Malwarebytes just detected AutoHotkey.exe as ransomware. Happened at 2:23am U.S. Central Time. The file doesn't appear in MBAM's quarantine, so I can't restore it, but MBAM has done something to the EXE file so that it won't run, and I can't delete it, rename it, or take ownership of it (any attempt to access the file gets "access denied"). Here's the logfile entry, fwiw (split across multiple lines for readability here, but it's one line in the logfile):
08/09/18 " 02:23:35.985" 262012836 0fcc 19e8 INFO AntiRansomwareControllerImpl
mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 1166
"Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files\AutoHotkey\AutoHotkey.exe,
Sha256Hash=18cfbbe2eb182b94eb499837f57c70989c3c80343c99575d577b440f76cefb59"
It created this entry in Reports:
Anyone else get hit with this? Anyone know how to fix it? I can't run any AHK scripts now! Thanks, Joe
Malwarebytes strikes again
- JoeWinograd
- Posts: 2182
- Joined: 10 Feb 2014, 20:00
- Location: U.S. Central Time Zone
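Added example (not from the thread or from Malwarebytes): a PowerShell snippet, assuming Windows PowerShell 5 or later for Get-FileHash, that pulls the path and SHA-256 out of the log entry quoted above, reports the file's owner and ACL (useful when every access returns "access denied"), and checks whether the file still on disk matches the flagged hash. Since the hash itself can be searched on VirusTotal, this also sidesteps the problem of not being able to upload the file.

```powershell
# Added example (not from the thread): parse the MBAM ARW log line quoted in the
# first post (reassembled onto one line here), then compare the file on disk
# with the hash that was flagged. Assumes Windows PowerShell 5+ (Get-FileHash).
$logLine = '08/09/18 " 02:23:35.985" 262012836 0fcc 19e8 INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 1166 "Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files\AutoHotkey\AutoHotkey.exe, Sha256Hash=18cfbbe2eb182b94eb499837f57c70989c3c80343c99575d577b440f76cefb59"'

# Extract ObjectPath and Sha256Hash from the message text.
if ($logLine -notmatch 'ObjectPath=(?<path>[^,]+),\s*Sha256Hash=(?<hash>[0-9a-fA-F]{64})') {
    throw 'Log line does not contain an ObjectPath/Sha256Hash pair.'
}
$flaggedPath = $Matches['path']
$flaggedHash = $Matches['hash'].ToUpperInvariant()

"Flagged file : $flaggedPath"
"Flagged hash : $flaggedHash"

# Owner and access control entries: explains who is allowed to touch the file.
try {
    $acl = Get-Acl -LiteralPath $flaggedPath -ErrorAction Stop
    "Owner        : $($acl.Owner)"
    $acl.Access | ForEach-Object {
        "  {0,-6} {1,-40} {2}" -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
    }
} catch {
    "Owner/ACL    : could not read ACL ($($_.Exception.Message))"
}

# Hash the file as it is now and compare with what MBAM logged.
# -eq is case-insensitive in PowerShell, and Get-FileHash returns upper-case hex.
try {
    $onDisk = (Get-FileHash -LiteralPath $flaggedPath -Algorithm SHA256 -ErrorAction Stop).Hash
    "On-disk hash : $onDisk"
    if ($onDisk -eq $flaggedHash) {
        'Result       : file is byte-identical to the flagged binary; look the hash up on VirusTotal instead of uploading the file.'
    } else {
        'Result       : file differs from the flagged binary (replaced, modified, or a quarantined stub).'
    }
} catch {
    "On-disk hash : could not read file ($($_.Exception.Message))"
}
```

If the ACL and hash reads both fail with "access denied" even from an elevated prompt, the block is coming from the kernel-mode protection driver rather than from NTFS permissions, which is consistent with what the original poster saw.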
Re: Malwarebytes strikes again
Submit it to VirusTotal. If it turns out to be a false positive, whitelist it.
- Posts: 1472
- Joined: 05 May 2018, 12:23
Re: Malwarebytes strikes again
With so many people getting false alerts, not just re: AHK, how long before computer users just turn it off or just don't trust it, especially as real viruses get through?
- JoeWinograd
- Posts: 2182
- Joined: 10 Feb 2014, 20:00
- Location: U.S. Central Time Zone
Re: Malwarebytes strikes again
evilC wrote: Submit it to VirusTotal.
Submit what to VT? I can't submit AutoHotkey.exe, because I can't access the file. Trying to do the upload gives this:
As I mentioned in the initial post, I can't take ownership of it. The PC is running W7 Pro, it's an admin account, not on a domain, and even with my file manager running elevated, it gives this when trying to set a new owner:
As also mentioned in my initial post, I can't delete it or rename it. Any ideas? Thanks, Joe
- JoeWinograd
- Posts: 2182
- Joined: 10 Feb 2014, 20:00
- Location: U.S. Central Time Zone
Re: Malwarebytes strikes again
Hi Xtra,
Thanks for the idea and the link. The "Exclude a Previously Detected Exploit" section of that article sounded very promising, but when I go through the steps, the list with the previously detected exploits is empty:
There's no way to manually enter data into the "Exploit hash" and "Application" fields:
So, with the previously-detected list empty, there's no way to have it undo what it did to AutoHotkey.exe via that method. But it was a good thought. Thanks, Joe
Re: Malwarebytes strikes again
I would try excluding the folder where ahk is installed and then replacing the exe manually to that folder.
- JoeWinograd
- Posts: 2182
- Joined: 10 Feb 2014, 20:00
- Location: U.S. Central Time Zone
Re: Malwarebytes strikes again
Xtra wrote: I would try excluding the folder where ahk is installed and then replacing the exe manually to that folder.
I put the c:\Program Files\AutoHotkey\ folder in Exclusions, but, apparently, it doesn't counteract what MBAM already did to the EXE file. I can't delete it or rename it ("access denied"). When I tried to overwrite it (via an admin account and with the file manager running elevated), I got this:
Another good idea, but no dice. Thanks, Joe
Re: Malwarebytes strikes again
Log into the OS in safe mode, then you won't be restricted. (F8 on boot)
- JoeWinograd
- Posts: 2182
- Joined: 10 Feb 2014, 20:00
- Location: U.S. Central Time Zone
Re: Malwarebytes strikes again
Will try that as soon as I have an opening to shut down...should be able to do it fairly soon, but not immediately. Thanks!
- JoeWinograd
- Posts: 2182
- Joined: 10 Feb 2014, 20:00
- Location: U.S. Central Time Zone
Re: Malwarebytes strikes again
Well, this just got weirder. I did a shutdown and restarted, but my many frequent F8 taps didn't take, so I couldn't boot into Safe Mode. Guess what? AutoHotkey.exe is back to normal! Whatever MBAM did to it has been undone. The icon on AutoHotkey.exe, which had changed from the white-on-green "H" to some nondescript icon (wish I had captured a screenshot of it) is now back to the normal white-on-green "H" — and it is running perfectly. I suppose creating the MBAM Exclusion for the c:\Program Files\AutoHotkey\ folder might have done the trick, but I'm skeptical of that.
I really don't know what's going on with this. I filed a bug report with MBAM Support, but haven't heard back from them. If anything interesting comes to light, I'll post it here. Otherwise, my thanks to everyone who helped. Regards, Joe
- JoeWinograd
- Posts: 2182
- Joined: 10 Feb 2014, 20:00
- Location: U.S. Central Time Zone
Re: Malwarebytes strikes again
For anyone following this thread, I heard back from MBAM. They admit that this was a bug in MBAM and that their "researchers" say that "this has been fixed". The support rep also said, "you should be able to remove the exclusion and you will not have any more trouble." I haven't been brave enough to do that yet. Regards, Joe