disconnected, which could not have happened if the computer was online (the malware seemingly has capabilities to adapt to periods when the computer is being scanned and connected to the internet, which is often the case and on a daily basis).

After Malwarebytes quarantined the files and everything looked normal, it crashed on 10/02/2023 again. I reopened it manually and restored the advanced security measures to default (some of them were surprisingly turned off despite the fact that I had put all of them in default mode).

So, this morning I checked the crash dump files and found two sizeable files related to Malwarebytes that correspond to the mentioned dates. Using the WinDbg app, I assessed the files to understand why the application crashed twice within the same week and it indicated this: "0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application." This was the case for both dump files as attached in the text file herein. It could also explain why I had to restore default settings on the Advanced Exploit Protection Settings (Memory patch hijack protection, Stack pivoting protection and Dynamic anti-heap spraying reinforcement).

I have since updated the Malwarebytes application and don't know if it will resolve this issue. Given that my settings are password protected, this inherent flaw in Malwarebytes could be something beyond the current security measures and needs to be addressed soon.

 

Malwarebytes vulnerability report.txt

Edited by AdvancedSetup
Edited for readability and grammar
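The poster reached the 0xc0000409 code by opening the crash dumps in WinDbg. The same correlation can be done without dumps, because Windows also records each application crash in the Application event log (provider "Application Error", Event ID 1000) with the faulting application, faulting module and exception code. The script below is an added example written for this thread, not code from the original post or from Malwarebytes: it lists those events from the last N days, keeps the ones whose exception code is 0xc0000409, and optionally filters on one process name. The default process name `mbam.exe` is an assumption about which Malwarebytes binary crashed; adjust it to whatever the dump files named. One caveat worth keeping in mind when reading the output: on current Windows, 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN) is also the code raised by any `__fastfail` abort, so the faulting module, repeated across events, is the more useful signal than the code alone.

```powershell
# Added example (not from the thread): list Application Error (Event ID 1000) crash
# events with exception code 0xc0000409 for a given process, read-only.
param(
    # Assumed name of the crashing process; change to the name shown in your dumps.
    [string]$ProcessName = 'mbam.exe',
    [int]$Days = 30
)

# Pull crash records from the Application log; the provider name and Event ID are
# the standard ones Windows uses for an application fault.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $msg = $_.Message
    # The event text carries "Faulting application name: ..., Faulting module name: ...,
    # Exception code: 0x..."; parse those fields from the text rather than depending on
    # the positional property layout, which differs between Windows builds.
    $app  = if ($msg -match 'Faulting application name:\s*([^,]+)') { $Matches[1].Trim() } else { $null }
    $mod  = if ($msg -match 'Faulting module name:\s*([^,]+)')      { $Matches[1].Trim() } else { $null }
    $code = if ($msg -match 'Exception code:\s*(0x[0-9A-Fa-f]+)')   { $Matches[1].ToLower() } else { $null }
    [PSCustomObject]@{
        Time           = $_.TimeCreated
        Application    = $app
        FaultingModule = $mod
        ExceptionCode  = $code
    }
} | Where-Object {
    $_.ExceptionCode -eq '0xc0000409' -and
    ([string]::IsNullOrEmpty($ProcessName) -or $_.Application -ieq $ProcessName)
} | Sort-Object Time | Format-Table -AutoSize
```

Save it as a `.ps1` file and run it from an elevated PowerShell prompt, e.g. `.\Find-StackOverrunCrashes.ps1 -ProcessName mbam.exe -Days 60`; pass an empty `-ProcessName ''` to see every 0xc0000409 crash on the machine. If the two dates the poster mentions (05/02/2023 and 10/02/2023) show up with the same faulting module, that is the detail a support engineer would want alongside the dump files.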

  • Root Admin

Hello @avafranc

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer. Please allow the programs to run if they are blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram shows that the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop; please upload that file in your next reply

Thank you

 


  • Root Admin

The computer looks to have been having issues for a while now. We'll scan, clean, and get things working properly again for you. @avafranc

 

[ 1 ]

Please go to Control Panel, Programs, Programs and Features and uninstall the following

 

  • CCleaner (computer experts no longer recommend this program)
  • Java 8 Update 281 (old compromised version)
  • Java SE Development Kit 7 Update 51 (old compromised version)

 

[ 2 ]

There are various errors that appear to be affecting your database install as well. Part of the clean-up process might help some, but if there really is an internal database issue you'll need to use the database tools to help correct it.

 

Error: (02/11/2023 08:12:32 AM) (Source: Microsoft-Windows-PerfNet) (EventID: 2004) (User: FRANKY-PC)
Description: Unable to open the Server service performance object. The first four bytes (DWORD) of the Data section contains the status code.

Error: (02/11/2023 08:08:19 AM) (Source: MySQL) (EventID: 100) (User: )
Description: InnoDB: Table arincdb/usermessages in the InnoDB data dictionary has tablespace id 33, but tablespace with that id or name does not exist. Have you deleted or moved .ibd files? This may also be a table created with CREATE TEMPORARY TABLE whose .ibd and .frm files MySQL automatically removed, but the table still exists in the InnoDB internal data dictionary.

For more information, see Help and Support Center at http://www.mysql.com.

Error: (02/11/2023 08:08:19 AM) (Source: MySQL) (EventID: 100) (User: )
Description: InnoDB: Table arincdb/userdetails in the InnoDB data dictionary has tablespace id 26, but tablespace with that id or name does not exist. Have you deleted or moved .ibd files? This may also be a table created with CREATE TEMPORARY TABLE whose .ibd and .frm files MySQL automatically removed, but the table still exists in the InnoDB internal data dictionary.

For more information, see Help and Support Center at http://www.mysql.com.

Error: (02/11/2023 08:08:19 AM) (Source: MySQL) (EventID: 100) (User: )
Description: InnoDB: Table arincdb/userauth in the InnoDB data dictionary has tablespace id 30, but tablespace with that id or name does not exist. Have you deleted or moved .ibd files? This may also be a table created with CREATE TEMPORARY TABLE whose .ibd and .frm files MySQL automatically removed, but the table still exists in the InnoDB internal data dictionary.

For more information, see Help and Support Center at http://www.mysql.com.

Error: (02/11/2023 08:05:42 AM) (Source: Microsoft-Windows-Perflib) (EventID: 1000) (User: NT AUTHORITY)
Description: Access to performance data was denied to user "SYSTEM" (value from GetUserName() for the running thread) as attempted from module "C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe" (value from GetModuleFileName() for the binary that issued the query).

Error: (02/11/2023 08:04:38 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.

Error: (02/11/2023 08:04:38 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]

 

[ 3 ]

Is this program still valid and used on purpose by you?

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Virtual Router Manager.lnk [2016-01-25]
ShortcutTarget: Virtual Router Manager.lnk -> C:\Windows\Installer\{BE905C46-2B34-4D73-AEE1-769ED138E0FF}\_118D1A4EFFA6998C3492EB.exe () [File not signed]

 

[ 4 ]

Are you still using this program?

Task: {50B52F49-31C0-4630-8C42-5A5027E3B37B} - System32\Tasks\Hide My IP => C:\Program Files (x86)\Hide My IP 6\HideMyIP.exe /startup (No File)

[ 5 ]

Are you using this PROXY on purpose?

ProxyServer: [S-1-5-21-3750880910-1112175924-3655927385-1001] => proxy.uonbi.ac.ke:80

[ 6 ]

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

FF Notifications: Mozilla\Firefox\Profiles\oyrbjezp.default-1592570146962 -> hxxps://webmail.pg.edu.pl; hxxps://pl.pinterest.com

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

[ 7 ]

Running an FTP Server from 2012 is extremely insecure

R2 FileZilla Server; C:\xampp\filezillaftp\filezillaserver.exe [632320 2012-02-26] (FileZilla Project) [File not signed]
R2 FileZillaServer; C:\xampp\filezillaftp\filezillaserver.exe [632320 2012-02-26] (FileZilla Project) [File not signed]

 

[ 8 ]

The same with running MySQL from 2014

R2 mysql; C:\xampp\mysql\bin\mysqld.exe [11021824 2014-09-11] () [File not signed]

R2 Tomcat7; C:\xampp\tomcat\bin\tomcat7.exe [86656 2014-09-26] (CodeSigning for The Apache Software Foundation -> Apache Software Foundation)

[ 9 ]

Running a video converter from 2011 - up to you, but there are many better tools today

S3 anvsnddrv; C:\WINDOWS\system32\drivers\anvsnddrv.sys [33872 2011-11-28] (AnvSoft Co., Ltd. -> AnvSoft Inc.)

 

[ 10 ]

Not saying any of these files are bad. However, in general most files do not belong in the root of the Local folder or Roaming folder. Please check and verify they need to be there.

2015-10-05 20:05 - 2015-12-14 21:16 - 000000074 _____ () C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
2019-11-02 21:21 - 2023-01-12 05:13 - 000017929 _____ () C:\Users\Frank\AppData\Roaming\gnuplot_history
2020-06-10 15:34 - 2020-06-10 15:34 - 000000096 _____ () C:\Users\Frank\AppData\Roaming\version2.xml
2020-02-07 11:54 - 2020-02-07 11:54 - 000000218 _____ () C:\Users\Frank\AppData\Local\.recently-used.xbel
2020-03-30 13:26 - 2020-06-29 09:43 - 000148480 _____ () C:\Users\Frank\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-03-22 14:52 - 2016-03-22 14:52 - 000004096 ____H () C:\Users\Frank\AppData\Local\keyfile3.drm
2020-02-26 20:58 - 2020-08-23 07:20 - 000000128 _____ () C:\Users\Frank\AppData\Local\PUTTY.RND
2023-01-03 22:55 - 2020-07-15 19:42 - 000125158 _____ () C:\Users\Frank\AppData\Local\PyCharmCE2022.3_223.8214.51_Uninstall.exe
2022-04-27 21:33 - 2022-04-27 21:33 - 000000722 _____ () C:\Users\Frank\AppData\Local\recently-used.xbel
2015-10-01 19:59 - 2016-04-02 16:12 - 000007597 _____ () C:\Users\Frank\AppData\Local\resmon.resmoncfg
2017-09-02 20:18 - 2018-09-18 07:56 - 000222208 _____ () C:\Users\Frank\AppData\Local\WebpageIcons.db
2021-04-02 06:41 - 2021-04-02 06:41 - 000000000 _____ () C:\Users\Frank\AppData\Local\{D047F1D7-5B14-4E25-A1D8-F1C39DC1D962}

 

[ 11 ]

Please run the following fix

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\Frank\Downloads\

NOTE: It's important that both files, FRSTEnglish.exe and fixlist.txt, are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed in most, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

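The findings in items [ 3 ], [ 4 ], [ 5 ], [ 7 ] and [ 8 ] above were read off an FRST log: a startup-folder shortcut pointing at an unsigned binary, a scheduled task whose executable no longer exists, a per-user proxy setting, and auto-start services whose binaries are not signed. As an added example for this thread (not code from the original post, from Farbar or from Malwarebytes), the PowerShell script below runs the same four checks directly against the live machine using built-in cmdlets and the standard Internet Settings registry key, and prints one row per finding. It is read-only; it changes nothing. The object layout and column names are my own choices.

```powershell
# Added example (not from the thread): read-only audit of the persistence and network
# settings a support engineer reads off an FRST log. Run from an elevated prompt so
# that service and task data are complete.

# [ 5 ] Per-user proxy (FRST lists it under the user's SID; HKCU is the current user)
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
[PSCustomObject]@{ Check = 'Proxy'; Item = 'ProxyEnable'; Target = $inet.ProxyEnable; Signature = '' }
[PSCustomObject]@{ Check = 'Proxy'; Item = 'ProxyServer'; Target = $inet.ProxyServer; Signature = '' }

# [ 3 ] Startup-folder shortcuts (all users and current user) with their targets
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)
Get-ChildItem -Path $startupDirs -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    $sig = if ($target -and (Test-Path $target)) { (Get-AuthenticodeSignature $target).Status } else { 'TargetMissing' }
    [PSCustomObject]@{ Check = 'StartupLnk'; Item = $_.Name; Target = $target; Signature = $sig }
}

# [ 4 ] Scheduled tasks whose executable cannot be found (FRST prints these as "(No File)")
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        # Bare names such as cmd.exe resolve through PATH, so try Get-Command as well
        $found = (Test-Path $exe) -or ($null -ne (Get-Command $exe -ErrorAction SilentlyContinue))
        if (-not $found) {
            [PSCustomObject]@{ Check = 'TaskNoFile'; Item = $task.TaskName; Target = $exe; Signature = '' }
        }
    }
}

# [ 7 ] / [ 8 ] Auto-start services whose binary has no valid Authenticode signature
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } | ForEach-Object {
    # PathName may be quoted and may carry arguments; keep only the executable path
    $p = $_.PathName.Trim()
    $exe = if ($p.StartsWith('"')) { $p.Split('"')[1] } else { ($p -split '\s+(?=[-/])')[0].Trim() }
    if (Test-Path $exe) {
        $status = (Get-AuthenticodeSignature $exe).Status
        if ($status -ne 'Valid') {
            [PSCustomObject]@{ Check = 'UnsignedService'; Item = $_.Name; Target = $exe; Signature = $status }
        }
    }
}
```

Pipe the script's output to `Format-Table -AutoSize` or `Export-Csv` to keep a record before and after the fix. Treat the signature column as a triage signal rather than a verdict: a NotSigned status on an old XAMPP binary is exactly what the log above shows, but it still needs the same "are you using this on purpose?" question the Root Admin asked.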

  • Root Admin

Thank you @avafranc, I found the block and have removed it in our Clean Talk spam prevention tool. You should be able to post okay now.

The log you posted looks okay overall.

Let me have you run the following please.

 

 

Please download the following tool

Farbar Service Scanner and run it on the computer with the issue
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run from.
Please attach the log to your next reply.

 


  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
