Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Curious behavior, not sure whether malware or not


  • This topic is locked This topic is locked
4 replies to this topic

#1 saluqi

saluqi

  • Members
  • 645 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:southern San Joaquin Valley, Calfornia
  • Local time:10:47 PM

Posted 02 July 2018 - 10:26 PM

Dell XPS 8700, Win 10 Pro 64 bit version 1803, Avast Premier, MBAM Premium.  Curious behavior: for the last several days, every time I used MS Word (part of MS Office 365) I got a notice from MBAM saying it had blocked an "exploit".  This happened every time I closed MS Word, whether or not I had actually opened any Word file.  It did NOT happen with other MS Office components (PowerPoint, Excel etc.).  It happened only on closing MS Word, not during file operations within Word.  Those all proceeded normally.

 

In preparation for this FRST run, I ran a complete image backup using Macrium Reflect 7.  I first tried to use an external HDD that had fallen on the floor; some of the resulting errors show in the FRST scan log.

 

After running a successful Macrium image backup to another, undamaged external HDD, I can no longer reproduce the MBAM "exploit" message - I can open and close MS Word and nothing at all happens.

 

There have been no other symptoms than the MBAM notifications - the computer and all programs have run normally, except for the problems created by the damaged external HDD (disabled mouse, disabled keyboard, disabled APC PowerChute connection, and many error messages).  Those problems ceased upon disconnecting the USB 3 cable between the damaged HDD and the computer.

 

Even 1/4 of FRST.txt was too long to post here.  Nearly all of the entries are in the "Registry" section, in a list of Group Policy Restrictions.

 

I have attached FRST.txt and Addition.txt

 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:47 AM

Posted 03 July 2018 - 08:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

These restrictions on Software are set by the Crypto Prevent you have installed.
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.crt <==== ATTENTION

etc....
----

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
CloseProcesses:

GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

HKU\S-1-5-21-1983444219-1921732429-727815663-1001\...\ChromeHTML: ->  <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [1074]

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

#3 saluqi

saluqi
  • Topic Starter

  • Members
  • 645 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:southern San Joaquin Valley, Calfornia
  • Local time:10:47 PM

Posted 03 July 2018 - 11:12 AM

Yes, I had quickly realized that all those software restrictions must have resulted from CryptoPrevent.  Ouch.

 

Please note that the original problem that started this investigation seems to have disappeared, as per my message #1 above.  I can now open and close MS Word without receiving an "exploit" notification from Malwarebytes.  The notice appeared only when I closed MS Word, and it appeared whether or not I had actually opened a file in Word.  Since running the Macrium image backup, the "curious behavior" has disappeared.

 

I have created the prescribed Fixlist.txt on the desktop, where FRST is located.

 

I want to be sure I run FRST correctly.  When I open FRST, what should I see and what should I do (i.e. "click on Fix once" or should Fix be the only thing checked?)

 

Thanks



#4 saluqi

saluqi
  • Topic Starter

  • Members
  • 645 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:southern San Joaquin Valley, Calfornia
  • Local time:10:47 PM

Posted 03 July 2018 - 12:12 PM

Never mind, I figured it out.

 

At this point I am not aware of any problem remaining on this computer.

 

Very much thanks!

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
Ran by John (03-07-2018 10:03:13) Run:1
Running from C:\Users\John\Desktop
Loaded Profiles: John (Available Profiles: John & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
CloseProcesses:
 
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
 
HKU\S-1-5-21-1983444219-1921732429-727815663-1001\...\ChromeHTML: ->  <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [1074]
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => removed successfully
"HKU\S-1-5-21-1983444219-1921732429-727815663-1001_Classes\ChromeHTML" => removed successfully
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully
 
 
The system needed a reboot.
 
==== End of Fixlog 10:03:45 ====


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:47 AM

Posted 04 July 2018 - 06:27 AM

Hi,

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users