Malwarebytes strikes again

JoeWinograd
Posts: 2182
Joined: 10 Feb 2014, 20:00
Location: U.S. Central Time Zone

Malwarebytes strikes again

09 Aug 2018, 03:05

Malwarebytes just detected AutoHotkey.exe as ransomware. Happened at 2:23am U.S. Central Time. The file doesn't appear in MBAM's quarantine, so I can't restore it, but MBAM has done something to the EXE file so that it won't run, and I can't delete it, rename it, or take ownership of it (any attempt to access the file gets "access denied"). Here's the logfile entry, fwiw (split across multiple lines for readability here, but it's one line in the logfile):

08/09/18 " 02:23:35.985" 262012836 0fcc 19e8 INFO AntiRansomwareControllerImpl
mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "ArwControllerImplHelper.cpp" 1166
"Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files\AutoHotkey\AutoHotkey.exe,
Sha256Hash=18cfbbe2eb182b94eb499837f57c70989c3c80343c99575d577b440f76cefb59"


It created this entry in Reports:
[Attachment: ahk mbam ransomware.png]
Anyone else get hit with this? Anyone know how to fix it? I can't run any AHK scripts now! Thanks, Joe
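The log line quoted above records both the flagged path and the SHA-256 the anti-ransomware module computed for it. A check a defender can run on a detection like this is to parse that line, hash the file actually on disk, and compare it to the logged hash (and to the hash the vendor publishes for the release, if one is available) before deciding whether to submit, exclude or restore anything. The following is an added example, not code from the thread or from Malwarebytes; the log line is a constructed copy of the one posted, joined back onto one line, and the `vendor_hash` value is a placeholder you would replace with the checksum from the AutoHotkey download page.

```python
import hashlib
import os
import re
import tempfile

# Constructed copy of the MBAM log entry quoted in the thread, joined back
# onto a single line as it appears in the real logfile.
SAMPLE_LOG_LINE = (
    '08/09/18 " 02:23:35.985" 262012836 0fcc 19e8 INFO AntiRansomwareControllerImpl '
    'mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback '
    '"ArwControllerImplHelper.cpp" 1166 '
    '"Received threat detection callback from ARW SDK, '
    'ObjectPath=C:\\Program Files\\AutoHotkey\\AutoHotkey.exe, '
    'Sha256Hash=18cfbbe2eb182b94eb499837f57c70989c3c80343c99575d577b440f76cefb59"'
)

# The two fields we care about: the flagged path and the 64-hex-digit SHA-256.
DETECTION_RE = re.compile(
    r'ObjectPath=(?P<path>[^,]+),\s*Sha256Hash=(?P<sha256>[0-9a-fA-F]{64})'
)


def parse_detection(line):
    """Return (object_path, sha256) from an ARW detection log line, or None
    when the line carries no ObjectPath/Sha256Hash pair."""
    m = DETECTION_RE.search(line)
    if m is None:
        return None
    return m.group("path").strip(), m.group("sha256").lower()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_log(line, local_path, vendor_hash=None):
    """Compare the on-disk file with the hash the detection logged and,
    optionally, with the hash published by the software vendor."""
    parsed = parse_detection(line)
    if parsed is None:
        return {"parsed": False}
    logged_path, logged_hash = parsed
    actual = sha256_of_file(local_path)
    result = {
        "parsed": True,
        "logged_path": logged_path,
        "logged_hash": logged_hash,
        "actual_hash": actual,
        "matches_log": actual == logged_hash,
    }
    if vendor_hash is not None:
        # A file that matches the vendor's checksum is the unmodified release,
        # which makes a false positive the most likely explanation.
        result["matches_vendor"] = actual == vendor_hash.lower()
    return result


def demo_verify(contents, vendor_hash=None):
    """Write constructed bytes to a temporary file, run the check, clean up.
    Stands in for pointing verify_against_log at the real AutoHotkey.exe."""
    fd, tmp_path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(contents)
        return verify_against_log(SAMPLE_LOG_LINE, tmp_path, vendor_hash)
    finally:
        os.remove(tmp_path)


if __name__ == "__main__":
    # Placeholder: substitute the SHA-256 from the AutoHotkey download page.
    VENDOR_HASH_PLACEHOLDER = "0" * 64
    outcome = demo_verify(b"constructed stand-in, not the real binary",
                          VENDOR_HASH_PLACEHOLDER)
    for key, value in outcome.items():
        print(f"{key}: {value}")
```

Run it against the real file by calling `verify_against_log(line, r"C:\Program Files\AutoHotkey\AutoHotkey.exe", vendor_hash)` with the line copied from the MBAM log; a mismatch between the on-disk hash and the logged hash means the file changed after the detection (as the thread's later posts suggest MBAM did to the executable), while a match against the vendor checksum is the evidence to attach to a false-positive report.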
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: Malwarebytes strikes again

09 Aug 2018, 05:36

With so many people getting false alerts, not just re: AHK, how long before computer users just turn it off or just don't trust it, especially as real viruses get through?
JoeWinograd
Posts: 2182
Joined: 10 Feb 2014, 20:00
Location: U.S. Central Time Zone

Re: Malwarebytes strikes again

09 Aug 2018, 08:16

evilC wrote: Submit it to VirusTotal.
Submit what to VT? I can't submit AutoHotkey.exe, because I can't access the file. Trying to do the upload gives this:
[Attachment: trying to upload to VirusTotal.png]
As I mentioned in the initial post, I can't take ownership of it. The PC is running W7 Pro, it's an admin account, not on a domain, and even with my file manager running elevated, it gives this when trying to set a new owner:
[Attachment: access denied admin elevated.png]
As also mentioned in my initial post, I can't delete it or rename it. Any ideas? Thanks, Joe
JoeWinograd
Posts: 2182
Joined: 10 Feb 2014, 20:00
Location: U.S. Central Time Zone

Re: Malwarebytes strikes again

09 Aug 2018, 12:20

Hi Xtra,
Thanks for the idea and the link. The "Exclude a Previously Detected Exploit" section of that article sounded very promising, but when I go through the steps, the list with the previously detected exploits is empty:
[Attachment: mbam previously detected exploit app list empty.png]
There's no way to manually enter data into the "Exploit hash" and "Application" fields:
[Attachment: mbam select previously detected exploit.png]
So, with the previously-detected list empty, there's no way to have it undo what it did to AutoHotkey.exe via that method. But it was a good thought. Thanks, Joe
Xtra
Posts: 2744
Joined: 02 Oct 2015, 12:15

Re: Malwarebytes strikes again

09 Aug 2018, 13:08

I would try excluding the folder where ahk is installed and then replacing the exe manually to that folder.
JoeWinograd
Posts: 2182
Joined: 10 Feb 2014, 20:00
Location: U.S. Central Time Zone

Re: Malwarebytes strikes again

09 Aug 2018, 13:40

Xtra wrote: I would try excluding the folder where ahk is installed and then replacing the exe manually to that folder.
I put the c:\Program Files\AutoHotkey\ folder in Exclusions, but, apparently, it doesn't counteract what MBAM already did to the EXE file. I can't delete it or rename it ("access denied"). When I tried to overwrite it (via an admin account and with the file manager running elevated), I got this:
[Attachment: overwrite denied.png]
Another good idea, but no dice. Thanks, Joe
Xtra
Posts: 2744
Joined: 02 Oct 2015, 12:15

Re: Malwarebytes strikes again

09 Aug 2018, 13:46

Log into the OS in safe mode; then you won't be restricted. (F8 on boot)
JoeWinograd
Posts: 2182
Joined: 10 Feb 2014, 20:00
Location: U.S. Central Time Zone

Re: Malwarebytes strikes again

09 Aug 2018, 14:07

Will try that as soon as I have an opening to shut down... should be able to do it fairly soon, but not immediately. Thanks!
JoeWinograd
Posts: 2182
Joined: 10 Feb 2014, 20:00
Location: U.S. Central Time Zone

Re: Malwarebytes strikes again

09 Aug 2018, 18:14

Well, this just got weirder. I did a shutdown and restarted, but my many frequent F8 taps didn't take, so I couldn't boot into Safe Mode. Guess what? AutoHotkey.exe is back to normal! Whatever MBAM did to it has been undone. The icon on AutoHotkey.exe, which had changed from the white-on-green "H" to some nondescript icon (wish I had captured a screenshot of it) is now back to the normal white-on-green "H" — and it is running perfectly. I suppose creating the MBAM Exclusion for the c:\Program Files\AutoHotkey\ folder might have done the trick, but I'm skeptical of that.

I really don't know what's going on with this. I filed a bug report with MBAM Support, but haven't heard back from them. If anything interesting comes to light, I'll post it here. Otherwise, my thanks to everyone who helped. Regards, Joe
JoeWinograd
Posts: 2182
Joined: 10 Feb 2014, 20:00
Location: U.S. Central Time Zone

Re: Malwarebytes strikes again

21 Aug 2018, 22:14

For anyone following this thread, I heard back from MBAM. They admit that this was a bug in MBAM and that their "researchers" say that "this has been fixed". The support rep also said, "you should be able to remove the exclusion and you will not have any more trouble." I haven't been brave enough to do that yet. :) Regards, Joe
