Is Mssecsvc.exe Really Ransomware Or A False Positive?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by techtitan, Mar 3, 2018.

  1. techtitan

    techtitan Specialist

I recently installed BitDefender Total Security 2018 as my new go-to for security (after my last license with another brand expired). Yesterday it gave a report that the file mssecsvc.exe in the Windows folder is infected with ransomware Wanna.Cryptor. This was a shock to say the least, considering my setup. I moved it to quarantine and did some research. Some results suggest it might be a false positive.

    The other reason I'm skeptical is that I NEVER browse the internet without my sandbox program running, and I don't download files or install programs unless they are 100% from legit sources (so no torrenting or things like that). This popped up while I was browsing Facebook, so it's a pretty innocuous site.

    How can I determine what's up with this without having to do a full-on system barrage of scans and cleaning (since I feel that might be overkill on something that may or may not be a real threat).

    Any help is appreciated.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Click on the following link and use the below steps to scan a file: Virustotal
      • Click the Browse... button.
      • Navigate to the file FileToBeScanned
      • Where FileToBeScanned is the actual file to be scanned. Like C:\WINDOWS\System32\vdmt16.sys
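    A note added by the editor, not part of TimW's reply: VirusTotal can also be searched by file hash, which avoids uploading a file that a running service keeps locked, and the same one-off triage can gather the other evidence that separates a real detection from a false positive (Authenticode signature, version resource, and whether anything on the box launches the file). The script below is an added example, not code from the thread. It assumes PowerShell 4 or later (for Get-FileHash), an elevated prompt, an English locale (the "Task To Run" column name from schtasks), and the path C:\Windows\mssecsvc.exe reported in the first post; change $Path for any other file.

```powershell
# Added triage example (not from the forum thread). Run elevated.
# Assumes PowerShell 4+ for Get-FileHash; the default path is the one from the thread.
param(
    [string]$Path = 'C:\Windows\mssecsvc.exe'
)

if (-not (Test-Path -LiteralPath $Path)) {
    "File not present at $Path (already quarantined?)"
    return
}
$file = Get-Item -LiteralPath $Path -Force

# 1. Hashes. VirusTotal accepts a hash search without an upload, so a locked
#    file (or one you cannot read while it is running) can still be looked up.
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
[pscustomobject]@{
    Path     = $file.FullName
    Size     = $file.Length
    Created  = $file.CreationTimeUtc
    Modified = $file.LastWriteTimeUtc
    SHA256   = $sha256
    MD5      = $md5
    VTLookup = "https://www.virustotal.com/gui/file/$($sha256.ToLower())"
} | Format-List

# 2. Authenticode. Genuine Windows binaries are signed by Microsoft; a file
#    living in C:\Windows with no valid signature is suspect whatever its name.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
"Signature status: $($sig.Status)"
if ($sig.SignerCertificate) { "Signer: $($sig.SignerCertificate.Subject)" }

# 3. Version resource. Real Microsoft components carry company/product strings;
#    an empty or mismatched block is another red flag.
$vi = $file.VersionInfo
"CompanyName: '$($vi.CompanyName)'  ProductName: '$($vi.ProductName)'  FileVersion: '$($vi.FileVersion)'"

# 4. Persistence. Does any service or scheduled task launch this file?
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -like "*$($file.Name)*" } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-Table -AutoSize

# schtasks works on Windows 7 too, where Get-ScheduledTask is not available.
# Column name assumes an English locale.
schtasks.exe /query /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -like "*$($file.Name)*" } |
    Select-Object TaskName, 'Task To Run'

# 5. Is it running right now? A live process holding the file is the usual
#    reason an upload from a normal session fails with a permission error.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -eq $file.FullName } |
    Select-Object ProcessId, Name, ExecutablePath, CreationDate
```

    Save it as a .ps1 and run it from an elevated prompt before quarantining, or point $Path at the quarantined copy if the AV lets you restore it to a scratch folder. The hash plus the signature and version output is usually enough to settle the false-positive question without a full system scan.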
     
  3. techtitan

    techtitan Specialist

    Thanks for responding Tim. I tried to upload this normally, but it gave me a permission error saying I had to be an admin (which I am as far as I know). So I had to reboot into safe mode with network control. It worked fine after that. I wasn't able to download the results, because Virustotal requires you to be a member. But I took screenshots of all the tabs and attached those as images below. Here are the results:
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do the Read and Run First instructions. Then attach the scan results to this thread.
     
  5. techtitan

    techtitan Specialist

    UPDATE:

    Just noticed the forum kind of shrank the images when I attached them and made them almost impossible to read above. I tried to upload them to an image host, but the forum says that has been disabled. So here is a zip file attached.
     

    Attached Files:

  6. techtitan

    techtitan Specialist

    Hey Tim, looks like you posted before I had a chance to do this update. Did you still want me to do that before looking at the images in the zip file above?
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I looked at your images and I still want you to do the Read and Run.
     
  8. techtitan

    techtitan Specialist

    Sure, no problem! Thanks for the help. I took care of that for you and have attached the files here. I will await instruction.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks like MBAM found it. Just to be sure, reboot and rerun MBAM and attach the new log.
     
  10. techtitan

    techtitan Specialist

    Thanks for the confirmation. Things are running a bit rough here on my end, but nothing I can't handle now. Somewhere along those scans several things got reset and my install of MBAM got nuked. Wouldn't let me load it any more and gave me the "Can't connect to the Service" error. Upon researching, doing a clean reinstall (using the MBAM removal kit) got it back up and running. I have re-run the scan and include the updated log below. It also seems several other key programs I use are going to need to be reactivated as well. I just have two follow up questions:
    1. The system install I'm running is pretty old. I first installed Windows 7 on this machine back in 2012 and I've just been doing maintenance on it ever since. Not only am I looking for confirmation that this threat is removed, can you confirm that there are no other misc threats that may still persist? Does the procedure I went through above specifically focus in on the MSSECSVC.exe or does it also prove I've kept the rest of my system free of other threats throughout?
    2. I know this question probably falls in the "unanswerable" category, but how the hell did MSSECSVC get on my system in the first place? It seems like a recent thing, I'm 100% certain I've not done any browsing outside the sandbox in the last month or so and I've not downloaded/installed anything to this computer in recent memory. I've had zero contact with any malicious or illegal sites (no Pirate Bays, no torrenting, no porn, etc). So how the hell did this little critter get past my defenses? Is it something I'm not aware of that it got through when my guard was down or perhaps an area I've not monitored thoroughly enough?
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    "Phishing is the most common way for malware to infect computers.
    It could be a fake email message that appears to be originated from Microsoft Customer Service, eBay, PayPal, Amazon, or even your bank or insurance company.
    Fake emails that appear to come from the police, the FBI and other government entities were also reported.

    WINDOWS\MSSECSVC.EXE could also infect your computer by exploiting a security vulnerability of your Web browser or one of its plugins.
    If this is the case, WINDOWS\MSSECSVC.EXE would be injected into a Web page, and could get to your PC when you visited a malicious or hacked Web site.

    WINDOWS\MSSECSVC.EXE can be distributed with legitimate software that is repackaged by the scammers.
    It could be downloaded from warez Web sites or download archives."

    Your log is clean. I didn't see any other threats on your system.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    3. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • For Windows 8 and 8.1 system restore see this link: Win 8 System Restore - How to enable/disable
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    6. After doing the above, you should work through the below link:
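    An added check, not part of TimW's instructions: after running enableUAC.reg, MGclean.bat and the restore-point flush described above, the following confirms each step actually took. It is example code written for this page, assuming Windows 7 or 8 with PowerShell 3 or later, an elevated prompt, the standard UAC policy registry key, and the C:\MGtools folder named in the steps.

```powershell
# Added verification example (not from the thread). Run elevated after the final steps.
# Assumes the standard UAC policy key and the C:\MGtools path named in the instructions.

# Step 2: UAC should be back on. EnableLUA = 1 means UAC is enabled (takes effect after reboot).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
[pscustomobject]@{
    EnableLUA                  = $uac.EnableLUA
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop
} | Format-List
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is still disabled: re-run C:\MGtools\enableUAC.reg and reboot.'
}

# Step 3: MGclean.bat removes the tools folder; if it is still there the cleanup did not finish.
if (Test-Path -LiteralPath 'C:\MGtools') {
    Write-Warning 'C:\MGtools still exists; MGclean.bat did not complete.'
}

# Step 5: after disabling and re-enabling System Restore only a fresh point should
# remain, created after the cleanup, with none of the older (possibly infected) ones.
$points = Get-ComputerRestorePoint
$points | Select-Object SequenceNumber, Description, RestorePointType,
    @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize
if (-not $points) {
    # No point at all: create the clean baseline the instructions ask for.
    Checkpoint-Computer -Description 'Post-cleanup baseline'
}
```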
     
  12. techtitan

    techtitan Specialist

    Thanks for the reply Tim. However, I am having a bit of fallout on my system that is causing me issues, even after doing the final steps above. Hopefully you can help with these (as well as one other follow up question regarding the source of the initial infection):

    • Is there a breakdown of what was reset/refreshed on my system when running MGtools? Not only did it nuke my original install of MBAM, but now my BitDefender says the services are not responding. The activations of several other programs (like my screen saver, etc) have been cleared out and I'm going to have to fix those. I'm sure many other issues are going to pop up like this throughout. So I'll need to know what I need to go back and fix now that the scans have reset lots of stuff on my end. Can you help me narrow this down a bit?

    • The only hole I can think of that MSSECSVC may have slipped through is my email. I have unfortunately been getting a lot of spam lately. I never click on any of the links in the email, but I do have to open them to add them to my spam folder and delete them. My sandbox is set up to load the mail app itself in a sandbox but allow full access to my Microsoft Outlook personal data files (otherwise my read emails never get pushed down to my system and they just keep reloading). Could that be a source? I really need to ensure I plug this security hole somewhere.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Malware can wreak havoc on your system. Your protection software most likely needs to be reinstalled.

    I suggest you just delete the spam instead of opening.

    Any other issues should be addressed in the software forum.
     
  14. techtitan

    techtitan Specialist

    Thanks. However, I did have one new thing pop up and I wanted to ensure this wasn't related to the scanning process before I started an entirely new thread about it. I'm now seeing a "cmd" entry in my right click menu. When I click on it, I get an error message about it not being associated with a program. I researched it and it's the exact problem found at this link.

    This wasn't present before scanning. Why was this created and how do I remove that?
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This isn't a malware issue. I suggest you either follow the suggested fixes in your link or post in the software forum.
     
  16. techtitan

    techtitan Specialist

    Will do, thanks
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.
     
