Page 3 of 3 First 123
  1. #41 YOnGodsGreenEarth (Join Date: May 2016; Location: Somewhere in the Land of the Free; Posts: 27)
    System Specs: Motherboard: ASUS M5A99X EVO; CPU: AMD FX 4100; Memory: 8GB; Graphics: ASUS EAH6570 Series; Sound Card: High Definition Audio Device; Hard Drives: WD Black 1TB SATA 64MB Cache; Case: Thermaltake V3 Black Edition; Cooling: Multiple Fan Configuration; Operating System: Win7 Ultimate 64-bit SP1

    Re: Totally Perplexed by this Locky Ransomware...



    Thanks very much, DonnaB, for the detailed description.

    After I thought about it for a minute, what you said about companies making this info hard to find actually does make sense. I thought I read every comment on that Bitdefender page, but I think I was so tired when I read it that I obviously missed that one. Thanks for pointing it out to me. It all makes sense now.

    I think you're right about the Bitdefender technician being in the dark (as confident as he claimed to be, I did kinda pick up on a rushed tone in his voice). Anyway, I read the aforementioned article from PCWorld about the BDAR tool and it most certainly confirms your assessment. Thank you kindly again for helping me nail this down.

    At this point the only thing I'm still curious about is the Rootkit detections found by AVZ AntiViral Toolkit. Considering the AVZ log I posted above, do you have any ideas as to what these might indicate, albeit, now that we know I don't actually have a Locky infection? I wonder if there's something else here I need to worry about now.



  2. #42 Corrine (Join Date: Feb 2012; Location: Upstate, NY; Posts: 8,610)

    Re: Totally Perplexed by this Locky Ransomware...

    Neither Donna nor I found anything from the AVZ log to be concerned about. However, let's see results from MBAR. Please do the following to modify Malwarebytes Anti-Malware (MBAM) Scan for Rootkits Settings:

    For the running of a Custom Scan:

    • Open MBAM.
    • Click the Scan tab.
    • Select Custom Scan and click Configure Scan.
    • Place a checkmark next to Scan for Rootkits.
    • Select your desired scan location(s) and settings, and click Scan Now.


    Note: If you have a scheduled scan, make the following change:
    • Open MBAM.
    • Click the Scan tab.
    • Select Custom Scan and click Configure Scan.
    • Place a checkmark next to Scan for Rootkits.
    • Select your desired scan location(s) and settings, and click Scan Now.


    Scan for rootkits is not enabled by default due to the increased scan time involved. This is due to the low level nature of the scan, involving direct access to your hard drive (DDA). Such scanning may significantly increase the time in which it takes to complete the scan. Please be aware of the increased scan time.

    Provide a copy of the results in your next reply.

    Thank you!


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.

  3. #43 YOnGodsGreenEarth (Join Date: May 2016; Location: Somewhere in the Land of the Free; Posts: 27)

    Re: Totally Perplexed by this Locky Ransomware...

    Okay. Thanks for double-checking that Corrine. I ran the additional MBAR scan you asked me to do and have posted the results below. I'm glad to see nothing was found.


    MBAM/MBAR Scan Results:

    Malwarebytes Anti-Malware
    Malwarebytes | Free Anti-Malware & Internet Security Software

    Scan Date: 6/5/2016
    Scan Time: 2:53 PM
    Logfile: MBAR Results.txt
    Administrator: Yes

    Version: 2.2.1.1043
    Malware Database: v2016.06.05.04
    Rootkit Database: v2016.05.27.01
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Enabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: TKRA7

    Scan Type: Custom Scan
    Result: Completed
    Objects Scanned: 352281
    Time Elapsed: 43 min, 59 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Disabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Disabled
    PUM: Warn

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0




    One final thought I wish to add, after further considering my steps along the way, is that I do recall installing BDAR as one of the first software installations after re-installing Windows on each drive, and only sometime after that did I find the Locky entries in each respective Registry scan, which again confirms your team's conclusion that this was in fact due to "Bitdefender AntiRansomware" and how it behaves this way in order to fool real ransomware viruses into thinking it's already installed on the system.

    So sorry we had to go through all this trouble-shooting just to find this out, but God forbid it ended up being a real ransomware infection, I guess it's still a good thing that I had such a knee-jerk reaction when I originally caught sight of these keys.

    Again much thanks to you and your entire team for helping me to solve this one.



    While I may be cash-strapped at the moment, I intend to make a donation to Sysnative soon, once things pan out for me financially. If it wasn't for all the hard work you guys put into this thing, Lord only knows how much harder it would've been for me to find the real answer to what was causing this issue in the first place.

    Thank you so much for your help and for the admirable work you and your team selflessly do for the good of others.

    May the force always be with us...
    Corrine, niemiro and DonnaB say thanks for this.

  4. #44 Corrine (Join Date: Feb 2012; Location: Upstate, NY; Posts: 8,610)

    Re: Totally Perplexed by this Locky Ransomware...



    On behalf of the rest of the team, thank you for your kind words. I am so glad that we were able. As to the trouble-shooting, as the saying goes, better safe than sorry.

    Please be sure to take the time to clean up the tools we used with Delfix:

    Please download Delfix from here.

    Ensure the following boxes are checked:
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Click Run

    The program will run for a few moments and then Notepad will open with a log. You don't need to post the log, but if there are any additional applications you installed merely for the purpose of trouble-shooting, you may want to uninstall them as well.



  5. #45 YOnGodsGreenEarth (Join Date: May 2016; Location: Somewhere in the Land of the Free; Posts: 27)

    Re: Totally Perplexed by this Locky Ransomware...



    I know I marked this thread as solved, and it is, but for the sake of making it official for everyone's benefit, I thought it would be good to add the response I finally received from Bitdefender Tech Support via email, in which they did in fact confirm that their Bitdefender AntiRansomware tool does behave in this manner...

    (The following correspondence, excerpted from my email archive, is between Bitdefender and myself regarding this Locky key issue)



    On Sat, 4th Jun 2016 at 2:29 am, ******* <*******@protonmail.com> wrote:

    "Let me take this opportunity to clarify my issue. As I stated, I only have Bitdefender AntiRansomware installed. I use ESET NOD32 for my other security application. After scanning my registry I noticed some "Locky" entries. These keys showed that they had restricted permissions...

    ...After a scan with ComboFix, these same keys were again listed and ComboFix said that the keys were locked...I now only need Bitdefender to confirm if this is, in fact, what 'Bitdefender AntiRansomware' does."



    On Mon, 6th Jun 2016 at 6:37 pm, Robert ***** BD wrote:

    Hello *******,

    Thank you for your reply.

    Be advised that the Bitdefender Ransomware vaccine does generate the registration keys you mentioned, in order to trick the actual virus that the system is already infected.

    Should you suspect your computer is infected, please provide us the following.

    1. A BDSYS log;
    2. A detailed description of the situation;
    3. One or more screenshots displaying the effects of the infection;

    [how to GENERATE A BDSYS LOG]

    http://www.bitdefender.com/support/total-security/-490.html


    [How to create a screen shot]

    http://bitdefender.com/support/How-to-create-a-screenshot-1166.html

    Looking forward to hearing from you.

    Have a wonderful day!

    Best regards,

    Robert *****

    Technical Support Engineer

    -------------------
    http://www.bitdefender.com/support
    http://forum.bitdefender.com






    Thanks again to the Sysnative Team. Your hard work helped me to solve this issue. You guys really rock!
    Last edited by YOnGodsGreenEarth; 06-11-2016 at 01:11 PM. Reason: Attempted to fix unusually large spaces between each line.
    niemiro, Corrine and DonnaB say thanks for this.
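The thread's conclusion is that a "Locky" registry key with restricted permissions can be a vaccine marker rather than an infection, so the useful check is attribution: is the marker present, what does its ACL look like, and is a Bitdefender product installed that would explain it. The script below is an added example written for this page, not code from the thread, Sysnative or Bitdefender; it assumes the marker key is HKCU:\Software\Locky (the path Locky itself used; adjust it if your registry scan reported a different one) and that the Bitdefender product registers an Uninstall entry whose DisplayName contains "Bitdefender".

```powershell
# Added triage script, not code from the thread, Sysnative or Bitdefender.
# Assumptions: marker key is HKCU:\Software\Locky (adjust to the path your scan
# reported) and the Bitdefender product has an Uninstall entry whose DisplayName
# contains "Bitdefender".
$MarkerPath = 'HKCU:\Software\Locky'
$UninstallRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Names of installed Bitdefender products, gathered from the Uninstall keys.
function Get-BitdefenderProducts {
    $names = foreach ($root in $UninstallRoots) {
        if (Test-Path $root) {
            Get-ChildItem $root -ErrorAction SilentlyContinue |
                ForEach-Object { $_.GetValue('DisplayName') } |
                Where-Object { $_ -like '*Bitdefender*' }
        }
    }
    $names | Sort-Object -Unique
}

if (-not (Test-Path $MarkerPath)) {
    Write-Output "No marker key at $MarkerPath; nothing to attribute."
    return
}

Write-Output "Marker key present: $MarkerPath"
$key = Get-Item $MarkerPath
Write-Output ("Values: " + (($key.GetValueNames() | Where-Object { $_ }) -join ', '))

# The thread notes the keys showed restricted permissions and ComboFix reported
# them locked; list the ACL so that can be checked directly.
try {
    (Get-Acl $MarkerPath).Access |
        Format-Table IdentityReference, AccessControlType, RegistryRights -AutoSize
} catch {
    Write-Output "Could not read ACL: $($_.Exception.Message)"
}

$products = @(Get-BitdefenderProducts)
if ($products.Count -gt 0) {
    Write-Output "Bitdefender installed ($($products -join ', ')): marker is consistent with the vaccine."
} else {
    Write-Output "No Bitdefender product found: treat the marker as unexplained and scan (e.g. MBAM with rootkits enabled)."
}
```

Run it in an elevated PowerShell session on the machine in question; a marker with no Bitdefender product installed is the case that still warrants the full scan the thread describes.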


