Losing my mind: Continuous alerts about blocked threats by Mail Shield

Hi,

I just realized that one of my e-mail accounts in Windows 10 Mail wasn’t syncing up any longer. I use it to manage 4 different accounts.

I ended up deleting the account that stopped syncing properly and re-adding it. At some point, while I was trying to sync the account, I started getting “Threat blocked” pop-ups. I’m selecting “Move to Virus Chest”, but it’s prompting me repeatedly. As soon as I action one, another pops up within a second.

One says:
“We’ve blocked the threat [Embedded:OLE10Native] from harming your computer.”
Threat name: Script:SNH-gen [Trj]
Severity: 1/3
File path: Statement00034813.xlsm|Statement00034813.xlsm#3527025720|xl\embeddings\oleObject2.bin|[Embedded:OLE10Native]
Process: C:\Windows\System32\svchost.exe
Detected by: Mail Shield
Status: Blocked

My action: keep blocking

Next says:

“We’ve blocked the threat _1_Ole10Native:xx from harming your computer.”
Threat name: Script:SNH-gen [Trj]
Severity: 1/3
File path: Statement00034813.xlsm|Statement00034813.xlsm#3527025720|xl\embeddings\oleObject2.bin|_1_Ole10Native:xx
Process: C:\Windows\System32\svchost.exe
Detected by: Mail Shield
Status: Blocked

My action: keep blocking

Next says:

“We’ve blocked the threat [Embedded:OLE10Native] from harming your computer.”
Threat name: Script:SNH-gen [Trj]
Severity: 1/3
File path: Statement00034813.xlsm|Statement00034813.xlsm#3527025720|xl\embeddings\oleObject2.bin|[Embedded:OLE10Native]
Process: C:\Windows\System32\svchost.exe
Detected by: Mail Shield
Status: Blocked

My action: keep blocking

Next says:

“We’ve blocked the threat _1_Ole10Native:xx from harming your computer.”
Threat name: Script:SNH-gen [Trj]
Severity: 1/3
File path: Statement00034813.xlsm|Statement00034813.xlsm#3527025720|xl\embeddings\oleObject2.bin|_1_Ole10Native:xx
Process: C:\Windows\System32\svchost.exe
Detected by: Mail Shield
Status: Blocked

My action: keep blocking

Next says:

“We’ve blocked the threat [Embedded:OLE10Native] from harming your computer.”
Threat name: Script:SNH-gen [Trj]
Severity: 1/3
File path: Statement00034813.xlsm|Statement00034813.xlsm#3527025720|xl\embeddings\oleObject2.bin|[Embedded:OLE10Native]
Process: C:\Windows\System32\svchost.exe
Detected by: Mail Shield
Status: Blocked

My action: keep blocking

Ad infinitum.

You get the picture. I tried removing the account I synced up, but it kept happening, so I added it back.
I tried closing the Windows 10 Mail, but it kept happening, so I reopened it.

I’m starting to wonder if it’s even linked to Windows 10 at all, because I also use Outlook, but I don’t know how to figure this out. I tried closing both, and it still happens. Any suggestions of how I can get to the bottom of this please?

I just realized that there’s a log file.
This is what I see in report/EmailShield.txt:

  • Started on: Monday, April 27, 2020 11:34:16 AM

27/04/2020 7:25:53 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\vbaProject.bin [L] VBA:Downloader-FDM [Trj] (0)
File was successfully moved to chest…
27/04/2020 7:27:14 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>[Embedded:OLE10Native] [L] Script:SNH-gen [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
27/04/2020 7:27:30 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\vbaProject.bin [L] VBA:Downloader-FDM [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
File was successfully moved to chest…
27/04/2020 7:27:45 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>[Embedded:OLE10Native] [L] Script:SNH-gen [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
27/04/2020 7:28:44 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>_1_Ole10Native:xx [L] Script:SNH-gen [Trj] (0)
27/04/2020 7:28:46 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\vbaProject.bin [L] VBA:Downloader-FDM [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
While moving file to chest, error occurred: The system cannot find the file specified
27/04/2020 7:29:56 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>[Embedded:OLE10Native] [L] Script:SNH-gen [Trj] (0)
27/04/2020 7:30:02 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\vbaProject.bin [L] VBA:Downloader-FDM [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
While moving file to chest, error occurred: The system cannot find the file specified
27/04/2020 7:30:59 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>_1_Ole10Native:xx [L] Script:SNH-gen [Trj] (0)
27/04/2020 7:31:18 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\vbaProject.bin [L] VBA:Downloader-FDM [Trj] (0)
27/04/2020 7:32:06 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>[Embedded:OLE10Native] [L] Script:SNH-gen [Trj] (0)
27/04/2020 7:32:16 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>_1_Ole10Native:xx [L] Script:SNH-gen [Trj] (0)
27/04/2020 7:32:20 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject3.bin [L] Other:Malware-gen [Trj] (0)
27/04/2020 7:32:24 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject3.bin [L] Other:Malware-gen [Trj] (0)
27/04/2020 7:32:27 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>[Embedded:OLE10Native] [L] Script:SNH-gen [Trj] (0)
27/04/2020 7:32:31 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>_1_Ole10Native:xx [L] Script:SNH-gen [Trj] (0)
27/04/2020 7:32:34 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\vbaProject.bin [L] VBA:Downloader-FDM [Trj] (0)
27/04/2020 7:32:35 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject3.bin [L] Other:Malware-gen [Trj] (0)
27/04/2020 7:32:45 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>_1_Ole10Native:xx [L] Script:SNH-gen [Trj] (0)
27/04/2020 7:33:51 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\vbaProject.bin [L] VBA:Downloader-FDM [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
27/04/2020 7:34:20 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>[Embedded:OLE10Native] [L] Script:SNH-gen [Trj] (0)
27/04/2020 7:35:06 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\vbaProject.bin [L] VBA:Downloader-FDM [Trj] (0)
27/04/2020 7:36:23 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\vbaProject.bin [L] VBA:Downloader-FDM [Trj] (0)
27/04/2020 7:37:39 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\vbaProject.bin [L] VBA:Downloader-FDM [Trj] (0)
File was successfully moved to chest…
While moving file to chest, error occurred: The system cannot find the file specified
File was successfully moved to chest…
27/04/2020 7:47:56 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>[Embedded:OLE10Native] [L] Script:SNH-gen [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
While moving file to chest, error occurred: The system cannot find the file specified
27/04/2020 7:49:01 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\vbaProject.bin [L] VBA:Downloader-FDM [Trj] (0)
27/04/2020 7:51:14 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>[Embedded:OLE10Native] [L] Script:SNH-gen [Trj] (0)
27/04/2020 7:51:28 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>[Embedded:OLE10Native] [L] Script:SNH-gen [Trj] (0)
27/04/2020 7:51:30 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>[Embedded:OLE10Native] [L] Script:SNH-gen [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
While moving file to chest, error occurred: The system cannot find the file specified
While moving file to chest, error occurred: The system cannot find the file specified
While moving file to chest, error occurred: The system cannot find the file specified
File was successfully moved to chest…
27/04/2020 7:52:22 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>[Embedded:OLE10Native] [L] Script:SNH-gen [Trj] (0)
While moving file to chest, error occurred: The system cannot find the file specified
While moving file to chest, error occurred: The system cannot find the file specified
27/04/2020 8:15:48 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>_1_Ole10Native:xx [L] Script:SNH-gen [Trj] (0)
27/04/2020 8:17:31 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject3.bin [L] Other:Malware-gen [Trj] (0)
27/04/2020 8:18:45 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>_1_Ole10Native:xx [L] Script:SNH-gen [Trj] (0)
27/04/2020 8:20:23 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject3.bin [L] Other:Malware-gen [Trj] (0)
27/04/2020 8:21:22 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>_1_Ole10Native:xx [L] Script:SNH-gen [Trj] (0)
27/04/2020 8:23:19 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>_1_Ole10Native:xx [L] Script:SNH-gen [Trj] (0)
27/04/2020 8:23:30 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>_1_Ole10Native:xx [L] Script:SNH-gen [Trj] (0)
27/04/2020 8:23:34 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject2.bin|>_1_Ole10Native:xx [L] Script:SNH-gen [Trj] (0)
27/04/2020 8:24:01 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject3.bin [L] Other:Malware-gen [Trj] (0)
27/04/2020 8:26:00 PM Statement00034813.xlsm|>Statement00034813.xlsm#3527025720|>xl\embeddings\oleObject3.bin [L] Other:Malware-gen [Trj] (0)
File was successfully moved to chest…
While moving file to chest, error occurred: The system cannot find the file specified

It may also be worth noting that I had problems with Outlook 2016 this morning. I could open the application, but as soon as I would try to read an email it would crash.

Including the mbam. Sorry for not doing it earlier.

Hmmmm… I started closing a bunch of stuff and I started getting the alerts. It may have stopped after I closed Chrome, which is interesting since the alerts were from Mail Shield. I can’t even reopen Chrome right now. I did install the Toggl extension from Chrome this afternoon…

I think I narrowed it down. I tried restarting, running Malwarebytes. Doing AVAST scans. Did all this in regular mode and safe mode. I ran CCleaner and cleaned up a bunch of crap.
When I restarted, I thought I was good and started opening stuff up again and it started happening again! I had opened so much that I couldn’t narrow it down. I had reconnected an email account to my Windows 10 Mail app which I suspected, so I closed that and restarted, but it happened again. This time I opened the Mail app, deleted the account I most recently added, then restarted, now I’m reopening most of my applications that I had opened before, minus the Windows 10 Mail app, and so far so good. I’m suspecting it’s that one e-mail account that I connected to the Windows mail app. What does that even mean?

Is there a way to pinpoint the exact request that triggers this?

Okay. I’m absolutely certain it’s Windows Mail now. I successfully used my computer all day. At the end of the day, I decided I couldn’t live with not knowing what the problem is, so I set up the account again, and while it was syncing I got those same alerts. It definitely happens when that account tries to sync. I tried syncing with two other accounts for the same domain, and one worked fine, the other causes the same errors AND the one that gets the same errors reported is an email distribution list that the main email I was trying to sync gets mail from. This leads me to think there’s a malicious attachment.

Is there a way to test this theory? There are thousands of emails with attachments.
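
One way to test the malicious-attachment theory across a large mailbox without opening any attachment, as an added example that is not part of the original thread: the script reads only the ZIP directory of each attachment and reports messages whose Office file contains the inner parts named in the Mail Shield log (`xl\vbaProject.bin`, `xl\embeddings\oleObject*.bin`). It assumes the messages are available as raw RFC 822 bytes (for example exported `.eml` files); `triage_message` and `build_sample` are hypothetical names, and the sample message is constructed with placeholder bytes.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Inner parts the Mail Shield log flagged inside the .xlsm (ZIP names use "/").
SUSPECT = re.compile(r"^xl/(vbaProject\.bin|embeddings/oleObject\d+\.bin)$", re.I)

def triage_message(raw: bytes) -> list[dict]:
    """List ZIP/OOXML attachments with macro or OLE parts (reads the ZIP directory only)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"PK"):      # OOXML documents are ZIP archives
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.replace("\\", "/") for n in z.namelist()]
        except zipfile.BadZipFile:          # truncated or fake ZIP: skip it
            continue
        hits = sorted(n for n in names if SUSPECT.match(n))
        if hits:
            findings.append({"message_id": str(msg.get("Message-ID", "")),
                             "subject": str(msg.get("Subject", "")),
                             "attachment": part.get_filename(), "parts": hits})
    return findings

def build_sample(filename: str, members: list[str]) -> bytes:
    """Constructed message: ZIP attachment whose members hold placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in members:
            z.writestr(name, b"placeholder")
    m = EmailMessage()
    m["Subject"], m["Message-ID"] = "Constructed sample", "<sample-1@example.invalid>"
    m.set_content("see attached")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    raw = build_sample("Statement.xlsm", ["xl/workbook.xml", "xl/vbaProject.bin",
                                          "xl/embeddings/oleObject2.bin"])
    print(triage_message(raw))
```

Run over every exported message, the returned `message_id` and `subject` values identify which mail to delete on the server so the client stops re-downloading it on each sync.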